detect/prefilter: use sig mask to exclude pkt engines

Add an argument to the packet prefilter registration function to include `SignatureMask` flags. This will be used at runtime to only call these prefilter engines when the mask check passes.
2 years ago · 956c8bebd1
parent 4c2960169c
commit 956c8bebd1
26 changed files with 99 additions and 127 deletions
--- a/src/detect-app-layer-protocol.c
+++ b/src/detect-app-layer-protocol.c
@ -316,9 +316,8 @@ PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx)
 static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_AL_APP_LAYER_PROTOCOL,
-        PrefilterPacketAppProtoSet,
-        PrefilterPacketAppProtoCompare,
-        PrefilterPacketAppProtoMatch);
+            SIG_MASK_REQUIRE_FLOW, PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare,
+            PrefilterPacketAppProtoMatch);
 }

 static bool PrefilterAppProtoIsPrefilterable(const Signature *s)
--- a/src/detect-dsize.c
+++ b/src/detect-dsize.c
@ -195,8 +195,8 @@ PrefilterPacketDsizeMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void

 static int PrefilterSetupDsize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_DSIZE, PrefilterPacketU16Set,
-            PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_DSIZE, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketU16Set, PrefilterPacketU16Compare, PrefilterPacketDsizeMatch);
 }

 static bool PrefilterDsizeIsPrefilterable(const Signature *s)
--- a/src/detect-engine-prefilter-common.c
+++ b/src/detect-engine-prefilter-common.c
@ -93,9 +93,8 @@ static void GetExtraMatch(const Signature *s, uint16_t *type, uint16_t *value)

 /** \internal
 */
-static int
-SetupEngineForPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
-        int sm_type, PrefilterPacketHeaderHashCtx *hctx,
+static int SetupEngineForPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type,
+        SignatureMask mask, PrefilterPacketHeaderHashCtx *hctx,
        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
 {
@ -143,8 +142,8 @@ SetupEngineForPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
    SCLogDebug("%s: ctx %p extra type %u extra value %u, sig cnt %u",
            sigmatch_table[sm_type].name, ctx, ctx->type, ctx->value,
            ctx->sigs_cnt);
-    PrefilterAppendEngine(de_ctx, sgh, Match, ctx,
-            PrefilterPacketHeaderFree, sigmatch_table[sm_type].name);
+    PrefilterAppendEngine(
+            de_ctx, sgh, Match, mask, ctx, PrefilterPacketHeaderFree, sigmatch_table[sm_type].name);
    return 0;
 }

@ -197,9 +196,8 @@ static void ApplyToU8Hash(PrefilterPacketU8HashCtx *ctx, PrefilterPacketHeaderVa
 *  \todo improve error handling
 *  \todo deduplicate sigs arrays
 */
-static int
-SetupEngineForPacketHeaderPrefilterPacketU8HashCtx(DetectEngineCtx *de_ctx,
-        SigGroupHead *sgh, int sm_type, uint32_t *counts,
+static int SetupEngineForPacketHeaderPrefilterPacketU8HashCtx(DetectEngineCtx *de_ctx,
+        SigGroupHead *sgh, int sm_type, SignatureMask mask, uint32_t *counts,
        void (*Set)(PrefilterPacketHeaderValue *v, void *),
        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
@ -247,8 +245,7 @@ SetupEngineForPacketHeaderPrefilterPacketU8HashCtx(DetectEngineCtx *de_ctx,
    }

    if (cnt) {
-        PrefilterAppendEngine(de_ctx, sgh, Match, ctx,
-                PrefilterPacketU8HashCtxFree,
+        PrefilterAppendEngine(de_ctx, sgh, Match, mask, ctx, PrefilterPacketU8HashCtxFree,
                sigmatch_table[sm_type].name);
    } else {
        PrefilterPacketU8HashCtxFree(ctx);
@ -259,30 +256,25 @@ SetupEngineForPacketHeaderPrefilterPacketU8HashCtx(DetectEngineCtx *de_ctx,
 /** \internal
 *  \brief setup a engine for each unique value
 */
-static void SetupSingle(DetectEngineCtx *de_ctx, HashListTable *hash_table,
-        SigGroupHead *sgh, int sm_type,
-        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
-        void (*Match)(DetectEngineThreadCtx *det_ctx,
-            Packet *p, const void *pectx))
+static void SetupSingle(DetectEngineCtx *de_ctx, HashListTable *hash_table, SigGroupHead *sgh,
+        int sm_type, SignatureMask mask, bool (*Compare)(PrefilterPacketHeaderValue v, void *),
+        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
 {
    HashListTableBucket *hb = HashListTableGetListHead(hash_table);
    for ( ; hb != NULL; hb = HashListTableGetListNext(hb)) {
        PrefilterPacketHeaderHashCtx *ctx = HashListTableGetListData(hb);

-        SetupEngineForPacketHeader(de_ctx, sgh, sm_type,
-                ctx, Compare, Match);
+        SetupEngineForPacketHeader(de_ctx, sgh, sm_type, mask, ctx, Compare, Match);
    }
 }

 /** \internal
 *  \brief setup a single engine with a hash map for u8 values
 */
-static void SetupU8Hash(DetectEngineCtx *de_ctx, HashListTable *hash_table,
-        SigGroupHead *sgh, int sm_type,
-        void (*Set)(PrefilterPacketHeaderValue *v, void *),
+static void SetupU8Hash(DetectEngineCtx *de_ctx, HashListTable *hash_table, SigGroupHead *sgh,
+        int sm_type, SignatureMask mask, void (*Set)(PrefilterPacketHeaderValue *v, void *),
        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
-        void (*Match)(DetectEngineThreadCtx *det_ctx,
-            Packet *p, const void *pectx))
+        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
 {
    uint32_t counts[256];
    memset(&counts, 0, sizeof(counts));
@ -330,17 +322,14 @@ static void SetupU8Hash(DetectEngineCtx *de_ctx, HashListTable *hash_table,
        }
    }

-    SetupEngineForPacketHeaderPrefilterPacketU8HashCtx(de_ctx, sgh, sm_type,
-            counts, Set, Compare, Match);
+    SetupEngineForPacketHeaderPrefilterPacketU8HashCtx(
+            de_ctx, sgh, sm_type, mask, counts, Set, Compare, Match);
 }

-static int PrefilterSetupPacketHeaderCommon(DetectEngineCtx *de_ctx,
-        SigGroupHead *sgh, int sm_type,
-        void (*Set)(PrefilterPacketHeaderValue *v, void *),
+static int PrefilterSetupPacketHeaderCommon(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type,
+        SignatureMask mask, void (*Set)(PrefilterPacketHeaderValue *v, void *),
        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
-        void (*Match)(DetectEngineThreadCtx *det_ctx,
-                      Packet *p, const void *pectx),
-        bool u8hash)
+        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx), bool u8hash)
 {
    Signature *s = NULL;
    uint32_t sig = 0;
@ -392,9 +381,9 @@ static int PrefilterSetupPacketHeaderCommon(DetectEngineCtx *de_ctx,
    }

    if (!u8hash) {
-        SetupSingle(de_ctx, hash_table, sgh, sm_type, Compare, Match);
+        SetupSingle(de_ctx, hash_table, sgh, sm_type, mask, Compare, Match);
    } else {
-        SetupU8Hash(de_ctx, hash_table, sgh, sm_type, Set, Compare, Match);
+        SetupU8Hash(de_ctx, hash_table, sgh, sm_type, mask, Set, Compare, Match);
    }

    HashListTableFree(hash_table);
@ -404,22 +393,18 @@ error:
    return -1;
 }

-int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx,
-        SigGroupHead *sgh, int sm_type,
-        void (*Set)(PrefilterPacketHeaderValue *v, void *),
+int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type,
+        SignatureMask mask, void (*Set)(PrefilterPacketHeaderValue *v, void *),
        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
-        void (*Match)(DetectEngineThreadCtx *det_ctx,
-                      Packet *p, const void *pectx))
+        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
 {
-    return PrefilterSetupPacketHeaderCommon(de_ctx, sgh, sm_type, Set, Compare, Match, true);
+    return PrefilterSetupPacketHeaderCommon(de_ctx, sgh, sm_type, mask, Set, Compare, Match, true);
 }

-int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx,
-        SigGroupHead *sgh, int sm_type,
-        void (*Set)(PrefilterPacketHeaderValue *v, void *),
+int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type,
+        SignatureMask mask, void (*Set)(PrefilterPacketHeaderValue *v, void *),
        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
-        void (*Match)(DetectEngineThreadCtx *det_ctx,
-        Packet *p, const void *pectx))
+        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
 {
-    return PrefilterSetupPacketHeaderCommon(de_ctx, sgh, sm_type, Set, Compare, Match, false);
+    return PrefilterSetupPacketHeaderCommon(de_ctx, sgh, sm_type, mask, Set, Compare, Match, false);
 }
--- a/src/detect-engine-prefilter-common.h
+++ b/src/detect-engine-prefilter-common.h
@ -58,19 +58,15 @@ typedef struct PrefilterPacketU8HashCtx_ {
 #define PREFILTER_U8HASH_MODE_GT DetectUintModeGt
 #define PREFILTER_U8HASH_MODE_RA DetectUintModeRange

-int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx,
-        SigGroupHead *sgh, int sm_type,
-        void (*Set)(PrefilterPacketHeaderValue *v, void *),
+int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type,
+        SignatureMask mask, void (*Set)(PrefilterPacketHeaderValue *v, void *),
        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
-        void (*Match)(DetectEngineThreadCtx *det_ctx,
-            Packet *p, const void *pectx));
+        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx));

-int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx,
-        SigGroupHead *sgh, int sm_type,
-        void (*Set)(PrefilterPacketHeaderValue *v, void *),
+int PrefilterSetupPacketHeaderU8Hash(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type,
+        SignatureMask mask, void (*Set)(PrefilterPacketHeaderValue *v, void *),
        bool (*Compare)(PrefilterPacketHeaderValue v, void *),
-        void (*Match)(DetectEngineThreadCtx *det_ctx,
-            Packet *p, const void *pectx));
+        void (*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx));

 static inline bool
 PrefilterPacketHeaderExtraMatch(const PrefilterPacketHeaderCtx *ctx,
--- a/src/detect-engine-prefilter.c
+++ b/src/detect-engine-prefilter.c
@ -140,8 +140,8 @@ void DetectRunPrefilterTx(DetectEngineThreadCtx *det_ctx,
    }
 }

-void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh,
-        Packet *p, const uint8_t flags)
+void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh, Packet *p,
+        const uint8_t flags, const SignatureMask mask)
 {
    SCEnter();
 #if 0
@ -159,9 +159,11 @@ void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh,
        /* run packet engines */
        PrefilterEngine *engine = sgh->pkt_engines;
        do {
-            PREFILTER_PROFILING_START(det_ctx);
-            engine->cb.Prefilter(det_ctx, p, engine->pectx);
-            PREFILTER_PROFILING_END(det_ctx, engine->gid);
+            if ((engine->ctx.pkt_mask & mask) == engine->ctx.pkt_mask) {
+                PREFILTER_PROFILING_START(det_ctx);
+                engine->cb.Prefilter(det_ctx, p, engine->pectx);
+                PREFILTER_PROFILING_END(det_ctx, engine->gid);
+            }

            if (engine->is_last)
                break;
@ -200,7 +202,7 @@ void Prefilter(DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh,
 }

 int PrefilterAppendEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterPktFn PrefilterFunc,
-        void *pectx, void (*FreeFunc)(void *pectx), const char *name)
+        SignatureMask mask, void *pectx, void (*FreeFunc)(void *pectx), const char *name)
 {
    if (sgh == NULL || PrefilterFunc == NULL || pectx == NULL)
        return -1;
@ -213,6 +215,7 @@ int PrefilterAppendEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterP
    e->Prefilter = PrefilterFunc;
    e->pectx = pectx;
    e->Free = FreeFunc;
+    e->pkt_mask = mask;

    if (sgh->init->pkt_engines == NULL) {
        sgh->init->pkt_engines = e;
@ -445,6 +448,7 @@ void PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
        for (el = sgh->init->pkt_engines ; el != NULL; el = el->next) {
            e->local_id = el->id;
            e->cb.Prefilter = el->Prefilter;
+            e->ctx.pkt_mask = el->pkt_mask;
            e->pectx = el->pectx;
            el->pectx = NULL; // e now owns the ctx
            e->gid = el->gid;
@ -469,6 +473,7 @@ void PrefilterSetupRuleGroup(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
        for (el = sgh->init->payload_engines ; el != NULL; el = el->next) {
            e->local_id = el->id;
            e->cb.Prefilter = el->Prefilter;
+            e->ctx.pkt_mask = el->pkt_mask;
            e->pectx = el->pectx;
            el->pectx = NULL; // e now owns the ctx
            e->gid = el->gid;
@ -873,8 +878,8 @@ int PrefilterGenericMpmPktRegister(DetectEngineCtx *de_ctx, SigGroupHead *sgh, M
    pectx->mpm_ctx = mpm_ctx;
    pectx->transforms = &mpm_reg->transforms;

-    int r = PrefilterAppendEngine(de_ctx, sgh, PrefilterMpmPkt,
-        pectx, PrefilterMpmPktFree, mpm_reg->pname);
+    int r = PrefilterAppendEngine(
+            de_ctx, sgh, PrefilterMpmPkt, 0, pectx, PrefilterMpmPktFree, mpm_reg->pname);
    if (r != 0) {
        SCFree(pectx);
    }
--- a/src/detect-engine-prefilter.h
+++ b/src/detect-engine-prefilter.h
@ -47,11 +47,11 @@ typedef struct PrefilterStore_ {
    uint32_t id;
 } PrefilterStore;

-void Prefilter(DetectEngineThreadCtx *, const SigGroupHead *, Packet *p,
-        const uint8_t flags);
+void Prefilter(DetectEngineThreadCtx *, const SigGroupHead *, Packet *p, const uint8_t flags,
+        const SignatureMask mask);

 int PrefilterAppendEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh, PrefilterPktFn PrefilterFunc,
-        void *pectx, void (*FreeFunc)(void *pectx), const char *name);
+        SignatureMask mask, void *pectx, void (*FreeFunc)(void *pectx), const char *name);
 int PrefilterAppendPayloadEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
        PrefilterPktFn PrefilterFunc, void *pectx, void (*FreeFunc)(void *pectx), const char *name);
 int PrefilterAppendTxEngine(DetectEngineCtx *de_ctx, SigGroupHead *sgh,
--- a/src/detect-flow-age.c
+++ b/src/detect-flow-age.c
@ -74,8 +74,8 @@ static void PrefilterPacketFlowAgeMatch(

 static int PrefilterSetupFlowAge(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW_AGE, PrefilterPacketU32Set,
-            PrefilterPacketU32Compare, PrefilterPacketFlowAgeMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW_AGE, SIG_MASK_REQUIRE_FLOW,
+            PrefilterPacketU32Set, PrefilterPacketU32Compare, PrefilterPacketFlowAgeMatch);
 }

 static bool PrefilterFlowAgeIsPrefilterable(const Signature *s)
--- a/src/detect-flow-pkts.c
+++ b/src/detect-flow-pkts.c
@ -75,7 +75,8 @@ static void PrefilterPacketFlowPktsToClientMatch(
 static int PrefilterSetupFlowPktsToClient(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW_PKTS_TO_CLIENT,
-            PrefilterPacketU32Set, PrefilterPacketU32Compare, PrefilterPacketFlowPktsToClientMatch);
+            SIG_MASK_REQUIRE_FLOW, PrefilterPacketU32Set, PrefilterPacketU32Compare,
+            PrefilterPacketFlowPktsToClientMatch);
 }

 static bool PrefilterFlowPktsToClientIsPrefilterable(const Signature *s)
@ -148,7 +149,8 @@ static void PrefilterPacketFlowPktsToServerMatch(
 static int PrefilterSetupFlowPktsToServer(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW_PKTS_TO_SERVER,
-            PrefilterPacketU32Set, PrefilterPacketU32Compare, PrefilterPacketFlowPktsToServerMatch);
+            SIG_MASK_REQUIRE_FLOW, PrefilterPacketU32Set, PrefilterPacketU32Compare,
+            PrefilterPacketFlowPktsToServerMatch);
 }

 static bool PrefilterFlowPktsToServerIsPrefilterable(const Signature *s)
--- a/src/detect-flow.c
+++ b/src/detect-flow.c
@ -475,10 +475,8 @@ PrefilterPacketFlowCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupFlow(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW,
-        PrefilterPacketFlowSet,
-        PrefilterPacketFlowCompare,
-        PrefilterPacketFlowMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLOW, 0, PrefilterPacketFlowSet,
+            PrefilterPacketFlowCompare, PrefilterPacketFlowMatch);
 }

 static bool PrefilterFlowIsPrefilterable(const Signature *s)
--- a/src/detect-fragbits.c
+++ b/src/detect-fragbits.c
@ -364,10 +364,9 @@ PrefilterPacketFragBitsCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupFragBits(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FRAGBITS,
-        PrefilterPacketFragBitsSet,
-        PrefilterPacketFragBitsCompare,
-        PrefilterPacketFragBitsMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FRAGBITS, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketFragBitsSet, PrefilterPacketFragBitsCompare,
+            PrefilterPacketFragBitsMatch);
 }

 static bool PrefilterFragBitsIsPrefilterable(const Signature *s)
--- a/src/detect-fragoffset.c
+++ b/src/detect-fragoffset.c
@ -310,10 +310,9 @@ PrefilterPacketFragOffsetCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupFragOffset(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FRAGOFFSET,
-        PrefilterPacketFragOffsetSet,
-        PrefilterPacketFragOffsetCompare,
-        PrefilterPacketFragOffsetMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FRAGOFFSET, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketFragOffsetSet, PrefilterPacketFragOffsetCompare,
+            PrefilterPacketFragOffsetMatch);
 }

 static bool PrefilterFragOffsetIsPrefilterable(const Signature *s)
--- a/src/detect-icmp-id.c
+++ b/src/detect-icmp-id.c
@ -307,10 +307,8 @@ PrefilterPacketIcmpIdCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupIcmpId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMP_ID,
-        PrefilterPacketIcmpIdSet,
-        PrefilterPacketIcmpIdCompare,
-        PrefilterPacketIcmpIdMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMP_ID, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketIcmpIdSet, PrefilterPacketIcmpIdCompare, PrefilterPacketIcmpIdMatch);
 }

 static bool PrefilterIcmpIdIsPrefilterable(const Signature *s)
--- a/src/detect-icmp-seq.c
+++ b/src/detect-icmp-seq.c
@ -308,10 +308,8 @@ PrefilterPacketIcmpSeqCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupIcmpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMP_SEQ,
-        PrefilterPacketIcmpSeqSet,
-        PrefilterPacketIcmpSeqCompare,
-        PrefilterPacketIcmpSeqMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMP_SEQ, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketIcmpSeqSet, PrefilterPacketIcmpSeqCompare, PrefilterPacketIcmpSeqMatch);
 }

 static bool PrefilterIcmpSeqIsPrefilterable(const Signature *s)
--- a/src/detect-icmpv6-mtu.c
+++ b/src/detect-icmpv6-mtu.c
@ -170,10 +170,8 @@ PrefilterPacketIcmpv6mtuMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const v

 static int PrefilterSetupIcmpv6mtu(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMPV6MTU,
-            PrefilterPacketU32Set,
-            PrefilterPacketU32Compare,
-            PrefilterPacketIcmpv6mtuMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ICMPV6MTU, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketU32Set, PrefilterPacketU32Compare, PrefilterPacketIcmpv6mtuMatch);
 }

 static bool PrefilterIcmpv6mtuIsPrefilterable(const Signature *s)
--- a/src/detect-icode.c
+++ b/src/detect-icode.c
@ -173,8 +173,8 @@ static void PrefilterPacketICodeMatch(DetectEngineThreadCtx *det_ctx,

 static int PrefilterSetupICode(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeaderU8Hash(de_ctx, sgh, DETECT_ICODE, PrefilterPacketU8Set,
-            PrefilterPacketU8Compare, PrefilterPacketICodeMatch);
+    return PrefilterSetupPacketHeaderU8Hash(de_ctx, sgh, DETECT_ICODE, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketU8Set, PrefilterPacketU8Compare, PrefilterPacketICodeMatch);
 }

 static bool PrefilterICodeIsPrefilterable(const Signature *s)
--- a/src/detect-id.c
+++ b/src/detect-id.c
@ -261,10 +261,8 @@ PrefilterPacketIdCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupId(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ID,
-        PrefilterPacketIdSet,
-        PrefilterPacketIdCompare,
-        PrefilterPacketIdMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ID, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketIdSet, PrefilterPacketIdCompare, PrefilterPacketIdMatch);
 }

 static bool PrefilterIdIsPrefilterable(const Signature *s)
--- a/src/detect-itype.c
+++ b/src/detect-itype.c
@ -189,8 +189,8 @@ static void PrefilterPacketITypeMatch(DetectEngineThreadCtx *det_ctx,

 static int PrefilterSetupIType(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeaderU8Hash(de_ctx, sgh, DETECT_ITYPE, PrefilterPacketU8Set,
-            PrefilterPacketU8Compare, PrefilterPacketITypeMatch);
+    return PrefilterSetupPacketHeaderU8Hash(de_ctx, sgh, DETECT_ITYPE, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketU8Set, PrefilterPacketU8Compare, PrefilterPacketITypeMatch);
 }

 static bool PrefilterITypeIsPrefilterable(const Signature *s)
--- a/src/detect-stream_size.c
+++ b/src/detect-stream_size.c
@ -214,7 +214,8 @@ static bool PrefilterPacketStreamSizeCompare(PrefilterPacketHeaderValue v, void

 static int PrefilterSetupStreamSize(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_STREAM_SIZE, PrefilterPacketStreamSizeSet,
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_STREAM_SIZE,
+            SIG_MASK_REQUIRE_FLOW | SIG_MASK_REQUIRE_REAL_PKT, PrefilterPacketStreamSizeSet,
            PrefilterPacketStreamSizeCompare, PrefilterPacketStreamsizeMatch);
 }

--- a/src/detect-tcp-ack.c
+++ b/src/detect-tcp-ack.c
@ -183,10 +183,8 @@ PrefilterPacketAckCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupTcpAck(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ACK,
-        PrefilterPacketAckSet,
-        PrefilterPacketAckCompare,
-        PrefilterPacketAckMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_ACK, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketAckSet, PrefilterPacketAckCompare, PrefilterPacketAckMatch);
 }

 static bool PrefilterTcpAckIsPrefilterable(const Signature *s)
--- a/src/detect-tcp-flags.c
+++ b/src/detect-tcp-flags.c
@ -595,11 +595,8 @@ PrefilterPacketFlagsCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupTcpFlags(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLAGS,
-            PrefilterPacketFlagsSet,
-            PrefilterPacketFlagsCompare,
-            PrefilterPacketFlagsMatch);
-
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_FLAGS, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketFlagsSet, PrefilterPacketFlagsCompare, PrefilterPacketFlagsMatch);
 }

 static bool PrefilterTcpFlagsIsPrefilterable(const Signature *s)
--- a/src/detect-tcp-seq.c
+++ b/src/detect-tcp-seq.c
@ -178,10 +178,8 @@ PrefilterPacketSeqCompare(PrefilterPacketHeaderValue v, void *smctx)

 static int PrefilterSetupTcpSeq(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_SEQ,
-        PrefilterPacketSeqSet,
-        PrefilterPacketSeqCompare,
-        PrefilterPacketSeqMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_SEQ, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketSeqSet, PrefilterPacketSeqCompare, PrefilterPacketSeqMatch);
 }

 static bool PrefilterTcpSeqIsPrefilterable(const Signature *s)
--- a/src/detect-tcpmss.c
+++ b/src/detect-tcpmss.c
@ -158,8 +158,8 @@ PrefilterPacketTcpmssMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void

 static int PrefilterSetupTcpmss(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TCPMSS, PrefilterPacketU16Set,
-            PrefilterPacketU16Compare, PrefilterPacketTcpmssMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TCPMSS, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketU16Set, PrefilterPacketU16Compare, PrefilterPacketTcpmssMatch);
 }

 static bool PrefilterTcpmssIsPrefilterable(const Signature *s)
--- a/src/detect-template2.c
+++ b/src/detect-template2.c
@ -170,8 +170,8 @@ PrefilterPacketTemplate2Match(DetectEngineThreadCtx *det_ctx, Packet *p, const v

 static int PrefilterSetupTemplate2(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TEMPLATE2, PrefilterPacketU8Set,
-            PrefilterPacketU8Compare, PrefilterPacketTemplate2Match);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TEMPLATE2, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketU8Set, PrefilterPacketU8Compare, PrefilterPacketTemplate2Match);
 }

 static bool PrefilterTemplate2IsPrefilterable(const Signature *s)
--- a/src/detect-ttl.c
+++ b/src/detect-ttl.c
@ -169,8 +169,8 @@ PrefilterPacketTtlMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *p

 static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TTL, PrefilterPacketU8Set,
-            PrefilterPacketU8Compare, PrefilterPacketTtlMatch);
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_TTL, SIG_MASK_REQUIRE_REAL_PKT,
+            PrefilterPacketU8Set, PrefilterPacketU8Compare, PrefilterPacketTtlMatch);
 }

 static bool PrefilterTtlIsPrefilterable(const Signature *s)
--- a/src/detect.c
+++ b/src/detect.c
@ -696,7 +696,7 @@ static inline void DetectRunPrefilterPkt(
    PACKET_PROFILING_DETECT_END(p, PROF_DETECT_NONMPMLIST);

    /* run the prefilter engines */
-    Prefilter(det_ctx, scratch->sgh, p, scratch->flow_flags);
+    Prefilter(det_ctx, scratch->sgh, p, scratch->flow_flags, scratch->pkt_mask);
    /* create match list if we have non-pf and/or pf */
    if (det_ctx->non_pf_store_cnt || det_ctx->pmq.rule_id_array_cnt) {
 #ifdef PROFILING
--- a/src/detect.h
+++ b/src/detect.h
@ -1394,6 +1394,8 @@ typedef struct PrefilterEngineList_ {

    uint8_t frame_type;

+    SignatureMask pkt_mask; /**< mask for pkt engines */
+
    /** Context for matching. Might be MpmCtx for MPM engines, other ctx'
     *  for other engines. */
    void *pectx;
@ -1419,6 +1421,7 @@ typedef struct PrefilterEngine_ {
    AppProto alproto;

    union {
+        SignatureMask pkt_mask; /**< mask for pkt engines */
        /** Minimal Tx progress we need before running the engine. Only used
         *  with Tx Engine */
        uint8_t tx_min_progress;