diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index 03dca0a80..ae1c02781 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -80,7 +80,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
# Netfilter development list
#
$action = 'CT --notrack' if have_capability 'CT_TARGET';
- } else {
+ } elsif ( $action ne 'DROP' ) {
( $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
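Review bot: The new `elsif ( $action ne 'DROP' )` makes DROP an implicit no-op case with no branch of its own, so nothing in this hunk shows what `$target` holds when the rule is a DROP. The function body starts and ends outside the hunk, so I am assuming `$target` is initialised from `$action` before this chain; that is worth confirming, because otherwise a DROP entry would reach rule generation without a target. A short comment above the condition would make the intent explicit, for example `# DROP takes no CT options and needs no CT_TARGET capability; $action is used as supplied`. Because the comparison is an exact string match, variants such as `DROP:x` still reach the split and are rejected with "Invalid notrack ACTION", which looks like the desired behaviour.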
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 33289134e..c9fe273d7 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -67,8 +67,8 @@
This column is only present when FORMAT = 2. Values other than
- NOTRACK require CT Target support in your
- iptables and kernel.
+ NOTRACK or DROP require CT Target support in
+ your iptables and kernel.
@@ -78,6 +78,13 @@
Disables connection tracking for this packet.
+
+
+
+ Added in Shorewall 4.5.10. Silently discard the
+ packet.
+
+
:name
@@ -143,6 +150,14 @@
+
+
+
+
+
+
+
+
sane
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index a1eab9dd5..b2087c337 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -77,6 +77,13 @@
Disables connection tracking for this packet.
+
+ DROP
+
+ Added in Shorewall 4.5.10. Silently discard the
+ packet.
+
+
:name