diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml
index 2ef159db5..22dd13612 100644
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -94,9 +94,7 @@
         <term><emphasis role="bold">SOURCE</emphasis> — {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
-        role="bold">all</emphasis>|<emphasis
-        role="bold">$FW</emphasis>[<emphasis
-        role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
+        role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
         role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
 
         <listitem>
@@ -152,7 +150,7 @@
           role="bold">ipp2p</emphasis> then this column must contain an
           <emphasis>ipp2p-option</emphasis> ("iptables -m ipp2p --help")
           without the leading "--". If no option is given in this column,
-          "ipp2p" is assumed.</para>
+          <emphasis role="bold">ipp2p</emphasis> is assumed.</para>
 
           <para>Service name from services(5) or <emphasis>port
           number</emphasis>. May only be specified if the protocol is
@@ -190,8 +188,8 @@
 
         <listitem>
           <para>This column may only be non-empty if the <emphasis
-          role="bold">SOURCE</emphasis> is the firewall itself (<emphasis
-          role="bold">$FW</emphasis>).</para>
+          role="bold">CHAIN</emphasis> is <emphasis
+          role="bold">OUTPUT</emphasis>.</para>
 
           <para>When this column is non-empty, the rule applies only if the
           program generating the output is running under the effective
diff --git a/manpages/shorewall-exclusion.xml b/manpages/shorewall-exclusion.xml
new file mode 100644
index 000000000..2c2f1e1fb
--- /dev/null
+++ b/manpages/shorewall-exclusion.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-exclusion</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>exclusion</refname>
+
+    <refpurpose>Exclude a set of hosts from a definition in a shorewall
+    configuration file.</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>!</command>
+
+      <arg choice="plain">address-or-range</arg>
+
+      <arg rep="repeat">,address-or-range</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Exclusion is used when you wish to exclude one or more addresses
+    from a definition. An exclaimation point is followed by a comma-separated
+    list of addresses. The addresses may be single host addresses (e.g.,
+    192.168.1.4) or they may be network addresses in CIDR format (e.g.,
+    192.168.1.0/24). If your kernel and iptables include iprange support, you
+    may also specify ranges of ip addresses of the form
+    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
+
+    <para>No embedded whitespace is allowed.</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example 1</term>
+
+        <listitem>
+          <para>!192.168.3.4</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2</term>
+
+        <listitem>
+          <para>!192.168.1.0/24,10.1.3.4</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Example 3</term>
+
+        <listitem>
+          <para>!192.168.1.3-192.168.1.12,10.0.0.0/8</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/hosts</para>
+
+    <para>/etc/shorewall/masq</para>
+
+    <para>/etc/shorewall/rules</para>
+
+    <para>/etc/shorewall/tcrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
\ No newline at end of file
diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml
index 52593acc8..b59f2d11a 100644
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml
@@ -56,9 +56,9 @@
 
       <varlistentry>
         <term><emphasis role="bold">HOST(S)</emphasis> —
-        <emphasis>interface</emphasis>:{[<emphasis>port</emphasis>:]{<emphasis>address-or-range</emphasis>[<emphasis
+        <emphasis>interface</emphasis>:{[<emphasis>bridge-port</emphasis>:]{<emphasis>address-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
           <para>The name of an interface defined in the
@@ -81,8 +81,8 @@
             </listitem>
 
             <listitem>
-              <para>A physical <emphasis>port</emphasis> name; only allowed
-              when the interface names a bridge created by the
+              <para>A physical <emphasis>bridge-port</emphasis> name; only
+              allowed when the interface names a bridge created by the
               <command>brctl(8) addbr</command> command. This port must not be
               defined in shorewall-interfaces(5) and may be optionally
               followed by a colon (":") and a host or network IP or a range.
@@ -96,11 +96,16 @@
               <para>The name of an <emphasis>ipset</emphasis>.</para>
             </listitem>
           </orderedlist>
+
+          <blockquote>
+            <para>You may also exclude certain hosts through use of an
+            <emphasis>exclusion</emphasis> (see shorewall-exclusion(5).</para>
+          </blockquote>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>OPTIONS — [<emphasis>option</emphasis>[<emphasis
+        <term>OPTIONS (Optional) — [<emphasis>option</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
 
         <listitem>
diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml
index 9ca99bc04..acc9b8d83 100644
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -43,7 +43,7 @@
         role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
         role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
         role="bold">:</emphasis>[<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>]...]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>]...][<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
           <para>Outgoing <emphasis>interface</emphasis>. This is usually your
@@ -58,8 +58,8 @@
           <para>The interface may be qualified by adding the character ":"
           followed by a comma-separated list of destination host or subnet
           addresses to indicate that you only want to change the source IP
-          address for packets being sent to those particular
-          destinations.</para>
+          address for packets being sent to those particular destinations.
+          Exclusion is allowed (see shorewall-exclusion(5)).</para>
 
           <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
           entry then include the ":" but omit the digit:</para>
@@ -85,9 +85,7 @@
         <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
         —
         {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>]}[<emphasis
-        role="bold">!</emphasis><emphasis>exclude-address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>exclude-address</emphasis>]...]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>]}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this
@@ -98,8 +96,9 @@
           appropriate addresses to masquerade).</para>
 
           <para>In order to exclude a address of the specified SOURCE, you may
-          append "!" and a comma-separated list of IP addresses (host or net)
-          that you wish to exclude.</para>
+          append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
+          list of IP addresses (host or net) that you wish to exclude (see
+          shorewall-exclusion(5))).</para>
 
           <para>Example: eth1!192.168.1.4,192.168.32.0/27</para>
 
@@ -402,12 +401,13 @@
     url="http://www.shorewall.net/Documentation.htm#Masq">http://www.shorewall.net/Documentation.htm#Masq</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
+    shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>
\ No newline at end of file
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index 0a3b9413f..3b4c13782 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -375,7 +375,7 @@
         role="bold">-</emphasis>]}<emphasis
         role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
         role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
           <para>Source hosts to which the rule applies. May be a zone defined
@@ -416,6 +416,10 @@
           square brackets ([]) to indicate the number of levels of source
           bindings to be matched.</para>
 
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see
+          shorewall-exclusion(5)).</para>
+
           <para>Examples:</para>
 
           <variablelist>
@@ -460,6 +464,15 @@
                 <para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>net:155.186.235.0/24!155.186.235.16/28</term>
+
+              <listitem>
+                <para>Subnet 155.186.235.0/24 on the Internet except for
+                155.186.235.16/28</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
 
           <blockquote>
@@ -481,7 +494,7 @@
         role="bold">-</emphasis>]}<emphasis
         role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
         role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
           <para>Location of Server. May be a zone defined in
@@ -505,6 +518,10 @@
           restricted to a particular subnet, host or interface by appending
           ":" and the subnet, host or interface. See above.</para>
 
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see
+          shorewall-exclusion(5)).</para>
+
           <para>Restrictions:</para>
 
           <para>1. MAC addresses are not allowed.</para>
@@ -703,7 +720,7 @@
         [<emphasis role="bold">-</emphasis>|<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
         role="bold">sec</emphasis>|<emphasis
-        role="bold">min</emphasis>}[:<emphasis>burst</emphasis>] </term>
+        role="bold">min</emphasis>}[:<emphasis>burst</emphasis>]</term>
 
         <listitem>
           <para>You may rate-limit the rule by placing a value in this
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 24a89890a..bf2b103b3 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -195,7 +195,7 @@
         role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
         role="bold">$FW</emphasis>|[{<emphasis>interface</emphasis>|<emphasis
         role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}</term>
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
           <para>Source of the packet. A comma-separated list of interface
@@ -219,13 +219,17 @@
           separator.</para>
 
           <para>Example: ~00-A0-C9-15-39-78</para>
+
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see
+          shorewall-exclusion(5)).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> — {<emphasis
         role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}</term>
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
           <para>Destination of the packet. Comma separated list of IP
@@ -236,6 +240,10 @@
           role="bold">MARK</emphasis> column specificies a classification of
           the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
           this column may also contain an interface name.</para>
+
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see
+          shorewall-exclusion(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -460,9 +468,9 @@
        1         0.0.0.0/0 0.0.0.0/0    icmp    echo-request
        1         0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
        RESTORE   0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
-        CONTINUE 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
-        4        0.0.0.0/0 0.0.0.0/0    ipp2p:all
-        SAVE     0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0</programlisting>
+       CONTINUE  0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
+       4         0.0.0.0/0 0.0.0.0/0    ipp2p:all
+       SAVE      0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0</programlisting>
 
           <para>If a packet hasn't been classifed (packet mark is 0), copy the
           connection mark to the packet mark. If the packet mark is set, we're
@@ -492,12 +500,13 @@
     url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>
\ No newline at end of file