dos: Exclude known relays from client connection count

This is to avoid positively identifying Exit relays if tor client connection
comes from them that is reentering the network.

One thing to note is that this is done only in the DoS subsystem but we'll
still add it to the geoip cache as a "client" seen. This is done that way so
to avoid as much as possible changing the current behavior of the geoip client
cache since this is being backported.

Closes #25193

Signed-off-by: David Goulet <dgoulet@torproject.org>

diff --git a/src/or/dos.c b/src/or/dos.c
index 88f1351a3f8af84540de1300b9147274798fb3c1..9e8a7a9abe39d66bae6ad3a50fd7dbbbc3cb4c53 100644 (file)
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -14,6 +14,7 @@
 #include "geoip.h"
 #include "main.h"
 #include "networkstatus.h"
+#include "nodelist.h"
 #include "router.h"
 
 #include "dos.h"
@@ -664,6 +665,14 @@ dos_new_client_conn(or_connection_t *or_conn)
     goto end;
   }
 
+  /* We ignore any known address meaning an address of a known relay. The
+   * reason to do so is because network reentry is possible where a client
+   * connection comes from an Exit node. Even when we'll fix reentry, this is
+   * a robust defense to keep in place. */
+  if (nodelist_probably_contains_address(&or_conn->real_addr)) {
+    goto end;
+  }
+
   /* We are only interested in client connection from the geoip cache. */
   entry = geoip_lookup_client(&or_conn->real_addr, NULL,
                               GEOIP_CLIENT_CONNECT);