Forum Discussion

Klaus_Gerthein1 (Nimbostratus)
Mar 01, 2006

Limit the packets per Second for a session

Hello,

I am new to iRules and need some tips.

I used the iRule "Limit Connections From Client" from the iRule Wiki and added the CLIENT_DATA part to this rule. Will this iRule limit the connections per source IP address and the packets per second per source IP address?

With this rule I want to limit DNS queries and connections from clients to our DNS caches.

toenspook


when RULE_INIT {
    # max number of concurrent connections per source IP address
    set ::maxcon 10
    # max number of packets per second per flow
    set ::maxpackets 10
    array set ::active_clients { }
}

This part is from the iRule Wiki "Limit Connections From Client"

when CLIENT_ACCEPTED {
    set client_ip [IP::remote_addr]
    # Remember whether this connection was counted, so that CLIENT_CLOSED
    # does not decrement the counter for a connection that was rejected here.
    set counted 0
    if { [info exists ::active_clients($client_ip)] } {
        # >= rather than >: with > the client would get maxcon + 1 connections
        if { $::active_clients($client_ip) >= $::maxcon } {
            reject
            return
        } else {
            incr ::active_clients($client_ip)
            set counted 1
        }
    } else {
        set ::active_clients($client_ip) 1
        set counted 1
    }
}

I have added this part

when CLIENT_DATA {
    # If 'IP stats pkts in / IP stats age' is larger than maxpackets, reject the packet.
    # The first datagram arrives with an age of 0, so guard the division.
    if { [IP::stats age] > 0 && ([IP::stats pkts in] / [IP::stats age]) > $::maxpackets } {
        reject
        return
    }
}

This part is from the iRule Wiki "Limit Connections From Client"

when CLIENT_CLOSED {
    if { $counted && [info exists ::active_clients($client_ip)] } {
        incr ::active_clients($client_ip) -1
        if { $::active_clients($client_ip) <= 0 } {
            unset ::active_clients($client_ip)
        }
    }
}


 

2 Replies

  • Colin_Walker_12 (Historic F5 Account)
    That's a neat way of going about the math, using variables that are already there. I think this will probably get you close to what you're looking for. I would suggest taking a look at the rateclass features available on BIG-IP, though, as they are more robust when it comes to rate limiting, and can be dynamically selected via an iRule if necessary.

    -Colin
  • Hi Colin,

    thanks for your hint and sorry for my late response.

    I modified the CLIENT_DATA part, because IP::stats age is in milliseconds.

    when CLIENT_DATA {
        # when the session is older than one second
        if { [IP::stats age] > 1000 } {
            # milliseconds to seconds (integer division)
            set age_sec [expr {[IP::stats age] / 1000}]
            # get the packets per second, averaged over the life of the flow
            set packets [expr {[IP::stats pkts in] / $age_sec}]
            log local0. "Packets per second $packets, packets [IP::stats pkts in], age [IP::stats age] ms"
            if { $packets > $::maxpackets } {
                log local0. "Client $client_ip rejected with $packets packets per second"
                reject
                return
            }
        }
    }

    I tested the iRule on a BIG-IP 5100 and version 9.1.0.

    The rule seems to work. I have tested it with one client and one server. I don't know what will happen if thousands of clients and connections penetrate the load balancer.

    The rate classes in an iRule will be the best way to limit the bandwidth in a production environment.

    The only feature I miss in version 9.x is the ability to limit the concurrent connections per client/source IP address in a rate class or as a feature of a virtual server, without using an iRule. This feature would be very helpful when a service is under heavy load. It is possible to limit the connections for a virtual, but then one or more bad clients are able to use up all of these connections.

    Best regards

    Klaus
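
The two CLIENT_DATA checks in this thread (the first post's version, which divides by the age in milliseconds, and the follow-up, which divides by the age in whole seconds) both compute an average over the entire life of the flow. The following Python model is an added example, not code from the thread or from F5: it replays one constructed packet timeline (a client that sends one DNS datagram per second for a minute and then 600 datagrams inside 100 ms) through both of those checks and through a token bucket with the same nominal rate, the kind of limiter a rate class applies. The model assumes that IP::stats pkts in includes the current datagram, that IP::stats age is the time in milliseconds since the flow's first datagram, and that reject ends the flow, so that what counts for an attacker is how many datagrams get through before the first rejection.

```python
"""Compare per-flow packet-rate checks on one constructed packet timeline.

Added example (Python model), not code from the thread. The thread's iRule
rejects a datagram in CLIENT_DATA once IP::stats pkts in divided by the
flow's age exceeds ::maxpackets. The first post divides by the age in
milliseconds, the follow-up by the age in whole seconds once the flow is
older than one second. Both are modelled here, next to a token bucket with
the same nominal rate, to show how each behaves when a quiet client bursts.
"""

MAXPACKETS = 10  # packets per second, the thread's ::maxpackets value


def ms_average_limiter(timestamps_ms, maxpackets=MAXPACKETS):
    """First version from the thread: pkts_in / age, with age in milliseconds.

    Integer division of a packet count by an age in milliseconds only exceeds
    10 at more than 10 packets per millisecond (10,000 pps), so this version
    almost never rejects. The original Tcl has no guard for age == 0 and would
    raise a divide-by-zero error on the first datagram; the guard here only
    keeps the model running (assumption: age counts from the first datagram).
    """
    decisions, pkts_in = [], 0
    for ts in timestamps_ms:
        pkts_in += 1  # IP::stats pkts in is assumed to include this datagram
        age_ms = ts
        accept = age_ms == 0 or pkts_in // age_ms <= maxpackets
        decisions.append((ts, accept))
    return decisions


def lifetime_average_limiter(timestamps_ms, maxpackets=MAXPACKETS):
    """Follow-up version: checked only once the flow is older than 1 s, with
    the age converted to whole seconds by integer division, as the Tcl expr
    does. The rate is an average over the flow's whole lifetime, so a client
    that was quiet for a long time has banked a large allowance."""
    decisions, pkts_in = [], 0
    for ts in timestamps_ms:
        pkts_in += 1
        accept = True
        if ts > 1000:
            age_sec = ts // 1000
            accept = pkts_in // age_sec <= maxpackets
        decisions.append((ts, accept))
    return decisions


def token_bucket_limiter(timestamps_ms, rate=MAXPACKETS, burst=MAXPACKETS):
    """Token bucket at `rate` packets/s with a bucket of `burst` packets.

    Tokens are kept in thousandths so the arithmetic stays integer and
    deterministic: `rate` tokens per second is `rate` milli-tokens per
    millisecond. A quiet client never accumulates more than `burst` credit.
    """
    decisions = []
    tokens, last_ts = burst * 1000, 0
    for ts in timestamps_ms:
        tokens = min(burst * 1000, tokens + (ts - last_ts) * rate)
        last_ts = ts
        if tokens >= 1000:
            tokens -= 1000
            decisions.append((ts, True))
        else:
            decisions.append((ts, False))
    return decisions


def burst_after_idle_timeline():
    """Constructed sample: one datagram per second for 60 s, then 600
    datagrams inside 100 ms starting at t = 60 s (6 per millisecond)."""
    steady = [i * 1000 for i in range(60)]
    burst = [60_000 + i // 6 for i in range(600)]
    return steady + burst


def packets_before_first_reject(decisions):
    """How many datagrams get through before the limiter acts at all. In the
    iRule, reject tears the flow down, so this is what a burst achieves."""
    for n, (_ts, accepted) in enumerate(decisions):
        if not accepted:
            return n
    return len(decisions)


if __name__ == "__main__":
    timeline = burst_after_idle_timeline()
    for name, fn in (("ms average", ms_average_limiter),
                     ("lifetime average", lifetime_average_limiter),
                     ("token bucket", token_bucket_limiter)):
        d = fn(timeline)
        print(f"{name:17} accepted {sum(ok for _, ok in d):3d} of {len(d)}, "
              f"first reject after {packets_before_first_reject(d)} datagrams")
```

On this timeline the millisecond version never rejects, the whole-seconds version lets 599 of the 600 burst datagrams through before its first reject (60 quiet seconds at 1 pps have banked 600 packets of allowance against a 10 pps limit), and the token bucket lets exactly 10 through. That gap is the reason Colin points at rate classes: a lifetime average bounds the mean, not the burst.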