mat1010_230145
Oct 28, 2015

Rate limit only new connections

Hi,

Right now I'm using the following iRule on our BIG-IP 4200 to globally keep track of req/s through all vservers using this iRule.

when HTTP_REQUEST {

  # Set lifetime to 1s for each request
  set lifetime 1

  # Set the limit of req/s
  set requestlimit 10

  # Adding "GlobalCount" to the table starting with a value of 1 and the lifetime of $lifetime
  # (table add is a no-op while the key still exists, so the counter survives for $lifetime seconds)
  table add "Globalcount" 1 indefinite $lifetime

  # Set local variable "currentcount" to the value of GlobalCount from the table
  set currentcount [table lookup -notouch Globalcount]

  log local0. "VIP: [HTTP::host]"
  log local0. "GlobalCount: $currentcount"

  if { $currentcount < $requestlimit } {
    table incr -notouch "Globalcount"
  } else {
    log local0. "Redirected to http://[HTTP::host]/somePage.html"
    HTTP::redirect "http://[HTTP::host]/somePage.html"
  }
}

Now I'd like to only limit new connections and not those that are already established.

Do I have to create another table where I store all the IPs of the active connections and set a timeout when those should be treated as new connections, or is there a more efficient way to do this?

1 Reply

  • I'm now using the following, which seems to work as I would expect:

    when HTTP_REQUEST {
      # Set lifetime to 1s for each request
      set lifetime 1

      # Set the limit of req/s
      set requestlimit 10

      # Adding "GlobalCount" to the table starting with a value of 1 and the lifetime of $lifetime
      table add "Globalcount" 1 indefinite $lifetime

      # Set local variable "$currentcount" to the value of GlobalCount from the table
      set currentcount [table lookup -notouch Globalcount]

      log local0. "VIP: [HTTP::host]"
      log local0. "GlobalCount: $currentcount"

      if { $currentcount < $requestlimit } {
        table incr -notouch "Globalcount"
        # Remember this client: subtable per client IP, one entry per source port, kept for 180s
        table add -subtable connlimit:[IP::client_addr] [TCP::client_port] "" 180
      } elseif { [table keys -subtable connlimit:[IP::client_addr] -count] >= 1 } {
        # Any live entry for this client IP means an established client: count it, but don't redirect
        table incr -notouch "Globalcount"
      } else {
        log local0. "Redirected to http://[HTTP::host]/somePage.html"
        HTTP::redirect "http://[HTTP::host]/somePage.html"
      }
    }

    Would be great if one of the more experienced people could look at it and let me know if there's a major pitfall in my iRule.

    Thanks in advance
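A stand-alone Python model of the reply's decision logic, added here as an illustration (it is not F5 code and not the poster's): it mimics the session-table lifetime and subtable timeout semantics in memory and replays a constructed request trace, so the effect of the elseif branch can be checked without a BIG-IP.

```python
from dataclasses import dataclass, field

REQUEST_LIMIT = 10    # requestlimit in the iRule
COUNT_LIFETIME = 1    # lifetime of the "Globalcount" entry, seconds
CONN_TIMEOUT = 180    # timeout of each connlimit subtable entry, seconds


@dataclass
class TableModel:
    """In-memory stand-in for the parts of the BIG-IP session table the iRule uses."""
    count: int = 0                 # 0 means the Globalcount entry does not exist
    count_expires: float = -1.0    # absolute time at which that entry is removed
    conns: dict = field(default_factory=dict)  # (client_ip, client_port) -> expiry

    def _expire(self, now):
        if now >= self.count_expires:
            self.count = 0
        self.conns = {k: t for k, t in self.conns.items() if t > now}

    def request(self, now, ip, port):
        """Decide one HTTP_REQUEST the way the reply's iRule does: 'allow' or 'redirect'."""
        self._expire(now)
        if self.count == 0:        # table add only creates the key when it is absent
            self.count = 1
            self.count_expires = now + COUNT_LIFETIME
        current = self.count       # table lookup -notouch Globalcount
        # table keys -subtable connlimit:<ip> -count >= 1: any live entry for this IP
        known = any(k[0] == ip for k in self.conns)
        if current < REQUEST_LIMIT:
            self.count += 1
            self.conns[(ip, port)] = now + CONN_TIMEOUT
            return "allow"
        if known:
            self.count += 1        # established client bypasses the global limit
            return "allow"
        return "redirect"


def run_trace(trace):
    """Replay (time, client_ip, client_port) tuples and return the per-request decisions."""
    model = TableModel()
    return [model.request(t, ip, port) for t, ip, port in trace]


# Constructed trace: ten requests from client A inside one second, then a new
# client B while the counter is full, A again, and B after the counter expired.
TRACE = ([(0.01 * i, "10.0.0.1", 50000) for i in range(10)]
         + [(0.5, "10.0.0.2", 40000), (0.6, "10.0.0.1", 50000), (1.5, "10.0.0.2", 40000)])

if __name__ == "__main__":
    for (t, ip, _), decision in zip(TRACE, run_trace(TRACE)):
        print(f"t={t:.2f}s {ip}: {decision}")
```

Replaying the trace shows two points to keep in mind: with requestlimit 10 only 9 new requests per second pass the first branch, because the counter is created at 1, and any client IP that got one request through keeps passing for 180 s regardless of the global count. The limit therefore only throttles clients that have not connected recently, and every client behind one NAT address shares that "established" status.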