diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a73ba6d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/kronosnet-1.21.tar.xz
diff --git a/.kronosnet.metadata b/.kronosnet.metadata
new file mode 100644
index 0000000..9fe3e2f
--- /dev/null
+++ b/.kronosnet.metadata
@@ -0,0 +1 @@
+c377962a50c474ceb3d644d05c81e568bef29bfa SOURCES/kronosnet-1.21.tar.xz
diff --git a/SOURCES/bz1954551-enable-stack-clash-protection.patch b/SOURCES/bz1954551-enable-stack-clash-protection.patch
new file mode 100644
index 0000000..d63c718
--- /dev/null
+++ b/SOURCES/bz1954551-enable-stack-clash-protection.patch
@@ -0,0 +1,58 @@
+commit e13b7c74634c511d44603a203a328f4d67920321
+Author: Christine Caulfield <ccaulfie@redhat.com>
+Date:   Mon May 10 13:00:58 2021 +0100
+
+    [build] Add -fstack-clash-protection to release builds
+    
+    CentOS Stream CI insists on this but it's generally a 'good thing'
+
+diff --git a/configure.ac b/configure.ac
+index e429dcc..020cbe1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -173,6 +173,23 @@ AC_ARG_ENABLE([libnozzle],
+ 
+ AM_CONDITIONAL([BUILD_LIBNOZZLE], [test x$enable_libnozzle = xyes])
+ 
++## local helper functions
++# this function checks if CC support options passed as
++# args. Global CPPFLAGS are ignored during this test.
++cc_supports_flag() {
++	saveCPPFLAGS="$CPPFLAGS"
++	CPPFLAGS="$@"
++	if echo $CC | grep -q clang; then
++		CPPFLAGS="-Werror $CPPFLAGS"
++	fi
++	AC_MSG_CHECKING([whether $CC supports "$@"])
++	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
++			  [RC=0; AC_MSG_RESULT([yes])],
++			  [RC=1; AC_MSG_RESULT([no])])
++	CPPFLAGS="$saveCPPFLAGS"
++	return $RC
++}
++
+ # Checks for libraries.
+ AX_PTHREAD(,[AC_MSG_ERROR([POSIX threads support is required])])
+ saved_LIBS="$LIBS"
+@@ -297,12 +314,20 @@ AC_ARG_WITH([testdir],
+ 
+ AC_SUBST([TESTDIR])
+ 
++# Check for availablility of hardening options
++HARDENING_FLAGS="-fstack-clash-protection"
++for j in $HARDENING_FLAGS; do
++    if cc_supports_flag $j; then
++       EXTRA_HARDENING_FLAGS="$EXTRA_HARDENING_FLAGS $j";
++    fi
++done
++
+ # debug build stuff
+ if test "x${enable_debug}" = xyes; then
+ 	AC_DEFINE_UNQUOTED([DEBUG], [1], [Compiling Debugging code])
+ 	OPT_CFLAGS="-O0"
+ else
+-	OPT_CFLAGS="-O3"
++	OPT_CFLAGS="-O3 $EXTRA_HARDENING_FLAGS"
+ fi
+ 
+ # gdb flags
diff --git a/SPECS/kronosnet.spec b/SPECS/kronosnet.spec
new file mode 100644
index 0000000..e707f04
--- /dev/null
+++ b/SPECS/kronosnet.spec
@@ -0,0 +1,542 @@
+###############################################################################
+###############################################################################
+##
+##  Copyright (C) 2012-2019 Red Hat, Inc.  All rights reserved.
+##
+##  This copyrighted material is made available to anyone wishing to use,
+##  modify, copy, or redistribute it subject to the terms and conditions
+##  of the GNU General Public License v.2 or higher
+##
+###############################################################################
+###############################################################################
+
+# set defaults from ./configure invocation
+%bcond_without sctp
+%bcond_without nss
+%bcond_without openssl
+%bcond_without zlib
+%bcond_without lz4
+%bcond_without lzo2
+%bcond_without lzma
+%bcond_without bzip2
+%bcond_without zstd
+%bcond_without libnozzle
+%bcond_without runautogen
+%bcond_with rpmdebuginfo
+%bcond_with overriderpmdebuginfo
+%bcond_without buildman
+%bcond_with installtests
+
+%if %{with overriderpmdebuginfo}
+%undefine _enable_debug_packages
+%endif
+
+# main (empty) package
+# http://www.rpm.org/max-rpm/s1-rpm-subpack-spec-file-changes.html
+
+Name: kronosnet
+Summary: Multipoint-to-Multipoint VPN daemon
+Version: 1.21
+Release: 4%{?dist}
+License: GPLv2+ and LGPLv2+
+URL: https://kronosnet.org
+Source0: https://kronosnet.org/releases/%{name}-%{version}.tar.xz
+
+Patch0: bz1954551-enable-stack-clash-protection.patch
+
+# Build dependencies
+BuildRequires: make
+BuildRequires: gcc libqb-devel
+# required to build man pages
+%if %{with buildman}
+BuildRequires: libxml2-devel doxygen doxygen2man
+%endif
+%if %{with sctp}
+BuildRequires: lksctp-tools-devel
+%endif
+%if %{with nss}
+BuildRequires: nss-devel
+%endif
+%if %{with openssl}
+BuildRequires: openssl-devel
+%endif
+%if %{with zlib}
+BuildRequires: zlib-devel
+%endif
+%if %{with lz4}
+BuildRequires: lz4-devel
+%endif
+%if %{with lzo2}
+BuildRequires: lzo-devel
+%endif
+%if %{with lzma}
+BuildRequires: xz-devel
+%endif
+%if %{with bzip2}
+BuildRequires: bzip2-devel
+%endif
+%if %{with zstd}
+BuildRequires: libzstd-devel
+%endif
+%if %{with libnozzle}
+BuildRequires: libnl3-devel
+%endif
+%if %{with runautogen}
+BuildRequires: autoconf automake libtool
+%endif
+
+%prep
+%setup -q -n %{name}-%{version}
+%patch0 -p1 -b .bz1954551-enable-stack-clash-protection
+
+%build
+%if %{with runautogen}
+./autogen.sh
+%endif
+
+%{configure} \
+%if %{with installtests}
+	--enable-install-tests \
+%else
+	--disable-install-tests \
+%endif
+%if %{with buildman}
+	--enable-man \
+%else
+	--disable-man \
+%endif
+%if %{with sctp}
+	--enable-libknet-sctp \
+%else
+	--disable-libknet-sctp \
+%endif
+%if %{with nss}
+	--enable-crypto-nss \
+%else
+	--disable-crypto-nss \
+%endif
+%if %{with openssl}
+	--enable-crypto-openssl \
+%else
+	--disable-crypto-openssl \
+%endif
+%if %{with zlib}
+	--enable-compress-zlib \
+%else
+	--disable-compress-zlib \
+%endif
+%if %{with lz4}
+	--enable-compress-lz4 \
+%else
+	--disable-compress-lz4 \
+%endif
+%if %{with lzo2}
+	--enable-compress-lzo2 \
+%else
+	--disable-compress-lzo2 \
+%endif
+%if %{with lzma}
+	--enable-compress-lzma \
+%else
+	--disable-compress-lzma \
+%endif
+%if %{with bzip2}
+	--enable-compress-bzip2 \
+%else
+	--disable-compress-bzip2 \
+%endif
+%if %{with zstd}
+	--enable-compress-zstd \
+%else
+	--disable-compress-zstd \
+%endif
+%if %{with libnozzle}
+	--enable-libnozzle \
+%else
+	--disable-libnozzle \
+%endif
+	--with-initdefaultdir=%{_sysconfdir}/sysconfig/ \
+	--with-systemddir=%{_unitdir}
+
+make %{_smp_mflags}
+
+%install
+rm -rf %{buildroot}
+make install DESTDIR=%{buildroot}
+
+# tree cleanup
+# remove static libraries
+find %{buildroot} -name "*.a" -exec rm {} \;
+# remove libtools leftovers
+find %{buildroot} -name "*.la" -exec rm {} \;
+
+# remove init scripts
+rm -rf %{buildroot}/etc/init.d
+
+# remove docs
+rm -rf %{buildroot}/usr/share/doc/kronosnet
+
+# main empty package
+%description
+ The kronosnet source
+
+%if %{with libnozzle}
+%package -n libnozzle1
+Summary: Simple userland wrapper around kernel tap devices
+License: LGPLv2+
+
+%description -n libnozzle1
+ This is an over-engineered commodity library to manage a pool
+ of tap devices and provides the basic
+ pre-up.d/up.d/down.d/post-down.d infrastructure.
+
+%files -n libnozzle1
+%license COPYING.* COPYRIGHT
+%{_libdir}/libnozzle.so.*
+
+%if 0%{?ldconfig_scriptlets}
+%ldconfig_scriptlets -n libnozzle1
+%else
+%post -n libnozzle1 -p /sbin/ldconfig
+%postun -n libnozzle1 -p /sbin/ldconfig
+%endif
+
+%package -n libnozzle1-devel
+Summary: Simple userland wrapper around kernel tap devices (developer files)
+License: LGPLv2+
+Requires: libnozzle1%{_isa} = %{version}-%{release}
+Requires: pkgconfig
+
+%description -n libnozzle1-devel
+ This is an over-engineered commodity library to manage a pool
+ of tap devices and provides the basic
+ pre-up.d/up.d/down.d/post-down.d infrastructure.
+
+%files -n libnozzle1-devel
+%license COPYING.* COPYRIGHT
+%{_libdir}/libnozzle.so
+%{_includedir}/libnozzle.h
+%{_libdir}/pkgconfig/libnozzle.pc
+%if %{with buildman}
+%{_mandir}/man3/nozzle*.3.gz
+%endif
+%endif
+
+%package -n libknet1
+Summary: Kronosnet core switching implementation
+License: LGPLv2+
+
+%description -n libknet1
+ The whole kronosnet core is implemented in this library.
+ Please refer to the not-yet-existing documentation for further
+ information.
+
+%files -n libknet1
+%license COPYING.* COPYRIGHT
+%{_libdir}/libknet.so.*
+%dir %{_libdir}/kronosnet
+
+%if 0%{?ldconfig_scriptlets}
+%ldconfig_scriptlets -n libknet1
+%else
+%post -n libknet1 -p /sbin/ldconfig
+%postun -n libknet1 -p /sbin/ldconfig
+%endif
+
+%package -n libknet1-devel
+Summary: Kronosnet core switching implementation (developer files)
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+Requires: pkgconfig
+
+%description -n libknet1-devel
+ The whole kronosnet core is implemented in this library.
+ Please refer to the not-yet-existing documentation for further
+ information. 
+
+%files -n libknet1-devel
+%license COPYING.* COPYRIGHT
+%{_libdir}/libknet.so
+%{_includedir}/libknet.h
+%{_libdir}/pkgconfig/libknet.pc
+%if %{with buildman}
+%{_mandir}/man3/knet*.3.gz
+%endif
+
+%if %{with nss}
+%package -n libknet1-crypto-nss-plugin
+Summary: Provides libknet1 nss support
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n libknet1-crypto-nss-plugin
+ Provides NSS crypto support for libknet1.
+
+%files -n libknet1-crypto-nss-plugin
+%{_libdir}/kronosnet/crypto_nss.so
+%endif
+
+%if %{with openssl}
+%package -n libknet1-crypto-openssl-plugin
+Summary: Provides libknet1 openssl support
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n libknet1-crypto-openssl-plugin
+ Provides OpenSSL crypto support for libknet1.
+
+%files -n libknet1-crypto-openssl-plugin
+%{_libdir}/kronosnet/crypto_openssl.so
+%endif
+
+%if %{with zlib}
+%package -n libknet1-compress-zlib-plugin
+Summary: Provides libknet1 zlib support
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n libknet1-compress-zlib-plugin
+ Provides zlib compression support for libknet1.
+
+%files -n libknet1-compress-zlib-plugin
+%{_libdir}/kronosnet/compress_zlib.so
+%endif
+
+%if %{with lz4}
+%package -n libknet1-compress-lz4-plugin
+Summary: Provides libknet1 lz4 and lz4hc support
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n libknet1-compress-lz4-plugin
+ Provides lz4 and lz4hc compression support for libknet1.
+
+%files -n libknet1-compress-lz4-plugin
+%{_libdir}/kronosnet/compress_lz4.so
+%{_libdir}/kronosnet/compress_lz4hc.so
+%endif
+
+%if %{with lzo2}
+%package -n libknet1-compress-lzo2-plugin
+Summary: Provides libknet1 lzo2 support
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n libknet1-compress-lzo2-plugin
+ Provides lzo2 compression support for libknet1.
+
+%files -n libknet1-compress-lzo2-plugin
+%{_libdir}/kronosnet/compress_lzo2.so
+%endif
+
+%if %{with lzma}
+%package -n libknet1-compress-lzma-plugin
+Summary: Provides libknet1 lzma support
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n libknet1-compress-lzma-plugin
+ Provides lzma compression support for libknet1.
+
+%files -n libknet1-compress-lzma-plugin
+%{_libdir}/kronosnet/compress_lzma.so
+%endif
+
+%if %{with bzip2}
+%package -n libknet1-compress-bzip2-plugin
+Summary: Provides libknet1 bzip2 support
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n libknet1-compress-bzip2-plugin
+ Provides bzip2 compression support for libknet1.
+
+%files -n libknet1-compress-bzip2-plugin
+%{_libdir}/kronosnet/compress_bzip2.so
+%endif
+
+%if %{with zstd}
+%package -n libknet1-compress-zstd-plugin
+Summary: Provides libknet1 zstd support
+License: LGPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n libknet1-compress-zstd-plugin
+ Provides zstd compression support for libknet1.
+
+%files -n libknet1-compress-zstd-plugin
+%{_libdir}/kronosnet/compress_zstd.so
+%endif
+
+%package -n libknet1-crypto-plugins-all
+Summary: Provides libknet1 crypto plugins meta package
+License: LGPLv2+
+%if %{with nss}
+Requires: libknet1-crypto-nss-plugin%{_isa} = %{version}-%{release}
+%endif
+%if %{with openssl}
+Requires: libknet1-crypto-openssl-plugin%{_isa} = %{version}-%{release}
+%endif
+
+%description -n libknet1-crypto-plugins-all
+ Provides meta package to install all of libknet1 crypto plugins
+
+%files -n libknet1-crypto-plugins-all
+
+%package -n libknet1-compress-plugins-all
+Summary: Provides libknet1 compress plugins meta package
+License: LGPLv2+
+%if %{with zlib}
+Requires: libknet1-compress-zlib-plugin%{_isa} = %{version}-%{release}
+%endif
+%if %{with lz4}
+Requires: libknet1-compress-lz4-plugin%{_isa} = %{version}-%{release}
+%endif
+%if %{with lzo2}
+Requires: libknet1-compress-lzo2-plugin%{_isa} = %{version}-%{release}
+%endif
+%if %{with lzma}
+Requires: libknet1-compress-lzma-plugin%{_isa} = %{version}-%{release}
+%endif
+%if %{with bzip2}
+Requires: libknet1-compress-bzip2-plugin%{_isa} = %{version}-%{release}
+%endif
+%if %{with zstd}
+Requires: libknet1-compress-zstd-plugin%{_isa} = %{version}-%{release}
+%endif
+
+%description -n libknet1-compress-plugins-all
+ Meta package to install all of libknet1 compress plugins
+
+%files -n libknet1-compress-plugins-all
+
+%package -n libknet1-plugins-all
+Summary: Provides libknet1 plugins meta package
+License: LGPLv2+
+Requires: libknet1-compress-plugins-all%{_isa} = %{version}-%{release}
+Requires: libknet1-crypto-plugins-all%{_isa} = %{version}-%{release}
+
+%description -n libknet1-plugins-all
+ Meta package to install all of libknet1 plugins
+
+%files -n libknet1-plugins-all
+
+%if %{with installtests}
+%package -n kronosnet-tests
+Summary: Provides kronosnet test suite
+License: GPLv2+
+Requires: libknet1%{_isa} = %{version}-%{release}
+
+%description -n kronosnet-tests
+ This package contains all the libknet and libnozzle test suite.
+
+%files -n kronosnet-tests
+%{_libdir}/kronosnet/tests/*
+%endif
+
+%if %{with rpmdebuginfo}
+%debug_package
+%endif
+
+%changelog
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.21-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Florian Weimer <fweimer@redhat.com> - 1.21-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Thu May 13 2021 Christine Caulfield <ccaulfie@redhat.com> - 1.21-2
+- add -fstack-clash-protection to the build. For the CI
+  Resolves: rhbz#1954551
+
+* Wed Apr 28 2021 Christine Caulfield <ccaulfie@redhat.com> - 1.21-1
+- Rebase to 1.21 to incorporate fixes for CI complaints & openssl3
+  Resolves: rhbz#1954551
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.20-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.20-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Oct 19 2020 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.20-1
+- New upstream release
+- Fix TX/RX stats collections
+- Minor test suite improvements
+- Minor build fixes
+
+* Mon Aug 17 2020 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.19-1
+- New upstream release
+- Add native support for openssl 3.0 (drop API COMPAT macros).
+- Code cleanup of public APIs. Lots of lines of code moved around, no
+  functional changes.
+- Removed kronosnetd unsupported code completely
+- Removed unused poc-code from the source tree
+- Make sure to initialize epoll events structures
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.18-1
+- New upstream release
+- Add ability to change crypto configuration at runtime without
+  restarting knet and without packet drop
+- Add compatibility support for openssl 3.0
+- Add functional testing framework and new test cases
+- Minor build fixes
+- Fix BuildRequires to use libqb doxygen2man vs internal copy
+
+* Thu Apr 23 2020 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.16-1
+- New upstream release
+- Fix major issues with SCTP transport
+- Fix build with recent gcc
+- Minor bug fixes
+- Update BuildRequires now that libqb is used unconditionally
+
+* Wed Mar 04 2020 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.15-1
+- New upstream release
+- Fix major interaction issues between stats gathering and PMTUd
+- Fix UDP socket options that could lead to knet not being properly
+  functional
+- Man pages updates
+- Minor bug fixes
+
+* Fri Jan 31 2020 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.14-1
+- New upstream release
+- Fixes several major issues with newer kernels
+- Fix build with gcc10
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Oct 16 2019 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.13-1
+- New upstream release
+- Fixes more memory corruption problems on unstable networks.
+
+* Fri Sep 20 2019 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.12-1
+- New upstream release
+- Fixes memory corruption problem on unstable networks.
+
+* Wed Aug 21 2019 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.11-1
+- New upstream release
+- Fixes major issues with PMTUd implementation when used in combination with
+  crypto.
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Jun 12 2019 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.10-1
+- New upstream release
+- fix URL in spec file (rhbz#1708616)
+
+* Thu May 09 2019 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.9-1
+- New upstream release
+
+* Wed May 08 2019 Fabio M. Di Nitto <fdinitto@redhat.com> - 1.8-2
+- Fix ldconfig scriptlet (Resolves rhbz#1699074)
+- Cleanup .gitignore (Resolves rhbz#1699093)
+
+* Wed Apr 03 2019 Madison Kelly <mkelly@alteeve.ca> - 1.8-1
+- Updated to upstream release v1.8.