Nimbostratus
Cirrostratus
Purpose: Limit each client to X concurrent connections
when RULE_INIT {
Max number of connections for a client over an interval
set static::max_conns 10
Log debug to /var/log/ltm? 1=yes, 0=no
set static::conn_debug 1
}
when CLIENT_ACCEPTED {
Use a subtable name specific to the client IP
set subtable "connlimit:[IP::client_addr]"
Add the client port to the client IP-specific subtable with a 65 second timer
and an indefinite timeout. We use the after command to touch the key every 60 seconds
as long as the connection is open.
The subtable entry is removed when the connection is closed.
table set -subtable $subtable [TCP::client_port] "" 65 indefinite
if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Added new key [TCP::client_port],\
count: [table keys -subtable $subtable -count], max: $static::max_conns"}
Set a timer to update the subtable entry every Y milliseconds
set timer [after 60000 -periodic {
table lookup -subtable $subtable [TCP::client_port]
if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Touched key [TCP::client_port] using after script"}
}]
Check if the subtable has over X entries
set count [table keys -subtable $subtable -count]
if { $count >= $static::max_conns } {
if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Over limit count: $count / limit: $static::max_conns"}
Drop the connection
drop
Or apply a rateclass
rateclass rateclass1
}
}
when CLIENT_CLOSED {
When the client connection is closed, remove the subtable entry
table delete -subtable $subtable [TCP::client_port]
if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Deleting key [TCP::client_port]"}
Cancel the timer
if {[info exists timer] && $timer ne ""}{
if {$static::conn_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Cancelling timer $timer"}
after cancel $timer
}
}Aaron