diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index a6ac3bb16..712c495c5 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -44,3 +44,5 @@ Changes since 2.0.3
 20) No longer enforce source port 500 for ISAKMP.

 21) Apply policy to interface/host options.
+
+22) Fix policy and maclist.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 26f0552f0..aee27f959 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1828,14 +1828,14 @@ setup_mac_lists() {
 # Generate jumps from the input and forward chains
 #
 for hosts in $maclist_hosts; do
- ipsec=${hosst%^*}
+ ipsec=${hosts%^*}
 hosts=${hosts#*^}
 [ -n $POLICY_MATCH ] && policy="-m policy --pol $ipsec --dir in" || policy=
 interface=${hosts%%:*}
 hosts=${hosts#*:}
 for chain in $(first_chains $interface) ; do
 run_iptables -A $chain $(match_source_hosts $hosts) -m state --state NEW \
- -j $(mac_chain $interface)
+ $policy -j $(mac_chain $interface)
 done
 done
 }
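Review bot: The test `[ -n $POLICY_MATCH ]`, two lines below the corrected `ipsec=` assignment in the Shorewall2/firewall hunk, is unquoted, so when POLICY_MATCH is empty it collapses to `[ -n ]`, which is true, and `policy` always receives the `-m policy --pol $ipsec --dir in` string. That was harmless while `$policy` was never used, but this change now places `$policy` in the `run_iptables -A $chain` rule, so on a system without the policy match the maclist jump would presumably be rejected by iptables and MAC verification would not be installed for that interface. Quote the operand: `[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=`. setup_mac_lists begins outside the hunk, so how POLICY_MATCH is set is not visible here.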