Forum Discussion
hooleylist
Jan 23, 2012Cirrostratus
Can you try this version with logging, retest and post the logs?
From http://devcentral.f5.com/wiki/iRules.table.ashx
Limit each client IP address to 20 concurrent connections
when CLIENT_ACCEPTED {
Max connections per client IP
set limit 20
Set a subtable name with a standard prefix and the client IP
set tbl "connlimit:[IP::client_addr]"
Use a key of the client IP:port
set key "[IP::client_addr][TCP::client_port]"
Check if the subtable has over X entries
if { [table keys -subtable $tbl -count] > $limit } {
log local0. "[IP::client_addr]:[TCP::client_port]: Rejecting connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
reject
} else {
Add the client IP:port to the client IP-specific subtable
with a max lifetime of 1800 seconds (30min)
table set -subtable $tbl $key "ignored" 1800
log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
}
}
when CLIENT_CLOSED {
When the client connection is closed, remove the table entry
table delete -subtable $tbl $key
log local0. "[IP::client_addr]:[TCP::client_port]: Decrementing ([table keys -subtable $tbl -count] connections / limit: $limit)"
}
Aaron