Okay, this SEEMS to work. The database is just the start addresses for lots of /8, /16, /24 or /32 ranges (depending on the size of the requested block - e.g. a /22 range gets written as the start address for four /24s) taken from https://www.okean.com/antispam/iptables/rc.firewall.china and mapped to "BLOCKED" and then built into a database file with `httxt2dbm`.
```
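# Assumes RewriteEngine is on and a RewriteMap named "greatfirewall" (the httxt2dbm output) is declared
# Extract IP parts: %1 = a.b.c, %2 = a.b, %3 = a, %0 = the full address
RewriteCond %{REMOTE_ADDR} ^((([0-9]+)\.[0-9]+)\.[0-9]+)\.[0-9]+$
RewriteRule . - [E=subnet8:%3.0.0.0,E=subnet16:%2.0.0,E=subnet24:%1.0,E=subnet32:%0]
# Look up each start address in the map; any hit redirects to the tarpit
# Tarpit provided by a Mastodon user - https://mastodon.social/@pcarrier/112429748041537087
# We don't have access to mod_cspnonce yet, so fudge a random-ish value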
RewriteCond ${greatfirewall:%{ENV:subnet8}} =BANNED [OR]
RewriteCond ${greatfirewall:%{ENV:subnet16}} =BANNED [OR]
RewriteCond ${greatfirewall:%{ENV:subnet24}} =BANNED [OR]
RewriteCond ${greatfirewall:%{ENV:subnet32}} =BANNED
RewriteRule . https://srv.us/tarpit?nonce=%{REMOTE_PORT}%{TIME} [L,E=donotlog:1,R=301]
```
(`donotlog` is used later to avoid logging, because when they hit so hard and so often then I don't need that bloat in my server logs!)
Not yet worked out why it only seemed to work within `<VirtualHost>` blocks.
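An added example, not part of the original post: one way to turn CIDR ranges into the start-address keys described above, as text input for `httxt2dbm`. The function names and sample ranges are made up for illustration, and the value defaults to `BANNED` because that is what the `RewriteCond` lines compare against. It also flags one edge case of this key scheme: a key carries no prefix length, so a small range that starts on a `.0.0.0` or `.0.0` boundary also matches the coarser lookups.

```python
import ipaddress

# The rewrite rules only look up keys at these four sizes.
LOOKUP_PREFIXES = (8, 16, 24, 32)

def expand_range(cidr):
    """Split an IPv4 CIDR into start addresses at the nearest lookup size."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    target = next(p for p in LOOKUP_PREFIXES if p >= net.prefixlen)
    return target, [sub.network_address for sub in net.subnets(new_prefix=target)]

def overblocked_by(addr, target):
    """Return the widest network that a coarser lookup would also match, or None.

    The map key carries no prefix length, so a key such as 192.0.0.0 written for
    a /24 is also what the subnet8 lookup produces for all of 192.0.0.0/8.
    """
    for coarser in LOOKUP_PREFIXES:
        if coarser >= target:
            break
        wide = ipaddress.IPv4Network((addr, coarser), strict=False)
        if wide.network_address == addr:
            return wide
    return None

def build_map(cidrs, value="BANNED"):
    """Return (map_lines, warnings); `value` must equal what RewriteCond tests."""
    keys, warnings = {}, []
    for cidr in cidrs:
        target, starts = expand_range(cidr)
        for addr in starts:
            wide = overblocked_by(addr, target)
            if wide is not None:
                warnings.append(f"{cidr}: key {addr} also matches all of {wide}")
            keys[addr] = value
    return [f"{a} {keys[a]}" for a in sorted(keys)], warnings

# Constructed sample ranges, not taken from the real list.
SAMPLE = ["198.51.100.0/22", "203.0.113.8/30", "10.0.0.0/8", "192.0.0.0/24"]

if __name__ == "__main__":
    lines, warnings = build_map(SAMPLE)
    print("\n".join(lines))
    for w in warnings:
        print("WARNING:", w)
```

The printed `key value` lines are the text map format that `httxt2dbm -i map.txt -o map.dbm` converts; any warning means that range needs separate handling before the map is built.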