diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index e966ab9df..1b264ced9 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2143,9 +2143,9 @@ sub verify_mark( $ ) {
 
     if ( $value > $mask ) {
 	#
-	# Not a valid TC mark -- must be a provider mark
+	# Not a valid TC mark -- must be a provider mark or a user mark
 	#
-	fatal_error "Invalid Mark or Mask value ($mark)" unless ( $value & $globals{PROVIDER_MASK} ) == $value;
+	fatal_error "Invalid Mark or Mask value ($mark)" unless ( $value & $globals{PROVIDER_MASK} ) == $value || ( $value & $globals{USER_MASK} ) == $value;
     }
 }
 
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 476993788..334410ac2 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3033,6 +3033,12 @@ sub get_configuration( $ ) {
     $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
     $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
 
+    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
+	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
+    } else {
+	$globals{USER_MASK} = 0;
+    }
+
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {
diff --git a/docs/PacketMarking.xml b/docs/PacketMarking.xml
index b71caec69..45e24eb7e 100644
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -313,7 +313,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
       </varlistentry>
     </variablelist>
 
-    <para> The relationship between these options is shown in this
+    <para>The relationship between these options is shown in this
     diagram.</para>
 
     <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
@@ -358,6 +358,13 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
         </tbody>
       </tgroup>
     </table>
+
+    <para>The existence of both TC_BITS and MASK_BITS is owed to the way that
+    WIDE_TC_MARKS was originally implemented. Note that TC_BITS is 14 rather
+    than 16 when WIDE_TC_MARKS=Yes.</para>
+
+    <para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
+    PROVIDER_OFFSET can be used for any purpose you want. </para>
   </section>
 
   <section id="Shorewall">
diff --git a/docs/images/MarkGeometry.dia b/docs/images/MarkGeometry.dia
index 9242cbfdb..a4e727720 100644
Binary files a/docs/images/MarkGeometry.dia and b/docs/images/MarkGeometry.dia differ
diff --git a/docs/images/MarkGeometry.png b/docs/images/MarkGeometry.png
index 471691884..c5b589f8e 100644
Binary files a/docs/images/MarkGeometry.png and b/docs/images/MarkGeometry.png differ