Kmod-nft-offload

Bypassing software queues reduces the physical time it takes for a packet to traverse the router, resulting in more stable ping times for gaming and real-time voice/video applications.

kmod-nft-offload vs. Software Flow Offloading

The CPU identifies a flow and sends it to the hardware switch/NIC. The hardware then takes over handling the packets entirely, freeing up the CPU for other tasks.

Benefits of kmod-nft-offload

Hardware is purpose-built for packet switching. Offloading allows systems to reach line-rate speeds (e.g., 10Gbps, 40Gbps, or 100Gbps) that might otherwise saturate a standard CPU.

kmod-nft-offload is a specialized kernel module that provides hardware and software flow offloading support for the nftables firewall engine. By offloading network traffic processing, it bypasses parts of the standard CPU-heavy networking stack to improve overall throughput and reduce latency.

Core Functionality kmod-nft-offload

The kmod-nft-offload module is a clear signal of the industry's direction. The legacy iptables framework is being deprecated in favor of nftables. While early offloading efforts focused on iptables, the future is undoubtedly with nftables. The module's existence in default OpenWrt images signifies that .

[ Incoming Packet ]
        │
        ▼
[ Is flow established? ]
        ├── NO ──> [ CPU processes packet via firewall rules ] ──> [ Establish Flow ]
        │                                                                  │
        └── YES ──> [ Bypass standard CPU path via kmod-nft-offload ] ──────┘
                                                                           │
                                                                           ▼
                                                        [ Fast-forwarded to Destination ]

1. Software Flow Offloading


The nftables framework provides a more modern, consistent, and feature-rich API for managing network traffic. Its integration with hardware offload via the kmod-nft-offload module is a testament to its position as the successor to iptables.

Note: For the module to work, your router's hardware must support flow offloading. Most modern MediaTek (MT76xx), Qualcomm Atheros, and newer Broadcom chips in OpenWrt-supported devices support this feature.

Enabling kmod-nft-offload in OpenWrt

Once installed, you must configure the firewall to use it. Open /etc/config/firewall.
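An added example, not taken from the original page: a shell check that reads a UCI firewall file and reports which offloading mode it configures, useful when auditing which routers forward established flows outside the normal firewall path. It assumes the OpenWrt `config defaults` options `flow_offloading` and `flow_offloading_hw`, and that the hardware option only takes effect when `flow_offloading` is also set; the function name and the sample config are constructed for illustration.

```shell
#!/bin/sh
# offload_mode FILE
# Prints "hardware", "software" or "none" for a UCI firewall config file.
# Only options inside the "config defaults" section are considered.
# Hypothetical helper written for this example, not part of OpenWrt.
offload_mode() {
    awk -v q="'" '
        # Remove UCI quoting (single or double quotes) from a token.
        function strip(v) { gsub("[\"" q "]", "", v); return v }
        # Boolean spellings accepted as "enabled" (assumption of this example).
        function is_true(v) { return v ~ /^(1|on|true|yes)$/ }

        /^[ \t]*#/ { next }                          # skip comment lines
        $1 == "config" {                             # a new section starts
            in_defaults = (strip($2) == "defaults")
            next
        }
        in_defaults && $1 == "option" {
            name = strip($2); val = strip($3)
            if (name == "flow_offloading")    sw = is_true(val)
            if (name == "flow_offloading_hw") hw = is_true(val)
        }
        END {
            # Hardware offload is reported only when the base option is on too.
            if (sw && hw)  print "hardware"
            else if (sw)   print "software"
            else           print "none"
        }
    ' "$1"
}

# Constructed sample config, used only to demonstrate the function.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config defaults
	option input 'REJECT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
EOF
echo "configured offload mode: $(offload_mode "$sample")"
rm -f "$sample"
```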

The strategist made a simple observation: "Many of these packets are part of the same long conversation. Once the King has approved the first packet of a video stream or a large download, why must he look at every single one that follows?"

How the Magic Worked

The strategist implemented a plan called :

Because the CPU isn't "touching" every packet, it remains free to handle other tasks like VPN encryption (WireGuard), DNS filtering, or managing the web interface (LuCI).

Lower Latency:

kmod-nft-offload is particularly useful in scenarios where high network performance and security are critical:

The kmod-nft-offload module acts as a translator. It bridges the nftables configuration and the underlying hardware driver.