detect/firewall: fix TD drop:flow after FW accept:flow

Threat detection can drop a flow that was put in accept:flow by the
firewall.
Victor Julien 2026-05-26 10:09:06 +02:00
parent 60e13aa8b3
commit 5f2827b4bd


@ -176,7 +176,14 @@ static inline void RuleActionToFlow(const uint8_t action, Flow *f)
// TODO firewall drop:flow should override FLOW_ACTION_PASS
} else if (action & (ACTION_DROP | ACTION_REJECT_ANY)) {
if (f->flags & (FLOW_ACTION_DROP | FLOW_ACTION_PASS | FLOW_ACTION_ACCEPT)) {
/* drop:flow from TD rules will override a accept:flow from
* firewall rules. */
if (f->flags & FLOW_ACTION_ACCEPT) {
f->flags &= ~FLOW_ACTION_ACCEPT;
f->flags |= FLOW_ACTION_DROP;
SCLogDebug("replaced FLOW_ACTION_ACCEPT with FLOW_ACTION_DROP");
}
if (f->flags & (FLOW_ACTION_DROP | FLOW_ACTION_PASS)) {
/* drop or pass already set. First to set wins. */
SCLogDebug("not setting %s flow already set to %s",
(action & ACTION_PASS) ? "pass" : "drop",