From 5cf8ca0e473df01c9b78894d6e62afa2e1d1166f Mon Sep 17 00:00:00 2001
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Wed, 23 Sep 2015 21:56:48 +0200
Subject: [PATCH] cls_bpf: further limit exec opcodes subset

Jamal suggested to further limit the currently allowed subset of opcodes
that may be used by a direct action return code as the intention is not
to replace the full action engine, but rather to have a minimal set that
can be used in the fast-path on things like ingress for some features
that cls_bpf supports.

Classifiers can, of course, still be chained together that have direct
action mode with those that have a full exec pass. For more complex
scenarios that go beyond this minimal set here, the full tcf_exts_exec()
path must be used.

Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/sched/cls_bpf.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index d6c0a0b44afba..7eeffaf69c758 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -65,11 +65,8 @@ static int cls_bpf_exec_opcode(int code)
 {
 	switch (code) {
 	case TC_ACT_OK:
-	case TC_ACT_RECLASSIFY:
 	case TC_ACT_SHOT:
-	case TC_ACT_PIPE:
 	case TC_ACT_STOLEN:
-	case TC_ACT_QUEUED:
 	case TC_ACT_REDIRECT:
 	case TC_ACT_UNSPEC:
 		return code;
-- 
2.30.2