From 802c1ffee35250d1ac753aec1343e481b83d854f Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 10 Sep 2021 12:35:13 +0200
Subject: [PATCH] detect: enforce flow drops earlier

Enforcing flow drops is now done earlier in the detection engine and moved out of the IP-only engine where it didn't belong.

---
 src/detect.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/detect.c b/src/detect.c
index 9bca53c9c8..89d37dcfa4 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -549,12 +549,6 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
 /* save in the flow that we scanned this direction... */
 FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
 }
- /* If we have a drop from IP only module,
- * we will drop the rest of the flow packets
- * This will apply only to inline/IPS */
- if (pflow->flags & FLOW_ACTION_DROP) {
- PACKET_DROP(p);
- }
 } else { /* p->flags & PKT_HAS_FLOW */
 /* no flow */
@@ -1544,6 +1538,12 @@ static void DetectFlow(ThreadVars *tv,
 return;
 }
+ /* if flow is set to drop, we enforce that here */
+ if (p->flow->flags & FLOW_ACTION_DROP) {
+ PACKET_DROP(p);
+ SCReturn;
+ }
 /* see if the packet matches one or more of the sigs */
 (void)DetectRun(tv, de_ctx, det_ctx, p);
 }
-- 
2.47.2
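Review bot: The new check in DetectFlow dereferences `p->flow` unconditionally, whereas the removed check in DetectRunInspectIPOnly sat inside the `p->flags & PKT_HAS_FLOW` branch and used the already-validated `pflow`; DetectFlow's head (and the condition behind the preceding `return;`) is outside the hunk, so if the function can be reached for a flowless packet this needs a `p->flow != NULL` guard, otherwise that invariant deserves a comment. The new comment also drops two facts the old one documented that a reader of this path will want: the drop only takes effect in inline/IPS mode (PACKET_DROP only marks the action in IDS mode), and because the `SCReturn` comes before `DetectRun`, no further signatures are evaluated and no further alerts are raised for later packets on a dropped flow. Suggested replacement for the added comment: `/* enforce a flow-level drop set by an earlier packet: only effective in inline/IPS mode, and it short-circuits DetectRun so later packets on this flow raise no further alerts */`. The flag is read without any visible synchronization; presumably the flow is locked for this thread at this point in the pipeline, which is worth confirming.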