Forum Discussion
teemo_13 Do you want transactions per second or a hard connection limit on the VS? If it's an overall amount of connections you can set the limit on the virtual server and then a log will automatically be generated once you reach that limit as seen in the following article.
https://my.f5.com/manage/s/article/K24513413#P1
The following link should assist you with an iRule to generate a log after a certain TPS as well as block the request beyond that limit. If you do not wish to block the request you can adjust the iRule accordingly.
I have also taken the opportunity to adjust the iRule a bit to be formatted a bit better as well as update some of the older pieces of code to match newer configuration.
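when RULE_INIT priority 500 {
    # Maximum GET requests allowed per client within the window
    set static::maxRate [expr {900 * 3}]
    # Lifetime of each table entry in seconds (the counting window)
    set static::windowSecs 1
    # Idle timeout of each table entry in seconds
    set static::timeout 30
}
when HTTP_REQUEST priority 500 {
    if { [HTTP::method] == "GET" } {
        # Number of entries currently held in this client's subtable
        set GETCOUNT [table key -count -subtable [IP::client_addr]]
        log local0. "GETCOUNT=${GETCOUNT}"
        if { ${GETCOUNT} < $static::maxRate } {
            # Under the limit: record this request as a new entry
            incr GETCOUNT 1
            table -- set -subtable [IP::client_addr] ${GETCOUNT} "ignore" $static::timeout $static::windowSecs
        } else {
            # Over the limit: log it and reject the request
            log local0. "Exceeded the number of requests allowed. ${GETCOUNT}"
            HTTP::respond 501 content "Request blocked. Exceeded requests/sec limit."
            return
        }
    }
}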
I think this article also could be helpful and the iRule could be modified to do what you would like.
https://clouddocs.f5.com/training/community/irules/html/class2/module1/lab2.html
I think we are on the right path here. But as I understand,
set GETCOUNT [table key -count -subtable [IP::client_addr]]
this command is limited to only one client IP address. Can I substitute it with VS IP address instead to get a value for the GETCOUNT?
- Paulius, Mar 02, 2023, MVP
teemo_13 I could be wrong on this one because I haven't had to really deal with TPS but I believe this isn't checking every connection on the F5 but it's checking the virtual server (VS) that this particular iRule is associated to for this particular instance of use of the iRule. With that being said, if you used this iRule on 4 or 5 VSs each one would have its own instance of the particular counted variable and it wouldn't be shared across each VS. So the value that you are receiving in the GETCOUNT variable should be unique to that virtual server. Now when you log this to the F5 you will want to use something that easily differentiates each entry between virtual servers for this same iRule. If you are only using this iRule in one location then no reason to narrow it down any further. Now I absolutely could be wrong so if I am I hope someone comes to correct this assumption. I did find some more articles that might be of assistance to you.
https://community.f5.com/t5/technical-articles/the-table-command-subtables/ta-p/278501
https://community.f5.com/t5/technical-articles/the-table-command-counting/ta-p/278467
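One way to count GET requests per virtual server rather than per client, as asked in the thread (an added example, not code from any poster or from F5): the subtable is named after `[virtual name]` instead of `[IP::client_addr]`, and each request gets a unique key from `table incr`. The limit values, the `vsrate:` and `vsrate_seq:` prefixes, the variable names and the 429 response are assumptions made for this example.

```tcl
# Added example: sliding-window GET counter shared by all clients of one virtual server.
when RULE_INIT {
    set static::vs_max_rate 2700     ;# assumed limit: GET requests per window
    set static::vs_window_secs 1     ;# assumed window length in seconds
}
when HTTP_REQUEST {
    if { [HTTP::method] ne "GET" } { return }

    # [virtual name] identifies the virtual server handling this request, so the
    # counter is per VS even when the same iRule is attached to several of them.
    set vs [virtual name]

    # Each live entry in the subtable is one request seen within the window.
    set count [table keys -subtable "vsrate:$vs" -count]

    if { $count >= $static::vs_max_rate } {
        # Put the VS name in the log line so entries from different
        # virtual servers can be told apart.
        log local0. "VS $vs exceeded $static::vs_max_rate GET requests per window (count=$count)"
        HTTP::respond 429 content "Request blocked. Exceeded requests/sec limit."
        return
    }

    # A monotonically increasing sequence number gives every request its own key,
    # so a new entry never overwrites one that is still inside the window.
    set seq [table incr "vsrate_seq:$vs"]

    # Idle timeout "indef" with a lifetime of one window: the entry disappears
    # exactly vs_window_secs after it was created.
    table set -subtable "vsrate:$vs" $seq "ignore" indef $static::vs_window_secs
}
```

The count and the insert are separate table operations, so under concurrent load the enforced limit is approximate rather than exact.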