The whole concept is unfixably broken:
Some kernel modules are used by both IPv4 and IPv6 netfilter and the
algorithm has no way to identify this situation. Therefore if iptables
and ip6tables services are restarted in parallel, one's module unloading
tends to stomp onto the other's attempt at loading rules.
Another problem is with OVS: iptables service unloading conntrack
modules breaks a running OVS instance.
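Both problems above come from removing a netfilter module together with everything that refers to it. As an added example, not code from this page or from the iptables package, the POSIX shell below walks the used-by column of a constructed /proc/modules snapshot to list that collateral for a module and to flag modules whose removal would hit both the IPv4 and IPv6 sides; the snapshot contents and the IPv4/IPv6 name patterns are this example's own assumptions.

```shell
# Constructed /proc/modules snapshot (example data, not a real host). Fields:
# name, size, use count, comma-separated "used by" list ("-" if none), state, address.
sample_snapshot() {
cat <<'EOF'
ip6table_filter 16384 1 - Live 0x0
ip6_tables 28672 1 ip6table_filter, Live 0x0
iptable_filter 16384 1 - Live 0x0
iptable_nat 16384 1 - Live 0x0
nf_nat_ipv4 16384 1 iptable_nat, Live 0x0
nf_nat 36864 1 nf_nat_ipv4, Live 0x0
ip_tables 28672 2 iptable_filter,iptable_nat, Live 0x0
x_tables 40960 5 ip6table_filter,ip6_tables,iptable_filter,iptable_nat,ip_tables, Live 0x0
nf_conntrack_ipv6 20480 0 - Live 0x0
openvswitch 225280 0 - Live 0x0
nf_conntrack 139264 4 nf_nat_ipv4,nf_nat,nf_conntrack_ipv6,openvswitch, Live 0x0
EOF
}

# collateral MODULE < snapshot: print every module that has to go before MODULE
# can be removed (the transitive "used by" set), users before the modules they
# use, so the output is a valid removal order.
collateral() {
    awk -v start="$1" '
        { users[$1] = ($4 == "-") ? "" : $4 }
        function visit(m,   n, u, i) {
            seen[m] = 1
            n = split(users[m], u, ",")
            for (i = 1; i <= n; i++)
                if (u[i] != "" && !(u[i] in seen)) visit(u[i])
            if (m != start) print m
        }
        END { if (start in users) visit(start) }'
}

# shared_by_both_families MODULE < snapshot: exit 0 when the collateral contains
# both IPv4 and IPv6 netfilter modules, i.e. the module that parallel iptables
# and ip6tables restarts would fight over. The name patterns are a heuristic.
shared_by_both_families() {
    out=$(collateral "$1")
    printf '%s\n' "$out" | grep -Eq '^(ip_tables|iptable_|ipt_|nf_.*_ipv4)' &&
    printf '%s\n' "$out" | grep -Eq '^(ip6_tables|ip6table_|ip6t_|nf_.*_ipv6)'
}

for m in nf_conntrack x_tables ip_tables; do
    printf '%s takes down: ' "$m"
    sample_snapshot | collateral "$m" | tr '\n' ' '
    sample_snapshot | shared_by_both_families "$m" && echo '[both families]' || echo '[one family]'
done
```

A referrer check of this kind only shows what an unload would destroy; it cannot make the unload safe, because the other service can load a dependent module between the check and the removal, which is exactly the race described above.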
Upstream changelog:
http://netfilter.org/projects/iptables/files/changes-iptables-1.6.0.txt
- New libs sub package containing libxtables and unstable libip*tc libraries (RHBZ#1323161)
- Using scripts from RHEL-7 (RHBZ#1240366)
- New compat sub package for nftables compatibility
- Install iptables-apply (RHBZ#912047)
- Fixed module uninstall (RHBZ#1324101)
- Incorporated changes by Petr Pisar
- Enabled bpf compiler (RHBZ#1170227); thanks to Yanko Kaneti for the patch
- new version 1.4.21
- doc: clarify DEBUG usage macro
- iptables: use autoconf to process .in man pages
- extensions: libipt_ULOG: man page should mention NFLOG as replacement
- extensions: libxt_connlabel: use libnetfilter_conntrack
- Introduce a new revision for the set match with the counters support
- libxt_CT: Add the "NOTRACK" alias
- libip6t_mh: Correct command to list named mh types in manpage
- extensions: libxt_DNAT, libxt_REDIRECT, libxt_NETMAP, libxt_SNAT, libxt_MASQUERADE, libxt_LOG: rename IPv4 manpage and tell about IPv6 support
- extensions: libxt_LED: fix parsing of delay
- ip{6}tables-restore: fix breakage due to new locking approach
- libxt_recent: restore minimum value for --seconds
- iptables-xml: fix parameter parsing (similar to 2165f38)
- extensions: add copyright statements
- xtables: improve get_modprobe handling
- ip[6]tables: Add locking to prevent concurrent instances
- iptables: Fix connlabel.conf install location
- ip6tables: don't print out /128
- libip6t_LOG: target output is different to libipt_LOG
- build: additional include path required after UAPI changes
- iptables: iptables-xml: Fix various parsing bugs
- libxt_recent: restore reap functionality to recent module
- build: fail in configure on missing dependency with --enable-bpf-compiler
- extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameter
- extensions: libxt_set, libxt_SET: check the set family too
- ip6tables: Use consistent exit code for EAGAIN
- iptables: libxt_hashlimit.man: correct address
- iptables: libxt_conntrack.man extraneous commas
- iptables: libip(6)t_REJECT.man default icmp types
- iptables: iptables-xml.1 correct man section
- iptables: libxt_recent.{c,man} dead URL
- iptables: libxt_string.man add examples
- extensions: libxt_LOG: use generic syslog reference in manpage
- iptables: extensions/GNUMakefile.in use CPPFLAGS
- iptables: correctly reference generated file
- ip[6]tables: fix incorrect alignment in commands_v_options
- build: add software version to manpage first line at configure stage
- extensions: libxt_cluster: add note on arptables-jf
- utils: nfsynproxy: fix error while compiling the BPF filter
- extensions: add SYNPROXY extension
- utils: add nfsynproxy tool
- iptables: state match incompatibility across versions
- libxtables: xtables_ipmask_to_numeric incorrect with non-CIDR masks
- iptables: improve chain name validation
- iptables: spurious error in load_extension
- xtables: trivial spelling fix