Forum Discussion
S_Meulmeester
Cirrus
CirrusI need an irule to decline/refuse/ an incomming tcp session from a source to a vip (ip address/port)
I need an irule to decline/refuse/ an incomming tcp session from a source to a vip (ip address/port) if that source has aleady "n" number of connections open. I am using Fast layer 4 LTM configuratio...
I plan to use this
# Limit each client IP address to 20 concurrent connections
when CLIENT_ACCEPTED {# Check if the subtable has over 20 entries
if { [table keys -subtable connlimit:[IP::client_addr] -count] >= 20 } {
reject
} else {# Add the client IP:port to the client IP-specific subtable
# with a max lifetime of 180 seconds
table set -subtable connlimit:[IP::client_addr] [TCP::client_port] "" 180
}
}when CLIENT_CLOSED {
# When the client connection is closed, remove the table entry
table delete -subtable connlimit:[IP::client_addr] [TCP::client_port]
}
https://community.f5.com/t5/technical-articles/advanced-irules-tables/ta-p/290369
https://clouddocs.f5.com/api/irules/table.html#:~:text=If%20no%20timeout%20is%20specified,timeout%20will%20not%20be%20changed.
S_MeulmeesterCirrus
CirrusHi,
That is not the same as what I need! what you propose is : Connection Rate Limit Mode = rate limiting per second so if i put it to 10 it will allow 10 connections per second = 600 connections per minute
I want to be able to limit a source ip to connect for example 200 sessions max and not per time interval.
Hi S_Meulmeester ,
Not rate limit , there is another option of connection limit.
if you put for ex 10 connection limit , if this source did 11 connection the 11th will be dropped till one of 10 concurrent connections goes out.
Don't go for rate limit