diff --git a/.gitignore b/.gitignore index a75975a..e9cc80a 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ iptables-1.4.9.tar.bz2 /iptables-1.4.18.tar.bz2 /iptables-1.4.19.1.tar.bz2 /iptables-1.4.21.tar.bz2 +/iptables-1.6.0.tar.bz2 diff --git a/iptables-config b/iptables-config index d906dd5..d9f6c34 100644 --- a/iptables-config +++ b/iptables-config @@ -46,3 +46,9 @@ IPTABLES_STATUS_VERBOSE="no" # Value: yes|no, default: yes # Print a counter/number for every rule in the status output. IPTABLES_STATUS_LINENUMBERS="yes" + +# Reload sysctl settings on start and restart +# Default: -none- +# Space separated list of sysctl items which are to be reloaded on start. +# List items will be matched by fgrep. +#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf" diff --git a/iptables.init b/iptables.init index 663d82b..beeffa4 100755 --- a/iptables.init +++ b/iptables.init @@ -23,12 +23,18 @@ IPTABLES=iptables IPTABLES_DATA=/etc/sysconfig/$IPTABLES +IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names -RUN_SUBSYS=/run/lock/subsys -RUN_SUBSYS_IPTABLES=${RUN_SUBSYS}/${IPTABLES} +VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES + +# only usable for root +if [ $EUID != 0 ]; then + echo -n $"${IPTABLES}: Only usable by root."; warning; echo + exit 4 +fi if [ ! -x /sbin/$IPTABLES ]; then echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo @@ -36,7 +42,7 @@ if [ ! -x /sbin/$IPTABLES ]; then fi # Old or new modutils -/sbin/modprobe --version 2>&1 | grep -q module-init-tools \ +/sbin/modprobe --version 2>&1 | grep -q 'kmod version' \ && NEW_MODUTILS=1 \ || NEW_MODUTILS=0 
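Review bot: The new root gate `if [ $EUID != 0 ]; then` in the first iptables.init hunk (@@ -23) relies on a bash-only variable and fails open if it is ever empty: `[ != 0 ]` is a usage error for `[`, the condition evaluates false and the script carries on for an unprivileged caller. The `$"…"` strings and `let` used elsewhere in the file suggest bash is the interpreter, so `EUID` will normally be set, but the shebang is outside this hunk. A check that does not depend on the shell builtin stays closed in either case: `if [ "$(id -u)" -ne 0 ]; then`.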
@@ -49,6 +55,7 @@ IPTABLES_SAVE_COUNTER="no" IPTABLES_STATUS_NUMERIC="yes" IPTABLES_STATUS_VERBOSE="no" IPTABLES_STATUS_LINENUMBERS="yes" +IPTABLES_SYSCTL_LOAD_LIST="" # Load firewall configuration. [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" @@ -174,9 +181,27 @@ set_policy() { return $ret } +load_sysctl() { + # load matched sysctl values + if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then + echo -n $"Loading sysctl settings: " + ret=0 + for item in $IPTABLES_SYSCTL_LOAD_LIST; do + fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + return $ret +} + start() { # Do not start if there is no config file. - [ ! -f "$IPTABLES_DATA" ] && return 6 + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] \ @@ -194,7 +219,18 @@ start() { if [ $? -eq 0 ]; then success; echo else - failure; echo; return 1 + failure; echo; + if [ -f "$IPTABLES_FALLBACK_DATA" ]; then + echo -n $"${IPTABLES}: Applying firewall fallback rules: " + $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + else + return 1 + fi fi # Load additional modules (helpers) @@ -209,9 +245,11 @@ start() { [ $ret -eq 0 ] && success || failure echo fi + + # Load sysctl settings + load_sysctl - mkdir -p $RUN_SUBSYS - touch $RUN_SUBSYS_IPTABLES + touch $VAR_SUBSYS_IPTABLES return $ret } @@ -223,10 +261,9 @@ stop() { # on systems where the default policy is DROP and root device is # network-based (i.e.: iSCSI, NFS) set_policy ACCEPT - # And then, flush the rules and delete chains flush_n_delete - + if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then echo -n $"${IPTABLES}: Unloading modules: " ret=0 
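Review bot: In `load_sysctl` (hunk @@ -174) the status added to `ret` is that of the last pipeline stage, `sysctl -p -`, so a list item that matches nothing in /etc/sysctl.conf feeds sysctl an empty stream and is counted as a success; `$item` also reaches fgrep unquoted and without `--`, so a list entry beginning with `-` is parsed as an option. Checking the match separately records both outcomes: `lines=$(fgrep -- "$item" /etc/sysctl.conf) || { let ret+=1; continue; }` followed by `printf '%s\n' "$lines" | sysctl -p - >/dev/null; let ret+=$?`. `ret` is a global assigned only inside the `if`, so with an empty list `return $ret` hands back whatever the caller last stored there; `ret=0` before the `if` makes the function self-contained. Only /etc/sysctl.conf is consulted; whether /etc/sysctl.d fragments should be covered too is for the author to confirm.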
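Review bot: The fallback path in the @@ -194 hunk applies `$IPTABLES_FALLBACK_DATA` on top of whatever the failed primary restore left behind. iptables-restore commits table by table, so when the primary file fails in a later table the earlier tables are already replaced, and the fallback restore flushes only the tables it itself defines, which can leave a mix of the two files loaded. Calling `flush_n_delete` (already used by `stop`) before the fallback restore, or validating the primary file first with `$IPTABLES-restore --test $OPT $IPTABLES_DATA`, gives a defined end state. `start()` begins before this hunk and ends after it.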
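Review bot: The @@ -209 hunk drops the `mkdir -p $RUN_SUBSYS` that preceded the lock-file `touch`, so `touch $VAR_SUBSYS_IPTABLES` now fails when /var/lock/subsys is absent, and because that failure is not folded into `ret` the function still reports success while the lock file that `status`, `condrestart` and the new `reload` arm test for never appears. `mkdir -p "${VAR_SUBSYS_IPTABLES%/*}" && touch "$VAR_SUBSYS_IPTABLES" || ret=1` restores the directory creation and records the failure. Whether the directory is guaranteed to exist on the target systems is something the author may know; the hunk itself does not establish it. `start()` continues above this hunk.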
@@ -243,16 +280,22 @@ stop() { echo fi - rm -f $RUN_SUBSYS_IPTABLES + rm -f $VAR_SUBSYS_IPTABLES return $ret } save() { # Check if iptable module is loaded - [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 + if [ ! -e "$PROC_IPTABLES_NAMES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 0 + fi # Check if firewall is configured (has tables) - [ -z "$NF_TABLES" ] && return 6 + if [ -z "$NF_TABLES" ]; then + echo -n $"${IPTABLES}: Nothing to save."; warning; echo + return 6 + fi echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " @@ -260,7 +303,7 @@ save() { [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" ret=0 - TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \ + TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ && chmod 600 "$TMP_FILE" \ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ @@ -269,22 +312,24 @@ save() { if [ -e $IPTABLES_DATA ]; then cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ && chmod 600 $IPTABLES_DATA.save \ + && restorecon $IPTABLES_DATA.save \ || ret=1 fi if [ $ret -eq 0 ]; then - cp -f $TMP_FILE $IPTABLES_DATA \ + mv -f $TMP_FILE $IPTABLES_DATA \ && chmod 600 $IPTABLES_DATA \ + && restorecon $IPTABLES_DATA \ || ret=1 fi fi + rm -f $TMP_FILE [ $ret -eq 0 ] && success || failure echo - rm -f $TMP_FILE return $ret } status() { - if [ ! -f "$RUN_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then + if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then echo $"${IPTABLES}: Firewall is not running." return 3 fi 
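Review bot: In the @@ -269 hunk `restorecon` becomes a mandatory step of save(): on a host where it is not installed or SELinux is disabled the `&&` chain breaks and `save` reports failure after the rules file has already been written. Running it only when SELinux is active keeps the label fix without the false failure, e.g. `&& { ! selinuxenabled 2>/dev/null || restorecon $IPTABLES_DATA; }` in both chains; whether the package guarantees `restorecon` via a Requires is not visible here. Creating the temp file next to `$IPTABLES_DATA` (hunk @@ -260) and replacing the copy with `mv -f` is an improvement, since a rename within one directory swaps the file atomically and nothing lingers in /tmp.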
@@ -318,6 +363,51 @@ status() { return 0 } +reload() { + # Do not reload if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Trying to reload firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; echo "Firewall rules are not changed."; return 1 + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + return $ret +} + restart() { [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save stop @@ -327,7 +417,7 @@ restart() { case "$1" in start) - [ -f "$RUN_SUBSYS_IPTABLES" ] && exit 0 + [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 start RETVAL=$? ;; @@ -340,8 +430,12 @@ case "$1" in restart RETVAL=$? ;; + reload) + [ -e "$VAR_SUBSYS_IPTABLES" ] && reload + RETVAL=$? + ;; condrestart|try-restart) - [ ! -e "$RUN_SUBSYS_IPTABLES" ] && exit 0 + [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 restart RETVAL=$? ;; @@ -350,7 +444,6 @@ case "$1" in RETVAL=$? ;; panic) - flush_n_delete set_policy DROP RETVAL=$? ;; @@ -359,7 +452,7 @@ case "$1" in RETVAL=$? ;; *) - echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}" + echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}" RETVAL=2 ;; esac 
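Review bot: `reload()` in the @@ -318 hunk never initialises `ret`: it is assigned only inside the `if [ -n "$IPTABLES_MODULES" ]` block, so with no extra modules `return $ret` returns whatever the global last held or, when it is unset, the status of the preceding `load_sysctl` call, which itself returns non-zero for an empty sysctl list. Add `ret=0` right after the `success; echo` of the restore so a successful reload reports 0. The message `Firewall rules are not changed.` on the failure branch is also stronger than iptables-restore guarantees, since it commits per table and a failure in a later table leaves earlier ones replaced; a dry run with `$IPTABLES-restore --test $OPT $IPTABLES_DATA` before the real restore would make the message true.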
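Review bot: The @@ -350 hunk removes `flush_n_delete` from the `panic` action, leaving only `set_policy DROP`. If `set_policy` (defined outside this hunk) changes chain policies only, existing ACCEPT rules keep matching traffic after a panic, so the action no longer isolates the host the way the old sequence did. If keeping the rules is intended so that a later `start` has nothing to rebuild, a comment on the case arm would help the next reader, e.g. `# panic keeps the loaded rules and only switches the built-in policies to DROP`.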
diff --git a/iptables.service b/iptables.service index c970793..6722c7a 100644 --- a/iptables.service +++ b/iptables.service @@ -1,6 +1,7 @@ [Unit] Description=IPv4 firewall with iptables -ConditionPathExists=/etc/sysconfig/iptables +After=syslog.target +AssertPathExists=/etc/sysconfig/iptables [Service] Type=oneshot diff --git a/iptables.spec b/iptables.spec index cbf9375..cea46d0 100644 --- a/iptables.spec +++ b/iptables.spec @@ -6,16 +6,19 @@ Name: iptables Summary: Tools for managing Linux kernel packet filtering capabilities -Version: 1.4.21 -Release: 16%{?dist} +Version: 1.6.0 +Release: 1%{?dist} Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2 Source1: iptables.init Source2: iptables-config Source3: iptables.service Source4: sysconfig_iptables Source5: sysconfig_ip6tables +Patch1: iptables-1.6.0-iptables-apply_mktemp.patch URL: http://www.netfilter.org/ -License: GPLv2 +# pf.os: ISC license +# iptables-apply: Artistic Licence 2.0 +License: GPLv2/Artistic Licence 2.0/ISC # libnetfilter_conntrack is needed for xt_connlabel BuildRequires: pkgconfig(libnetfilter_conntrack) # libnfnetlink-devel is requires for nfnl_osf 
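Review bot: Changing `ConditionPathExists` to `AssertPathExists` in iptables.service turns a missing /etc/sysconfig/iptables from a silently skipped start into a failed unit, which also fails any unit that `Requires=` this one; if that is the intent, a sentence in the commit message or a comment in the unit would record it. `After=syslog.target` names a target that has been deprecated in systemd for some time; an ordering dependency on an absent unit is ignored, so the line is harmless but dead, and a oneshot firewall loader does not need it.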
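Review bot: The new `License: GPLv2/Artistic Licence 2.0/ISC` tag in the iptables.spec hunk joins the identifiers with slashes, whereas the Fedora License field expects `and`/`or` conjunctions and the short name `Artistic 2.0`, i.e. `License: GPLv2 and Artistic 2.0 and ISC`; rpmlint and license-scanning tooling key on that syntax. The two comment lines above it, stating which component carries which licence, are the useful part and should stay.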
@@ -23,12 +26,36 @@ BuildRequires: pkgconfig(libnfnetlink) BuildRequires: libselinux-devel BuildRequires: kernel-headers BuildRequires: systemd +BuildRequires: pkgconfig(libnftnl) +BuildRequires: pkgconfig(libmnl) >= 1.0 +# libmnl, libnftnl, bison, flex for nftables +BuildRequires: bison +BuildRequires: flex +BuildRequires: pkgconfig(libmnl) >= 1.0 +BuildRequires: pkgconfig(libnftnl) >= 1.0.5 +# libpcap-devel for nfbpf_compile +BuildRequires: libpcap-devel +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description The iptables utility controls the network packet filtering code in the Linux kernel. If you need to set up firewalls and/or IP masquerading, you should install this package. +%package libs +Summary: iptables libraries +Group: System Environment/Base + +%description libs +iptables libraries. + +Please remember that libip*tc libraries do neither have a stable API nor a real so version. + +For more information about this, please have a look at + + http://www.netfilter.org/documentation/FAQ/netfilter-faq-4.html#ss4.5 + + %package devel Summary: Development package for iptables Group: System Environment/Base @@ -38,7 +65,7 @@ Requires: pkgconfig %description devel iptables development headers and libraries. -The iptc interface is upstream marked as not public. The interface is not +The iptc libraries are marked as not public by upstream. The interface is not stable and may change with every new version. It is therefore unsupported. %package services 
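Review bot: The @@ -23 hunk of iptables.spec lists `BuildRequires: pkgconfig(libnftnl)` and `BuildRequires: pkgconfig(libmnl) >= 1.0` twice, once directly after `BuildRequires: systemd` and again in the block under the nftables comment. Keep only the versioned pair (`pkgconfig(libmnl) >= 1.0`, `pkgconfig(libnftnl) >= 1.0.5`) so the minimum versions are stated once and unambiguously.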
@@ -71,13 +98,21 @@ Utils for iptables. Currently only provides nfnl_osf with the pf.os database. +%package compat +Summary: nftables compatibility for iptables, arptables and ebtables +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description compat +nftables compatibility for iptables, arptables and ebtables. %prep %setup -q +%patch1 -p1 -b .iptables-apply_mktemp %build CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing " \ -%configure --enable-devel --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr +%configure --enable-devel --enable-bpf-compiler --with-kernel=/usr --with-kbuild=/usr --with-ksource=/usr # do not use rpath sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool @@ -139,6 +174,10 @@ chmod 755 %{buildroot}/%{legacy_actions}/iptables/panic sed -e 's;iptables.init;ip6tables.init;g' -e 's;IPTABLES;IP6TABLES;g' < %{buildroot}/%{legacy_actions}/iptables/panic > ip6tabes.panic-legacy install -c -m 755 ip6tabes.panic-legacy %{buildroot}/%{legacy_actions}/ip6tables/panic +# install iptables-apply with man page +install -m 755 iptables/iptables-apply %{buildroot}%{_sbindir}/ +install -m 644 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8/ + %if 0%{?rhel} %pre for p in %{_sysconfdir}/alternatives/{iptables,ip6tables}.*; do 
@@ -170,17 +209,28 @@ done %doc INCOMPATIBILITIES %config(noreplace) %{_sysconfdir}/sysconfig/iptables-config %config(noreplace) %{_sysconfdir}/sysconfig/ip6tables-config -%{_sbindir}/iptables* -%{_sbindir}/ip6tables* +%{_sysconfdir}/ethertypes +%{_sbindir}/iptables +%{_sbindir}/iptables-apply +%{_sbindir}/iptables-restore +%{_sbindir}/iptables-save +%{_sbindir}/ip6tables +%{_sbindir}/ip6tables-restore +%{_sbindir}/ip6tables-save %{_sbindir}/xtables-multi +%{_sbindir}/nfbpf_compile %{_bindir}/iptables-xml %{_mandir}/man1/iptables-xml* %{_mandir}/man8/iptables* %{_mandir}/man8/ip6tables* %dir %{_libdir}/xtables +%{_libdir}/xtables/libarpt* +%{_libdir}/xtables/libebt* %{_libdir}/xtables/libipt* %{_libdir}/xtables/libip6t* %{_libdir}/xtables/libxt* + +%files libs %{_libdir}/libip*tc.so.* %{_libdir}/libxtables.so.* @@ -219,8 +269,26 @@ done %dir %{_datadir}/xtables %{_datadir}/xtables/pf.os +%files compat +%{_sbindir}/iptables-compat* +%{_sbindir}/ip6tables-compat* +%{_sbindir}/ebtables-compat* +%{_sbindir}/arptables-compat +%{_sbindir}/xtables-compat-multi %changelog +* Wed Apr 13 2016 Thomas Woerner - 1.6.0-1 +- New upstream version 1.6.0 with nft-compat support and lots of fixes (RHBZ#1292990) + Upstream changelog: + http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt +- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161) +- Using scripts form RHEL-7 (RHBZ#1240366) +- New compat sub package for nftables compatibility +- Install iptables-apply (RHBZ#912047) +- Fixed module uninstall (RHBZ#1324101) +- Incorporated changes by Petr Pisar +- Enabled bpf compiler (RHBZ#1170227) Thanks to Yanko Kaneti for the patch + * Thu Feb 04 2016 Fedora Release Engineering - 1.4.21-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild diff --git a/sources b/sources index f8a1d71..5945bf2 100644 --- a/sources +++ b/sources 
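Review bot: The new `%files libs` section in the @@ -170 hunk moves `libip*tc.so.*` and `libxtables.so.*` into a subpackage, but no `%post libs -p /sbin/ldconfig` / `%postun libs -p /sbin/ldconfig` scriptlets appear in the diff; if the main package carries those scriptlets outside this hunk they need to follow the libraries, otherwise the linker cache is not refreshed when only the libs package is updated. The `Requires: %{name}-libs%{?_isa} = %{version}-%{release}` added in the earlier hunk keeps the main package consistent with the split.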
@@ -1 +1 @@
-536d048c8e8eeebcd9757d0863ebb0c0 iptables-1.4.21.tar.bz2
+27ba3451cb622467fc9267a176f19a31 iptables-1.6.0.tar.bz2