On Thursday 2009-04-16 14:12, Patrick McHardy wrote:

Jan Engelhardt wrote:

quoted

On Wednesday 2009-04-15 23:07, Eric Dumazet wrote:

quoted

Stephen Hemminger a écrit :

quoted

Looks like there is some recursive path into ip_tables that makes the
per-cpu spinlock break.  I get lockup's with KVM networking.

Suggestions?

Well, it seems original patch was not so bad after all

http://lists.netfilter.org/pipermail/netfilter-devel/2006-January/023175.html

So change per-cpu spinlocks to per-cpu rwlocks 
and use read_lock() in ipt_do_table() to allow recursion...

iptables cannot quite recurse into itself due to the comefrom stuff.

Actually it can by using the REJECT target:

Yes, but it has to return an absolute verdict (which REJECT does),
so it's not really a recursion, it's more like a goto without return.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html