diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6c5002b66..e966ab9df 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2469,7 +2469,7 @@ sub get_set_flags( $$ ) {
$setname = $1;
my $count = $2;
$options .= ",$option" while --$count > 0;
- } elsif ( $setname =~ /^(.*)\[(.*)\]$/ ) {
+ } elsif ( $setname =~ /^(.*)\[(src|dst)(,(src|dst))*\]$/ ) {
$setname = $1;
$options = $2;
}
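Review bot: The tightened regex on the `+` line captures only the first flag into `$2`, because `(src|dst)` is the second capturing group and the repeated `(,(src|dst))*` introduces groups 3 and 4; for `+foo[src,dst]` the following `$options = $2;` now yields `src` instead of `src,dst`, so the set match emitted for iptables no longer carries the flag list the documentation promises and a multi-dimension set is matched with the wrong number of flags. Make the inner groups non-capturing and capture the whole list: `} elsif ( $setname =~ /^(.*)\[((?:src|dst)(?:,(?:src|dst))*)\]$/ ) {`. Restricting the bracket content from the old `(.*)` to src/dst is the right direction, since that text ends up verbatim in the generated command; it only needs to keep the full list. get_set_flags's body begins before and ends after this hunk.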
@@ -2498,7 +2498,7 @@ sub match_source_net( $;$ ) {
} elsif ( $net =~ /^!?~/ ) {
fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
mac_match $net;
- } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*$/ ) {
+ } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
} elsif ( $net =~ s/^!// ) {
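Review bot: The new pattern in match_source_net drops the trailing `$` anchor that the old pattern had and that the parallel change in match_dest_net (next hunk) keeps, so any string beginning with `+name` now reaches the ipset branch regardless of what follows, including text after the closing bracket. Restore the anchor so the branch accepts only a complete ipset reference: `} elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?$/ ) {`. The `\[.*\]` part is permissive here and presumably relies on get_set_flags to reject anything other than src/dst flags; whether get_set_flags reports an error when neither of its branches matches is not visible from this hunk. match_source_net's body begins before and ends after this hunk.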
@@ -2522,7 +2522,7 @@ sub match_dest_net( $ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : '';
validate_range $addr1, $addr2;
iprange_match . "${invert}--dst-range $net ";
- } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*$/ ) {
+ } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?$/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
} elsif ( $net =~ /^!/ ) {
diff --git a/docs/ipsets.xml b/docs/ipsets.xml
index a21775107..0a994388c 100644
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -120,6 +120,21 @@
/etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT net:+sshok $FW tcp 22
+ The name of the ipset can be optionally followed by a
+ comma-separated list of flags enclosed in square brackets ([...]). Each
+ flag is either src or dst and specifies whether it is the SOURCE address
+ or port number or the DESTINATION address or port number that should be
+ matched. The number of flags must be appropriate for the type of ipset. If
+ no flags are given, Shorewall assumes that the set takes a single flag and
+ will select the flag based on the context. For example, in the blacklist
+ file and when the ipset appears in the SOURCE column of the rules file,
+ src is assumed. If the ipset appears in
+ the DEST column of the rules file, dst is
+ assumed. Note that by using [dst] in the
+ blacklist file, you can coerce the rule into matching the destination IP
+ address rather than the source.
+
Shorewall can save/restore your ipset contents with certain
restrictions: