Forum Discussion

hirox_127495
Historic F5 Account
Aug 02, 2010

How do I drop packet from iRules?

Hello,

I created the following iRule to enforce a connections/second limit. This iRule is supposed to drop client requests when LTM gets more than 5 connections per second. But the actual behavior of 10.2 in my verification was to send a RST back to the client.

How do I modify this iRule to work as I expected?

---------------------------------------

when CLIENT_ACCEPTED {
    set reqno [table incr "reqs"]
    table set -subtable "reqrate" $reqno "ignored" indefinite 1
    set ConRate [table keys -count -subtable "reqrate"]
    if { $ConRate > 5 } {
        drop
        event disable
        return
    }
}

---------------------------------------

Thanks!

 

3 Replies

  • Have you looked at the following code share?

    http://devcentral.f5.com/wiki/default.aspx/iRules/LimitConnectionsFromClient.html

    I hope this helps

    Bhattman
  • hirox_127495
    Historic F5 Account
    Thank you for the information, but I just want to know the behavior of the "drop" command.

    In my understanding, when an iRule fires the "reject" command, LTM sends a RST to the peer, but firing the "drop" command does nothing.

    However, I am seeing LTM send a RST to the peer even though I use the "drop" command. Do I need to open a support case?

  • I'd have expected drop to either drop the current packet or to remove the connection table entry. I'd guess that drop called in CLIENT_ACCEPTED would remove the connection table entry. Maybe if it's used in a DATA event (like CLIENT_DATA or SERVER_DATA) it would just drop the current packet. If the connection table entry is removed and the client sends another packet, LTM should reset it as it's not associated with an existing connection.

    You could open a case with F5 to confirm or correct these assumptions. If you do, could you reply back with what you find out?

    Thanks, Aaron
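
Added example, not part of the thread and not F5 code: a Python model of the counting logic in the iRule from the question, showing which connections it would refuse. It says nothing about whether LTM answers a refused connection silently or with a RST. The names `ReqRateTable` and `replay`, the client addresses, and the assumption that a subtable entry disappears exactly when its 1-second lifetime ends are all constructed for illustration.

```python
# Model of the question's iRule table logic. Times are in milliseconds.
LIMIT = 5           # from the iRule: if { $ConRate > 5 }
LIFETIME_MS = 1000  # from the iRule: table set ... indefinite 1  (lifetime 1 s)


class ReqRateTable:
    """Stands in for the "reqs" counter and the "reqrate" subtable."""

    def __init__(self):
        self.reqno = 0      # table incr "reqs"
        self.entries = {}   # reqno -> expiry time in ms

    def client_accepted(self, now_ms):
        """Return True if the connection passes, False if the rule would drop it."""
        # Assumption: an entry is gone once its lifetime has elapsed.
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now_ms}
        self.reqno += 1
        # The entry is stored BEFORE the check, so refused connections
        # still count toward the rate seen by later connections.
        self.entries[self.reqno] = now_ms + LIFETIME_MS
        con_rate = len(self.entries)  # table keys -count -subtable "reqrate"
        return con_rate <= LIMIT


def replay(arrivals):
    """arrivals: iterable of (time_ms, client) tuples. Returns (time_ms, client, allowed)."""
    table = ReqRateTable()
    # The client address is carried along for reporting only: the iRule's
    # subtable is not keyed by client, so the limit is shared by everyone.
    return [(t, c, table.client_accepted(t)) for t, c in sorted(arrivals)]


# Constructed sample traffic: one client opens 8 connections in 0.7 s,
# a second client connects once during the burst and once after it.
SAMPLE = [(i * 100, "10.0.0.1") for i in range(8)] + [
    (750, "10.0.0.2"),
    (2000, "10.0.0.2"),
]

if __name__ == "__main__":
    for t, client, allowed in replay(SAMPLE):
        print(f"{t:>5} ms  {client:<9}  {'pass' if allowed else 'drop'}")
```

Two properties of the rule show up in the output: the second client's connection at 750 ms is refused because of the first client's burst, and under a steady 10 connections/second only the first five ever pass, because refused attempts keep the window full.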