Kmod-nft-offload

ethtool -k eth0 | grep hw-tc-offload # Must show "on"

: Traffic shaping tools like SQM (Smart Queue Management) rely on inspecting every packet. Offloading bypasses the CPU, rendering QoS ineffective.

Parent controls or deep packet inspection features that look inside every packet will be bypassed once a flow is offloaded. How to Enable kmod-nft-offload in OpenWrt Method 1: Using the LuCI Web Interface Log into your OpenWrt dashboard. Navigate to Network > Firewall . Scroll down to the Routing/NAT Flow Offloading section. Check the box for Software flow offloading .

: Reduces CPU utilization to near zero during heavy transfers. How It Works First Packet : A new network flow arrives at the router. kmod-nft-offload

kmod-nft-offload is a kernel module package in OpenWrt. It enables hardware-based flow offloading for the Netfilter ( nftables ) firewall subsystem. How it Works

| Supported | Not Supported | |-----------|----------------| | IPv4/IPv6 forwarding | Dynamic NAT (SNAT/DNAT with port mapping) | | Simple VLAN tagging | Bridge port isolation | | Basic conntrack (established/related) | Rules with log , queue , limit | | Matching on input/output interfaces | Stateful expressions (e.g., ct state new in same flow) |

If you need to log every packet for security, offloading will hide that traffic from the logger. 🔧 How to Enable It ethtool -k eth0 | grep hw-tc-offload # Must

: In storage-constrained devices, adding this and related offloading modules can lead to "storage full" errors during sysupgrades. Verdict Pros Cons Can more than double throughput on compatible hardware. Performance is highly hardware-dependent. Essential for modern nftables (fw4) offloading. Known issues on some older or specific chipsets. Reduces CPU overhead for high-speed traffic. Adds complexity and storage footprint to the image.

nft add rule netdev filter ingress drop

[ Incoming Packet ] │ ▼ [ Is flow established? ] ├── NO ──> [ CPU processes packet via firewall rules ] ──> [ Establish Flow ] │ │ └── YES ──> [ Bypass standard CPU path via kmod-nft-offload ] ──────┘ │ ▼ [ Fast-forwarded to Destination ] 1. Software Flow Offloading How to Enable kmod-nft-offload in OpenWrt Method 1:

opkg update opkg install kmod-nft-offload

. In recent OpenWrt versions (like 24.10), some related modules like kmod-nft-queue

This article provides a comprehensive overview of kmod-nft-offload , explaining what it is, how it works, and why it is essential for optimizing your router's performance. What is kmod-nft-offload ?

Hardware-level switching handles packets at wirespeed. This removes the variable delay introduced by CPU scheduling, resulting in lower ping times and stable gaming streams. Hardware Compatibility

Reduces CPU load to nearly 0%, allowing low-power chips to handle full gigabit throughput. Key Benefits of Enabling kmod-nft-offload Maximize Gigabit Throughput