Check offload status:
ethtool -S eth1 | grep offload tc filter show dev eth1 ingress With increasing adoption of SmartNICs, DPUs, and switchdev mode, kmod-nft-offload represents a bridge between standard Linux netfilter and line-rate hardware processing . Future kernels will likely embed offload support deeper, making the module redundant — but for now, it remains the official key to unlocking hardware-accelerated nftables. Conclusion kmod-nft-offload is a small module with a huge impact. If you run a router, firewall, or load balancer on Linux at 10GbE+, and you’re using nftables, installing and enabling offload can cut CPU usage by an order of magnitude while pushing throughput to wire speed. Just ensure your NIC and driver support it — then let the hardware do the heavy lifting. Want to test if your current system supports nftables offload? Run nft -j list ruleset | grep offload and check your NIC’s ethtool features.
Packet → NIC → Host CPU → nftables (kernel) → Forward/Drop → Host CPU → NIC → Wire Every packet consumes CPU cycles, limiting throughput, especially at 10 GbE, 25 GbE, or higher.
In short, it allows certain nftables rules (e.g., forwarding, DNAT, SNAT) to be programmed directly into that supports flow offloading. How It Works Without offload:
modprobe nft_offload Verify:
dnf install kmod-nft-offload On Debian/Ubuntu (module may be built-in or named differently, e.g., nft-offload ):
lsmod | grep nft_offload Create a simple forwarding rule with offload:
nft -a list ruleset # Shows rule handles Check NIC offload counters:
Check offload status:
ethtool -S eth1 | grep offload tc filter show dev eth1 ingress With increasing adoption of SmartNICs, DPUs, and switchdev mode, kmod-nft-offload represents a bridge between standard Linux netfilter and line-rate hardware processing . Future kernels will likely embed offload support deeper, making the module redundant — but for now, it remains the official key to unlocking hardware-accelerated nftables. Conclusion kmod-nft-offload is a small module with a huge impact. If you run a router, firewall, or load balancer on Linux at 10GbE+, and you’re using nftables, installing and enabling offload can cut CPU usage by an order of magnitude while pushing throughput to wire speed. Just ensure your NIC and driver support it — then let the hardware do the heavy lifting. Want to test if your current system supports nftables offload? Run nft -j list ruleset | grep offload and check your NIC’s ethtool features.
Packet → NIC → Host CPU → nftables (kernel) → Forward/Drop → Host CPU → NIC → Wire Every packet consumes CPU cycles, limiting throughput, especially at 10 GbE, 25 GbE, or higher.
In short, it allows certain nftables rules (e.g., forwarding, DNAT, SNAT) to be programmed directly into that supports flow offloading. How It Works Without offload:
modprobe nft_offload Verify:
dnf install kmod-nft-offload On Debian/Ubuntu (module may be built-in or named differently, e.g., nft-offload ):
lsmod | grep nft_offload Create a simple forwarding rule with offload:
nft -a list ruleset # Shows rule handles Check NIC offload counters:
