From: Victor Julien Date: Wed, 31 May 2023 13:49:57 +0000 (+0200) Subject: detect: update/document drop flow logic X-Git-Tag: suricata-7.0.0-rc2~100 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85ddba63f64e95f4c202f8ef05e8886a0cbac725;p=thirdparty%2Fsuricata.git detect: update/document drop flow logic Now that flow drop is applied to packets before other processing, no drop has to be issued on a packet.
---
diff --git a/src/detect.c b/src/detect.c
index 8284a6597c..ebc883188c 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1709,9 +1709,10 @@ static void DetectFlow(ThreadVars *tv,
 return;
 }
- /* if flow is set to drop, we enforce that here */
+ /* we check the flow drop here, and not the packet drop. This is
+ * to allow stream engine "invalid" drop packets to still be
+ * evaluated by the stream event rules. */
 if (f->flags & FLOW_ACTION_DROP) {
- PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FLOW_DROP);
 SCReturn;
 }
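Review bot: The early `SCReturn` under `if (f->flags & FLOW_ACTION_DROP)` now relies on the packet having been marked for drop before DetectFlow runs, but that invariant is stated only in the commit message and not in the new comment. If some path sets FLOW_ACTION_DROP without also dropping the current packet (not visible in this hunk, so to be confirmed), that packet would skip inspection here and could still be forwarded in IPS mode. I would extend the comment with `* The packet was already dropped when the flow drop was applied earlier in packet processing, so no PacketDrop() is needed here.` and consider a debug-build assertion that the packet carries the drop action at this point. DetectFlow's body starts and ends outside the hunk.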