From 5550c46c5caa1852e9488bcd06eba8f42f09e2af Mon Sep 17 00:00:00 2001
From: Daniel
Date: Tue, 16 Apr 2024 17:12:54 +0200
Subject: [PATCH] Fix not applying permanent verdicts to ICMP

---
 service/firewall/packet_handler.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/service/firewall/packet_handler.go b/service/firewall/packet_handler.go
index 6934be5f..46cc83f0 100644
--- a/service/firewall/packet_handler.go
+++ b/service/firewall/packet_handler.go
@@ -559,10 +559,14 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
 
 // Enable permanent verdict.
 if allowPermanent && !conn.VerdictPermanent {
- // Only enable if enabled in config and it is not ICMP.
- // ICMP is handled differently based on payload, so we cannot use persistent verdicts.
- conn.VerdictPermanent = permanentVerdicts() && !reference.IsICMP(conn.Entity.Protocol)
- if conn.VerdictPermanent {
+ switch {
+ case !permanentVerdicts():
+ // Permanent verdicts are disabled by configuration.
+ case conn.Entity != nil && reference.IsICMP(conn.Entity.Protocol):
+ case pkt != nil && reference.IsICMP(uint8(pkt.Info().Protocol)):
+ // ICMP is handled differently based on payload, so we cannot use persistent verdicts.
+ default:
+ conn.VerdictPermanent = true
 conn.SaveWhenFinished()
 }
 }
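Review bot: The `default` branch of the new `switch` is also reached when `conn.Entity` is nil and `pkt` is nil, so a verdict can become permanent without the ICMP check having run on either source. The comment says ICMP must be judged per payload, so the fail-safe direction is not to persist when the protocol is unknown, for example with `case conn.Entity == nil && pkt == nil:` plus a short comment ahead of `default`. Whether both can be nil at this point is not visible in the hunk, so a comment stating that invariant may be enough. The first ICMP `case` has an empty body and the explanatory comment sits only under the second; repeating the comment there, or merging the two conditions into one comma-separated `case`, would make it clear that the empty body is intentional. `issueVerdict` starts and ends outside this hunk.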