diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm index a922702ba..3969ba737 100644 --- a/Shorewall/Perl/Shorewall/Policy.pm +++ b/Shorewall/Perl/Shorewall/Policy.pm @@ -357,7 +357,7 @@ sub validate_policy() add_or_modify_policy_chain( $zone1, $zone ); } } - } elsif ( zone_type( $zone ) == VIRTUAL ) { + } elsif ( defined_zone( $zone )->{virtual} ) { for my $zone1 ( @{defined_zone( $zone )->{children}} ) { for my $zone2 ( all_zones ) { unless ( $zone1 eq $zone2 ) { diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 4f5f5db68..215784284 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -40,7 +40,6 @@ our @EXPORT = qw( NOTHING IP BPORT IPSEC - VIRTUAL VIRTUAL_BITS determine_zones @@ -165,8 +164,7 @@ our $virtualmark; use constant { FIREWALL => 1, IP => 2, BPORT => 3, - IPSEC => 4, - VIRTUAL => 5 }; + IPSEC => 4 }; use constant { SIMPLE_IF_OPTION => 1, BINARY_IF_OPTION => 2, @@ -366,7 +364,6 @@ sub process_zone( \$ ) { my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file'; my $mark = 0; - my $virtual = 0; if ( $zone =~ /(\w+):([\w,]+)/ ) { $zone = $1; @@ -392,12 +389,6 @@ sub process_zone( \$ ) { } elsif ( $type =~ /^ipsec([46])?$/i ) { fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; $type = IPSEC; - - for ( @parents ) { - unless ( $zones{$_}{type} == IPSEC ) { - set_super( $zones{$_} ); - } - } } elsif ( $type =~ /^bport([46])?$/i ) { fatal_error "Invalid zone type ($type)" if $1 && $1 != $family; warning_message "Bridge Port zones should have a parent zone" unless @parents; 
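Review bot: `defined_zone( $zone )` is now evaluated twice on consecutive lines — once in the new `elsif` condition and again in the `for` header directly below it; hoisting it into a lexical at the top of the loop body (above this hunk), `my $zoneref = defined_zone( $zone );`, then `} elsif ( $zoneref->{virtual} ) {` and `for my $zone1 ( @{ $zoneref->{children} } ) {`, avoids the repeated lookup and makes the zone being walked explicit. The replaced `zone_type( $zone ) == VIRTUAL` compared a numeric type code, whereas `->{virtual}` is tested for truthiness; judging by the process_zone hunk in Zones.pm, `$virtual` is a shifted bit from `$virtualmark` (or 0), so a short comment at this first use, e.g. `# {virtual} is the zone's mark bit, 0 for ordinary zones`, would document what the key holds, and the same test in zone_report (@@ -552) and dump_zone_contents (@@ -608) can then stay bare. Where process_zone stores `$virtual` into the zone hash is not in the diff, so that comment should be checked against it. The enclosing validate_policy body runs outside the hunk on both sides.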
@@ -409,12 +400,6 @@ sub process_zone( \$ ) { $firewall_zone = $zone; $ENV{FW} = $zone; $type = FIREWALL; - } elsif ( $type eq 'virtual' ) { - require_capability 'MARK_IN_FILTER' , 'virtual zones', ''; - fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT; - $virtual = $virtualmark; - $virtualmark = $virtualmark << 1; - $type = VIRTUAL; } elsif ( $type eq '-' ) { $type = IP; $$ip = 1; @@ -422,6 +407,25 @@ sub process_zone( \$ ) { fatal_error "Invalid zone type ($type)" ; } + if ( $type eq IPSEC ) { + for ( @parents ) { + unless ( $zones{$_}{type} == IPSEC ) { + set_super( $zones{$_} ); + } + } + } + + my $virtual = 0; + + if ( $options eq 'virtual' ) { + require_capability 'MARK_IN_FILTER' , 'virtual zones', ''; + fatal_error "Only ipv${family} zones may be virtual" unless $type == IP; + fatal_error "Too many virtual zones" if $virtualmark == VIRTUAL_LIMIT; + $virtual = $virtualmark; + $virtualmark = $virtualmark << 1; + $options = ''; + } + for ( $options, $in_options, $out_options ) { $_ = '' if $_ eq '-'; } @@ -507,9 +511,9 @@ sub zone_report() my @translate; if ( $family == F_IPV4 ) { - @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' ); + @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); } else { - @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' ); + @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); } for my $zone ( @zones ) @@ -552,7 +556,7 @@ sub zone_report() unless ( $printed ) { fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge}; - warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $type == VIRTUAL && @{$zoneref->{children}} ); + warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL || ( $zoneref->{virtual} && @{$zoneref->{children}} ); } } } 
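Review bot: The new `if ( $options eq 'virtual' )` test only recognises the option when it is the entire OPTIONS column, so `virtual` combined with any other option (`virtual,foo`) would not mark the zone and would instead reach the generic option handling below the hunk as an unrecognised word — if a comma-separated OPTIONS list is accepted there (that parsing is not visible here), split `$options` on commas, remove `virtual` from the list, and rejoin the remainder instead of comparing the whole string; the test is also case-sensitive while the TYPE matches above use `/i`. The moved ipsec guard uses a string compare, `if ( $type eq IPSEC )`, whereas every other comparison of the numeric type constants in this hunk uses `==` (`$zones{$_}{type} == IPSEC`, `$type == IP`); `if ( $type == IPSEC )` keeps them consistent. Consider checking `fatal_error "Only ipv${family} zones may be virtual" unless $type == IP;` before `require_capability`, so a misconfigured zone type is reported as such rather than as a missing kernel capability. process_zone's body continues outside the hunk on both sides.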
@@ -565,9 +569,9 @@ sub dump_zone_contents() my @xlate; if ( $family == F_IPV4 ) { - @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'virtual' ); + @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' ); } else { - @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'virtual' ); + @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' ); } for my $zone ( @zones ) @@ -608,7 +612,7 @@ sub dump_zone_contents() } } - if ( $type == VIRTUAL && @{$zoneref->{children}} ) { + if ( $zoneref->{virtual} && @{$zoneref->{children}} ) { $entry .= " ("; $entry .= "$_," for @{$zoneref->{children}}; $entry =~ s/,$/) /; diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index bbf58a8d2..da6bc884e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -231,12 +231,13 @@ None. $FW all ACCEPT 3) Shorewall 4.4.5 introduces 'virtual' zones. A virtual zone is used - to group together a set of sub-zones. A virtual zone is declared - as TYPE 'virtual' in /etc/shorewall/zones. + to group together a set of sub-zones. A virtual zone must by an + ipv4 zone (Shorewall) or an ipv6 zone (Shorewall6) and is declared + with the 'virtual' OPTION in /etc/shorewall/zones. Example: - virt virtual + virt ipv4 virtual The virtual zone must have no definition in /etc/shorewall/interfaces or /etc/shorewall/hosts. Virtual zones @@ -250,7 +251,7 @@ None. Example: - virt virtual + virt ipv4 virtual loc:virt ipv4 vpn:virt ipsec diff --git a/manpages/shorewall-nesting.xml b/manpages/shorewall-nesting.xml index 63b004608..405b8f4bc 100644 --- a/manpages/shorewall-nesting.xml +++ b/manpages/shorewall-nesting.xml @@ -199,7 +199,7 @@ #ZONE TYPE OPTIONS fw firewall net ipv4 - loc virtual #Virtual Zone + loc ipv4 virtual loc1:loc ipv4 loc2:loc ipv4 @@ -218,6 +218,10 @@ There are several restrictions on virtual zones: + + They must have type . + + A maximum of four virtual zones may be defined. 
diff --git a/manpages6/shorewall6-nesting.xml b/manpages6/shorewall6-nesting.xml index aa8b80655..307a1220c 100644 --- a/manpages6/shorewall6-nesting.xml +++ b/manpages6/shorewall6-nesting.xml @@ -103,7 +103,7 @@ #ZONE TYPE OPTIONS fw firewall net ipv6 - loc virtual #Virtual Zone + loc ipv6 virtual loc1:loc ipv6 loc2:loc ipv6 @@ -122,6 +122,10 @@ There are several restrictions on virtual zones: + + They must have type . + + A maximum of four virtual zones may be defined. diff --git a/manpages6/shorewall6-zones.xml b/manpages6/shorewall6-zones.xml index c6b358e77..a97c23df6 100644 --- a/manpages6/shorewall6-zones.xml +++ b/manpages6/shorewall6-zones.xml @@ -169,17 +169,6 @@ c:a,b ipv6 single bridge. - - - virtual - - - Added in Shorewall 4.4.5. Virtual zones are containers - for other zones. See shorewall6-nesting (5) - for details. - -