On 2012/12/25 15:25, canqun zhang wrote:
> Hi Gao feng
> The stack information is as follows. The kernel will panic because the
> nf_ct_destroy is NULL.
>
> Reproduction:
> (1) starting a lxc container
> (2) iptables -t nat -A POSTROUTING -s 10.48.254.18 -o eth1 -j MASQUERADE (run it on host machine)
> (3) /etc/ini.d/iptables save (run it on host machine)
> (4) /etc/init.d/iptables restart (run it on host machine)
> Thanks!

It seems that nf_conntrack_l[3,4]proto_unregister doesn't make sure the nf_conns of the proto being destroyed.
If I'm right, there is another problem even after your fix for this panic problem.

The l3/l4proto will be unregistered before all of its nf_conns have been destroyed. So even if nf_ct_destroy is not NULL, in destroy_conntrack we are not able to find the right l4proto; the l4proto->destroy will be incorrect, and resources will not be released correctly.

So I think the root problem is that we do register/unregister, set/unset both on the first net (init_net). Maybe it's better to do register/set on the first net, and do unregister/unset on the last net.
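The lifetime problem described in the reply, as an added teaching model that is not code from this thread or from the kernel: a protocol handler shared by several "nets" is unregistered when the first net tears down, while a connection in another net still points at it, so the connection's destroy hook is NULL when it is finally freed. The refcounted variant does what the reply suggests (register on the first net, unregister on the last). All names, the two-net scenario and the "rc = -1 instead of a NULL dereference" convention are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed teaching model, not kernel code: one protocol handler shared by
 * several "nets", and tracked connections that call the handler's destroy
 * hook when they are freed. */

#define MAX_CONNS 8

struct l4proto {
    const char *name;
    void (*destroy)(void);   /* NULL once the handler is unregistered */
};

struct conn {
    struct l4proto *proto;   /* handler this connection was created with */
    int net_id;              /* "net namespace" that owns the connection */
    int live;
};

static int released;         /* connections that ran a real destroy hook */
static void tcp_destroy(void) { released++; }

static struct l4proto tcp_proto;
static int proto_net_refs;   /* nets that currently have the handler registered */
static struct conn conns[MAX_CONNS];

static void model_reset(void) {
    released = 0;
    proto_net_refs = 0;
    tcp_proto.name = "tcp";
    tcp_proto.destroy = NULL;
    for (int i = 0; i < MAX_CONNS; i++) conns[i].live = 0;
}

/* Buggy variant: register/unregister only on the first net (init_net). */
static void proto_register_first_net(int net_id) {
    if (net_id == 0) tcp_proto.destroy = tcp_destroy;
}
static void proto_unregister_first_net(int net_id) {
    if (net_id == 0) tcp_proto.destroy = NULL;   /* other nets may still hold conns */
}

/* Fixed variant: register on the first net, unregister on the last. */
static void proto_register_refcounted(int net_id) {
    (void)net_id;
    if (proto_net_refs++ == 0) tcp_proto.destroy = tcp_destroy;
}
static void proto_unregister_refcounted(int net_id) {
    (void)net_id;
    if (--proto_net_refs == 0) tcp_proto.destroy = NULL;
}

static int conn_new(int slot, int net_id) {
    if (slot < 0 || slot >= MAX_CONNS || !tcp_proto.destroy) return -1;
    conns[slot].proto = &tcp_proto;
    conns[slot].net_id = net_id;
    conns[slot].live = 1;
    return 0;
}

/* Returns 0 on a clean teardown, -1 where the real kernel would hit a NULL
 * function pointer. */
static int conn_destroy(int slot) {
    struct conn *c = &conns[slot];
    if (!c->live) return -1;
    c->live = 0;
    if (!c->proto->destroy) return -1;   /* handler already unregistered */
    c->proto->destroy();
    return 0;
}

/* Scenario from the thread: two nets, the first tears down while the second
 * still has a tracked connection. Returns conn_destroy's result for the
 * orphaned connection. */
static int scenario(void (*reg)(int), void (*unreg)(int)) {
    model_reset();
    reg(0);                    /* init_net comes up */
    reg(1);                    /* container net comes up */
    conn_new(0, 1);            /* connection tracked in the container */
    unreg(0);                  /* init_net tears down first */
    int rc = conn_destroy(0);  /* container connection freed later */
    unreg(1);
    return rc;
}

int buggy_result(void)   { return scenario(proto_register_first_net, proto_unregister_first_net); }
int fixed_result(void)   { return scenario(proto_register_refcounted, proto_unregister_refcounted); }
int fixed_released(void) { fixed_result(); return released; }

int main(void) {
    int buggy = buggy_result();
    printf("unregister on first net: destroy rc=%d\n", buggy);
    int fixed = fixed_result();
    printf("unregister on last net:  destroy rc=%d, released=%d\n", fixed, released);
    return 0;
}
```

The refcount is the whole fix: the handler stays registered for as long as any net can still own a connection created under it, so a connection freed after the first net has gone still finds a valid destroy hook and releases its resources.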