detect: update/document drop flow logic

Now that flow drop is applied to packets before other processing,
no drop has to be issued on a packet.

diff --git a/src/detect.c b/src/detect.c
index 8284a6597c2c6edf6807b85858af605257112259..ebc883188c221cc12750f09002203c8eb58aab60 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -1709,9 +1709,10 @@ static void DetectFlow(ThreadVars *tv,
         return;
     }
 
-    /* if flow is set to drop, we enforce that here */
+    /* we check the flow drop here, and not the packet drop. This is
+     * to allow stream engine "invalid" drop packets to still be
+     * evaluated by the stream event rules. */
     if (f->flags & FLOW_ACTION_DROP) {
-        PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FLOW_DROP);
         SCReturn;
     }