aboutsummaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorDavid Goulet <dgoulet@torproject.org>2020-01-28 09:39:09 -0500
committerDavid Goulet <dgoulet@torproject.org>2020-02-11 09:58:28 -0500
commit6d9113d2f65b6e3142efdaa91a5b4761cd197be8 (patch)
tree35f3ca2ecc4a322905dc0b3127716a4acfab87f7 /src/core
parent735aa208b1592e166d03ec96e90422293d26b98a (diff)
downloadtor-6d9113d2f65b6e3142efdaa91a5b4761cd197be8.tar.gz
tor-6d9113d2f65b6e3142efdaa91a5b4761cd197be8.zip
dirauth: Resume sending 503 directory error code
Authorities were never sending back 503 error code because by design they should be able to always answer directory requests regardless of bandwidth capacity. However, that recently backfired because of a large number of requests from unknown source using the DirPort that are _not_ getting their 503 code which overloaded the DirPort leading to the authority to be unable to answer to its fellow authorities. This is not a complete solution to the problem but it will help ease off the load on the authority side by sending back 503 codes *unless* the connection is from a known relay or an authority. Fixes #33029 Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/core')
-rw-r--r--src/core/mainloop/connection.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c
index a157c0f3fb..50cd3810a4 100644
--- a/src/core/mainloop/connection.c
+++ b/src/core/mainloop/connection.c
@@ -3211,8 +3211,21 @@ connection_dir_is_global_write_low(const connection_t *conn, size_t attempt)
size_t smaller_bucket =
MIN(token_bucket_rw_get_write(&global_bucket),
token_bucket_rw_get_write(&global_relayed_bucket));
- if (authdir_mode(get_options()))
- return false; /* there's always room to answer v2 if we're an auth dir */
+
+ /* Special case for authorities (directory only). */
+ if (authdir_mode_v3(get_options())) {
+ /* Are we configured to possibly reject requests under load? */
+ if (!get_options()->AuthDirRejectRequestsUnderLoad) {
+ /* Answer request no matter what. */
+ return false;
+ }
+ /* Always answer requests from a known relay which includes the other
+ * authorities. The following looks up the addresses for relays that we
+ * have their descriptor _and_ any configured trusted directories. */
+ if (nodelist_probably_contains_address(&conn->addr)) {
+ return false;
+ }
+ }
if (!connection_is_rate_limited(conn))
return false; /* local conns don't get limited */