Users have reported significant speed differences depending on whether offloading is active. For example, on some hardware, enabling offload can increase speeds from ~200Mbps to over 600Mbps, though actual results depend heavily on your specific router hardware and firmware configuration.
# Enable Software Offloading uci set firewall.@defaults[0].flow_offloading='1' # Enable Hardware Offloading (Requires hardware compatibility) uci set firewall.@defaults[0].flow_offloading_hw='1' # Commit changes and restart the firewall service uci commit firewall /etc/init.d/firewall restart Use code with caution. Verifying Active Offloading Status
Then, a rule is added to populate this hardware flowtable. Note that the rule's syntax is identical to the software case:
To check if your NIC driver advertises hardware offload capabilities, you can use the ethtool command and look for the hw-tc-offload feature: kmod-nft-offload
ethtool -K <interface> hw-tc-offload on
If you are configuring a modern router (like the NanoPi R2S or similar Rockchip-based devices), you might encounter errors if you try to manually install legacy packages like kmod-nft-nat6
: To offload the flow to the network hardware itself, the offload flag is required within the flowtable definition. This is the primary use case for the kmod-nft-offload kernel module. Verifying Active Offloading Status Then, a rule is
: Some network drivers expose hardware offload statistics. For example, on MediaTek platforms with PPE support, you might find detailed statistics in debugfs:
nft add rule ip filter forward iif eth0 oif eth1 ip daddr 192.168.1.0/24 offload
If you are running a modern Linux router (such as OpenWrt) or a high-performance firewall, you may have encountered the package kmod-nft-offload . While standard firewall rules process packets using the CPU, this module enables the kernel to offload those rules directly to the network hardware (Network Interface Card or Switch). : Some network drivers expose hardware offload statistics
opkg update opkg install kmod-nft-offload
: Lower CPU consumption reduces chip temperatures, expanding hardware longevity in compact, fanless router enclosures.
cat /sys/kernel/debug/mtk_ppe/offload
In this kingdom, the was the King. Every piece of data—called a "packet"—that entered the kingdom had to be inspected by the King. He had to check their passports (IP addresses), their luggage (ports), and decide where they were allowed to go based on the Laws of the Land (the Firewall rules ).