From 0c063a017b6f8275ba079f5a78cb8ab42d4d42e3 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Thu, 14 Mar 2024 14:34:44 +0100
Subject: [PATCH] ceph: allow some ICMP

---
 roles/ceph/templates/nftables.conf.j2 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/roles/ceph/templates/nftables.conf.j2 b/roles/ceph/templates/nftables.conf.j2
index bf1da05..b7e0e25 100644
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
@@ -32,6 +32,16 @@ table inet filter {
 		ct state vmap { invalid : drop, established : accept, related : accept }
 		iif lo accept
 
+		ip protocol icmp icmp type {
+			echo-request, echo-reply, destination-unreachable,
+			parameter-problem, time-exceeded,
+		} accept comment "accept some ICMPv4"
+
+		ip6 nexthdr icmpv6 icmpv6 type {
+			echo-request, echo-reply, destination-unreachable,
+			packet-too-big, parameter-problem, time-exceeded,
+		} accept comment "accept some ICMPv6"
+
 		# BGP / BFD sessions
 		iif lan0 ip6 saddr fe80::/64 accept
 		iif lan1 ip6 saddr fe80::/64 accept
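Review bot: The ICMPv6 set on the new `ip6 nexthdr icmpv6` rule omits the Neighbor Discovery types that RFC 4890 lists as required for IPv6 to work at all (`nd-neighbor-solicit`, `nd-neighbor-advert`, `nd-router-solicit`, `nd-router-advert`); the only other accepts visible in the hunk are the link-local `iif lan0`/`iif lan1` rules, so unless ND is accepted further down the chain (outside the hunk), neighbor resolution on any other interface would likely fail once the policy drops. Extending the set with `nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,` is the usual fix, ideally with `ip6 hoplimit 255` as the rule guard, and `mld-listener-query`/`mld-listener-report` if multicast is used. A style point: `ip6 nexthdr icmpv6` tests only the fixed header's Next Header field, so ICMPv6 carried behind an extension header is not matched; in the `inet` family `icmpv6 type { ... }` alone (or `meta l4proto icmpv6`) matches the transport protocol regardless. If echo-request is reachable from untrusted networks, a `limit rate` qualifier on that type would bound the impact of ping floods without affecting the error-reporting types. The enclosing chain starts before and continues after the hunk.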