From 187f71de24f2a19eac184391e0fb983afc4ec654 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 13 Mar 2025 09:23:22 +0100
Subject: [PATCH] detect: check for a flow drop first
---
 src/detect.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/detect.c b/src/detect.c
index 0b43f32af2..64c69d301f 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -1938,6 +1938,14 @@ static void DetectFlow(ThreadVars *tv,
 {
 Flow *const f = p->flow;
+ /* we check the flow drop here, and not the packet drop. This is
+ * to allow stream engine "invalid" drop packets to still be
+ * evaluated by the stream event rules. */
+ if (f->flags & FLOW_ACTION_DROP) {
+ DEBUG_VALIDATE_BUG_ON(!(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP));
+ SCReturn;
+ }
+
 if (p->flags & PKT_NOPACKET_INSPECTION || f->flags & (FLOW_ACTION_PASS)) {
 /* hack: if we are in pass the entire flow mode, we need to still
 * update the inspect_id forward. So test for the condition here,
@@ -1955,14 +1963,6 @@ static void DetectFlow(ThreadVars *tv,
 return;
 }
- /* we check the flow drop here, and not the packet drop. This is
- * to allow stream engine "invalid" drop packets to still be
- * evaluated by the stream event rules. */
- if (f->flags & FLOW_ACTION_DROP) {
- DEBUG_VALIDATE_BUG_ON(!(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP));
- SCReturn;
- }
-
 /* see if the packet matches one or more of the sigs */
 DetectRun(tv, de_ctx, det_ctx, p);
 }
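Review bot: The `DEBUG_VALIDATE_BUG_ON` in the added block now also runs for packets with `PKT_NOPACKET_INSPECTION` set, which before this reorder appear to have left through the `return;` that closes the pass/no-inspection branch without ever reaching the assertion. Whether every such non-pseudo packet on a `FLOW_ACTION_DROP` flow already carries `ACTION_DROP` is not visible here, so that invariant is worth confirming for debug-validation builds. The comment was moved verbatim and says nothing about ordering, which is now the point of the change; I would add a line such as `/* checked before the pass/no-inspection branch so a dropped flow never takes that path; the inspect_id update there is skipped for dropped flows */`. DetectFlow's signature and the middle of the pass branch lie outside the hunks.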