Hi All,

In NF_IP_LOCAL_OUT, I hooked the TCP SYN packets, sent them out directly with dev_queue_xmit, and returned NS_STOLEN. The packets are sent out successfully, and the peer replies with SYN+ACK. Unfortunately, the local host does not accept the packet but replies with ICMP error information, i.e., destination unreachable (host administratively prohibited).

Actually, it is the same case if UDP request packets are hooked in the NF_IP_LOCAL_OUT hook and are returned with NS_STOLEN. The UDP response packets will be dropped with an ICMP error packet.

I looked into the source code. It seems that in the ip_local_deliver() function,

    return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev, NULL, ip_local_deliver_finish)

does not get into ip_local_deliver_finish(), but calls the icmp_send() function to send a destination unreachable message.

May I know what is up and how to fix this issue?

Thank you very much!

Best Regards,
Lawrence