Hi All,

In NF_IP_LOCAL_OUT, I hooked the TCP SYN packets, sent them out directly with dev_queue_xmit, and returned NS_STOLEN. The packets are sent out successfully, and the peer replies with SYN+ACK. Unfortunately, the local host does not accept the packet but replies with an ICMP error, i.e., destination unreachable (host administratively prohibited).

Actually, it is the same case if UDP request packets are hooked in the NF_IP_LOCAL_OUT hook and NS_STOLEN is returned. The UDP response packets are dropped with an ICMP error packet.

I think the skb will not be freed with NS_STOLEN. I analyzed the traffic and observed that all address and port information of the response packets matches that in the request packets. I do not know why the response packets cannot match the sock records. I am not sure if I misunderstand something.

May I know how to fix this issue? Thank you very much!

Best Regards,
Lawrence