Forum Discussion

bmohanak_276891
Sep 22, 2016

rate limit based on source IP

Dear Folks,

I need to find out how to do some "rate limit" based on source IP address for an LDAP VIP. The issue here at stake is that sometimes the same source IP opens up multiple connections to the LDAP VIP, which is causing high CPU on one or more of the pool members.

At any given time, the number of connections from the same source should not exceed this limit.

My questions are:
1. Is there a way to track the connections based on source IP for a period of one week?
2. How can I implement this concept of rate limit based on source IP?

Thanks for the help,
Balaji

 

1 Reply

  • Hi Bmohanak,

    The built-in rate and connection limit capabilities are either per Virtual Server or per Pool Member. So you have to write and deploy an iRule to enforce a connection limit per client IP.

    You may use the iRule below as a starting point. It will create a [table]-based counter for each individual Client_IP and create a periodic [log] message if a client has reached its counter. Once you've figured out your desired connection limits, you could enforce the limits by setting the $static::connection_limit_enforment variable to 1.

    when RULE_INIT {
        # Maximum number of concurrent connections allowed per client IP
        set static::connection_limit_value 10
        # Safety-net expiry (seconds) for entries whose CLIENT_CLOSED never runs
        set static::connection_limit_timeout 86400
        # Log at most one "limit reached" message per client per interval (seconds)
        set static::connection_limit_logging_interval 60
        # 0 = log only (monitor mode), 1 = reject connections over the limit
        set static::connection_limit_enforment 0
    }
    when CLIENT_ACCEPTED {
        # To remove any existing table entries uncomment the line below...
        # table delete -subtable "Conn_[IP::client_addr]" -all

        # Count the live connection entries for this client IP
        if { [set conn_count [table keys -subtable "Conn_[IP::client_addr]" -count]] >= $static::connection_limit_value } then {
            # Log once per logging interval; -notouch leaves the entry's timeout unchanged
            if { [table lookup -notouch "ConnLog_[IP::client_addr]"] eq "" } then {
                log local0.debug "Client: [IP::client_addr] has reached the connection limit of $conn_count"
                table set "ConnLog_[IP::client_addr]" 1 indef $static::connection_limit_logging_interval
            }
            if { $static::connection_limit_enforment } then {
                # Drop the connection; no further events (including CLIENT_CLOSED) run for it
                event disable all
                reject
                return
            }
        }
        # One table entry per live connection, keyed by a per-connection id
        table set -subtable "Conn_[IP::client_addr]" [set conn_id [clock clicks]] 1 indef $static::connection_limit_timeout
    }
    when CLIENT_CLOSED {
        # Free this connection's slot when it closes
        table delete -subtable "Conn_[IP::client_addr]" $conn_id
    }


    Cheers, Kai
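The following is an added example, not code from the original post or from F5: a Python model of the per-client connection limiter in Kai's iRule, so that a threshold can be tried against a constructed connection log before enforcement is switched on. The SessionTable class imitates only the BIG-IP table behaviour the iRule relies on (entries that expire a fixed time after they were set, a count of keys in a subtable, and a lookup that does not refresh the timeout); that imitation is an assumption about those semantics, not the real implementation. The event log, client addresses and connection ids are constructed for the example.

```python
# Added example (not F5 code): model of the per-client-IP connection limiter
# from the iRule above, with the BIG-IP table semantics it depends on
# approximated by SessionTable (an assumption, not the real table).
from collections import defaultdict

CONNECTION_LIMIT = 10          # static::connection_limit_value
CONNECTION_TIMEOUT = 86400     # static::connection_limit_timeout (seconds)
LOG_INTERVAL = 60              # static::connection_limit_logging_interval
ENFORCE = True                 # static::connection_limit_enforment


class SessionTable:
    """Minimal model of the iRule `table` command: entries keyed by
    (subtable, key) that expire `timeout` seconds after they were set."""

    def __init__(self):
        self._entries = {}     # (subtable, key) -> [value, expires_at]

    def _expire(self, now):
        for k in [k for k, (_, exp) in self._entries.items() if exp <= now]:
            del self._entries[k]

    def set(self, key, value, timeout, now, subtable=None):
        # `table set key value indef timeout`
        self._entries[(subtable, key)] = [value, now + timeout]

    def lookup_notouch(self, key, now, subtable=None):
        # `table lookup -notouch key`: read without refreshing the timeout
        self._expire(now)
        entry = self._entries.get((subtable, key))
        return "" if entry is None else entry[0]

    def count(self, subtable, now):
        # `table keys -subtable X -count`
        self._expire(now)
        return sum(1 for (sub, _) in self._entries if sub == subtable)

    def delete(self, key, subtable=None):
        # `table delete -subtable X key`; deleting a missing key is harmless
        self._entries.pop((subtable, key), None)


class ConnectionLimiter:
    def __init__(self, enforce=ENFORCE):
        self.table = SessionTable()
        self.enforce = enforce
        self.log = []          # messages the iRule would send to local0.debug

    def client_accepted(self, ip, conn_id, now):
        """CLIENT_ACCEPTED: returns 'accept' or 'reject'."""
        subtable = f"Conn_{ip}"
        conn_count = self.table.count(subtable, now)
        if conn_count >= CONNECTION_LIMIT:
            # log at most once per LOG_INTERVAL per client
            if self.table.lookup_notouch(f"ConnLog_{ip}", now) == "":
                self.log.append(f"Client: {ip} has reached the connection limit of {conn_count}")
                self.table.set(f"ConnLog_{ip}", 1, LOG_INTERVAL, now)
            if self.enforce:
                # `event disable all; reject`: CLIENT_CLOSED never runs for
                # this connection, so no entry is inserted or later deleted
                return "reject"
        # one entry per live connection; the timeout is a safety net for
        # connections whose CLIENT_CLOSED never fires
        self.table.set(conn_id, 1, CONNECTION_TIMEOUT, now, subtable=subtable)
        return "accept"

    def client_closed(self, ip, conn_id):
        self.table.delete(conn_id, subtable=f"Conn_{ip}")


def replay(events, enforce=ENFORCE):
    """Replay constructed (time, 'open'|'close', ip, conn_id) events and
    return (rejects per ip, log lines)."""
    limiter = ConnectionLimiter(enforce=enforce)
    rejects = defaultdict(int)
    for now, kind, ip, conn_id in sorted(events):
        if kind == "open":
            if limiter.client_accepted(ip, conn_id, now) == "reject":
                rejects[ip] += 1
        else:
            limiter.client_closed(ip, conn_id)
    return dict(rejects), limiter.log


# Constructed sample: one client opens 12 connections in 12 seconds without
# closing any, a second client opens 3; after the first client closes two
# connections it can open two more before hitting the limit again.
SAMPLE_EVENTS = (
    [(t, "open", "10.0.0.5", f"c{t}") for t in range(12)]
    + [(t, "open", "10.0.0.6", f"d{t}") for t in range(3)]
    + [(20, "close", "10.0.0.5", "c0"), (21, "close", "10.0.0.5", "c1")]
    + [(30, "open", "10.0.0.5", "c30"), (31, "open", "10.0.0.5", "c31"),
       (32, "open", "10.0.0.5", "c32")]
)

if __name__ == "__main__":
    rejects, log = replay(SAMPLE_EVENTS)
    print(rejects, log, sep="\n")
```

Two points the model makes visible. First, the iRule limits concurrent connections per client, not connections per week: a weekly count would need a single per-IP counter with a 604800-second timeout rather than one entry per live connection. Second, the iRule keys each entry with [clock clicks], so two connections from the same client arriving within the same clock tick could share a key and be counted once; the model uses an explicit per-connection id instead.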