If an IP-only pass rule matches, set the no inspect flag for that flow. Bug #718.
authorVictor Julien <victor@inliniac.net>
Tue, 15 Jan 2013 11:55:31 +0000 (12:55 +0100)
committerVictor Julien <victor@inliniac.net>
Sun, 10 Mar 2013 14:32:26 +0000 (15:32 +0100)
src/alert-debuglog.c
src/detect-engine-alert.c
src/detect.c
src/flow.h

index 518302c38b2a536227b6ad00f12e20942c9b391d..1eb76b8bc7bd52e2d2674d7f705e7b58c6eb034d 100644 (file)
@@ -254,13 +254,12 @@ TmEcode AlertDebugLogger(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
 #endif
         MemBufferWriteString(aft->buffer,
                              "FLOW IPONLY SET:   TOSERVER: %s, TOCLIENT: %s\n"
-                             "FLOW ACTION:       DROP: %s, PASS %s\n"
+                             "FLOW ACTION:       DROP: %s\n"
                              "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n"
                              "FLOW APP_LAYER:    DETECTED: %s, PROTO %"PRIu16"\n",
                              p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
-                             p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE",
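Review bot: With the PASS column dropped from the debug record, the only remaining trace of an IP-only pass match in this output is the `FLOW NOINSPECTION: PACKET` field, which any other code path that sets the no-packet-inspection flag would also light up, so a reader of the log can no longer tell the two apart. A comment above the MemBufferWriteString call, such as `/* an IP-only pass match is reported via NOINSPECTION PACKET: TRUE; there is no separate PASS field any more */`, would keep that readable. The format string and the argument list still line up after the change (one `%s` and its matching argument removed from the same row). AlertDebugLogger starts and ends outside the hunk.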
index 3ce9cc2563377e0931e409b670d252db1b76f9ac..6114ee45a6b40c39d44c789e48da5bab665f976f 100644 (file)
@@ -241,8 +241,9 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                             p->flow->flags |= FLOW_ACTION_DROP;
                         if (s->action & ACTION_REJECT_BOTH)
                             p->flow->flags |= FLOW_ACTION_DROP;
-                        if (s->action & ACTION_PASS)
-                            p->flow->flags |= FLOW_ACTION_PASS;
+                        if (s->action & ACTION_PASS) {
+                            FlowSetNoPacketInspectionFlag(p->flow);
+                        }
                         FLOWLOCK_UNLOCK(p->flow);
                     }
                 }
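Review bot: The new branch under the ACTION_PASS check sets the flow's no-packet-inspection flag without saying that it replaces the removed FLOW_ACTION_PASS marking, so a reader cannot tell that "pass" now means "stop inspecting this flow" rather than "pass this packet". A one-line comment above the call, `/* pass matched: skip detection for the rest of this flow (bug #718) */`, would make that visible. The lines just above set FLOW_ACTION_DROP for reject (and, from the visible context, apparently drop) actions, so a signature set where both a drop and a pass rule match the same flow leaves FLOW_ACTION_DROP and the no-inspection flag set together; whether the drop still takes effect for later packets depends on where the no-inspection flag is honored relative to the FLOW_ACTION_DROP check in SigMatchSignatures, which this page does not show, and deserves a test. PacketAlertFinalize starts and ends outside the hunk.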
index 1aee82a8c775ae45608e9fe848ad7e882a740c37..01ef1ee9239f6fc706e67e4bbd2f7f2cbb7afc72 100644 (file)
@@ -1306,11 +1306,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                    ((p->flowflags & FLOW_PKT_TOCLIENT) &&
                    (p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))
         {
-            /* Get the result of the first IPOnlyMatch() */
-            if (p->flow->flags & FLOW_ACTION_PASS) {
-                /* if it matched a "pass" rule, we have to let it go */
-                p->action |= ACTION_PASS;
-            }
             /* If we have a drop from IP only module,
              * we will drop the rest of the flow packets
              * This will apply only to inline/IPS */
index 7ff3a1bd8d1a9fef3c2586863a426c12f3148171..2c5096892aab9ba94e7e001f00666fbe8921590f 100644 (file)
@@ -60,8 +60,6 @@
 
 /** All packets in this flow should be dropped */
 #define FLOW_ACTION_DROP                  0x00000200
-/** All packets in this flow should be accepted */
-#define FLOW_ACTION_PASS                  0x00000400
 
 /** Sgh for toserver direction set (even if it's NULL) */
 #define FLOW_SGH_TOSERVER                 0x00000800