diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 73029af96..7d1d5f251 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -268,6 +268,8 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
 TIME_MATCH => 'Time Match',
 GOTO_TARGET => 'Goto Support',
 LOG_TARGET => 'LOG Target',
+ ULOG_TARGET => 'ULOG Target',
+ NFLOG_TARGET => 'NFLOG Target',
 LOGMARK_TARGET => 'LOGMARK Target',
 IPMARK_TARGET => 'IPMARK Target',
 PERSISTENT_SNAT => 'Persistent SNAT',
@@ -656,6 +658,8 @@ sub initialize( $ ) {
 TIME_MATCH => undef,
 GOTO_TARGET => undef,
 LOG_TARGET => 1, # Assume that we have it.
+ ULOG_TARGET => undef,
+ NFLOG_TARGET => undef,
 LOGMARK_TARGET => undef,
 IPMARK_TARGET => undef,
 TPROXY_TARGET => undef,
@@ -2139,66 +2143,79 @@ sub validate_level( $ ) {
 my $level = uc $rawlevel;
 if ( supplied ( $level ) ) {
- $level =~ s/!$//;
- my $value = $validlevels{$level};
+ my $value = $level;
+ my $qualifier;
- if ( defined $value ) {
- require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ) unless $value eq '';
+ $value =~ s/^!//;
+
+ unless ( $value =~ /^[0-7]$/ ) {
+ level_error( $level ) unless $level =~ /^!?([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
+ $qualifier = $2;
+ }
+
+ if ( $value =~ /^[0-7]$/ ) {
+ #
+ # Syslog Level
+ #
+ level_error( $rawlevel ) if supplied $qualifier;
+
+ require_capability ( 'LOG_TARGET' , "Log level $level", 's' ) unless $value eq '';
 return $value;
 }
- if ( $level =~ /^[0-7]$/ ) {
- require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
- return $level;
- }
+ return '' unless $value;
- if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) {
- my $olevel = $1;
- my @options = split /,/, $2;
- my $prefix = lc $olevel;
- my $index = $prefix eq 'ulog' ? 3 : 0;
+ require_capability( "${value}_TARGET", "Log level $level", 's' );
- level_error( $level ) if @options > 3;
+ if ( $value =~ /^(NFLOG|ULOG)$/ ) {
+ my $olevel = $value;
- for ( @options ) {
- if ( supplied( $_ ) ) {
- level_error( $level ) unless /^\d+/;
- $olevel .= " --${prefix}-$suffixes[$index] $_";
+ if ( $qualifier =~ /^[(](.*)[)]$/ ) {
+ my @options = split /,/, $1;
+ my $prefix = lc $olevel;
+ my $index = $prefix eq 'ulog' ? 3 : 0;
+
+ level_error( $rawlevel ) if @options > 3;
+
+ for ( @options ) {
+ if ( supplied( $_ ) ) {
+ level_error( $rawlevel ) unless /^\d+/;
+ $olevel .= " --${prefix}-$suffixes[$index] $_";
+ }
+
+ $index++;
 }
- $index++;
+ } elsif ( $qualifier =~ /^ --/ ) {
+ return $rawlevel;
 }
- require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
 return $olevel;
 }
- if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) {
- require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
+ #
+ # Must be LOGMARK
+ #
+ if ( $qualifier =~ /^ --/ ) {
 return $rawlevel;
 }
- if ( $level =~ /^LOGMARK --/ ) {
- require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
- return $rawlevel;
- }
+ my $sublevel;
- if ( $level =~ /LOGMARK([(](.+)[)])?$/ ) {
- my $sublevel = $2;
+ if ( supplied $qualifier ) {
+ if ( $qualifier =~ /[(](.+)[)]?$/ ) {
+ $sublevel = $1;
- if ( $1 ) {
 $sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
- level_error( $level ) unless defined $sublevel && $sublevel =~ /^[0-7]$/;
+ level_error( $rawlevel ) unless defined $sublevel && $sublevel =~ /^[0-7]$/;
 } else {
- $sublevel = 6; # info
+ level_error( $rawlevel );
 }
-
- require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
- require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
- return "LOGMARK --log-level $sublevel";
+ } else {
+ $sublevel = 6; # info
 }
- level_error( $rawlevel );
+ return "LOGMARK --log-level $sublevel";
 }
 '';
@@ -2672,6 +2689,14 @@ sub Log_Target() {
 qt1( "$iptables -A $sillyname -j LOG" );
 }
+sub Ulog_Target() {
+ qt1( "$iptables -A $sillyname -j ULOG" );
+}
+
+sub NFLog_Target() {
+ qt1( "$iptables -A $sillyname -j NFLOG" );
+}
+
 sub Logmark_Target() {
 qt1( "$iptables -A $sillyname -j LOGMARK" );
 }
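Review bot: The new LOGMARK sub-level test `if ( $qualifier =~ /[(](.+)[)]?$/ ) {` makes the closing parenthesis optional while `.+` is greedy, so for a qualifier such as `(INFO)` the capture is `INFO)` (`[)]?` matches empty and `$` still succeeds); that string is neither a digit nor a `%validlevels` key, so every `LOGMARK(level)` form now ends in `level_error`, whereas the old regex required the `)` and worked. Anchoring the pattern and making the paren mandatory restores it: `if ( $qualifier =~ /^[(](.+)[)]$/ ) {`. Two pre-existing weaknesses survive the rewrite and are cheap to tighten here: the NFLOG/ULOG option check `level_error( $rawlevel ) unless /^\d+/;` is not end-anchored (`/^\d+$/` would reject `5x`), and both `--` branches return `$rawlevel` verbatim, so whatever follows `NFLOG --`, `ULOG --` or `LOGMARK --` reaches the generated iptables command unvalidated — tolerable only because the config is admin-authored, which a short comment on those returns should state. Note also that the new `require_capability( "${value}_TARGET", ... )` will reject previously accepted NFLOG/ULOG levels on any host whose cached capabilities file predates this change (ULOG_TARGET/NFLOG_TARGET are undef there); presumably the CAPVERSION bump forces regeneration, but it deserves a release note. The sub's closing brace lies outside this hunk.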
@@ -2747,6 +2772,8 @@ our %detect_capability =
 LENGTH_MATCH => \&Length_Match,
 LOGMARK_TARGET => \&Logmark_Target,
 LOG_TARGET => \&Log_Target,
+ ULOG_TARGET => \&Ulog_Target,
+ NFLOG_TARGET => \&NFLog_Target,
 MANGLE_ENABLED => \&Mangle_Enabled,
 MANGLE_FORWARD => \&Mangle_Forward,
 MARK => \&Mark,
@@ -2890,6 +2917,8 @@ sub determine_capabilities() {
 $capabilities{TIME_MATCH} = detect_capability( 'TIME_MATCH' );
 $capabilities{GOTO_TARGET} = detect_capability( 'GOTO_TARGET' );
 $capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' );
+ $capabilities{ULOG_TARGET} = detect_capability( 'ULOG_TARGET' );
+ $capabilities{NFLOG_TARGET} = detect_capability( 'NFLOG_TARGET' );
 $capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' );
 $capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
 $capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
diff --git a/Shorewall/lib.base b/Shorewall/lib.base
index 0d55ac651..893077345 100644
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -28,7 +28,7 @@ #
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40425
+SHOREWALL_CAPVERSION=40426
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index ef27889f0..a94bd1192 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1729,6 +1729,8 @@ determine_capabilities() {
 LOGMARK_TARGET=
 IPMARK_TARGET=
 LOG_TARGET=Yes
+ ULOG_TARGET=
+ NFLOG_TARGET=
 PERSISTENT_SNAT=
 FLOW_FILTER=
 FWMARK_RT_MASK=
@@ -1886,6 +1888,8 @@ determine_capabilities() {
 qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
 qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
 qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+ qt $IPTABLES -A $chain -j ULOG && ULOG_TARGET=Yes
+ qt $IPTABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
 qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
 qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
@@ -1977,6 +1981,8 @@ report_capabilities() {
 report_capability "LOGMARK Target" $LOGMARK_TARGET
 report_capability "IPMARK Target" $IPMARK_TARGET
 report_capability "LOG Target" $LOG_TARGET
+ report_capability "ULOG Target" $ULOG_TARGET
+ report_capability "NFLOG Target" $NFLOG_TARGET
 report_capability "Persistent SNAT" $PERSISTENT_SNAT
 report_capability "TPROXY Target" $TPROXY_TARGET
 report_capability "FLOW Classifier" $FLOW_FILTER
@@ -2050,6 +2056,8 @@ report_capabilities1() {
 report_capability1 LOGMARK_TARGET
 report_capability1 IPMARK_TARGET
 report_capability1 LOG_TARGET
+ report_capability1 ULOG_TARGET
+ report_capability1 NFLOG_TARGET
 report_capability1 PERSISTENT_SNAT
 report_capability1 TPROXY_TARGET
 report_capability1 FLOW_FILTER
diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base
index 2f42e2249..a020f98a3 100644
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -32,7 +32,7 @@ #
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40425
+SHOREWALL_CAPVERSION=40426
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index 432d00b16..0e5257ac8 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1556,6 +1556,9 @@ determine_capabilities() {
 GOTO_TARGET=
 IPMARK_TARGET=
 LOG_TARGET=Yes
+ ULOG_TARGET=
+ NFLOG_TARGET=
+ LOGMARK_TARGET=
 FLOW_FILTER=
 FWMARK_RT_MASK=
 MARK_ANYWHERE=
@@ -1712,7 +1715,10 @@ determine_capabilities() {
 qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
 qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
 qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
+ qt $IP6TABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
 qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
+ qt $IP6TABLES -A $chain -j ULOG && ULOG_TARGET=Yes
+ qt $IP6TABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
 qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
 qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
@@ -1804,7 +1810,10 @@ report_capabilities() {
 report_capability "Time Match" $TIME_MATCH
 report_capability "Goto Support" $GOTO_TARGET
 report_capability "IPMARK Target" $IPMARK_TARGET
+ report_capability "LOGMARK Target" $LOGMARK_TARGET
 report_capability "LOG Target" $LOG_TARGET
+ report_capability "ULOG Target" $ULOG_TARGET
+ report_capability "NFLOG Target" $NFLOG_TARGET
 report_capability "TPROXY Target" $TPROXY_TARGET
 report_capability "FLOW Classifier" $FLOW_FILTER
 report_capability "fwmark route mask" $FWMARK_RT_MASK
@@ -1874,7 +1883,10 @@ report_capabilities1() {
 report_capability1 TIME_MATCH
 report_capability1 GOTO_TARGET
 report_capability1 IPMARK_TARGET
+ report_capability1 LOGMARK_TARGET
 report_capability1 LOG_TARGET
+ report_capability1 ULOG_TARGET
+ report_capability1 NFLOG_TARGET
 report_capability1 TPROXY_TARGET
 report_capability1 FLOW_FILTER
 report_capability1 FWMARK_RT_MASK
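Review bot: The new probe `qt $IP6TABLES -A $chain -j ULOG && ULOG_TARGET=Yes` in the IPv6 library can never succeed as far as I know: ULOG was the IPv4-only predecessor of NFLOG and ip6tables has no ULOG target, so in Shorewall6 this line only ever leaves ULOG_TARGET empty and the two matching report lines always print it as unavailable. If it is kept deliberately so the IPv6 capability list stays in step with Shorewall's, say so on the line above, e.g. `# ULOG is IPv4-only; probed only to keep the capability set identical to Shorewall's`; otherwise drop the probe and its two report entries and leave NFLOG as the sole userspace-logging capability here. determine_capabilities() and the report functions begin outside their hunks.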