In some cases there is a need to rate limit clients based on the number of connections they open over a period of time. Out of the box, F5 BIG-IP lets you cap concurrent connections on a virtual server, which is a useful option, but it does not always provide the functionality the business requires.
This can be solved with an iRule applied to the virtual server (VIP) that should be rate limited over time. The iRule uses the table command to store information about connections in the BIG-IP's memory: every client IP gets its own subtable, each accepted connection adds one entry to it with a lifetime of windowSecs, and the number of live entries is the number of connections seen from that IP during the window. Because entries expire individually, the window slides rather than resetting at a fixed boundary. Note that the rule logs every accepted connection; on a busy virtual server that logging volume should be reduced before the rule is used in production.
Note: if you are running an HA pair, the table state is local to the device and is not moved across to the new active device on failover. The existing entries remain on the now-standby unit until they expire, and the number of connections per client IP starts from 0 on the newly active unit.
iRule variable usage
windowSecs – lifetime in seconds of each connection entry in the table; this is the period over which connections from a source IP are counted
maxRate – maximum number of connections allowed per client IP address within the period specified by “windowSecs”
Rate limit iRule code
when RULE_INIT {
    # maximum number of connections a single client IP may open within the window
    set static::maxRate 100
    # length of the window in seconds; each connection entry lives this long (86400 = 24 hours)
    set static::windowSecs 86400
}

when CLIENT_ACCEPTED {
    # set variables: one subtable per client IP, one entry per accepted connection
    set clientip_limitervar [IP::client_addr]
    set get_count [table keys -subtable $clientip_limitervar -count]

    # main condition: below the limit, record this connection; otherwise drop it
    if { $get_count < $static::maxRate } {
        incr get_count 1
        # The key must be unique per connection. If the running count were used as the
        # key, a new entry would overwrite an entry that is still alive as soon as older
        # entries start expiring, and the client would be under-counted. [clock clicks]
        # is a high-resolution counter and is unique enough for this purpose.
        table set -subtable $clientip_limitervar [clock clicks] $clientip_limitervar indefinite $static::windowSecs
        log local0. "Throttling iRule connection from $clientip_limitervar increased to $get_count (max allowed $static::maxRate)."
    } else {
        log local0. "Throttling iRule client $clientip_limitervar has exceeded the number of connections allowed."
        # drop discards the connection silently; use reject instead to send a TCP RST
        drop
        return
    }
}
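The same table-based sliding window can be applied per HTTP request rather than per TCP connection, which is often what an application team actually asks for. The iRule below is an added example and is not part of the original page: it counts requests per client IP in the HTTP_REQUEST event, answers with HTTP 429 and a Retry-After header instead of silently dropping the connection, and logs only when a client first crosses the limit rather than on every request. The names maxReqs, windowSecs and the subtable prefix, and the limit values, are assumptions chosen for this example.

```tcl
when RULE_INIT {
    # maximum requests a single client IP may send within the window (assumed values)
    set static::maxReqs 300
    set static::windowSecs 60
    # prefix keeps this rule's subtables apart from other rules that key on the client IP
    set static::subtablePrefix "reqlimit:"
}

when HTTP_REQUEST {
    set client_ip [IP::client_addr]
    set subtable "$static::subtablePrefix$client_ip"
    # marker entries live in a separate subtable so they are not counted as requests
    set flagtable "$subtable:flags"

    # number of live entries = requests seen from this IP in the last windowSecs seconds
    set req_count [table keys -subtable $subtable -count]

    if { $req_count >= $static::maxReqs } {
        # log once per window per client: the marker is set only when throttling starts
        if { [table lookup -subtable $flagtable "throttled"] eq "" } {
            table set -subtable $flagtable "throttled" 1 indefinite $static::windowSecs
            log local0. "Rate limit: client $client_ip exceeded $static::maxReqs requests in $static::windowSecs seconds"
        }
        # tell the client when to retry instead of dropping the connection
        HTTP::respond 429 content "Too Many Requests" "Retry-After" $static::windowSecs "Content-Type" "text/plain" "Connection" "close"
        return
    }

    # record this request under a key that is unique per request, so a live entry is
    # never overwritten; the entry expires on its own after windowSecs seconds
    table set -subtable $subtable "[clock clicks]:[TCP::client_port]" 1 indefinite $static::windowSecs
}
```

Attach this rule to an HTTP virtual server with an HTTP profile. The memory cost is one table entry per request per TMM for the length of the window, so keep windowSecs short for high request rates, and remember that the table is still local to the device: after a failover the counts start from zero on the new active unit, exactly as for the connection-based rule above.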