detect: add check to validate drops
authorVictor Julien <vjulien@oisf.net>
Thu, 1 Jun 2023 08:57:08 +0000 (10:57 +0200)
committerVictor Julien <vjulien@oisf.net>
Fri, 2 Jun 2023 10:26:07 +0000 (12:26 +0200)
(cherry picked from commit 95bf7248e85d1c3179b4102c37f8845bcbc678b0)

src/detect.c

index 724679e9fa0e0782470a2e1c192f25fc00d3f55c..8420189a1eb6ed0b10e42f4095af94fd5a52b937 100644 (file)
@@ -1566,8 +1566,11 @@ static void DetectFlow(ThreadVars *tv,
         return;
     }
 
-    /* if flow is set to drop, we enforce that here */
+    /* we check the flow drop here, and not the packet drop. This is
+     * to allow stream engine "invalid" drop packets to still be
+     * evaluated by the stream event rules. */
     if (p->flow->flags & FLOW_ACTION_DROP) {
+        DEBUG_VALIDATE_BUG_ON(!(PKT_IS_PSEUDOPKT(p)) && !PACKET_TEST_ACTION(p, ACTION_DROP));
         SCReturn;
     }
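Review bot: The added `DEBUG_VALIDATE_BUG_ON` at the `FLOW_ACTION_DROP` early return is, as far as I know, compiled out unless debug validation is enabled, so release builds get no enforcement of the invariant it encodes. If a non-pseudo packet ever reached this point on a dropped flow without `ACTION_DROP` set, it would skip detection here and still not be dropped, which in inline mode is a fail-open path. The new comment explains why the flow flag is tested rather than the packet action, but not what the assertion relies on or why pseudo packets are exempt. I would add a line above the check such as `/* a non-pseudo packet on a dropped flow must already carry ACTION_DROP, set before detection runs; validated in debug builds only */`, and confirm that the code setting `FLOW_ACTION_DROP` always sets the packet action too. The body of `DetectFlow` starts and continues outside this hunk, so the callers that establish the invariant are not visible here.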