diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index d227f3f54..d0393a8c4 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -2,6 +2,8 @@ Changes in 2.3.2
 1) Add support for -j ROUTE
+2) Add TEST column to /etc/shorewall/routes
+
 Changes in 2.3.1
 1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 23a83d6df..83aed3649 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -5255,6 +5255,7 @@ add_a_route()
 {
 local r=
 local chain=routefwd
+ local marktest=
 if [ "x$source" != "x-" ]; then
 case ${source} in
@@ -5304,10 +5305,36 @@ add_a_route()
 [ "x$proto" = "x-" ] && proto=all
 [ "x$proto" = "x" ] && proto=all
 [ "$proto" = "all" ] || r="${r}-p $proto "
- [ "x$port" = "x-" ] || r="${r}--dport $port "
+ [ "x$port" = "x-" ] || r="${r}-m multiport --dports $port "
 fi
- [ "x${sport:--}" = "x-" ] || r="${r}--sport $sport "
+ if [ "x${sport:--}" != "x-" ]; then
+ [ "x$port" = "x-" ] && r="${r}-m multiport "
+ r="${r}--sports $sport "
+ fi
+
+ case $testval in
+ -)
+ ;;
+ !*:C)
+ marktest="connmark ! "
+ testval=${testval%:*}
+ testval=${testval#!}
+ ;;
+ *:C)
+ marktest="connmark "
+ testval=${testval%:*}
+ ;;
+ !*)
+ marktest="mark ! "
+ testval=${testval#!}
+ ;;
+ *)
+ [ -n "$testval" ] && marktest="mark "
+ ;;
+ esac
+
+ [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
 r="${r}-j ROUTE "
@@ -5336,10 +5363,10 @@ setup_routes() # $1 = file name
 run_iptables -t mangle -N routeout
 run_iptables -t mangle -A OUTPUT -j routeout
- while read source dest proto port sport interface gateway; do
+ while read source dest proto port sport testval interface gateway; do
- expandv source dest proto port sport interface gateway
- rule="$source $dest $proto $port $sport $interface $gateway"
+ expandv source dest proto port sport testval interface gateway
+ rule="$source $dest $proto $port $sport testval $interface $gateway"
 add_a_route
 done < $TMP_DIR/routes
 fi
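Review bot: The new source-port branch adds `-m multiport` only when `port` is "-", assuming the destination-port line just above has already emitted it; that line sits inside the `if` whose opening is outside this hunk, so if that block can be skipped while `port` is not "-", `--sports` is emitted without `-m multiport` and iptables rejects the rule. Deriving the check from the rule text rather than from `port` removes the coupling: `case $r in *"-m multiport "*) ;; *) r="${r}-m multiport " ;; esac` placed before `r="${r}--sports $sport "`. The mark test in `case $testval in` is handed to iptables without validation, so a value that is not a numeric mark fails only when the rule is applied rather than with a message naming the offending routes entry. add_a_route begins and ends outside this hunk.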
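Review bot: `rule="$source $dest $proto $port $sport testval $interface $gateway"` is missing the `$` on `testval`, so the rule string built for add_a_route (presumably used for diagnostics) carries the literal word testval instead of the TEST column's value; the intended line is `rule="$source $dest $proto $port $sport $testval $interface $gateway"`. Inserting `testval` before `interface` in the `read` also means an existing seven-column routes entry is now parsed with its interface as the mark test and its gateway as the interface, and nothing in this loop reports that. A comment such as `# TEST column is mandatory ("-" if unused); entries in the old 7-column format are no longer parsed correctly` above the `while read` would make the format change visible to the next reader. setup_routes continues outside this hunk.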
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 10ffb4ece..cdce5846b 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -64,6 +64,25 @@ New Features in version 2.3.2
 comma-separated list of port names, port numbers or port ranges.
+ TEST Defines a test on the existing packet or
+ connection mark.
+
+ The rule will match only if the test returns
+ true. Tests have the format
+ [!][/][:C]
+
+ Where:
+
+ ! Inverts the test (not equal)
+ Value of the packet or
+ connection mark.
+
+ A mask to be applied to the
+ mark before testing
+ :C Designates a connection
+ mark. If omitted, the packet
+ mark's value is tested.
+
 INTERFACE The interface that the packet is to be routed out of. If you do not specify this field then you must place "-" in this column and enter an
diff --git a/Shorewall2/routes b/Shorewall2/routes
index 22357b54a..6f93d96e4 100755
--- a/Shorewall2/routes
+++ b/Shorewall2/routes
@@ -11,6 +11,8 @@
 # In order to use entries in this file, your kernel and iptables must
 # have ROUTE target support.
 #
+# To omit any column, enter "-" in that column.
+#
 # Columns are:
 #
 #
@@ -50,22 +52,30 @@
 # for bit-torrent). If no PORT is given, "ipp2p" is
 # assumed.
 #
-# This column is ignored if PROTOCOL = all but must be
-# entered if any of the following field is supplied.
-# In that case, it is suggested that this field contain
-# "-"
-#
 # SOURCE PORT(S) (Optional) Source port(s). If omitted,
 # any source port is acceptable. Specified as a comma-
 # separated list of port names, port numbers or port
 # ranges.
 #
+# TEST Defines a test on the existing packet or connection mark.
+# The rule will match only if the test returns true. Tests
+# have the format [!][/][:C]
+#
+# Where:
+#
+# ! Inverts the test (not equal)
+# Value of the packet or connection mark.
+# A mask to be applied to the mark before
+# testing
+# :C Designates a connection mark. If omitted,
+# the packet mark's value is tested.
+#
 # INTERFACE The interface that the packet is to be routed out of.
 #
 # GATEWAY The gateway that the packet is to be forewarded through.
 #
 # See http://shorewall.net/Shorewall_and_Routing.html for additional information.
 #######################################################################################
-#SOURCE DEST PROTO PORT(S) SOURCE INTERFACE GATEWAY
-# PORT(S)
+#SOURCE DEST PROTO PORT(S) SOURCE TEST INTERFACE GATEWAY
+# PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE