diff --git a/radsecproxy.c b/radsecproxy.c
index 9ed972f..2ba5b0e 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2625,7 +2625,9 @@ int confserver_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
 }
 int confrewrite_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
+ uint8_t whitelist_mode = 0;
 char **rmattrs = NULL, **rmvattrs = NULL;
+ char **wlattrs = NULL, **wlvattrs = NULL;
 char **addattrs = NULL, **addvattrs = NULL;
 char **modattrs = NULL;
 char **supattrs = NULL, **supvattrs = NULL;
@@ -2633,8 +2635,11 @@ int confrewrite_cb(struct gconffile **cf, void *arg, char *block, char *opt, cha
 debug(DBG_DBG, "confrewrite_cb called for %s", block);
 if (!getgenericconfig(cf, block,
+ "whitelistMode", CONF_BLN, &whitelist_mode,
 "removeAttribute", CONF_MSTR, &rmattrs,
 "removeVendorAttribute", CONF_MSTR, &rmvattrs,
+ "whitelistAttribute", CONF_MSTR, &wlattrs,
+ "whitelistVendorAttribute", CONF_MSTR, &wlvattrs,
 "addAttribute", CONF_MSTR, &addattrs,
 "addVendorAttribute", CONF_MSTR, &addvattrs,
 "modifyAttribute", CONF_MSTR, &modattrs,
@@ -2642,7 +2647,12 @@ int confrewrite_cb(struct gconffile **cf, void *arg, char *block, char *opt, cha
 "supplementVendorAttriute", CONF_MSTR, &supvattrs, NULL)) debugx(1, DBG_ERR, "configuration error");
- addrewrite(val, rmattrs, rmvattrs, addattrs, addvattrs, modattrs, supattrs, supvattrs);
+ addrewrite(val, whitelist_mode, whitelist_mode? wlattrs : rmattrs, whitelist_mode? wlvattrs : rmvattrs,
+ addattrs, addvattrs, modattrs, supattrs, supvattrs);
+
+ freegconfmstr(whitelist_mode? rmattrs : wlattrs);
+ freegconfmstr(whitelist_mode? rmvattrs : wlvattrs);
+
 return 1;
 }
diff --git a/rewrite.c b/rewrite.c
index 4e41cf7..da4f53f 100644
--- a/rewrite.c
+++ b/rewrite.c
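Review bot: The list that does not match whitelistMode is freed without any diagnostic in the last radsecproxy.c hunk, so a rewrite block that sets whitelistAttribute or whitelistVendorAttribute but leaves whitelistMode off is accepted and, as far as this diff shows, filters nothing. For an allow-list that is a fail-open misconfiguration, and the reverse case (whitelistMode on together with removeAttribute lines) is discarded just as quietly. I would reject the mismatch before the addrewrite() call: `if (whitelist_mode ? (rmattrs || rmvattrs) : (wlattrs || wlvattrs)) debugx(1, DBG_ERR, "rewrite %s: attribute lists do not match whitelistMode", val);`. The freegconfmstr() calls also receive NULL whenever the corresponding option was not configured; its definition is not on this page, so confirm that it accepts NULL.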
@@ -139,7 +139,7 @@ struct modattr *extractmodattr(char *nameval) {
 return m;
 }
-void addrewrite(char *value, char **rmattrs, char **rmvattrs, char **addattrs,
+void addrewrite(char *value, uint8_t whitelist_mode, char **rmattrs, char **rmvattrs, char **addattrs,
 char **addvattrs, char **modattrs, char **supattrs, char** supvattrs) {
 struct rewrite *rewrite = NULL;
@@ -252,6 +252,7 @@ void addrewrite(char *value, char **rmattrs, char **rmvattrs, char **addattrs,
 rewrite = malloc(sizeof(struct rewrite));
 if (!rewrite) debugx(1, DBG_ERR, "malloc failed");
+ rewrite->whitelist_mode = whitelist_mode;
 rewrite->removeattrs = rma;
 rewrite->removevendorattrs = rmva;
 rewrite->addattrs = adda;
diff --git a/rewrite.h b/rewrite.h
index 3b2b62d..d8edecf 100644
--- a/rewrite.h
+++ b/rewrite.h
@@ -23,7 +23,7 @@ struct rewrite {
 struct list *supattrs; /*struct tlv*/
 };
-void addrewrite(char *value, char **rmattrs, char **rmvattrs, char **addattrs,
+void addrewrite(char *value, uint8_t whitelist_mode, char **rmattrs, char **rmvattrs, char **addattrs,
 char **addvattrs, char **modattrs, char **supattrs, char** supvattrs);
 int dorewrite(struct radmsg *msg, struct rewrite *rewrite);
 struct modattr *extractmodattr(char *nameval);
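Review bot: The parameters `rmattrs` and `rmvattrs` keep their remove-list names in the new addrewrite() signature, although the caller in radsecproxy.c now passes the whitelist lists through them when `whitelist_mode` is set. Nothing in rewrite.c or in the matching rewrite.h prototype says that the meaning of the two lists flips with the flag, so a later caller can easily pass a remove list with the flag on and invert the filter. I would add a comment above the prototype, for example `/* whitelist_mode != 0: rmattrs/rmvattrs name the attributes to keep; otherwise the attributes to remove */`. The body of addrewrite() lies mostly outside this hunk.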
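Review bot: `rewrite->whitelist_mode` is assigned in the second rewrite.c hunk, but no hunk on this page adds a `whitelist_mode` member to struct rewrite. The only rewrite.h hunk changes the prototype and shows just the tail of the struct, so if the member was not introduced by an earlier commit this does not compile. dorewrite() is not touched here either, so whether the flag is honoured when attributes are filtered cannot be confirmed from this diff. If the member is added, a comment on it such as `uint8_t whitelist_mode; /* non-zero: removeattrs/removevendorattrs are allow-lists */` would document the inverted meaning of the two lists stored next to it.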