According to Netfilter hooks - nftables wiki any flow passing “Prerouting Hook” will have its packets defragmented (-400: defragmentation).
Which means if source sent 2 fragments they will be reunited to a single packet before forwarded when passing through VyOS.
However looking at output from “sudo nft list ruleset” one can see these two rules:
table ip vyos_filter {
chain VYOS_FRAG_MARK {
type filter hook prerouting priority -450; policy accept;
ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
}
}
table ip6 vyos_filter {
chain VYOS_FRAG6_MARK {
type filter hook prerouting priority -450; policy accept;
exthdr frag exists meta mark set 0x000ffff1 return
}
}
Im not that familiar with nftables yet but doesnt the above mean that defragmentation will be bypassed as in fragments will remain fragments after passing VyOS?
Or does the above just mark the fragmented packets (defragmentation will still occur) and if so why?
But since it has “policy accept” doesnt it mean that it will stop processing of the packet if its found to be a fragment?
Which means that packets will be passed through the VyOS box instead of being reassembled as they normally would without that -450 rule since it preceeds the built int -400 defrag rule?
Those rules just looks if the packet wich has arrived to the router is fragmented or not. If it is, then it marks the paket.
With such mark, later in firewall filter, you can choose what to do with fragmented packets. Firewall — VyOS 1.4.x (sagitta) documentation
But since the “Prerouting Hook” automagically performs defragmention wouldnt such marking be useless because the fragments are defragmented into the original packet before further processing and finally being forwarded by the VyOS box to the destination?
Client A sends a 1500 byte packet to VyOS1 who then fragment that because the uplink mtu is 1000 bytes.
So this 1500 bytes packet is now 1000 + 500 byte packets (fragments) on the wire/network between VyOS1 and VyOS2.
When these fragments arrives to VyOS2 the “Prerouting Hook” within nftables will automagically defragment these two fragments back to its original 1500 byte packet which is then forwarded by VyoS2 to clientB.
So from the ClientA and ClientB point of views they are happily sending 1500 byte packets to each other and never encounter any fragments even if the network between VyOS1 and VyOS2 has a lower mtu (MTU1000 in this example)?
Compared to other vendors this has often been an issue because ClientB would then receive these fragments. This is why other vendors do have “ip virtual reassembly” or similar command to apply on the uplinks (in this example) to create the magic of defragment packets before forwarding them downstream.