Forum Discussion
iRule time window - How to tell position within a window?
Hello, I have an iRule for rate-limiting signin attempts that uses a subtable for per-IP tracking. The rule limits unique source IPs to "maxRate" signin attempts within a "windowSecs" timeframe. While the rule works fine, it may run up against a memory problem after long-term use. On suggestion from F5 support, I'm wanting to put in lines to delete the subtable to prevent the possible memory issue. This needs to be done when "windowSecs" expires; deleting it prior would negate the purpose of the rule.
    when RULE_INIT {
        set static::maxRate 15
        set static::windowSecs 60
    }
The main logic for the rule is:
    if { $get_count < $static::maxRate } {
        incr get_count 1
        table set -subtable $clientip_limitervar $get_count $clientip_limitervar indefinite $static::windowSecs
    } else {
        log local0.notice "Sign-in rate-limiter triggered by True-Client-IP $client_id - count of $get_count from subtable $clientip_limitervar"
        drop
        return
    }
i.e. I'm wanting to do something like the following:
    if { $windowTics >= $static::windowSecs } {
        # remove every entry in this client's subtable
        table delete -subtable $clientip_limitervar -all
    }
where "windowTics" is the number of seconds elapsed within the "windowSecs" window. Could someone please advise on how I can get the value of "windowTics"? Trying to keep this brief, will post the entire iRule if needed.
Thanks, -jay
2 Replies
- Brad_Parker
Cirrus
One suggestion I would make is to not use a subtable. The subtable is not CMP compatible so each tmm instance will have its own subtable created. I would suggest designing the iRule using just table.
Those subtables are synced at access, I believe.
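
An added example, not part of the original thread and not F5's own code: a fixed-window limiter on a plain `table` key per client, where the entry's lifetime is the window, so it expires without an explicit delete and `table lifetime -remaining` gives the position inside the window. The `/signin` path, the `signin_rl:` key prefix and the fallback to `IP::client_addr` are assumptions made for illustration.

```tcl
when RULE_INIT {
    set static::maxRate 15
    set static::windowSecs 60
}

when HTTP_REQUEST {
    # Assumption: sign-in requests are identified by this hypothetical path.
    if { [HTTP::path] ne "/signin" } { return }

    # Assumption: the client address arrives in the True-Client-IP header
    # (the name used in the post's log line); otherwise use the peer address.
    set client_id [HTTP::header value "True-Client-IP"]
    if { $client_id eq "" } { set client_id [IP::client_addr] }
    set key "signin_rl:$client_id"

    # "table add" creates the entry only if it does not exist yet, so the
    # lifetime (the window) starts at the first attempt and is never
    # restarted by later attempts. Idle timeout is disabled (indefinite).
    table add $key 0 indefinite $static::windowSecs

    # Count this attempt; -notouch leaves the entry's timers alone.
    set count [table incr -notouch $key]

    # Seconds left before the entry is removed automatically.
    set remaining [table lifetime -remaining $key]
    if { $remaining eq "" || $remaining < 0 } { set remaining 0 }

    # Position within the window: seconds elapsed since the first attempt.
    set windowTics [expr { $static::windowSecs - $remaining }]

    if { $count > $static::maxRate } {
        log local0.notice "Sign-in rate-limiter triggered by $client_id - count $count, $windowTics s into window, $remaining s left"
        drop
        return
    }
}
```

Because each client holds a single counter entry that the lifetime removes at the end of the window, memory use is bounded by the number of distinct clients seen within one window.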