I just saw this in a patch:

+               if (ntohs(ih->frag_off) & IP_OFFSET)
+                       return EBT_NOMATCH;

This isn't optimal, it requires a byte switch little endian machines.
The compiler isn't smart enough.  It would be better to use

     if (ih->frag_off & ntohs(IP_OFFSET))

where the byte-swap can be done at compile time.  This is kind of ugly,
I guess, so maybe a dedicate macro

    net_host_bit_p(ih->frag_off, IP_OFFSET)

??

-- 
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖