Allow decapsulated ip6ip6 packets

global/overlay/etc/puppet/modules/cdn/manifests/cache.pp

@@ -122,6 +122,9 @@ class cdn::cache(
   sunet::nftables::rule { 'sunet_cdn_service4':
     rule => 'add rule inet filter input meta iifname tunl0 ip daddr 188.240.152.0/24 tcp dport { 80, 443 } counter accept comment "sunet-cdn-service4"'
   }
+  sunet::nftables::rule { 'sunet_cdn_service6':
+    rule => 'add rule inet filter input meta iifname ip6tnl0 ip6 daddr 2001:6b0:2100::/48 tcp dport { 80, 443 } counter accept comment "sunet-cdn-service6"'
+  }
 
   if $cache_secrets {
     $customers.each |String $customer, Integer $customer_uid| {