Good evening, the last two days we have experienced panics sequentially across all of our peering boxes. After one day of coffee, thinking and reading, I found this in 4.9. (5.0+ looks good):
target49# ifconfig vlan69 vlan69: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:0c:29:38:f3:c5 priority: 0 vlan: 69 priority: 0 parent interface: em1 groups: vlan status: active inet6 fe80::20c:29ff:fe38:f3c5%vlan69 prefixlen 64 scopeid 0x5 inet 192.168.69.49 netmask 0xffffff00 broadcast 192.168.69.255 target49# cat /etc/pf.conf set skip on lo set reassemble no block in log quick target49# sender51# tcpdump -n -i vlan69 -v tcpdump: listening on vlan69, link-type EN10MB tcpdump: WARNING: compensating for unaligned libpcap packets 20:55:58.958739 192.168.69.1.10562 > 192.168.69.49.1234: udp 2000 (frag 58745:1480@0+) (ttl 64, len 1500) 20:55:58.958745 192.168.69.1 > 192.168.69.49: (frag 58745:528@1480) (ttl 64, len 548) ^C Mar 20 20:57:17 target49 /bsd: uvm_fault(0xffffffff80d1b0e0, 0x0, 0, 1) -> e Mar 20 20:57:17 target49 /bsd: fatal page fault in supervisor mode Mar 20 20:57:17 target49 /bsd: trap type 6 code 0 rip ffffffff80245557 cs 8 rflags 10246 cr2 0 cpl 5 rsp ffff80000bba0b40 Mar 20 20:57:17 target49 /bsd: panic: trap type 6, code=0, pc=ffffffff80245557 Mar 20 20:57:17 target49 /bsd: Starting stack trace... Mar 20 20:57:17 target49 /bsd: panic() at panic+0xf5 Mar 20 20:57:17 target49 /bsd: trap() at trap+0x6fd Mar 20 20:57:17 target49 /bsd: --- trap (number 6) --- Mar 20 20:57:17 target49 /bsd: pf_change_ap() at pf_change_ap+0x57 Mar 20 20:57:18 target49 /bsd: pf_translate() at pf_translate+0x27d Mar 20 20:57:18 target49 /bsd: pflog_bpfcopy() at pflog_bpfcopy+0x233 Mar 20 20:57:18 target49 /bsd: bpf_catchpacket() at bpf_catchpacket+0xd8 Mar 20 20:57:18 target49 /bsd: bpf_mtap_pflog() at bpf_mtap_pflog+0x8f Mar 20 20:57:18 target49 /bsd: pflog_packet() at pflog_packet+0x223 Mar 20 20:57:18 target49 /bsd: pf_test_fragment() at pf_test_fragment+0x502 Mar 20 20:57:18 target49 /bsd: pf_test() at pf_test+0x7ef Mar 20 20:57:18 target49 /bsd: ipv4_input() at ipv4_input+0x22a Mar 20 20:57:18 target49 /bsd: ipintr() at ipintr+0x51 Mar 20 20:57:18 target49 /bsd: netintr() at netintr+0xda Mar 20 20:57:18 target49 /bsd: softintr_dispatch() at softintr_dispatch+0x5d Mar 20 20:57:18 target49 /bsd: Xsoftnet() at Xsoftnet+0x28 Mar 20 20:57:18 target49 /bsd: --- interrupt --- Mar 20 20:57:18 target49 /bsd: end of kernel Mar 20 20:57:18 target49 /bsd: end trace frame: 0x6a7, count: 242 Mar 20 20:57:18 target49 /bsd: 0x8: Mar 20 20:57:18 target49 /bsd: End of stack trace. Mar 20 20:57:18 target49 /bsd: End of stack trace. Mar 20 20:57:18 target49 /bsd: dump to dev 4,1 not possible Mar 20 20:57:18 target49 /bsd: rebooting... Ignore the timestamps, the box panics immediately after getting the fragmented packet. I could reproduce it on vmware 4.9-stable with GENERIC/GENERIC.MP, so no dmesg attached. Regards Tony