iRule::ology; Connection Limiting Take 2
Welcome to the series in which we tear apart an iRule line by line to see what’s really going on. What is iRule::ology, you ask?
i·Rule·ol·o·gy
–noun, plural -gies.
1.The derivatio...
Published Jan 25, 2011
Version 1.0
Colin_Walker_12
Historic F5 Account
Joined May 12, 2005
Paul_Szabo_9016 (Historic F5 Account), Feb 09, 2011
Here's the snippet of an iRule that shows a random backoff-and-retry if the limit is exceeded by some amount. This allows low limits to work pretty accurately (might be off by 1 occasionally).
    set limit $static::cmcc_limit
    set max_backlog $static::cmcc_backlog
    set accept_it 0
    # Save the subtable name with the client IP address
    set tbl "connlimit:[IP::client_addr]"
    # Use the client's source port as the subtable key
    set key "[TCP::client_port]"
    # Add the client source port to the subtable with a 180 second timeout
    table set -subtable $tbl $key "ignored" 180
    # Check if the client IP has more than X connections
    set count [table keys -subtable $tbl -count]
    if { $count <= $limit } {
        set accept_it 1
        log local0.alert "accept-1 count=$count"
    } elseif { $count <= $limit + $max_backlog } {
        # we're close to the limit, randomly retry
        set tmout [expr { int(rand()*20) + 1 }]
        after $tmout
        set count [table keys -subtable $tbl -count]
        if { $count <= $limit } {
            log local0.alert "accept-2 count=$count"
            set accept_it 1
        }
    }
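The snippet above stops at computing $accept_it and reads static variables that are set elsewhere. Below is one way to complete it into a full iRule, written here as an added example; it is not Paul's code, nor an F5-supplied rule. The values in RULE_INIT, the reject branch, the log text and the CLIENT_CLOSED cleanup are all assumptions about how the snippet would be finished; the accept/backoff logic is the snippet's own.

```tcl
when RULE_INIT {
    # Hypothetical values for the static variables the snippet reads.
    set static::cmcc_limit 5      ;# concurrent connections allowed per client IP
    set static::cmcc_backlog 3    ;# how far over the limit we still retry instead of rejecting
    set static::cmcc_tmout 180    ;# entry lifetime in seconds, a safety net if CLIENT_CLOSED never runs
}

when CLIENT_ACCEPTED {
    set limit $static::cmcc_limit
    set max_backlog $static::cmcc_backlog
    set accept_it 0

    # One subtable per client IP; every live connection from that IP is one key in it.
    set tbl "connlimit:[IP::client_addr]"
    # The client's source port is unique among that client's concurrent
    # connections to this virtual server, so it serves as the per-connection key.
    set key [TCP::client_port]

    # Register this connection first, then count. Counting includes ourselves,
    # so a count of exactly $limit means this connection is the last one allowed.
    table set -subtable $tbl $key "ignored" $static::cmcc_tmout
    set count [table keys -subtable $tbl -count]

    if { $count <= $limit } {
        set accept_it 1
    } elseif { $count <= $limit + $max_backlog } {
        # Just over the limit: sleep 1-20 ms and recount, so connections that
        # raced past the limit at the same instant are not all rejected when
        # some of them close or get rejected in the meantime.
        set tmout [expr { int(rand() * 20) + 1 }]
        after $tmout
        set count [table keys -subtable $tbl -count]
        if { $count <= $limit } {
            set accept_it 1
        }
    }

    if { !$accept_it } {
        # Remove our own entry before rejecting; otherwise the rejected attempt
        # would still count against the client until the entry ages out.
        table delete -subtable $tbl $key
        log local0. "connlimit: rejecting [IP::client_addr]:$key count=$count limit=$limit"
        reject
    }
}

when CLIENT_CLOSED {
    # Free the slot as soon as the connection ends. Without this the count only
    # drops when entries expire, so "limit" would really mean "connections
    # opened in the last $static::cmcc_tmout seconds", not concurrent connections.
    # $tbl and $key persist from CLIENT_ACCEPTED for the life of the connection.
    table delete -subtable $tbl $key
}
```

Two things worth knowing when tuning this. The key is the client's source port, so if a client reuses a port while the old entry is still in the subtable, the `table set` simply refreshes that entry instead of adding one; the CLIENT_CLOSED delete keeps that window short, and the 180 second timeout only matters for connections that never reach CLIENT_CLOSED. And the backoff is a point-in-time recount, not a queue: with a backlog of 3 and a limit of 5, the ninth and later simultaneous connections are rejected immediately, while the sixth through eighth get exactly one second chance after a 1-20 ms sleep.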