From d7b376d3730bc9dae82a359906ab4f8fb44a5d59 Mon Sep 17 00:00:00 2001
From: Thomas Leonard
Date: Sun, 5 May 2019 17:26:56 +0100
Subject: [PATCH] Respond to ARP requests for *.*.*.1
This is a work-around to get DHCP working with HVM domains. See: https://github.com/QubesOS/qubes-issues/issues/5022
---
 build-with-docker.sh | 2 +-
 client_eth.ml | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/build-with-docker.sh b/build-with-docker.sh
index 1389a8d..d14c057 100755
--- a/build-with-docker.sh
+++ b/build-with-docker.sh
@@ -5,5 +5,5 @@ docker build -t qubes-mirage-firewall .
 echo Building Firewall...
 docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall
 echo "SHA2 of build: $(sha256sum qubes_firewall.xen)"
-echo "SHA2 last known: 765cf16c2e85feb7e5dfd3e409a3013c91c2b07f5680ed9f4e487e27213f1355"
+echo "SHA2 last known: dbf7460fa628bea5d132a96fe7ba2cd832e3d9da7005ae74f6a124957f4848ea"
 echo "(hashes should match for released versions)"
diff --git a/client_eth.ml b/client_eth.ml
index 345552a..a65325c 100644
--- a/client_eth.ml
+++ b/client_eth.ml
@@ -70,7 +70,11 @@ module ARP = struct
 let lookup t ip =
 if ip = t.net.client_gw then Some t.client_link#my_mac
- else None
+ else if (Ipaddr.V4.to_bytes ip).[3] = '\x01' then (
+ Log.info (fun f -> f ~header:t.client_link#log_header
+ "Request for %a is invalid, but pretending it's me (see Qubes issue #5022)" Ipaddr.V4.pp ip);
+ Some t.client_link#my_mac
+ ) else None
 (* We're now treating client networks as point-to-point links, so we no longer respond on behalf of other clients. *)
 (*
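Review bot: The new branch in `lookup` matches on the last octet alone, `(Ipaddr.V4.to_bytes ip).[3] = '\x01'`, so the firewall answers with its own MAC for every address ending in .1 in any network, not only the one the HVM client's DHCP setup asks about. On a point-to-point client link this is probably harmless, but the condition is wider than the work-around needs; if the client's own address is reachable from `t`, also comparing the first three octets with it would confine the answer to the client's /24. The `Log.info` call runs once per matching ARP request, which the client controls, so a guest can produce console log lines at will; `Log.debug`, or logging only the first occurrence per client, would bound that. The existing comment after `else None` ("we no longer respond on behalf of other clients") now follows a branch that does answer for a non-gateway address and could say so, e.g. `(* Exception: x.x.x.1 is answered as a work-around for Qubes issue #5022. *)`. The commented-out code opened by the final `(*` continues outside the hunk.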