On Mon, 2010-02-01 at 10:17 -0500, Kyle McMartin wrote:
On Sun, Jan 31, 2010 at 04:12:07AM -0500, Jon Masters wrote:
The disabling of netfilter on bridges is not really "solving" this problem. The problem is that the hashing code needs fixing. Until that changes, whenever libvirtd plays with namespaces (as it does), we run the risk of falling over as we play with the size of the hashtables.
Thanks for the heads up, Jon. I'll watch this and the internal thread for a fix.
Well, I sent a summary for why it happens. It happens because an IPv6 error (set via icmpv6_error) causes us to set the conntrack (ct) for an incoming skb to nf_conntrack_untracked (a catchall struct). We then try to free that like any other conntrack, back into the (now per-namespace) cache, but it's not a SL[U]B allocated struct, it's a static...boom.
The conntrack code should catch this and error it, it should also do per-namespace cache allocation, and per-namespace hashtable metadata. I'm *very* surprised if this isn't biting a lot more Fedora users.
Jon.