Forum Discussion

Kenny_Lussier_5
Jul 27, 2010

Limiting connections based on data group

Hi All,

Please excuse my lack of knowledge. I am very new to F5, and I am trying to work through a PoC with LTM v10.1. I have searched through and found several examples of how to limit traffic based on IP address. I am currently using this iRule with some success:

    when CLIENT_ACCEPTED {
        set client_ip [IP::remote_addr]

        # Count the connections currently tracked for this client address
        if { [table keys -subtable $client_ip -count] > 10 } {
            log local0. "Client $client_ip has too many connections"
            reject
            return
        } else {
            log local0. "Client $client_ip has [table keys -subtable $client_ip -count] connections"
            # Track this connection, keyed by the client's source port
            table add -subtable $client_ip [TCP::remote_port] 1
        }
    }

    when CLIENT_CLOSED {
        # Remove this connection from the per-client count when it closes
        table delete -subtable $client_ip [TCP::remote_port]
    }


However, what I really need to do is limit the number of concurrent connections based on data group. What I would like to do is create 10+ data groups, each containing anywhere from 2 to 50 IP addresses, and limit the number of connections of all addresses in the group. Can someone help me with 1) how to search all existing data groups for client_ip and 2) how to add up all of the existing connections of all of the other addresses in the data group?

Is there a better way to accomplish this?

Thanks,

Kenny


  • Hamish
    You want the class command... There are two ways to do this...

    1. Use datagroups of type address. Then simply drop addresses and netmasks into the group. A simple test for the group containing the IP address is as simple as

    
      # class match returns 1 when the client address is a host or network in the data group
      if { [class match [IP::client_addr] equals $className] } {
         # do whatever...
      }
    

    However this doesn't scale very well as the number of datagroups increases (I'm assuming you're using different datagroups to indicate different connection limits).

    What I'd do is have a single DG, and use key/value pairs. e.g.

    
    address1:connlimit
    address2:connlimit
    

    and use the class command to look up the address and get back the connlimit. The actual counting of connlimit, I'd do with a table. Just like you're doing above. Just replace the hardcoded '10' with the connlimit that you get back from the DG.

    H
  • Hamish
    Oh. The class function docs are at

    http://devcentral.f5.com/wiki/default.aspx/iRules/class.html

    H
  • Hamish,

    Thank you very much for the response. The datagroups actually represent customers. Customers can have any number of IP addresses hitting us, but we need to limit the number of concurrent connections of the overall customer, not just the individual IP address. So, the connection limit of 10, for example, will apply to the customer. Different customers/data groups will have different connection limits, but the limit is on their pool of addresses.

    I will read up on the class documents.

    Thanks,

    Kenny


  • I think I am missing something. What I need to do is search all classes, but it seems like wild cards can't be used, and there is no way to list classes and match against a `for each in ` type of array. `class match` and `class lookup` require the name of a specific class to search. What I need to do is search through all classes to find which class an IP address is in.

    Thanks,

    Kenny


  • hoolio
    Hi Kenny,

    I think Hamish was suggesting that you use a single address type datagroup and then set a value to return if the client IP matches a particular host or network. Here is an example from the bigip.conf:

    
    class conn_limit_class {
       {
          host 1.1.1.1 { "cust1" }
          network 2.2.2.0/24 { "cust1" }
          network 3.3.3.0/24 { "cust2" }
          network 4.4.5.0/24 { "cust2" }
       }
    }
    

    You could then use a class function to query the class and get the customer group name for that particular client. You could use the table command to track the number of active connections per customer group. You could store the connection limit for each customer group in a separate datagroup or hardcode it in an array in the iRule.

    Aaron
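Putting Hamish's single-data-group idea and Aaron's customer-group mapping together, here is an added iRule example (not code from either poster, and not tested against the original poster's environment) that enforces the per-customer limit Kenny described. It assumes two data groups whose names are hypothetical: `customer_by_addr`, an address-type group like Aaron's `conn_limit_class` that maps each host or network to a customer name, and `limit_by_customer`, a string-type group that maps each customer name to its concurrent connection limit. Connections are counted in one table subtable per customer, so every address belonging to that customer draws from the same pool.

```tcl
# Added example (not from the thread). Assumed data groups:
#   customer_by_addr  (type address) e.g. host 1.1.1.1 { "cust1" }, network 2.2.2.0/24 { "cust1" }
#   limit_by_customer (type string)  e.g. "cust1" { "10" }, "cust2" { "25" }

when CLIENT_ACCEPTED {
    # Map the client address to its customer name; empty string if no host/network matches
    set customer [class match -value [IP::client_addr] equals customer_by_addr]

    if { $customer eq "" } {
        # Unknown client: not subject to a customer limit, so stop here
        return
    }

    # Look up the customer's limit; fall back to a default (assumed value) if none is configured
    set limit [class match -value $customer equals limit_by_customer]
    if { $limit eq "" } {
        set limit 10
    }

    # Active connections for this customer across all of its addresses
    set active [table keys -subtable $customer -count]
    if { $active >= $limit } {
        log local0. "Customer $customer at limit ($active/$limit); rejecting [IP::client_addr]:[TCP::remote_port]"
        reject
        return
    }

    # Track this connection with a key that is unique across the customer's addresses
    set conn_key "[IP::client_addr]:[TCP::remote_port]"
    table set -subtable $customer $conn_key 1 indefinite
    log local0. "Customer $customer now at [expr {$active + 1}]/$limit connections"
}

when CLIENT_CLOSED {
    # Release the slot when the connection ends; conn_key only exists for tracked connections
    if { [info exists conn_key] } {
        table delete -subtable $customer $conn_key
    }
}
```

The table entries use an `indefinite` timeout so long-lived connections are never silently dropped from the count; `CLIENT_CLOSED` is what removes them. The count-then-set sequence is not atomic, so two connections arriving at the same instant can both pass the check when the customer is one below its limit; for a hard ceiling that overshoot has to be accepted or the check moved to a single atomic table operation.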