As network interfaces get faster, the amount of CPU time available to
process each packet becomes correspondingly smaller. The good news is that
many tasks, including packet filtering, can be offloaded to the hardware
itself. The bad news is that the Linux kernel required quite a bit of work to be
able to take advantage of that capability. The first article in this series provided an
overview of how hardware-based packet filtering can work and the support
for this feature that already existed
in the kernel. This series now concludes with a detailed look at how
offloaded packet filtering works in the netfilter subsystem and how
administrators can make use of it.

Source: LWN.net – [$] Accelerating netfilter with hardware offload, part 2