diff --git a/SOURCES/0159-doc-clarify-set-target-values-default-vs-reject.patch b/SOURCES/0159-doc-clarify-set-target-values-default-vs-reject.patch
new file mode 100644
index 0000000..5357bba
--- /dev/null
+++ b/SOURCES/0159-doc-clarify-set-target-values-default-vs-reject.patch
@@ -0,0 +1,112 @@
+From 8303e10ece79829a2abbb61f4e353ae17d995797 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 27 Mar 2020 14:25:47 -0400
+Subject: [PATCH] doc: clarify --set-target values "default" vs "reject"
+
+Fixes: #590
+(cherry picked from commit 1249b741781d424e03844b35a4545db69a282dfb)
+(cherry picked from commit 48a80a871b3e6be9abcc195c12b2860b4958c32b)
+---
+ doc/xml/firewall-cmd.xml.in      | 36 ++++++++++++++++++++++++++++++++++++
+ doc/xml/firewall-offline-cmd.xml | 38 +++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 73 insertions(+), 1 deletion(-)
+
+diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
+index cd4aa47addb2..661bbdfe0c47 100644
+--- a/doc/xml/firewall-cmd.xml.in
++++ b/doc/xml/firewall-cmd.xml.in
+@@ -482,6 +482,42 @@
+             <para>
+               Set the target of a permanent zone. <replaceable>target</replaceable> is one of: <literal>default</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
+             </para>
++            <para>
++              <literal>default</literal> is similar to <literal>REJECT</literal>, but has special meaning in the following scenarios:
++              <orderedlist>
++                <listitem><para>ICMP explicitly allowed</para>
++                <para>
++                  At the end of the zone's ruleset ICMP packets are explicitly allowed.
++                </para>
++                </listitem>
++
++                <listitem><para>forwarded packets follow the <replaceable>target</replaceable> of the egress zone</para>
++                <para>
++                  In the case of forwarded packets, if the ingress zone uses <literal>default</literal> then whether or not the packet will be allowed is determined by the egress zone.
++                </para>
++                <para>
++                  For a forwarded packet that ingresses zoneA and egresses zoneB:
++                </para>
++                <itemizedlist>
++                <listitem>
++                <para>if zoneA's <replaceable>target</replaceable> is <literal>ACCEPT</literal>, <literal>DROP</literal>, or <literal>REJECT</literal> then the packet is accepted, dropped, or rejected respectively.</para>
++                </listitem>
++                <listitem>
++                <para>if zoneA's <replaceable>target</replaceable> is <literal>default</literal>, then the packet is accepted, dropped, or rejected based on zoneB's <replaceable>target</replaceable>. If zoneB's <replaceable>target</replaceable> is also <literal>default</literal>, then the packet will be rejected by firewalld's catchall reject.</para>
++                </listitem>
++                </itemizedlist>
++                </listitem>
++
++                <listitem><para>Zone drifting from source-based zone to interface-based zone</para>
++                <para>
++                  This only applies if <option>AllowZoneDrifting</option> is enabled. See <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
++                </para>
++                <para>
++                  If a packet ingresses a source-based zone with a <replaceable>target</replaceable> of <literal>default</literal>, it may still enter an interface-based zone (including the default zone).
++                </para>
++                </listitem>
++              </orderedlist>
++            </para>
+           </listitem>
+ 	</varlistentry>
+       </variablelist>
+diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
+index aeaf3dc0ebd5..9406833ed74d 100644
+--- a/doc/xml/firewall-offline-cmd.xml
++++ b/doc/xml/firewall-offline-cmd.xml
+@@ -572,7 +572,43 @@
+           <term><option>--zone</option>=<replaceable>zone</replaceable> <option>--set-target</option>=<replaceable>zone</replaceable></term>
+           <listitem>
+             <para>
+-              Set the target of a permanent zone.
++              Set the target of a permanent zone. <replaceable>target</replaceable> is one of: <literal>default</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
++            </para>
++            <para>
++              <literal>default</literal> is similar to <literal>REJECT</literal>, but has special meaning in the following scenarios:
++              <orderedlist>
++                <listitem><para>ICMP explicitly allowed</para>
++                <para>
++                  At the end of the zone's ruleset ICMP packets are explicitly allowed.
++                </para>
++                </listitem>
++
++                <listitem><para>forwarded packets follow the <replaceable>target</replaceable> of the egress zone</para>
++                <para>
++                  In the case of forwarded packets, if the ingress zone uses <literal>default</literal> then whether or not the packet will be allowed is determined by the egress zone.
++                </para>
++                <para>
++                  For a forwarded packet that ingresses zoneA and egresses zoneB:
++                </para>
++                <itemizedlist>
++                <listitem>
++                <para>if zoneA's <replaceable>target</replaceable> is <literal>ACCEPT</literal>, <literal>DROP</literal>, or <literal>REJECT</literal> then the packet is accepted, dropped, or rejected respectively.</para>
++                </listitem>
++                <listitem>
++                <para>if zoneA's <replaceable>target</replaceable> is <literal>default</literal>, then the packet is accepted, dropped, or rejected based on zoneB's <replaceable>target</replaceable>. If zoneB's <replaceable>target</replaceable> is also <literal>default</literal>, then the packet will be rejected by firewalld's catchall reject.</para>
++                </listitem>
++                </itemizedlist>
++                </listitem>
++
++                <listitem><para>Zone drifting from source-based zone to interface-based zone</para>
++                <para>
++                  This only applies if <option>AllowZoneDrifting</option> is enabled. See <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
++                </para>
++                <para>
++                  If a packet ingresses a source-based zone with a <replaceable>target</replaceable> of <literal>default</literal>, it may still enter an interface-based zone (including the default zone).
++                </para>
++                </listitem>
++              </orderedlist>
+             </para>
+           </listitem>
+ 	</varlistentry>
+-- 
+1.8.3.1
+
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index 5817730..5ef97ad 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@@ -8,7 +8,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.6.3
-Release: 12%{?dist}
+Release: 13%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -169,6 +169,7 @@ Patch155: 0155-feat-service-add-RH-Satellite-6-Capsule.patch
 Patch156: 0156-test-service-coverage-for-RH-Satellite-6.patch
 Patch157: 0157-fix-policy-cache-rule_str-for-rich-rules.patch
 Patch158: 0158-test-zone-rich-rule-parsing-bottleneck.patch
+Patch159: 0159-doc-clarify-set-target-values-default-vs-reject.patch
 
 BuildArch: noarch
 BuildRequires: desktop-file-utils
@@ -470,6 +471,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Thu Apr 15 2021 Eric Garver <egarver@redhat.com> - 0.6.3-13
+- doc: clarify --set-target values "default" vs "reject"
+
 * Tue Sep 08 2020 Eric Garver <egarver@redhat.com> - 0.6.3-12
 - fix(zone): cache rule_str for rich rules