From 35d08e30d89e5882b708a2cc6cb728f5393b2528 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 11 May 2012 17:00:41 -0400 Subject: An attempt at bug3940 and making AllowDotExit 0 work with MapAddress This time, I follow grarpamp's suggestion and move the check for .exit+AllowDotExit 0 to the top of connection_ap_rewrite_and_attach, before any rewriting occurs. This way, .exit addresses are forbidden as they arrive from a socks connection or a DNSPort request, and not otherwise. It _is_ a little more complicated than that, though. We need to treat any .exit addresses whose source is TrackHostExits as meaning that we can retry without that exit. We also need to treat any .exit address that comes from an AutomapHostsOnResolve operation as user-provided (and thus forbidden if AllowDotExits==0), so that transitioning from AllowDotExits==1 to AllowDotExits==0 will actually turn off automapped .exit addresses.
---
src/or/relay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/or/relay.c')
diff --git a/src/or/relay.c b/src/or/relay.c
index 38a563fece..ad98e05041 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -761,7 +761,7 @@ connection_ap_process_end_not_open(
 /* rewrite it to an IP if we learned one. */
 if (addressmap_rewrite(conn->socks_request->address,
 sizeof(conn->socks_request->address),
- NULL)) {
+ NULL, NULL)) {
 control_event_stream_status(conn, STREAM_EVENT_REMAP, 0);
 }
 if (conn->chosen_exit_optional ||
-- cgit v1.2.3-54-g00ecf
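Review bot: The `addressmap_rewrite(...)` call in `connection_ap_process_end_not_open` now passes `NULL` for both trailing out-arguments, with no comment explaining why the newly added one can be discarded on this retry path. The description says the `.exit` + AllowDotExit 0 check now runs at the top of `connection_ap_rewrite_and_attach`, before any rewriting. This hunk does not show whether a stream retried after this rewrite passes through that check again, so a mapping that yields a `.exit` address here may go unexamined. If that is intended, say so at the call site, e.g. extend the existing comment to `/* rewrite it to an IP if we learned one; the source of any .exit mapping is deliberately ignored here because <reason> */`. The function body starts and ends outside the hunk, so the retry handling itself is not visible.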