From cfa09dce228c9ac8f701c0307e471469cb48ad98 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Mon, 1 Mar 2010 08:32:37 -0800
Subject: [PATCH] Avoid multiple policy matches with OPTIMIZE=7 and not
 KLUDGEFREE

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 1956aa058..2c2794df4 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1598,7 +1598,7 @@ sub optimize_ruleset() {
 			    #
 			    # Not so easy -- the rule contains matches
 			    #
-			    if ( $chainref->{builtin} ) {
+			    if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain for
 				# now.