Jan Engelhardt wrote:

On Wednesday 2009-04-15 23:07, Eric Dumazet wrote:

quoted

Stephen Hemminger a écrit :

quoted

Looks like there is some recursive path into ip_tables that makes the
per-cpu spinlock break.  I get lockup's with KVM networking.

Suggestions?

Well, it seems original patch was not so bad after all

http://lists.netfilter.org/pipermail/netfilter-devel/2006-January/023175.html

So change per-cpu spinlocks to per-cpu rwlocks 

and use read_lock() in ipt_do_table() to allow recursion...

iptables cannot quite recurse into itself due to the comefrom stuff.

Actually it can by using the REJECT target:

[ 2106.068550]  [<ffffffff804b0195>] ? nf_hook_slow+0x89/0x104
[ 2106.068552]  [<ffffffff804b8ed0>] ? dst_output+0x0/0xb
[ 2106.068555]  [<ffffffff80393925>] ? _raw_spin_unlock+0x8b/0x92
[ 2106.068557]  [<ffffffff804ba8c7>] ? __ip_local_out+0x98/0x9a
[ 2106.068559]  [<ffffffff804ba8d2>] ? ip_local_out+0x9/0x1f
[ 2106.068562]  [<ffffffff804babb4>] ? ip_push_pending_frames+0x2cc/0x33e
[ 2106.068566]  [<ffffffff804dac79>] ? icmp_send+0x559/0x588
[ 2106.068569]  [<ffffffff8022d3a0>] ? task_rq_lock+0x46/0x79
[ 2106.068571]  [<ffffffff8023004f>] ? enqueue_task_fair+0x23b/0x293
[ 2106.068575]  [<ffffffffa00f5083>] ? reject_tg+0x41/0x30e [ipt_REJECT]
[ 2106.068578]  [<ffffffffa024084f>] ? ipt_do_table+0x534/0x5f1 [ip_tables]