From 5f2827b4bde51caa41f406824fbb2fbabeaefd04 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 26 May 2026 10:09:06 +0200
Subject: [PATCH] detect/firewall: fix TD drop:flow after FW accept:flow

Threat detection can drop a flow that is but in accept:flow by the firewall.
---
 src/detect-engine-alert.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
index 810fb8d638..ae71392d59 100644
--- a/src/detect-engine-alert.c
+++ b/src/detect-engine-alert.c
@@ -176,7 +176,14 @@ static inline void RuleActionToFlow(const uint8_t action, Flow *f)
 // TODO firewall drop:flow should override FLOW_ACTION_PASS
 } else if (action & (ACTION_DROP | ACTION_REJECT_ANY)) {
- if (f->flags & (FLOW_ACTION_DROP | FLOW_ACTION_PASS | FLOW_ACTION_ACCEPT)) {
+ /* drop:flow from TD rules will override a accept:flow from
+ * firewall rules. */
+ if (f->flags & FLOW_ACTION_ACCEPT) {
+ f->flags &= ~FLOW_ACTION_ACCEPT;
+ f->flags |= FLOW_ACTION_DROP;
+ SCLogDebug("replaced FLOW_ACTION_ACCEPT with FLOW_ACTION_DROP");
+ }
+ if (f->flags & (FLOW_ACTION_DROP | FLOW_ACTION_PASS)) {
 /* drop or pass already set. First to set wins. */
 SCLogDebug("not setting %s flow already set to %s",
 (action & ACTION_PASS) ? "pass" : "drop",