Forum Discussion
Greenberg
Nimbostratus
Mar 08, 2012
iRule to Limit Connections from Source IP to Destination IP
Guys,
Novice to iRules brings himself before you.
I've been given a requirement to Limit the number of Connections from a number of Source Hosts to a Destination.
This is where I've gotten to:-
bigpipe class 'conn_limit_Pi {
    host <> {"<>"}
}'
bigpipe rule '_Pi_throttle_tcp_connections {
    when CLIENT_ACCEPTED {
        # -value returns the limit stored against the matching host entry
        set limit [class match -value [IP::client_addr] equals conn_limit_Pi]
        set tbl "connlimit:[IP::client_addr]"
        set key "[IP::client_addr][TCP::client_port]"
        # Reject once this source already holds $limit tracked connections
        if { [table keys -subtable $tbl -count] >= $limit } {
            reject
        } else {
            table set -subtable $tbl $key "ignored" <>
        }
    }
    when CLIENT_CLOSED {
        # Stop tracking the connection when it closes
        table delete -subtable $tbl $key
    }
}'
Unfortunately I am unable to find how to target the Destination. Would another "Class" Statement do the Trick? And if so, how would I introduce this into the iRule to Target the Destination if it Originates from the Specific Source?
Thanks in Advance.
Chris.
14 Replies
- nitass
Employee
Would this only max connections for traffic hitting the URI or all Connections hitting the Virtual Server?
Based on the iRule, I understand it is for traffic hitting the URI.
By the way, I think static::active_connections_pi is not a static global variable since you increase it in the HTTP_REQUEST event.
- Greenberg
Nimbostratus
The iRule I posted last stopped all Traffic to the Virtual. So I went back to the Drawing Board:-
when RULE_INIT {
    # Set a global max for number of concurrent TCP connections
    set ::max_connections 25
    # Print debug messages to /var/log/ltm? 1=yes, 0=no
    set ::debug 1
    # Initialize a counter for active connections (don't modify this)
    set ::active_connections 0
    # Log local identifying start
    log local0. "rule session_limit initialized: total/max: $::active_connections/$::max_connections"
}
when HTTP_REQUEST {
    # if the HTTP Request contains the specified URI String
    if { [HTTP::uri] contains "URI" } {
        # if we are over the limit for the connection, redirect
        if { not [HTTP::cookie exists "inpicheckout"] and $::active_connections > $::max_connections } {
            # redirect
            HTTP::redirect "http://www.sorry.com"
            # Close the connection
            TCP::close
            # Log a message to /var/log/ltm
            if { $::debug } { log local0. "Over limit (current/max: $::active_connections/$::max_connections). Closing to [IP::client_addr]" }
        }
        # Increment the TCP connection count.
        incr ::active_connections 1
    }
}
when CLIENT_CLOSED {
    # A connection was closed, so decrement the global counter
    incr ::active_connections -1
    # if the Active Connections are less than 0 then reset to 0
    if { $::active_connections <= 0 } {
        set ::active_connections 0
    }
    # Log a message to /var/log/ltm
    if { $::debug } { log local0. "Connection closing to [IP::client_addr]" }
}
Any thoughts :S
- nitass
Employee
The iRule I posted last stopped all Traffic to the Virtual.
Was the user redirected to www.sorry.com or did the connection get reset?
By the way, your iRule is not CMP friendly since you are using a global variable. The following is an example which is CMP compatible.
iRule::ology - Table Based Rate Limiting by Colin
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086416/iRuleology--Table-Based-Rate-Limiting.aspx
- Asim_Sharfuddin
Nimbostratus
Hi,
Are you using this iRule? Does it cause any performance or stability issues?
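The table-based, CMP-compatible approach nitass points to, applied to the original question of limiting connections per source and destination. This is an added example, not code from any post in this thread. It assumes the destination is the address the client connected to (`IP::local_addr` on the client side), that the data group `conn_limit_Pi` maps each source host to its connection limit, and that 192.0.2.50 is a placeholder destination address; the 180 second timeout and 60 second refresh are illustrative values.

```tcl
when CLIENT_ACCEPTED {
    # Flag so CLIENT_CLOSED only cleans up connections we actually tracked
    set tracked 0

    # Destination as seen on the client side of the connection
    set dst [IP::local_addr]

    # Only throttle traffic to the destination of interest (placeholder address)
    if { not [IP::addr $dst equals 192.0.2.50] } { return }

    # Per-source limit from the data group; empty means the source is not listed
    set limit [class match -value [IP::client_addr] equals conn_limit_Pi]
    if { $limit eq "" } { return }

    # One subtable per source/destination pair, one key per connection.
    # The session table is shared across TMMs, so no global variables are needed.
    set tbl "connlimit:[IP::client_addr]:$dst"
    set key [TCP::client_port]

    if { [table keys -subtable $tbl -count] >= $limit } {
        # Source already holds its full allowance to this destination
        reject
        return
    }

    # Track this connection. The timeout removes the entry if
    # CLIENT_CLOSED never fires for it.
    table set -subtable $tbl $key 1 180
    set tracked 1

    # Touch the entry every 60 seconds so long-lived connections
    # do not age out of the subtable while still open
    set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
}

when CLIENT_CLOSED {
    if { $tracked } {
        after cancel $timer
        table delete -subtable $tbl $key
    }
}
```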
