diff --git a/Shorewall-common/lib.dynamiczones b/Shorewall-common/lib.dynamiczones
index a46b0cf90..92a0872f6 100644
--- a/Shorewall-common/lib.dynamiczones
+++ b/Shorewall-common/lib.dynamiczones
@@ -187,6 +187,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone
 for h in $dest_hosts; do
 iface=${h%%:*}
+ iface=${iface#+}
 hosts=${h#*:}
 if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
@@ -206,6 +207,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone
 for h in $source_hosts; do
 iface=${h%%:*}
+ iface=${iface#+}
 hosts=${h#*:}
 if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
@@ -374,6 +376,7 @@ delete_from_zone() # $1 = [:] $2 = zone
 for h in $dest_hosts; do
 iface=${h%%:*}
+ iface=${iface#+}
 hosts=${h#*:}
 if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
@@ -390,6 +393,7 @@ delete_from_zone() # $1 = [:] $2 = zone
 for h in $source_hosts; do
 iface=${h%%:*}
+ iface=${iface#+}
 hosts=${h#*:}
 if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 19651e306..7136d205b 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
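Review bot: The added `iface=${iface#+}` strips a leading `+` from the interface half of each `$h` entry, but nothing says what that prefix denotes or why the stored entries can carry it while the `$interface` argument they are compared against is left untouched; the identical line appears in the other three hunks of this file (the `$source_hosts` loop of `add_to_zone` and both loops of `delete_from_zone`). If `$interface` could itself arrive with the prefix, the `!=` test would still miss, so either normalise `$interface` once before the loops or state the invariant where the entries are built. I would annotate the new line, e.g. `iface=${iface#+}   # drop the leading '+' marker on stored entries so the bare interface name is compared (confirm where the marker originates)`. The enclosing `add_to_zone` body starts and ends outside the hunk.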
@@ -1420,25 +1420,25 @@ sub generate_matrix() {
 add_rule $in_ref , "-i $interface -s $net -j RETURN";
 add_rule $out_ref , "-i $interface -s $net -j RETURN";
 }
+ }
- if ( $capabilities{POLICY_MATCH} ) {
- my $type = $zoneref->{type};
- my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
+ if ( $capabilities{POLICY_MATCH} ) {
+ my $type = $zoneref->{type};
+ my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
- if ( $config{DYNAMIC_ZONES} ) {
- no warnings;
- create_zone_dyn_chain $zone, $frwd_ref if (%$source_ref || $type ne 'ipsec4' );
- }
+ if ( $config{DYNAMIC_ZONES} ) {
+ no warnings;
+ create_zone_dyn_chain $zone, $frwd_ref if (%$source_ref || $type eq 'ipsec4' );
+ }
- for my $interface ( keys %$source_ref ) {
- my $arrayref = $source_ref->{$interface};
- for my $hostref ( @{$arrayref} ) {
- my $ipsec_match = match_ipsec_in $zone , $hostref;
- for my $net ( @{$hostref->{hosts}} ) {
- add_rule
- $filter_table->{forward_chain $interface} ,
+ for my $interface ( keys %$source_ref ) {
+ my $arrayref = $source_ref->{$interface};
+ for my $hostref ( @{$arrayref} ) {
+ my $ipsec_match = match_ipsec_in $zone , $hostref;
+ for my $net ( @{$hostref->{hosts}} ) {
+ add_rule
+ $filter_table->{forward_chain $interface} ,
 join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" );
- }
 }
 }
 }
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index 77a69c016..fc5287444 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
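Review bot: The two semantic changes in this hunk, the added `}` that moves the whole `POLICY_MATCH` block out of the block it previously sat inside, and `$type ne 'ipsec4'` becoming `$type eq 'ipsec4'` in the `create_zone_dyn_chain` guard, are buried under a re-indentation of roughly twenty otherwise identical lines, so the inversion is easy to miss in review and later in `git blame`. Separating the whitespace-only reindent from the logic fix, or at minimum recording the intent next to the guard, would help; e.g. `# ipsec4 zones always get a dynamic chain; other types only when ipsec hosts exist`. The blanket `no warnings;` just above it silences every warning category for the rest of that block rather than the single one the `%$source_ref` boolean test is presumably meant to quiet; restricting it to that category keeps the remaining diagnostics active. `generate_matrix` begins and ends outside the hunk.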
@@ -248,7 +248,7 @@ sub determine_zones()
 $in_options = '' if $in_options eq '-';
 $out_options = '' if $out_options eq '-';
- $zone_hash{in_out} = parse_zone_option_list( $options || '',$zoneref->{type} );
+ $zone_hash{in_out} = parse_zone_option_list( $options || '', $zoneref->{type} );
 $zone_hash{in} = parse_zone_option_list( $in_options || '', $zoneref->{type} );
 $zone_hash{out} = parse_zone_option_list( $out_options || '', $zoneref->{type} );
 $zone_hash{complex} = ($zoneref->{type} eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0);