iptables package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch

@@ -0,0 +1,61 @@
+From 12852e5c973ef9e5d33c1dc1a21c659f4dc6227b Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 15:28:07 +0200
+Subject: [PATCH] extensions: libxt_tcpmss: Detect invalid ranges
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1128510
+Upstream Status: iptables commit dbbab0aa328f1
+
+commit dbbab0aa328f136502373a1031e64eb53fa113e5
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Mon Oct 9 15:47:39 2017 +0200
+
+    extensions: libxt_tcpmss: Detect invalid ranges
+
+    Previously, an MSS range of e.g. 65535:1000 was silently accepted but
+    would then never match a packet since the kernel checks whether the MSS
+    value is greater than or equal to the first *and* less than or equal to
+    the second value.
+
+    Detect this as a parameter problem and update the man page accordingly.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ extensions/libxt_tcpmss.c   | 6 +++++-
+ extensions/libxt_tcpmss.man | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
+index c7c5971716294..bcd357aa3d8e2 100644
+--- a/extensions/libxt_tcpmss.c
++++ b/extensions/libxt_tcpmss.c
+@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb)
+ 	xtables_option_parse(cb);
+ 	mssinfo->mss_min = cb->val.u16_range[0];
+ 	mssinfo->mss_max = mssinfo->mss_min;
+-	if (cb->nvals == 2)
++	if (cb->nvals == 2) {
+ 		mssinfo->mss_max = cb->val.u16_range[1];
++		if (mssinfo->mss_max < mssinfo->mss_min)
++			xtables_error(PARAMETER_PROBLEM,
++				      "tcpmss: invalid range given");
++	}
+ 	if (cb->invert)
+ 		mssinfo->invert = 1;
+ }
+diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man
+index 8ee715cdbfb07..8253c363418f8 100644
+--- a/extensions/libxt_tcpmss.man
++++ b/extensions/libxt_tcpmss.man
+@@ -1,4 +1,4 @@
+ This matches the TCP MSS (maximum segment size) field of the TCP header.  You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
+ .TP
+ [\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
+-Match a given TCP MSS value or range.
++Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
+-- 
+2.17.0
+

SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch

@@ -0,0 +1,61 @@
+From a7da716205fb6009f665a4e91b28c7782cf47ce2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 16:34:48 +0200
+Subject: [PATCH] ip{,6}tables-restore: Don't accept wait-interval without wait
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit 21ba5b3874fb3
+
+commit 21ba5b3874fb3d0c4cccc9b59f65c8df575211e2
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Sep 20 19:34:36 2017 +0200
+
+    ip{,6}tables-restore: Don't accept wait-interval without wait
+
+    If -W <val> was given, error out if -w wasn't since that doesn't make
+    sense.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/ip6tables-restore.c | 5 +++++
+ iptables/iptables-restore.c  | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
+index 0f85fee3593d5..e2a82c57bd426 100644
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -271,6 +271,11 @@ int ip6tables_restore_main(int argc, char *argv[])
+ 	}
+ 	else in = stdin;
+ 
++	if (!wait_interval.tv_sec && !wait) {
++		fprintf(stderr, "Option --wait-interval requires option --wait\n");
++		exit(1);
++	}
++
+ 	/* Grab standard input. */
+ 	while (fgets(buffer, sizeof(buffer), in)) {
+ 		int ret = 0;
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 6d0df8d1c0f36..af0c79408631d 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -270,6 +270,11 @@ iptables_restore_main(int argc, char *argv[])
+ 	}
+ 	else in = stdin;
+ 
++	if (!wait_interval.tv_sec && !wait) {
++		fprintf(stderr, "Option --wait-interval requires option --wait\n");
++		exit(1);
++	}
++
+ 	/* Grab standard input. */
+ 	while (fgets(buffer, sizeof(buffer), in)) {
+ 		int ret = 0;
+-- 
+2.17.0
+

SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch

@@ -0,0 +1,42 @@
+From f5757357c0bb6b5df843d15b90f235190d3b4448 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 16:34:48 +0200
+Subject: [PATCH] ip{,6}tables-restore: Don't ignore missing wait-interval
+ value
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit 60e0ffd365a2d
+
+commit 60e0ffd365a2d936b3df13c1289b2ef57b756d92
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Sep 20 19:34:35 2017 +0200
+
+    ip{,6}tables-restore: Don't ignore missing wait-interval value
+
+    Passing -W without a value doesn't make sense so bail out if none was
+    given.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/xshared.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 3fbe3b1a99b77..b8a81fd968361 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -318,7 +318,7 @@ void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval)
+ 	else if (xs_has_arg(argc, argv))
+ 		arg = argv[optind++];
+ 	else
+-		return;
++		xtables_error(PARAMETER_PROBLEM, "wait interval value required");
+ 
+ 	ret = sscanf(arg, "%u", &usec);
+ 	if (ret == 1) {
+-- 
+2.17.0
+

SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch

@@ -0,0 +1,152 @@
+From 7450d63abf0608efba8d48858e54ff23f2179300 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 15:29:24 +0200
+Subject: [PATCH] iptables-restore/save: exit when given an unknown option
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit d89dc47ab3875
+Conflicts:
+ * Context changes in ip{6,}tables-restore.c
+ * xtables-{save,restore}.c not present here.
+
+commit d89dc47ab3875f6fe6679cebceccd2000bf81b8e
+Author: Vincent Bernat <vincent@bernat.im>
+Date:   Sat Apr 15 12:16:47 2017 +0200
+
+    iptables-restore/save: exit when given an unknown option
+
+    When an unknown option is given, iptables-restore should exit instead of
+    continue its operation. For example, if `--table` was misspelled, this
+    could lead to an unwanted change. Moreover, exit with a status code of
+    1. Make the same change for iptables-save.
+
+    OTOH, exit with a status code of 0 when requesting help.
+
+    Signed-off-by: Vincent Bernat <vincent@bernat.im>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/ip6tables-restore.c | 10 +++++-----
+ iptables/ip6tables-save.c    |  4 ++++
+ iptables/iptables-restore.c  | 10 +++++-----
+ iptables/iptables-save.c     |  4 ++++
+ 4 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
+index 0b8b95607febf..0f85fee3593d5 100644
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -48,8 +48,6 @@ static const struct option options[] = {
+ 	{NULL},
+ };
+ 
+-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
+-
+ #define prog_name ip6tables_globals.program_name
+ #define prog_vers ip6tables_globals.program_version
+ 
+@@ -66,8 +64,6 @@ static void print_usage(const char *name, const char *version)
+ 			"	   [ --wait-interval=<usecs>\n"
+ 			"	   [ --noflush ]\n"
+ 			"	   [ --modprobe=<command>]\n", name);
+-
+-	exit(1);
+ }
+ 
+ static struct xtc_handle *create_handle(const char *tablename)
+@@ -238,7 +234,7 @@ int ip6tables_restore_main(int argc, char *argv[])
+ 			case 'h':
+ 				print_usage("ip6tables-restore",
+ 					    IPTABLES_VERSION);
+-				break;
++				exit(0);
+ 			case 'n':
+ 				noflush = 1;
+ 				break;
+@@ -254,6 +250,10 @@ int ip6tables_restore_main(int argc, char *argv[])
+ 			case 'T':
+ 				tablename = optarg;
+ 				break;
++			default:
++				fprintf(stderr,
++					"Try `ip6tables-restore -h' for more information.\n");
++				exit(1);
+ 		}
+ 	}
+ 
+diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
+index 3a1ded162fad1..a64d169fc1211 100644
+--- a/iptables/ip6tables-save.c
++++ b/iptables/ip6tables-save.c
+@@ -157,6 +157,10 @@ int ip6tables_save_main(int argc, char *argv[])
+ 		case 'd':
+ 			do_output(tablename);
+ 			exit(0);
++		default:
++			fprintf(stderr,
++				"Look at manual page `ip6tables-save.8' for more information.\n");
++			exit(1);
+ 		}
+ 	}
+ 
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 7aab1e78d7e0e..6d0df8d1c0f36 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -45,8 +45,6 @@ static const struct option options[] = {
+ 	{NULL},
+ };
+ 
+-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
+-
+ #define prog_name iptables_globals.program_name
+ #define prog_vers iptables_globals.program_version
+ 
+@@ -64,8 +62,6 @@ static void print_usage(const char *name, const char *version)
+ 			"	   [ --wait-interval=<usecs>\n"
+ 			"	   [ --table=<TABLE> ]\n"
+ 			"	   [ --modprobe=<command>]\n", name);
+-
+-	exit(1);
+ }
+ 
+ static struct xtc_handle *create_handle(const char *tablename)
+@@ -237,7 +233,7 @@ iptables_restore_main(int argc, char *argv[])
+ 			case 'h':
+ 				print_usage("iptables-restore",
+ 					    IPTABLES_VERSION);
+-				break;
++				exit(0);
+ 			case 'n':
+ 				noflush = 1;
+ 				break;
+@@ -253,6 +249,10 @@ iptables_restore_main(int argc, char *argv[])
+ 			case 'T':
+ 				tablename = optarg;
+ 				break;
++			default:
++				fprintf(stderr,
++					"Try `iptables-restore -h' for more information.\n");
++				exit(1);
+ 		}
+ 	}
+ 
+diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
+index 21f8839e8cd82..87bc885735dc3 100644
+--- a/iptables/iptables-save.c
++++ b/iptables/iptables-save.c
+@@ -156,6 +156,10 @@ iptables_save_main(int argc, char *argv[])
+ 		case 'd':
+ 			do_output(tablename);
+ 			exit(0);
++		default:
++			fprintf(stderr,
++				"Look at manual page `iptables-save.8' for more information.\n");
++			exit(1);
+ 		}
+ 	}
+ 
+-- 
+2.17.0
+

SOURCES/iptables.init

@@ -71,6 +71,17 @@ NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
 # Get active tables
 NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
 
+# Prepare commands for wait options
+IPTABLES_CMD="$IPTABLES"
+IPTABLES_RESTORE_CMD="$IPTABLES-restore"
+if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+	OPT="--wait ${IPTABLES_RESTORE_WAIT}"
+	if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+	    OPT+=" --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+	fi
+	IPTABLES_CMD+=" $OPT"
+	IPTABLES_RESTORE_CMD+=" $OPT"
+fi
 
 rmmod_r() {
     # Unload module with all referring modules.
@@ -105,6 +116,8 @@ rmmod_r() {
 }
 
 flush_n_delete() {
+    local ret=0
+
     # Flush firewall rules and delete chains.
     [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
 
@@ -112,19 +125,18 @@ flush_n_delete() {
     [ -z "$NF_TABLES" ] && return 1
 
     echo -n $"${IPTABLES}: Flushing firewall rules: "
-    ret=0
     # For all tables
     for i in $NF_TABLES; do
         # Flush firewall rules.
-	$IPTABLES -t $i -F;
+	$IPTABLES_CMD -t $i -F;
 	let ret+=$?;
 
         # Delete firewall chains.
-	$IPTABLES -t $i -X;
+	$IPTABLES_CMD -t $i -X;
 	let ret+=$?;
 
 	# Set counter to zero.
-	$IPTABLES -t $i -Z;
+	$IPTABLES_CMD -t $i -Z;
 	let ret+=$?;
     done
 
@@ -134,6 +146,8 @@ flush_n_delete() {
 }
 
 set_policy() {
+    local ret=0
+
     # Set policy for configured tables.
     policy=$1
 
@@ -145,35 +159,37 @@ set_policy() {
     [ -z "$tables" ] && return 1
 
     echo -n $"${IPTABLES}: Setting chains to policy $policy: "
-    ret=0
     for i in $tables; do
 	echo -n "$i "
 	case "$i" in
 	    raw)
-		$IPTABLES -t raw -P PREROUTING $policy \
-		    && $IPTABLES -t raw -P OUTPUT $policy \
+		$IPTABLES_CMD -t raw -P PREROUTING $policy \
+		    && $IPTABLES_CMD -t raw -P OUTPUT $policy \
 		    || let ret+=1
 		;;
 	    filter)
-                $IPTABLES -t filter -P INPUT $policy \
-		    && $IPTABLES -t filter -P OUTPUT $policy \
-		    && $IPTABLES -t filter -P FORWARD $policy \
+                $IPTABLES_CMD -t filter -P INPUT $policy \
+		    && $IPTABLES_CMD -t filter -P OUTPUT $policy \
+		    && $IPTABLES_CMD -t filter -P FORWARD $policy \
 		    || let ret+=1
 		;;
 	    nat)
-		$IPTABLES -t nat -P PREROUTING $policy \
-		    && $IPTABLES -t nat -P POSTROUTING $policy \
-		    && $IPTABLES -t nat -P OUTPUT $policy \
+		$IPTABLES_CMD -t nat -P PREROUTING $policy \
+		    && $IPTABLES_CMD -t nat -P POSTROUTING $policy \
+		    && $IPTABLES_CMD -t nat -P OUTPUT $policy \
 		    || let ret+=1
 		;;
 	    mangle)
-	        $IPTABLES -t mangle -P PREROUTING $policy \
-		    && $IPTABLES -t mangle -P POSTROUTING $policy \
-		    && $IPTABLES -t mangle -P INPUT $policy \
-		    && $IPTABLES -t mangle -P OUTPUT $policy \
-		    && $IPTABLES -t mangle -P FORWARD $policy \
+	        $IPTABLES_CMD -t mangle -P PREROUTING $policy \
+		    && $IPTABLES_CMD -t mangle -P POSTROUTING $policy \
+		    && $IPTABLES_CMD -t mangle -P INPUT $policy \
+		    && $IPTABLES_CMD -t mangle -P OUTPUT $policy \
+		    && $IPTABLES_CMD -t mangle -P FORWARD $policy \
 		    || let ret+=1
 		;;
+	    security)
+	        # Ignore the security table
+	        ;;
 	    *)
 	        let ret+=1
 		;;
@@ -186,10 +202,11 @@ set_policy() {
 }
 
 load_sysctl() {
+    local ret=0
+
     # load matched sysctl values
     if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
         echo -n $"Loading sysctl settings: "
-        ret=0
         for item in $IPTABLES_SYSCTL_LOAD_LIST; do
             fgrep -hs $item /etc/sysctl.d/* | sysctl -p - >/dev/null
             let ret+=$?;
@@ -201,6 +218,8 @@ load_sysctl() {
 }
 
 start() {
+    local ret=0
+
     # Do not start if there is no config file.
     if [ ! -f "$IPTABLES_DATA" ]; then
 	echo -n $"${IPTABLES}: No config file."; warning; echo
@@ -218,21 +237,15 @@ start() {
 
     OPT=
     [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
-    if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
-	OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
-	if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
-	    OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
-	fi
-    fi
 
-    $IPTABLES-restore $OPT $IPTABLES_DATA
+    $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
     if [ $? -eq 0 ]; then
 	success; echo
     else
 	failure; echo;
 	if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
 	    echo -n $"${IPTABLES}: Applying firewall fallback rules: "
-	    $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
+	    $IPTABLES_RESTORE_CMD $OPT $IPTABLES_FALLBACK_DATA
 	    if [ $? -eq 0 ]; then
 		success; echo
 	    else
@@ -246,7 +259,6 @@ start() {
     # Load additional modules (helpers)
     if [ -n "$IPTABLES_MODULES" ]; then
 	echo -n $"${IPTABLES}: Loading additional modules: "
-	ret=0
 	for mod in $IPTABLES_MODULES; do
 	    echo -n "$mod "
 	    modprobe $mod > /dev/null 2>&1
@@ -264,6 +276,8 @@ start() {
 }
 
 stop() {
+    local ret=0
+
     # Do not stop if iptables module is not loaded.
     [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
 
@@ -271,23 +285,26 @@ stop() {
     # on systems where the default policy is DROP and root device is
     # network-based (i.e.: iSCSI, NFS)
     set_policy ACCEPT
+    let ret+=$?
     # And then, flush the rules and delete chains
     flush_n_delete
+    let ret+=$?
     
     if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
 	echo -n $"${IPTABLES}: Unloading modules: "
-	ret=0
+	ret2=0
 	for mod in ${NF_MODULES[*]}; do
 	    rmmod_r $mod
-	    let ret+=$?;
+	    let ret2+=$?;
 	done
 	# try to unload remaining netfilter modules used by ipv4 and ipv6 
 	# netfilter
 	for mod in ${NF_MODULES_COMMON[*]}; do
 	    rmmod_r $mod >/dev/null
 	done
-	[ $ret -eq 0 ] && success || failure
+	[ $ret2 -eq 0 ] && success || failure
 	echo
+        let ret+=$ret2
     fi
     
     rm -f $VAR_SUBSYS_IPTABLES
@@ -295,6 +312,8 @@ stop() {
 }
 
 save() {
+    local ret=0
+
     # Check if iptable module is loaded
     if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
 	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
@@ -312,7 +331,6 @@ save() {
     OPT=
     [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
 
-    ret=0
     TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
 	&& chmod 600 "$TMP_FILE" \
 	&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
@@ -374,6 +392,8 @@ status() {
 }
 
 reload() {
+    local ret=0
+
     # Do not reload if there is no config file.
     if [ ! -f "$IPTABLES_DATA" ]; then
 	echo -n $"${IPTABLES}: No config file."; warning; echo
@@ -391,14 +411,8 @@ reload() {
 
     OPT=
     [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
-    if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
-	OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
-	if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
-	    OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
-	fi
-    fi
 
-    $IPTABLES-restore $OPT $IPTABLES_DATA
+    $IPTABLES_RESTORE_CMD $OPT $IPTABLES_DATA
     if [ $? -eq 0 ]; then
 	success; echo
     else
@@ -408,7 +422,6 @@ reload() {
     # Load additional modules (helpers)
     if [ -n "$IPTABLES_MODULES" ]; then
 	echo -n $"${IPTABLES}: Loading additional modules: "
-	ret=0
 	for mod in $IPTABLES_MODULES; do
 	    echo -n "$mod "
 	    modprobe $mod > /dev/null 2>&1

SOURCES/iptables.service.in

@@ -0,0 +1,18 @@
+[Unit]
+Description=IPv4 firewall with iptables
+After=syslog.target
+AssertPathExists=/etc/sysconfig/iptables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=basic.target

SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch

@@ -0,0 +1,145 @@
+From 77ff3d215f2a28a9ffc9fe1943c7f2b12d5e4f69 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 5 Jun 2018 14:49:54 +0200
+Subject: [PATCH 2/2] utils: Add a man page for nfnl_osf
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331
+Upstream Status: iptables commit af468b6e7f35d
+
+commit af468b6e7f35db09af10ae4ec65cc7803180a4b4
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Sep 20 18:54:09 2017 +0200
+
+    utils: Add a man page for nfnl_osf
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ configure.ac        |  3 +-
+ utils/.gitignore    |  1 +
+ utils/Makefile.am   |  4 +++
+ utils/nfnl_osf.8.in | 67 +++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 74 insertions(+), 1 deletion(-)
+ create mode 100644 utils/nfnl_osf.8.in
+
+diff --git a/configure.ac b/configure.ac
+index af710cf5481c0..9046633ce5a4d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -173,7 +173,8 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
+ 	libiptc/Makefile libiptc/libiptc.pc
+ 	libiptc/libip4tc.pc libiptc/libip6tc.pc
+ 	libxtables/Makefile utils/Makefile
+-	include/xtables-version.h include/iptables/internal.h])
++	include/xtables-version.h include/iptables/internal.h
++	utils/nfnl_osf.8])
+ AC_OUTPUT
+ 
+ 
+diff --git a/utils/.gitignore b/utils/.gitignore
+index 216d1e4a621ed..7c6afbf4e6a52 100644
+--- a/utils/.gitignore
++++ b/utils/.gitignore
+@@ -1,2 +1,3 @@
+ /nfnl_osf
++/nfnl_osf.8
+ /nfbpf_compile
+diff --git a/utils/Makefile.am b/utils/Makefile.am
+index c4192a9e73688..80029e303ff3b 100644
+--- a/utils/Makefile.am
++++ b/utils/Makefile.am
+@@ -6,8 +6,10 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \
+ 
+ sbin_PROGRAMS =
+ pkgdata_DATA =
++man_MANS =
+ 
+ if HAVE_LIBNFNETLINK
++man_MANS += nfnl_osf.8
+ sbin_PROGRAMS += nfnl_osf
+ pkgdata_DATA += pf.os
+ 
+@@ -23,3 +25,5 @@ if ENABLE_SYNCONF
+ sbin_PROGRAMS += nfsynproxy
+ nfsynproxy_LDADD = -lpcap
+ endif
++
++CLEANFILES = nfnl_osf.8
+diff --git a/utils/nfnl_osf.8.in b/utils/nfnl_osf.8.in
+new file mode 100644
+index 0000000000000..140b5c3f99a42
+--- /dev/null
++++ b/utils/nfnl_osf.8.in
+@@ -0,0 +1,67 @@
++.TH NFNL_OSF 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
++
++.SH NAME
++nfnl_osf \- OS fingerprint loader utility
++.SH SYNOPSIS
++
++.ad l
++.in +8
++.ti -8
++.B nfnl_osf
++.BI -f " fingerprints"
++[
++.B -d
++]
++
++.SH DESCRIPTION
++The
++.B nfnl_osf
++utility allows to load a set of operating system signatures into the kernel for
++later matching against using iptables'
++.B osf
++match.
++
++.SH OPTIONS
++
++.TP
++.BI -f " fingerprints"
++Read signatures from file
++.IR fingerprints .
++
++.TP
++.B -d
++Instead of adding the signatures from
++.I fingerprints
++into the kernel, remove them.
++
++.SH EXIT STATUS
++Exit status is 0 if command succeeded, otherwise a negative return code
++indicates the type of error which happened:
++
++.TP
++.B -1
++Illegal arguments passed, fingerprints file not readable or failure in netlink
++communication.
++
++.TP
++.B -ENOENT
++Fingerprints file not specified.
++
++.TP
++.B -EINVAL
++Netlink handle initialization failed or fingerprints file format invalid.
++
++.SH FILES
++
++An up to date set of operating system signatures can be downloaded from
++http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
++
++.SH SEE ALSO
++
++The description of
++.B osf
++match in
++.BR iptables-extensions (8)
++contains further information about the topic as well as example
++.B nfnl_osf
++invocations.
+-- 
+2.17.0
+

SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch

@@ -0,0 +1,43 @@
+From 89c09c279e53abd66a7ca9b0dd8d2c2a5c8f2d9d Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 5 Jun 2018 14:49:54 +0200
+Subject: [PATCH 1/2] utils: nfnl_osf: Fix synopsis in help text
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331
+Upstream Status: iptables commit 1773dcaabb738
+
+commit 1773dcaabb73884666d30b926677f8232e5c04b3
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Sep 20 18:54:08 2017 +0200
+
+    utils: nfnl_osf: Fix synopsis in help text
+
+    * -d is optional
+    * -h is not really a flag, just anything not recognized triggers the
+      help output.
+    * That '<del rules>' bit is rather confusing than helpful.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ utils/nfnl_osf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
+index bb5f92dc6d0aa..972128f47ba04 100644
+--- a/utils/nfnl_osf.c
++++ b/utils/nfnl_osf.c
+@@ -438,7 +438,7 @@ int main(int argc, char *argv[])
+ 				break;
+ 			default:
+ 				fprintf(stderr,
+-					"Usage: %s -f fingerprints -d <del rules> -h\n",
++					"Usage: %s -f fingerprints [-d]\n",
+ 					argv[0]);
+ 				return -1;
+ 		}
+-- 
+2.17.0
+

SPECS/iptables.spec

@@ -7,11 +7,11 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.4.21
-Release: 24%{?dist}
+Release: 28%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
-Source3: iptables.service
+Source3: iptables.service.in
 Source4: iptables.save-legacy
 Source5: sysconfig_iptables
 Source6: sysconfig_ip6tables
@@ -33,6 +33,12 @@ Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch
 Patch14: iptables-do_not_set_changed_for_check_options.patch
 Patch15: iptables-1.4.21-restore_version.patch
 Patch16: iptables-1.4.21-restore_wait_man.patch
+Patch17: extensions-libxt_tcpmss-Detect-invalid-ranges.patch
+Patch18: iptables-restore-save-exit-when-given-an-unknown-opt.patch
+Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch
+Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch
+Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch
+Patch22: utils-Add-a-man-page-for-nfnl_osf.patch
 
 Group: System Environment/Base
 URL: http://www.netfilter.org/
@@ -115,6 +121,12 @@ Currently only provides nfnl_osf with the pf.os database.
 %patch14 -p1 -b .do_not_set_changed_for_check_options
 %patch15 -p1 -b .restore_version
 %patch16 -p1 -b .restore_wait_man
+%patch17 -p1 -b .tcpmss_detect_invalid_ranges
+%patch18 -p1 -b .exit_unknown_option
+%patch19 -p1 -b .require_wait_value
+%patch20 -p1 -b .wait_interval_needs_wait
+%patch21 -p1 -b .nfnl_osf_synopsis
+%patch22 -p1 -b .nfnl_osf_man_page
 
 %build
 # Since patches above touch configure.ac we must regen configure
@@ -164,8 +176,9 @@ sed -e 's;iptables;ip6tables;g' \
     -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \
     -e 's;^\(After=.*\)$;\1 iptables.service;' \
     < %{SOURCE3} > ip6tables.service
-sed -i -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' %{SOURCE3}
-install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}
+sed -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' \
+    < %{SOURCE3} > iptables.service
+install -c -m 644 iptables.service %{buildroot}/%{_unitdir}
 install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}
 
 # install legacy actions for service command
@@ -273,9 +286,28 @@ done
 %{_sbindir}/nfnl_osf
 %dir %{_datadir}/xtables
 %{_datadir}/xtables/pf.os
+%{_mandir}/man8/nfnl_osf*
 
 
 %changelog
+* Tue Jun 05 2018 Phil Sutter - 1.4.21-28
+- Add nfnl_osf.8 man page (RHBZ#1487331)
+
+* Fri May 11 2018 Phil Sutter - 1.4.21-27
+- libxt_tcpmss: Detect invalid ranges (RHBZ#1128510)
+- ip(6)tables-save/restore: Exit if invalid option was given (RHBZ#1465078)
+- ip(6)tables-save/restore: Require value to -W option (RHBZ#1465078)
+- ip(6)tables-save/restore: Don't accept -W without -w (RHBZ#1465078)
+- Ignore security table when setting policies (RHBZ#1494012)
+- Fix spec file changing SRPM content (RHBZ#1531290)
+
+* Thu Mar 29 2018 Phil Sutter - 1.4.21-26
+- Avoid overwriting parent's return code (RHBZ#1560012)
+
+* Thu Mar 29 2018 Phil Sutter - 1.4.21-25
+- Fix for stopping iptables and ip6tables at the same time (RHBZ#1560012)
+- Propagate errors on service stop (RHBZ#1560012)
+
 * Fri Nov 17 2017 Phil Sutter - 1.4.21-24
 - Fix fgrep call over multiple files in iptables.init