diff --git a/lib/puppet/type/firewall.rb b/lib/puppet/type/firewall.rb
index de9276026..f757c5bbe 100644
--- a/lib/puppet/type/firewall.rb
+++ b/lib/puppet/type/firewall.rb
@@ -1461,7 +1461,7 @@
     hashlimit_dstmask: {
       type: 'Optional[Integer[0,32]]',
       desc: <<-DESC
-      When --hashlimit-mode srcip is used, all destination addresses encountered will be grouped according to the given prefix length
+      When --hashlimit-mode dstip is used, all destination addresses encountered will be grouped according to the given prefix length
       and the so-created subnet will be subject to hashlimit.
       Prefix must be between (inclusive) 0 and 32.
       Note that --hashlimit-dstmask 0 is basically doing the same thing as not specifying srcip for --hashlimit-mode, but is technically more expensive.