using fascistfirewall and having your bridge on an unreachable

port silently didn't mix. now they loudly don't mix.


svn:r10862

1 files changed, 15 insertions, 3 deletions

diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 4d9a9c23ac..e56b92dd2c 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -2739,6 +2739,7 @@ fetch_bridge_descriptors(void)
   struct in_addr in;
   or_options_t *options = get_options();
   int num_bridge_auths = get_n_authorities(BRIDGE_AUTHORITY);
+  int ask_bridge_directly;
 
   if (!bridge_list)
     return;
@@ -2750,9 +2751,20 @@ fetch_bridge_descriptors(void)
       in.s_addr = htonl(bridge->addr);
       tor_inet_ntoa(&in, address_buf, sizeof(address_buf));
 
-      if (tor_digest_is_zero(bridge->identity) ||
-          !options->UpdateBridgesFromAuthority ||
-          !num_bridge_auths) {
+      ask_bridge_directly = tor_digest_is_zero(bridge->identity) ||
+                            !options->UpdateBridgesFromAuthority ||
+                            !num_bridge_auths;
+
+      if (ask_bridge_directly &&
+          !fascist_firewall_allows_address_or(bridge->addr, bridge->port)) {
+        log_notice(LD_DIR, "Bridge at '%s:%d' isn't reachable by our "
+                   "firewall policy. %s.", address_buf, bridge->port,
+                   num_bridge_auths ? "Asking bridge authority instead" :
+                                      "Skipping");
+        ask_bridge_directly = 0;
+      }
+
+      if (ask_bridge_directly) {
         if (!connection_get_by_type_addr_port_purpose(
             CONN_TYPE_DIR, bridge->addr, bridge->port,
             DIR_PURPOSE_FETCH_SERVERDESC)) {