initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
9 months ago · fc247bc667
21 changed files with 4123 additions and 0 deletions
--- a/SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
+++ b/SOURCES/0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
@ -0,0 +1,334 @@
				@@ -0,0 +1,334 @@
+From 7ef75f20c338d0f09b50633aa0d5d83c868015ab Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Thu, 17 Jun 2021 18:44:28 +0200
+Subject: [PATCH] doc: Add deprecation notices to all relevant man pages
+
+This is RHEL9 trying to friendly kick people towards nftables.
+---
+ iptables/arptables-nft-restore.8       | 13 ++++++++++++-
+ iptables/arptables-nft-save.8          | 14 +++++++++++++-
+ iptables/arptables-nft.8               | 19 ++++++++++++++++++-
+ iptables/ebtables-nft.8                | 15 ++++++++++++++-
+ iptables/iptables-apply.8.in           | 14 +++++++++++++-
+ iptables/iptables-extensions.8.tmpl.in | 14 ++++++++++++++
+ iptables/iptables-restore.8.in         | 17 ++++++++++++++++-
+ iptables/iptables-save.8.in            | 15 ++++++++++++++-
+ iptables/iptables.8.in                 | 17 +++++++++++++++++
+ iptables/xtables-monitor.8.in          | 11 +++++++++++
+ 10 files changed, 142 insertions(+), 7 deletions(-)
+
+diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8
+index 09d9082cf9fd3..b1bf02998f9cc 100644
+--- a/iptables/arptables-nft-restore.8
+++ b/iptables/arptables-nft-restore.8
+@@ -24,6 +24,17 @@ arptables-restore \- Restore ARP Tables (nft-based)
+ .SH SYNOPSIS
+ \fBarptables\-restore
+ .SH DESCRIPTION
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+ .PP
+ .B arptables-restore
+ is used to restore ARP Tables from data specified on STDIN or
+@@ -35,5 +46,5 @@ flushes (deletes) all previous contents of the respective ARP Table.
+ .SH AUTHOR
+ Jesper Dangaard Brouer <brouer@redhat.com>
+ .SH SEE ALSO
+-\fBarptables\-save\fP(8), \fBarptables\fP(8)
+\fBarptables\-save\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
+ .PP
+diff --git a/iptables/arptables-nft-save.8 b/iptables/arptables-nft-save.8
+index 905e59854cc28..49bb0f6260f2f 100644
+--- a/iptables/arptables-nft-save.8
+++ b/iptables/arptables-nft-save.8
+@@ -27,6 +27,18 @@ arptables-save \- dump arptables rules to stdout (nft-based)
+ \fBarptables\-save\fP [\fB\-V\fP]
+ .SH DESCRIPTION
+ .PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
+ .B arptables-save
+ is used to dump the contents of an ARP Table in easily parseable format
+ to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+@@ -43,5 +55,5 @@ Print version information and exit.
+ .SH AUTHOR
+ Jesper Dangaard Brouer <brouer@redhat.com>
+ .SH SEE ALSO
+-\fBarptables\-restore\fP(8), \fBarptables\fP(8)
+\fBarptables\-restore\fP(8), \fBarptables\fP(8), \fBnft\fP(8)
+ .PP
+diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8
+index ea31e0842acd4..ec5b993a41e8b 100644
+--- a/iptables/arptables-nft.8
+++ b/iptables/arptables-nft.8
+@@ -39,6 +39,19 @@ arptables \- ARP table administration (nft-based)
+ .BR "arptables " [ "-t table" ] " -P chain target " [ options ]
+ 
+ .SH DESCRIPTION
+.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
+ .B arptables
+ is a user space tool, it is used to set up and maintain the
+ tables of ARP rules in the Linux kernel. These rules inspect
+@@ -340,9 +353,13 @@ bridges, the same may be achieved using
+ chain in
+ .BR ebtables .
+ 
+This tool is deprecated in Red Hat Enterprise Linux. It is maintenance only and
+will not receive new features. New setups should use \fBnft\fP(8). Existing
+setups should migrate to \fBnft\fP(8) when possible.
+
+ .SH MAILINGLISTS
+ .BR "" "See " http://netfilter.org/mailinglists.html
+ .SH SEE ALSO
+-.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip "(8), " nft (8)
+ .PP
+ .BR "" "See " https://wiki.nftables.org
+diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
+index d75aae240bc05..ed1bf8f2db55b 100644
+--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
+@@ -46,6 +46,19 @@ ebtables \- Ethernet bridge frame table administration (nft-based)
+ .br
+ 
+ .SH DESCRIPTION
+.PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
+ .B ebtables
+ is an application program used to set up and maintain the
+ tables of rules (inside the Linux kernel) that inspect
+@@ -1069,6 +1082,6 @@ has not been implemented, although
+ might replace them entirely given the inherent atomicity of nftables.
+ Finally, this list is probably not complete.
+ .SH SEE ALSO
+-.BR xtables-nft "(8), " iptables "(8), " ip (8)
+.BR xtables-nft "(8), " iptables "(8), " ip "(8), " nft (8)
+ .PP
+ .BR "" "See " https://wiki.nftables.org
+diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
+index f0ed4e5f8d450..7f99a21ed2b61 100644
+--- a/iptables/iptables-apply.8.in
+++ b/iptables/iptables-apply.8.in
+@@ -11,6 +11,18 @@ iptables-apply \- a safer way to update iptables remotely
+ \fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
+ .SH "DESCRIPTION"
+ .PP
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
+ iptables\-apply will try to apply a new rulesfile (as output by
+ iptables-save, read by iptables-restore) or run a command to configure
+ iptables and then prompt the user whether the changes are okay. If the
+@@ -47,7 +59,7 @@ Display usage information.
+ Display version information.
+ .SH "SEE ALSO"
+ .PP
+-\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
+\fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8), \fBnft\fP(8).
+ .SH LEGALESE
+ .PP
+ Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
+diff --git a/iptables/iptables-extensions.8.tmpl.in b/iptables/iptables-extensions.8.tmpl.in
+index 99d89a1fe44ad..73d40bbfe9c52 100644
+--- a/iptables/iptables-extensions.8.tmpl.in
+++ b/iptables/iptables-extensions.8.tmpl.in
+@@ -7,6 +7,20 @@ iptables-extensions \(em list of extensions in the standard iptables distributio
+ .PP
+ \fBiptables\fP [\fB\-m\fP \fIname\fP [\fImodule-options\fP...]]
+ [\fB\-j\fP \fItarget-name\fP [\fItarget-options\fP...]
+.SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
+to help with the migration.
+ .SH MATCH EXTENSIONS
+ iptables can use extended packet matching modules
+ with the \fB\-m\fP or \fB\-\-match\fP
+diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
+index 20216842d8358..8f4811c72f2ec 100644
+--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
+@@ -31,6 +31,19 @@ ip6tables-restore \(em Restore IPv6 Tables
+ [\fB\-W\fP \fIusecs\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP]
+ [\fBfile\fP]
+ .SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-restore\-translate (8)/ ip6tables\-restore\-translate (8)
+to help with the migration.
+ .PP
+ .B iptables-restore
+ and
+@@ -81,7 +94,9 @@ from Rusty Russell.
+ .br
+ Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
+ .SH SEE ALSO
+-\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8),
+\fBnft\fP(8), \fBiptables\-restore\-translate\fP(8),
+\fBip6tables\-restore\-translate\fP(8)
+ .PP
+ The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+ which details NAT, and the netfilter-hacking-HOWTO which details the
+diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
+index 7683fd3780f72..6fe50b2d446e5 100644
+--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
+@@ -30,6 +30,18 @@ ip6tables-save \(em dump iptables rules
+ [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+ .SH DESCRIPTION
+ .PP
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+.PP
+ .B iptables-save
+ and
+ .B ip6tables-save
+@@ -62,7 +74,8 @@ Rusty Russell <rusty@rustcorp.com.au>
+ .br
+ Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
+ .SH SEE ALSO
+-\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8),
+\fBnft\fP(8)
+ .PP
+ The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+ which details NAT, and the netfilter-hacking-HOWTO which details the
+diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
+index 627ff0e4da7a4..a8b31206d45b2 100644
+--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
+@@ -55,6 +55,20 @@ match = \fB\-m\fP \fImatchname\fP [\fIper-match-options\fP]
+ .PP
+ target = \fB\-j\fP \fItargetname\fP [\fIper\-target\-options\fP]
+ .SH DESCRIPTION
+These tools are
+.B deprecated
+in Red Hat Enterprise Linux. They are maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details. There is also
+.BR iptables\-translate (8)/ ip6tables\-translate (8)
+to help with the migration.
+.PP
+ \fBIptables\fP and \fBip6tables\fP are used to set up, maintain, and inspect the
+ tables of IPv4 and IPv6 packet
+ filter rules in the Linux kernel.  Several different tables
+@@ -447,6 +461,9 @@ There are several other changes in iptables.
+ \fBiptables\-save\fP(8),
+ \fBiptables\-restore\fP(8),
+ \fBiptables\-extensions\fP(8),
+\fBnft\fP(8),
+\fBiptables\-translate\fP(8),
+\fBip6tables\-translate\fP(8)
+ .PP
+ The packet-filtering-HOWTO details iptables usage for
+ packet filtering, the NAT-HOWTO details NAT,
+diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
+index a7f22c0d8c08e..e21d7ff23035f 100644
+--- a/iptables/xtables-monitor.8.in
+++ b/iptables/xtables-monitor.8.in
+@@ -6,6 +6,17 @@ xtables-monitor \(em show changes to rule set and trace-events
+ .PP
+ \
+ .SH DESCRIPTION
+This tool is
+.B deprecated
+in Red Hat Enterprise Linux. It is maintenance only and will not receive new
+features. New setups should use
+.BR nft (8).
+Existing setups should migrate to
+.BR nft (8)
+when possible. See
+.UR https://red.ht/nft_your_tables
+.UE
+for details.
+ .PP
+ .B xtables-monitor
+ is used to monitor changes to the ruleset or to show rule evaluation events
+-- 
+2.34.1
+
--- a/SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
+++ b/SOURCES/0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
@ -0,0 +1,26 @@
				@@ -0,0 +1,26 @@
+From 231626933e5fd54b8d9e66dfc9a8a374a9192121 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 16 Jul 2021 21:51:49 +0200
+Subject: [PATCH] extensions: SECMARK: Use a better context in test case
+
+RHEL SELinux policies don't allow setting
+system_u:object_r:firewalld_exec_t:s0 context. Use one instead which has
+'packet_type' attribute (identified via
+'seinfo -xt | grep packet_type').
+---
+ extensions/libxt_SECMARK.t | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_SECMARK.t b/extensions/libxt_SECMARK.t
+index 39d4c09348bf4..295e7a7244902 100644
+--- a/extensions/libxt_SECMARK.t
+++ b/extensions/libxt_SECMARK.t
+@@ -1,4 +1,4 @@
+ :INPUT,FORWARD,OUTPUT
+ *security
+--j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0;=;OK
+-j SECMARK --selctx system_u:object_r:ssh_server_packet_t:s0;=;OK
+ -j SECMARK;;FAIL
+-- 
+2.34.1
+
--- a/SOURCES/0003-xshared-Fix-build-for-Werror-format-security.patch
+++ b/SOURCES/0003-xshared-Fix-build-for-Werror-format-security.patch
@ -0,0 +1,29 @@
				@@ -0,0 +1,29 @@
+From 4350a1e4daabc4ec1f9b692425d9bd0d48d27488 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 13 May 2022 16:51:58 +0200
+Subject: [PATCH] xshared: Fix build for -Werror=format-security
+
+Gcc complains about the omitted format string.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit b72eb12ea5a61df0655ad99d5048994e916be83a)
+---
+ iptables/xshared.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index fae5ddd5df93e..a8512d3808154 100644
+--- a/iptables/xshared.c
+++ b/iptables/xshared.c
+@@ -1307,7 +1307,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
+ 		return;
+ 
+ 	if (args->family != NFPROTO_ARP)
+-		xtables_error(PARAMETER_PROBLEM, msg);
+		xtables_error(PARAMETER_PROBLEM, "%s", msg);
+ 
+ 	fprintf(stderr, "%s", msg);
+ }
+-- 
+2.34.1
+
--- a/SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
+++ b/SOURCES/0004-tests-shell-Check-overhead-in-iptables-save-and-rest.patch
@ -0,0 +1,61 @@
				@@ -0,0 +1,61 @@
+From e7a2e0f70ed69c7b1ed1b4e6474ccf0924f81b23 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Jun 2022 13:44:45 +0200
+Subject: [PATCH] tests: shell: Check overhead in iptables-save and -restore
+
+Some repeated calls have been reduced recently, assert this in a test
+evaluating strace output.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 0416ae5dea134b33e22c97e68b64010d679debe1)
+---
+ .../shell/testcases/ipt-save/0007-overhead_0  | 37 +++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+
+diff --git a/iptables/tests/shell/testcases/ipt-save/0007-overhead_0 b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+new file mode 100755
+index 0000000000000..b86d71f209471
+--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0007-overhead_0
+@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Test recent performance improvements in iptables-save due to reduced
+# overhead.
+
+strace --version >/dev/null || { echo "skip for missing strace"; exit 0; }
+
+RULESET=$(
+	echo "*filter"
+	for ((i = 0; i < 100; i++)); do
+		echo ":mychain$i -"
+		echo "-A FORWARD -p tcp --dport 22 -j mychain$i"
+	done
+	echo "COMMIT"
+)
+
+RESTORE_STRACE=$(strace $XT_MULTI iptables-restore <<< "$RULESET" 2>&1 >/dev/null)
+SAVE_STRACE=$(strace $XT_MULTI iptables-save 2>&1 >/dev/null)
+
+do_grep() { # (name, threshold, pattern)
+	local cnt=$(grep -c "$3")
+	[[ $cnt -le $2 ]] && return 0
+	echo "ERROR: Too many $3 lookups for $1: $cnt > $2"
+	exit 1
+}
+
+# iptables prefers hard-coded protocol names instead of looking them up first
+
+do_grep "$XT_MULTI iptables-restore" 0 /etc/protocols <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 0 /etc/protocols <<< "$SAVE_STRACE"
+
+# iptables-nft-save pointlessly checked whether chain jumps are targets
+
+do_grep "$XT_MULTI iptables-restore" 10 libxt_ <<< "$RESTORE_STRACE"
+do_grep "$XT_MULTI iptables-save" 10 libxt_ <<< "$SAVE_STRACE"
+
+exit 0
+-- 
+2.34.1
+
--- a/SOURCES/0005-arptables-Support-x-exact-flag.patch
+++ b/SOURCES/0005-arptables-Support-x-exact-flag.patch
@ -0,0 +1,33 @@
				@@ -0,0 +1,33 @@
+From 5d197a9a4c0f456243894aea4b5fd059ecf6c402 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 7 Jun 2022 18:07:00 +0200
+Subject: [PATCH] arptables: Support -x/--exact flag
+
+Legacy arptables accepts but ignores the flag. Yet there are remains of
+the functionality in sources, like OPT_EXPANDED define and a print_num()
+function which acts on FMT_KILOMEGAGIGA flag being set or not. So
+instead of mimicking legacy behaviour by explicitly ignoring -x flag for
+arptables, just enable the feature for it.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 24c5b593156de29a49146bcc3497ebb7d8d40ef0)
+---
+ iptables/xshared.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index 14568bb00fb65..a50c8b7298072 100644
+--- a/iptables/xshared.h
+++ b/iptables/xshared.h
+@@ -69,7 +69,7 @@ struct xtables_target;
+ 
+ #define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
+ #define IPT_OPTSTRING	OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
+-#define ARPT_OPTSTRING	OPTSTRING_COMMON "R:S::" "h::l:nv" /* "m:" */
+#define ARPT_OPTSTRING	OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
+ #define EBT_OPTSTRING	OPTSTRING_COMMON "hv"
+ 
+ /* define invflags which won't collide with IPT ones */
+-- 
+2.34.1
+
--- a/SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
+++ b/SOURCES/0006-libxtables-Fix-unsupported-extension-warning-corner-.patch
@ -0,0 +1,91 @@
				@@ -0,0 +1,91 @@
+From 18fda96510a8e518e22523843050b824fa97cf2c Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 30 Jun 2022 18:04:39 +0200
+Subject: [PATCH] libxtables: Fix unsupported extension warning corner case
+
+Some extensions are not supported in revision 0 by user space anymore,
+for those the warning in xtables_compatible_revision() does not print as
+no revision 0 is tried.
+
+To fix this, one has to track if none of the user space supported
+revisions were accepted by the kernel. Therefore add respective logic to
+xtables_find_{target,match}().
+
+Note that this does not lead to duplicated warnings for unsupported
+extensions that have a revision 0 because xtables_compatible_revision()
+returns true for them to allow for extension's help output.
+
+For the record, these ip6tables extensions are affected: set/SET,
+socket, tos/TOS, TPROXY and SNAT. In addition to that, TEE is affected
+for both families.
+
+Fixes: 17534cb18ed0a ("Improve error messages for unsupported extensions")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 552c4a2f9e5706fef5f7abb27d1492a78bbb2a37)
+---
+ libxtables/xtables.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/libxtables/xtables.c b/libxtables/xtables.c
+index 96fd783a066cf..7abc63bcfd83e 100644
+--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
+@@ -773,6 +773,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ 	struct xtables_match *ptr;
+ 	const char *icmp6 = "icmp6";
+ 	bool found = false;
+	bool seen = false;
+ 
+ 	if (strlen(name) >= XT_EXTENSION_MAXNAMELEN)
+ 		xtables_error(PARAMETER_PROBLEM,
+@@ -791,6 +792,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ 		if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ 			ptr = *dptr;
+ 			*dptr = (*dptr)->next;
+			seen = true;
+ 			if (!found &&
+ 			    xtables_fully_register_pending_match(ptr, prev)) {
+ 				found = true;
+@@ -804,6 +806,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
+ 		dptr = &((*dptr)->next);
+ 	}
+ 
+	if (seen && !found)
+		fprintf(stderr,
+			"Warning: Extension %s is not supported, missing kernel module?\n",
+			name);
+
+ 	for (ptr = xtables_matches; ptr; ptr = ptr->next) {
+ 		if (extension_cmp(name, ptr->name, ptr->family)) {
+ 			struct xtables_match *clone;
+@@ -896,6 +903,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ 	struct xtables_target **dptr;
+ 	struct xtables_target *ptr;
+ 	bool found = false;
+	bool seen = false;
+ 
+ 	/* Standard target? */
+ 	if (strcmp(name, "") == 0
+@@ -914,6 +922,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ 		if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
+ 			ptr = *dptr;
+ 			*dptr = (*dptr)->next;
+			seen = true;
+ 			if (!found &&
+ 			    xtables_fully_register_pending_target(ptr, prev)) {
+ 				found = true;
+@@ -927,6 +936,11 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
+ 		dptr = &((*dptr)->next);
+ 	}
+ 
+	if (seen && !found)
+		fprintf(stderr,
+			"Warning: Extension %s is not supported, missing kernel module?\n",
+			name);
+
+ 	for (ptr = xtables_targets; ptr; ptr = ptr->next) {
+ 		if (extension_cmp(name, ptr->name, ptr->family)) {
+ 			struct xtables_target *clone;
+-- 
+2.34.1
+
--- a/SOURCES/0007-nft-fix-ebtables-among-match-when-mac-ip-addresses-a.patch
+++ b/SOURCES/0007-nft-fix-ebtables-among-match-when-mac-ip-addresses-a.patch
@ -0,0 +1,36 @@
				@@ -0,0 +1,36 @@
+From f24d2449693558d3fbf2a8313a7eb65ecf25f6af Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 2 Aug 2022 14:52:30 +0200
+Subject: [PATCH] nft: fix ebtables among match when mac+ip addresses are used
+
+When matching mac and ip addresses, the ip address needs to be placed
+into then 2nd 32bit register, the switch to dynamic register allocation
+instead re-uses reg1, this partially clobbers the mac address, so
+set lookup comes up empty even though it should find a match.
+
+Fixes: 7e38890c6b4fb ("nft: prepare for dynamic register allocation")
+Reported-by: Yi Chen <yiche@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 2ba74d421cd622757df7a93720afc3b5b4b3b4e0)
+---
+ iptables/nft.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index ec79f2bc5e98b..ee003511ab7f3 100644
+--- a/iptables/nft.c
+++ b/iptables/nft.c
+@@ -1208,8 +1208,8 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
+ 	nftnl_rule_add_expr(r, e);
+ 
+ 	if (ip) {
+-		e = gen_payload(h, NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
+-				sizeof(struct in_addr), &reg);
+		e = __gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
+				sizeof(struct in_addr), NFT_REG32_02);
+ 		if (!e)
+ 			return -ENOMEM;
+ 		nftnl_rule_add_expr(r, e);
+-- 
+2.38.0
+
--- a/SOURCES/0008-nft-un-break-among-match-with-concatenation.patch
+++ b/SOURCES/0008-nft-un-break-among-match-with-concatenation.patch
@ -0,0 +1,958 @@
				@@ -0,0 +1,958 @@
+From 22e12e53b1378f0e3da23ea298dda59985d5b99b Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 22 Sep 2022 13:33:50 +0200
+Subject: [PATCH] nft: un-break among match with concatenation
+
+The kernel commit 88cccd908d51 ("netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags")
+breaks ebtables-nft 'among' emulation, it sets NFTA_SET_ELEM_KEY_END but
+doesn't set the CONCAT flag.
+
+Update uapi header and also set CONCAT.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 32efb4ffc33ae874b3f26f3380e2184ad6ceb26f)
+---
+ include/linux/netfilter/nf_tables.h | 483 +++++++++++++++++++++++++++-
+ iptables/nft.c                      |   2 +-
+ 2 files changed, 476 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 66dceee0ae307..e94d1fa554cb2 100644
+--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
+@@ -8,6 +8,7 @@
+ #define NFT_SET_MAXNAMELEN	NFT_NAME_MAXLEN
+ #define NFT_OBJ_MAXNAMELEN	NFT_NAME_MAXLEN
+ #define NFT_USERDATA_MAXLEN	256
+#define NFT_OSF_MAXGENRELEN	16
+ 
+ /**
+  * enum nft_registers - nf_tables registers
+@@ -47,6 +48,7 @@ enum nft_registers {
+ 
+ #define NFT_REG_SIZE	16
+ #define NFT_REG32_SIZE	4
+#define NFT_REG32_COUNT	(NFT_REG32_15 - NFT_REG32_00 + 1)
+ 
+ /**
+  * enum nft_verdicts - nf_tables internal verdicts
+@@ -131,7 +133,7 @@ enum nf_tables_msg_types {
+  * @NFTA_LIST_ELEM: list element (NLA_NESTED)
+  */
+ enum nft_list_attributes {
+-	NFTA_LIST_UNPEC,
+	NFTA_LIST_UNSPEC,
+ 	NFTA_LIST_ELEM,
+ 	__NFTA_LIST_MAX
+ };
+@@ -143,12 +145,14 @@ enum nft_list_attributes {
+  * @NFTA_HOOK_HOOKNUM: netfilter hook number (NLA_U32)
+  * @NFTA_HOOK_PRIORITY: netfilter hook priority (NLA_U32)
+  * @NFTA_HOOK_DEV: netdevice name (NLA_STRING)
+ * @NFTA_HOOK_DEVS: list of netdevices (NLA_NESTED)
+  */
+ enum nft_hook_attributes {
+ 	NFTA_HOOK_UNSPEC,
+ 	NFTA_HOOK_HOOKNUM,
+ 	NFTA_HOOK_PRIORITY,
+ 	NFTA_HOOK_DEV,
+	NFTA_HOOK_DEVS,
+ 	__NFTA_HOOK_MAX
+ };
+ #define NFTA_HOOK_MAX		(__NFTA_HOOK_MAX - 1)
+@@ -160,7 +164,10 @@ enum nft_hook_attributes {
+  */
+ enum nft_table_flags {
+ 	NFT_TABLE_F_DORMANT	= 0x1,
+	NFT_TABLE_F_OWNER	= 0x2,
+ };
+#define NFT_TABLE_F_MASK	(NFT_TABLE_F_DORMANT | \
+				 NFT_TABLE_F_OWNER)
+ 
+ /**
+  * enum nft_table_attributes - nf_tables table netlink attributes
+@@ -168,6 +175,8 @@ enum nft_table_flags {
+  * @NFTA_TABLE_NAME: name of the table (NLA_STRING)
+  * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
+  * @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
+ * @NFTA_TABLE_USERDATA: user data (NLA_BINARY)
+ * @NFTA_TABLE_OWNER: owner of this table through netlink portID (NLA_U32)
+  */
+ enum nft_table_attributes {
+ 	NFTA_TABLE_UNSPEC,
+@@ -176,10 +185,21 @@ enum nft_table_attributes {
+ 	NFTA_TABLE_USE,
+ 	NFTA_TABLE_HANDLE,
+ 	NFTA_TABLE_PAD,
+	NFTA_TABLE_USERDATA,
+	NFTA_TABLE_OWNER,
+ 	__NFTA_TABLE_MAX
+ };
+ #define NFTA_TABLE_MAX		(__NFTA_TABLE_MAX - 1)
+ 
+enum nft_chain_flags {
+	NFT_CHAIN_BASE		= (1 << 0),
+	NFT_CHAIN_HW_OFFLOAD	= (1 << 1),
+	NFT_CHAIN_BINDING	= (1 << 2),
+};
+#define NFT_CHAIN_FLAGS		(NFT_CHAIN_BASE		| \
+				 NFT_CHAIN_HW_OFFLOAD	| \
+				 NFT_CHAIN_BINDING)
+
+ /**
+  * enum nft_chain_attributes - nf_tables chain netlink attributes
+  *
+@@ -191,6 +211,9 @@ enum nft_table_attributes {
+  * @NFTA_CHAIN_USE: number of references to this chain (NLA_U32)
+  * @NFTA_CHAIN_TYPE: type name of the string (NLA_NUL_STRING)
+  * @NFTA_CHAIN_COUNTERS: counter specification of the chain (NLA_NESTED: nft_counter_attributes)
+ * @NFTA_CHAIN_FLAGS: chain flags
+ * @NFTA_CHAIN_ID: uniquely identifies a chain in a transaction (NLA_U32)
+ * @NFTA_CHAIN_USERDATA: user data (NLA_BINARY)
+  */
+ enum nft_chain_attributes {
+ 	NFTA_CHAIN_UNSPEC,
+@@ -203,6 +226,9 @@ enum nft_chain_attributes {
+ 	NFTA_CHAIN_TYPE,
+ 	NFTA_CHAIN_COUNTERS,
+ 	NFTA_CHAIN_PAD,
+	NFTA_CHAIN_FLAGS,
+	NFTA_CHAIN_ID,
+	NFTA_CHAIN_USERDATA,
+ 	__NFTA_CHAIN_MAX
+ };
+ #define NFTA_CHAIN_MAX		(__NFTA_CHAIN_MAX - 1)
+@@ -218,6 +244,7 @@ enum nft_chain_attributes {
+  * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
+  * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
+  * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
+ * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
+  */
+ enum nft_rule_attributes {
+ 	NFTA_RULE_UNSPEC,
+@@ -230,6 +257,8 @@ enum nft_rule_attributes {
+ 	NFTA_RULE_USERDATA,
+ 	NFTA_RULE_PAD,
+ 	NFTA_RULE_ID,
+	NFTA_RULE_POSITION_ID,
+	NFTA_RULE_CHAIN_ID,
+ 	__NFTA_RULE_MAX
+ };
+ #define NFTA_RULE_MAX		(__NFTA_RULE_MAX - 1)
+@@ -266,8 +295,10 @@ enum nft_rule_compat_attributes {
+  * @NFT_SET_INTERVAL: set contains intervals
+  * @NFT_SET_MAP: set is used as a dictionary
+  * @NFT_SET_TIMEOUT: set uses timeouts
+- * @NFT_SET_EVAL: set contains expressions for evaluation
+ * @NFT_SET_EVAL: set can be updated from the evaluation path
+  * @NFT_SET_OBJECT: set contains stateful objects
+ * @NFT_SET_CONCAT: set contains a concatenation
+ * @NFT_SET_EXPR: set contains expressions
+  */
+ enum nft_set_flags {
+ 	NFT_SET_ANONYMOUS		= 0x1,
+@@ -277,6 +308,8 @@ enum nft_set_flags {
+ 	NFT_SET_TIMEOUT			= 0x10,
+ 	NFT_SET_EVAL			= 0x20,
+ 	NFT_SET_OBJECT			= 0x40,
+	NFT_SET_CONCAT			= 0x80,
+	NFT_SET_EXPR			= 0x100,
+ };
+ 
+ /**
+@@ -294,14 +327,28 @@ enum nft_set_policies {
+  * enum nft_set_desc_attributes - set element description
+  *
+  * @NFTA_SET_DESC_SIZE: number of elements in set (NLA_U32)
+ * @NFTA_SET_DESC_CONCAT: description of field concatenation (NLA_NESTED)
+  */
+ enum nft_set_desc_attributes {
+ 	NFTA_SET_DESC_UNSPEC,
+ 	NFTA_SET_DESC_SIZE,
+	NFTA_SET_DESC_CONCAT,
+ 	__NFTA_SET_DESC_MAX
+ };
+ #define NFTA_SET_DESC_MAX	(__NFTA_SET_DESC_MAX - 1)
+ 
+/**
+ * enum nft_set_field_attributes - attributes of concatenated fields
+ *
+ * @NFTA_SET_FIELD_LEN: length of single field, in bits (NLA_U32)
+ */
+enum nft_set_field_attributes {
+	NFTA_SET_FIELD_UNSPEC,
+	NFTA_SET_FIELD_LEN,
+	__NFTA_SET_FIELD_MAX
+};
+#define NFTA_SET_FIELD_MAX	(__NFTA_SET_FIELD_MAX - 1)
+
+ /**
+  * enum nft_set_attributes - nf_tables set netlink attributes
+  *
+@@ -320,6 +367,8 @@ enum nft_set_desc_attributes {
+  * @NFTA_SET_USERDATA: user data (NLA_BINARY)
+  * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
+  * @NFTA_SET_HANDLE: set handle (NLA_U64)
+ * @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
+ * @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
+  */
+ enum nft_set_attributes {
+ 	NFTA_SET_UNSPEC,
+@@ -339,6 +388,8 @@ enum nft_set_attributes {
+ 	NFTA_SET_PAD,
+ 	NFTA_SET_OBJ_TYPE,
+ 	NFTA_SET_HANDLE,
+	NFTA_SET_EXPR,
+	NFTA_SET_EXPRESSIONS,
+ 	__NFTA_SET_MAX
+ };
+ #define NFTA_SET_MAX		(__NFTA_SET_MAX - 1)
+@@ -347,9 +398,11 @@ enum nft_set_attributes {
+  * enum nft_set_elem_flags - nf_tables set element flags
+  *
+  * @NFT_SET_ELEM_INTERVAL_END: element ends the previous interval
+ * @NFT_SET_ELEM_CATCHALL: special catch-all element
+  */
+ enum nft_set_elem_flags {
+ 	NFT_SET_ELEM_INTERVAL_END	= 0x1,
+	NFT_SET_ELEM_CATCHALL		= 0x2,
+ };
+ 
+ /**
+@@ -363,6 +416,8 @@ enum nft_set_elem_flags {
+  * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
+  * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
+  * @NFTA_SET_ELEM_OBJREF: stateful object reference (NLA_STRING)
+ * @NFTA_SET_ELEM_KEY_END: closing key value (NLA_NESTED: nft_data)
+ * @NFTA_SET_ELEM_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
+  */
+ enum nft_set_elem_attributes {
+ 	NFTA_SET_ELEM_UNSPEC,
+@@ -375,6 +430,8 @@ enum nft_set_elem_attributes {
+ 	NFTA_SET_ELEM_EXPR,
+ 	NFTA_SET_ELEM_PAD,
+ 	NFTA_SET_ELEM_OBJREF,
+	NFTA_SET_ELEM_KEY_END,
+	NFTA_SET_ELEM_EXPRESSIONS,
+ 	__NFTA_SET_ELEM_MAX
+ };
+ #define NFTA_SET_ELEM_MAX	(__NFTA_SET_ELEM_MAX - 1)
+@@ -440,11 +497,13 @@ enum nft_data_attributes {
+  *
+  * @NFTA_VERDICT_CODE: nf_tables verdict (NLA_U32: enum nft_verdicts)
+  * @NFTA_VERDICT_CHAIN: jump target chain name (NLA_STRING)
+ * @NFTA_VERDICT_CHAIN_ID: jump target chain ID (NLA_U32)
+  */
+ enum nft_verdict_attributes {
+ 	NFTA_VERDICT_UNSPEC,
+ 	NFTA_VERDICT_CODE,
+ 	NFTA_VERDICT_CHAIN,
+	NFTA_VERDICT_CHAIN_ID,
+ 	__NFTA_VERDICT_MAX
+ };
+ #define NFTA_VERDICT_MAX	(__NFTA_VERDICT_MAX - 1)
+@@ -477,6 +536,20 @@ enum nft_immediate_attributes {
+ };
+ #define NFTA_IMMEDIATE_MAX	(__NFTA_IMMEDIATE_MAX - 1)
+ 
+/**
+ * enum nft_bitwise_ops - nf_tables bitwise operations
+ *
+ * @NFT_BITWISE_BOOL: mask-and-xor operation used to implement NOT, AND, OR and
+ *                    XOR boolean operations
+ * @NFT_BITWISE_LSHIFT: left-shift operation
+ * @NFT_BITWISE_RSHIFT: right-shift operation
+ */
+enum nft_bitwise_ops {
+	NFT_BITWISE_BOOL,
+	NFT_BITWISE_LSHIFT,
+	NFT_BITWISE_RSHIFT,
+};
+
+ /**
+  * enum nft_bitwise_attributes - nf_tables bitwise expression netlink attributes
+  *
+@@ -485,16 +558,20 @@ enum nft_immediate_attributes {
+  * @NFTA_BITWISE_LEN: length of operands (NLA_U32)
+  * @NFTA_BITWISE_MASK: mask value (NLA_NESTED: nft_data_attributes)
+  * @NFTA_BITWISE_XOR: xor value (NLA_NESTED: nft_data_attributes)
+ * @NFTA_BITWISE_OP: type of operation (NLA_U32: nft_bitwise_ops)
+ * @NFTA_BITWISE_DATA: argument for non-boolean operations
+ *                     (NLA_NESTED: nft_data_attributes)
+  *
+- * The bitwise expression performs the following operation:
+ * The bitwise expression supports boolean and shift operations.  It implements
+ * the boolean operations by performing the following operation:
+  *
+  * dreg = (sreg & mask) ^ xor
+  *
+- * which allow to express all bitwise operations:
+ * with these mask and xor values:
+  *
+  * 		mask	xor
+  * NOT:		1	1
+- * OR:		0	x
+ * OR:		~x	x
+  * XOR:		1	x
+  * AND:		x	0
+  */
+@@ -505,6 +582,8 @@ enum nft_bitwise_attributes {
+ 	NFTA_BITWISE_LEN,
+ 	NFTA_BITWISE_MASK,
+ 	NFTA_BITWISE_XOR,
+	NFTA_BITWISE_OP,
+	NFTA_BITWISE_DATA,
+ 	__NFTA_BITWISE_MAX
+ };
+ #define NFTA_BITWISE_MAX	(__NFTA_BITWISE_MAX - 1)
+@@ -631,10 +710,12 @@ enum nft_lookup_attributes {
+ enum nft_dynset_ops {
+ 	NFT_DYNSET_OP_ADD,
+ 	NFT_DYNSET_OP_UPDATE,
+	NFT_DYNSET_OP_DELETE,
+ };
+ 
+ enum nft_dynset_flags {
+ 	NFT_DYNSET_F_INV	= (1 << 0),
+	NFT_DYNSET_F_EXPR	= (1 << 1),
+ };
+ 
+ /**
+@@ -648,6 +729,7 @@ enum nft_dynset_flags {
+  * @NFTA_DYNSET_TIMEOUT: timeout value for the new element (NLA_U64)
+  * @NFTA_DYNSET_EXPR: expression (NLA_NESTED: nft_expr_attributes)
+  * @NFTA_DYNSET_FLAGS: flags (NLA_U32)
+ * @NFTA_DYNSET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
+  */
+ enum nft_dynset_attributes {
+ 	NFTA_DYNSET_UNSPEC,
+@@ -660,6 +742,7 @@ enum nft_dynset_attributes {
+ 	NFTA_DYNSET_EXPR,
+ 	NFTA_DYNSET_PAD,
+ 	NFTA_DYNSET_FLAGS,
+	NFTA_DYNSET_EXPRESSIONS,
+ 	__NFTA_DYNSET_MAX,
+ };
+ #define NFTA_DYNSET_MAX		(__NFTA_DYNSET_MAX - 1)
+@@ -682,10 +765,12 @@ enum nft_payload_bases {
+  *
+  * @NFT_PAYLOAD_CSUM_NONE: no checksumming
+  * @NFT_PAYLOAD_CSUM_INET: internet checksum (RFC 791)
+ * @NFT_PAYLOAD_CSUM_SCTP: CRC-32c, for use in SCTP header (RFC 3309)
+  */
+ enum nft_payload_csum_types {
+ 	NFT_PAYLOAD_CSUM_NONE,
+ 	NFT_PAYLOAD_CSUM_INET,
+	NFT_PAYLOAD_CSUM_SCTP,
+ };
+ 
+ enum nft_payload_csum_flags {
+@@ -727,10 +812,14 @@ enum nft_exthdr_flags {
+  *
+  * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
+  * @NFT_EXTHDR_OP_TCP: match against tcp options
+ * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
+ * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
+  */
+ enum nft_exthdr_op {
+ 	NFT_EXTHDR_OP_IPV6,
+ 	NFT_EXTHDR_OP_TCPOPT,
+	NFT_EXTHDR_OP_IPV4,
+	NFT_EXTHDR_OP_SCTP,
+ 	__NFT_EXTHDR_OP_MAX
+ };
+ #define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)
+@@ -788,6 +877,15 @@ enum nft_exthdr_attributes {
+  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
+  * @NFT_META_PRANDOM: a 32bit pseudo-random number
+  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
+ * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_BRI_IIFPVID: packet input bridge port pvid
+ * @NFT_META_BRI_IIFVPROTO: packet input bridge vlan proto
+ * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
+ * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
+ * @NFT_META_TIME_HOUR: hour of day (in seconds)
+ * @NFT_META_SDIF: slave device interface index
+ * @NFT_META_SDIFNAME: slave device interface name
+  */
+ enum nft_meta_keys {
+ 	NFT_META_LEN,
+@@ -816,6 +914,15 @@ enum nft_meta_keys {
+ 	NFT_META_CGROUP,
+ 	NFT_META_PRANDOM,
+ 	NFT_META_SECPATH,
+	NFT_META_IIFKIND,
+	NFT_META_OIFKIND,
+	NFT_META_BRI_IIFPVID,
+	NFT_META_BRI_IIFVPROTO,
+	NFT_META_TIME_NS,
+	NFT_META_TIME_DAY,
+	NFT_META_TIME_HOUR,
+	NFT_META_SDIF,
+	NFT_META_SDIFNAME,
+ };
+ 
+ /**
+@@ -825,13 +932,17 @@ enum nft_meta_keys {
+  * @NFT_RT_NEXTHOP4: routing nexthop for IPv4
+  * @NFT_RT_NEXTHOP6: routing nexthop for IPv6
+  * @NFT_RT_TCPMSS: fetch current path tcp mss
+ * @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
+  */
+ enum nft_rt_keys {
+ 	NFT_RT_CLASSID,
+ 	NFT_RT_NEXTHOP4,
+ 	NFT_RT_NEXTHOP6,
+ 	NFT_RT_TCPMSS,
+	NFT_RT_XFRM,
+	__NFT_RT_MAX
+ };
+#define NFT_RT_MAX		(__NFT_RT_MAX - 1)
+ 
+ /**
+  * enum nft_hash_types - nf_tables hash expression types
+@@ -854,6 +965,8 @@ enum nft_hash_types {
+  * @NFTA_HASH_SEED: seed value (NLA_U32)
+  * @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32)
+  * @NFTA_HASH_TYPE: hash operation (NLA_U32: nft_hash_types)
+ * @NFTA_HASH_SET_NAME: name of the map to lookup (NLA_STRING)
+ * @NFTA_HASH_SET_ID: id of the map (NLA_U32)
+  */
+ enum nft_hash_attributes {
+ 	NFTA_HASH_UNSPEC,
+@@ -864,6 +977,8 @@ enum nft_hash_attributes {
+ 	NFTA_HASH_SEED,
+ 	NFTA_HASH_OFFSET,
+ 	NFTA_HASH_TYPE,
+	NFTA_HASH_SET_NAME,	/* deprecated */
+	NFTA_HASH_SET_ID,	/* deprecated */
+ 	__NFTA_HASH_MAX,
+ };
+ #define NFTA_HASH_MAX	(__NFTA_HASH_MAX - 1)
+@@ -898,6 +1013,39 @@ enum nft_rt_attributes {
+ };
+ #define NFTA_RT_MAX		(__NFTA_RT_MAX - 1)
+ 
+/**
+ * enum nft_socket_attributes - nf_tables socket expression netlink attributes
+ *
+ * @NFTA_SOCKET_KEY: socket key to match
+ * @NFTA_SOCKET_DREG: destination register
+ * @NFTA_SOCKET_LEVEL: cgroups2 ancestor level (only for cgroupsv2)
+ */
+enum nft_socket_attributes {
+	NFTA_SOCKET_UNSPEC,
+	NFTA_SOCKET_KEY,
+	NFTA_SOCKET_DREG,
+	NFTA_SOCKET_LEVEL,
+	__NFTA_SOCKET_MAX
+};
+#define NFTA_SOCKET_MAX		(__NFTA_SOCKET_MAX - 1)
+
+/*
+ * enum nft_socket_keys - nf_tables socket expression keys
+ *
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
+ * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
+ * @NFT_SOCKET_CGROUPV2: Match on cgroups version 2
+ */
+enum nft_socket_keys {
+	NFT_SOCKET_TRANSPARENT,
+	NFT_SOCKET_MARK,
+	NFT_SOCKET_WILDCARD,
+	NFT_SOCKET_CGROUPV2,
+	__NFT_SOCKET_MAX
+};
+#define NFT_SOCKET_MAX	(__NFT_SOCKET_MAX - 1)
+
+ /**
+  * enum nft_ct_keys - nf_tables ct expression keys
+  *
+@@ -909,8 +1057,8 @@ enum nft_rt_attributes {
+  * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
+  * @NFT_CT_HELPER: connection tracking helper assigned to conntrack
+  * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
+- * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
+- * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
+ * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated)
+ * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated)
+  * @NFT_CT_PROTOCOL: conntrack layer 4 protocol
+  * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
+  * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
+@@ -920,6 +1068,11 @@ enum nft_rt_attributes {
+  * @NFT_CT_AVGPKT: conntrack average bytes per packet
+  * @NFT_CT_ZONE: conntrack zone
+  * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
+ * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address)
+ * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
+ * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
+ * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
+ * @NFT_CT_ID: conntrack id
+  */
+ enum nft_ct_keys {
+ 	NFT_CT_STATE,
+@@ -941,7 +1094,14 @@ enum nft_ct_keys {
+ 	NFT_CT_AVGPKT,
+ 	NFT_CT_ZONE,
+ 	NFT_CT_EVENTMASK,
+	NFT_CT_SRC_IP,
+	NFT_CT_DST_IP,
+	NFT_CT_SRC_IP6,
+	NFT_CT_DST_IP6,
+	NFT_CT_ID,
+	__NFT_CT_MAX
+ };
+#define NFT_CT_MAX		(__NFT_CT_MAX - 1)
+ 
+ /**
+  * enum nft_ct_attributes - nf_tables ct expression netlink attributes
+@@ -1002,6 +1162,24 @@ enum nft_limit_attributes {
+ };
+ #define NFTA_LIMIT_MAX		(__NFTA_LIMIT_MAX - 1)
+ 
+enum nft_connlimit_flags {
+	NFT_CONNLIMIT_F_INV	= (1 << 0),
+};
+
+/**
+ * enum nft_connlimit_attributes - nf_tables connlimit expression netlink attributes
+ *
+ * @NFTA_CONNLIMIT_COUNT: number of connections (NLA_U32)
+ * @NFTA_CONNLIMIT_FLAGS: flags (NLA_U32: enum nft_connlimit_flags)
+ */
+enum nft_connlimit_attributes {
+	NFTA_CONNLIMIT_UNSPEC,
+	NFTA_CONNLIMIT_COUNT,
+	NFTA_CONNLIMIT_FLAGS,
+	__NFTA_CONNLIMIT_MAX
+};
+#define NFTA_CONNLIMIT_MAX	(__NFTA_CONNLIMIT_MAX - 1)
+
+ /**
+  * enum nft_counter_attributes - nf_tables counter expression netlink attributes
+  *
+@@ -1017,6 +1195,21 @@ enum nft_counter_attributes {
+ };
+ #define NFTA_COUNTER_MAX	(__NFTA_COUNTER_MAX - 1)
+ 
+/**
+ * enum nft_last_attributes - nf_tables last expression netlink attributes
+ *
+ * @NFTA_LAST_SET: last update has been set, zero means never updated (NLA_U32)
+ * @NFTA_LAST_MSECS: milliseconds since last update (NLA_U64)
+ */
+enum nft_last_attributes {
+	NFTA_LAST_UNSPEC,
+	NFTA_LAST_SET,
+	NFTA_LAST_MSECS,
+	NFTA_LAST_PAD,
+	__NFTA_LAST_MAX
+};
+#define NFTA_LAST_MAX	(__NFTA_LAST_MAX - 1)
+
+ /**
+  * enum nft_log_attributes - nf_tables log expression netlink attributes
+  *
+@@ -1039,6 +1232,33 @@ enum nft_log_attributes {
+ };
+ #define NFTA_LOG_MAX		(__NFTA_LOG_MAX - 1)
+ 
+/**
+ * enum nft_log_level - nf_tables log levels
+ *
+ * @NFT_LOGLEVEL_EMERG: system is unusable
+ * @NFT_LOGLEVEL_ALERT: action must be taken immediately
+ * @NFT_LOGLEVEL_CRIT: critical conditions
+ * @NFT_LOGLEVEL_ERR: error conditions
+ * @NFT_LOGLEVEL_WARNING: warning conditions
+ * @NFT_LOGLEVEL_NOTICE: normal but significant condition
+ * @NFT_LOGLEVEL_INFO: informational
+ * @NFT_LOGLEVEL_DEBUG: debug-level messages
+ * @NFT_LOGLEVEL_AUDIT: enabling audit logging
+ */
+enum nft_log_level {
+	NFT_LOGLEVEL_EMERG,
+	NFT_LOGLEVEL_ALERT,
+	NFT_LOGLEVEL_CRIT,
+	NFT_LOGLEVEL_ERR,
+	NFT_LOGLEVEL_WARNING,
+	NFT_LOGLEVEL_NOTICE,
+	NFT_LOGLEVEL_INFO,
+	NFT_LOGLEVEL_DEBUG,
+	NFT_LOGLEVEL_AUDIT,
+	__NFT_LOGLEVEL_MAX
+};
+#define NFT_LOGLEVEL_MAX	(__NFT_LOGLEVEL_MAX - 1)
+
+ /**
+  * enum nft_queue_attributes - nf_tables queue expression netlink attributes
+  *
+@@ -1083,6 +1303,21 @@ enum nft_quota_attributes {
+ };
+ #define NFTA_QUOTA_MAX		(__NFTA_QUOTA_MAX - 1)
+ 
+/**
+ * enum nft_secmark_attributes - nf_tables secmark object netlink attributes
+ *
+ * @NFTA_SECMARK_CTX: security context (NLA_STRING)
+ */
+enum nft_secmark_attributes {
+	NFTA_SECMARK_UNSPEC,
+	NFTA_SECMARK_CTX,
+	__NFTA_SECMARK_MAX,
+};
+#define NFTA_SECMARK_MAX	(__NFTA_SECMARK_MAX - 1)
+
+/* Max security context length */
+#define NFT_SECMARK_CTX_MAXLEN		256
+
+ /**
+  * enum nft_reject_types - nf_tables reject expression reject types
+  *
+@@ -1164,6 +1399,22 @@ enum nft_nat_attributes {
+ };
+ #define NFTA_NAT_MAX		(__NFTA_NAT_MAX - 1)
+ 
+/**
+ * enum nft_tproxy_attributes - nf_tables tproxy expression netlink attributes
+ *
+ * NFTA_TPROXY_FAMILY: Target address family (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_ADDR: Target address register (NLA_U32: nft_registers)
+ * NFTA_TPROXY_REG_PORT: Target port register (NLA_U32: nft_registers)
+ */
+enum nft_tproxy_attributes {
+	NFTA_TPROXY_UNSPEC,
+	NFTA_TPROXY_FAMILY,
+	NFTA_TPROXY_REG_ADDR,
+	NFTA_TPROXY_REG_PORT,
+	__NFTA_TPROXY_MAX
+};
+#define NFTA_TPROXY_MAX		(__NFTA_TPROXY_MAX - 1)
+
+ /**
+  * enum nft_masq_attributes - nf_tables masquerade expression attributes
+  *
+@@ -1214,10 +1465,14 @@ enum nft_dup_attributes {
+  * enum nft_fwd_attributes - nf_tables fwd expression netlink attributes
+  *
+  * @NFTA_FWD_SREG_DEV: source register of output interface (NLA_U32: nft_register)
+ * @NFTA_FWD_SREG_ADDR: source register of destination address (NLA_U32: nft_register)
+ * @NFTA_FWD_NFPROTO: layer 3 family of source register address (NLA_U32: enum nfproto)
+  */
+ enum nft_fwd_attributes {
+ 	NFTA_FWD_UNSPEC,
+ 	NFTA_FWD_SREG_DEV,
+	NFTA_FWD_SREG_ADDR,
+	NFTA_FWD_NFPROTO,
+ 	__NFTA_FWD_MAX
+ };
+ #define NFTA_FWD_MAX	(__NFTA_FWD_MAX - 1)
+@@ -1302,12 +1557,38 @@ enum nft_ct_helper_attributes {
+ };
+ #define NFTA_CT_HELPER_MAX	(__NFTA_CT_HELPER_MAX - 1)
+ 
+enum nft_ct_timeout_timeout_attributes {
+	NFTA_CT_TIMEOUT_UNSPEC,
+	NFTA_CT_TIMEOUT_L3PROTO,
+	NFTA_CT_TIMEOUT_L4PROTO,
+	NFTA_CT_TIMEOUT_DATA,
+	__NFTA_CT_TIMEOUT_MAX,
+};
+#define NFTA_CT_TIMEOUT_MAX	(__NFTA_CT_TIMEOUT_MAX - 1)
+
+enum nft_ct_expectation_attributes {
+	NFTA_CT_EXPECT_UNSPEC,
+	NFTA_CT_EXPECT_L3PROTO,
+	NFTA_CT_EXPECT_L4PROTO,
+	NFTA_CT_EXPECT_DPORT,
+	NFTA_CT_EXPECT_TIMEOUT,
+	NFTA_CT_EXPECT_SIZE,
+	__NFTA_CT_EXPECT_MAX,
+};
+#define NFTA_CT_EXPECT_MAX	(__NFTA_CT_EXPECT_MAX - 1)
+
+ #define NFT_OBJECT_UNSPEC	0
+ #define NFT_OBJECT_COUNTER	1
+ #define NFT_OBJECT_QUOTA	2
+ #define NFT_OBJECT_CT_HELPER	3
+ #define NFT_OBJECT_LIMIT	4
+-#define __NFT_OBJECT_MAX	5
+#define NFT_OBJECT_CONNLIMIT	5
+#define NFT_OBJECT_TUNNEL	6
+#define NFT_OBJECT_CT_TIMEOUT	7
+#define NFT_OBJECT_SECMARK	8
+#define NFT_OBJECT_CT_EXPECT	9
+#define NFT_OBJECT_SYNPROXY	10
+#define __NFT_OBJECT_MAX	11
+ #define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)
+ 
+ /**
+@@ -1319,6 +1600,7 @@ enum nft_ct_helper_attributes {
+  * @NFTA_OBJ_DATA: stateful object data (NLA_NESTED)
+  * @NFTA_OBJ_USE: number of references to this expression (NLA_U32)
+  * @NFTA_OBJ_HANDLE: object handle (NLA_U64)
+ * @NFTA_OBJ_USERDATA: user data (NLA_BINARY)
+  */
+ enum nft_object_attributes {
+ 	NFTA_OBJ_UNSPEC,
+@@ -1329,10 +1611,24 @@ enum nft_object_attributes {
+ 	NFTA_OBJ_USE,
+ 	NFTA_OBJ_HANDLE,
+ 	NFTA_OBJ_PAD,
+	NFTA_OBJ_USERDATA,
+ 	__NFTA_OBJ_MAX
+ };
+ #define NFTA_OBJ_MAX		(__NFTA_OBJ_MAX - 1)
+ 
+/**
+ * enum nft_flowtable_flags - nf_tables flowtable flags
+ *
+ * @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled
+ * @NFT_FLOWTABLE_COUNTER: enable flow counters
+ */
+enum nft_flowtable_flags {
+	NFT_FLOWTABLE_HW_OFFLOAD	= 0x1,
+	NFT_FLOWTABLE_COUNTER		= 0x2,
+	NFT_FLOWTABLE_MASK		= (NFT_FLOWTABLE_HW_OFFLOAD |
+					   NFT_FLOWTABLE_COUNTER)
+};
+
+ /**
+  * enum nft_flowtable_attributes - nf_tables flow table netlink attributes
+  *
+@@ -1341,6 +1637,7 @@ enum nft_object_attributes {
+  * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
+  * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
+  * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
+  */
+ enum nft_flowtable_attributes {
+ 	NFTA_FLOWTABLE_UNSPEC,
+@@ -1350,6 +1647,7 @@ enum nft_flowtable_attributes {
+ 	NFTA_FLOWTABLE_USE,
+ 	NFTA_FLOWTABLE_HANDLE,
+ 	NFTA_FLOWTABLE_PAD,
+	NFTA_FLOWTABLE_FLAGS,
+ 	__NFTA_FLOWTABLE_MAX
+ };
+ #define NFTA_FLOWTABLE_MAX	(__NFTA_FLOWTABLE_MAX - 1)
+@@ -1370,6 +1668,42 @@ enum nft_flowtable_hook_attributes {
+ };
+ #define NFTA_FLOWTABLE_HOOK_MAX	(__NFTA_FLOWTABLE_HOOK_MAX - 1)
+ 
+/**
+ * enum nft_osf_attributes - nftables osf expression netlink attributes
+ *
+ * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers)
+ * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8)
+ * @NFTA_OSF_FLAGS: flags (NLA_U32)
+ */
+enum nft_osf_attributes {
+	NFTA_OSF_UNSPEC,
+	NFTA_OSF_DREG,
+	NFTA_OSF_TTL,
+	NFTA_OSF_FLAGS,
+	__NFTA_OSF_MAX,
+};
+#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
+
+enum nft_osf_flags {
+	NFT_OSF_F_VERSION = (1 << 0),
+};
+
+/**
+ * enum nft_synproxy_attributes - nf_tables synproxy expression netlink attributes
+ *
+ * @NFTA_SYNPROXY_MSS: mss value sent to the backend (NLA_U16)
+ * @NFTA_SYNPROXY_WSCALE: wscale value sent to the backend (NLA_U8)
+ * @NFTA_SYNPROXY_FLAGS: flags (NLA_U32)
+ */
+enum nft_synproxy_attributes {
+	NFTA_SYNPROXY_UNSPEC,
+	NFTA_SYNPROXY_MSS,
+	NFTA_SYNPROXY_WSCALE,
+	NFTA_SYNPROXY_FLAGS,
+	__NFTA_SYNPROXY_MAX,
+};
+#define NFTA_SYNPROXY_MAX (__NFTA_SYNPROXY_MAX - 1)
+
+ /**
+  * enum nft_device_attributes - nf_tables device netlink attributes
+  *
+@@ -1382,6 +1716,35 @@ enum nft_devices_attributes {
+ };
+ #define NFTA_DEVICE_MAX		(__NFTA_DEVICE_MAX - 1)
+ 
+/*
+ * enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes
+ *
+ * @NFTA_XFRM_DREG: destination register (NLA_U32)
+ * @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32)
+ * @NFTA_XFRM_DIR: direction (NLA_U8)
+ * @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32)
+ */
+enum nft_xfrm_attributes {
+	NFTA_XFRM_UNSPEC,
+	NFTA_XFRM_DREG,
+	NFTA_XFRM_KEY,
+	NFTA_XFRM_DIR,
+	NFTA_XFRM_SPNUM,
+	__NFTA_XFRM_MAX
+};
+#define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1)
+
+enum nft_xfrm_keys {
+	NFT_XFRM_KEY_UNSPEC,
+	NFT_XFRM_KEY_DADDR_IP4,
+	NFT_XFRM_KEY_DADDR_IP6,
+	NFT_XFRM_KEY_SADDR_IP4,
+	NFT_XFRM_KEY_SADDR_IP6,
+	NFT_XFRM_KEY_REQID,
+	NFT_XFRM_KEY_SPI,
+	__NFT_XFRM_KEY_MAX,
+};
+#define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1)
+ 
+ /**
+  * enum nft_trace_attributes - nf_tables trace netlink attributes
+@@ -1442,6 +1805,8 @@ enum nft_trace_types {
+  * @NFTA_NG_MODULUS: maximum counter value (NLA_U32)
+  * @NFTA_NG_TYPE: operation type (NLA_U32)
+  * @NFTA_NG_OFFSET: offset to be added to the counter (NLA_U32)
+ * @NFTA_NG_SET_NAME: name of the map to lookup (NLA_STRING)
+ * @NFTA_NG_SET_ID: id of the map (NLA_U32)
+  */
+ enum nft_ng_attributes {
+ 	NFTA_NG_UNSPEC,
+@@ -1449,6 +1814,8 @@ enum nft_ng_attributes {
+ 	NFTA_NG_MODULUS,
+ 	NFTA_NG_TYPE,
+ 	NFTA_NG_OFFSET,
+	NFTA_NG_SET_NAME,	/* deprecated */
+	NFTA_NG_SET_ID,		/* deprecated */
+ 	__NFTA_NG_MAX
+ };
+ #define NFTA_NG_MAX	(__NFTA_NG_MAX - 1)
+@@ -1460,4 +1827,104 @@ enum nft_ng_types {
+ };
+ #define NFT_NG_MAX	(__NFT_NG_MAX - 1)
+ 
+enum nft_tunnel_key_ip_attributes {
+	NFTA_TUNNEL_KEY_IP_UNSPEC,
+	NFTA_TUNNEL_KEY_IP_SRC,
+	NFTA_TUNNEL_KEY_IP_DST,
+	__NFTA_TUNNEL_KEY_IP_MAX
+};
+#define NFTA_TUNNEL_KEY_IP_MAX	(__NFTA_TUNNEL_KEY_IP_MAX - 1)
+
+enum nft_tunnel_ip6_attributes {
+	NFTA_TUNNEL_KEY_IP6_UNSPEC,
+	NFTA_TUNNEL_KEY_IP6_SRC,
+	NFTA_TUNNEL_KEY_IP6_DST,
+	NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
+	__NFTA_TUNNEL_KEY_IP6_MAX
+};
+#define NFTA_TUNNEL_KEY_IP6_MAX	(__NFTA_TUNNEL_KEY_IP6_MAX - 1)
+
+enum nft_tunnel_opts_attributes {
+	NFTA_TUNNEL_KEY_OPTS_UNSPEC,
+	NFTA_TUNNEL_KEY_OPTS_VXLAN,
+	NFTA_TUNNEL_KEY_OPTS_ERSPAN,
+	NFTA_TUNNEL_KEY_OPTS_GENEVE,
+	__NFTA_TUNNEL_KEY_OPTS_MAX
+};
+#define NFTA_TUNNEL_KEY_OPTS_MAX	(__NFTA_TUNNEL_KEY_OPTS_MAX - 1)
+
+enum nft_tunnel_opts_vxlan_attributes {
+	NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
+	NFTA_TUNNEL_KEY_VXLAN_GBP,
+	__NFTA_TUNNEL_KEY_VXLAN_MAX
+};
+#define NFTA_TUNNEL_KEY_VXLAN_MAX	(__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)
+
+enum nft_tunnel_opts_erspan_attributes {
+	NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
+	NFTA_TUNNEL_KEY_ERSPAN_VERSION,
+	NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
+	NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
+	NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
+	__NFTA_TUNNEL_KEY_ERSPAN_MAX
+};
+#define NFTA_TUNNEL_KEY_ERSPAN_MAX	(__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)
+
+enum nft_tunnel_opts_geneve_attributes {
+	NFTA_TUNNEL_KEY_GENEVE_UNSPEC,
+	NFTA_TUNNEL_KEY_GENEVE_CLASS,
+	NFTA_TUNNEL_KEY_GENEVE_TYPE,
+	NFTA_TUNNEL_KEY_GENEVE_DATA,
+	__NFTA_TUNNEL_KEY_GENEVE_MAX
+};
+#define NFTA_TUNNEL_KEY_GENEVE_MAX	(__NFTA_TUNNEL_KEY_GENEVE_MAX - 1)
+
+enum nft_tunnel_flags {
+	NFT_TUNNEL_F_ZERO_CSUM_TX	= (1 << 0),
+	NFT_TUNNEL_F_DONT_FRAGMENT	= (1 << 1),
+	NFT_TUNNEL_F_SEQ_NUMBER		= (1 << 2),
+};
+#define NFT_TUNNEL_F_MASK	(NFT_TUNNEL_F_ZERO_CSUM_TX | \
+				 NFT_TUNNEL_F_DONT_FRAGMENT | \
+				 NFT_TUNNEL_F_SEQ_NUMBER)
+
+enum nft_tunnel_key_attributes {
+	NFTA_TUNNEL_KEY_UNSPEC,
+	NFTA_TUNNEL_KEY_ID,
+	NFTA_TUNNEL_KEY_IP,
+	NFTA_TUNNEL_KEY_IP6,
+	NFTA_TUNNEL_KEY_FLAGS,
+	NFTA_TUNNEL_KEY_TOS,
+	NFTA_TUNNEL_KEY_TTL,
+	NFTA_TUNNEL_KEY_SPORT,
+	NFTA_TUNNEL_KEY_DPORT,
+	NFTA_TUNNEL_KEY_OPTS,
+	__NFTA_TUNNEL_KEY_MAX
+};
+#define NFTA_TUNNEL_KEY_MAX	(__NFTA_TUNNEL_KEY_MAX - 1)
+
+enum nft_tunnel_keys {
+	NFT_TUNNEL_PATH,
+	NFT_TUNNEL_ID,
+	__NFT_TUNNEL_MAX
+};
+#define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
+
+enum nft_tunnel_mode {
+	NFT_TUNNEL_MODE_NONE,
+	NFT_TUNNEL_MODE_RX,
+	NFT_TUNNEL_MODE_TX,
+	__NFT_TUNNEL_MODE_MAX
+};
+#define NFT_TUNNEL_MODE_MAX	(__NFT_TUNNEL_MODE_MAX - 1)
+
+enum nft_tunnel_attributes {
+	NFTA_TUNNEL_UNSPEC,
+	NFTA_TUNNEL_KEY,
+	NFTA_TUNNEL_DREG,
+	NFTA_TUNNEL_MODE,
+	__NFTA_TUNNEL_MAX
+};
+#define NFTA_TUNNEL_MAX	(__NFTA_TUNNEL_MAX - 1)
+
+ #endif /* _LINUX_NF_TABLES_H */
+diff --git a/iptables/nft.c b/iptables/nft.c
+index ee003511ab7f3..4807090cc4306 100644
+--- a/iptables/nft.c
+++ b/iptables/nft.c
+@@ -1167,7 +1167,7 @@ static int __add_nft_among(struct nft_handle *h, const char *table,
+ 		type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR;
+ 		len += sizeof(struct in_addr) + NETLINK_ALIGN - 1;
+ 		len &= ~(NETLINK_ALIGN - 1);
+-		flags = NFT_SET_INTERVAL;
+		flags = NFT_SET_INTERVAL | NFT_SET_CONCAT;
+ 	}
+ 
+ 	s = add_anon_set(h, table, flags, type, len, cnt);
+-- 
+2.38.0
+
--- a/SOURCES/arptables-nft-helper
+++ b/SOURCES/arptables-nft-helper
@ -0,0 +1,73 @@
				@@ -0,0 +1,73 @@
+#!/bin/sh
+
+ARPTABLES_CONFIG=/etc/sysconfig/arptables
+
+# compat for removed initscripts dependency
+
+success() {
+	echo "[  OK  ]"
+	return 0
+}
+
+failure() {
+	echo "[FAILED]"
+	return 1
+}
+
+start() {
+	if [ ! -x /usr/sbin/arptables ]; then
+		exit 4
+	fi
+
+	# don't do squat if we don't have the config file
+	if [ -f $ARPTABLES_CONFIG ]; then
+		printf "Applying arptables firewall rules: "
+		/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
+			success || \
+			failure
+		touch /var/lock/subsys/arptables
+	else
+		failure
+		echo "Configuration file /etc/sysconfig/arptables missing"
+		exit 6
+	fi
+}
+
+stop() {
+	printf "Removing user defined chains: "
+	arptables -X && success || failure
+	printf "Flushing all chains: "
+	arptables -F && success || failure
+	printf "Resetting built-in chains to the default ACCEPT policy: "
+	arptables -P INPUT ACCEPT && \
+		arptables -P OUTPUT ACCEPT && \
+		success || \
+		failure
+	rm -f /var/lock/subsys/arptables
+}
+
+case "$1" in
+start)
+	start
+	;;
+
+stop)
+	stop
+	;;
+
+restart|reload)
+	# "restart" is really just "start" as this isn't a daemon,
+	# and "start" clears any pre-defined rules anyway.
+	# This is really only here to make those who expect it happy
+	start
+	;;
+
+condrestart|try-restart|force-reload)
+	[ -e /var/lock/subsys/arptables ] && start
+	;;
+
+*)
+	exit 2
+esac
+
+exit 0
--- a/SOURCES/arptables.service
+++ b/SOURCES/arptables.service
@ -0,0 +1,12 @@
				@@ -0,0 +1,12 @@
+[Unit]
+Description=Automates a packet filtering firewall with arptables
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/arptables-helper start
+ExecStop=/usr/libexec/arptables-helper stop
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/ebtables-config
+++ b/SOURCES/ebtables-config
@ -0,0 +1,11 @@
				@@ -0,0 +1,11 @@
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules if firewall gets stopped
+# (e.g. on system shutdown).
+EBTABLES_SAVE_ON_STOP="no"
+
+# Save (and restore) rule counters.
+#   Value: yes|no,  default: no
+# Save rule counters when saving a kernel table to a file. If the
+# rule counters were saved, they will be restored when restoring the table.
+EBTABLES_SAVE_COUNTER="no"
--- a/SOURCES/ebtables-helper
+++ b/SOURCES/ebtables-helper
@ -0,0 +1,104 @@
				@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# compat for removed initscripts dependency
+
+success() {
+       echo "[  OK  ]"
+       return 0
+}
+
+failure() {
+       echo "[FAILED]"
+       return 1
+}
+
+# internal variables
+EBTABLES_CONFIG=/etc/sysconfig/ebtables-config
+EBTABLES_DATA=/etc/sysconfig/ebtables
+EBTABLES_TABLES="filter nat"
+if ebtables --version | grep -q '(legacy)'; then
+	EBTABLES_TABLES+=" broute"
+fi
+VAR_SUBSYS_EBTABLES=/var/lock/subsys/ebtables
+
+# ebtables-config defaults
+EBTABLES_SAVE_ON_STOP="no"
+EBTABLES_SAVE_COUNTER="no"
+
+# load config if existing
+[ -f "$EBTABLES_CONFIG" ] && . "$EBTABLES_CONFIG"
+
+initialize() {
+	local ret=0
+	for table in $EBTABLES_TABLES; do
+		ebtables -t $table --init-table || ret=1
+	done
+	return $ret
+}
+
+sanitize_dump() {
+	local drop=false
+
+	export EBTABLES_TABLES
+
+	cat $1 | while read line; do
+		case $line in
+		\**)
+			drop=false
+			local table="${line#\*}"
+			local found=false
+			for t in $EBTABLES_TABLES; do
+				if [[ $t == "$table" ]]; then
+					found=true
+					break
+				fi
+			done
+			$found || drop=true
+			;;
+		esac
+		$drop || echo "$line"
+	done
+}
+
+start() {
+	if [ -f $EBTABLES_DATA ]; then
+		echo -n $"ebtables: loading ruleset from $EBTABLES_DATA: "
+		sanitize_dump $EBTABLES_DATA | ebtables-restore
+	else
+		echo -n $"ebtables: no stored ruleset, initializing empty tables: "
+		initialize
+	fi
+	local ret=$?
+	touch $VAR_SUBSYS_EBTABLES
+	return $ret
+}
+
+save() {
+	echo -n $"ebtables: saving active ruleset to $EBTABLES_DATA: "
+	export EBTABLES_SAVE_COUNTER
+	ebtables-save >$EBTABLES_DATA && success || failure
+}
+
+case $1 in
+	start)
+		[ -f "$VAR_SUBSYS_EBTABLES" ] && exit 0
+		start && success || failure
+		RETVAL=$?
+		;;
+	stop)
+		[ "x$EBTABLES_SAVE_ON_STOP" = "xyes" ] && save
+		echo -n $"ebtables: stopping firewall: "
+		initialize && success || failure
+		RETVAL=$?
+		rm -f $VAR_SUBSYS_EBTABLES
+		;;
+	save)
+		save
+		;;
+	*)
+		echo "usage: ${0##*/} {start|stop|save}" >&2
+		RETVAL=2
+		;;
+esac
+
+exit $RETVAL
--- a/SOURCES/ebtables.service
+++ b/SOURCES/ebtables.service
@ -0,0 +1,11 @@
				@@ -0,0 +1,11 @@
+[Unit]
+Description=Ethernet Bridge Filtering tables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ebtables-helper start
+ExecStop=/usr/libexec/ebtables-helper stop
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/iptables-1.8.8.tar.bz2
+++ b/SOURCES/iptables-1.8.8.tar.bz2
--- a/SOURCES/iptables-config
+++ b/SOURCES/iptables-config
@ -0,0 +1,59 @@
				@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+#   Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+#   Value: yes|no,  default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+#   Value: yes|no,  default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+#   Value: yes|no,  default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+#   Value: yes|no,  default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+#   Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+#   Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+#   Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000
--- a/SOURCES/iptables-test.stderr.expect
+++ b/SOURCES/iptables-test.stderr.expect
@ -0,0 +1,35 @@
				@@ -0,0 +1,35 @@
+extensions/libip6t_srh.t: ERROR: line 2 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17)
+extensions/libip6t_srh.t: ERROR: line 3 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-eq 8)
+extensions/libip6t_srh.t: ERROR: line 4 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-gt 8)
+extensions/libip6t_srh.t: ERROR: line 5 (cannot load: ip6tables -A INPUT -m srh --srh-hdr-len-lt 8)
+extensions/libip6t_srh.t: ERROR: line 6 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-eq 1)
+extensions/libip6t_srh.t: ERROR: line 7 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-gt 1)
+extensions/libip6t_srh.t: ERROR: line 8 (cannot load: ip6tables -A INPUT -m srh --srh-segs-left-lt 1)
+extensions/libip6t_srh.t: ERROR: line 9 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-eq 4)
+extensions/libip6t_srh.t: ERROR: line 10 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-gt 4)
+extensions/libip6t_srh.t: ERROR: line 11 (cannot load: ip6tables -A INPUT -m srh --srh-last-entry-lt 4)
+extensions/libip6t_srh.t: ERROR: line 12 (cannot load: ip6tables -A INPUT -m srh --srh-tag 0)
+extensions/libip6t_srh.t: ERROR: line 13 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17)
+extensions/libip6t_srh.t: ERROR: line 14 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-eq 8)
+extensions/libip6t_srh.t: ERROR: line 15 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-gt 8)
+extensions/libip6t_srh.t: ERROR: line 16 (cannot load: ip6tables -A INPUT -m srh ! --srh-hdr-len-lt 8)
+extensions/libip6t_srh.t: ERROR: line 17 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-eq 1)
+extensions/libip6t_srh.t: ERROR: line 18 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-gt 1)
+extensions/libip6t_srh.t: ERROR: line 19 (cannot load: ip6tables -A INPUT -m srh ! --srh-segs-left-lt 1)
+extensions/libip6t_srh.t: ERROR: line 20 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-eq 4)
+extensions/libip6t_srh.t: ERROR: line 21 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-gt 4)
+extensions/libip6t_srh.t: ERROR: line 22 (cannot load: ip6tables -A INPUT -m srh ! --srh-last-entry-lt 4)
+extensions/libip6t_srh.t: ERROR: line 23 (cannot load: ip6tables -A INPUT -m srh ! --srh-tag 0)
+extensions/libip6t_srh.t: ERROR: line 24 (cannot load: ip6tables -A INPUT -m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0)
+extensions/libip6t_srh.t: ERROR: line 25 (cannot load: ip6tables -A INPUT -m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0)
+extensions/libip6t_srh.t: ERROR: line 26 (cannot load: ip6tables -A INPUT -m srh --srh-psid a::/64 --srh-nsid b::/128 --srh-lsid c::/0)
+extensions/libip6t_srh.t: ERROR: line 27 (cannot load: ip6tables -A INPUT -m srh ! --srh-psid a::/64 ! --srh-nsid b::/128 ! --srh-lsid c::/0)
+extensions/libip6t_srh.t: ERROR: line 28 (cannot load: ip6tables -A INPUT -m srh)
+extensions/libxt_LED.t: ERROR: line 3 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo")
+extensions/libxt_LED.t: ERROR: line 4 (cannot load: iptables -A INPUT -j LED --led-trigger-id "foo" --led-delay 42 --led-always-blink)
+extensions/libxt_ipcomp.t: ERROR: line 2 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp --ipcompspi 18 -j DROP)
+extensions/libxt_ipcomp.t: ERROR: line 3 (cannot load: iptables -A INPUT -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT)
+extensions/libxt_time.t: ERROR: line 2 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz)
+extensions/libxt_time.t: ERROR: line 3 (cannot load: iptables -A INPUT -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05)
+extensions/libxt_time.t: ERROR: line 4 (cannot load: iptables -A INPUT -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00)
+extensions/libxt_u32.t: ERROR: line 2 (cannot load: iptables -A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1")
--- a/SOURCES/iptables.init
+++ b/SOURCES/iptables.init
@ -0,0 +1,450 @@
				@@ -0,0 +1,450 @@
+#!/bin/bash
+#
+# iptables	Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description:	Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop iptables firewall
+# Description: Start, stop and save iptables firewall
+### END INIT INFO
+
+# compat for removed initscripts dependency
+
+success() {
+	echo -n "[  OK  ]"
+	return 0
+}
+
+warning() {
+	echo -n "[WARNING]"
+	return 1
+}
+
+failure() {
+	echo -n "[FAILED]"
+	return 1
+}
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+# only usable for root
+if [ $EUID != 0 ]; then
+    echo -n $"${IPTABLES}: Only usable by root."; warning; echo
+    exit 4
+fi
+
+if [ ! -x /sbin/$IPTABLES ]; then
+    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+    exit 5
+fi
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="yes"
+IPTABLES_STATUS_VERBOSE="no"
+IPTABLES_STATUS_LINENUMBERS="yes"
+IPTABLES_SYSCTL_LOAD_LIST=""
+IPTABLES_RESTORE_WAIT=600
+IPTABLES_RESTORE_WAIT_INTERVAL=1000000
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+is_iptables_nft() {
+	iptables --version | grep -q '(nf_tables)'
+}
+
+netfilter_active() {
+	is_iptables_nft && return 0
+	[ -e "$PROC_IPTABLES_NAMES" ]
+}
+
+netfilter_tables() {
+	netfilter_active || return 1
+	is_iptables_nft && {
+		# explicitly omit security table from this list as
+		# it should be reserved for SELinux use
+		echo "raw mangle filter nat"
+		return 0
+	}
+	cat "$PROC_IPTABLES_NAMES" 2>/dev/null
+}
+
+# Get active tables
+NF_TABLES=$(netfilter_tables)
+
+
+flush_n_delete() {
+    # Flush firewall rules and delete chains.
+    netfilter_active || return 0
+
+    # Check if firewall is configured (has tables)
+    [ -z "$NF_TABLES" ] && return 1
+
+    echo -n $"${IPTABLES}: Flushing firewall rules: "
+    ret=0
+    # For all tables
+    for i in $NF_TABLES; do
+        # Flush firewall rules.
+	$IPTABLES -t $i -F;
+	let ret+=$?;
+
+        # Delete firewall chains.
+	$IPTABLES -t $i -X;
+	let ret+=$?;
+
+	# Set counter to zero.
+	$IPTABLES -t $i -Z;
+	let ret+=$?;
+    done
+
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+set_policy() {
+    # Set policy for configured tables.
+    policy=$1
+
+    # Check if iptable module is loaded
+    netfilter_active || return 0
+
+    # Check if firewall is configured (has tables)
+    tables=$(netfilter_tables)
+    [ -z "$tables" ] && return 1
+
+    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
+    ret=0
+    for i in $tables; do
+	echo -n "$i "
+	case "$i" in
+	    raw)
+		$IPTABLES -t raw -P PREROUTING $policy \
+		    && $IPTABLES -t raw -P OUTPUT $policy \
+		    || let ret+=1
+		;;
+	    filter)
+                $IPTABLES -t filter -P INPUT $policy \
+		    && $IPTABLES -t filter -P OUTPUT $policy \
+		    && $IPTABLES -t filter -P FORWARD $policy \
+		    || let ret+=1
+		;;
+	    nat)
+		$IPTABLES -t nat -P PREROUTING $policy \
+		    && $IPTABLES -t nat -P POSTROUTING $policy \
+		    && $IPTABLES -t nat -P OUTPUT $policy \
+		    || let ret+=1
+		;;
+	    mangle)
+	        $IPTABLES -t mangle -P PREROUTING $policy \
+		    && $IPTABLES -t mangle -P POSTROUTING $policy \
+		    && $IPTABLES -t mangle -P INPUT $policy \
+		    && $IPTABLES -t mangle -P OUTPUT $policy \
+		    && $IPTABLES -t mangle -P FORWARD $policy \
+		    || let ret+=1
+		;;
+	    *)
+	        let ret+=1
+		;;
+        esac
+    done
+
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+load_sysctl() {
+    # load matched sysctl values
+    if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
+        echo -n $"Loading sysctl settings: "
+        ret=0
+        for item in $IPTABLES_SYSCTL_LOAD_LIST; do
+            fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
+            let ret+=$?;
+        done
+        [ $ret -eq 0 ] && success || failure
+        echo
+    fi
+    return $ret
+}
+
+start() {
+    # Do not start if there is no config file.
+    if [ ! -f "$IPTABLES_DATA" ]; then
+	echo -n $"${IPTABLES}: No config file."; warning; echo
+	return 6
+    fi
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Applying firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+    if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+       OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+       if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+           OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+       fi
+    fi
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo;
+	if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
+	    echo -n $"${IPTABLES}: Applying firewall fallback rules: "
+	    $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
+	    if [ $? -eq 0 ]; then
+		success; echo
+	    else
+		failure; echo; return 1
+	    fi
+	else
+	    return 1
+	fi
+    fi
+ 
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+ 
+    # Load sysctl settings
+    load_sysctl
+
+    touch $VAR_SUBSYS_IPTABLES
+    return $ret
+}
+
+stop() {
+    # Do not stop if iptables module is not loaded.
+    netfilter_active || return 0
+
+    # Set default chain policy to ACCEPT, in order to not break shutdown
+    # on systems where the default policy is DROP and root device is
+    # network-based (i.e.: iSCSI, NFS)
+    set_policy ACCEPT
+    # And then, flush the rules and delete chains
+    flush_n_delete
+
+    rm -f $VAR_SUBSYS_IPTABLES
+    return $ret
+}
+
+save() {
+    # Check if iptable module is loaded
+    if ! netfilter_active; then
+	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+	return 0
+    fi
+
+    # Check if firewall is configured (has tables)
+    if [ -z "$NF_TABLES" ]; then
+	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+	return 6
+    fi
+
+    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+    ret=0
+    TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
+	&& chmod 600 "$TMP_FILE" \
+	&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+	&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
+	|| ret=1
+    if [ $ret -eq 0 ]; then
+	if [ -e $IPTABLES_DATA ]; then
+	    cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+		&& chmod 600 $IPTABLES_DATA.save \
+		&& restorecon $IPTABLES_DATA.save \
+		|| ret=1
+	fi
+	if [ $ret -eq 0 ]; then
+	    mv -f $TMP_FILE $IPTABLES_DATA \
+		&& chmod 600 $IPTABLES_DATA \
+		&& restorecon $IPTABLES_DATA \
+	        || ret=1
+	fi
+    fi
+    rm -f $TMP_FILE
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+status() {
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
+	echo $"${IPTABLES}: Firewall is not running."
+	return 3
+    fi
+
+    # Do not print status if lockfile is missing and iptables modules are not 
+    # loaded.
+    # Check if iptable modules are loaded
+    if ! netfilter_active; then
+	echo $"${IPTABLES}: Firewall modules are not loaded."
+	return 3
+    fi
+
+    # Check if firewall is configured (has tables)
+    if [ -z "$NF_TABLES" ]; then
+	echo $"${IPTABLES}: Firewall is not configured. "
+	return 3
+    fi
+
+    NUM=
+    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+    VERBOSE=
+    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
+    COUNT=
+    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
+
+    for table in $NF_TABLES; do
+	echo $"Table: $table"
+	$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
+    done
+
+    return 0
+}
+
+reload() {
+    # Do not reload if there is no config file.
+    if [ ! -f "$IPTABLES_DATA" ]; then
+	echo -n $"${IPTABLES}: No config file."; warning; echo
+	return 6
+    fi
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Trying to reload firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+    if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+       OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+       if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+           OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+       fi
+    fi
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo; echo "Firewall rules are not changed."; return 1
+    fi
+
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+
+    # Load sysctl settings
+    load_sysctl
+
+    return $ret
+}
+
+restart() {
+    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+    stop
+    start
+}
+
+
+case "$1" in
+    start)
+	[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	start
+	RETVAL=$?
+	;;
+    stop)
+	[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+	stop
+	RETVAL=$?
+	;;
+    restart|force-reload)
+	restart
+	RETVAL=$?
+	;;
+    reload)
+	[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+	RETVAL=$?
+	;;      
+    condrestart|try-restart)
+	[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	restart
+	RETVAL=$?
+	;;
+    status)
+	status
+	RETVAL=$?
+	;;
+    panic)
+	set_policy DROP
+	RETVAL=$?
+        ;;
+    save)
+	save
+	RETVAL=$?
+	;;
+    *)
+	echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
+	RETVAL=2
+	;;
+esac
+
+exit $RETVAL
--- a/SOURCES/iptables.service
+++ b/SOURCES/iptables.service
@ -0,0 +1,17 @@
				@@ -0,0 +1,17 @@
+[Unit]
+Description=IPv4 firewall with iptables
+AssertPathExists=/etc/sysconfig/iptables
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/sysconfig_ip6tables
+++ b/SOURCES/sysconfig_ip6tables
@ -0,0 +1,15 @@
				@@ -0,0 +1,15 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
--- a/SOURCES/sysconfig_iptables
+++ b/SOURCES/sysconfig_iptables
@ -0,0 +1,14 @@
				@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec