iRule::ology; Connection Limiting Take 2

Welcome to the series in which we tear apart an iRule line by line to see what’s really going on.  What is iRule::ology, you ask?     i·Rule·ol·o·gy      –noun, plural -gies. 1.The derivatio...
Published Jan 25, 2011
Version 1.0
dev
news
tech tip
Paul_Szabo_9016's avatar
Paul_Szabo_9016
Historic F5 Account
Feb 09, 2011
Here's the snippet of an iRule that shows a random backoff-and-retry if the limit is exceeded by some amount. This allows low limits to work pretty accurately (might be off by 1 occasionally)

 

 

set limit $static::cmcc_limit

 

set max_backlog $static::cmcc_backlog

 

set accept_it 0

 

 

Save the subtable name with the client IP address

 

set tbl "connlimit:[IP::client_addr]"

 

 

Use the client's source port as the subtable key

 

set key "[TCP::client_port]"

 

 

the client source port to the subtable with an 180 second timeout

 

table set -subtable $tbl $key "ignored" 180

 

 

Check if the client IP has more than X connections

 

set count [table keys -subtable $tbl -count]

 

if { $count <= $limit } {

 

set accept_it 1

 

log local0.alert "accept-1 count=$count"

 

} elseif { $count <= $limit + $max_backlog } {

 

we're close to the limit, randomly retry

 

set tmout [expr { int(rand()*20) + 1 }]

 

after $tmout

 

set count [table keys -subtable $tbl -count]

 

if { $count <= $limit } {

 

log local0.alert "accept-2 count=$count"

 

set accept_it 1

 

}

 

}