From 1e11109bb2c005bae8337e461b28cbc108ae0952 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 16 Aug 2012 08:34:30 -0700
Subject: [PATCH] Don't combine rules with '-m policy'

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 Shorewall/Perl/Shorewall/Misc.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 0eb00962b..0412c6da6 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -951,7 +951,7 @@ sub compatible( $$ ) {
 }
 }
-return 1;
+return ! ( $ref1->{policy} && $ref2->{policy} );
 }
 #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 487aab3c0..2d9d7d9f1 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1536,7 +1536,7 @@ sub handle_complex_zone( $$ ) {
 if ( have_ipsec ) {
 #
-# Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
+# In general, policy match can only match an 'in' or an 'out' policy (but not both), so we place the
 # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 #
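Review bot: The new `return` at the end of `compatible()` in Chains.pm now refuses to merge two rules that both carry a `policy` entry, but the line itself gives no reason, and a reader of this function will not see the Misc.pm comment that explains why a merged rule would be wrong. I would add a why-comment directly above it: `# Never merge two rules that both carry '-m policy': the match tests only one direction (in or out), so a combined rule could steer decrypted traffic down the wrong chain`. This assumes the rule hashes set the `policy` key exactly when a `-m policy` match is present; if that key is set in other cases too, the comment (and the check) should say which. The body of `compatible()` begins outside the hunk, so the earlier checks and the meaning of `$ref1`/`$ref2` cannot be confirmed from here.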