| Supported | Not Supported | |-----------|----------------| | IPv4/IPv6 forwarding | Dynamic NAT (SNAT/DNAT with port mapping) | | Simple VLAN tagging | Bridge port isolation | | Basic conntrack (established/related) | Rules with log , queue , limit | | Matching on input/output interfaces | Stateful expressions (e.g., ct state new in same flow) |
Your firewall rules must be written to support the flowtable directive. A typical configuration looks like this:
framework. By offloading flows, the router can skip several expensive networking stack steps for established connections, significantly reducing CPU usage and increasing maximum transfer speeds—especially on Gigabit connections. Key Technical Details Dependencies : This module typically requires kmod-nf-flow kmod-nft-nat to function. Implementation : It works by utilizing the Linux kernel's nf_flow_table_offload.c kmod-nft-offload
In the world of modern Linux networking, efficiency is everything. As multi-gigabit connections become standard, the overhead of processing every packet through the CPU can become a significant bottleneck. This is where comes into play—a kernel module designed to bridge the gap between high-level firewall rules and high-speed hardware processing. What is kmod-nft-offload ?
nft list chain netdev filter ingress -a
nft list flowtables
While standard nftables rules are processed by the system's CPU, kmod-nft-offload allows the kernel to "offload" established network flows directly to compatible Network Interface Cards (NICs). This means once a connection is verified and established, the hardware takes over the heavy lifting, bypassing the CPU for subsequent packets in that stream. How Flow Offloading Works Key Technical Details Dependencies : This module typically
In strict terms, kmod-nft-offload is not a standalone piece of software you install via yum or apt-get . Instead, it is a collective term used within distributions like Fedora, CentOS, RHEL, and Arch Linux to represent the kernel module supporting the mechanism for nftables.