diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 7ca39c0e7..14b4e746c 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,3 +2,4 @@ Changes since 1.4.9
 1) Implement destination list in masq file.
+2) Appled Frédéric LESPEZ's patch for packet marking by user/group id.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 3c28f11e0..18d1ca2aa 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1709,6 +1709,25 @@ process_tc_rule()
 esac
 fi
+ if [ "x$user" != "x-" ]; then
+
+ [ "$chain" != tcout ] && \
+ fatal_error "Invalid use of a user/group: rule \"$rule\""
+
+ case "$user" in
+ *:*)
+ r="$r-m owner"
+ temp="${user%:*}"
+ [ -n "$temp" ] && r="$r --uid-owner $temp "
+ temp="${user#*:}"
+ [ -n "$temp" ] && r="$r --gid-owner $temp "
+ ;;
+ *)
+ r="$r-m owner --uid-owner $user "
+ ;;
+ esac
+ fi
+
 [ "x$dest" = "x-" ] || r="${r}-d $dest "
 [ "$proto" = "all" ] || r="${r}-p $proto "
 [ "x$port" = "x-" ] || r="${r}--dport $port "
@@ -1767,9 +1786,9 @@ setup_tc1() { # strip_file tcrules
- while read mark sources dests proto ports sports; do
- expandv mark sources dests proto ports sports
- rule=`echo "$mark $sources $dests $proto $ports $sports"`
+ while read mark sources dests proto ports sports user; do
+ expandv mark sources dests proto ports sports user
+ rule=`echo "$mark $sources $dests $proto $ports $sports $user"`
 process_tc_rule
 done < $TMP_DIR/tcrules
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 4c9772fd7..4b4819201 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
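Review bot: The new USER guard in process_tc_rule compares `$user` only against `-`, so a tcrules line that simply omits the new trailing column (every pre-existing file, since `read … user` leaves the variable empty) falls into the `*)` branch and appends `-m owner --uid-owner ` with no argument, which iptables rejects at run time; unless process_tc_rule already normalises empty columns to `-` above this hunk, the test should be `if [ -n "$user" ] && [ "x$user" != "x-" ]; then`, or `[ -z "$user" ] && user=-` should precede it. A value of just `:` has the same effect through the `*:*` branch: both `$temp` tests fail and the rule is emitted as bare `-m owner`, which the owner match refuses because it requires at least one --uid-owner/--gid-owner option, so that case deserves a `fatal_error` here rather than a deferred iptables failure. Note also that `${user%:*}` strips only the last `:`, so a malformed `a:b:c` silently becomes uid `a:b` and gid `c`; rejecting more than one colon would surface the typo at configuration time. process_tc_rule starts and ends outside the hunk, as does the setup_tc1 read loop in the next hunk that supplies `$user`.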
@@ -20,3 +20,18 @@ New Features: If the list begins with "!" then SNAT will occur only if the destination IP address is NOT included in the list.
+
+2) Output traffic control rules (those with the firewall as the source)
+ may now be qualified by the effective userid and/or effective group
+ id of the program generating the output. This feature is courtesy of
+ Frédéric LESPEZ.
+
+ A new USER column has been added to /etc/shorewall/tcrules.
+
+ It may contain :
+
+ []:[]
+
+ The colon is optionnal when specifying only a user.
+
+ Examples : john: / john / :users / john:users
diff --git a/Shorewall/tcrules b/Shorewall/tcrules
index 7ae8f7d7a..e15a68d80 100755
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@@ -57,7 +57,22 @@
 # any source port is acceptable. Specified as a comma-
 # separated list of port names, port numbers or port
 # ranges.
+#
+# USER This column may only be non-empty if the SOURCE is
+# the firewall itself.
+#
+# When this column is non-empty, the rule applies only
+# if the program generating the output is running under
+# the effective user and/or group.
+#
+# It may contain :
+#
+# []:[]
+#
+# The colon is optionnal when specifying only a user.
+# Examples : john: / john / :users / john:users
+#
 ##############################################################################
-#MARK SOURCE DEST PROTO PORT(S) CLIENT
+#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
 # PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE