Forum Discussion
ocnsinc_68625 (Nimbostratus), May 10, 2012
Connection Limit iRule not rejecting concurrent sessions as expected
Hi --
The below iRule was enabled on a specific V/S to reject more than one session for a given unique source IPADDR. After enabling the iRule, rejection notifications are logged in the "ltm" syslog. However, when checking the member servers in the V/S pool, some concurrent sessions are still getting through the iRule. Does anyone see an issue with the below iRule, or know of any other issue that may cause the iRule to only partially work?
Thanks --
====================================================
when RULE_INIT {
    # global array shared by all connections, keyed by client IP address
    array set ::Connections { }
}
when CLIENT_ACCEPTED {
    set ipaddr [IP::remote_addr]
    set tcpPrt [TCP::client_port]
    log local0. "Client Accepted from $ipaddr"
    if { [info exists ::Connections($ipaddr)] } {
        # an entry already exists for this source IP: reject the new connection
        set tcpport $::Connections($ipaddr)
        log local0. "Reject Client Session from $ipaddr:$tcpPrt - "
        log local0. " --> Session Entry $ipaddr:$tcpport, in progress ..."
        reject
        return
    } else {
        # first connection from this IP: record its client port
        set ::Connections($ipaddr) $tcpPrt
        set tcpport $::Connections($ipaddr)
        log local0. "Created Session Entry for $ipaddr:$tcpport ..."
    }
}
when CLIENT_CLOSED {
    # runs for every closing connection, including one that was rejected above;
    # the entry is removed whenever the closing connection's IP matches the key
    if { [info exists ::Connections($ipaddr)] } {
        set tcpport $::Connections($ipaddr)
        log local0. "Remove Session Entry $ipaddr:$tcpport ..."
        unset ::Connections($ipaddr)
    }
}
====================================================
- George_Watkins (Historic F5 Account): Hi ocnsinc,
when RULE_INIT {
    # lifetime (in seconds) of connection tracker record(s): maximum length of time
    # a connection will be tracked if the connection is not explicitly closed
    set static::lifetime 600
    # logging - 0 = off, 1 = on; disable unless testing
    set static::logging 0
}
when CLIENT_ACCEPTED {
    set static::table_name [virtual name]_connection_tracker
    set conn [table lookup -subtable $static::table_name [IP::remote_addr]]
    if { $conn ne "" } {
        # client already has an active connection, rejecting subsequent connection
        reject
        if { $static::logging == 1 } {
            log local0. "Rejecting connection from [IP::remote_addr]"
        }
    } else {
        table add -subtable $static::table_name [IP::remote_addr] 1 indef $static::lifetime
        if { $static::logging == 1 } {
            log local0. "Adding connection for [IP::remote_addr] to tracker"
        }
    }
}
when CLIENT_CLOSED {
    table delete -subtable $static::table_name [IP::remote_addr]
    if { $static::logging == 1 } {
        log local0. "Removing connection for [IP::remote_addr] from tracker"
    }
}
- ocnsinc_68625 (Nimbostratus): Hi George –
- spark_86682 (Historic F5 Account): The only way to access a sort of global data store on 10.0.x is the session command. However, it can't provide a 100% perfect solution, since it doesn't really provide any good concurrency tools for you (which is why we wrote the table command). You'd have to do something like:
if { [session lookup uie $ipaddr] != 1 } {
    session add uie $ipaddr 1
} else {
    reject
}
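The thread leaves two questions open: why a limiter keyed only on source IP can let extra sessions through, and how to keep a count that survives concurrent CLIENT_ACCEPTED events on different TMMs. The iRule below is an added example written for this page; it is not code from the original posters or from F5. It assumes a BIG-IP version with the table command (v10.1 or later, which George's reply also relies on), and the subtable name, the static::max_conns limit and the static::lifetime value are constructed for illustration. It differs from both posted rules in two ways: it counts connections per IP with table incr (atomic across TMMs, so there is no lookup-then-add window), and it remembers per connection whether that connection was admitted, so the CLIENT_CLOSED event that follows a reject does not decrement the counter on behalf of the connection it displaced.

```tcl
when RULE_INIT {
    # maximum concurrent connections allowed per source IP (constructed value)
    set static::max_conns 1
    # seconds a counter record may live without being touched; guards against
    # a leaked count if CLIENT_CLOSED never fires for a connection
    set static::lifetime 600
}
when CLIENT_ACCEPTED {
    # per-connection state: local variables persist into CLIENT_CLOSED for this flow
    set tracked 0
    set key [IP::remote_addr]
    # one subtable per virtual server so limits do not bleed across virtuals
    set tbl "[virtual name]_conn_count"
    # table incr creates the key if absent and returns the value after increment;
    # the increment itself is atomic, so two TMMs cannot both see "0 -> 1"
    set n [table incr -subtable $tbl $key]
    if { $n > $static::max_conns } {
        # over the limit: give the slot back before rejecting, because CLIENT_CLOSED
        # will also fire for this rejected connection and must not decrement twice
        table incr -subtable $tbl $key -1
        reject
        return
    }
    set tracked 1
    # refresh the record lifetime on every admitted connection
    table timeout -subtable $tbl $key $static::lifetime
}
when CLIENT_CLOSED {
    # only a connection that was admitted (and therefore counted) releases a slot;
    # a rejected connection already undid its increment in CLIENT_ACCEPTED
    if { $tracked } {
        table incr -subtable $tbl $key -1
    }
}
```

With this shape the counter never goes below the number of live admitted connections from an address, which is what the original rule's unset in CLIENT_CLOSED could not guarantee once a rejected connection closed. A record that has decayed to zero is left to expire on its own rather than deleted, since deleting it would race with a simultaneous increment on another TMM.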