Flow Offloading

Flow offloading in Linux is a networking feature that bypasses the CPU-intensive Netfilter stack (firewall processing) for established traffic flows. This approach significantly increases network throughput.

Software Flow Offloading typically increases bandwidth by 2-3x compared with the firewall filtering each packet, and often relieves fully loaded CPUs, which improves latency and jitter too. Technically, software flow offload is a firewall rule. Since SFO is a software feature, it is supported on all CPUs.

Hardware Flow Offloading bypasses QoS traffic controls at high priority, resulting in high throughput and low CPU usage. However, it handles only a limited number of concurrent connections (e.g. 64) and returns surplus connections to the software offload pool, so it will not significantly help some applications, including P2P. It is also incompatible with QoS features such as SQM. Since HFO requires specialized CPU/SoC hardware, it is supported by a small number of platforms, primarily MediaTek SoCs.

Common abbreviations:

  • Software Flow Offloading - SFO.
  • Hardware Flow Offloading - HFO.
  • Wireless Ethernet Dispatch - WED.
  • Packet Processing Engine - PPE.

Using LuCI web UI: Network → Firewall, from the dropdown select “Software flow offloading” or “Hardware flow offloading” depending on your hardware and desired features, then hit “Save & Apply”.

CLI with UCI (choose the one option you want):

uci set 'firewall.@defaults[0].flow_offloading=1'
uci set 'firewall.@defaults[0].flow_offloading_hw=1'
uci commit
/etc/init.d/firewall restart

CLI: edit /etc/config/firewall and insert the following under the config defaults section (choose the one option you want):

config defaults
…
  option flow_offloading '1'
  option flow_offloading_hw '1'

Then restart the firewall:

/etc/init.d/firewall restart
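Because flow offload is implemented as a firewall rule, you can confirm which mode is actually in effect from the generated nftables ruleset. The script below is an added example, not part of the original page or of OpenWrt: it classifies ruleset text in the layout printed by `nft list ruleset`, relying on the kernel flowtable convention that `flags offload` inside the flowtable marks hardware offload. The sample ruleset and its table, flowtable and device names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the flow offload mode from nftables ruleset text.
# Reads the ruleset on stdin and prints "none", "software" or "hardware".
offload_mode() {
    awk '
        # Start of a flowtable block: track brace depth so that the nested
        # "devices = { ... }" set does not end the block early.
        /^[ \t]*flowtable[ \t]/ { depth = 1; have_ft = 1; next }
        depth > 0 {
            if ($0 ~ /flags[ \t]+offload/) hw = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            next
        }
        # A rule that hands flows to a flowtable ("flow add" or the older
        # "flow offload" spelling).
        /flow[ \t]+(add|offload)[ \t]+@/ { used = 1 }
        END {
            if (!have_ft || !used) print "none"
            else if (hw)           print "hardware"
            else                   print "software"
        }'
}

# Constructed sample ruleset (names are assumptions, not taken from a device).
sample_hw() {
    cat <<'EOF'
table inet fw4 {
    flowtable ft {
        hook ingress priority filter
        devices = { eth0, lan1 }
        flags offload
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        meta l4proto { tcp, udp } flow add @ft
        ct state established,related accept
    }
}
EOF
}

# Demo on the constructed sample; on a router use: nft list ruleset | offload_mode
echo "sample ruleset mode: $(sample_hw | offload_mode)"
```

A flowtable that is declared but never referenced by a `flow add` rule is reported as "none", since no connection would be handed to it.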

The main page about MediaTek chipsets: soc.mediatek. Hardware offloading is supported on mt76 platforms starting from SoC mt7621 and can be monitored via /sys/kernel/debug/ppe0/entries.

For hardware offloading of Wi-Fi see the WED page. Note that WED will bypass QoS AQL and stale connections/freezes can occur when changing or roaming (e.g. from 2.4 GHz to 5 GHz) as WED is not available on 2.4 GHz.

  • Netfilter's flowtable infrastructure — the Linux kernel documentation with description of both Software offload and Hardware offload including limitations. This software is in development and features may expand, so confirm the doc page is set to the same version as your kernel.
  • Flow offload is not directly related to network adapter offload functions controlled by ethtool -k/-K.
  • Flow offloading applies to forwarded connections, including those to containers like LXC or podman, but not to a locally running web server.
  • Last modified: 2026/05/11 17:24
  • by phinn