With kmod-nft-offload + compatible hardware:
Check offload status:
apt install linux-modules-extra-$(uname -r)
Load the module: kmod-nft-offload
Packet → NIC → Host CPU → nftables (kernel) → Forward/Drop → Host CPU → NIC → Wire
Every packet consumes CPU cycles, limiting throughput, especially at 10 GbE, 25 GbE, or higher.