Unlocking Wire-Speed Networking: A Deep Dive into kmod-nft-offload and Hardware Acceleration
In the world of Linux networking, the mantra has long been "software-defined flexibility." The nftables framework revolutionized packet filtering by replacing the older iptables with a more efficient, expressive, and stateful system. However, as network interface card (NIC) speeds climb from 10GbE to 100GbE and beyond, even the most optimized kernel networking stack struggles to keep up without consuming massive CPU resources.
Enter hardware offloading. This is where the unassuming kernel module kmod-nft-offload takes center stage. This article explores what this module is, how it works, and how you can leverage it to transform your Linux box from a software bottleneck into a wire-speed forwarding engine.
Quick start
# Clone / install the module
git clone https://github.com/your-repo/kmod-nft-offload
cd kmod-nft-offload
make && sudo make install
2. Offload Doesn't Engage for Conntrack
A flowtable never takes over a connection on its first packet: the flow add rule only fires once conntrack has seen both directions and marked the connection established, and it only handles TCP and UDP. Connections that stay in the slow path are usually explained by one of three things: the rule sits after a generic ct state established accept and is never reached, the flowtable lacks flags offload (so it is a software fastpath, not a hardware one), or the NIC driver cannot offload conntrack-tracked flows at all. True hardware offload of tracked connections requires driver support for flowtable offload, such as Mellanox ASAP² (mlx5); plain tc-flower support is not enough. To tell the cases apart, check the conntrack entry in /proc/net/nf_conntrack: [HW_OFFLOAD] means the driver accepted the flow, [OFFLOAD] means it is handled by the software flowtable, and [ASSURED] with a timeout means it is still on the slow path.
Step 3: Create the nftables Ruleset
We will offload a simple forward between two interfaces (eth0 to eth1).
# Create a table in the ip family. Flowtables live in ip, ip6 or inet tables, not in the netdev family.
nft add table ip filter
Conclusion
The kmod-nft-offload kernel module is a hidden gem in the Linux networking stack. It bridges the gap between high-level configuration via nftables and the blistering speed of modern SmartNICs.
Key Takeaways:
- Do not count on hardware offload with standard 1GbE NICs or with rules that need per-packet inspection; the software flowtable can still help on small routers, but the hardware path is what this article is about.
- Do use it if you run a router/firewall on 25GbE+ Mellanox hardware with simple forwarding logic.
- Remember: Hardware offload is not magic; it is a tradeoff. You sacrifice flexibility (offloaded packets skip your chains, so no logging or counters on them, and only what the NIC can represent, such as limited NAT) for speed.
By mastering kmod-nft-offload, you transform your Linux server from a packet processor into a high-performance switching fabric, all while maintaining the open-source, flexible tooling you already love.
Further Reading:
- Kernel source:
drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
- man pages:
man nft (see the "FLOWTABLE" and "FLOW" sections)
- Linux kernel documentation:
Documentation/networking/nf_flowtable.rst
How to Use It (Configuration)
To use nft-offload, you define a flowtable in your nftables configuration, list the interfaces it covers, and push selected connections into it with the flow add statement. Whether the flowtable is backed by the NIC is decided by the flowtable's flags offload option; without it the flowtable still works, but as a software fastpath inside the kernel.
Example nft configuration syntax:
table ip filter {
    # 1. Define the flowtable. 'flags offload' asks the NIC driver to program
    #    the flows into hardware; leave it out for a software-only fastpath.
    flowtable f1 {
        hook ingress priority 0;
        devices = { eth0, eth1 };
        flags offload;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # 2. Offload established TCP connections to the flowtable. This rule
        #    must come before the generic accept below; otherwise established
        #    packets are accepted first and this rule is never reached.
        meta l4proto tcp ct state established flow add @f1
        # 3. Standard policy
        ct state established, related accept
    }
}
What happens here?
- The flowtable f1 hooks at the ingress of eth0 and eth1, the earliest point in the packet path.
- Once a TCP connection is established, the rule flow add @f1 adds the connection's tuple (addresses, ports, protocol) to the flowtable. With flags offload set on the flowtable, the kernel also asks the NIC driver to program that tuple into hardware; the conntrack entry then shows [HW_OFFLOAD] instead of [OFFLOAD].
- Subsequent packets of that connection are forwarded from the flowtable entry instead of walking conntrack, routing and the netfilter chains again; in the hardware case they never reach the CPU at all.
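The two questions a practitioner asks after loading a ruleset like the one above are "is the flowtable hardware-backed?" and "did my connections actually get offloaded?" (the failure mode described under "Offload Doesn't Engage for Conntrack"). The following script is an added example, not code from the article or from the kmod-nft-offload project: it renders the flowtable ruleset for a given interface pair with or without flags offload, and classifies conntrack entries read from /proc/net/nf_conntrack into hardware-offloaded, software-offloaded and slow-path flows. The conntrack lines embedded in it are constructed samples; the [OFFLOAD] and [HW_OFFLOAD] markers and the missing timeout column on offloaded entries are what the kernel's nf_conntrack_standalone.c prints.

```python
"""Render a flowtable ruleset and check which conntrack entries were offloaded.

Added example, not part of the original article. Run with no arguments to
use the constructed sample below, or pass /proc/net/nf_conntrack (as root)
to inspect a live system.
"""
import re
import sys
from collections import Counter


def render_ruleset(devices, hw_offload=False, name="f1"):
    """Return an nft ruleset that pushes established TCP/UDP flows into a flowtable.

    hw_offload=True adds 'flags offload', which is what makes the kernel hand the
    flows to the NIC driver; without it the flowtable is a software fastpath.
    """
    flags = "        flags offload;\n" if hw_offload else ""
    devs = ", ".join(devices)
    return f"""table ip filter {{
    flowtable {name} {{
        hook ingress priority 0;
        devices = {{ {devs} }};
{flags}    }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        # flow add must precede the generic established accept, otherwise the
        # accept short-circuits the chain and nothing is ever offloaded
        meta l4proto {{ tcp, udp }} ct state established flow add @{name}
        ct state established,related accept
    }}
}}
"""


# Status flags the kernel prints in square brackets on each conntrack line.
STATUS_RE = re.compile(r"\[(HW_OFFLOAD|OFFLOAD|ASSURED|UNREPLIED)\]")
# Original-direction tuple: first src/dst/sport/dport group on the line.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def classify(line):
    """Map one /proc/net/nf_conntrack line to 'hw', 'sw' or 'slow'.

    Offloaded entries omit the timeout column, so columns shift; match the
    bracketed status token instead of relying on field positions.
    """
    flags = set(STATUS_RE.findall(line))
    if "HW_OFFLOAD" in flags:
        return "hw"
    if "OFFLOAD" in flags:
        return "sw"
    return "slow"


def summarize(lines):
    """Count flows per class and collect the tuples still on the slow path."""
    counts = Counter()
    slow_tuples = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        kind = classify(line)
        counts[kind] += 1
        if kind == "slow":
            m = TUPLE_RE.search(line)
            if m:
                slow_tuples.append(m.groups())
    return counts, slow_tuples


# Constructed sample: one hardware-offloaded TCP flow, one software-offloaded
# UDP flow, one established-but-not-offloaded flow, one half-open connection.
SAMPLE = """\
ipv4     2 tcp      6 ESTABLISHED src=10.0.0.2 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=10.0.0.2 sport=443 dport=51234 [HW_OFFLOAD] mark=0 zone=0 use=2
ipv4     2 udp      17 src=10.0.0.3 dst=203.0.113.53 sport=40001 dport=53 src=203.0.113.53 dst=10.0.0.3 sport=53 dport=40001 [OFFLOAD] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.4 dst=203.0.113.20 sport=51235 dport=22 src=203.0.113.20 dst=10.0.0.4 sport=22 dport=51235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.5 dst=203.0.113.30 sport=51236 dport=80 [UNREPLIED] src=203.0.113.30 dst=10.0.0.5 sport=80 dport=51236 mark=0 zone=0 use=2
"""


def main():
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = open(path).read().splitlines() if path else SAMPLE.splitlines()
    counts, slow = summarize(lines)
    print(f"hw={counts['hw']} sw={counts['sw']} slow={counts['slow']}")
    for src, dst, sport, dport in slow:
        print(f"still on slow path: {src}:{sport} -> {dst}:{dport}")
    print(render_ruleset(["eth0", "eth1"], hw_offload=True))


if __name__ == "__main__":
    main()
```

A flow that shows [OFFLOAD] on a ruleset that has flags offload means the driver declined it; on mlx5 make sure hw-tc-offload is enabled on the interface (ethtool -K eth0 hw-tc-offload on) before looking further. Half-open connections such as the SYN_SENT entry are expected on the slow path: the flowtable only takes over once both directions have been seen.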
kmod-nft-offload: accelerating nftables with hardware offload
Key Components
- Network Drivers: The network card driver must expose the offload entry points (ndo_setup_tc and the flow block API that the flowtable uses). tc-flower classification offload is available in many drivers, including Mellanox (mlx5), Intel (ixgbe, i40e) and Netronome (nfp), but flowtable offload of conntrack-tracked flows is a narrower set with mlx5 as the reference implementation; check your driver before planning on it.
- Netfilter Infrastructure: The module provides the flow add statement (the kernel's nft_flow_offload expression) on top of the netfilter flowtable core, and the flowtable's flags offload option selects hardware backing.
- TC (Traffic Control) Flower: Under the hood, nftables hardware offloading maps flows to the same flow_rule representation the tc-flower hardware API uses, which is the industry standard for hardware classification on Linux.