OMPUB-941: 同时命中security(shunt)和intercept策略，优先执行security策略v6.0.17TSG-OS-V23.05

1 files changed, 12 insertions, 7 deletions

diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 70f88ff..8e3288f 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -1479,6 +1479,18 @@ unsigned char session_matched_rules_deal(const struct streaminfo *a_stream, stru
 {
 	unsigned char state=APP_STATE_GIVEME;
 
+	struct maat_rule security_rules[MAX_RESULT_NUM]={0};
+	size_t n_security_rules=tsg_select_rules_by_service_id(rules, n_rules, security_rules, MAX_RESULT_NUM, TSG_SERVICE_SECURITY);
+	if(n_security_rules>0)
+	{
+		state=matched_security_rules_deal(a_stream, srt_process_context, security_rules, n_security_rules, a_packet, a_stream->threadnum);
+		
+		if(state&APP_STATE_KILL_OTHER)
+		{
+			return state;
+		}
+	}
+
 	struct maat_rule s_chaining_rules[MAX_RESULT_NUM]={0};
 	size_t n_s_chaining_rules=tsg_select_rules_by_service_id(rules, n_rules, s_chaining_rules, MAX_RESULT_NUM, TSG_SERVICE_CHAINING);
 	if(n_s_chaining_rules>0)
@@ -1500,13 +1512,6 @@ unsigned char session_matched_rules_deal(const struct streaminfo *a_stream, stru
 		matched_intercept_rules_deal(a_stream, intercept_rules, n_intercept_rules, a_stream->threadnum);
 	}
 
-	struct maat_rule security_rules[MAX_RESULT_NUM]={0};
-	size_t n_security_rules=tsg_select_rules_by_service_id(rules, n_rules, security_rules, MAX_RESULT_NUM, TSG_SERVICE_SECURITY);
-	if(n_security_rules>0)
-	{
-		state=matched_security_rules_deal(a_stream, srt_process_context, security_rules, n_security_rules, a_packet, a_stream->threadnum);
-	}
-
 	return state;
 }