From 2c31aceb12381d07cbdec369c9c8704eadadd4e8 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 16 May 2026 11:24:09 +0200
Subject: [PATCH] detect/firewall: fix last for progress handling

In last_for_progress handling set accept only on packet if it was also triggered on the last tx. If there are more transactions, the accept can be set later (if policy allows).
---
 src/detect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/detect.c b/src/detect.c
index 277465eeff..514da074c4 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -2372,7 +2372,7 @@ static void DetectRunTx(ThreadVars *tv,

 /* if this is also the last fw rule we'll inspect we have to issue a default
 * accept to the packet */
- if (s->app_progress_hook == tx.tx_progress) {
+ if (last_tx && s->app_progress_hook == tx.tx_progress) {
 DetectRunAppendDefaultAccept(det_ctx, p);
 }
 }
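Review bot: The comment above the changed condition still describes only the "last fw rule" case and says nothing about the new `last_tx` requirement, so the reason the default accept is withheld for earlier transactions lives only in the commit message. I would extend it along the lines of `/* only do this on the last tx: with more txs pending, the accept is left to a later tx (if policy allows) */`. `last_tx` is assigned outside this hunk, so how it is computed cannot be checked here; it is worth confirming that it is true exactly once per packet, including when later transactions are skipped, since otherwise a packet could end up with no default accept at all. A regression test with two transactions in one packet, where the first reaches its last-for-progress rule and the second is expected to be dropped, would pin the behaviour this fix relies on. DetectRunTx's body starts and ends outside the hunk.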