iRule::ology; Connection Limiting Take 2
Welcome to the series in which we tear apart an iRule line by line to see what’s really going on. What is iRule::ology, you ask?
i·Rule·ol·o·gy
–noun, plural -gies.
1.The derivatio...
Published Jan 25, 2011
Version 1.0Colin_Walker_12
Historic F5 Account
Joined May 12, 2005
Colin_Walker_12
Historic F5 Account
Joined May 12, 2005
Paul_Szabo_9016
Feb 09, 2011Historic F5 Account
This iRule will fail for very low connection limits because there's a race between two or more TMMs for these three statements:
table set -subtable $tbl $key "ignored" 180
if { [table keys -subtable $tbl -count] > 1000 }
table delete -subtable $tbl $key
If the table is at 999 and three TMMs simulatanously try to insert the subtable entry before querying the subtable size all three connections will be rejected. Correct behavior would be that 2 out of the 3 would be rejected. If you have 32 TMMs (e.g. a fully loaded Viprion) the potential error starts to get larger.
Obviously for a limit of 1000 the iRule is mostly correct, but for a limit of 10 it is likely not.
This is a classic "dining philosopher's problem", and it can be solved by using a random collision avoidance mechanism (iRule to follow in later post), or by F5 implementing an "insert only if count is less than some value" command. (also known as the "let the waiter decide" solution).
BTW you can also write the command so that it unecessary to disable the CLIENT_CLOSED event. I think it's cleaner code to have cleanup code in only one place.