detect: explicitly forbid impossible cases fot bidir rules

Only allows bidir rules when needed.
When there is only one direction, just write a single dir rule.

Do not allow flow keyword to set a direction.

Do not allow keywords ambiguous about direction.

src/detect-flow.c

@@ -391,8 +391,16 @@ int DetectFlowSetup (DetectEngineCtx *de_ctx, Signature *s, const char *flowstr)
     bool appendsm = true;
     /* set the signature direction flags */
     if (fd->flags & DETECT_FLOW_FLAG_TOSERVER) {
+        if (s->init_data->init_flags & SIG_FLAG_INIT_BOTHDIR) {
+            SCLogError("rule %u means to use both directions, cannot specify a flow direction", s->id);
+            return -1;
+        }
         s->flags |= SIG_FLAG_TOSERVER;
     } else if (fd->flags & DETECT_FLOW_FLAG_TOCLIENT) {
+        if (s->init_data->init_flags & SIG_FLAG_INIT_BOTHDIR) {
+            SCLogError("rule %u means to use both directions, cannot specify a flow direction", s->id);
+            return -1;
+        }
         s->flags |= SIG_FLAG_TOCLIENT;
     } else {
         s->flags |= SIG_FLAG_TOSERVER;

src/detect-parse.c

@@ -2032,6 +2032,16 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
     } else if (dir_amb) {
         SCLogDebug("%u: rule direction cannot be deduced from keywords", s->id);
     }
+    if (s->init_data->init_flags & SIG_FLAG_INIT_BOTHDIR) {
+        if (!ts_excl || !tc_excl) {
+            SCLogError("rule %u should use both directions, but does not", s->id);
+            SCReturnInt(0);
+        }
+        if (dir_amb) {
+            SCLogError("rule %u means to use both directions, cannot have keywords ambiguous about directions", s->id);
+            SCReturnInt(0);
+        }
+    }
 
     if ((s->flags & SIG_FLAG_REQUIRE_PACKET) &&
         (s->flags & SIG_FLAG_REQUIRE_STREAM)) {