This public link is valid for 7 days and shares a thread, including any personal information you added. This link or copies made by others cannot be deleted. If you share with third parties, their policies apply. Can’t copy the link right now. Try again later.
# Establish a flow offload "faster" path for accepted traffic # This sends matching packets to the hardware tcp flags & (fin
In most modern OpenWrt builds (22.03 and newer), nftables is the default firewall backend. Install the module via the command-line interface: opkg update opkg install kmod-nft-offload Use code with caution. Configuration via LuCI (Web Interface) Log into your OpenWrt dashboard. Navigate to -> Firewall . Locate the Routing/NAT Offloading section. Check Software flow offloading (optional layer).
If you are running OpenWrt on a compatible device, enabling this feature can be done via the command line or the LuCI web interface. Via the LuCI Web Interface Navigate to > Firewall . Scroll down to the Routing/NAT Offloading section. kmod-nft-offload
table inet filter flowtable ft hook ingress priority filter devices = eth0, eth1 flags offload; # This flag enforces hardware offloading via kmod-nft-offload chain forward type filter hook forward priority filter; policy accept; meta l4proto tcp, udp flow add @ft Use code with caution. Current Limitations and Considerations
Hardware-level switching handles packets at wirespeed. This removes the variable delay introduced by CPU scheduling, resulting in lower ping times and stable gaming streams. Hardware Compatibility
Hardware offloading takes things a step further. Instead of the main CPU handling the bypassed flow, the instructions are pushed directly down into the router's physical network switch chip or Network Processing Unit (NPU) (e.g., MediaTek or Qualcomm chipsets). This public link is valid for 7 days
The kmod-nft-offload kernel module is a hidden gem in the Linux networking stack. It bridges the gap between high-level configuration via nftables and the blistering speed of modern SmartNICs.
You can directly alter the subsystem using Unified Configuration Interface (UCI) commands over an SSH connection:
: To function correctly, it typically requires other kernel modules, including: kmod-nf-flow : Handles the core flow table logic. Can’t copy the link right now
As OpenWrt has matured, the way offloading is handled has changed. For instance, in newer kernel versions (5.1+), many IPv4 and IPv6 NAT packages were merged to simplify the codebase.
You cannot offload ct state established easily because the hardware would need to maintain stateful timers. For true offload, use stateless rules or ensure tc can offload the connection tracking (requires advanced hardware with full conntrack offload, like Mellanox ASAP²).