diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 57316391f..30b3f928c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -951,7 +951,7 @@ sub compatible( $$ ) {
         }
     }
-    return 1;
+    return ! ( $ref1->{policy} && $ref2->{policy} );
 }
 #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 487aab3c0..2d9d7d9f1 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1536,7 +1536,7 @@ sub handle_complex_zone( $$ ) {
     if ( have_ipsec ) {
 	#
-	# Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
+	# In general, policy match can only match an 'in' or an 'out' policy (but not both), so we place the
 	# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	#
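Review bot: The new `return ! ( $ref1->{policy} && $ref2->{policy} );` at the end of compatible() gives no reason why two chains that both carry a `policy` entry are now declared incompatible, and since the sub's header and its earlier checks lie outside the hunk a reader of this tail cannot tell whether the concern is the policy action, its logging, or the zone pair it belongs to. I would add, directly above the return, `# Two policy chains are never treated as compatible, even when their rule sets match; presumably each zone pair must keep its own policy chain (confirm against the chain optimizer that calls this).` Note also that `!` returns Perl's empty-string false rather than a numeric 0; if the earlier exits in this sub return 0 (not visible here), `return ( $ref1->{policy} && $ref2->{policy} ) ? 0 : 1;` would keep the return values uniform, though callers that only test truth are unaffected.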
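Review bot: "In general" on the rewritten comment line in handle_complex_zone() is vague for a statement that justifies the ordering of the forwarding-chain rules; the constraint the rest of the comment relies on is that one policy-match rule tests a single direction, so say that directly. I would replace the new line with `# A policy match tests a single direction ('--dir in' or '--dir out'), never both, so we place the`. If the KLUDGEFREE-dependent branch the old wording referred to still exists further down in this sub (outside the hunk), it would also be worth stating that the ordering is required regardless of that capability, so the next reader does not reintroduce the qualifier.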