Forum Discussion

cdis_249710
Apr 12, 2016

Using data group for limiting the concurrent client connections from different subnets

Hi All,

We have recently deployed F5 in our environment. We are running version 11.5.3.

We are trying to set up a rule to limit the concurrent connections from a source IP to a particular value. After testing various snippets, the one that worked best for us was (https://devcentral.f5.com/tech-tips/articles/iruleology-connection-limiting-take-2):

    when CLIENT_ACCEPTED {
        set tbl "connlimit:[IP::client_addr]"
        set key "[TCP::client_port]"
        table set -subtable $tbl $key "ignored" 180
        if { [table keys -subtable $tbl -count] > 46 } {
            table delete -subtable $tbl $key
            event CLIENT_CLOSED disable
            reject
        } else {
            # here the timer value is in ms ; 60000 ms (60 sec)
            set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        }
    }
    # (the CLIENT_CLOSED handler that cancels $timer and deletes the key is omitted here;
    # see the second snippet below)

However, when I start about 60 parallel concurrent connections it allows about 42 (or so), slightly less than the set value. But then if I try to make the connections again (while the previous connections are active) it does eventually limit me to 46 (total). This is probably expected behavior, and we will see some percentage of error?

My concern is to limit the connections per subnet/host. As I was browsing through, a data group can help me achieve that.

So, I created an address data group "connlimit_dg" with address records in the GUI:

    Address Records:
    192.0.0.0/255.0.0.0 := 22
    10.0.0.0/255.0.0.0 := 22

I see only one, or sometimes no, connection allowed to my test host (everything else is refused). I suspect I am not referring to the data group correctly.

See the snippet:

    when CLIENT_ACCEPTED {
        # Max connections per client IP
        set limit [class match [IP::client_addr] equals "connlimit_dg"]
        # Set a subtable name with a standard prefix and the client IP
        set tbl "connlimit:[IP::client_addr]"
        # Use a key of the client IP:port
        set key "[IP::client_addr][TCP::client_port]"
        table set -subtable $tbl $key "ignored" 180
        if { [table keys -subtable $tbl -count] > $limit } {
            table delete -subtable $tbl $key
            event CLIENT_CLOSED disable
            reject
        } else {
            # here the timer value is in ms ; 60000 ms (60 sec)
            set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        }
    }
    when CLIENT_CLOSED {
        after cancel $timer
        table delete -subtable $tbl $key
    }

Thanks!

Regards,
Renuka

3 Replies

  • Looks like I was missing "-value". This seems to be working, but it is not very accurate in terms of parallel connections.

        # Limit each client IP address to 20 concurrent connections
        when CLIENT_ACCEPTED {
            # Max connections per client IP
            set limit [class match -value [IP::client_addr] equals connlimit_dg]
            # Set a subtable name with a standard prefix and the client IP
            set tbl "connlimit:[IP::client_addr]"
            # Use a key of the client IP:port
            set key "[IP::client_addr][TCP::client_port]"
            table set -subtable $tbl $key "ignored" 180
            if { [table keys -subtable $tbl -count] > $limit } {
                table delete -subtable $tbl $key
                event CLIENT_CLOSED disable
                reject
            } else {
                # here the timer value is in ms ; 60000 ms (60 sec)
                set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
            }
        }
        when CLIENT_CLOSED {
            after cancel $timer
            table delete -subtable $tbl $key
        }
  • I think if you added a log statement after each set statement it would help determine where the issue lies. Log each [IP::client_addr] output and, more importantly, can you also run a table output dump or log the table output just before the `event CLIENT_CLOSED disable` / `reject`?
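To make the symptom in the question and the fix in the first reply concrete, here is an added Python model of the iRule's logic; it is not F5 code and not from this thread. `class_match` mimics `class match` with and without `-value` (without it the command returns only 1 or 0, so `$limit` becomes 1), and `ConnLimiter` mimics the per-subtable counting. The `per_subnet` switch is my own extension that keys the subtable by the matched record rather than by host; data group records, IPs and ports are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the question's "connlimit_dg" (two /8 records := 22).
CONNLIMIT_DG = {
    ipaddress.ip_network("192.0.0.0/8"): 22,
    ipaddress.ip_network("10.0.0.0/8"): 22,
}

def match_record(addr, dg):
    """Most specific data-group record containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [net for net in dg if ip in net]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def class_match(addr, dg, value=False):
    """Model of `class match [-value] $addr equals dg`: the record's value
    with -value, otherwise only 1 (hit) or 0 (miss)."""
    net = match_record(addr, dg)
    if net is None:
        return "" if value else 0
    return dg[net] if value else 1

class ConnLimiter:
    def __init__(self, dg, use_value=True, per_subnet=False):
        self.dg, self.use_value, self.per_subnet = dg, use_value, per_subnet
        self.tables = defaultdict(set)  # subtable name -> live connection keys

    def _subtable(self, client_ip):
        # Question keys by client IP (cap per host); per_subnet is my extension.
        if self.per_subnet:
            return f"connlimit:{match_record(client_ip, self.dg)}"
        return f"connlimit:{client_ip}"

    def client_accepted(self, client_ip, client_port):
        limit = int(class_match(client_ip, self.dg, self.use_value) or 0)
        tbl, key = self._subtable(client_ip), f"{client_ip}:{client_port}"
        self.tables[tbl].add(key)          # table set -subtable $tbl $key ...
        if len(self.tables[tbl]) > limit:  # [table keys -subtable $tbl -count] > $limit
            self.tables[tbl].discard(key)  # table delete ... ; reject
            return "reject"
        return "accept"

    def client_closed(self, client_ip, client_port):
        self.tables[self._subtable(client_ip)].discard(f"{client_ip}:{client_port}")

def accepted(n, use_value=True, per_subnet=False, ips=("10.1.2.3",)):
    # Open n connections from each IP and return how many were accepted.
    lim = ConnLimiter(CONNLIMIT_DG, use_value, per_subnet)
    return sum(lim.client_accepted(ip, 40000 + i) == "accept"
               for i in range(n) for ip in ips)
```

With `use_value=False` the model accepts exactly one connection per host, which is the "only one allowed" behaviour the question describes; with `-value` it accepts 22 per host, and two hosts in the same /8 get 22 each unless `per_subnet` is set.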