Forum Discussion
How do I drop packet from iRules?
Hello,
I created following iRule to enforce connection/second. This iRule supposes to drop client request when LTM get more than 5 connections per second. But actual behavior of 10.2 was send RST back to the client in my verification.
How do I modify this iRule to work as I expected?
---------------------------------------
when CLIENT_ACCEPTED {
set reqno [table incr "reqs"]
table set -subtable "reqrate" $reqno "ignored" indefinite 1
set ConRate [table keys -count -subtable "reqrate"]
if { $ConRate > 5 } {
drop
event disable
return
}
}
---------------------------------------
Thanks!
3 Replies
- The_Bhattman
Nimbostratus
Have you looked at the following code share?
http://devcentral.f5.com/wiki/default.aspx/iRules/LimitConnectionsFromClient.html
I hope this helps
Bhattman - Thank you for the information but I just want to know behavior of "drop" command.
In my understanding, an iRule fires "reject" command, LTM sends RST to the peer but firing "drop" command does nothing.
However I am seeing to send RST to the peer from LTM even though I use "drop" command. Do I need to open a support case? 
hoolioCirrostratus
I'd have expected drop to either drop the current packet or to remove the connection table entry. I'd guess that drop called in CLIENT_ACCEPTED would remove the connection table entry. Maybe if it's used in a DATA event (like CLIENT_DATA or SERVER_DATA) it would just drop the current packet. If the connection table entry is removed and the client sends another packet, LTM should reset it as it's not associated with an existing connection.
You could open a case with F5 to confirm or correct these assumptions. If you do, could you reply back with what you find out?
Thanks, Aaron
