From 6f114931bfd35e094a8e4430bf41c05497a2b019 Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 20 Mar 2007 14:15:11 +0000 Subject: [PATCH] Don't use policy match if there are no IPSEC zones or host groups git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5595 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- New/Shorewall/Hosts.pm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/New/Shorewall/Hosts.pm b/New/Shorewall/Hosts.pm index 6faeeb67d..0899c313e 100644 --- a/New/Shorewall/Hosts.pm +++ b/New/Shorewall/Hosts.pm @@ -50,6 +50,8 @@ sub validate_hosts_file() tcpflags => 1, ); + my $ipsec = 0; + open HOSTS, "$ENV{TMP_DIR}/hosts" or fatal_error "Unable to open stripped hosts file: $!"; while ( $line = ) { @@ -89,6 +91,7 @@ sub validate_hosts_file() if ( $option eq 'ipsec' ) { $type = 'ipsec'; $zoneref->{options}{complex} = 1; + $ipsec = 1; } elsif ( $validoptions{$option}) { $options{$option} = 1; } else { @@ -107,6 +110,8 @@ sub validate_hosts_file() } close HOSTS; + + $capabilities{POLICY_MATCH} = '' unless $ipsec or $zones{ipsec}; } # # Returns a reference to a array of host entries. Each entry is a
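Review bot: The context line `open HOSTS, "$ENV{TMP_DIR}/hosts" or fatal_error ...` in the first hunk uses two-argument open on a path that begins with an environment variable, so the open mode is taken from whatever TMP_DIR holds instead of being fixed to read. Since this function is being edited anyway, the three-argument form pins the mode: `open HOSTS, '<', "$ENV{TMP_DIR}/hosts" or fatal_error "Unable to open stripped hosts file: $!";`. How TMP_DIR is set is not visible in this patch, so treat this as hardening, not a confirmed flaw. validate_hosts_file starts before this hunk and continues past it.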
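Review bot: `$zones{ipsec}` in the added `unless` of the third hunk appears to test for a zone whose name is literally `ipsec`, which is not the same as the "no IPSEC zones" condition in the commit subject. The second hunk treats zone entries as hash refs (`$zoneref->{options}{complex}`), which suggests %zones is keyed by zone name. If so, an IPSEC-type zone defined under any other name, with no `ipsec` host option, would clear POLICY_MATCH. The generated ruleset would then presumably lose the policy matches that separate IPsec traffic from cleartext traffic. Consider testing the zone type over all zones, e.g. `$capabilities{POLICY_MATCH} = '' unless $ipsec or grep { is_ipsec_zone($_) } values %zones;`, where `is_ipsec_zone` is a placeholder for the real zone-type test, and add a comment that this validator mutates the global %capabilities and must run after the zones are loaded.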