VPN site-to-site multiple subnets

It shouldn’t be. This just says that matching of headers of packets to traffic selectors of policies is now done in the order of policies from the topmost one to the bottommost one, allowing you to create exceptions like

action=none src-address=192.168.1.0/24 dst-address=192.168.1.0/24 …
action=encrypt src-address=192.168.0.0/16 dst-address=192.168.22.0/24 sa-dst-address=peerA …
action=encrypt src-address=192.168.0.0/16 dst-address=192.168.0.0/16 sa-dst-address=peerB …

I.e.

  • traffic within 192.168.1.0/24 (for example a local one) is ignored by IPsec (action=none)
  • traffic from anywhere in 192.168.0.0/16 to 192.168.22.0/24 is sent to remote peer A
  • the rest of traffic from anywhere in 192.168.0.0/16 to anywhere in 192.168.0.0/16 is sent to remote peer B

Before that change, such exceptions were impossible, so you would have to compose tens of policies to fill the gaps around 192.168.1.0/24 and 192.168.22.0/24 to functionally substitute the last policy above.
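As an added illustration (not RouterOS code and not the poster's), the following models the top-to-bottom first-match policy selection described above on the three policies from the post, and also counts how many non-overlapping dst selectors the last policy would have to be split into without ordered matching. The policy table, the `select_policy` and `gap_filling_selectors` names and the sample packets are assumptions made for this example.

```python
import ipaddress

# Constructed policy table, in the order given in the post (top to bottom).
# Only the selectors the post discusses are modelled: src, dst, action, peer.
POLICIES = [
    {"action": "none",    "src": "192.168.1.0/24", "dst": "192.168.1.0/24",  "peer": None},
    {"action": "encrypt", "src": "192.168.0.0/16", "dst": "192.168.22.0/24", "peer": "peerA"},
    {"action": "encrypt", "src": "192.168.0.0/16", "dst": "192.168.0.0/16",  "peer": "peerB"},
]


def select_policy(src_ip, dst_ip, policies=POLICIES):
    """Return the first policy (topmost wins) whose selectors match, else None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for policy in policies:
        if src in ipaddress.ip_network(policy["src"]) and dst in ipaddress.ip_network(policy["dst"]):
            return policy
    return None  # no policy matched: IPsec does not touch the packet


def gap_filling_selectors(whole, exceptions):
    """Split `whole` into the non-overlapping networks that remain after
    removing each exception, i.e. the selectors a catch-all policy would
    have to be broken into when exceptions cannot be expressed by ordering."""
    remaining = [ipaddress.ip_network(whole)]
    for exc in exceptions:
        exc = ipaddress.ip_network(exc)
        kept = []
        for net in remaining:
            if net.subnet_of(exc):
                continue  # fully covered by the exception: drop it
            if exc.subnet_of(net):
                kept.extend(net.address_exclude(exc))  # carve the hole out
            else:
                kept.append(net)  # disjoint: keep as-is
        remaining = kept
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed sample packets matching the three bullets in the post.
    for src, dst in [("192.168.1.10", "192.168.1.20"), ("192.168.5.10", "192.168.22.7"),
                     ("192.168.5.10", "192.168.9.1"), ("192.168.1.10", "192.168.40.1")]:
        print(src, "->", dst, select_policy(src, dst))
    gaps = gap_filling_selectors("192.168.0.0/16", ["192.168.1.0/24", "192.168.22.0/24"])
    print(len(gaps), "dst selectors needed for the peerB policy without ordering")
```

Note that the action=none policy only covers traffic whose source and destination are both inside 192.168.1.0/24; a packet from 192.168.1.0/24 to another subnet falls through to the peer A or peer B policy, and the src side of the old scheme would need its own split on top of the dst count printed here.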