From 85ddba63f64e95f4c202f8ef05e8886a0cbac725 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 31 May 2023 15:49:57 +0200
Subject: [PATCH] detect: update/document drop flow logic

Now that flow drop is applied to packets before other processing, no drop has to be issued on a packet.
---
 src/detect.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/detect.c b/src/detect.c
index 8284a6597c..ebc883188c 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1709,9 +1709,10 @@ static void DetectFlow(ThreadVars *tv,
 return;
 }
- /* if flow is set to drop, we enforce that here */
+ /* we check the flow drop here, and not the packet drop. This is
+ * to allow stream engine "invalid" drop packets to still be
+ * evaluated by the stream event rules. */
 if (f->flags & FLOW_ACTION_DROP) {
- PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FLOW_DROP);
 SCReturn;
 }
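Review bot: The `FLOW_ACTION_DROP` branch now skips detection without issuing a drop, so it relies on an earlier stage having already dropped the packet, and nothing in the hunk states or checks that. If any path reaches DetectFlow with the flow flag set but no drop verdict on the packet, that packet would be neither inspected nor dropped, which fails open in IPS mode. The new comment explains why the flow flag is tested rather than the packet action, but not why `PacketDrop()` is no longer needed; I would add a sentence such as `The packet itself was already dropped when the flow drop was applied, so no PacketDrop() is issued here.` If the invariant really holds for every caller, a debug-only check before `SCReturn;` along the lines of `DEBUG_VALIDATE_BUG_ON(!PacketCheckAction(p, ACTION_DROP));` would catch a regression. DetectFlow's body starts and ends outside the hunk, so the earlier drop handling is not visible here and should be confirmed.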