- // non-fragmented deny rules are skipped if containing L4 matches
- if (!rule->frag &&
- (rule->src_ports.op || rule->dst_ports.op || rule->tcp_flag_op) &&
- rule->action == FILTER_ACTION_DENY)
+ // layer 4 deny rules are skipped
+ if (rule->action == FILTER_ACTION_DENY &&
+ (rule->src_ports.op || rule->dst_ports.op || rule->tcp_flag_op))