diff --git a/New/Shorewall/Accounting.pm b/New/Shorewall/Accounting.pm index 6e2023394..7c6fb0f99 100644 --- a/New/Shorewall/Accounting.pm +++ b/New/Shorewall/Accounting.pm @@ -83,6 +83,7 @@ sub process_accounting_rule( $$$$$$$$ ) { expand_rule $chainref , + NO_RESTRICT , $rule , $source , $dest , @@ -95,6 +96,7 @@ sub process_accounting_rule( $$$$$$$$ ) { if ( $rule2 ) { expand_rule $jumpchainref , + NO_RESTRICT , $rule , $source , $dest , diff --git a/New/Shorewall/Actions.pm b/New/Shorewall/Actions.pm index f68a211ac..6b2154e62 100644 --- a/New/Shorewall/Actions.pm +++ b/New/Shorewall/Actions.pm @@ -388,6 +388,7 @@ sub process_action3( $$$$$ ) { my ( $action , $level ) = split_action $target; expand_rule ( $chainref , + NO_RESTRICT , do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate ) . do_user $user , $source , $dest , diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm index f836ef0af..c7a9fbcc7 100644 --- a/New/Shorewall/Chains.pm +++ b/New/Shorewall/Chains.pm @@ -41,6 +41,9 @@ our @EXPORT = qw( STANDARD ACTION MACRO LOGRULE + NO_RESTRICT + PREROUTE_RESTRICT + POSTROUTE_RESTRICT add_rule insert_rule @@ -198,6 +201,13 @@ our %targets = ('ACCEPT' => STANDARD, 'forwardUPnP' => BUILTIN + ACTION, 'Limit' => BUILTIN + ACTION, ); + +# +# expand_rule() restrictions +# +use constant { NO_RESTRICT => 0, + PREROUTE_RESTRICT => 1, + POSTROUTE_RESTRICT => 2 }; # # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ... # @@ -208,7 +218,9 @@ my $exclseq = 0; my $ipsetmatch = 0; my $iprangematch = 0; # - +# Keep track of whether there are run-time commands in the chain rules +# +my $slowstart = 0; # # Add a rule to a chain. Arguments are: # 
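Review bot: The three new constants in the Chains.pm `@@ -198` hunk carry no description of what they restrict, so a caller choosing between NO_RESTRICT, PREROUTE_RESTRICT and POSTROUTE_RESTRICT has to read expand_rule's body (not in this diff) to pick correctly. From the call sites in this commit, PREROUTE_RESTRICT accompanies nat DNAT chains and POSTROUTE_RESTRICT the masq/snat chains, which suggests each value suppresses the interface match that is invalid at that hook (no output interface before routing, no input interface after) — if that is right, say so next to the constants, e.g. `# Restrict which interface matches expand_rule() may emit: PREROUTE_RESTRICT for chains reached from nat PREROUTING (no -o available), POSTROUTE_RESTRICT for chains reached from nat POSTROUTING (no -i available).` The values 0/1/2 also read like independent bits; if exactly one is meant to be passed, the comment should state that too.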
@@ -228,6 +240,24 @@ sub add_rule($$) $ipsetmatch = 0; } +# +# Add a run-time command to a chain. Arguments are: +# +# Chain reference , Command +# +sub add_command($$) +{ + my ($chainref, $command) = @_; + + $command =~ s/^/~/mg; + + push @{$chainref->{rules}}, $command; + + $chainref->{referenced} = 1; + + $slowstart = 1; +} + # # Insert a rule into a chain. Arguments are: # @@ -904,9 +934,9 @@ sub log_rule( $$$$ ) { # # This function provides a uniform way to generate rules (something the original Shorewall sorely needed). # -sub expand_rule( $$$$$$$$$ ) +sub expand_rule( $$$$$$$$$$ ) { - my ($chainref , $rule, $source, $dest, $origdest, $target, $loglevel , $disposition, $exceptionrule ) = @_; + my ($chainref , $restrictions, $rule, $source, $dest, $origdest, $target, $loglevel , $disposition, $exceptionrule ) = @_; my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl ); # @@ -1146,7 +1176,7 @@ sub insertnatjump( $$$$ ) { sub create_netfilter_load() { emit 'setup_netfilter()'; emit '{'; - emit ' iptables-restore << __EOF__'; + emit( $slowstart ? ' iptables_slow_restore << __EOF__' : ' iptables-restore << __EOF__' ); for my $table qw/raw nat mangle filter/ { emit "*$table"; diff --git a/New/Shorewall/Nat.pm b/New/Shorewall/Nat.pm index 249f991a4..5fe1a5f0f 100644 --- a/New/Shorewall/Nat.pm +++ b/New/Shorewall/Nat.pm @@ -209,7 +209,7 @@ sub setup_one_masq($$$$$$) # # And Generate the Rule(s) # - expand_rule ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface), $rule, $networks, $destnets, '', $target, '', '' , ''; + expand_rule ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface), POSTROUTE_RESTRICT , $rule, $networks, $destnets, '', $target, '', '' , ''; progress_message " Masq record \"$line\" $done"; diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm index 048d06d14..f0ef41820 100644 --- a/New/Shorewall/Rules.pm +++ b/New/Shorewall/Rules.pm 
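Review bot: In add_command the leading `~` stamped on every line (`s/^/~/mg`) is the only thing that distinguishes a run-time command from an iptables rule once it is pushed into the same `rules` array add_rule fills, yet neither that marker nor the `$slowstart` side effect is mentioned in the header comment. Whatever later walks `rules` must never receive an ordinary rule that happens to begin with `~`, and if the marked lines are handed to the shell at load time, callers must pass only compiler-generated text, never raw configuration fields — both are worth stating on the sub. Suggested header: `# Add a run-time command to a chain. Every line of $command is prefixed with '~' so the ruleset emitter can tell it from an iptables rule; adding one sets $slowstart, which makes create_netfilter_load() use iptables_slow_restore instead of iptables-restore.`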
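Review bot: The new second parameter `$restrictions` of expand_rule is unpacked but nothing visible documents or validates it, and the body where it presumably takes effect lies outside the hunk. Because it now sits between `$chainref` and `$rule`, a caller not updated in this commit that still passes nine arguments is caught by the `($$$$$$$$$$)` prototype only when the prototype is visible at compile time; a call made via `&expand_rule` or compiled before the import would instead shift every argument by one and feed `$rule` into `$restrictions`. A comment such as `# $restrictions: one of NO_RESTRICT, PREROUTE_RESTRICT or POSTROUTE_RESTRICT, limiting which interface matches may be emitted for this chain` plus a cheap guard, e.g. `die "expand_rule: bad restriction '$restrictions'" unless $restrictions =~ /^[012]\z/;`, would turn a shifted call into an immediate compile-time failure rather than a mis-generated firewall; widen the check if the values are meant to combine.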
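Review bot: create_netfilter_load now emits `iptables_slow_restore` whenever `$slowstart` is set, and the generated script gives the reader no indication of why the load method changed. `iptables-restore` commits each table in one transaction; if the slow variant (a shell function by its name, not the binary) replays rules individually, a failure part-way through leaves a partially installed ruleset during start-up, which is a real exposure window for a firewall and should be stated at the emit site, e.g. `# Run-time commands (~ lines) cannot pass through iptables-restore's atomic commit, so fall back to the line-by-line loader.` Whether that is actually how iptables_slow_restore behaves needs confirming against the runtime library that defines it, since it is not in this diff. The heredoc delimiter is unquoted in both branches, so the body remains subject to shell expansion — existing behaviour, but worth keeping in mind now that run-time commands are embedded in it.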
@@ -193,6 +193,7 @@ sub setup_blacklist() { expand_rule ensure_filter_chain( 'blacklst' , 0 ) , + NO_RESTRICT , do_proto( $protocol , $ports, '' ) , $networks , '' , @@ -906,6 +907,7 @@ sub process_rule1 ( $$$$$$$$$ ) { # expand_rule ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ) , + PREROUTE_RESTRICT , $rule , $source , $origdest , @@ -929,6 +931,7 @@ sub process_rule1 ( $$$$$$$$$ ) { expand_rule ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) , + PREROUTE_RESTRICT , $rule , $source , $dest , @@ -950,6 +953,7 @@ sub process_rule1 ( $$$$$$$$$ ) { expand_rule ensure_chain ('filter', $chain ) , + NO_RESTRICT , $rule , $source , $dest , diff --git a/New/Shorewall/Tc.pm b/New/Shorewall/Tc.pm index 014f8ee2d..6270f5f11 100644 --- a/New/Shorewall/Tc.pm +++ b/New/Shorewall/Tc.pm @@ -199,6 +199,7 @@ sub process_tc_rule( $$$$$$$$$$ ) { expand_rule ensure_chain( 'mangle' , $chain ) , + NO_RESTRICT , do_proto( $proto, $ports, $sports) . do_test( $testval, $mask ) , $source , $dest ,
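Review bot: In the `@@ -906` hunk PREROUTE_RESTRICT is passed unconditionally, but the chain selected on the line just above is nat OUTPUT when the source zone is the firewall and only otherwise the per-zone DNAT chain reached from PREROUTING; OUTPUT has no input interface to match while PREROUTING has no output interface, so a single restriction value cannot be correct for both targets. If PREROUTE_RESTRICT suppresses the output-interface match (inferred from its name and the masq call site, as expand_rule's body is outside this diff), the firewall-zone path can still emit an `-i` match in OUTPUT, which iptables rejects at load time, or it silently drops a legitimate `-o` match. The selector should be conditional, e.g. `$zones{$sourcezone}{type} eq 'firewall' ? <OUTPUT restriction> : PREROUTE_RESTRICT ,`, where the OUTPUT restriction is a new constant the current set does not provide. The same pattern is repeated in the following `@@ -929` hunk and should be fixed together.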