Forum Discussion
Jun 19, 2008
Something like this...
when HTTP_REQUEST {
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set xff [HTTP::header "X-Forwarded-For"]
        # xff may be in format of addr1,addr2,addr3
        set addrs [split $xff ","]
        foreach addr $addrs {
            # proxies usually insert a space after each comma, so trim it
            set addr [string trim $addr]
            # "--" stops switch from treating a value starting with "-" as an option
            switch -- $addr {
                "10.10.10.10" -
                "10.10.10.20" -
                "10.10.10.30" {
                    reject
                }
            }
        }
    }
}
Now depending on how many addresses you want to reject or if you want to reject based on subnets, you may want to use data groups with matchclass in a single statement like this.
when HTTP_REQUEST {
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set xff [HTTP::header "X-Forwarded-For"]
        # xff may be in format of addr1,addr2,addr3
        set addrs [split $xff ","]
        foreach addr $addrs {
            # trim surrounding whitespace so "addr1, addr2" still matches the data group
            set addr [string trim $addr]
            if { [matchclass $::banned_addr_list equals $addr] } {
                reject
            }
        }
    }
}
There are many ways to approach this but hopefully this will get you going.
-Joe
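The header handling the two iRules above rely on (split on commas, trim each entry, check every hop against a list of banned hosts and subnets), written as an added Python example so it can be run and tested off the BIG-IP; it is not code from the post, and the denylist and header values are constructed for illustration.

```python
import ipaddress

# Constructed denylist standing in for the iRule's banned_addr_list data group:
# single hosts as /32 plus one whole subnet, which matchclass also supports.
BANNED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.10.10.10/32", "10.10.10.20/32", "10.10.10.30/32", "192.0.2.0/24")
]


def parse_xff(header_value):
    """Split an X-Forwarded-For value into a list of IP address objects.

    Entries are trimmed (proxies append as "a, b"), blanks are dropped and
    anything that is not a valid address is skipped instead of raising,
    because the header is untrusted input from whoever sent the request.
    """
    addrs = []
    for raw in header_value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            addrs.append(ipaddress.ip_address(entry))
        except ValueError:
            continue
    return addrs


def banned_match(header_value, networks=BANNED_NETWORKS):
    """Return the first listed address inside a banned network, or None.

    Mirrors the iRule's foreach loop: every hop in the header is checked,
    so a banned address anywhere in the chain is enough to reject.
    """
    for addr in parse_xff(header_value):
        for net in networks:
            if addr.version == net.version and addr in net:
                return str(addr)
    return None


def should_reject(header_value):
    """True when the request would hit the iRule's reject branch."""
    return banned_match(header_value) is not None
```

Because the header is written by whoever forwards the request, the check only means something when the value comes from a proxy you control; a client that reaches the BIG-IP directly can omit or alter it.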