Forum Discussion
midhun_108442
Nimbostratus
Jan 21, 2012
Help needed to create an iRule to limit client connections
Hi,
Can anyone help us create an iRule to limit the number of client connections hitting a virtual server? I found the same iRule scenario on the DevCentral site (iRules.Limit Connection from Client), but that is not working for me; it is only logging the message, not blocking the connection. Kindly help me with an iRule for this.
Regards,
Midhun P.K
25 Replies
- hoolio
Cirrostratus
You can take Thomas's logic and store the hosts and/or networks in a data group with the values set for the connection limit.

Data group mapping hosts/networks to connection limit values:

    class conn_limit_dg {
       network 10.0.0.0/8 { "5" }
       network 192.168.0.0/16 { "5" }
       host 172.16.1.1 { "10" }
    }

From http://devcentral.f5.com/wiki/iRules.table.ashx (Limit each client IP address to 20 concurrent connections), adapted to read the limit from the data group:

    when CLIENT_ACCEPTED {
       # Max connections per client IP, read from the data group
       # (-value returns the stored value; without it class match returns 1 for "matched")
       set limit [class match -value [IP::client_addr] equals conn_limit_dg]
       # Set a subtable name with a standard prefix and the client IP
       set tbl "connlimit:[IP::client_addr]"
       # Use a key of the client IP:port
       set key "[IP::client_addr]:[TCP::client_port]"
       # Check if the subtable already has $limit or more entries
       if { [table keys -subtable $tbl -count] >= $limit } {
          log local0. "[IP::client_addr]:[TCP::client_port]: Rejecting connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
          reject
       } else {
          # Add the client IP:port to the client IP-specific subtable with a max lifetime of 1800 seconds (30min)
          table set -subtable $tbl $key "ignored" 1800
          log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
       }
    }
    when CLIENT_CLOSED {
       # When the client connection is closed, remove the table entry
       table delete -subtable $tbl $key
       log local0. "[IP::client_addr]:[TCP::client_port]: Decrementing ([table keys -subtable $tbl -count] connections / limit: $limit)"
    }
Once you're done testing, make sure to comment out the log statements.
Aaron
- midhun_108442
Nimbostratus
Hi Aaron/Thomas,
Thanks for your support.
I have configured the iRule and tested it; it is working fine.
The provided iRule will block all TCP connections, but I am looking for an HTTP/S request limit per client connection. I found an iRule that matches our requirement and tested it, and it is working; below is the iRule FYI:
    when RULE_INIT {
       # Maximum number of GET requests allowed per client within the sliding window
       set static::maxRate 10
       # Length of the sliding window in seconds. This example allows 10 requests in 3 seconds
       set static::windowSecs 3
       # Idle timeout of each subtable entry; the lifetime (windowSecs) expires the entry first
       set static::timeout 30
    }
    when HTTP_REQUEST {
       if { [HTTP::method] eq "GET" } {
          # Number of entries in this client's subtable = requests seen in the current window
          set getCount [table key -count -subtable [IP::client_addr]]
          log local0. "getCount=$getCount"
          if { $getCount < $static::maxRate } {
             incr getCount 1
             # One entry per request; it expires after windowSecs, so the count slides with time
             table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs
          } else {
             # The original logged an undefined $user variable; log the client address instead
             log local0. "Client [IP::client_addr] has exceeded the number of requests allowed."
             HTTP::respond 501 content "Request blocked. Exceeded requests/sec limit."
             return
          }
       }
    }
Can you help me change this iRule to apply a different connection limit for each client by using a data group?
Appreciate your support on this.
- hoolio
Cirrostratus
Try Hamish's example for 10.1 or higher:
http://devcentral.f5.com/wiki/iRules.HTTP_Session_Limit.ashx
Aaron
- midhun_108442
Nimbostratus
Hi Aaron,
The iRule I sent you is working for me, but it blocks all client connections with the same connection limit. Is it possible to rewrite the iRule so that each client has a different connection limit within the same iRule?
Regards,
Midhun P.K
- hoolio
Cirrostratus
I think this should work if you've defined the host/network = limit pairs in the conn_limit_dg data group.

    when RULE_INIT {
       # This defines how long the sliding window is for counting requests; the
       # number of requests allowed in it comes from the data group
       set static::windowSecs 3
       set static::timeout 30
    }
    when CLIENT_ACCEPTED {
       # Max connections per client IP
       set limit [class match [IP::client_addr] equals conn_limit_dg]
       log local0. "[IP::client_addr]: \$limit: $limit"
    }
    when HTTP_REQUEST {
       if { [HTTP::method] eq "GET" } {
          set getCount [table key -count -subtable [IP::client_addr]]
          log local0. "getCount=$getCount"
          if { $getCount < $limit } {
             incr getCount 1
             table set -subtable [IP::client_addr] $getCount "ignore" $static::timeout $static::windowSecs
          } else {
             log local0. "[IP::client_addr]: exceeded the number of requests allowed. $getCount / $limit"
             HTTP::respond 501 content "Request blocked. Exceeded requests/sec limit."
          }
       }
    }
Aaron
- midhun_108442
Nimbostratus
Hi Aaron,
I have applied the above iRule after creating a data group "conn_limit_dg" that defines my host with a value of 10, but it is not working. The web page opens on every first request but is blocked after that, and I can see in the logs that my request count is not going above 1. Below are my logs, and a screenshot of the data group entry is attached. Kindly look into this and help me fix it.
Thu Jan 26 14:19:44 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test2 : getCount=0
Thu Jan 26 14:41:07 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test2 : getCount=0
Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=0
Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : getCount=1
Thu Jan 26 14:44:35 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : getCount=1
Regards,
Midhun P.K
- hoolio
Cirrostratus
Hi Midhun,
Can you try using this version with some additional debug logging?

    when RULE_INIT {
       # This defines how long the sliding window is for counting requests.
       # This example allows $limit requests in 3 seconds
       set static::windowSecs 3
    }
    when CLIENT_ACCEPTED {
       # Max connections per client IP (-value returns the data group value)
       set limit [class match -value [IP::client_addr] equals conn_limit_dg]
       log local0. "[IP::client_addr]: \$limit: $limit"
    }
    when HTTP_REQUEST {
       if { [HTTP::method] eq "GET" } {
          set getCount [table key -count -subtable [IP::client_addr]]
          log local0. "[IP::client_addr]: getCount=$getCount"
          if { $getCount < $limit } {
             incr getCount 1
             table set -subtable [IP::client_addr] $getCount "" indefinite $static::windowSecs
          } else {
             log local0. "[IP::client_addr]: exceeded the number of requests allowed. $getCount / $limit"
             HTTP::respond 501 content "Request blocked. Exceeded requests/sec limit."
          }
       }
    }
Aaron
- midhun_108442
Nimbostratus
Hi Aaron,
I have applied the rule and run the test. Below are the log messages; they show that the allowed maximum connections for the client is "1", and that is why it is blocking my requests randomly.
But I have allowed 10 connections for the client in the data group list, and the script is not taking that value. The screenshot of the data group list configuration is attached FYI.
Thu Jan 26 23:59:38 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: $limit: 1
Thu Jan 26 23:59:38 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=0
Thu Jan 26 23:59:39 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: $limit: 1
Thu Jan 26 23:59:39 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:39 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:45 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=0
Thu Jan 26 23:59:46 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: $limit: 1
Thu Jan 26 23:59:46 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:46 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:48 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:48 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:50 AST 2012 info local/tmm1 tmm1[5126] Rule limt-test4 : 192.168.249.14: getCount=0
Thu Jan 26 23:59:50 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: $limit: 1
Thu Jan 26 23:59:50 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:50 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:51 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:51 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:53 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:53 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:54 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=0
Thu Jan 26 23:59:55 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: $limit: 1
Thu Jan 26 23:59:55 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:55 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:56 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:56 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:57 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1
Thu Jan 26 23:59:57 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Thu Jan 26 23:59:59 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=0
Fri Jan 27 00:00:00 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: $limit: 1
Fri Jan 27 00:00:00 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1
Fri Jan 27 00:00:00 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
Fri Jan 27 00:00:01 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: getCount=1
Fri Jan 27 00:00:01 AST 2012 info local/tmm tmm[5125] Rule limt-test4 : 192.168.249.14: exceeded the number of requests allowed. 1 / 1
- hoolio
Cirrostratus
Sorry for missing this... the class match command was missing the -value flag so it was just returning 1 for true (meaning the client IP was found in the data group). Using the -value flag indicates class match should return the value for the corresponding data group key. I've edited my post above with the update. Can you try that instead?
Thanks, Aaron
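Consolidated version, added here as an example rather than code from the thread or from F5, that combines the `-value` fix with two things the rules above do not handle: a client that is not listed in conn_limit_dg (class match then returns an empty string and the comparison errors), and concurrent requests that read the same count and overwrite each other's subtable entry when the count itself is the key. It goes a step beyond the posted rules by keeping one counter per client with `table incr` and expiring it with `table lifetime`, which gives a fixed window instead of a sliding one. Assumed: an address data group named conn_limit_dg whose values are integer limits, BIG-IP 10.1 or later for the `table` command, and the subtable name "ratelimit" and static variable names chosen here.

```tcl
# Per-client GET request limit, limit value taken from the conn_limit_dg
# address data group (host/network -> requests allowed per window).
when RULE_INIT {
    # Length of the counting window in seconds (fixed window)
    set static::windowSecs 3
    # Limit applied to clients that conn_limit_dg does not list (assumed default)
    set static::defaultLimit 10
}

when CLIENT_ACCEPTED {
    # -value returns the stored data group value; without it class match
    # returns 1 for "matched", which is the bug seen in the logs above
    set limit [class match -value [IP::client_addr] equals conn_limit_dg]
    if { ![string is integer -strict $limit] } {
        # Empty string (client not listed) or a non-numeric value: fall back
        set limit $static::defaultLimit
    }
}

when HTTP_REQUEST {
    if { [HTTP::method] ne "GET" } {
        return
    }
    # One counter per client IP in the "ratelimit" subtable. table incr
    # creates the key at 1 if it does not exist and returns the new value,
    # so parallel requests can never collapse onto the same entry.
    set count [table incr -subtable "ratelimit" [IP::client_addr]]
    if { $count == 1 } {
        # First request of a new window: the counter expires when the window ends
        table lifetime -subtable "ratelimit" [IP::client_addr] $static::windowSecs
    }
    if { $count > $limit } {
        # Uncomment while testing; comment out again in production
        # log local0. "[IP::client_addr]: $count / $limit requests in ${static::windowSecs}s, blocking"
        # 429 chosen here instead of the thread's 501; Retry-After tells the client when the window resets
        HTTP::respond 429 content "Request blocked. Exceeded requests/sec limit." "Retry-After" $static::windowSecs
        return
    }
}
```

Because the subtable is shared across TMMs, the counter is consistent regardless of which TMM handles a given request, which the per-TMM log lines above show matters.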