diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index fffe16346..5f3cfd638 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2219,11 +2219,14 @@ sub process_secmark_rule() {
I => 'tcin' ,
O => 'tcout' , );
- my %state = ( N => 'NEW' ,
- I => 'INVALID',
- NI => 'NEW,INVALID',
- E => 'ESTABLISHED' ,
- ER => 'ESTABLISHED,RELATED',
+ my %state = ( N => 'NEW' ,
+ I => 'INVALID',
+ U => 'UNTRACKED',
+ NI => 'NEW,INVALID',
+ NU => 'NEW,UNTRACKED',
+ NIU => 'NEW,INVALID,UNTRACKED',
+ E => 'ESTABLISHED' ,
+ ER => 'ESTABLISHED,RELATED',
);
my ( $chain , $state, $rest) = split ':', $chainin , 3;
diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml
index d8bed9ed7..af0d49a4e 100644
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -92,7 +92,7 @@
CHAIN:STATE (chain) -
- {P|I|F|O|T}[:{N|I|NI|E|ER}]
+ {P|I|F|O|T}[:{N|I|U|NI|NU|NIU|NUI:E|ER}]
This column determines the CHAIN where the SElinux context is
@@ -125,6 +125,17 @@
:ER - ESTABLISHED or RELATED connection
+
+ Beginning with Shorewall 4.5.10, the following additional
+ options are available
+
+
+ :U - UNTRACKED connection
+
+ :NU - NEW or UNTRACKED connection
+
+ :NIU - NEW, INVALID or UNTRACKED connection.
+
diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml
index 53c6339cd..a39a1b3de 100644
--- a/Shorewall6/manpages/shorewall6-secmarks.xml
+++ b/Shorewall6/manpages/shorewall6-secmarks.xml
@@ -122,6 +122,17 @@
:ER - ESTABLISHED or RELATED connection
+
+ Beginning with Shorewall 4.5.10, the following additional
+ options are available
+
+
+ :U - UNTRACKED connection
+
+ :NU - NEW or UNTRACKED connection
+
+ :NIU - NEW, INVALID or UNTRACKED connection.
+