Question

See this netfilter header: http://lxr.free-electrons.com/source/include/uapi/linux/netfilter.h; there we have:

    /* Responses from hook functions. */
    #define NF_DROP 0
    #define NF_ACCEPT 1
    #define NF_STOLEN 2
    #define NF_QUEUE 3
    #define NF_REPEAT 4
    #define NF_STOP 5
    #define NF_MAX_VERDICT NF_STOP

Here I found this paragraph:

The NF_DROP return code means that this packet should be dropped completely and any resources allocated for it should be released. NF_ACCEPT tells Netfilter that so far the packet is still acceptable and that it should move to the next stage of the network stack. NF_STOLEN is an interesting one because it tells Netfilter to "forget" about the packet. What this tells Netfilter is that the hook function will take processing of this packet from here and that Netfilter should drop all processing of it. This does not mean, however, that resources for the packet are released. The packet and its respective sk_buff structure are still valid; it's just that the hook function has taken ownership of the packet away from Netfilter. NF_REPEAT requests that Netfilter calls the hook function again.

But I don't know what the difference is between discarding and forgetting packets with regard to NF_DROP and NF_STOLEN?

Was this helpful?

Solution

This document gives a thorough overview of how netfilter works and why.

My understanding is that returning NF_DROP tells netfilter to drop the packet, whereas returning NF_STOLEN basically means that you're assuming responsibility for the packet from now on: the kernel still has the packet in its internal tables, and you're now responsible for telling the kernel to clean that up after you've done whatever else you're doing with the packet.

For most applications, you'll want to use NF_DROP rather than NF_STOLEN.

Other tips

In the case of NF_DROP your netfilter hook must NOT free the sk_buff since the network stack will take care of freeing that "resource".

In the case of NF_STOLEN your netfilter hook now "owns" the sk_buff "resource". Therefore you need to call kfree_skb on the sk_buff when you have finished using it.

I think NF_STOLEN means that netfilter will never call the next registered hook function, nor deliver the packet to the upper layer; this sk_buff is yours now... A typical scenario is that we filter some packets for ourselves, or intercept them, or do some confidential communication...
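As an added user-space model (not kernel code, and not from any of the answers above), the following C sketch imitates the verdict handling the answers describe: the stand-in `struct skb`, the three hook functions, `model_kfree_skb()` and the `traverse()` loop are all constructed here. It shows that on NF_DROP the traversal itself frees the buffer and stops, while on NF_STOLEN it stops without freeing and the stealing hook has to release the buffer itself; the assert in the modelled kfree_skb catches the double free that results from a hook freeing a buffer it returned NF_DROP for.

```c
#include <assert.h>
/* Verdict values as defined in include/uapi/linux/netfilter.h */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2

/* Constructed stand-in for struct sk_buff: only tracks whether it was freed. */
struct skb { int freed; };
static int hooks_called;        /* hooks that ran for the last packet */
static struct skb *stolen_skb;  /* buffer a NF_STOLEN hook took over */

/* Model of kfree_skb(): freeing the same buffer twice is the double free
 * the answers warn about, so it trips the assert. */
static void model_kfree_skb(struct skb *s) { assert(!s->freed); s->freed = 1; }

typedef unsigned (*hook_fn)(struct skb *);
static unsigned accept_hook(struct skb *s) { (void)s; hooks_called++; return NF_ACCEPT; }
/* NF_DROP: the hook must NOT free s; the traversal does that. */
static unsigned drop_hook(struct skb *s)   { (void)s; hooks_called++; return NF_DROP; }
/* NF_STOLEN: the hook keeps s and is now responsible for freeing it. */
static unsigned steal_hook(struct skb *s)  { stolen_skb = s; hooks_called++; return NF_STOLEN; }

/* Model of the hook traversal: the next hook runs only after NF_ACCEPT,
 * NF_DROP frees the buffer here, NF_STOLEN stops without freeing. */
static unsigned traverse(struct skb *s, hook_fn *hooks, int n) {
    hooks_called = 0;
    for (int i = 0; i < n; i++) {
        unsigned v = hooks[i](s);
        if (v == NF_DROP)   { model_kfree_skb(s); return NF_DROP; }
        if (v == NF_STOLEN) return NF_STOLEN;     /* traversal "forgets" s */
        assert(v == NF_ACCEPT);                   /* otherwise: next hook */
    }
    return NF_ACCEPT;                             /* on to the next stack stage */
}

/* ACCEPT, DROP, ACCEPT: returns 1 if the stack freed s and the third hook never ran. */
int scenario_drop(void) {
    struct skb s = {0};
    hook_fn chain[] = { accept_hook, drop_hook, accept_hook };
    unsigned v = traverse(&s, chain, 3);
    return v == NF_DROP && s.freed && hooks_called == 2;
}

/* STOLEN, ACCEPT: returns 1 if traversal stopped without freeing s, the second
 * hook never ran, and the stealing hook's own kfree_skb is what releases it. */
int scenario_stolen(void) {
    struct skb s = {0};
    hook_fn chain[] = { steal_hook, accept_hook };
    unsigned v = traverse(&s, chain, 2);
    int ok = v == NF_STOLEN && !s.freed && hooks_called == 1 && stolen_skb == &s;
    model_kfree_skb(stolen_skb);   /* the owner releases it; a second call would assert */
    return ok && s.freed;
}
```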

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow