For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jrmorris_151361's avatar
jrmorris_151361
Icon for Nimbostratus rankNimbostratus
Jul 30, 2015

How to view session table created with iRule

Hi, I have created the following iRule. I know the reject is commented out and the limit is high. But for now, I want to monitor what the iRule actually catches. Is there a way for me to view the tab...
application delivery
devops
iRules
LTM
management
TMSH
Patrik_Jonsson's avatar
Patrik_Jonsson
Icon for MVP rankMVP
Jul 31, 2015

Don't think you can use TMSH, but you should be able to use an iRule for that. Beware of the following, it's like table inception. 🙂

First add a meta table to your original iRule (you might want to touch the meta table entry whenever the connlimit table is refreshed).

when CLIENT_ACCEPTED {

    set tbl "connlimit:[IP::client_addr]"
    set key "[TCP::client_port]"

    table set -subtable metatable "connlimit:[IP::client_addr]" 1

    table set -subtable $tbl $key "ignored" 180

    if { [table keys -subtable $tbl -count] > 5000 } {
        table delete -subtable $tbl $key
        event CLIENT_CLOSED disable
      reject
    } else {
        set timer [after 60000 -periodic { table lookup -subtable $tbl $key }] 
    }
}

when CLIENT_CLOSED {
    after cancel $timer
    table delete -subtable $tbl $key 
}

Then you can add this iRule to another virtual server (or add a condition to show the information on the current server):

when HTTP_REQUEST {

    set response ""

    foreach tablename [table keys -subtable "metatable"] {

        foreach $key [table keys -subtable $tablename] {
            set value [table lookup -notouch -subtable  $key]
            set response "$response
$key = $value"
        }
    }

    HTTP::respond 200 content $response
}