| author | Daniel Borkmann <daniel@iogearbox.net> | 2015-09-23 15:56:48 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-09-23 17:29:02 -0400 |
| commit | 5cf8ca0e473df01c9b78894d6e62afa2e1d1166f (patch) | |
| tree | 65ef1d74e2df607b83bfb534a121342488d22a49 /net/sched | |
| parent | ef146fa40cc3af1dcb13688f41cc06a9c0deb01c (diff) | |
cls_bpf: further limit exec opcodes subset
Jamal suggested to further limit the currently allowed subset of opcodes
that may be used by a direct action return code as the intention is not
to replace the full action engine, but rather to have a minimal set that
can be used in the fast-path on things like ingress for some features
that cls_bpf supports.
Classifiers can, of course, still be chained together that have direct
action mode with those that have a full exec pass. For more complex
scenarios that go beyond this minimal set here, the full tcf_exts_exec()
path must be used.
Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sched')
| -rw-r--r-- | net/sched/cls_bpf.c | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c index d6c0a0b44afb..7eeffaf69c75 100644 --- a/net/sched/cls_bpf.c +++ b/net/sched/cls_bpf.c | |||
| @@ -65,11 +65,8 @@ static int cls_bpf_exec_opcode(int code) | |||
| 65 | { | 65 | { |
| 66 | switch (code) { | 66 | switch (code) { |
| 67 | case TC_ACT_OK: | 67 | case TC_ACT_OK: |
| 68 | case TC_ACT_RECLASSIFY: | ||
| 69 | case TC_ACT_SHOT: | 68 | case TC_ACT_SHOT: |
| 70 | case TC_ACT_PIPE: | ||
| 71 | case TC_ACT_STOLEN: | 69 | case TC_ACT_STOLEN: |
| 72 | case TC_ACT_QUEUED: | ||
| 73 | case TC_ACT_REDIRECT: | 70 | case TC_ACT_REDIRECT: |
| 74 | case TC_ACT_UNSPEC: | 71 | case TC_ACT_UNSPEC: |
| 75 | return code; | 72 | return code; |
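Review bot: The three labels dropped from the switch in cls_bpf_exec_opcode() (TC_ACT_RECLASSIFY, TC_ACT_PIPE, TC_ACT_QUEUED) now reach the default branch, which lies outside the visible context, so the hunk does not show what a direct-action program that returns one of them will get back. Please add a short comment above the switch listing the return codes that remain accepted (TC_ACT_OK, TC_ACT_SHOT, TC_ACT_STOLEN, TC_ACT_REDIRECT, TC_ACT_UNSPEC) and stating what every other value is mapped to, so the restricted set is documented at the point where it is enforced. The commit message would also benefit from naming the three removed codes and noting that programs relying on them in direct-action mode now need the full tcf_exts_exec() path, since this is a behaviour change with no accompanying insertion in the diff.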
