Forum Discussion
CirrusI need an irule to decline/refuse/ an incomming tcp session from a source to a vip (ip address/port)
I plan to use this
# Limit each client IP address to 20 concurrent connections
when CLIENT_ACCEPTED {# Check if the subtable has over 20 entries
if { [table keys -subtable connlimit:[IP::client_addr] -count] >= 20 } {
reject
} else {# Add the client IP:port to the client IP-specific subtable
# with a max lifetime of 180 seconds
table set -subtable connlimit:[IP::client_addr] [TCP::client_port] "" 180
}
}when CLIENT_CLOSED {
# When the client connection is closed, remove the table entry
table delete -subtable connlimit:[IP::client_addr] [TCP::client_port]
}
https://community.f5.com/t5/technical-articles/advanced-irules-tables/ta-p/290369
https://clouddocs.f5.com/api/irules/table.html#:~:text=If%20no%20timeout%20is%20specified,timeout%20will%20not%20be%20changed.
Hi S_Meulmeester ,
you can use Connection limit per virtual server and source ip subnet , look at this Article :
https://my.f5.com/manage/s/article/K45530602
don't bother yourself with complex irule in this case , it consumes your resources and sometimes you may not be able to measure the impact if you wrote it wrong or if it consumed alot of resources
CirrusHi,
That is not the same as what I need! what you propose is : Connection Rate Limit Mode = rate limiting per second so if i put it to 10 it will allow 10 connections per second = 600 connections per minute
I want to be able to limit a source ip to connect for example 200 sessions max and not per time interval.
Hi S_Meulmeester ,
Not rate limit , there is another option of connection limit.
if you put for ex 10 connection limit , if this source did 11 connection the 11th will be dropped till one of 10 concurrent connections goes out.
Don't go for rate limit
