
jbackman
Nov 19, 2018

Bandwidth limiting and reporting per client

I am trying to implement bandwidth limiting and reporting on a per-client basis, but am not sure it is working the way I intend. I want to limit each client to 150 Mbps using bandwidth control and then be able to report when a client is actually being rate limited. I created my BWC config with the following config:

create net bwc policy BC-BCS-RLPC {max-rate 160gbps max-user-rate 150mbps dynamic enabled}

The original script we used was:

when RULE_INIT {
    # Bandwidth in bytes/sec
    set static::maxBandwidth 18750000
    set static::logDelay 300
} 
when CLIENT_ACCEPTED {
    set hsl [HSL::open -publisher /Common/management-port-pub]
    set srcip [IP::client_addr]
    BWC::policy attach BC-BCS-RLPC $srcip
    HSL::send $hsl  "<158> User $srcip attached to BC-BCS-RLPC" 
}
when HTTP_REQUEST {
    if {[ set logLastTime [table lookup -subtable lastBandwithLog $srcip ]] eq "" } then {
        set bw [TCP::bandwidth]
        if { $bw > $static::maxBandwidth } { 
            table add -subtable lastBandwithLog $srcip 1 indef $static::logDelay
            HSL::send $hsl  "<158> User $srcip bandwidth $bw exceeds the BWC limit of $static::maxBandwidth" 
        }
    } 
}

But this seems to display a strange maximum value of 16776960 (possibly a limit on the TCP::bandwidth reporting)

I have rewritten the script as:

when RULE_INIT {
    # Bandwidth in bits/sec
    set static::maxBandwidth 150000000
    set static::logDelay 300
} 
when CLIENT_ACCEPTED {
    set hsl [HSL::open -publisher /Common/management-port-pub]
    set srcip [IP::client_addr]
    BWC::policy attach BC-BCS-RLPC $srcip
    HSL::send $hsl  "<158> User $srcip attached to BC-BCS-RLPC" 
}
when HTTP_REQUEST {
    if {[ set logLastTime [table lookup -subtable lastBandwithLog $srcip ]] eq "" } then {
        # IP::stats age is in milliseconds; skip connections younger than 1 s
        # so the integer division cannot yield 0 and trigger a divide by zero.
        set totalTime [ expr  { [IP::stats age] / 1000 } ]
        if { $totalTime > 0 } {
            set bpsOut [ expr { ( [IP::stats bytes out] * 8 ) / $totalTime } ]
            set bpsIn  [ expr { ( [IP::stats bytes in] * 8 ) / $totalTime } ]
            if { $static::maxBandwidth < $bpsIn || $static::maxBandwidth < $bpsOut } { 
                table add -subtable lastBandwithLog $srcip 1 indef $static::logDelay
                HSL::send $hsl  "<158> User $srcip bandwidth $bpsIn/$bpsOut (in/out) exceeds the BWC limit of $static::maxBandwidth" 
            }
        }
    } 
}
  1. Does the new script do what I intend it to do (attach a client IP to a specific BW policy and report on a sliding 5 minute window when the client exceeds the limit)?
  2. Are there any performance concerns with the new script?
  3. Is there a better way to do this?
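
Added example, not part of the original post and not F5 code: a plain Tcl model of the arithmetic in the rewritten iRule, showing what `bytes * 8 / age` measures and how the `table` entry throttles log messages. It assumes `IP::stats age` is in milliseconds (as the division by 1000 in the post implies); the proc names, byte counts, ages and client IP are constructed for illustration.

```tcl
# Plain Tcl model of the rate arithmetic in the rewritten iRule (added example).
# Byte counts, ages and the client IP are constructed sample values.
set maxBandwidth 150000000   ;# bits/sec, as in the post
set logDelay     300         ;# seconds, as in the post

# Average rate as the iRule computes it: age cut to whole seconds first.
# Returns "" when the age truncates to 0 s (the division would fail there).
proc avg_bps_truncated {bytes ageMs} {
    set totalTime [expr {$ageMs / 1000}]
    if {$totalTime == 0} { return "" }
    return [expr {($bytes * 8) / $totalTime}]
}

# Same average taken from milliseconds, so sub-second ages still give a rate.
proc avg_bps_ms {bytes ageMs} {
    if {$ageMs <= 0} { return 0 }
    return [expr {($bytes * 8 * 1000) / $ageMs}]
}

# Log suppression modelled on the table entry: one message per client per delay.
proc should_log {lastLogVar ip now delay} {
    upvar 1 $lastLogVar lastLog
    if {[info exists lastLog($ip)] && $now - $lastLog($ip) < $delay} {
        return 0
    }
    set lastLog($ip) $now
    return 1
}

foreach {bytes ageMs what} {
    20000000    800  "0.8 s old, 200 Mbps so far"
    50000000   2000  "2 s old, 200 Mbps so far"
    50000000  60000  "same bytes, idle until 60 s"
} {
    set ms [avg_bps_ms $bytes $ageMs]
    puts [format "%-30s truncated=%-10s ms=%-10s over=%d" $what \
        [avg_bps_truncated $bytes $ageMs] $ms [expr {$ms > $maxBandwidth}]]
}

array set seen {}
foreach now {0 100 299 300} {
    puts "t=$now log=[should_log seen 192.0.2.10 $now $logDelay]"
}
```

The third sample shows that the figure is an average over the whole age of the connection, so a burst followed by idle time falls back under the threshold, while the suppression window is a fixed interval that starts at the first logged message.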