diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index e89b9f912..6c4f7ebf8 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3230,9 +3230,13 @@ sub addnatjump( $$$ ) {
 # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
 sub mysplit( $ ) {
- my @input = split_list $_[0], 'host';
+ my $input = $_[0];

- return @input unless $_[0] =~ /\[/;
+ my @input = split_list $input, 'host';
+
+ return @input unless $input =~ /\[/;
+
+ my $exclude = 0;

 my @result;

@@ -3245,7 +3249,11 @@ sub mysplit( $ ) {
 $element .= ( ',' . shift @input );
 }

+ fatal_error "Invalid host list ($input)" if $exclude && $element =~ /!/;
+ $exclude ||= $element =~ /^!/ || $element =~ /\]!/;
 fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
+ } else {
+ $exclude ||= $element =~ /!/;
 }

 push @result, $element;
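Review bot: The early exit kept in this hunk, `return @input unless $input =~ /\[/;`, runs before `$exclude` is ever consulted, and the `else` branch added in the second hunk sets `$exclude` without testing it, so the new "Invalid host list" error only fires when the repeated `!` sits in an element containing `[`. A list with one bracketed element and two plain elements that each carry `!` would pass through mysplit unreported, unless a caller outside this diff rejects it. For input that ends up as firewall rules, failing the compile is safer than guessing which exclusion was meant: add `fatal_error "Invalid host list ($input)" if $exclude && $element =~ /!/;` ahead of `$exclude ||= $element =~ /!/;` in the else branch. mysplit's body continues past the end of this hunk.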
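Review bot: In the bracketed branch the rejection test `$element =~ /!/` matches a `!` anywhere in the element, while `$exclude` is only set by `/^!/` or `/\]!/`, so the two disagree about what counts as an exclusion. An element with `!` between a plain address and a bracketed set would not set `$exclude`, and a `!` inside `[...]` is fatal only when it follows an earlier exclusion, which makes the result depend on element order. I would use one pattern for both and document it above the check, e.g. `# only one exclusion ('!') is allowed per host list`. Whether `!` is legal inside the brackets is not visible from this hunk, so the right pattern needs confirming against the host-list syntax.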