From Nftables Wiki or just man nft you can use ip frag-off. Now (after a few trials and errors) the 3 flags (reserved, DF, MF) are included in this value at the 3 highest bits and have to be excluded from the test, needing a & operation. So this:
nft 'add rule ip filter input ip frag-off & 0x1fff != 0 drop'
Would do it...
... but when nf_conntrack_ipv4 is loaded (almost always), its specific nf_defrag_ipv4 part registers at hook priority -400, and will reassemble all fragments. That means any processing after won't see any fragment. So your chain has to hook with a priority value lower than that. Here's a complete working example:
nft add table filter
nft 'add chain filter predefrag { type filter hook prerouting priority -450; }'
nft 'add rule ip filter predefrag ip frag-off & 0x1fff != 0 drop'
Arguably the 1st packet is also a fragment with offset 0 but with MF set. So maybe 0x1fff should be replaced with 0x3fff to catch it.
From Nftables Wiki or just
man nftyou can useip frag-off. Now (after a few trials and errors) the 3 flags (reserved, DF, MF) are included in this value at the 3 highest bits and have to be excluded from the test, needing a&operation. So this:Would do it...
... but when nf_conntrack_ipv4 is loaded (almost always), its specific nf_defrag_ipv4 part registers at hook priority -400, and will reassemble all fragments. That means any processing after won't see any fragment. So your chain has to hook with a priority value lower than that. Here's a complete working example:
Arguably the 1st packet is also a fragment with offset 0 but with MF set. So maybe
0x1fffshould be replaced with0x3fffto catch it.try:
result:
iptables-translate comme from (on debian Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux:
apt install iptables-nftables-compat
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
or nft 'add rule inet filter input ip frag-off 0x4000 counter accept'