In the world of Linux networking, the mantra has long been "software-defined flexibility." The nftables framework revolutionized packet filtering by replacing the older iptables with a more efficient, expressive, and stateful system. However, as network interface card (NIC) speeds climb from 10GbE to 100GbE and beyond, even the most optimized kernel networking stack struggles to keep up without consuming massive CPU resources.

Let's walk through a practical deployment on a router with a Mellanox ConnectX-5 and AlmaLinux 9 / Fedora. We will offload a simple forward between two interfaces (eth0 to eth1).

Step 1: Load the Module

Ensure the `kmod-nft-offload` kernel module is loaded.

Step 2: Enable Hardware TC Offload

Check that your driver supports TC offload, then enable it on both interfaces:

```bash
# Check if your driver supports TC offload
ethtool -k eth0 | grep hw-tc-offload
# Output should be: hw-tc-offload: on

sudo ethtool -K eth0 hw-tc-offload on
sudo ethtool -K eth1 hw-tc-offload on
```

Step 3: Create the Offloaded Rules

```bash
# Create a table with netdev family (best for forwarding offload)
nft add table netdev filter
nft add chain netdev filter ingress '{ type filter hook ingress device eth0 priority 0; }'

# Add an offloaded rule: forward all SSH traffic (port 22) to eth1.
# The 'offload' keyword is critical.
nft add rule netdev filter ingress ip protocol tcp tcp dport 22 accept offload

# Add a default drop (cannot be offloaded, but the CPU processes it)
nft add rule netdev filter ingress drop
```

Step 4: Verification

Check if the rule actually resides in hardware:

```bash
# Show nftables rules (the 'offload' flag should appear)
nft list ruleset
nft list flowtables

# Check for dropped packets due to offload mismatches
nft list chain netdev filter ingress -a
```
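The checks from Step 2 and Step 4 are easy to skip, and a flow that is not actually offloaded quietly falls back to the CPU path. The helpers below are an added example, not code from the original post: they parse the text that `ethtool -k` and `nft list ruleset` print so a deployment script can fail loudly. The interface names, the port, and the sample outputs are assumptions constructed for offline testing (the ruleset listing mirrors the rules above rather than real ConnectX-5 output).

```bash
#!/bin/sh
# Added example (not from the original post). Functions take command output as
# text so they can be tested offline; verify_offload wires them to live commands.

# 0 if the `ethtool -k` text reports hw-tc-offload as "on" (or "on [fixed]").
hw_tc_offload_on() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*hw-tc-offload: on'
}

# 0 if the ruleset text contains an offloaded accept for the given TCP port.
rule_offloaded() {  # $1 = ruleset text, $2 = port
    printf '%s\n' "$1" | grep -Eq "tcp dport $2 .*accept offload"
}

# 0 if the ingress chain still carries a bare drop, so traffic that misses the
# offloaded match is not implicitly accepted by the CPU path.
default_drop_present() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*drop$'
}

# Live wrapper for a real host (not run offline): non-zero on the first failed
# check, so it can gate the rest of a deployment script.
verify_offload() {  # $1 = interface, $2 = port
    hw_tc_offload_on "$(ethtool -k "$1")" \
        || { echo "$1: hw-tc-offload is off" >&2; return 1; }
    rs=$(nft list ruleset)
    rule_offloaded "$rs" "$2" \
        || { echo "no offloaded accept for port $2" >&2; return 1; }
    default_drop_present "$rs" \
        || { echo "ingress chain lacks a default drop" >&2; return 1; }
}

# Constructed sample outputs (shape only, not captured from real hardware).
ETHTOOL_ON='Features for eth0:
rx-checksumming: on
hw-tc-offload: on'
ETHTOOL_OFF='Features for eth1:
hw-tc-offload: off [fixed]'
RULESET='table netdev filter {
    chain ingress {
        type filter hook ingress device eth0 priority 0; policy accept;
        ip protocol tcp tcp dport 22 accept offload
        drop
    }
}'
```

On a real router, `verify_offload eth0 22 || exit 1` placed before any further configuration stops the script when the NIC or ruleset is not in the expected state.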