From 8d4ed1124fbf93a194dbdc5df5d1592137934ac9 Mon Sep 17 00:00:00 2001
From: Nataliia Solomko <natalirs1985@gmail.com>
Date: Wed, 11 Sep 2024 12:22:25 +0300
Subject: policy: T6676: Invalid route-map caused bgpd to crash

(cherry picked from commit 595f35bbdda732883ce0b8b0721061bb3a40a715)
---
 src/conf_mode/policy.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py
index 4df893ebf..a5963e72c 100755
--- a/src/conf_mode/policy.py
+++ b/src/conf_mode/policy.py
@@ -167,10 +167,10 @@ def verify(policy):
                 continue
 
             for rule, rule_config in route_map_config['rule'].items():
-                # Action 'deny' cannot be used with "continue"
-                # FRR does not validate it T4827
-                if rule_config['action'] == 'deny' and 'continue' in rule_config:
-                    raise ConfigError(f'rule {rule} "continue" cannot be used with action deny!')
+                # Action 'deny' cannot be used with "continue" or "on-match"
+                # FRR does not validate it T4827, T6676
+                if rule_config['action'] == 'deny' and ('continue' in rule_config or 'on_match' in rule_config):
+                    raise ConfigError(f'rule {rule} "continue" or "on-match" cannot be used with action deny!')
 
                 # Specified community-list must exist
                 tmp = dict_search('match.community.community_list',
-- 
cgit v1.2.3