From 28bb8ec6ca8edfc4537bdd979edf09fd599d8d9d Mon Sep 17 00:00:00 2001
From: Daniel
Date: Fri, 6 Nov 2020 08:53:07 +0100
Subject: [PATCH] Fix connection blocking on Linux

---
 firewall/interception/nfq/packet.go | 12 ++++++++++++
 firewall/interception/nfqueue_linux.go | 8 ++++++++
 2 files changed, 20 insertions(+)

diff --git a/firewall/interception/nfq/packet.go b/firewall/interception/nfq/packet.go
index 911d2fdb..2399d43e 100644
--- a/firewall/interception/nfq/packet.go
+++ b/firewall/interception/nfq/packet.go
@@ -122,6 +122,12 @@ func (pkt *packet) Accept() error {
 }
 func (pkt *packet) Block() error {
+ if pkt.Info().Protocol == pmpacket.ICMP {
+ // ICMP packets attributed to a blocked connection are always allowed, as
+ // rejection ICMP packets will have the same mark as the blocked
+ // connection. This is why we need to drop blocked ICMP packets instead.
+ return pkt.mark(MarkDrop)
+ }
 return pkt.mark(MarkBlock)
 }
@@ -134,6 +140,12 @@ func (pkt *packet) PermanentAccept() error {
 }
 func (pkt *packet) PermanentBlock() error {
+ if pkt.Info().Protocol == pmpacket.ICMP {
+ // ICMP packets attributed to a blocked connection are always allowed, as
+ // rejection ICMP packets will have the same mark as the blocked
+ // connection. This is why we need to drop blocked ICMP packets instead.
+ return pkt.mark(MarkDropAlways)
+ }
 return pkt.mark(MarkBlockAlways)
 }
diff --git a/firewall/interception/nfqueue_linux.go b/firewall/interception/nfqueue_linux.go
index 1e25fb14..2cb215f4 100644
--- a/firewall/interception/nfqueue_linux.go
+++ b/firewall/interception/nfqueue_linux.go
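Review bot: The guard added to Block keys only on `pmpacket.ICMP`; if the package also defines a separate ICMPv6 constant (ICMPv6 is IP protocol 58, not 1), a blocked ICMPv6 packet still takes the MarkBlock path and would either be let through by an ip6tables exemption mirroring the new IPv4 one or hit the reject-loop this commit works around. Suggest `if p := pkt.Info().Protocol; p == pmpacket.ICMP || p == pmpacket.ICMPv6 {`, assuming such a constant exists, which this hunk does not show. The comment would also help a reader if it spelled out the user-visible effect, e.g. `// Dropping instead of rejecting means the peer sees a timeout rather than an ICMP error.`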
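Review bot: The block added to PermanentBlock repeats the protocol check and the four-line rationale from Block verbatim; the two paths differ only in the mark they apply. Keeping the rule in one place, e.g. `func (pkt *packet) isICMP() bool { return pkt.Info().Protocol == pmpacket.ICMP }` with the why-comment on that helper, means a later correction (ICMPv6 handling, for instance) cannot land in one verdict path and be missed in the other. Each call site would then read `if pkt.isICMP() { return pkt.mark(MarkDropAlways) }` with a one-line pointer to the helper's comment.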
@@ -60,10 +60,18 @@ func init() {
 "filter C17 -m mark --mark 0 -j DROP",
 "filter C17 -m mark --mark 1700 -j RETURN",
+ // Accepting ICMP packets with mark 1701 is required for rejecting to work,
+ // as the rejection ICMP packet will have the same mark. Blocked ICMP
+ // packets will always result in a drop within the Portmaster.
+ "filter C17 -m mark --mark 1701 -p icmp -j RETURN",
 "filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp-host-prohibited",
 "filter C17 -m mark --mark 1702 -j DROP",
 "filter C17 -j CONNMARK --save-mark",
 "filter C17 -m mark --mark 1710 -j RETURN",
+ // Accepting ICMP packets with mark 1711 is required for rejecting to work,
+ // as the rejection ICMP packet will have the same mark. Blocked ICMP
+ // packets will always result in a drop within the Portmaster.
+ "filter C17 -m mark --mark 1711 -p icmp -j RETURN",
 "filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp-host-prohibited",
 "filter C17 -m mark --mark 1712 -j DROP",
 "filter C17 -m mark --mark 1717 -j RETURN",
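Review bot: The new exemption `-m mark --mark 1701 -p icmp -j RETURN` lets every ICMP packet carrying the block mark through, not only the error that REJECT generates, so any ICMP that still reaches this chain with 1701 (a stale connmark from before this change, or a verdict path that still marks ICMP with MarkBlock) is now accepted instead of rejected; the same applies to the 1711 rule. If the goal is only to let the rejection itself out, matching the exact type REJECT emits narrows the hole: `"filter C17 -m mark --mark 1701 -p icmp --icmp-type host-prohibited -j RETURN"` (and likewise for 1711), since `--reject-with icmp-host-prohibited` produces type 3 code 10. If this file also installs an ip6tables ruleset with the corresponding REJECT rules, which is outside this hunk, it needs the matching `-p icmpv6` exemption or IPv6 rejects keep the problem this commit fixes for IPv4. The init() body continues outside the hunk.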