Diffstat (limited to 'src/core/or/dos_options.inc')
-rw-r--r--src/core/or/dos_options.inc59
1 files changed, 59 insertions, 0 deletions
diff --git a/src/core/or/dos_options.inc b/src/core/or/dos_options.inc
new file mode 100644
index 0000000000..9baa7a35b8
--- /dev/null
+++ b/src/core/or/dos_options.inc
@@ -0,0 +1,59 @@
+/* Copyright (c) 2021, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * @file dos_options.inc
+ * @brief Declare configuration options for the DoS module.
+ **/
+
+BEGIN_CONF_STRUCT(dos_options_t)
+
+/** Autobool: Is the DoS connection mitigation subsystem enabled? */
+CONF_VAR(DoSConnectionEnabled, AUTOBOOL, 0, "auto")
+
+/** Autobool: Is the circuit creation DoS mitigation subsystem enabled? */
+CONF_VAR(DoSCircuitCreationEnabled, AUTOBOOL, 0, "auto")
+
+/** Minimum concurrent connection needed from one single address before any
+ * defense is used. */
+CONF_VAR(DoSCircuitCreationMinConnections, POSINT, 0, "0")
+
+/** Circuit rate used to refill the token bucket. */
+CONF_VAR(DoSCircuitCreationRate, POSINT, 0, "0")
+
+/** Maximum allowed burst of circuits. Reaching that value, the address is
+ * detected as malicious and a defense might be used. */
+CONF_VAR(DoSCircuitCreationBurst, POSINT, 0, "0")
+
+/** When an address is marked as malicious, what defense should be used
+ * against it. See the dos_cc_defense_type_t enum. */
+CONF_VAR(DoSCircuitCreationDefenseType, INT, 0, "0")
+
+/** For how much time (in seconds) the defense is applicable for a malicious
+ * address. A random time delta is added to the defense time of an address
+ * which will be between 1 second and half of this value. */
+CONF_VAR(DoSCircuitCreationDefenseTimePeriod, INTERVAL, 0, "0")
+
+/** Maximum concurrent connection allowed per address. */
+CONF_VAR(DoSConnectionMaxConcurrentCount, POSINT, 0, "0")
+
+/** When an address is reaches the maximum count, what defense should be
+ * used against it. See the dos_conn_defense_type_t enum. */
+CONF_VAR(DoSConnectionDefenseType, INT, 0, "0")
+
+/** Autobool: Do we refuse single hop client rendezvous? */
+CONF_VAR(DoSRefuseSingleHopClientRendezvous, AUTOBOOL, 0, "auto")
+
+/** Allowed burst of client connection allowed per address. */
+CONF_VAR(DoSConnectionConnectBurst, POSINT, 0, "0")
+
+/** Allowed rate of client connection allowed per address. */
+CONF_VAR(DoSConnectionConnectRate, POSINT, 0, "0")
+
+/** For how much time (in seconds) the connection connect rate defense is
+* applicable for a malicious address. A random time delta is added to the
+* defense time of an address which will be between 1 second and half of this
+* value. */
+CONF_VAR(DoSConnectionConnectDefenseTimePeriod, INTERVAL, 0, "0")
+
+END_CONF_STRUCT(dos_options_t)
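Review bot: `DoSCircuitCreationDefenseType` and `DoSConnectionDefenseType` are declared as plain `INT` and their comments only point at the enums, so nothing in this file stops a torrc from setting a negative or out-of-enum value. Whether the code that reads these options bounds them is not visible in this hunk and should be confirmed; if it does not, option validation should reject values outside the enum. The comments should also state the accepted range, for example `/** ... Must be one of the dos_cc_defense_type_t values; anything else is rejected. */`. Every numeric option also defaults to "0" without saying what 0 means (mitigation off, or fall back to another source such as a consensus parameter), which an operator needs to know for `DoSCircuitCreationBurst` and the two `*DefenseTimePeriod` options, whose "between 1 second and half of this value" wording is undefined at 0. Minor: "When an address is reaches the maximum count" should read "When an address reaches the maximum count", and the last comment block is missing the space before each continuation `*`.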