From e724d8830136e44f538e444530dd717cb4feccc0 Mon Sep 17 00:00:00 2001
From: Victor Julien <vjulien@oisf.net>
Date: Fri, 22 May 2026 15:04:10 +0200
Subject: [PATCH] detect/firewall: minor code cleanup

---
 src/detect.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/detect.c b/src/detect.c
index 17cda58735..5ba087a35b 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1782,6 +1782,9 @@ static enum DetectTxFirewallFlowControl DetectRunTxPreCheckFirewallPolicy(
         const Signature *s, const uint32_t can_idx, struct DetectFirewallAppTxState *fw_state,
         const bool last_tx)
 {
+    if ((s->flags & SIG_FLAG_FIREWALL) != 0 && fw_state->fw_skip_app_filter) {
+        return DETECT_TX_FW_FC_SKIP;
+    }
     if (p->flow->flags & FLOW_ACTION_ACCEPT) {
         if (fw_state->tx_fw_verdict == false) {
             fw_state->tx_fw_verdict = true;
@@ -2271,9 +2274,6 @@ static void DetectRunTx(ThreadVars *tv,
                     tx.detect_progress, tx.detect_progress_orig, s->app_progress_hook);
 
             if (have_fw_rules) {
-                if ((s->flags & SIG_FLAG_FIREWALL) != 0 && fw_state.fw_skip_app_filter) {
-                    continue;
-                }
                 const enum DetectTxFirewallFlowControl fw_r = DetectRunTxPreCheckFirewallPolicy(
                         det_ctx, p, &tx, flow_flags & (STREAM_TOSERVER | STREAM_TOCLIENT), s, i,
                         &fw_state, last_tx);