[pve-devel] [PATCH ve-rs 1/2] fix: firewall: introduce iptables to nftables mapping for icmpv6-types

Thomas Lamprecht t.lamprecht at proxmox.com
Sat Oct 4 15:17:30 CEST 2025


On 16.09.25 at 11:32, Gabriel Goller wrote:
> +        if let Ok(index) = IPTABLES_ICMP_TYPES_MAPPING.binary_search_by(|v| v.0.cmp(s)) {
> +            if let Some(mapped_nftables_type) = IPTABLES_ICMP_TYPES_MAPPING[index].1 {
> +                return Ok(Self::Named(mapped_nftables_type));
> +            } else {
> +                bail!("icmp_type {s:?} is unsupported in nftables");

How is this Err handled on use sites? As for the bail below I'd be fine
if it causes some further failure down the road, but if it is a supported
type in pve-firewall, the above should not cause any actual error or rule
generations to get skipped, besides skipping the nftables-unsupported
ones, obviously.

Also, the linked wiki sports "Last update: Mar/2022" at the top, so a bit
dated. Did you actually try if this is still the case for all of the
listed ones?

> +            }
> +        }
> +
>          bail!("{s:?} is not a valid icmpv6 type");
>      }
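
Review bot: The `binary_search_by(|v| v.0.cmp(s))` lookup at the top of this hunk is only correct if `IPTABLES_ICMP_TYPES_MAPPING` is sorted by its first tuple field in the same order `cmp` uses, and the visible lines show neither the table nor a test that enforces this. An out-of-order entry would make a valid iptables name fall through silently to the "is not a valid icmpv6 type" bail, so a firewall rule could be rejected for the wrong reason. Consider a unit test asserting the table is sorted with no duplicate keys, plus a comment on the table stating the requirement. Smaller point: the new message says `icmp_type` while the existing one says `icmpv6 type`; matching the wording would make the "known but unsupported in nftables" and "unknown name" failures easier to tell apart in logs.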




