Forum Discussion

dogg_dogg_23774
Jun 06, 2013

connection limit by subnet

I have a group of users in the 10.1.1.0/24 segment, and another group in 10.3.1.0/24. What I want to do is: if concurrent connections from 10.1.1.0/24 are greater than 100, drop connection requests from 10.3.1.0/24; otherwise accept connections from 10.3.1.0/24 as well. No limit on the 10.1.1.0/24 side.

I am having trouble figuring out how to do this. Does anyone have samples that make it possible?

Thanks,

1 Reply

  • I think you may add the 10.1.1.0/24 client to a table when the connection is established and remove it when it is closed. When a 10.3.1.0/24 client comes, count the table to see whether it reaches the threshold. If yes, drop the 10.3.1.0/24 client. static::lifetime is set in case CLIENT_CLOSED is not triggered, so an entry won't stay in the table forever.

    e.g.

    [root@ve10:Active] config  b rule myrule list
    rule myrule {
      when RULE_INIT {
        # Max age of a table entry (seconds), in case CLIENT_CLOSED never fires
        set static::lifetime 86400
        # Number of concurrent 10.1.1.0/24 connections above which 10.3.1.0/24 is dropped
        set static::limit 100
      }
      when CLIENT_ACCEPTED {
        # Track every 10.1.1.0/24 connection by ip:port; never limit this subnet
        if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
          table set -subtable "connlimit" "[IP::client_addr]:[TCP::client_port]" " " indefinite $static::lifetime
          return
        }
        # Only 10.3.1.0/24 is subject to the threshold; other sources pass through
        if { [table keys -subtable "connlimit" -count] > $static::limit } {
          if { [IP::addr [IP::client_addr] equals 10.3.1.0/24] } {
            drop
          }
        }
      }
      when CLIENT_CLOSED {
        # Release the tracked entry when the 10.1.1.0/24 connection closes
        if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
          table delete -subtable "connlimit" "[IP::client_addr]:[TCP::client_port]"
        }
      }
    }
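To see how the reply's table-based admission logic behaves at the threshold and after entries age out, here is an added plain-Python model of it (example code, not part of the original post or an F5 API); the subnets, limit and lifetime mirror the thread, while the client ports, timestamps and traffic sequence are constructed.

```python
import ipaddress
from typing import Dict, Tuple

# Added example modelling the reply's iRule; not F5 code. Values mirror the thread.
PROTECTED = ipaddress.ip_network("10.1.1.0/24")  # counted, never limited
LIMITED = ipaddress.ip_network("10.3.1.0/24")    # dropped once the count exceeds LIMIT
LIMIT = 100       # static::limit
LIFETIME = 86400  # static::lifetime (seconds): reaps entries if CLIENT_CLOSED is missed


class ConnLimitTable:
    """Mimics the 'connlimit' subtable: key (ip, port) -> time the entry was set."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, int], float] = {}

    def count(self, now: float) -> int:
        # Entries older than LIFETIME are dropped, as the table lifetime would do.
        self.entries = {k: t for k, t in self.entries.items() if now - t < LIFETIME}
        return len(self.entries)

    def client_accepted(self, ip: str, port: int, now: float) -> str:
        """CLIENT_ACCEPTED: returns 'accept' or 'drop' for this new connection."""
        addr = ipaddress.ip_address(ip)
        if addr in PROTECTED:
            self.entries[(ip, port)] = now  # table set ... indefinite $static::lifetime
            return "accept"
        if self.count(now) > LIMIT and addr in LIMITED:
            return "drop"
        return "accept"  # other sources, or LIMITED while under the threshold

    def client_closed(self, ip: str, port: int) -> None:
        """CLIENT_CLOSED: release the tracked entry (no-op for untracked clients)."""
        self.entries.pop((ip, port), None)


def simulate() -> Tuple[str, str, str]:
    """Constructed scenario: 101 protected connections, one close, then expiry."""
    t = ConnLimitTable()
    for i in range(101):  # 101 concurrent 10.1.1.0/24 connections at t=0
        t.client_accepted(f"10.1.1.{i + 1}", 40000 + i, now=0.0)
    over = t.client_accepted("10.3.1.7", 5555, now=1.0)      # 101 > 100 -> drop
    t.client_closed("10.1.1.1", 40000)                         # count falls to 100
    at_limit = t.client_accepted("10.3.1.7", 5556, now=2.0)  # 100 is not > 100 -> accept
    stale = t.client_accepted("10.3.1.8", 5557, now=LIFETIME + 5.0)  # all aged out
    return over, at_limit, stale
```

Note that the check is strictly greater than the limit, so exactly 100 tracked connections still lets 10.3.1.0/24 in.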