Forum Discussion
Klaus_Gerthein1
Nimbostratus
Mar 01, 2006
Limit the packets per second for a session
Hello,
I am new to iRules and need some tips.
I used the iRule "Limit Connections From Client" from the iRule Wiki and added the
CLIENT_DATA part to this rule. Will this iRule limit the connections per source IP address
and the packets per second per source IP address?
With this rule I want to limit DNS queries and connections from clients to our DNS caches.
when RULE_INIT {
    # max number of concurrent connections per source address
    set ::maxcon 10
    # max number of packets per second per source address
    set ::maxpackets 10
    array set ::active_clients { }
}
This part is from the iRule Wiki "Limit Connections From Client"
when CLIENT_ACCEPTED {
    set client_ip [IP::remote_addr]
    if { [info exists ::active_clients($client_ip)] } {
        # use >= so that exactly $::maxcon connections are admitted per source
        if { $::active_clients($client_ip) >= $::maxcon } {
            reject
            return
        } else {
            incr ::active_clients($client_ip)
        }
    } else {
        set ::active_clients($client_ip) 1
    }
}
I have added this part
when CLIENT_DATA {
    # If 'IP::stats pkts in / IP::stats age' is larger than maxpackets, reject.
    # IP::stats age is reported in milliseconds; guard against an age of 0 on the first packet.
    if { [IP::stats age] > 0 } {
        if { [expr { [IP::stats pkts in] / [IP::stats age] }] > $::maxpackets } {
            reject
            return
        }
    }
}
This part is from the iRule Wiki "Limit Connections From Client"
when CLIENT_CLOSED {
    if { [info exists ::active_clients($client_ip)] } {
        incr ::active_clients($client_ip) -1
        if { $::active_clients($client_ip) <= 0 } {
            unset ::active_clients($client_ip)
        }
    }
}
2 Replies
Colin_Walker_12
Historic F5 Account
That's a neat way of going about the math, using variables that are already there. I think this will probably get you close to what you're looking for. I would suggest taking a look at the rateclass features available on BIG-IP, though, as they are more robust when it comes to rate limiting, and can be dynamically selected via an iRule if necessary.
-Colin
Klaus_Gerthein1
Nimbostratus
Hi Colin,
thanks for your hint and sorry for my late response.
I modified the CLIENT_DATA part, because IP::stats age is in milliseconds.
when CLIENT_DATA {
    # only evaluate once the session is older than one second
    if { [IP::stats age] > 1000 } {
        # milliseconds to seconds
        set age_sec [expr { [IP::stats age] / 1000 }]
        # packets per second over the life of the session
        set packets [expr { [IP::stats pkts in] / $age_sec }]
        log "Packets per second $packets, packets [IP::stats pkts in], age [IP::stats age] milliseconds"
        if { $packets > $::maxpackets } {
            log "Client $client_ip rejected with $packets packets per second"
            reject
            return
        }
    }
}
I tested the iRule on a BIG-IP 5100 with version 9.1.0.
The rule seems to work. I have tested it with one client
and one server. I don't know what will happen if thousands
of clients and connections penetrate the load balancer.
The rate classes in an iRule will be the best way to limit the bandwidth
in a production environment.
The only feature I miss in version 9.x is limiting the concurrent connections per client/source
IP address in a rate class or as a feature of a virtual server, without using an iRule.
This feature would be very helpful when a service is under heavy load.
It is possible to limit the connections for a virtual server, but then one or more bad clients are able
to use up all of these connections.
Best regards
Klaus
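The check in both versions of the CLIENT_DATA rule above divides the packets received over the whole session by the session age, so it measures a lifetime average rather than the current rate. The following Python is an added example, not code from this thread or from F5: it models the thread's two checks (the concurrent-connection counter and packets in / session age) in plain Python and contrasts the average-based check with a one-second window per source address, using constructed packet traces. All names in it (Packet, the limiter classes, the sample traces) are assumptions for illustration and are not BIG-IP APIs.

```python
"""Per-source-IP rate limiting modelled in plain Python.

Added example, not code from the DevCentral thread or from F5. It models
what the posted iRule measures (packets in / session age, plus a
concurrent-connection counter) and contrasts the average-based check
with a one-second window per source, on constructed packet traces.
All names (Packet, the limiter classes, the traces) are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_CONN = 10  # concurrent connections per source (::maxcon in the thread)
MAX_PPS = 10   # packets per second per source (::maxpackets in the thread)


@dataclass
class Packet:
    t_ms: int  # arrival time in milliseconds
    src: str   # source IP address


class ConcurrentLimiter:
    """Per-source connection counter; reject once MAX_CONN are already open."""

    def __init__(self, max_conn=MAX_CONN):
        self.max_conn = max_conn
        self.active = defaultdict(int)

    def open(self, src):
        if self.active[src] >= self.max_conn:  # >= so exactly max_conn get through
            return False
        self.active[src] += 1
        return True

    def close(self, src):
        if self.active[src] > 0:
            self.active[src] -= 1


class LifetimeAverageLimiter:
    """What the thread's CLIENT_DATA rule computes: pkts in / session age."""

    def __init__(self, max_pps=MAX_PPS):
        self.max_pps = max_pps
        self.first_seen = {}
        self.pkts = defaultdict(int)

    def accept(self, pkt):
        self.first_seen.setdefault(pkt.src, pkt.t_ms)
        self.pkts[pkt.src] += 1
        age_ms = pkt.t_ms - self.first_seen[pkt.src]
        if age_ms < 1000:  # the posted rule only evaluates sessions older than 1 s
            return True
        return self.pkts[pkt.src] * 1000 / age_ms <= self.max_pps


class WindowLimiter:
    """Fixed one-second window per source: only recent packets count."""

    def __init__(self, max_pps=MAX_PPS, window_ms=1000):
        self.max_pps = max_pps
        self.window_ms = window_ms
        self.window_start = {}
        self.count = defaultdict(int)

    def accept(self, pkt):
        start = self.window_start.get(pkt.src)
        if start is None or pkt.t_ms - start >= self.window_ms:
            self.window_start[pkt.src] = pkt.t_ms
            self.count[pkt.src] = 0
        self.count[pkt.src] += 1
        return self.count[pkt.src] <= self.max_pps


def rejected(limiter, trace):
    """Number of packets in the trace the limiter would reject."""
    return sum(0 if limiter.accept(p) else 1 for p in trace)


# Constructed traces (not captured traffic).
# A client that sends one query, idles for a minute, then bursts 100 queries
# within one second: its lifetime average never exceeds ~1.7 pps.
BURST = [Packet(0, "10.0.0.5")] + [Packet(60_000 + 10 * i, "10.0.0.5") for i in range(100)]
# A well-behaved resolver sending a steady 5 queries per second for 5 s.
STEADY = [Packet(200 * i, "10.0.0.9") for i in range(25)]


if __name__ == "__main__":
    print("burst : lifetime rejects", rejected(LifetimeAverageLimiter(), BURST),
          "/ window rejects", rejected(WindowLimiter(), BURST))
    print("steady: lifetime rejects", rejected(LifetimeAverageLimiter(), STEADY),
          "/ window rejects", rejected(WindowLimiter(), STEADY))
```

On the burst trace the lifetime-average check rejects nothing, because the minute of idle time dilutes the 100-packet burst, while the one-second window admits 10 and rejects 90; both pass the steady client untouched. This is why a windowed or token-bucket mechanism such as the BIG-IP rate classes Colin mentions is the better fit for a production DNS cache. Note also that in the iRule `reject` closes the connection rather than discarding only the offending packet.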