diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 130246972..a083ee16b 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -3745,10 +3745,12 @@ sub do_condition( $ ) { return '' if $condition eq '-'; + my $invert = $condition =~ s/^!// ? '! ' : ''; + require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's'; fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/; - "-m condition --condition $condition " + "-m condition ${invert}--condition $condition " } # diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 32527514a..c3bfabf86 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -2674,7 +2674,7 @@ sub Account_Target() { } sub Condition_Match() { - qt1( "$iptables -m condition --condition foo" ); + qt1( "$iptables -A $sillyname -m condition --condition foo" ); } sub Audit_Target() { diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index fee53ca9d..cc4a94b92 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2087,8 +2087,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), - do_user $user , - do_test( $mark , $globals{TC_MASK} ) ); + do_user $user, + do_test( $mark , $globals{TC_MASK} ), + do_condition( $condition ) + ); $loglevel = ''; $dest = $server; $action = 'ACCEPT';
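Review bot: In do_condition the leading `!` is stripped before the name check, so the `fatal_error` message reports the stripped value rather than what the user wrote: a SWITCH entry of `!9x` is reported as `Invalid switch name (9x)`. The order itself is right, since `$invert` is a constant and the check still covers the only user-supplied text that reaches the generated rule. Saving the original first, `my $original = $condition;`, and reporting `($original)` would make the error easier to trace back to the config line. The existing pattern ends in `$`, which in Perl also matches before a trailing newline; `\z` is the stricter anchor if a newline could ever reach this value, which is not visible from the hunk. A short comment above the new statement, such as `# A leading '!' inverts the switch test`, would help; the start of the function is outside the hunk.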
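Review bot: The Condition_Match probe now appends a real rule to the `$sillyname` chain, and nothing in the hunk records why the command form changed or where that rule is removed again. A one-line comment above the `qt1` call would cover the first part, for example `# the match is only exercised when a rule is actually added`. Whether `$sillyname` is flushed and deleted once detection finishes is not visible here and should be confirmed against the surrounding detection code, since the probe runs against the live ruleset.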
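Review bot: `do_user $user,` is still called without parentheses in the middle of the `join` list, which parses as a one-argument call only if do_user is declared with a `($)` prototype; that declaration is outside the hunk. Since the line is being touched anyway, `do_user( $user ),` would match the neighbouring `do_test( ... )` and `do_condition( $condition )` calls and would not swallow the rest of the list if the prototype ever changes. It is also worth confirming that every other place in process_rule1 that builds a filter rule passes the SWITCH column through do_condition, because a rule built without it applies regardless of the switch state; only this one site is visible here.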