diff --git a/SOURCES/iptables.service.in b/SOURCES/iptables.service.in
index 6722c7a..3277621 100644
--- a/SOURCES/iptables.service.in
+++ b/SOURCES/iptables.service.in
@@ -1,5 +1,7 @@
[Unit]
Description=IPv4 firewall with iptables
+Before=network-pre.target
+Wants=network-pre.target
After=syslog.target
AssertPathExists=/etc/sysconfig/iptables
diff --git a/SOURCES/xtables-restore-Fix-table-parameter-check.patch b/SOURCES/xtables-restore-Fix-table-parameter-check.patch
new file mode 100644
index 0000000..1be5962
--- /dev/null
+++ b/SOURCES/xtables-restore-Fix-table-parameter-check.patch
@@ -0,0 +1,81 @@
+From bcf1d6cb8bd521c716ae38dd08ee52d267cfa25e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 23 Oct 2019 12:06:55 +0200
+Subject: [PATCH 1/2] xtables-restore: Fix --table parameter check
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
+Upstream Status: iptables commit 3dc433b55bbfa
+Conflicts: Downstream does not support nft-variants.
+
+commit 3dc433b55bbfaf9df3ee408aaa6282742f377864
+Author: Phil Sutter <phil@nwl.cc>
+Date: Fri Sep 20 17:31:58 2019 +0200
+
+ xtables-restore: Fix --table parameter check
+
+ Xtables-restore tries to reject rule commands in input which contain a
+ --table parameter (since it is adding this itself based on the previous
+ table line). The manual check was not perfect though as it caught any
+ parameter starting with a dash and containing a 't' somewhere, even in
+ rule comments:
+
+ | *filter
+ | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
+ | COMMIT
+
+ Instead of error-prone manual checking, go a much simpler route: All
+ do_command callbacks are passed a boolean indicating they're called from
+ *tables-restore. React upon this when handling a table parameter and
+ error out if it's not the first one.
+
+ Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
+ Signed-off-by: Phil Sutter <phil@nwl.cc>
+ Acked-by: Florian Westphal <fw@strlen.de>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/iptables.c | 4 ++++
+ iptables/xshared.c | 12 ------------
+ 2 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index dc70cc6e9b0ec..d106a18949407 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -1591,6 +1591,10 @@ int do_command4(int argc, char *argv[], char **table,
+ if (cs.invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "unexpected ! flag before --table");
++ if (restore && *table)
++ xtables_error(PARAMETER_PROBLEM,
++ "The -t option (seen in line %u) cannot be used in %s.\n",
++ line, xt_params->program_name);
+ *table = optarg;
+ break;
+
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 84dbea562576e..058b5e8b63896 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -513,18 +513,6 @@ void add_param_to_argv(char *parsestart, int line)
+ }
+
+ param_buffer[param_len] = '\0';
+-
+- /* check if table name specified */
+- if ((param_buffer[0] == '-' &&
+- param_buffer[1] != '-' &&
+- strchr(param_buffer, 't')) ||
+- (!strncmp(param_buffer, "--t", 3) &&
+- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
+- xtables_error(PARAMETER_PROBLEM,
+- "The -t option (seen in line %u) cannot be used in %s.\n",
+- line, xt_params->program_name);
+- }
+-
+ add_argv(param_buffer, 0);
+ param_len = 0;
+ }
+--
+2.23.0
+
diff --git a/SOURCES/xtables-restore-Unbreak-tables-restore.patch b/SOURCES/xtables-restore-Unbreak-tables-restore.patch
new file mode 100644
index 0000000..619c274
--- /dev/null
+++ b/SOURCES/xtables-restore-Unbreak-tables-restore.patch
@@ -0,0 +1,90 @@
+From 5b36b6fa581ca958340ab8d40be646cae249eee4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <psutter@redhat.com>
+Date: Wed, 23 Oct 2019 12:07:39 +0200
+Subject: [PATCH 2/2] xtables-restore: Unbreak *tables-restore
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
+Upstream Status: iptables commit 4e470fa347610
+Conflicts: Downstream does not support nft-variants.
+
+commit 4e470fa34761085144640fb561a9ad26b2cde382
+Author: Phil Sutter <phil@nwl.cc>
+Date: Tue Oct 22 12:25:28 2019 +0200
+
+ xtables-restore: Unbreak *tables-restore
+
+ Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
+ installed an error check which evaluated true in all cases as all
+ callers of do_command callbacks pass a pointer to a table name already.
+ Attached test case passed as it tested error condition only.
+
+ Fix the whole mess by introducing a boolean to indicate whether a table
+ parameter was seen already. Extend the test case to cover positive as
+ well as negative behaviour and to test ebtables-restore and
+ ip6tables-restore as well. Also add the required checking code to the
+ latter since the original commit missed it.
+
+ Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
+ Signed-off-by: Phil Sutter <phil@nwl.cc>
+ Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Signed-off-by: Phil Sutter <psutter@redhat.com>
+---
+ iptables/ip6tables.c | 6 ++++++
+ iptables/iptables.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index fc2fd37cfe919..42edf7a55ec6e 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -1316,6 +1316,7 @@ int do_command6(int argc, char *argv[], char **table,
+ struct xtables_rule_match *matchp;
+ struct xtables_target *t;
+ unsigned long long cnt;
++ bool table_set = false;
+
+ memset(&cs, 0, sizeof(cs));
+ cs.jumpto = "";
+@@ -1598,7 +1599,12 @@ int do_command6(int argc, char *argv[], char **table,
+ if (cs.invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "unexpected ! flag before --table");
++ if (restore && table_set)
++ xtables_error(PARAMETER_PROBLEM,
++ "The -t option (seen in line %u) cannot be used in %s.\n",
++ line, xt_params->program_name);
+ *table = optarg;
++ table_set = true;
+ break;
+
+ case 'x':
+diff --git a/iptables/iptables.c b/iptables/iptables.c
+index d106a18949407..0ad87fd98684d 100644
+--- a/iptables/iptables.c
++++ b/iptables/iptables.c
+@@ -1312,6 +1312,7 @@ int do_command4(int argc, char *argv[], char **table,
+ struct xtables_rule_match *matchp;
+ struct xtables_target *t;
+ unsigned long long cnt;
++ bool table_set = false;
+
+ memset(&cs, 0, sizeof(cs));
+ cs.jumpto = "";
+@@ -1591,11 +1592,12 @@ int do_command4(int argc, char *argv[], char **table,
+ if (cs.invert)
+ xtables_error(PARAMETER_PROBLEM,
+ "unexpected ! flag before --table");
+- if (restore && *table)
++ if (restore && table_set)
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
+ *table = optarg;
++ table_set = true;
+ break;
+
+ case 'x':
+--
+2.23.0
+
diff --git a/SPECS/iptables.spec b/SPECS/iptables.spec
index 1725e69..59c05bc 100644
--- a/SPECS/iptables.spec
+++ b/SPECS/iptables.spec
@@ -7,7 +7,7 @@
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities
Version: 1.4.21
-Release: 33%{?dist}
+Release: 34%{?dist}
Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source2: iptables-config
@@ -75,6 +75,8 @@ Patch55: extensions-Initialize-linear-mapping-of-symbols-in-_.patch
Patch56: xtables-Introduce-and-use-common-function-to-parse-v.patch
Patch57: iptables-xml-fix-segfault-if-missing-space-after-A.patch
Patch58: man-iptables-save-Add-note-about-module-autoloading.patch
+Patch59: xtables-restore-Fix-table-parameter-check.patch
+Patch60: xtables-restore-Unbreak-tables-restore.patch
Group: System Environment/Base
URL: http://www.netfilter.org/
@@ -304,6 +306,10 @@ done
%changelog
+* Wed Oct 23 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-34
+- Fix iptables-restore for rules with '-' and 't' in comments (RHBZ#1749700)
+- Make services start before network-pre.target is reached (RHBZ#1736765)
+
* Thu Apr 18 2019 Phil Sutter <psutter@redhat.com> - 1.4.21-33
- man: iptables-save: Add note about module autoloading (RHBZ#1691380)