From: Victor Julien <vjulien@oisf.net>
Date: Wed, 31 May 2023 13:45:40 +0000 (+0200)
Subject: flow: apply flow to packet on flow lookup
X-Git-Tag: suricata-7.0.0-rc2~101
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71a033ac62e0b71953f1884ecba7e6461c744197;p=thirdparty%2Fsuricata.git

flow: apply flow to packet on flow lookup

Issue drop to packet as early as possible.
---

diff --git a/src/flow.c b/src/flow.c
index 8bb8d4a9e5..75e77d8ed9 100644
--- a/src/flow.c
+++ b/src/flow.c
@@ -25,6 +25,9 @@
 
 #include "suricata-common.h"
 #include "suricata.h"
+
+#include "action-globals.h"
+#include "packet.h"
 #include "decode.h"
 #include "conf.h"
 #include "threadvars.h"
@@ -505,6 +508,9 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
         FlowUpdateState(f, FLOW_STATE_ESTABLISHED);
     }
 
+    if (f->flags & FLOW_ACTION_DROP) {
+        PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FLOW_DROP);
+    }
     /*set the detection bypass flags*/
     if (f->flags & FLOW_NOPACKET_INSPECTION) {
         SCLogDebug("setting FLOW_NOPACKET_INSPECTION flag on flow %p", f);