diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index b4204c0c5..a76811344 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1420,8 +1420,10 @@ sub log_rule_limit( $$$$$$$$ ) {
 warning_message "Log Prefix shortened to \"$prefix\"";
 }
- if ( $level eq 'ULOG' ) {
- $prefix = "-j ULOG $globals{LOGPARMS}--ulog-prefix \"$prefix\" ";
+ if ( $level =~ '^ULOG' ) {
+ $prefix = "-j $level --ulog-prefix \"$prefix\" ";
+ } elsif ( $level =~ /^NFLOG/ ) {
+ $prefix = "-j $level --nflog-prefix \"$prefix\" ";
 } else {
 $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
 }
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index e2f0e5bba..0bb877b5a 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -1159,7 +1159,8 @@ my %validlevels = ( debug => 7,
 emerg => 0,
 panic => 0,
 none => '',
- ULOG => 'ULOG' );
+ ULOG => 'ULOG',
+ NFLOG => 'NFLOG');
 #
 # Validate a log level -- Drop the trailing '!' and translate to numeric value if appropriate"
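Review bot: In the Chains.pm hunk, `$level` is now written into the rule as `-j $level`, so whatever follows `ULOG` or `NFLOG` reaches the generated ruleset unchanged and these branches are only as safe as the validation the caller did beforehand. A comment above the test, such as `# $level must already have passed validate_level(); it is copied into the rule verbatim`, would make that dependency visible. The first test also uses a quoted string, `'^ULOG'`, where the new `elsif` uses `/^NFLOG/`, and both are bare prefix matches that would accept a level merely beginning with those letters; I would write `if ( $level =~ /^ULOG(?: |$)/ )` and `elsif ( $level =~ /^NFLOG(?: |$)/ )`. log_rule_limit starts and ends outside the hunk.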
@@ -1172,6 +1173,37 @@ sub validate_level( $ ) {
 my $value = $validlevels{$level};
 return $value if defined $value;
 return $level if $level =~ /^[0-7]$/;
+
+ if ( $level =~ /^NFLOG[(](.*)[)]$/ ) {
+ my @options = split /,/, $1;
+
+ $level = 'NFLOG';
+ $level .= " --nflog-group $options[0]" if defined $options[0] && $options[0] ne '';
+ $level .= " --nflog-range $options[1]" if defined $options[1] && $options[1] ne '';
+ $level .= " --nflog-threshhold $options[2]" if defined $options[2] && $options[2] ne '';
+
+ return $level;
+ }
+
+ if ( $level =~ /^NFLOG --/ ) {
+ return $level;
+ }
+
+ if ( $level =~ /^ULOG[(](.*)[)]$/ ) {
+ my @options = split /,/, $1;
+
+ $level = 'ULOG';
+ $level .= " --ulog-group $options[0]" if defined $options[0] && $options[0] ne '';
+ $level .= " --ulog-range $options[1]" if defined $options[1] && $options[1] ne '';
+ $level .= " --ulog-threshhold $options[2]" if defined $options[2] && $options[2] ne '';
+
+ return $level;
+ }
+
+ if ( $level =~ /^ULOG --/ ) {
+ return $level;
+ }
+
 fatal_error "Invalid log level ($level)";
 }
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 81333c34f..d98d9c340 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -590,7 +590,7 @@ sub add_common_rules() {
 my $savelogparms = $globals{LOGPARMS};
- $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options " unless $config{TCP_FLAGS_LOG_LEVEL} eq 'ULOG';
+ $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";
 log_rule $config{TCP_FLAGS_LOG_LEVEL} , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
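Review bot: In the validate_level hunk, the values captured from `NFLOG(...)` and `ULOG(...)` are appended to the rule text with no check, and the `/^NFLOG --/` and `/^ULOG --/` branches return whatever follows verbatim, so a mistyped or tampered configuration value becomes extra iptables arguments in the generated ruleset. Each value should be required to be numeric, and a fourth or later value should be an error rather than silently dropped. The option names also look wrong: iptables spells the NFLOG option `--nflog-threshold`, and the ULOG target's options are `--ulog-nlgroup`, `--ulog-cprange` and `--ulog-qthreshold`, so rules built from these strings would presumably be rejected at load time. The sketch below covers the NFLOG branch; the ULOG branch needs the same treatment, and the two pass-through branches would be safer matching the full expanded form instead of a prefix. validate_level starts and ends outside the hunk.

```perl
if ( $level =~ /^NFLOG[(](.*)[)]$/ ) {
    my @options = split /,/, $1;
    my @names   = qw( --nflog-group --nflog-range --nflog-threshold );

    # Reject surplus values instead of ignoring them.
    fatal_error "Invalid log level ($level)" if @options > @names;

    my $target = 'NFLOG';

    for my $i ( 0 .. $#options ) {
        next if $options[$i] eq '';
        # Only digits may reach the generated rule text.
        fatal_error "Invalid log level ($level)" unless $options[$i] =~ /^\d+\z/;
        $target .= " $names[$i] $options[$i]";
    }

    return $target;
}
# … unchanged: pass-through branches and the ULOG(...) branch …
```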
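Review bot: In the Rules.pm hunk, `--log-ip-options ` is now appended to `$globals{LOGPARMS}` for every TCP_FLAGS_LOG_LEVEL, which is only correct if no ULOG or NFLOG rule is ever built from LOGPARMS. The Chains.pm hunk in this diff removes that use from log_rule_limit, but nothing at this call site says so, and any other consumer of LOGPARMS outside the visible hunks would start passing a LOG-only option to the wrong target. I would add a comment above the assignment, for example `# LOGPARMS is only used for the LOG target; ULOG/NFLOG rules ignore it`. add_common_rules starts and ends outside the hunk.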