From: Victor Julien
Date: Fri, 10 Sep 2021 10:35:13 +0000 (+0200)
Subject: detect: enforce flow drops earlier
X-Git-Tag: suricata-7.0.0-beta1~1415
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=802c1ffee35250d1ac753aec1343e481b83d854f;p=thirdparty%2Fsuricata.git
detect: enforce flow drops earlier
Enforcing flow drops is now done earlier in the detection engine and moved out of the IP-only engine where it didn't belong.
---
diff --git a/src/detect.c b/src/detect.c
index 9bca53c9c8..89d37dcfa4 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -549,12 +549,6 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
 /* save in the flow that we scanned this direction... */
 FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
 }
- /* If we have a drop from IP only module,
- * we will drop the rest of the flow packets
- * This will apply only to inline/IPS */
- if (pflow->flags & FLOW_ACTION_DROP) {
- PACKET_DROP(p);
- }
 } else { /* p->flags & PKT_HAS_FLOW */
 /* no flow */
@@ -1544,6 +1538,12 @@ static void DetectFlow(ThreadVars *tv,
 return;
 }
+ /* if flow is set to drop, we enforce that here */
+ if (p->flow->flags & FLOW_ACTION_DROP) {
+ PACKET_DROP(p);
+ SCReturn;
+ }
 /* see if the packet matches one or more of the sigs */
 (void)DetectRun(tv, de_ctx, det_ctx, p);
 }
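Review bot: The added `SCReturn` in DetectFlow makes this more than a relocation of the removed IP-only check: the old code called `PACKET_DROP(p)` and fell through, so the packet still reached signature inspection, whereas the new early return skips `DetectRun` entirely, so packets on a flow already marked `FLOW_ACTION_DROP` are never matched against signatures again and produce no further alerts. That is a defensible design, but the comment should say so rather than just "we enforce that here", and it should keep the mode caveat the deleted comment carried: `/* flow is marked to drop: drop this packet and skip signature inspection; the drop is only enforced in inline/IPS mode */`. Whether `p->flow` is guaranteed non-NULL here and whether `p->flow->flags` is read under the flow lock cannot be seen from the hunk, since DetectFlow's signature and the guard before the visible `return;` lie outside it; the note above the new block should state both assumptions if they hold.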