diff --git a/backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch b/backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch new file mode 100644 index 0000000000000000000000000000000000000000..2b46a52f94d357843f7f9115b7a38dc67404b934 --- /dev/null +++ b/backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch 
@@ -0,0 +1,106 @@ +From 1c97bd67ee6c1097196ad12b36d011fbd3855f2d Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 21 Jan 2021 16:41:35 +0100 +Subject: [PATCH] evaluate: disallow ct original {s,d}ddr from + concatenations + +Extend 8b043938e77b ("evaluate: disallow ct original {s,d}ddr from +maps") to cover concatenations too. + +Error: specify either ip or ip6 for address matching +add rule x y meta mark set ct original saddr . meta mark map { 1.1.1.1 . 20 : 30 } + ^^^^^^^^^^^^^^^^^ + +The old syntax for ct original saddr without either ip or ip6 results +in unknown key size, which breaks the listing. The old syntax is only +allowed in simple rules for backward compatibility. + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=7d3a0799cfd0a7dbd179f2742b6632e66d1e9b6a + +Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 17 +++++++++++++++++ + tests/py/ip/ct.t | 4 ++++ + tests/py/ip/ct.t.payload | 19 +++++++++++++++++++ + 3 files changed, 40 insertions(+) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 53806424..a2274445 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1241,6 +1241,12 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr, + list_for_each_entry_safe(i, next, &(*expr)->expressions, list) { + unsigned dsize_bytes; + ++ if (i->etype == EXPR_CT && ++ (i->ct.key == NFT_CT_SRC || ++ i->ct.key == NFT_CT_DST)) ++ return expr_error(ctx->msgs, i, ++ "specify either ip or ip6 for address matching"); ++ + if (expr_is_constant(*expr) && dtype && off == 0) + return expr_binary_error(ctx->msgs, i, *expr, + "unexpected concat component, " +@@ -1423,6 +1429,17 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) + map->map->ct.key == NFT_CT_DST)) + return expr_error(ctx->msgs, map->map, + "specify either ip or ip6 for address matching"); ++ else if (map->map->etype == EXPR_CONCAT) { ++ struct expr *i; ++ ++ 
list_for_each_entry(i, &map->map->expressions, list) { ++ if (i->etype == EXPR_CT && ++ (i->ct.key == NFT_CT_SRC || ++ i->ct.key == NFT_CT_DST)) ++ return expr_error(ctx->msgs, i, ++ "specify either ip or ip6 for address matching"); ++ } ++ } + + expr_set_context(&ctx->ectx, NULL, 0); + if (expr_evaluate(ctx, &map->map) < 0) +diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t +index c5ce1274..a387863e 100644 +--- a/tests/py/ip/ct.t ++++ b/tests/py/ip/ct.t +@@ -24,3 +24,7 @@ ct reply ip daddr dead::beef;fail + + meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail + meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok ++meta mark set ct original saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };fail ++meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e };ok ++ct original saddr . meta mark { 1.1.1.1 . 0x00000014 };fail ++ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 };ok +diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload +index 4f9e9809..6e2f23a7 100644 +--- a/tests/py/ip/ct.t.payload ++++ b/tests/py/ip/ct.t.payload +@@ -69,3 +69,22 @@ ip + [ ct load dst_ip => reg 1 , dir original ] + [ lookup reg 1 set __map%d dreg 1 ] + [ meta set mark with reg 1 ] ++ ++# meta mark set ct original ip saddr . meta mark map { 1.1.1.1 . 0x00000014 : 0x0000001e } ++__map%d test-ip4 b ++__map%d test-ip4 0 ++ element 01010101 00000014 : 0000001e 0 [end] ++ip ++ [ ct load src_ip => reg 1 , dir original ] ++ [ meta load mark => reg 9 ] ++ [ lookup reg 1 set __map%d dreg 1 ] ++ [ meta set mark with reg 1 ] ++ ++# ct original ip saddr . meta mark { 1.1.1.1 . 0x00000014 } ++__set%d test-ip4 3 ++__set%d test-ip4 0 ++ element 01010101 00000014 : 0 [end] ++ip ++ [ ct load src_ip => reg 1 , dir original ] ++ [ meta load mark => reg 9 ] ++ [ lookup reg 1 set __set%d ] +-- +2.27.0 + 
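Review bot: The EXPR_CONCAT branch added to expr_evaluate_map looks redundant with the check added to expr_evaluate_concat in the first hunk of src/evaluate.c: the next visible statement, `expr_evaluate(ctx, &map->map)`, evaluates the concatenated key and, as far as the hunk shows, would hit the same per-component test and return the same message. Unless a concatenated map key can reach this point without passing through expr_evaluate_concat, the new loop in expr_evaluate_map can be dropped so the rule lives in one place, which also stops the string "specify either ip or ip6 for address matching" from being repeated at three sites. If it is kept, the `else` after a `return` is unnecessary and the rejection deserves the reason given in the commit message, e.g. `/* bare ct original {s,d}addr has no known key size and breaks listing; only plain rules still accept it */`. Both expr_evaluate_concat and expr_evaluate_map begin and end outside their hunks.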
diff --git a/backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch b/backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch new file mode 100644 index 0000000000000000000000000000000000000000..aa00bfc003ca68d13165dd613efedcbeb8feb3a8 --- /dev/null +++ b/backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch 
@@ -0,0 +1,70 @@ +From 93c192706eac3bbb017cfb5a8e1d56b81050ad3b Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 15 Jan 2021 18:40:11 +0100 +Subject: [PATCH] evaluate: disallow ct original {s,d}ddr from maps + +test.nft:6:55-71: Error: specify either ip or ip6 for address matching +add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 } + ^^^^^^^^^^^^^^^^^ + +Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1489 + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=8b043938e77b1f421beccff595117d6e4ff8eecc + +Signed-off-by: Pablo Neira Ayuso + +--- + src/evaluate.c | 6 ++++++ + tests/py/ip/ct.t | 3 +++ + tests/py/ip/ct.t.payload | 9 +++++++++ + 3 files changed, 18 insertions(+) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 303ae280..53806424 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1418,6 +1418,12 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) + const struct datatype *dtype; + struct expr *key, *data; + ++ if (map->map->etype == EXPR_CT && ++ (map->map->ct.key == NFT_CT_SRC || ++ map->map->ct.key == NFT_CT_DST)) ++ return expr_error(ctx->msgs, map->map, ++ "specify either ip or ip6 for address matching"); ++ + expr_set_context(&ctx->ectx, NULL, 0); + if (expr_evaluate(ctx, &map->map) < 0) + return -1; +diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t +index d3247f79..c5ce1274 100644 +--- a/tests/py/ip/ct.t ++++ b/tests/py/ip/ct.t +@@ -21,3 +21,6 @@ ct original protocol 17 ct reply proto-src 53;ok;ct protocol 17 ct reply proto-s + + # wrong address family + ct reply ip daddr dead::beef;fail ++ ++meta mark set ct original daddr map { 1.1.1.1 : 0x00000011 };fail ++meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 };ok +diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload +index d5faed4c..4f9e9809 100644 +--- a/tests/py/ip/ct.t.payload ++++ b/tests/py/ip/ct.t.payload +@@ -60,3 +60,12 @@ ip test-ip4 
output + [ cmp eq reg 1 0x00000011 ] + [ ct load proto_src => reg 1 , dir reply ] + [ cmp eq reg 1 0x00003500 ] ++ ++# meta mark set ct original ip daddr map { 1.1.1.1 : 0x00000011 } ++__map%d test-ip4 b ++__map%d test-ip4 0 ++ element 01010101 : 00000011 0 [end] ++ip ++ [ ct load dst_ip => reg 1 , dir original ] ++ [ lookup reg 1 set __map%d dreg 1 ] ++ [ meta set mark with reg 1 ] +-- +2.27.0 + diff --git a/nftables.spec b/nftables.spec index dea5bfc4f91ea0777c47e2ef11915601353d35ab..9618c36f5498c843096939f48d296a5a80697319 100644 --- a/nftables.spec +++ b/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 0.9.6 -Release: 3 +Release: 4 Epoch: 1 Summary: A subsystem of the Linux kernel processing network data License: GPLv2 @@ -16,6 +16,8 @@ Patch6003: backport-evaluate-Reject-quoted-strings-containing-only-wildcard Patch6004: backport-Solves-Bug-1462-nft-j-list-set-does-not-show-counters.patch Patch6005: backport-json-Fix-memleak-in-set_dtype_json.patch Patch6006: backport-mnl-reply-netlink-error-message-might-be-larger-than-MNL_SOCKET_BUFFER_SIZE.patch +Patch6007: backport-evaluate-disallow-ct-original-s-d-ddr-from-maps.patch +Patch6008: backport-evaluate-disallow-ct-original-s-d-ddr-from-concatena.patch BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd BuildRequires: iptables-devel jansson-devel python3-devel @@ -106,6 +108,13 @@ install -d $RPM_BUILD_ROOT/%{_sysconfdir}/nftables %{python3_sitelib}/nftables/ %changelog +* Fri Jul 30 2021 xiaqirong - 0.9.6-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:evaluate disallow ct original s d ddr from maps + evaluate disallow ct original s d ddr from concatena + * Tue Jul 27 2021 yanan - 0.9.6-3 - Type:bugfix - CVE:NA
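Review bot: The new check in expr_evaluate_map rejects a bare `ct original saddr`/`daddr` map key without saying why in the code; the reason appears only in the commit message of the companion concatenation backport (the old syntax leaves the key size unknown and breaks listing, and is kept only for plain rules for backward compatibility). A comment above the `if (map->map->etype == EXPR_CT &&` line would save the next reader a trip through the history, e.g. `/* bare ct original {s,d}addr has no known key size (breaks listing); only plain rules keep accepting it */`. Note the test runs on the raw key before expr_set_context()/expr_evaluate(), so it catches only a ct expression that is the map key itself; a ct component inside a concatenated key is left to the follow-up backport listed as Patch6008. expr_evaluate_map begins and ends outside the hunk.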