diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 89687e5d3..6065f822a 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -6,6 +6,10 @@ Changes in 4.1.5
 3) Update modules file for 2.6.25.
+4) Restore 3.4 code to work around busybox limination.
+
+5) Add restriction handling in tcrules file.
+
 Changes in 4.1.4
 1) Fix do_test() to accept 0 and to use the same mask as
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index c4c7c5ba7..4236f8969 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -64,7 +64,29 @@ Migration Issues.
 Problems corrected in 4.1.5.
-None.
+1) An optimization added to Shorewall-shell in 4.0.0 has been backed
+ out to work around a limitation of Busybox 'sed'.
+
+2) Previously, Shorewall would accept both an interface and an IP
+ address in tcrules POSTROUTING entries (such as CLASSIFY).
+
+ Example:
+
+ 1:11 eth1:192.168.4.9 - tcp 22
+
+ It also allows both a destination interface and address.
+
+ Example:
+
+ 1:P - eth1:192.168.4.9 tcp 22
+
+ Because Netfilter does not allow an input interface to be specified
+ in POSTROUTING or an output interface to be specified in
+ PREROUTING, Shorewall must use the routing table to generate a list
+ of networks accessed through any interface specified in these
+ cases. Given that a specific address (or set of addresses) has
+ already been specified, it makes no sense qualify it (them) by
+ another list of addresses.
 New Features in 4.1.5.
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 2312ee07c..6a1a03db5 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1941,6 +1941,9 @@ sub expand_rule( $$$$$$$$$$ )
 $dnets = ALLIPv4 unless $dnets;
 $onets = ALLIPv4 unless $onets;
+ fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv4;
+ fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIPv4;
+
 if ( $iexcl || $dexcl || $oexcl ) {
 #
 # We have non-trivial exclusion -- need to create an exclusion chain
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 44ce526e9..f3de85b4a 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -152,6 +152,10 @@ our %tcclasses;
 our $prefix;
+our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
+ tcpost => POSTROUTE_RESTRICT ,
+ tcfor => NO_RESTRICT ,
+ tcout => OUTPUT_RESTRICT );
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 # the compiler to run multiple times in the same process. The
@@ -226,7 +230,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 $target = 'CLASSIFY --set-class';
 }
 }
-
+
 my $mask = 0xffff;
 my ($cmd, $rest) = split( '/', $mark, 2 );
@@ -275,7 +279,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 }
 if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
- NO_RESTRICT ,
+ $restrictions{$chain} ,
 do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) ,
 $source ,
 $dest ,
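Review bot: The two new `fatal_error` lines say what is rejected but not why, and the rule is non-obvious enough to deserve a comment at the insertion point; the release notes in this same commit give the reason, so a comment such as `# Netfilter allows no input interface in POSTROUTING and no output interface in PREROUTING; such an interface is expanded into the networks routed through it, which would needlessly qualify an explicit address.` would keep the rationale next to the check. Both conditions compare the network string against ALLIPv4, so they rely on `$inets` having been defaulted to ALLIPv4 when empty the way `$dnets` and `$onets` are on the two lines above; that defaulting is not visible in the hunk and is worth confirming. The lines also run far past the file's usual width and could be wrapped before the postfix `if`. expand_rule's body starts and ends outside the hunk.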
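Review bot: `%restrictions` is a fixed lookup table, yet it is declared with `our` directly above the `# Initialize globals` comment block that describes per-run state, which suggests it is part of what gets reset between compiler runs when nothing in the hunk assigns to it again. A file-scoped `my %restrictions = ( ... );` would express that it is constant and keep it out of the package namespace; if it must remain `our` for access from another package, a one-line comment such as `# chain name -> expand_rule() restriction flag; constant, not reset between runs` would separate it from the re-initialized globals below. A blank line between the closing `);` and the following `#` comment block would also help the reader.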
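Review bot: `$restrictions{$chain}` yields undef for any chain name outside the four keys of `%restrictions`, and expand_rule() compares the value numerically (`$restriction == POSTROUTE_RESTRICT` in the Chains.pm hunk), so an unexpected chain would produce an uninitialized-value warning and fall through to the unrestricted case instead of a clear error. If `$chain` is not already constrained to tcpre/tcpost/tcfor/tcout earlier in process_tc_rule (that code is outside the hunk), a guard before the call, `fatal_error "Unknown chain $chain" unless exists $restrictions{$chain};`, would make the failure explicit at the point the mapping is consulted. The enclosing `if` continues past the end of the hunk.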