Note that iptables-nft requires xt_ kmods for syntax checking, which may interact with native -nft- modules.

Conclusion
In OpenWrt, this package enables hardware acceleration features, significantly improving routing performance on devices with supporting Network Processing Units (NPUs) or advanced Switch-on-Chip (SoC) architectures.

The Problem: Software-Based Networking

Traditionally, when a packet arrives at a router:

NIC: The Network Interface Card receives the packet.
At high speeds (>1 Gbps), this process consumes massive amounts of CPU cycles, bottlenecking the network throughput.

The Solution: Hardware Offload with kmod-nft-offload
kmod-nft-offload creates a "fast path." The first few packets of a new connection are handled by the CPU (software path) to determine if they match firewall rules. If the connection is allowed, the module "offloads" the connection state to the network hardware.
In OpenWrt, offloading is typically categorized into two types, both of which utilize the capabilities provided by this module:
kmod-nft-offload is production-ready for scenarios (routers, vSwitch acceleration, 5G UPF). Avoid using with complex stateful rulesets.
As OpenWrt has matured, the way offloading is handled has changed. For instance, in newer kernel versions (5.1+), many IPv4 and IPv6 NAT packages were merged to simplify the codebase.
echo 'file nft_offload.c +p' > /sys/kernel/debug/dynamic_debug/control
dmesg -w | grep -i offload
uci set firewall.@defaults[0].flow_offloading=1
uci set firewall.@defaults[0].flow_offloading_hw=1
uci commit firewall
/etc/init.d/firewall restart

kmod-nft-offload vs. kmod-natflow
Check the box for (requires kmod-nft-offload). Click Save & Apply.

Critical Trade-offs and Limitations