If an IP-only pass rule matches, set the no inspect flag for that flow. Bug #718.

src/alert-debuglog.c

@@ -254,13 +254,12 @@ TmEcode AlertDebugLogger(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq,
 #endif
         MemBufferWriteString(aft->buffer,
                              "FLOW IPONLY SET:   TOSERVER: %s, TOCLIENT: %s\n"
-                             "FLOW ACTION:       DROP: %s, PASS %s\n"
+                             "FLOW ACTION:       DROP: %s\n"
                              "FLOW NOINSPECTION: PACKET: %s, PAYLOAD: %s, APP_LAYER: %s\n"
                              "FLOW APP_LAYER:    DETECTED: %s, PROTO %"PRIu16"\n",
                              p->flow->flags & FLOW_TOSERVER_IPONLY_SET ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_TOCLIENT_IPONLY_SET ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_ACTION_DROP ? "TRUE" : "FALSE",
-                             p->flow->flags & FLOW_ACTION_PASS ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_NOPACKET_INSPECTION ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_NOPAYLOAD_INSPECTION ? "TRUE" : "FALSE",
                              p->flow->flags & FLOW_NO_APPLAYER_INSPECTION ? "TRUE" : "FALSE",

src/detect-engine-alert.c

@@ -241,8 +241,9 @@ void PacketAlertFinalize(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx
                             p->flow->flags |= FLOW_ACTION_DROP;
                         if (s->action & ACTION_REJECT_BOTH)
                             p->flow->flags |= FLOW_ACTION_DROP;
-                        if (s->action & ACTION_PASS)
-                            p->flow->flags |= FLOW_ACTION_PASS;
+                        if (s->action & ACTION_PASS) {
+                            FlowSetNoPacketInspectionFlag(p->flow);
+                        }
                         FLOWLOCK_UNLOCK(p->flow);
                     }
                 }

src/detect.c

@@ -1306,11 +1306,6 @@ int SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineTh
                    ((p->flowflags & FLOW_PKT_TOCLIENT) &&
                    (p->flow->flags & FLOW_TOCLIENT_IPONLY_SET)))
         {
-            /* Get the result of the first IPOnlyMatch() */
-            if (p->flow->flags & FLOW_ACTION_PASS) {
-                /* if it matched a "pass" rule, we have to let it go */
-                p->action |= ACTION_PASS;
-            }
             /* If we have a drop from IP only module,
              * we will drop the rest of the flow packets
              * This will apply only to inline/IPS */

src/flow.h

@@ -60,8 +60,6 @@
 
 /** All packets in this flow should be dropped */
 #define FLOW_ACTION_DROP                  0x00000200
-/** All packets in this flow should be accepted */
-#define FLOW_ACTION_PASS                  0x00000400
 
 /** Sgh for toserver direction set (even if it's NULL) */
 #define FLOW_SGH_TOSERVER                 0x00000800