dirauth: Add a AuthDirVoteGuard to pin Guard flags

Related to #40652

Signed-off-by: David Goulet <dgoulet@torproject.org>

changes/ticket40652

@@ -0,0 +1,5 @@
+  o Minor features (dirauth):
+    - Add an AuthDirVoteGuard torrc option that can allow authorities to assign
+      the Guard flag to the given fingerprints/country code/IPs. This is a
+      needed feature mostly for defense purposes in case a DoS hits the network
+      and relay start losing the Guard flags too fast. Closes ticket 40652.

doc/man/tor.1.txt

@@ -3229,6 +3229,11 @@ on the public Tor network.
     If set to 0, we vote Running for every relay, and don't perform
     these tests. (Default: 1)
 
+[[AuthDirVoteGuard]] **AuthDirVoteGuard** __node__,__node__,__...__::
+    A list of identity fingerprints or country codes or address patterns of
+    nodes to vote Guard for regardless of their uptime and bandwidth. See
+    <<ExcludeNodes,ExcludeNodes>> for more information on how to specify nodes.
+
 [[BridgePassword]] **BridgePassword** __Password__::
     If set, contains an HTTP authenticator that tells a bridge authority to
     serve all requested bridge information. Used by the (only partially

src/feature/dirauth/dirauth_options.inc

@@ -76,6 +76,9 @@ CONF_VAR(RecommendedClientVersions, LINELIST, 0, NULL)
 /** Which versions of tor should we tell users to run on relays? */
 CONF_VAR(RecommendedServerVersions, LINELIST, 0, NULL)
 
+/** Relays which should be voted Guard regardless of uptime and bandwidth. */
+CONF_VAR(AuthDirVoteGuard, ROUTERSET, 0, NULL)
+
 /** If an authority has been around for less than this amount of time, it
  * does not believe its reachability information is accurate.  Only
  * altered on testing networks. */

src/feature/dirauth/voteflags.c

@@ -573,6 +573,21 @@ should_publish_node_ipv6(const node_t *node, const routerinfo_t *ri,
      router_is_me(ri));
 }
 
+/** Set routerstatus flags based on the authority options. Same as the testing
+ * function but for the main network. */
+static void
+dirserv_set_routerstatus_flags(routerstatus_t *rs)
+{
+  const dirauth_options_t *options = dirauth_get_options();
+
+  tor_assert(rs);
+
+  /* Assign Guard flag to relays that can get it unconditionnaly. */
+  if (routerset_contains_routerstatus(options->AuthDirVoteGuard, rs, 0)) {
+    rs->is_possible_guard = 1;
+  }
+}
+
 /**
  * Extract status information from <b>ri</b> and from other authority
  * functions and store it in <b>rs</b>, as per
@@ -638,6 +653,8 @@ dirauth_set_routerstatus_from_routerinfo(routerstatus_t *rs,
 
   if (options->TestingTorNetwork) {
     dirserv_set_routerstatus_testing(rs);
+  } else {
+    dirserv_set_routerstatus_flags(rs);
   }
 }