iptables-1.8.9-4

- Backport fixes from upstream

0001-extensions-NAT-Fix-for-Werror-format-security.patch

@@ -1,12 +1,13 @@
-From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
+From ff8eacec604537d98eb912281fa0c5c6a83da717 Mon Sep 17 00:00:00 2001
 From: Phil Sutter <phil@nwl.cc>
 Date: Thu, 12 Jan 2023 14:38:44 +0100
-Subject: [iptables PATCH] extensions: NAT: Fix for -Werror=format-security
+Subject: [PATCH] extensions: NAT: Fix for -Werror=format-security
 
 Have to pass either a string literal or format string to xt_xlate_add().
 
 Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
 Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit ed4082a7405a5838c205a34c1559e289949200cc)
 ---
  extensions/libxt_NAT.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
@@ -25,5 +26,5 @@ index da9f22012c5d6..2a6343986d54f 100644
  		xt_xlate_add(xl, " to %s", range_str);
  	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
 -- 
-2.38.0
+2.40.0
 

0002-etc-Drop-xtables.conf.patch

@@ -0,0 +1,132 @@
+From 55f3f1743934efa33df1ecbe11b31362fc45b03c Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 17 Jan 2023 16:38:43 +0100
+Subject: [PATCH] etc: Drop xtables.conf
+
+The file is not used since the commit this one fixes. Also it wasn't
+installed until recently, when commit 3822a992bc277 ("Makefile: Fix for
+'make distcheck'") added it in the wrong spot in an attempt to reduce
+differences between tarballs generated by 'make tarball' and 'make
+dist'.
+
+While being at it, drop stale xtables_config_main() prototype from
+xtables-multi.h.
+
+Fixes: 06fd5e46d46f7 ("xtables: Drop support for /etc/xtables.conf")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit ca8fb6c21b298b3d96db2bfbf9c74d393bdd4728)
+---
+ Makefile.am              |  2 +-
+ etc/xtables.conf         | 74 ----------------------------------------
+ iptables/xtables-multi.h |  1 -
+ 3 files changed, 1 insertion(+), 76 deletions(-)
+ delete mode 100644 etc/xtables.conf
+
+diff --git a/Makefile.am b/Makefile.am
+index 451c3cb2d5887..299ab46d7b8e2 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -20,7 +20,7 @@ EXTRA_DIST	= autogen.sh iptables-test.py xlate-test.py
+ 
+ if ENABLE_NFTABLES
+ confdir		= $(sysconfdir)
+-dist_conf_DATA	= etc/ethertypes etc/xtables.conf
++dist_conf_DATA	= etc/ethertypes
+ endif
+ 
+ .PHONY: tarball
+diff --git a/etc/xtables.conf b/etc/xtables.conf
+deleted file mode 100644
+index 3c54ced043d82..0000000000000
+--- a/etc/xtables.conf
++++ /dev/null
+@@ -1,74 +0,0 @@
+-family ipv4 {
+-	table raw {
+-		chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
+-	}
+-
+-	table mangle {
+-		chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+-		chain INPUT hook NF_INET_LOCAL_IN prio -150
+-		chain FORWARD hook NF_INET_FORWARD prio -150
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+-		chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
+-	}
+-
+-	table filter {
+-		chain INPUT hook NF_INET_LOCAL_IN prio 0
+-		chain FORWARD hook NF_INET_FORWARD prio 0
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
+-	}
+-
+-	table nat {
+-		chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+-		chain INPUT hook NF_INET_LOCAL_IN prio 100
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio -100
+-		chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+-	}
+-
+-	table security {
+-		chain INPUT hook NF_INET_LOCAL_IN prio 50
+-		chain FORWARD hook NF_INET_FORWARD prio 50
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio 50
+-	}
+-}
+-
+-family ipv6 {
+-	table raw {
+-		chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
+-	}
+-
+-	table mangle {
+-		chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+-		chain INPUT hook NF_INET_LOCAL_IN prio -150
+-		chain FORWARD hook NF_INET_FORWARD prio -150
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+-		chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
+-	}
+-
+-	table filter {
+-		chain INPUT hook NF_INET_LOCAL_IN prio 0
+-		chain FORWARD hook NF_INET_FORWARD prio 0
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
+-	}
+-
+-	table nat {
+-		chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+-		chain INPUT hook NF_INET_LOCAL_IN prio 100
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio -100
+-		chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+-	}
+-
+-	table security {
+-		chain INPUT hook NF_INET_LOCAL_IN prio 50
+-		chain FORWARD hook NF_INET_FORWARD prio 50
+-		chain OUTPUT hook NF_INET_LOCAL_OUT prio 50
+-	}
+-}
+-
+-family arp {
+-	table filter {
+-		chain INPUT hook NF_ARP_IN prio 0
+-		chain OUTPUT hook NF_ARP_OUT prio 0
+-	}
+-}
+diff --git a/iptables/xtables-multi.h b/iptables/xtables-multi.h
+index 94c24d5a22c7e..833c11a2ac914 100644
+--- a/iptables/xtables-multi.h
++++ b/iptables/xtables-multi.h
+@@ -20,7 +20,6 @@ extern int xtables_arp_save_main(int, char **);
+ extern int xtables_eb_main(int, char **);
+ extern int xtables_eb_restore_main(int, char **);
+ extern int xtables_eb_save_main(int, char **);
+-extern int xtables_config_main(int, char **);
+ extern int xtables_monitor_main(int, char **);
+ 
+ extern struct xtables_globals arptables_globals;
+-- 
+2.40.0
+

0003-Proper-fix-for-unknown-argument-error-message.patch

@@ -0,0 +1,148 @@
+From 01c76718d85985625ef53fb6b554bd44742ae6ef Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 25 Jan 2023 01:51:43 +0100
+Subject: [PATCH] Proper fix for "unknown argument" error message
+
+While commit 1b8210f848631 kind of fixed the corner-case of invalid
+short-options packed with others, it broke error reporting for
+long-options. Revert it and deploy a proper solution:
+
+When passing an invalid short-option, e.g. 'iptables -vaL', getopt_long
+sets the variable 'optopt' to the invalid character's value. Use it for
+reporting instead of optind if set.
+
+To distinguish between invalid options and missing option arguments,
+ebtables-translate optstring needs adjustment.
+
+Fixes: 1b8210f848631 ("ebtables: Fix error message for invalid parameters")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit d6eb6a9fd3878ce4fa01f8d4127f1735988bd07b)
+---
+ .../testcases/iptables/0009-unknown-arg_0     | 31 +++++++++++++++++++
+ iptables/xshared.c                            |  9 ++++--
+ iptables/xtables-eb-translate.c               |  8 ++---
+ iptables/xtables-eb.c                         | 17 ++++++----
+ 4 files changed, 50 insertions(+), 15 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
+
+diff --git a/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
+new file mode 100755
+index 0000000000000..ac6e743966196
+--- /dev/null
++++ b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
+@@ -0,0 +1,31 @@
++#!/bin/bash
++
++rc=0
++
++check() {
++	local cmd="$1"
++	local msg="$2"
++
++	$XT_MULTI $cmd 2>&1 | grep -q "$msg" || {
++		echo "cmd: $XT_MULTI $1"
++		echo "exp: $msg"
++		echo "res: $($XT_MULTI $cmd 2>&1)"
++		rc=1
++	}
++}
++
++cmds="iptables ip6tables"
++[[ $XT_MULTI == *xtables-nft-multi ]] && {
++	cmds+=" ebtables"
++	cmds+=" iptables-translate"
++	cmds+=" ip6tables-translate"
++	cmds+=" ebtables-translate"
++}
++
++for cmd in $cmds; do
++	check "${cmd} --foo" 'unknown option "--foo"'
++	check "${cmd} -A" 'option "-A" requires an argument'
++	check "${cmd} -aL" 'unknown option "-a"'
++done
++
++exit $rc
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index f93529b11a319..ac51fac5ce9ed 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -192,9 +192,12 @@ static int command_default(struct iptables_command_state *cs,
+ 	if (cs->c == ':')
+ 		xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+ 		              "requires an argument", cs->argv[optind-1]);
+-	if (cs->c == '?')
+-		xtables_error(PARAMETER_PROBLEM, "unknown option "
+-			      "\"%s\"", cs->argv[optind-1]);
++	if (cs->c == '?') {
++		char optoptstr[3] = {'-', optopt, '\0'};
++
++		xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"",
++			      optopt ? optoptstr : cs->argv[optind - 1]);
++	}
+ 	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
+ }
+ 
+diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
+index 13b6b864a5f24..0c35272051752 100644
+--- a/iptables/xtables-eb-translate.c
++++ b/iptables/xtables-eb-translate.c
+@@ -201,7 +201,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
+ 	printf("nft ");
+ 	/* Getopt saves the day */
+ 	while ((c = getopt_long(argc, argv,
+-	   "-A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
++	   "-:A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
+ 		cs.c = c;
+ 		switch (c) {
+ 		case 'A': /* Add a rule */
+@@ -491,11 +491,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
+ 			continue;
+ 		default:
+ 			ebt_check_inverse2(optarg, argc, argv);
+-
+-			if (ebt_command_default(&cs))
+-				xtables_error(PARAMETER_PROBLEM,
+-					      "Unknown argument: '%s'",
+-					      argv[optind - 1]);
++			ebt_command_default(&cs);
+ 
+ 			if (command != 'A' && command != 'I' &&
+ 			    command != 'D')
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 7214a767ffe96..412b5cccdc46a 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -640,7 +640,16 @@ int ebt_command_default(struct iptables_command_state *cs)
+ 			return 0;
+ 		}
+ 	}
+-	return 1;
++	if (cs->c == ':')
++		xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
++		              "requires an argument", cs->argv[optind - 1]);
++	if (cs->c == '?') {
++		char optoptstr[3] = {'-', optopt, '\0'};
++
++		xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"",
++			      optopt ? optoptstr : cs->argv[optind - 1]);
++	}
++	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
+ }
+ 
+ int nft_init_eb(struct nft_handle *h, const char *pname)
+@@ -1084,11 +1093,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
+ 			continue;
+ 		default:
+ 			ebt_check_inverse2(optarg, argc, argv);
+-
+-			if (ebt_command_default(&cs))
+-				xtables_error(PARAMETER_PROBLEM,
+-					      "Unknown argument: '%s'",
+-					      argv[optind]);
++			ebt_command_default(&cs);
+ 
+ 			if (command != 'A' && command != 'I' &&
+ 			    command != 'D' && command != 'C' && command != 14)
+-- 
+2.40.0
+

0004-ebtables-Refuse-unselected-targets-options.patch

@@ -0,0 +1,232 @@
+From a53dfa149429c49789947e61c325f9a11e9a83d3 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 25 Jan 2023 02:01:56 +0100
+Subject: [PATCH] ebtables: Refuse unselected targets' options
+
+Unlike legacy, ebtables-nft would allow e.g.:
+
+| -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be
+
+While the result is correct, it may mislead users into believing
+multiple targets are possible per rule. Better follow legacy's behaviour
+and reject target options unless they have been "enabled" by a previous
+'-j' option.
+
+To achieve this, one needs to distinguish targets from watchers also
+attached to 'xtables_targets' and otherwise behaving like regular
+matches. Introduce XTABLES_EXT_WATCHER to mark the two.
+
+The above works already, but error messages are misleading when using
+the now unsupported syntax since target options have been merged
+already. Solve this by not pre-loading the targets at all, code will
+just fall back to loading ad '-j' parsing time as iptables does.
+
+Note how this also fixes for 'counter' statement being in wrong position
+of ebtables-translate output.
+
+Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 27d37863a486352511dac385bde8f3d20526be5b)
+---
+ extensions/libebt_dnat.txlate                 | 12 ++++----
+ extensions/libebt_log.c                       |  1 +
+ extensions/libebt_mark.txlate                 | 16 +++++-----
+ extensions/libebt_nflog.c                     |  1 +
+ extensions/libebt_snat.txlate                 |  8 ++---
+ include/xtables.h                             |  1 +
+ .../ebtables/0002-ebtables-save-restore_0     |  4 +--
+ iptables/xtables-eb.c                         | 29 +++++++------------
+ 8 files changed, 33 insertions(+), 39 deletions(-)
+
+diff --git a/extensions/libebt_dnat.txlate b/extensions/libebt_dnat.txlate
+index 9f305c76c954f..531a22aa3e14f 100644
+--- a/extensions/libebt_dnat.txlate
++++ b/extensions/libebt_dnat.txlate
+@@ -1,8 +1,8 @@
+-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff
+-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter'
++ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff
++nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept'
+ 
+-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
+-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter'
++ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
++nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept'
+ 
+-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
+-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter'
++ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
++nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff continue'
+diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c
+index 045062196d20d..9f8d158956802 100644
+--- a/extensions/libebt_log.c
++++ b/extensions/libebt_log.c
+@@ -197,6 +197,7 @@ static int brlog_xlate(struct xt_xlate *xl,
+ static struct xtables_target brlog_target = {
+ 	.name		= "log",
+ 	.revision	= 0,
++	.ext_flags	= XTABLES_EXT_WATCHER,
+ 	.version	= XTABLES_VERSION,
+ 	.family		= NFPROTO_BRIDGE,
+ 	.size		= XT_ALIGN(sizeof(struct ebt_log_info)),
+diff --git a/extensions/libebt_mark.txlate b/extensions/libebt_mark.txlate
+index d006e8ac94008..4ace1a1f5cfde 100644
+--- a/extensions/libebt_mark.txlate
++++ b/extensions/libebt_mark.txlate
+@@ -1,11 +1,11 @@
+-ebtables-translate -A INPUT --mark-set 42
+-nft 'add rule bridge filter INPUT meta mark set 0x2a accept counter'
++ebtables-translate -A INPUT -j mark --mark-set 42
++nft 'add rule bridge filter INPUT counter meta mark set 0x2a accept'
+ 
+-ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN
+-nft 'add rule bridge filter INPUT meta mark set meta mark or 0x2a return counter'
++ebtables-translate -A INPUT -j mark --mark-or 42 --mark-target RETURN
++nft 'add rule bridge filter INPUT counter meta mark set meta mark or 0x2a return'
+ 
+-ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT
+-nft 'add rule bridge filter INPUT meta mark set meta mark and 0x2a accept counter'
++ebtables-translate -A INPUT -j mark --mark-and 42 --mark-target ACCEPT
++nft 'add rule bridge filter INPUT counter meta mark set meta mark and 0x2a accept'
+ 
+-ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP
+-nft 'add rule bridge filter INPUT meta mark set meta mark xor 0x2a drop counter'
++ebtables-translate -A INPUT -j mark --mark-xor 42 --mark-target DROP
++nft 'add rule bridge filter INPUT counter meta mark set meta mark xor 0x2a drop'
+diff --git a/extensions/libebt_nflog.c b/extensions/libebt_nflog.c
+index 115e15da45845..762d6d5d8bbe2 100644
+--- a/extensions/libebt_nflog.c
++++ b/extensions/libebt_nflog.c
+@@ -146,6 +146,7 @@ static int brnflog_xlate(struct xt_xlate *xl,
+ static struct xtables_target brnflog_watcher = {
+ 	.name		= "nflog",
+ 	.revision	= 0,
++	.ext_flags	= XTABLES_EXT_WATCHER,
+ 	.version	= XTABLES_VERSION,
+ 	.family		= NFPROTO_BRIDGE,
+ 	.size		= XT_ALIGN(sizeof(struct ebt_nflog_info)),
+diff --git a/extensions/libebt_snat.txlate b/extensions/libebt_snat.txlate
+index 857a6052aed1a..37343d3a14754 100644
+--- a/extensions/libebt_snat.txlate
++++ b/extensions/libebt_snat.txlate
+@@ -1,5 +1,5 @@
+-ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ --to-source de:ad:00:be:ee:ff
+-nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 ether saddr set de:ad:0:be:ee:ff accept counter'
++ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ -j snat --to-source de:ad:00:be:ee:ff
++nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 counter ether saddr set de:ad:0:be:ee:ff accept'
+ 
+-ebtables-translate -t nat -A POSTROUTING -o someport --to-src de:ad:00:be:ee:ff --snat-target CONTINUE
+-nft 'add rule bridge nat POSTROUTING oifname "someport" ether saddr set de:ad:0:be:ee:ff continue counter'
++ebtables-translate -t nat -A POSTROUTING -o someport -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE
++nft 'add rule bridge nat POSTROUTING oifname "someport" counter ether saddr set de:ad:0:be:ee:ff continue'
+diff --git a/include/xtables.h b/include/xtables.h
+index 4ffc8ec5a17e9..087a1d600f9ae 100644
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -203,6 +203,7 @@ struct xtables_lmap {
+ 
+ enum xtables_ext_flags {
+ 	XTABLES_EXT_ALIAS = 1 << 0,
++	XTABLES_EXT_WATCHER = 1 << 1,
+ };
+ 
+ struct xt_xlate;
+diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
+index 1091a4e80bebe..b4f9728bb9b6f 100755
+--- a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
++++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
+@@ -38,7 +38,7 @@ $XT_MULTI ebtables -A foo -p IPv6 --ip6-proto tcp -j ACCEPT
+ 
+ $XT_MULTI ebtables -A foo --limit 100 --limit-burst 42 -j ACCEPT
+ $XT_MULTI ebtables -A foo --log
+-$XT_MULTI ebtables -A foo --mark-set 0x23 --mark-target ACCEPT
++$XT_MULTI ebtables -A foo -j mark --mark-set 0x23 --mark-target ACCEPT
+ $XT_MULTI ebtables -A foo --nflog
+ $XT_MULTI ebtables -A foo --pkttype-type multicast -j ACCEPT
+ $XT_MULTI ebtables -A foo --stp-type config -j ACCEPT
+@@ -53,7 +53,7 @@ $XT_MULTI ebtables -A FORWARD -j foo
+ $XT_MULTI ebtables -N bar
+ $XT_MULTI ebtables -P bar RETURN
+ 
+-$XT_MULTI ebtables -t nat -A PREROUTING --redirect-target ACCEPT
++$XT_MULTI ebtables -t nat -A PREROUTING -j redirect --redirect-target ACCEPT
+ #$XT_MULTI ebtables -t nat -A PREROUTING --to-src fe:ed:ba:be:00:01
+ 
+ $XT_MULTI ebtables -t nat -A OUTPUT -j ACCEPT
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 412b5cccdc46a..3a73e79725489 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -468,14 +468,14 @@ static void ebt_load_match(const char *name)
+ 		xtables_error(OTHER_PROBLEM, "Can't alloc memory");
+ }
+ 
+-static void __ebt_load_watcher(const char *name, const char *typename)
++static void ebt_load_watcher(const char *name)
+ {
+ 	struct xtables_target *watcher;
+ 	size_t size;
+ 
+ 	watcher = xtables_find_target(name, XTF_TRY_LOAD);
+ 	if (!watcher) {
+-		fprintf(stderr, "Unable to load %s %s\n", name, typename);
++		fprintf(stderr, "Unable to load %s watcher\n", name);
+ 		return;
+ 	}
+ 
+@@ -496,16 +496,6 @@ static void __ebt_load_watcher(const char *name, const char *typename)
+ 		xtables_error(OTHER_PROBLEM, "Can't alloc memory");
+ }
+ 
+-static void ebt_load_watcher(const char *name)
+-{
+-	return __ebt_load_watcher(name, "watcher");
+-}
+-
+-static void ebt_load_target(const char *name)
+-{
+-	return __ebt_load_watcher(name, "target");
+-}
+-
+ void ebt_load_match_extensions(void)
+ {
+ 	opts = ebt_original_options;
+@@ -522,13 +512,6 @@ void ebt_load_match_extensions(void)
+ 
+ 	ebt_load_watcher("log");
+ 	ebt_load_watcher("nflog");
+-
+-	ebt_load_target("mark");
+-	ebt_load_target("dnat");
+-	ebt_load_target("snat");
+-	ebt_load_target("arpreply");
+-	ebt_load_target("redirect");
+-	ebt_load_target("standard");
+ }
+ 
+ void ebt_add_match(struct xtables_match *m,
+@@ -633,6 +616,9 @@ int ebt_command_default(struct iptables_command_state *cs)
+ 
+ 	/* Is it a watcher option? */
+ 	for (t = xtables_targets; t; t = t->next) {
++		if (!(t->ext_flags & XTABLES_EXT_WATCHER))
++			continue;
++
+ 		if (t->parse &&
+ 		    t->parse(cs->c - t->option_offset, cs->argv,
+ 			     ebt_invert, &t->tflags, NULL, &t->t)) {
+@@ -726,6 +712,11 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
+ 	optind = 0;
+ 	opterr = false;
+ 
++	for (t = xtables_targets; t; t = t->next) {
++		t->tflags = 0;
++		t->used = 0;
++	}
++
+ 	/* Getopt saves the day */
+ 	while ((c = getopt_long(argc, argv, EBT_OPTSTRING,
+ 					opts, NULL)) != -1) {
+-- 
+2.40.0
+

0005-tests-xlate-Properly-split-input-in-replay-mode.patch

@@ -0,0 +1,31 @@
+From bb7f92a40360b49535dd3675f47cf989755a4978 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 3 Feb 2023 18:48:33 +0100
+Subject: [PATCH] tests: xlate: Properly split input in replay mode
+
+Source command may contain quotes, using shlex.split() does the right
+thing there.
+
+Fixes: 7705b2daa3bdc ("tests: xlate: Use --check to verify replay")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 914350a4586d2817ca7c4919c53142562f27bdaf)
+---
+ xlate-test.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xlate-test.py b/xlate-test.py
+index 4cb1401b71677..217d2f0062682 100755
+--- a/xlate-test.py
++++ b/xlate-test.py
+@@ -64,7 +64,7 @@ xtables_nft_multi = 'xtables-nft-multi'
+     if sourceline.find(';') >= 0:
+         sourceline, searchline = sourceline.split(';')
+ 
+-    srcwords = sourceline.split()
++    srcwords = shlex.split(sourceline)
+ 
+     srccmd = srcwords[0]
+     ipt = srccmd.split('-')[0]
+-- 
+2.40.0
+

0006-extensions-libebt_redirect-Fix-target-translation.patch

@@ -0,0 +1,48 @@
+From 75d208e729b3256fdbbf31709215d30064389d47 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 31 Jan 2023 22:28:24 +0100
+Subject: [PATCH] extensions: libebt_redirect: Fix target translation
+
+While EBT_ACCEPT is the default verdict for ebtables targets, omitting
+it from translation implicitly converts it into 'continue'. Omit the
+non-default EBT_CONTINUE instead.
+
+Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit bb6b243c481f90f7dc4a0bd89187ee2bb823f1f6)
+---
+ extensions/libebt_redirect.c      | 2 +-
+ extensions/libebt_redirect.txlate | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+ create mode 100644 extensions/libebt_redirect.txlate
+
+diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
+index 4d4c7a02cea89..389f3ccb53f60 100644
+--- a/extensions/libebt_redirect.c
++++ b/extensions/libebt_redirect.c
+@@ -84,7 +84,7 @@ static int brredir_xlate(struct xt_xlate *xl,
+ 	const struct ebt_redirect_info *red = (const void*)params->target->data;
+ 
+ 	xt_xlate_add(xl, "meta set pkttype host");
+-	if (red->target != EBT_ACCEPT)
++	if (red->target != EBT_CONTINUE)
+ 		xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
+ 	return 1;
+ }
+diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate
+new file mode 100644
+index 0000000000000..f0dd5deaf6406
+--- /dev/null
++++ b/extensions/libebt_redirect.txlate
+@@ -0,0 +1,8 @@
++ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host accept'
++
++ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN
++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host return'
++
++ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE
++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host'
+-- 
+2.40.0
+

0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch

@@ -0,0 +1,48 @@
+From 345fb0551048b4b3c9f3f0a136c952a4ae5bf262 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 31 Jan 2023 23:32:50 +0100
+Subject: [PATCH] extensions: libebt_redirect: Fix for wrong syntax in
+ translation
+
+Meta key comes before 'set' in meta statement.
+
+Fixes: 24ce7465056ae ("ebtables-compat: add redirect match extension")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 6d1263002c2a9fc6dfa59c764dee767a084d428d)
+---
+ extensions/libebt_redirect.c      | 2 +-
+ extensions/libebt_redirect.txlate | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libebt_redirect.c b/extensions/libebt_redirect.c
+index 389f3ccb53f60..7821935e137aa 100644
+--- a/extensions/libebt_redirect.c
++++ b/extensions/libebt_redirect.c
+@@ -83,7 +83,7 @@ static int brredir_xlate(struct xt_xlate *xl,
+ {
+ 	const struct ebt_redirect_info *red = (const void*)params->target->data;
+ 
+-	xt_xlate_add(xl, "meta set pkttype host");
++	xt_xlate_add(xl, "meta pkttype set host");
+ 	if (red->target != EBT_CONTINUE)
+ 		xt_xlate_add(xl, " %s ", brredir_verdict(red->target));
+ 	return 1;
+diff --git a/extensions/libebt_redirect.txlate b/extensions/libebt_redirect.txlate
+index f0dd5deaf6406..d073ec774c4fa 100644
+--- a/extensions/libebt_redirect.txlate
++++ b/extensions/libebt_redirect.txlate
+@@ -1,8 +1,8 @@
+ ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect
+-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host accept'
++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host accept'
+ 
+ ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target RETURN
+-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host return'
++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host return'
+ 
+ ebtables-translate -t nat -A PREROUTING -d de:ad:00:00:be:ef -j redirect --redirect-target CONTINUE
+-nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta set pkttype host'
++nft 'add rule bridge nat PREROUTING ether daddr de:ad:00:00:be:ef counter meta pkttype set host'
+-- 
+2.40.0
+

0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch

@@ -0,0 +1,50 @@
+From 6177d53b1b5748d64eba68b42b173427815e454f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 3 Feb 2023 18:58:36 +0100
+Subject: [PATCH] extensions: libebt_ip: Do not use 'ip dscp' for translation
+
+Converting from TOS field match to DSCP one is irreversible, so replay
+testing is not possible. Use a raw payload expression to produce
+something that translates 1:1 back into an 'ip' match.
+
+Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 744c56bda974caaa274318d2825b3e43b55bf145)
+---
+ extensions/libebt_ip.c      | 4 ++--
+ extensions/libebt_ip.txlate | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
+index fd87dae7e2c62..8b381aa10b5b7 100644
+--- a/extensions/libebt_ip.c
++++ b/extensions/libebt_ip.c
+@@ -442,10 +442,10 @@ static int brip_xlate(struct xt_xlate *xl,
+ 	brip_xlate_nh(xl, info, EBT_IP_DEST);
+ 
+ 	if (info->bitmask & EBT_IP_TOS) {
+-		xt_xlate_add(xl, "ip dscp ");
++		xt_xlate_add(xl, "@nh,8,8 ");
+ 		if (info->invflags & EBT_IP_TOS)
+ 			xt_xlate_add(xl, "!= ");
+-		xt_xlate_add(xl, "0x%02x ", info->tos & 0x3f); /* remove ECN bits */
++		xt_xlate_add(xl, "0x%02x ", info->tos);
+ 	}
+ 	if (info->bitmask & EBT_IP_PROTO) {
+ 		struct protoent *pe;
+diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate
+index 75c1db246fb81..562e3157d7b92 100644
+--- a/extensions/libebt_ip.txlate
++++ b/extensions/libebt_ip.txlate
+@@ -5,7 +5,7 @@ ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1
+ nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter'
+ 
+ ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff
+-nft 'insert rule bridge filter OUTPUT oifname "eth0" ip dscp 0x3f counter'
++nft 'insert rule bridge filter OUTPUT oifname "eth0" @nh,8,8 0xff counter'
+ 
+ ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22
+ nft 'add rule bridge filter FORWARD tcp dport 22 counter'
+-- 
+2.40.0
+

0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch

@@ -0,0 +1,85 @@
+From 1429ad5300d85ae9e3f6114f609afb1ac6808c71 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 3 Feb 2023 17:37:40 +0100
+Subject: [PATCH] extensions: libebt_ip: Translation has to match on ether type
+
+On one hand, nft refuses th expression in bridge family if layer3
+protocol has not been assured by a previous match. On the other, ebt_ip
+kernel module will only match on IPv4 packets, so there might be a
+functional change in the translation versus the original.
+
+Instead of just always emitting an 'ether type' match, decide whether
+it's actually needed - explicit "ip <something>" payload matches (or
+icmp ones) cause implicit creation of a match on IPv4 by nft.
+
+Fixes: 03ecffe6c2cc0 ("ebtables-compat: add initial translations")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit b860e658200af8fdeced2896a1a6c2f0f0692b70)
+---
+ extensions/libebt_ip.c      | 21 +++++++++++++++++++++
+ extensions/libebt_ip.txlate |  6 +++---
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c
+index 8b381aa10b5b7..68f34bff97deb 100644
+--- a/extensions/libebt_ip.c
++++ b/extensions/libebt_ip.c
+@@ -432,6 +432,24 @@ static void brip_xlate_nh(struct xt_xlate *xl,
+ 				  xtables_ipmask_to_numeric(maskp));
+ }
+ 
++static bool may_skip_ether_type_dep(uint8_t flags)
++{
++	/* these convert to "ip (s|d)addr" matches */
++	if (flags & (EBT_IP_SOURCE | EBT_IP_DEST))
++		return true;
++
++	/* icmp match triggers implicit ether type dependency in nft */
++	if (flags & EBT_IP_ICMP)
++		return true;
++
++	/* allow if "ip protocol" match is created by brip_xlate() */
++	if (flags & EBT_IP_PROTO &&
++	    !(flags & (EBT_IP_SPORT | EBT_IP_DPORT | EBT_IP_ICMP)))
++		return true;
++
++	return false;
++}
++
+ static int brip_xlate(struct xt_xlate *xl,
+ 		      const struct xt_xlate_mt_params *params)
+ {
+@@ -441,6 +459,9 @@ static int brip_xlate(struct xt_xlate *xl,
+ 	brip_xlate_nh(xl, info, EBT_IP_SOURCE);
+ 	brip_xlate_nh(xl, info, EBT_IP_DEST);
+ 
++	if (!may_skip_ether_type_dep(info->bitmask))
++		xt_xlate_add(xl, "ether type ip ");
++
+ 	if (info->bitmask & EBT_IP_TOS) {
+ 		xt_xlate_add(xl, "@nh,8,8 ");
+ 		if (info->invflags & EBT_IP_TOS)
+diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate
+index 562e3157d7b92..28996832225cb 100644
+--- a/extensions/libebt_ip.txlate
++++ b/extensions/libebt_ip.txlate
+@@ -5,13 +5,13 @@ ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1
+ nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter'
+ 
+ ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff
+-nft 'insert rule bridge filter OUTPUT oifname "eth0" @nh,8,8 0xff counter'
++nft 'insert rule bridge filter OUTPUT oifname "eth0" ether type ip @nh,8,8 0xff counter'
+ 
+ ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22
+-nft 'add rule bridge filter FORWARD tcp dport 22 counter'
++nft 'add rule bridge filter FORWARD ether type ip tcp dport 22 counter'
+ 
+ ebtables-translate -A FORWARD -p ip --ip-proto udp --ip-sport 1024:65535
+-nft 'add rule bridge filter FORWARD udp sport 1024-65535 counter'
++nft 'add rule bridge filter FORWARD ether type ip udp sport 1024-65535 counter'
+ 
+ ebtables-translate -A FORWARD -p ip --ip-proto 253
+ nft 'add rule bridge filter FORWARD ip protocol 253 counter'
+-- 
+2.40.0
+

0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch

@@ -0,0 +1,36 @@
+From 94052918c2fd1508afa15a9a83965755d354d69b Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 21 Feb 2023 12:19:42 -0500
+Subject: [PATCH] xt_sctp: add the missing chunk types in sctp_help
+
+Add the missing chunk types in sctp_help(), so that the help cmd can
+display these chunk types as below:
+
+  # iptables -p sctp --help
+
+  chunktypes - ... I_DATA RE_CONFIG PAD ... I_FORWARD_TSN ALL NONE
+
+Fixes: 6b04d9c34e25 ("xt_sctp: support a couple of new chunk types")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit f7c8d896f3305471746a8690f73587a65854d8fa)
+---
+ extensions/libxt_sctp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index fe5f5621a033d..6e2b2745dcbd5 100644
+--- a/extensions/libxt_sctp.c
++++ b/extensions/libxt_sctp.c
+@@ -50,7 +50,7 @@ static void sctp_help(void)
+ " --dport ...\n" 
+ "[!] --chunk-types (all|any|none) (chunktype[:flags])+	match if all, any or none of\n"
+ "						        chunktypes are present\n"
+-"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK FORWARD_TSN ALL NONE\n");
++"chunktypes - DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE I_DATA RE_CONFIG PAD ASCONF ASCONF_ACK FORWARD_TSN I_FORWARD_TSN ALL NONE\n");
+ }
+ 
+ static const struct option sctp_opts[] = {
+-- 
+2.40.0
+

0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch

@@ -0,0 +1,101 @@
+From 3311bf0d0fefd845d8d1d01b178bcd6701473a43 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 22 Feb 2023 16:36:16 +0100
+Subject: [PATCH] include: Add missing linux/netfilter/xt_LOG.h
+
+When merging IP-version-specific LOG extensions, a dependency to that
+header was introduced without caching it. Fix this and drop the now
+unused ip{,6}t_LOG.h files.
+
+Reported-by: Thomas Devoogdt <thomas@devoogdt.com>
+Fixes: 87e4f1bf0b87b ("extensions: libip*t_LOG: Merge extensions")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 8030e5444681e16ac2f481ddad73e33fab376147)
+---
+ include/linux/netfilter/xt_LOG.h        | 20 ++++++++++++++++++++
+ include/linux/netfilter_ipv4/ipt_LOG.h  | 19 -------------------
+ include/linux/netfilter_ipv6/ip6t_LOG.h | 19 -------------------
+ 3 files changed, 20 insertions(+), 38 deletions(-)
+ create mode 100644 include/linux/netfilter/xt_LOG.h
+ delete mode 100644 include/linux/netfilter_ipv4/ipt_LOG.h
+ delete mode 100644 include/linux/netfilter_ipv6/ip6t_LOG.h
+
+diff --git a/include/linux/netfilter/xt_LOG.h b/include/linux/netfilter/xt_LOG.h
+new file mode 100644
+index 0000000000000..167d4ddd2476b
+--- /dev/null
++++ b/include/linux/netfilter/xt_LOG.h
+@@ -0,0 +1,20 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
++#ifndef _XT_LOG_H
++#define _XT_LOG_H
++
++/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */
++#define XT_LOG_TCPSEQ		0x01	/* Log TCP sequence numbers */
++#define XT_LOG_TCPOPT		0x02	/* Log TCP options */
++#define XT_LOG_IPOPT		0x04	/* Log IP options */
++#define XT_LOG_UID		0x08	/* Log UID owning local socket */
++#define XT_LOG_NFLOG		0x10	/* Unsupported, don't reuse */
++#define XT_LOG_MACDECODE	0x20	/* Decode MAC header */
++#define XT_LOG_MASK		0x2f
++
++struct xt_log_info {
++	unsigned char level;
++	unsigned char logflags;
++	char prefix[30];
++};
++
++#endif /* _XT_LOG_H */
+diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
+deleted file mode 100644
+index dcdbadf9fd4a9..0000000000000
+--- a/include/linux/netfilter_ipv4/ipt_LOG.h
++++ /dev/null
+@@ -1,19 +0,0 @@
+-#ifndef _IPT_LOG_H
+-#define _IPT_LOG_H
+-
+-/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+-#define IPT_LOG_TCPSEQ		0x01	/* Log TCP sequence numbers */
+-#define IPT_LOG_TCPOPT		0x02	/* Log TCP options */
+-#define IPT_LOG_IPOPT		0x04	/* Log IP options */
+-#define IPT_LOG_UID		0x08	/* Log UID owning local socket */
+-#define IPT_LOG_NFLOG		0x10	/* Unsupported, don't reuse */
+-#define IPT_LOG_MACDECODE	0x20	/* Decode MAC header */
+-#define IPT_LOG_MASK		0x2f
+-
+-struct ipt_log_info {
+-	unsigned char level;
+-	unsigned char logflags;
+-	char prefix[30];
+-};
+-
+-#endif /*_IPT_LOG_H*/
+diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
+deleted file mode 100644
+index 9dd5579e02ec7..0000000000000
+--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
++++ /dev/null
+@@ -1,19 +0,0 @@
+-#ifndef _IP6T_LOG_H
+-#define _IP6T_LOG_H
+-
+-/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+-#define IP6T_LOG_TCPSEQ		0x01	/* Log TCP sequence numbers */
+-#define IP6T_LOG_TCPOPT		0x02	/* Log TCP options */
+-#define IP6T_LOG_IPOPT		0x04	/* Log IP options */
+-#define IP6T_LOG_UID		0x08	/* Log UID owning local socket */
+-#define IP6T_LOG_NFLOG		0x10	/* Unsupported, don't use */
+-#define IP6T_LOG_MACDECODE	0x20	/* Decode MAC header */
+-#define IP6T_LOG_MASK		0x2f
+-
+-struct ip6t_log_info {
+-	unsigned char level;
+-	unsigned char logflags;
+-	char prefix[30];
+-};
+-
+-#endif /*_IPT_LOG_H*/
+-- 
+2.40.0
+

0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch

@@ -0,0 +1,67 @@
+From 1d37530ed4a9ece32ed94faa916845a883f8fd05 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 28 Feb 2023 18:09:25 +0100
+Subject: [PATCH] nft-restore: Fix for deletion of new, referenced rule
+
+Combining multiple corner-cases here:
+
+* Insert a rule before another new one which is not the first. Triggers
+  NFTNL_RULE_ID assignment of the latter.
+
+* Delete the referenced new rule in the same batch again. Causes
+  overwriting of the previously assigned RULE_ID.
+
+Consequently, iptables-nft-restore fails during *insert*, because the
+reference is dangling.
+
+Reported-by: Eric Garver <eric@garver.life>
+Fixes: 760b35b46e4cc ("nft: Fix for add and delete of same rule in single batch")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Tested-by: Eric Garver <eric@garver.life>
+(cherry picked from commit 5fd85822bd12a02f1a921243f605fc6238d705b4)
+---
+ iptables/nft.c                                   |  3 ++-
+ .../ipt-restore/0003-restore-ordering_0          | 16 ++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 63468cf3b1344..5896fd410ca78 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -2343,7 +2343,8 @@ static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule *r)
+ 
+ 	nftnl_rule_list_del(r);
+ 
+-	if (!nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE))
++	if (!nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE) &&
++	    !nftnl_rule_get_u32(r, NFTNL_RULE_ID))
+ 		nftnl_rule_set_u32(r, NFTNL_RULE_ID, ++h->rule_id);
+ 
+ 	obj = batch_rule_add(h, NFT_COMPAT_RULE_DELETE, r);
+diff --git a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
+index 3f1d229e915ff..5482b7ea17298 100755
+--- a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
++++ b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
+@@ -123,3 +123,19 @@ EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT
+ -A FORWARD -m comment --comment "rule 3" -j ACCEPT'
+ 
+ diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
++
++# test adding, referencing and deleting the same rule in a batch
++
++$XT_MULTI iptables-restore <<EOF
++*filter
++-A FORWARD -m comment --comment "first rule" -j ACCEPT
++-A FORWARD -m comment --comment "referenced rule" -j ACCEPT
++-I FORWARD 2 -m comment --comment "referencing rule" -j ACCEPT
++-D FORWARD -m comment --comment "referenced rule" -j ACCEPT
++COMMIT
++EOF
++
++EXPECT='-A FORWARD -m comment --comment "first rule" -j ACCEPT
++-A FORWARD -m comment --comment "referencing rule" -j ACCEPT'
++
++diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
+-- 
+2.40.0
+

0013-ip6tables-Fix-checking-existence-of-rule.patch

@@ -0,0 +1,33 @@
+From f6338ac2776094b3fc27227511de53b5f96be16d Mon Sep 17 00:00:00 2001
+From: Markus Boehme <markubo@amazon.com>
+Date: Mon, 3 Apr 2023 23:13:47 +0200
+Subject: [PATCH] ip6tables: Fix checking existence of rule
+
+Pass the proper entry size when creating a match mask for checking the
+existence of a rule. Failing to do so causes wrong results.
+
+Reported-by: Jonathan Caicedo <jonathan@jcaicedo.com>
+Fixes: eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables")
+Signed-off-by: Markus Boehme <markubo@amazon.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 78850e7dba64a949c440dbdbe557f59409c6db48)
+---
+ iptables/ip6tables.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 345af4519bfe7..9afc32c1a21ed 100644
+--- a/iptables/ip6tables.c
++++ b/iptables/ip6tables.c
+@@ -331,7 +331,7 @@ check_entry(const xt_chainlabel chain, struct ip6t_entry *fw,
+ 	int ret = 1;
+ 	unsigned char *mask;
+ 
+-	mask = make_delete_mask(matches, target, sizeof(fw));
++	mask = make_delete_mask(matches, target, sizeof(*fw));
+ 	for (i = 0; i < nsaddrs; i++) {
+ 		fw->ipv6.src = saddrs[i];
+ 		fw->ipv6.smsk = smasks[i];
+-- 
+2.40.0
+

0014-nft-shared-Drop-unused-include.patch

@@ -0,0 +1,29 @@
+From 1bf20a3bd929060cb9afdd798292f0463243e26d Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 29 Mar 2023 16:22:16 +0200
+Subject: [PATCH] nft-shared: Drop unused include
+
+Code does not refer to struct xt_comment_info anymore.
+
+Fixes: 3bb497c61d743 ("xtables: Fix for deleting rules with comment")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 465470184950d9035dcd1101c1f413f8a2051427)
+---
+ iptables/nft-shared.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
+index 4a7b5406892c4..4ba44a4aa4d17 100644
+--- a/iptables/nft-shared.c
++++ b/iptables/nft-shared.c
+@@ -22,7 +22,6 @@
+ #include <xtables.h>
+ 
+ #include <linux/netfilter/nf_log.h>
+-#include <linux/netfilter/xt_comment.h>
+ #include <linux/netfilter/xt_limit.h>
+ #include <linux/netfilter/xt_NFLOG.h>
+ #include <linux/netfilter/xt_mark.h>
+-- 
+2.40.0
+

0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch

@@ -0,0 +1,31 @@
+From 9a4b3bde58819e55a2d852800e87e66629a87081 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 28 Apr 2023 14:33:43 +0200
+Subject: [PATCH] arptables: Fix parsing of inverted 'arp operation' match
+
+The wrong bit was set in 'invflags', probably due to copy'n'paste from
+the previous case.
+
+Fixes: 84909d171585d ("xtables: bootstrap ARP compatibility layer for nftables")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 092e4b022152addc94524e2ba0cb608dac1a3a08)
+---
+ iptables/nft-arp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index 210f43d2cefbe..8fae5adc50216 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -244,7 +244,7 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
+ 		fw->arp.arhln = ar_hln;
+ 		fw->arp.arhln_mask = 0xff;
+ 		if (inv)
+-			fw->arp.invflags |= IPT_INV_ARPOP;
++			fw->arp.invflags |= IPT_INV_ARPHLN;
+ 		break;
+ 	case offsetof(struct arphdr, ar_pln):
+ 		get_cmp_data(e, &ar_pln, sizeof(ar_pln), &inv);
+-- 
+2.40.0
+

0016-arptables-Don-t-omit-standard-matches-if-inverted.patch

@@ -0,0 +1,42 @@
+From a900100d6d4be7c52e4cfd1ab06ce3ac626d71a1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 28 Apr 2023 14:37:47 +0200
+Subject: [PATCH] arptables: Don't omit standard matches if inverted
+
+Inverted --h-len and --h-type matches were omitted from output by
+accident if they matched on their standard value.
+
+Fixes: 84331e3ed3f8e ("arptables-nft: Don't print default h-len/h-type values")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 79f93b0943fa0e46ba29bb476362634509eb594e)
+---
+ iptables/nft-arp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index 8fae5adc50216..df3ad430cf701 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -408,7 +408,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
+ 
+ after_devdst:
+ 
+-	if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6) {
++	if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6 ||
++	    fw->arp.invflags & IPT_INV_ARPHLN) {
+ 		printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHLN
+ 			? "! " : "");
+ 		printf("--h-length %d", fw->arp.arhln);
+@@ -432,7 +433,8 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
+ 		sep = " ";
+ 	}
+ 
+-	if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1)) {
++	if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1) ||
++	    fw->arp.invflags & IPT_INV_ARPHRD) {
+ 		uint16_t tmp = ntohs(fw->arp.arhrd);
+ 
+ 		printf("%s%s", sep, fw->arp.invflags & IPT_INV_ARPHRD
+-- 
+2.40.0
+

0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch

@@ -0,0 +1,211 @@
+From 174ef8164bc3b1f9454f77b3747f1591ea5b5a9f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Fri, 28 Apr 2023 14:41:08 +0200
+Subject: [PATCH] xshared: Fix parsing of option arguments in same word
+
+When merging commandline parsers, a decision between 'argv[optind - 1]'
+and 'optarg' had to be made in some spots. While the implementation of
+check_inverse() required the former, use of the latter allows for the
+common syntax of '--opt=arg' or even '-oarg' as 'optarg' will point at
+the suffix while 'argv[optind - 1]' will just point at the following
+option.
+
+Fix the mess by making check_inverse() update optarg pointer if needed
+so calling code may refer to and always correct 'optarg'.
+
+Fixes: 0af80a91b0a98 ("nft: Merge xtables-arp-standalone.c into xtables-standalone.c")
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1677
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 90a7a183a208b691810b8519cc57d3d9d3b7eb60)
+---
+ extensions/libarpt_standard.t |  2 ++
+ extensions/libxt_standard.t   |  3 ++
+ iptables/xshared.c            | 61 +++++++++++++++++------------------
+ 3 files changed, 35 insertions(+), 31 deletions(-)
+
+diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t
+index e84a00b780488..007fa2b8335e8 100644
+--- a/extensions/libarpt_standard.t
++++ b/extensions/libarpt_standard.t
+@@ -12,3 +12,5 @@
+ -i lo --destination-mac 11:22:33:44:55:66;-i lo --dst-mac 11:22:33:44:55:66;OK
+ --source-mac Unicast;--src-mac 00:00:00:00:00:00/01:00:00:00:00:00;OK
+ ! --src-mac Multicast;! --src-mac 01:00:00:00:00:00/01:00:00:00:00:00;OK
++--src-mac=01:02:03:04:05:06 --dst-mac=07:08:09:0A:0B:0C --h-length=6 --opcode=Request --h-type=Ethernet --proto-type=ipv4;--src-mac 01:02:03:04:05:06 --dst-mac 07:08:09:0a:0b:0c --opcode 1 --proto-type 0x800;OK
++--src-mac ! 01:02:03:04:05:06 --dst-mac ! 07:08:09:0A:0B:0C --h-length ! 6 --opcode ! Request --h-type ! Ethernet --proto-type ! ipv4;! --src-mac 01:02:03:04:05:06 ! --dst-mac 07:08:09:0a:0b:0c ! --h-length 6 ! --opcode 1 ! --h-type 1 ! --proto-type 0x800;OK
+diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
+index 56d6da2e5884e..6ed978e442b80 100644
+--- a/extensions/libxt_standard.t
++++ b/extensions/libxt_standard.t
+@@ -21,3 +21,6 @@
+ -s 10.11.12.13/255.128.0.0;-s 10.0.0.0/9;OK
+ -s 10.11.12.13/255.0.255.0;-s 10.0.12.0/255.0.255.0;OK
+ -s 10.11.12.13/255.0.12.0;-s 10.0.12.0/255.0.12.0;OK
++:FORWARD
++--protocol=tcp --source=1.2.3.4 --destination=5.6.7.8/32 --in-interface=eth0 --out-interface=eth1 --jump=ACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
++-ptcp -s1.2.3.4 -d5.6.7.8/32 -ieth0 -oeth1 -jACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index ac51fac5ce9ed..17aed04e02b09 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -1318,7 +1318,7 @@ static void check_empty_interface(struct xtables_args *args, const char *arg)
+ }
+ 
+ static void check_inverse(struct xtables_args *args, const char option[],
+-			  bool *invert, int *optidx, int argc)
++			  bool *invert, int argc, char **argv)
+ {
+ 	switch (args->family) {
+ 	case NFPROTO_ARP:
+@@ -1337,12 +1337,11 @@ static void check_inverse(struct xtables_args *args, const char option[],
+ 		xtables_error(PARAMETER_PROBLEM,
+ 			      "Multiple `!' flags not allowed");
+ 	*invert = true;
+-	if (optidx) {
+-		*optidx = *optidx + 1;
+-		if (argc && *optidx > argc)
+-			xtables_error(PARAMETER_PROBLEM,
+-				      "no argument following `!'");
+-	}
++	optind++;
++	if (optind > argc)
++		xtables_error(PARAMETER_PROBLEM, "no argument following `!'");
++
++	optarg = argv[optind - 1];
+ }
+ 
+ static const char *optstring_lookup(int family)
+@@ -1555,16 +1554,16 @@ void do_parse(int argc, char *argv[],
+ 			 * Option selection
+ 			 */
+ 		case 'p':
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_PROTOCOL,
+ 				   &args->invflags, invert);
+ 
+ 			/* Canonicalize into lower case */
+-			for (cs->protocol = argv[optind - 1];
++			for (cs->protocol = optarg;
+ 			     *cs->protocol; cs->protocol++)
+ 				*cs->protocol = tolower(*cs->protocol);
+ 
+-			cs->protocol = argv[optind - 1];
++			cs->protocol = optarg;
+ 			args->proto = xtables_parse_protocol(cs->protocol);
+ 
+ 			if (args->proto == 0 &&
+@@ -1578,17 +1577,17 @@ void do_parse(int argc, char *argv[],
+ 			break;
+ 
+ 		case 's':
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_SOURCE,
+ 				   &args->invflags, invert);
+-			args->shostnetworkmask = argv[optind - 1];
++			args->shostnetworkmask = optarg;
+ 			break;
+ 
+ 		case 'd':
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_DESTINATION,
+ 				   &args->invflags, invert);
+-			args->dhostnetworkmask = argv[optind - 1];
++			args->dhostnetworkmask = optarg;
+ 			break;
+ 
+ #ifdef IPT_F_GOTO
+@@ -1601,71 +1600,71 @@ void do_parse(int argc, char *argv[],
+ #endif
+ 
+ 		case 2:/* src-mac */
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_S_MAC, &args->invflags,
+ 				   invert);
+-			args->src_mac = argv[optind - 1];
++			args->src_mac = optarg;
+ 			break;
+ 
+ 		case 3:/* dst-mac */
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_D_MAC, &args->invflags,
+ 				   invert);
+-			args->dst_mac = argv[optind - 1];
++			args->dst_mac = optarg;
+ 			break;
+ 
+ 		case 'l':/* hardware length */
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_H_LENGTH, &args->invflags,
+ 				   invert);
+-			args->arp_hlen = argv[optind - 1];
++			args->arp_hlen = optarg;
+ 			break;
+ 
+ 		case 8: /* was never supported, not even in arptables-legacy */
+ 			xtables_error(PARAMETER_PROBLEM, "not supported");
+ 		case 4:/* opcode */
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_OPCODE, &args->invflags,
+ 				   invert);
+-			args->arp_opcode = argv[optind - 1];
++			args->arp_opcode = optarg;
+ 			break;
+ 
+ 		case 5:/* h-type */
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_H_TYPE, &args->invflags,
+ 				   invert);
+-			args->arp_htype = argv[optind - 1];
++			args->arp_htype = optarg;
+ 			break;
+ 
+ 		case 6:/* proto-type */
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_P_TYPE, &args->invflags,
+ 				   invert);
+-			args->arp_ptype = argv[optind - 1];
++			args->arp_ptype = optarg;
+ 			break;
+ 
+ 		case 'j':
+ 			set_option(&cs->options, OPT_JUMP, &args->invflags,
+ 				   invert);
+-			command_jump(cs, argv[optind - 1]);
++			command_jump(cs, optarg);
+ 			break;
+ 
+ 		case 'i':
+ 			check_empty_interface(args, optarg);
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_VIANAMEIN,
+ 				   &args->invflags, invert);
+-			xtables_parse_interface(argv[optind - 1],
++			xtables_parse_interface(optarg,
+ 						args->iniface,
+ 						args->iniface_mask);
+ 			break;
+ 
+ 		case 'o':
+ 			check_empty_interface(args, optarg);
+-			check_inverse(args, optarg, &invert, &optind, argc);
++			check_inverse(args, optarg, &invert, argc, argv);
+ 			set_option(&cs->options, OPT_VIANAMEOUT,
+ 				   &args->invflags, invert);
+-			xtables_parse_interface(argv[optind - 1],
++			xtables_parse_interface(optarg,
+ 						args->outiface,
+ 						args->outiface_mask);
+ 			break;
+-- 
+2.40.0
+

iptables.spec

@@ -11,7 +11,7 @@ Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.9
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.xz
 Source1: iptables.init
 Source2: iptables-config
@@ -20,7 +20,23 @@ Source4: sysconfig_iptables
 Source5: sysconfig_ip6tables
 Source6: arptables-nft-helper
 
-Patch01: 0001-extensions-NAT-Fix-for-Werror-format-security.patch
+Patch001: 0001-extensions-NAT-Fix-for-Werror-format-security.patch
+Patch002: 0002-etc-Drop-xtables.conf.patch
+Patch003: 0003-Proper-fix-for-unknown-argument-error-message.patch
+Patch004: 0004-ebtables-Refuse-unselected-targets-options.patch
+Patch005: 0005-tests-xlate-Properly-split-input-in-replay-mode.patch
+Patch006: 0006-extensions-libebt_redirect-Fix-target-translation.patch
+Patch007: 0007-extensions-libebt_redirect-Fix-for-wrong-syntax-in-t.patch
+Patch008: 0008-extensions-libebt_ip-Do-not-use-ip-dscp-for-translat.patch
+Patch009: 0009-extensions-libebt_ip-Translation-has-to-match-on-eth.patch
+Patch010: 0010-xt_sctp-add-the-missing-chunk-types-in-sctp_help.patch
+Patch011: 0011-include-Add-missing-linux-netfilter-xt_LOG.h.patch
+Patch012: 0012-nft-restore-Fix-for-deletion-of-new-referenced-rule.patch
+Patch013: 0013-ip6tables-Fix-checking-existence-of-rule.patch
+Patch014: 0014-nft-shared-Drop-unused-include.patch
+Patch015: 0015-arptables-Fix-parsing-of-inverted-arp-operation-matc.patch
+Patch016: 0016-arptables-Don-t-omit-standard-matches-if-inverted.patch
+Patch017: 0017-xshared-Fix-parsing-of-option-arguments-in-same-word.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic Licence 2.0
@@ -431,6 +447,9 @@ fi
 
 
 %changelog
+* Wed May 24 2023 Phil Sutter <psutter@redhat.com> - 1.8.9-4
+- Backport fixes from upstream
+
 * Thu Apr 20 2023 Phil Sutter <psutter@redhat.com> - 1.8.9-3
 - Support %%_excludedocs macro in alternatives installation