Releases: mirage/qubes-mirage-firewall
Various fixes & ecosystem update
- Update ARP entry behavior: the unikernel now responds with its own MAC address to every ARP request from a client. This fixes issues with some VPN clients (#221, @palainp, reviewed by @hannesm, fix confirmed by @pprudev).
- Fix HVM client handling: HVM clients, such as Windows, have two network interfaces but use only one. This caused deadlocks because the connection protocol for the unused interface never completes, leaving the unikernel waiting for the client to shut down. Each connection now runs in its own thread, so the unikernel can handle Windows HVM clients (#219 @palainp).
- Add a GH action for code auto-formatting (#217 @hannesm).
- Update to OCaml 5.3 + Mirage ecosystem (4.9 in #215 @hannesm and 4.10 in #216 @palainp).
Fix netvm mac handling
- Fix an issue when qubes-mirage-firewall is used as a Mullvad AppVM client. If our netvm does not reply to our ARP requests we cannot construct the Ethernet header. However, in Linux VMs Qubes adds a default netvm address associated with
fe:ff:ff:ff:ff:ff, so if ARP fails we fall back on that address.
(#213, @palainp, reported in the Qubes forum #212, reviewed by @hannesm)
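The two ARP behaviours described in the notes above (answering every client ARP request with the firewall's own MAC from #221, and falling back to fe:ff:ff:ff:ff:ff for the netvm when ARP gets no reply from #213) modelled as a small Python example with constructed frames. This is an added illustration, not the project's code (the unikernel itself is OCaml on MirageOS), and every MAC and IP value except fe:ff:ff:ff:ff:ff is a made-up sample value:

```python
"""Added illustration (not qubes-mirage-firewall's own OCaml code) of two
ARP behaviours from the release notes, on constructed Ethernet/ARP frames:

1. Client side: answer every ARP request with the firewall's own MAC,
   whatever IP the client asked for (#221).
2. Uplink side: learn the netvm's MAC from its ARP reply, and fall back to
   fe:ff:ff:ff:ff:ff when no usable reply arrives (#213).
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6

# MAC that Qubes associates with the default netvm address in Linux VMs
# (the value quoted in the release note; everything else below is sample data).
FALLBACK_NETVM_MAC = bytes.fromhex("feffffffffff")


def mac(text):
    """'00:16:3e:..' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ip4(text):
    """'10.137.0.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return op, sha, spa, tha, tpa


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Broadcast 'who has target_ip?' as a client (or the firewall itself) sends it."""
    arp = ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                       sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return ETH_HDR.pack(BROADCAST_MAC, sender_mac, ETHERTYPE_ARP) + arp


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Unicast 'sender_ip is at sender_mac' back to the requester."""
    arp = ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                       sender_mac, sender_ip, target_mac, target_ip)
    return ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP) + arp


def answer_client_arp(our_mac, frame):
    """Client-facing behaviour: reply with our_mac to *every* ARP request,
    regardless of which IP was asked for. Non-ARP frames and ARP replies
    are not answered (None)."""
    parsed = parse_arp(frame)
    if parsed is None or parsed[0] != ARP_REQUEST:
        return None
    _op, client_mac, client_ip, _tha, asked_ip = parsed
    return build_arp_reply(our_mac, asked_ip, client_mac, client_ip)


def netvm_mac_from_reply(frame, netvm_ip):
    """Uplink behaviour: accept a MAC only from an ARP reply whose sender IP is the netvm."""
    parsed = parse_arp(frame)
    if parsed is None or parsed[0] != ARP_REPLY:
        return None
    _op, sha, spa, _tha, _tpa = parsed
    return sha if spa == netvm_ip else None


def resolve_netvm_mac(reply_frame, netvm_ip):
    """Destination MAC for the Ethernet header of outgoing uplink packets:
    the netvm's answer if we got one, otherwise the fixed Qubes fallback."""
    learned = netvm_mac_from_reply(reply_frame, netvm_ip) if reply_frame is not None else None
    return learned if learned is not None else FALLBACK_NETVM_MAC


if __name__ == "__main__":
    fw_mac = mac("00:16:3e:5e:6c:01")                  # sample firewall MAC
    client_mac = mac("00:16:3e:5e:6c:02")              # sample client MAC
    req = build_arp_request(client_mac, ip4("10.137.0.12"), ip4("10.137.0.99"))
    print("reply:", answer_client_arp(fw_mac, req).hex())
    print("netvm MAC without ARP reply:", resolve_netvm_mac(None, ip4("10.138.0.1")).hex())
```

The client-side responder deliberately does not check the target IP, which is the proxy-ARP-style behaviour #221 introduced; the uplink side only trusts a reply whose sender IP is the configured netvm, so a reply from any other host still ends in the fe:ff:ff:ff:ff:ff fallback rather than a learned MAC.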
Fix OpenBSD as client
0.9.3 (2025-01-04)
- Fix an issue when qubes-mirage-firewall is used along with *BSD sys-net
(#209, @palainp, reported in the Qubes forum #208, reviewed by @dinosaure)
Code & tooling update
Less dependencies and allow firewall rules with domain names
- Drop the astring dependency, update mirage-net-xen, and move to OCaml 4.14.2, the latest LTS release (#193, @hannesm)
- Allow domain names in firewall rules (#193, @palainp, reported in the Qubes forum, fix confirmed by @neoniobium)
Update to mirage 4.5.0 and improve netvm features
Fix docker build & update build scripts
- With Qubes 4.2, SELinux policies on Fedora AppVMs are enforced, so an additional command is now required to be allowed to store docker images in the user home directory (#183 @palainp, reported by @Szewcson)
- Updated the build scripts for better build reproducibility (switch to the official Debian repositories, update the Debian image, update the opam-repository commit, pin the commits for opam-overlay and mirage-overlay) (#184 @palainp, reported by @ben-grande)
- Update disk usage value during local compilation (#186 @palainp, reported by @ben-grande)
Fix startup crash and memory reporting to Xen
- Remove memreport to Xen so that Qubes no longer tries to reclaim memory from the unikernel (#176 @palainp, reported in the Qubes forum[1]; this also fixes #177 reported by @bluesteal and @xaki23)
- Use bookworm and snapshot.notset.fr Debian packages for reproducibility (#175 @palainp, reported by @hannesm in #165)
[1]: https://forum.qubes-os.org/t/new-usability-issues-dom0-processes-making-system-unusable/18301/2 and https://forum.qubes-os.org/t/memory-allocation-problem-remains-in-low-allocation-for-minutes/18787
Avoid denial of service with console output
- Fix remote denial of service due to excessive console output (#166 @burghardt,
  fix in Solo5/solo5#538 by @palainp)
- Use Ubuntu container for build; now the GitHub action, ./build-with-docker.sh and
  builds.robur.coop are synchronized (and result in the same artifact)
  (#164 @hannesm)
autumn 2022 bugfixes
- Fix "DNS issues": a firewall ruleset with a domain name led to 100% CPU usage
  (reported by fiftyfourthparallel on
  https://forum.qubes-os.org/t/mirage-firewall-0-8-2-broken-new-users-should-install-0-8-1/14566,
  re-reported by @palainp in #158, fixed by @hannesm in mirage/mirage-nat#48
  (release 3.0.1)) - underlying issue was a wrong definition of is_port_free
  (since 3.0.0, used since mirage-qubes-firewall 0.8.2).
- Fix "crash on downstream vm start" after more than 64 client VMs have been
  connected and disconnected with the qubes-mirage-firewall (reported by @xaki23
  in #155, fixed by @hannesm in #161) - underlying issue was a leak of xenstore
  watchers and a hard limit in xen on the number of watchers
- Fix "detach netvm fails" (reported by @rootnoob in #157, fixed by @palainp
  in mirage/mirage-net-xen#105 (release 2.1.2)) - underlying issue was that the
  network interface state was never set to closed, but directly removed
- Fix potential DoS in handling DNS replies (#162 @hannesm)
- Avoid potential forever loop in My_nat.free_udp_port (#159 @hannesm)
- Assorted code removals (#161 @hannesm)
- Update to dns 6.4.0 changes (#154, @hannesm)