Forum Discussion
Kevin_Davies_40
Nacreous
Try this and let me know how it performs for you...
when CLIENT_ACCEPTED {
    # This will give you 20 connections per second per source IP address.
    set cid [clock clicks]
    set conns 20
    set rate 1
    # Allocate this connection's entry first; the entry expires after $rate seconds.
    table set -subtable [virtual]:[IP::client_addr] $cid 0 indef $rate
    # Then count; if we are over the limit, back out the entry and drop the connection.
    if {[table keys -subtable [virtual]:[IP::client_addr] -count] > $conns} {
        table delete -subtable [virtual]:[IP::client_addr] $cid
        TCP::close
    }
}
In a BIGIP there will be many other instances of this iRule (one per TCP connection) running at the same time. When we get to the IF condition they could all say they are under the connection limit because they perform the test at the same moment in time.
To allow for this, we allocate the connection entry (table set), then back out (table delete) if we are over the limit (table keys -count). Since the table is always the source of truth, we never exceed the rate limit.
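The allocate-then-back-out ordering described above, as an added Python simulation (not code from the thread or from F5): the `Table` class, the client IP 192.0.2.10 and the lock-step scheduler are constructed stand-ins for the BIG-IP table and for iRule instances that all reach the check at the same moment. It shows the naive check-then-set order admitting more than the limit while the post's set-then-check order never does.

```python
from collections import defaultdict

class Table:
    """Constructed stand-in for the iRule `table` command: one subtable per
    client IP, each entry expiring at the time it was given when set."""
    def __init__(self):
        self.sub = defaultdict(dict)
    def set(self, subtable, key, expires_at):
        self.sub[subtable][key] = expires_at
    def delete(self, subtable, key):
        self.sub[subtable].pop(key, None)
    def count(self, subtable, now):
        # Expired entries fall out of the subtable before they are counted.
        self.sub[subtable] = {k: t for k, t in self.sub[subtable].items() if t > now}
        return len(self.sub[subtable])

def check_then_set(table, client, cid, now, conns, rate):
    """Naive ordering: test the count, then allocate. Returns (steps, admitted)."""
    state = {}
    def step1(): state["ok"] = table.count(client, now) < conns
    def step2():
        if state["ok"]: table.set(client, cid, now + rate)
    return [step1, step2], lambda: state["ok"]

def set_then_check(table, client, cid, now, conns, rate):
    """The post's ordering: allocate, count, back out if over the limit."""
    state = {}
    def step1(): table.set(client, cid, now + rate)
    def step2():
        state["ok"] = table.count(client, now) <= conns
        if not state["ok"]: table.delete(client, cid)
    return [step1, step2], lambda: state["ok"]

def simultaneous_accepts(strategy, n_workers, conns=20, rate=1.0, now=0.0):
    """Run n_workers CLIENT_ACCEPTED handlers for one constructed client IP in
    lock-step (every worker finishes step i before anyone starts step i+1),
    the worst case the post describes, and return how many were admitted."""
    table = Table()
    workers = [strategy(table, "192.0.2.10", cid, now, conns, rate) for cid in range(n_workers)]
    for i in range(2):
        for steps, _ in workers:
            steps[i]()
    return sum(1 for _, admitted in workers if admitted())

if __name__ == "__main__":
    print("check-then-set admitted", simultaneous_accepts(check_then_set, 25))  # 25, over the limit
    print("set-then-check admitted", simultaneous_accepts(set_then_check, 25))  # 20, limit held
```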
Bruce_Bronczyk
Jun 17, 2014
Altostratus
Thanks for the suggestion. I am not very experienced with editing iRules, so does your suggested change insert into the iRule at a specific spot or does it replace some of the existing iRule below the 'when CLIENT_ACCEPTED' point? Thanks.