diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 8b0138301..fdb1e74fb 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -82,4 +82,4 @@ Changes since 1.4.6
 
 36) Extend USER SET column in /etc/shorewall/rules to allow user:group.
 
-
+37) Reword error message to avoid the word 'illegal'.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 8a23bc968..653b8d1fe 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -2569,15 +2569,15 @@ process_rule() # $1 = target
     logtarget="$target"
     dnat_only=
 
-    [ "x$userset" = x- ] && userset=
-
     # Tranform the rule:
     #
+    # - parse the user set specification
     # - set 'target' to the filter table target.
     # - make $FW the destination for REDIRECT
     # - remove '-' suffix from logtargets while setting 'dnat_only'
     # - clear 'address' if it has been set to '-'
 
+    [ "x$userset" = x- ]   && userset=
     [ "x$address" = "x-" ] && address=
 
     if [ -n "$userset" ]; then
@@ -4074,7 +4074,7 @@ add_common_rules() {
 		logdrop|DROP|RETURN)
 		    ;;
 		*)
-		    fatal_error "Illegal target ($target) for $subnet"
+		    fatal_error "Invalid target ($target) for $subnet"
 		    ;;
 	    esac