In the world of modern Linux networking, efficiency is everything. As multi-gigabit connections become standard, the overhead of processing every packet on the CPU can become a significant bottleneck. This is where kmod-nft-offload comes into play: a kernel module package designed to bridge the gap between high-level firewall rules and high-speed hardware processing.

What is kmod-nft-offload?

To appreciate what this module does, it helps to understand the "fast path" vs. "slow path" architecture. On the slow path, every packet of a connection is handled by the CPU through the full netfilter pipeline. On the fast path, once a flow has been established, subsequent packets are matched against a flowtable and skip that processing. If hardware offloading is enabled via kmod-nft-offload, the kernel sends a message to the NIC's firmware, and the hardware then creates a shortcut for that specific flow.

Hardware is purpose-built for packet switching. Offloading allows systems to reach line-rate speeds (e.g., 10 Gbps, 40 Gbps, or 100 Gbps) that might otherwise saturate a standard CPU. Processing packets in specialized silicon is also generally more power-efficient than using general-purpose CPU cycles.

Prerequisites and Compatibility

Modern Linux kernels (5.x and above) have the core infrastructure, but the specific kmod package ensures all dependencies are met for your specific distribution. Your firewall rules must be written to support the flowtable directive. A typical configuration looks like this:

```
table inet filter {
    flowtable f {
        hook ingress priority 0; devices = { eth0, eth1 };
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip protocol { tcp, udp } flow offload @f
    }
}
```

As written, this flowtable uses the in-kernel software fast path. Handing flows to the NIC additionally requires `flags offload;` inside the flowtable block and a NIC driver that supports flowtable offload; without both, traffic still bypasses the full netfilter pipeline but is switched by the CPU.

When to Use It

kmod-nft-offload is not a "magic button" for every home PC. It is most effective in:
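The prerequisites above in runnable form, as an added example that is not part of the original page or the kmod-nft-offload package: a POSIX shell script that generates the flowtable ruleset in either its software or hardware variant, checks that the interfaces named in the flowtable exist, checks the NIC's `hw-tc-offload` feature that the hardware path depends on, and dry-runs the result through `nft -c` when nft is installed. Interface names are constructed for illustration; the rule uses the current `flow add @f` spelling and restricts offload to established connections, which differs from the page's `flow offload @f` form.

```shell
#!/bin/sh
# Added example (not from the original page): build and sanity-check an
# nftables flowtable ruleset. Interface names are constructed for illustration.

# gen_ruleset MODE DEV [DEV...]
# Prints a ruleset with a flowtable over the given devices.
# MODE "software" uses the in-kernel fast path only; MODE "hardware" adds
# "flags offload;" so the kernel asks the NIC driver to install the flow.
gen_ruleset() {
    mode="$1"; shift
    devs=$(printf '%s, ' "$@"); devs="${devs%, }"
    printf 'table inet filter {\n'
    printf '    flowtable f {\n'
    printf '        hook ingress priority 0; devices = { %s };\n' "$devs"
    if [ "$mode" = "hardware" ]; then
        printf '        flags offload;\n'
    fi
    printf '    }\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy accept;\n'
    # Only established connections enter the flowtable; the first packets
    # of a flow still take the slow path through conntrack.
    printf '        ip protocol { tcp, udp } ct state established flow add @f\n'
    printf '    }\n'
    printf '}\n'
}

# check_devices DEV [DEV...]
# Returns 1 if any interface named in the flowtable does not exist, so a
# typo in the devices list is caught before the ruleset is loaded.
check_devices() {
    rc=0
    for d in "$@"; do
        if [ ! -e "/sys/class/net/$d" ]; then
            echo "missing interface: $d" >&2
            rc=1
        fi
    done
    return $rc
}

# check_hw_offload DEV
# Returns 0 if ethtool reports hw-tc-offload enabled on DEV, which the
# hardware flowtable path requires; otherwise prints a hint and returns 1.
check_hw_offload() {
    command -v ethtool >/dev/null 2>&1 || { echo "ethtool not found" >&2; return 1; }
    if ethtool -k "$1" 2>/dev/null | grep -q 'hw-tc-offload: on'; then
        return 0
    fi
    echo "hw-tc-offload is off on $1 (enable with: ethtool -K $1 hw-tc-offload on)" >&2
    return 1
}

# validate_ruleset < ruleset
# Dry-run the ruleset through nft (-c checks syntax without loading it)
# when nft is available; otherwise consume stdin and report the skip.
validate_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        cat >/dev/null
    fi
}

# Usage (as root on the router; interface names are assumptions):
#   check_devices eth0 eth1 && check_hw_offload eth0 && \
#   gen_ruleset hardware eth0 eth1 | validate_ruleset && \
#   gen_ruleset hardware eth0 eth1 | nft -f -
```

The generator keeps the software and hardware variants one flag apart so a router can be brought up on the software fast path first and switched to `flags offload;` only after `check_hw_offload` passes on every device in the flowtable.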