Forum Discussion
Kevin_Davies_40
Jun 14, 2014 Nacreous
Try this and let me know how it performs for you...
when CLIENT_ACCEPTED {
    # this will give you 20 connections per second per source IP address
    set cid [clock clicks]
    set conns 20
    set rate 1
    # allocate an entry for this connection first (timeout indefinite, lifetime $rate seconds)
    table set -subtable [virtual]:[IP::client_addr] $cid 0 indef $rate
    # then back out and close if the allocation pushed us over the limit
    if {[table keys -subtable [virtual]:[IP::client_addr] -count] > $conns} {
        table delete -subtable [virtual]:[IP::client_addr] $cid
        TCP::close
    }
}
In a BIG-IP there will be many other instances of this iRule (one per TCP connection) running at the same time. When we get to the if condition, they could all say they are under the connection limit, because they perform the test at the same moment in time.
To allow for this, we allocate the connection entry (table set), then back out (table delete) if we are over the limit (table keys -count). Since the table is always the source of truth, we never exceed the rate limit.
- Kevin_Davies_40 (Jun 14, 2014, Nacreous): One second is the lowest resolution of the table expiry timer. You may want to up this a little, so if it's 20 connections per second, you may get better results with 200 per 10 seconds.
- Kevin_Davies_40 (Jun 16, 2014, Nacreous): If any of the above posts have provided a solution to your issue, please indicate so by clicking the tick to the left of them. This gives feedback and recognition to the volunteers who responded to your issue.
- Bruce_Bronczyk (Jun 17, 2014, Altostratus): Thanks for the suggestion. I am not very experienced with editing iRules, so does your suggested change insert into the iRule at a specific spot, or does it replace some of the existing iRule below the 'when CLIENT_ACCEPTED' point? Thanks.
- Kevin_Davies_40 (Jun 17, 2014, Nacreous): It replaces the entire rate limiting iRule with what I have posted above.