kmod-nft-offload is particularly useful in scenarios where high network performance and efficiency are critical, such as:
Bypassing the CPU for established streams drops CPU utilization from 100% down to near 0%. This frees up processing power for other critical router tasks, including:
- Running a WireGuard VPN server
- Managing local network storage (NAS)
- Processing complex container apps (Docker)

3. Lower Latency and Jitter
kmod-nft-offload is an essential package for anyone looking to squeeze maximum performance out of an OpenWrt router. By shifting the heavy lifting of packet forwarding away from the main firewall logic, it transforms modest hardware into a high-throughput routing powerhouse. If you have a high-speed internet connection and do not rely on complex per-packet QoS queuing, keeping this module active is highly recommended.
Understanding kmod-nft-offload: Boosting Network Performance with Hardware Acceleration
kmod-nft-offload is a kernel module package in OpenWrt. It enables hardware-based flow offloading for the Netfilter (nftables) firewall subsystem.

How it Works
The CPU performs NAT, filtering, and routing decisions.
Forwarding: The packet is sent to the outgoing interface.
When traffic passes through a router, the CPU normally inspects every single packet against a list of firewall rules. With kmod-nft-offload active, once a network connection (flow) is established and validated, subsequent packets bypass the standard CPU routing stack entirely.

How Flow Offloading Works
Low-power embedded devices (like home routers powered by MediaTek, Atheros, or Marvell SoCs) often struggle to route 1 Gbps or 2.5 Gbps traffic using software alone. Hardware offloading unlocks the physical speed limit of the hardware ports.
nft add rule inet filter forward oif "eth0" snat to 10.0.0.1
: The CPU processes it via nftables rules to determine its destination.
echo 'file nft_offload.c +p' > /sys/kernel/debug/dynamic_debug/control
dmesg -w | grep -i offload