diff --git a/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch b/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch
new file mode 100644
index 0000000..e7658b0
--- /dev/null
+++ b/SOURCES/extensions-libxt_tcpmss-Detect-invalid-ranges.patch
@@ -0,0 +1,61 @@
+From 12852e5c973ef9e5d33c1dc1a21c659f4dc6227b Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 15:28:07 +0200
+Subject: [PATCH] extensions: libxt_tcpmss: Detect invalid ranges
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1128510
+Upstream Status: iptables commit dbbab0aa328f1
+
+commit dbbab0aa328f136502373a1031e64eb53fa113e5
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Mon Oct 9 15:47:39 2017 +0200
+
+    extensions: libxt_tcpmss: Detect invalid ranges
+
+    Previously, an MSS range of e.g. 65535:1000 was silently accepted but
+    would then never match a packet since the kernel checks whether the MSS
+    value is greater than or equal to the first *and* less than or equal to
+    the second value.
+
+    Detect this as a parameter problem and update the man page accordingly.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ extensions/libxt_tcpmss.c   | 6 +++++-
+ extensions/libxt_tcpmss.man | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
+index c7c5971716294..bcd357aa3d8e2 100644
+--- a/extensions/libxt_tcpmss.c
++++ b/extensions/libxt_tcpmss.c
+@@ -27,8 +27,12 @@ static void tcpmss_parse(struct xt_option_call *cb)
+ 	xtables_option_parse(cb);
+ 	mssinfo->mss_min = cb->val.u16_range[0];
+ 	mssinfo->mss_max = mssinfo->mss_min;
+-	if (cb->nvals == 2)
++	if (cb->nvals == 2) {
+ 		mssinfo->mss_max = cb->val.u16_range[1];
++		if (mssinfo->mss_max < mssinfo->mss_min)
++			xtables_error(PARAMETER_PROBLEM,
++				      "tcpmss: invalid range given");
++	}
+ 	if (cb->invert)
+ 		mssinfo->invert = 1;
+ }
+diff --git a/extensions/libxt_tcpmss.man b/extensions/libxt_tcpmss.man
+index 8ee715cdbfb07..8253c363418f8 100644
+--- a/extensions/libxt_tcpmss.man
++++ b/extensions/libxt_tcpmss.man
+@@ -1,4 +1,4 @@
+ This matches the TCP MSS (maximum segment size) field of the TCP header.  You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
+ .TP
+ [\fB!\fP] \fB\-\-mss\fP \fIvalue\fP[\fB:\fP\fIvalue\fP]
+-Match a given TCP MSS value or range.
++Match a given TCP MSS value or range. If a range is given, the second \fIvalue\fP must be greater than or equal to the first \fIvalue\fP.
+-- 
+2.17.0
+
diff --git a/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch b/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch
new file mode 100644
index 0000000..60f605f
--- /dev/null
+++ b/SOURCES/ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch
@@ -0,0 +1,61 @@
+From a7da716205fb6009f665a4e91b28c7782cf47ce2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 16:34:48 +0200
+Subject: [PATCH] ip{,6}tables-restore: Don't accept wait-interval without wait
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit 21ba5b3874fb3
+
+commit 21ba5b3874fb3d0c4cccc9b59f65c8df575211e2
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Sep 20 19:34:36 2017 +0200
+
+    ip{,6}tables-restore: Don't accept wait-interval without wait
+
+    If -W <val> was given, error out if -w wasn't since that doesn't make
+    sense.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/ip6tables-restore.c | 5 +++++
+ iptables/iptables-restore.c  | 5 +++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
+index 0f85fee3593d5..e2a82c57bd426 100644
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -271,6 +271,11 @@ int ip6tables_restore_main(int argc, char *argv[])
+ 	}
+ 	else in = stdin;
+ 
++	if (!wait_interval.tv_sec && !wait) {
++		fprintf(stderr, "Option --wait-interval requires option --wait\n");
++		exit(1);
++	}
++
+ 	/* Grab standard input. */
+ 	while (fgets(buffer, sizeof(buffer), in)) {
+ 		int ret = 0;
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 6d0df8d1c0f36..af0c79408631d 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -270,6 +270,11 @@ iptables_restore_main(int argc, char *argv[])
+ 	}
+ 	else in = stdin;
+ 
++	if (!wait_interval.tv_sec && !wait) {
++		fprintf(stderr, "Option --wait-interval requires option --wait\n");
++		exit(1);
++	}
++
+ 	/* Grab standard input. */
+ 	while (fgets(buffer, sizeof(buffer), in)) {
+ 		int ret = 0;
+-- 
+2.17.0
+
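Review bot: The added guard `if (!wait_interval.tv_sec && !wait)` in ip6tables_restore_main, and the identical one in iptables_restore_main, treats a zero tv_sec as "-W was given". That only holds if wait_interval is initialised with a non-zero tv_sec and the option parser clears it, and neither is visible in these hunks. If this backported 1.4.21 tree zero-initialises the struct, every run without --wait would exit 1 before reading the ruleset and could leave a host without its saved rules at boot, so the initialiser should be confirmed. A comment such as `/* tv_sec defaults to non-zero and is cleared when -W is parsed */` would make the dependency explicit, and a dedicated flag set in the `W` case would avoid the sentinel altogether. Both function bodies start and end outside the hunks.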
diff --git a/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch b/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch
new file mode 100644
index 0000000..d69e43a
--- /dev/null
+++ b/SOURCES/ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch
@@ -0,0 +1,42 @@
+From f5757357c0bb6b5df843d15b90f235190d3b4448 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 16:34:48 +0200
+Subject: [PATCH] ip{,6}tables-restore: Don't ignore missing wait-interval
+ value
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit 60e0ffd365a2d
+
+commit 60e0ffd365a2d936b3df13c1289b2ef57b756d92
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Sep 20 19:34:35 2017 +0200
+
+    ip{,6}tables-restore: Don't ignore missing wait-interval value
+
+    Passing -W without a value doesn't make sense so bail out if none was
+    given.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/xshared.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 3fbe3b1a99b77..b8a81fd968361 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -318,7 +318,7 @@ void parse_wait_interval(int argc, char *argv[], struct timeval *wait_interval)
+ 	else if (xs_has_arg(argc, argv))
+ 		arg = argv[optind++];
+ 	else
+-		return;
++		xtables_error(PARAMETER_PROBLEM, "wait interval value required");
+ 
+ 	ret = sscanf(arg, "%u", &usec);
+ 	if (ret == 1) {
+-- 
+2.17.0
+
diff --git a/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch b/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch
new file mode 100644
index 0000000..750fa48
--- /dev/null
+++ b/SOURCES/iptables-restore-save-exit-when-given-an-unknown-opt.patch
@@ -0,0 +1,152 @@
+From 7450d63abf0608efba8d48858e54ff23f2179300 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Fri, 11 May 2018 15:29:24 +0200
+Subject: [PATCH] iptables-restore/save: exit when given an unknown option
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1465078
+Upstream Status: iptables commit d89dc47ab3875
+Conflicts:
+ * Context changes in ip{6,}tables-restore.c
+ * xtables-{save,restore}.c not present here.
+
+commit d89dc47ab3875f6fe6679cebceccd2000bf81b8e
+Author: Vincent Bernat <vincent@bernat.im>
+Date:   Sat Apr 15 12:16:47 2017 +0200
+
+    iptables-restore/save: exit when given an unknown option
+
+    When an unknown option is given, iptables-restore should exit instead of
+    continue its operation. For example, if `--table` was misspelled, this
+    could lead to an unwanted change. Moreover, exit with a status code of
+    1. Make the same change for iptables-save.
+
+    OTOH, exit with a status code of 0 when requesting help.
+
+    Signed-off-by: Vincent Bernat <vincent@bernat.im>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/ip6tables-restore.c | 10 +++++-----
+ iptables/ip6tables-save.c    |  4 ++++
+ iptables/iptables-restore.c  | 10 +++++-----
+ iptables/iptables-save.c     |  4 ++++
+ 4 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c
+index 0b8b95607febf..0f85fee3593d5 100644
+--- a/iptables/ip6tables-restore.c
++++ b/iptables/ip6tables-restore.c
+@@ -48,8 +48,6 @@ static const struct option options[] = {
+ 	{NULL},
+ };
+ 
+-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
+-
+ #define prog_name ip6tables_globals.program_name
+ #define prog_vers ip6tables_globals.program_version
+ 
+@@ -66,8 +64,6 @@ static void print_usage(const char *name, const char *version)
+ 			"	   [ --wait-interval=<usecs>\n"
+ 			"	   [ --noflush ]\n"
+ 			"	   [ --modprobe=<command>]\n", name);
+-
+-	exit(1);
+ }
+ 
+ static struct xtc_handle *create_handle(const char *tablename)
+@@ -238,7 +234,7 @@ int ip6tables_restore_main(int argc, char *argv[])
+ 			case 'h':
+ 				print_usage("ip6tables-restore",
+ 					    IPTABLES_VERSION);
+-				break;
++				exit(0);
+ 			case 'n':
+ 				noflush = 1;
+ 				break;
+@@ -254,6 +250,10 @@ int ip6tables_restore_main(int argc, char *argv[])
+ 			case 'T':
+ 				tablename = optarg;
+ 				break;
++			default:
++				fprintf(stderr,
++					"Try `ip6tables-restore -h' for more information.\n");
++				exit(1);
+ 		}
+ 	}
+ 
+diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
+index 3a1ded162fad1..a64d169fc1211 100644
+--- a/iptables/ip6tables-save.c
++++ b/iptables/ip6tables-save.c
+@@ -157,6 +157,10 @@ int ip6tables_save_main(int argc, char *argv[])
+ 		case 'd':
+ 			do_output(tablename);
+ 			exit(0);
++		default:
++			fprintf(stderr,
++				"Look at manual page `ip6tables-save.8' for more information.\n");
++			exit(1);
+ 		}
+ 	}
+ 
+diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
+index 7aab1e78d7e0e..6d0df8d1c0f36 100644
+--- a/iptables/iptables-restore.c
++++ b/iptables/iptables-restore.c
+@@ -45,8 +45,6 @@ static const struct option options[] = {
+ 	{NULL},
+ };
+ 
+-static void print_usage(const char *name, const char *version) __attribute__((noreturn));
+-
+ #define prog_name iptables_globals.program_name
+ #define prog_vers iptables_globals.program_version
+ 
+@@ -64,8 +62,6 @@ static void print_usage(const char *name, const char *version)
+ 			"	   [ --wait-interval=<usecs>\n"
+ 			"	   [ --table=<TABLE> ]\n"
+ 			"	   [ --modprobe=<command>]\n", name);
+-
+-	exit(1);
+ }
+ 
+ static struct xtc_handle *create_handle(const char *tablename)
+@@ -237,7 +233,7 @@ iptables_restore_main(int argc, char *argv[])
+ 			case 'h':
+ 				print_usage("iptables-restore",
+ 					    IPTABLES_VERSION);
+-				break;
++				exit(0);
+ 			case 'n':
+ 				noflush = 1;
+ 				break;
+@@ -253,6 +249,10 @@ iptables_restore_main(int argc, char *argv[])
+ 			case 'T':
+ 				tablename = optarg;
+ 				break;
++			default:
++				fprintf(stderr,
++					"Try `iptables-restore -h' for more information.\n");
++				exit(1);
+ 		}
+ 	}
+ 
+diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
+index 21f8839e8cd82..87bc885735dc3 100644
+--- a/iptables/iptables-save.c
++++ b/iptables/iptables-save.c
+@@ -156,6 +156,10 @@ iptables_save_main(int argc, char *argv[])
+ 		case 'd':
+ 			do_output(tablename);
+ 			exit(0);
++		default:
++			fprintf(stderr,
++				"Look at manual page `iptables-save.8' for more information.\n");
++			exit(1);
+ 		}
+ 	}
+ 
+-- 
+2.17.0
+
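Review bot: print_usage() in ip6tables-restore.c and iptables-restore.c loses both its `exit(1)` and its `noreturn` prototype, so it now returns to the caller. Only the `h` case is updated to `exit(0)`; any other call site outside these hunks would fall through and keep processing. The patch header records context conflicts for both restore files, so it is worth checking the backported sources for further callers. I would add a one-line comment above the function, `/* Prints usage only; the caller chooses the exit status. */`. The new `default:` arms also word their hint differently for restore (`Try ... -h`) and save (`Look at manual page ...`), and the enclosing functions are only partly visible here.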
diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init
index 0ca8453..73656d3 100755
--- a/SOURCES/iptables.init
+++ b/SOURCES/iptables.init
@@ -187,6 +187,9 @@ set_policy() {
 		    && $IPTABLES_CMD -t mangle -P FORWARD $policy \
 		    || let ret+=1
 		;;
+	    security)
+	        # Ignore the security table
+	        ;;
 	    *)
 	        let ret+=1
 		;;
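Review bot: The new `security)` arm in set_policy reports success without running any command for that table, so its chain policies stay as they were while the other tables get `$policy`. The comment `# Ignore the security table` says what happens but not why. Something like `# security table: policies are left unchanged on purpose, do not count it as an error` would show the next maintainer that the skip is deliberate. If an administrator has set a non-default policy in that table, it would presumably persist after the script resets the other tables, which may deserve a line in the script's documentation. set_policy starts and ends outside the hunk.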
diff --git a/SOURCES/iptables.service b/SOURCES/iptables.service
deleted file mode 100644
index 6722c7a..0000000
--- a/SOURCES/iptables.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=IPv4 firewall with iptables
-After=syslog.target
-AssertPathExists=/etc/sysconfig/iptables
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/libexec/iptables/iptables.init start
-ExecReload=/usr/libexec/iptables/iptables.init reload
-ExecStop=/usr/libexec/iptables/iptables.init stop
-Environment=BOOTUP=serial
-Environment=CONSOLETYPE=serial
-StandardOutput=syslog
-StandardError=syslog
-
-[Install]
-WantedBy=basic.target
diff --git a/SOURCES/iptables.service.in b/SOURCES/iptables.service.in
new file mode 100644
index 0000000..6722c7a
--- /dev/null
+++ b/SOURCES/iptables.service.in
@@ -0,0 +1,18 @@
+[Unit]
+Description=IPv4 firewall with iptables
+After=syslog.target
+AssertPathExists=/etc/sysconfig/iptables
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=basic.target
diff --git a/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch b/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch
new file mode 100644
index 0000000..53e1a4d
--- /dev/null
+++ b/SOURCES/utils-Add-a-man-page-for-nfnl_osf.patch
@@ -0,0 +1,145 @@
+From 77ff3d215f2a28a9ffc9fe1943c7f2b12d5e4f69 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 5 Jun 2018 14:49:54 +0200
+Subject: [PATCH 2/2] utils: Add a man page for nfnl_osf
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331
+Upstream Status: iptables commit af468b6e7f35d
+
+commit af468b6e7f35db09af10ae4ec65cc7803180a4b4
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Sep 20 18:54:09 2017 +0200
+
+    utils: Add a man page for nfnl_osf
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ configure.ac        |  3 +-
+ utils/.gitignore    |  1 +
+ utils/Makefile.am   |  4 +++
+ utils/nfnl_osf.8.in | 67 +++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 74 insertions(+), 1 deletion(-)
+ create mode 100644 utils/nfnl_osf.8.in
+
+diff --git a/configure.ac b/configure.ac
+index af710cf5481c0..9046633ce5a4d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -173,7 +173,8 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
+ 	libiptc/Makefile libiptc/libiptc.pc
+ 	libiptc/libip4tc.pc libiptc/libip6tc.pc
+ 	libxtables/Makefile utils/Makefile
+-	include/xtables-version.h include/iptables/internal.h])
++	include/xtables-version.h include/iptables/internal.h
++	utils/nfnl_osf.8])
+ AC_OUTPUT
+ 
+ 
+diff --git a/utils/.gitignore b/utils/.gitignore
+index 216d1e4a621ed..7c6afbf4e6a52 100644
+--- a/utils/.gitignore
++++ b/utils/.gitignore
+@@ -1,2 +1,3 @@
+ /nfnl_osf
++/nfnl_osf.8
+ /nfbpf_compile
+diff --git a/utils/Makefile.am b/utils/Makefile.am
+index c4192a9e73688..80029e303ff3b 100644
+--- a/utils/Makefile.am
++++ b/utils/Makefile.am
+@@ -6,8 +6,10 @@ AM_CPPFLAGS = ${regular_CPPFLAGS} -I${top_builddir}/include \
+ 
+ sbin_PROGRAMS =
+ pkgdata_DATA =
++man_MANS =
+ 
+ if HAVE_LIBNFNETLINK
++man_MANS += nfnl_osf.8
+ sbin_PROGRAMS += nfnl_osf
+ pkgdata_DATA += pf.os
+ 
+@@ -23,3 +25,5 @@ if ENABLE_SYNCONF
+ sbin_PROGRAMS += nfsynproxy
+ nfsynproxy_LDADD = -lpcap
+ endif
++
++CLEANFILES = nfnl_osf.8
+diff --git a/utils/nfnl_osf.8.in b/utils/nfnl_osf.8.in
+new file mode 100644
+index 0000000000000..140b5c3f99a42
+--- /dev/null
++++ b/utils/nfnl_osf.8.in
+@@ -0,0 +1,67 @@
++.TH NFNL_OSF 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
++
++.SH NAME
++nfnl_osf \- OS fingerprint loader utility
++.SH SYNOPSIS
++
++.ad l
++.in +8
++.ti -8
++.B nfnl_osf
++.BI -f " fingerprints"
++[
++.B -d
++]
++
++.SH DESCRIPTION
++The
++.B nfnl_osf
++utility allows to load a set of operating system signatures into the kernel for
++later matching against using iptables'
++.B osf
++match.
++
++.SH OPTIONS
++
++.TP
++.BI -f " fingerprints"
++Read signatures from file
++.IR fingerprints .
++
++.TP
++.B -d
++Instead of adding the signatures from
++.I fingerprints
++into the kernel, remove them.
++
++.SH EXIT STATUS
++Exit status is 0 if command succeeded, otherwise a negative return code
++indicates the type of error which happened:
++
++.TP
++.B -1
++Illegal arguments passed, fingerprints file not readable or failure in netlink
++communication.
++
++.TP
++.B -ENOENT
++Fingerprints file not specified.
++
++.TP
++.B -EINVAL
++Netlink handle initialization failed or fingerprints file format invalid.
++
++.SH FILES
++
++An up to date set of operating system signatures can be downloaded from
++http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
++
++.SH SEE ALSO
++
++The description of
++.B osf
++match in
++.BR iptables-extensions (8)
++contains further information about the topic as well as example
++.B nfnl_osf
++invocations.
+-- 
+2.17.0
+
diff --git a/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch b/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch
new file mode 100644
index 0000000..4c77002
--- /dev/null
+++ b/SOURCES/utils-nfnl_osf-Fix-synopsis-in-help-text.patch
@@ -0,0 +1,43 @@
+From 89c09c279e53abd66a7ca9b0dd8d2c2a5c8f2d9d Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Tue, 5 Jun 2018 14:49:54 +0200
+Subject: [PATCH 1/2] utils: nfnl_osf: Fix synopsis in help text
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1487331
+Upstream Status: iptables commit 1773dcaabb738
+
+commit 1773dcaabb73884666d30b926677f8232e5c04b3
+Author: Phil Sutter <phil@nwl.cc>
+Date:   Wed Sep 20 18:54:08 2017 +0200
+
+    utils: nfnl_osf: Fix synopsis in help text
+
+    * -d is optional
+    * -h is not really a flag, just anything not recognized triggers the
+      help output.
+    * That '<del rules>' bit is rather confusing than helpful.
+
+    Signed-off-by: Phil Sutter <phil@nwl.cc>
+    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ utils/nfnl_osf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
+index bb5f92dc6d0aa..972128f47ba04 100644
+--- a/utils/nfnl_osf.c
++++ b/utils/nfnl_osf.c
+@@ -438,7 +438,7 @@ int main(int argc, char *argv[])
+ 				break;
+ 			default:
+ 				fprintf(stderr,
+-					"Usage: %s -f fingerprints -d <del rules> -h\n",
++					"Usage: %s -f fingerprints [-d]\n",
+ 					argv[0]);
+ 				return -1;
+ 		}
+-- 
+2.17.0
+
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index b3c208d..22d331f 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@@ -7,11 +7,11 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.4.21
-Release: 24.1%{?dist}
+Release: 28%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
-Source3: iptables.service
+Source3: iptables.service.in
 Source4: iptables.save-legacy
 Source5: sysconfig_iptables
 Source6: sysconfig_ip6tables
@@ -33,6 +33,12 @@ Patch13: iptables-1.4.21-restore_support_acquiring_the_lock.patch
 Patch14: iptables-do_not_set_changed_for_check_options.patch
 Patch15: iptables-1.4.21-restore_version.patch
 Patch16: iptables-1.4.21-restore_wait_man.patch
+Patch17: extensions-libxt_tcpmss-Detect-invalid-ranges.patch
+Patch18: iptables-restore-save-exit-when-given-an-unknown-opt.patch
+Patch19: ip-6-tables-restore-Don-t-ignore-missing-wait-interv.patch
+Patch20: ip-6-tables-restore-Don-t-accept-wait-interval-witho.patch
+Patch21: utils-nfnl_osf-Fix-synopsis-in-help-text.patch
+Patch22: utils-Add-a-man-page-for-nfnl_osf.patch
 
 Group: System Environment/Base
 URL: http://www.netfilter.org/
@@ -115,6 +121,12 @@ Currently only provides nfnl_osf with the pf.os database.
 %patch14 -p1 -b .do_not_set_changed_for_check_options
 %patch15 -p1 -b .restore_version
 %patch16 -p1 -b .restore_wait_man
+%patch17 -p1 -b .tcpmss_detect_invalid_ranges
+%patch18 -p1 -b .exit_unknown_option
+%patch19 -p1 -b .require_wait_value
+%patch20 -p1 -b .wait_interval_needs_wait
+%patch21 -p1 -b .nfnl_osf_synopsis
+%patch22 -p1 -b .nfnl_osf_man_page
 
 %build
 # Since patches above touch configure.ac we must regen configure
@@ -164,8 +176,9 @@ sed -e 's;iptables;ip6tables;g' \
     -e 's;/usr/libexec/ip6tables;/usr/libexec/iptables;g' \
     -e 's;^\(After=.*\)$;\1 iptables.service;' \
     < %{SOURCE3} > ip6tables.service
-sed -i -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' %{SOURCE3}
-install -c -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}
+sed -e 's;^\(After=.*\)$;Before=ip6tables.service\n\1;' \
+    < %{SOURCE3} > iptables.service
+install -c -m 644 iptables.service %{buildroot}/%{_unitdir}
 install -c -m 644 ip6tables.service %{buildroot}/%{_unitdir}
 
 # install legacy actions for service command
@@ -273,13 +286,27 @@ done
 %{_sbindir}/nfnl_osf
 %dir %{_datadir}/xtables
 %{_datadir}/xtables/pf.os
+%{_mandir}/man8/nfnl_osf*
 
 
 %changelog
-* Tue Apr 03 2018 Phil Sutter - 1.4.21-24.1
-- Fix for stopping iptables and ip6tables at the same time (RHBZ#1563168)
-- Propagate errors on service stop (RHBZ#1563168)
-- Avoid overwriting parent's return code (RHBZ#1563168)
+* Tue Jun 05 2018 Phil Sutter - 1.4.21-28
+- Add nfnl_osf.8 man page (RHBZ#1487331)
+
+* Fri May 11 2018 Phil Sutter - 1.4.21-27
+- libxt_tcpmss: Detect invalid ranges (RHBZ#1128510)
+- ip(6)tables-save/restore: Exit if invalid option was given (RHBZ#1465078)
+- ip(6)tables-save/restore: Require value to -W option (RHBZ#1465078)
+- ip(6)tables-save/restore: Don't accept -W without -w (RHBZ#1465078)
+- Ignore security table when setting policies (RHBZ#1494012)
+- Fix spec file changing SRPM content (RHBZ#1531290)
+
+* Thu Mar 29 2018 Phil Sutter - 1.4.21-26
+- Avoid overwriting parent's return code (RHBZ#1560012)
+
+* Thu Mar 29 2018 Phil Sutter - 1.4.21-25
+- Fix for stopping iptables and ip6tables at the same time (RHBZ#1560012)
+- Propagate errors on service stop (RHBZ#1560012)
 
 * Fri Nov 17 2017 Phil Sutter - 1.4.21-24
 - Fix fgrep call over multiple files in iptables.init