Hussein_Ghazy
Sep 09, 2013 Nimbostratus
Limit users to 50 MB
Hi All,
I would like to limit users (per IP address) to only download from the VS 50MB (per day, per week, or per month), more than this will be dropped.
Regards
bandwidth limits are possible: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-3-0/8.html
but I expect you are looking for a fixed amount of data per period, right? that doesn't appear to be easily possible right now. I can imagine the start of an iRule, but have my doubts about traffic counting.
can collecting number of bytes in table per user/ip address be useful?
IP::stats wiki
https://devcentral.f5.com/wiki/irules.IP__stats.ashx
sol9077: Overview of BIG-IP traffic flow
http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9077.html
v10.1 - The table Command - The Basics by Spark
https://devcentral.f5.com/articles/v101-the-table-command-the-basics
this is just a simple IP::stats usage.
e.g.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.111:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 2
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
        set host [HTTP::host]
        set uri [HTTP::uri]
    }
    when HTTP_RESPONSE {
        log local0. "client: [IP::client_addr]:[TCP::client_port] vs: [clientside {IP::local_addr}]:[clientside { TCP::local_port}] host: $host uri: $uri bytes in: [IP::stats bytes in] "
    }
}
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Sep 9 16:50:15 ve11a info tmm1[16464]: Rule /Common/myrule : client: 192.168.206.33:50601 vs: 172.28.20.111:80 host: 172.28.20.111 uri: / bytes in: 519
Sep 9 16:50:15 ve11a info tmm[16464]: Rule /Common/myrule : client: 192.168.206.33:50602 vs: 172.28.20.111:80 host: 172.28.20.111 uri: /f5.gif bytes in: 4452
Hi Hussein,
I think this would be difficult to implement in an efficient way on BIG-IP as you would need to track every client IP and the bits out. If there was a small number of client IP addresses, doing this for a short period of time might not use a lot of memory. However, if you had a lot of client IPs or were tracking them for a long time, I think it would use too much RAM.
And I'm not sure there's a simple way to track the bits out from an iRule per connection.
Aaron
Hi All,
What about the below iRule with rate limiting rule.
rule testrule {
    when SERVER_CONNECTED {
        TCP::collect
    }
    when SERVER_DATA {
        set srvAge [IP::stats age]
        set srvBytes [IP::stats bytes in]
        if {$srvAge > 86400000 } {
            if {$srvBytes > 52428800 } {
                rateclass droptest
                TCP::release
                log local0. "Bandwidth Hog: [IP::client_addr] server bytes $srvBytes"
                return
            }
        }
        TCP::release
        TCP::collect
    }
}
rate class droptest {
    rate 0Mbps
    ceiling 0Mbps
    drop policy tail
    type sfq
}
Update for the Rate Class
rate class droptest {
    rate 296bps
    ceiling 296bps
    drop policy tail
    type sfq
}
What about the below iRule with rate limiting rule.
I thought you want to enforce it per IP address, which may span more than one TCP connection.
I see a few potential issues with that approach:
You'd be buffering every response payload which will use more memory and add latency to every connection.
You'd be enforcing a per-TCP connection bandwidth limit--not per client IP over a time span of days, weeks or months.
If you did want to implement this, I'd suggest storing the client IP address and bytes in (thanks Nitass for the correction :)) in table entries. But again, this could use a lot of memory if you're tracking a lot of client IP addresses.
https://devcentral.f5.com/wiki/iRules.table.ashx
Aaron
Yes, I want to enforce it on the client IP address.
Hi All, I am able to count all the bytes out & in for any user using tables as advised :) How can I drop the session if more than 50MB is used by bytes out from the server? thankssss
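One way to enforce the limit asked about above with the table approach suggested earlier in the thread, shown as an added example that is not code from any participant or from F5. The subtable name `byte_quota`, the 24-hour window and the variable names are assumptions, and the virtual server is assumed to carry an HTTP profile as in the `bar` example.

```tcl
when RULE_INIT {
    # Assumed policy: 50 MB per client IP per 24-hour window.
    set static::quota_bytes  52428800
    set static::quota_window 86400
    # Hypothetical subtable name; one counter entry per client IP.
    set static::quota_tbl    "byte_quota"
}

when CLIENT_ACCEPTED {
    set quota_ip [IP::client_addr]
    # -notouch: reading the counter must not refresh the entry.
    set used [table lookup -notouch -subtable $static::quota_tbl $quota_ip]
    if { $used ne "" && $used >= $static::quota_bytes } {
        log local0. "quota: reject $quota_ip, $used bytes already served"
        reject
    }
}

when HTTP_REQUEST {
    # Re-check per request so a keep-alive connection is cut off at the next
    # request once stored bytes plus this connection's bytes pass the limit.
    set used [table lookup -notouch -subtable $static::quota_tbl $quota_ip]
    if { $used eq "" } { set used 0 }
    if { $used + [IP::stats bytes out] >= $static::quota_bytes } {
        log local0. "quota: reject $quota_ip mid-connection"
        reject
    }
}

when CLIENT_CLOSED {
    # Assumption: in this client-side event "bytes out" is what was sent to
    # the client on this connection. Log it first to confirm on your version.
    set sent [IP::stats bytes out]
    # table add only creates the entry if it is absent: no idle timeout,
    # fixed lifetime, so the counter expires one window after it was created.
    table add -subtable $static::quota_tbl $quota_ip 0 indefinite $static::quota_window
    table incr -notouch -subtable $static::quota_tbl $quota_ip $sent
    # Limits: bytes are committed only at close, so parallel connections and
    # one very large response can overshoot; memory grows with distinct IPs.
}
```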