diff --git a/firewall/firewall-lib.pl b/firewall/firewall-lib.pl index d13d5ff09..e4c1fec34 100755 --- a/firewall/firewall-lib.pl +++ b/firewall/firewall-lib.pl @@ -255,35 +255,40 @@ return @rv; # Returns a human-readable description of some rule conditions sub describe_rule { -local (@c, $d); +my ($rule) = @_; +my (@c, $d); foreach $d ('p', 's', 'd', 'i', 'o', 'f', 'dport', 'sport', 'tcp-flags', 'tcp-option', 'icmp-type', 'icmpv6-type', 'mac-source', 'limit', 'limit-burst', 'ports', 'uid-owner', 'gid-owner', 'pid-owner', 'sid-owner', 'ctstate', 'state', 'tos', - 'dports', 'sports', 'physdev-in', 'physdev-out', 'args') { - if ($_[0]->{$d}) { + 'dports', 'sports', 'physdev-in', 'physdev-out', 'match-set', + 'args') { + if ($rule->{$d}) { # get name and values - local ($n, @v) = @{$_[0]->{$d}}; + my ($n, @v) = @{$rule->{$d}}; # with additional args if ($d eq 'args') { # get args - @v = grep {/\S/} split(/ / , $_[0]->{$d}); + @v = grep {/\S/} split(/ / , $rule->{$d}); # first arg is name, next are values $n=shift(@v); # translate src and dest parameter for ipset - push(@v, &text("desc_". pop(@v))) if ($n eq "--match-set"); + push(@v, &text("desc_".pop(@v))) + if ($n eq "--match-set"); } # uppercase for p @v = map { uc($_) } @v if ($d eq 'p'); # merge all in one for s and d - @v = map { join(", ", split(/,/, $_)) } @v if ($d eq 's' || $d eq 'd' ); - # compose desc_$n$d to get localized message, provide values as $1, ..., $n - local $txt = &text("desc_$d$n", map { "$_" } @v); + @v = map { join(", ", split(/,/, $_)) } @v + if ($d eq 's' || $d eq 'd' ); + # compose desc_$n$d to get myized message, provide values + # as $1, ..., $n + my $txt = &text("desc_$d$n", map { "$_" } @v); push(@c, $txt) if ($txt); } } -local $rv; +my $rv; if (@c) { $rv = &text('desc_conds', join(" $text{'desc_and'} ", @c)); } diff --git a/firewall/firewall4-lib.pl b/firewall/firewall4-lib.pl index 7346fa9b7..f8ca47500 100755 --- a/firewall/firewall4-lib.pl +++ b/firewall/firewall4-lib.pl 
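Review bot: The rewrapped comment above `my $txt` in describe_rule now reads "to get myized message": the local-to-my replacement also rewrote the word "localized", and the comment names the key as desc_$n$d while the code builds `desc_$d$n`. Suggested text: `# compose desc_$d$n to get localized message, provide values` followed by `# as $1, ..., $n`. Separately, `my ($n, @v) = @{$rule->{$d}};` still runs when `$d` is 'args', where the following lines treat the same value as a space-separated string. Dereferencing a plain string as an array only passes silently without strict refs, so `my ($n, @v) = $d eq 'args' ? () : @{$rule->{$d}};` would be safer if this file is ever moved to `use strict`. The body of describe_rule continues past the end of this hunk.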
@@ -27,7 +27,7 @@ else { '--ports', '--uid-owner', '--gid-owner', '--pid-owner', '--sid-owner', '--state', '--ctstate', '--tos', '-j', '--to-ports', '--to-destination', '--to-source', - '--reject-with', '--dports', '--sports', + '--reject-with', '--dports', '--sports', '--match-set', '--comment', '--physdev-is-bridged', '--physdev-is-in', diff --git a/firewall/lang/en b/firewall/lang/en index f4ccc63a2..713b18c9e 100644 --- a/firewall/lang/en +++ b/firewall/lang/en @@ -140,6 +140,8 @@ desc_ctstate=state of connection is $1 desc_ctstate!=state of connection is not $1 desc_tos=type of service field is $1 desc_tos!=type of service field is not $1 +desc_match-set=$2 matches set $1 +desc_match-set!=$2 does not match set $1 desc_physdev-in=input physical interface is $1 desc_physdev-in!=input physical interface is not $1 desc_physdev-out=output physical interface is $1
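Review bot: In the firewall4-lib.pl hunk, `'--match-set'` is added to an option list whose consumer is not visible, yet the new `desc_match-set` and `desc_match-set!` strings in lang/en rely on both `$1` and `$2`. The list itself starts and ends outside the hunk, so it is worth confirming that the parser captures both values (set name, then direction flags) and the `!` form for this entry; otherwise the description would presumably render with an empty `$2`. A short comment next to the entry would record the expectation, for example `# --match-set: set name followed by flags (src,dst)`.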