If you want to do address comparisons using IP::addr, you'd need to parse each XFF IP address and check it individually. This could be a bit expensive in parsing time for every HTTP request. Also keep in mind that it would be trivial for an attacker to insert any XFF header value.
```tcl
when HTTP_REQUEST {
    # Track whether we've found a match yet
    set match 0
    # Check if there is at least one XFF header with a value
    if {[HTTP::header values "X-Forwarded-For"] ne ""} {
        log local0. "XFF: [HTTP::header values "X-Forwarded-For"]"
        # Join every XFF header occurrence (not just the first), remove spaces,
        # then split into a list on commas
        # Loop through each list item (an IP)
        foreach xff [split [string map [list " " ""] [join [HTTP::header values "X-Forwarded-For"] ","]] ","] {
            log local0. "Current XFF element: $xff"
            # Check if the current XFF IP is in the subnet we want to check
            if {[IP::addr $xff equals 10.0.0.0/8]} {
                # Track that we've found a match and exit the loop
                log local0. "Matched IP::addr check"
                set match 1
                break
            }
        }
    }
    # Block the request if there wasn't a 10.0.0.0/8 XFF IP in the list
    if {$match == 0} {
        HTTP::respond 200 content {Blocked!}
    }
}
```
Aaron
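The per-address parsing described above, as an added Python example (not Aaron's iRule and not an F5 API): it flattens every X-Forwarded-For header occurrence the same way the iRule does, validates each entry with the standard `ipaddress` module, and reports whether any entry falls in 10.0.0.0/8. Because a client can put anything it likes into XFF, it also shows the usual defensive variant of only trusting the rightmost entry, the one your own proxy appended; the header values are constructed samples.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

# Same subnet the iRule tests against.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_xff(header_values: Iterable[str]) -> List[str]:
    """Flatten every X-Forwarded-For header occurrence into one ordered list,
    mirroring the iRule: strip spaces, split on commas, drop empty elements."""
    entries: List[str] = []
    for value in header_values:
        entries.extend(item for item in value.replace(" ", "").split(",") if item)
    return entries


def to_ip(text: str) -> Optional[IPAddr]:
    """Parse one entry; None for anything that is not an IPv4/IPv6 literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def any_entry_in_net(header_values: Iterable[str], net=INTERNAL_NET) -> bool:
    """The iRule's logic: allow the request if ANY XFF entry is inside net."""
    return any(ip is not None and ip in net
               for ip in map(to_ip, parse_xff(header_values)))


def rightmost_entry_in_net(header_values: Iterable[str], net=INTERNAL_NET) -> bool:
    """Defensive variant: the client controls every entry it sends, so only the
    entry your own proxy appended last (the rightmost one) is worth trusting."""
    entries = parse_xff(header_values)
    if not entries:
        return False
    ip = to_ip(entries[-1])
    return ip is not None and ip in net


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    legit = ["203.0.113.5, 10.20.30.40"]    # internal proxy appended its own address
    spoofed = ["10.9.9.9", "203.0.113.7"]   # client injected a 10/8 value; proxy appended the real peer
    junk = ["not-an-ip, , 10.1.1.1"]        # garbage and empty elements are tolerated
    print(any_entry_in_net(legit), rightmost_entry_in_net(legit))      # True True
    print(any_entry_in_net(spoofed), rightmost_entry_in_net(spoofed))  # True False
    print(parse_xff(junk), any_entry_in_net(junk))                     # ['not-an-ip', '10.1.1.1'] True
```

The `spoofed` case is the point of the caveat: the any-entry check passes because the client supplied a 10/8 value, while the rightmost-entry check does not.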