diff --git a/Documentation/Filters/Database-Firewall-Filter.md b/Documentation/Filters/Database-Firewall-Filter.md index cace99ff7..6e759d7c2 100644 --- a/Documentation/Filters/Database-Firewall-Filter.md +++ b/Documentation/Filters/Database-Firewall-Filter.md @@ -165,6 +165,12 @@ matched. The symbolic comparison operators (`<`, `>`, `>=` etc.) are also considered functions whereas the text versions (`NOT`, `IS`, `IS NOT` etc.) are not considered functions. +If the rule is given no values then the rule will match any query which does not +use functions. By combining this with the `action=allow` parameter, it is +possible to enable whitelisting of all queries which do not use functions. One +such use case is preventing functions from being used to circumvent masking done +by the masking filter. + When the filter is in whitelist mode (`action=allow`) the function rule will match any query that does not use a function. This means that queries that do not use functions will be allowed through a function type rule. diff --git a/server/modules/filter/dbfwfilter/ruleparser.y b/server/modules/filter/dbfwfilter/ruleparser.y index e5be55cf0..a32408e5a 100644 --- a/server/modules/filter/dbfwfilter/ruleparser.y +++ b/server/modules/filter/dbfwfilter/ruleparser.y @@ -114,6 +114,7 @@ mandatory: | FWTOK_REGEX FWTOK_QUOTEDSTR {if (!define_regex_rule(scanner, $2)){YYERROR;}} | FWTOK_COLUMNS columnlist | FWTOK_FUNCTION functionlist + | FWTOK_FUNCTION {if (!define_function_rule(scanner, "")){YYERROR;}} ; columnlist:
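Review bot: the new paragraph in Database-Firewall-Filter.md overlaps with the unchanged paragraph that follows it ("When the filter is in whitelist mode (`action=allow`) the function rule will match any query that does not use a function"), and the two together leave the `action=block` case undefined: read literally, a `function` rule with no values in the default blocking mode would match, and therefore block, every query that uses no functions, which is the opposite of what a user would expect from a blacklist rule. Suggest merging the two paragraphs into one that spells out both modes, states explicitly that the value-less form is intended for use with `action=allow`, and shows a concrete rule line using `function` with no arguments (the grammar change accepts the bare keyword) next to the `action=allow` setting, so the masking-bypass use case is reproducible from the documentation alone.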
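Review bot: the new alternative in ruleparser.y encodes "no functions" as a call to `define_function_rule(scanner, "")`, that is, an empty string in place of a function name, without any comment or documentation of that sentinel; whoever later reads `define_function_rule` will see an empty-string function being registered and has no way to tell that it means "match queries that use no functions" rather than a parser bug. Suggest either a dedicated rule-definition call for the value-less form or, at minimum, a comment on this line and a check in `define_function_rule` that an empty name is only accepted for this purpose. Also, please confirm that `functionlist` cannot derive an empty sequence (its definition is outside this hunk): if it can, `| FWTOK_FUNCTION functionlist` and the new `| FWTOK_FUNCTION` alternative are ambiguous and bison will report a reduce/reduce conflict, so the build output should be checked for new grammar conflicts, and a rule-parser test for the bare `function` keyword (with and without trailing optional clauses) would be worth adding alongside this change.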