From f860cd037daf3208166e837369c487733c971f5a Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 24 Apr 2012 13:34:56 -0700
Subject: [PATCH] Change a comment in generate_matrix() to acknowledge
 'KLUDGEFREE'

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Misc.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 186b9fc5c..1714c46ac 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1491,7 +1491,7 @@ sub generate_matrix() {
 
 	if ( have_ipsec ) {
 	    #
-	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
 	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	    #