Make the Pepper TCP open the firewall on Cros.

content/browser/renderer_host/pepper/pepper_socket_utils.cc

Index: content/browser/renderer_host/pepper/pepper_socket_utils.cc
diff --git a/content/browser/renderer_host/pepper/pepper_socket_utils.cc b/content/browser/renderer_host/pepper/pepper_socket_utils.cc
index 45d35ce4160cf14f653cbb1879bc0d00a607e031..6366fb980070851101250f2e0af9e6cc2252568e 100644
--- a/content/browser/renderer_host/pepper/pepper_socket_utils.cc
+++ b/content/browser/renderer_host/pepper/pepper_socket_utils.cc
@@ -15,11 +15,16 @@
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/site_instance.h"
 #include "content/public/common/content_client.h"
+#include "net/base/ip_endpoint.h"
 #include "net/cert/x509_certificate.h"
 #include "ppapi/c/private/ppb_net_address_private.h"
 #include "ppapi/shared_impl/private/net_address_private_impl.h"
 #include "ppapi/shared_impl/private/ppb_x509_certificate_private_shared.h"
 
+#if defined(OS_CHROMEOS)
+#include "chromeos/network/firewall_hole.h"
+#endif  // defined(OS_CHROMEOS)
+
 namespace content {
 namespace pepper_socket_utils {
 
@@ -43,7 +48,7 @@ bool CanUseSocketAPIs(bool external_plugin,
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   if (!external_plugin) {
     // Always allow socket APIs for out-process plugins (other than external
-    // plugins instantiated by the embeeder through
+    // plugins instantiated by the embedder through
     // BrowserPpapiHost::CreateExternalPluginProcess).
     return true;
   }
@@ -128,5 +133,68 @@ bool GetCertificateFields(const char* der,
   return GetCertificateFields(*cert.get(), fields);
 }
 
+#if defined(OS_CHROMEOS)
+namespace {

[bbudge, 2015/07/09 19:55:17]

nit: Blank line here.

[avallee, 2015/07/13 18:29:10]

Done.

+const unsigned char kIPv4Empty[] = {0, 0, 0, 0};
+const unsigned char kIPv6Empty[] =
+    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
+const unsigned char kIPv6Loopback[] =
+    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};

[bbudge, 2015/07/09 19:55:17]

nit: insert blank line

[avallee, 2015/07/13 18:29:09]

Done.

+bool isLoopbackAddress(const net::IPAddressNumber& address) {
+  if (address.size() == net::kIPv4AddressSize && address[0] == 0x7f) {

[bbudge, 2015/07/09 19:55:17]

This would be a little easier to reason about if you simplify the 'if'
conditions:

if (address.size() == net::kIPv4AddressSize) {
  return address[0] == 0x7f;
} else if (address.size() == net::kIPv6AddressSize) {
  return std::equal(&kIPv6Loopback[0],
                    &kIPv6Loopback[net::kIPv6AddressSize],
                    address.begin());
}
...

Also, don't you need to check the other bytes of the address for the ipv4 case?

[avallee, 2015/07/13 18:29:10]

Done.
Nope the whole /8 netblock is loopback per RFC3330, page 2.

+    // All of 127.0.0.0/8 is loopback in ipv4.
+    return true;
+  } else if (address.size() == net::kIPv6AddressSize &&
+             std::equal(&kIPv6Loopback[0],
+                        &kIPv6Loopback[net::kIPv6AddressSize],
+                        address.begin())) {
+    // ::1 is the only loopback address in ipv6.
+    return true;
+  }
+  return false;
+}
+
+std::string addressToFirewallString(const net::IPAddressNumber& address) {
+  if (address.empty()) {
+    return std::string();
+  }
+  if (address.size() == net::kIPv4AddressSize &&
+      std::equal(&kIPv4Empty[0], &kIPv4Empty[net::kIPv4AddressSize],
+                 address.begin())) {
+    return std::string();
+  }
+  if (address.size() == net::kIPv6AddressSize &&
+      std::equal(&kIPv6Empty[0], &kIPv6Empty[net::kIPv6AddressSize],
+                 address.begin())) {
+    return std::string();
+  }
+
+  return net::IPAddressToString(address);
+}

[bbudge, 2015/07/09 19:55:16]

nit: insert blank line

[avallee, 2015/07/13 18:29:10]

Done.

+}  // namespace
+
+void OpenFirewallHole(const net::IPEndPoint& address,
+                      chromeos::FirewallHole::PortType type,
+                      FirewallHoleOpenCallback callback) {
+  if (isLoopbackAddress(address.address())) {
+    callback.Run(nullptr);
+    return;
+  }
+  std::string address_string = addressToFirewallString(address.address());
+
+  chromeos::FirewallHole::Open(type, address.port(), address_string, callback);
+}
+
+void OpenTCPFirewallHole(const net::IPEndPoint& address,
+                         FirewallHoleOpenCallback callback) {
+  OpenFirewallHole(address, chromeos::FirewallHole::PortType::TCP, callback);
+}
+
+void OpenUDPFirewallHole(const net::IPEndPoint& address,
+                         FirewallHoleOpenCallback callback) {
+  OpenFirewallHole(address, chromeos::FirewallHole::PortType::UDP, callback);
+}
+#endif  // defined(OS_CHROMEOS)
+
 }  // namespace pepper_socket_utils
 }  // namespace content