diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 2d77146..5d2026d 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2571,7 +2571,7 @@ return {
 /* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
 if (!family && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {
- add_rule(0, proto, [], [], sports, dports, null, null, null, rule);
+ add_rule(0, proto, [], [], sports, dports, null, null, ipset, rule);
 }
 /* we need to emit one or two AF specific rules */
@@ -3305,11 +3305,7 @@ return {
 return;
 }
- if (ipset.family == 0) {
- this.warn_section(data, "must not specify family 'any'");
- return;
- }
- else if (!length(ipset.match)) {
+ if (!length(ipset.match)) {
 this.warn_section(data, "has no datatypes assigned");
 return;
 }
@@ -3318,6 +3314,11 @@ return {
 types = map(ipset.match, m => m[1]),
 interval = false;
+ if (("ip" in types || "net" in types) && ipset.family == 0) {
+ this.warn_section(data, "must not specify family 'any' when matching type 'ip' or 'net'");
+ return;
+ }
+
 if ("set" in types) {
 this.warn_section(data, "match type 'set' is not supported");
 return;
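Review bot: The AF-agnostic `add_rule(0, ...)` call now carries `ipset`, but the comment above the condition still only mentions "AF specific bits" and does not say why a set may appear in a family-neutral rule. Since passing `null` here would emit the rule without its set match and so make it broader than configured, the invariant deserves a comment, for example `/* ipset can only be a family 'any' set here (no 'ip'/'net' types); it must be passed on or the rule loses its set match */`. Whether a set bound to IPv4 or IPv6 is really kept out of this branch depends on how `family`, `has_ipv4_specifics` and `has_ipv6_specifics` are computed, which is outside the hunk, so that should be confirmed before stating it as fact. The enclosing function starts and ends outside the hunk.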
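Review bot: With the guard in the last hunk narrowed to `"ip" in types || "net" in types`, sets with `ipset.family == 0` now get past validation for the first time, and nothing on the visible lines shows that the later steps of this function (entry parsing, the set type that gets emitted) cope with family 0. It would be worth checking each later use of `ipset.family` in this function and adding a test case for a set that has only non-address types with family 'any', asserting that the generated rule still contains the set match. A short comment above the new check would also help, for example `/* family 'any' is only valid for sets without address datatypes */`. The `let` statement that defines `types` begins outside the hunk, as does the rest of the function.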