Hi, Can anyone help us to create a irule to limit number of client connection hitting to Virtual server , I got the same irule scenario in Dev central site for (iRule.Limit Connection from Client) , but thats not working with me its only logging the message not blocking the connection ,Kindly anyone help me to provide the irule for the same. Regards, Midhun P.K

Hi, Thanks Hoolio for your fast response , Below is the Irule Link Which i was using and F5 version We are having is 10.2 , My requirement is to limit the each client connection which is hitting to Virtual server , Let me try the Irule which you provided , Ill update you. Thanks http://devcentral.f5.com/wiki/iRules.LimitConnectionsFromClient.ashx

Hi Hoolio, I have tested using the Irule which you provided but it is not working , I have made Changes in Irule by setting client count Upto 5 and tested with one client but he is able to connect after 5 hit , Could you please help me on this

Hi Hoolio, Below is my configuration Information Virtual Server Port - 443 -- Pool Member --> Forwarding to Node in Port 80 Also configured oneconnet , http profile with Source address persistance. Client will connect Virtual server using port 443 and i need to limit the client connection to 20 , Kindly provide a solution for this

Help need to create a irule for limit Client Connection

hooleylist

Cirrostratus

Jan 24, 2012

You can take Thomas's logic and store the hosts and/or networks in a data group with the values set for the connection limit.


 Data group mapping hosts/networks to connection limit values
class conn_limit_dg {
   network 10.0.0.0/8 { "5" }
   network 192.168.0.0/16 { "5" }
   host 172.16.1.1 {"10"}
}


 From http://devcentral.f5.com/wiki/iRules.table.ashx
 Limit each client IP address to 20 concurrent connections
when CLIENT_ACCEPTED {
    Max connections per client IP
   set limit [class match [IP::client_addr] equals conn_limit_dg]
    Set a subtable name with a standard prefix and the client IP
   set tbl "connlimit:[IP::client_addr]"
    Use a key of the client IP:port
   set key "[IP::client_addr][TCP::client_port]"
    Check if the subtable has over X entries
   if { [table keys -subtable $tbl -count] >= $limit } {
      log local0. "[IP::client_addr]:[TCP::client_port]: Rejecting connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
      reject
   } else {
       Add the client IP:port to the client IP-specific subtable 
         with a max lifetime of 1800 seconds (30min)
      table set -subtable $tbl $key "ignored" 1800
      log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
   }
}
when CLIENT_CLOSED {
    When the client connection is closed, remove the table entry
   table delete -subtable $tbl $key
   log local0. "[IP::client_addr]:[TCP::client_port]: Decrementing ([table keys -subtable $tbl -count] connections / limit: $limit)"
}

Once you're done testing, make sure to comment out the log statements.

Aaron

midhun_108442
Nimbostratus
Jan 24, 2012
Hi Aaron/Thomas,

Thanks for you support.

I have configured the Irule and tested , its working fine .

Provided Irule wil block all Tcp connection , but i m looking for http/s request per client connection and i got the irule which match our requirement and tested its working , below is the Irule FYI

when RULE_INIT {

this is the life timer of the subtable object. defines how long this object exist in the subtable

set static::maxRate 10

This defines how long is the sliding window to count the requests. This example allows 10 requests in 3 seconds

set static::windowSecs 3

set static::timeout 30

}

when HTTP_REQUEST {

if { [HTTP::method] eq "GET" } {

set getCount [table key -count -subtable [IP::client_addr]]

log local0. "getCount=$getCount"

if { $getCount < $static::maxRate } {

incr getCount 1

table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs

} else {

log local0. "This user $user has exceeded the number of requests allowed. "

HTTP::respond 501 content "Request blockedExceeded requests/sec limit."

return

}

}

}

can u help me to chnage this irule base on different connection limit for each client by using data group,

Appreciate your support on this
midhun_108442
Nimbostratus
Jan 24, 2012
Hi Aaron/Thomas,

Thanks for you support.

I have configured the Irule and tested , its working fine .

Provided Irule wil block all Tcp connection , but i m looking for http/s request per client connection and i got the irule which match our requirement and tested its working , below is the Irule FYI

when RULE_INIT {

this is the life timer of the subtable object. defines how long this object exist in the subtable

set static::maxRate 10

This defines how long is the sliding window to count the requests. This example allows 10 requests in 3 seconds

set static::windowSecs 3

set static::timeout 30

}

when HTTP_REQUEST {

if { [HTTP::method] eq "GET" } {

set getCount [table key -count -subtable [IP::client_addr]]

log local0. "getCount=$getCount"

if { $getCount < $static::maxRate } {

incr getCount 1

table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs

} else {

log local0. "This user $user has exceeded the number of requests allowed. "

HTTP::respond 501 content "Request blockedExceeded requests/sec limit."

return

}

}

}

can u help me to chnage this irule base on different connection limit for each client by using data group,

Appreciate your support on this
hooleylist
Cirrostratus
Jan 24, 2012
Try Hamish's example for 10.1 or higher:

http://devcentral.f5.com/wiki/iRules.HTTP_Session_Limit.ashx

Aaron
midhun_108442
Nimbostratus
Jan 24, 2012
Hi Aaron,

Irule which i sent you is working for me but ,that will block all client connection with the same connection limit , is it possible to rewrite the irule for each client having different connection limit on the same irule .

Regards,

Midhun P.K

hooleylist

Cirrostratus

Jan 25, 2012

I think this should work if you've defined the host/network = limit pairs in the conn_limit_dg data group.

when RULE_INIT {
 This defines how long is the sliding window to count the requests. This example allows 10 requests in 3 seconds
set static::windowSecs 3
set static::timeout 30
}
when CLIENT_ACCEPTED {

 Max connections per client IP
set limit [class match [IP::client_addr] equals conn_limit_dg]
log local0. "[IP::client_addr]: \$limit: $limit"

}
when HTTP_REQUEST {
if { [HTTP::method] eq "GET" } {
set getCount [table key -count -subtable [IP::client_addr]]
log local0. "getCount=$getCount"
if { $getCount < $limit} {
incr getCount 1
table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs
} else {  log local0. "[IP::client_addr]: exceeded the number of requests allowed. $getCount / $limit"
HTTP::respond 501 content "Request blockedExceeded requests/sec limit."
}
}
}

Aaron

midhun_108442
Nimbostratus
Jan 26, 2012
Hi Aaron,

I have applied the above irule by creating Data Group "conn_limit_dg" defining Host with a vlue of 10a , but its not working ,The Web page is opening on every first request but its blocking after that and i can see the logs that my request is not crossing above 1 , below are my logs and attached screen-shot for Data Group entry , Kindly lookin to this and helpme to fix this.

Thu Jan 26 14:19:44 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test2 : getCount=0

Thu Jan 26 14:41:07 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test2 : getCount=0

Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=0

Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1

Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1

Regards,

Midhun p.k

hooleylist

Cirrostratus

Jan 26, 2012

Hi Midhun,

Can you try using this version with some additional debug logging?

when RULE_INIT {
 This defines how long is the sliding window to count the requests. This example allows 10 requests in 3 seconds
set static::windowSecs 3
}
when CLIENT_ACCEPTED {

 Max connections per client IP
set limit [class match -value [IP::client_addr] equals conn_limit_dg]
log local0. "[IP::client_addr]: \$limit: $limit"

}
when HTTP_REQUEST {
if { [HTTP::method] eq "GET" } {
set getCount [table key -count -subtable [IP::client_addr]]
log local0. "[IP::client_addr]: getCount=$getCount"
if { $getCount < $limit} {
incr getCount 1
table set -subtable [IP::client_addr] $getCount "" indefinite $static::windowSecs
} else {  log local0. "[IP::client_addr]: exceeded the number of requests allowed. $getCount / $limit"
HTTP::respond 501 content "Request blocked. Exceeded requests/sec limit."
}
}
}

Aaron

midhun_108442
Nimbostratus
Jan 26, 2012
Hi Aaron,

I have applied the rule and run the test , below are the logs message ,it shows Allowed maximum connection for the client is "1" and thats why its blocking my request randomly.

but i have allowed 10 connection for the client in Data Group list, but the script not taking that value, attached the screenshot of Datagroup list configuration FYI.

Thu Jan 26 23:59:38 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: $limit: 1

Thu Jan 26 23:59:38 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=0

Thu Jan 26 23:59:39 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: $limit: 1

Thu Jan 26 23:59:39 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:39 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:45 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=0

Thu Jan 26 23:59:46 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: $limit: 1

Thu Jan 26 23:59:46 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:46 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:48 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:48 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:50 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=0

Thu Jan 26 23:59:50 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: $limit: 1

Thu Jan 26 23:59:50 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:50 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:51 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:51 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:53 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:53 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:54 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=0

Thu Jan 26 23:59:55 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: $limit: 1

Thu Jan 26 23:59:55 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:55 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:56 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:56 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:57 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1

Thu Jan 26 23:59:57 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Thu Jan 26 23:59:59 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=0

Fri Jan 27 00:00:00 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: $limit: 1

Fri Jan 27 00:00:00 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1

Fri Jan 27 00:00:00 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1

Fri Jan 27 00:00:01 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1

Fri Jan 27 00:00:01 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
hooleylist
Cirrostratus
Jan 26, 2012
Sorry for missing this... the class match command was missing the -value flag so it was just returning 1 for true (meaning the client IP was found in the data group). Using the -value flag indicates class match should return the value for the corresponding data group key. I've edited my post above with the update. Can you try that instead?

Thanks, Aaron

Forum Discussion

Help need to create a irule for limit Client Connection

Recent Discussions

MAC address of deleted VS IP address still responsive

Different common name ssl acces 403 forbiddent

TMSH Command to list ASM policies not attached to any virtual servers in all partitions

dynamic signature detection

DNS HM Probe issue

Related Content

F5 LTM SNAT: only 1 outgoing connection, multiple internal clients

Issues with Mac Edge clients connecting to internet?

Unable to Create UCS files

Outbound routing creates connections that never clear

Routing problem for connect() in iRule

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS