This document gives a thorough overview of how netfilter works and why.
My understanding is that returning NF_DROP tells netfilter to drop the packet, whereas returning NF_STOLEN basically means that you're assuming responsibility for the packet from now on: the kernel still has the packet in its internal tables, and you're now responsible for telling the kernel to clean that up after you've done whatever else you're doing with the packet.

For most applications, you'll want to use NF_DROP rather than NF_STOLEN.
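The ownership difference between the two verdicts, as an added userspace model rather than code from the answer above or from the kernel: the verdict values match those in the kernel's netfilter headers, but `struct sk_buff`, `kfree_skb_model()`, the `hook_dispatch()` stand-in for the core's verdict handling, the two source addresses and the packet batch are all constructed assumptions so that it compiles and runs with an ordinary C compiler. It shows that after NF_DROP the core frees the packet and the hook must never touch it again, while after NF_STOLEN the core forgets the packet entirely, so a hook that steals and never releases leaks it.

```c
/* Added example (not from the original answer): a userspace model of how the
 * netfilter core treats the NF_DROP and NF_STOLEN verdicts. The verdict values
 * match <uapi/linux/netfilter.h>; struct sk_buff, kfree_skb_model() and the
 * hook_dispatch() stand-in for nf_hook_slow() are simplified assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2

struct sk_buff {
    uint32_t saddr;          /* IPv4 source, host byte order */
    size_t len;
    struct sk_buff *next;    /* link for the stolen queue */
};

static int outstanding;                 /* allocated and not yet freed */
static struct sk_buff *stolen_head;     /* packets the hook took ownership of */

static struct sk_buff *alloc_skb_model(uint32_t saddr, size_t len)
{
    struct sk_buff *skb = calloc(1, sizeof *skb);
    if (!skb) abort();
    skb->saddr = saddr;
    skb->len = len;
    outstanding++;
    return skb;
}

static void kfree_skb_model(struct sk_buff *skb)
{
    if (!skb) return;
    outstanding--;
    free(skb);
}

#define BLOCKED_SRC 0x0A000005u   /* 10.0.0.5: dropped (constructed) */
#define HELD_SRC    0x0A000006u   /* 10.0.0.6: stolen for later (constructed) */

/* Hook in the shape of a netfilter hook: (priv, skb, state) -> verdict. */
static unsigned int example_hook(void *priv, struct sk_buff *skb, const void *state)
{
    (void)priv; (void)state;
    if (skb->saddr == BLOCKED_SRC)
        return NF_DROP;            /* core frees skb; never touch it again */
    if (skb->saddr == HELD_SRC) {
        skb->next = stolen_head;   /* we own it from here on */
        stolen_head = skb;
        return NF_STOLEN;          /* core forgets skb; we must free it */
    }
    return NF_ACCEPT;
}

/* Model of the core's verdict handling. */
static int hook_dispatch(struct sk_buff *skb)
{
    switch (example_hook(NULL, skb, NULL)) {
    case NF_ACCEPT:
        kfree_skb_model(skb);      /* stands in for delivery, which frees it later */
        return 1;
    case NF_DROP:
        kfree_skb_model(skb);      /* the core releases a dropped packet */
        return -1;                 /* -EPERM in the kernel */
    case NF_STOLEN:
        return 0;                  /* nothing: the hook is now responsible */
    default:
        kfree_skb_model(skb);
        return -1;
    }
}

/* The cleanup obligation NF_STOLEN creates. Returns how many were released. */
static int release_stolen(void)
{
    int n = 0;
    while (stolen_head) {
        struct sk_buff *skb = stolen_head;
        stolen_head = skb->next;
        kfree_skb_model(skb);
        n++;
    }
    return n;
}

/* Push a constructed batch through the hook; returns buffers still outstanding.
 * With do_release = 0 the stolen packet is never freed: that is the leak. */
static int run_batch(int do_release)
{
    const uint32_t batch[] = { 0x0A000001u, BLOCKED_SRC, HELD_SRC, 0x0A000002u };
    for (size_t i = 0; i < sizeof batch / sizeof batch[0]; i++)
        hook_dispatch(alloc_skb_model(batch[i], 64));
    if (do_release)
        release_stolen();
    return outstanding;
}

int main(void)
{
    printf("with cleanup: %d outstanding\n", run_batch(1));
    printf("without cleanup: %d outstanding (leaked)\n", run_batch(0));
    printf("late cleanup released %d\n", release_stolen());
    return 0;
}
```

The point to take from `hook_dispatch()` is the asymmetry: for NF_DROP the caller frees, so a hook that also frees the buffer double-frees it, and for NF_STOLEN the caller does nothing, so a hook that never frees it leaks it. That is why NF_DROP is the safer default unless you genuinely need to hold or re-inject the packet.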