diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 553cf6e63..03e14f75b 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -731,6 +731,7 @@ sub initialize( $;$$) {
 USE_PHYSICAL_NAMES => undef,
 HELPERS => undef,
 AUTOHELPERS => undef,
+ RESTORE_ROUTEMARKS => undef,
 #
 # Packet Disposition
 #
@@ -4552,6 +4553,7 @@ sub get_configuration( $$$ ) {
 default_yes_no 'USE_PHYSICAL_NAMES' , '';
 default_yes_no 'IPSET_WARNINGS' , 'Yes';
 default_yes_no 'AUTOHELPERS' , 'Yes';
+ default_yes_no 'RESTORE_ROUTEMARKS' , 'Yes';
 if ( supplied $config{HELPERS} ) {
 my %helpers_temp = %helpers_enabled;
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 9cd225e79..008c703eb 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -121,7 +121,11 @@ sub setup_route_marking() {
 require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
- add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+ if ( $config{RESTORE_ROUTEMARKS} ) {
+ add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+ } else {
+ add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+ }
 my $chainref = new_chain 'mangle', 'routemark';
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 512802886..9f2f7cf5c 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -186,6 +186,8 @@ REQUIRE_INTERFACE=Yes
 RESTORE_DEFAULT_ROUTE=Yes
+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
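Review bot: The manpage text this commit adds for RESTORE_ROUTEMARKS (in shorewall.conf.xml and shorewall6.conf.xml) describes the No case as "the mark is restored even when it is zero", which is the opposite of what the else branch in setup_route_marking does: with `connmark => "! --mark 0/$mask"` the CONNMARK --restore-mark rule placed in PREROUTING and OUTPUT fires only when the saved mark, under the provider mask, is non-zero (assuming the `connmark` key emits a connmark match, as its name suggests). The No paragraph should instead read along the lines of `When this option is set to No, the mark is restored only when the saved mark is non-zero.` so that administrators choosing the setting for the ESP routing problem it mentions are not misled. The two branches also differ only by that one key/value pair; if add_ijump takes a flat key/value list as these calls suggest, a single call with the conditional match spliced in avoids duplicating the long line: `my @only_marked = $config{RESTORE_ROUTEMARKS} ? () : ( connmark => "! --mark 0/$mask" );` followed by `add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", @only_marked for qw/PREROUTING OUTPUT/;`. setup_route_marking continues past the end of the hunk.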
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index 6eabebf6d..d6e718e0b 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -197,6 +197,8 @@ REQUIRE_INTERFACE=No RESTORE_DEFAULT_ROUTE=Yes +RESTORE_ROUTEMARKS=Yes + RETAIN_ALIASES=No ROUTE_FILTER=No diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index 9d6ba575f..c0f6c8fff 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -195,6 +195,8 @@ REQUIRE_INTERFACE=No RESTORE_DEFAULT_ROUTE=Yes +RESTORE_ROUTEMARKS=Yes + RETAIN_ALIASES=No ROUTE_FILTER=No diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index 2db35263c..ea3416b59 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -198,6 +198,8 @@ REQUIRE_INTERFACE=No RESTORE_DEFAULT_ROUTE=Yes +RESTORE_ROUTEMARKS=Yes + RETAIN_ALIASES=No ROUTE_FILTER=No diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 68b6b97c7..d159ea98f 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -186,6 +186,8 @@ REQUIRE_INTERFACE=No RESTORE_DEFAULT_ROUTE=Yes +RESTORE_ROUTEMARKS=Yes + RETAIN_ALIASES=No ROUTE_FILTER=No diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index bc010f3d8..dbb58787a 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -96,7 +96,7 @@ role="bold">none} - + @@ -106,7 +106,7 @@ role="bold">none} - + @@ -116,7 +116,7 @@ role="bold">none} - + @@ -126,7 +126,7 @@ role="bold">none} - + @@ -525,7 +525,7 @@
- + If CONFIG_PATH is not given or if it is set to the empty value then the contents of /usr/share/shorewall/configpath are @@ -932,7 +932,7 @@ net all DROP infothen the chain name is 'net2all' - +
If this variable is not set or is given an empty value @@ -1142,7 +1142,7 @@ net all DROP infothen the chain name is 'net2all' - +
For example, using the default LOGFORMAT, the log prefix for @@ -1159,7 +1159,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. - + Do not use this option if the resulting log messages will @@ -1823,7 +1823,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - + @@ -1934,6 +1934,22 @@ net all DROP infothen the chain name is 'net2all' + + RESTORE_ROUTEMARKS=[Yes|No] + + + Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are + restored unconditionally at the top of the mangle OUTPUT and + PREROUTING chains, even if the saved mark is zero. When this option + is set to No, the mark is restored + even when it is zero. If you have problems with IPSEC ESP packets + not being routed correctly on output, try setting this option to + No. + + + RESTOREFILE=filename diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index 826db4099..63c3c8d87 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No REQUIRE_INTERFACE=Yes +RESTORE_ROUTEMARKS=Yes + TC_ENABLED=No TC_EXPERT=No diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 518ac9030..68922aabf 100644 --- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No REQUIRE_INTERFACE=No +RESTORE_ROUTEMARKS=Yes + TC_ENABLED=No TC_EXPERT=No diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index 01b81f97f..912b9af28 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No REQUIRE_INTERFACE=No +RESTORE_ROUTEMARKS=Yes + TC_ENABLED=No TC_EXPERT=No 
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 0d9360a14..86c3e7f65 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No REQUIRE_INTERFACE=No +RESTORE_ROUTEMARKS=Yes + TC_ENABLED=No TC_EXPERT=No diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index 946060722..e31a52ecf 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No REQUIRE_INTERFACE=No +RESTORE_ROUTEMARKS=Yes + TC_ENABLED=No TC_EXPERT=No diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 7f7d38de0..52a1a377b 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -82,7 +82,7 @@ role="bold">none} - + @@ -92,7 +92,7 @@ role="bold">none} - + @@ -102,7 +102,7 @@ role="bold">none} - + @@ -112,7 +112,7 @@ role="bold">none} - + @@ -1005,7 +1005,7 @@ net all DROP infothen the chain name is 'net2all' - +
For example, using the default LOGFORMAT, the log prefix for @@ -1022,7 +1022,7 @@ net all DROP infothen the chain name is 'net2all' control your firewall after you enable this option. - + Do not use this option if the resulting log messages will @@ -1621,7 +1621,7 @@ net all DROP infothen the chain name is 'net2all' role="bold">" - + @@ -1712,6 +1712,22 @@ net all DROP infothen the chain name is 'net2all' + + RESTORE_ROUTEMARKS=[Yes|No] + + + Added in Shorewall 4.5.9. When set to Yes (the default), provider marks are + restored unconditionally at the top of the mangle OUTPUT and + PREROUTING chains, even if the saved mark is zero. When this option + is set to No, the mark is restored + even when it is zero. If you have problems with IPSEC ESP packets + not being routed correctly on output, try setting this option to + No. + + + RESTOREFILE=filename