diff --git a/0004-nft-Fix-for-broken-recover_rule_compat.patch b/0004-nft-Fix-for-broken-recover_rule_compat.patch
new file mode 100644
index 0000000..fb7e80e
--- /dev/null
+++ b/0004-nft-Fix-for-broken-recover_rule_compat.patch
@@ -0,0 +1,99 @@
+From 4c883007ecf15b5fe18a71688a4383686e7c0026 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 22 May 2024 18:26:58 +0200
+Subject: [PATCH] nft: Fix for broken recover_rule_compat()
+
+JIRA: https://issues.redhat.com/browse/RHEL-26619
+Upstream Status: iptables commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
+
+commit bb1a7a5b297aa271f7f59abbcb891cd94d7fb305
+Author: Phil Sutter
+Date: Tue Feb 27 18:47:39 2024 +0100
+
+ nft: Fix for broken recover_rule_compat()
+
+ When IPv4 rule generator was changed to emit payload instead of
+ meta expressions for l4proto matches, the code reinserting
+ NFTNL_RULE_COMPAT_* attributes into rules being reused for counter
+ zeroing was broken by accident.
+
+ Make rule compat recovery aware of the alternative match, basically
+ reinstating the effect of commit 7a373f6683afb ("nft: Fix -Z for rules
+ with NFTA_RULE_COMPAT") but add a test case this time to make sure
+ things stay intact.
+
+ Fixes: 69278f9602b43 ("nft: use payload matching for layer 4 protocol")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ iptables/nft.c | 27 ++++++++++++++++---
+ .../nft-only/0011-zero-needs-compat_0 | 12 +++++++++
+ 2 files changed, 35 insertions(+), 4 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+
+diff --git a/iptables/nft.c b/iptables/nft.c
+index 97fd4f4..c4caf29 100644
+--- a/iptables/nft.c
++++ b/iptables/nft.c
+@@ -3679,6 +3679,27 @@ const char *nft_strerror(int err)
+ return strerror(err);
+ }
+
++static int l4proto_expr_get_dreg(struct nftnl_expr *e, uint32_t *dregp)
++{
++ const char *name = nftnl_expr_get_str(e, NFTNL_EXPR_NAME);
++ uint32_t poff = offsetof(struct iphdr, protocol);
++ uint32_t pbase = NFT_PAYLOAD_NETWORK_HEADER;
++
++ if (!strcmp(name, "payload") &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE) == pbase &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET) == poff &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN) == sizeof(uint8_t)) {
++ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_DREG);
++ return 0;
++ }
++ if (!strcmp(name, "meta") &&
++ nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) == NFT_META_L4PROTO) {
++ *dregp = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
++ return 0;
++ }
++ return -1;
++}
++
+ static int recover_rule_compat(struct nftnl_rule *r)
+ {
+ struct nftnl_expr_iter *iter;
+@@ -3695,12 +3716,10 @@ next_expr:
+ if (!e)
+ goto out;
+
+- if (strcmp("meta", nftnl_expr_get_str(e, NFTNL_EXPR_NAME)) ||
+- nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY) != NFT_META_L4PROTO)
++ /* may be 'ip protocol' or 'meta l4proto' with identical RHS */
++ if (l4proto_expr_get_dreg(e, ®) < 0)
+ goto next_expr;
+
+- reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
+-
+ e = nftnl_expr_iter_next(iter);
+ if (!e)
+ goto out;
+diff --git a/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0 b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+new file mode 100755
+index 0000000..e276a95
+--- /dev/null
++++ b/iptables/tests/shell/testcases/nft-only/0011-zero-needs-compat_0
+@@ -0,0 +1,12 @@
++#!/bin/bash
++
++[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
++
++set -e
++
++rule="-p tcp -m tcp --dport 27374 -c 23 42 -j TPROXY --on-port 50080"
++for cmd in iptables ip6tables; do
++ $XT_MULTI $cmd -t mangle -A PREROUTING $rule
++ $XT_MULTI $cmd -t mangle -Z
++ $XT_MULTI $cmd -t mangle -v -S | grep -q -- "${rule/23 42/0 0}"
++done
diff --git a/0005-extensions-libxt_sctp-Add-an-extra-assert.patch b/0005-extensions-libxt_sctp-Add-an-extra-assert.patch
new file mode 100644
index 0000000..47fe875
--- /dev/null
+++ b/0005-extensions-libxt_sctp-Add-an-extra-assert.patch
@@ -0,0 +1,43 @@
+From 6e4197dee5ff051f2daf1327faf1683fe350264f Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 12 Jun 2024 22:49:48 +0200
+Subject: [PATCH] extensions: libxt_sctp: Add an extra assert()
+
+JIRA: https://issues.redhat.com/browse/RHEL-40928
+Upstream Status: iptables commit 0234117d24609070f08ef36a11795c3c8e4c19bf
+
+commit 0234117d24609070f08ef36a11795c3c8e4c19bf
+Author: Phil Sutter
+Date: Fri May 17 15:20:05 2024 +0200
+
+ extensions: libxt_sctp: Add an extra assert()
+
+ The code is sane, but this keeps popping up in static code analyzers.
+
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ extensions/libxt_sctp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
+index 6e2b274..e8312f0 100644
+--- a/extensions/libxt_sctp.c
++++ b/extensions/libxt_sctp.c
+@@ -7,6 +7,7 @@
+ * libipt_ecn.c borrowed heavily from libipt_dscp.c
+ *
+ */
++#include
+ #include
+ #include
+ #include
+@@ -354,6 +355,7 @@ print_chunk_flags(uint32_t chunknum, uint8_t chunk_flags, uint8_t chunk_flags_ma
+
+ for (i = 7; i >= 0; i--) {
+ if (chunk_flags_mask & (1 << i)) {
++ assert(chunknum < ARRAY_SIZE(sctp_chunk_names));
+ if (chunk_flags & (1 << i)) {
+ printf("%c", sctp_chunk_names[chunknum].valid_flags[7-i]);
+ } else {
diff --git a/iptables.spec b/iptables.spec
index b9b8b95..1bfa602 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,5 +1,5 @@
 %define iptables_rpmversion 1.8.10
-%define iptables_specrelease 2
+%define iptables_specrelease 3
 
 # install init scripts to /usr/libexec with systemd
 %global script_path %{_libexecdir}/iptables
@@ -36,6 +36,8 @@ Source11: iptables-test.stderr.expect
 Patch1: 0001-doc-Add-deprecation-notices-to-all-relevant-man-page.patch
 Patch2: 0002-extensions-SECMARK-Use-a-better-context-in-test-case.patch
 Patch3: 0003-ebtables-Fix-corner-case-noflush-restore-bug.patch
+Patch4: 0004-nft-Fix-for-broken-recover_rule_compat.patch
+Patch5: 0005-extensions-libxt_sctp-Add-an-extra-assert.patch
 
 # pf.os: ISC license
 # iptables-apply: Artistic 2.0
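Review bot: The new guard in print_chunk_flags() is an assert(), so it checks chunknum against ARRAY_SIZE(sctp_chunk_names) only in builds compiled without NDEBUG and is removed otherwise, leaving the sctp_chunk_names[chunknum] lookup exactly as unchecked as before in a release build. The upstream message says the code is already sane, so this is presumably analyzer appeasement rather than a runtime bound; a comment on the added line, `/* chunknum is bounded by the caller; assert() only documents that for static analyzers */`, would stop the next reader from taking it for input validation. The header names were stripped from the `#include` lines in this rendering, so confirm the first added include is `<assert.h>` in the stored patch file. print_chunk_flags() and its for-loop continue outside the hunk.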
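Review bot: Patch4 and Patch5 are declared here but no %prep hunk is part of this diff, so whether they are applied depends on %prep using `%autosetup` (which picks up every PatchN automatically); if the spec applies patches with explicit `%patch` lines instead, both new patches would ship in the SRPM but never be applied and the 1.8.10-3 changelog entries would be wrong. Confirm %prep, or add the explicit apply lines alongside these declarations. Separately, this listing renders `&reg` as `®` in the 0004 hunk (`l4proto_expr_get_dreg(e, ®)`), which looks like an HTML-entity artifact of the page rather than the file; worth checking that the committed 0004 file is byte-identical to the upstream commit before it goes into a build.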
@@ -264,6 +266,21 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8
 touch %{buildroot}%{_mandir}/man8/arptables-restore.8
 touch %{buildroot}%{_mandir}/man8/ebtables.8
 
+# add symlinks for compatibility to merged extensions
+link_ext() { # (target, link)
+ local targetfile="%{buildroot}%{_libdir}/xtables/${1}.so"
+ local targetname="${1}.so"
+ local link="%{buildroot}%{_libdir}/xtables/${2}.so"
+ [[ -e "$link" ]] && return 0
+ [[ -e "$targetfile" ]] || return 0
+ ln -s $targetname $link
+}
+for fam in ip ip6; do
+ link_ext libxt_LOG lib${fam}t_LOG
+ link_ext libxt_NAT lib${fam}t_SNAT
+ link_ext libxt_NAT lib${fam}t_MASQUERADE
+done
+
 %ldconfig_scriptlets
 
 %post legacy
@@ -438,6 +455,7 @@ fi
 %{_sbindir}/ip{,6}tables-nft*
 %{_sbindir}/ip{,6}tables{,-restore}-translate
 %{_sbindir}/{eb,arp}tables-nft*
+%{_sbindir}/ebtables-translate
 %{_sbindir}/xtables-nft-multi
 %{_sbindir}/xtables-monitor
 %dir %{_libdir}/xtables
@@ -451,9 +469,15 @@ fi
 %ghost %{_sbindir}/{eb,arp}tables{,-save,-restore}
 %ghost %{_libexecdir}/arptables-helper
 %ghost %{_mandir}/man8/arptables{,-save,-restore}.8.gz
-%ghost %{_mandir}/man8/ebtables.8.gz
+%ghost %{_mandir}/man8/ebtables{,-translate}.8.gz
 
 %changelog
 
+* Wed Jun 12 2024 Phil Sutter [1.8.10-3.el9]
+- extensions: libxt_sctp: Add an extra assert() (Phil Sutter) [RHEL-40928]
+- spec: Add symlinks for merged extension DSOs (Phil Sutter) [RHEL-32463]
+- nft: Fix for broken recover_rule_compat() (Phil Sutter) [RHEL-26619]
+- spec: Ship ebtables-translate and man page (Phil Sutter) [RHEL-32922]
+
 * Tue Nov 07 2023 Phil Sutter [1.8.10-2.el9]
 - ebtables: Fix corner-case noflush restore bug (Phil Sutter) [RHEL-14147]
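Review bot: `ln -s $targetname $link` in link_ext() leaves both arguments unquoted, while the two `[[ -e ... ]]` tests just above quote the same variables; `$link` expands to a %{buildroot} path, so whitespace or a glob character in the build root would split or expand it. Write it as `ln -s "$targetname" "$link"` for consistency with the tests. `[[ -e "$link" ]]` also follows symlinks, so a stale dangling link at that path is treated as absent and the following `ln -s` fails with "File exists", which aborts %install under the `-e` rpmbuild typically runs scriptlets with; `[[ -e "$link" || -L "$link" ]]` covers that case if a reused build tree can contain one. A one-line comment above the function noting that the link target is the bare file name (`$targetname`) rather than the buildroot path, so the link stays valid after installation, would help the next packager.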