Kmod-nft-offload

Understanding kmod-nft-offload in OpenWrt

kmod-nft-offload is a specialized Linux kernel module primarily used within the OpenWrt ecosystem to provide hardware and software flow offloading capabilities for the nf_tables (nftables) firewall framework.

Core Functionality and Architecture
or installation (e.g., "Unknown package"), ensure your package lists are updated via opkg update before installing kmod-nft-offload.
8. Security & Operational Considerations
- Flow table eviction: Aged-out flows fall back to software processing. Ensure nf_flowtable timeout values align with security policies.
- Visibility: tcpdump on offloaded interfaces will not capture hardware-forwarded packets (use hardware counters via ethtool -S).
- Failover: If hardware offload fails (e.g., driver reset), the kernel processes rules normally. No packet loss occurs, but CPU usage spikes.
To appreciate what this module does, it helps to understand the "fast path" vs. "slow path" architecture:
What happens here?
2. Offload Doesn't Engage for Conntrack
You cannot offload ct state established easily because the hardware would need to maintain stateful timers. For true offload, use stateless rules or ensure tc can offload the connection tracking (requires advanced hardware with full conntrack offload, like Mellanox ASAP²).
Hardware Offload: If supported by the router's SoC (System on Chip), it can hand off packet processing directly to the hardware network switch/acceleration engine.

Technical Details
kmod-nft-offload is a kernel module for OpenWrt that provides Netfilter nf_tables routing and NAT offload support. It is a core component for improving network performance by moving packet processing from the CPU to specialized hardware or optimized software paths.

Key Features and Dependencies
sudo ethtool -K eth0 hw-tc-offload on
sudo ethtool -K eth1 hw-tc-offload on