I think we can avoid those pathological cases (IP IP IP..) cited by
Alan if we pass on the fragments only for packets where we know
it's some well-behaved protocol (UDP, TCP), and the header is
completely contained in the first fragment.
These pathological cases are actually even easier to solve.
Just have the prot->rcv for encapsulated IP be some dummy function
which first checks whats in the first chain and pulls stuff up if
necessary, then it calls the real ip_rcv(), taking all of this junk
out of the main code path.
Similar tricks can be used in other situations.