INCOMPATIBILITIES: - The REJECT target has an '--reject-with admin-prohib' option which used with kernels that do not support it, will result in a plain DROP instead of REJECT. Use with caution. Kernels that do support it: - There are some issues related to upgrading from 1.2.x to 1.3.x on a system with dynamic ruleset changes during runtime. (Please see https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=334). After upgrading from 1.2 to 1.3, it suggest go do an iptables-save, then iptables-restore to ensure your dynamic rule changes continue to work.