Hi all As discussed above,if the host machine create several linux containers, there will be several net namespaces.Resources with "nf conntrack" are registered or unregistered on the first net namespace(init_net),But init_net is not unregistered lastly,so cleanuping other net namespaces will triger painic. If net namespaces are created with the order of 1,2,...n,they should be cleaned with the order of n,...2,1,so in this case init_net will be unregistered lastly. I fixed it up (see below) diff -r 6a1a258923f5 -r 2667e89e6f50 net/core/net_namespace.c --- a/net/core/net_namespace.c Fri Dec 28 11:01:17 2012 +0800 +++ b/net/core/net_namespace.c Fri Dec 28 11:05:12 2012 +0800 @@ -450,7 +450,7 @@ list_del(&ops->list); for_each_net(net) - list_add_tail(&net->exit_list, &net_exit_list); + list_add(&net->exit_list, &net_exit_list); ops_exit_list(ops, &net_exit_list); ops_free_list(ops, &net_exit_list); } 2012/12/25 canqun zhang <canqunzhang@xxxxxxxxx>: > Thanks for your suggestion,i will modify this patch and take tests. > > 2012/12/25 Gao feng <gaofeng@xxxxxxxxxxxxxx>: >> On 2012/12/25 15:25, canqun zhang wrote: >>> Hi Gao feng >>> The stack information is as follows. The kenel will panic because the >>> nf_ct_destroy is NULL. >>> >>> Reproduction: >>> (1) starting a lxc container >>> (2) iptables -t nat -A POSTROUTING -s 10.48.254.18 -o eth1 -j >>> MASQUERADE (run it on host machine) >>> (3) /etc/ini.d/iptables save (run it on host machine) >>> (4)/etc/init.d/iptables restart (run it on host machine) >>> >> >> Thanks! >> It seems that nf_conntrack_l[3,4]proto_unregister doesn't make sure >> nf_conns of the proto being destroyed. >> >> If I'm right, there is another problem even your fix this panic problem. >> the l3,14proto will be unregistered before all of it's nf_conns being destroyed. >> So even nf_ct_destroy is not NULL,in destroy_conntrack we are not able to >> find the right l4proto,the l4proto->destroy will be incorrect.resources will >> not be released correctly. >> >> So I think the root problem is we do register/unregister, set/unset both on the >> first net (init_net), Maybe it's better to do register set on the first net, and >> do unregister unset on the last net. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html