From 0cff5a33f26504f81ec7ba03ca5964330389ea88 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Wed, 10 Apr 2024 14:10:34 +0200
Subject: [PATCH] Never allow permanent verdicts for ICMP connections
---
 service/firewall/packet_handler.go | 7 +++++--
 service/network/reference/protocols.go | 11 +++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/service/firewall/packet_handler.go b/service/firewall/packet_handler.go
index d4b3bbe2..6934be5f 100644
--- a/service/firewall/packet_handler.go
+++ b/service/firewall/packet_handler.go
@@ -22,6 +22,7 @@ import (
 "github.com/safing/portmaster/service/network"
 "github.com/safing/portmaster/service/network/netutils"
 "github.com/safing/portmaster/service/network/packet"
+ "github.com/safing/portmaster/service/network/reference"
 "github.com/safing/portmaster/service/process"
 "github.com/safing/portmaster/spn/access"
 )
@@ -556,9 +557,11 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
 return
 }
 
- // enable permanent verdict
+ // Enable permanent verdict.
 if allowPermanent && !conn.VerdictPermanent {
- conn.VerdictPermanent = permanentVerdicts()
+ // Only enable if enabled in config and it is not ICMP.
+ // ICMP is handled differently based on payload, so we cannot use persistent verdicts.
+ conn.VerdictPermanent = permanentVerdicts() && !reference.IsICMP(conn.Entity.Protocol)
 if conn.VerdictPermanent {
 conn.SaveWhenFinished()
 }
diff --git a/service/network/reference/protocols.go b/service/network/reference/protocols.go
index 12202e8d..1214039e 100644
--- a/service/network/reference/protocols.go
+++ b/service/network/reference/protocols.go
@@ -73,3 +73,14 @@ func IsStreamProtocol(protocol uint8) bool {
 return false
 }
 }
+
+ // IsICMP returns whether the given protocol is ICMP or ICMPv6.
+ func IsICMP(protocol uint8) bool {
+ switch protocol {
+ case 1, // ICMP
+ 58: // ICMP6
+ return true
+ default:
+ return false
+ }
+ }
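Review bot: The ICMP exclusion on the `conn.VerdictPermanent = permanentVerdicts() && !reference.IsICMP(conn.Entity.Protocol)` line only executes inside `if allowPermanent && !conn.VerdictPermanent`, so a connection whose VerdictPermanent flag is already true — set by another code path or restored from persisted state, if such paths exist (not visible in this hunk) — keeps its permanent verdict even though it is ICMP. If that can happen, the exclusion belongs outside the guard so it holds unconditionally, e.g. `if conn.VerdictPermanent && reference.IsICMP(conn.Entity.Protocol) { conn.VerdictPermanent = false }` placed before the existing block. Separately, the new comment says "persistent verdicts" while the field and config option are named permanent; I would write `// ICMP is handled differently based on the payload of each packet, so a permanent verdict must never be installed for it.` It is also worth confirming that `conn.Entity` is always non-nil at this point, since the dereference now sits in the per-packet verdict path. issueVerdict's body starts and ends outside this hunk.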
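Review bot: The doc comment on the new `IsICMP` should say what the argument is, because the function takes a bare uint8 and nothing in the signature ties it to the IP protocol number: `// IsICMP reports whether the given IP protocol number (IPv4 Protocol / IPv6 Next Header field) is ICMP (1) or ICMPv6 (58).` The "reports whether" wording is the Go convention for boolean-returning functions. The literals 1 and 58 are the correct IANA protocol numbers and keeping them inline matches the visible tail of IsStreamProtocol above, but if this file already defines named protocol constants elsewhere (not visible here), using them would keep the two helpers from drifting apart.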