Kmod-nft-offload -

Hardware flow offloading allows a network device to bypass the main CPU for processing established network connections. Instead, it delegates these tasks to the network interface's hardware (e.g., a Switch Chip or Network Acceleration Engine), significantly reducing CPU overhead and increasing throughput.

Place a simple drop offload rule for known attack IPs or subnets. The NIC hardware discards malicious traffic before it ever interrupts the CPU, preserving resources for legitimate flows. kmod-nft-offload

Look for the offload keyword. Also check flowtable entries: Hardware flow offloading allows a network device to

Every packet consumes CPU cycles, limiting throughput, especially at 10 GbE, 25 GbE, or higher. especially at 10 GbE

sysctl -w net.ipv4.ip_forward=1

Verify:

as "Software flow offloading" or "Hardware flow offloading". Performance Impact