diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 16de84f17..52a50ce88 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50207
 if [ -z "$g_basedir" ]; then
 #
@@ -2878,6 +2878,7 @@ determine_capabilities() {
 NETMAP_TARGET=
 NFLOG_SIZE=
 RESTORE_WAIT_OPTION=
+ CONNMARK_ACTION=
 AMANDA_HELPER=
 FTP_HELPER=
@@ -3245,6 +3246,10 @@ determine_capabilities() {
 BASIC_FILTER=Yes
 $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
 fi
+
+ if $TC action add connmark help 2>&1 | grep -q ^Usage; then
+ CONNMARK_ACTION=Yes
+ fi
 fi
 [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
@@ -3388,6 +3393,7 @@ report_capabilities_unsorted() {
 report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
 report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
 report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
+ report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION
 echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
 echo " Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3494,6 +3500,7 @@ report_capabilities_unsorted1() {
 report_capability1 NFLOG_SIZE
 report_capability1 RESTORE_WAIT_OPTION
 report_capability1 NAT_INPUT_CHAIN
+ report_capability1 CONNMARK_ACTION
 report_capability1 AMANDA_HELPER
 report_capability1 FTP_HELPER
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 8431b0ec3..6ad965a09 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -502,6 +502,7 @@ our %capdesc = (
 NAT_ENABLED => 'NAT',
 RESTORE_WAIT_OPTION => 'iptables-restore --wait option',
 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+ CONNMARK_ACTION => 'TC connmark support',
 #
 # Helpers
 #
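Review bot: The new probe `if $TC action add connmark help 2>&1 | grep -q ^Usage; then` establishes only that the installed tc binary knows the connmark action; whether the running kernel actually provides the corresponding action module (act_connmark) is not checked, so a host can pass this capability test and still have its `action connmark` rule rejected at run time. The same limitation applies to the new Connmark_Action() in Config.pm, which runs the identical help command. A one-line comment above the probe would keep that visible to anyone reading the capability report, e.g. `# Probes the tc binary only; kernel support for the connmark action is not verified here.` The enclosing `if` whose closing `fi` follows the new block begins outside the hunk.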
@@ -883,8 +884,8 @@ sub initialize($;$$$$) {
 TC_SCRIPT => '',
 EXPORT => 0,
 KLUDGEFREE => '',
- VERSION => '5.2.4.1',
- CAPVERSION => 50200 ,
+ VERSION => '5.2.7-Beta1',
+ CAPVERSION => 50207 ,
 BLACKLIST_LOG_TAG => '',
 RELATED_LOG_TAG => '',
 MACLIST_LOG_TAG => '',
@@ -1178,6 +1179,7 @@ sub initialize($;$$$$) {
 NFLOG_SIZE => undef,
 RESTORE_WAIT_OPTION => undef,
 NAT_INPUT_CHAIN => undef,
+ CONNMARK_ACTION => undef ,
 AMANDA_HELPER => undef,
 FTP_HELPER => undef,
@@ -5052,6 +5054,10 @@ sub Basic_Filter() {
 $tc && system( "$tc filter add basic help 2>&1 | grep -q ^Usage" ) == 0;
 }
+sub Connmark_Action() {
+ $tc && system( "$tc action add connmark help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
 sub Basic_Ematch() {
 $tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
 }
@@ -5181,6 +5187,7 @@ our %detect_capability =
 COMMENTS => \&Comments,
 CONNLIMIT_MATCH => \&Connlimit_Match,
 CONNMARK => \&Connmark,
+ CONNMARK_ACTION => \&Connmark_Action,
 CONNMARK_MATCH => \&Connmark_Match,
 CONNTRACK_MATCH => \&Conntrack_Match,
 CPU_FANOUT => \&Cpu_Fanout,
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index c67aec99f..d72938f66 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -459,6 +459,7 @@ sub validate_tc_device( ) {
 fatal_error "Invalid tsize ($1)" unless defined $tsize;
 fatal_error q('tsize' requires 'linklayer') unless $linklayer;
 } elsif ( $option eq 'connmark' ) {
+ require_capability( 'CONNMARK_ACTION', q(The 'connmark' option), 's' );
 $connmark = 1;
 } else {
 fatal_error "Unknown device option ($option)";
@@ -1870,7 +1871,7 @@ sub process_traffic_shaping() {
 for my $rdev ( @{$devref->{redirected}} ) {
 my $phyrdev = physical_name( $rdev );
 emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
- emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 ".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
+ emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
 }
 for my $class ( @tcclasses ) {
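Review bot: The changed `emit` line removes the doubled blank, but the command is still assembled from hand-spaced fragments around the ternary, which is exactly how the stray space got in; building it from a list makes the spacing structural: `emit( join( ' ', "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0", ( $devref->{'connmark'} ? 'action connmark' : () ), "action mirred egress redirect dev $device > /dev/null" ) );`. Note that `> /dev/null` discards only stdout, so if `action connmark` is rejected on a host whose kernel lacks the action, tc's diagnostic still goes to stderr and the failure presumably reaches run_tc's exit-status handling, which is not visible here. process_traffic_shaping() starts and ends outside the hunk.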