Limit Gerrit SSH API connections to 100 per addr

Add a connlimit stanza to the firewall rules on Gerrit servers
limiting access to its SSH API port to 100 concurrent connections
per source IP address. This has been running in production on
review.openstack.org for a few months now, in the wake of a number
of incidents where runaway third-part CI systems resulted in a
denial of service incidents for our Gerrit deployment there.

Change-Id: Id92cef93c115faf88cc822ecd8e3df9ebd6fd9c3

manifests/site.pp

@@ -21,8 +21,12 @@ node default {
 #
 # Node-OS: trusty
 node 'review.openstack.org' {
+  $iptables_rules =
+    ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
   class { 'openstack_project::server':
     iptables_public_tcp_ports => [80, 443, 29418],
+    iptables_rules6           => $iptables_rules,
+    iptables_rules4           => $iptables_rules,
     sysadmins                 => hiera('sysadmins', []),
   }
 
@@ -62,8 +66,12 @@ node 'review.openstack.org' {
 
 # Node-OS: trusty
 node 'review-dev.openstack.org' {
+  $iptables_rules =
+    ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
   class { 'openstack_project::server':
     iptables_public_tcp_ports => [80, 443, 29418],
+    iptables_rules6           => $iptables_rules,
+    iptables_rules4           => $iptables_rules,
     sysadmins                 => hiera('sysadmins', []),
     afs                       => true,
   }