authordr146992 <none@none>2008-08-01 14:29:34 -0700
committerdr146992 <none@none>2008-08-01 14:29:34 -0700
commitab073b324433ebc8947d28ade932d29d0e809795 (patch)
treefdf204a0576a7f472a6a3709d0c50fbe72d25e49 /usr/src/cmd/ipf
parent820c9f58018f61ff5e4d61e758c34cdc6d6aa3e4 (diff)
downloadillumos-joyent-ab073b324433ebc8947d28ade932d29d0e809795.tar.gz
6726575 ipfilter needs to be able to do randomised port mapping
6730614 random port numbers are in the wrong range of numbers
Diffstat (limited to 'usr/src/cmd/ipf')
-rw-r--r--usr/src/cmd/ipf/lib/common/printnat.c2
-rw-r--r--usr/src/cmd/ipf/tools/ip_fil.c47
-rw-r--r--usr/src/cmd/ipf/tools/ipnat_y.y12
3 files changed, 58 insertions, 3 deletions
diff --git a/usr/src/cmd/ipf/lib/common/printnat.c b/usr/src/cmd/ipf/lib/common/printnat.c
index ea8bd72fb0..fd23127cbc 100644
--- a/usr/src/cmd/ipf/lib/common/printnat.c
+++ b/usr/src/cmd/ipf/lib/common/printnat.c
@@ -220,6 +220,8 @@ int opts;
printf(" mssclamp %d", np->in_mssclamp);
if (np->in_tag.ipt_tag[0] != '\0')
printf(" tag %s", np->in_tag.ipt_tag);
+ if (np->in_flags & IPN_SEQUENTIAL)
+ printf(" sequential");
printf("\n");
if (opts & OPT_DEBUG) {
struct in_addr nip;
diff --git a/usr/src/cmd/ipf/tools/ip_fil.c b/usr/src/cmd/ipf/tools/ip_fil.c
index bbdb57802a..29d69a8b07 100644
--- a/usr/src/cmd/ipf/tools/ip_fil.c
+++ b/usr/src/cmd/ipf/tools/ip_fil.c
@@ -1024,3 +1024,50 @@ ipf_stack_t *ifs;
}
return 0;
}
+
+
+/*
+ * This function is not meant to be random, rather just produce a
+ * sequence of numbers that isn't linear to show "randomness".
+ */
+u_32_t ipf_random()
+{
+ static u_int last = 0xa5a5a5a5;
+ static int calls = 0;
+ int number;
+
+ calls++;
+
+ /*
+ * These are deliberately chosen to ensure that there is some
+ * attempt to test whether the output covers the range in test n18.
+ */
+ switch (calls)
+ {
+ case 1 :
+ number = 0;
+ break;
+ case 2 :
+ number = 4;
+ break;
+ case 3 :
+ number = 3999;
+ break;
+ case 4 :
+ number = 4000;
+ break;
+ case 5 :
+ number = 48999;
+ break;
+ case 6 :
+ number = 49000;
+ break;
+ default :
+ number = last;
+ last *= calls;
+ last++;
+ number ^= last;
+ break;
+ }
+ return number;
+}
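Review bot: `number` is declared `int number;` while `last` is `u_int` and the function returns `u_32_t`, so the default branch pushes `last` (0xa5a5a5a5 on its first pass, above INT_MAX) through an implementation-defined unsigned-to-signed narrowing at `number = last;` and back again at `return number;`; declaring it `u_32_t number;` keeps the value unsigned end to end, and `static u_int calls` would also remove the eventual signed overflow of the unbounded `calls++`. `u_32_t ipf_random()` is an unprototyped old-style definition; `u_32_t ipf_random(void)` is the C89+ form even if the rest of the file still uses `__P`. Given the file lives under usr/src/cmd/ipf/tools and the header comment already says the sequence is not random, that comment should state explicitly what this is a stand-in for, e.g. `* Userland stand-in for the kernel's random source: deterministic by design (test n18 coverage), never to be used as the port-selection source in a kernel build.` — I infer from the 6726575 title that the kernel side has its own source, so confirm that before wording it that way.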
diff --git a/usr/src/cmd/ipf/tools/ipnat_y.y b/usr/src/cmd/ipf/tools/ipnat_y.y
index cab9d6d3c5..d929bf413a 100644
--- a/usr/src/cmd/ipf/tools/ipnat_y.y
+++ b/usr/src/cmd/ipf/tools/ipnat_y.y
@@ -102,7 +102,7 @@ static void setnatproto __P((int));
%token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP IPNY_ANY
%token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
%token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
-%token IPNY_TLATE
+%token IPNY_TLATE IPNY_SEQUENTIAL
%type <port> portspec
%type <num> hexnumber compare range proto
%type <num> saddr daddr sobject dobject mapfrom rdrfrom dip
@@ -490,11 +490,11 @@ otherifname:
;
mapport:
- IPNY_PORTMAP tcpudp portspec ':' portspec
+ IPNY_PORTMAP tcpudp portspec ':' portspec randport
{ nat->in_pmin = htons($3);
nat->in_pmax = htons($5);
}
- | IPNY_PORTMAP tcpudp IPNY_AUTO
+ | IPNY_PORTMAP tcpudp IPNY_AUTO randport
{ nat->in_flags |= IPN_AUTOPORTMAP;
nat->in_pmin = htons(1024);
nat->in_pmax = htons(65535);
@@ -514,6 +514,10 @@ mapport:
}
;
+randport:
+ | IPNY_SEQUENTIAL { nat->in_flags |= IPN_SEQUENTIAL; }
+ ;
+
sobject:
saddr { $$ = $1; }
| saddr IPNY_PORT portstuff { nat->in_sport = $3.p1;
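Review bot: The empty first alternative of `randport` is the path every existing `portmap` rule now takes, and nothing in the grammar says what that default means; presumably (from the 6726575 title) a clear IPN_SEQUENTIAL selects the new randomised port mapping, so existing configurations change behaviour without any keyword being written. A one-line comment above the rule, `/* no keyword: IPN_SEQUENTIAL stays clear and the kernel picks ports non-sequentially (6726575) */`, would make that default visible to anyone reading ipnat_y.y rather than the kernel source. The same applies to the two `mapport` alternatives in the hunk at -490,11 that append `randport`.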
@@ -654,6 +658,7 @@ rdroptions:
nattag: | IPNY_TAG YY_STR { strncpy(nat->in_tag.ipt_tag, $2,
sizeof(nat->in_tag.ipt_tag));
}
+
rr: | IPNY_ROUNDROBIN { nat->in_flags |= IPN_ROUNDR; }
;
@@ -806,6 +811,7 @@ static wordtab_t yywords[] = {
{ "range", IPNY_RANGE },
{ "rdr", IPNY_RDR },
{ "round-robin",IPNY_ROUNDROBIN },
+ { "sequential", IPNY_SEQUENTIAL },
{ "sticky", IPNY_STICKY },
{ "tag", IPNY_TAG },
{ "tcp", IPNY_TCP },