Kmod-nft-offload

The kmod-nft-offload module acts as a translator. It bridges the nftables configuration and the underlying hardware driver.

make M=net/netfilter/ modules
insmod net/netfilter/nft_offload.ko

Activation example:

# Enable hardware offload globally
sysctl -w net.netfilter.nf_flow_offload=1

kmod-nft-offload is useless without supported hardware. You cannot offload to a standard Realtek or Intel PRO/1000.

Supported NIC Families:

Checklist for compatibility:

# Check if your driver supports TC offload
ethtool -k eth0 | grep hw-tc-offload
# Output should be: hw-tc-offload: on
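
The grep above only shows the raw line. As an added example (not part of the original page or of the kmod-nft-offload project), the script below classifies that line, including the "[fixed]" and "[requested on]" annotations ethtool prints when a driver cannot change a feature or has not applied a requested change. The function names, the result labels and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the hw-tc-offload line of `ethtool -k` output.

# Reads `ethtool -k <iface>` output on stdin and prints one label:
#   enabled      feature is on
#   disabled     off, but toggleable: ethtool -K <iface> hw-tc-offload on
#   unsupported  "off [fixed]": the driver cannot turn it on
#   pending      "off [requested on]": requested but not active
#   missing      no hw-tc-offload line in the output
classify_tc_offload() {
    awk '
        /^[ \t]*hw-tc-offload:/ {
            found = 1
            state = $0
            sub(/^[^:]*:[ \t]*/, "", state)   # keep only the text after the colon
            if (state ~ /^on/)                     print "enabled"
            else if (state ~ /\[fixed\]/)          print "unsupported"
            else if (state ~ /\[requested on\]/)   print "pending"
            else                                   print "disabled"
            exit
        }
        END { if (!found) print "missing" }
    '
}

# Live check of one interface (needs ethtool; prints "missing" on failure).
check_iface() {
    ethtool -k "$1" 2>/dev/null | classify_tc_offload
}

# Constructed sample outputs, not captured from real hardware.
SAMPLE_ON='Features for eth0:
rx-checksumming: on
hw-tc-offload: on'
SAMPLE_FIXED='Features for eth1:
rx-checksumming: on
hw-tc-offload: off [fixed]'
SAMPLE_OFF='Features for eth2:
hw-tc-offload: off'
SAMPLE_PENDING='Features for eth3:
hw-tc-offload: off [requested on]'
SAMPLE_NONE='Features for eth4:
rx-checksumming: on'

for sample in "$SAMPLE_ON" "$SAMPLE_FIXED" "$SAMPLE_OFF" "$SAMPLE_PENDING" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | classify_tc_offload
done
```

An "unsupported" result means the NIC driver cannot accept offloaded rules on that interface, whatever module is loaded.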

You cannot offload ct state established easily because the hardware would need to maintain stateful timers. For true offload, use stateless rules or ensure tc can offload the connection tracking (requires advanced hardware with full conntrack offload, like Mellanox ASAP²).