@@ -2640,6 +2640,7 @@ do_init_socket_1 (struct context *c, const int mode)

 			   c->options.mtu_discover_type,

 			   c->options.rcvbuf,

 			   c->options.sndbuf,

+			   c->options.mark,

 			   sockflags);

 }

@@ -1371,6 +1371,12 @@ Set the TCP/UDP socket receive buffer size.

 Currently defaults to 65536 bytes.

 .\"*********************************************************

 .TP

+.B \-\-mark value

+Mark encrypted packets being sent with value. The mark value can be

+matched in policy routing and packetfilter rules. This option is

+only supported in Linux and does nothing on other operating systems.

+.\"*********************************************************

+.TP

 .B \-\-socket-flags flags...

 Apply the given flags to the OpenVPN transport socket.

 Currently, only

@@ -280,6 +280,10 @@ static const char usage_message[] =

   "                  or --fragment max value, whichever is lower.\n"

   "--sndbuf size   : Set the TCP/UDP send buffer size.\n"

   "--rcvbuf size   : Set the TCP/UDP receive buffer size.\n"

+#ifdef TARGET_LINUX

+  "--mark value    : Mark encrypted packets being sent with value. The mark value\n"

+  "                  can be matched in policy routing and packetfilter rules.\n"

+#endif

   "--txqueuelen n  : Set the tun/tap TX queue length to n (Linux only).\n"

   "--mlock         : Disable Paging -- ensures key material and tunnel\n"

   "                  data will never be written to disk.\n"

@@ -1473,6 +1477,9 @@ show_settings (const struct options *o)

 #endif

   SHOW_INT (rcvbuf);

   SHOW_INT (sndbuf);

+#ifdef TARGET_LINUX

+  SHOW_INT (mark);

+#endif

   SHOW_INT (sockflags);

   SHOW_BOOL (fast_io);

@@ -4520,6 +4527,13 @@ add_option (struct options *options,

       VERIFY_PERMISSION (OPT_P_SOCKBUF);

       options->sndbuf = positive_atoi (p[1]);

     }

+  else if (streq (p[0], "mark") && p[1])

+    {

+#ifdef TARGET_LINUX

+      VERIFY_PERMISSION (OPT_P_GENERAL);

+      options->mark = atoi(p[1]);

+#endif

+    }

   else if (streq (p[0], "socket-flags"))

     {

       int j;

@@ -342,6 +342,9 @@ struct options

   int rcvbuf;

   int sndbuf;

+  /* mark value */

+  int mark;

+

   /* socket flags */

   unsigned int sockflags;

@@ -779,6 +779,15 @@ socket_set_tcp_nodelay (int sd, int state)

 #endif

 }

+static void

+socket_set_mark (int sd, int mark)

+{

+#ifdef TARGET_LINUX

+  if (mark && setsockopt (sd, SOL_SOCKET, SO_MARK, &mark, sizeof (mark)) != 0)

+    msg (M_WARN, "NOTE: setsockopt SO_MARK=%d failed", mark);

+#endif

+}

+

 static bool

 socket_set_flags (int sd, unsigned int sockflags)

 {

@@ -1599,6 +1608,7 @@ link_socket_init_phase1 (struct link_socket *sock,

 			 int mtu_discover_type,

 			 int rcvbuf,

 			 int sndbuf,

+			 int mark,

 			 unsigned int sockflags)

 {

   ASSERT (sock);

@@ -1716,6 +1726,9 @@ link_socket_init_phase1 (struct link_socket *sock,

       /* set socket buffers based on --sndbuf and --rcvbuf options */

       socket_set_buffers (sock->sd, &sock->socket_buffer_sizes);

+      /* set socket to --mark packets with given value */

+      socket_set_mark (sock->sd, mark);

+

       resolve_bind_local (sock);

       resolve_remote (sock, 1, NULL, NULL);

     }

@@ -324,6 +324,7 @@ link_socket_init_phase1 (struct link_socket *sock,

 			 int mtu_discover_type,

 			 int rcvbuf,

 			 int sndbuf,

+			 int mark,

 			 unsigned int sockflags);

 void link_socket_init_phase2 (struct link_socket *sock,