Kmod-nft-offload Work Access

In modern OpenWrt releases (version 22.03 and later), the firewall shifted from iptables to nftables. kmod-nft-offload is the kernel module that provides the underlying support for Software Flow Offloading and Hardware Flow Offloading within this nftables environment.

This ensures the module is built into the final image.

Check Software flow offloading (and Hardware flow offloading if your device hardware explicitly supports it). Click Save & Apply.

Summary of Benefits

: Typically used in OpenWrt versions 21.02 and newer, often in conjunction with firewall4 and nftables.

kmod-nft-nat: Required for offloading Network Address Translation (NAT) operations.

To integrate seamlessly with OpenWrt's default nftables-based firewall (fw4), you can create custom nftables configuration files. This example creates a hardware flowtable named pft and a custom chain lans that offloads flows to it. The flowtable and chain are then integrated into the overall fw4 processing flow.

While highly effective, kmod-nft-offload changes how packets move through the system, which can break certain advanced network features:

Because offloaded packets bypass the Linux CPU completely, features like Quality of Service (QoS), SQM bufferbloat control, traffic shaping, and deep packet inspection (DPI) cannot see the traffic. If you require strict bandwidth shaping, offloading must be disabled.

In a standard software-based firewall, every packet that passes through the network interface must be examined by the CPU. The CPU looks at the packet headers, compares them against the firewall rules, and decides to accept or drop them. On high-speed networks (1Gbps, 10Gbps, or higher), this consumes significant CPU resources and can create a bottleneck.

Once offloaded, the hardware processes the packets independently, freeing up the CPU for other tasks (like routing, VPN encryption, or serving files).

Despite its benefits, configuring hardware offload can sometimes be challenging. Here's a guide to common issues and their solutions:

uci set firewall.@defaults[0].flow_offloading='1'
uci set firewall.@defaults[0].flow_offloading_hw='1' # Only if your hardware supports it
uci commit firewall
/etc/init.d/firewall restart

This mechanism identifies long-lived, established network streams (flows). Once a connection is verified and established by the CPU, the routing rule is "pushed" down into the network hardware. Subsequent packets in that specific stream bypass the CPU entirely.

The Role of kmod-nft-offload

opkg update
opkg install kmod-nft-offload

For advanced users or those on non-OpenWrt systems, you can configure hardware offload manually using the nft command-line tool. The following configuration example demonstrates how to create a hardware-offloaded flowtable for two interfaces, enp2s0 and enp3s0:

Routers that might top out at 400-500 Mbps in software-only mode can often reach full Gigabit speeds (1000 Mbps) with hardware offloading enabled.

Reduced CPU Load: