For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mat1010_230145's avatar
mat1010_230145
Icon for Nimbostratus rankNimbostratus
Oct 28, 2015

Rate limit only new connections

Hi, right now i'm using the following iRule on our big-ip 4200 to globally keep track of req/s through all vservers using this iRule. when HTTP_REQUEST { Set lifetime to 1s for earch request...
application delivery
devops
iRules
LTM
mat1010_230145's avatar
mat1010_230145
Icon for Nimbostratus rankNimbostratus
Oct 28, 2015

I'm now using the following which seems to work as I would expect it:

when HTTP_REQUEST {
   Set lifetime to 1s for earch request
  set lifetime 1

   Set the limit of req/s
  set requestlimit 10

   Adding "GlobalCount" to the table starting with a value of 1 and the lifetime of $lifetime
  table add "Globalcount" 1 indefinite $lifetime

   Set local variable "$currentcount" to the value of GlobalCount from the table
  set currentcount [table lookup -notouch Globalcount]

  log local0. "VIP: [HTTP::host]"
  log local0. "GlobalCount: $currentcount"

  if { $currentcount < $requestlimit } {
    table incr -notouch "Globalcount"
    table add -subtable connlimit:[IP::client_addr] [TCP::client_port] &quot;&quot; 180
  } elseif { [table keys -subtable connlimit:[IP::client_addr] -count] >= 1 } {
    table incr -notouch &quot;Globalcount&quot;
  } else {
    log local0. "Redirected to http://[HTTP::host]/somePage.html"
    HTTP::redirect "http://[HTTP::host]/somePage.html"
  }
}

Would be great if someone of the more experienced people could look at it and let me know if there's major pitfall in my iRule.

Thanks in advance