# Kmod-nft-offload

When a router processes network traffic, every single packet typically traverses the Linux kernel network stack, hitting multiple firewall tables, connection tracking (conntrack) systems, and NAT rules. On embedded devices with lower-powered CPUs, this heavy packet-by-packet inspection creates a severe performance bottleneck.

In the OpenWrt ecosystem, kmod-nft-offload solves this problem. This kernel module bridges high-level firewall rules and hardware-level packet processing. It allows compatible routers to forward data packets at wire speed while keeping CPU usage close to zero.

## What is kmod-nft-offload?

The flow-offloading mechanism identifies long-lived, established network streams (flows). Once a connection is verified and established by the CPU, the routing rule is "pushed" down into the network hardware. Subsequent packets in that specific stream bypass the CPU entirely.

When a router's CPU maxes out, it creates a queue for incoming packets. This queue causes "bufferbloat," which spikes your ping during gaming or video calls. Offloading processes packets instantly, ensuring your latency remains low even under heavy network loads. Packets spend less time in the queue waiting for the CPU.

## Free CPU Resources for Advanced Services

## The Role of kmod-nft-offload

The module acts as a bridge between the nftables ruleset and the network driver's flow table.

The hardware offloading infrastructure was merged into the Linux kernel starting with version 5.3, with ongoing improvements and bug fixes. A modern kernel (5.4 or newer) is generally recommended for stable operation.

| Supported | Not Supported |
|-----------|---------------|
| IPv4/IPv6 forwarding | Dynamic NAT (SNAT/DNAT with port mapping) |
| Simple VLAN tagging | Bridge port isolation |
| Basic conntrack (established/related) | Rules with `log`, `queue`, `limit` |
| Matching on input/output interfaces | Stateful expressions (e.g., `ct state new` in the same flow) |

Here's an example nftables configuration:

## Installing and Enabling kmod-nft-offload

(Note: In many modern OpenWrt releases, this module comes pre-installed as part of the core firewall package.)

### Step 2: Configure via the LuCI Web Interface

Open your web browser and log into the interface. Navigate to Network ➔ Firewall. Scroll down to the Routing/NAT Flow Offloading section. Check the box for Software flow offloading.

The same settings can be applied from the command line with uci:

```sh
uci set firewall.@defaults[0].flow_offloading=1     # software flow offloading
uci set firewall.@defaults[0].flow_offloading_hw=1  # hardware flow offloading (supported SoCs only)
uci commit firewall
/etc/init.d/firewall restart
```

## kmod-nft-offload vs. kmod-natflow

### 1. Smart Queue Management (SQM)

Smart Queue Management (SQM) limits bufferbloat by shaping packet queues based on configured bandwidth limits. Because flow offloading bypasses the packet processor to optimize speed, the two do not work together. If you prioritize low latency for gaming via SQM over raw download speeds, offloading must be turned off.

### 2. Deep Packet Inspection (DPI) and Layer 7 Filtering

Some open-source Wi-Fi or switch drivers experience race conditions when hardware offloading is active. If your router reboots during large torrent downloads or speed tests, disable Hardware flow offloading but keep Software flow offloading active. Software offloading offers a reliable middle ground for performance.

If the NIC driver did not load the flow, ensure `hw-tc-offload on` is persistent. Some drivers require a driver reload after changing this flag.

In storage-constrained devices, adding this and related offloading modules can lead to "storage full" errors during sysupgrades.

## Verdict

| Pros | Cons |
|------|------|
| Can more than double throughput on compatible hardware. | Performance is highly hardware-dependent. |
| Essential for modern nftables (fw4) offloading. | Known issues on some older or specific chipsets. |
| Reduces CPU overhead for high-speed traffic. | Adds complexity and storage footprint to the image. |
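The example nftables configuration the page refers to above did not survive extraction. The following is an added illustration, not the page's own ruleset, of the flowtable that kmod-nft-offload populates: it assumes eth0 is the WAN interface and eth1 the LAN interface (bridge ports would be listed individually), and the table and flowtable names are arbitrary.

```nft
# Added example (not from the original page). Assumed interfaces: eth0 = WAN,
# eth1 = LAN. Load with: nft -f offload.nft
table inet offload_example {
    # The flowtable is the kernel-side structure that kmod-nft-offload fills.
    # Without "flags offload" this is software flow offloading; with it the
    # kernel also programs the NIC driver's hardware flow table, which first
    # needs "ethtool -K <dev> hw-tc-offload on" on each listed device.
    flowtable ft {
        hook ingress priority 0
        devices = { eth0, eth1 }
        # flags offload   # uncomment only for hardware flow offloading
    }

    chain forward {
        type filter hook forward priority 0; policy drop

        # Only established TCP/UDP flows are offloaded (ICMP never is). The
        # first packets of every connection still traverse the full stack
        # and the rules below, so conntrack can validate them first.
        ct state established,related meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept

        # Ordinary policy: the LAN may open new connections towards the WAN.
        iifname "eth1" oifname "eth0" ct state new accept

        # Anything that must be logged or counted must stay off the
        # flowtable: offloaded packets never reach this chain again.
        counter log prefix "fwd-drop: " drop
    }
}
```

Once a flow is in `ft`, later packets of that connection bypass the `forward` chain entirely, which is why the page lists `log`, `queue` and `limit` rules as unsupported for offloaded traffic.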