Moving ssl DoS mitigation snippets to firewall.pp
authorSilvio Rhatto <rhatto@riseup.net>
Sat, 19 Jan 2013 18:49:25 +0000 (16:49 -0200)
committerSilvio Rhatto <rhatto@riseup.net>
Sat, 19 Jan 2013 18:49:25 +0000 (16:49 -0200)
manifests/kvm.pp
manifests/physical.pp
manifests/subsystems/firewall.pp

index 2686cd8e4e8231d7fd2fa8c68c67741518fa0d2e..b6e2c51c264902d9e5b5df3b26afab7a0bcafbec 100644 (file)
@@ -9,16 +9,6 @@ class nodo::kvm inherits nodo {
   include resolver
   include monkeysphere_nodo
 
-  # SSL computational DoS mitigation
-  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
-  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
-    ''      => $firewall_global_ssl_ratelimit ? {
-      ''      => '-',
-      default => $firewall_global_ssl_ratelimit,
-    },
-    default => $firewall_ssl_ratelimit,
-  }
-
   # Firewall configuration
   include firewall
 
index bb026d46c104e5ffc9ad0ad244185eb188200498..4a81e0098713379d5d5d1c4678ce54c035126588 100644 (file)
@@ -11,16 +11,6 @@ class nodo::physical inherits nodo {
 
   class { 'syslog-ng': }
 
-  # SSL computational DoS mitigation
-  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
-  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
-    ''      => $firewall_global_ssl_ratelimit ? {
-      ''      => '-',
-      default => $firewall_global_ssl_ratelimit,
-    },
-    default => $firewall_ssl_ratelimit,
-  }
-
   # Firewall configuration
   include firewall
 
index 949a81d0f8c3fbd90594fcfb5b50fa3ca535df17..a43662f384b9eb1c2351ccaa67006c565e319dfa 100644 (file)
@@ -2,6 +2,16 @@
 class firewall {
   class { 'shorewall': }
 
+  # SSL computational DoS mitigation
+  # See http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
+  $firewall_ssl_ratelimit = $firewall_ssl_ratelimit ? {
+    ''      => $firewall_global_ssl_ratelimit ? {
+      ''      => '-',
+      default => $firewall_global_ssl_ratelimit,
+    },
+    default => $firewall_ssl_ratelimit,
+  }
+
   $rfc1918 = $shorewall_local_net ? {
     true    => true,
     false   => false,
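Review bot: The selector added to `class firewall` falls back to `'-'` when neither `$firewall_ssl_ratelimit` nor `$firewall_global_ssl_ratelimit` is set, which presumably means no rate limit is applied, so the SSL DoS mitigation is off by default and the comment does not say so. I would extend the comment with something like `# Defaults to '-' (no rate limit); set $firewall_ssl_ratelimit per node or $firewall_global_ssl_ratelimit globally to enable`. Because the assignment now lives in the `firewall` class scope instead of `nodo::kvm` and `nodo::physical`, it is worth confirming that every rule reading `$firewall_ssl_ratelimit` is evaluated inside or below this class; a consumer declared elsewhere would likely see the unset value and silently skip the limit. The class body continues past the end of the hunk, so those consumers are not visible here.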