2 files changed, 4 insertions, 4 deletions

diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
index a43af6c..db9f979 100755
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ b/roles/common/files/etc/network/if-up.d/ipsec
@@ -42,8 +42,8 @@ case "$MODE" in
            # been SNAT'ed from $ipsec, and didn't have a xfrm
            # association.  Hence we nullroute it to avoid to leak data
            # intented to be tunneled through IPSec.  /!\ The priority
-           # must be >220 (strongSwan IPSec's policy) since xfrm lookup
-           # must take precedence.
+           # must be >220 (which the one used by strongSwan IPSec) since
+           # xfrm lookup must take precedence.
            /bin/ip rule  add fwmark "$secmark" table 666 priority 666 || true
            /bin/ip route add prohibit default  table 666              || true
     ;;
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 1c57646..2e16711 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -34,7 +34,7 @@ secmark=0xA99   # must match that in /etc/network/if-up.d/ipsec
 secproto=esp    # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp)
 
 fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S'
-IPSec_re=" -m policy --dir (in|out) --pol ipsec .* --proto $secproto -j ACCEPT$"
+IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$"
 declare -A rss=() tables=()
 
 usage() {
@@ -193,7 +193,7 @@ run() {
         grep -E -- "$fail2ban_re"       "$old" || true
     fi >> "$new"
 
-    if [ -n "$ifsec" ]; then
+    if [ -n "$ipsec" ]; then
         # (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6.
         grep -E -- "$IPSec_re" "$old" >> "$new" || true