diff --git a/Shorewall/compiler b/Shorewall/compiler index 239a303cc..5b15a9ffa 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -123,11 +123,13 @@ do_iptables() { # Generate an IPTABLES command. Include hacks to work around iptables limitations # run_iptables() { - # - # Purge the temporary files that we use to prevent duplicate '-m' specifications - # - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + if [ -z "$KLUDGEFREE" ]; then + # + # Purge the temporary files that we use to prevent duplicate '-m' specifications + # + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + fi save_command "$IPTABLES_COMMAND $@" @@ -137,8 +139,10 @@ run_iptables() { # Version of 'run_iptables' that inserts white space after "!" in the arg list # run_iptables2() { - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + if [ -z "$KLUDGEFREE" ]; then + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + fi save_command run_iptables $(fix_bang $@) } 
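Review bot: The new `if [ -z "$KLUDGEFREE" ]; then … fi` purge block is pasted verbatim into run_iptables and run_iptables2 here and into qt_iptables, do_initialize and activate_rules further down, so the next change to the marker-file logic has five places to go wrong; one helper called from each would keep them in step. The `[ -f … ]` test in front of `rm -f` is also redundant, since `rm -f` is silent on a missing file. Proposed helper below, with each caller's five lines replaced by a single `purge_match_markers`; the comment on what the marker files do is inferred from physdev_echo/iprange_echo, which drop the leading `-m` while the file exists.

```shell
# Remove the physdev/iprange marker files whose presence makes
# physdev_echo/iprange_echo omit the leading "-m <match>". Not needed
# when iptables accepts a repeated match in one rule (KLUDGEFREE=Yes).
purge_match_markers() {
    if [ -z "$KLUDGEFREE" ]; then
        [ -n "$BRIDGING" ] && rm -f $TMP_DIR/physdev
        [ -n "$IPRANGE_MATCH" ] && rm -f $TMP_DIR/iprange
    fi
}

run_iptables() {
    purge_match_markers
    # … unchanged: save_command "$IPTABLES_COMMAND $@" …
}
```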
@@ -147,11 +151,13 @@ run_iptables2() { # Generate command to quietly run iptables # qt_iptables() { - # - # Purge the temporary files that we use to prevent duplicate '-m' specifications - # - [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev - [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + if [ -z "$KLUDGEFREE" ]; then + # + # Purge the temporary files that we use to prevent duplicate '-m' specifications + # + [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev + [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange + fi save_command qt \$IPTABLES $@ } @@ -670,7 +676,9 @@ first_chains() #$1 = interface # iprange_echo() { - if [ -f $TMP_DIR/iprange ]; then + if [ -n "$KLUDGEFREE" ]; then + echo "-m iprange $@" + elif [ -f $TMP_DIR/iprange ]; then echo $@ else echo "-m iprange $@" @@ -714,7 +722,9 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst # physdev_echo() { - if [ -f $TMP_DIR/physdev ]; then + if [ -n "$KLUDGEFREE" ]; then + echo -m physdev $@ + elif [ -f $TMP_DIR/physdev ]; then echo $@ else echo -m physdev $@ @@ -7854,7 +7864,7 @@ activate_rules() if havenatchain $destchain ; then run_iptables2 -t nat -A $sourcechain $@ -j $destchain - else + elif [ -z "$KLUDGEFREE" ]; then [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange fi @@ -7874,7 +7884,7 @@ activate_rules() eval run_iptables2 -t nat -I $sourcechain \ \$${sourcechain}_rule $@ -j $destchain eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) - else + elif [ -z "$KLUDGEFREE" ]; then [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange 
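Review bot: The context line `[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev` in the first activate_rules hunk reads `-rm` where the corresponding line in the second hunk reads `rm -f`; if that is really in the file and not an artifact of this rendering, the physdev marker is never removed on the no-NAT-chain path (the shell reports the command as not found and carries on), and the next physdev_echo would then emit its options without a preceding `-m physdev`, which iptables would presumably reject at load time. Because this commit now guards that line behind `elif [ -z "$KLUDGEFREE" ]; then`, the path is only taken on iptables builds without repeat-match support, which makes the typo easy to miss in testing; worth fixing to `rm -f` in passing. While there, `[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ]` avoids the deprecated `-a` form that the run_iptables variant already does without. Both activate_rules hunks are fragments; the function begins and ends outside them.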
@@ -9217,8 +9227,10 @@ do_initialize() { fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" fi - rm -f $TMP_DIR/physdev - rm -f $TMP_DIR/iprange + if [ -z "$KLUDGEFREE" ]; then + rm -f $TMP_DIR/physdev + rm -f $TMP_DIR/iprange + fi qt mywhich awk && HAVEAWK=Yes || HAVEAWK= } diff --git a/Shorewall/functions b/Shorewall/functions index 5b6db1298..e630cb71d 100644 --- a/Shorewall/functions +++ b/Shorewall/functions @@ -1137,14 +1137,26 @@ determine_capabilities() { CLASSIFY_TARGET= ENHANCED_REJECT= USEPKTTYPE= + KLUDGEFREE= qt $IPTABLES -N fooX1234 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes - qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes - qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes + + if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then + PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes + fi + + if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then + IPRANGE_MATCH=Yes + if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then + qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes + fi + fi + qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes 
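Review bot: The iprange repeat-match probe only runs when `${KLUDGEFREE}${PHYSDEV_MATCH}` is empty, so a physdev-specific failure of the `-m physdev --physdev-in eth1 -m physdev --physdev-out eth1` probe (say, a kernel that objects to `--physdev-out` in that chain while still accepting a repeated match) leaves KLUDGEFREE unset even though the iprange probe could have confirmed it. That is a safe failure, since the compiler then just keeps the marker-file path, but `if [ -z "$KLUDGEFREE" ]; then` would make detection independent of which match happens to be present at the cost of at most one extra probe. Whichever condition is kept, KLUDGEFREE deserves a comment where it is initialised, because nothing in this function says what it stands for; e.g. `# KLUDGEFREE=Yes: iptables accepts the same match module (-m physdev, -m iprange) more than once in a rule, so the compiler need not track repeats via temp files`. determine_capabilities starts before and ends after this hunk, and the cleanup of the fooX1234 probe chain is outside it.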
@@ -1209,6 +1221,7 @@ report_capabilities() { report_capability "IPP2P Match" $IPP2P_MATCH report_capability "CLASSIFY Target" $CLASSIFY_TARGET report_capability "Extended REJECT" $ENHANCED_REJECT + report_capability "Repeat match" $KLUDGEFREE fi [ -n "$PKTTYPE" ] || USEPKTTYPE= diff --git a/Shorewall/shorecap b/Shorewall/shorecap index 6196ff5b9..84cf49a6e 100755 --- a/Shorewall/shorecap +++ b/Shorewall/shorecap @@ -233,14 +233,26 @@ determine_capabilities() { CLASSIFY_TARGET= ENHANCED_REJECT= USEPKTTYPE= + KLUDGEFREE= qt $IPTABLES -N fooX1234 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes - qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes - qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes + + if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then + PHYSDEV_MATCH=Yes + qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes + fi + + if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then + IPRANGE_MATCH=Yes + if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then + qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes + fi + fi + qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes 
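Review bot: The KLUDGEFREE probe added to shorecap's determine_capabilities is a byte-for-byte copy of the block added to Shorewall/functions in this same commit, and nothing ties the two together, so a later fix to one probe (for instance the iprange fallback condition) can silently leave the capabilities file that shorecap writes disagreeing with what the compiler would detect locally. If shorecap cannot share the code, a marker in both copies, `# keep in sync with determine_capabilities in Shorewall/functions`, at least points the next editor at the twin. It is also worth a one-line note that a capabilities file produced by an older shorecap simply lacks KLUDGEFREE, which the compiler treats as "not supported" and handles via the marker-file path — that appears to be the intended degradation, but it is inferred rather than stated anywhere in the hunk. determine_capabilities begins and ends outside this hunk.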
@@ -307,6 +319,7 @@ report_capabilities() { report_capability IPP2P_MATCH report_capability CLASSIFY_TARGET report_capability ENHANCED_REJECT + report_capability KLUDGEFREE } load_kernel_modules