Limit users to 50 MB

bandwidth limits are possible: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-3-0/8.html

but i expect you are looking for a fixed ammount of data per period right? that doesn't appear to be easily possible right now, i can imagine the start of an irule, but have my doubts about traffic counting.

can collecting number of bytes in table per user/ip address be useful?

IP::stats wiki

sol9077: Overview of BIG-IP traffic flow

v10.1 - The table Command - The Basics by Spark

this is just a simple IP::stats usage.

e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.111:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 2
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
  set host [HTTP::host]
  set uri [HTTP::uri]
}
when HTTP_RESPONSE {
  log local0. "client: [IP::client_addr]:[TCP::client_port] vs: [clientside {IP::local_addr}]:[clientside { TCP::local_port}] host: $host uri: $uri bytes in: [IP::stats bytes in] "
}
}

[root@ve11a:Active:Changes Pending] config  tail -f /var/log/ltm
Sep  9 16:50:15 ve11a info tmm1[16464]: Rule /Common/myrule : client: 192.168.206.33:50601 vs: 172.28.20.111:80 host: 172.28.20.111 uri: / bytes in: 519
Sep  9 16:50:15 ve11a info tmm[16464]: Rule /Common/myrule : client: 192.168.206.33:50602 vs: 172.28.20.111:80 host: 172.28.20.111 uri: /f5.gif bytes in: 4452

Hi Hussein,

I think this would be difficult to implement in an efficient way on BIG-IP as you would need to track every client IP and the bits out. If there was a small number of client IP addresses, doing this for a short period of time might not use a lot of memory. However, if you had a lot of client IPs or were tracking them for a long time, I think it would use too much RAM.

And I'm not sure there's a simple way to track the bits out from an iRule per connection.

Aaron

Hi All,

What about the below iRule with rate limiting rule.

rule testrule { when SERVER_CONNECTED { TCP::collect }

when SERVER_DATA { set srvAge [IP::stats age] set srvBytes [IP::stats bytes in] if {$srvAge > 86400000 } { if {$srvBytes > 52428800 } { rateclass droptest TCP::release log local0. "Bandwidth Hog: [IP::client_addr] server bytes $srvBytes" return } } TCP::release TCP::collect } }

rate class droptest { rate 0Mbps ceiling 0Mbps drop policy tail type sfq }

Update for the Rate Class

rate class droptest { rate 296bps ceiling 296bps drop policy tail type sfq }

What about the below iRule with rate limiting rule.

i thought you want to enforce it per ip address which may be spanned more than one tcp connection.

I see a few potential issues with that approach:

You'd be buffering every response payload which will use more memory and add latency to every connection.

You'd be enforcing a per-TCP connection bandwidth limit--not per client IP over a time span of days, weeks or months.

If you did want to implement this, I'd suggest storing the client IP address and bytes in (thanks Nitass for the correction :)) in table entries. But again, this could use a lot of memory if you're tracking a lot of client IP addresses.

https://devcentral.f5.com/wiki/iRules.table.ashx

Aaron

... dupe

yes i want to enforce it on client IP address.

Hi All, I am able to count all the bytes out & in for any user using tables as advised:) How can i drop the session if more that 50MB used by bytes out from the server? thankssss