Forum Discussion

Satoshino's avatar
Satoshino
Icon for Cirrus rankCirrus
Apr 30, 2021

Irule Trigger two times

Hi,

I created this irule in order to set rate limit based on source IP:

when RULE_INIT {
    set static::maxRate 4
    set static::windowSecs 10
    log local0. "Var Creation"
    
}
 
when HTTP_REQUEST {
        
       log local0. [IP::client_addr]
       #check IP
       if { [IP::addr [IP::client_addr] equals 192.168.19.12]} {
 
        # set variables
        
        set clientip_var [IP::client_addr]
        set get_count [table key -count -subtable $clientip_var]
        log local0. "$get_count before increase"
 
        # main condition
         if { $get_count < $static::maxRate } {
            incr get_count 1
            log local0. "$get_count after increase"
            table set -subtable $clientip_var $get_count $clientip_var indefinite $static::windowSecs
         } else {
            log local0. "404!?"
            HTTP::respond 404 content { "HTML PAGE" } -reset
 
                return
        }  
      } else {
        
          return
      }
}

This irule create an Array and count session number, when the sessions reach maxRate value the irule reset newest session, until flush.

I realized that when I send a request from the client (with the correct ip) to vs the irule is triggered twice, this means that the array reaches the limit with 2 requests instead of 4.

have you ever had such a problem?

log:

first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase
second request:
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 after  increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after  increase
third and fourth request:
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after  increase
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 before increase
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?

Best regards at all

  • Looking at the logs at glance, its actually 2 requests not 1 requests.

    You are stating the below is just 1 request.

    first request:
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase

    But if we look at the Irule of yours, in HTTP_REQUEST event, your 1st piece of code itself is logging the client ip [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice in line 2 & line 5, so its actually 2 HTTP_REQUEST not one. You may think its 1 request, but its actually 2.

    May be there was some image, html, json resource references were their in the page you 1st queried & then second would been that call.

     

    Can you open your developer tool when sending the the requests & see what's all flowing in the network chart.

  • Looking at the logs at glance, its actually 2 requests not 1 requests.

    You are stating the below is just 1 request.

    first request:
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase

    But if we look at the Irule of yours, in HTTP_REQUEST event, your 1st piece of code itself is logging the client ip [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice in line 2 & line 5, so its actually 2 HTTP_REQUEST not one. You may think its 1 request, but its actually 2.

    May be there was some image, html, json resource references were their in the page you 1st queried & then second would been that call.

     

    Can you open your developer tool when sending the the requests & see what's all flowing in the network chart.

    • jaikumar_f5's avatar
      jaikumar_f5
      Icon for MVP rankMVP

      The easy way to identify what were the HTTP REQUESTS would be the log the URI. Please test if that gives some clue.