From a8f3edebb1aa6a59c3224966205aae41db35c32e Mon Sep 17 00:00:00 2001
From: Peter Haag
Date: Wed, 4 Dec 2024 20:36:29 +0100
Subject: [PATCH] Add 'ttl equal' filter for min ttl == max ttl

---
 man/nfdump.1 | 3 +++
 src/libnfdump/filter/filter.c | 9 +++++++++
 src/libnfdump/filter/filter.h | 1 +
 src/libnfdump/filter/grammar.y | 15 +++++++++++++++
 src/test/nftest.c | 5 +++++
 5 files changed, 33 insertions(+)

diff --git a/man/nfdump.1 b/man/nfdump.1
index 1f56f2ff..db01adfa 100755
--- a/man/nfdump.1
+++ b/man/nfdump.1
@@ -855,6 +855,9 @@ True if min/max IP ttl matches comparison.
 .It Cm ttl Ar comp num
 True if min or max IP ttl matches comparison.
 .Pp
+.It Cm ttl equal
+True if min and max IP ttl have the same value
+.Pp
 .It Cm proto Ar protocol
 True if the record protocol field matches
 .Ar protocol. protocol
diff --git a/src/libnfdump/filter/filter.c b/src/libnfdump/filter/filter.c
index 725ca739..09a6e35a 100644
--- a/src/libnfdump/filter/filter.c
+++ b/src/libnfdump/filter/filter.c
@@ -111,6 +111,7 @@ static uint64_t mpls_any_function(void *dataPtr, uint32_t length, data_t data, r
 static uint64_t pblock_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *handle);
 static uint64_t mmASLookup_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *handle);
 static uint64_t torLookup_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *handle);
+static uint64_t ttlEqual_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *handle);
 
 /* flow pre-processing functions */
 static void *ssl_preproc(uint32_t length, data_t data, recordHandle_t *handle);
@@ -137,6 +138,7 @@ static struct flow_procs_map_s {
 [FUNC_PBLOCK] = {"pblock", pblock_function},
 [FUNC_MMAS_LOOKUP] = {"AS Lookup", mmASLookup_function},
 [FUNC_TOR_LOOKUP] = {"TOR Lookup", torLookup_function},
+ [FUNC_TTL_EQUAL] = {"min/max TTL equal", ttlEqual_function},
 {NULL, NULL}};
 
 static struct preprocess_s {
@@ -316,6 +318,13 @@ static uint64_t torLookup_function(void *dataPtr, uint32_t length, data_t data,
 return isTor;
 } // End of torLookup_function
 
+static uint64_t ttlEqual_function(void *dataPtr, uint32_t length, data_t data, recordHandle_t *recordHandle) {
+ EXipInfo_t *ipInfo = (EXipInfo_t *)recordHandle->extensionList[EXipInfoID];
+ if (ipInfo == NULL) return 0;
+
+ return ipInfo->minTTL == ipInfo->maxTTL;
+} // End of ttlEqual_function
+
 static void *ssl_preproc(uint32_t length, data_t data, recordHandle_t *handle) {
 const uint8_t *payload = (uint8_t *)(handle->extensionList[EXinPayloadID]);
 if (payload == NULL) return NULL;
diff --git a/src/libnfdump/filter/filter.h b/src/libnfdump/filter/filter.h
index c736034c..ec669d66 100644
--- a/src/libnfdump/filter/filter.h
+++ b/src/libnfdump/filter/filter.h
@@ -113,6 +113,7 @@ typedef enum {
 FUNC_MMAS_LOOKUP, // function code for optional maxmind AS lookup
 FUNC_TOR_LOOKUP, // function code for optional tor node lookup
 FUNC_JA3, // function code for ja3 calc
+ FUNC_TTL_EQUAL, // function code for comparing min/max TTL
 } filterFunction_t;
 
 #define FULLMASK FFFFFFFFFFFFFFFFLL
diff --git a/src/libnfdump/filter/grammar.y b/src/libnfdump/filter/grammar.y
index 9ba1a81c..ef56f1f5 100644
--- a/src/libnfdump/filter/grammar.y
+++ b/src/libnfdump/filter/grammar.y
@@ -94,6 +94,8 @@ static int AddTosNumber(direction_t direction, uint16_t comp, uint64_t tos);
 static int AddIPttl(prefix_t prefix, uint16_t comp, uint64_t ttl);
 
+static int AddIPttlEqual(char *arg);
+
 static int AddPackets(direction_t direction, uint16_t comp, uint64_t packets);
 static int AddBytes(direction_t direction, uint16_t comp, uint64_t bytes);
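Review bot: ttlEqual_function at the top of the hunk has no comment stating its contract, and the `return 0` for a record without an EXipInfo extension deserves to be explicit: a flow that carries no TTL information fails `ttl equal` and therefore matches `not ttl equal`, which a filter author may not expect. I would add above the definition `/* FUNC_TTL_EQUAL: 1 when the record's EXipInfo minTTL equals maxTTL; a record without an EXipInfo extension yields 0, so it matches 'not ttl equal' */`. The dataPtr, length and data parameters are unused in the body; if they are dictated by the shared filter-function signature, as the sibling prototypes suggest, a short comment saying so would keep the next reader from looking for a missing use.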
@@ -284,6 +286,10 @@ term: ANY { /* this is an unconditionally true expression, as a filter applies i
 $$.self = AddIPttl($1.prefix, $3.comp, $4); if ( $$.self < 0 ) YYABORT;
 }
+ | minmax IPTTL STRING {
+ $$.self = AddIPttlEqual($3); if ( $$.self < 0 ) YYABORT;
+ }
+
 | FWDSTAT comp NUMBER {
 $$.self = AddFwdStatNum($2.comp, $3); if ( $$.self < 0 ) YYABORT;
 }
@@ -933,6 +939,15 @@ static int AddIPttl(prefix_t prefix, uint16_t comp, uint64_t ttl) {
 } // End of AddIPttl
 
+static int AddIPttlEqual(char *arg) {
+ if (strcasecmp(arg, "equal") != 0 ) {
+ yyprintf("Unexpected argument: %s", arg);
+ return -1;
+ }
+
+ return NewElement(EXipInfoID, OFFminTTL, SIZEminTTL, 1, CMP_EQ, FUNC_TTL_EQUAL, NULLPtr);
+} // End of AddIPttlEqual
+
 static int AddPackets(direction_t direction, uint16_t comp, uint64_t packets) {
 int ret = -1;
diff --git a/src/test/nftest.c b/src/test/nftest.c
index a239a0b9..c9556a1d 100644
--- a/src/test/nftest.c
+++ b/src/test/nftest.c
@@ -1032,6 +1032,11 @@ static void runTest(void) {
 CheckFilter("ttl 64", recordHandle, 0);
 CheckFilter("ttl < 30", recordHandle, 0);
+ CheckFilter("ttl equal", recordHandle, 0);
+ CheckFilter("not ttl equal", recordHandle, 1);
+ ipInfo->maxTTL = 36;
+ CheckFilter("ttl equal", recordHandle, 1);
+ CheckFilter("not ttl equal", recordHandle, 0);
 printf("DONE.\n");
 } // End of runTest
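Review bot: The new `minmax IPTTL STRING` rule discards `$1`, whereas the rule directly above it passes `$1.prefix` to AddIPttl; if minmax can carry a min or max prefix, then `min ttl equal` and `max ttl equal` are accepted and silently treated as `ttl equal`, which the man page hunk does not document. Either pass the prefix through, `$$.self = AddIPttlEqual($1.prefix, $3); if ( $$.self < 0 ) YYABORT;`, and have AddIPttlEqual reject a set prefix with a yyprintf message the same way it rejects an unexpected argument, or document in the man page that a prefix is ignored for `equal`. The term rule this alternative belongs to starts and ends outside the hunk.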
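Review bot: The new CheckFilter calls in nftest.c exercise only two values of maxTTL and never the branch in ttlEqual_function where the EXipInfo extension is absent; since that branch decides whether records without TTL data match `not ttl equal`, it should be pinned by the test. After the four added lines, clearing the record handle's `extensionList[EXipInfoID]` and then running `CheckFilter("ttl equal", recordHandle, 0); CheckFilter("not ttl equal", recordHandle, 1);` would do it, restoring the pointer afterwards if later checks in runTest still rely on ipInfo. The expected 1 for `ttl equal` after `ipInfo->maxTTL = 36` presumably depends on minTTL having been set to 36 earlier in runTest, outside the hunk; a one-line comment naming that precondition would make the test self-explanatory.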