Don't forget that you don't really need a "do nothing" section of the rule at all. You can accomplish the same thing with negative logic.
when HTTP_REQUEST {
if { !([HTTP::header exists "X-Forwarded-For"])}{
HTTP::header insert "X-Forwarded-For" [IP::client_addr]
log local0. "[IP::client_addr]:[TCP::client_port]: Added XFF: [HTTP::header values "X-Forwarded-For"]"
}
}
Not that it matters a ton in this case, but in longer, more complex scenarios, this can save a fair amount of code. Also, the header replace option is a good one, that way you should only ever end up with one. This is only an option if you aren't trying to preserve a previous XFF header though, obviously.
Colin