abf: exclude networks with deny rules

[vpp.git] / src / plugins / abf / abf_itf_attach.c

diff --git a/src/plugins/abf/abf_itf_attach.c b/src/plugins/abf/abf_itf_attach.c
index 6f85ff6..a14717e 100644 (file)
--- a/src/plugins/abf/abf_itf_attach.c
+++ b/src/plugins/abf/abf_itf_attach.c
@@ -567,10 +567,11 @@ abf_input_inline (vlib_main_t * vm,
                                         (FIB_PROTOCOL_IP6 == fproto), 1, 0,
                                         &fa_5tuple0);
 
-         if (acl_plugin_match_5tuple_inline
-             (acl_plugin.p_acl_main, lc_index, &fa_5tuple0,
-              (FIB_PROTOCOL_IP6 == fproto), &action, &match_acl_pos,
-              &match_acl_index, &match_rule_index, &trace_bitmap))
+         if (acl_plugin_match_5tuple_inline (
+               acl_plugin.p_acl_main, lc_index, &fa_5tuple0,
+               (FIB_PROTOCOL_IP6 == fproto), &action, &match_acl_pos,
+               &match_acl_index, &match_rule_index, &trace_bitmap) &&
+             action > 0)
            {
              /*
               * match: