Never allow permanent verdicts for ICMP connections

2025-04-25 13:29:10 +00:00 · 2024-04-10 14:10:34 +02:00 · 2024-04-10 14:10:34 +02:00 · 0cff5a33f2
commit 0cff5a33f2
parent 5215e41624
2 changed files with 16 additions and 2 deletions
--- a/service/firewall/packet_handler.go
+++ b/service/firewall/packet_handler.go
@ -22,6 +22,7 @@ import (
 	"github.com/safing/portmaster/service/network"
 	"github.com/safing/portmaster/service/network/netutils"
 	"github.com/safing/portmaster/service/network/packet"
+	"github.com/safing/portmaster/service/network/reference"
 	"github.com/safing/portmaster/service/process"
 	"github.com/safing/portmaster/spn/access"
 )
@ -556,9 +557,11 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V
 		return
 	}

-	// enable permanent verdict
+	// Enable permanent verdict.
 	if allowPermanent && !conn.VerdictPermanent {
-		conn.VerdictPermanent = permanentVerdicts()
+		// Only enable if enabled in config and it is not ICMP.
+		// ICMP is handled differently based on payload, so we cannot use persistent verdicts.
+		conn.VerdictPermanent = permanentVerdicts() && !reference.IsICMP(conn.Entity.Protocol)
 		if conn.VerdictPermanent {
 			conn.SaveWhenFinished()
 		}
--- a/service/network/reference/protocols.go
+++ b/service/network/reference/protocols.go
@ -73,3 +73,14 @@ func IsStreamProtocol(protocol uint8) bool {
 		return false
 	}
 }
+
+// IsICMP returns whether the given protocol is ICMP or ICMPv6.
+func IsICMP(protocol uint8) bool {
+	switch protocol {
+	case 1, // ICMP
+		58: // ICMP6
+		return true
+	default:
+		return false
+	}
+}