diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index f8ebcf754..53bcd5ea8 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5172,7 +5172,7 @@ sub match_source_net( $;$\$ ) {
 	return $result;
     }
 
-    if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
+    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
 	fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
 
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
@@ -5238,7 +5238,7 @@ sub imatch_source_net( $;$\$ ) {
 	return \@result;
     }
 
-    if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
+    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
 	fatal_error "A countrycode list may not be used in this context" if $restriction & ( OUTPUT_RESTRICT | POSTROUTE_RESTRICT );
 
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
@@ -5301,7 +5301,7 @@ sub match_dest_net( $;$ ) {
 	return $result;
     }
 
-    if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
+    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
 	fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
 
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
@@ -5362,7 +5362,7 @@ sub imatch_dest_net( $;$ ) {
 	return \@result;
     }
 
-    if ( $net =~ /^(!?)\^([A-Z,\d]+)$/ ) {
+    if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
 	fatal_error "A countrycode list may not be used in this context" if $restriction & (PREROUTE_RESTRICT | INPUT_RESTRICT );
 
 	require_capability 'GEOIP_MATCH', 'A country-code', '';
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 1177ccd65..6432ea5cf 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -642,8 +642,10 @@
           <para>Beginning with Shorewall 4.5.4, A
           <replaceable>countrycode-list</replaceable> may be specified. A
           countrycode-list is a comma-separated list of two-character ISO-3661
-          country codes preceded by a caret ('^'). A list of country codes
-          supported by Shorewall may be found at <ulink
+          country codes enclosed in square brackets ('[...]') and preceded by
+          a caret ('^'). When a single country code is given, the square
+          brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
           url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
           Specifying a <replaceable>countrycode-list</replaceable> requires
           <firstterm>GeoIP Match</firstterm> support in your iptables and
@@ -757,8 +759,10 @@
           <para>Beginning with Shorewall 4.5.4, A
           <replaceable>countrycode-list</replaceable> may be specified. A
           countrycode-list is a comma-separated list of two-character ISO-3661
-          country codes preceded by a caret ('^'). A list of country codes
-          supported by Shorewall may be found at <ulink
+          country codes enclosed in square brackets ('[...]') and preceded by
+          a caret ('^'). When a single country code is given, the square
+          brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
           url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
           Specifying a <replaceable>countrycode-list</replaceable> requires
           <firstterm>GeoIP Match</firstterm> support in your iptables and
diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml
index e8da734ae..b49d11854 100644
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -493,8 +493,10 @@
           <para>Beginning with Shorewall 4.5.4, A
           <replaceable>countrycode-list</replaceable> may be specified. A
           countrycode-list is a comma-separated list of two-character ISO-3661
-          country codes preceded by a caret ('^'). A list of country codes
-          supported by Shorewall may be found at <ulink
+          country codes enclosed in square brackets ('[...]') and preceded by
+          a caret ('^'). When a single country code is given, the square
+          brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
           url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
           Specifying a <replaceable>countrycode-list</replaceable> requires
           <firstterm>GeoIP Match</firstterm> support in your ip6tables and
@@ -625,8 +627,10 @@
           <para>Beginning with Shorewall 4.5.4, A
           <replaceable>countrycode-list</replaceable> may be specified. A
           countrycode-list is a comma-separated list of two-character ISO-3661
-          country codes preceded by a caret ('^'). A list of country codes
-          supported by Shorewall may be found at <ulink
+          country codes enclosed in square brackets ('[...]') and preceded by
+          a caret ('^'). When a single country code is given, the square
+          brackets may be omitted. A list of country codes supported by
+          Shorewall may be found at <ulink
           url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
           Specifying a <replaceable>countrycode-list</replaceable> requires
           <firstterm>GeoIP Match</firstterm> support in your ip6tables and
diff --git a/docs/ISO-3661.xml b/docs/ISO-3661.xml
index 94ec16a1a..d0f580e76 100644
--- a/docs/ISO-3661.xml
+++ b/docs/ISO-3661.xml
@@ -40,7 +40,9 @@
     <para>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
     SOURCE and/or DEST IP addresses by their corresponding country. That is
     done by specifying a comma-separated list of ISO-3661 2-character Country
-    Codes prefixed by a caret ('^').</para>
+    Codes enclosed in square brackets ('[...]') and prefixed by a caret ('^').
+    When a single country code is given, the square brackets can be
+    omitted.</para>
 
     <para>Example - Drop email from the Anonymous Proxy and Satellite Provider
     networks.</para>
@@ -49,7 +51,7 @@
 
     <programlisting>    #ACTION   	   SOURCE	 	DEST	PROTO	DEST
     #		   					PORT(S)
-    DROP:info	   net:^A1,A2		dmz	tcp	25
+    DROP:info	   net:^[A1,A2]		dmz	tcp	25
 </programlisting>
 
     <para>The country codes recognized by Shorewall as of Shorewall 4.5.4 are