From 6903da232304bc47fc82178bb6956e3613a9921c Mon Sep 17 00:00:00 2001
From: Josh Dorsey <jdorsey@netgate.com>
Date: Wed, 4 Jan 2023 21:28:07 +0000
Subject: abf: exclude networks with deny rules

Type: improvement

Signed-off-by: Josh Dorsey <jdorsey@netgate.com>
Change-Id: Iee43ca9278922fc7396764b88cff1a87bcb28349
---
 src/plugins/abf/FEATURE.yaml     | 7 +++++--
 src/plugins/abf/abf_itf_attach.c | 9 +++++----
 2 files changed, 10 insertions(+), 6 deletions(-)


diff --git a/src/plugins/abf/FEATURE.yaml b/src/plugins/abf/FEATURE.yaml
index b9f3285daa3..7902dbe7800 100644
--- a/src/plugins/abf/FEATURE.yaml
+++ b/src/plugins/abf/FEATURE.yaml
@@ -1,9 +1,12 @@
 ---
 name: ACL Based Forwarding
-maintainer: Neale Ranns <nranns@cisco.com>
+maintainer: Neale Ranns <neale@graphiant.com>
 features:
   - 'Policy Based Routing'
-  - ACLs match traffic to be forwarded
+  - ACLs identify how traffic should be forwarded. Packets matching a permit
+    rule are forwarded using ABF policy. Packets matching a deny rule are
+    excluded from ABF handling and continue traversing the input feature arc on
+    the L3 path.
   - Each rule in the ACL has an associated 'path' which determines how the
     traffic will be forwarded. This path is described as a FIB path, so anything
     possible with basic L3 forwarding is possible with ABF (with the exception
diff --git a/src/plugins/abf/abf_itf_attach.c b/src/plugins/abf/abf_itf_attach.c
index 6f85ff69ae6..a14717e1999 100644
--- a/src/plugins/abf/abf_itf_attach.c
+++ b/src/plugins/abf/abf_itf_attach.c
@@ -567,10 +567,11 @@ abf_input_inline (vlib_main_t * vm,
 					 (FIB_PROTOCOL_IP6 == fproto), 1, 0,
 					 &fa_5tuple0);
 
-	  if (acl_plugin_match_5tuple_inline
-	      (acl_plugin.p_acl_main, lc_index, &fa_5tuple0,
-	       (FIB_PROTOCOL_IP6 == fproto), &action, &match_acl_pos,
-	       &match_acl_index, &match_rule_index, &trace_bitmap))
+	  if (acl_plugin_match_5tuple_inline (
+		acl_plugin.p_acl_main, lc_index, &fa_5tuple0,
+		(FIB_PROTOCOL_IP6 == fproto), &action, &match_acl_pos,
+		&match_acl_index, &match_rule_index, &trace_bitmap) &&
+	      action > 0)
 	    {
 	      /*
 	       * match:
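Review bot: The new `action > 0` test on the last added line encodes the ACL action numbering as a bare magic comparison, and nothing at this site says which values are treated as a deny; a reader has to know the acl plugin's convention to see that 0 is rejected while the permit variants pass. I would add a comment above the `if`, e.g. `/* action 0 is an ACL deny: skip ABF and stay on the L3 feature arc */`, and compare against a named action constant instead of a literal if the acl plugin exports one. Note also that on a deny match the `match_acl_index`, `match_rule_index` and `trace_bitmap` out-parameters are filled in and then, as far as the hunk shows, discarded, so downstream a packet excluded by a deny rule presumably looks the same as one that matched nothing; if that is intended it is worth saying in the same comment. abf_input_inline starts and ends outside the hunk.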
-- 