diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index bd441fe07..88c61caa1 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1604,8 +1604,10 @@ sub process_secmark_rule() {
 O => 'tcout' ,
 );
 my %state = ( N => 'NEW' ,
+ NI => 'NEW,INVALID',
 E => 'ESTABLISHED' ,
- ER => 'ESTABLISHED,RELATED' );
+ ER => 'ESTABLISHED,RELATED',
+ );
 my ( $chain , $state, $rest) = split ':', $chainin , 3;
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 584350dc7..815e32516 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,6 +2,8 @@ Changes in Shorewall 4.4.20 Final
 1) Set /proc/sys/net/bridge/bridge_nf_call_ip6?tables.
+2) Add 'NI' STATE in secmarks.
+
 Changes in Shorewall 4.4.20 RC 1
 1) Update release documents.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index be673868a..e294563f4 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -253,6 +253,9 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 versions are available in the configfiles directory within the tarball.
+11) The STATE subcolumn of the secmarks file now allow the value 'NI'
+ which will match packets in either NEW or INVALID state.
+
 ----------------------------------------------------------------------------
 I V. R E L E A S E 4 . 4 H I G H L I G H T S
 ----------------------------------------------------------------------------
diff --git a/manpages/shorewall-secmarks.xml b/manpages/shorewall-secmarks.xml
index 30b24c60d..aaf94d650 100644
--- a/manpages/shorewall-secmarks.xml
+++ b/manpages/shorewall-secmarks.xml
@@ -90,7 +90,7 @@
 CHAIN:STATE -
- {P|I|F|O|T}[:{N|E|ER}]
+ {P|I|F|O|T}[:{N|NI|E|ER}]
 This column determines the CHAIN where the SElinux context is
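Review bot: The new `NI => 'NEW,INVALID'` entry extends the STATE lookup in `%state` without any comment saying what the hash is or that its keys are the public `{N|NI|E|ER}` syntax documented in the manpage hunks, so the next abbreviation added here can silently drift from the manpages; add above `my %state` a comment such as `# STATE subcolumn abbreviations -> Netfilter connection state list; keep keys in sync with shorewall-secmarks(5)`. Since INVALID covers packets conntrack could not associate with any connection, the comment (or the release note) could also say that a NI rule applies the SECMARK to such packets as well, which is the point of the new state but is easy to miss from the value string alone. The manpages6 hunk spells the new entry `:NI - New or INVALID connection` while the IPv4 manpage uses `NEW`; the two should agree. process_secmark_rule continues outside the hunk, so the lookup that consumes `%state` and rejects unknown abbreviations is not visible here.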
@@ -109,12 +109,14 @@
 It may be optionally followed by a colon and an indication of
- the connection state(s) at which the context is to be
+ the Netfilter connection state(s) at which the context is to be
 applied:
 :N - NEW connection
+ :NI - NEW or INVALID connection
+
 :E - ESTABLISHED connection
 :ER - ESTABLISHED or RELATED connection
diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml
index f580069d7..3c693ff9a 100644
--- a/manpages6/shorewall6-secmarks.xml
+++ b/manpages6/shorewall6-secmarks.xml
@@ -90,7 +90,7 @@
 CHAIN -
- {P|I|F|O|T}[:{N|E|ER}]
+ {P|I|F|O|T}[:{N|NI|E|ER}]
@@ -106,12 +106,14 @@
 It may be optionally followed by a colon and an indication of
- the connection state(s) at which the context is to be
+ the Netfilter connection state(s) at which the context is to be
 applied:
 :N - NEW connection
+ :NI - New or INVALID connection
+
 :E - ESTABLISHED connection
 :ER - ESTABLISHED or RELATED connection