Do you have more details about your use cases for this? For TLS received frames should probably use a TLS mbuf for each frame and there is ample room in the TLS mbuf to mark decrypted vs encrypted mbufs (e.g. m_epg_flags). If this is for IPsec, there is already an M_DECRYPTED mbuf flag defined to the TCP/IP layers. tcp_lro() can assume that the M_PROTO* flags are TCP/IP flags since it only operates on connections using netinet as the protocol layer.
@zi Can you please have a look at this? :)
Please also take a look at NetBSD's change 1.23, "Avoid undefined behavior in fread(3)".