Kmod-nft-offload

The nftables framework checks for hardware offload capabilities during the rule preparation phase. If a user requests hardware offload for a chain (using NFT_CHAIN_HW_OFFLOAD), the kernel verifies whether the underlying network device supports the .ndo_setup_tc callback. This validation ensures that offload requests are only attempted on compatible hardware.

: Leverages specific chips (like those from MediaTek or Marvell) to handle packets entirely in the network switch hardware, resulting in nearly 0% CPU usage.

🔍 Troubleshooting Common Issues

Compatibility

# Create a table with netdev family (best for forwarding offload)
nft add table netdev filter

: Subsequent packets skip the CPU entirely, routed directly by the network interface card (NIC) or System-on-Chip (SoC) hardware.

Performance Impact: Software vs. Hardware

This module requires hardware driver support. If your device's network chip lacks an engine capable of flow offloading, installing kmod-nft-offload will provide no performance benefit.

sudo modprobe nft_offload
# Verify it exists in kernel modules list
lsmod | grep nft_offload

table inet filter {
    flowtable f {
        hook ingress priority 0;
        devices = { eth0, eth1 };
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip protocol { tcp, udp } flow offload @f
    }
}

When to Use It

make M=net/netfilter/ modules
insmod net/netfilter/nft_offload.ko

: If supported by the router's SoC (System on Chip), it can hand off packet processing directly to the hardware network switch/acceleration engine.

Technical Details

High-traffic gateways that move massive amounts of data between networks.

: The main CPU inspects every network packet. The CPU applies firewall rules, routes the packet, and modifies headers. This process consumes significant CPU cycles.