From 52158c98ed34deaa002580ea975fc1c702400c03 Mon Sep 17 00:00:00 2001 From: swoga Date: Mon, 24 Feb 2020 15:46:58 +0100 Subject: [PATCH] Add docs for rmACL() --- pdns/dnsdistdist/docs/advanced/acl.rst | 7 +++++++ pdns/dnsdistdist/docs/reference/config.rst | 13 +++++++++++++ 2 files changed, 20 insertions(+) diff --git a/pdns/dnsdistdist/docs/advanced/acl.rst b/pdns/dnsdistdist/docs/advanced/acl.rst index 4fd92a755a..9bb82b7f36 100644 --- a/pdns/dnsdistdist/docs/advanced/acl.rst +++ b/pdns/dnsdistdist/docs/advanced/acl.rst @@ -52,6 +52,13 @@ To add a new network range to the existing ACL, use :func:`addACL`: addACL('192.0.2.0/25') addACL('2001:db8::1') -- No netmask specified, only allow this address +To remove a previously added network range from the existing ACL, use :func:`rmACL`: + +.. code-block:: lua + + rmACL('192.0.2.0/25') + rmACL('2001:db8::1') -- No netmask specified, only remove this address + dnsdist also has the :func:`setACL` function that accepts a list of netmasks and resets the ACL to that list: diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 7949cf2d6e..b10253b790 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst 
@@ -325,6 +325,19 @@ Access Control Lists :param str netmask: A CIDR netmask, e.g. ``"192.0.2.0/24"``. Without a subnetmask, only the specific address is allowed. +.. function:: rmACL(netmask) + + Remove a network from the existing ACL controlling which clients can send UDP, TCP, DNS over TLS and DNS over HTTPS queries. See :ref:`ACL` for more information. + This function only removes previously added entries, it does not remove subnets of entries. + + :param str netmask: A CIDR netmask, e.g. ``"192.0.2.0/24"``. Without a subnetmask, only the specific address is allowed. + + .. code-block:: lua + + addACL("192.0.2.0/24") -- for example add subnet to the ACL + rmACL("192.0.2.10") -- does NOT work, the ACL is unchanged + rmACL("192.0.2.0/24") -- does work, the exact match is removed from the ACL + .. function:: setACL(netmasks) Remove the existing ACL and add the netmasks from the table of those allowed to send UDP, TCP, DNS over TLS and DNS over HTTPS queries. See :ref:`ACL` for more information. -- 2.47.2
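Review bot: In the docs/advanced/acl.rst hunk, the new rmACL paragraph does not mention the exact-match behaviour that the reference entry in this same patch documents ("This function only removes previously added entries, it does not remove subnets of entries"). A reader of the advanced page alone could take the comment "No netmask specified, only remove this address" to mean that rmACL('2001:db8::1') revokes access for that address even when it is covered by a wider range added earlier, leaving a client allowed that the operator believes was removed. Suggest adding one sentence after the code block stating that rmACL only removes an entry identical to one previously added and leaves any covering range in place, with a link to the reference entry.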
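Review bot: In the docs/reference/config.rst hunk, the ":param str netmask:" line for rmACL is copied from addACL and still ends with "Without a subnetmask, only the specific address is allowed", which describes adding rather than removing. Suggest "Without a subnetmask, only the entry for that specific address is removed", which also matches the comment used in the acl.rst example. In the sentence above it, "it does not remove subnets of entries" is a comma splice and is easy to misread; wording such as "the netmask must exactly match an existing entry; addresses or subnets contained in a larger entry cannot be removed on their own" would say the same thing the Lua example shows.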