From 568d064089fbd256668d736be70ec69a0ab1ad41 Mon Sep 17 00:00:00 2001
From: Viktor Liu <viktor@netbird.io>
Date: Thu, 2 Jan 2025 18:56:23 +0100
Subject: [PATCH] Drop certain forwarded icmp packets

---
 client/firewall/uspfilter/forwarder/icmp.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/client/firewall/uspfilter/forwarder/icmp.go b/client/firewall/uspfilter/forwarder/icmp.go
index 10019f21f..e04464dd9 100644
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -19,6 +19,8 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
 		f.logger.Error("Failed to create ICMP socket for %v: %v", id, err)
+
+		// This will make netstack reply on behalf of the original destination, that's ok for now
 		return false
 	}
 	defer func() {
@@ -42,7 +44,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 		_, err = conn.WriteTo(payload, dst)
 		if err != nil {
 			f.logger.Error("Failed to write ICMP packet for %v: %v", id, err)
-			return false
+			return true
 		}
 
 		f.logger.Trace("Forwarded ICMP packet %v type=%v code=%v",
@@ -51,7 +53,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 		return f.handleEchoResponse(conn, id)
 	case header.ICMPv4EchoReply:
 		// dont process our own replies
-		return false
+		return true
 	default:
 	}
 
@@ -59,7 +61,7 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 	_, err = conn.WriteTo(payload, dst)
 	if err != nil {
 		f.logger.Error("Failed to write ICMP packet for %v: %v", id, err)
-		return false
+		return true
 	}
 
 	f.logger.Trace("Forwarded ICMP packet %v type=%v code=%v",