From c5db057901b7ba18aa6a36b26f94f61987bc1336 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Thu, 21 Dec 2017 20:36:25 +0000
Subject: [PATCH] Limit Gerrit SSH API connections to 100 per addr

Add a connlimit stanza to the firewall rules on Gerrit servers limiting access to its SSH API port to 100 concurrent connections per source IP address. This has been running in production on review.openstack.org for a few months now, in the wake of a number of incidents where runaway third-part CI systems resulted in a denial of service incidents for our Gerrit deployment there.

Change-Id: Id92cef93c115faf88cc822ecd8e3df9ebd6fd9c3
---
 manifests/site.pp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/manifests/site.pp b/manifests/site.pp
index 764e68e5a0..02824c4903 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -21,8 +21,12 @@ node default {
 #
 # Node-OS: trusty
 node 'review.openstack.org' {
+ $iptables_rules =
+ ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [80, 443, 29418],
+ iptables_rules6 => $iptables_rules,
+ iptables_rules4 => $iptables_rules,
 sysadmins => hiera('sysadmins', []),
 }
 
@@ -62,8 +66,12 @@ node 'review.openstack.org' {
 # Node-OS: trusty
 node 'review-dev.openstack.org' {
+ $iptables_rules =
+ ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [80, 443, 29418],
+ iptables_rules6 => $iptables_rules,
+ iptables_rules4 => $iptables_rules,
 sysadmins => hiera('sysadmins', []),
 afs => true,
 }
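Review bot: The same `$iptables_rules` string is handed to both `iptables_rules4` and `iptables_rules6`, but connlimit groups by the full source address when no `--connlimit-mask` is given (a /32 for IPv4, a /128 for IPv6), so on the v6 path a client holding the customary /64 can keep opening connections from fresh addresses and never hit the 100-connection cap; the IPv6 rule needs its own variable, e.g. `$iptables_rules6 = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 --connlimit-mask 64 -j REJECT']`, with the v4 rule kept as written. Consider `-j REJECT --reject-with tcp-reset` too, since the default ICMP port-unreachable reply leaves Gerrit clients retrying instead of failing fast. Whether the REJECT ever matches also depends on `openstack_project::server` placing these custom rules ahead of the ACCEPT it generates for the public port 29418 listed in `iptables_public_tcp_ports`; that ordering is not visible in this hunk and is worth confirming. The literal rule is pasted into both node definitions, so a single shared variable or hiera value would keep the two hosts in step, and both node blocks continue past the end of the hunk.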