Try something like this:
when HTTP_REQUEST {
if {[HTTP::header values "X-Forwarded-For"] ne ""}{
foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
log local0. "Current XFF element: $xff"
if { [class match $xff eq abc-address2] } {
log local0. "$xff hit ABC"
snatpool SNAT_POOL_1.1.1.1
return
}
if { [class match $xff eq def-address] } {
log local0. "$xff hit DEF"
snatpool SNAT_POOL_2.2.2.2
return
}
}
}
else {
log local0. "No X-Forwarded-For header found."
}
if {!([class match [IP::client_addr] equals proxy-address])} {
log local0. "Not matching any ip. traffic dropped"
drop
}
}