diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 292b0518f..42b1fa357 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -15,6 +15,8 @@ Changes in 2.2.4
 7) Add support for SAME
+8) Add 'shorewall show capabilities'
+
 Changes in 2.2.3
 1) Added the 'continue' extension script.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 5c152137a..cff3bc873 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2826,6 +2826,12 @@ check_config() {
 [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
 fi
+ [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
+
+ if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
+ startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+ fi
+
 echo "Determining Zones..."
 determine_zones
@@ -5743,6 +5749,11 @@ initialize_netfilter () {
 [ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
 fi
+ [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
+
+ if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
+ startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+ fi
 [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
 startup_error "RFC1918_STRICT=Yes requires Connection Tracking match"
@@ -7562,12 +7573,6 @@ do_initialize() {
 LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
 DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
 RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
-
- [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
-
- if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
- startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
- fi
 #
 # Strip the files that we use often
 #
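Review bot: The MACLIST_TTL normalisation and Recent Match check added to check_config() here is the same five lines added again to initialize_netfilter() in the next hunk, and neither copy rejects a value that is not a number — a MACLIST_TTL of, say, `abc` passes the `-n` test and, assuming the value is later handed to iptables as a TTL in seconds as its name suggests, would only fail somewhere in rule generation instead of at this startup_error. I would move the block into one helper that both callers invoke and give it a numeric guard so the failure is reported up front with the same clear message style. check_config()'s body starts and ends outside the hunk, so the helper would need to live at file level before its first caller.
```sh
# Normalise MACLIST_TTL ("0" means disabled) and refuse to continue when the
# value is unusable or the Recent Match extension is missing.
# Called from check_config() and initialize_netfilter().
check_maclist_ttl() {
    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=

    case "$MACLIST_TTL" in
	*[!0-9]*)
	    startup_error "Invalid MACLIST_TTL value: $MACLIST_TTL"
	    ;;
    esac

    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
	startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
    fi
}

    # … unchanged: BRIDGING / Physdev Match check in check_config() …
    check_maclist_ttl

    echo "Determining Zones..."
```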
@@ -7752,6 +7757,10 @@ case "$COMMAND" in
 EMPTY= $@
 ;;
+ capabilities)
+ do_initialize
+ report_capabilities
+ ;;
 *)
 usage
 ;;
diff --git a/Shorewall2/help b/Shorewall2/help
index a0e58a706..1ec86f6c0 100644
--- a/Shorewall2/help
+++ b/Shorewall2/help
@@ -254,6 +254,8 @@ show)
 shorewall show zones - displays the contents of all zones.
+ shorewall show capabilities - displays your kernel/iptables capabilities
+
 When -x is given, that option is also passed to iptables to display
 actual packet and byte counts."
 ;;
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 1fddb0aba..0b26e4636 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -127,6 +127,30 @@ New Features in version 2.2.4
 the keyword SAME replacing DNAT. As in the masq file, changing the port
 number is not supported.
+5) A "shorewall show capabilities" command has been added to report the
+ capabilities of your kernel and iptables.
+
+ Example:
+
+ gateway:~# shorewall show capabilities
+ Loading /usr/share/shorewall/functions...
+ Processing /etc/shorewall/params ...
+ Processing /etc/shorewall/shorewall.conf...
+ Loading Modules...
+ Shorewall has detected the following iptables/netfilter capabilities:
+ NAT: Available
+ Packet Mangling: Available
+ Multi-port Match: Available
+ Extended Multi-port Match: Available
+ Connection Tracking Match: Available
+ Packet Type Match: Not available
+ Policy Match: Available
+ Physdev Match: Available
+ IP range Match: Available
+ Recent Match: Available
+ Owner Match: Available
+ gateway:~#
+
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.3
diff --git a/Shorewall2/shorewall b/Shorewall2/shorewall
index 85079da45..650e95924 100755
--- a/Shorewall2/shorewall
+++ b/Shorewall2/shorewall
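Review bot: The new `capabilities)` arm of the `case "$COMMAND"` dispatch gives a reader no hint of where the values it prints are established: `report_capabilities` is not defined anywhere in this diff, and the release-notes transcript ("Loading Modules..." printed before the report) suggests the probing happens inside `do_initialize`, which makes the two calls order-dependent in a way the arm does not show. A one-line comment above the arm would make the dependency explicit, e.g. `# capabilities are detected during do_initialize; report_capabilities only prints them`. If the detection inside do_initialize is conditional on something (a COMMAND value, a module load), that is worth stating in the same comment — I cannot confirm either way from this hunk. The enclosing `case` starts and ends outside the hunk.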
@@ -58,6 +58,7 @@
 # shorewall show {mangle|tos} Display the rules in the mangle table
 # shorewall show tc Display traffic control info
 # shorewall show classifiers Display classifiers
+# shorewall show capabilities Display iptables/kernel capabilities
 # shorewall version Display the installed version id
 # shorewall check Verify the more heavily-used
 # configuration files.
@@ -537,7 +538,8 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 host=$(echo $HOSTNAME | sed 's/\..*$//')
 oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
- if [ $1 -lt 0 ]; then
+ if [ $1 -lt 0 ]; then> -Tom
+
 timeout=$((- $1))
 pause="Yes"
 else
@@ -616,7 +618,7 @@ usage() # $1 = exit status
 echo " restart [ ]"
 echo " restore [ ]"
 echo " save [ ]"
- echo " show [ [ ... ]|classifiers|connections|log|nat|tc|tos|zones]"
+ echo " show [ [ ... ]|capabilities|classifiers|connections|log|nat|tc|tos|zones]"
 echo " start [ ]"
 echo " stop"
 echo " status"
@@ -938,6 +940,9 @@ case "$1" in
 exit 1
 fi
 ;;
+ capabilities)
+ exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock capabilities
+ ;;
 *)
 shift
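Review bot: The replacement `if` line in the logwatch() hunk carries a stray `> -Tom` that reads like an editor or mail-signature accident rather than code: as far as I can tell `then> -Tom` parses as `then` followed by a bare redirection, so every negative-timeout call would create or truncate a file literally named `-Tom` in the current directory, and the added empty line after it changes nothing. The hunk removes and re-adds the line with no intended change, so it should simply restore `if [ $1 -lt 0 ]; then` and drop the extra blank line, leaving the net effect of this hunk nil. logwatch() continues outside the hunk in both directions.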