diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 565d3a2e1..37d231ef5 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -775,9 +775,9 @@ sub do_proto( $$$ )
     $sports = '' if $sports eq '-';
 
     if ( $proto ) {
-	if ( $proto =~ /^((tcp|6)((:syn)?))|(udp|17)$/ ) {
+	if ( $proto =~ /^(((tcp|6)((:syn)?))|(udp|17))$/ ) {
 
-	    if ( $3 ) {
+	    if ( $4 ) {
 		$output = '-p 6 --syn ';
 	    } else {
 		$proto   = $protocols{$proto} if defined $protocols{$proto};
@@ -817,7 +817,7 @@ sub do_proto( $$$ )
 	    }
 
 	    fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
-	} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
+	} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
 	    require_capability( 'IPP2P_MATCH' , 'PROTO = ipp2p' );
 	    $proto = $2 ? $3 : 'tcp';
 	    $ports = 'ipp2p' unless $ports;
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 0be1455da..947855095 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -499,7 +499,7 @@ my %validlevels = ( debug   => 7,
 		    ULOG    => 'ULOG' );
 
 #
-# Validate a log level
+# Validate a log level -- Drop the trailing '!' that some fools think is important.
 #
 sub validate_level( $ ) {
     my $level = $_[0];