diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index d2d87cb45..f493ef841 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -8,6 +8,8 @@ Changes in 4.0.1
 4) Corrent handling of 'PATH' in Shorewall-perl.
+5) Correct handling of ECN with MANGLE_FORWARD.
+
 Changes in 4.0.0 Final
 1) Fix lite install.sh manpage problem.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 77196fbc1..946e89c23 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -58,6 +58,10 @@ Problems corrected in 4.0.1.
 6) If no PATH was available when Shorewall-perl is run, a Perl run-time warning was issued.
+7) If the "Mangle FORWARD Chain" capability was supported, entries in
+ the /etc/shorewall/ecn file would cause invalid iptables
+ commands to be generated.
+
 Other changes in Shorewall 4.0.1.
 1) A new EXPAND_POLICIES option is added to shorewall.conf. The
diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler
index 3734a2212..a26c67d26 100755
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@@ -869,13 +869,8 @@ setup_ecn() # $1 = file name
 flushmangle $chain
 else
 createmanglechain $chain
-
- if [ -n "$MANGLE_FORWARD" ]; then
- run_iptables -t mangle -A PREROUTING -p tcp -o $interface -j $chain
- else
- run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
- run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
- fi
+ run_iptables -t mangle -A POSTROUTING -p tcp -o $interface -j $chain
+ run_iptables -t mangle -A OUTPUT -p tcp -o $interface -j $chain
 fi
 done
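Review bot: The two surviving `run_iptables` jumps in setup_ecn carry no comment saying why MANGLE_FORWARD is no longer consulted, so the removed branch is easy to reintroduce later. The release note in this commit says the old path generated invalid iptables commands, which is consistent with `-o $interface` being rejected in PREROUTING, where the output interface is not yet known. I would add above the first jump: `# ECN rules match on -o, which is only valid after routing; always use POSTROUTING and OUTPUT, whatever MANGLE_FORWARD says`. Locally generated TCP passes mangle OUTPUT and then mangle POSTROUTING, so it presumably enters `$chain` twice; that looks harmless if the chain's rules are idempotent, but they are not visible in this hunk, and setup_ecn's body starts and ends outside it.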