diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 9332e51fd..11fad5b93 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1996,6 +1996,7 @@ determine_capabilities() {
 DSCP_TARGET=
 GEOIP_MATCH=
 RPFILTER_MATCH=
+ NFACCT_MATCH=
 chain=fooX$$
@@ -2130,6 +2131,12 @@ determine_capabilities() {
 qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
+ if qt nfacct add $chain; then
+ qt $g_tool -t mangle -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
+ qt $g_tool -t mangle -D $chain -m nfacct --nfacct-name $chain
+ qt nfacct del $chain
+ fi
+
 qt $g_tool -t mangle -F $chain
 qt $g_tool -t mangle -X $chain
@@ -2322,6 +2329,7 @@ report_capabilities() {
 report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 report_capability "Geo IP match" $GEOIP_MATCH
 report_capability "RPFilter match" $RPFILTER_MATCH
+ report_capability "NFAcct match" $NFACCT_MATCH
 if [ $g_family -eq 4 ]; then
 report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2414,6 +2422,7 @@ report_capabilities1() {
 report_capability1 DSCP_TARGET
 report_capability1 GEOIP_MATCH
 report_capability1 RPFILTER_MATCH
+ report_capability1 NFACCT_MATCH
 echo CAPVERSION=$SHOREWALL_CAPVERSION
 echo KERNELVERSION=$KERNELVERSION
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 1a086e3ed..6a17aeb62 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -308,7 +308,8 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
 DSCP_MATCH => 'DSCP Match',
 DSCP_TARGET => 'DSCP Target',
 GEOIP_MATCH => 'GeoIP Match' ,
- RPFILTER_MATCH => 'RPFilter Match',
+ RPFILTER_MATCH => 'RPFilter Match',
+ NFACCT_MATCH => 'NFAcct Match',
 #
 # Constants
 #
@@ -763,6 +764,7 @@ sub initialize( $;$ ) {
 DSCP_TARGET => undef,
 GEOIP_MATCH => undef,
 RPFILTER_MATCH => undef,
+ NFACCT_MATCH => undef,
 CAPVERSION => undef,
 LOG_OPTIONS => 1,
 KERNELVERSION => undef,
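Review bot: The new `if qt nfacct add $chain; then` block in the second lib.cli hunk (determine_capabilities, @@ -2130) makes NFACCT_MATCH depend on the nfacct(8) userspace utility as well as on the xt_nfacct match, so a host that has the kernel module but not the utility is reported as lacking the capability with no hint why; a comment such as `# NFACCT_MATCH also requires the nfacct(8) utility, used to create the probe object` would make that coupling visible. If the `-D` on the following line fails, the later `-F`/`-X` still remove the chain, but `qt nfacct del $chain` would presumably be refused while the object is still referenced by the rule, leaving an accounting object named after the temporary chain behind. Since the object is created on every capability probe, that failure path is worth confirming on a test host. determine_capabilities starts and ends outside the hunk.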
@@ -3216,6 +3218,18 @@ sub RPFilter_Match() {
 have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" );
 }
+sub NFAcct_Match() {
+ my $result;
+
+ if ( qt1( "nfacct add $sillyname" ) ) {
+ $result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" );
+ qt( "iptables -D $sillyname -m nfacct $sillyname" );
+ qt( "nfacct del $sillyname" );
+ }
+
+ $result;
+}
+
 sub GeoIP_Match() {
 qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
 }
@@ -3265,6 +3279,7 @@ our %detect_capability =
 MULTIPORT => \&Multiport,
 NAT_ENABLED => \&Nat_Enabled,
 NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
+ NFACCT_MATCH => \&NFAcct_Match,
 NFQUEUE_TARGET => \&Nfqueue_Target,
 OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match,
 OLD_HL_MATCH => \&Old_Hashlimit_Match,
@@ -3420,6 +3435,7 @@ sub determine_capabilities() {
 $capabilities{DSCP_TARGET} = detect_capability( 'DSCP_TARGET' );
 $capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
 $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
+ $capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
 qt1( "$iptables -F $sillyname" );
 qt1( "$iptables -X $sillyname" );
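Review bot: The cleanup call `qt( "iptables -D $sillyname -m nfacct $sillyname" );` in the new NFAcct_Match does not match the rule added on the line above it: it hardcodes `iptables` instead of `$iptables` and omits `--nfacct-name`, so the delete is rejected and the probe rule stays in the chain until the `-F` in determine_capabilities. The following `qt( "nfacct del $sillyname" )` then runs while the object is presumably still referenced by that rule, so an accounting object named after the temporary chain is likely left on the system after every capability detection. Change the line to `qt( "$iptables -D $sillyname -m nfacct --nfacct-name $sillyname" );`, which mirrors the lib.cli probe in this same commit. Minor: the lib.cli probe tests the match in the mangle table while this one uses the default filter table; aligning the two keeps the compiled and shell-only capability results comparable.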