This report outlines the purpose, technical specifications, and performance impact of the kmod-nft-offload kernel module within the OpenWrt ecosystem.

1. Executive Summary
The kmod-nft-offload package provides Netfilter nf_tables routing and NAT offload support. It is a critical component for routers with limited CPU power, as it allows established network flows to bypass the standard, CPU-intensive Linux networking stack after the initial connection setup.

2. Technical Specifications
Module Name: kmod-nft-offload
Dependencies: kmod-nf-flow, kmod-nft-nat
Functionality: It enables the flow offload action, which instructs the kernel to move specific TCP or UDP flows into a fast-path flowtable.

3. Performance Impact
Throughput: can increase forwarding bandwidth with software offload (source: OpenWrt Wiki).
CPU load: significantly reduced by bypassing the L3 network stack for established packets (source: YouTube guide).
Latency/Jitter: generally improves overall latency by relieving a fully loaded CPU (source: OpenWrt Wiki).

4. Limitations & Known Issues
Software flow offloading implications - OpenWrt Forum
Instead, the "useful article" you need is one that explains Hardware Offloading for NFTables. Below is a comprehensive article-style guide regarding kmod-nft-offload, explaining what it is, why you need it, and how to use it.
Article: Accelerating Linux Firewalls with kmod-nft-offload

Introduction
If you are running a modern Linux router (such as OpenWrt) or a high-performance firewall, you may have encountered the package kmod-nft-offload. While standard firewall rules process packets using the CPU, this module enables the kernel to offload those rules directly to the network hardware (Network Interface Card or Switch). This guide explains the functionality of this module and how it improves network throughput.

What is kmod-nft-offload?
Definition: kmod-nft-offload is a kernel module (kmod) that provides support for hardware offloading for the nftables (nft) packet filtering framework.

The Problem: In a standard software-based firewall, every packet that passes through the network interface must be examined by the CPU. The CPU looks at the packet headers, compares them against the firewall rules, and decides to accept or drop them. On high-speed networks (1Gbps, 10Gbps, or higher), this consumes significant CPU resources and can create a bottleneck.

The Solution: Many modern network chips (especially in embedded routers and smart NICs) have dedicated hardware circuits for packet processing. kmod-nft-offload acts as the bridge between the Linux kernel's nftables rules and this hardware. It allows the kernel to "teach" the network hardware the firewall rules. Once offloaded, the hardware processes the packets independently, freeing up the CPU for other tasks (like routing, VPN encryption, or serving files).

Technical Requirements
To use kmod-nft-offload, three things are required:
Kernel Support: The kernel must be compiled with CONFIG_NFT_OFFLOAD.
Hardware Support: Your network hardware (NIC/Switch) must support Flow Offloading (often via ethtool or specific switch drivers like DSA in OpenWrt).
Nftables: You must be using the nftables userspace tools, not the legacy iptables.
How to Use It (Practical Guide)

1. Installation (OpenWrt Example)
On OpenWrt, you typically install this via the package manager:

    opkg update
    opkg install kmod-nft-offload
2. Activating Offloading in Rules
Installing the module does not automatically offload rules. You must explicitly tell nftables which flows to offload. This is done using the flow offload keyword in your nftables syntax.

Example nftables configuration:

    table inet firewall {
        # Define the flow table (the keyword is a single word: flowtable)
        flowtable ft {
            hook ingress priority 0;
            devices = { eth0, eth1 };
            # flags offload requests hardware offload: the ruleset fails to load on
            # NICs/switch drivers without support, and without this line the flowtable
            # is a software fast path (still CPU-side, but much cheaper than the full stack)
            flags offload;
        }

        chain forward {
            type filter hook forward priority 0; policy drop;

            # Establish a flow offload "faster" path for accepted traffic
            # This sends matching packets to the hardware
            # The tcp flags test keeps closing (FIN/RST) connections out of the fast path
            # so conntrack still sees them tear down; newer nft also accepts "flow add @ft"
            tcp flags & (fin|rst) == 0 ct state established,related flow offload @ft

            # Standard acceptance rule
            ct state established,related accept
        }
    }
Key Syntax Breakdown:
flowtable ft: Defines a flow table (where offloaded connections are tracked). The hook ingress part is crucial, as it processes packets as they enter the network stack.

flow offload @ft: This specific command tells the kernel: "If a packet matches this rule, try to move this connection into the hardware flow table named ft."
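As an added example (not part of the original article, OpenWrt, or the nftables project), the following Python audits the JSON form of a ruleset, as produced by nft -j list ruleset, for the two pitfalls behind the syntax above: a flowtable without flags offload only gives the software fast path, and a flow rule that is not gated on ct state would hand connections to the fast path before conntrack has seen both directions. The embedded ruleset is constructed to mirror the configuration above, and the JSON key names are assumed to follow the libnftables JSON schema.

```python
# Constructed sample in the shape of `nft -j list ruleset` for the ruleset above
# (assumption: keys follow the libnftables JSON schema; not captured from a router).
SAMPLE = {"nftables": [
    {"table": {"family": "inet", "name": "firewall", "handle": 1}},
    {"flowtable": {"family": "inet", "table": "firewall", "name": "ft", "handle": 2,
                   "hook": "ingress", "prio": 0, "dev": ["eth0", "eth1"]}},
    {"chain": {"family": "inet", "table": "firewall", "name": "forward", "handle": 3,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
    {"rule": {"family": "inet", "table": "firewall", "chain": "forward", "handle": 4, "expr": [
        {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}},
        {"flow": {"op": "add", "flowtable": "@ft"}}]}},
    {"rule": {"family": "inet", "table": "firewall", "chain": "forward", "handle": 5, "expr": [
        {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}},
        {"accept": None}]}}]}

def audit_flow_offload(ruleset):
    """Return each flowtable, whether it requests hardware offload, and warnings."""
    objs = ruleset["nftables"]
    fts, warnings = {}, []
    for o in objs:
        ft = o.get("flowtable")
        if ft:
            flags = ft.get("flags", [])          # string for one flag, list for several
            flags = [flags] if isinstance(flags, str) else flags
            fts[ft["name"]] = {"devices": ft.get("dev", []),
                               "hw_offload": "offload" in flags, "referenced": False}
    for o in objs:
        exprs = o.get("rule", {}).get("expr", [])
        for e in exprs:
            if "flow" not in e:
                continue
            target = e["flow"]["flowtable"].lstrip("@")
            if target not in fts:
                warnings.append(f"rule {o['rule']['handle']}: flow add @{target}, no such flowtable")
                continue
            fts[target]["referenced"] = True
            # Flows should only be offloaded once conntrack has seen both directions
            if not any(isinstance(m.get("match", {}).get("left"), dict)
                       and "ct" in m["match"]["left"] for m in exprs):
                warnings.append(f"rule {o['rule']['handle']}: flow add without a ct state match")
    for name, info in fts.items():
        if not info["hw_offload"]:
            warnings.append(f"flowtable {name}: no 'flags offload', software fast-path only")
        if not info["referenced"]:
            warnings.append(f"flowtable {name}: defined but no rule adds flows to it")
    return {"flowtables": fts, "warnings": warnings}
```

On a router, feed it the live ruleset with audit_flow_offload(json.load(sys.stdin)) after nft -j list ruleset; for the sample above it reports the flowtable on eth0/eth1 and warns that no flags offload is set.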
Performance Benefits