From 6903da232304bc47fc82178bb6956e3613a9921c Mon Sep 17 00:00:00 2001
From: Josh Dorsey <jdorsey@netgate.com>
Date: Wed, 4 Jan 2023 21:28:07 +0000
Subject: abf: exclude networks with deny rules

Type: improvement

Signed-off-by: Josh Dorsey <jdorsey@netgate.com>
Change-Id: Iee43ca9278922fc7396764b88cff1a87bcb28349
---
 src/plugins/abf/abf_itf_attach.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

(limited to 'src/plugins/abf/abf_itf_attach.c')

diff --git a/src/plugins/abf/abf_itf_attach.c b/src/plugins/abf/abf_itf_attach.c
index 6f85ff69ae6..a14717e1999 100644
--- a/src/plugins/abf/abf_itf_attach.c
+++ b/src/plugins/abf/abf_itf_attach.c
@@ -567,10 +567,11 @@ abf_input_inline (vlib_main_t * vm,
 					 (FIB_PROTOCOL_IP6 == fproto), 1, 0,
 					 &fa_5tuple0);
 
-	  if (acl_plugin_match_5tuple_inline
-	      (acl_plugin.p_acl_main, lc_index, &fa_5tuple0,
-	       (FIB_PROTOCOL_IP6 == fproto), &action, &match_acl_pos,
-	       &match_acl_index, &match_rule_index, &trace_bitmap))
+	  if (acl_plugin_match_5tuple_inline (
+		acl_plugin.p_acl_main, lc_index, &fa_5tuple0,
+		(FIB_PROTOCOL_IP6 == fproto), &action, &match_acl_pos,
+		&match_acl_index, &match_rule_index, &trace_bitmap) &&
+	      action > 0)
 	    {
 	      /*
 	       * match:
-- 
cgit 1.2.3-korg