diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 3de1da0cb..e267bc1e5 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -7,6 +7,8 @@ Changes in 3.2.0 Beta 5
 3) Fix DETECT_DNAT_IPADDRS=No bug.
+4) Handle absense of mangle FORWARD chain.
+
 Changes in 3.2.0 Beta 4
 1) Fix 'routeback' with bridge ports.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index e4ddd4163..25a00f35e 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -3470,7 +3470,7 @@ setup_tc1() {
 #
 createmanglechain tcpre
-createmanglechain tcfor
+[ -n "$MANGLE_FORWARD" ] && createmanglechain tcfor
 createmanglechain tcout
 createmanglechain tcpost
 #
@@ -3498,7 +3498,7 @@ setup_tc1() {
 run_iptables -t mangle -A PREROUTING $mark_part -j tcpre
 run_iptables -t mangle -A OUTPUT $mark_part -j tcout
-run_iptables -t mangle -A FORWARD -j tcfor
+[ -n "$MANGLE_FORWARD" ] && run_iptables -t mangle -A FORWARD -j tcfor
 run_iptables -t mangle -A POSTROUTING -j tcpost
 if [ -n "$HIGH_ROUTE_MARKS" ]; then
diff --git a/Shorewall/functions b/Shorewall/functions
index f01a23127..224158557 100644
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -1139,6 +1139,7 @@ determine_capabilities() {
 KLUDGEFREE=
 MARK=
 XMARK=
+MANGLE_FORWARD=
 qt $IPTABLES -N fooX1234
 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
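Review bot: `createmanglechain tcfor` is now skipped when `$MANGLE_FORWARD` is empty, but nothing in this hunk shows what happens to tcrules entries that select the FORWARD chain; if the compiler elsewhere still emits `-A tcfor` rules for them, the generated script would reference a chain that was never created and fail at [re]start in a less obvious place than before. When the capability is absent, such rules should be rejected at compile time with an explicit message naming the missing mangle FORWARD chain rather than left for iptables to reject. The second hunk in this file (the `-A FORWARD -j tcfor` jump) is the matching guard and needs no separate note on this point. setup_tc1 begins and ends outside the hunk.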
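Review bot: `run_iptables -t mangle -A POSTROUTING -j tcpost` on the line after the new guard stays unconditional, yet as far as I know the kernels whose mangle table lacks a FORWARD chain (netfilter before the five-hook mangle table, which had only PREROUTING and OUTPUT) also lack mangle INPUT and POSTROUTING, so [re]start would still fail on exactly the kernels this change targets. Either the POSTROUTING jump and the `createmanglechain tcpost` in the previous hunk need the same treatment, or determine_capabilities should probe POSTROUTING separately, e.g. `qt $IPTABLES -t mangle -L POSTROUTING -n && MANGLE_POSTROUTING=Yes`, and this line become `[ -n "$MANGLE_POSTROUTING" ] && run_iptables -t mangle -A POSTROUTING -j tcpost`. This is inferred from kernel history rather than from the page, so please confirm against the kernels the release notes have in mind. setup_tc1 begins and ends outside the hunk.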
@@ -1158,35 +1159,38 @@ determine_capabilities() {
 fi
 fi
-qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
-qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
+qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
+qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
 if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
 CONNMARK_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
 fi
-qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
-qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
-qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
+qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
+qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
+qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-qt $IPTABLES -t mangle -N fooX1234
+if [ -n "$MANGLE_ENABLED" ]; then
+qt $IPTABLES -t mangle -N fooX1234
-if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
-MARK=Yes
-qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
+MARK=Yes
+qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+fi
+
+if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
+CONNMARK=Yes
+qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+fi
+
+qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+qt $IPTABLES -t mangle -F fooX1234
+qt $IPTABLES -t mangle -X fooX1234
+qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
 fi
-if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
-CONNMARK=Yes
-qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
-fi
-
-qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
-qt $IPTABLES -t mangle -F fooX1234
-qt $IPTABLES -t mangle -X fooX1234
-
-qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
+qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
 if qt mywhich ipset; then
 qt ipset -X fooX1234 # Just in case something went wrong the last time
@@ -1242,6 +1246,7 @@ report_capabilities() {
 report_capability "Repeat match" $KLUDGEFREE
 report_capability "MARK Target" $MARK
 [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 fi
 [ -n "$PKTTYPE" ] || USEPKTTYPE=
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index b660c649a..94a20245c 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -40,6 +40,9 @@ Problems Corrected in 3.2.0 Beta 5
 2) With DETECT_DNAT_IPADDRS=No in shorewall.conf, DNAT rules didn't work.
+3) Previously, if your kernel did not supply the mangle table FORWARD chain
+then "shorewall [re]start" would fail.
+
 Other changes in 3.2.0 Beta 5
 1) The "shorewall refresh" command no longer refreshes traffic shaping.
diff --git a/Shorewall/shorecap b/Shorewall/shorecap
index d8f7efd50..b96bb0200 100755
--- a/Shorewall/shorecap
+++ b/Shorewall/shorecap
@@ -236,6 +236,7 @@ determine_capabilities() {
 KLUDGEFREE=
 MARK=
 XMARK=
+MANGLE_FORWARD=
 qt $IPTABLES -N fooX1234
 qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
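Review bot: Moving the MARK, CONNMARK and CLASSIFY probes inside `if [ -n "$MANGLE_ENABLED" ]; then` changes behaviour beyond the FORWARD-chain fix the changelog describes: with MANGLE_ENABLED unset these capabilities are now never detected, whereas the old code probed the mangle table unconditionally, so a capabilities file produced on such a host will report MARK= and CLASSIFY_TARGET= even when the kernel supports them. If that is intended, the changelog and release notes should say so and the new block deserves a comment, e.g. `# Mangle-table capabilities (incl. the FORWARD chain) are only probed when MANGLE_ENABLED is set`. The same block is duplicated verbatim in Shorewall/shorecap's determine_capabilities (the `@@ -267,22 +268,25 @@` hunk), which this commit keeps in sync by hand; a single shared copy of the detection code would remove that maintenance risk. The RECENT/OWNER/IPP2P/LENGTH/REJECT lines appear to be removed and re-added with only an indentation change, which inflates the hunk; whitespace-only churn is easier to review in its own commit. determine_capabilities begins before this hunk.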
@@ -267,22 +268,25 @@ determine_capabilities() {
 qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
 qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-qt $IPTABLES -t mangle -N fooX1234
+if [ -n "$MANGLE_ENABLED" ]; then
+qt $IPTABLES -t mangle -N fooX1234
-if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
-MARK=Yes
-qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
+MARK=Yes
+qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+fi
+
+if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
+CONNMARK=Yes
+qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+fi
+
+qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+qt $IPTABLES -t mangle -F fooX1234
+qt $IPTABLES -t mangle -X fooX1234
+qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
 fi
-if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
-CONNMARK=Yes
-qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
-fi
-
-qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
-qt $IPTABLES -t mangle -F fooX1234
-qt $IPTABLES -t mangle -X fooX1234
-
 qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes
 if qt mywhich ipset; then
@@ -336,6 +340,7 @@ report_capabilities() {
 report_capability KLUDGEFREE
 report_capability MARK
 report_capability XMARK
+report_capability MANGLE_FORWARD
 }
 load_kernel_modules