Forum Discussion
bchick2_8645
Nov 29, 2011 (Nimbostratus)
Here is my rewrite based on the approach I mentioned above. I have not had a chance to test it yet, so I apologize if there is something obviously wrong with it. I will test it later today, but based on the examples in the link posted by spark I think this is a better approach. After I have a chance to run it I will let you know whether the log entries go away and whether it appears to otherwise work okay.
Please let me know if you see any issues with this approach. I really appreciate the help.
when RULE_INIT {
    # The maximum number of TCP connections to the virtual server from a single client IP address
    set static::max_connections_per_ip 1000
    # Table name (will later be appended with VS name and client IP)
    set static::tbl "vsratelimit"
}
when CLIENT_ACCEPTED {
    # If client IP is exempted skip the rest of the rule and return
    if {[class match [IP::client_addr] equals concurrent_sessions_exemptions]} {
        return
    }
    # Set the key to the client TCP port (unique per client IP, so it identifies this connection)
    set key "[TCP::client_port]"
    # Append the VS name and client IP to the end of the table name
    set tbl ${static::tbl}_[virtual name]_[IP::client_addr]
    # Check if over the max connection limit and if so reject
    if {[table keys -subtable $tbl -count] >= $static::max_connections_per_ip} {
        # Reject the connection; CLIENT_CLOSED is disabled so no entry is deleted for it
        event CLIENT_CLOSED disable
        reject
        log local0. "Connection rejected for [IP::client_addr], max connections exceeded"
    } else {
        # Connection accepted, add key for client port with a 180 second timeout
        table set -subtable $tbl $key 1 180
        log local0. "Entry added to $tbl for $key"
        # Set timer to keep key alive: each lookup resets the 180 second timeout. If the
        # connection dies without CLIENT_CLOSED the timer dies with it and the timeout
        # on the key will cause it to be removed
        set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
    }
}
when CLIENT_CLOSED {
    # If client IP is exempted skip the rest of the rule and return
    if {[class match [IP::client_addr] equals concurrent_sessions_exemptions]} {
        return
    }
    # Set the key to the client TCP port (same key used in CLIENT_ACCEPTED)
    set key "[TCP::client_port]"
    # Append the VS name and client IP to the end of the table name
    set tbl ${static::tbl}_[virtual name]_[IP::client_addr]
    # Remove the timer (guarded in case it was never set for this connection)
    if {[info exists timer]} {
        after cancel $timer
    }
    # Clear the table entry
    table delete -subtable $tbl $key
    log local0. "Table $tbl entry deleted for $key"
}
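A Python model of the table logic in the iRule above (an added example, not code from the post or from F5): one subtable per VS and client IP, the client port as key, a 180 s entry timeout and a 60 s keep-alive lookup. It shows why the periodic timer matters: a connection that ends without CLIENT_CLOSED leaves its key behind, and only the timeout clears it, while live connections keep their keys refreshed. All names and addresses are constructed.

```python
from dataclasses import dataclass, field

MAX_PER_IP = 1000        # static::max_connections_per_ip
KEY_TIMEOUT = 180        # table set ... 1 180
REFRESH_INTERVAL = 60    # after 60000 -periodic


@dataclass
class Table:
    """Expiring key store standing in for the BIG-IP session table (simulated time)."""
    now: int = 0
    entries: dict = field(default_factory=dict)   # (subtable, key) -> expiry time

    def set(self, sub, key, timeout):
        self.entries[(sub, key)] = self.now + timeout

    def lookup(self, sub, key):
        # A default 'table lookup' touches the entry, resetting its timeout.
        if (sub, key) in self.entries:
            self.entries[(sub, key)] = self.now + KEY_TIMEOUT

    def delete(self, sub, key):
        self.entries.pop((sub, key), None)

    def expire(self):
        self.entries = {k: v for k, v in self.entries.items() if v > self.now}

    def count(self, sub):
        self.expire()
        return sum(1 for (s, _) in self.entries if s == sub)

    def advance(self, seconds, live_conns):
        """Move time forward; every 60 s each live connection's timer touches its key."""
        for _ in range(seconds):
            self.now += 1
            if self.now % REFRESH_INTERVAL == 0:
                for sub, key in live_conns:
                    self.lookup(sub, key)
        self.expire()


def subtable(vs, ip):
    return f"vsratelimit_{vs}_{ip}"


def client_accepted(table, vs, ip, port, max_per_ip=MAX_PER_IP):
    """CLIENT_ACCEPTED: reject (False) when the per-IP subtable is full, else add the key."""
    sub = subtable(vs, ip)
    if table.count(sub) >= max_per_ip:
        return False
    table.set(sub, port, KEY_TIMEOUT)
    return True


def client_closed(table, vs, ip, port):
    """CLIENT_CLOSED: remove this connection's key."""
    table.delete(subtable(vs, ip), port)


def simulate():
    """Two connections from one IP: port 50001 stays up (timer refreshes its key),
    port 50002 dies without CLIENT_CLOSED (its timer dies, key expires after 180 s)."""
    t, vs, ip = Table(), "vs_web", "203.0.113.10"
    client_accepted(t, vs, ip, 50001)
    client_accepted(t, vs, ip, 50002)
    live = [(subtable(vs, ip), 50001)]
    t.advance(120, live)
    after_120 = t.count(subtable(vs, ip))   # 2: orphaned key not yet expired
    t.advance(120, live)
    after_240 = t.count(subtable(vs, ip))   # 1: orphan expired, live key refreshed
    client_closed(t, vs, ip, 50001)
    return after_120, after_240, t.count(subtable(vs, ip))
```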