kmod-nft-offload

nft add rule ip filter forward offload ip protocol tcp counter accept

In OpenWrt, you can install the module via the command-line interface using opkg:

opkg update
opkg install kmod-nft-offload

Enabling via LuCI (Web Interface)

Log into your router’s web interface. Navigate to -> Firewall. Scroll down to the Routing/NAT Flow Offloading section.

Check (if your router supports it). Click Save & Apply.

Reduces CPU load to nearly 0%, allowing low-power chips to handle full gigabit throughput.

Key Benefits of Enabling kmod-nft-offload

Maximize Gigabit Throughput

Every single packet crosses the system bus (PCIe) and consumes CPU cycles. At 10 million packets per second (Mpps), this becomes unsustainable.

kmod-nft-offload translates this flow table entry into instructions that the underlying hardware switch chip or NIC network processor understands.

Note: For the module to work, your router's hardware must support flow offloading. Most modern MediaTek (MT76xx), Qualcomm Atheros, and newer Broadcom chips in OpenWrt-supported devices support this feature.

Enabling kmod-nft-offload in OpenWrt

Once installed, you must configure the firewall to use it. Open /etc/config/firewall.

Note that iptables-nft requires xt_ kmods for syntax checking, which may interact with native -nft- modules.

Conclusion

In the modern networking landscape, home routers and embedded gateways are expected to handle gigabit-speed internet connections while managing complex firewall rules, quality-of-service (QoS) configurations, and virtual private networks (VPNs). When a router processes every network packet via the main CPU, it can encounter a significant bottleneck.

nft list flowtables

To combat this, the Linux networking subsystem leverages hardware acceleration. One of the most critical kernel modules driving this efficiency in modern OpenWrt and Linux firewall architectures is .

: Allows budget routers to sustain gigabit WAN-to-LAN connections without dropping packets.

By bypassing the CPU for established flows, kmod-nft-offload allows packets to pass through the switch hardware, enabling speeds closer to the maximum capacity of your Gigabit Ethernet ports (up to 900+ Mbps).

2. Lower CPU Utilization

Driven directly by kmod-nft-offload, software offloading speeds up the software stack itself. Once a connection is identified as "established," the CPU bypasses the heavy code paths of the firewall.

While standard nftables rules are processed by the system's CPU, kmod-nft-offload allows the kernel to "offload" established network flows directly to compatible Network Interface Cards (NICs). This means once a connection is verified and established, the hardware takes over the heavy lifting, bypassing the CPU for subsequent packets in that stream.

How Flow Offloading Works