dirauth: Add a AuthDirVoteGuard to pin Guard flags

Related to #40652

Signed-off-by: David Goulet <dgoulet@torproject.org>

4 files changed, 30 insertions, 0 deletions

diff --git a/changes/ticket40652 b/changes/ticket40652
new file mode 100644
index 0000000000..2b9f2ee1cb
--- /dev/null
+++ b/changes/ticket40652
@@ -0,0 +1,5 @@
+  o Minor features (dirauth):
+    - Add an AuthDirVoteGuard torrc option that can allow authorities to assign
+      the Guard flag to the given fingerprints/country code/IPs. This is a
+      needed feature mostly for defense purposes in case a DoS hits the network
+      and relay start losing the Guard flags too fast. Closes ticket 40652.
diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt
index 1814801b71..ba7cdbabc8 100644
--- a/doc/man/tor.1.txt
+++ b/doc/man/tor.1.txt
@@ -3229,6 +3229,11 @@ on the public Tor network.
     If set to 0, we vote Running for every relay, and don't perform
     these tests. (Default: 1)
 
+[[AuthDirVoteGuard]] **AuthDirVoteGuard** __node__,__node__,__...__::
+    A list of identity fingerprints or country codes or address patterns of
+    nodes to vote Guard for regardless of their uptime and bandwidth. See
+    <<ExcludeNodes,ExcludeNodes>> for more information on how to specify nodes.
+
 [[BridgePassword]] **BridgePassword** __Password__::
     If set, contains an HTTP authenticator that tells a bridge authority to
     serve all requested bridge information. Used by the (only partially
diff --git a/src/feature/dirauth/dirauth_options.inc b/src/feature/dirauth/dirauth_options.inc
index 4fd07a8859..146dc7254c 100644
--- a/src/feature/dirauth/dirauth_options.inc
+++ b/src/feature/dirauth/dirauth_options.inc
@@ -76,6 +76,9 @@ CONF_VAR(RecommendedClientVersions, LINELIST, 0, NULL)
 /** Which versions of tor should we tell users to run on relays? */
 CONF_VAR(RecommendedServerVersions, LINELIST, 0, NULL)
 
+/** Relays which should be voted Guard regardless of uptime and bandwidth. */
+CONF_VAR(AuthDirVoteGuard, ROUTERSET, 0, NULL)
+
 /** If an authority has been around for less than this amount of time, it
  * does not believe its reachability information is accurate.  Only
  * altered on testing networks. */
diff --git a/src/feature/dirauth/voteflags.c b/src/feature/dirauth/voteflags.c
index 9aefc6c5b4..52b84a9d89 100644
--- a/src/feature/dirauth/voteflags.c
+++ b/src/feature/dirauth/voteflags.c
@@ -573,6 +573,21 @@ should_publish_node_ipv6(const node_t *node, const routerinfo_t *ri,
      router_is_me(ri));
 }
 
+/** Set routerstatus flags based on the authority options. Same as the testing
+ * function but for the main network. */
+static void
+dirserv_set_routerstatus_flags(routerstatus_t *rs)
+{
+  const dirauth_options_t *options = dirauth_get_options();
+
+  tor_assert(rs);
+
+  /* Assign Guard flag to relays that can get it unconditionnaly. */
+  if (routerset_contains_routerstatus(options->AuthDirVoteGuard, rs, 0)) {
+    rs->is_possible_guard = 1;
+  }
+}
+
 /**
  * Extract status information from <b>ri</b> and from other authority
  * functions and store it in <b>rs</b>, as per
@@ -638,6 +653,8 @@ dirauth_set_routerstatus_from_routerinfo(routerstatus_t *rs,
 
   if (options->TestingTorNetwork) {
     dirserv_set_routerstatus_testing(rs);
+  } else {
+    dirserv_set_routerstatus_flags(rs);
   }
 }