diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 11e8084f0..60667e0ac 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -843,6 +843,7 @@ sub initialize( $;$$) {
TRACK_RULES => undef,
REJECT_ACTION => undef,
INLINE_MATCHES => undef,
+ BASIC_FILTERS => undef,
#
# Packet Disposition
#
@@ -5585,6 +5586,9 @@ sub get_configuration( $$$$$ ) {
default_yes_no 'CHAIN_SCRIPTS' , 'Yes';
default_yes_no 'TRACK_RULES' , '';
default_yes_no 'INLINE_MATCHES' , '';
+ default_yes_no 'BASIC_FILTERS' , '';
+
+ require_capability( 'BASIC_EMATCH', 'BASIC_FILTERS=Yes', 's' ) if $config{BASIC_FILTERS};
if ( $val = $config{REJECT_ACTION} ) {
fatal_error "Invalid Reject Action Name ($val)" unless $val =~ /^[a-zA-Z][\w-]*$/;
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index a49434589..b4da4d87c 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2512,7 +2512,7 @@ sub process_tc_filter() {
fatal_error 'CLASS must be specified' if $devclass eq '-';
- if ( have_capability 'BASIC_EMATCH' ) {
+ if ( $config{BASIC_FILTERS} ) {
for my $proto ( split_list $protos, 'Protocol' ) {
process_tc_filter2( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority );
}
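Review bot: The condition at the `if ( $config{BASIC_FILTERS} )` line changes behaviour for existing installations: a host where BASIC_EMATCH was detected previously got basic filters automatically, but with BASIC_FILTERS defaulting to No the same tcfilters entries now silently compile to u32 filters. If the u32 branch (the `else` path, outside this hunk) cannot express everything the basic path accepts — the man page added in this commit cites ipset matches — an entry that needs those features should be rejected there with `fatal_error`, not compiled into a narrower filter that no longer classifies or rate-limits the intended traffic. A one-time notice would also ease the transition, e.g. `warning_message "BASIC_EMATCH is available but BASIC_FILTERS=No; u32 filters will be generated" if have_capability 'BASIC_EMATCH';` guarded so it fires once per compile (assuming warning_message is the usual helper here), plus a release-note entry. process_tc_filter starts before and continues after this hunk.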
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index a0d2ebe3b..1e01be800 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -120,6 +120,8 @@ ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
+BASIC_FILTERS=No
+
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 8c18e586f..6a95de9a9 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -131,6 +131,8 @@ ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
+BASIC_FILTERS=No
+
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index 2b10a5873..ce30abb8a 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -129,6 +129,8 @@ ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
+BASIC_FILTERS=No
+
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 43b284705..a1373d32b 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -132,6 +132,8 @@ ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
+BASIC_FILTERS=No
+
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index f3dd065a7..26bb4aec6 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -120,6 +120,8 @@ ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
+BASIC_FILTERS=No
+
IGNOREUNKNOWNVARIABLES=No
AUTOCOMMENT=Yes
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 82fa1e181..787b840e0 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -389,6 +389,30 @@
+
+ BASIC_FILTERS=[Yes|No]
+
+
+ Added in Shorewall-4.6.0. When set to Yes, causes entries in shorewall-tcfilters(5) to
+ generate a basic filter rather than a u32 filter. This setting
+ requires the Basic Ematch capability in your
+ kernel and iptables.
+
+
+ One of the advantages of basic filters is that ipset matches
+ are supported in newer iproute2 and kernel versions. Because
+ Shorewall cannot reliably detect this capability, use of basic
+ filters is controlled by this option.
+
+
+ The default value is No which
+ causes u32 filters to be generated.
+
+
+
BLACKLIST=[{ALL|
+
+ BASIC_FILTERS=[Yes|No]
+
+
+ Added in Shorewall-4.6.0. When set to Yes, causes entries in shorewall6-tcfilters(5) to
+ generate a basic filter rather than a u32 filter. This setting
+ requires the Basic Ematch capability in your
+ kernel and iptables.
+
+
+ One of the advantages of basic filters is that ipset matches
+ are supported in newer iproute2 and kernel versions. Because
+ Shorewall6 cannot reliably detect this capability, use of basic
+ filters is controlled by this option.
+
+
+ The default value is No which causes u32 filters to be
+ generated.
+
+
+
BLACKLIST=[{ALL|