diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index fff416752..26e75c625 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -132,6 +132,7 @@ our %EXPORT_TAGS = (
blacklist_chain
related_chain
invalid_chain
+ untracked_chain
zone_forward_chain
use_forward_chain
input_chain
@@ -1637,6 +1638,13 @@ sub invalid_chain($$) {
'_' . &rules_chain(@_);
}
+#
+# Name of the untracked chain between an ordered pair of zones
+#
+sub untracked_chain($$) {
+ '&' . &rules_chain(@_);
+}
+
#
# Create the base for a chain involving the passed interface -- we make this a function so it will be
# easy to change the mapping should the need ever arrive.
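Review bot: The `&` prefix chosen in untracked_chain makes every untracked chain name start with a shell control operator, unlike the `+` and `_` prefixes used by related_chain and invalid_chain; if any generated-script path hands a chain name to iptables on a shell command line rather than through iptables-restore, an unquoted `&net2fw` would be split at the ampersand. I cannot see from this hunk which paths emit chain names, so this is worth confirming before the prefix is fixed in released configs. A comment on the sub would also help the next reader: `# '&' marks the per-zone-pair chain that handles packets in the UNTRACKED conntrack state; it must stay distinct from '+' (RELATED) and '_' (INVALID) because finish_chain_section keys on the first character.`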
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 4a7ae9bd5..930c65805 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -663,7 +663,6 @@ sub initialize( $;$$) {
LOGALLNEW => undef,
BLACKLIST_LOGLEVEL => undef,
RELATED_LOG_LEVEL => undef,
- INVALID_LOG_LEVEL => undef,
RFC1918_LOG_LEVEL => undef,
MACLIST_LOG_LEVEL => undef,
TCP_FLAGS_LOG_LEVEL => undef,
@@ -673,6 +672,8 @@ sub initialize( $;$$) {
STARTUP_LOG => undef,
SFILTER_LOG_LEVEL => undef,
RPFILTER_LOG_LEVEL => undef,
+ INVALID_LOG_LEVEL => undef,
+ UNTRACKED_LOG_LEVEL => undef,
#
# Location of Files
#
@@ -784,6 +785,7 @@ sub initialize( $;$$) {
RPFILTER_DISPOSITION => undef,
RELATED_DISPOSITION => undef,
INVALID_DISPOSITION => undef,
+ UNTRACKED_DISPOSITION => undef,
#
# Mark Geometry
#
@@ -5227,6 +5229,7 @@ sub get_configuration( $$$$ ) {
default_log_level 'RFC1918_LOG_LEVEL', '';
default_log_level 'RELATED_LOG_LEVEL', '';
default_log_level 'INVALID_LOG_LEVEL', '';
+ default_log_level 'UNTRACKED_LOG_LEVEL', '';
warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
@@ -5300,12 +5303,29 @@ sub get_configuration( $$$$ ) {
fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION"
}
- require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
+ require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/;
} else {
$config{INVALID_DISPOSITION} = 'CONTINUE';
$globals{INVALID_TARGET} = '';
}
+ if ( $val = $config{UNTRACKED_DISPOSITION} ) {
+ if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
+ $globals{UNTRACKED_TARGET} = $val;
+ } elsif ( $val eq 'REJECT' ) {
+ $globals{UNTRACKED_TARGET} = 'reject';
+ } elsif ( $val eq 'A_REJECT' ) {
+ $globals{UNTRACKED_TARGET} = $val;
+ } else {
+ fatal_error "Invalid value ($config{UNTRACKED_DISPOSITION}) for UNTRACKED_DISPOSITION"
+ }
+
+ require_capability 'AUDIT_TARGET' , "UNTRACKED_DISPOSITION=$val", 's' if $val =~ /^A_/;
+ } else {
+ $config{UNTRACKED_DISPOSITION} = 'CONTINUE';
+ $globals{UNTRACKED_TARGET} = '';
+ }
+
if ( $val = $config{MACLIST_TABLE} ) {
if ( $val eq 'mangle' ) {
fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
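Review bot: An explicit `UNTRACKED_DISPOSITION=CONTINUE` is rejected with a fatal error, because the new `if` chain only recognises `(A_)?DROP`, `(A_)?ACCEPT`, `REJECT` and `A_REJECT` before falling into `fatal_error "Invalid value ..."`; the else branch only handles the unset/empty case. The sample and default shorewall.conf files in this same commit set `UNTRACKED_DISPOSITION=CONTINUE`, so a fresh install would fail to compile. Add a branch before the fatal_error: `} elsif ( $val eq 'CONTINUE' ) {` / `    $globals{UNTRACKED_TARGET} = '';` / `}`. The INVALID_DISPOSITION block above appears to have the same shape; its start lies outside this hunk, so check whether it accepts CONTINUE as well. get_configuration continues beyond this hunk.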
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 91aa509ee..c2af9ae51 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -62,14 +62,15 @@ our %sections;
our $section;
-use constant { NULL_SECTION => 0,
- BLACKLIST_SECTION => 1,
- ALL_SECTION => 2,
- ESTABLISHED_SECTION => 4,
- RELATED_SECTION => 8,
- INVALID_SECTION => 16,
- NEW_SECTION => 32,
- DEFAULTACTION_SECTION => 64 };
+use constant { NULL_SECTION => 0x00,
+ BLACKLIST_SECTION => 0x01,
+ ALL_SECTION => 0x02,
+ ESTABLISHED_SECTION => 0x04,
+ RELATED_SECTION => 0x08,
+ INVALID_SECTION => 0x10,
+ UNTRACKED_SECTION => 0x20,
+ NEW_SECTION => 0x40,
+ DEFAULTACTION_SECTION => 0x80 };
#
# These are the sections that may appear in a section header
#
@@ -77,6 +78,7 @@ our %section_map = ( ALL => ALL_SECTION,
ESTABLISHED => ESTABLISHED_SECTION,
RELATED => RELATED_SECTION,
INVALID => INVALID_SECTION,
+ UNTRACKED => UNTRACKED_SECTION,
NEW => NEW_SECTION );
our @policy_chains;
@@ -173,6 +175,7 @@ sub initialize( $ ) {
ESTABLISHED => 0,
RELATED => 0,
INVALID => 0,
+ UNTRACKED => 0,
NEW => 0
);
#
@@ -848,20 +851,24 @@ sub finish_chain_section ($$$) {
my $related_target = $globals{RELATED_TARGET};
my $invalid_level = $config{INVALID_LOG_LEVEL};
my $invalid_target = $globals{INVALID_TARGET};
+ my $untracked_level = $config{UNTRACKED_LOG_LEVEL};
+ my $untracked_target = $globals{UNTRACKED_TARGET};
my $save_comment = push_comment;
my %state;
- my %statetable = ( RELATED => [ '+', $related_level, $related_target ] ,
- INVALID => [ '_', $invalid_level, $invalid_target ] );
+ my %statetable = ( RELATED => [ '+', $related_level, $related_target ] ,
+ INVALID => [ '_', $invalid_level, $invalid_target ] ,
+ UNTRACKED => [ '&', $untracked_level, $untracked_target ] ,
+ );
$state{$_} = 1 for split ',', $state;
- for ( qw/ESTABLISHED RELATED INVALID/ ) {
+ for ( qw/ESTABLISHED RELATED INVALID UNTRACKED/ ) {
delete $state{$_} if $chain1ref->{sections}{$_};
}
$chain1ref->{sections}{$_} = 1 for keys %state;
- for ( qw( RELATED INVALID ) ) {
+ for ( qw( RELATED INVALID UNTRACKED ) ) {
if ( $state{$_} ) {
my ( $char, $level, $target ) = @{$statetable{$_}};
my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
@@ -951,6 +958,8 @@ sub ensure_rules_chain( $ )
unless ( $chainref->{referenced} ) {
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
+ finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID,UNTRACKED';
+ } elsif ( $section == UNTRACKED_SECTION ) {
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
} elsif ( $section == INVALID_SECTION ) {
finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED';
@@ -978,6 +987,8 @@ sub finish_section ( $ ) {
$function = \&related_chain;
} elsif ( $section == INVALID_SECTION ) {
$function = \&invalid_chain;
+ } elsif ( $section == UNTRACKED_SECTION ) {
+ $function = \&untracked_chain;
} else {
$function = \&rules_chain;
}
@@ -2299,7 +2310,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
#
# Handle rules in the BLACKLIST, RELATED and INVALID sections
#
- if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION ) ) {
+ if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION | UNTRACKED_SECTION ) ) {
my $auxchain;
my $auxref;
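Review bot: The header comment on this branch still reads "Handle rules in the BLACKLIST, RELATED and INVALID sections" although the condition now also matches UNTRACKED_SECTION. Update it to `# Handle rules in the BLACKLIST, RELATED, INVALID and UNTRACKED sections` so the comment and the mask agree. process_rule1 starts and ends outside this hunk.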
@@ -2307,6 +2318,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$auxchain = blacklist_chain( ${sourcezone}, ${destzone} );
} elsif ( $section == INVALID_SECTION ) {
$auxchain = invalid_chain( ${sourcezone}, ${destzone} );
+ } elsif ( $section == UNTRACKED_SECTION ) {
+ $auxchain = related_chain( ${sourcezone}, ${destzone} );
} else {
$auxchain = related_chain( ${sourcezone}, ${destzone} );
}
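Review bot: The new `elsif ( $section == UNTRACKED_SECTION )` branch assigns `related_chain( ${sourcezone}, ${destzone} )`, which is exactly what the following `else` already does, so UNTRACKED-section rules are appended to the RELATED ('+') chain instead of the untracked ('&') chain that untracked_chain and finish_chain_section introduce elsewhere in this commit. That also means the `substr( $chainref->{name}, 0, 1 ) eq $char` check in finish_chain_section would not recognise the chain as the untracked one. Change the branch to `$auxchain = untracked_chain( ${sourcezone}, ${destzone} );`. process_rule1 continues outside this hunk.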
@@ -2323,6 +2336,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$auxref->{blacklistsection} = 1;
} elsif ( $section == INVALID_SECTION ) {
@state = state_imatch( 'INVALID' );
+ } elsif ( $section == UNTRACKED_SECTION ) {
+ @state = state_imatch( 'UNTRACKED' );
} else {
@state = state_imatch 'RELATED';
};
@@ -2412,7 +2427,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
do_headers( $headers ) ,
do_condition( $condition , $chain ) ,
);
- } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION ) ) {
+ } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION | UNTRACKED_SECTION ) ) {
$rule = join( '',
do_proto($proto, $ports, $sports),
do_ratelimit( $ratelimit, $basictarget ) ,
@@ -2588,12 +2603,13 @@ sub process_section ($) {
finish_section 'ESTABLISHED';
} elsif ( $sect eq 'INVALID' ) {
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
- finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
+ finish_section ( 'ESTABLISHED,RELATED' );
+ } elsif ( $sect eq 'UNTRACKED' ) {
+ @sections{'ALL','ESTABLISHED','RELATED', 'INVALID' } = ( 1, 1, 1, 1 );
+ finish_section ( 'ESTABLISHED,RELATED, INVALID' );
} elsif ( $sect eq 'NEW' ) {
- @sections{'ALL','ESTABLISHED','RELATED','INVALID','NEW'} = ( 1, 1, 1, 1, 1 );
- finish_section ( ( $section == RELATED_SECTION ) ? 'RELATED,INVALID' :
- ( $section == INVALID_SECTION ) ? 'INVALID' :
- 'ESTABLISHED,RELATED,INVALID' );
+ @sections{'ALL','ESTABLISHED','RELATED','INVALID','UNTRACKED', 'NEW'} = ( 1, 1, 1, 1, 1, 1 );
+ finish_section ( 'ESTABLISHED,RELATED,INVALID' );
}
$section = $section_map{$sect};
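Review bot: The UNTRACKED branch calls `finish_section ( 'ESTABLISHED,RELATED, INVALID' )` with a space after the second comma; finish_chain_section splits that string on a bare `,`, so the resulting key is `' INVALID'`, which matches neither the `delete $state{$_}` loop nor `$state{INVALID}`, and the INVALID disposition is silently skipped while a bogus `' INVALID'` entry is recorded in `{sections}`. Use `finish_section ( 'ESTABLISHED,RELATED,INVALID' );`. Separately, the NEW branch finishes only `'ESTABLISHED,RELATED,INVALID'` whereas ensure_rules_chain in this same commit finishes `'ESTABLISHED,RELATED,INVALID,UNTRACKED'` for the NEW section; if finish_section walks the already-referenced rules chains (its body is not visible here), those chains would never get the UNTRACKED disposition rule, so `'ESTABLISHED,RELATED,INVALID,UNTRACKED'` looks intended there too. process_section starts outside this hunk.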
diff --git a/Shorewall/Samples/Universal/rules b/Shorewall/Samples/Universal/rules
index dd191d2cf..99baa901a 100644
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -12,6 +12,8 @@
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
SECTION NEW
Invalid(DROP) net $FW tcp
SSH(ACCEPT) net $FW
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 30e3fc77d..a69ef3295 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -53,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -240,6 +242,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall/Samples/one-interface/rules b/Shorewall/Samples/one-interface/rules
index e83cac99b..59eae5691 100644
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -16,6 +16,8 @@
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
SECTION NEW
# Drop packets in the INVALID state
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index e9df443c9..b3c9581dd 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -64,6 +64,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -251,6 +253,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall/Samples/three-interfaces/rules b/Shorewall/Samples/three-interfaces/rules
index 33d5ca927..002a7dea0 100644
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -16,6 +16,8 @@
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
SECTION NEW
# Don't allow connection pickup from the net
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index afde9972a..ffb0c07b6 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -62,6 +62,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -249,6 +251,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall/Samples/two-interfaces/rules b/Shorewall/Samples/two-interfaces/rules
index 2aefcc815..0eab21390 100644
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -16,6 +16,8 @@
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
SECTION NEW
# Don't allow connection pickup from the net
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index a0502918f..c65eb818d 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -65,6 +65,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -252,6 +254,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall/configfiles/rules b/Shorewall/configfiles/rules
index 688dd5071..2ae67a390 100644
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -12,4 +12,6 @@
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
SECTION NEW
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 2c0ec4692..a325b8648 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -53,6 +53,8 @@ STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -240,6 +242,8 @@ SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index efaee8096..cb27963b6 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -942,6 +942,34 @@ net all DROP infothen the chain name is 'net2all'
+
+ INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]
+
+
+ Added in Shorewall 4.5.13. Shorewall has traditionally passed
+ INVALID packets through the NEW section of shorewall-rules (5). When a
+ packet in INVALID state fails to match any rule in the INVALID
+ section, the packet is disposed of based on this setting. The
+ default value is CONTINUE for compatibility with earlier
+ versions.
+
+
+
+
+ INVALID_LOG_LEVEL=log-level
+
+
+ Added in Shorewall 4.5.13. Packets in the INVALID state that
+ do not match any rule in the INVALID section of shorewall-rules (5) are
+ logged at this level. The default value is empty which means no
+ logging is performed.
+
+
+
IP=[pathname]
@@ -2439,6 +2467,34 @@ LOG:info:,bar net fw
+
+ UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]
+
+
+ Added in Shorewall 4.5.13. Shorewall has traditionally passed
+ UNTRACKED packets through the NEW section of shorewall-rules (5). When a
+ packet in UNTRACKED state fails to match any rule in the UNTRACKED
+ section, the packet is disposed of based on this setting. The
+ default value is CONTINUE for compatibility with earlier
+ versions.
+
+
+
+
+ UNTRACKED_LOG_LEVEL=log-level
+
+
+ Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
+ do not match any rule in the UNTRACKED section of shorewall-rules (5) are logged at
+ this level. The default value is empty which means no logging is
+ performed.
+
+
+
USE_DEFAULT_RT=[Yes|No]
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 13b89547e..2183d92db 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 9e4e1f31f..6d44bad8a 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index 7ccd5bbeb..df6a9e909 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 9c691f931..e1a3a175c 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall6/configfiles/rules b/Shorewall6/configfiles/rules
index 243ecfc4e..207dead3f 100644
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -12,4 +12,6 @@
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
SECTION NEW
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 3bde1ff60..134a790ae 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -52,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL=info
+UNTRACKED_LOG_LEVEL=
+
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
@@ -213,6 +215,8 @@ SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
+UNTRACKED_DISPOSITION=CONTINUE
+
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index a0a044ef1..73cbf722e 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -818,6 +818,34 @@ net all DROP infothen the chain name is 'net2all'
+
+ INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]
+
+
+ Added in Shorewall 4.5.13. Shorewall has traditionally passed
+ INVALID packets through the NEW section of shorewall-rules (5). When a
+ packet in INVALID state fails to match any rule in the INVALID
+ section, the packet is disposed of based on this setting. The
+ default value is CONTINUE for compatibility with earlier
+ versions.
+
+
+
+
+ INVALID_LOG_LEVEL=log-level
+
+
+ Added in Shorewall 4.5.13. Packets in the INVALID state that
+ do not match any rule in the INVALID section of shorewall-rules (5) are
+ logged at this level. The default value is empty which means no
+ logging is performed.
+
+
+
IP=[pathname]
@@ -2113,6 +2141,34 @@ LOG:info:,bar net fw
+
+ UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]
+
+
+ Added in Shorewall 4.5.13. Shorewall has traditionally passed
+ UNTRACKED packets through the NEW section of shorewall6-rules (5). When a
+ packet in UNTRACKED state fails to match any rule in the UNTRACKED
+ section, the packet is disposed of based on this setting. The
+ default value is CONTINUE for compatibility with earlier
+ versions.
+
+
+
+
+ UNTRACKED_LOG_LEVEL=log-level
+
+
+ Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
+ do not match any rule in the UNTRACKED section of shorewall-rules (5) are
+ logged at this level. The default value is empty which means no
+ logging is performed.
+
+
+
USE_DEFAULT_RT=[Yes|No]