Implement rate limiting

Refs #70

roles/install/files/kf2-ddos.conf

@@ -0,0 +1,4 @@
+:msg, regex, ".*_DROP: .* DPT=7777 .*" /var/log/kf2-ddos.log
+& stop
+:msg, regex, ".*_REJECT: .* DPT=7777 .*" /var/log/kf2-ddos.log
+& stop

roles/install/handlers/main.yml

@@ -3,3 +3,12 @@
   systemd:
     daemon_reload: true
   when: servicecheck.systemd
+
+- name: Reload firewalld configuration
+  command:
+    cmd: firewall-cmd --reload
+
+- name: Reload rsyslog configuration
+  systemd:
+    name: rsyslog.service
+    state: restarted

roles/install/tasks/firewalld.yml

@@ -1,17 +1,39 @@
 ---
-- include_role:
-    name: bviktor.servicecheck
-  vars:
-    unit: firewalld.service
+- name: Install rsyslog
+  package:
+    name: rsyslog
+    state: latest
+
+- name: Enable rsyslog
+  systemd:
+    name: rsyslog.service
+    state: started
+    enabled: true
+
+- name: Configure KF2 DDoS logging
+  copy:
+    src: kf2-ddos.conf
+    dest: /etc/rsyslog.d/kf2-ddos.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Reload rsyslog configuration
+
+- name: Log packets denied by firewalld
+  lineinfile:
+    path: /etc/firewalld/firewalld.conf
+    regexp: '^LogDenied='
+    line: LogDenied=all
+  notify: Reload firewalld configuration
 
 - include_role:
     name: bviktor.firewalld
   vars:
     service: 'kf2'
     port: "{{ item }}"
+    rate_limit: '10/m'
   loop:
     - '7777/udp'
     - '20560/udp'
     - '27015/udp'
     - '8080/tcp'
-  when: servicecheck.started

roles/install/tasks/main.yml

@@ -12,7 +12,15 @@
 - include_tasks: kf2.yml
 - include_tasks: systemd.yml
 - include_tasks: sudo.yml
+
+- include_role:
+    name: bviktor.servicecheck
+  vars:
+    unit: firewalld.service
+
 - include_tasks: firewalld.yml
+  when: servicecheck.started
+
 - include_tasks: config.yml
 - include_tasks: autokick.yml
 - include_tasks: killinuxfloor.yml