diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 01a69d59a..41e20f71c 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1646,15 +1646,21 @@ setup_ipsec() {
 for option in $opts; do
 case $option in
- strict) newoptions="$newoptions --strict" ;;
- next) newoptions="$newoptions --next" ;;
- reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
- spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
- proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
- mode=*) newoptions="$newoptions --mode ${option#*=}" ;;
- tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;;
- tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;;
- *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
+ strict) newoptions="$newoptions --strict" ;;
+ next) newoptions="$newoptions --next" ;;
+ reqid=*) newoptions="$newoptions --reqid ${option#*=}" ;;
+ spi=*) newoptions="$newoptions --spi ${option#*=}" ;;
+ proto=*) newoptions="$newoptions --proto ${option#*=}" ;;
+ mode=*) newoptions="$newoptions --mode ${option#*=}" ;;
+ tunnel-src=*) newoptions="$newoptions --tunnel-src ${option#*=}" ;;
+ tunnel-dst=*) newoptions="$newoptions --tunnel-dst ${option#*=}" ;;
+ reqid!=*) newoptions="$newoptions ! --reqid ${option#*=}" ;;
+ spi!=*) newoptions="$newoptions ! --spi ${option#*=}" ;;
+ proto!=*) newoptions="$newoptions ! --proto ${option#*=}" ;;
+ mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;;
+ tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
+ tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
+ *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
 esac
 done
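Review bot: An option given with an empty value, such as `proto!=` or `proto=`, still matches the `proto!=*` / `proto=*` arms in this hunk and in the setup_masq hunk, so `${option#*=}` expands to nothing and the generated argument list becomes a bare `! --proto`; that presumably fails only when the resulting iptables command is executed rather than as a fatal_error while the configuration is being compiled. Placing `*=) fatal_error "Invalid option \"$option\" for zone $zone" ;;` as the first arm of this case (and the analogous arm in setup_masq) rejects the empty value before the value-carrying patterns can match, since `*=` covers both the `name=` and `name!=` spellings. The same twelve-arm table now appears verbatim in both functions, which invites drift the next time a policy-match option is added; it may be worth factoring into one helper that maps an IPSEC option to its policy-match arguments, though the bodies of both functions extend outside these hunks. The trailing context lines of this hunk appear to have been lost in collapsing, so the end of the enclosing loop is not fully visible here.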
@@ -4577,6 +4583,12 @@ setup_masq()
 mode=*) policy="$policy --mode ${option#*=}" ;;
 tunnel-src=*) policy="$policy --tunnel-src ${option#*=}" ;;
 tunnel-dst=*) policy="$policy --tunnel-dst ${option#*=}" ;;
+ reqid!=*) policy="$policy ! --reqid ${option#*=}" ;;
+ spi!=*) policy="$policy ! --spi ${option#*=}" ;;
+ proto!=*) policy="$policy ! --proto ${option#*=}" ;;
+ mode!=*) policy="$policy ! --mode ${option#*=}" ;;
+ tunnel-src!=*) policy="$policy ! --tunnel-src ${option#*=}" ;;
+ tunnel-dst!=*) policy="$policy ! --tunnel-dst ${option#*=}" ;;
 *) fatal_error "Invalid IPSEC option \"$option\"" ;;
 esac
 done
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 38c7fefba..3ca33d838 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -327,18 +327,29 @@ New Features: The available options are: - reqid= where is specified using setkey(8) using + reqid[!]= where is specified using setkey(8) using the 'unique:' option for the SPD level. - spi= where is the SPI of the SA. + spi[!]= where is the SPI of the SA. Since + different SAs are used to encrypt and decrypt traffic, this + option should only be listed in the IN OPTIONS and OUT OPTIONS + columns. - proto=ah|esp|ipcomp + proto[!]=ah|esp|ipcomp - mode=transport|tunnel + mode[!]=transport|tunnel - tunnel-src=
[/] (only available with mode=tunnel) + tunnel-src[!]=
[/] (only available with mode=tunnel) - tunnel-dst=
[/] (only available with mode=tunnel) + tunnel-dst[!]=
[/] (only available with + mode=tunnel). Because tunnel source and destination are + dependent on the direction of the traffic, these options + should only appear in the IN OPTIONS and OUT OPTIONS columns. + + strict (if specified, packets must match all policies; + polcies are delimited by 'next'). + + next (only available with strict) Examples: