From: Victor Julien
Date: Fri, 10 Sep 2021 10:35:13 +0000 (+0200)
Subject: detect: enforce flow drops earlier
X-Git-Tag: suricata-5.0.10~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b73c94c3060bb85210c8aa38eafb82f53787e28;p=thirdparty%2Fsuricata.git

detect: enforce flow drops earlier

Enforcing flow drops is now done earlier in the detection engine and
moved out of the IP-only engine where it didn't belong.

(cherry picked from commit 802c1ffee35250d1ac753aec1343e481b83d854f)
---
diff --git a/src/detect.c b/src/detect.c
index dc5fe50bf9..f63219bb7f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -550,12 +550,6 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
             /* save in the flow that we scanned this direction... */
             FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
         }
-        /* If we have a drop from IP only module,
-         * we will drop the rest of the flow packets
-         * This will apply only to inline/IPS */
-        if (pflow->flags & FLOW_ACTION_DROP) {
-            PACKET_DROP(p);
-        }
     } else { /* p->flags & PKT_HAS_FLOW */
         /* no flow */
@@ -1548,6 +1542,12 @@ static void DetectFlow(ThreadVars *tv,
         return;
     }
 
+    /* if flow is set to drop, we enforce that here */
+    if (p->flow->flags & FLOW_ACTION_DROP) {
+        PACKET_DROP(p);
+        SCReturn;
+    }
+
     /* see if the packet matches one or more of the sigs */
     (void)DetectRun(tv, de_ctx, det_ctx, p);
 }
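Review bot: The new block in DetectFlow returns with `SCReturn;` before `(void)DetectRun(tv, de_ctx, det_ctx, p);`, so a packet on a flow carrying FLOW_ACTION_DROP is no longer run through signature inspection at all, whereas the removed block in DetectRunInspectIPOnly only called PACKET_DROP and let inspection continue; neither the commit message nor the new comment says that skipping detection (and hence any alerts on later packets of a dropped flow) is intended, so the comment should state it, e.g. `/* flow is flagged to drop: drop the packet and skip signature inspection; later packets of this flow will not be inspected or alerted on */`. The removed comment also recorded that the drop only takes effect in inline/IPS mode; if that caveat still applies here, carry it over rather than losing it. As a style point, the block uses `SCReturn;` while the guard two lines above in the same function uses plain `return;`; the function should use one form. DetectFlow begins before the hunk, so whatever checks precede this block on p->flow are not visible here.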