For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

George_San_Pedr's avatar
George_San_Pedr
Icon for Altostratus rankAltostratus
Aug 04, 2005

rate limiting per user/IP

Hi,

 

 

I am trying to rate limit my tcp connections based on client source/destination IPs so that a given user is limited to 15k/sec. Any suggestion on how to achieve this based on irules and rate shaping?

 

 

Thanks,

 

 

George
application delivery
dev
devops
iRules

4 Replies

  • Ken_Wong_48678's avatar
    Ken_Wong_48678
    Historic F5 Account
    Aug 05, 2005
    Hi Colin,

     

     

    This is Ken, I also encounter a simlar case. How about if I do not know the exactly ip of the user but I know the range? Should I pre-defined the client ip to rateclass mapping?

     

     

    There are may be a class C subnet, I need to create 254 rateclass to map with client ip. Is there any loop can be used in rule to simplify the rule. Thanks!

     

     

    Regards,

     

    Ken
  • Joe_Pruitt's avatar
    Joe_Pruitt
    Aug 05, 2005
    No need to loop. If you want to mask off an entire Class C subnet, you can use the slash notation in the comparison. Try this:

    when CLIENT_ACCEPTED {
  if {[IP::addr "[IP::client_addr]/24" equals "aaa.bbb.ccc.0/24"]} {
    log local0. "[IP::client_addr] being sent to rateclass class1" 
    rateclass class1
  }
}

    The IP::client_addr is probably what you want to be going with as well when comparing.

    Also, make sure you are using the IP::addr command when comparing IP Addresses, it makes sure it's not a string compare but a actual IP Address comparison which is more optimal and accurate.

    If you had multiple subnets you need to monitor, you could create an IP Address Data Group and use the matchclass command in conjunction with that data group.

    -Joe
  • Ken_Wong_48678's avatar
    Ken_Wong_48678
    Historic F5 Account
    Aug 05, 2005
    Hi Joe,

     

     

    Thanks for your information. But actually, I want to ensure every ip in a class C subnet has same separate rateclass not share, such as following

     

     

    192.168.0.1/24 -> class1

     

    192.168.0.2/24 -> class2

     

    :

     

    :

     

    192.168.0.254/24 -> class254

     

     

    Can I use rule to perform this settings? TIA

     

     

    Regards,

     

    Ken
  • Ken_Wong_48678's avatar
    Ken_Wong_48678
    Historic F5 Account
    Aug 08, 2005
    Hi Colin,

     

     

    It's great. I just look for your secondary suggestion. It is a streaming services that I need to make sure every ip (customer) has received bandwidth.

     

     

    Could you tell me a little bit more of set rclass [concat class [lindex {$octets} end]]. If I am not using the last octet, what syntax I can use to replace "end".

     

     

    Finally, where can I find these "split, concat and lindex..." command information? I cannot find these in BIG-IP menu, I believe there are many useful command I can use in the irule. Pls. let me know where I can find these resources. Thanks!

     

     

    Regards,

     

    Ken