Fix Pepper socket API to open incoming ports in the firewall.

content/browser/renderer_host/pepper/pepper_socket_utils.cc

Index: content/browser/renderer_host/pepper/pepper_socket_utils.cc
diff --git a/content/browser/renderer_host/pepper/pepper_socket_utils.cc b/content/browser/renderer_host/pepper/pepper_socket_utils.cc
index 73fcb5697355d0dc2556f1db78ebeb7aa05afc63..e3f089edd25b8398480901476ebb840f9aaaff70 100644
--- a/content/browser/renderer_host/pepper/pepper_socket_utils.cc
+++ b/content/browser/renderer_host/pepper/pepper_socket_utils.cc
@@ -156,14 +156,6 @@ bool IsLoopbackAddress(const net::IPAddress& address) {
   return false;
 }
 
-std::string AddressToFirewallString(const net::IPAddress& address) {
-  if (address.IsZero() || address.empty()) {
-    return std::string();
-  }
-
-  return address.ToString();
-}
-
 }  // namespace
 
 void OpenFirewallHole(const net::IPEndPoint& address,
@@ -173,9 +165,13 @@ void OpenFirewallHole(const net::IPEndPoint& address,
     callback.Run(nullptr);
     return;
   }
-  std::string address_string = AddressToFirewallString(address.address());
 
-  chromeos::FirewallHole::Open(type, address.port(), address_string, callback);
+  // TODO(sergeyu): Currently an empty string is passed as interface name, which
+  // means the port will be opened on all network interfaces. Interface name
+  // can be resolved by the address, but the best solution would be to update
+  // firewalld to allow filtering by destination address, not just destination
+  // port. iptables already support it.
+  chromeos::FirewallHole::Open(type, address.port(), std::string(), callback);

[avallee, 2017/01/23 19:28:23]

Might be a bit of plumbing to have both interface or address strings all the way
to firewalld but that would be ideal. The other thing I had considered was
looking up which interface had that address, but that might not be available
here or even a 1-1 mapping.

 }
 
 void OpenTCPFirewallHole(const net::IPEndPoint& address,