Wrap all of the legacy guard code, and its users, in #ifdefs

This will make it easier to see what we remove down the line.

src/or/bridges.c

@@ -743,7 +743,11 @@ learned_bridge_descriptor(routerinfo_t *ri, int from_cache)
                    (int) bridge->port);
       }
       if (get_options()->UseDeprecatedGuardAlgorithm) {
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
         add_bridge_as_entry_guard(get_guard_selection_info(), node);
+#else
+        tor_assert_nonfatal_unreached();
+#endif
       } else {
         entry_guard_learned_bridge_identity(&bridge->addrport_configured,
                                (const uint8_t*)ri->cache_info.identity_digest);
@@ -754,8 +758,12 @@ learned_bridge_descriptor(routerinfo_t *ri, int from_cache)
       /* set entry->made_contact so if it goes down we don't drop it from
        * our entry node list */
       if (get_options()->UseDeprecatedGuardAlgorithm) {
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
         entry_guard_register_connect_status(ri->cache_info.identity_digest,
                                             1, 0, now);
+#else
+        tor_assert_nonfatal_unreached();
+#endif
       }
       if (first) {
         routerlist_retry_directory_downloads(now);

src/or/channel.c

@@ -2538,6 +2538,7 @@ channel_do_open_actions(channel_t *chan)
   if (started_here) {
     circuit_build_times_network_is_live(get_circuit_build_times_mutable());
     rep_hist_note_connect_succeeded(chan->identity_digest, now);
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
     // XXXX prop271 this call is no longer useful with the new algorithm.
     if (entry_guard_register_connect_status(
           chan->identity_digest, 1, 0, now) < 0) {
@@ -2549,6 +2550,7 @@ channel_do_open_actions(channel_t *chan)
                 "connection so we can retry the earlier entry guards.");
       close_origin_circuits = 1;
     }
+#endif
     router_set_status(chan->identity_digest, 1);
   } else {
     /* only report it to the geoip module if it's not a known router */

src/or/circpathbias.c

@@ -1279,7 +1279,10 @@ pathbias_measure_use_rate(entry_guard_t *guard)
                  tor_lround(pb->timeouts),
                  tor_lround(get_circuit_build_close_time_ms()/1000));
           pb->path_bias_disabled = 1;
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
+          // XXXX
           entry_guard_mark_bad(guard);
+#endif
           return;
         }
       } else if (!pb->path_bias_use_extreme) {
@@ -1385,7 +1388,10 @@ pathbias_measure_close_rate(entry_guard_t *guard)
                  tor_lround(pb->timeouts),
                  tor_lround(get_circuit_build_close_time_ms()/1000));
           pb->path_bias_disabled = 1;
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
+          // XXXX
           entry_guard_mark_bad(guard);
+#endif
           return;
         }
       } else if (!pb->path_bias_extreme) {

src/or/circuitbuild.c

@@ -2277,6 +2277,7 @@ choose_good_entry_server(uint8_t purpose, cpath_build_state_t *state,
      * family. */
     nodelist_add_node_and_family(excluded, node);
   }
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
   /* and exclude current entry guards and their families,
    * unless we're in a test network, and excluding guards
    * would exclude all nodes (i.e. we're in an incredibly small tor network,
@@ -2295,6 +2296,7 @@ choose_good_entry_server(uint8_t purpose, cpath_build_state_t *state,
         }
       });
   }
+#endif
 
   if (state) {
     if (state->need_uptime)

src/or/circuituse.c

@@ -550,16 +550,14 @@ circuit_expire_building(void)
                                       == CPATH_STATE_OPEN;
           log_info(LD_CIRC,
                  "No circuits are opened. Relaxing timeout for circuit %d "
-                 "(a %s %d-hop circuit in state %s with channel state %s). "
-                 "%d guards are live.",
+                 "(a %s %d-hop circuit in state %s with channel state %s).",
                  TO_ORIGIN_CIRCUIT(victim)->global_identifier,
                  circuit_purpose_to_string(victim->purpose),
                  TO_ORIGIN_CIRCUIT(victim)->build_state ?
                    TO_ORIGIN_CIRCUIT(victim)->build_state->desired_path_len :
                    -1,
                  circuit_state_to_string(victim->state),
-                 channel_state_to_string(victim->n_chan->state),
-                 num_live_entry_guards(0));
+                 channel_state_to_string(victim->n_chan->state));
 
           /* We count the timeout here for CBT, because technically this
            * was a timeout, and the timeout value needs to reset if we
@@ -577,16 +575,15 @@ circuit_expire_building(void)
                  "No circuits are opened. Relaxed timeout for circuit %d "
                  "(a %s %d-hop circuit in state %s with channel state %s) to "
                  "%ldms. However, it appears the circuit has timed out "
-                 "anyway. %d guards are live.",
+                 "anyway.",
                  TO_ORIGIN_CIRCUIT(victim)->global_identifier,
                  circuit_purpose_to_string(victim->purpose),
                  TO_ORIGIN_CIRCUIT(victim)->build_state ?
                    TO_ORIGIN_CIRCUIT(victim)->build_state->desired_path_len :
                    -1,
                  circuit_state_to_string(victim->state),
                  channel_state_to_string(victim->n_chan->state),
-                 (long)build_close_ms,
-                 num_live_entry_guards(0));
+                 (long)build_close_ms);
       }
     }
 
@@ -1655,8 +1652,10 @@ circuit_build_failed(origin_circuit_t *circ)
       /* New guard API: we failed. */
       if (circ->guard_state)
         entry_guard_failed(&circ->guard_state);
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
       /* Old guard API: we failed. */
       entry_guard_register_connect_status(n_chan_id, 0, 1, time(NULL));
+#endif
       /* if there are any one-hop streams waiting on this circuit, fail
        * them now so they can retry elsewhere. */
       connection_ap_fail_onehop(n_chan_id, circ->build_state);
@@ -1966,15 +1965,14 @@ circuit_get_open_circ_or_launch(entry_connection_t *conn,
       int severity = LOG_NOTICE;
       /* Retry some stuff that might help the connection work. */
       if (entry_list_is_constrained(options) &&
-          entries_known_but_down(options)) {
+          guards_retry_optimistic(options)) {
         log_fn(severity, LD_APP|LD_DIR,
                "Application request when we haven't %s. "
                "Optimistically trying known %s again.",
                !router_have_minimum_dir_info() ?
                "used client functionality lately" :
                "received a consensus with exits",
                options->UseBridges ? "bridges" : "entrynodes");
-        entries_retry_all(options);
       } else if (!options->UseBridges || any_bridge_descriptors_known()) {
         log_fn(severity, LD_APP|LD_DIR,
                "Application request when we haven't %s. "

src/or/config.c

@@ -2116,11 +2116,13 @@ options_act(const or_options_t *old_options)
     rep_hist_desc_stats_term();
 
   /* Check if we need to parse and add the EntryNodes config option. */
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
   if (options->EntryNodes &&
       (!old_options ||
        !routerset_equal(old_options->EntryNodes,options->EntryNodes) ||
        !routerset_equal(old_options->ExcludeNodes,options->ExcludeNodes)))
     entry_nodes_should_be_added();
+#endif
 
   /* Since our options changed, we might need to regenerate and upload our
    * server descriptor.
@@ -3040,6 +3042,13 @@ options_validate(or_options_t *old_options, or_options_t *options,
 
   warn_about_relative_paths(options);
 
+#ifndef ENABLE_LEGACY_GUARD_ALGORITHM
+  if (options->UseDeprecatedGuardAlgorithm) {
+    log_warn(LD_CONFIG, "DeprecatedGuardAlgorithm not supported.");
+    return -1;
+  }
+#endif
+
   if (server_mode(options) &&
       (!strcmpstart(uname, "Windows 95") ||
        !strcmpstart(uname, "Windows 98") ||

src/or/connection_or.c

@@ -737,9 +737,11 @@ connection_or_about_to_close(or_connection_t *or_conn)
       rep_hist_note_connect_failed(or_conn->identity_digest, now);
       /* Tell the new guard API about the channel failure */
       entry_guard_chan_failed(TLS_CHAN_TO_BASE(or_conn->chan));
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
       /* Tell the old guard API about the channel failure */
       entry_guard_register_connect_status(or_conn->identity_digest,0,
                                           !options->HTTPSProxy, now);
+#endif
       if (conn->state >= OR_CONN_STATE_TLS_HANDSHAKING) {
         int reason = tls_error_to_orconn_end_reason(or_conn->tls_error);
         control_event_or_conn_status(or_conn, OR_CONN_EVENT_FAILED,
@@ -1678,9 +1680,11 @@ connection_or_client_learned_peer_id(or_connection_t *conn,
            conn->base_.address, conn->base_.port, expected, seen, extra_log);
     /* Tell the new guard API about the channel failure */
     entry_guard_chan_failed(TLS_CHAN_TO_BASE(conn->chan));
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
     /* Tell the old guard API about the channel failure */
     entry_guard_register_connect_status(conn->identity_digest, 0, 1,
                                         time(NULL));
+#endif
     control_event_or_conn_status(conn, OR_CONN_EVENT_FAILED,
                                  END_OR_CONN_REASON_OR_IDENTITY);
     if (!authdir_mode_tests_reachability(options))

src/or/control.c

@@ -4041,12 +4041,17 @@ handle_control_dropguards(control_connection_t *conn,
   smartlist_split_string(args, body, " ",
                          SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
 
+#ifdef ENABLE_LEGACY_GUARD_ALGORITHM
   if (smartlist_len(args)) {
     connection_printf_to_buf(conn, "512 Too many arguments to DROPGUARDS\r\n");
   } else {
     remove_all_entry_guards();
     send_control_done(conn);
   }
+#else
+  // XXXX
+  connection_printf_to_buf(conn, "512 not supported\r\n");
+#endif
 
   SMARTLIST_FOREACH(args, char *, cp, tor_free(cp));
   smartlist_free(args);