Distribution-specific:
```
# Fedora / RHEL
dnf install kmod-nft-offload
```
kmod-nft-offload is a Linux kernel module that allows nftables rules to be offloaded directly to network hardware (smart NICs or switches) that supports flow offloading.
In simple terms:
🔧 kmod = kernel module
🔧 nft = nftables framework
🔧 offload = push work to hardware
Installing the module does not automatically offload rules. You must explicitly tell nftables which flows to offload. This is done using the `flow offload` keyword in your nftables syntax.
Example nftables configuration:
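```
table inet firewall {
    # Define the flow table
    flowtable ft { hook ingress priority 0; devices = { eth0, eth1 }; }
    chain forward {
        # Base-chain hook assumed; the source truncates this line and the start of the next rule ("... rst) == 0")
        type filter hook forward priority 0;
        ct state established,related flow offload @ft
        # Standard acceptance rule
        ct state established,related accept
    }
}
```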
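Because installing the module offloads nothing by itself, it is worth checking what a loaded ruleset actually requests. The following is an added example, not code from the original page: it parses ruleset text in the syntax shown above and reports, per flowtable, whether any `flow offload` / `flow add` rule references it and whether it sets `flags offload`, which in upstream nftables is the flowtable flag that requests hardware offload (without it the flowtable is a software fast path). The sample ruleset and the names `unused`, `missing` and `eth2` are constructed.

```python
import re

# Constructed sample ruleset; the names "unused", "missing" and eth2 are illustrative.
SAMPLE = """
table inet firewall {
    flowtable ft {
        hook ingress priority 0; devices = { eth0, eth1 };
    }
    flowtable unused {
        hook ingress priority 0; devices = { eth2 };
        flags offload;
    }
    chain forward {
        type filter hook forward priority 0;
        ct state established,related flow offload @ft
        ip protocol udp flow add @missing
        ct state established,related accept
    }
}
"""

def flowtables(ruleset):
    """Map flowtable name -> body text; braces are matched because devices = { ... } nests."""
    found = {}
    for m in re.finditer(r"\bflowtable\s+([\w-]+)\s*\{", ruleset):
        depth, i = 1, m.end()
        while depth and i < len(ruleset):
            depth += {"{": 1, "}": -1}.get(ruleset[i], 0)
            i += 1
        found[m.group(1)] = ruleset[m.end():i - 1]
    return found

def audit(ruleset):
    """Return (per-flowtable report, names referenced by rules but never defined)."""
    ruleset = re.sub(r"#.*", "", ruleset)  # drop comments before matching
    tables = flowtables(ruleset)
    used = set(re.findall(r"\bflow\s+(?:offload|add)\s+@([\w-]+)", ruleset))
    report = {}
    for name, body in tables.items():
        devs = re.search(r"devices\s*=\s*\{([^}]*)\}", body)
        report[name] = {
            "referenced": name in used,  # False: defined, but no rule feeds it
            "hardware": bool(re.search(r"\bflags\s+offload\b", body)),
            "devices": [d.strip() for d in devs.group(1).split(",")] if devs else [],
        }
    return report, sorted(used - set(tables))

if __name__ == "__main__":
    report, undefined = audit(SAMPLE)
    for name, info in report.items():
        print(name, info)
    print("undefined flowtable references:", undefined)
```

To run it against a live host, pass the text output of `nft list ruleset` to `audit()` instead of `SAMPLE`.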
Key Syntax Breakdown:
| Scenario | Software PPS | Offloaded PPS |
|-----------------------|--------------|----------------|
| Simple forward (UDP) | 1.2 M | 9.8 M |
| 5-tuple ACL (100 rules) | 0.9 M | 7.2 M |