Forum Discussion
midhun_108442
Nimbostratus
Jan 21, 2012
Help needed to create an iRule to limit client connections
Hi,
Can anyone help us create an iRule to limit the number of client connections hitting a virtual server? I found the same iRule scenario on the DevCentral site (iRules.LimitConnectionsFromClient), but it is not working for me; it is only logging the message, not blocking the connection. Kindly help me with an iRule for this.
Regards,
Midhun P.K
25 Replies
- hoolio
Cirrostratus
Hi Midhun,
Which LTM version are you running? Which iRule did you try? Do you want to limit each client to X TCP connections to a virtual server?
If you're on 10.1 or higher, can you try this iRule?

   # From http://devcentral.f5.com/wiki/iRules.table.ashx
   # Limit each client IP address to 20 concurrent connections
   when CLIENT_ACCEPTED {
      # Set a subtable name with a standard prefix and the client IP
      set tbl "connlimit:[IP::client_addr]"
      # Use a key of the client IP:port
      set key "[IP::client_addr]:[TCP::client_port]"
      # Check if the subtable has over 20 entries
      if { [table keys -subtable $tbl -count] > 20 } {
         reject
      } else {
         # Add the client IP:port to the client IP-specific subtable with a max lifetime of 180 seconds
         table set -subtable $tbl $key "ignored" 180
      }
   }
   when CLIENT_CLOSED {
      # When the client connection is closed, remove the table entry
      table delete -subtable $tbl $key
   }

Aaron
- midhun_108442
Nimbostratus
Hi,
Thanks Hoolio for your fast response. Below is the iRule link I was using; the F5 version we have is 10.2. My requirement is to limit each client connection hitting the virtual server. Let me try the iRule you provided; I'll update you. Thanks
http://devcentral.f5.com/wiki/iRules.LimitConnectionsFromClient.ashx
- midhun_108442
Nimbostratus
Hi Hoolio,
I have tested using the iRule you provided, but it is not working.
I changed the iRule to set the client count to 5 and tested with one client, but he is still able to connect after 5 hits. Could you please help me with this?
- midhun_108442
Nimbostratus
Hi Hoolio,
Below is my configuration Information
Virtual Server Port - 443 --
Pool Member --> Forwarding to Node in Port 80
Also configured OneConnect and an HTTP profile with source address persistence.
The client will connect to the virtual server on port 443 and I need to limit the client connections to 20. Kindly provide a solution for this.
- hoolio
Cirrostratus
Can you try this version with logging, retest and post the logs?

   # From http://devcentral.f5.com/wiki/iRules.table.ashx
   # Limit each client IP address to 20 concurrent connections
   when CLIENT_ACCEPTED {
      # Max connections per client IP
      set limit 20
      # Set a subtable name with a standard prefix and the client IP
      set tbl "connlimit:[IP::client_addr]"
      # Use a key of the client IP:port
      set key "[IP::client_addr]:[TCP::client_port]"
      # Check if the subtable has over X entries
      if { [table keys -subtable $tbl -count] > $limit } {
         log local0. "[IP::client_addr]:[TCP::client_port]: Rejecting connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
         reject
      } else {
         # Add the client IP:port to the client IP-specific subtable with a max lifetime of 1800 seconds (30min)
         table set -subtable $tbl $key "ignored" 1800
         log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
      }
   }
   when CLIENT_CLOSED {
      # When the client connection is closed, remove the table entry
      table delete -subtable $tbl $key
      log local0. "[IP::client_addr]:[TCP::client_port]: Decrementing ([table keys -subtable $tbl -count] connections / limit: $limit)"
   }

Aaron
- Thomas_Heloin_3
Historic F5 Account
Hello,
You might want to try this.
I had the same question today through support. Once you are happy with your testing, you can make it more efficient by removing the log and else statement.

   when CLIENT_ACCEPTED {
      # -value returns the limit stored for the matching network; without it
      # class match only returns 1 or 0, so the comparison would be against 1
      set limit [class match -value [IP::client_addr] equals conn_limit]
      if { $limit eq "" } {
         # Client has no data group entry: leave it unlimited and skip the
         # decrement, otherwise the counter for this IP would go negative
         event CLIENT_CLOSED disable
         return
      }
      # table incr is atomic, so the check and the increment cannot interleave
      if { [table incr [IP::client_addr]] > $limit } {
         log local0. "counter: [table lookup [IP::client_addr]]"
         table incr [IP::client_addr] -1
         TCP::close
         # Tested in v11.1 HF1, TMM is not stable when doing TCP::close and
         # table manipulation in CLIENT_CLOSED event.
         # This solution appears more stable, no guarantees however.
         event CLIENT_CLOSED disable
      } else {
         log local0. "counter: [table lookup [IP::client_addr]]"
      }
   }
   when CLIENT_CLOSED {
      table incr [IP::client_addr] -1
      log local0. "counter: [table lookup [IP::client_addr]]"
   }
The Data Group looks like this;
class conn_limit {
network 172.0.0.0/8 { "2" }
}
Thomas
- midhun_108442
Nimbostratus
Hi Hoolio,
Thanks for your response. I have tested the iRule you provided by setting up a test virtual server on port 80 which points to a web page, and set the connection limit to 4.
From my machine I tried telnet to that virtual server and I can see the 5th telnet connection is blocked, but the 6th and 7th connections open successfully, although the logs show it rejecting connections above the limit of 4. Logs attached FYI.
I also tested by opening the web page from Internet Explorer, but it is not blocking my requests, and I opened more than 15 web pages from my machine. In the logs I can see each connection being accepted and closed, and it does not go beyond the applied connection limit. Logs attached FYI.
Regards,
Midhun P.K
- hoolio
Cirrostratus
If you change > to >= it should work:

   # From http://devcentral.f5.com/wiki/iRules.table.ashx
   # Limit each client IP address to 20 concurrent connections
   when CLIENT_ACCEPTED {
      # Max connections per client IP
      set limit 20
      # Set a subtable name with a standard prefix and the client IP
      set tbl "connlimit:[IP::client_addr]"
      # Use a key of the client IP:port
      set key "[IP::client_addr]:[TCP::client_port]"
      # Check if the subtable already has X entries
      if { [table keys -subtable $tbl -count] >= $limit } {
         log local0. "[IP::client_addr]:[TCP::client_port]: Rejecting connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
         reject
      } else {
         # Add the client IP:port to the client IP-specific subtable with a max lifetime of 1800 seconds (30min)
         table set -subtable $tbl $key "ignored" 1800
         log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
      }
   }
   when CLIENT_CLOSED {
      # When the client connection is closed, remove the table entry
      table delete -subtable $tbl $key
      log local0. "[IP::client_addr]:[TCP::client_port]: Decrementing ([table keys -subtable $tbl -count] connections / limit: $limit)"
   }

Aaron
- midhun_108442
Nimbostratus
Hi Hoolio,
Thanks for your support, it works. Can you tell me how to set a different connection limit for each client in this iRule? For example: for one specific client the maximum will be 10 connections at a time, and for another client the maximum will be 20 at a time. If they go beyond that, the BIG-IP system sends a TCP RST packet in response to the connection attempt. What changes should I make in the iRule for this?
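An added example, not posted by anyone in this thread, of the per-client limit asked about above: it takes the limit from the address data group used in Thomas's post (conn_limit) and keeps hoolio's subtable-per-client-IP approach with the >= comparison. The fallback limit of 20 for clients that have no data group entry, the example networks in the data group comment and the 1800 second entry lifetime are assumptions chosen for illustration.

```tcl
# Added example (not from the thread): per-client-IP concurrent connection
# limit, with the limit looked up from an address data group.
#
# Assumed data group, v10.x bigip.conf syntax (example networks only):
#   class conn_limit {
#      network 10.1.0.0/16 { "10" }
#      network 10.2.0.0/16 { "20" }
#   }
when CLIENT_ACCEPTED {
   # -value returns the value stored for the matching network; without it
   # class match only returns 1 or 0
   set limit [class match -value [IP::client_addr] equals conn_limit]
   if { $limit eq "" } {
      # Client is not in the data group: apply a default limit (assumption)
      set limit 20
   }
   # One subtable per client IP, one entry per open TCP connection
   set tbl "connlimit:[IP::client_addr]"
   set key "[IP::client_addr]:[TCP::client_port]"
   set count [table keys -subtable $tbl -count]
   if { $count >= $limit } {
      log local0. "[IP::client_addr]:[TCP::client_port]: rejecting, $count connections open, limit $limit"
      # reject sends a TCP RST to the client; return so nothing else in this event runs
      reject
      return
   }
   # Entry expires after 1800 seconds so a connection whose CLIENT_CLOSED never
   # fires does not hold a slot forever
   table set -subtable $tbl $key "ignored" 1800
   log local0. "[IP::client_addr]:[TCP::client_port]: allowing, [expr {$count + 1}] of $limit"
}
when CLIENT_CLOSED {
   # Deleting a key that was never set (a rejected connection) is harmless
   table delete -subtable $tbl $key
}
```

Two caveats worth keeping in mind when testing this. The count-then-set in CLIENT_ACCEPTED is not atomic, so a burst of simultaneous connections from one IP can briefly overshoot the limit by a few; the table incr approach in Thomas's post is atomic but depends on the decrement in CLIENT_CLOSED always running. And the limit counts concurrent TCP connections, not HTTP requests: a browser with keep-alive open will serve many page loads over a handful of connections, which is why opening many tabs does not trip the limit while parallel telnet sessions do.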