From: Victor Julien
Date: Thu, 13 Mar 2025 08:23:22 +0000 (+0100)
Subject: detect: check for a flow drop first
X-Git-Tag: suricata-8.0.0-beta1~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=187f71de24f2a19eac184391e0fb983afc4ec654;p=thirdparty%2Fsuricata.git

detect: check for a flow drop first
---

diff --git a/src/detect.c b/src/detect.c
index 0b43f32af2..64c69d301f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1938,6 +1938,14 @@ static void DetectFlow(ThreadVars *tv,
 {
     Flow *const f = p->flow;
 
+    /* we check the flow drop here, and not the packet drop. This is
+     * to allow stream engine "invalid" drop packets to still be
+     * evaluated by the stream event rules. */
+    if (f->flags & FLOW_ACTION_DROP) {
+        DEBUG_VALIDATE_BUG_ON(!(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP));
+        SCReturn;
+    }
+
     if (p->flags & PKT_NOPACKET_INSPECTION || f->flags & (FLOW_ACTION_PASS)) {
         /* hack: if we are in pass the entire flow mode, we need to still
          * update the inspect_id forward. So test for the condition here,
@@ -1955,14 +1963,6 @@ static void DetectFlow(ThreadVars *tv,
         return;
     }
 
-    /* we check the flow drop here, and not the packet drop. This is
-     * to allow stream engine "invalid" drop packets to still be
-     * evaluated by the stream event rules. */
-    if (f->flags & FLOW_ACTION_DROP) {
-        DEBUG_VALIDATE_BUG_ON(!(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP));
-        SCReturn;
-    }
-
     /* see if the packet matches one or more of the sigs */
     DetectRun(tv, de_ctx, det_ctx, p);
 }
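Review bot: In the first hunk the relocated FLOW_ACTION_DROP return now sits ahead of the PKT_NOPACKET_INSPECTION / FLOW_ACTION_PASS branch whose own comment says it must still move inspect_id forward in pass-the-flow mode, so a flow carrying both FLOW_ACTION_DROP and FLOW_ACTION_PASS would return before that update; if the two flags are mutually exclusive that is fine, but nothing in the hunk establishes it and the moved comment does not say why the drop check has to come first. I would extend the comment with `* Checked before the PKT_NOPACKET_INSPECTION/FLOW_ACTION_PASS test so a flow marked for drop never takes the pass path (nor its inspect_id update).` The DEBUG_VALIDATE_BUG_ON only fires in validation builds, so in a release build a flow-drop reached with a non-pseudo packet that is not itself dropped silently skips DetectRun; that is unchanged by this commit but worth one line in the same comment. The second hunk is the matching removal; DetectFlow's signature begins before the first hunk and the pass-mode branch continues past its end.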