diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index ac4db1ec0..311673781 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -1631,6 +1631,28 @@ iptables: Invalid argument
/etc/shorewall/modules and modify the copy to
include only the modules that you need.
+
+
+ (FAQ 61) I just installed the latest Debian kernel and now
+ "shorewall start" fails with the message "ipt_policy: matchsize 116 !=
+ 308". What's wrong?
+
+ Answer: Your iptables is incompatible with your kernel. Either
+
+
+
+
+ rebuild iptables using the kernel headers that match your new
+ kernel; or
+
+
+
+ if you don't need policy match support (you are not using the
+ IPSEC implementation built into the 2.6 kernel) then you can rename
+ /lib/iptables/libipt_policy.so.
+
+
+
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index 5d6bbe4fa..90d11fdf0 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -339,7 +339,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
Remember that even though 'ping' packets were marked in one of
- the first two rules, they are still passed on to rule 3 (note that
+ the first two rules, they are still passed on to rule 5 (note that
packets marked by rules 3 and 4 are not processed by this rule since
it is in a different program). That rule moves the connection mark to
the packet mark, if the packet mark is still zero