diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm
index c70ce5b96..3563d4887 100644
--- a/New/Shorewall/Chains.pm
+++ b/New/Shorewall/Chains.pm
@@ -1243,6 +1243,7 @@ sub expand_rule( $$$$$$$$$$ ) $oexcl = $2; } else { $oexcl = ''; + $onets = $origdest; } unless ( $onets ) {
diff --git a/New/Shorewall/Providers.pm b/New/Shorewall/Providers.pm
index 1fd79262d..a900330b3 100644
--- a/New/Shorewall/Providers.pm
+++ b/New/Shorewall/Providers.pm
@@ -56,12 +56,15 @@ my %providers = ( 'local' => { number => LOCAL_NUMBER , mark => 0 } , my @providers; # -# Set up marking for 'tracked' interfaces. Unline in Shorewall 3.x, we add these rules inconditionally, even if the associated interface isn't up. +# Set up marking for 'tracked' interfaces. Unline in Shorewall 3.x, we add these rules unconditionally, even if the associated interface isn't up. # sub setup_route_marking() { my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFFFF' : '0xFF'; my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark'; + require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' ); + require_capability( 'CONNMARK' , 'the provider \'track\' option' ); + add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{OUTPUT} , " -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
@@ -145,8 +148,6 @@ sub setup_providers() { my ($table, $number, $mark, $duplicate, $interface, $gateway, $options, $copy) = @_; - fatal_error 'Providers require mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED}; - fatal_error "Duplicate provider ( $table )" if $providers{$table}; for my $provider ( keys %providers ) {
diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm
index 92e35605f..47a198a11 100644
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
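Review bot: The new else-branch assignment `$onets = $origdest;` needs a one-line comment, because from this hunk alone a reader cannot tell why the no-exclusion case is being handled here while the matching branch (which sets `$oexcl = $2` and presumably `$onets` from `$1`, outside the hunk) was already doing so. I would add `# No '!' exclusion in ORIGINAL DEST, so the whole column is the destination list` directly above the assignment. expand_rule starts and ends outside this hunk, so I cannot confirm what `$origdest` may still contain at this point (for instance whether a `-` placeholder has already been normalized away); the `unless ( $onets )` that follows covers the empty case but not a literal placeholder.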
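Review bot: The rewritten comment on the `+#` line still reads "Unline in Shorewall 3.x"; since the line is being replaced anyway it should become `# Set up marking for 'tracked' interfaces. Unlike in Shorewall 3.x, we add these rules unconditionally, even if the associated interface isn't up.`. The two `require_capability` calls sit before the first `add_rule`, so a kernel or iptables without connmark support fails at compile time with a message naming the 'track' option instead of producing a ruleset that fails at load time, which is the right order. `$mark_op` is computed in the visible lines but not used in them, and setup_route_marking continues past the hunk, so I cannot tell whether the `--or-mark` form selected under HIGH_ROUTE_MARKS depends on a further capability that should be checked alongside these two.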
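Review bot: Dropping `fatal_error 'Providers require mangle support ...' unless $capabilities{MANGLE_ENABLED};` leaves no visible replacement for providers that do not use the 'track' option: the CONNMARK checks added in setup_route_marking only run for tracked interfaces as far as this diff shows, yet `$mangle_table` is where provider rules are added. Unless the mangle check was relocated somewhere outside these hunks, a system without mangle support now gets past provider parsing and fails later with a less specific error, or with an undefined `$mangle_table` entry. I would keep the early check in the style the same commit introduces: `require_capability( 'MANGLE_ENABLED' , 'providers' );` at the spot the fatal_error was removed from. The enclosing anonymous sub inside setup_providers starts before the hunk and continues after it.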
@@ -980,10 +980,11 @@ sub process_rule1 ( $$$$$$$$$ ) { } $serverport = $ports; - } elsif ( $action eq ' -j DNAT' ) { + } elsif ( $action eq 'DNAT' ) { + $target = '-j DNAT '; $serverport = ":$serverport" if $serverport; for my $serv ( split /,/, $server ) { - $target .= "--to ${serv}${serverport} "; + $target .= "--to-destination ${serv}${serverport} "; } }
@@ -1019,6 +1020,8 @@ sub process_rule1 ( $$$$$$$$$ ) { unless ( $actiontype & NATONLY ) { $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit ), do_user $user ); $loglevel = ''; + $dest = $server; + $action = 'ACCEPT'; } } else { if ( $actiontype & NONAT ) {
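Review bot: The DNAT branch mutates `$serverport` in place with `$serverport = ":$serverport" if $serverport;`, so from here on the variable carries a leading colon and cannot be reused as a bare port later in process_rule1, which continues outside the hunk; a local suffix avoids that: `my $toport = $serverport ? ":$serverport" : '';` and `$target .= "--to-destination ${serv}${toport} ";`. Note also that `split /,/, $server` on an empty `$server` yields no `--to-destination` at all, so the rule is emitted as a bare `-j DNAT `; if a port-only DEST (`zone::port`) is meant to be supported here, add `$target .= "--to-destination $toport " unless $server;`, and if it is not, a fatal_error is clearer than letting iptables reject the generated rule. Each `$serv` is interpolated unvalidated into the generated iptables command string, so if the server address is not validated before this point a malformed value passes straight through into the output script.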
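Review bot: The ACCEPT rule assembled here matches on `$ports` (`do_proto( $proto, $ports, $sports )`) while the DNAT target built earlier in process_rule1 sends the connection to `${serv}${serverport}`; if `$ports` still holds the pre-translation port at this point, the filter table, which sees the packet after DNAT, would get an ACCEPT for dport 80 on a rule translating 80 to 8080 and never match. Nothing in these two hunks reassigns `$ports`, but the code between them is outside the diff, so this may already be handled; if it is not, the proto/port part should use the server port, e.g. `do_proto( $proto, $serverport, $sports )`, with `$serverport` kept free of the `:` prefix that the DNAT branch currently adds in place. A comment such as `# Companion ACCEPT in the filter table for the DNAT/REDIRECT target above` over `$rule = join( ... )` would also make the purpose of `$dest = $server; $action = 'ACCEPT';` clear. process_rule1 continues past the hunk.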