From 2b2ac42ebcb248c8291d95c8d623901a9b17be65 Mon Sep 17 00:00:00 2001
From: Pierre Alain <pierre.alain@tuta.io>
Date: Thu, 6 Feb 2025 12:07:29 +0100
Subject: [PATCH 1/2] fallback to Qubes netvm_mac=fe:ff:ff:ff:ff:ff is our
 netvm does not reply to us

---
 dispatcher.ml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/dispatcher.ml b/dispatcher.ml
index f6c29c4..d929822 100644
--- a/dispatcher.ml
+++ b/dispatcher.ml
@@ -571,7 +571,14 @@ struct
     I.connect ~cidr ~gateway eth arp >>= fun ip ->
     U.connect ip >>= fun udp ->
     let netvm_mac =
-      Arp.query arp gateway >|= or_raise "Getting MAC of our NetVM" Arp.pp_error
+      Arp.query arp gateway >>= function
+        | Error e ->
+          Log.err(fun f -> f "Getting MAC of our NetVM: %a" Arp.pp_error e);
+          (* This mac address is a special address used by Qubes when the device
+             is not managed by Qubes itself. This can occurs inside a service
+             AppVM (e.g. VPN) when the service creates a new interface. *)
+          Lwt.return (Macaddr.of_string_exn "fe:ff:ff:ff:ff:ff")
+        | Ok mac -> Lwt.return mac
     in
     let interface =
       new netvm_iface eth netvm_mac ~my_ip ~other_ip:config.Dao.netvm_ip

From cf181026a8f21388298a0937a5b8eadc37c0eb02 Mon Sep 17 00:00:00 2001
From: Pierre Alain <pierre.alain@tuta.io>
Date: Thu, 6 Feb 2025 14:39:34 +0100
Subject: [PATCH 2/2] update hashsum

---
 qubes-firewall.sha256 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qubes-firewall.sha256 b/qubes-firewall.sha256
index c02b661..220644c 100644
--- a/qubes-firewall.sha256
+++ b/qubes-firewall.sha256
@@ -1 +1 @@
-b78d6711b502f8babcc5c4083b0352b78be8e8a6bef044189ce7a00e6e564612  dist/qubes-firewall.xen
+0c3c2c0e62a834112c69d7cddc5dd6f70ecb93afa988768fb860ed26e423b1f8  dist/qubes-firewall.xen