From 16a292fb30b20904463bf7ce00b3d596edb2691d Mon Sep 17 00:00:00 2001
From: Auke Kok
Date: Mon, 5 May 2025 08:11:21 -0700
Subject: [PATCH] Do not fence connections without valid greeting.

There is no reason to fence any connection that hasn't sent a valid greeting, since they haven't progressed far enough for it to make sense. We remove the connection from the list of accepted clients, which then removes the need for fencing, and the server won't need to restart. Adds a test script that makes sure that we didn't actually restart the server while this was happening.

Signed-off-by: Auke Kok
---
 kmod/src/net.c | 11 +++++++++++
 tests/golden/portscan | 7 +++++++
 tests/sequence | 1 +
 tests/tests/portscan.sh | 24 ++++++++++++++++++++++++
 4 files changed, 43 insertions(+)
 create mode 100644 tests/golden/portscan
 create mode 100644 tests/tests/portscan.sh

diff --git a/kmod/src/net.c b/kmod/src/net.c
index 613cf169..fdf335e0 100644
--- a/kmod/src/net.c
+++ b/kmod/src/net.c
@@ -1278,6 +1278,17 @@ restart: set_conn_fl(acc, reconn_freeing); spin_unlock(&conn->lock); if (!test_conn_fl(conn, shutting_down)) { + /* + * If we haven't seen a vg for this connection, don't bother fencing + * it - instead just drop it. If this was a real client, it will try + * again to connect. + */ + if (!test_conn_fl(acc, valid_greeting)) { + /* delete the conn */ + list_del_init(&acc->accepted_head); + goto restart; + } + + scoutfs_info(sb, "client "SIN_FMT" reconnect timed out, fencing", SIN_ARG(&acc->last_peername)); ret = scoutfs_fence_start(sb, acc->rid,
diff --git a/tests/golden/portscan b/tests/golden/portscan
new file mode 100644
index 00000000..4b7509b2
--- /dev/null
+++ b/tests/golden/portscan
@@ -0,0 +1,7 @@
+== empty packets
+Ncat: Connection refused.
+Ncat: Connection refused.
+== find portscan in connections
+
+== find portscan in connections
+
diff --git a/tests/sequence b/tests/sequence
index 18eff7cf..17ed27e3 100644
--- a/tests/sequence
+++ b/tests/sequence
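Review bot: `list_del_init(&acc->accepted_head)` in the new `!valid_greeting` branch runs after the `spin_unlock(&conn->lock)` shown just above it, so the accepted list is edited without the lock the surrounding code appears to use for it; wrapping it as `spin_lock(&conn->lock); list_del_init(&acc->accepted_head); spin_unlock(&conn->lock);` would keep the removal consistent with other users of the list. The branch also leaves through `goto restart` after only unlinking `acc`, which by then has `reconn_freeing` set: if the teardown for `acc` sits after this `if` block (outside the hunk), it is skipped and the connection's resources are never released, on a path any peer can reach before sending a greeting. A rate-limited info log of the dropped peer address in this branch would also leave operators a record of such connections. The enclosing function starts and ends outside the hunk.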
@@ -57,4 +57,5 @@ archive-light-cycle.sh
 block-stale-reads.sh
 inode-deletion.sh
 renameat2-noreplace.sh
+portscan.sh
 xfstests.sh
diff --git a/tests/tests/portscan.sh b/tests/tests/portscan.sh
new file mode 100644
index 00000000..f3ed2910
--- /dev/null
+++ b/tests/tests/portscan.sh
@@ -0,0 +1,24 @@
+#
+# portscan tests - assure malformed packets do not cause issues
+#
+
+t_require_commands scoutfs nc
+
+echo "== empty packets"
+sleep 1
+echo " " | nc -p 33033 127.0.0.1 42000
+echo " " | nc -p 33133 127.0.0.1 42001
+echo " " | nc -p 33233 127.0.0.1 42002
+
+echo "== find portscan in connections"
+L=$(grep 'peer 127.0.0.1:33.33' /sys/kernel/debug/scoutfs/*/connections)
+echo $L
+
+# wait for fencing timeout (20s)
+sleep 30
+
+echo "== find portscan in connections"
+L=$(grep 'peer 127.0.0.1:33.33' /sys/kernel/debug/scoutfs/*/connections)
+echo $L
+
+t_pass
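Review bot: Nothing in the script checks that fencing or a server restart did not happen: both `grep` results are only echoed, and the golden file expects them empty, which would also hold if the connection had been fenced and then removed. A check after the `sleep 30` that the server never logged `reconnect timed out, fencing` for the test's peer addresses would pin the behaviour the commit message describes. The expected output also depends on `nc` being Ncat and on exactly one of ports 42000-42002 listening (the golden file has two `Ncat: Connection refused.` lines for three connects), so the refusal lines are better filtered out or the ports taken from the harness configuration. `echo $L` should be `echo "$L"` so matched lines are not word-split.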