default[:networking][:firewall][:inet] = []
default[:networking][:firewall][:inet6] = []
+default[:networking][:firewall][:http_connection_limit] = "-"
default[:networking][:interfaces] = {}
default[:networking][:nameservers] = []
default[:networking][:search] = []
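Review bot: The new `http_connection_limit` default has no comment saying what format it takes or that `"-"` means no limit is applied. The value ends up in the CONNLIMIT column of the Shorewall rules template and is used for both the accept-http and accept-https rules, which the attribute name alone does not convey. I would add `# Shorewall CONNLIMIT (limit[:mask]) for the accept-http and accept-https rules; "-" leaves it unlimited` above the line. The role changed in this commit sets the attribute to the integer 10 while the default is a string; both render the same, but the comment should say which types are expected.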
:proto => params[:proto],
:dest_ports => params[:dest_ports] || "-",
:source_ports => params[:source_ports] || "-",
- :rate_limit => params[:rate_limit] || "-"
+ :rate_limit => params[:rate_limit] || "-",
+ :connection_limit => params[:connection_limit] || "-"
]
if params[:family].nil?
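Review bot: `params[:connection_limit]` on the added line is stored as given and later written unquoted into a whitespace-separated rules file, so a value containing a space or a newline would shift columns or start a new rule line. The attributes are operator-controlled, so this is a robustness check rather than an input-trust problem, but a guard such as `raise ArgumentError, "bad connection_limit" unless (params[:connection_limit] || "-").to_s =~ /\A(-|!?\d+(:\d+)?)\z/` would fail the Chef run instead of emitting a malformed firewall; adjust the pattern to the Shorewall syntax you intend to support. `rate_limit` just above is passed through the same way. The definition body starts and ends outside this hunk.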
dest "fw"
proto "tcp:syn"
dest_ports "http"
+ connection_limit node[:networking][:firewall][:http_connection_limit]
end
firewall_rule "accept-https" do
dest "fw"
proto "tcp:syn"
dest_ports "https"
+ connection_limit node[:networking][:firewall][:http_connection_limit]
end
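Review bot: Both `connection_limit` lines pass the same bare number with no mask, and because the rule definition appears to add the rule to both the inet and inet6 lists when no family is given, the IPv6 limit is counted per single address. As far as I know the connlimit match defaults to a /32 mask for IPv4 and /128 for IPv6, so a client that holds a whole /64 is barely constrained while IPv4 clients are; please confirm against the Shorewall version in use. Consider a per-family value, for example a separate inet6 rule with `connection_limit "#{limit}:64"`, or a second attribute for IPv6. The `accept-http` rule's opening line is outside the hunk.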
SECTION NEW
<% end -%>
-# ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
+# ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER MARK CONNLIMIT
# PORTS PORTS DEST LIMIT
<% node[:networking][:firewall][@family].each do |r| # ~FC034 -%>
-<%= r[:action] %> <%= r[:source] %> <%= r[:dest] %> <%= r[:proto] %> <%= r[:dest_ports] %> <%= r[:source_ports] %> - <%= r[:rate_limit] %>
+<%= r[:action] %> <%= r[:source] %> <%= r[:dest] %> <%= r[:proto] %> <%= r[:dest_ports] %> <%= r[:source_ports] %> - <%= r[:rate_limit] %> - - <%= r[:connection_limit] %>
<% end -%>
}
}
},
+ :networking => {
+ :firewall => {
+ :http_connection_limit => 10
+ }
+ },
:apache => {
:mpm => "event",
:keepalive => true,
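Review bot: A cap of 10 concurrent connections per source address at `:http_connection_limit => 10` is low enough to refuse legitimate clients that share an address, such as users behind a corporate proxy or carrier NAT, and the role records no rationale for the number. Connections over the limit will presumably fail to match the accept rule and fall through to whatever policy follows, which is not visible here, so the failure mode for those clients should be checked. I would add a comment such as `# per-source cap on concurrent HTTP(S) connections; raise if clients sit behind shared NAT` next to the value. The role hash starts and ends outside this hunk.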