detect/parse: limit pkthdr proto to decoder event rules

`alert pkthdr` was initially just an alias for `alert ip`, as that was
really just a way of stating that "any" should be matched. However with
the Ethernet matching in place, it no long makes sense to treat `alert
ip` as "any". Since `pkthdr` is used to match on decoder events, also
for packets that completely failed to parse, it should no longer be
treated as `alert ip` but rather as it's own distinct logic.

src/detect-parse.c

@@ -2813,6 +2813,16 @@ static bool SigValidateEthernet(const Signature *s)
     return true;
 }
 
+/* `pkthdr` is meant to allow matching on "any" packet with a decoder event. */
+static bool SigValidateProtoPkthdr(const Signature *s)
+{
+    if ((s->init_data->proto.flags & DETECT_PROTO_L2_ANY) && s->type != SIG_TYPE_DEONLY) {
+        SCLogError("protocol 'pkthdr' is for decoder-events only");
+        return false;
+    }
+    return true;
+}
+
 /**
  *  \internal
  *  \brief validate and consolidate parsed signature
@@ -2856,6 +2866,10 @@ static int SigValidateConsolidate(
     SignatureSetType(de_ctx, s);
     DetectRuleSetTable(s);
 
+    if (!SigValidateProtoPkthdr(s)) {
+        SCReturnInt(0);
+    }
+
     if (DetectProtoFinalizeSignature(s) != 0)
         SCReturnInt(0);