From 3b73c94c3060bb85210c8aa38eafb82f53787e28 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 10 Sep 2021 12:35:13 +0200
Subject: [PATCH] detect: enforce flow drops earlier

Enforcing flow drops is now done earlier in the detection engine and moved out of the IP-only engine where it didn't belong.

(cherry picked from commit 802c1ffee35250d1ac753aec1343e481b83d854f)
---
 src/detect.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/detect.c b/src/detect.c
index dc5fe50bf9..f63219bb7f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -550,12 +550,6 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
 /* save in the flow that we scanned this direction... */
 FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
 }
- /* If we have a drop from IP only module,
- * we will drop the rest of the flow packets
- * This will apply only to inline/IPS */
- if (pflow->flags & FLOW_ACTION_DROP) {
- PACKET_DROP(p);
- }
 } else { /* p->flags & PKT_HAS_FLOW */
 /* no flow */
@@ -1548,6 +1542,12 @@ static void DetectFlow(ThreadVars *tv,
 return;
 }
+ /* if flow is set to drop, we enforce that here */
+ if (p->flow->flags & FLOW_ACTION_DROP) {
+ PACKET_DROP(p);
+ SCReturn;
+ }
+
 /* see if the packet matches one or more of the sigs */
 (void)DetectRun(tv, de_ctx, det_ctx, p);
 }
--
2.47.2
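Review bot: The new early return in DetectFlow (second hunk) skips `DetectRun()` for every later packet of a flow carrying FLOW_ACTION_DROP, whereas the check removed from DetectRunInspectIPOnly only set the drop action and let inspection continue, so any non-drop signatures that would have alerted on those packets no longer fire; if that silent-drop behaviour is intended, the added comment should say so, e.g. `/* flow is flagged to drop: drop the packet and skip all further inspection, so no alerts are generated for it */`. The new `p->flow->flags` read has no NULL guard in the hunk; presumably DetectFlow is only entered for packets that carry a flow (the function's opening lines and its caller are outside the hunk), which is worth confirming since the old code ran inside an explicit `if (pflow)` branch. As a point of style, the context line two lines above uses `return;` while the added block uses `SCReturn;`; using `return;` keeps the function consistent (SCReturn is only meaningful in a function that entered via SCEnter, which is not visible here). DetectFlow starts before this hunk.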