bug87 Fix IPOnly veredicts on flows

src/detect-engine-iponly.c

@@ -404,6 +404,12 @@ void IPOnlyMatchPacket(DetectEngineCtx *de_ctx, DetectEngineIPOnlyCtx *io_ctx,
             PacketAlertHandle(de_ctx,s,p);
             /* set verdict on packet */
             p->action |= s->action;
+            if (p->flow != NULL) {
+                if (s->action & ACTION_DROP) p->flow->flags |= FLOW_ACTION_DROP;
+                if (s->action & ACTION_REJECT) p->flow->flags |= FLOW_ACTION_DROP;
+                if (s->action & ACTION_REJECT_DST) p->flow->flags |= FLOW_ACTION_DROP;
+                if (s->action & ACTION_REJECT_BOTH) p->flow->flags |= FLOW_ACTION_DROP;
+            }
         }
     }
 }

src/detect.c

@@ -554,8 +554,14 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
         IPOnlyMatchPacket(de_ctx, &de_ctx->io_ctx, &det_ctx->io_ctx, p);
         /* save in the flow that we scanned this direction... locking is
          * done in the FlowSetIPOnlyFlag function. */
-        if (p->flow != NULL)
+        if (p->flow != NULL) {
             FlowSetIPOnlyFlag(p->flow, p->flowflags & FLOW_PKT_TOSERVER ? 1 : 0);
+        }
+    } else if (((p->flowflags & FLOW_PKT_TOSERVER && (p->flowflags & FLOW_PKT_TOSERVER_IPONLY_SET)) ||
+               (p->flowflags & FLOW_PKT_TOCLIENT && (p->flowflags & FLOW_PKT_TOCLIENT_IPONLY_SET))) &&
+                p->flow != NULL) {
+        /* Get the result of the first IPOnlyMatch() */
+        if (p->flow->flags & FLOW_ACTION_DROP) p->flow->flags |= ACTION_DROP;
     }
 
     /* we assume we have an uri when we start inspection */

src/flow.h

@@ -19,6 +19,8 @@
 #define FLOW_PKT_NOSTREAM               0x40
 #define FLOW_PKT_STREAMONLY             0x80
 
+#define FLOW_ACTION_DROP                0x100
+
 /* global flow config */
 typedef struct FlowCnf_
 {