diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 3b8819784..b8712dfeb 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1670,7 +1670,13 @@ sub process_host( ) {
 if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 $interface = $1;
 $hosts = $2;
- $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
+ if ( $hosts =~ /^\+/ ) {
+ $zoneref->{options}{complex} = 1;
+ fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+ fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
+ }
+
 fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 } else {
 fatal_error "Invalid HOST(S) column contents: $hosts";
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 52ee9d074..97d50327c 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -39,6 +39,18 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 This has been corrected so that a single ERROR message is generated.
+4) Previously, an ipset name appearing in the /etc/shorewall/hosts
+ file could be qualified with a list of 'src' and/or 'dst' enclosed
+ in quotes. This was virtually guaranteed not to work since the set
+ must match when used to verify both a packet source and a
+ packet destination. Now, the following error is raised:
+
+ ERROR: ipset name qualification is disallowed in this file
+
+ As part of this change, the ipset name is now verified to begin
+ with a letter and be composed of letters, digits, underscores ("_")
+ and hyphens ("-").
+
 ----------------------------------------------------------------------------
 I I. K N O W N P R O B L E M S R E M A I N I N G
 ----------------------------------------------------------------------------
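Review bot: The ipset-name check on the new `fatal_error "Invalid ipset name ($hosts)"` line is looser than the release note claims: `\w` without the `/a` modifier also matches non-ASCII letters and digits, the `$` anchor accepts a trailing newline, and nothing bounds the length even though the kernel limits a set name to 31 characters. Since the validated name is presumably interpolated into generated ipset/iptables command lines later (not visible in this hunk), a strict ASCII, length-bounded, `\z`-anchored pattern is cheap insurance: `fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-A-Za-z0-9_]{0,30}\z/;`. The bracket check on the preceding line becomes redundant with either pattern but is worth keeping for its more specific error message. process_host starts before and continues past this hunk.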