Ryan_34424 (Altostratus)
Jan 18, 2018
LTM :: iRule to Limit Source Addresses
So... here's a weird one. And I understand it's not optimal...
...but say there is a crisis and management sends down the proclamation: "Only allow X sources at a time access to the server pool until the admins can fix XYZ on the systems involved". So we rush to figure out a way to do so... and come up with the below.
Other than blasting the table full of addresses (such as a resource exhaustion DDoS against the F5), are there any other caveats that I might not be thinking about here?
when CLIENT_ACCEPTED {
    # High-speed logging handle for the syslog pool, opened once per TCP connection
    set hsl [HSL::open -proto UDP -pool syslog-servers.pool]
}

when HTTP_REQUEST {
    set source_ip [IP::client_addr]
    set ip_limit 2000

    # Reset line for testing only. It has to stay commented out: run on every
    # request it would wipe the subtable, so the limit could never be reached.
    # table delete -subtable conns -all

    if { [table lookup -notouch -subtable conns $source_ip] != 1 } {
        # Source IP doesn't exist in table, add to table (value 1, 900 s timeout)
        table add -subtable conns $source_ip 1 900
    } else {
        # Source IP is in the table, actively involved, renew the timer
        # (a lookup without -notouch resets the entry's timeout)
        table lookup -subtable conns $source_ip
    }

    if { [table keys -subtable conns -count] <= $ip_limit } {
        # The current IP count is within the allotment, allow pool access.
        # $pool_name is set by earlier logic in the iRule that is not shown in the post.
        pool $pool_name
    } else {
        # The IP count has been reached. Do not provide pool access.
        HSL::send $hsl ":: Source IP limit ($ip_limit) hit for pool, redirecting to maintenance page."
        call maintenance_page.irule::display_page
    }
}
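One caveat that is easy to miss in the iRule above is the ordering: the address is added to the subtable first and the count is compared to the limit afterwards, so an unknown source is written to the table even when it is going to be sent to the maintenance page, and once the count is over the limit the `<=` test fails for every request, including those from addresses that were already admitted. The following is an added example, not code from the original post or from F5: it models the BIG-IP `table` semantics the iRule relies on (subtable keys with a timeout that a plain `table lookup` renews and `table add` only inserting absent keys) in Python, then replays a constructed request stream against the posted ordering and against a check-then-add ordering. The address ranges, timings and the `SubTable`, `posted_ordering`, `check_then_add` and `simulate` names are all assumptions made for the example.

```python
"""Offline model of the session-table admission logic from the iRule above.

Added example, not part of the original post or F5's own code.  It mimics
the `table` behaviour the iRule depends on so the two orderings can be
compared without a BIG-IP: the posted ordering (add/renew, then count)
versus check-then-add.  All addresses and timings are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

IP_LIMIT = 2000   # ip_limit in the iRule
TIMEOUT = 900     # seconds, as in `table add -subtable conns $source_ip 1 900`


@dataclass
class SubTable:
    """Stand-in for `table -subtable conns`: key -> absolute expiry time."""
    timeout: int
    expiry: dict = field(default_factory=dict)

    def _expire(self, now):
        for key in [k for k, t in self.expiry.items() if t <= now]:
            del self.expiry[key]

    def lookup(self, key, now, touch=True):
        """`table lookup`: value (1) if present, '' if absent.
        Without -notouch (touch=True) the entry's timer is renewed."""
        self._expire(now)
        if key not in self.expiry:
            return ""
        if touch:
            self.expiry[key] = now + self.timeout
        return 1

    def add(self, key, now):
        """`table add`: inserts only when the key is absent."""
        self._expire(now)
        self.expiry.setdefault(key, now + self.timeout)

    def count(self, now):
        """`table keys -subtable conns -count`."""
        self._expire(now)
        return len(self.expiry)


def posted_ordering(tbl, src, now):
    """Logic as posted: add or renew first, then compare the count to the limit.
    Returns True for pool access, False for the maintenance page."""
    if tbl.lookup(src, now, touch=False) != 1:
        tbl.add(src, now)
    else:
        tbl.lookup(src, now)            # renew the timer
    return tbl.count(now) <= IP_LIMIT


def check_then_add(tbl, src, now):
    """Check-then-add ordering: a known address is always served (and renewed);
    an unknown one is admitted, and stored, only while the table is below the limit."""
    if tbl.lookup(src, now, touch=False) == 1:
        tbl.lookup(src, now)
        return True
    if tbl.count(now) < IP_LIMIT:
        tbl.add(src, now)
        return True
    return False


def simulate(policy, n_attack=2500):
    """Replay a constructed stream: ten legitimate users at t=0, a burst of
    n_attack distinct addresses at t=1, then the legitimate users again at
    t=500, well inside the 900 s timeout of every entry."""
    tbl = SubTable(TIMEOUT)
    legit = [f"10.0.0.{i}" for i in range(1, 11)]
    base = int(ipaddress.IPv4Address("100.64.0.0"))
    attackers = [str(ipaddress.IPv4Address(base + i)) for i in range(n_attack)]

    assert all(policy(tbl, ip, 0) for ip in legit)       # table is empty, all admitted
    admitted = sum(policy(tbl, ip, 1) for ip in attackers)
    size_after_burst = tbl.count(1)
    legit_served_later = all(policy(tbl, ip, 500) for ip in legit)
    return {
        "attackers_admitted": admitted,
        "table_size": size_after_burst,
        "legit_served_later": legit_served_later,
    }


if __name__ == "__main__":
    for name, policy in (("posted ordering", posted_ordering),
                         ("check-then-add", check_then_add)):
        print(f"{name:16s} {simulate(policy)}")
```

With the posted ordering the burst leaves 2,510 entries in the table (the 510 rejected addresses are stored anyway, which is the exhaustion angle the post already mentions) and, because the count now exceeds the limit, the ten legitimate users are sent to the maintenance page on their next request even though their entries are still live. With check-then-add the table never exceeds `IP_LIMIT` and already-admitted addresses keep their access until their own timer lapses. Either way the limit is per distinct source address, so users behind one NAT share a single slot, and the table is per TMM device, which the model does not capture.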