diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index f4a5db690..bc0fb6c47 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -897,6 +897,7 @@ sub initialize( $;$$) {
 	  PAGER => undef ,
 	  MINIUPNPD => undef ,
 	  VERBOSE_MESSAGES => undef ,
+	  ZERO_MARKS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -6292,6 +6293,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
     default_yes_no 'MINIUPNPD'                  , '';
     default_yes_no 'VERBOSE_MESSAGES'           , 'Yes';
+    default_yes_no 'ZERO_MARKS'                 , '';
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index a2d6e7e99..ab8df8a22 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -128,7 +128,10 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
-    add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+
+    if ( $config{ZERO_MARKS} ) {
+	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
+    }
 
     if ( $config{RESTORE_ROUTEMARKS} ) {
 	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 328b920f5..7ffba83cf 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -248,6 +248,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 7d61ea0fd..15226aec3 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -259,6 +259,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index df2beb76b..02be53bda 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -256,6 +256,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 84eca2fcf..6bf0ab559 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -259,6 +259,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 1b4861787..9559b200d 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -248,6 +248,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index c007f24c3..ffb2e55f1 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -2947,6 +2947,23 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 29b55790b..345930707 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 5be1e7f83..ef77acd95 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -220,6 +220,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 1e01ed7ed..6a06d2005 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 87a8775a0..66efc3894 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 838afd342..07085fef0 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
 
 WORKAROUNDS=No
 
+ZERO_MARKS=No
+
 ZONE2ZONE=-
 
 ###############################################################################
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index b9ac4b0ce..0d7463915 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -2604,6 +2604,23 @@ INLINE          -       -       -       ;; -j REJECT
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.12, this is a workaround for an issue
+          where packet marks are not zeroed by the kernel. It should be set to
+          No (the default) unless you find that incoming packets are being
+          mis-routed for no apparent reasons.</para>
+
+          <caution>
+            <para>Do not set this option to Yes if you have IPSEC software
+            running on the firewall system.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>
