A patset (pattern set) is an array of indexed patterns that you configure on the Citrix® NetScaler® appliance. Pattern sets are used for string matching during default syntax policy evaluation. The NetScaler appliance provides a set of default syntax expression operators that compare a string in a packet with the patterns indexed and stored in a pattern set.

With patsets you can keep a set of IP addresses, or even subnets, in a table and use them for advanced features like rate limiting. Adding a named expression for client.ip.src (appending an empty string to it) effectively typecasts the address to a string, which allows it to be matched against a patset.

Here is an example of using patsets for rate-limiting as authored by Sandeep Kamath and Ratnesh Singh, two of the crown jewels of the NetScaler brain trust.

Rate limiting IP banks:

Rate limit a group of non-contiguous IP addresses, and even subnets, and bind the policies to a TCP bind point.

add policy patset nstar_ipaddr
add policy patset nstar_subnet
add policy patset nstar_sandeep_subnet

# create a bank with a set of IPs
bind policy patset nstar_ipaddr
bind policy patset nstar_ipaddr
bind policy patset nstar_ipaddr

# with subnet
bind policy patset nstar_subnet
bind policy patset nstar_sandeep_subnet

# subnet of 128
bind policy patset nstar_sandeep_subnet

# the 3 lines below convert the IP to a string
add policy expression ip_exp_nstar "client.ip.src + \"\""
add policy expression ip_exp_subnet_nstar "client.ip.src.subnet(24) + \"\""
add policy expression ip_exp_sandeep_subnet_nstar "client.ip.src.subnet(25) + \"\""

# rate limiting: selectors key the counters on the host, the /24 and the /25
add ns limitSelector nstar_ip_sel Client.ip.src
add ns limitSelector nstar_ip_sel_subnet "CLIENT.IP.SRC.SUBNET(24)"
add ns limitSelector nstar_ip_sandeep_sel_subnet "CLIENT.IP.SRC.SUBNET(25)"

add ns limitIdentifier nstar_id1 -threshold 2 -timeSlice 5000 -selectorName nstar_ip_sel
add ns limitIdentifier nstar_id2 -threshold 2 -timeSlice 5000 -selectorName nstar_ip_sel_subnet
add ns limitIdentifier nstar_id3 -threshold 2 -timeSlice 5000 -selectorName nstar_ip_sandeep_sel_subnet

# responder policies: drop or reset once the bank's limit is exceeded
add responder policy nstar_p1 "ip_exp_nstar.equals_any(\"nstar_ipaddr\") && SYS.CHECK_LIMIT(\"nstar_id1\")" DROP
add responder policy nstar_p2 "ip_exp_subnet_nstar.equals_any(\"nstar_subnet\") && SYS.CHECK_LIMIT(\"nstar_id2\")" RESET
# nstar_p3 uses the /25 expression so the string it compares is the /25 network address stored in nstar_sandeep_subnet
add responder policy nstar_p3 "ip_exp_sandeep_subnet_nstar.equals_any(\"nstar_sandeep_subnet\") && SYS.CHECK_LIMIT(\"nstar_id3\")" RESET

bind responder global nstar_p1 25 END -type OTHERTCP_REQ_DEFAULT
bind responder global nstar_p2 28 END -type OTHERTCP_REQ_DEFAULT
bind responder global nstar_p3 32 END -type OTHERTCP_REQ_DEFAULT
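As an added illustration (Python written for this page, not NetScaler code and not from the authors above), the following models how the configuration evaluates a connection: the typecast expressions, equals_any() against a bank, and the per-key counter behind SYS.CHECK_LIMIT with threshold 2 per 5000 ms time slice. The patset contents, client addresses and the fixed-window counting model are constructed assumptions, since the bind lines above do not show the real patterns and the appliance's exact counting algorithm is not described here.

```python
import ipaddress
from collections import defaultdict


def to_key(ip, prefix=None):
    """Model of the typecast expressions: client.ip.src + "" yields the address
    as a string; client.ip.src.subnet(n) + "" yields the /n network address."""
    if prefix is None:
        return str(ipaddress.ip_address(ip))
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


class LimitIdentifier:
    """Simplified model of a limitIdentifier (assumption, not the appliance's
    algorithm): allow `threshold` hits per selector key in each fixed
    `time_slice_ms` window; check_limit() is true once that is exceeded."""

    def __init__(self, threshold, time_slice_ms):
        self.threshold, self.time_slice_ms = threshold, time_slice_ms
        self.counts = defaultdict(int)  # (selector key, window index) -> hits

    def check_limit(self, key, now_ms):
        bucket = (key, now_ms // self.time_slice_ms)
        self.counts[bucket] += 1
        return self.counts[bucket] > self.threshold


# Constructed sample banks; the bind lines above omit the actual patterns.
PATSETS = {
    "nstar_ipaddr": {"198.51.100.7", "203.0.113.9"},  # individual hosts
    "nstar_subnet": {"192.0.2.0"},                     # a /24 bank
    "nstar_sandeep_subnet": {"203.0.113.128"},         # a /25 bank ("subnet of 128")
}
LIMITS = {n: LimitIdentifier(2, 5000) for n in ("nstar_id1", "nstar_id2", "nstar_id3")}

# Responder policies in priority order (25, 28, 32): expression, patset, limit, action.
POLICIES = [
    ("nstar_p1", lambda ip: to_key(ip), "nstar_ipaddr", "nstar_id1", "DROP"),
    ("nstar_p2", lambda ip: to_key(ip, 24), "nstar_subnet", "nstar_id2", "RESET"),
    ("nstar_p3", lambda ip: to_key(ip, 25), "nstar_sandeep_subnet", "nstar_id3", "RESET"),
]


def evaluate(client_ip, now_ms):
    """Return the action of the first policy whose equals_any() matches and whose
    limit is exceeded (END stops evaluation), or None if the connection passes.
    && short-circuits, so a counter only ticks when the client is in that bank."""
    for _name, key_fn, patset, ident, action in POLICIES:
        key = key_fn(client_ip)
        if key in PATSETS[patset] and LIMITS[ident].check_limit(key, now_ms):
            return action
    return None
```

Feeding a sequence of (client IP, timestamp) pairs through evaluate() shows which bank a client lands in and at which hit the DROP or RESET would trigger, which is a quick way to sanity-check a bank before binding the policies globally.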
