diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index 086185727..82e2cc9c7 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -1211,7 +1211,7 @@ report_capabilities() {
 report_capability "Multi-port Match" $MULTIPORT
 [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
 report_capability "Connection Tracking Match" $CONNTRACK_MATCH
- report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
+ [ -n "$CONNTRACK_MATCH" ] && report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
 report_capability "Packet Type Match" $USEPKTTYPE
 report_capability "Policy Match" $POLICY_MATCH
 report_capability "Physdev Match" $PHYSDEV_MATCH
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 85a7bb9b4..b93c0590c 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -175,6 +175,13 @@ Other changes in Shorewall 4.2.1 do port mapping (change the destination port but not the destination IP address), the final destination port is not open. + Example: + + DNAT net loc:206.124.146.177:22 tcp 2222 - 206.124.146.177 + + That rule maps port 2222 -> 22 but without this new feature, it + also opens port 22 directly. + To use this feature, you must be running Shorewall-perl and the output of 'shorewall show capabilities' must show:
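Review bot: In the `report_capabilities` hunk of Shorewall-common/lib.base, the new `[ -n "$CONNTRACK_MATCH" ] &&` guard drops the "Extended Connection Tracking Match Support" line from the report entirely when the basic match is missing, and nothing in the code says that this is intended. Anyone reading or parsing `shorewall show capabilities` to confirm what the firewall can enforce then has to treat a missing line as "unavailable", as is already the case for the guarded "Extended Multi-port Match" line above it. I would add a comment before the guard, e.g. `# Reported only when the basic conntrack match exists; a missing line means the extended match is unavailable.` The function starts and ends outside the hunk, so how `report_capability` renders an empty second argument is not visible here.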