import iptables-1.8.10-8.el10

.gitignore

@@ -0,0 +1 @@
+SOURCES/iptables-1.8.10.tar.xz

.iptables.metadata

@@ -0,0 +1 @@
+ddbebf81eacbf900dc6dd4ed409353930397e0c2 SOURCES/iptables-1.8.10.tar.xz

SOURCES/0001-libiptc-Fix-for-another-segfault-due-to-chain-index-.patch

@@ -0,0 +1,81 @@
+From 88d7c7c51b4523add8b7d48209b5b6a316442e0f Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 12 Oct 2023 17:27:42 +0200
+Subject: [PATCH] libiptc: Fix for another segfault due to chain index NULL
+ pointer
+
+Chain rename code missed to adjust the num_chains value which is used to
+calculate the number of chain index buckets to allocate during an index
+rebuild. So with the right number of chains present, the last chain in a
+middle bucket being renamed (and ending up in another bucket) triggers
+an index rebuild based on false data. The resulting NULL pointer index
+bucket then causes a segfault upon reinsertion.
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713
+Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc")
+(cherry picked from commit e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620)
+---
+ .../testcases/chain/0008rename-segfault2_0    | 32 +++++++++++++++++++
+ libiptc/libiptc.c                             |  4 +++
+ 2 files changed, 36 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+
+diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+new file mode 100755
+index 0000000000000..bc473d2511bbd
+--- /dev/null
++++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0
+@@ -0,0 +1,32 @@
++#!/bin/bash
++#
++# Another funny rename bug in libiptc:
++# If there is a chain index bucket with only a single chain in it and it is not
++# the last one and that chain is renamed, a chain index rebuild is triggered.
++# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an
++# extra index is allocated and remains NULL. The following insert of renamed
++# chain then segfaults.
++
++(
++	echo "*filter"
++	# first bucket
++	for ((i = 0; i < 40; i++)); do
++		echo ":chain-a-$i - [0:0]"
++	done
++	# second bucket
++	for ((i = 0; i < 40; i++)); do
++		echo ":chain-b-$i - [0:0]"
++	done
++	# third bucket, just make sure it exists
++	echo ":chain-c-0 - [0:0]"
++	echo "COMMIT"
++) | $XT_MULTI iptables-restore
++
++# rename all chains of the middle bucket
++(
++	echo "*filter"
++	for ((i = 0; i < 40; i++)); do
++		echo "-E chain-b-$i chain-d-$i"
++	done
++	echo "COMMIT"
++) | $XT_MULTI iptables-restore --noflush
+diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
+index e475063367c26..9712a36353b9a 100644
+--- a/libiptc/libiptc.c
++++ b/libiptc/libiptc.c
+@@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname,
+ 		return 0;
+ 	}
+ 
++	handle->num_chains--;
++
+ 	/* This only unlinks "c" from the list, thus no free(c) */
+ 	iptcc_chain_index_delete_chain(c, handle);
+ 
+ 	/* Change the name of the chain */
+ 	strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1);
+ 
++	handle->num_chains++;
++
+ 	/* Insert sorted into to list again */
+ 	iptc_insert_chain(handle, c);
+ 

SOURCES/0002-arptables-nft-remove-ARPT_INV-flags-usage.patch

@@ -0,0 +1,81 @@
+From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 3 Nov 2023 17:33:22 +0100
+Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage
+
+ARPT_ and IPT_INV flags are not interchangeable, e.g.:
+define IPT_INV_SRCDEVADDR	0x0080
+define ARPT_INV_SRCDEVADDR	0x0010
+
+as these flags can be tested by libarp_foo.so such checks can yield
+incorrect results.
+
+Because arptables-nft uses existing code, e.g. xt_mark, it makes
+sense to unify this completely by converting the last users of
+ARPT_INV_ constants.
+
+Note that arptables-legacy does not do run-time module loading via
+dlopen(). Functionaliy implemented by "extensions" in the
+arptables-legacy git tree are built-in, so this doesn't break
+arptables-legacy binaries.
+
+Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68)
+---
+ extensions/libarpt_mangle.c | 4 ++--
+ iptables/nft-arp.c          | 2 +-
+ iptables/xshared.h          | 4 +++-
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c
+index 765edf34781f3..a846e97ec8f27 100644
+--- a/extensions/libarpt_mangle.c
++++ b/extensions/libarpt_mangle.c
+@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
+ 		if (e->arp.arhln_mask == 0)
+ 			xtables_error(PARAMETER_PROBLEM,
+ 				      "no --h-length defined");
+-		if (e->arp.invflags & ARPT_INV_ARPHLN)
++		if (e->arp.invflags & IPT_INV_ARPHLN)
+ 			xtables_error(PARAMETER_PROBLEM,
+ 				      "! --h-length not allowed for "
+ 				      "--mangle-mac-s");
+@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
+ 		if (e->arp.arhln_mask == 0)
+ 			xtables_error(PARAMETER_PROBLEM,
+ 				      "no --h-length defined");
+-		if (e->arp.invflags & ARPT_INV_ARPHLN)
++		if (e->arp.invflags & IPT_INV_ARPHLN)
+ 			xtables_error(PARAMETER_PROBLEM,
+ 				      "! hln not allowed for --mangle-mac-d");
+ 		if (e->arp.arhln != 6)
+diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
+index aed39ebdd5166..535dd6b83237b 100644
+--- a/iptables/nft-arp.c
++++ b/iptables/nft-arp.c
+@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command,
+ 					 &args->d.naddrs);
+ 
+ 	if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
+-	    (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
++	    (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
+ 		xtables_error(PARAMETER_PROBLEM,
+ 			      "! not allowed with multiple"
+ 			      " source or destination IP addresses");
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index a200e0d620ad3..5586385456a4d 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -80,7 +80,9 @@ struct xtables_target;
+ #define ARPT_OPTSTRING	OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
+ #define EBT_OPTSTRING	OPTSTRING_COMMON "hv"
+ 
+-/* define invflags which won't collide with IPT ones */
++/* define invflags which won't collide with IPT ones.
++ * arptables-nft does NOT use the legacy ARPT_INV_* defines.
++ */
+ #define IPT_INV_SRCDEVADDR	0x0080
+ #define IPT_INV_TGTDEVADDR	0x0100
+ #define IPT_INV_ARPHLN		0x0200

SOURCES/0003-ebtables-Fix-corner-case-noflush-restore-bug.patch

@@ -0,0 +1,63 @@
+From b7051898e28854b21bc7a37ef24ca037ef977e4a Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 7 Nov 2023 19:12:14 +0100
+Subject: [PATCH] ebtables: Fix corner-case noflush restore bug
+
+Report came from firwalld, but this is actually rather hard to trigger.
+Since a regular chain line prevents it, typical dump/restore use-cases
+are unaffected.
+
+Fixes: 73611d5582e72 ("ebtables-nft: add broute table emulation")
+Cc: Eric Garver <eric@garver.life>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit c1083acea70787eea3f7929fd04718434bb05ba8)
+---
+ .../testcases/ebtables/0009-broute-bug_0      | 25 +++++++++++++++++++
+ iptables/xtables-eb.c                         |  2 ++
+ 2 files changed, 27 insertions(+)
+ create mode 100755 iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+
+diff --git a/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0 b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+new file mode 100755
+index 0000000000000..0def0ac58e7be
+--- /dev/null
++++ b/iptables/tests/shell/testcases/ebtables/0009-broute-bug_0
+@@ -0,0 +1,25 @@
++#!/bin/sh
++#
++# Missing BROUTING-awareness in ebt_get_current_chain() caused an odd caching bug when restoring:
++# - with --noflush
++# - a second table after the broute one
++# - A policy command but no chain line for BROUTING chain
++
++set -e
++
++case "$XT_MULTI" in
++*xtables-nft-multi)
++	;;
++*)
++	echo "skip $XT_MULTI"
++	exit 0
++	;;
++esac
++
++$XT_MULTI ebtables-restore --noflush <<EOF
++*broute
++-P BROUTING ACCEPT
++*nat
++-P PREROUTING ACCEPT
++COMMIT
++EOF
+diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
+index 08eec79d80400..a8ad57c735cc5 100644
+--- a/iptables/xtables-eb.c
++++ b/iptables/xtables-eb.c
+@@ -169,6 +169,8 @@ int ebt_get_current_chain(const char *chain)
+ 		return NF_BR_LOCAL_OUT;
+ 	else if (strcmp(chain, "POSTROUTING") == 0)
+ 		return NF_BR_POST_ROUTING;
++	else if (strcmp(chain, "BROUTING") == 0)
++		return NF_BR_BROUTING;
+ 
+ 	/* placeholder for user defined chain */
+ 	return NF_BR_NUMHOOKS;

SOURCES/0004-xshared-struct-xt_cmd_parse-xlate-is-unused.patch

@@ -0,0 +1,42 @@
+From 37622ca0f4c29c9a06b0d2f3f1abc6695c57d560 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Sun, 19 Nov 2023 13:18:26 +0100
+Subject: [PATCH] xshared: struct xt_cmd_parse::xlate is unused
+
+Drop the boolean, it was meant to disable some existence checks in
+do_parse() prior to the caching rework. Now that do_parse() runs before
+any caching is done, the checks in question don't exist anymore so drop
+this relict.
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit b180d9c86d2cce6ab6fd3e3617faf320a8a1babb)
+---
+ iptables/xshared.h           | 1 -
+ iptables/xtables-translate.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index 5586385456a4d..c77556a1987dc 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -284,7 +284,6 @@ struct xt_cmd_parse {
+ 	bool				restore;
+ 	int				line;
+ 	int				verbose;
+-	bool				xlate;
+ 	struct xt_cmd_parse_ops		*ops;
+ };
+ 
+diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
+index 88e0a6b639494..c019cd2991305 100644
+--- a/iptables/xtables-translate.c
++++ b/iptables/xtables-translate.c
+@@ -249,7 +249,6 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
+ 		.table		= *table,
+ 		.restore	= restore,
+ 		.line		= line,
+-		.xlate		= true,
+ 		.ops		= &h->ops->cmd_parse,
+ 	};
+ 	struct iptables_command_state cs = {

SOURCES/0005-xshared-All-variants-support-v-update-OPTSTRING_COMM.patch

@@ -0,0 +1,31 @@
+From 436dd5a6ba5639c8e83183f6252ce7bd37760e1c Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Sun, 19 Nov 2023 13:25:36 +0100
+Subject: [PATCH] xshared: All variants support -v, update OPTSTRING_COMMON
+
+Fixes: 51d9d9e081344 ("ebtables: Support verbose mode")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 9a9ff768cab58aea02828e422184873e52e9846a)
+---
+ iptables/xshared.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/iptables/xshared.h b/iptables/xshared.h
+index c77556a1987dc..815b9d3e98726 100644
+--- a/iptables/xshared.h
++++ b/iptables/xshared.h
+@@ -75,10 +75,10 @@ struct xtables_globals;
+ struct xtables_rule_match;
+ struct xtables_target;
+ 
+-#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:"
+-#define IPT_OPTSTRING	OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nvw::x"
+-#define ARPT_OPTSTRING	OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
+-#define EBT_OPTSTRING	OPTSTRING_COMMON "hv"
++#define OPTSTRING_COMMON "-:A:C:D:E:F::I:L::M:N:P:VX::Z::" "c:d:i:j:o:p:s:t:v"
++#define IPT_OPTSTRING	OPTSTRING_COMMON "R:S::W::" "46bfg:h::m:nw::x"
++#define ARPT_OPTSTRING	OPTSTRING_COMMON "R:S::" "h::l:nx" /* "m:" */
++#define EBT_OPTSTRING	OPTSTRING_COMMON "h"
+ 
+ /* define invflags which won't collide with IPT ones.
+  * arptables-nft does NOT use the legacy ARPT_INV_* defines.

SOURCES/0006-ebtables-Align-line-number-formatting-with-legacy.patch

@@ -0,0 +1,28 @@
+From ffd0c96de7bbc558b9b7a8bcbeebd9576fec8e59 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 21 Nov 2023 22:58:47 +0100
+Subject: [PATCH] ebtables: Align line number formatting with legacy
+
+Legacy ebtables appends a dot to the number printed in first column if
+--Ln flag was given.
+
+Fixes: da871de2a6efb ("nft: bootstrap ebtables-compat")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 74253799f0ca0735256327e834b7dffedde96ebf)
+---
+ iptables/nft-bridge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
+index d9a8ad2b0f373..e414ef5584392 100644
+--- a/iptables/nft-bridge.c
++++ b/iptables/nft-bridge.c
+@@ -354,7 +354,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
+ 	struct iptables_command_state cs = {};
+ 
+ 	if (format & FMT_LINENUMBERS)
+-		printf("%d ", num);
++		printf("%d. ", num);
+ 
+ 	nft_rule_to_ebtables_command_state(h, r, &cs);
+ 	__nft_bridge_save_rule(&cs, format);

SOURCES/0007-man-Do-not-escape-exclamation-marks.patch

@@ -0,0 +1,44 @@
+From 1c9549af3566e6c0b5573d6f91b25934d8d99f79 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 28 Nov 2023 13:29:17 +0100
+Subject: [PATCH] man: Do not escape exclamation marks
+
+This appears to be not necessary, also mandoc complains about it:
+
+| mandoc: iptables/iptables-extensions.8:2170:52: UNSUPP: unsupported escape sequence: \!
+
+Fixes: 71eddedcbf7ae ("libip6t_DNPT: add manpage")
+Fixes: 0a4c357cb91e1 ("libip6t_SNPT: add manpage")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit d8c64911cfd602f57354f36e5ca79bbedd62aa7a)
+---
+ extensions/libip6t_DNPT.man | 2 +-
+ extensions/libip6t_SNPT.man | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man
+index 9b060f5b7179b..72c6ae5d422a2 100644
+--- a/extensions/libip6t_DNPT.man
++++ b/extensions/libip6t_DNPT.man
+@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
+ .PP
+ You have to use the SNPT target to undo the translation. Example:
+ .IP
+-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
++ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
+ \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
+ .IP
+ ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
+diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man
+index 97e0071b43cc1..0c926978377a7 100644
+--- a/extensions/libip6t_SNPT.man
++++ b/extensions/libip6t_SNPT.man
+@@ -15,7 +15,7 @@ Set destination prefix that you want to use in the translation and length
+ .PP
+ You have to use the DNPT target to undo the translation. Example:
+ .IP
+-ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
++ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 ! \-o vboxnet0
+ \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
+ .IP
+ ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64

SOURCES/0008-libxtables-xtoptions-Fix-for-non-CIDR-compatible-hos.patch

@@ -0,0 +1,49 @@
+From f667f577e6d29e62f55cdc4e1e39414913bf7c4c Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 28 Nov 2023 20:21:49 +0100
+Subject: [PATCH] libxtables: xtoptions: Fix for non-CIDR-compatible hostmasks
+
+In order to parse the mask, xtopt_parse_hostmask() calls
+xtopt_parse_plenmask() thereby limiting netmask support to prefix
+lengths (alternatively specified in IP address notation).
+
+In order to lift this impractical restriction, make
+xtopt_parse_plenmask() aware of the fact that xtopt_parse_plen() may
+fall back to xtopt_parse_mask() which correctly initializes val.hmask
+itself and indicates non-CIDR-compatible masks by setting val.hlen to
+-1.
+
+So in order to support these odd masks, it is sufficient for
+xtopt_parse_plenmask() to skip its mask building from val.hlen value and
+take whatever val.hmask contains.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 41139aee5e53304182a25f1e573f034b313f7232)
+---
+ libxtables/xtoptions.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index b16bbfbe32311..d91a78f470eda 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -711,6 +711,10 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
+ 
+ 	xtopt_parse_plen(cb);
+ 
++	/* may not be convertible to CIDR notation */
++	if (cb->val.hlen == (uint8_t)-1)
++		goto out_put;
++
+ 	memset(mask, 0xFF, sizeof(union nf_inet_addr));
+ 	/* This shifting is AF-independent. */
+ 	if (cb->val.hlen == 0) {
+@@ -731,6 +735,7 @@ static void xtopt_parse_plenmask(struct xt_option_call *cb)
+ 	mask[1] = htonl(mask[1]);
+ 	mask[2] = htonl(mask[2]);
+ 	mask[3] = htonl(mask[3]);
++out_put:
+ 	if (entry->flags & XTOPT_PUT)
+ 		memcpy(XTOPT_MKPTR(cb), mask, sizeof(union nf_inet_addr));
+ }

SOURCES/0009-iptables-legacy-Fix-for-mandatory-lock-waiting.patch

@@ -0,0 +1,114 @@
+From 2568af12c3cf96a8b28082e6188dba94441b21c1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 19 Dec 2023 00:56:07 +0100
+Subject: [PATCH] iptables-legacy: Fix for mandatory lock waiting
+
+Parameter 'wait' passed to xtables_lock() signals three modes of
+operation, depending on its value:
+
+ 0: --wait not specified, do not wait if lock is busy
+-1: --wait specified without value, wait indefinitely until lock becomes
+    free
+>0: Wait for 'wait' seconds for lock to become free, abort otherwise
+
+Since fixed commit, the first two cases were treated the same apart from
+calling alarm(0), but that is a nop if no alarm is pending. Fix the code
+by requesting a non-blocking flock() in the second case. While at it,
+restrict the alarm setup to the third case only.
+
+Cc: Jethro Beekman <jethro@fortanix.com>
+Cc: howardjohn@google.com
+Cc: Antonio Ojea <antonio.ojea.garcia@gmail.com>
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1728
+Fixes: 07e2107ef0cbc ("xshared: Implement xtables lock timeout using signals")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+(cherry picked from commit 63ab5b8906f6913a14d38ec231f21daa760339a9)
+---
+ .../shell/testcases/iptables/0010-wait_0      | 55 +++++++++++++++++++
+ iptables/xshared.c                            |  4 +-
+ 2 files changed, 57 insertions(+), 2 deletions(-)
+ create mode 100755 iptables/tests/shell/testcases/iptables/0010-wait_0
+
+diff --git a/iptables/tests/shell/testcases/iptables/0010-wait_0 b/iptables/tests/shell/testcases/iptables/0010-wait_0
+new file mode 100755
+index 0000000000000..4481f966ce435
+--- /dev/null
++++ b/iptables/tests/shell/testcases/iptables/0010-wait_0
+@@ -0,0 +1,55 @@
++#!/bin/bash
++
++case "$XT_MULTI" in
++*xtables-legacy-multi)
++	;;
++*)
++	echo skip $XT_MULTI
++	exit 0
++	;;
++esac
++
++coproc RESTORE { $XT_MULTI iptables-restore; }
++echo "*filter" >&${RESTORE[1]}
++
++
++$XT_MULTI iptables -A FORWARD -j ACCEPT &
++ipt_pid=$!
++
++waitpid -t 1 $ipt_pid
++[[ $? -eq 3 ]] && {
++	echo "process waits when it should not"
++	exit 1
++}
++wait $ipt_pid
++[[ $? -eq 0 ]] && {
++	echo "process exited 0 despite busy lock"
++	exit 1
++}
++
++t0=$(date +%s)
++$XT_MULTI iptables -w 3 -A FORWARD -j ACCEPT
++t1=$(date +%s)
++[[ $((t1 - t0)) -ge 3 ]] || {
++	echo "wait time not expired"
++	exit 1
++}
++
++$XT_MULTI iptables -w -A FORWARD -j ACCEPT &
++ipt_pid=$!
++
++waitpid -t 3 $ipt_pid
++[[ $? -eq 3 ]] || {
++	echo "no indefinite wait"
++	exit 1
++}
++kill $ipt_pid
++waitpid -t 3 $ipt_pid
++[[ $? -eq 3 ]] && {
++	echo "killed waiting iptables call did not exit in time"
++	exit 1
++}
++
++kill $RESTORE_PID
++wait
++exit 0
+diff --git a/iptables/xshared.c b/iptables/xshared.c
+index 5f75a0a57a023..690502c457dd0 100644
+--- a/iptables/xshared.c
++++ b/iptables/xshared.c
+@@ -270,7 +270,7 @@ static int xtables_lock(int wait)
+ 		return XT_LOCK_FAILED;
+ 	}
+ 
+-	if (wait != -1) {
++	if (wait > 0) {
+ 		sigact_alarm.sa_handler = alarm_ignore;
+ 		sigact_alarm.sa_flags = SA_RESETHAND;
+ 		sigemptyset(&sigact_alarm.sa_mask);
+@@ -278,7 +278,7 @@ static int xtables_lock(int wait)
+ 		alarm(wait);
+ 	}
+ 
+-	if (flock(fd, LOCK_EX) == 0)
++	if (flock(fd, LOCK_EX | (wait ? 0 : LOCK_NB)) == 0)
+ 		return fd;
+ 
+ 	if (errno == EINTR) {

SOURCES/0010-libxtables-xtoptions-Prevent-XTOPT_PUT-with-XTTYPE_H.patch

@@ -0,0 +1,40 @@
+From 07ab8c7e7a1eeb6a5bb4028d92d713034df39167 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Sun, 17 Dec 2023 13:02:36 +0100
+Subject: [PATCH] libxtables: xtoptions: Prevent XTOPT_PUT with XTTYPE_HOSTMASK
+
+Do as the comment in xtopt_parse_hostmask() claims and omit
+XTTYPE_HOSTMASK from xtopt_psize array so xtables_option_metavalidate()
+will catch the incompatibility.
+
+Fixes: 66266abd17adc ("libxtables: XTTYPE_HOSTMASK support")
+(cherry picked from commit 17d724f20e3c97ea8ce8765ca532a3cf49a98b31)
+---
+ include/xtables.h      | 1 -
+ libxtables/xtoptions.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/include/xtables.h b/include/xtables.h
+index 087a1d600f9ae..9def9b43b6e58 100644
+--- a/include/xtables.h
++++ b/include/xtables.h
+@@ -61,7 +61,6 @@ struct in_addr;
+  * %XTTYPE_SYSLOGLEVEL:	syslog level by name or number
+  * %XTTYPE_HOST:	one host or address (ptr: union nf_inet_addr)
+  * %XTTYPE_HOSTMASK:	one host or address, with an optional prefix length
+- * 			(ptr: union nf_inet_addr; only host portion is stored)
+  * %XTTYPE_PROTOCOL:	protocol number/name from /etc/protocols (ptr: uint8_t)
+  * %XTTYPE_PORT:	16-bit port name or number (supports %XTOPT_NBO)
+  * %XTTYPE_PORTRC:	colon-separated port range (names acceptable),
+diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
+index d91a78f470eda..ba68056dc99f7 100644
+--- a/libxtables/xtoptions.c
++++ b/libxtables/xtoptions.c
+@@ -57,7 +57,6 @@ static const size_t xtopt_psize[] = {
+ 	[XTTYPE_STRING]      = -1,
+ 	[XTTYPE_SYSLOGLEVEL] = sizeof(uint8_t),
+ 	[XTTYPE_HOST]        = sizeof(union nf_inet_addr),
+-	[XTTYPE_HOSTMASK]    = sizeof(union nf_inet_addr),
+ 	[XTTYPE_PROTOCOL]    = sizeof(uint8_t),
+ 	[XTTYPE_PORT]        = sizeof(uint16_t),
+ 	[XTTYPE_PORTRC]      = sizeof(uint16_t[2]),

SOURCES/arptables-nft-helper

@@ -0,0 +1,73 @@
+#!/bin/sh
+
+ARPTABLES_CONFIG=/etc/sysconfig/arptables
+
+# compat for removed initscripts dependency
+
+success() {
+	echo "[  OK  ]"
+	return 0
+}
+
+failure() {
+	echo "[FAILED]"
+	return 1
+}
+
+start() {
+	if [ ! -x /usr/sbin/arptables ]; then
+		exit 4
+	fi
+
+	# don't do squat if we don't have the config file
+	if [ -f $ARPTABLES_CONFIG ]; then
+		printf "Applying arptables firewall rules: "
+		/usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \
+			success || \
+			failure
+		touch /var/lock/subsys/arptables
+	else
+		failure
+		echo "Configuration file /etc/sysconfig/arptables missing"
+		exit 6
+	fi
+}
+
+stop() {
+	printf "Removing user defined chains: "
+	arptables -X && success || failure
+	printf "Flushing all chains: "
+	arptables -F && success || failure
+	printf "Resetting built-in chains to the default ACCEPT policy: "
+	arptables -P INPUT ACCEPT && \
+		arptables -P OUTPUT ACCEPT && \
+		success || \
+		failure
+	rm -f /var/lock/subsys/arptables
+}
+
+case "$1" in
+start)
+	start
+	;;
+
+stop)
+	stop
+	;;
+
+restart|reload)
+	# "restart" is really just "start" as this isn't a daemon,
+	# and "start" clears any pre-defined rules anyway.
+	# This is really only here to make those who expect it happy
+	start
+	;;
+
+condrestart|try-restart|force-reload)
+	[ -e /var/lock/subsys/arptables ] && start
+	;;
+
+*)
+	exit 2
+esac
+
+exit 0

SOURCES/iptables-config

@@ -0,0 +1,59 @@
+# Load additional iptables modules (nat helpers)
+#   Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modprobe.conf.
+IPTABLES_MODULES=""
+
+# Save current firewall rules on stop.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+#   Value: yes|no,  default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+#   Value: yes|no,  default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+#   Value: yes|no,  default: yes
+# Print IP addresses and port numbers in numeric format in the status output.
+IPTABLES_STATUS_NUMERIC="yes"
+
+# Verbose status output
+#   Value: yes|no,  default: yes
+# Print info about the number of packets and bytes plus the "input-" and
+# "outputdevice" in the status output.
+IPTABLES_STATUS_VERBOSE="no"
+
+# Status output with numbered lines
+#   Value: yes|no,  default: yes
+# Print a counter/number for every rule in the status output.
+IPTABLES_STATUS_LINENUMBERS="yes"
+
+# Reload sysctl settings on start and restart
+#   Default: -none-
+# Space separated list of sysctl items which are to be reloaded on start.
+# List items will be matched by fgrep.
+#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
+
+# Set wait option for iptables-restore calls in seconds
+#   Default: 600
+# Set to 0 to deactivate the wait.
+#IPTABLES_RESTORE_WAIT=600
+
+# Set wait interval option for iptables-restore calls in microseconds
+#   Default: 1000000
+# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a
+# second.
+# Only usable with IPTABLES_RESTORE_WAIT > 0
+#IPTABLES_RESTORE_WAIT_INTERVAL=1000000

SOURCES/iptables.init

@@ -0,0 +1,450 @@
+#!/bin/bash
+#
+# iptables	Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description:	Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop iptables firewall
+# Description: Start, stop and save iptables firewall
+### END INIT INFO
+
+# compat for removed initscripts dependency
+
+success() {
+	echo -n "[  OK  ]"
+	return 0
+}
+
+warning() {
+	echo -n "[WARNING]"
+	return 1
+}
+
+failure() {
+	echo -n "[FAILED]"
+	return 1
+}
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+# only usable for root
+if [ $EUID != 0 ]; then
+    echo -n $"${IPTABLES}: Only usable by root."; warning; echo
+    exit 4
+fi
+
+if [ ! -x /sbin/$IPTABLES ]; then
+    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+    exit 5
+fi
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="yes"
+IPTABLES_STATUS_VERBOSE="no"
+IPTABLES_STATUS_LINENUMBERS="yes"
+IPTABLES_SYSCTL_LOAD_LIST=""
+IPTABLES_RESTORE_WAIT=600
+IPTABLES_RESTORE_WAIT_INTERVAL=1000000
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+is_iptables_nft() {
+	iptables --version | grep -q '(nf_tables)'
+}
+
+netfilter_active() {
+	is_iptables_nft && return 0
+	[ -e "$PROC_IPTABLES_NAMES" ]
+}
+
+netfilter_tables() {
+	netfilter_active || return 1
+	is_iptables_nft && {
+		# explicitly omit security table from this list as
+		# it should be reserved for SELinux use
+		echo "raw mangle filter nat"
+		return 0
+	}
+	cat "$PROC_IPTABLES_NAMES" 2>/dev/null
+}
+
+# Get active tables
+NF_TABLES=$(netfilter_tables)
+
+
+flush_n_delete() {
+    # Flush firewall rules and delete chains.
+    netfilter_active || return 0
+
+    # Check if firewall is configured (has tables)
+    [ -z "$NF_TABLES" ] && return 1
+
+    echo -n $"${IPTABLES}: Flushing firewall rules: "
+    ret=0
+    # For all tables
+    for i in $NF_TABLES; do
+        # Flush firewall rules.
+	$IPTABLES -t $i -F;
+	let ret+=$?;
+
+        # Delete firewall chains.
+	$IPTABLES -t $i -X;
+	let ret+=$?;
+
+	# Set counter to zero.
+	$IPTABLES -t $i -Z;
+	let ret+=$?;
+    done
+
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+set_policy() {
+    # Set policy for configured tables.
+    policy=$1
+
+    # Check if iptable module is loaded
+    netfilter_active || return 0
+
+    # Check if firewall is configured (has tables)
+    tables=$(netfilter_tables)
+    [ -z "$tables" ] && return 1
+
+    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
+    ret=0
+    for i in $tables; do
+	echo -n "$i "
+	case "$i" in
+	    raw)
+		$IPTABLES -t raw -P PREROUTING $policy \
+		    && $IPTABLES -t raw -P OUTPUT $policy \
+		    || let ret+=1
+		;;
+	    filter)
+                $IPTABLES -t filter -P INPUT $policy \
+		    && $IPTABLES -t filter -P OUTPUT $policy \
+		    && $IPTABLES -t filter -P FORWARD $policy \
+		    || let ret+=1
+		;;
+	    nat)
+		$IPTABLES -t nat -P PREROUTING $policy \
+		    && $IPTABLES -t nat -P POSTROUTING $policy \
+		    && $IPTABLES -t nat -P OUTPUT $policy \
+		    || let ret+=1
+		;;
+	    mangle)
+	        $IPTABLES -t mangle -P PREROUTING $policy \
+		    && $IPTABLES -t mangle -P POSTROUTING $policy \
+		    && $IPTABLES -t mangle -P INPUT $policy \
+		    && $IPTABLES -t mangle -P OUTPUT $policy \
+		    && $IPTABLES -t mangle -P FORWARD $policy \
+		    || let ret+=1
+		;;
+	    *)
+	        let ret+=1
+		;;
+        esac
+    done
+
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+load_sysctl() {
+    # load matched sysctl values
+    if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
+        echo -n $"Loading sysctl settings: "
+        ret=0
+        for item in $IPTABLES_SYSCTL_LOAD_LIST; do
+            fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null
+            let ret+=$?;
+        done
+        [ $ret -eq 0 ] && success || failure
+        echo
+    fi
+    return $ret
+}
+
+start() {
+    # Do not start if there is no config file.
+    if [ ! -f "$IPTABLES_DATA" ]; then
+	echo -n $"${IPTABLES}: No config file."; warning; echo
+	return 6
+    fi
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Applying firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+    if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+       OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+       if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+           OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+       fi
+    fi
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo;
+	if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
+	    echo -n $"${IPTABLES}: Applying firewall fallback rules: "
+	    $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
+	    if [ $? -eq 0 ]; then
+		success; echo
+	    else
+		failure; echo; return 1
+	    fi
+	else
+	    return 1
+	fi
+    fi
+ 
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+ 
+    # Load sysctl settings
+    load_sysctl
+
+    touch $VAR_SUBSYS_IPTABLES
+    return $ret
+}
+
+stop() {
+    # Do not stop if iptables module is not loaded.
+    netfilter_active || return 0
+
+    # Set default chain policy to ACCEPT, in order to not break shutdown
+    # on systems where the default policy is DROP and root device is
+    # network-based (i.e.: iSCSI, NFS)
+    set_policy ACCEPT
+    # And then, flush the rules and delete chains
+    flush_n_delete
+
+    rm -f $VAR_SUBSYS_IPTABLES
+    return $ret
+}
+
+save() {
+    # Check if iptable module is loaded
+    if ! netfilter_active; then
+	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+	return 0
+    fi
+
+    # Check if firewall is configured (has tables)
+    if [ -z "$NF_TABLES" ]; then
+	echo -n $"${IPTABLES}: Nothing to save."; warning; echo
+	return 6
+    fi
+
+    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+    ret=0
+    TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
+	&& chmod 600 "$TMP_FILE" \
+	&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+	&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
+	|| ret=1
+    if [ $ret -eq 0 ]; then
+	if [ -e $IPTABLES_DATA ]; then
+	    cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+		&& chmod 600 $IPTABLES_DATA.save \
+		&& restorecon $IPTABLES_DATA.save \
+		|| ret=1
+	fi
+	if [ $ret -eq 0 ]; then
+	    mv -f $TMP_FILE $IPTABLES_DATA \
+		&& chmod 600 $IPTABLES_DATA \
+		&& restorecon $IPTABLES_DATA \
+	        || ret=1
+	fi
+    fi
+    rm -f $TMP_FILE
+    [ $ret -eq 0 ] && success || failure
+    echo
+    return $ret
+}
+
+status() {
+    if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
+	echo $"${IPTABLES}: Firewall is not running."
+	return 3
+    fi
+
+    # Do not print status if lockfile is missing and iptables modules are not 
+    # loaded.
+    # Check if iptable modules are loaded
+    if ! netfilter_active; then
+	echo $"${IPTABLES}: Firewall modules are not loaded."
+	return 3
+    fi
+
+    # Check if firewall is configured (has tables)
+    if [ -z "$NF_TABLES" ]; then
+	echo $"${IPTABLES}: Firewall is not configured. "
+	return 3
+    fi
+
+    NUM=
+    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+    VERBOSE=
+    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
+    COUNT=
+    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
+
+    for table in $NF_TABLES; do
+	echo $"Table: $table"
+	$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
+    done
+
+    return 0
+}
+
+reload() {
+    # Do not reload if there is no config file.
+    if [ ! -f "$IPTABLES_DATA" ]; then
+	echo -n $"${IPTABLES}: No config file."; warning; echo
+	return 6
+    fi
+
+    # check if ipv6 module load is deactivated
+    if [ "${_IPV}" = "ipv6" ] \
+	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+	echo $"${IPTABLES}: ${_IPV} is disabled."
+	return 150
+    fi
+
+    echo -n $"${IPTABLES}: Trying to reload firewall rules: "
+
+    OPT=
+    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+    if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then
+       OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}"
+       if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then
+           OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}"
+       fi
+    fi
+
+    $IPTABLES-restore $OPT $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+	success; echo
+    else
+	failure; echo; echo "Firewall rules are not changed."; return 1
+    fi
+
+    # Load additional modules (helpers)
+    if [ -n "$IPTABLES_MODULES" ]; then
+	echo -n $"${IPTABLES}: Loading additional modules: "
+	ret=0
+	for mod in $IPTABLES_MODULES; do
+	    echo -n "$mod "
+	    modprobe $mod > /dev/null 2>&1
+	    let ret+=$?;
+	done
+	[ $ret -eq 0 ] && success || failure
+	echo
+    fi
+
+    # Load sysctl settings
+    load_sysctl
+
+    return $ret
+}
+
+restart() {
+    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+    stop
+    start
+}
+
+
+case "$1" in
+    start)
+	[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	start
+	RETVAL=$?
+	;;
+    stop)
+	[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+	stop
+	RETVAL=$?
+	;;
+    restart|force-reload)
+	restart
+	RETVAL=$?
+	;;
+    reload)
+	[ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+	RETVAL=$?
+	;;      
+    condrestart|try-restart)
+	[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
+	restart
+	RETVAL=$?
+	;;
+    status)
+	status
+	RETVAL=$?
+	;;
+    panic)
+	set_policy DROP
+	RETVAL=$?
+        ;;
+    save)
+	save
+	RETVAL=$?
+	;;
+    *)
+	echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
+	RETVAL=2
+	;;
+esac
+
+exit $RETVAL

SOURCES/iptables.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=IPv4 firewall with iptables
+AssertPathExists=/etc/sysconfig/iptables
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/iptables/iptables.init start
+ExecReload=/usr/libexec/iptables/iptables.init reload
+ExecStop=/usr/libexec/iptables/iptables.init stop
+Environment=BOOTUP=serial
+Environment=CONSOLETYPE=serial
+
+[Install]
+WantedBy=multi-user.target

SOURCES/sysconfig_ip6tables

@@ -0,0 +1,15 @@
+# sample configuration for ip6tables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT

SOURCES/sysconfig_iptables

@@ -0,0 +1,14 @@
+# sample configuration for iptables service
+# you can edit this manually or use system-config-firewall
+# please do not ask us to add additional ports/services to this default configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT