To appreciate what this module does, it helps to understand the "fast path" vs. "slow path" architecture:
If hardware offloading is enabled via kmod-nft-offload , the kernel sends a message to the NIC's firmware. The hardware then creates a shortcut for that specific flow.
As networking demands continue to scale, the role of hardware acceleration becomes more vital. kmod-nft-offload provides a stable, enterprise-ready way to leverage the power of modern NICs, ensuring that your Linux infrastructure remains fast, responsive, and efficient under even the heaviest traffic loads. Kmod-nft-offload Apr 2026 kmod-nft-offload
Your firewall rules must be written to support the flowtable directive. A typical configuration looks like this:
Servers running multiple Virtual Machines (VMs) where networking overhead can quickly eat into available resources. To appreciate what this module does, it helps
table inet filter { flowtable f { hook ingress priority 0 devices = { eth0, eth1 } } chain forward { type filter hook forward priority 0; policy accept; ip protocol { tcp, udp } flow offload @f } } Use code with caution. When to Use It
Not all NICs support flow offloading. You generally need enterprise-grade hardware from vendors like Mellanox (Nvidia), Intel, or Netronome. As networking demands continue to scale, the role
When a new connection (like a TCP handshake) arrives, it is processed by the CPU. The nftables engine checks the rules, determines if the traffic is allowed, and sets up a connection tracking entry.