From 5cf8ca0e473df01c9b78894d6e62afa2e1d1166f Mon Sep 17 00:00:00 2001 From: Daniel Borkmann Date: Wed, 23 Sep 2015 21:56:48 +0200 Subject: [PATCH] cls_bpf: further limit exec opcodes subset Jamal suggested to further limit the currently allowed subset of opcodes that may be used by a direct action return code as the intention is not to replace the full action engine, but rather to have a minimal set that can be used in the fast-path on things like ingress for some features that cls_bpf supports. Classifiers can, of course, still be chained together that have direct action mode with those that have a full exec pass. For more complex scenarios that go beyond this minimal set here, the full tcf_exts_exec() path must be used. Suggested-by: Jamal Hadi Salim Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller --- net/sched/cls_bpf.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c index d6c0a0b44afb..7eeffaf69c75 100644 --- a/net/sched/cls_bpf.c +++ b/net/sched/cls_bpf.c @@ -65,11 +65,8 @@ static int cls_bpf_exec_opcode(int code) { switch (code) { case TC_ACT_OK: - case TC_ACT_RECLASSIFY: case TC_ACT_SHOT: - case TC_ACT_PIPE: case TC_ACT_STOLEN: - case TC_ACT_QUEUED: case TC_ACT_REDIRECT: case TC_ACT_UNSPEC: return code; -- GitLab