2 files changed, 61 insertions, 8 deletions

diff --git a/doc/HACKING b/doc/HACKING
index b0689d82c1..bc409dc0d0 100644
--- a/doc/HACKING
+++ b/doc/HACKING
@@ -473,7 +473,7 @@ git branches too.
 a while to see if anybody has problems building it. Try to get Sebastian
 or somebody to try building it on Windows.
 
-6) Get at least two of weasel/arma/karsten to put the new version number
+6) Get at least two of weasel/arma/sebastian to put the new version number
 in their approved versions list.
 
 7) Sign the tarball, then sign and push the git tag:
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 76791269cf..4c65334187 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -110,6 +110,12 @@ Other options can be specified either on the command-line (--option
     You should never need to change this value, since a network-wide value is
     published in the consensus and your relay will use that value. (Default: 0)
 
+**ClientTransportPlugin** __transport__ socks4|socks5 __IP__:__PORT__::
+    When set along with a corresponding Bridge line, the Tor client
+    forwards its traffic to a SOCKS-speaking proxy on "IP:PORT". It's
+    the duty of that proxy to properly forward the traffic to the
+    bridge.
+
 **ConnLimit** __NUM__::
     The minimum number of file descriptors that must be available to the Tor
     process before it will start. Tor will ask the OS for as many file
@@ -119,6 +125,12 @@ Other options can be specified either on the command-line (--option
     You probably don't need to adjust this. It has no effect on Windows
     since that platform lacks getrlimit(). (Default: 1000)
 
+**DisableNetwork** **0**|**1**::
+    When this option is set, we don't listen for or accept any connections
+    other than controller connections, and we don't make any outbound
+    connections.  Controllers sometimes use this option to avoid using
+    the network until Tor is fully configured. (Default: 0)
+
 **ConstrainedSockets** **0**|**1**::
     If set, Tor will tell the kernel to attempt to shrink the buffers for all
     sockets to the size specified in **ConstrainedSockSize**. This is useful for
@@ -233,6 +245,12 @@ Other options can be specified either on the command-line (--option
     distinguishable from other users, because you won't believe the same
     authorities they do.
 
+**DynamicDHGroups** **0**|**1**::
+    If this option is set to 1, when running as a server, generate our
+    own Diffie-Hellman group instead of using the one from Apache's mod_ssl.
+    This option may help circumvent censorship based on static
+    Diffie-Hellman parameters. (Default: 1).
+
 **AlternateDirAuthority** [__nickname__] [**flags**] __address__:__port__ __fingerprint__ +
 
 **AlternateHSAuthority** [__nickname__] [**flags**] __address__:__port__ __fingerprint__ +
@@ -252,6 +270,20 @@ Other options can be specified either on the command-line (--option
     option requires that you start your Tor as root, and you should use the
     **User** option to properly reduce Tor's privileges. (Default: 0)
 
+**DisableDebuggerAttachment** **0**|**1**::
+   If set to 1, Tor will attempt to prevent basic debugging attachment attempts
+   by other processes. It has no impact for users who wish to attach if they
+   have CAP_SYS_PTRACE or if they are root.  We believe that this feature
+   works on modern Gnu/Linux distributions, and that it may also work on *BSD
+   systems (untested).  Some modern Gnu/Linux systems such as Ubuntu have the
+   kernel.yama.ptrace_scope sysctl and by default enable it as an attempt to
+   limit the PTRACE scope for all user processes by default. This feature will
+   attempt to limit the PTRACE scope for Tor specifically - it will not attempt
+   to alter the system wide ptrace scope as it may not even exist. If you wish
+   to attach to Tor with a debugger such as gdb or strace you will want to set
+   this to 0 for the duration of your debugging. Normal users should leave it
+   on. (Default: 1)
+ 
 **FetchDirInfoEarly** **0**|**1**::
     If set to 1, Tor will always fetch directory information like other
     directory caches, even if you don't meet the normal criteria for fetching
@@ -483,13 +515,17 @@ The following options are useful only for clients (that is, if
     so using these relays might make your client stand out.
     (Default: 1)
 
-**Bridge** __IP__:__ORPort__ [fingerprint]::
+**Bridge** [__transport__] __IP__:__ORPort__ [__fingerprint__]::
     When set along with UseBridges, instructs Tor to use the relay at
     "IP:ORPort" as a "bridge" relaying into the Tor network. If "fingerprint"
     is provided (using the same format as for DirServer), we will verify that
     the relay running at that location has the right fingerprint. We also use
     fingerprint to look up the bridge descriptor at the bridge authority, if
-    it's provided and if UpdateBridgesFromAuthority is set too.
+    it's provided and if UpdateBridgesFromAuthority is set too.  +
+ +
+    If "transport" is provided, and matches to a ClientTransportPlugin
+    line, we use that pluggable transports proxy to transfer data to
+    the bridge.
 
 **LearnCircuitBuildTimeout** **0**|**1**::
     If 0, CircuitBuildTimeout adaptive learning is disabled. (Default: 1)
@@ -527,7 +563,7 @@ The following options are useful only for clients (that is, if
     A list of identity fingerprints, nicknames, country codes and address
     patterns of nodes to avoid when building a circuit.
     (Example:
-    ExcludeNodes SlowServer, $    EFFFFFFFFFFFFFFF, \{cc}, 255.254.0.0/8) +
+    ExcludeNodes SlowServer, ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, \{cc}, 255.254.0.0/8) +
  +
     By default, this option is treated as a preference that Tor is allowed
     to override in order to keep working.
@@ -727,11 +763,11 @@ The following options are useful only for clients (that is, if
     received on this SOCKSPort are allowed to share circuits with one
     another.  Recognized isolation flags are:
     **IsolateClientAddr**;;
-        Don't share a circuits with streams from a different
+        Don't share circuits with streams from a different
         client address.  (On by default and strongly recommended;
         you can disable it with **NoIsolateClientAddr**.)
     **IsolateSOCKSAuth**;;
-        Don't share a circuits with streams for which different
+        Don't share circuits with streams for which different
         SOCKS authentication was provided. (On by default;
         you can disable it with **NoIsolateSOCKSAuth**.)
     **IsolateClientProtocol**;;
@@ -739,10 +775,10 @@ The following options are useful only for clients (that is, if
         (SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections,
         and DNSPort requests are all considered to be different protocols.)
     **IsolateDestPort**;;
-        Don't share a circuits with streams targetting a different
+        Don't share circuits with streams targetting a different
         destination port.
     **IsolateDestAddr**;;
-        Don't share a circuits with streams targetting a different
+        Don't share circuits with streams targetting a different
         destination address.
     **SessionGroup=**__INT__;;
         If no other isolation rules would prevent it, allow streams
@@ -770,6 +806,13 @@ The following options are useful only for clients (that is, if
     unattached waiting for an appropriate circuit, before we fail it. (Default:
     2 minutes.)
 
+**TokenBucketRefillInterval** __NUM__ [**msec**|**second**]::
+    Set the refill interval of Tor's token bucket to NUM milliseconds.
+    NUM must be between 1 and 1000, inclusive.  Note that the configured
+    bandwidth limits are still expressed in bytes per second: this
+    option only affects the frequency with which Tor checks to see whether
+    previously exhausted connections may read again. (Default: 100 msec.)
+
 **TrackHostExits** __host__,__.domain__,__...__::
     For each value in the comma separated list, Tor will track recent
     connections to hosts that match this value and attempt to reuse the same
@@ -1422,6 +1465,16 @@ DIRECTORY AUTHORITY SERVER OPTIONS
     Authoritative directories only. Like AuthDirMaxServersPerAddr, but applies
     to addresses shared with directory authorities. (Default: 5)
 
+**AuthDirFastGuarantee** __N__ **bytes**|**KB**|**MB**|**GB**::
+    Authoritative directories only. If non-zero, always vote the
+    Fast flag for any relay advertising this amount of capacity or
+    more. (Default: 100 KB)
+
+**AuthDirGuardBWGuarantee** __N__ **bytes**|**KB**|**MB**|**GB**::
+    Authoritative directories only. If non-zero, this advertised capacity
+    or more is always sufficient to satisfy the bandwidth requirement
+    for the Guard flag. (Default: 250 KB)
+
 **BridgePassword** __Password__::
     If set, contains an HTTP authenticator that tells a bridge authority to
     serve all requested bridge information.  Used for debugging.  (Default: