Configuring a Firewall Filter to Prevent or Allow IPv4 Packet Fragmentation
This topic explains how to use the dont-fragment (set | clear) actions in an ingress firewall filter to modify the Don’t Fragment flag in IPv4 packet headers. These actions are supported only on MPCs in MX Series routers.
You can use a firewall filter on an ingress interface to match IPv4 packets that have the Don’t Fragment flag set to one or cleared to zero. Fragmentation is prevented when this flag is set in the packet header. Fragmentation is allowed when the flag is not set.
To prevent an IPv4 packet from being fragmented:
Configure a filter term that modifies the Don’t Fragment flag to one.
[edit firewall family inet filter dfSet]
user@host# set term t1 then dont-fragment set
To allow an IPv4 packet to be fragmented:
Configure a filter term that modifies the Don’t Fragment flag to zero.
[edit firewall family inet filter dfClear]
user@host# set term t1 then dont-fragment clear
In the following example, the dfSet firewall filter matches packets that are fragmented and changes the Don’t Fragment flag to prevent fragmentation. The dfClear firewall filter matches packets that are not fragmented and changes the Don’t Fragment flag to allow fragmentation.
[edit firewall family inet]
user@host# edit filter dfSet
user@host# set term t1 from fragment-flags is-fragment
user@host# set term t1 then dont-fragment set
user@host# up
user@host# edit filter dfClear
user@host# set term t1 from fragment-flags dont-fragment
user@host# set term t1 then dont-fragment clear
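To make concrete what the two filter terms do to a packet on the wire, the following Python script is an added byte-level model of the dfSet and dfClear terms above; it is illustration written for this page, not Junos code or any Juniper API. It builds constructed 20-byte IPv4 headers, evaluates the match side (DF bit present, or packet is a fragment) and applies the dont-fragment set/clear action by rewriting bit 14 of the flags word and recomputing the header checksum. The addresses, identification value and the way "is-fragment" is modelled (More Fragments set or a non-zero fragment offset) are assumptions of this example.

```python
"""Byte-level model of the dfSet and dfClear filter terms described above.

Added illustration only (not Junos code): shows which bits of the IPv4
header the dont-fragment (set | clear) actions change and that the header
checksum must be recomputed once the flags word is rewritten.
"""
import struct

# Layout of the 16-bit "flags + fragment offset" word at header bytes 6-7:
# bit 15 reserved, bit 14 DF (Don't Fragment), bit 13 MF (More Fragments),
# bits 0-12 fragment offset in 8-byte units.
DF_BIT = 0x4000
MF_BIT = 0x2000
FRAG_OFFSET_MASK = 0x1FFF
HEADER_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the 16-bit words of the header (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, flags_frag: int) -> bytes:
    """Build a constructed IPv4 header (UDP payload assumed) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, identification, flags+offset, TTL, proto, csum=0
    hdr = struct.pack(HEADER_FMT, 0x45, 0, 40, 0x1234, flags_frag, 64, 17, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def checksum_ok(header: bytes) -> bool:
    """A header with a correct checksum sums to 0xFFFF, so the complement is 0."""
    return ipv4_checksum(header) == 0


def flags_word(header: bytes) -> int:
    return struct.unpack("!H", header[6:8])[0]


def df_set(header: bytes) -> bool:
    """Mirror of 'from fragment-flags dont-fragment': DF bit is one."""
    return bool(flags_word(header) & DF_BIT)


def is_fragment(header: bytes) -> bool:
    """Modelling assumption for the 'is-fragment' match: the packet is a piece
    of a fragmented datagram, i.e. MF is set or the fragment offset is non-zero."""
    w = flags_word(header)
    return bool(w & MF_BIT) or (w & FRAG_OFFSET_MASK) != 0


def _rewrite_flags(header: bytes, new_word: int) -> bytes:
    """Replace the flags word and recompute the checksum; every other field stays."""
    body = header[:6] + struct.pack("!H", new_word) + header[8:10] + b"\x00\x00" + header[12:]
    return body[:10] + struct.pack("!H", ipv4_checksum(body)) + body[12:]


def dont_fragment_set(header: bytes) -> bytes:
    """'then dont-fragment set': force DF to one."""
    return _rewrite_flags(header, flags_word(header) | DF_BIT)


def dont_fragment_clear(header: bytes) -> bytes:
    """'then dont-fragment clear': force DF to zero."""
    return _rewrite_flags(header, flags_word(header) & ~DF_BIT & 0xFFFF)


def filter_df_set(header: bytes) -> bytes:
    """dfSet term t1: match fragments and set DF so they are not fragmented further."""
    return dont_fragment_set(header) if is_fragment(header) else header


def filter_df_clear(header: bytes) -> bytes:
    """dfClear term t1: match packets carrying DF and clear it so they may be fragmented."""
    return dont_fragment_clear(header) if df_set(header) else header


if __name__ == "__main__":
    # Constructed sample packets: a first fragment (MF set) and a DF-marked datagram.
    frag = build_ipv4_header("192.0.2.10", "198.51.100.20", MF_BIT)
    df_pkt = build_ipv4_header("192.0.2.10", "198.51.100.20", DF_BIT)
    out = filter_df_set(frag)
    print("dfSet  :", hex(flags_word(frag)), "->", hex(flags_word(out)), "checksum ok:", checksum_ok(out))
    out = filter_df_clear(df_pkt)
    print("dfClear:", hex(flags_word(df_pkt)), "->", hex(flags_word(out)), "checksum ok:", checksum_ok(out))
```

The point worth taking from the model when verifying the filter with a packet capture: a rewritten packet differs from the original only in bit 14 of bytes 6-7 and in the header checksum, so a capture taken downstream of the ingress interface should show exactly those two fields changed and a checksum that still validates.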