From ea1d5b6b1f33c9a9a745dd4f0e1ad70c1f97d3b6 Mon Sep 17 00:00:00 2001 From: NHAS Date: Mon, 30 Oct 2023 08:16:44 +1300 Subject: [PATCH] Update docs --- README.md | 41 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 03244c3a..7ce1e4f9 100644 --- a/README.md +++ b/README.md @@ -431,9 +431,46 @@ Example: } ``` -It is **important to note** that rules will not compose subnet matches, i.e rules that apply to `10.0.0.0/16` will not apply to `10.0.1.1/32` as the more specific route rule takes preference. +Its important to note that the most specific rule effectively creates a new rule "bucket", so if you do something like: +```json +"group:nerds": { + "Allow": [ + "10.0.0.0/24 443/tcp" + ], + "Deny": [ + "10.0.0.5/32 22/tcp" + ] +} +``` + +Your clients will not be able to access `10.0.0.5/32 443/tcp`, as the only rule in the `/32` "bucket" is a deny rule. You can solve this by adding the following: +```json +"group:nerds": { + "Allow": [ + "10.0.0.0/24 443/tcp" + "10.0.0.5/32 22/tcp" + ], + "Deny": [ + "10.0.0.5/32 22/tcp" + ] +} +``` + +or + +```json +"group:nerds": { + "Allow": [ + "10.0.0.0/24 443/tcp" + ], + "Deny": [ + "10.0.0.0/24 22/tcp" + ] +} +``` +As then you're adding the deny rule to the `/24` "bucket". -It is possible to define what services a user can access by defining port and protocol rules. +Additionally, It is possible to define what services a user can access by defining port and protocol rules. Currently 3 types of port and protocol rules are supported: ### Any
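Review bot: the second example (the first "You can solve this by adding the following" block) does not fix the problem the text describes: the Allow entry it adds is `"10.0.0.5/32 22/tcp"`, which is the same address and port as the Deny rule directly beneath it, so the `/32` bucket still contains no rule granting 443/tcp and the sentence "Your clients will not be able to access `10.0.0.5/32 443/tcp`" still holds. If the intent is to let the specific-host bucket carry the permission the `/24` rule gave, the added Allow should presumably be `"10.0.0.5/32 443/tcp"`; the example as written also leaves an Allow and a Deny for the identical rule in the same bucket, and the text does not say which wins. Separately, that same Allow array is missing the comma between `"10.0.0.0/24 443/tcp"` and `"10.0.0.5/32 22/tcp"`, so the snippet is not valid JSON and will fail if a reader pastes it into a config. Minor wording in the added prose: "Its important to note" should be "It's important to note", and "Additionally, It is possible" should use a lowercase "it".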