Forum Discussion

Greenberg
Mar 08, 2012

iRule to Limit Connections from Source IP to Destination IP

Guys,

Novice to iRules brings himself before you.

I've been given a requirement to Limit the number of Connections from a number of Source Hosts to a Destination.

This is where I've gotten to:-

bigpipe class 'conn_limit_Pi {
    host <> {"<>"}
}'

bigpipe rule '_Pi_throttle_tcp_connections {
    when CLIENT_ACCEPTED {
        # -value returns the data-group value (the limit) for the matching host
        set limit [class match -value [IP::client_addr] equals conn_limit_Pi]
        set tbl "connlimit:[IP::client_addr]"
        set key "[IP::client_addr][TCP::client_port]"
        # one subtable entry per open connection from this source
        if { [table keys -subtable $tbl -count] >= $limit } {
            reject
        } else {
            table set -subtable $tbl $key "ignored" <>
        }
    }
    when CLIENT_CLOSED {
        table delete -subtable $tbl $key
    }
}'

Unfortunately I am unable to find how to target the Destination. Would another "Class" Statement do the Trick? And if so, how would I introduce this into the iRule to Target the Destination if it Originates from the Specific Source.

Thanks in Advance.

Chris.
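
One way to make the limit destination-aware, as an added example that is not Chris's code or anything else posted in this thread: rather than a second data group, key the session-table subtable on the source address and the destination address the client connected to (IP::local_addr), so every source/destination pair gets its own count. The data group name conn_limit_Pi and the shape of its entries (client address as the entry, per-source limit as the value), the 300-second entry timeout and the log text are assumptions for the example.

```tcl
# Added example, not from the thread: per source/destination connection limit
# kept in the session table (CMP-compatible, no ::global variables).
# Assumed data group "conn_limit_Pi" with address entries whose value is the
# per-source limit, e.g.  host 192.0.2.10 { "25" }

when RULE_INIT {
    # Safety net so entries expire even if CLIENT_CLOSED never runs for a
    # connection (assumed value, seconds).
    set static::connlimit_timeout 300
}

when CLIENT_ACCEPTED {
    # -value returns the data-group value for the matching entry, or an
    # empty string when the client address is not listed at all.
    set limit [class match -value [IP::client_addr] equals conn_limit_Pi]
    if { $limit eq "" } {
        # Source is not subject to a limit: nothing to track.
        return
    }

    # Key the subtable on BOTH source and destination. IP::local_addr is the
    # address the client connected to (the virtual server / destination).
    set tbl "connlimit:[IP::client_addr]:[IP::local_addr]"
    set key "[IP::client_addr]:[TCP::client_port]"

    # One entry per open connection for this pair; the count is the limit check.
    if { [table keys -subtable $tbl -count] >= $limit } {
        log local0. "Limit $limit reached for [IP::client_addr] -> [IP::local_addr], rejecting"
        reject
        return
    }
    # Value is unused; only the presence of the key matters.
    table set -subtable $tbl $key 1 $static::connlimit_timeout
}

when CLIENT_CLOSED {
    # tbl/key exist only when CLIENT_ACCEPTED decided this source is limited.
    if { [info exists tbl] } {
        table delete -subtable $tbl $key
    }
}
```

Two caveats worth knowing before relying on this: the count check and the table set are two separate operations, so a burst of simultaneous connections can overshoot the limit by a few before the entries are visible to every TMM; and if the destination to be limited is the pool member rather than the virtual server address, the same key can be built in LB_SELECTED from [LB::server addr] with the count check moved there.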

 

14 Replies

  • Would this only max connections for traffic hitting the URI or all Connections hitting the Virtual Server? Based on the iRule, I understand it is for traffic hitting the URI.

    By the way, I think static::active_connections_pi is not a static global variable since you increase it in the HTTP_REQUEST event.
  • The iRule I posted last stopped all Traffic to the Virtual. So I went back to the Drawing Board:-

    when RULE_INIT {
        # Set a global max for number of concurrent TCP connections
        set ::max_connections 25
        # Print debug messages to /var/log/ltm? 1=yes, 0=no
        set ::debug 1
        # Initialize a counter for active connections (don't modify this)
        set ::active_connections 0
        # Log local identifying start
        log local0. "rule session_limit initialized: total/max: $::active_connections/$::max_connections"
    }
    when HTTP_REQUEST {
        # if the HTTP Request contains the specified URI String
        if { [HTTP::uri] contains "URI" } {
            # if we are over the limit for the connection, redirect
            if { not [HTTP::cookie exists "inpicheckout"] and $::active_connections > $::max_connections } {
                # redirect
                HTTP::redirect "http://www.sorry.com"
                # Close the connection
                TCP::close
                # Log a message to /var/log/ltm
                if { $::debug } { log local0. "Over limit (current/max: $::active_connections/$::max_connections). Closing to [IP::client_addr]" }
                return
            }
            # Increment the TCP connection count (only for requests that were let through)
            incr ::active_connections 1
        }
    }
    when CLIENT_CLOSED {
        # A connection was closed, so decrement the global counter
        incr ::active_connections -1
        # if the Active Connections are less than 0 then reset to 0
        if { $::active_connections <= 0 } { set ::active_connections 0 }
        # Log a message to /var/log/ltm
        if { $::debug } { log local0. "Connection closing to [IP::client_addr]" }
    }

    Any thoughts :S
  • "The iRule I posted last stopped all Traffic to the Virtual." Was the user redirected to www.sorry.com or did the connection get reset?

    By the way, your iRule is not CMP friendly since you are using global variables. The following is an example which is CMP compatible.

    iRule::ology - Table Based Rate Limiting by Colin
    https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086416/iRuleology--Table-Based-Rate-Limiting.aspx
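
As an added example (not code from this thread and not the linked article), here is the HTTP_REQUEST limiter from Chris's second post rewritten so that it keeps no state in ::global variables: the tunables move to static:: variables written once in RULE_INIT, and the live counter moves into the session table, which is shared across TMM instances and is therefore CMP-compatible. The subtable name uri_limit, the key active, the URI /checkout and the 300-second counter timeout are assumptions for the example; the cookie name and sorry-page URL are taken from the post. It also answers the first reply's question: a connection is counted at most once, however many requests it carries, so the decrement in CLIENT_CLOSED only runs for connections that were counted.

```tcl
# Added example, not from the thread: CMP-compatible rewrite of the global
# counter iRule. Configuration in static:: (read-only after RULE_INIT),
# counter in the session table (shared by all TMMs).

when RULE_INIT {
    set static::max_connections 25
    set static::debug 1
    set static::uri_limit_timeout 300   ;# assumed: counter entry timeout, seconds
}

when HTTP_REQUEST {
    if { [HTTP::uri] contains "/checkout" } {
        # Clients already holding the checkout cookie are exempt from the limit.
        if { ![HTTP::cookie exists "inpicheckout"] } {
            # table lookup returns an empty string when the key does not exist yet.
            set active [table lookup -subtable uri_limit active]
            if { $active eq "" } { set active 0 }
            if { $active >= $static::max_connections } {
                if { $static::debug } {
                    log local0. "Over limit ($active/$static::max_connections). Redirecting [IP::client_addr]"
                }
                HTTP::redirect "http://www.sorry.com"
                return
            }
        }
        # Count this TCP connection once, even if it carries several keep-alive
        # requests; the flag is connection-scoped and read again in CLIENT_CLOSED.
        if { ![info exists counted] } {
            set counted 1
            table incr -subtable uri_limit active
            table timeout -subtable uri_limit active $static::uri_limit_timeout
        }
    }
}

when CLIENT_CLOSED {
    if { [info exists counted] } {
        # Decrement only what this connection added. -mustexist keeps the
        # decrement from recreating the entry as -1 if it has already expired.
        table incr -subtable uri_limit -mustexist active -1
    }
}
```

The lookup-then-increment pair is not atomic, so a burst of simultaneous requests can let a few more than max_connections through; for a hard ceiling the count has to be taken from the increment's return value instead, and the connection redirected when that value is already over the limit.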