Tags: linux-kernel, iptables, netfilter, ip-fragmentation

Linux Netfilter: Enqueue packets to the user-space before defragment


The question is: How can I enqueue packets to the user-space with netfilter NFQUEUE before defragment?

According to Linux kernel source, nf_defrag_ipv4 is installed in NF_INET_PRE_ROUTING (known as PREROUTING in iptables/nftables) and NF_INET_LOCAL_OUT (OUTPUT).

So I tried the following anti-defrag nftables filter (original: https://stackoverflow.com/a/30638753/5167443) for NF_INET_LOCAL_OUT, but I'm still getting defragmented packets.

# chain hooked on output with priority -450, i.e. ahead of conntrack defrag (-400)
sudo nft add table filter
sudo nft add chain filter predefrag { type filter hook output priority -- -450 \; }
# queue locally generated packets of user nfqhooked to NFQUEUE number 42
sudo nft add rule filter predefrag skuid nfqhooked counter queue num 42

In the above filter, -450 stands for a priority that precedes NF_IP_PRI_CONNTRACK_DEFRAG=-400, i.e. the filter is expected to run before nf_defrag_ipv4.

I'm using Linux 3.19 (Ubuntu 15.04) and this is my own binding for libnetfilter_queue.so.1.


Solution

I just resolved it by myself.

I had misunderstood that netfilter handles TCP reassembly; it is actually handled by "TCP Auto Corking".

Now I can get fragmented (i.e. non-corked) packets just by writing 0 to /proc/sys/net/ipv4/tcp_autocorking.

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f54b311142a92ea2e42598e347b84e1655caf8e3
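Whether the queue rule really fires before nf_defrag_ipv4 (the question) and whether what you see are IP fragments at all rather than TCP segments coalesced by autocorking (the answer) can both be settled by inspecting the IPv4 flags/fragment-offset field of each queued packet: a packet with MF set or a non-zero fragment offset is an IP fragment; anything else is a whole datagram, however small or large the TCP segment inside it is. The parser below is an added example, not code from the question, the answer or the asker's libnetfilter_queue binding. It operates on the raw bytes a NFQUEUE callback receives (in the python-netfilterqueue binding that would be packet.get_payload(); the asker's binding is assumed to hand over the same IP-header-first buffer) and uses constructed sample packets so it runs offline.

```python
import struct

# Bits of the IPv4 flags/fragment-offset 16-bit field (RFC 791)
IP_FLAG_DF = 0x4000          # don't fragment
IP_FLAG_MF = 0x2000          # more fragments follow
IP_FRAG_OFFSET_MASK = 0x1FFF  # offset in units of 8 bytes

IPV4_HDR_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte header


def parse_ipv4(packet: bytes) -> dict:
    """Return the IPv4 header fields relevant to fragmentation.

    `packet` is the raw datagram as delivered by NFQUEUE: it starts at the
    IP header, with no link-layer header in front of it.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_HDR_FMT, packet[:20])
    version = ver_ihl >> 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    frag_offset = (flags_frag & IP_FRAG_OFFSET_MASK) * 8  # convert to bytes
    more_frags = bool(flags_frag & IP_FLAG_MF)
    return {
        "total_len": total_len,
        "id": ident,
        "proto": proto,
        "ihl": ihl,
        "dont_fragment": bool(flags_frag & IP_FLAG_DF),
        "more_fragments": more_frags,
        "frag_offset": frag_offset,
        # A datagram is a fragment if it is not the only piece: either more
        # pieces follow (MF set) or it is a later piece (non-zero offset).
        "is_fragment": more_frags or frag_offset != 0,
        "payload_len": total_len - ihl,
    }


def classify(packet: bytes) -> str:
    """One-line description a queue callback could log for each packet."""
    h = parse_ipv4(packet)
    if not h["is_fragment"]:
        return (f"whole datagram id={h['id']} proto={h['proto']} "
                f"payload={h['payload_len']}B")
    piece = "first" if h["frag_offset"] == 0 else f"offset={h['frag_offset']}"
    last = "" if h["more_fragments"] else " (last)"
    return f"fragment id={h['id']} {piece}{last} payload={h['payload_len']}B"


def build_ipv4(payload: bytes, ident: int, flags_frag: int, proto: int = 17) -> bytes:
    """Construct a minimal IPv4 datagram for the sample input below.
    The checksum is left zero because the packet is only parsed, never sent."""
    total_len = 20 + len(payload)
    header = struct.pack(IPV4_HDR_FMT, 0x45, 0, total_len, ident, flags_frag,
                         64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


# Constructed samples (not captured traffic): one unfragmented datagram and the
# two pieces of a 1500-byte datagram split at a 1500-byte MTU. The offset field
# counts 8-byte units, so the second piece carries offset 185 == 1480 bytes.
SAMPLE_WHOLE = build_ipv4(b"A" * 100, ident=1, flags_frag=IP_FLAG_DF)
SAMPLE_FRAG1 = build_ipv4(b"B" * 1480, ident=2, flags_frag=IP_FLAG_MF)
SAMPLE_FRAG2 = build_ipv4(b"C" * 20, ident=2, flags_frag=185)

if __name__ == "__main__":
    for pkt in (SAMPLE_WHOLE, SAMPLE_FRAG1, SAMPLE_FRAG2):
        print(classify(pkt))
```

If every packet the queue delivers classifies as a whole datagram, either the rule runs after defragmentation or, as in the answer, no IP fragmentation is happening in the first place: a TCP segment that fits in the MTU is never fragmented, and turning autocorking off changes how the stack sizes segments, not whether the resulting datagrams are IP fragments.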