Reference

clear table

On this page

Remove one or more entries from a stick table.

Description Jump to heading

With no arguments, clear table removes all records from a stick table.

You can also select specific records to remove. Specify either the key of the record to remove or an expression that matches a record’s counters.

Examples Jump to heading

Consider this real-world example that uses a stick-table to track clients that exceed a rate limit and bans clients that exceed the limit three times:

haproxy
frontend fe_main
  bind :80
  # define stick table
  stick-table  type ip  size 100k  expire 24h  store http_req_rate(5s),gpc0,gpt0
  # begin tracking requests where the key in the table
  # is the client's source IP
  http-request track-sc0 src
  # has the client exceeded 20 requests in 5 seconds?
  acl exceeds_rate_limit sc_http_req_rate(0) gt 20
  # flag them if they exceeded the limit
  http-request sc-set-gpt0(0) 1 if exceeds_rate_limit
  # if they exceeded the limit 3 times, mark them as a known speeder
  acl known_speeder sc_get_gpc0(0) ge 3
  # deny all clients that exceed the limit or are known speeders
  http-request deny deny_status 429 if exceeds_rate_limit || known_speeder
  # count each time they exceed the limit if they were flagged
  acl issue_speeding_ticket sc_get_gpt0(0) eq 1
  http-request sc-inc-gpc0(0) if issue_speeding_ticket
  # reset the flag
  http-request sc-set-gpt0(0) 0
  default_backend be_servers
haproxy
frontend fe_main
  bind :80
  # define stick table
  stick-table  type ip  size 100k  expire 24h  store http_req_rate(5s),gpc0,gpt0
  # begin tracking requests where the key in the table
  # is the client's source IP
  http-request track-sc0 src
  # has the client exceeded 20 requests in 5 seconds?
  acl exceeds_rate_limit sc_http_req_rate(0) gt 20
  # flag them if they exceeded the limit
  http-request sc-set-gpt0(0) 1 if exceeds_rate_limit
  # if they exceeded the limit 3 times, mark them as a known speeder
  acl known_speeder sc_get_gpc0(0) ge 3
  # deny all clients that exceed the limit or are known speeders
  http-request deny deny_status 429 if exceeds_rate_limit || known_speeder
  # count each time they exceed the limit if they were flagged
  acl issue_speeding_ticket sc_get_gpt0(0) eq 1
  http-request sc-inc-gpc0(0) if issue_speeding_ticket
  # reset the flag
  http-request sc-set-gpt0(0) 0
  default_backend be_servers

First, use show table to lists records in the table fe_main:

nix
echo "show table fe_main" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "show table fe_main" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
output
text
# table: fe_main, type: ip, size:102400, used:1
0x5641b364f7e8: key=192.168.50.19 use=0 exp=86398242 gpt0=0 gpc0=3 http_req_rate(5000)=5
0x5641b364f7e8: key=192.168.50.24 use=0 exp=86398220 gpt0=0 gpc0=1 http_req_rate(5000)=5
0x5641b364f7e8: key=192.168.50.30 use=0 exp=86398250 gpt0=0 gpc0=1 http_req_rate(5000)=5 
output
text
# table: fe_main, type: ip, size:102400, used:1
0x5641b364f7e8: key=192.168.50.19 use=0 exp=86398242 gpt0=0 gpc0=3 http_req_rate(5000)=5
0x5641b364f7e8: key=192.168.50.24 use=0 exp=86398220 gpt0=0 gpc0=1 http_req_rate(5000)=5
0x5641b364f7e8: key=192.168.50.30 use=0 exp=86398250 gpt0=0 gpc0=1 http_req_rate(5000)=5

The key is the client’s IP address, and there are three counters tracked: gpt0, gpc0, and http_req_rate(5000).

Use clear table with no arguments to remove all records:

nix
echo "clear table fe_main" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "clear table fe_main" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999

Set the key parameter to remove only the record that has a key with the given value. Here, we remove the record with the key 192.168.50.19:

nix
echo "clear table fe_main key 192.168.50.19" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "clear table fe_main key 192.168.50.19" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999

You can also select records to remove using a filter expression. Prefix the counter you want to filter on with data. Here, we remove records that have a gpc0 counter set to 1:

nix
echo "clear table fe_main data.gpc0 eq 1" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "clear table fe_main data.gpc0 eq 1" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999

Use any of the following comparison operators:

  • eq : true if the counter equals the value
  • ge : true if the counter is greater than or equal to the value
  • gt : true if the counter is greater than the value
  • le : true if the counter is less than or equal to the value
  • lt : true if the counter is less than the value

See also Jump to heading

Do you have any suggestions on how we can improve the content of this page?

Previous page clear map Next page commit acl
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences