diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index d0b5280b7..817a7d4ea 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -162,6 +162,7 @@ our @EXPORT = qw(
 
 		 have_capability
 		 require_capability
+		 require_mangle_capability
 		 report_used_capabilities
 		 kernel_version
 
@@ -804,7 +805,7 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$$) {
+sub initialize($;$$$) {
     ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
@@ -5267,6 +5268,16 @@ sub require_capability( $$$ ) {
     fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1;
 }
 
+sub require_mangle_capability( $$$ ) {
+    my ( $capability, $description, $singular ) = @_;
+
+    if ( $config{MANGLE_ENABLED} ) {
+	&require_capability( @_ );
+    } else {
+	fatal_error "$description " . ( $singular ?  'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{product}.conf";
+    }
+}
+
 #
 # Return Kernel Version
 #
@@ -6611,6 +6622,7 @@ sub get_configuration( $$$ ) {
     if ( supplied $config{ACCOUNTING_TABLE} ) {
 	my $value = $config{ACCOUNTING_TABLE};
 	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
+	fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED};
     } else {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
@@ -6686,7 +6698,7 @@ sub get_configuration( $$$ ) {
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 
-    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
+    require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
     numeric_option 'TC_BITS'         , 8, 0;
     numeric_option 'MASK_BITS'       , 8, 0;
@@ -6930,7 +6942,7 @@ sub get_configuration( $$$ ) {
 
     if ( $config{TC_ENABLED} ) {
 	fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
-	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
+	require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
     }
 
     if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
@@ -7013,9 +7025,10 @@ sub get_configuration( $$$ ) {
     }
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's'                 ) if $config{MACLIST_TTL};
+
+    require_mangle_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_mangle_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
     if ( $config{WARNOLDCAPVERSION} ) {
 	if ( $capabilities{CAPVERSION} ) {
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 55ed6ba53..7c995cf2e 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -97,7 +97,7 @@ sub setup_ecn()
     if ( my $fn = open_file 'ecn' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
 
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 903abf579..9380e9c8e 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -594,7 +594,7 @@ sub process_a_provider( $ ) {
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
-		require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
+		require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
 		$track = 1;
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
@@ -714,7 +714,7 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
+	require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index a0303bf70..53399d1ba 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2455,7 +2455,7 @@ sub setup_tc( $ ) {
 		}
 	    }
 	} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-	    warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file";
+	    warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file";
 	}
 
 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {