Having looked at disassembly, the fault happens when accessing e->ip.invflags in ip_packet_match() inlined inside ipt_do_table().
e = private->entries[smp_processor_id()] + private->hook_entry[NF_IP_FORWARD]
smp_processor_id() should be 0 (since the oops appears to occur on cpu0) and presumably all the ipt_entry structures are static once set up. Since this crash happens on a common path in ipt_do_table(), and since it happens only after the system has been up a while (I believe?), it rather looks as though something has either corrupted a pointer or unmapped memory from under iptables' feet.
As the concerned user, what does this mean to me? Will it only affect SMP systems? Is it a bug in Xen or netfilter?
I'd just like to understand what is going on.
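The lookup discussed in the analysis above, as an added userspace example that is not kernel code and not from the original thread: it reproduces the `entries[cpu] + hook_entry[hook]` arithmetic and shows how a corrupted offset or cleared per-CPU pointer would surface at the first read of `ip.invflags`. All `model_*` names, the structure layouts and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_NR_CPUS  2
#define MODEL_NUMHOOKS 5
#define MODEL_FORWARD  2   /* stands in for NF_IP_FORWARD */

/* Simplified stand-ins for the kernel structures (assumed layout). */
struct model_ip    { uint32_t src, dst; uint8_t flags, invflags; };
struct model_entry { struct model_ip ip; uint16_t next_offset; };
struct model_table_info {
    unsigned int   size;                       /* bytes in each per-CPU copy */
    unsigned int   hook_entry[MODEL_NUMHOOKS]; /* byte offset of first rule  */
    unsigned char *entries[MODEL_NR_CPUS];     /* one rule blob per CPU      */
};

/* Same arithmetic as the expression above, but returns NULL instead of a
 * pointer that would fault (or read garbage) when ->ip.invflags is touched. */
const struct model_entry *model_first_entry(const struct model_table_info *p,
                                            unsigned int cpu, unsigned int hook)
{
    if (cpu >= MODEL_NR_CPUS || hook >= MODEL_NUMHOOKS)
        return NULL;
    if (p->entries[cpu] == NULL)               /* per-CPU pointer cleared */
        return NULL;
    unsigned int off = p->hook_entry[hook];
    if (off > p->size || p->size - off < sizeof(struct model_entry))
        return NULL;                           /* offset points outside blob */
    return (const struct model_entry *)(p->entries[cpu] + off);
}

/* Constructed table: fault 0 = intact, 1 = corrupted offset, 2 = NULL blob. */
int model_demo(int fault)
{
    static struct model_entry rules[4];        /* constructed rule blob */
    struct model_table_info t;
    memset(&t, 0, sizeof t);
    memset(rules, 0, sizeof rules);
    rules[1].ip.invflags = 0x08;               /* constructed sample value */
    t.size = sizeof rules;
    t.entries[0] = (unsigned char *)rules;
    t.hook_entry[MODEL_FORWARD] = sizeof(struct model_entry);
    if (fault == 1) t.hook_entry[MODEL_FORWARD] = 0x7fffffffu;
    if (fault == 2) t.entries[0] = NULL;
    const struct model_entry *e = model_first_entry(&t, 0, MODEL_FORWARD);
    return e ? e->ip.invflags : -1;            /* -1: lookup was rejected */
}
```

A check like this catches a bad offset or a NULL pointer, but not a stale non-NULL pointer whose backing memory has been unmapped, which is the other possibility the analysis raises.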