abf: exclude networks with deny rules

Type: improvement Signed-off-by: Josh Dorsey <jdorsey@netgate.com> Change-Id: Iee43ca9278922fc7396764b88cff1a87bcb28349
author: Josh Dorsey <jdorsey@netgate.com> 2023-01-04 21:28:07 +0000
committer: Neale Ranns <neale@graphiant.com> 2023-01-12 02:17:37 +0000
commit: 6903da232304bc47fc82178bb6956e3613a9921c (patch)
tree: 8766d7ba8f0b5556742d935eaaa6e8367c19346e /src/plugins/abf/abf_itf_attach.c
parent: 058237e5811ab0b2d2ffb119228349737dea4a54 (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/src/plugins/abf/abf_itf_attach.c b/src/plugins/abf/abf_itf_attach.c
index 6f85ff69ae6..a14717e1999 100644
--- a/src/plugins/abf/abf_itf_attach.c
+++ b/src/plugins/abf/abf_itf_attach.c
@@ -567,10 +567,11 @@ abf_input_inline (vlib_main_t * vm,
 					 (FIB_PROTOCOL_IP6 == fproto), 1, 0,
 					 &fa_5tuple0);
 
-	  if (acl_plugin_match_5tuple_inline
-	      (acl_plugin.p_acl_main, lc_index, &fa_5tuple0,
-	       (FIB_PROTOCOL_IP6 == fproto), &action, &match_acl_pos,
-	       &match_acl_index, &match_rule_index, &trace_bitmap))
+	  if (acl_plugin_match_5tuple_inline (
+		acl_plugin.p_acl_main, lc_index, &fa_5tuple0,
+		(FIB_PROTOCOL_IP6 == fproto), &action, &match_acl_pos,
+		&match_acl_index, &match_rule_index, &trace_bitmap) &&
+	      action > 0)
 	    {
 	      /*
 	       * match:
author	Josh Dorsey <jdorsey@netgate.com>	2023-01-04 21:28:07 +0000
committer	Neale Ranns <neale@graphiant.com>	2023-01-12 02:17:37 +0000
commit	6903da232304bc47fc82178bb6956e3613a9921c (patch)
tree	8766d7ba8f0b5556742d935eaaa6e8367c19346e /src/plugins/abf/abf_itf_attach.c
parent	058237e5811ab0b2d2ffb119228349737dea4a54 (diff)