diff --git a/iptables.spec b/iptables.spec
index 55df123..e4a701c 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -10,11 +10,13 @@
 # build legacy sub-packages only on non-rhel distributions
 %global do_legacy_pkg ! 0%{?rhel}
 
+%define _unpackaged_files_terminate_build 0
+
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 URL: https://www.netfilter.org/projects/iptables
 Version: 1.8.7
-Release: 18%{?dist}
+Release: 19%{?dist}
 Source: %{url}/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
@@ -84,9 +86,7 @@ Conflicts: setup < 2.10.4-1
 Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
 Obsoletes: %{name} < %{version}-%{release}
-%if 0%{?rhel} < 9
 Provides:	iptables
-%endif
 
 %description legacy
 The iptables utility controls the network packet filtering code in the
@@ -148,19 +148,23 @@ This package provides the services iptables and ip6tables that have been split
 out of the base package since they are not active by default anymore.
 
 %package nft-services
-Summary: arptables and ebtables services for iptables-nft
+Summary: Services for nft-variants of iptables, ebtables and arptables
 Requires: %{name}-nft%{?_isa} = %{version}-%{release}
-Requires: %{name}-services%{?_isa} = %{version}-%{release}
 Conflicts: arptables-services
 Conflicts: ebtables-services
+Provides: iptables-services = %{version}-%{release}
 Provides: arptables-services
 Provides: ebtables-services
+Obsoletes: iptables-services <= 1.8.4
+Obsoletes: iptables-arptables <= 1.8.4
+Obsoletes: iptables-ebtables <= 1.8.4
+%{?systemd_ordering}
 
 %description nft-services
-arptables and ebtables services for iptables-nft
+Services for nft-variants of iptables, ebtables and arptables
 
-This package provides the services arptables and ebtables for use
-with iptables-nft which provides nft-variants of these tools.
+This package provides the services iptables, ip6tables, arptables and ebtables
+for use with iptables-nft which provides nft-variants of these tools.
 
 %package utils
 Summary: iptables and ip6tables misc utilities
@@ -180,26 +184,13 @@ Requires(post): %{_sbindir}/update-alternatives
 Requires(postun): %{_sbindir}/update-alternatives
 Provides: arptables-helper
 Provides: iptables
+Provides: arptables
+Provides: ebtables
 Obsoletes: iptables <= 1.8.4
 
 %description nft
 nftables compatibility for iptables, arptables and ebtables.
 
-%package nft-compat
-Summary: Temporary transitioning package
-Provides: arptables
-Provides: ebtables
-Obsoletes: iptables-arptables <= 1.8.4
-Obsoletes: iptables-ebtables <= 1.8.4
-Requires: iptables-nft = %{version}-%{release}
-Requires: iptables-nft-services = %{version}-%{release}
-
-%description nft-compat
-This package only exists to help transition iptables-arptables and/or
-iptables-ebtables users to the new package split. It will be removed after one
-distribution release cycle, please do not reference it or depend on it in any
-way.
-
 %prep
 %autosetup -p1
 
@@ -310,13 +301,16 @@ fi
 %systemd_postun iptables.service ip6tables.service
 
 %post nft-services
+%systemd_post iptables.service ip6tables.service
 %systemd_post arptables.service ebtables.service
 
 %preun nft-services
+%systemd_preun iptables.service ip6tables.service
 %systemd_preun arptables.service ebtables.service
 
 %postun nft-services
 %?ldconfig
+%systemd_postun iptables.service ip6tables.service
 %systemd_postun arptables.service ebtables.service
 
 %post nft
@@ -398,11 +392,29 @@ fi
 %{_libdir}/libip*tc.so
 %{_libdir}/pkgconfig/libip{,4,6}tc.pc
 
+%files services
+
 # do_legacy_pkg
 %else
-%define _unpackaged_files_terminate_build 0
+
+%files nft-services
+%{_unitdir}/{arp,eb}tables.service
+%{_libexecdir}/ebtables-helper
+%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
+%ghost %{_sysconfdir}/sysconfig/arptables
+%ghost %{_sysconfdir}/sysconfig/ebtables
+
+# do_legacy_pkg
 %endif
 
+# the common files in services and nft-services
+%dir %{script_path}
+%{script_path}/ip{,6}tables.init
+%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
+%{_unitdir}/ip{,6}tables.service
+%dir %{legacy_actions}/ip{,6}tables
+%{legacy_actions}/ip{,6}tables/{save,panic}
+
 %files libs
 %license COPYING
 %{_libdir}/libxtables.so.12*
@@ -416,21 +428,6 @@ fi
 %{_libdir}/libxtables.so
 %{_libdir}/pkgconfig/xtables.pc
 
-%files services
-%dir %{script_path}
-%{script_path}/ip{,6}tables.init
-%config(noreplace) %{_sysconfdir}/sysconfig/ip{,6}tables{,-config}
-%{_unitdir}/ip{,6}tables.service
-%dir %{legacy_actions}/ip{,6}tables
-%{legacy_actions}/ip{,6}tables/{save,panic}
-
-%files nft-services
-%{_unitdir}/{arp,eb}tables.service
-%{_libexecdir}/ebtables-helper
-%config(noreplace) %{_sysconfdir}/sysconfig/ebtables-config
-%ghost %{_sysconfdir}/sysconfig/arptables
-%ghost %{_sysconfdir}/sysconfig/ebtables
-
 %files utils
 %license COPYING
 %{_sbindir}/nfnl_osf
@@ -461,9 +458,13 @@ fi
 %ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
 %ghost %{_mandir}/man8/ebtables.8.gz
 
-%files nft-compat
-
 %changelog
+* Thu Jul 29 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-19
+- Build iptables-services on C9S only
+- Use systemd_ordering in nft-services, too
+- Drop compat package, nft-services serves well for that purpose
+- Make legacy unconditionally provide iptables, it's not built on RHEL
+
 * Wed Jul 28 2021 Phil Sutter <psutter@redhat.com> - 1.8.7-18
 - Make iptables-nft-services require iptables-services to avoid confusion
 - Add deprecation notice to iptables-extensions man page as well