diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 709949dde..f86be1f03 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4206,45 +4206,38 @@ sub do_user( $ ) {
require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';
- if ( $user =~ /^(!)?(.*)\+(.*)$/ ) {
- $rule .= "! --cmd-owner $2 " if supplied $2;
- $user = "!$1";
- } elsif ( $user =~ /^(.*)\+(.*)$/ ) {
- $rule .= "--cmd-owner $2 " if supplied $2;
- $user = $1;
+ assert ( $user =~ /^(!)?(.*?)(:(.*))?$/ );
+ my $invert = $1 ? '! ' : '';
+ my $group = supplied $4 ? $4 : '';
+
+ if ( supplied $2 ) {
+ $user = $2;
+ if ( $user =~ /(\d+)(-(\d+))?$/ ) {
+ if ( supplied $2 ) {
+ fatal_error "Invalid User Range ($user)" unless $3 >= $1;
+ }
+ } else {
+ $user = resolve_id( $user, 'user' );
+ }
+
+ $rule .= "${invert}--uid-owner $user ";
}
- if ( $user =~ /^(!)?(.*):(.*)$/ ) {
- my $invert = $1 ? '! ' : '';
- my $group = defined $3 ? $3 : '';
-
- if ( supplied $2 ) {
- $user = $2;
- $user = resolve_id( $user, 'user' ) unless $user =~ /\d+(-\d+)?$/;
- $rule .= "${invert}--uid-owner $user ";
+ if ( $group ne '' ) {
+ if ( $group =~ /^(\d+)(-(\d+))?$/ ) {
+ if ( supplied $2 ) {
+ fatal_error "Invalid Group Range ($group)" unless $3 >= $1;
+ }
+ } else {
+ $group = resolve_id( $group, 'group' );
}
- if ( $group ne '' ) {
- $group = resolve_id( $group, 'group' ) unless $group =~ /^\d+(-\d+)?$/;
- $rule .= "${invert}--gid-owner $group ";
- }
- } elsif ( $user =~ /^(!)?(.*)$/ ) {
- my $invert = $1 ? '! ' : '';
- $user = $2;
-
- fatal_error "Invalid USER/GROUP (!)" if $user eq '';
- $user = resolve_id ($user, 'user' ) unless $user =~ /\d+(-\d+)?$/;
- $rule .= "${invert}--uid-owner $user ";
- } else {
- $user = resolve_id( $user, 'user' ) unless $user =~ /\d+(-\d+)?$/;
- $rule .= "--uid-owner $user ";
+ $rule .= "${invert}--gid-owner $group ";
}
$rule;
}
-
-
#
# Create a "-m tos" match for the passed TOS
#
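Review bot: The numeric test for the user part, `$user =~ /(\d+)(-(\d+))?$/`, has no `^` anchor, unlike the group test further down, so any value that merely ends in digits (for example `abc10` or `1-2-3`) skips `resolve_id` and is written into `--uid-owner` unvalidated. Anchoring it as `if ( $user =~ /^(\d+)(-(\d+))?$/ ) {` makes the two halves agree and lets the range check see the whole value. The rewrite also drops the old `Invalid USER/GROUP (!)` error, so a column of just `!` now appears to fall through both `if` blocks and return `$rule` with no owner criterion instead of failing at compile time. A guard such as `fatal_error "Invalid USER/GROUP ($user)" unless supplied( $2 ) || $group ne '';` before the first `if` would reject that case, and a bare `:` as well. The start of do_user, including how `$rule` is initialised, is outside the hunk, so what is actually emitted in the empty case should be confirmed there.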
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 76732f735..3f7018abe 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -1084,8 +1084,7 @@
USER/GROUP (user) - [!][user-name-or-number][:group-name-or-number][+program-name]
+ role="bold">:group-name-or-number]
This optional column may only be non-empty if the SOURCE is
@@ -1124,19 +1123,6 @@
group
-
-
- +upnpd
-
-
- program named upnpd
-
-
- The ability to specify a program name was removed from
- Netfilter in kernel version 2.6.14.
-
-
-