RDKDEV-1085: limit port range for webrtc peer connections

[mikolaj-staworzynski-red]

Port range limit is retrieved from env variable: WEBRTC_PEER_PORT_RANGE

[modeveci]

@emutavchi , Could you please look at this PR as well? It is important to know effects on all use-cases.

[philn]

What issue is this fixing?

[mikolaj-staworzynski-red]

That is related more to our internal STB firewall setup and NASC restrictions, as a general rule we have there on input traffic default DROP rule.

Problem was observed by us in the case of host to host WebRTC streaming (both being in the same local network) example drop:

Aug 20 15:42:18.078218 000378-EOS2STB-008388647706 kernel: DROP: IN=eth2 OUT= MAC=4c:d0:8a:2b:c4:19:00:2b:67:13:14:a8:08:00 SRC=192.168.50.118 DST=192.168.50.201 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=40595 DF PROTO=UDP SPT=37659 DPT=33807 LEN=108

(1) Usually without extra setup, the port is selected from ephemeral port range (next free is selected).
(2) Without having that kind of limitation we would need to open the wider range of ports (in our case range from port 32768 to 60999 that we would like to avoid and limit as much as possible).

Simply saying that env variable and setup give us more control on that behaviour and allow to selectively manage the incoming traffic.

[philn]

And on which devices is this needed? I wonder if instead of adding yet another env var this could be handled using the Quirks system.

[modeveci]

@philn , what do you think? Is that something needs to be outside of browser code or fine to have in browser? I am asking because it seems it is a requirement of specific platform not webrtc protocol, am I correct ?

[philn]

Well, I think this might be a browser decision, I'll investigate this further and get back asap.

[philn]

@philn , what do you think? Is that something needs to be outside of browser code or fine to have in browser?

I think this could be a runtime setting in WebKit, maybe.

I am asking because it seems it is a requirement of specific platform not webrtc protocol, am I correct ?

The protocol doesn't mandate a specific range of UDP ports afaik. It's up to each client's kernel to allocate port.

[mikolaj-staworzynski-red]

I think this could be a runtime setting in WebKit, maybe.

@philn for us it is enough to have it configurable via env variable.

Is my understanig correct? That to have it, we should introduce something like:

WebRTCPeerPortMax:
type: uint32_t
condition: ENABLE(WEB_RTC)
defaultValue:
WebKitLegacy:
default: 0
WebKit:
default: 0
WebCore:
default: 0
WebRTCPeerPortMin:
type: uint32_t
condition: ENABLE(WEB_RTC)
defaultValue:
WebKitLegacy:
default: 0
WebKit:
default: 0
WebCore:
default: 0

... in Source/WTF/Scripts/Preferences/WebPreferences.yaml

... and then introduce setting implementation (glib version and extra two properties in Source/WebKit/UIProcess/ API/glib/WebKitSettings.cpp), something like:
guint16 webkit_settings_get_min_rtc_peer_port_range(WebKitSettings *settings)
void webkit_settings_set_min_rtc_peer_port_range(WebKitSettings *settings, guint16 val)
guint16 webkit_settings_get_max_rtc_peer_port_range(WebKitSettings *settings)
void webkit_settings_ set_max_rtc_peer_port_range(WebKitSettings *settings, guint16 val)

... and also: WkPreferencesGet/WkPreferencesSet API for that new preferences

... and then propagate that via plugin config from Webkitbrowser plugin to Webkit ?

Is that the way to update that pull request to introduce/upstream that ?

[philn]

Yes, see WebKit/WebKit#34221 which I need to update (some test failing).

[philn]

I'm preparing the backport from upstream, including the env var support, which will remain downstream.