diff --git a/SOURCES/iptables-1.4.21-rhbz_1261238.patch b/SOURCES/iptables-1.4.21-rhbz_1261238.patch
new file mode 100644
index 0000000..2584c74
--- /dev/null
+++ b/SOURCES/iptables-1.4.21-rhbz_1261238.patch
@@ -0,0 +1,14 @@
+diff -up iptables-1.4.21/extensions/libxt_TRACE.man.rhbz_1261238 iptables-1.4.21/extensions/libxt_TRACE.man
+--- iptables-1.4.21/extensions/libxt_TRACE.man.rhbz_1261238	2013-11-22 12:18:13.000000000 +0100
++++ iptables-1.4.21/extensions/libxt_TRACE.man	2016-07-01 11:43:59.775632018 +0200
+@@ -1,8 +1,8 @@
+ This target marks packets so that the kernel will log every rule which match 
+ the packets as those traverse the tables, chains, rules.
+ .PP
+-A logging backend, such as ip(6)t_LOG or nfnetlink_log, must be loaded for this
+-to be visible.
++A logging backend, such as nf_log_ipv4(6) or nfnetlink_log, must be loaded for
++this to be visible.
+ The packets are logged with the string prefix:
+ "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for 
+ plain rule, "return" for implicit rule at the end of a user defined chain 
diff --git a/SOURCES/iptables-c513cc3-rhbz_1298879.patch b/SOURCES/iptables-c513cc3-rhbz_1298879.patch
new file mode 100644
index 0000000..136b648
--- /dev/null
+++ b/SOURCES/iptables-c513cc3-rhbz_1298879.patch
@@ -0,0 +1,34 @@
+From c513cc3dd10231f267548d644dcb7632516a2348 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Fri, 10 Jun 2016 14:57:58 +0200
+Subject: ip6tables: Warn about use of DROP in nat table
+
+Clone of 1eada72b with 9bb76094 and e0390bee on top.
+
+Signed-off-by: Thomas Woerner <twoerner@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ iptables/ip6tables.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 2731209..c48ddf9 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1720,6 +1720,13 @@ int do_command6(int argc, char *argv[], char **table,
+ 		cs.invert = FALSE;
+ 	}
+ 
++	if (strcmp(*table, "nat") == 0 &&
++	    ((policy != NULL && strcmp(policy, "DROP") == 0) ||
++	    (cs.jumpto != NULL && strcmp(cs.jumpto, "DROP") == 0)))
++		xtables_error(PARAMETER_PROBLEM,
++			"\nThe \"nat\" table is not intended for filtering, "
++		        "the use of DROP is therefore inhibited.\n\n");
++
+ 	for (matchp = cs.matches; matchp; matchp = matchp->next)
+ 		xtables_option_mfcall(matchp->match);
+ 	if (cs.target != NULL)
+-- 
+cgit v0.12
+
diff --git a/SOURCES/iptables.init b/SOURCES/iptables.init
index 611f9da..8f3060e 100755
--- a/SOURCES/iptables.init
+++ b/SOURCES/iptables.init
@@ -29,6 +29,8 @@ IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
 VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+RESTORECON=/bin/restorecon
+[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true
 
 # only usable for root
 if [ $EUID != 0 ]; then
@@ -42,7 +44,7 @@ if [ ! -x /sbin/$IPTABLES ]; then
 fi
 
 # Old or new modutils
-/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \
     && NEW_MODUTILS=1 \
     || NEW_MODUTILS=0
 
@@ -312,13 +314,13 @@ save() {
 	if [ -e $IPTABLES_DATA ]; then
 	    cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
 		&& chmod 600 $IPTABLES_DATA.save \
-		&& restorecon $IPTABLES_DATA.save \
+		&& $RESTORECON $IPTABLES_DATA.save \
 		|| ret=1
 	fi
 	if [ $ret -eq 0 ]; then
 	    mv -f $TMP_FILE $IPTABLES_DATA \
 		&& chmod 600 $IPTABLES_DATA \
-		&& restorecon $IPTABLES_DATA \
+		&& $RESTORECON $IPTABLES_DATA \
 	        || ret=1
 	fi
     fi
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index 4e40d76..9e237dd 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@@ -7,7 +7,7 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.4.21
-Release: 16%{?dist}
+Release: 17%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -20,6 +20,8 @@ Patch1: iptables-1.4.21-rhbz_1054871.patch
 Patch2: iptables-1.4.21-libxt_cgroup.patch
 Patch3: iptables-1.4.21-wait_seconds.patch
 Patch4: iptables-1.4.21-flock_wait.patch
+Patch5: iptables-1.4.21-rhbz_1261238.patch
+Patch6: iptables-c513cc3-rhbz_1298879.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 License: GPLv2
@@ -86,6 +88,8 @@ Currently only provides nfnl_osf with the pf.os database.
 %patch2 -p1 -b .libxt_cgroup
 %patch3 -p1 -b .wait_seconds
 %patch4 -p1 -b .flock_wait
+%patch5 -p1 -b .rhbz_1261238
+%patch6 -p1 -b .rhbz_1298879
 
 %build
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \
@@ -239,8 +243,16 @@ done
 
 
 %changelog
+* Fri Jul  1 2016 Thomas Woerner <twoerner@redhat.com> 1.4.21-17
+- Fixed init script not to fail on missing restorecon (RHBZ#1246380)
+- Adapted man page snipplet for TRACE to use proper logging backend names
+  (RHBZ#1261238)
+- Warn about use of DROP in nat table (RHBZ#1298879)
+- Fixed modules unload in init script (RHBZ#1324102)
+
 * Fri Sep 18 2015 Thomas Woerner <twoerner@redhat.com> 1.4.21-16
-- Fix important coverity findings: missing include for flock and use bash for init script
+- Fix important coverity findings: missing include for flock and use bash for
+  init script (RHBZ#1264399)
 
 * Fri Sep 18 2015 Thomas Woerner <twoerner@redhat.com> 1.4.21-15
 - Use systemd AssertPathExists for /etc/sysconfig/iptables (RHBZ#1200415)