Add INVALID section to the rules file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-24 08:33:59 -08:00 · 2013-01-24 08:33:59 -08:00 · c2bc74cdfe
commit c2bc74cdfe
parent a03e793907
15 changed files with 206 additions and 25 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -131,6 +131,7 @@ our %EXPORT_TAGS = (
 				       rules_chain
 				       blacklist_chain
 				       related_chain
+				       invalid_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@ -293,6 +294,7 @@ our $VERSION = 'MODULEVERSION';
 #                                                               level 8.
 #                                               complete     => The last rule in the chain is a -g or a simple -j to a terminating target
 #                                                               Suppresses adding additional rules to the chain end of the chain
+#                                               sections     => { <section> = 1, ... } - Records sections that have been completed.
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@ -1628,6 +1630,13 @@ sub related_chain($$) {
    '+' . &rules_chain(@_);
 }

+#
+# Name of the invalid chain between an ordered pair of zones
+#
+sub invalid_chain($$) {
+    '_' . &rules_chain(@_);
+}
+
 #
 # Create the base for a chain involving the passed interface -- we make this a function so it will be
 # easy to change the mapping should the need ever arrive.
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -642,7 +642,7 @@ sub initialize( $;$$) {
 		    EXPORT     => 0,
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
-		    VERSION    => "4.5.13-Beta1",
+		    VERSION    => "4.5.13-Beta3",
 		    CAPVERSION => 40512 ,
 		  );
    #
@ -663,6 +663,7 @@ sub initialize( $;$$) {
 	  LOGALLNEW => undef,
 	  BLACKLIST_LOGLEVEL => undef,
 	  RELATED_LOG_LEVEL => undef,
+	  INVALID_LOG_LEVEL => undef,
 	  RFC1918_LOG_LEVEL => undef,
 	  MACLIST_LOG_LEVEL => undef,
 	  TCP_FLAGS_LOG_LEVEL => undef,
@ -782,6 +783,7 @@ sub initialize( $;$$) {
 	  SFILTER_DISPOSITION => undef,
 	  RPFILTER_DISPOSITION => undef,
 	  RELATED_DISPOSITION => undef,
+	  INVALID_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
 	  #
@ -5224,6 +5226,7 @@ sub get_configuration( $$$$ ) {
    default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
    default_log_level 'RFC1918_LOG_LEVEL',   '';
    default_log_level 'RELATED_LOG_LEVEL',   '';
+    default_log_level 'INVALID_LOG_LEVEL',   '';

    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

@ -5278,12 +5281,31 @@ sub get_configuration( $$$$ ) {
 	    fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
 	}

-	require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
+	require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
    } else {
 	$config{RELATED_DISPOSITION}  =
 	$globals{RELATED_TARGET}      = 'ACCEPT';
    }

+    if ( $val = $config{INVALID_DISPOSITION} ) {
+	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
+	    $globals{INVALID_TARGET} = $val;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{INVALID_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{INVALID_TARGET} = $val;
+	} elsif ( $val eq 'CONTINUE' ) {
+	    $globals{INVALID_TARGET} = '';
+	} else {
+	    fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION"
+	}
+
+	require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
+    } else {
+	$config{INVALID_DISPOSITION}  = 'CONTINUE';
+	$globals{INVALID_TARGET}      = '';
+    }
+
    if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -67,14 +67,16 @@ use constant { NULL_SECTION          => 0,
 	       ALL_SECTION           => 2,
 	       ESTABLISHED_SECTION   => 4,
 	       RELATED_SECTION       => 8,
-	       NEW_SECTION           => 16,
-	       DEFAULTACTION_SECTION => 32 };
+	       INVALID_SECTION       => 16,
+	       NEW_SECTION           => 32,
+	       DEFAULTACTION_SECTION => 64 };
 #
 # These are the sections that may appear in a section header
 #
 our %section_map = ( ALL           => ALL_SECTION,
 		     ESTABLISHED   => ESTABLISHED_SECTION,
 		     RELATED       => RELATED_SECTION,
+                     INVALID       => INVALID_SECTION,
 		     NEW           => NEW_SECTION );

 our @policy_chains;
@ -170,6 +172,7 @@ sub initialize( $ ) {
    %sections = ( ALL         => 0,
 		  ESTABLISHED => 0,
 		  RELATED     => 0,
+		  INVALID     => 0,
 		  NEW         => 0
 		  );
    #
@ -212,6 +215,15 @@ sub initialize( $ ) {
    }
 }

+#
+# Create a rules chain
+#
+sub new_rules_chain( $ ) {
+    my $chainref = new_chain( 'filter', $_[0] );
+    $chainref->{sections} = {};
+    $chainref;
+}
+
 ###############################################################################
 # Functions moved from the former Policy Module
 ###############################################################################
@ -250,7 +262,7 @@ sub new_policy_chain($$$$$)
 {
    my ($source, $dest, $policy, $provisional, $audit) = @_;

-    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_rules_chain( rules_chain( ${source}, ${dest} ) );

    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional, $audit );

@ -266,7 +278,7 @@ sub set_policy_chain($$$$$)

    my $chainref1 = $filter_table->{$chain1};

-    $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
+    $chainref1 = new_rules_chain $chain1 unless $chainref1;

    unless ( $chainref1->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
@ -837,10 +849,12 @@ sub ensure_rules_chain( $ )

    my $chainref = $filter_table->{$chain};

-    $chainref = new_chain( 'filter', $chain ) unless $chainref;
+    $chainref = new_rules_chain( $chain ) unless $chainref;

    unless ( $chainref->{referenced} ) {
 	if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
+	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED,INVALID';
+	} elsif ( $section == INVALID_SECTION ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED,RELATED';
 	} elsif ( $section == RELATED_SECTION ) {
 	    finish_chain_section $chainref , $chainref, 'ESTABLISHED';
@ -853,7 +867,7 @@ sub ensure_rules_chain( $ )
 }

 #
-# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
+# Add ESTABLISHED,RELATED,INVALID rules and synparam jumps to the passed chain
 #
 sub finish_chain_section ($$$) {
    my ($chainref,
@ -862,8 +876,20 @@ sub finish_chain_section ($$$) {
    my $chain               = $chainref->{name};
    my $related_level       = $config{RELATED_LOG_LEVEL};
    my $related_target      = $globals{RELATED_TARGET};
+    my $invalid_level       = $config{INVALID_LOG_LEVEL};
+    my $invalid_target      = $globals{INVALID_TARGET};
    my $save_comment        = push_comment;
    my $relatedchain        = $chainref->{name} =~ /^\+/;
+    my $invalidchain        = $chainref->{name} =~ /^_/;
+    my %state;
+
+    $state{$_} = 1 for split ',', $state;
+
+    for ( qw/ESTABLISHED RELATED INVALID/ ) {
+	delete $state{$_} if $chain1ref->{sections}{$_};
+    }
+
+    $chain1ref->{sections}{$_} = 1 for keys %state;

    if ( $state =~ /RELATED/ && ( $relatedchain || $related_level || $related_target ne 'ACCEPT' ) ) {

@ -879,7 +905,7 @@ sub finish_chain_section ($$$) {
 	    log_rule( $related_level,
 		      $relatedref,
 		      $config{RELATED_DISPOSITION},
-		      '' ) if $related_level;
+		      '' );

 	    $related_target = ensure_audit_chain( $related_target ) if ( $targets{$related_target} || 0 ) & AUDIT;

@ -890,15 +916,53 @@ sub finish_chain_section ($$$) {

        if ( $relatedchain ) {
 	    add_ijump $chainref, g => $related_target;
-	    $state = '';
+	    %state = ();
 	} else {
 	    add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
-	    $state =~ s/,?RELATED//;
+	    delete $state{RELATED};
 	}
    }

-    if ( $state ) {
-	add_ijump $chain1ref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
+    if ( $state =~ /INVALID/ && ( $invalidchain || $invalid_level || $invalid_target ne 'ACCEPT' ) ) {
+
+	if ( $invalid_level ) {
+	    my $invalidref;
+
+	    if ( $invalidchain ) {
+		$invalidref = $chainref;
+	    } else {
+		$invalidref = new_chain( 'filter', "_$chainref->{name}" );
+	    }
+
+	    log_rule( $invalid_level,
+		      $invalidref,
+		      $config{INVALID_DISPOSITION},
+		      '' );
+
+	    $invalid_target = ensure_audit_chain( $invalid_target ) if ( $targets{$invalid_target} || 0 ) & AUDIT;
+
+	    add_ijump( $invalidref, g => $invalid_target ) if $invalid_target;
+
+	    $invalid_target = $invalidref->{name} unless $invalidchain;
+	}
+
+        if ( $invalidchain ) {
+	    add_ijump $chainref, g => $invalid_target;
+	    %state = ();
+	} else {
+	    add_ijump $chainref, g => $invalid_target, state_imatch 'INVALID' if $invalid_target;
+	    delete $state{INVALID};
+	}
+    }
+
+    if ( keys %state && ! $config{FASTACCEPT} ) {
+	my @state;
+
+	for ( qw/ESTABLISHED RELATED/ ) {
+	    push @state, $_ if $state{$_};
+	}
+
+	add_ijump $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) if @state;
    }

    if ($sections{NEW} ) {
@ -939,6 +1003,8 @@ sub finish_section ( $ ) {

    if ( $section == RELATED_SECTION ) {
 	$function = \&related_chain;
+    } elsif ( $section == INVALID_SECTION ) {
+	$function = \&invalid_chain;
    } else {
 	$function = \&rules_chain;
    }
@ -2258,14 +2324,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    #
 	    $chainref = ensure_rules_chain $chain;
 	    #
-	    # Handle rules in the BLACKLIST and RELATED sections
+	    # Handle rules in the BLACKLIST, RELATED and INVALID sections
 	    #
-	    if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION ) ) {
+	    if ( $section & ( BLACKLIST_SECTION | RELATED_SECTION | INVALID_SECTION ) ) {
 		my $auxchain;
 		my $auxref;

 		if ( $blacklist ) {
 		    $auxchain = blacklist_chain( ${sourcezone}, ${destzone} );
+		} elsif ( $section == INVALID_SECTION ) {
+		    $auxchain = invalid_chain( ${sourcezone}, ${destzone} );
 		} else {
 		    $auxchain = related_chain( ${sourcezone}, ${destzone} );
 		}
@ -2280,6 +2348,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		    if ( $blacklist ) {
 			@state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
 			$auxref->{blacklistsection} = 1;
+		    } elsif ( $section == INVALID_SECTION ) {
+			@state = state_imatch( 'INVALID' );
 		    } else {
 			@state = state_imatch 'RELATED';
 		    };
@ -2369,7 +2439,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_headers( $headers ) ,
 		      do_condition( $condition , $chain ) ,
 		    );
-    } elsif ( $section == RELATED_SECTION ) {
+    } elsif ( $section & ( INVALID_SECTION | RELATED_SECTION ) ) {
 	$rule = join( '',
 		      do_proto($proto, $ports, $sports),
 		      do_ratelimit( $ratelimit, $basictarget ) ,
@ -2400,8 +2470,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	     $basictarget eq 'dropInvalid' ) {
 	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
-		$section == RELATED_SECTION && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )
-	    }
+		( $section & ( RELATED_SECTION | INVALID_SECTION ) ) && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} )
+	     }

 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} ESTABLISHED " if $section == ESTABLISHED_SECTION;
@ -2535,7 +2605,6 @@ sub process_section ($) {
    #
    fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
-    $sections{$sect} = 1;

    if ( $sect eq 'BLACKLIST' ) {
 	fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
@ -2544,9 +2613,14 @@ sub process_section ($) {
    } elsif ( $sect eq 'RELATED' ) {
 	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
 	finish_section 'ESTABLISHED';
-    } elsif ( $sect eq 'NEW' ) {
+    } elsif ( $sect eq 'INVALID' ) {
 	@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
+    } elsif ( $sect eq 'NEW' ) {
+	@sections{'ALL','ESTABLISHED','RELATED','INVALID','NEW'} = ( 1, 1, 1, 1, 1 );
+	finish_section ( ( $section == RELATED_SECTION ) ? 'RELATED,INVALID' : 
+			 ( $section == INVALID_SECTION ) ? 'INVALID' :
+			 'ESTABLISHED,RELATED,INVALID' );
    }

    $section = $section_map{$sect};
@ -2822,7 +2896,9 @@ sub process_rules( $ ) {

 	process_rule while read_a_line( NORMAL_READ );
    }
-
+    #
+    # No need to finish the NEW section since no rules need to be generated
+    #
    $section = DEFAULTACTION_SECTION;
 }

--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -23,6 +23,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@ -224,6 +226,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -34,6 +34,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@ -235,6 +237,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -32,6 +32,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@ -233,6 +235,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -35,6 +35,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@ -236,6 +238,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -23,6 +23,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@ -224,6 +226,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@ -81,8 +81,25 @@
          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
          REJECT, LOG and QUEUE</para>

-          <para>There is an implicit ACCEPT rule inserted at the end of this
-          section.</para>
+          <para>There is an implicit rule added at the end of this section
+          that invokes the RELATED_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INVALID</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the INVALID_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@ -197,6 +199,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@ -197,6 +199,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@ -197,6 +199,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@ -197,6 +199,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@ -197,6 +199,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@ -74,8 +74,25 @@
          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
          REJECT, LOG and QUEUE</para>

-          <para>There is an implicit ACCEPT rule inserted at the end of this
-          section.</para>
+          <para>There is an implicit rule added at the end of this section
+          that invokes the RELATED_DISPOSITION (<ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INVALID</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the INVALID_DISPOSITION (<ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>