From 254e1ed784409e64698296219df17296b182826b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 2 Jun 2011 11:43:55 -0700 Subject: [PATCH] Add 'I' STATE to secmarks Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 1 + Shorewall/changelog.txt | 2 +- Shorewall/releasenotes.txt | 3 ++- manpages/shorewall-secmarks.xml | 4 +++- manpages6/shorewall6-secmarks.xml | 4 +++- 5 files changed, 10 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 88c61caa1..e09fa6f08 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -1604,6 +1604,7 @@ sub process_secmark_rule() { O => 'tcout' , ); my %state = ( N => 'NEW' , + I => 'INVALID', NI => 'NEW,INVALID', E => 'ESTABLISHED' , ER => 'ESTABLISHED,RELATED', diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 815e32516..b7bc99f5d 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -2,7 +2,7 @@ Changes in Shorewall 4.4.20 Final 1) Set /proc/sys/net/bridge/bridge_nf_call_ip6?tables. -2) Add 'NI' STATE in secmarks. +2) Add 'I' and 'NI' STATEs in secmarks. Changes in Shorewall 4.4.20 RC 1 diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e294563f4..10c474c0e 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -253,7 +253,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES versions are available in the configfiles directory within the tarball. -11) The STATE subcolumn of the secmarks file now allow the value 'NI' +11) The STATE subcolumn of the secmarks file now allows the values 'I' + which will match packets in the INVALID state, and 'NI' which will match packets in either NEW or INVALID state. ---------------------------------------------------------------------------- diff --git a/manpages/shorewall-secmarks.xml b/manpages/shorewall-secmarks.xml index aaf94d650..06eb86049 100644 --- a/manpages/shorewall-secmarks.xml 
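Review bot: The new `I` key in `%state` reuses a letter that the CHAIN half of the same column already accepts (the manpage hunk lists `{P|I|F|O|T}` for chains), so a secmarks entry can now legitimately read `I:I`, and nothing at the table says the two lookups are independent. A one-line comment above `my %state` would settle it, for example `# STATE codes (the part after ':'); separate from the chain letters above, so 'I' here means INVALID`. The code that looks a STATE code up in `%state` and rejects unknown ones is outside this hunk, so it cannot be confirmed from here that an unrecognised code raises an error rather than yielding a rule with no state match, which would label more traffic than the entry intended. process_secmark_rule's body starts and ends outside the hunk.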
+++ b/manpages/shorewall-secmarks.xml @@ -90,7 +90,7 @@ CHAIN:STATE - - {P|I|F|O|T}[:{N|NI|E|ER}] + {P|I|F|O|T}[:{N|I|NI|E|ER}] This column determines the CHAIN where the SElinux context is @@ -115,6 +115,8 @@ :N - NEW connection + :I - INVALID connection + :NI - NEW or INVALID connection :E - ESTABLISHED connection diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml index 3c693ff9a..7a62c0150 100644 --- a/manpages6/shorewall6-secmarks.xml +++ b/manpages6/shorewall6-secmarks.xml @@ -90,7 +90,7 @@ CHAIN - - {P|I|F|O|T}[:{N|NI|E|ER}] + {P|I|F|O|T}[:{N|I|NI|E|ER}] @@ -112,6 +112,8 @@ :N - NEW connection + :I - INVALID connection + :NI - New or INVALID connection :E - ESTABLISHED connection