Less-straightforward `Deny` decisions don't bump layers' `out_`/`in_deny` stats

[FelixMcFelix]

opte/lib/opte/src/engine/layer.rs

Lines 1235 to 1240 in d777d6b

	AllowOrDeny::Deny => {
	return Ok(LayerResult::Deny {
	name: self.name,
	reason: DenyReason::Action,
	});
	}

A few lines above, we bump the aforementioned kstat in response to an explicit Action::Deny. We should generally be doing this regardless of what path was taken to decide upon a packet drop, particularly since we only see hits on any rule with a more complex action like the overlay layer has.

It would be better still to get #744 revived even if I don't yet have the time to plumb it into omicron.