See this netfilter header: http://lxr.free-electrons.com/source/include/uapi/linux/netfilter.h where we have:
/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE 3
#define NF_REPEAT 4
#define NF_STOP 5
#define NF_MAX_VERDICT NF_STOP
Here I found this paragraph:
The NF_DROP return code means that this packet should be dropped completely and any resources allocated for it should be released. NF_ACCEPT tells Netfilter that so far the packet is still acceptable and that it should move to the next stage of the network stack. NF_STOLEN is an interesting one because it tells Netfilter to "forget" about the packet. What this tells Netfilter is that the hook function will take processing of this packet from here and that Netfilter should drop all processing of it. This does not mean, however, that resources for the packet are released. The packet and its respective sk_buff structure are still valid; it's just that the hook function has taken ownership of the packet away from Netfilter. NF_REPEAT requests that Netfilter call the hook function again.
But I don't know what the difference is between discarding and forgetting packets with regard to NF_DROP and NF_STOLEN?
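The ownership difference the quoted paragraph describes, shown as an added userspace model that is not part of the question or of the kernel: `struct sk_buff`, `kfree_skb`, `alloc_skb_with`, `nf_dispatch` and `freed_after` are simplified stand-ins I assume here, while the verdict values are the ones from the header above. On NF_DROP the core frees the buffer; on NF_STOLEN it does not touch it again, so the hook that stole it must eventually release (or queue / re-inject) it itself.

```c
#include <stdlib.h>
#include <string.h>
/* Verdict values as in the quoted netfilter.h. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2

/* Stand-in for the kernel's sk_buff (assumed layout, not the real one). */
struct sk_buff { char *data; size_t len; };

static int skbs_freed;           /* packets released so far */
static struct sk_buff *stolen;   /* where a stealing hook parks its packet */

/* Stand-in for the kernel's kfree_skb(): release the packet's resources. */
static void kfree_skb(struct sk_buff *skb) { free(skb->data); free(skb); skbs_freed++; }

/* Build one packet from a constructed payload. */
static struct sk_buff *alloc_skb_with(const char *payload)
{
    struct sk_buff *skb = malloc(sizeof *skb);
    skb->len = strlen(payload);
    skb->data = malloc(skb->len + 1);
    memcpy(skb->data, payload, skb->len + 1);
    return skb;
}

/* NF_DROP: the hook hands the packet back and the core frees it. */
static unsigned int hook_drop(struct sk_buff *skb) { (void)skb; return NF_DROP; }

/* NF_STOLEN: the hook keeps the skb (here it parks it for later handling). The
 * buffer stays valid, and the hook is now the one responsible for freeing it. */
static unsigned int hook_steal(struct sk_buff *skb) { stolen = skb; return NF_STOLEN; }

/* Simplified core dispatch: 1 = packet continues up the stack, 0 = it does not. */
static int nf_dispatch(unsigned int (*hook)(struct sk_buff *), struct sk_buff *skb)
{
    switch (hook(skb)) {
    case NF_ACCEPT: return 1;                  /* next stage of the stack takes it */
    case NF_DROP:   kfree_skb(skb); return 0;  /* core releases the resources */
    case NF_STOLEN: return 0;                  /* core forgets it; nothing freed here */
    default:        kfree_skb(skb); return 0;
    }
}

/* Run one packet through a hook; return how many skbs the core freed. */
static int freed_after(unsigned int (*hook)(struct sk_buff *))
{
    skbs_freed = 0;
    stolen = NULL;
    nf_dispatch(hook, alloc_skb_with("constructed packet"));
    return skbs_freed;
}
```

A real hook that returns NF_STOLEN without ever consuming the skb leaks it, which is the practical reason the two verdicts are distinct even though neither lets the packet continue.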