subnet limit
1 TopicUsing data group for limiting the concurrent client connections from different subnets
Hi All, We have recently deployed F5 in our environment. We are running 11.5.3 version. We are trying to set up rule to limit the concurrent connections from a source IP to a particular value. After testing varios snippets, the best one worked for us was (https://devcentral.f5.com/tech-tips/articles/iruleology-connection-limiting-take-2): when CLIENT_ACCEPTED { set tbl "connlimit:[IP::client_addr]" set key "[TCP::client_port]" table set -subtable $tbl $key "ignored" 180 if { [table keys -subtable $tbl -count] > 46 } { table delete -subtable $tbl $key event CLIENT_CLOSED disable reject } else { here the timer value is in ms ; 60000 ms (60 sec) set timer [after 60000 -periodic { table lookup -subtable $tbl $key }] } } However, when I start like 60 parallel concurrent connections it allows like 42 (or something) slight less than the set value. But then if I again try to make the connections (when pref connections are active) it does eventually limits me to 46 (total). This is probably an expected behavior , and we will see some %age of error? My concern is to Limit the connections per subnets, hosts. As I was browsing through, data group can help me to achieve that. So, I created an address data group "connlimit_dg" with address records in the GUI: Address Records: 192.0.0.0/255.0.0.0 := 22 10.0.0.0/255.0.0.0 :=22 I see like '1' or sometimes none connection allowed to my test host (everything else is refused). I am suspecting I am not referring to the data group correctly. See the snippet: when CLIENT_ACCEPTED { Max connections per client IP set limit [class match [IP::client_addr] equals "connlimit_dg"] Set a subtable name with a standard prefix and the client IP set tbl "connlimit:[IP::client_addr]" Use a key of the client IP:port set key "[IP::client_addr][TCP::client_port]" table set -subtable $tbl $key "ignored" 180 if { [table keys -subtable $tbl -count] > $limit} { table delete -subtable $tbl $key event CLIENT_CLOSED disable reject } else { here the timer value is in ms ; 60000 ms (60 sec) set timer [after 60000 -periodic { table lookup -subtable $tbl $key }] } } when CLIENT_CLOSED { after cancel $timer table delete -subtable $tbl $key } Thanks! Regards Renuka457Views0likes3Comments