diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 6c26f5dbb..61f5fdbdb 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -12,6 +12,8 @@ Changes in 3.3.3
 
 6) Add macro.RDP.
 
+7) Implement MACLIST_LOG_BROADCASTS.
+
 Changes in 3.3.1
 
 1) Load the proxyarp lib when 'proxyarp' option is specified.
diff --git a/Shorewall/lib.config b/Shorewall/lib.config
index 3d8f5eb94..8ff4faf2f 100644
--- a/Shorewall/lib.config
+++ b/Shorewall/lib.config
@@ -1731,6 +1731,7 @@ do_initialize() {
     REJECT_DEFAULT=
     ACCEPT_DEFAULT=
     QUEUE_DEFAULT=
+    MACLIST_LOG_BROADCASTS=
     LOGLIMIT=
     LOGPARMS=
 
@@ -1859,17 +1860,17 @@ do_initialize() {
     [ -n "$FORWARDPING" ] && \
         fatal_error "FORWARDPING=Yes is no longer supported"
 
-    maclist_target=reject
+    MACLIST_TARGET=reject
 
     if [ -n "$MACLIST_DISPOSITION" ] ; then
         case $MACLIST_DISPOSITION in
             REJECT)
                 ;;
             DROP)
-                maclist_target=DROP
+                MACLIST_TARGET=DROP
                 ;;
             ACCEPT)
-                maclist_target=RETURN
+                MACLIST_TARGET=RETURN
                 ;;
             *)
                 fatal_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
@@ -1944,6 +1945,7 @@ do_initialize() {
     HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
     TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
     USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
+    MACLIST_LOG_BROADCASTS=$(added_param_value_yes MACLIST_LOG_BROADCASTS $MACLIST_LOG_BROADCASTS)
     [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
     [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
diff --git a/Shorewall/lib.maclist b/Shorewall/lib.maclist
index 48ca26cf2..bb6478dee 100644
--- a/Shorewall/lib.maclist
+++ b/Shorewall/lib.maclist
@@ -41,7 +41,7 @@ setup_mac_lists() {
     local ipsec
     local policy=
 
-    create_mac_chain()
+    create_mac_chain()
     {
         case $MACLIST_TABLE in
             filter)
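Review bot: The added `MACLIST_LOG_BROADCASTS=$(added_param_value_yes MACLIST_LOG_BROADCASTS $MACLIST_LOG_BROADCASTS)` line leaves the consumer's contract undocumented: lib.maclist tests the option with `-z "$MACLIST_LOG_BROADCASTS"`, so the feature only works if added_param_value_yes maps 'No' to the empty string, which I cannot confirm from these hunks. A comment on the added line, e.g. `# normalized to 'Yes' or empty (No); lib.maclist tests -z`, would record that dependency where the normalization happens. The rename of maclist_target to MACLIST_TARGET in the preceding hunk likewise deserves a one-line comment noting that lib.maclist jumps to it (`-j $MACLIST_TARGET`), since nothing else marks it as a cross-library variable. do_initialize starts and ends outside these hunks.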
@@ -198,7 +198,7 @@ setup_mac_lists() {
     for interface in $maclist_interfaces; do
         [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
-
+
         if [ -n "$MACLIST_LOG_LEVEL" -o $MACLIST_DISPOSITION != ACCEPT ]; then
             indent >&3 << __EOF__
 
@@ -221,20 +221,45 @@ __EOF__
         fi
 
         if [ -n "$MACLIST_LOG_LEVEL" ]; then
+            if [ $MACLIST_DISPOSITION != ACCEPT -a -z "$MACLIST_LOG_BROADCASTS" ]; then
+                #
+                # Don't log broadcasts
+                #
+                if [ -n "$USEPKTTYPE" ]; then
+                    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type broadcast -j DROP
+                    run_iptables -t $MACLIST_TABLE -A $chain -m pkttype --pkt-type multicast -j DROP
+                else
+                    for interface in $(find_bcastdetect_interfaces); do
+                        indent >&3 << __EOF__
+
+ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u | while read address; do
+    run_iptables -t $MACLIST_TABLE -A $chain -d \$address -j DROP
+done
+
+__EOF__
+                    done
+
+                    for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
+                        run_iptables -t $MACLIST_TABLE -A $chain -d $address -j DROP
+                    done
+                fi
+            fi
+
             log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A -t $MACLIST_TABLE
         fi
 
         if [ $MACLIST_DISPOSITION != ACCEPT ]; then
-            run_iptables -A $chain -t $MACLIST_TABLE -j $maclist_target
+            run_iptables -A $chain -t $MACLIST_TABLE -j $MACLIST_TARGET
         fi
     done
     #
     # Generate jumps from the input and forward chains
     #
+    [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
+
     for hosts in $maclist_hosts; do
         ipsec=${hosts%^*}
         hosts=${hosts#*^}
-        [ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=
         interface=${hosts%%:*}
         hosts=${hosts#*:}
         case $MACLIST_TABLE in
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index a4c98b96b..13535acc1 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
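Review bot: The hoisted `[ -n "$POLICY_MATCH" ] && policy="-m policy --pol $ipsec --dir in" || policy=` now runs before `ipsec=${hosts%^*}` is assigned inside the `for hosts in $maclist_hosts` loop, so every host's IPsec policy match is built from whatever `$ipsec` held beforehand; `local ipsec` at the top of setup_mac_lists has no initializer, so unless it is assigned somewhere between there and here (outside this hunk), `--pol` gets an empty argument and the per-host ipsec/none distinction that the `^` separator carries is lost. The line belongs back inside the loop, directly after `hosts=${hosts#*^}`. Separately, the new `for interface in $(find_bcastdetect_interfaces); do` loop reuses the variable of the enclosing `for interface in $maclist_interfaces` loop (which opens outside this hunk), so once it has run the following `log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) ...` names the wrong chain in the log prefix; rename it, e.g. `for bcast_if in $(find_bcastdetect_interfaces); do` and `ip -f inet addr show $bcast_if 2> /dev/null | ...` in the heredoc. Note also that the `-j DROP` rules precede the log rule, so with MACLIST_LOG_BROADCASTS=No a REJECT disposition becomes a silent DROP for broadcast/multicast traffic, which the option's documentation should say plainly. setup_mac_lists starts and ends outside this hunk.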
@@ -117,6 +117,14 @@ Other changes in 3.3.3
 4) A new macro (macro.RDP) has been added for Microsoft Remote Desktop.
    This macro was contributed by Tuomo Soini.
 
+5) A new MACLIST_LOG_BROADCASTS option has been added to
+   shorewall.conf. When set to 'No', suppresses logging of broadcast
+   and multicast traffic as a result of MACLIST_LOG_LEVEL having been
+   set to a non-empty value.
+
+   The default is MACLIST_LOG_BROADCASTS=Yes which is compatible with
+   the traditional behavior of MACLIST_LOG_LEVEL.
+
 Migration Considerations:
 
 1) Shorewall supports the notion of "default actions". A default
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index f2a975c9a..dd075aae3 100644
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -228,11 +228,19 @@ BLACKLIST_LOGLEVEL=
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
 #
+# If MACLIST_LOG_LEVEL is non-empty, then MACLIST_LOG_BROADCASTS determines
+# whether broadcast/multicast traffic is dropped or rejected silently.
+#
+# MACLIST_LOG_BROADCASTS=No -- Don't log broadcast/multicast
+# MACLIST_LOG_BROADCASTS=Yes -- Log broadcast/multicast (Default)
+#
 # See the comment at the top of this section for a description of log levels
 #
 MACLIST_LOG_LEVEL=info
+MACLIST_LOG_BROADCASTS=Yes
+
 #
 # TCP FLAGS Log Level
 #
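Review bot: The added comment `# whether broadcast/multicast traffic is dropped or rejected silently.` does not match what lib.maclist does with the option: with MACLIST_LOG_BROADCASTS=No and MACLIST_DISPOSITION set to DROP or REJECT, broadcast and multicast traffic that fails MAC verification is silently DROPped (never rejected) ahead of the log rule, and with MACLIST_DISPOSITION=ACCEPT the option has no effect at all. I would replace the first two added comment lines with `# If MACLIST_LOG_LEVEL is non-empty and MACLIST_DISPOSITION is DROP or REJECT,` / `# MACLIST_LOG_BROADCASTS=No silently DROPs broadcast/multicast traffic that` / `# fails MAC verification instead of logging it (no effect with ACCEPT).` An operator reading only this file would otherwise expect REJECT to still apply to such traffic.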