From 37c80ea5082bf6e2044f02f44307bf9d9c79906b Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 15 Jan 2013 12:55:31 +0100
Subject: [PATCH] If an IP-only pass rule matches, set the no inspect flag for that flow. Bug #718.

---
 src/alert-debuglog.c      | 3 +--
 src/detect-engine-alert.c | 5 +++--
 src/detect.c              | 5 -----
 src/flow.h                | 2 --
 4 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/src/alert-debuglog.c b/src/alert-debuglog.c
index 518302c38b..1eb76b8bc7 100644
--- a/src/alert-debuglog.c
+++ b/src/alert-debuglog.c
@@ -254,13 +254,12 @@ TmEcode AlertDebugLogger(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
 #endif
     MemBufferWriteString(aft->buffer,
             "FLOW IPONLY SET: TOSERVER: %s, TOCLIENT: %s\n"
-            "FLOW ACTION: DROP: %s, PASS %s\n"
+            "FLOW ACTION: DROP: %s\n"
             "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n"
             "FLOW APP_LAYER: DETECTED: %s, PROTO %"PRIu16"\n",
             p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
             p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE",
             p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
-            p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE",
             p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
             p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
             p->flow->flags & FLOW_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE",
diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 3ce9cc2563..6114ee45a6 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -241,8 +241,9 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                 p->flow->flags |= FLOW_ACTION_DROP;
             if (s->action & ACTION_REJECT_BOTH)
                 p->flow->flags |= FLOW_ACTION_DROP;
-            if (s->action & ACTION_PASS)
-                p->flow->flags |= FLOW_ACTION_PASS;
+            if (s->action & ACTION_PASS) {
+                FlowSetNoPacketInspectionFlag(p->flow);
+            }
             FLOWLOCK_UNLOCK(p->flow);
         }
     }
diff --git a/src/detect.c b/src/detect.c
index 1aee82a8c7..01ef1ee923 100644
--- a/src/detect.c
+++ b/src/detect.c
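Review bot: `FlowSetNoPacketInspectionFlag(p->flow)` turns a pass match into a flow-wide, apparently irreversible skip of inspection, while the `FLOW_ACTION_DROP` assignments just above it only set a flag that the surviving comment in the detect.c hunk says is applied per packet; when an IP-only drop rule and an IP-only pass rule both match the same flow, the flow now carries both flags, and whether the drop still takes effect once the detect path is skipped depends on flow-layer handling this patch does not show. The intended precedence deserves a comment at the call site, e.g. `/* pass wins for the rest of the flow: inspection is skipped entirely, so a FLOW_ACTION_DROP set above is only enforced if the flow layer applies it — confirm */`. If pass is meant to override an earlier drop, also clearing the drop flag inside the same locked region (`p->flow->flags &= ~FLOW_ACTION_DROP;`) would make that explicit rather than leaving two contradictory flags on the flow. The start of `PacketAlertFinalize`, including the condition that guards these flag updates, lies outside the hunk, so I have not verified that this branch is reached only for IP-only signatures as the subject says.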
@@ -1306,11 +1306,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
             ((p->flowflags & FLOW_PKT_TOCLIENT) &&
             (p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))
         {
-            /* Get the result of the first IPOnlyMatch() */
-            if (p->flow->flags & FLOW_ACTION_PASS) {
-                /* if it matched a "pass" rule, we have to let it go */
-                p->action |= ACTION_PASS;
-            }
             /* If we have a drop from IP only module,
              * we will drop the rest of the flow packets
              * This will apply only to inline/IPS */
diff --git a/src/flow.h b/src/flow.h
index 7ff3a1bd8d..2c5096892a 100644
--- a/src/flow.h
+++ b/src/flow.h
@@ -60,8 +60,6 @@
 /** All packets in this flow should be dropped */
 #define FLOW_ACTION_DROP 0x00000200
-/** All packets in this flow should be accepted */
-#define FLOW_ACTION_PASS 0x00000400
 /** Sgh for toserver direction set (even if it's NULL) */
 #define FLOW_SGH_TOSERVER 0x00000800
-- 
2.47.3