Add and use a new NumEntryGuards consensus parameter.

When specified, it overrides our default of 3 entry guards.

(By default, it overrides the number of directory guards too.)

Implements ticket 12688.

changes/ticket12688

@@ -0,0 +1,5 @@
+  Major features:
+    - Make the number of entry guards (and thus, by default, directory
+      guards too) configurable via a new NumEntryGuards consensus
+      parameter. Implements ticket 12688.
+

src/or/config.c

@@ -315,7 +315,7 @@ static config_var_t option_vars_[] = {
   VAR("NodeFamily",              LINELIST, NodeFamilies,         NULL),
   V(NumCPUs,                     UINT,     "0"),
   V(NumDirectoryGuards,          UINT,     "0"),
-  V(NumEntryGuards,              UINT,     "3"),
+  V(NumEntryGuards,              UINT,     "0"),
   V(ORListenAddress,             LINELIST, NULL),
   VPORT(ORPort,                      LINELIST, NULL),
   V(OutboundBindAddress,         LINELIST,   NULL),
@@ -3031,9 +3031,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
              "have it group-readable.");
   }
 
-  if (options->UseEntryGuards && ! options->NumEntryGuards)
-    REJECT("Cannot enable UseEntryGuards with NumEntryGuards set to 0");
-
   if (options->MyFamily && options->BridgeRelay) {
     log_warn(LD_CONFIG, "Listing a family for a bridge relay is not "
              "supported: it can reveal bridge fingerprints to censors. "

src/or/entrynodes.c

@@ -435,7 +435,10 @@ decide_num_guards(const or_options_t *options, int for_directory)
 {
   if (for_directory && options->NumDirectoryGuards != 0)
     return options->NumDirectoryGuards;
-  return options->NumEntryGuards;
+  if (options->NumEntryGuards)
+    return options->NumEntryGuards;
+  /* Use the value from the consensus, or 3 if no guidance. */
+  return networkstatus_get_param(NULL, "NumEntryGuards", 3, 1, 10);
 }
 
 /** If the use of entry guards is configured, choose more entry guards
@@ -815,6 +818,7 @@ entry_guards_set_from_config(const or_options_t *options)
 {
   smartlist_t *entry_nodes, *worse_entry_nodes, *entry_fps;
   smartlist_t *old_entry_guards_on_list, *old_entry_guards_not_on_list;
+  const int numentryguards = decide_num_guards(options, 0);
   tor_assert(entry_guards);
 
   should_add_entry_nodes = 0;
@@ -883,7 +887,7 @@ entry_guards_set_from_config(const or_options_t *options)
   /* Next, the rest of EntryNodes */
   SMARTLIST_FOREACH_BEGIN(entry_nodes, const node_t *, node) {
     add_an_entry_guard(node, 0, 0, 1, 0);
-    if (smartlist_len(entry_guards) > options->NumEntryGuards * 10)
+    if (smartlist_len(entry_guards) > numentryguards * 10)
       break;
   } SMARTLIST_FOREACH_END(node);
   log_notice(LD_GENERAL, "%d entries in guards", smartlist_len(entry_guards));