Kmod-nft-offload
sudo modprobe nft_offload
# Verify it exists in the kernel modules list
lsmod | grep nft_offload

Turn on the hardware offload feature for your interface.
sudo ethtool -K eth0 hw-tc-offload on
sudo ethtool -K eth1 hw-tc-offload on

We will offload a simple forward between two interfaces (eth0 to eth1).
# Create a table with the netdev family (best for forwarding offload)
nft add table netdev filter
# The 'offload' flag is critical: it is set on the netdev ingress chain and requests hardware offload for the rules in it
nft add chain netdev filter ingress '{ type filter hook ingress device eth0 priority 0; flags offload; }'
# Add an offloaded rule: accept all SSH traffic (port 22) on its way to eth1
nft add rule netdev filter ingress ip protocol tcp tcp dport 22 accept
# Add a default drop (cannot be offloaded, but the CPU processes it)
nft add rule netdev filter ingress drop

Step 4: Verification

Check if the rule actually resides in hardware.
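As an added example (not from the original page or the kmod-nft-offload project), a small POSIX shell script that scripts the steps above offline: it checks an `ethtool -k` feature listing, writes the ruleset with the chain-level offload flag, and checks a chain listing for that flag. The sample command outputs are constructed, and `hw-tc-offload: off [fixed]` is treated as a NIC that cannot offload at all.

```shell
#!/bin/sh
# Added example, not the page's own code. Works on strings so it runs
# without a NIC; on a real host feed it the live ethtool/nft output.

# Return 0 if the ethtool -k listing (passed as a string) shows
# hw-tc-offload enabled. "off" means not enabled yet; "off [fixed]"
# means the driver does not support it and ethtool -K cannot change it.
hw_offload_enabled() {
    printf '%s\n' "$1" | grep -q '^hw-tc-offload: on'
}

# Emit an nft ruleset requesting hardware offload. The request is made per
# chain ("flags offload" on a netdev ingress chain); the rules inside are
# then handed to the NIC driver through the flow_block API where supported.
build_ruleset() {
    dev=$1; port=$2
    cat <<EOF
table netdev filter {
    chain ingress {
        type filter hook ingress device $dev priority 0; flags offload;
        ip protocol tcp tcp dport $port accept
        drop
    }
}
EOF
}

# Return 0 if "nft list chain netdev filter ingress" output (as a string)
# carries the offload flag, i.e. the kernel accepted the chain as offloaded.
chain_offloaded() {
    printf '%s\n' "$1" | grep -q 'flags offload'
}

# Constructed samples standing in for live "ethtool -k eth0" output.
SAMPLE_ON='Features for eth0:
hw-tc-offload: on'
SAMPLE_FIXED='Features for eth0:
hw-tc-offload: off [fixed]'

main() {
    hw_offload_enabled "$SAMPLE_ON"    && echo "eth0: hw-tc-offload is on"
    hw_offload_enabled "$SAMPLE_FIXED" || echo "eth0: NIC cannot offload (fixed off)"
    # On a real host: build_ruleset eth0 22 | nft -f - ; then list the chain.
    chain_offloaded "$(build_ruleset eth0 22)" && echo "ruleset requests offload"
}
main
```

On a live box, replace the constructed strings with `"$(ethtool -k eth0)"` and `"$(nft list chain netdev filter ingress)"`.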
However, nftables remains the standard management interface for millions of Linux admins. The kmod-nft-offload module provides a gentle transition path: keep using the nftables syntax you know, but get near-ASIC performance. As more NIC vendors implement the flow_block API, this module will only become more powerful.

The kmod-nft-offload kernel module is a hidden gem in the Linux networking stack. It bridges the gap between high-level configuration via nftables and the blistering speed of modern SmartNICs.