diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 0378e5747..e80dc6929 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -245,6 +245,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', PERSISTENT_SNAT => 'Persistent SNAT', OLD_HL_MATCH => 'Old Hash Limit Match', TPROXY_TARGET => 'TPROXY Target', + FLOW_FILTER => 'Flow Classifier', CAPVERSION => 'Capability Version', KERNELVERSION => 'Kernel Version', ); @@ -283,6 +284,7 @@ our $Product; # $product with initial cap. our $sillyname; # Name of temporary filter chains for testing capabilities our $sillyname1; our $iptables; # Path to iptables/ip6tables +our $tc; # Path to tc use constant { MIN_VERBOSITY => -1, MAX_VERBOSITY => 2 , @@ -336,7 +338,7 @@ sub initialize( $ ) { EXPORT => 0, UNTRACKED => 0, VERSION => "4.4.7", - CAPVERSION => 40407 , + CAPVERSION => 40408 , ); # @@ -2297,6 +2299,10 @@ sub Logmark_Target() { qt1( "$iptables -A $sillyname -j LOGMARK" ); } +sub Flow_Filter() { + $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0; +} + our %detect_capability = ( ADDRTYPE => \&Addrtype, CLASSIFY_TARGET => \&Classify_Target, @@ -2307,6 +2313,7 @@ our %detect_capability = CONNTRACK_MATCH => \&Conntrack_Match, ENHANCED_REJECT => \&Enhanced_Reject, EXMARK => \&Exmark, + FLOW_FILTER => \&Flow_Filter, GOTO_TARGET => \&Goto_Target, HASHLIMIT_MATCH => \&Hashlimit_Match, HELPER_MATCH => \&Helper_Match, @@ -2369,9 +2376,8 @@ sub have_capability( $ ) { # # Determine which optional facilities are supported by iptables/netfilter # -sub determine_capabilities( $ ) { +sub determine_capabilities() { - $iptables = $_[0]; my $pid = $$; $capabilities{CAPVERSION} = $globals{CAPVERSION}; 
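Review bot: The description string added for the new capability, `FLOW_FILTER => 'Flow Classifier'`, differs from the label both shell libraries in this commit print for it, `report_capability "FLOW Classifier" $FLOW_FILTER`. Every other entry visible in this hunk uses identical wording on both sides (for example 'TPROXY Target'), and the compiler's and the shell lib's capability reports are likely to be compared line by line when a capabilities mismatch is being diagnosed, so one spelling should win. `FLOW_FILTER => 'FLOW Classifier',` matches the shell output as written; alternatively change both report_capability calls to 'Flow Classifier'. The %capdesc hash begins before this hunk.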
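Review bot: The probe `Flow_Filter()` runs is `$tc filter add flow add help`, while the shell libraries in this same commit probe with `filter add flow help`; the duplicated `add` appears only on the Perl side. All three detectors decide the same FLOW_FILTER capability, so they should issue the identical command, otherwise a capabilities file produced by the shell lib and the compiler's own detection can disagree for the same tc binary. Unless the extra word is intentional, `$tc && system( "$tc filter add flow help 2>&1 | grep -q ^Usage" ) == 0;` brings them in line. Because the pipe forces the command through a shell, `$tc` (the TC setting) is interpolated unquoted; the caller has checked `-x $tc`, but a path containing whitespace would still be split, so quoting it as `'$tc'` inside the string is cheap insurance. A one-line comment above the sub, such as `# FLOW_FILTER: tc's flow classifier is available (its help text starts with 'Usage')`, would state the purpose the way the capability name alone does not.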
@@ -2603,7 +2609,7 @@ sub get_capabilities( $ ) { my $export = $_[0]; if ( ! $export && $> == 0 ) { # $> == $EUID - my $iptables = $config{$toolNAME}; + $iptables = $config{$toolNAME}; if ( $iptables ) { fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables; @@ -2615,12 +2621,18 @@ sub get_capabilities( $ ) { fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore; + $tc = $config{TC}; + + if ( $tc ) { + fatal_error "TC=$tc does not exist or is not executable" unless -x $tc; + } + load_kernel_modules; if ( open_file 'capabilities' ) { read_capabilities; } else { - determine_capabilities $iptables; + determine_capabilities; } } else { unless ( open_file 'capabilities' ) { diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index b6d3466f7..bf052c247 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -515,7 +515,7 @@ sub process_simple_device() { while ( ++$i <= 3 ) { emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10"; emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i"; - emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" unless $type eq '-' || have_capability 'OLD_HL_MATCH'; + emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER'; emit ''; } diff --git a/Shorewall/lib.base b/Shorewall/lib.base index c05d53373..3a2f0e6c4 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -30,7 +30,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40407 +SHOREWALL_CAPVERSION=40408 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] 
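Review bot: `$tc = $config{TC}` is used as-is and only checked with `-x $tc`, with no fallback when the setting is empty, whereas Shorewall/lib.base in this commit resolves an empty TC or a bare `tc` through `which tc`. With TC unset, the shell lib can therefore report FLOW_FILTER=Yes while the compiler's own detection returns false; with `TC=tc`, `-x` tests a path relative to the current directory and the new fatal_error fires even though tc is on the PATH. Unless the config layer already expands TC to an absolute path (that code is outside this diff), a name without a slash should be looked up along `$ENV{PATH}` (File::Spec->catfile over the split entries) before the `-x` test, mirroring the shell lib. get_capabilities continues past this hunk.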
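Review bot: The reworded condition on the third `emit` drops the configured flow classifier silently when `$type ne '-'` but `have_capability 'FLOW_FILTER'` is false; before this change the filter was emitted on every system lacking OLD_HL_MATCH, so an administrator who set flow keys on the device now loses them without any message, for example when an older exported capabilities file has no FLOW_FILTER entry. A warning at that point would make the cause visible: `warning_message "Flow classifier ($type) ignored: FLOW_FILTER capability not available" if $type ne '-' && ! have_capability 'FLOW_FILTER';` placed once per device rather than inside the `while` loop, where it would repeat three times. process_simple_device begins and ends outside this hunk.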
@@ -784,6 +784,10 @@ determine_capabilities() { exit 1 fi + [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) + + [ -n "$TC" -a -x "$TC" ] || TC= + qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= @@ -830,6 +834,7 @@ determine_capabilities() { IPMARK_TARGET= LOG_TARGET=Yes PERSISTENT_SNAT= + FLOW_FILTER= chain=fooX$$ @@ -968,6 +973,8 @@ determine_capabilities() { qt $IPTABLES -F $chain1 qt $IPTABLES -X $chain1 + [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes + CAPVERSION=$SHOREWALL_CAPVERSION KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) } @@ -1033,6 +1040,7 @@ report_capabilities() { report_capability "LOG Target" $LOG_TARGET report_capability "Persistent SNAT" $PERSISTENT_SNAT report_capability "TPROXY Target" $TPROXY_TARGET + report_capability "FLOW Classifier" $FLOW_FILTER fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1094,6 +1102,7 @@ report_capabilities1() { report_capability1 LOG_TARGET report_capability1 PERSISTENT_SNAT report_capability1 TPROXY_TARGET + report_capability1 FLOW_FILTER echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index 47287ab44..592755e68 100644 --- a/Shorewall6/lib.base +++ b/Shorewall6/lib.base @@ -33,7 +33,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40407 +SHOREWALL_CAPVERSION=40408 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ] @@ -737,6 +737,7 @@ determine_capabilities() { GOTO_TARGET= IPMARK_TARGET= LOG_TARGET=Yes + FLOW_FILTER= chain=fooX$$ @@ -747,6 +748,10 @@ determine_capabilities() { exit 1 fi + [ -n "$IP" ] || IP=$(which ip) + + [ -n "$IP" -a -x "$IP" ] || IP= + qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IP6TABLES -F $chain 
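Review bot: `[ -n "$TC" -a -x "$TC" ] || TC=` silently discards a TC value the administrator set to a missing or non-executable path, so the probe later in determine_capabilities is skipped and FLOW_FILTER stays empty with no diagnostic; the Perl side of this commit treats the identical condition as `fatal_error "TC=$tc does not exist or is not executable"`, so the two detectors react differently to the same misconfiguration. Emitting a message before clearing the variable, e.g. `[ -n "$TC" -a -x "$TC" ] || { echo "   WARNING: TC=$TC is not executable" >&2; TC=; }` (or whichever helper this library uses for warnings), keeps the shell lib informative without making detection fatal. Separately, some `which` implementations print a diagnostic on stderr when the command is absent, so `TC=$(which tc 2> /dev/null)` keeps capability runs clean. determine_capabilities starts before this hunk.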
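Review bot: The Shorewall6 library resolves and tests `$IP` here (`[ -n "$IP" ] || IP=$(which ip)`) and the probe in the next hunk runs `$IP filter add flow help`, where the Shorewall library does the same with `$TC` and `which tc`. The flow classifier belongs to tc; `ip` has no `filter` object and rejects it as unknown rather than printing a `Usage` line, so FLOW_FILTER can never be set on the IPv6 side, and clearing `IP=` when the binary is missing may also affect other uses of `$IP` in this library (not visible here). Both hunks should mirror the IPv4 library: `[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)`, `[ -n "$TC" -a -x "$TC" ] || TC=`, and `[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes`. determine_capabilities starts before this hunk.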
@@ -875,6 +880,8 @@ determine_capabilities() { qt $IP6TABLES -F $chain1 qt $IP6TABLES -X $chain1 + [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes + CAPVERSION=$SHOREWALL_CAPVERSION KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) } @@ -937,6 +944,7 @@ report_capabilities() { report_capability "IPMARK Target" $IPMARK_TARGET report_capability "LOG Target" $LOG_TARGET report_capability "TPROXY Target" $TPROXY_TARGET + report_capability "FLOW Classifier" $FLOW_FILTER fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -995,6 +1003,7 @@ report_capabilities1() { report_capability1 IPMARK_TARGET report_capability1 LOG_TARGET report_capability1 TPROXY_TARGET + report_capability1 FLOW_FILTER echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION