iRule: Limit Connections from single client
A question came across the wire asking how to enable connection limiting based on a single client address.
I need to limit the number of concurrent connections to a virtual server based on source IP or source subnet, so for example a given IP or subnet can have only 5 simultaneous connections at any given time with a specific virtual server. If a 6th connection comes in, then I'd like to reset or simply drop the incoming SYN.
User Shin posted this solution.
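when RULE_INIT {
    # Global array: client IP -> number of currently open connections
    array set ::active_clients { }
}
when CLIENT_ACCEPTED {
    set client_ip [IP::remote_addr]
    # counted records whether this connection was added to the count
    set counted 0
    if { [info exists ::active_clients($client_ip)] } {
        # Already 5 open connections from this address: refuse the 6th
        if { $::active_clients($client_ip) >= 5 } {
            reject
            return
        } else {
            incr ::active_clients($client_ip)
        }
    } else {
        set ::active_clients($client_ip) 1
    }
    set counted 1
}
when CLIENT_CLOSED {
    # Only decrement for connections that were counted, so the close of a
    # rejected connection does not lower the count
    if { [info exists counted] && $counted && [info exists ::active_clients($client_ip)] } {
        incr ::active_clients($client_ip) -1
        if { $::active_clients($client_ip) <= 0 } {
            unset ::active_clients($client_ip)
        }
    }
}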
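The question also asks about limiting by source subnet, which the rule above does not cover. A variant keyed on the client's network address follows, as an added example that is not part of Shin's post; the /24 mask and the names `::subnet_mask`, `::max_per_subnet` and `::active_subnets` are assumptions.

```tcl
when RULE_INIT {
    # Assumed settings: group clients by /24 and allow 5 connections each
    set ::subnet_mask 255.255.255.0
    set ::max_per_subnet 5
    # Network address -> number of currently open connections
    array set ::active_subnets { }
}
when CLIENT_ACCEPTED {
    # Mask the client address so every host in the subnet shares one key,
    # e.g. 10.1.2.7 and 10.1.2.200 both map to 10.1.2.0
    set subnet [IP::addr [IP::remote_addr] mask $::subnet_mask]
    # counted records whether this connection was added to the count
    set counted 0
    if { ![info exists ::active_subnets($subnet)] } {
        set ::active_subnets($subnet) 0
    }
    # The subnet is already at its limit: refuse the new connection
    if { $::active_subnets($subnet) >= $::max_per_subnet } {
        reject
        return
    }
    incr ::active_subnets($subnet)
    set counted 1
}
when CLIENT_CLOSED {
    # Skip connections that were rejected and therefore never counted
    if { [info exists counted] && $counted && [info exists ::active_subnets($subnet)] } {
        incr ::active_subnets($subnet) -1
        # Drop idle subnets so the array does not grow without bound
        if { $::active_subnets($subnet) <= 0 } {
            unset ::active_subnets($subnet)
        }
    }
}
```

A subnet-wide limit is shared by every client behind that network, so the mask and limit should be sized with NAT gateways and proxies in mind.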
Ahhh, the power of iRules!
-Joe
[Listening to: Notes...- Prima Donna - Original Soundtrack - The Phantom Of The Opera (1986 Original London Cast) (10:55)]
Published Aug 10, 2005