diff --git a/0001-extensions-NAT-Fix-for-Werror-format-security.patch b/0001-extensions-NAT-Fix-for-Werror-format-security.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1d14727fd9e2f6c38413728ab263a01c287035ad
--- /dev/null
+++ b/0001-extensions-NAT-Fix-for-Werror-format-security.patch
@@ -0,0 +1,28 @@
+From ed4082a7405a5838c205a34c1559e289949200cc Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 12 Jan 2023 14:38:44 +0100
+Subject: [iptables PATCH] extensions: NAT: Fix for -Werror=format-security
+
+Have to pass either a string literal or format string to xt_xlate_add().
+
+Fixes: f30c5edce0413 ("extensions: Merge SNAT, DNAT, REDIRECT and MASQUERADE")
+Signed-off-by: Phil Sutter
+---
+ extensions/libxt_NAT.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/extensions/libxt_NAT.c b/extensions/libxt_NAT.c
+index da9f22012c5d6..2a6343986d54f 100644
+--- a/extensions/libxt_NAT.c
++++ b/extensions/libxt_NAT.c
+@@ -424,7 +424,7 @@ __NAT_xlate(struct xt_xlate *xl, const struct nf_nat_range2 *r,
+ if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
+ return 0;
+
+- xt_xlate_add(xl, tgt);
++ xt_xlate_add(xl, "%s", tgt);
+ if (strlen(range_str))
+ xt_xlate_add(xl, " to %s", range_str);
+ if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) {
+--
+2.38.0
diff --git a/iptables-1.8.7.tar.bz2 b/iptables-1.8.7.tar.bz2
deleted file mode 100644
index edb1d79c071a24ae0146550a2b13898262356125..0000000000000000000000000000000000000000
Binary files a/iptables-1.8.7.tar.bz2 and /dev/null differ
diff --git a/iptables-1.8.9.tar.xz b/iptables-1.8.9.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..08bd0f88f59012754a59ab799d98f416c322cf74
Binary files /dev/null and b/iptables-1.8.9.tar.xz differ
diff --git a/iptables.spec b/iptables.spec
index cac79fe7c077830d00a2e4b9c1a963a836f321ad..19dcec71b2cb2d93ca62199f5df0af08915ad0c9 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,19 +1,19 @@ %global script_path %{_libexecdir}/iptables %global legacy_actions %{_libexecdir}/initscripts/legacy-actions Name: iptables -Version: 1.8.7 -Release: 11 +Version: 1.8.9 +Release: 1 Summary: IP packet filter administration utilities License: GPLv2 and Artistic Licence 2.0 and ISC URL: https://www.netfilter.org/ -Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.bz2 +Source0: https://www.netfilter.org/projects/iptables/files/iptables-%{version}.tar.xz Source1: iptables.init Source2: iptables-config Source3: iptables.service Source4: sysconfig_iptables Source5: sysconfig_ip6tables -Patch0: enabled-makecheck-in-extensions.patch +Patch01: 0001-extensions-NAT-Fix-for-Werror-format-security.patch BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd BuildRequires: libmnl-devel libnetfilter_conntrack-devel libnfnetlink-devel libnftnl-devel @@ -78,9 +78,6 @@ rm -f include/linux/types.h %make_build -%check -make check - %install %make_install @@ -91,7 +88,6 @@ install -m 0644 include/ip*tables.h %{buildroot}%{_includedir} install -m 0644 include/iptables/internal.h %{buildroot}%{_includedir}/iptables install -m 0755 -d %{buildroot}%{_includedir}/libipulog/ -install -m 0644 include/libipulog/*.h %{buildroot}%{_includedir}/libipulog install -m 0755 -d %{buildroot}/%{script_path} install -m 0755 -c %{SOURCE1} %{buildroot}/%{script_path}/iptables.init @@ -145,6 +141,13 @@ touch %{buildroot}%{_mandir}/man8/arptables-save.8 touch %{buildroot}%{_mandir}/man8/arptables-restore.8 touch %{buildroot}%{_mandir}/man8/ebtables.8 +# Drop xtables.conf, it's not used +rm -f %{buildroot}%{_sysconfdir}/xtables.conf + +# fix absolute symlink +rm -f %{buildroot}%{_bindir}/iptables-xml +ln -s ../sbin/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml + %ldconfig_scriptlets %post 
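Review bot: Dropping `Patch0: enabled-makecheck-in-extensions.patch` in this first hunk, together with the `%check` / `make check` section removed in the next hunk, leaves the 1.8.9 build with no test stage at all, and the changelog entry says only `update to 1.8.9`. For a package that builds and translates firewall rulesets, a version rebase is where a build-time test run catches the most. I would keep `%check` with `make check`. If the suite genuinely cannot run against 1.8.9 in the build root, the spec should say so where the section used to be, for example `# %check dropped for 1.8.9: <reason>`, and the changelog entry should mention it.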
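Review bot: The replacement link under `# fix absolute symlink` hard-codes its target as `../sbin/xtables-legacy-multi`, while the link location itself is built from `%{_bindir}`; the link is only correct while `%{_bindir}` and `%{_sbindir}` are sibling directories. Letting `ln` compute the relative path keeps the target tied to the macros: `ln -sr %{buildroot}%{_sbindir}/xtables-legacy-multi %{buildroot}%{_bindir}/iptables-xml`. The `%files` lists are outside this hunk, so it is worth confirming that the link and `xtables-legacy-multi` ship in the same subpackage, otherwise the link dangles when only one of them is installed.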
@@ -287,6 +290,7 @@ fi %{_sbindir}/arptables-nft* %{_sbindir}/xtables-nft-multi %{_sbindir}/xtables-monitor +%{_sbindir}/ebtables-translate %dir %{_libdir}/xtables %{_libdir}/xtables/libarpt* %{_libdir}/xtables/libebt* @@ -306,11 +310,11 @@ fi %files help %defattr(-,root,root) -%doc INCOMPATIBILITIES %ghost %{_mandir}/man8/arptables.8.gz %ghost %{_mandir}/man8/arptables-save.8.gz %ghost %{_mandir}/man8/arptables-restore.8.gz %ghost %{_mandir}/man8/ebtables.8.gz +%{_mandir}/man8/ebtables-translate* %{_mandir}/man8/xtables-monitor* %{_mandir}/man8/xtables-translate* %{_mandir}/man8/*-nft* @@ -320,8 +324,15 @@ fi %{_mandir}/man8/iptables* %{_mandir}/man8/ip6tables* %{_mandir}/man8/xtables-legacy* +%{_datadir}/xtables/iptables.xslt %changelog +* Wed Feb 08 2023 zhanghao - 1.8.9-1 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:update to 1.8.9 + * Tue Nov 29 2022 huangyu - 1.8.7-11 - Type:bugfix - ID:NA
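Review bot: In the last hunk, `%{_datadir}/xtables/iptables.xslt` is added directly after the man-page globs, which appears to put it in `%files help` (the section opened in the previous hunk; the few lines between the two hunks are not shown). That stylesheet is input data for processing `iptables-xml` output rather than documentation, so a system installed without the help subpackage would get `iptables-xml` without it. I would list it in the `%files` section that ships `iptables-xml`, as `%{_datadir}/xtables/iptables.xslt`, and add `%dir %{_datadir}/xtables` there if no other package owns that directory.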