Kmod-nft-offload

It is a standard inclusion for modern OpenWrt targets like x86/64 and high-end ARM routers (e.g., Linksys E8450).

The output should confirm that flags offload is set.

nft add flowtable inet filter hw_flowtable { hook ingress priority 0 \; devices = { eth0, eth1 } \; flags offload \; }

When you enable software offloading, the first few packets of a new TCP or UDP connection pass through the complete firewall stack to ensure security policies are met. Once the connection is recognized as safe and established, kmod-nft-offload bypasses the entire firewall evaluation system for all subsequent packets in that specific stream.

In OpenWrt, the kmod-nft-offload module is typically installed as a dependency of the firewall4 package. However, if you need to install it manually or verify its presence:

While it supports generic software offloading (which reduces CPU load), its primary value lies in hardware flow offloading, where the networking hardware itself handles packet forwarding for established connections at near-line speeds.

Performance Impact and Use Cases

The effectiveness of this module can vary significantly based on your hardware and OpenWrt version:

Then, a rule is added to populate this hardware flowtable. Note that the rule's syntax is identical to the software case:

Check (only if your router chipset explicitly supports it). Click Save & Apply.

Option B: Using the Command Line Interface (CLI)

kmod-nft-offload is a specialized but vital module for high-performance Linux networking. It bridges the gap between the flexibility of software-defined networking (nftables) and the speed of hardware switching. If you are building a custom router or optimizing an OpenWrt setup, enabling this module with proper nftables rules is the key to achieving gigabit-speed firewalling.

The main reason to care about this module is . Without offloading, your router's CPU must process every single packet of a download, which can bottleneck high-speed fiber connections on lower-powered hardware.

uci set firewall.@defaults[0].flow_offloading='1'
uci set firewall.@defaults[0].flow_offloading_hw='1' # Only if your hardware supports it
uci commit firewall
/etc/init.d/firewall restart