Do not fence connections without valid greeting.

There is no reason to fence any connection that hasn't sent a valid greeting, since they haven't progressed far enough for it to make sense. We remove the connection from the list of accepted clients, which then removes the need for fencing, and the server won't need to restart. Adds a test script that makes sure that we didn't actually restart the server while this was happening. Signed-off-by: Auke Kok <auke.kok@versity.com>
2025-12-23 05:25:18 +00:00 · 2025-05-05 08:11:21 -07:00
parent 9741d40e10
commit 16a292fb30
4 changed files with 43 additions and 0 deletions
--- a/kmod/src/net.c
+++ b/kmod/src/net.c
@@ -1278,6 +1278,17 @@ restart:
 			set_conn_fl(acc, reconn_freeing);
 			spin_unlock(&conn->lock);
 			if (!test_conn_fl(conn, shutting_down)) {
+				/*
+				 * If we haven't seen a vg for this connection, don't bother fencing
+				 * it - instead just drop it. If this was a real client, it will try
+				 * again to connect.
+				 */
+				if (!test_conn_fl(acc, valid_greeting)) {
+					/* delete the conn */
+					list_del_init(&acc->accepted_head);
+					goto restart;
+				}
+
 				scoutfs_info(sb, "client "SIN_FMT" reconnect timed out, fencing",
 					     SIN_ARG(&acc->last_peername));
 				ret = scoutfs_fence_start(sb, acc->rid,
--- a/tests/golden/portscan
+++ b/tests/golden/portscan
@@ -0,0 +1,7 @@
+== empty packets
+Ncat: Connection refused.
+Ncat: Connection refused.
+== find portscan in connections
+
+== find portscan in connections
+
--- a/tests/sequence
+++ b/tests/sequence
@@ -57,4 +57,5 @@ archive-light-cycle.sh
 block-stale-reads.sh
 inode-deletion.sh
 renameat2-noreplace.sh
+portscan.sh
 xfstests.sh
--- a/tests/tests/portscan.sh
+++ b/tests/tests/portscan.sh
@@ -0,0 +1,24 @@
+#
+# portscan tests - assure malformed packets do not cause issues
+#
+
+t_require_commands scoutfs nc
+
+echo "== empty packets"
+sleep 1
+echo "    " | nc -p 33033 127.0.0.1 42000
+echo "    " | nc -p 33133 127.0.0.1 42001
+echo "    " | nc -p 33233 127.0.0.1 42002
+
+echo "== find portscan in connections"
+L=$(grep 'peer 127.0.0.1:33.33' /sys/kernel/debug/scoutfs/*/connections)
+echo $L
+
+# wait for fencing timeout (20s)
+sleep 30
+
+echo "== find portscan in connections"
+L=$(grep 'peer 127.0.0.1:33.33' /sys/kernel/debug/scoutfs/*/connections)
+echo $L
+
+t_pass