Le samedi 30 janvier 2010 à 02:36 -0500, Jon Masters a écrit :

I'll play later. Right now, I'm looking over every iptables/ip call
libvirt makes - it explicitly plays with the netns for the loopback,
which looks interesting. Supposing it does cause the hashtables to get
unintentionally zereod or the sizing to get wiped out, we should also
nonetheless catch the case that the hash function generates a whacko
number or that the hash size is set to zero when we want to use it.

I asked you if you had multiple namespaces, because I was not sure
conntracking hash was global (shared by all namespaces), or local.

If it is local, then we have a bug, because nf_conntrack_cachep 
is still shared.

Because of SLAB_DESTROY_BY_RCU constraint, we must use a distinct
cachep, or an object can be freed from a namespace and immediatly reused
into another namespace, without lookups being able to notice.