BSD PF firewall has one extra scrub option…

The BSD PacketFilter (PF) firewall has an extra scrub option, “reassemble tcp”. I was researching and exploring the different types of fragmented packets and segmented streams that can be forwarded within a network when a link with a smaller MTU sits in the middle of the routing path. I am still reading about what this option does to a streamed session and whether Linux has anything similar…

Note: nftables has user-land hooks via nfqueue. A queue rule hands each matching packet to a userspace program, which must accept or drop it (the `ip mangle` table and its FORWARD chain referenced below must already exist):

# nft insert rule ip mangle FORWARD ip daddr 8.8.4.4 tcp dport 53 counter queue num 1

from scapy.layers.inet import IP
from netfilterqueue import NetfilterQueue

def que_packet(pkt):
    # nfqueue hands over the whole IP packet; decode it with scapy for inspection
    pay = pkt.get_payload()
    ipf = IP(pay)
    print("pkt", pkt)
    ipf.show()
    pkt.accept()  # reinject unchanged; pkt.drop() would discard it instead

nfqueue = NetfilterQueue()
nfqueue.bind(1, que_packet)  # queue number must match "queue num 1" in the nft rule

try:
    nfqueue.run()
except KeyboardInterrupt:
    print("exit")
finally:
    nfqueue.unbind()
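Once packets reach userspace this way, a stream normalizer still has to place TCP segments in sequence order, stop at holes, and decide what to do when a retransmission carries different bytes for a range already seen. The following is an added example, not code from the original post: a minimal pure-Python per-flow assembler that flags such conflicting overlaps, run over constructed IPv4/TCP packets (no netfilterqueue or scapy needed). It assumes no IP options and ignores 32-bit sequence wraparound; `build_packet`, `StreamAssembler` and `demo` are names chosen here.

```python
import struct
from collections import defaultdict

def parse_ipv4_tcp(raw):
    """Return (flow, seq, payload) from a raw IPv4+TCP packet (IP options and seq wraparound ignored)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    tcp = raw[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (raw[12:16], sport, raw[16:20], dport), seq, tcp[data_off:]

def build_packet(src, sport, dst, dport, seq, payload):
    """Constructed test input: minimal IPv4 + TCP (PSH/ACK) packet; checksums are left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return ip + tcp

class StreamAssembler:
    """Per-flow sequence-space reassembly that records overlapping segments whose bytes disagree."""
    def __init__(self):
        self.segments = defaultdict(list)  # flow -> [(seq, payload)] in arrival order
        self.conflicts = []                # (flow, lo, hi): a byte range seen with two different contents
    def add(self, raw):
        flow, seq, data = parse_ipv4_tcp(raw)
        for s, d in self.segments[flow]:
            lo, hi = max(s, seq), min(s + len(d), seq + len(data))
            if lo < hi and d[lo - s:hi - s] != data[lo - seq:hi - seq]:
                self.conflicts.append((flow, lo, hi))
        self.segments[flow].append((seq, data))
    def stream(self, flow):
        """Contiguous bytes from the lowest seq up to the first hole; the earliest-arrived copy wins overlaps."""
        out, expect = bytearray(), None
        for seq, data in sorted(self.segments[flow], key=lambda t: t[0]):  # stable: arrival order kept
            expect = seq if expect is None else expect
            if seq > expect:
                break                      # gap in the sequence space: stop rather than guess
            tail = data[expect - seq:]     # drop bytes an earlier segment already delivered
            out += tail
            expect += len(tail)
        return bytes(out)

def demo():
    """Out-of-order delivery plus a retransmission that rewrites bytes already seen (constructed)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    asm = StreamAssembler()
    for seq, data in [(1000, b"GET /ind"), (1016, b"HTTP/1.0\r\n"), (1008, b"ex.html "), (1008, b"ADMIN.ht")]:
        asm.add(build_packet(src, 40000, dst, 80, seq, data))
    return asm.stream((src, 40000, dst, 80)), [(lo, hi) for _, lo, hi in asm.conflicts]
```

Which copy of a conflicting overlap the receiving host actually uses differs between operating systems, which is why a normalizer in the path (or a detector that at least records the conflict, as above) matters more than the policy chosen here.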

Edit: I found that it was a bit complicated to understand when optimized network stacks (software or hardware) combine multiple TCP segments into bigger IP packet payloads, and that trying to perform reassembly at that higher level was a bit challenging. I came up with a way to solve the occasional web site having slow upload speeds for large files by running an nginx transparent reverse proxy server for HTTP/HTTPS instead!

HTTPS:

user root wheel;  # workers run as root:wheel; port 3129 is unprivileged, so a dedicated low-privilege user would work here
worker_processes 1;
worker_rlimit_nofile 8192;
events {
	accept_mutex off;
	multi_accept off;
	worker_connections 1024;
	#use select;
}
stream {
	resolver 1.1.1.1 ipv6=off;  # needed to resolve the SNI hostname used in proxy_pass below
	server {
		listen 127.0.0.1:3129;
		ssl_preread on;  # parse the TLS ClientHello for SNI without terminating TLS
		proxy_half_close off;
		proxy_socket_keepalive off;
		proxy_connect_timeout 45s;
		proxy_timeout 90s;
		proxy_pass $ssl_preread_server_name:443;  # forward to whichever host the client named in SNI
	}
}

PF rule (pf.conf) redirecting inbound port 443 on en0 to the proxy:

rdr on en0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 3129

Update: I am modifying the nginx setup to proxy more generically and reliably.
