Forum Discussion
Using data group for limiting the concurrent client connections from different subnets
Hi All,
We have recently deployed F5 in our environment. We are running 11.5.3 version.
We are trying to set up rule to limit the concurrent connections from a source IP to a particular value. After testing varios snippets, the best one worked for us was (https://devcentral.f5.com/tech-tips/articles/iruleology-connection-limiting-take-2):
when CLIENT_ACCEPTED { set tbl "connlimit:[IP::client_addr]" set key "[TCP::client_port]" table set -subtable $tbl $key "ignored" 180 if { [table keys -subtable $tbl -count] > 46 } { table delete -subtable $tbl $key event CLIENT_CLOSED disable reject
} else { here the timer value is in ms ; 60000 ms (60 sec) set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
} }
However, when I start like 60 parallel concurrent connections it allows like 42 (or something) slight less than the set value. But then if I again try to make the connections (when pref connections are active) it does eventually limits me to 46 (total). This is probably an expected behavior , and we will see some %age of error?
My concern is to Limit the connections per subnets, hosts. As I was browsing through, data group can help me to achieve that.
So, I created an address data group "connlimit_dg" with address records in the GUI: Address Records: 192.0.0.0/255.0.0.0 := 22 10.0.0.0/255.0.0.0 :=22
I see like '1' or sometimes none connection allowed to my test host (everything else is refused). I am suspecting I am not referring to the data group correctly.
See the snippet:
when CLIENT_ACCEPTED { Max connections per client IP set limit [class match [IP::client_addr] equals "connlimit_dg"]
Set a subtable name with a standard prefix and the client IP set tbl "connlimit:[IP::client_addr]"
Use a key of the client IP:port set key "[IP::client_addr][TCP::client_port]"
table set -subtable $tbl $key "ignored" 180 if { [table keys -subtable $tbl -count] > $limit} { table delete -subtable $tbl $key event CLIENT_CLOSED disable reject
} else { here the timer value is in ms ; 60000 ms (60 sec) set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
} } when CLIENT_CLOSED { after cancel $timer table delete -subtable $tbl $key
}
Thanks!
Regards Renuka
- jgranieriNimbostratus
I think if you added a log statement after each set statement it would help determine where the issue lies. log each [IP::client_addr] output and more importantly. More importantly can you also run a table output dump or log the table output just before the event CLIENT_CLOSED disable reject ?
- cdis_249710NimbostratusHowever, do let me know if you have any inputs.
- cdis_249710NimbostratusLooks like I was missing "-value". This seems to be working, it not very accurate in terms of parallel connections Limit each client IP address to 20 concurrent connections when CLIENT_ACCEPTED { Max connections per client IP set limit [class match -value [IP::client_addr] equals connlimit_dg] Set a subtable name with a standard prefix and the client IP set tbl "connlimit:[IP::client_addr]" Use a key of the client IP:port set key "[IP::client_addr][TCP::client_port]" table set -subtable $tbl $key "ignored" 180 if { [table keys -subtable $tbl -count] > $limit} { table delete -subtable $tbl $key event CLIENT_CLOSED disable reject } else { here the timer value is in ms ; 60000 ms (60 sec) set timer [after 60000 -periodic { table lookup -subtable $tbl $key }] } } when CLIENT_CLOSED { after cancel $timer table delete -subtable $tbl $key }
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com