Perhaps this approach allows further processing of the packet to proceed without involving the kernel, and therefore the CPU; that is, for example, the IPsec Offload Engine itself places the packet into the TX ring via DMA.
But this is not certain, I am just guessing.
For example, on a Fortigate the NPU can process IPsec without the CPU for tunnel mode SAs.
Here is more from the Linux kernel documentation on XFRM Offloading:
“IPsec is a useful feature for securing network traffic, but the computational cost is high: a 10Gbps link can easily be brought down to under 1Gbps, depending on the traffic and link configuration. Luckily, there are NICs that offer a hardware based IPsec offload which can radically increase throughput and decrease CPU utilization. The XFRM Device interface allows NIC drivers to offer to the stack access to the hardware offload.”
«When a packet is received and the HW has indicated that it offloaded a decryption, the driver needs to add a reference to the decoded SA into the packet’s skb. At this point the data should be decrypted but the IPsec headers are still in the packet data; they are removed later up the stack in xfrm_input().

find and hold the SA that was used to the Rx skb:

    get spi, protocol, and destination IP from packet headers
    xs = find xs from (spi, protocol, dest_IP)
    xfrm_state_hold(xs);

store the state information into the skb:

    sp = secpath_set(skb);
    if (!sp) return;
    sp->xvec[sp->len++] = xs;
    sp->olen++;

indicate the success and/or error status of the offload:

    xo = xfrm_offload(skb);
    xo->flags = CRYPTO_DONE;
    xo->status = crypto_status;

hand the packet to napi_gro_receive() as usual»
As a result, the network card performed the offload operations for us on its own and then handed the skb to the kernel for processing via a NAPI call.
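
The first quoted driver step (get spi, protocol and destination IP from the headers, then find and hold the SA), as an added user-space C model; it is not kernel or driver code and not from the original text. `sa_key`, `model_sa`, `esp_lookup_key`, `sa_find_and_hold` and the sample packet are hypothetical names and constructed data, and only IPv4 is handled.

```c
#include <stddef.h>
#include <stdint.h>

#define PROTO_ESP 50 /* IP protocol number of ESP */

/* Lookup key from the quoted step: (spi, protocol, dest_IP). */
struct sa_key { uint32_t spi; uint8_t proto; uint32_t daddr; };
/* Hypothetical user-space stand-in for the kernel's SA ("xs"). */
struct model_sa { struct sa_key key; int refcnt; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* "get spi, protocol, and destination IP from packet headers" (IPv4 only).
 * Returns 0 on success, -1 for anything that is not well-formed IPv4/ESP. */
int esp_lookup_key(const uint8_t *pkt, size_t len, struct sa_key *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4; /* header length with options */
    if (ihl < 20 || len < ihl + 8)            /* ESP header: SPI + sequence */
        return -1;
    if (pkt[9] != PROTO_ESP)
        return -1;
    out->proto = pkt[9];
    out->daddr = be32(pkt + 16);
    out->spi = be32(pkt + ihl);
    return 0;
}

/* "xs = find xs from (spi, protocol, dest_IP)" plus the hold step. */
struct model_sa *sa_find_and_hold(struct model_sa *tbl, size_t n,
                                  const struct sa_key *k)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].key.spi == k->spi && tbl[i].key.proto == k->proto &&
            tbl[i].key.daddr == k->daddr) {
            tbl[i].refcnt++; /* models xfrm_state_hold(xs) */
            return &tbl[i];
        }
    return NULL;
}

/* Constructed sample: IPv4 (IHL 5, proto 50, dst 192.0.2.1), ESP SPI 0x1234. */
const uint8_t sample_pkt[28] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, 50, 0, 0,
    198, 51, 100, 7, 192, 0, 2, 1,
    0, 0, 0x12, 0x34, 0, 0, 0, 1 };
```

The SPI offset is taken from the IHL field instead of a fixed 20 bytes, so a packet carrying IP options is either parsed at the right position or rejected by the length check.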