From de56f0031f9670a1b6c1d896098c88284861cba6 Mon Sep 17 00:00:00 2001 From: Markus Makela Date: Wed, 16 Mar 2016 21:33:38 +0200 Subject: [PATCH] Added note about combining dbfw blacklist and whitelist functionality Added a small explanation and an excerpt from a configuration file to the dbfwfilter documentation. It demonstrates the use of both blacklist and whitelist functionality in the same service. --- .../Filters/Database-Firewall-Filter.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/Documentation/Filters/Database-Firewall-Filter.md b/Documentation/Filters/Database-Firewall-Filter.md index f56f95b20..f9780c1ea 100644 --- a/Documentation/Filters/Database-Firewall-Filter.md +++ b/Documentation/Filters/Database-Firewall-Filter.md @@ -36,6 +36,34 @@ The database firewall filter has one mandatory parameter that defines the locati This parameter is optional and determines what action is taken when a query matches a rule. The value can be either `allow`, which allows all matching queries to proceed but blocks those that don't match, or `block`, which blocks all matching queries, or `ignore` which allows all queries to proceed. +You can have both blacklist and whitelist functionality by configuring one filter +with `action=allow` and another one with `action=block`. You can then use +different rule files with each filter, one for blacklisting and another one +for whitelisting. After this you only have to add both of these filters +to a service in the following way. + +``` +[my-firewall-service] +type=service +servers=server1 +router=readconnroute +user=maxuser +passwd=maxpwd +filters=dbfw-whitelist|dbfw-blacklist + +[dbfw-whitelist] +type=filter +module=dbfwfilter +action=allow +rules=/home/user/whitelist-rules.txt + +[dbfw-blacklist] +type=filter +module=dbfwfilter +action=block +rules=/home/user/blacklist-rules.txt +``` + #### `log_match` Log all queries that match a rule. For the `any` matching mode, the name of
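Review bot: The added paragraph ahead of the config excerpt says to put both filters on the service but never states how the two decisions combine. Going by the `action` description in the context line just above it, `action=allow` blocks every query that does not match, so with `filters=dbfw-whitelist|dbfw-blacklist` a query would have to match the whitelist rules and also miss the blacklist rules to get through; please spell that out and say whether the order in `filters=` changes the result. A smaller point on the excerpt itself: `rules=/home/user/whitelist-rules.txt` and `passwd=maxpwd` will be copied as they stand, so consider a sentence noting that the rule files should not be writable by other users, since anyone who can edit them controls the firewall policy.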