We had some issues with the way X-Forwarded-For is currently implemented, and we think it needs to be reviewed. As already discussed offline, the expected behavior should be something like this:
1. When X-Forwarded-For contains strings (as opposed to numeric IPs), try to string-match them against the allowed values that were declared as strings.
2. When "unknown" is found as the header value, don't match the rule, a priori.
3. If no match has been found so far, and the user has declared any numeric IP/IPMask as allowed, try to resolve the header value as a DNS name on the fly and match it against the allowed IP/IPMasks.
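The matching order described above, written out as an added example (not the project's code): string entries in the allow list are matched literally, "unknown" never matches, and a hostname in the header is resolved only when the allow list also contains IP/IPMask entries. It assumes, beyond the text, that numeric header values are matched directly against the IP/IPMask entries and that every comma-separated hop in the header is checked; `fake_resolve` is a constructed stand-in for DNS so the block runs offline.

```python
import ipaddress
import socket

def parse_allowed(values):
    """Split the allow list into lowercase names and ip_network objects."""
    names, nets = [], []
    for v in values:
        try:
            nets.append(ipaddress.ip_network(v, strict=False))
        except ValueError:
            names.append(v.lower())
    return names, nets

def xff_matches(header, allowed, resolve=socket.gethostbyname):
    """Return True if any hop in the X-Forwarded-For value satisfies the rule."""
    names, nets = parse_allowed(allowed)
    for raw in header.split(","):
        value = raw.strip()
        if not value or value.lower() == "unknown":
            continue                      # rule 2: "unknown" never matches
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            addr = None                   # not numeric: treat as a string
        if addr is None:
            if value.lower() in names:    # rule 1: literal string match
                return True
            if not nets:                  # rule 3 applies only with IP/IPMask entries
                continue
            try:
                addr = ipaddress.ip_address(resolve(value))   # on-the-fly DNS
            except (OSError, ValueError):
                continue                  # unresolvable name: no match
        if any(addr in net for net in nets):
            return True
    return False

# Constructed resolver so the example works without network access.
_FAKE_DNS = {"edge.internal.test": "10.1.2.3"}

def fake_resolve(name):
    try:
        return _FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror("constructed: name not found")
```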