diff --git a/luci-app-zapret/htdocs/luci-static/resources/view/zapret/settings.js b/luci-app-zapret/htdocs/luci-static/resources/view/zapret/settings.js index 8468fde..d3cc24b 100644 --- a/luci-app-zapret/htdocs/luci-static/resources/view/zapret/settings.js +++ b/luci-app-zapret/htdocs/luci-static/resources/view/zapret/settings.js @@ -167,6 +167,11 @@ return view.extend({ //o.description = _("nfqws option for DPI desync attack"); o.rmempty = false; o.datatype = 'string'; + + o = s.taboption(tabname, form.Value, 'FILTER_MARK', _('FILTER_MARK')); + o.rmempty = false; + o.validate = function(section_id, value) { return true; }; + o.write = function(section_id, value) { return form.Value.prototype.write.call(this, section_id, (value == null || value.trim() == '') ? "\t" : value.trim()); }; o = s.taboption(tabname, form.Value, 'NFQWS_PORTS_TCP', _('NFQWS_PORTS_TCP')); o.rmempty = false; diff --git a/zapret/config.default b/zapret/config.default index 08c90af..69b4da5 100644 --- a/zapret/config.default +++ b/zapret/config.default @@ -56,6 +56,13 @@ DESYNC_MARK=0x40000000 DESYNC_MARK_POSTNAT=0x20000000 +# do not pass outgoing traffic to tpws/nfqws not marked with this bit +# this setting allows to write your own rules to limit traffic that should be fooled +# for example based on source IP or incoming interface name +# no filter if not defined +FILTER_MARK="" + + TPWS_SOCKS_ENABLE=0 # tpws socks listens on this port on localhost and LAN interfaces TPPORT_SOCKS=987 diff --git a/zapret/def-cfg.sh b/zapret/def-cfg.sh index a1d3f96..85ff7b7 100755 --- a/zapret/def-cfg.sh +++ b/zapret/def-cfg.sh @@ -29,6 +29,7 @@ function set_cfg_default_values set $cfgname.config.NFQWS_ENABLE='1' set $cfgname.config.DESYNC_MARK='0x40000000' set $cfgname.config.DESYNC_MARK_POSTNAT='0x20000000' + set $cfgname.config.FILTER_MARK='$TAB' set $cfgname.config.NFQWS_PORTS_TCP='80,443' set $cfgname.config.NFQWS_PORTS_UDP='443' set $cfgname.config.NFQWS_TCP_PKT_OUT='9' 
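Review bot: The `o.validate` override for FILTER_MARK returns true for any input, so whatever is typed into the form is stored and then synced (`sync_param FILTER_MARK str` in sync_config.sh) into what looks like a shell-style config that feeds firewall rules. The neighbouring marks are plain hex values (`DESYNC_MARK=0x40000000`), so the field should accept only an empty value or a numeric mark, e.g. `var v = (value || '').trim(); return (v == '' || /^(0x[0-9a-fA-F]{1,8}|[0-9]+)$/.test(v)) ? true : _('Expected a hex or decimal mark');`. The tab written for an empty value also deserves a one-line comment such as `// a lone tab stands for "unset", matching the '$TAB' default in def-cfg.sh`, since without it the placeholder reads like a mistake. The enclosing render function starts and ends outside the hunk.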
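Review bot: The new comment block above `FILTER_MARK=""` does not say what form the value takes or how it relates to the two marks defined just above it. Presumably it is a single fwmark bit written like `DESYNC_MARK=0x40000000`, and it must not reuse that bit or the `DESYNC_MARK_POSTNAT` one; if so, say it in the file, e.g. `# hex bit mask in the same form as DESYNC_MARK; must differ from DESYNC_MARK and DESYNC_MARK_POSTNAT`. It would also help to note that the user's own rules have to set this mark before zapret's rules are evaluated, because otherwise, as far as the description goes, no traffic would be handed to tpws/nfqws once the filter is set.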
diff --git a/zapret/sync_config.sh b/zapret/sync_config.sh
index 6229614..fbc9b94 100755
--- a/zapret/sync_config.sh
+++ b/zapret/sync_config.sh
@@ -95,6 +95,7 @@ sync_param AUTOHOSTLIST_DEBUGLOG
 sync_param NFQWS_ENABLE
 sync_param DESYNC_MARK
 sync_param DESYNC_MARK_POSTNAT
+sync_param FILTER_MARK str
 sync_param NFQWS_PORTS_TCP str
 sync_param NFQWS_PORTS_UDP str
 sync_param NFQWS_TCP_PKT_OUT str