提交 5cf8ca0e 编写于 作者: D Daniel Borkmann 提交者: David S. Miller

cls_bpf: further limit exec opcodes subset

Jamal suggested to further limit the currently allowed subset of opcodes
that may be used by a direct action return code as the intention is not
to replace the full action engine, but rather to have a minimal set that
can be used in the fast-path on things like ingress for some features
that cls_bpf supports.

Classifiers can, of course, still be chained together that have direct
action mode with those that have a full exec pass. For more complex
scenarios that go beyond this minimal set here, the full tcf_exts_exec()
path must be used.
Suggested-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Acked-by: NAlexei Starovoitov <ast@plumgrid.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 ef146fa4
...@@ -65,11 +65,8 @@ static int cls_bpf_exec_opcode(int code) ...@@ -65,11 +65,8 @@ static int cls_bpf_exec_opcode(int code)
{ {
switch (code) { switch (code) {
case TC_ACT_OK: case TC_ACT_OK:
case TC_ACT_RECLASSIFY:
case TC_ACT_SHOT: case TC_ACT_SHOT:
case TC_ACT_PIPE:
case TC_ACT_STOLEN: case TC_ACT_STOLEN:
case TC_ACT_QUEUED:
case TC_ACT_REDIRECT: case TC_ACT_REDIRECT:
case TC_ACT_UNSPEC: case TC_ACT_UNSPEC:
return code; return code;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册