Respond to ARP requests for *.*.*.1

This is a work-around to get DHCP working with HVM domains. See: https://github.com/QubesOS/qubes-issues/issues/5022
2024-10-01 01:05:39 -04:00 · 2019-05-05 17:26:56 +01:00 · 2019-05-05 17:26:56 +01:00 · d7b376d373
commit d7b376d373
parent 8b4cc6f5a9
2 changed files with 6 additions and 2 deletions
--- a/build-with-docker.sh
+++ b/build-with-docker.sh
@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
 echo Building Firewall...
 docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall
 echo "SHA2 of build:   $(sha256sum qubes_firewall.xen)"
-echo "SHA2 last known: 765cf16c2e85feb7e5dfd3e409a3013c91c2b07f5680ed9f4e487e27213f1355"
+echo "SHA2 last known: dbf7460fa628bea5d132a96fe7ba2cd832e3d9da7005ae74f6a124957f4848ea"
 echo "(hashes should match for released versions)"
--- a/client_eth.ml
+++ b/client_eth.ml
@ -70,7 +70,11 @@ module ARP = struct

  let lookup t ip =
    if ip = t.net.client_gw then Some t.client_link#my_mac
-    else None
+    else if (Ipaddr.V4.to_bytes ip).[3] = '\x01' then (
+      Log.info (fun f -> f ~header:t.client_link#log_header
+                   "Request for %a is invalid, but pretending it's me (see Qubes issue #5022)" Ipaddr.V4.pp ip);
+      Some t.client_link#my_mac
+    ) else None
  (* We're now treating client networks as point-to-point links,
     so we no longer respond on behalf of other clients. *)
    (*