diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 90463d74e..ce263f533 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -14,6 +14,8 @@ Changes in 2.5.7
 7) Add zone type to /var/lib/shorewall/zones.
+8) Give better diagnostics when IPP2P match isn't available.
+
 Changes in 2.5.6
 1) Finish install/fallback cleanup.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 2a0178dac..2e3da90af 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -3206,6 +3206,7 @@ process_tc_rule()
 case $proto in
 ipp2p|IPP2P)
+ [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
 [ "x$port" = "x-" ] && port="ipp2p"
 r="${r}-p tcp -m ipp2p --${port} "
 ;;
@@ -3558,6 +3559,7 @@ process_accounting_rule() {
 -|any|all)
 ;;
 ipp2p)
+ [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support"
 rule="$rule -p tcp -m ipp2p --${port:-ipp2p}"
 port=
 ;;
@@ -3978,6 +3980,7 @@ add_an_action()
 [ -n "$port" ] && dports="--icmp-type $port"
 ;;
 ipp2p)
+ [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
 dports="-m ipp2p --${port:-ipp2p}"
 port=
 proto=tcp
diff --git a/Shorewall/functions b/Shorewall/functions
index f47b3b217..31a659e12 100755
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -898,6 +898,7 @@ determine_capabilities() {
 CONNMARK=
 CONNMARK_MATCH=
 RAW_TABLE=
+ IPP2P_MATCH=
 qt $IPTABLES -N fooX1234
 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
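Review bot: The same IPP2P guard is pasted into three functions in Shorewall/firewall (process_tc_rule at -3206, process_accounting_rule at -3558, add_an_action at -3980) and the copies already differ: the process_accounting_rule one drops the `Rule: \"$rule\"` suffix, so a rejected accounting entry is reported with no hint of which line caused it. In that function `rule` appears to hold the iptables arguments being assembled (`rule="$rule -p tcp -m ipp2p --${port:-ipp2p}"`), so the suffix cannot simply be copied; the message should name the original accounting entry from whichever variable holds it there, which is not visible in the hunk. Whether `$rule` carries the configuration line inside add_an_action is likewise not visible and worth confirming. A comment above each guard, such as `# IPP2P_MATCH is set by determine_capabilities in Shorewall/functions`, would tell the reader where the flag comes from. All three function bodies start and end outside their hunks.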
@@ -909,6 +910,7 @@ determine_capabilities() {
 qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
 qt $IPTABLES -t mangle -N fooX1234
 qt $IPTABLES -t mangle -A fooX1234 -j ROUTE --oif eth0 && ROUTE_TARGET=Yes
@@ -966,6 +968,8 @@ report_capabilities() {
 report_capability "CONNMARK Target" $CONNMARK
 report_capability "Connmark Match" $CONNMARK_MATCH
 report_capability "Raw Table" $RAW_TABLE
+ report_capability "IPP2P Match" $IPP2P_MATCH
+
 }
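Review bot: The probe added at -909 (`-m ipp2p --ipp2p`) tests one specific option, so an ipp2p extension that loads but rejects `--ipp2p` leaves `IPP2P_MATCH` empty, and the new guards in Shorewall/firewall then refuse every ipp2p rule, including ones that name a different option through `--${port}`. Conversely, a successful probe says nothing about the option a rule actually passes, so a misspelled or unsupported `--${port}` still fails later inside iptables with its own error rather than the new diagnostic. A comment on the probe line, for example `# Probes the --ipp2p option only; other ipp2p options are not verified`, would make that limit explicit. determine_capabilities starts and ends outside the hunk.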