diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 2609ddbb4..d6e6f6f10 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1830,13 +1830,15 @@ sub generate_matrix() {
 my $dest = match_dest_net $net;
 if ( $chain1 ) {
+ my $chain1ref = $filter_table->{$chain1};
 my $nextchain = dest_exclusion( $exclusions, $chain1 );
 my $outputref;
+ my $interfacechainref = $filter_table->{output_chain $interface};
 my $interfacematch = '';
 my $use_output = 0;
- if ( use_output_chain $interface || ( @{$filter_table->{output_chain $interface}->{rules}} && ! $filter_table->{$chain1} ) ) {
- $outputref = $filter_table->{output_chain $interface};
+ if ( use_output_chain $interface || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+ $outputref = $interfacechainref;
 add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 $use_output = 1;
 } else {
@@ -1849,7 +1851,7 @@ sub generate_matrix() {
 add_jump( $outputref , $nextchain, 0, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) ) if $hostref->{options}{broadcast};
- move_rules( $filter_table->{output_chain $interface} , $filter_table->{$chain1} ) unless $use_output;
+ move_rules( $interfacechainref , $chain1ref ) unless $use_output;
 }
 clearrule;
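Review bot: In the first hunk, the rewritten `if ( use_output_chain $interface || ( ... ) )` still calls `use_output_chain` without parentheses, so whether the `||` belongs to the condition or to the call's argument depends on that sub being declared with a `($)` prototype, which is not visible in this diff. If it were ever parsed as a list operator, `$interface || ( ... )` would become the argument and the rule-count test would silently never run, which would change the chain that the jump from `$filter_table->{OUTPUT}` targets. Since the line is being rewritten anyway, I would write it as `if ( use_output_chain( $interface ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {`; the same applies to `use_input_chain $interface || ...` in the hunk at -1884. The enclosing `if ( $chain1 )` block and `generate_matrix` itself continue outside the hunk.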
@@ -1884,12 +1886,14 @@ sub generate_matrix() {
 add_rule $raw_table->{PREROUTING}, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $parenthasnotrack;
 }
+ my $chain2ref = $filter_table->{$chain2};
 my $inputchainref;
+ my $interfacechainref = $filter_table->{input_chain $interface};
 my $interfacematch = '';
 my $use_input;
- if ( use_input_chain $interface || ! $chain2 || ( @{$filter_table->{input_chain $interface}->{rules}} && ! $filter_table->{$chain2} ) ) {
- $inputchainref = $filter_table->{input_chain $interface};
+ if ( use_input_chain $interface || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+ $inputchainref = $interfacechainref;
 add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 $use_input = 1;
 } else {
@@ -1899,7 +1903,7 @@ sub generate_matrix() {
 if ( $chain2 ) {
 add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match );
- move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless $use_input;
+ move_rules( $interfacechainref , $chain2ref ) unless $use_input;
 }
 if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
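Review bot: The new `my $chain2ref = $filter_table->{$chain2};` at the top of the hunk at -1884 runs before the `! $chain2` test, whereas the removed condition only reached `$filter_table->{$chain2}` after `! $chain2 ||` had failed to short-circuit. If `$chain2` can be undef at this point (its assignment is not visible in the hunk), the lookup now uses an undefined key, which emits an uninitialized-value warning when warnings are enabled and reads the empty-string key instead. I would guard the lookup, `my $chain2ref = $chain2 ? $filter_table->{$chain2} : undef;`, which leaves `! $chain2ref` and the later `move_rules( $interfacechainref , $chain2ref )` behaving as before. The surrounding loop body starts and ends outside the hunk.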