exceptions: add dedicated flow drop reason

To better control stats counters.
2026-05-28 04:32:12 -04:00 · 2026-05-14 16:41:53 -03:00 · 2026-05-14 16:41:53 -03:00 · ce175eaa09
commit ce175eaa09
parent ebfc5f4023
6 changed files with 14 additions and 0 deletions
--- a/etc/schema.json
+++ b/etc/schema.json
@ -8002,6 +8002,10 @@
                                    "description":
                                            "Number of packets dropped due to defrag memcap exception policy"
                                },
+                                "exception_policy_flow_drop": {
+                                    "type": "integer",
+                                    "description": "Number of packets dropped due to an exception policy flow dropping"
+                                },
                                "flow_drop": {
                                    "type": "integer",
                                    "description": "Number of packets dropped due to dropped flows"
--- a/src/decode.c
+++ b/src/decode.c
@ -934,6 +934,8 @@ const char *PacketDropReasonToString(enum PacketDropReason r)
            return "flow memcap";
        case PKT_DROP_REASON_FLOW_DROP:
            return "flow drop";
+        case PKT_DROP_REASON_EP_FLOW_DROP:
+            return "exception policy flow drop";
        case PKT_DROP_REASON_STREAM_ERROR:
            return "stream error";
        case PKT_DROP_REASON_STREAM_MEMCAP:
@ -988,6 +990,8 @@ static const char *PacketDropReasonToJsonString(enum PacketDropReason r)
            return "ips.drop_reason.flow_memcap";
        case PKT_DROP_REASON_FLOW_DROP:
            return "ips.drop_reason.flow_drop";
+        case PKT_DROP_REASON_EP_FLOW_DROP:
+            return "ips.drop_reason.exception_policy_flow_drop";
        case PKT_DROP_REASON_STREAM_ERROR:
            return "ips.drop_reason.stream_error";
        case PKT_DROP_REASON_STREAM_MEMCAP:
--- a/src/decode.h
+++ b/src/decode.h
@ -386,6 +386,7 @@ enum PacketDropReason {
    PKT_DROP_REASON_DEFRAG_MEMCAP,
    PKT_DROP_REASON_FLOW_MEMCAP,
    PKT_DROP_REASON_FLOW_DROP,
+    PKT_DROP_REASON_EP_FLOW_DROP,
    PKT_DROP_REASON_APPLAYER_ERROR,
    PKT_DROP_REASON_APPLAYER_MEMCAP,
    PKT_DROP_REASON_RULES,
--- a/src/flow.c
+++ b/src/flow.c
@ -537,6 +537,8 @@ void FlowHandlePacketUpdate(Flow *f, Packet *p, ThreadVars *tv, DecodeThreadVars
    if (f->flags & FLOW_ACTION_DROP) {
        if (f->flags & FLOW_ACTION_BY_FIREWALL) {
            PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FW_FLOW_DROP);
+        } else if (f->flags & FLOW_ACTION_BY_EXCEPTION_POLICY) {
+            PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_EP_FLOW_DROP);
        } else {
            PacketDrop(p, ACTION_DROP, PKT_DROP_REASON_FLOW_DROP);
        }
--- a/src/flow.h
+++ b/src/flow.h
@ -123,6 +123,8 @@ typedef struct AppLayerParserState_ AppLayerParserState;

 /** Flow action issued by firewall */
 #define FLOW_ACTION_BY_FIREWALL BIT_U64(32)
+/** Flow action issued by exception policy */
+#define FLOW_ACTION_BY_EXCEPTION_POLICY BIT_U64(33)

 /* File flags */

--- a/src/util-exception-policy.c
+++ b/src/util-exception-policy.c
@ -163,6 +163,7 @@ void ExceptionPolicyApply(Packet *p, enum ExceptionPolicy policy, enum PacketDro
            SCLogDebug("EXCEPTION_POLICY_DROP_FLOW");
            if (p->flow) {
                p->flow->flags |= FLOW_ACTION_DROP;
+                p->flow->flags |= FLOW_ACTION_BY_EXCEPTION_POLICY;
                FlowSetNoPayloadInspectionFlag(p->flow);
                StreamTcpDisableAppLayer(p->flow);
            }