diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index f6e9c9b31..16400fc71 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,6 +10,8 @@ Changes in 3.3.6
 
 5)  Use multiport match in tcrules.
 
+6)  Fix safe- commands.
+
 Changes in 3.3.5
 
 1)  Restore default route when there are no 'balance' providers.
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index d95976271..dc95be248 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -267,10 +267,12 @@ save_config() {
 	    echo "   ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration"
 	else
 	    case $RESTOREFILE in
-		.*|capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
+		capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
 		    echo "   ERROR: Reserved file name: $RESTOREFILE"
 		    ;;
 		*)
+		    validate_restorefile RESTOREFILE
+
 		    if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
 			echo "   Dynamic Rules Saved"
 			if [ -f ${VARDIR}/.restore ]; then
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index eda984fa4..d05aba4e0 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -37,7 +37,10 @@ Problems Corrected in 3.3.6
     used on a system running Shorewall Lite. If there is a file named
     'ipsets' on the CONFIG_PATH when the firewall script is compiled,
     then the compiled script attempts to restore the ipsets from that
-    file (which may not exist on the firewall system). 
+    file (which may not exist on the firewall system).
+
+2)  Previously, "shorewall safe-[re]start" was badly broken. This
+    breakage had been corrected. 
 
 Other Changes in 3.3.6