Responding to packets stolen with ip_queue
I have a userland program that I'm trying to modify (it's actually an updated version of packetbl). I see my only options are to return NF_ACCEPT, NF_DROP, or NF_STOLEN. If I return NF_DROP, then Netfilter simply discards the packet, which is not what I want; I want to return a rejection, either a TCP RST, or an ICMP Administratively Prohibited.
I'm assuming I can't easily change Netfilter's behavior on receiving NF_DROP, so I guess I need to steal the packet and construct a response in userland. Does anyone have any pointers on how to do this? Thanks!