151 /*
152 * No need to check for duplicate as this is the listener
153 * and we are holding the lock. This means that no new
154 * connection can be created out of it. And since the
155 * fanout already done cannot find a match, it means that
156 * there is no duplicate.
157 */
158 ASSERT(OK_32PTR(mp->b_rptr));
159
160 connp = sctp->sctp_connp;
161 sctps = sctp->sctp_sctps;
162
163 /*
164 * Enforce the limit set on the number of connections per listener.
165 * Note that tlc_cnt starts with 1. So need to add 1 to tlc_max
166 * for comparison.
167 */
168 if (slc != NULL) {
169 int64_t now;
170
171 if (atomic_add_32_nv(&slc->slc_cnt, 1) > slc->slc_max + 1) {
172 now = ddi_get_lbolt64();
173 atomic_add_32(&slc->slc_cnt, -1);
174 SCTP_KSTAT(sctps, sctp_listen_cnt_drop);
175 slc->slc_drop++;
176 if (now - slc->slc_report_time >
177 MSEC_TO_TICK(SCTP_SLC_REPORT_INTERVAL)) {
178 zcmn_err(connp->conn_zoneid, CE_WARN,
179 "SCTP listener (port %d) association max "
180 "(%u) reached: %u attempts dropped total\n",
181 ntohs(connp->conn_lport),
182 slc->slc_max, slc->slc_drop);
183 slc->slc_report_time = now;
184 }
185 return (NULL);
186 }
187 slc_set = B_TRUE;
188 }
189
190 if ((eager = sctp_create_eager(sctp)) == NULL) {
191 if (slc_set)
192 atomic_add_32(&slc->slc_cnt, -1);
193 return (NULL);
194 }
195 econnp = eager->sctp_connp;
196
197 if (connp->conn_policy != NULL) {
198 /* Inherit the policy from the listener; use actions from ira */
199 if (!ip_ipsec_policy_inherit(econnp, connp, ira)) {
200 sctp_close_eager(eager);
201 SCTPS_BUMP_MIB(sctps, sctpListenDrop);
202 return (NULL);
203 }
204 }
205
206 ip6h = (ip6_t *)mp->b_rptr;
207 if (ira->ira_flags & IXAF_IS_IPV4) {
208 ipha_t *ipha;
209
210 ipha = (ipha_t *)ip6h;
211 IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &laddr);
212 IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &faddr);
|
151 /*
152 * No need to check for duplicate as this is the listener
153 * and we are holding the lock. This means that no new
154 * connection can be created out of it. And since the
155 * fanout already done cannot find a match, it means that
156 * there is no duplicate.
157 */
158 ASSERT(OK_32PTR(mp->b_rptr));
159
160 connp = sctp->sctp_connp;
161 sctps = sctp->sctp_sctps;
162
163 /*
164 * Enforce the limit set on the number of connections per listener.
165 * Note that tlc_cnt starts with 1. So need to add 1 to tlc_max
166 * for comparison.
167 */
168 if (slc != NULL) {
169 int64_t now;
170
171 if (atomic_inc_32_nv(&slc->slc_cnt) > slc->slc_max + 1) {
172 now = ddi_get_lbolt64();
173 atomic_dec_32(&slc->slc_cnt);
174 SCTP_KSTAT(sctps, sctp_listen_cnt_drop);
175 slc->slc_drop++;
176 if (now - slc->slc_report_time >
177 MSEC_TO_TICK(SCTP_SLC_REPORT_INTERVAL)) {
178 zcmn_err(connp->conn_zoneid, CE_WARN,
179 "SCTP listener (port %d) association max "
180 "(%u) reached: %u attempts dropped total\n",
181 ntohs(connp->conn_lport),
182 slc->slc_max, slc->slc_drop);
183 slc->slc_report_time = now;
184 }
185 return (NULL);
186 }
187 slc_set = B_TRUE;
188 }
189
190 if ((eager = sctp_create_eager(sctp)) == NULL) {
191 if (slc_set)
192 atomic_dec_32(&slc->slc_cnt);
193 return (NULL);
194 }
195 econnp = eager->sctp_connp;
196
197 if (connp->conn_policy != NULL) {
198 /* Inherit the policy from the listener; use actions from ira */
199 if (!ip_ipsec_policy_inherit(econnp, connp, ira)) {
200 sctp_close_eager(eager);
201 SCTPS_BUMP_MIB(sctps, sctpListenDrop);
202 return (NULL);
203 }
204 }
205
206 ip6h = (ip6_t *)mp->b_rptr;
207 if (ira->ira_flags & IXAF_IS_IPV4) {
208 ipha_t *ipha;
209
210 ipha = (ipha_t *)ip6h;
211 IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &laddr);
212 IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &faddr);
|