frag6: check global limits before hash and lock

Check whether we are accepting more fragments (based on global limits)
before doing expensive operations of calculating the hash and taking the
bucket lock.   This slightly increases a "race" between check time and
incrementing counters (which is already there) possibly allowing a few
more fragments than the maximum limits.  However, when under attack,
we rather save this CPU time for other packets/work.

MFC after:		3 weeks
Sponsored by:		Netflix

sys/netinet6/frag6.c

@@ -458,6 +458,16 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 		return (IPPROTO_DONE);
 	}
 
+	/*
+	 * Enforce upper bound on number of fragments for the entire system.
+	 * If maxfrag is 0, never accept fragments.
+	 * If maxfrag is -1, accept all fragments without limitation.
+	 */
+	if (ip6_maxfrags < 0)
+		;
+	else if (atomic_load_int(&frag6_nfrags) >= (u_int)ip6_maxfrags)
+		goto dropfrag2;
+
 	/* Store receive network interface pointer for later. */
 	srcifp = m->m_pkthdr.rcvif;
 
@@ -473,16 +483,6 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	IP6QB_LOCK(bucket);
 	head = IP6QB_HEAD(bucket);
 
-	/*
-	 * Enforce upper bound on number of fragments for the entire system.
-	 * If maxfrag is 0, never accept fragments.
-	 * If maxfrag is -1, accept all fragments without limitation.
-	 */
-	if (ip6_maxfrags < 0)
-		;
-	else if (atomic_load_int(&frag6_nfrags) >= (u_int)ip6_maxfrags)
-		goto dropfrag;
-
 	TAILQ_FOREACH(q6, head, ip6q_tq)
 		if (ip6f->ip6f_ident == q6->ip6q_ident &&
 		    IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &q6->ip6q_src) &&
@@ -825,6 +825,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 
 dropfrag:
 	IP6QB_UNLOCK(bucket);
+dropfrag2:
 	in6_ifstat_inc(dstifp, ifs6_reass_fail);
 	IP6STAT_INC(ip6s_fragdropped);
 	m_freem(m);