Red Hat OpenStack Services on OpenShift
OSPRH-18373

The icmp deny doesn't work because of the default firewall rules.


    • Type: Bug
    • Resolution: Unresolved
    • Component: tripleo-ansible
    • Moderate

      To Reproduce

      Steps to reproduce the behavior:

      RHOSP 17.1.8

      I tried to drop ICMP packets, but it didn't work.

      ~~~

      [stack@director ~]$ cat firewall.yaml 
      parameter_defaults:
        ExtraFirewallRules:
          '001 drop icmp timestamp':
            proto: icmp
            type: 13
            jump: DROP
            ipversion: ipv4
          '001 drop icmp timestamp reply':
            proto: icmp
            type: 14
            jump: DROP
            ipversion: ipv4

      ~~~

      All ICMP packets are accepted because of the default "001 accept all icmp" rule.
      ~~~
      [tripleo-admin@overcloud-novacompute-0 ~]$ sudo nft list ruleset
      chain TRIPLEO_INPUT {
          ct state established,related counter packets 76338 bytes 69574593 accept comment "000 accept related established rules"
          meta l4proto icmp ct state new counter packets 2 bytes 124 accept comment "001 accept all icmp"
          meta l4proto ipv6-icmp counter packets 19 bytes 1368 accept comment "001 accept all ipv6-icmp"
          meta l4proto icmp ct state new counter packets 0 bytes 0 drop comment "001 drop icmp timestamp"
          meta l4proto icmp ct state new counter packets 0 bytes 0 drop comment "001 drop icmp timestamp reply"
          iifname "lo" counter packets 0 bytes 0 accept comment "002 accept all to lo interface"
          ip saddr 172.25.250.0/24 tcp dport 22 ct state new counter packets 2 bytes 120 accept comment "003 accept ssh from ctlplane subnet 172.25.250.0/24"
          ip6 daddr fe80::/64 udp dport 546 ct state new counter packets 0 bytes 0 accept comment "004 accept ipv6 dhcpv6"
          udp dport 123 ct state new counter packets 0 bytes 0 accept comment "105 ntp"
          ip saddr 172.16.2.0/24 tcp dport 2022 ct state new counter packets 0 bytes 0 accept comment "113 nova_migration_target accept api subnet 172.16.2.0/24"
          ip saddr 172.16.2.0/24 tcp dport 2022 ct state new counter packets 0 bytes 0 accept comment "113 nova_migration_target accept libvirt subnet 172.16.2.0/24"
          udp dport 4789 counter packets 0 bytes 0 accept comment "118 neutron vxlan networks"
          udp dport 6081 counter packets 7986 bytes 814572 accept comment "119 neutron geneve networks"
          ip saddr 172.25.250.0/24 udp dport 161 ct state new counter packets 0 bytes 0 accept comment "124 snmp 172.25.250.0/24"
          tcp dport { 5900-6923, 16514, 61152-61215 } ct state new counter packets 0 bytes 0 accept comment "200 nova_libvirt"
      }
      ~~~
      Ping works and ICMP still works.

      ~~~
      [stack@director ~]$ ping -c1 172.25.250.20
      PING 172.25.250.20 (172.25.250.20) 56(84) bytes of data.
      64 bytes from 172.25.250.20: icmp_seq=1 ttl=64 time=2.75 ms

      --- 172.25.250.20 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 2.753/2.753/2.753/0.000 ms
      [stack@director ~]$ sudo nping -c1 --icmp --icmp-type 13 -v 172.25.250.20

      Starting Nping 0.7.91 ( https://nmap.org/nping ) at 2025-07-21 05:17 EDT
      SENT (0.0138s) ICMP [172.25.250.1 > 172.25.250.20 Timestamp request (type=13/code=0) id=6863 seq=1 orig=0 recv=0 trans=0] IP [ttl=64 id=38670 proto=1 csum=0x977d iplen=40 ]
      RCVD (0.0147s) ICMP [172.25.250.20 > 172.25.250.1 Timestamp reply (type=14/code=0) id=6863 seq=1 orig=0 recv=33476696 trans=33476696] IP [ttl=64 id=62031 proto=1 csum=0x3c3c iplen=40 ]

      Max rtt: 0.834ms | Min rtt: 0.834ms | Avg rtt: 0.834ms
      Raw packets sent: 1 (40B) | Rcvd: 1 (40B) | Lost: 0 (0.00%)
      Tx time: 0.00127s | Tx bytes/s: 31397.17 | Tx pkts/s: 784.93
      Rx time: 1.00120s | Rx bytes/s: 39.95 | Rx pkts/s: 1.00
      Nping done: 1 IP address pinged in 1.03 seconds
      ~~~

      Expected behavior

      • ICMP is denied.
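The ruleset listing in the report shows two things worth separating. First, TripleO installs the rules in lexical order of their name, so "001 accept all icmp" lands before "001 drop icmp timestamp" and, because an nft chain stops at the first terminal verdict, the accept wins. Second, the generated drop rules carry `ct state new` but no `icmp type` match at all, so even if they sorted first they would drop every ICMP packet, not only types 13 and 14. The model below is an added example written for this page, not tripleo-ansible code: it reproduces that ordering and first-match behaviour on constructed packet dicts, and renders a candidate rule name and an explicit ICMP type that would be needed for the drop to take effect. The rule names starting "000 drop", the `icmp_type` key, and the assumption that extra rules are merged over the defaults by name are all illustrative choices, not something the page or the project confirms.

```python
"""Model of TripleO firewall rule ordering and nft first-match evaluation.

Added example for this report; it is not tripleo-ansible code and does not
talk to nft. It assumes only what the listing on the page shows: rules are
installed in lexical order of their name, the '001 drop ...' rules received
'ct state new' but no 'icmp type' match, and nft stops at the first matching
terminal rule. Packet dicts and all helper names are constructed here.
"""

# Defaults as they appear in the TRIPLEO_INPUT listing (subset transcribed from the page).
DEFAULT_RULES = {
    "000 accept related established rules": {"ct_state": "established,related", "jump": "ACCEPT"},
    "001 accept all icmp": {"proto": "icmp", "ct_state": "new", "jump": "ACCEPT"},
    "001 accept all ipv6-icmp": {"proto": "ipv6-icmp", "jump": "ACCEPT"},
    "002 accept all to lo interface": {"iif": "lo", "jump": "ACCEPT"},
}

# The reporter's rules as nft actually received them: 'ct state new' added, no type match.
AS_GENERATED = {
    "001 drop icmp timestamp": {"proto": "icmp", "ct_state": "new", "jump": "DROP"},
    "001 drop icmp timestamp reply": {"proto": "icmp", "ct_state": "new", "jump": "DROP"},
}

# Candidate fix (assumption, not from the page): a name that sorts before
# '001 accept all icmp' and an explicit ICMP type so echo requests survive.
FIXED = {
    "000 drop icmp timestamp": {"proto": "icmp", "icmp_type": 13, "ct_state": "new", "jump": "DROP"},
    "000 drop icmp timestamp reply": {"proto": "icmp", "icmp_type": 14, "ct_state": "new", "jump": "DROP"},
}

# nft keyword names for the ICMP types used here.
ICMP_TYPE_NAMES = {8: "echo-request", 13: "timestamp-request", 14: "timestamp-reply"}


def order_rules(defaults, extras):
    """Merge extras over defaults by name (override-by-name is an assumption),
    then sort by name, which is the order the page's listing shows."""
    merged = {**defaults, **extras}
    return sorted(merged.items())


def matches(rule, pkt):
    """A rule matches when every match key it carries equals the packet's value;
    keys the rule does not carry are wildcards, as in nft."""
    for key in ("proto", "icmp_type", "iif"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "ct_state" in rule and pkt["ct_state"] not in rule["ct_state"].split(","):
        return False
    return True


def verdict(rules, pkt):
    """First matching rule wins, like an nft chain; None means fall-through."""
    for name, rule in rules:
        if matches(rule, pkt):
            return name, rule["jump"]
    return None


def render_nft(name, rule):
    """Render one rule in nft syntax, emitting the icmp type match when present."""
    parts = []
    if "iif" in rule:
        parts.append(f'iifname "{rule["iif"]}"')
    if "proto" in rule:
        parts.append(f'meta l4proto {rule["proto"]}')
    if "icmp_type" in rule:
        parts.append(f'icmp type {ICMP_TYPE_NAMES.get(rule["icmp_type"], rule["icmp_type"])}')
    if "ct_state" in rule:
        parts.append(f'ct state {rule["ct_state"]}')
    parts.append(rule["jump"].lower())
    parts.append(f'comment "{name}"')
    return " ".join(parts)


# Constructed packets: the nping timestamp request from the report and a plain ping.
TIMESTAMP_REQ = {"proto": "icmp", "icmp_type": 13, "ct_state": "new", "iif": "eth0"}
ECHO_REQ = {"proto": "icmp", "icmp_type": 8, "ct_state": "new", "iif": "eth0"}

if __name__ == "__main__":
    print("as generated, timestamp:", verdict(order_rules(DEFAULT_RULES, AS_GENERATED), TIMESTAMP_REQ))
    print("fixed, timestamp       :", verdict(order_rules(DEFAULT_RULES, FIXED), TIMESTAMP_REQ))
    print("fixed, echo            :", verdict(order_rules(DEFAULT_RULES, FIXED), ECHO_REQ))
    for name, rule in order_rules({}, FIXED):
        print(render_nft(name, rule))
```

Running it shows the timestamp request accepted by "001 accept all icmp" with the rules as generated, dropped by "000 drop icmp timestamp" with the candidate names, and the echo request still accepted in the fixed case; the rendered rule reads `meta l4proto icmp icmp type timestamp-request ct state new drop comment "000 drop icmp timestamp"`. Whatever rule name is chosen, the check on a real node is the one already in the report: `nft list ruleset` to confirm the drop precedes the ICMP accept and carries an `icmp type` match, then `nping --icmp --icmp-type 13` to confirm no reply comes back.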

              Assignee: Unassigned
              Reporter: Chorong Park (rhn-support-chopark)
              rhos-dfg-df
              Votes: 0
              Watchers: 4