
dos: Make circuit rate limit per second, not tenths anymore

Because this touches too many commits at once, it is made into one single
commit.

Remove the use of "tenths" for the circuit rate to simplify things. We can
only refill the buckets at best once every second because of the use of
approx_time() and our token system is set to be 1 token = 1 circuit so make
the rate a flat integer of circuit per second.

Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet 6 years ago
parent
commit
e58a4fc6cf
5 changed files with 15 additions and 34 deletions
  1. 3 5
      doc/tor.1.txt
  2. 1 1
      src/or/config.c
  3. 8 24
      src/or/dos.c
  4. 1 1
      src/or/dos.h
  5. 2 3
      src/or/or.h

+ 3 - 5
doc/tor.1.txt

@@ -2466,12 +2466,10 @@ Denial of Service mitigation subsystem.
     parameter.
     (Default: 0)
 
-[[DoSCircuitCreationRateTenths]] **DoSCircuitCreationRateTenths** __NUM__::
+[[DoSCircuitCreationRate]] **DoSCircuitCreationRate** __NUM__::
 
-    The allowed circuit creation rate in tenths of circuit per second applied
-    per client IP address. For example, if you want to set a rate of 5
-    circuits per second allowed per IP address, this value should be set to
-    50. If this option is 0, it obeys a consensus parameter. (Default: 0)
+    The allowed circuit creation rate per second applied per client IP
+    address. If this option is 0, it obeys a consensus parameter. (Default: 0)
 
 [[DoSCircuitCreationBurst]] **DoSCircuitCreationBurst** __NUM__::
 

+ 1 - 1
src/or/config.c

@@ -245,7 +245,7 @@ static config_var_t option_vars_[] = {
   /* DoS circuit creation options. */
   V(DoSCircuitCreationEnabled,   AUTOBOOL, "auto"),
   V(DoSCircuitCreationMinConnections,      UINT, "0"),
-  V(DoSCircuitCreationRateTenths,          UINT, "0"),
+  V(DoSCircuitCreationRate,      UINT,     "0"),
   V(DoSCircuitCreationBurst,     UINT,     "0"),
   V(DoSCircuitCreationDefenseType,         INT,  "0"),
   V(DoSCircuitCreationDefenseTimePeriod,   INTERVAL, "0"),
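Review bot: Removing `DoSCircuitCreationRateTenths` from option_vars_ with no replacement entry leaves two migration hazards for operators. A torrc that still sets the old name will presumably be rejected as an unknown option. An operator who only renames the line keeps the old number and gets a limit ten times looser (50 used to mean 5 circuits per second and now means 50). If the old name appeared in any released version, an `OBSOLETE("DoSCircuitCreationRateTenths")` entry and a changes-file line about the unit change would make the migration explicit; if it never shipped, nothing is needed. The table continues outside the hunk.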

+ 8 - 24
src/or/dos.c

@@ -31,7 +31,7 @@ static unsigned int dos_cc_enabled = 0;
 /* Consensus parameters. They can be changed when a new consensus arrives.
  * They are initialized with the hardcoded default values. */
 static uint32_t dos_cc_min_concurrent_conn;
-static uint32_t dos_cc_circuit_rate_tenths;
+static uint32_t dos_cc_circuit_rate;
 static uint32_t dos_cc_circuit_burst;
 static dos_cc_defense_type_t dos_cc_defense_type;
 static int32_t dos_cc_defense_time_period;
@@ -93,14 +93,14 @@ get_param_cc_min_concurrent_connection(const networkstatus_t *ns)
 /* Return the parameter for the time rate that is how many circuits over this
  * time span. */
 static uint32_t
-get_param_cc_circuit_rate_tenths(const networkstatus_t *ns)
+get_param_cc_circuit_rate(const networkstatus_t *ns)
 {
   /* This is in seconds. */
-  if (get_options()->DoSCircuitCreationRateTenths) {
-    return get_options()->DoSCircuitCreationRateTenths;
+  if (get_options()->DoSCircuitCreationRate) {
+    return get_options()->DoSCircuitCreationRate;
   }
-  return networkstatus_get_param(ns, "DoSCircuitCreationRateTenths",
-                                 DOS_CC_CIRCUIT_RATE_TENTHS_DEFAULT,
+  return networkstatus_get_param(ns, "DoSCircuitCreationRate",
+                                 DOS_CC_CIRCUIT_RATE_DEFAULT,
                                  1, INT32_MAX);
 }
 
@@ -189,7 +189,7 @@ set_dos_parameters(const networkstatus_t *ns)
   /* Get the default consensus param values. */
   dos_cc_enabled = get_param_cc_enabled(ns);
   dos_cc_min_concurrent_conn = get_param_cc_min_concurrent_connection(ns);
-  dos_cc_circuit_rate_tenths = get_param_cc_circuit_rate_tenths(ns);
+  dos_cc_circuit_rate = get_param_cc_circuit_rate(ns);
   dos_cc_circuit_burst = get_param_cc_circuit_burst(ns);
   dos_cc_defense_time_period = get_param_cc_defense_time_period(ns);
   dos_cc_defense_type = get_param_cc_defense_type(ns);
@@ -225,23 +225,7 @@ cc_consensus_has_changed(const networkstatus_t *ns)
 STATIC uint32_t
 get_circuit_rate_per_second(void)
 {
-  int64_t circ_rate;
-
-  /* We take the burst divided by the rate which is in tenths of a second so
-   * convert to get a circuit rate per second. */
-  circ_rate = dos_cc_circuit_rate_tenths / 10;
-  if (circ_rate < 0) {
-    /* Safety check, never allow it to go below 0 else the bucket will always
-     * be empty resulting in every address to be detected. */
-    circ_rate = 1;
-  }
-
-  /* Clamp it down to a 32 bit value because a rate of 2^32 circuits per
-   * second is just too much in any circumstances. */
-  if (circ_rate > UINT32_MAX) {
-    circ_rate = UINT32_MAX;
-  }
-  return (uint32_t) circ_rate;
+  return dos_cc_circuit_rate;
 }
 
 /* Given the circuit creation client statistics object, refill the circuit
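Review bot: get_circuit_rate_per_second() now returns dos_cc_circuit_rate unguarded, and the deleted comment was the only record of why the rate must never be 0: the bucket would never refill and every address would be detected. The lower bound now rests on the `1, INT32_MAX` clamp in get_param_cc_circuit_rate() and on a torrc value of 0 meaning "use the consensus", so it holds only after set_dos_parameters() has run. The static has no initializer in the visible lines, so an earlier call would presumably return 0. I would keep the invariant next to the return, e.g. `/* Always >= 1 once set_dos_parameters() has run; a rate of 0 never refills the bucket and flags every address. */`. The context comment `/* This is in seconds. */` in get_param_cc_circuit_rate() is also misleading now and would read better as `/* This is in circuits per second. */`.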

+ 1 - 1
src/or/dos.h

@@ -70,7 +70,7 @@ void dos_note_refuse_single_hop_client(void);
 /* DoSCircuitCreationMinConnections default */
 #define DOS_CC_MIN_CONCURRENT_CONN_DEFAULT 3
 /* DoSCircuitCreationRateTenths is 3 per seconds. */
-#define DOS_CC_CIRCUIT_RATE_TENTHS_DEFAULT (3 * 10)
+#define DOS_CC_CIRCUIT_RATE_DEFAULT 3
 /* DoSCircuitCreationBurst default. */
 #define DOS_CC_CIRCUIT_BURST_DEFAULT 90
 /* DoSCircuitCreationDefenseTimePeriod in seconds. */
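Review bot: The comment above the renamed macro is left unchanged and still names the removed option, `/* DoSCircuitCreationRateTenths is 3 per seconds. */`. It should follow the rename and state the unit, for example `/* DoSCircuitCreationRate default: 3 circuits per second. */`. This default is the fallback whenever neither the torrc nor the consensus sets the rate, so a reader checking the effective limit will look here first.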

+ 2 - 3
src/or/or.h

@@ -4520,9 +4520,8 @@ typedef struct {
   /** Minimum concurrent connection needed from one single address before any
    * defense is used. */
   int DoSCircuitCreationMinConnections;
-  /** Circuit rate, in tenths of a second, that is used to refill the token
-   * bucket at this given rate. */
-  int DoSCircuitCreationRateTenths;
+  /** Circuit rate used to refill the token bucket. */
+  int DoSCircuitCreationRate;
   /** Maximum allowed burst of circuits. Reaching that value, the address is
    * detected as malicious and a defense might be used. */
   int DoSCircuitCreationBurst;
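Review bot: The new comment on `DoSCircuitCreationRate` drops both the unit and the meaning of 0, which the man page hunk in this same commit spells out. I would write `/** Circuit creation rate, in circuits per second per client IP address, used to refill the token bucket. 0 means the consensus parameter is used. */`. The field also stays `int` while config.c declares the option as UINT and dos.c returns it as `uint32_t`; that is safe only if the UINT parser rejects negative values, which is not visible here. The struct starts and ends outside the hunk.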