detect: enforce flow drops earlier

Enforcing flow drops is now done earlier in the detection engine and moved out of the IP-only engine where it didn't belong.
4 years ago · 802c1ffee3
parent aa93984b7e
commit 802c1ffee3
1 changed files with 6 additions and 6 deletions
--- a/src/detect.c
+++ b/src/detect.c
@ -549,12 +549,6 @@ static void DetectRunInspectIPOnly(ThreadVars *tv, const DetectEngineCtx *de_ctx
            /* save in the flow that we scanned this direction... */
            FlowSetIPOnlyFlag(pflow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
        }
-        /* If we have a drop from IP only module,
-         * we will drop the rest of the flow packets
-         * This will apply only to inline/IPS */
-        if (pflow->flags & FLOW_ACTION_DROP) {
-            PACKET_DROP(p);
-        }
    } else { /* p->flags & PKT_HAS_FLOW */
        /* no flow */

@ -1544,6 +1538,12 @@ static void DetectFlow(ThreadVars *tv,
        return;
    }

+    /* if flow is set to drop, we enforce that here */
+    if (p->flow->flags & FLOW_ACTION_DROP) {
+        PACKET_DROP(p);
+        SCReturn;
+    }
+
    /* see if the packet matches one or more of the sigs */
    (void)DetectRun(tv, de_ctx, det_ctx, p);
 }