Kmod-nft-offload May 2026

nft -a list ruleset # Shows rule handles Check NIC offload counters:

ethtool -S eth1 | grep offload tc filter show dev eth1 ingress With increasing adoption of SmartNICs, DPUs, and switchdev mode, kmod-nft-offload represents a bridge between standard Linux netfilter and line-rate hardware processing . Future kernels will likely embed offload support deeper, making the module redundant — but for now, it remains the official key to unlocking hardware-accelerated nftables. Conclusion kmod-nft-offload is a small module with a huge impact. If you run a router, firewall, or load balancer on Linux at 10GbE+, and you’re using nftables, installing and enabling offload can cut CPU usage by an order of magnitude while pushing throughput to wire speed. Just ensure your NIC and driver support it — then let the hardware do the heavy lifting. Want to test if your current system supports nftables offload? Run nft -j list ruleset | grep offload and check your NIC’s ethtool features.

modprobe nft_offload Verify:

nft add table netdev filter nft add chain netdev filter forward type filter hook forward priority 0\; nft add rule netdev filter forward ip daddr 192.168.2.0/24 oif eth1 offload accept The offload keyword is what triggers the kernel to attempt hardware programming.

apt install linux-modules-extra-$(uname -r) Load the module: kmod-nft-offload

Packet → NIC → Host CPU → nftables (kernel) → Forward/Drop → Host CPU → NIC → Wire Every packet consumes CPU cycles, limiting throughput, especially at 10 GbE, 25 GbE, or higher.

lsmod | grep nft_offload Create a simple forwarding rule with offload: nft -a list ruleset # Shows rule handles

In short, it allows certain nftables rules (e.g., forwarding, DNAT, SNAT) to be programmed directly into that supports flow offloading. How It Works Without offload: