From: Eric Leblond
Date: Thu, 25 Feb 2021 21:48:16 +0000 (+0100)
Subject: detect/tag: add a tag for first packet
X-Git-Tag: suricata-7.0.0-beta1~567
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f4d59b3f79a77ed2faba663e4a54191bea17199;p=thirdparty%2Fsuricata.git
detect/tag: add a tag for first packet
We may need to know that a packet has been tagged but is the first one (and thus is not tagged).
---
diff --git a/src/decode.h b/src/decode.h
index be1e6d2b75..1b9806e748 100644
--- a/src/decode.h
+++ b/src/decode.h
@@ -1222,6 +1222,7 @@ void DecodeUnregisterCounters(void);
 /** We had no alert on flow before this packet */
 #define PKT_FIRST_ALERTS BIT_U32(29)
+#define PKT_FIRST_TAG BIT_U32(30)
 /** \brief return 1 if the packet is a pseudo packet */
 #define PKT_IS_PSEUDOPKT(p) \
diff --git a/src/detect-engine-tag.c b/src/detect-engine-tag.c
index 5839bd1597..66409d17bd 100644
--- a/src/detect-engine-tag.c
+++ b/src/detect-engine-tag.c
@@ -276,6 +276,7 @@ static void TagHandlePacketFlow(Flow *f, Packet *p)
 * to log it (the alert will log it) */
 if (!(iter->flags & TAG_ENTRY_FLAG_SKIPPED_FIRST)) {
 iter->flags |= TAG_ENTRY_FLAG_SKIPPED_FIRST;
+ p->flags |= PKT_FIRST_TAG;
 } else {
 /* Update metrics; remove if tag expired; and set alerts */
 switch (iter->metric) {
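Review bot: `PKT_FIRST_TAG` in src/decode.h is added without a doc comment, and because it directly follows `PKT_FIRST_ALERTS`, the existing `/** We had no alert on flow before this packet */` now reads as if it described both flags. I would add a comment above the new define, for example `/** Packet set up a tag but is itself skipped by tag logging (the alert logs it) */`, which matches the commit message and the branch in TagHandlePacketFlow that sets the bit. If these flags live in a 32-bit field, as `BIT_U32` suggests, bit 30 leaves only one free bit, which is worth a remark for whoever adds the next flag.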
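Review bot: The new `p->flags |= PKT_FIRST_TAG;` in src/detect-engine-tag.c sets a per-packet bit from a per-entry test (`iter->flags`), so if a flow carries more than one tag entry, the same packet can take this branch for a new entry and the `else` branch for an older one. A consumer that reads PKT_FIRST_TAG as "not a tagged packet" could then leave a packet out of the tagged-packet log that an earlier tag still wants captured; a comment such as `/* first packet of this tag entry; it may still count as tagged for other entries */` would make that explicit. If the per-host tag handler in this file has the same skipped-first branch, it likely needs the same line, otherwise the flag is only meaningful for flow tags. TagHandlePacketFlow starts and ends outside this hunk, so the loop over entries is inferred from `iter`.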