6726575 ipfilter needs to be able to do randomised port mapping

6730614 random port numbers are in the wrong range of numbers

15 files changed, 363 insertions, 16 deletions

diff --git a/usr/src/cmd/ipf/lib/common/printnat.c b/usr/src/cmd/ipf/lib/common/printnat.c
index ea8bd72fb0..fd23127cbc 100644
--- a/usr/src/cmd/ipf/lib/common/printnat.c
+++ b/usr/src/cmd/ipf/lib/common/printnat.c
@@ -220,6 +220,8 @@ int opts;
 			printf(" mssclamp %d", np->in_mssclamp);
 		if (np->in_tag.ipt_tag[0] != '\0')
 			printf(" tag %s", np->in_tag.ipt_tag);
+		if (np->in_flags & IPN_SEQUENTIAL)
+			printf(" sequential");
 		printf("\n");
 		if (opts & OPT_DEBUG) {
 			struct in_addr nip;
diff --git a/usr/src/cmd/ipf/tools/ip_fil.c b/usr/src/cmd/ipf/tools/ip_fil.c
index bbdb57802a..29d69a8b07 100644
--- a/usr/src/cmd/ipf/tools/ip_fil.c
+++ b/usr/src/cmd/ipf/tools/ip_fil.c
@@ -1024,3 +1024,50 @@ ipf_stack_t *ifs;
 	}
 	return 0;
 }
+
+
+/*    
+ * This function is not meant to be random, rather just produce a
+ * sequence of numbers that isn't linear to show "randomness".
+ */
+u_32_t ipf_random() 
+{
+	static u_int last = 0xa5a5a5a5;
+	static int calls = 0;
+	int number;
+
+	calls++;
+
+	/*
+	 * These are deliberately chosen to ensure that there is some
+	 * attempt to test whether the output covers the range in test n18.
+	 */
+	switch (calls)
+	{
+	case 1 :
+		number = 0;
+		break;
+	case 2 :
+		number = 4;
+		break;
+	case 3 :
+		number = 3999;
+		break;
+	case 4 :
+		number = 4000;
+		break;
+	case 5 :
+		number = 48999;
+		break;
+	case 6 :
+		number = 49000;
+		break;
+	default :
+		number = last;
+		last *= calls;
+		last++;
+		number ^= last;
+		break;
+	}
+	return number;
+}
diff --git a/usr/src/cmd/ipf/tools/ipnat_y.y b/usr/src/cmd/ipf/tools/ipnat_y.y
index cab9d6d3c5..d929bf413a 100644
--- a/usr/src/cmd/ipf/tools/ipnat_y.y
+++ b/usr/src/cmd/ipf/tools/ipnat_y.y
@@ -102,7 +102,7 @@ static	void	setnatproto __P((int));
 %token	IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY
 %token	IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
 %token	IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
-%token	IPNY_TLATE
+%token	IPNY_TLATE IPNY_SEQUENTIAL
 %type	<port> portspec
 %type	<num> hexnumber compare range proto
 %type	<num> saddr daddr sobject dobject mapfrom rdrfrom dip
@@ -490,11 +490,11 @@ otherifname:
 	;
 
 mapport:
-	IPNY_PORTMAP tcpudp portspec ':' portspec
+	IPNY_PORTMAP tcpudp portspec ':' portspec randport
 			{ nat->in_pmin = htons($3);
 			  nat->in_pmax = htons($5);
 			}
-	| IPNY_PORTMAP tcpudp IPNY_AUTO
+	| IPNY_PORTMAP tcpudp IPNY_AUTO randport
 			{ nat->in_flags |= IPN_AUTOPORTMAP;
 			  nat->in_pmin = htons(1024);
 			  nat->in_pmax = htons(65535);
@@ -514,6 +514,10 @@ mapport:
 			}
 	;
 
+randport:
+	| IPNY_SEQUENTIAL	{ nat->in_flags |= IPN_SEQUENTIAL; }
+	;
+
 sobject:
 	saddr				{ $$ = $1; }
 	| saddr IPNY_PORT portstuff	{ nat->in_sport = $3.p1;
@@ -654,6 +658,7 @@ rdroptions:
 nattag:	| IPNY_TAG YY_STR		{ strncpy(nat->in_tag.ipt_tag, $2,
 						  sizeof(nat->in_tag.ipt_tag));
 					}
+
 rr:	| IPNY_ROUNDROBIN		{ nat->in_flags |= IPN_ROUNDR; }
 	;
 
@@ -806,6 +811,7 @@ static	wordtab_t	yywords[] = {
 	{ "range",	IPNY_RANGE },
 	{ "rdr",	IPNY_RDR },
 	{ "round-robin",IPNY_ROUNDROBIN },
+	{ "sequential",	IPNY_SEQUENTIAL },
 	{ "sticky",	IPNY_STICKY },
 	{ "tag",	IPNY_TAG },
 	{ "tcp",	IPNY_TCP },
diff --git a/usr/src/uts/common/Makefile.files b/usr/src/uts/common/Makefile.files
index e1ad27f097..e4d97623f1 100644
--- a/usr/src/uts/common/Makefile.files
+++ b/usr/src/uts/common/Makefile.files
@@ -1470,7 +1470,7 @@ PHX_OBJS += phx.o
 
 IPF_OBJS += ip_fil_solaris.o fil.o solaris.o ip_state.o ip_frag.o ip_nat.o \
 	    ip_proxy.o ip_auth.o ip_pool.o ip_htable.o ip_lookup.o \
-	    ip_log.o misc.o ip_compat.o ip_nat6.o
+	    ip_log.o misc.o ip_compat.o ip_nat6.o drand48.o
 
 IBD_OBJS +=	ibd.o
 
diff --git a/usr/src/uts/common/inet/ipf/drand48.c b/usr/src/uts/common/inet/ipf/drand48.c
new file mode 100644
index 0000000000..34e5de4808
--- /dev/null
+++ b/usr/src/uts/common/inet/ipf/drand48.c
@@ -0,0 +1,247 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+/*	Copyright (c) 1988 AT&T	*/
+/*	  All Rights Reserved  	*/
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+/*
+ *	drand48, etc. pseudo-random number generator
+ *	This implementation assumes unsigned short integers of at least
+ *	16 bits, long integers of at least 32 bits, and ignores
+ *	overflows on adding or multiplying two unsigned integers.
+ *	Two's-complement representation is assumed in a few places.
+ *	Some extra masking is done if unsigneds are exactly 16 bits
+ *	or longs are exactly 32 bits, but so what?
+ *	An assembly-language implementation would run significantly faster.
+ */
+/*
+ *	New assumptions (supercede those stated above) for 64-bit work.
+ *	Longs are now 64 bits, and we are bound by standards to return
+ *	type long, hovever all internal calculations where long was
+ *	previously used (32 bit precision) are now using the int32_t
+ *	type (32 bit precision in both ILP32 and LP64 worlds).
+ */
+
+#include <sys/mutex.h>
+
+static kmutex_t seed_lock;
+static int	init48done = 0;
+
+#define	EXPORT0(TYPE, fn, fnu)	TYPE fn() { \
+	TYPE res; \
+	mutex_enter(&seed_lock); \
+	res = fnu(); \
+	mutex_exit(&seed_lock); \
+	return (res); }
+#define	EXPORT1(TYPE, fn, fnu)	TYPE fn(unsigned short xsubi[3]) { \
+	TYPE res; \
+	mutex_enter(&seed_lock); \
+	res = fnu(xsubi); \
+	mutex_exit(&seed_lock); \
+	return (res); }
+
+#define	N	16
+#define	MASK	((unsigned)(1 << (N - 1)) + (1 << (N - 1)) - 1)
+#define	LOW(x)	((unsigned)(x) & MASK)
+#define	HIGH(x)	LOW((x) >> N)
+#define	MUL(x, y, z)	{ int32_t l = (int32_t)(x) * (int32_t)(y); \
+		(z)[0] = LOW(l); (z)[1] = HIGH(l); }
+#define	CARRY(x, y)	((int32_t)(x) + (int32_t)(y) > MASK)
+#define	ADDEQU(x, y, z)	(z = CARRY(x, (y)), x = LOW(x + (y)))
+#define	X0	0x330E
+#define	X1	0xABCD
+#define	X2	0x1234
+#define	A0	0xE66D
+#define	A1	0xDEEC
+#define	A2	0x5
+#define	C	0xB
+#define	SET3(x, x0, x1, x2)	((x)[0] = (x0), (x)[1] = (x1), (x)[2] = (x2))
+#define	SETLOW(x, y, n) SET3(x, LOW((y)[n]), LOW((y)[(n)+1]), LOW((y)[(n)+2]))
+#define	SEED(x0, x1, x2) (SET3(x, x0, x1, x2), SET3(a, A0, A1, A2), c = C)
+#define	REST(v)	for (i = 0; i < 3; i++) { xsubi[i] = x[i]; x[i] = temp[i]; } \
+		return (v)
+#define	NEST(TYPE, f, F) static TYPE f(unsigned short *xsubi) { \
+	int i; TYPE v; unsigned temp[3]; \
+	for (i = 0; i < 3; i++) { temp[i] = x[i]; x[i] = LOW(xsubi[i]); }  \
+	v = F(); REST(v); }
+
+/* Way ugly solution to problem names, but it works */
+#define	x	_drand48_x
+#define	a	_drand48_a
+#define	c	_drand48_c
+/* End way ugly */
+static unsigned x[3] = { X0, X1, X2 }, a[3] = { A0, A1, A2 }, c = C;
+static unsigned short lastx[3];
+static void next(void);
+
+static double
+ipf_r_drand48_u(void)
+{
+	static double two16m = 1.0 / ((int32_t)1 << N);
+
+	next();
+	return (two16m * (two16m * (two16m * x[0] + x[1]) + x[2]));
+}
+
+NEST(double, ipf_r_erand48_u, ipf_r_drand48_u)
+
+static long
+ipf_r_lrand48_u(void)
+{
+	next();
+	return ((long)((int32_t)x[2] << (N - 1)) + (x[1] >> 1));
+}
+
+static void
+init48(void)
+{
+	mutex_init(&seed_lock, 0L, MUTEX_DRIVER, 0L);
+	init48done = 1;
+}
+
+static long
+ipf_r_mrand48_u(void)
+{
+	next();
+	return ((long)((int32_t)x[2] << N) + x[1]);
+}
+
+static void
+next(void)
+{
+	unsigned p[2], q[2], r[2], carry0, carry1;
+
+	MUL(a[0], x[0], p);
+	ADDEQU(p[0], c, carry0);
+	ADDEQU(p[1], carry0, carry1);
+	MUL(a[0], x[1], q);
+	ADDEQU(p[1], q[0], carry0);
+	MUL(a[1], x[0], r);
+	x[2] = LOW(carry0 + carry1 + CARRY(p[1], r[0]) + q[1] + r[1] +
+		a[0] * x[2] + a[1] * x[1] + a[2] * x[0]);
+	x[1] = LOW(p[1] + r[0]);
+	x[0] = LOW(p[0]);
+}
+
+void
+ipf_r_srand48(long seedval)
+{
+	int32_t fixseed = (int32_t)seedval;	/* limit to 32 bits */
+
+	if (init48done == 0)
+		init48();
+	mutex_enter(&seed_lock);
+	SEED(X0, LOW(fixseed), HIGH(fixseed));
+	mutex_exit(&seed_lock);
+}
+
+unsigned short *
+ipf_r_seed48(unsigned short seed16v[3])
+{
+	if (init48done == 0)
+		init48();
+	mutex_enter(&seed_lock);
+	SETLOW(lastx, x, 0);
+	SEED(LOW(seed16v[0]), LOW(seed16v[1]), LOW(seed16v[2]));
+	mutex_exit(&seed_lock);
+	return (lastx);
+}
+
+void
+ipf_r_lcong48(unsigned short param[7])
+{
+	if (init48done == 0)
+		init48();
+	mutex_enter(&seed_lock);
+	SETLOW(x, param, 0);
+	SETLOW(a, param, 3);
+	c = LOW(param[6]);
+	mutex_exit(&seed_lock);
+}
+
+NEST(long, ipf_r_nrand48_u, ipf_r_lrand48_u)
+
+NEST(long, ipf_r_jrand48_u, ipf_r_mrand48_u)
+
+EXPORT0(double, ipf_r_drand48, ipf_r_drand48_u)
+EXPORT1(double, ipf_r_erand48, ipf_r_erand48_u)
+
+EXPORT0(long, ipf_r_lrand48, ipf_r_lrand48_u)
+EXPORT1(long, ipf_r_nrand48, ipf_r_nrand48_u)
+
+EXPORT0(long, ipf_r_mrand48, ipf_r_mrand48_u)
+EXPORT1(long, ipf_r_jrand48, ipf_r_jrand48_u)
+
+#ifdef DRIVER
+/*
+	This should print the sequences of integers in Tables 2
+		and 1 of the TM:
+	1623, 3442, 1447, 1829, 1305, ...
+	657EB7255101, D72A0C966378, 5A743C062A23, ...
+ */
+#include <stdio.h>
+
+main()
+{
+	int i;
+
+	for (i = 0; i < 80; i++) {
+		printf("%4d ", (int)(4096 * ipf_r_drand48()));
+		printf("%.4X%.4X%.4X\n", x[2], x[1], x[0]);
+	}
+}
+#else
+
+#include <sys/random.h>
+
+unsigned
+ipf_random()
+{
+	static int seeded = 0;
+
+	if (seeded == 0) {
+		long seed;
+
+		/*
+		 * Keep reseeding until some good randomness comes from the
+		 * kernel. One of two things will happen: it will succeed or
+		 * it will fail (with poor randomness), thus creating NAT
+		 * sessions will be "slow" until enough randomness is gained
+		 * to not need to get more. It isn't necessary to initialise
+		 * seed as it will just pickup whatever random garbage has
+		 * been left on the heap and that's good enough until we
+		 * get some good garbage.
+		 */
+		if (random_get_bytes((uint8_t *)&seed, sizeof (seed)) == 0)
+			seeded = 1;
+		ipf_r_srand48(seed);
+	}
+
+	return (unsigned)ipf_r_lrand48();
+}
+#endif
diff --git a/usr/src/uts/common/inet/ipf/ip_nat.c b/usr/src/uts/common/inet/ipf/ip_nat.c
index 2327c01d8c..93c6a0caec 100644
--- a/usr/src/uts/common/inet/ipf/ip_nat.c
+++ b/usr/src/uts/common/inet/ipf/ip_nat.c
@@ -2225,7 +2225,15 @@ natinfo_t *ni;
 			/*
 			 * Standard port translation.  Select next port.
 			 */
-			port = htons(np->in_pnext++);
+			if (np->in_flags & IPN_SEQUENTIAL) {
+				port = np->in_pnext;
+			} else {
+				port = ipf_random() % (ntohs(np->in_pmax) -
+						       ntohs(np->in_pmin));
+				port += ntohs(np->in_pmin);
+			}
+			port = htons(port);
+			np->in_pnext++;
 
 			if (np->in_pnext > ntohs(np->in_pmax)) {
 				np->in_pnext = ntohs(np->in_pmin);
diff --git a/usr/src/uts/common/inet/ipf/ip_nat6.c b/usr/src/uts/common/inet/ipf/ip_nat6.c
index 77fd2c139f..71a4dbd556 100644
--- a/usr/src/uts/common/inet/ipf/ip_nat6.c
+++ b/usr/src/uts/common/inet/ipf/ip_nat6.c
@@ -438,7 +438,15 @@ natinfo_t *ni;
 			/*
 			 * Standard port translation.  Select next port.
 			 */
-			port = htons(np->in_pnext++);
+			if (np->in_flags & IPN_SEQUENTIAL) {
+				port = np->in_pnext;
+			} else {
+				port = ipf_random() % (ntohs(np->in_pmax) -
+						       ntohs(np->in_pmin));
+				port += ntohs(np->in_pmin);
+			}
+			port = htons(port);
+			np->in_pnext++;
 
 			if (np->in_pnext > ntohs(np->in_pmax)) {
 				np->in_pnext = ntohs(np->in_pmin);
diff --git a/usr/src/uts/common/inet/ipf/ip_state.c b/usr/src/uts/common/inet/ipf/ip_state.c
index b33b7a2b84..7502c541ac 100644
--- a/usr/src/uts/common/inet/ipf/ip_state.c
+++ b/usr/src/uts/common/inet/ipf/ip_state.c
@@ -157,6 +157,9 @@ int fr_stgetent __P((caddr_t, ipf_stack_t *));
 int fr_stateinit(ifs)
 ipf_stack_t *ifs;
 {
+#if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
+	struct timeval tv;
+#endif
 	int i;
 
 	KMALLOCS(ifs->ifs_ips_table, ipstate_t **, 
@@ -170,16 +173,20 @@ ipf_stack_t *ifs;
 		 ifs->ifs_fr_statesize * sizeof(*ifs->ifs_ips_seed));
 	if (ifs->ifs_ips_seed == NULL)
 		return -2;
+#if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
+	tv.tv_sec = 0;
+	GETKTIME(&tv);
+#endif
 	for (i = 0; i < ifs->ifs_fr_statesize; i++) {
 		/*
 		 * XXX - ips_seed[X] should be a random number of sorts.
 		 */
-#if  (__FreeBSD_version >= 400000)
-		ifs->ifs_ips_seed[i] = arc4random();
+#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
+		ifs->ifs_ips_seed[i] = ipf_random();
 #else
 		ifs->ifs_ips_seed[i] = ((u_long)ifs->ifs_ips_seed + i) *
 		    ifs->ifs_fr_statesize;
-		ifs->ifs_ips_seed[i] ^= 0xa5a55a5a;
+		ifs->ifs_ips_seed[i] += tv.tv_sec;
 		ifs->ifs_ips_seed[i] *= (u_long)ifs->ifs_ips_seed;
 		ifs->ifs_ips_seed[i] ^= 0x5a5aa5a5;
 		ifs->ifs_ips_seed[i] *= ifs->ifs_fr_statemax;
diff --git a/usr/src/uts/common/inet/ipf/netinet/ip_compat.h b/usr/src/uts/common/inet/ipf/netinet/ip_compat.h
index 1f6c9a261a..77c27f8e06 100644
--- a/usr/src/uts/common/inet/ipf/netinet/ip_compat.h
+++ b/usr/src/uts/common/inet/ipf/netinet/ip_compat.h
@@ -322,6 +322,7 @@ typedef mblk_t mb_t;
 typedef	struct uio	uio_t;
 # endif
 typedef	int		ioctlcmd_t;
+typedef	uint8_t		u_int8_t;
 
 # define OS_RECOGNISED 1
 
@@ -558,6 +559,8 @@ typedef struct {
 # endif
 
 # ifdef _KERNEL
+#  define	NEED_LOCAL_RAND	1
+#  define	ipf_random		arc4random
 #  define	ATOMIC_INC(x)		{ MUTEX_ENTER(&ipf_rw); \
 					  (x)++; MUTEX_EXIT(&ipf_rw); }
 #  define	ATOMIC_DEC(x)		{ MUTEX_ENTER(&ipf_rw); \
@@ -653,6 +656,8 @@ typedef struct mbuf mb_t;
 # include <sys/sysmacros.h>
 
 # ifdef _KERNEL
+#  define	NEED_LOCAL_RAND		1
+#  define	ipf_random		arc4random
 #  define	KMUTEX_T		simple_lock_data_t
 #  define	KRWLOCK_T		lock_data_t
 #  include <net/net_globals.h>
diff --git a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
index 0b98cf420a..323944dc30 100644
--- a/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
+++ b/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
@@ -1525,6 +1525,9 @@ extern	void		ipf_freetoken __P((ipftoken_t *, ipf_stack_t *));
 extern	int		ipf_deltoken __P((int,int, void *, ipf_stack_t *));
 extern	int		ipf_genericiter __P((void *, int, void *,
 					     ipf_stack_t *));
+#ifndef ipf_random
+extern	u_32_t		ipf_random __P((void));
+#endif
 
 extern	char	ipfilter_version[];
 #ifdef	USE_INET6
diff --git a/usr/src/uts/common/inet/ipf/netinet/ip_nat.h b/usr/src/uts/common/inet/ipf/netinet/ip_nat.h
index d7df16dba6..c78ae22223 100644
--- a/usr/src/uts/common/inet/ipf/netinet/ip_nat.h
+++ b/usr/src/uts/common/inet/ipf/netinet/ip_nat.h
@@ -266,9 +266,11 @@ typedef	struct	ipnat	{
 #define	IPN_FIXEDDPORT	0x200000
 #define	IPN_FINDFORWARD	0x400000
 #define	IPN_IN		0x800000
+#define	IPN_SEQUENTIAL	0x1000000
 #define	IPN_USERFLAGS	(IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
 			 IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|\
-			 IPN_FRAG|IPN_STICKY|IPN_FIXEDDPORT|IPN_ICMPQUERY)
+			 IPN_FRAG|IPN_STICKY|IPN_FIXEDDPORT|IPN_ICMPQUERY|\
+			 IPN_SEQUENTIAL)
 
 /*
  * Values for in_redir
diff --git a/usr/src/uts/intel/ipf/Makefile b/usr/src/uts/intel/ipf/Makefile
index d23d2e9b11..8ae5ba3dff 100644
--- a/usr/src/uts/intel/ipf/Makefile
+++ b/usr/src/uts/intel/ipf/Makefile
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -60,7 +60,7 @@ INSTALL_TARGET	= $(BINARY) $(ROOTMODULE) $(ROOT_CONFFILE)
 
 CPPFLAGS += -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP -DUSE_INET6
 CPPFLAGS += -DSUNDDI -DSOLARIS2=$(RELEASE_MINOR) -DIRE_ILL_CN
-LDFLAGS += -dy -Ndrv/ip -Nmisc/md5 -Nmisc/neti
+LDFLAGS += -dy -Ndrv/ip -Nmisc/md5 -Nmisc/neti -Nmisc/kcf
 
 INC_PATH += -I$(UTSBASE)/common/inet/ipf
 
diff --git a/usr/src/uts/intel/ipf/ipf.global-objs.debug64 b/usr/src/uts/intel/ipf/ipf.global-objs.debug64
index 4217374f6b..de4365bbd0 100644
--- a/usr/src/uts/intel/ipf/ipf.global-objs.debug64
+++ b/usr/src/uts/intel/ipf/ipf.global-objs.debug64
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -54,3 +54,9 @@ rcsid
 sccsid
 secopt
 tcpopts
+lastx
+_drand48_a
+_drand48_c
+_drand48_x
+init48done
+seed_lock
diff --git a/usr/src/uts/sparc/ipf/Makefile b/usr/src/uts/sparc/ipf/Makefile
index cc1bc4eb02..9ab95b305b 100644
--- a/usr/src/uts/sparc/ipf/Makefile
+++ b/usr/src/uts/sparc/ipf/Makefile
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -65,7 +65,7 @@ INSTALL_TARGET	= $(BINARY) $(ROOTMODULE) $(ROOT_CONFFILE)
 CFLAGS += $(CCVERBOSE)
 CPPFLAGS += -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP 
 CPPFLAGS += -DSUNDDI -DSOLARIS2=$(RELEASE_MINOR) -DIRE_ILL_CN -DUSE_INET6
-LDFLAGS += -dy -Ndrv/ip -Nmisc/md5 -Nmisc/neti
+LDFLAGS += -dy -Ndrv/ip -Nmisc/md5 -Nmisc/neti -Nmisc/kcf
 
 INC_PATH += -I$(UTSBASE)/common/inet/ipf
 
diff --git a/usr/src/uts/sparc/ipf/ipf.global-objs.debug64 b/usr/src/uts/sparc/ipf/ipf.global-objs.debug64
index 4217374f6b..21c10a84f4 100644
--- a/usr/src/uts/sparc/ipf/ipf.global-objs.debug64
+++ b/usr/src/uts/sparc/ipf/ipf.global-objs.debug64
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -54,3 +54,9 @@ rcsid
 sccsid
 secopt
 tcpopts
+_drand48_a
+_drand48_c
+_drand48_x
+init48done
+seed_lock
+lastx