Update to latest Debian and opam

Reported by Honzoo.

Dockerfile

@@ -1,13 +1,13 @@
 # Pin the base image to a specific hash for maximum reproducibility.
 # It will probably still work on newer images, though, unless Debian
 # changes some compiler optimisations (unlikely).
-#FROM ocaml/opam2:debian-9-ocaml-4.04
-FROM ocaml/opam2@sha256:feebac4b6f9df9ed52ca1fe7266335cb9fdfffbdc0f6ba4f5e8603ece7e8b096
+#FROM ocaml/opam2:debian-9-ocaml-4.07
+FROM ocaml/opam2@sha256:5ff7e5a1d4ab951dcc26cca7834fa57dce8bb08d1d27ba67a0e51071c2197599
 
 # Pin last known-good version for reproducible builds.
 # Remove this line (and the base image pin above) if you want to test with the
 # latest versions.
-RUN git fetch origin && git reset --hard 1fa4c078f5b145bd4a455eb0a5559f761d0a94c0 && opam update
+RUN git fetch origin && git reset --hard 95448cbb9fad7515e104222f92b3d1e0bee70ede && opam update
 
 RUN sudo apt-get install -y m4 libxen-dev pkg-config
 RUN opam install -y vchan xen-gnt mirage-xen-ocaml mirage-xen-minios io-page mirage-xen mirage mirage-nat mirage-qubes

README.md

@@ -27,6 +27,9 @@ This took about 10 minutes on my laptop (it will be much quicker if you run it a
 The symlink step at the start isn't needed if your build VM is standalone.
 It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube.
 
+Note: the object files are stored in the `_build` directory to speed up incremental builds.
+If you change the dependencies, you will need to delete this directory before rebuilding.
+
 You can also build without Docker, as for any normal Mirage unikernel;
 see [the Mirage installation instructions](https://mirage.io/wiki/install) for details.
 

build-with-docker.sh

@@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
 echo Building Firewall...
 docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall
 echo "SHA2 of build:   $(sha256sum qubes_firewall.xen)"
-echo "SHA2 last known: 3605a97fbdb9e699a9ceb9e43def8a3cdd04e5cefb48b5824df8f55e7f949203"
+echo "SHA2 last known: 21bd3e48dbca42ea5327a4fc6e27f9fe1f35f97e65864fff64e7a7675191148c"
 echo "(hashes should match for released versions)"

client_eth.ml

@@ -30,7 +30,7 @@ let add_client t iface =
     if IpMap.mem ip t.iface_of_ip then (
       (* Wait for old client to disappear before adding one with the same IP address.
          Otherwise, its [remove_client] call will remove the new client instead. *)
-      Log.info (fun f -> f "Waiting for old client %a to go away before accepting new one" Ipaddr.V4.pp_hum ip);
+      Log.info (fun f -> f "Waiting for old client %a to go away before accepting new one" Ipaddr.V4.pp ip);
       Lwt_condition.wait t.changed >>= aux
     ) else (
       t.iface_of_ip <- t.iface_of_ip |> IpMap.add ip iface;

client_net.ml

@@ -65,7 +65,7 @@ let input_ipv4 ~client_ip ~router packet =
     if src = client_ip then Firewall.ipv4_from_client router packet
     else (
       Log.warn (fun f -> f "Incorrect source IP %a in IP packet from %a (dropping)"
-                   Ipaddr.V4.pp_hum src Ipaddr.V4.pp_hum client_ip);
+                   Ipaddr.V4.pp src Ipaddr.V4.pp client_ip);
       return ()
     )
 

config.ml

@@ -20,10 +20,12 @@ let main =
     ~packages:[
       package "vchan";
       package "cstruct";
+      package "astring";
       package "tcpip" ~sublibs:["stack-direct"; "xen"; "arpv4"] ~min:"3.1.0";
       package "shared-memory-ring" ~min:"3.0.0";
       package "netchannel" ~min:"1.8.0";
       package "mirage-net-xen" ~min:"1.7.1";
+      package "ipaddr" ~min:"3.0.0";
       package "mirage-qubes";
       package "mirage-nat";
       package "mirage-logs";

firewall.ml

@@ -18,7 +18,7 @@ let transmit_ipv4 packet iface =
          (fun () -> iface#writev Ethif_wire.IPv4 transport)
          (fun ex ->
             Log.warn (fun f -> f "Failed to write packet to %a: %s"
-                         Ipaddr.V4.pp_hum iface#other_ip
+                         Ipaddr.V4.pp iface#other_ip
                          (Printexc.to_string ex));
             Lwt.return ()
          )
@@ -58,10 +58,10 @@ let pp_ports fmt {sport; dport} =
   Format.fprintf fmt "sport=%d dport=%d" sport dport
 
 let pp_host fmt = function
-  | `Client c -> Ipaddr.V4.pp_hum fmt (c#other_ip)
-  | `Unknown_client ip -> Format.fprintf fmt "unknown-client(%a)" Ipaddr.pp_hum ip
+  | `Client c -> Ipaddr.V4.pp fmt (c#other_ip)
+  | `Unknown_client ip -> Format.fprintf fmt "unknown-client(%a)" Ipaddr.pp ip
   | `NetVM -> Format.pp_print_string fmt "net-vm"
-  | `External ip -> Format.fprintf fmt "external(%a)" Ipaddr.pp_hum ip
+  | `External ip -> Format.fprintf fmt "external(%a)" Ipaddr.pp ip
   | `Firewall_uplink -> Format.pp_print_string fmt "firewall(uplink)"
   | `Client_gateway -> Format.pp_print_string fmt "firewall(client-gw)"