diff --git a/STABLE2/action.Drop b/STABLE2/action.Drop
index 04feb4ce7..721a46126 100644
--- a/STABLE2/action.Drop
+++ b/STABLE2/action.Drop
@@ -8,6 +8,7 @@
 # PORT PORT(S) LIMIT GROUP
 RejectAuth
 dropBcast
+dropInvalid
 DropSMB
 DropUPnP
 dropNotSyn
diff --git a/STABLE2/action.Reject b/STABLE2/action.Reject
index 1799ecc6c..8cfd666ec 100644
--- a/STABLE2/action.Reject
+++ b/STABLE2/action.Reject
@@ -8,6 +8,7 @@
 # PORT PORT(S) LIMIT GROUP
 RejectAuth
 dropBcast
+dropInvalid
 RejectSMB
 DropUPnP
 dropNotSyn
diff --git a/STABLE2/actions.std b/STABLE2/actions.std
index b762d2730..99515bd83 100644
--- a/STABLE2/actions.std
+++ b/STABLE2/actions.std
@@ -10,6 +10,8 @@
 # logNonSyn #Log Non-syn TCP packets with disposition LOG
 # dLogNonSyn #Log Non-syn TCP packets with disposition DROP
 # rLogNonSyn #Log Non-syn TCP packets with disposition REJECT
+# dropInvalid #Silently Drop packets that are in the INVALID
+# #conntrack state.
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index 4613615a2..ead43ac31 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -29,5 +29,5 @@ Change in 2.0.6
 3) Don't give shorewall.conf and zones execute permission.
-
+4) Backport 'dropInvalid' from 2.1
diff --git a/STABLE2/firewall b/STABLE2/firewall
index dd25563b8..b3e1116a8 100755
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@@ -2790,7 +2790,7 @@ createactionchain() # $1 = chain name
 process_actions1() {
- ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
+ ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn dropInvalid"
 USEDACTIONS=
 strip_file actions
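Review bot: The ACTIONS string in process_actions1() is the whitelist of builtin action names and has to agree with the case arms in process_actions2(), but nothing at the assignment records that coupling, so a future backport can easily add a name on one side only. A comment above the line, `# Builtin actions; each name needs a matching case arm in process_actions2()`, would make the dependency visible where the list is edited. process_actions1() continues past the end of the hunk.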
@@ -2973,6 +2973,9 @@ process_actions2() {
 dLogNotSyn)
 log_action dLogNotSyn DROP
 ;;
+ dropInvalid)
+ [ "$COMMAND" != check ] && run_iptables -A dropInvalid -m state --state INVALID -j DROP
+ ;;
 *)
 f=action.$xaction
 fn=$(find_file $f)
diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt
index 5dbfedf7b..f2496bad2 100644
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@@ -23,9 +23,20 @@ Problems Corrected in version 2.0.6
 Netfilter failing to match certain broadcast packets. The result is that the firewall log shows a lot of broadcast packets.
- Users experiencing this problem can use PKTTYPE=No in
+ Other users have complained of the following message when
+ starting Shorewall:
+
+ modprobe: cant locate module ipt_pkttype
+
+ Users experiencing either of these problems can use PKTTYPE=No in
 shorewall.conf to cause Shorewall to use IP address filtering of broadcasts rather than packet type.
 2) The shorewall.conf and zones file are no longer given execute permission by the installer script.
+
+3) ICMP packets that are in the INVALID state are now dropped by the
+ Reject and Drop default actions. They do so using the new
+ 'dropInvalid' builtin action.
+
+
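Review bot: The added rule `run_iptables -A dropInvalid -m state --state INVALID -j DROP` carries no protocol match and so drops INVALID packets of every protocol, while the release note in this same commit says the new builtin drops ICMP packets in the INVALID state; the actions.std text ("Silently Drop packets that are in the INVALID conntrack state") agrees with the rule, so the release note should be widened to match, or, if ICMP-only was the intent, the rule needs `-p icmp`. The arm also depends on the conntrack state match being available at start time and does not check for it, so on a kernel without it the builtin will presumably fail inside run_iptables rather than being skipped; a comment such as `# needs the conntrack state match; fails at start time if it is absent` would at least record the dependency next to the rule. The enclosing case statement and process_actions2() both start and end outside the hunk.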