modprobe nft_offload Verify:
nft add table netdev filter nft add chain netdev filter forward type filter hook forward priority 0\; nft add rule netdev filter forward ip daddr 192.168.2.0/24 oif eth1 offload accept The offload keyword is what triggers the kernel to attempt hardware programming. kmod-nft-offload
With kmod-nft-offload + compatible hardware: modprobe nft_offload Verify: nft add table netdev filter
dnf install kmod-nft-offload On Debian/Ubuntu (module may be built-in or named differently, e.g., nft-offload ): How It Works Without offload:
lsmod | grep nft_offload Create a simple forwarding rule with offload:
Packet → NIC → Host CPU → nftables (kernel) → Forward/Drop → Host CPU → NIC → Wire Every packet consumes CPU cycles, limiting throughput, especially at 10 GbE, 25 GbE, or higher.
In short, it allows certain nftables rules (e.g., forwarding, DNAT, SNAT) to be programmed directly into that supports flow offloading. How It Works Without offload: