From 7e02a13144abff7f6e21f2125b1632b00c4a947b Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Sat, 21 Sep 2024 20:19:55 +0200
Subject: [PATCH] firewall: forward ICMP(v6) packets
---
 roles/firewall/templates/nftables.nft.j2 | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index 9f8679c..baae902 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -123,6 +123,18 @@ table inet filter {
 ct status dnat accept \
 comment "Forward DNAT traffic for servers and suchlike"
+ ip protocol icmp icmp type {
+ echo-request, echo-reply, destination-unreachable,
+ parameter-problem, time-exceeded,
+ } accept \
+ comment "Accept ICMPv4"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ echo-request, echo-reply, destination-unreachable,
+ packet-too-big, parameter-problem, time-exceeded,
+ } accept \
+ comment "Accept ICMPv6"
+
 include "/etc/nftables.d/forward.nft*"
 }
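Review bot: The ICMPv6 rule matches on `ip6 nexthdr icmpv6`, which only inspects the next-header field of the fixed IPv6 header, so an ICMPv6 packet that carries an extension header (hop-by-hop options, for example) before the ICMPv6 header will not match and falls through to whatever the chain does by default; `meta l4proto icmpv6 icmpv6 type {` is the usual way to match the transport protocol regardless of extension headers, and the same `meta l4proto icmp icmp type {` form would keep the two rules symmetric (in an `inet` table the `icmp type`/`icmpv6 type` match already implies the protocol, so the explicit `ip protocol`/`ip6 nexthdr` prefix is redundant). A second point: `echo-request` is forwarded without any `limit rate`, so the firewall will relay ping floods to hosts behind it; if that matters, split it out, e.g. `icmp type echo-request limit rate 10/second accept` (rate constructed as an example), and keep the error types unlimited since RFC 4890 advises not dropping them in transit. The chain that contains these rules opens outside the hunk, so its default policy is not visible here.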