Forum Discussion
George_San_Pedr
Aug 04, 2005
rate limiting per user/IP
Hi,
I am trying to rate limit my tcp connections based on client source/destination IPs so that a given user is limited to 15k/sec. Any suggestion on how to achieve this based on irules an...
Aug 05, 2005
No need to loop. If you want to mask off an entire Class C subnet, you can use the slash notation in the comparison. Try this:
when CLIENT_ACCEPTED {
    if {[IP::addr "[IP::client_addr]/24" equals "aaa.bbb.ccc.0/24"]} {
        log local0. "[IP::client_addr] being sent to rateclass class1"
        rateclass class1
    }
}

The IP::client_addr is probably what you want to be going with as well when comparing.
Also, make sure you are using the IP::addr command when comparing IP addresses; it makes sure it's not a string compare but an actual IP address comparison, which is more optimal and accurate.
If you had multiple subnets you need to monitor, you could create an IP Address Data Group and use the matchclass command in conjunction with that data group.
-Joe
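The reply above contrasts a masked IP address comparison with a string compare and suggests a data group for multiple subnets. The following Python model of both ideas is an added example, not part of the original thread and not iRule code; the subnets are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for an IP Address Data Group (documentation ranges).
RATE_LIMITED_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def masked_equals(client_addr, subnet):
    """Model of a slash-notation comparison: apply the subnet mask to the
    client address and compare the result with the network address."""
    net = ipaddress.ip_network(subnet)
    addr = ipaddress.ip_address(client_addr)
    if addr.version != net.version:
        return False  # never match IPv4 against IPv6
    return (int(addr) & int(net.netmask)) == int(net.network_address)


def string_prefix_equals(client_addr, prefix):
    """Naive string comparison, shown only for contrast."""
    return client_addr.startswith(prefix)


def pick_rate_class(client_addr, subnets=RATE_LIMITED_SUBNETS,
                    rate_class="class1"):
    """Return the rate class for a client in any listed subnet, else None
    (the multi-subnet data group lookup, modeled as a list scan)."""
    addr = ipaddress.ip_address(client_addr)
    for net in subnets:
        if addr in net:
            return rate_class
    return None


if __name__ == "__main__":
    # 192.0.20.7 is outside 192.0.2.0/24, yet shares the text prefix "192.0.2".
    for ip in ("192.0.2.77", "192.0.20.7", "198.51.100.200"):
        print(ip,
              "masked:", masked_equals(ip, "192.0.2.0/24"),
              "string:", string_prefix_equals(ip, "192.0.2"),
              "class:", pick_rate_class(ip))
```

The string compare places 192.0.20.7 in the limited subnet because it only sees matching leading characters; the masked comparison does not.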