From: Juliana Fajardini Date: Mon, 29 Aug 2022 23:32:31 +0000 (-0300) Subject: exceptions: add callbacks for drop-flow policy X-Git-Tag: suricata-7.0.0-beta1~255 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=242b8f7d65498f7b7b33cf852a79206484c269b1;p=thirdparty%2Fsuricata.git exceptions: add callbacks for drop-flow policy Make sure that when the policy is to drop the flow, we set no inspection for payload and packet and disable applayer inspection as well. Task #5468
---
diff --git a/src/util-exception-policy.c b/src/util-exception-policy.c
index a646c5e33a..c849469db0 100644
--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@@ -23,6 +23,7 @@
 #include "suricata.h"
 #include "util-exception-policy.h"
 #include "util-misc.h"
+#include "stream-tcp-reassemble.h"
 void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDropReason drop_reason)
 {
@@ -35,6 +36,9 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
 SCLogDebug("EXCEPTION_POLICY_DROP_FLOW");
 if (p->flow) {
 p->flow->flags |= FLOW_ACTION_DROP;
+ FlowSetNoPayloadInspectionFlag(p->flow);
+ FlowSetNoPacketInspectionFlag(p->flow);
+ StreamTcpDisableAppLayer(p->flow);
 }
 /* fall through */
 case EXCEPTION_POLICY_DROP_PACKET:
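Review bot: The three calls added inside `if (p->flow)` in the second hunk switch off payload, packet and app-layer inspection for the rest of the flow, which is only sound if the drop requested by `FLOW_ACTION_DROP` is actually enforced. The start of the switch and any engine-mode guard are outside the hunk, so please confirm this branch cannot run where drops are not enforced; otherwise the flow would continue both unblocked and uninspected, which is a visibility gap rather than a policy action. `StreamTcpDisableAppLayer()` is also called whatever the flow's protocol, so it presumably has to tolerate non-TCP flows, which is worth verifying. I would add a comment above the calls, for example `/* flow will be dropped: skip payload/packet detection and app-layer parsing for its remaining packets */`.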