firewall: forward ICMP(v6) packets

roles/firewall/templates/nftables.nft.j2

@@ -123,6 +123,18 @@ table inet filter {
         ct status dnat accept \
         comment "Forward DNAT traffic for servers and suchlike"
 
+        ip protocol icmp icmp type {
+            echo-request, echo-reply, destination-unreachable,
+            parameter-problem, time-exceeded,
+        } accept \
+        comment "Accept ICMPv4"
+
+        ip6 nexthdr icmpv6 icmpv6 type {
+            echo-request, echo-reply, destination-unreachable,
+            packet-too-big, parameter-problem, time-exceeded,
+        } accept \
+        comment "Accept ICMPv6"
+
         include "/etc/nftables.d/forward.nft*"
     }