Forum Discussion
Kevin_Davies_40
Nacreous
Try this and let me know how it performs for you...
when CLIENT_ACCEPTED {
    # this will give you 20 connections per second per source IP address
    set cid [clock clicks]
    set conns 20
    set rate 1
    # reserve an entry for this connection: key $cid, value 0, no idle timeout, lifetime $rate seconds
    table set -subtable [virtual]:[IP::client_addr] $cid 0 indef $rate
    # back out and close the connection if the reservation pushed us over the limit
    if {[table keys -subtable [virtual]:[IP::client_addr] -count] > $conns} {
        table delete -subtable [virtual]:[IP::client_addr] $cid
        TCP::close
    }
}
In a BIGIP there will be many other instances of this iRule (one per TCP connection) running at the same time. When we get to the IF condition they could all say they are under the connection limit because they perform the test at the same moment in time.
To allow for this, we allocate the connection entry (table set), then backout (table delete) if we are over the limit (table keys -count). Since the table is always the source of truth, we never exceed the rate limit.
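The race described in the post and the reserve-then-backout fix can be made concrete with a small simulation. The following is an added example, not the poster's code and not F5 code; it models the BIG-IP session table as a dict of subtables with per-entry lifetimes, writes each CLIENT_ACCEPTED handler as a generator so that several handlers can be interleaved step by step, and compares a naive check-then-insert limiter with the iRule's insert-then-count-then-backout order. The subtable name, client address and connection ids are constructed values.

```python
"""Simulation of the iRule's per-source connection limiter.

Constructed example, not F5 code and not runnable on a BIG-IP. The session
table is a dict of subtables whose entries carry a lifetime; each handler is
a generator whose single `yield` is the point where other connections'
handlers get to run, reproducing the "all test at the same moment" race.
"""
from collections import defaultdict
import itertools

_CID = itertools.count()  # stands in for [clock clicks]: unique per connection
SUBTABLE = "/Common/vs_http:192.0.2.10"  # [virtual]:[IP::client_addr], constructed


class SessionTable:
    """Stand-in for the `table` command: set / keys -count / delete + lifetimes."""

    def __init__(self):
        self.now = 0.0
        self.sub = defaultdict(dict)  # subtable name -> {key: expires_at}

    def tick(self, seconds):
        """Advance the clock and drop entries whose lifetime has passed."""
        self.now += seconds
        for name, entries in list(self.sub.items()):
            self.sub[name] = {k: t for k, t in entries.items() if t > self.now}

    def set(self, subtable, key, lifetime):
        """`table set -subtable $sub $key 0 indef $lifetime`"""
        self.sub[subtable][key] = self.now + lifetime

    def count(self, subtable):
        """`table keys -subtable $sub -count`"""
        return len(self.sub[subtable])

    def delete(self, subtable, key):
        """`table delete -subtable $sub $key`"""
        self.sub[subtable].pop(key, None)


def check_then_act(table, sub, cid, conns, rate):
    """Naive limiter: read the count first, then insert (time-of-check/time-of-use)."""
    under_limit = table.count(sub) < conns
    yield
    if not under_limit:
        return "rejected"
    table.set(sub, cid, rate)
    return "accepted"


def reserve_then_backout(table, sub, cid, conns, rate):
    """The iRule's order: insert first, count, and back out if over the limit."""
    table.set(sub, cid, rate)
    yield
    if table.count(sub) > conns:
        table.delete(sub, cid)
        return "rejected"
    return "accepted"


def _finish(gen):
    """Run a handler generator to completion and return its result string."""
    try:
        while True:
            next(gen)
    except StopIteration as done:
        return done.value


def drive(handlers, concurrent):
    """Concurrent: every handler takes its first step before any finishes
    (simultaneous arrival). Serial: each handler runs to completion in turn."""
    if concurrent:
        for h in handlers:
            next(h)
    return [_finish(h) for h in handlers]


def simulate(strategy, burst, conns=20, rate=1, concurrent=True, table=None):
    """Return (connections accepted, entries left in the subtable)."""
    table = table if table is not None else SessionTable()
    handlers = [strategy(table, SUBTABLE, next(_CID), conns, rate) for _ in range(burst)]
    results = drive(handlers, concurrent)
    return results.count("accepted"), table.count(SUBTABLE)


def expiry_demo(conns=20, rate=1):
    """Fill the bucket, wait one lifetime, and show a new connection is accepted."""
    table = SessionTable()
    first, _ = simulate(reserve_then_backout, conns + 5, conns, rate, False, table)
    table.tick(rate)  # entries were set with lifetime $rate, so they expire here
    second, _ = simulate(reserve_then_backout, 1, conns, rate, False, table)
    return first, second


if __name__ == "__main__":
    for name, strat in (("check-then-act", check_then_act),
                        ("reserve-then-backout", reserve_then_backout)):
        print(f"{name:22} burst of 25 at once -> (accepted, in table) = {simulate(strat, 25)}")
    print("accepted before / after lifetime expiry:", expiry_demo())
```

With 25 connections arriving at once, the check-then-act version admits all 25 because every handler read a count of zero before any of them inserted; the reserve-then-backout version leaves exactly 20 entries, because each backout lowers the count the later handlers see, so the table never exceeds the limit. In serial arrival both orders give 20, which is why the race only shows up under concurrent load.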
Kevin_Davies_40
Jun 14, 2014
Nacreous
One second is the lowest resolution of the table expiry timer. You may want to up this a little, so if it's 20 connections per second, you may get better results with 200 per 10 seconds.