Mike_Pimlott_61
Nimbostratus
Nov 28, 2006
Limit connections to node IP after load balancing
Hi
I have been trawling through the examples on the site and seem to have tried everything to no avail.
I am trying to generate an iRule that will monitor the connections to a NODE ...
hoolio
Cirrostratus
Dec 12, 2008
Actually, even though the TCL man page doesn't list it, 'info exist variable_name' works.
I'm not sure how the iRule you posted could log "Reject IP 10.0.0.1 (6)" if the check on the client IP connection count was still set to 10.
There seem to be a few logic errors in the Codeshare example though. The first test was to see if the client IP existed in the connection count array and if the client wasn't in the whitelist array. If a new client in the whitelist array made a request that test would be false, but then in the else clause they'd still get added to the connection count array.
I removed the $client_ip references, as the IP::client_addr value is cached for the duration of the connection. Also, you should increment the connection count if the client is in the connection count array regardless of whether you're going to reset the connection (when you reset the connection, their connection count will be decremented in CLIENT_CLOSED). Lastly, I don't think you need to check if the client is in the white list in CLIENT_CLOSED, as white listed IPs will never be added to the connection count array.
Aaron
when RULE_INIT {
    # Clear the array of clients with open connections to the VIP
    array set ::active_clients { }
    # Replace this array with a datagroup once done testing!
    # array set takes key/value pairs; only the key is tested (with info exists), so the value is a dummy 1.
    # The array is global (::) because CLIENT_ACCEPTED reads it as ::white_client.
    array set ::white_client {
        10.41.0.610 1
        10.0.0.2 1
    }
}
when CLIENT_ACCEPTED {
    log local0. "\$::active_clients: [array get ::active_clients] (size: [array size ::active_clients])"
    # Check if the client is already in the active clients array
    if { ([info exists ::active_clients([IP::client_addr])]) } {
        # Regardless of whether we reject this client, we've already accepted the TCP connection,
        # so increment the counter for this client. The count will be decremented when the connection is closed.
        incr ::active_clients([IP::client_addr])
        log local0. "Incremented \$::active_clients([IP::client_addr]) to: $::active_clients([IP::client_addr])"
        # Check if client is already over the maximum
        if { $::active_clients([IP::client_addr]) > 10 } {
            # Send TCP reset to client
            reject
            log local0. "Rejected IP [IP::client_addr], count ($::active_clients([IP::client_addr]))"
        }
        # Don't need an else clause here. The default action will be to allow the connection to continue.
    } elseif { ![info exists ::white_client([IP::client_addr])] } {
        # Client wasn't already in the array and isn't in the white list, so add them to the array with a count of 1.
        set ::active_clients([IP::client_addr]) 1
        log local0. "Initialised \$::active_clients([IP::client_addr]) to: 1"
    }
}
when CLIENT_CLOSED {
    # Check if the client has a count in the array
    if { [info exists ::active_clients([IP::client_addr])] } {
        # Decrement the count by 1
        incr ::active_clients([IP::client_addr]) -1
        # Check if the count is 0 or negative
        if { $::active_clients([IP::client_addr]) <= 0 } {
            # Clear the array element
            unset ::active_clients([IP::client_addr])
        }
    }
}
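The whitelist flaw described in the post above, next to the corrected ordering, modelled in plain Tcl so the counting logic can be exercised in tclsh off-box. This is an added example, not code from the thread or from the Codeshare entry: `flawed_accept` is reconstructed from the post's description only, and the proc names, `MAX_CONNS` and the sample addresses are assumptions.

```tcl
# Plain-Tcl model of the per-client counter (runs in tclsh; all names and addresses are constructed).
set MAX_CONNS 10
array set whitelist {10.0.0.2 1}

# Ordering the post criticises (reconstructed from its description): one
# combined test, so a new whitelisted client falls through to the else branch.
proc flawed_accept {ip} {
    global active whitelist
    if {[info exists active($ip)] && ![info exists whitelist($ip)]} {
        incr active($ip)
    } else {
        set active($ip) 1
    }
    return allow
}

# Corrected ordering: count every tracked client, start tracking only non-whitelisted ones.
proc fixed_accept {ip} {
    global active whitelist MAX_CONNS
    if {[info exists active($ip)]} {
        incr active($ip)
        if {$active($ip) > $MAX_CONNS} { return reject }
    } elseif {![info exists whitelist($ip)]} {
        set active($ip) 1
    }
    return allow
}

proc client_closed {ip} {
    global active
    if {[info exists active($ip)]} {
        incr active($ip) -1
        if {$active($ip) <= 0} { unset active($ip) }
    }
}

# Whitelisted client: tracked by the flawed test, never tracked by the fixed one.
array set active {}
flawed_accept 10.0.0.2
puts "flawed tracks whitelisted client: [info exists active(10.0.0.2)]"
array unset active
fixed_accept 10.0.0.2
puts "fixed tracks whitelisted client:  [info exists active(10.0.0.2)]"
# Ordinary client opens 12 connections; a rejected one is reset, then closed.
for {set i 1} {$i <= 12} {incr i} {
    set verdict [fixed_accept 10.0.0.9]
    if {$verdict eq "reject"} { client_closed 10.0.0.9 }
    puts "connection $i: $verdict (open: $active(10.0.0.9))"
}
```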
