detect: enforce flow drops earlier

Enforcing flow drops is now done earlier in the detection engine and
moved out of the IP-only engine where it didn't belong.

diff --git a/src/detect.c b/src/detect.c
index 9bca53c9c87d662e7815e2a5861f19c757d77fe8..89d37dcfa4e812123ce8721df119bbd883b9dfcf 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -549,12 +549,6 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
             /* save in the flow that we scanned this direction... */
             FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
         }
-        /* If we have a drop from IP only module,
-         * we will drop the rest of the flow packets
-         * This will apply only to inline/IPS */
-        if (pflow->flags & FLOW_ACTION_DROP) {
-            PACKET_DROP(p);
-        }
     } else { /* p->flags & PKT_HAS_FLOW */
         /* no flow */
 
@@ -1544,6 +1538,12 @@ static void DetectFlow(ThreadVars *tv,
         return;
     }
 
+    /* if flow is set to drop, we enforce that here */
+    if (p->flow->flags & FLOW_ACTION_DROP) {
+        PACKET_DROP(p);
+        SCReturn;
+    }
+
     /* see if the packet matches one or more of the sigs */
     (void)DetectRun(tv, de_ctx, det_ctx, p);
 }