diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 62950d8e6..2ea786058 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -499,6 +499,25 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
},
},
+ ECN => {
+ defaultchain => POSTROUTING,
+ allowedchains => PREROUTING | FORWARD | OUTPUT | INPUT | POSTROUTING,
+ minparams => 0,
+ maxparams => 0,
+ function => sub() {
+ fatal_error "The ECN target is only available with IPv4" if $family == F_IPV6;
+
+ if ( $proto eq '-' ) {
+ $proto = TCP;
+ } else {
+ $proto = resolve_proto( $proto ) || 0;
+ fatal_error "Only PROTO tcp (6) is allowed with the ECN action" unless $proto == TCP;
+ }
+
+ $target = 'ECN --ecn-tcp-remove';
+ }
+ },
+
HL => {
defaultchain => FORWARD,
allowedchains => PREROUTING | FORWARD,
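Review bot: The ECN entry's `function` closure overwrites the rule's `$proto` with `TCP` when the column is `-`, and nothing in the entry says why; a comment above the `if ( $proto eq '-' )` test such as `# --ecn-tcp-remove is only valid with -p tcp, so default an empty PROTO to TCP and reject anything else` would record that for the next maintainer. Separately, no capability probe is visible in this entry, so on a kernel or iptables build without the ECN target the error would presumably surface when the ruleset is loaded rather than at compile time; if the other entries in this table gate their targets with a capability check, this one should follow them. The two `fatal_error` messages also name the feature differently ("ECN target" and "ECN action"), and using "ECN action" in both would match the manpage text added by this commit. The enclosing `process_mangle_rule1` starts and ends outside the hunk.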
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml
index 87eede757..e6aeb050f 100644
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -339,6 +339,18 @@ DIVERTHA - - tcp
+
+ ECN
+
+
+ Added in Shorewall 5.0.6 as an alternative to entries in
+ shorewall-ecn(5). If a
+ PROTO is specified, it must be 'tcp' (6). If no PROTO is
+ supplied, TCP is assumed. This action causes all ECN bits in
+ the TCP header to be cleared.
+
+
+
IMQ(number)
diff --git a/docs/ECN.xml b/docs/ECN.xml
index 41e5e51df..b73ae6351 100644
--- a/docs/ECN.xml
+++ b/docs/ECN.xml
@@ -118,6 +118,10 @@
+
+ Beginning with Shorewall 5.0.6, you may also specify clearing of the
+ ECN flags through use of the ECN action in shorewall-mangle(8).