ltm rule command table
iRule(1) BIG-IP TMSH Manual iRule(1)
table
Provides enhanced access to the session table.
SYNOPSIS
table set (((-mustexist | -excl) -notouch (-subtable TABLE_NAME))#
('--')?)? KEY VALUE (('indefinite' | POSITIVE_INTEGER)
('indefinite' | POSITIVE_INTEGER)?)?
table add ((-notouch (-subtable TABLE_NAME))# ('--')?)? KEY VALUE
(('indefinite' | POSITIVE_INTEGER) ('indefinite' |
POSITIVE_INTEGER)?)?
table replace ((-notouch (-subtable TABLE_NAME))# ('--')?)? KEY
VALUE (('indefinite' | POSITIVE_INTEGER) ('indefinite' |
POSITIVE_INTEGER)?)?
table lookup ((-notouch (-subtable TABLE_NAME))# ('--')?)? KEY
table incr ((-notouch (-subtable TABLE_NAME) -mustexist)#
('--')?)? KEY (INTEGER)?
table append ((-notouch (-subtable TABLE_NAME) -mustexist)#
('--')?)? KEY VALUE
table delete ((-all -subtable TABLE_NAME) | (-subtable TABLE_NAME
-all) | ((-subtable TABLE_NAME)? ('--')? KEY))
table timeout (((-subtable TABLE_NAME) -remaining)# ('--')?)? KEY
('indefinite' | POSITIVE_INTEGER)?
table lifetime (((-subtable TABLE_NAME) -remaining)# ('--')?)? KEY
('indefinite' | POSITIVE_INTEGER)?
table keys ((-subtable TABLE_NAME (-notouch | -count)?) | ((-notouch
| -count)? -subtable TABLE_NAME)) ('--')?
DESCRIPTION
The table command is a superset of the session command, with improved
syntax for general purpose use. Please see the table command article
series for detailed information on its use.
This command is not available to GTM.
If the table command is used on the standby system in an HA pair, the
command is a no-op, because the content of the standby unit's
session db should be updated only through mirroring.
Syntax
table set
* Sets a key/value pair in the session table or named subtable, with
the specified timeout and lifetime.
* Returns the entry's value after the set operation is complete.
* If no timeout is specified, a default of 180 seconds will be used.
* The timeout may be specified as "indefinite" or "indef", in which
case the key/value will not be expired based on access times.
* The timeout may be specified as 0, in which case an existing
timeout will not be changed. A timeout specified as 0 for a new
record will be set to the default of 180 seconds.
* If no lifetime is specified, the default of indefinite will be
used.
* The lifetime may be specified as "indefinite" or "indef", in which
case the key/value will not be expired based on lifetime.
* The lifetime may be specified as 0, in which case an existing
lifetime will not be changed. A lifetime specified as 0 for a new
record will be set to the default of indefinite.
* If -notouch is specified, any existing entry for the key will not
have its timestamp updated.
* If -mustexist is specified, and the key does not already exist, no
action will be taken, and an empty string will be returned. Cannot
be specified with -excl.
* If -excl is specified, and the key already exists, the key will not
be inserted, and the existing value will be returned. Cannot be
specified with -mustexist.
Should you use a subtable to store your session entries? The short
answer is to use a subtable only if you need to be able to count the
number of keys or retrieve the keys in one command. Manipulating
entries in subtables has higher overhead than manipulating an entry
that is not in a subtable, and each subtable itself also takes up
memory. All of the entries in a given subtable are on the same
processor, so if you put all of your entries (or the vast majority of
them) into the same subtable, one CPU will take a disproportionate
amount of memory and load, which you probably don't want.
table add
* Exactly the same as table set -excl
table replace
* Exactly the same as table set -mustexist
table lookup
* Looks up a value associated with the specified key, in the
specified table (if any).
* If -notouch is specified then any existing entry for the key will
not have its timestamp updated.
table incr
* Increments the value associated with the specified key, in the
specified subtable (if any). If no delta is specified, a default
value of 1 is used. If the key does not already exist, a default
value of 0 will be used, and the entry will have a timeout of 180
seconds.
* Returns the entry's value after the incr operation is complete.
* If -notouch is specified then any existing entry for the key will
not have its timestamp updated.
* If -mustexist is specified, and the key does not already exist,
then no action will be taken.
table append
* Appends to the value associated with the specified key, in the
specified subtable (if any). If the key does not already exist, a
starting value of an empty string will be used, and the entry will
have a timeout of 180 seconds.
* Returns the entry's value after the append operation is complete.
* If -notouch is specified then any existing entry for the key will
not have its timestamp updated.
* If -mustexist is specified, and the key does not already exist,
then no action will be taken.
table delete
* Deletes the key/value pair with specified key, in the specified
subtable (if any).
* If -all is specified in addition to a subtable name, all key/value
pairs in the subtable are deleted.
table timeout
* Returns, and optionally sets, the timeout of the specified key, in
the specified subtable (if any).
* If -remaining is specified, then the time remaining before timeout
will be returned instead. If the key does not already exist, an
empty string is returned.
* Returns -1 if no timeout or an indefinite timeout was set for the
specified key.
* Any existing entry for the key will not have its timestamp updated.
table lifetime
* Returns, and optionally sets, the lifetime of the specified key, in
the specified subtable (if any).
* If -remaining is specified, then the time remaining before
expiration will be returned instead. If the key does not already
exist, an empty string is returned.
* Returns -1 if no lifetime or an indefinite lifetime was set for the
specified key.
* Any existing entry for the key will not have its timestamp updated.
Note: By setting a lifetime on an entry, you can have it expire after a
certain period of time no matter how many changes or lookups are
performed on it. An entry can have a lifetime and a timeout at the same
time. It will expire (be removed from the table) whenever the timeout
OR the lifetime expires, whichever comes first. For more info see the
table article series: https://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2378
table keys
* Returns a list of the keys in the specified subtable.
* If -notouch is specified, then any existing entries will not have
their timestamps updated.
* If -count is specified, then a count of the keys in the specified
subtable is returned and entries will not have their timestamps
updated.
RETURN VALUE
VALID DURING
ANY_EVENT, except RULE_INIT
EXAMPLES
# Limit each client IP address to 20 concurrent connections
when CLIENT_ACCEPTED {
    # Check if the subtable already has 20 or more entries
    # (-count does not update the entries' timestamps)
    if { [table keys -subtable connlimit:[IP::client_addr] -count] >= 20 } {
        reject
    } else {
        # Add the client port as a key in the client IP-specific subtable.
        # The single number after the value is the timeout (180 seconds);
        # no lifetime is given, so the lifetime stays indefinite.
        table set -subtable connlimit:[IP::client_addr] [TCP::client_port] "" 180
    }
}
when CLIENT_CLOSED {
    # When the client connection is closed, remove the table entry
    table delete -subtable connlimit:[IP::client_addr] [TCP::client_port]
}

Blacklist IPs for 10 minutes if they make more than 100 DNS queries per second:
when RULE_INIT {
    set static::maxquery 100
    set static::holdtime 600
}
when CLIENT_DATA {
    set srcip [IP::remote_addr]
    # Drop immediately if the source is already blacklisted
    if { [table lookup -subtable "blacklist" $srcip] != "" } {
        drop
        return
    }
    # One counter per source IP per second; the lifetime of 2 seconds
    # removes the counter even though each incr touches the entry
    set curtime [clock seconds]
    set key "count:$srcip:$curtime"
    set count [table incr $key]
    table lifetime $key 2
    if { $count > $static::maxquery } {
        # Indefinite timeout, lifetime of holdtime seconds
        table add -subtable "blacklist" $srcip "blocked" indef $static::holdtime
        table delete $key
        drop
        return
    }
}
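
The following iRule is an added example, not part of the F5 manual. It applies the timeout/lifetime note above to a fixed-window limit on failed logins per client IP, using table add (set -excl) and table incr -mustexist. The /login path, the 401 failure status, the "loginfail:" key prefix and the static:: names are assumptions made for illustration.

```tcl
# Added example: lock out a client IP after 5 failed logins in 5 minutes.
when RULE_INIT {
    set static::login_max 5       ;# failures allowed per window (assumed)
    set static::login_window 300  ;# window length in seconds (assumed)
}
when HTTP_REQUEST {
    set is_login 0
    if { [HTTP::method] eq "POST" && [HTTP::path] eq "/login" } {
        set is_login 1
        # No subtable: keys do not need to be counted or listed, so a key
        # prefix avoids placing every entry on the same processor.
        set key "loginfail:[IP::client_addr]"
        # -notouch: reading the counter must not refresh its timestamp
        set fails [table lookup -notouch $key]
        if { $fails ne "" && $fails >= $static::login_max } {
            HTTP::respond 429 content "Too many failed logins" \
                "Retry-After" $static::login_window
            return
        }
    }
}
when HTTP_RESPONSE {
    if { $is_login && [HTTP::status] == 401 } {
        set key "loginfail:[IP::client_addr]"
        # table add creates the counter only if it is absent, with an
        # indefinite timeout and a lifetime of one window. An existing
        # counter is left alone, so its window is not restarted.
        table add $key 0 indef $static::login_window
        # incr updates the entry's timestamp, but the lifetime still
        # ends the window. -mustexist prevents incr from recreating an
        # expired counter with the default 180-second timeout and an
        # indefinite lifetime, which repeated failures would keep alive.
        table incr -mustexist $key
    }
}
```

If only a timeout were set on the counter, every further failed attempt would push the expiry out again; the lifetime is what makes the window end at a fixed time.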
HINTS
Session table entries are synched to the peer unit by default. This can
be controlled by a database key, StateMirror.MirrorSessions. Ensure the
Mirroring Address is configured under System >> High Availability >>
Network Mirroring, and that the peer unit is reachable. In versions
prior to 11.1, if the peer is not reachable, but session mirroring is
enabled, TMM will leak memory and may crash. For details see SOL12370.
SEE ALSO
https://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2378
CHANGE LOG
@BIGIP-10.1.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)