merge: branch 'bg/deprecate-wext'

build: deprecate Wireless Extensions https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2309
rpm: disable wireless extensions on Fedora
2025-12-20 08:10:06 +01:00 · 2025-12-18 15:14:45 +00:00 · 2025-12-18 16:06:44 +01:00 · 2025-12-18 16:06:42 +01:00 · 2025-12-17 11:59:20 +01:00 · 2025-12-17 10:55:51 +01:00
340 changed files with 24611 additions and 15982 deletions
--- a/.gitignore
+++ b/.gitignore
@ -81,7 +81,6 @@ test-*.trs
 /data/org.freedesktop.NetworkManager.service
 /data/server.conf
 /data/org.freedesktop.NetworkManager.policy
 /data/org.freedesktop.NetworkManager.policy.in
 /data/nm-sudo.service
 /data/nm-priv-helper.service
 /data/NetworkManager-config-initrd.service
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -60,11 +60,11 @@ variables:
  #
  # This is done by running `ci-fairy generate-template` and possibly bumping
  # ".default_tag".
-  ALPINE_TAG:  'tag-da1ae96102c6'
+  ALPINE_TAG:  'tag-0c3a6f855fb8'
-  CENTOS_TAG:  'tag-c8df7d2b249f'
+  CENTOS_TAG:  'tag-c1c23df75dda'
-  DEBIAN_TAG:  'tag-e68f538711ec'
+  DEBIAN_TAG:  'tag-d4bf5db9e214'
-  FEDORA_TAG:  'tag-c8df7d2b249f'
+  FEDORA_TAG:  'tag-c1c23df75dda'
-  UBUNTU_TAG:  'tag-e68f538711ec'
+  UBUNTU_TAG:  'tag-d4bf5db9e214'
  ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
  CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@ -128,6 +128,20 @@ tier2:fedora:rawhide@prep:
      when: manual
      allow_failure: true
 tier2:centos:stream10@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:centos:stream9@prep:
  extends:
    - .fdo.container-build@centos
@ -198,6 +212,20 @@ tier2:alpine:edge@prep:
      when: manual
      allow_failure: true
 tier3:fedora:43@prep:
  extends:
    - .fdo.container-build@fedora
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '43'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:fedora:41@prep:
  extends:
    - .fdo.container-build@fedora
@ -226,20 +254,6 @@ tier3:ubuntu:25.04@prep:
      when: manual
      allow_failure: true
 tier3:ubuntu:24.10@prep:
  extends:
    - .fdo.container-build@ubuntu
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '24.10'
    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
    FDO_DISTRIBUTION_EXEC: $UBUNTU_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:ubuntu:24.04@prep:
  extends:
    - .fdo.container-build@ubuntu
@ -268,6 +282,20 @@ tier3:ubuntu:22.04@prep:
      when: manual
      allow_failure: true
 tier3:debian:13@prep:
  extends:
    - .fdo.container-build@debian
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '13'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:debian:12@prep:
  extends:
    - .fdo.container-build@debian
@ -282,6 +310,20 @@ tier3:debian:12@prep:
      when: manual
      allow_failure: true
 tier3:alpine:3.22@prep:
  extends:
    - .fdo.container-build@alpine
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '3.22'
    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
    FDO_DISTRIBUTION_EXEC: $ALPINE_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:alpine:3.21@prep:
  extends:
    - .fdo.container-build@alpine
@ -377,6 +419,20 @@ t_fedora:rawhide:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream10:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier2:centos:stream10@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream9:
  extends:
    - .build@template
@ -447,6 +503,20 @@ t_alpine:edge:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_fedora:43:
  extends:
    - .build@template
    - .fdo.distribution-image@fedora
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: '43'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  needs:
    - "tier3:fedora:43@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_fedora:41:
  extends:
    - .build@template
@ -475,20 +545,6 @@ t_ubuntu:25.04:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_ubuntu:24.10:
  extends:
    - .build@template
    - .fdo.distribution-image@ubuntu
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: '24.10'
    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
  needs:
    - "tier3:ubuntu:24.10@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_ubuntu:24.04:
  extends:
    - .build@template
@ -517,6 +573,20 @@ t_ubuntu:22.04:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_debian:13:
  extends:
    - .build@template
    - .fdo.distribution-image@debian
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: '13'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
  needs:
    - "tier3:debian:13@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_debian:12:
  extends:
    - .build@template
@ -531,6 +601,20 @@ t_debian:12:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_alpine:3.22:
  extends:
    - .build@template
    - .fdo.distribution-image@alpine
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: '3.22'
    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
  needs:
    - "tier3:alpine:3.22@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_alpine:3.21:
  extends:
    - .build@template
@ -629,7 +713,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  dependencies:
    - "t_fedora:42: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/ci.template
+++ b/.gitlab-ci/ci.template
@ -240,7 +240,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  dependencies:
    - "t_{{default_distro.name}}:{{default_distro.versions[0]}}: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/config.yml
+++ b/.gitlab-ci/config.yml
@ -34,6 +34,7 @@ distributions:
  - name: centos
    tier: 2
    versions:
      - 'stream10'
      - 'stream9'
  - name: ubuntu
    tier: 2
@ -54,21 +55,23 @@ distributions:
  - name: fedora
    tier: 3
    versions:
      - '43'
      - '41'
  - name: ubuntu
    tier: 3
    versions:
      - '25.04'
      - '24.10'
      - '24.04'
      - '22.04'
  - name: debian
    tier: 3
    versions:
      - '13'
      - '12'
  - name: alpine
    tier: 3
    versions:
      - '3.22'
      - '3.21'
      - '3.20'
      - '3.19'
--- a/.gitlab-ci/distros-info.yml
+++ b/.gitlab-ci/distros-info.yml
@ -8,6 +8,9 @@ fedora:
 - version: rawhide
  support: yes
  nm: main
 - version: 43
  support: 2026-12-02
  nm: 1.54
 - version: 42
  support: 2026-05-13
  nm: 1.52
@ -18,8 +21,11 @@ fedora:
 # CentOS Stream
 centos:
 - version: stream10
  support: 2030-12-31 # exact date unknown, only the year
  nm: main
 - version: stream9
-  support: 2027-05-31
+  support: 2027-12-31 # exact date unknown, only the year
  nm: main
 # RHEL:
@ -31,33 +37,43 @@ centos:
 #   support: 6 months
 # Releases and support info: https://access.redhat.com/support/policy/updates/errata
 rhel:
- version: 9.6  # not released yet
+# Not released yet
 - version: 10.1
  support: yes
-  nm: main
+  nm: 1.54
- version: 9.5
+- version: 9.7  # not released yet
  support: yes
-  nm: 1.48
+  nm: 1.54
 # Full support or EUS support:
 - version: 10.0
  support: 2027-05-31
  extended-support: 2029-05-31
  nm: 1.52
 - version: 9.6
  support: 2027-05-31
  extended-support: 2029-05-31
  nm: 1.52
 - version: 9.4
  support: 2026-04-30
  extended-support: 2028-04-30
  nm: 1.46
 - version: 9.2
  support: 2025-05-31
  extended-support: 2027-05-31
  nm: 1.42
 - version: 8.10  # last RHEL 8 release, maintenaince support only
  support: 2029-05-31
  extended-support: no
  nm: 1.40
- version: 8.8
+# SAP / Enhaced EUS only:
 - version: 9.2
  support: 2025-05-31
  extended-support: 2027-05-31
-  nm: 1.40
+  nm: 1.42
 # SAP / Enhaced EUS only:
 - version: 9.0
  support: 2024-05-31
  extended-support: 2026-05-31
  nm: 1.36
 - version: 8.8
  support: 2025-05-31
  extended-support: 2027-05-31
  nm: 1.40
 - version: 8.6
  support: 2024-05-31
  extended-support: 2026-05-31
@ -81,10 +97,6 @@ ubuntu:
  name: plucky
  support: 2026-01-15
  nm: 1.52
 - version: 24.10
  name: oracular
  support: 2025-07-10
  nm: 1.48
 - version: 24.04
  name: noble
  support: 2029-05-31
@ -109,6 +121,11 @@ debian:
 - version: sid
  support: yes
  nm: main
 - version: 13
  name: trixie
  support: 2028-08-09
  extended-support: 2030-06-30
  nm: 1.52
 - version: 12
  name: bookworm
  support: 2026-06-11
@ -130,6 +147,9 @@ alpine:
 - version: edge
  support: yes
  nm: main
 - version: 3.22
  support: 2027-05-01
  nm: 1.52
 - version: 3.21
  support: 2026-11-01
  nm: 1.50
--- a/.gitlab-ci/fedora-install.sh
+++ b/.gitlab-ci/fedora-install.sh
@ -13,6 +13,8 @@ if [ $IS_CENTOS = 1 ]; then
        CENTOS_VERSION=8
    elif grep -q '^VERSION_ID=.*\<9\>' /etc/os-release ; then
        CENTOS_VERSION=9
    elif grep -q '^VERSION_ID=.*\<10\>' /etc/os-release ; then
        CENTOS_VERSION=10
    else
        exit 1
    fi
@ -33,6 +35,11 @@ fi
        dnf install -y 'dnf-command(config-manager)'
        dnf config-manager --set-enabled crb
        curl https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-9/nmstate-nm-build-deps-epel-9.repo > /etc/yum.repos.d/nmstate-nm-build-deps-epel-9.repo
    elif [ "$CENTOS_VERSION" = stream10 ]; then
        dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
        dnf install -y 'dnf-command(config-manager)'
        dnf config-manager --set-enabled crb
        curl https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-10/nmstate-nm-build-deps-epel-10.repo > /etc/yum.repos.d/nmstate-nm-build-deps-epel-10.repo
    else
        exit 1
    fi
--- a/.gitlab-ci/run-test.sh
+++ b/.gitlab-ci/run-test.sh
@ -17,10 +17,17 @@ grep -q '^NAME=.*\(CentOS\)' /etc/os-release && IS_CENTOS=1
 grep -q '^NAME=.*\(Fedora\)' /etc/os-release && IS_FEDORA=1
 grep -q '^NAME=.*\(Alpine\)' /etc/os-release && IS_ALPINE=1
 IS_CENTOS_7=0
 if [ $IS_CENTOS = 1 ]; then
-    if grep -q '^VERSION_ID=.*\<7\>' /etc/os-release ; then
+    CENTOS_VER_LINE="$(grep '^VERSION_ID=' /etc/os-release)"
-        IS_CENTOS_7=1
+    if [[ $CENTOS_VER_LINE =~ ^VERSION_ID=\"?([0-9]+)\"?$ ]]; then
        CENTOS_VER="${BASH_REMATCH[1]}"
    else
        echo "Error detecting CentOS Stream version" >&2
        exit 1
    fi
    if (( $CENTOS_VER >= 10 )); then
        export WITH_LIBTEAM=0
    fi
 fi
@ -148,12 +155,7 @@ test_subtree() {
    do_clean
    pushd ./src/$d
-    ARGS=()
+    CC="$cc" CFLAGS="-Werror -Wall" meson build
    if [ "$d" = n-acd ]; then
        ARGS+=('-Debpf=false')
    fi
    CC="$cc" CFLAGS="-Werror -Wall" meson build "${ARGS[@]}"
    ninja -v -C build test
    popd
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -252,17 +252,25 @@ Versioning scheme (version numbers are called MAJOR.MINOR.MICRO):
  versioning scheme than the main NM project despite there are no development
  versions here.
 Before starting:
 - You need to have the maintainer role in the project.
 - The GPG key used to sign the release must be added to your GNOME's Gitlab
  profile and uploaded to a keyserver.
 - All details: https://handbook.gnome.org/maintainers/making-a-release.html
 When doing a release, follow this process:
 1. Ensure that `NEWS` file is up to date.
-2. Increment the version in `meson.build`, commit and tag the commit. Example:
+2. Increment the version in `meson.build` or `configure.ac`.
-   `git tag -s 1.2.8 -m 'Tag 1.2.8'`.
+3. Commit and push to the `main` branch.
-3. Ensure that you are on the right commit and create the tarball:
+4. Check that the Gitlab's pipeline finishes without errors.
-   `git clean -fdx && meson setup build && cd build && meson dist`
+5. Tag the commit with a signed tag. Example: `git tag -s 1.2.8 -m 'Release 1.2.8'`.
-4. Upload the tarball: `scp ./*-*.tar.xz "$user@master.gnome.org:"`
+6. Push the tag. Example: `git push origin 1.2.8`.  
-5. Login to `master.gnome.org` and run `ftpadmin install`.  
+   WARN: this is what starts the automatic CI release. As GNOME doesn't allow
-   Ensure the new tarballs show up at https://download.gnome.org/sources/
+   to delete tags, any error detected after this will force a new version bump.
-   (happens after a short delay)
+7. Check that the Gitlab's pipeline finishes without errors. If that happens,
-6. Announce the release on the mailing list.
+   the release is done and available both in the Gitlab's releases section and
   https://download.gnome.org/sources/*
 8. Announce the release on the mailing list.
 Notes:
 - You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).
--- a/63
+++ b/63
@ -1,3 +1,66 @@
 =============================================
 NetworkManager-1.58
 Overview of changes since NetworkManager-1.56
 =============================================
 This is a snapshot of NetworkManager development. The API is
 subject to change and not guaranteed to be compatible with
 the later release.
 USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
 * Restrict the connectivity check to use the DNS servers defined on the
  same link. If the link has no DNS servers, the connectivity check will
  use any servers available in the system.
 * Install the systemd units in the initramfs using a systemd generator.
 * A new "check-connectivity" configuration option is available to disable the
  connectivity check for selected interfaces.
 * Remove the modify_system build option that allowed setting up the
  polkit permissions to allow non-admin users to create system-wide
  connection. That configuration is discouraged because it can be used
  to bypass filesystem permissions.
 * For private connections (the ones that specify a user in the
  "connection.permissions" property), verify that the user can access
  the 802.1X certificates and keys set in the connection.
 * Introduce a libnm function that can be used by VPN plugins to check
  user permissions on certificate and keys.
 * The support for Wireless Extensions is deprecated and will be
  removed in a future release. Wireless Extensions are now disabled by
  default.
 =============================================
 NetworkManager-1.56
 Overview of changes since NetworkManager-1.54
 =============================================
 * nmcli now supports viewing and managing WireGuard peers.
 * Support reapplying the "sriov.vfs" property as long as
  "sriov.total-vfs" is not changed.
 * Support reapplying "bond-port.vlans".
 * Accept hostnames longer than 64 characters from DNS lookup.
 * Make that global-dns configuration overwrites DNS searches and
  options from connections, instead of merging all together.
 * Add support for a new rd.net.dhcp.client-id option in
  nm-initrd-generator.
 * Add gsm device-uid setting to restrict the devices the connection applies to.
 * Support configuring the HSR protocol version via the
  "hsr.protocol-version" property.
 * Fix a bug that makes broadband connections auto-connect getting 
  blocked if the connection tries to reconnect when modem status is 
  "disconnecting" / "disconnected".
 * Treat modem connection not having an operator code available
  as a recoverable error.
 * Add support for configuring systemd-resolved's DNSSEC option
  per-connection via the "connection.dnssec" connection property.
 * Support configuring the HSR interlink port via the
  "hsr.interlink" property.
 * Fix some connection properties not being applied to vpn connections
  (connection.mdns, connection.llmnr, connection.dns-over-tls,
   connection.mptcp-flags, ipv6.ip6-privacy)
 * Update n-acd to always compile with eBPF enabled, as support
  for eBPF is now detected at run time.
 * Add new MPTCP 'laminar' endpoint type, and set it by default alongside
  the 'subflow' one.
 =============================================
 NetworkManager-1.54
 Overview of changes since NetworkManager-1.52
--- a/config.h.meson
+++ b/config.h.meson
@ -239,6 +239,15 @@
 /* Whether we build with OVS plugin */
 #mesondefine WITH_OPENVSWITCH
 /* Whether we build with team support */
 #mesondefine WITH_TEAMDCTL
 /* Whether we build with Wi-Fi support */
 #mesondefine WITH_WIFI
 /* Whether we build with WWAN support */
 #mesondefine WITH_WWAN
 /* Define if you have PPP support */
 #mesondefine WITH_PPP
--- a/contrib/alpine/REQUIRED_PACKAGES
+++ b/contrib/alpine/REQUIRED_PACKAGES
@ -11,6 +11,7 @@ apk add \
    'clang' \
    'curl-dev' \
    'dbus' \
    'dbus-dev' \
    'elogind-dev' \
    'eudev-dev' \
    'gcc' \
@ -29,7 +30,6 @@ apk add \
    'libpsl-dev' \
    'libsoup-dev' \
    'libteam-dev' \
    'libtool' \
    'linux-headers' \
    'meson' \
    'mobile-broadband-provider-info' \
--- a/contrib/debian/REQUIRED_PACKAGES
+++ b/contrib/debian/REQUIRED_PACKAGES
@ -62,7 +62,6 @@ install \
    libreadline-dev \
    libsystemd-dev \
    libteam-dev \
    libtool \
    libudev-dev \
    locales \
    meson \
--- a/contrib/fedora/REQUIRED_PACKAGES
+++ b/contrib/fedora/REQUIRED_PACKAGES
@ -68,7 +68,6 @@ install \
    libndp-devel \
    libnvme-devel \
    libselinux-devel \
    libtool \
    libuuid-devel \
    meson \
    mobile-broadband-provider-info-devel \
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@ -14,6 +14,7 @@
 %global epoch_version 1
 %global real_version __VERSION__
 %global git_tag_version __GIT_TAG_VERSION__
 %global rpm_version %{real_version}
 %global release_version __RELEASE_VERSION__
 %global snapshot __SNAPSHOT__
@ -106,6 +107,11 @@
 %else
 %bcond_without iwd
 %endif
 %if 0%{?fedora} <= 43 || 0%{?rhel} <= 10
 %bcond_without polkit_noauth_group
 %else
 %bcond_with polkit_noauth_group
 %endif
 ###############################################################################
@ -153,17 +159,6 @@
 %bcond_with ifcfg_migrate
 %endif
 %if 0%{?fedora}
 # Although eBPF would be available on Fedora's kernel, it seems
 # we often get SELinux denials (rh#1651654). But even aside them,
 # bpf(BPF_MAP_CREATE, ...) randomly fails with EPERM. That might
 # be related to `ulimit -l`. Anyway, this is not usable at the
 # moment.
 %global ebpf_enabled "no"
 %else
 %global ebpf_enabled "no"
 %endif
 # Fedora 33 enables LTO by default by setting CFLAGS="-flto -ffat-lto-objects".
 # However, we also require "-flto -flto-partition=none", so disable Fedora's
 # default and use our configure option --with-lto instead.
@ -180,7 +175,7 @@ Group: System Environment/Base
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 URL: https://networkmanager.dev/
-#Source: https://download.gnome.org/sources/NetworkManager/%{real_version_major}/%{name}-%{real_version}.tar.xz
+#Source: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/releases/%{git_tag_version}/downloads/%{name}-%{real_version}.tar.xz
 Source: __SOURCE1__
 Source1: NetworkManager.conf
 Source2: 00-server.conf
@ -253,7 +248,6 @@ Conflicts: NetworkManager-dispatcher-routing-rules <= 1:1.47.5-3
 %endif
 BuildRequires: gcc
 BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: meson
 BuildRequires: gettext-devel >= 0.19.8
@ -627,14 +621,10 @@ Preferably use nmcli instead.
 %endif
 %if %{with wifi}
 	-Dwifi=true \
 %if 0%{?fedora}
 	-Dwext=true \
 %else
 	-Dwext=false \
 %endif
 %else
 	-Dwifi=false \
 %endif
 	-Dwext=false \
 %if %{with iwd}
 	-Diwd=true \
 %else
@ -676,22 +666,20 @@ Preferably use nmcli instead.
 	-Dselinux=true \
 	-Dpolkit=true  \
 	-Dconfig_auth_polkit_default=true \
-	-Dmodify_system=true \
+%if %{with polkit_noauth_group}
 	-Dpolkit_noauth_group=wheel \
 %endif
 	-Dconcheck=true \
 %if 0%{?fedora}
 	-Dlibpsl=true \
 %else
 	-Dlibpsl=false \
 %endif
 %if %{ebpf_enabled} != "yes"
 	-Debpf=false \
 %else
 	-Debpf=true \
 %endif
 	-Dsession_tracking=systemd \
 	-Dsuspend_resume=systemd \
 	-Dsystemdsystemunitdir=%{_unitdir} \
-	-Dsystem_ca_path=/etc/pki/tls/cert.pem \
+	-Dsystemdsystemgeneratordir=%{_systemdgeneratordir} \
 	-Dsystem_ca_path=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
 	-Ddbus_conf_dir=%{dbus_sys_dir} \
 	-Dtests=yes \
 	-Dvalgrind=no \
@ -763,6 +751,7 @@ rm -f %{buildroot}%{_libdir}/pppd/%{ppp_version}/*.la
 rm -f %{buildroot}%{nmplugindir}/*.la
 # Don't use the *-initrd.service files yet, wait dracut to support them
 rm -f %{buildroot}%{_systemdgeneratordir}/nm-initrd-generator.sh
 rm -f %{buildroot}%{_unitdir}/NetworkManager-config-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
@ -896,6 +885,7 @@ fi
 %{_libexecdir}/nm-dispatcher
 %{_libexecdir}/nm-initrd-generator
 %{_libexecdir}/nm-daemon-helper
 %{_libexecdir}/nm-libnm-helper
 %{_libexecdir}/nm-priv-helper
 %dir %{_libdir}/%{name}
 %dir %{nmplugindir}
@ -927,6 +917,9 @@ fi
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_priv_helper.service
 %{_datadir}/polkit-1/actions/*.policy
 %if %{with polkit_noauth_group}
 %{_datadir}/polkit-1/rules.d/org.freedesktop.NetworkManager.rules
 %endif
 %{_prefix}/lib/udev/rules.d/*.rules
 %{_prefix}/lib/firewalld/zones/nm-shared.xml
 # systemd stuff
--- a/contrib/fedora/rpm/build.sh
+++ b/contrib/fedora/rpm/build.sh
@ -12,6 +12,7 @@ set -o pipefail
 #   RELEASE_VERSION=
 #   SNAPSHOT=
 #   VERSION=
 #   GIT_TAG_VERSION=
 #   COMMIT_FULL=
 #   COMMIT=
 #   USERNAME=
@ -112,6 +113,7 @@ UUID=`uuidgen`
 RELEASE_VERSION="${RELEASE_VERSION:-$(git rev-list HEAD | wc -l)}"
 SNAPSHOT="${SNAPSHOT:-%{nil\}}"
 VERSION="${VERSION:-$(get_version || die "Could not read $VERSION")}"
 GIT_TAG_VERSION="${GIT_TAG_VERSION:-$VERSION}"
 COMMIT_FULL="${COMMIT_FULL:-$(git rev-parse --verify HEAD || die "Error reading HEAD revision")}"
 COMMIT="${COMMIT:-$(printf '%s' "$COMMIT_FULL" | sed 's/^\(.\{10\}\).*/\1/' || die "Error reading HEAD revision")}"
 BCOND_DEFAULT_DEBUG="${BCOND_DEFAULT_DEBUG:-0}"
@ -155,6 +157,7 @@ if [[ "$SOURCE_FROM_GIT" == "1" ]]; then
 fi
 LOG "VERSION=$VERSION"
 LOG "GIT_TAG_VERSION=$GIT_TAG_VERSION"
 LOG "RELEASE_VERSION=$RELEASE_VERSION"
 LOG "SNAPSHOT=$SNAPSHOT"
 LOG "COMMIT_FULL=$COMMIT_FULL"
@ -207,6 +210,7 @@ cp "$SOURCE_README_IFCFG_MIGRATED" "$TEMP/SOURCES/readme-ifcfg-rh-migrated.txt"
 write_changelog
 sed -e "s/__VERSION__/$VERSION/g" \
    -e "s/__GIT_TAG_VERSION__/$GIT_TAG_VERSION/g" \
    -e "s/__RELEASE_VERSION__/$RELEASE_VERSION/g" \
    -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
    -e "s/__COMMIT__/$COMMIT/g" \
--- a/contrib/fedora/rpm/configure-for-system.sh
+++ b/contrib/fedora/rpm/configure-for-system.sh
@ -155,7 +155,6 @@ P_CRYPTO="${CRYPTO-}"
 P_DBUS_SYS_DIR="${DBUS_SYS_DIR-}"
 P_DHCP_DEFAULT="${DHCP_DEFAULT-}"
 P_DNS_RC_MANAGER_DEFAULT="${DNS_RC_MANAGER_DEFAULT-}"
 P_EBPF_ENABLED="${EBPF_ENABLED-no}"
 P_FIREWALLD_ZONE="${FIREWALLD_ZONE-}"
 P_IWD="${IWD-}"
 P_LOGGING_BACKEND_DEFAULT="${LOGGING_BACKEND_DEFAULT-}"
@ -174,6 +173,7 @@ P_WIFI="${WIFI-1}"
 P_WWAN="${WWAN-1}"
 P_TEAM="${TEAM-1}"
 P_BLUETOOTH="${BLUETOOTH-1}"
 P_IFCFG_RH="${IFCFG_RH-0}"
 P_NMTUI="${NMTUI-1}"
 P_NM_CLOUD_SETUP="${NM_CLOUD_SETUP-1}"
 P_OVS="${OVS-1}"
@ -203,7 +203,7 @@ if [ -z "$P_FEDORA" -a -z "$P_RHEL" ] ; then
        P_FEDORA="$x"
        P_RHEL=0
    else
-        x="$(grep -q "ID=fedora" /etc/os-release && sed -n 's/VERSION_ID=//p' /etc/os-release)"
+        x="$(grep -q 'ID="rhel"' /etc/os-release && sed -n 's/^VERSION_ID="*\([0-9]*\).*/\1/p' /etc/os-release)"
        if test "$x" -gt 0 ; then
            P_FEDORA=0
            P_RHEL="$x"
@ -294,6 +294,14 @@ if [ -z "$P_MODEM_MANAGER_1" ] ; then
    fi
 fi
 if [ -z "$TEAM" ] && [ "${P_RHEL-0}" -ge 10 ] ; then
    P_TEAM=0
 fi
 if [ -z "$IFCFG_RH" ] && [ -n "$P_RHEL" ] && [ "$P_RHEL" -le 9 ] ; then
    P_IFCFG_RH=1
 fi
 if bool "$P_DEBUG" ; then
    P_CFLAGS="-g -Og -fexceptions${P_CFLAGS:+ }$P_CFLAGS"
 else
@ -379,7 +387,7 @@ meson setup\
    -Db_lto="$(bool_true "$P_LTO")" \
    -Dlibaudit=yes-disabled-by-default \
    -Dmodem_manager="$(bool_true "$P_MODEM_MANAGER_1")" \
-    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext="$(bool_true "$P_FEDORA")") \
+    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext=false) \
    $(args_enable "$(bool_not_true "$P_WIFI")" -Dwifi=false                                  ) \
    -Diwd="$(bool_true "$P_IWD")" \
    -Dbluez5_dun="$(bool_true "$P_BLUETOOTH")" \
@ -393,18 +401,17 @@ meson setup\
    -Dselinux=true \
    -Dpolkit=true  \
    -Dconfig_auth_polkit_default=true \
    -Dmodify_system=true \
    -Dconcheck=true \
    -Dlibpsl="$(bool_true "$P_FEDORA")" \
    -Debpf="$(bool_true "$P_EBPF_ENABLED")" \
    -Dsession_tracking=systemd \
    -Dsuspend_resume=systemd \
    -Dsystemdsystemunitdir=/usr/lib/systemd/system \
    -Dsystemdsystemgeneratordir=/usr/lib/systemd/system-generators \
    -Dsystem_ca_path=/etc/pki/tls/cert.pem \
    -Ddbus_conf_dir="$P_DBUS_SYS_DIR" \
    -Dtests=yes \
    -Dvalgrind=no \
-    -Difcfg_rh=true \
+    -Difcfg_rh="$(bool_true "$P_IFCFG_RH")" \
    -Difupdown=false \
    $(args_enable "$P_PPP"                    -Dppp=true  -Dpppd="$D_SBINDIR/pppd" -Dpppd_plugin_dir="$D_LIBDIR/pppd/$P_PPP_VERSION") \
    $(args_enable "$(bool_not_true "$P_PPP")" -Dppp=false                                                                           ) \
--- a/contrib/scripts/nm-ci-run.sh
+++ b/contrib/scripts/nm-ci-run.sh
@ -84,6 +84,14 @@ if [ "$CC" != gcc ]; then
    _WITH_CRYPTO=nss
 fi
 if [ "$WITH_LIBTEAM" != "" ]; then
    if _is_true "$WITH_LIBTEAM"; then
        _WITH_LIBTEAM="true"
    else
        _WITH_LIBTEAM="false"
    fi
 fi
 if [ "$WITH_DOCS" != "" ]; then
    if _is_true "$WITH_DOCS"; then
        _WITH_DOCS="true"
@ -161,18 +169,18 @@ meson setup build \
    -D ld_gc=false \
    -D session_tracking=no \
    -D systemdsystemunitdir=no \
    -D systemdsystemgeneratordir=no \
    -D systemd_journal=false \
    -D selinux=false \
    -D libaudit=no \
    -D libpsl=false \
    -D vapi=false \
    -D introspection=$_WITH_DOCS \
    -D man=$_WITH_DOCS \
    -D qt=false \
    -D crypto=$_WITH_CRYPTO \
    -D docs=$_WITH_DOCS \
    \
    -D ebpf=false \
    \
    -D iwd=true \
    -D ofono=true \
    -D teamdctl=$_WITH_LIBTEAM \
--- a/data/NetworkManager-config-initrd.service.in
+++ b/data/NetworkManager-config-initrd.service.in
@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Configuration (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-journald.socket
 After=systemd-journald.socket
 Before=systemd-udevd.service systemd-udev-trigger.service
 ConditionPathExists=/etc/initrd-release
 [Service]
 Type=oneshot
@ -22,6 +22,3 @@ ExecStartPost=/bin/sh -c ' \
    fi \
 '
 RemainAfterExit=yes
 [Install]
 WantedBy=initrd.target
--- a/data/NetworkManager-initrd.service.in
+++ b/data/NetworkManager-initrd.service.in
@ -1,11 +1,11 @@
 [Unit]
 Description=NetworkManager (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-udev-trigger.service network.target
 After=systemd-udev-trigger.service network-pre.target dbus.service NetworkManager-config-initrd.service
 Before=network.target
 BindsTo=dbus.service
 ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 ConditionPathExistsGlob=|/usr/lib/NetworkManager/system-connections/*
 ConditionPathExistsGlob=|/run/NetworkManager/system-connections/*
@ -22,11 +22,3 @@ Environment=NM_CONFIG_ENABLE_TAG=initrd
 Restart=on-failure
 ProtectSystem=true
 ProtectHome=read-only
 [Install]
 WantedBy=initrd.target
 # We want to enable NetworkManager-wait-online-initrd.service whenever this
 # service is enabled. NetworkManager-wait-online-initrd.service has
 # WantedBy=network-online.target, so enabling it only has an effect if
 # network-online.target itself is enabled or pulled in by some other unit.
 Also=NetworkManager-config-initrd.service NetworkManager-wait-online-initrd.service
--- a/data/NetworkManager-wait-online-initrd.service.in
+++ b/data/NetworkManager-wait-online-initrd.service.in
@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Wait Online (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Requires=NetworkManager-initrd.service
 After=NetworkManager-initrd.service
 Before=network-online.target
 ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 [Service]
@ -21,6 +21,3 @@ Type=oneshot
 ExecStart=@bindir@/nm-online -s -q
 RemainAfterExit=yes
 Environment=NM_ONLINE_TIMEOUT=3600
 [Install]
 WantedBy=initrd.target network-online.target
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -19,7 +19,7 @@ KillMode=process
 # With a huge number of interfaces, starting can take a long time.
 TimeoutStartSec=600
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_BPF CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 ProtectSystem=true
 ProtectHome=read-only
--- a/data/meson.build
+++ b/data/meson.build
@ -55,21 +55,22 @@ if install_udevdir
 endif
 if enable_polkit
  policy = 'org.freedesktop.NetworkManager.policy'
  policy_in = configure_file(
    input: policy + '.in.in',
    output: '@BASENAME@',
    configuration: data_conf,
  )
  i18n.merge_file(
-    input: policy_in,
+    input: 'org.freedesktop.NetworkManager.policy.in',
    output: '@BASENAME@',
    po_dir: po_dir,
    install: true,
-    install_dir: polkit_gobject_policydir,
+    install_dir: polkit_policydir,
  )
  if polkit_noauth_group != ''
    configure_file(
      input: 'org.freedesktop.NetworkManager.rules.in',
      output: '@BASENAME@',
      install_dir: polkit_rulesdir,
      configuration: {'NM_POLKIT_NOAUTH_GROUP': polkit_noauth_group},
    )
  endif
 endif
 if enable_firewalld_zone
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in.in
@ -117,8 +117,8 @@
    <message>System policy prevents modification of network settings for all users</message>
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
+      <allow_inactive>auth_admin_keep</allow_inactive>
-      <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
+      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
--- a/data/org.freedesktop.NetworkManager.rules.in
+++ b/data/org.freedesktop.NetworkManager.rules.in
@ -0,0 +1,17 @@
 // NetworkManager authorizations/policy for the @NM_POLKIT_NOAUTH_GROUP@ group.
 //
 // DO NOT EDIT THIS FILE, it will be overwritten on update.
 //
 // Allow users in the @NM_POLKIT_NOAUTH_GROUP@ group to create system-wide connections without being
 // prompted for a password if they are in a local console.
 // This is optional and is only recommended to maintain backwards compatibility
 // in systems where it was already working in this way. It is discouraged
 // otherwise.
 polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("@NM_POLKIT_NOAUTH_GROUP@") &&
        subject.local) {
        return polkit.Result.YES;
    }
 });
--- a/docs/api/meson.build
+++ b/docs/api/meson.build
@ -1,6 +1,8 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 if enable_introspection
  xsltproc = find_program('xsltproc')
  settings = 'settings-spec'
  output = settings + '.xml'
--- a/examples/C/glib/monitor-nm-state-gdbus.c
+++ b/examples/C/glib/monitor-nm-state-gdbus.c
@ -23,8 +23,8 @@ static const char *
 nm_state_to_string(NMState state)
 {
    switch (state) {
-    case NM_STATE_ASLEEP:
+    case NM_STATE_DISABLED:
-        return "asleep";
+        return "network off";
    case NM_STATE_CONNECTING:
        return "connecting";
    case NM_STATE_CONNECTED_LOCAL:
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -83,6 +83,11 @@
    note that your distribution or other packages may drop configuration snippets for NetworkManager, such
    that they are part of the factory default.
    </para>
    <para>
    The options that are indicated as boolean can be set to one of these values:
    <literal>yes</literal>, <literal>true</literal>, <literal>on</literal>, <literal>1</literal>,
    <literal>no</literal>, <literal>false</literal>, <literal>off</literal>, <literal>0</literal>.
    </para>
  </refsect1>
@ -895,11 +900,15 @@ ipv6.ip6-privacy=0
        </varlistentry>
        <varlistentry>
          <term><varname>connection.mptcp-flags</varname></term>
-          <listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
+          <listitem><para>If unspecified, the fallback is 0x122 (<literal>"enabled,subflow,laminar"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dns-over-tls</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dnssec</varname></term>
          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.stable-id</varname></term>
@ -1245,12 +1254,13 @@ managed=1
          <term><varname>managed</varname></term>
          <listitem>
            <para>
-              Whether the device is managed or not. A device can be
+              A boolean value specifying whether the device is
-              marked as managed via udev rules (ENV{NM_UNMANAGED}),
+              managed or not. A device can be marked as managed via
-              or via setting plugins (keyfile.unmanaged-devices).
+              udev rules (ENV{NM_UNMANAGED}), or via setting plugins
-              This is yet another way. Note that this configuration
+              (keyfile.unmanaged-devices).  This is yet another
-              can be overruled at runtime via D-Bus. Also, it has
+              way. Note that this configuration can be overruled at
-              higher priority then udev rules.
+              runtime via D-Bus. Also, it has higher priority than
              udev rules.
            </para>
          </listitem>
        </varlistentry>
@ -1319,9 +1329,27 @@ managed=1
            </para>
          </listitem>
        </varlistentry>
        <varlistentry id="check-connectivity">
          <term><varname>check-connectivity</varname></term>
          <listitem>
            <para>
              A boolean value specifying whether NetworkManager will perform a connectivity check
              for this device. Defaults to <literal>yes</literal>.
            </para>
            <para>
              This setting does nothing if the connectivity check has been
              disabled globally using the
              <literal>connectivity.enabled</literal> setting.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry id="keep-configuration">
          <term><varname>keep-configuration</varname></term>
          <listitem>
            <para>
              A boolean value indicating whether the existing device
              configuration is kept at startup.
            </para>
            <para>
              On startup, NetworkManager tries to not interfere with
              interfaces that are already configured. It does so by
@ -1418,16 +1446,16 @@ managed=1
          <term><varname>wifi.iwd.autoconnect</varname></term>
          <listitem>
            <para>
-              If <literal>wifi.backend</literal> is <literal>iwd</literal>, setting this to
+              A boolean value. If <literal>wifi.backend</literal> is <literal>iwd</literal>,
-              <literal>false</literal> forces IWD's autoconnect mechanism to be disabled for
+              setting this to <literal>false</literal> forces IWD's autoconnect mechanism to be
-              this device and connections will only be initiated by NetworkManager whether
+              disabled for this device and connections will only be initiated by NetworkManager
-              commanded by a client or automatically.  Leaving it <literal>true</literal> (default)
+              whether commanded by a client or automatically.  Leaving it <literal>true</literal>
-              stops NetworkManager from automatically initiating connections and allows
+              (default) stops NetworkManager from automatically initiating connections and allows
-              IWD to use its network ranking and scanning logic to decide the best networks
+              IWD to use its network ranking and scanning logic to decide the best networks to
-              to autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
+              autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
-              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings
+              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings like
-              like <literal>permissions</literal> or <literal>multi-connect</literal> may interfere
+              <literal>permissions</literal> or <literal>multi-connect</literal> may interfere with
-              with IWD connection attempts.
+              IWD connection attempts.
            </para>
          </listitem>
        </varlistentry>
@ -1486,7 +1514,7 @@ managed=1
      <variablelist>
        <varlistentry>
          <term><varname>enabled</varname></term>
-          <listitem><para>Whether connectivity check is enabled.
+          <listitem><para>A boolean indicating whether connectivity check is enabled.
          Note that to enable connectivity check, a valid uri must
          also be configured. The value defaults to true, but since
          the uri is unset by default, connectivity check may be disabled.
@ -1540,8 +1568,12 @@ managed=1
  <refsect1>
    <title><literal>global-dns</literal> section</title>
-    <para>This section specifies DNS settings that are applied
+    <para>This section specifies DNS settings that are applied globally. They
-    globally, in addition to connection-specific ones.</para>
+    override the equivalent options defined in individual connections, making
    them to be ignored. If a [global-dns-domain-*] section is defined, but this
    section isn't, an empty [global-dns] section is assumed, thus overwriting
    connection specific configurations too.
    </para>
    <para>
      <variablelist>
        <varlistentry>
@ -1601,6 +1633,10 @@ managed=1
    default domain "*". When the global DNS domains are valid, the
    name servers and domains defined globally override the ones from
    active connections.
    If any global DNS domain is defined but a [global-dns] section isn't,
    an empty [global-dns] section is assumed, thus overwriting its
    connection specific configurations too.
    </para>
    <para>
      <variablelist>
--- a/man/meson.build
+++ b/man/meson.build
@ -1,29 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 common_ent_file = configure_file(
  input: 'common.ent.in',
  output: '@BASENAME@',
  configuration: data_conf,
 )
 xsltproc_options = [
  xsltproc,
  '--output', '@OUTPUT@',
  '--path', meson.current_build_dir(),
  '--xinclude',
  '--nonet',
  '--stringparam', 'man.output.quietly', '1',
  '--stringparam', 'funcsynopsis.style', 'ansi',
  '--stringparam', 'man.th.extra1.suppress', '1',
  '--stringparam', 'man.authors.section.enabled', '0',
  '--stringparam', 'man.copyright.section.enabled', '0',
  '--stringparam', 'man.th.title.max.length', '30',
 ]
 docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
 mans_xmls = []
 mans = [
  ['NetworkManager', '8'],
  ['NetworkManager-dispatcher', '8'],
@ -44,12 +20,62 @@ if enable_nm_cloud_setup
  mans += [['nm-cloud-setup', '8']]
 endif
 introspection_mans = [
  ['nm-settings-keyfile', '5'],
  ['nm-settings-dbus',    '5'],
  ['nm-settings-nmcli',   '5'],
 ]
 if enable_ifcfg_rh
  introspection_mans += [['nm-settings-ifcfg-rh', '5']]
 endif
 built_mans = []
 foreach man: mans + introspection_mans
  name = man[0] + '.' + man[1]
  if not fs.exists(name)
    built_mans = []
    break
  endif
  built_mans += name
 endforeach
 if enable_introspection or enable_docs
  common_ent_file = configure_file(
    input: 'common.ent.in',
    output: '@BASENAME@',
    configuration: data_conf,
  )
 endif
 if enable_introspection and (enable_man or enable_docs)
  xsltproc_options = [
    find_program('xsltproc'),
    '--output', '@OUTPUT@',
    '--path', meson.current_build_dir(),
    '--xinclude',
    '--nonet',
    '--stringparam', 'man.output.quietly', '1',
    '--stringparam', 'funcsynopsis.style', 'ansi',
    '--stringparam', 'man.th.extra1.suppress', '1',
    '--stringparam', 'man.authors.section.enabled', '0',
    '--stringparam', 'man.copyright.section.enabled', '0',
    '--stringparam', 'man.th.title.max.length', '30',
  ]
  docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
  mans_xmls = []
  foreach man: mans
    input = man[0] + '.xml'
    content_files += join_paths(meson.current_source_dir(), input)
    output = '@0@.@1@'.format(man[0], man[1])
    # not needed if only html requested
    if enable_man
      custom_target(
        output,
        input: input,
@ -59,9 +85,9 @@ foreach man: mans
        install: true,
        install_dir: join_paths(nm_mandir, 'man' + man[1]),
      )
    endif
  endforeach
 if enable_introspection
  merge_cmd = files(source_root / 'tools' / 'generate-docs-nm-settings-docs-merge.py')
  name = 'dbus'
@ -124,6 +150,8 @@ if enable_introspection
    output = '@0@.@1@'.format(man[0], man[1])
    # not needed if only html requested
    if enable_man
      custom_target(
        output,
        input: input,
@ -132,5 +160,13 @@ if enable_introspection
        install: true,
        install_dir: join_paths(nm_mandir, 'man' + man[1]),
      )
-  endforeach
+    endif
  endforeach
 # not needed if only html requested
 elif enable_man
  if built_mans.length() > 0
    install_man(built_mans)
  else
    error('Building manpages requires xsltproc and -Dintrospection=true, and no prebuilt manpages were found. Try building from a release tarball or using -Dman=false.')
  endif
 endif
--- a/man/nm-initrd-generator.xml
+++ b/man/nm-initrd-generator.xml
@ -162,6 +162,7 @@
            <member><option>rd.net.dns-backend</option></member>
            <member><option>rd.net.dns-resolve-mode</option></member>
            <member><option>rd.net.timeout.dhcp</option></member>
            <member><option>rd.net.dhcp.client-id</option></member>
            <member><option>rd.net.dhcp.retry</option></member>
            <member><option>rd.net.dhcp.vendor-class</option></member>
            <member><option>rd.net.dhcp.dscp</option></member>
@ -268,6 +269,23 @@
        </para>
      </listitem>
      <listitem>
        <para>NetworkManager supports the
        <option>rd.net.dhcp.client-id</option>=<replaceable>interface</replaceable>:<replaceable>client-id</replaceable>
        kernel command line option to set a specific DHCPv4 client identifier
        for the given interface. The client-id can be specified either as a
        sequence of bytes in hexadecimal format separated by dashes, or as the
        character '@' followed by a non-empty string. When using the second
        format, NetworkManager prepends a zero byte to the given string,
        according to section 9.14 of RFC 2132. See the "ipv4.dhcp-client-id"
        section of <link
        linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
        for more details. Examples:
        <literal>rd.net.dhcp.client-id=eth0:01-52-54-00-45-87-42</literal>,
        <literal>rd.net.dhcp.client-id=enp1s0:@example.com</literal>.
        </para>
      </listitem>
    </itemizedlist>
  </refsect1>
@ -278,6 +296,7 @@
  <refsect1 id='see_also'><title>See Also</title>
    <para><link linkend='dracut.cmdline'><citerefentry><refentrytitle>dracut.cmdline</refentrytitle><manvolnum>7</manvolnum></citerefentry></link>,
-    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>.</para>
+    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>,
    <link linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>.</para>
  </refsect1>
 </refentry>
--- a/man/nm-openvswitch.xml
+++ b/man/nm-openvswitch.xml
@ -91,6 +91,10 @@
      NetworkManager inserts the records for Bridges into OVSDB when a Port is
      attached.
      </para>
      <para>Known limitation: when the last NetworkManager's owned port is removed,
      the bridge is removed too, even if there are other externally attached ports.
      </para>
    </refsect2>
    <refsect2>
@ -102,6 +106,10 @@
      exist.  Ports can also be configured to do VLAN tagging or Bonding.
      NetworkManager inserts the records for Ports into OVSDB when an Interface is
      attached. Ports must be attached to a Bridge.</para>
      <para>Known limitation: when the last NetworkManager's owned interface is removed,
      the port is removed too, even if there are other externally attached interfaces.
      </para>
    </refsect2>
    <refsect2>
--- a/man/nmcli.xml
+++ b/man/nmcli.xml
@ -1066,15 +1066,16 @@
            <listitem><para><literal>dummy</literal></para></listitem>
            <listitem><para><literal>generic</literal></para></listitem>
            <listitem><para><literal>gsm</literal></para></listitem>
            <listitem><para><literal>hsr</literal></para></listitem>
            <listitem><para><literal>infiniband</literal></para></listitem>
            <listitem><para><literal>ip-tunnel</literal></para></listitem>
            <listitem><para><literal>ipvlan</literal></para></listitem>
            <listitem><para><literal>loopback</literal></para></listitem>
            <listitem><para><literal>macsec</literal></para></listitem>
            <listitem><para><literal>macvlan</literal></para></listitem>
            <listitem><para><literal>olpc-mesh</literal></para></listitem>
            <listitem><para><literal>ovs-bridge</literal></para></listitem>
            <listitem><para><literal>ovs-dpdk</literal></para></listitem>
            <listitem><para><literal>ovs-interface</literal></para></listitem>
            <listitem><para><literal>ovs-patch</literal></para></listitem>
            <listitem><para><literal>ovs-port</literal></para></listitem>
            <listitem><para><literal>pppoe</literal></para></listitem>
            <listitem><para><literal>team</literal></para></listitem>
--- a/meson.build
+++ b/meson.build
@ -5,14 +5,14 @@ project(
 # NOTE: When incrementing version also add corresponding
 #       NM_VERSION_x_y_z macros in
 #       "src/libnm-core-public/nm-version-macros.h.in"
-  version: '1.54.0',
+  version: '1.57.1',
  license: 'GPL2+',
  default_options: [
    'buildtype=debugoptimized',
    'c_std=gnu11',
    'warning_level=2' # value "2" will add "-Wall" and "-Wextra" to the compiler flags
  ],
-  meson_version: '>= 0.51.0',
+  meson_version: '>= 0.53.0',
 )
 nm_name = meson.project_name()
@ -77,6 +77,7 @@ libnm_version = '@0@.@1@.@2@'.format(current - age, age, revision)
 libnm_pkgincludedir = join_paths(nm_includedir, libnm_name)
 fs = import('fs')
 gnome = import('gnome')
 i18n = import('i18n')
 pkg = import('pkgconfig')
@ -89,7 +90,6 @@ po_dir = source_root / 'po'
 top_inc = include_directories('.')
 perl = find_program('perl')
 xsltproc = find_program('xsltproc')
 check_exports = find_program(join_paths(source_root, 'tools', 'check-exports.sh'))
@ -327,12 +327,17 @@ config_h.set10('WITH_CONFIG_PLUGIN_IFUPDOWN', enable_ifupdown)
 config_h.set_quoted('NM_DIST_VERSION', dist_version)
 enable_wifi = get_option('wifi')
 config_h.set10('WITH_WIFI', enable_wifi)
 enable_iwd = get_option('iwd')
 assert((not enable_iwd) or enable_wifi, 'Enabling iwd support requires Wi-Fi support as well')
 config_h.set10('WITH_IWD', enable_iwd)
-enable_wext = get_option('wext')
+wext = get_option('wext')
 if wext == 'true'
  error('Wireless Extensions support is deprecated and will be removed in the future. Use -Dwext=force to keep using it')
 endif
 enable_wext = (wext == 'force')
 config_h.set10('HAVE_WEXT', enable_wext)
 # Checks for libdl - on certain platforms its part of libc
@ -382,6 +387,14 @@ if install_systemdunitdir and systemd_systemdsystemunitdir == ''
  systemd_systemdsystemunitdir = systemd_dep.get_variable(pkgconfig: 'systemdsystemunitdir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif
 systemd_systemdsystemgeneratordir = get_option('systemdsystemgeneratordir')
 install_systemdgeneratordir = (systemd_systemdsystemgeneratordir != 'no')
 if install_systemdgeneratordir and systemd_systemdsystemgeneratordir == ''
  assert(systemd_dep.found(), 'systemd required but not found, please provide a valid systemd user generator dir or disable it')
  systemd_systemdsystemgeneratordir = systemd_dep.get_variable(pkgconfig: 'systemdsystemgeneratordir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif
 enable_systemd_journal = get_option('systemd_journal')
 if enable_systemd_journal
  assert(libsystemd_dep.found(), 'Missing systemd-journald support')
@ -476,19 +489,6 @@ if enable_selinux
 endif
 config_h.set10('HAVE_SELINUX', enable_selinux)
 # eBPF support
 ebpf_opt = get_option('ebpf')
 # 'auto' means 'false', because there are still issues.
 if ebpf_opt != 'true'
  enable_ebpf = false
 else
  enable_ebpf = true
  if not cc.has_header('linux/bpf.h')
    assert(ebpf_opt != 'true', 'eBPF requires kernel support')
    enable_ebpf = false
  endif
 endif
 # libaudit support
 libaudit = get_option('libaudit')
 enable_libaudit = libaudit.contains('yes')
@ -507,12 +507,14 @@ if enable_teamdctl
  libteamdctl_dep = dependency('libteamdctl', version: '>= 1.9')
  assert(libteamdctl_dep.found(), 'You must have libteamdctl installed to build. Use -Dteamdctl=false to disable it')
 endif
 config_h.set10('WITH_TEAMDCTL', enable_teamdctl)
 # polkit
 enable_polkit = get_option('polkit')
 if enable_polkit
  # FIXME: policydir should be relative to `datadir`, not `prefix`. Fixed in https://gitlab.freedesktop.org/polkit/polkit/merge_requests/2
-  polkit_gobject_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
+  polkit_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
  polkit_rulesdir = join_paths(fs.parent(polkit_policydir), 'rules.d')
 endif
 config_auth_polkit_default = get_option('config_auth_polkit_default')
@ -522,6 +524,12 @@ endif
 config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default)
 enable_modify_system = get_option('modify_system')
 if enable_modify_system
  # FIXME: remove this after everyone has stopped using modify_system
  error('modify_system=true is no longer allowed due to security reasons')
 endif
 polkit_noauth_group = get_option('polkit_noauth_group')
 polkit_agent_helper_1_path = get_option('polkit_agent_helper_1')
 foreach p : [ '/usr/libexec/polkit-agent-helper-1',
@ -616,6 +624,7 @@ if enable_modem_manager
  endif
  config_h.set_quoted('MOBILE_BROADBAND_PROVIDER_INFO_DATABASE', mobile_broadband_provider_info_database)
 endif
 config_h.set10('WITH_WWAN', enable_modem_manager)
 # Bluez5 DUN support
 enable_bluez5_dun = get_option('bluez5_dun')
@ -816,6 +825,7 @@ if enable_nm_cloud_setup
  assert(jansson_dep.found(), 'nm-cloud-setup requires jansson library. Use -Dnm_cloud_setup=false to disable it')
 endif
 enable_man = get_option('man')
 enable_docs = get_option('docs')
 more_asserts = get_option('more_asserts')
@ -914,7 +924,6 @@ endif
 test_args = [
  '--called-from-make',
  build_root,
  '',
  enable_valgrind ? valgrind_path : '',
  enable_valgrind ? valgrind_suppressions_path : '',
  '--launch-dbus=auto',
@ -953,7 +962,6 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED',                 ', '.join(config_dhcp_c
 data_conf.set('NM_MAJOR_VERSION',                        nm_major_version)
 data_conf.set('NM_MICRO_VERSION',                        nm_micro_version)
 data_conf.set('NM_MINOR_VERSION',                        nm_minor_version)
 data_conf.set('NM_MODIFY_SYSTEM_POLICY',                 (enable_modify_system ? 'yes' : 'auth_admin_keep'))
 data_conf.set('NM_VERSION',                              nm_version)
 data_conf.set('VERSION',                                 nm_version)
 data_conf.set('bindir',                                  nm_bindir)
@ -964,38 +972,6 @@ data_conf.set('nmstatedir',                              nm_pkgstatedir)
 data_conf.set('sbindir',                                 nm_sbindir)
 data_conf.set('sysconfdir',                              nm_sysconfdir)
 # check if we can build setting property documentation
 '''
 build_docs=no
 if test -n "$INTROSPECTION_MAKEFILE"; then
  # If g-i is installed we know we have python, but we might not have pygobject
  if ! "$PYTHON" -c 'from gi.repository import GObject' >& /dev/null; then
    AC_MSG_ERROR(["--enable-introspection aims to build the settings documentation. This requires GObject introspection for python (pygobject)])
  fi
  AC_PATH_PROG(PERL, perl)
  if test -z "$PERL"; then
    AC_MSG_ERROR([--enable-introspection requires perl])
  fi
  AC_PATH_PROG(XSLTPROC, xsltproc)
  if test -z "$XSLTPROC"; then
    AC_MSG_ERROR([--enable-introspection requires xsltproc])
  fi
  have_introspection=yes
  if test "$enable_gtk_doc" = "yes"; then
    build_docs=yes
  fi
 else
  if test "$enable_gtk_doc" = "yes"; then
    # large parts of the documentation require introspection/pygobject to extract
    # the documentation out of the source files. You cannot enable gtk-doc without alone.
    AC_MSG_ERROR(["--with-gtk-doc requires --enable-introspection"])
  fi
  have_introspection=no
 fi
 '''
 content_files = []
 subdir('introspection')
@ -1033,9 +1009,14 @@ if enable_qt != 'false'
  endif
 endif
 # The man/ directory builds a couple targets needed by the docs build too.
 # If we build with docs but no man, then enter the subdir and only build
 # some targets.
 if enable_docs or enable_man
  subdir('man')
 endif
 if enable_docs
  assert(enable_introspection, '-Ddocs=true requires -Dintrospection=true')
  subdir('man')
  subdir('docs')
  meson.add_dist_script(
    'tools/meson-dist-data.sh',
@ -1086,7 +1067,7 @@ meson.add_install_script(
  nm_pkgstatedir,
  nm_mandir,
  nm_sysconfdir,
-  enable_docs ? '1' : '0',
+  enable_man ? '1' : '0',
  enable_ifcfg_rh ? '1' : '0',
  enable_nm_cloud_setup ? '1' : '0',
  install_systemdunitdir ? '1' : '0',
@ -1096,6 +1077,7 @@ output = '\nSystem paths:\n'
 output += '  prefix: ' + nm_prefix + '\n'
 output += '  exec_prefix: ' + nm_prefix + '\n'
 output += '  systemdunitdir: ' + systemd_systemdsystemunitdir + '\n'
 output += '  systemdgeneratordir: ' + systemd_systemdsystemgeneratordir + '\n'
 output += '  udev_dir: ' + udev_udevdir + '\n'
 output += '  nmbinary: ' + nm_pkgsbindir + '\n'
 output += '  nmconfdir: ' + nm_pkgconfdir + '\n'
@ -1110,17 +1092,7 @@ output += '  dbus_conf_dir: ' + dbus_conf_dir + '\n'
 output += '\nPlatform:\n'
 output += '  session tracking: ' + ','.join(session_trackers) + '\n'
 output += '  suspend/resume: ' + suspend_resume + '\n'
-output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')'
+output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ', noauth_group: "' + polkit_noauth_group + '")\n'
 if enable_polkit
  output += ' ('
  if enable_modify_system
    output += 'permissive'
  else
    output += 'restrictive'
  endif
  output += ' modify.system)'
 endif
 output += '\n'
 output += '  polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n'
 output += '  selinux: ' + enable_selinux.to_string() + '\n'
 output += '  systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
@ -1184,6 +1156,5 @@ output +=      'have-nss: ' + crypto_nss_dep.found().to_string() + ')\n'
 output += '  sanitizers: ' + get_option('b_sanitize') + '\n'
 output += '  Mozilla Public Suffix List: ' + enable_libpsl.to_string() + '\n'
 output += '  vapi: ' + enable_vapi.to_string() + '\n'
 output += '  ebpf: ' + enable_ebpf.to_string() + '\n'
 output += '  readline: ' + with_readline + '\n'
 message(output)
--- a/meson_options.txt
+++ b/meson_options.txt
@ -1,5 +1,6 @@
 # system paths
 option('systemdsystemunitdir', type: 'string', value: '', description: 'Directory for systemd service files')
 option('systemdsystemgeneratordir', type: 'string', value: '', description: 'Directory for systemd generator files')
 option('system_ca_path', type: 'string', value: '/etc/ssl/certs', description: 'path to system CA certificates')
 option('udev_dir', type: 'string', value: '', description: 'Absolute path of the udev base directory. Set to \'no\' not to install the udev rule')
 option('dbus_conf_dir', type: 'string', value: '', description: 'where D-Bus system.d directory is')
@ -18,7 +19,8 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'],
 option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support')
 option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.')
 option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.')
-option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections')
+option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)')
 option('polkit_noauth_group', type: 'string', value: '', description: 'Allow users of the selected group, typically sudo or wheel, to modify system connections without introducing a password (discouraged)')
 option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit')
 option('selinux', type: 'boolean', value: true, description: 'Build with SELinux')
 option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')
@ -28,7 +30,7 @@ option('hostname_persist', type: 'combo', choices: ['default', 'suse', 'gentoo',
 option('libaudit', type: 'combo', choices: ['yes', 'yes-disabled-by-default', 'no'], value: 'yes', description: 'Build with audit daemon support. yes-disabled-by-default enables support, but disables it unless explicitly configured via NetworkManager.conf')
 # features
-option('wext', type: 'boolean', value: true, description: 'Enable or disable Linux Wireless Extensions')
+option('wext', type: 'combo', choices: ['true', 'false', 'force' ], value: 'false', description: 'Enable or disable Linux Wireless Extensions (deprecated). wext support will be removed in a future release, don\'t rely on this.')
 option('wifi', type: 'boolean', value: true, description: 'enable Wi-Fi support')
 option('iwd', type: 'boolean', value: false, description: 'enable iwd support (experimental)')
 option('ppp', type: 'boolean', value: true, description: 'enable PPP/PPPoE support')
@ -44,7 +46,7 @@ option('nmcli', type: 'boolean', value: true, description: 'Build nmcli')
 option('nmtui', type: 'boolean', value: true, description: 'Build nmtui')
 option('nm_cloud_setup', type: 'boolean', value: true, description: 'Build nm-cloud-setup, a tool for automatically configuring networking in cloud')
 option('bluez5_dun', type: 'boolean', value: false, description: 'enable Bluez5 DUN support')
-option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support')
+option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support (deprecated)')
 option('nbft', type: 'boolean', value: true, description: 'Enable NBFT support in the initrd generator')
 # configuration plugins
@ -67,6 +69,7 @@ option('config_dhcp_default', type: 'combo', choices: ['dhclient', 'dhcpcd', 'in
 option('introspection', type: 'boolean', value: true, description: 'Enable introspection for this build')
 option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
 option('docs', type: 'boolean', value: false, description: 'use to build documentation')
 option('man', type: 'boolean', value: true, description: 'Install manpages')
 option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
 option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
 option('more_asserts', type: 'string', value: 'auto', description: 'Enable more assertions for debugging (0 = no, 100 = all, default: auto)')
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@ -1,6 +1,6 @@
 # List of source files containing translatable strings.
 # Please keep this file sorted alphabetically.
-data/org.freedesktop.NetworkManager.policy.in.in
+data/org.freedesktop.NetworkManager.policy.in
 src/core/NetworkManagerUtils.c
 src/core/devices/adsl/nm-device-adsl.c
 src/core/devices/bluetooth/nm-bluez-manager.c
--- a/po/ca.po
+++ b/po/ca.po
@ -8,14 +8,15 @@
 # Lubomir Rintel <lkundrak@v3.sk>, 2016. #zanata
 # Lubomir Rintel <lkundrak@v3.sk>, 2017. #zanata
 # Thomas Haller <thaller@redhat.com>, 2017. #zanata
 # Jordi Mas i Hernàndez <jmas@softcatala.org>, 2025
 msgid ""
 msgstr ""
 "Project-Id-Version: NetworkManager\n"
 "Report-Msgid-Bugs-To: https://gitlab.freedesktop.org/NetworkManager/"
 "NetworkManager/issues\n"
 "POT-Creation-Date: 2023-06-16 15:26+0000\n"
-"PO-Revision-Date: 2023-06-17 00:07+0200\n"
+"PO-Revision-Date: 2025-09-28 00:07+0200\n"
-"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Last-Translator: Jordi Mas i Hernàndez <jmas@softcatala.org>\n"
 "Language-Team: Catalan <tradgnome@softcatala.org>\n"
 "Language: ca\n"
 "MIME-Version: 1.0\n"
@ -355,7 +356,7 @@ msgstr "Connexió WPAN"
 #: src/core/devices/team/nm-device-team.c:131
 msgid "Team connection"
-msgstr "Connexió equip"
+msgstr "Connexió d'equip"
 #: src/core/devices/wifi/nm-device-olpc-mesh.c:112 src/nmcli/devices.c:1400
 msgid "Mesh"
@ -648,7 +649,7 @@ msgstr "Surt després de la configuració inicial"
 #: src/core/nm-config.c:639
 msgid "Don't become a daemon, and log to stderr"
 msgstr ""
-"No et converteixis en un dimoni, i envia el registre a la sortida estàndard"
+"No et converteixis en un dimoni, i envia el registre a la sortida d'error"
 #: src/core/nm-config.c:648
 msgid "An http(s) address for checking internet connectivity"
@ -795,7 +796,7 @@ msgstr "La connexió no era una connexió Ethernet o PPPoE."
 #: src/libnm-client-impl/nm-device-ethernet.c:206
 msgid "The connection and device differ in S390 subchannels."
-msgstr "La connexió i el dispositiu difereixen als subcanals 5930."
+msgstr "La connexió i el dispositiu difereixen als subcanals S390."
 #: src/libnm-client-impl/nm-device-ethernet.c:223
 #, c-format
@ -881,7 +882,7 @@ msgstr "La connexió no era una connexió tun."
 #: src/libnm-client-impl/nm-device-team.c:124
 msgid "The connection was not a team connection."
-msgstr "La connexió no era una connexió equip."
+msgstr "La connexió no era una connexió d'equip."
 #: src/libnm-client-impl/nm-device-tun.c:204
 msgid "The connection was not a tun connection."
@ -1325,27 +1326,27 @@ msgstr ""
 #: src/libnm-core-impl/nm-keyfile.c:333
 msgid "ignoring missing number"
-msgstr "s'ignorarà el número faltant"
+msgstr "s'ignora el número faltant"
 #: src/libnm-core-impl/nm-keyfile.c:345
 #, c-format
 msgid "ignoring invalid number '%s'"
-msgstr "s'ignorarà el número «%s» no vàlid"
+msgstr "s'ignora el número «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:374
 #, c-format
 msgid "ignoring invalid %s address: %s"
-msgstr "s'ignorarà l'adreça %s no vàlida: %s"
+msgstr "s'ignora l'adreça %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:420
 #, c-format
 msgid "ignoring invalid gateway '%s' for %s route"
-msgstr "s'ignorarà la passarel·la «%s» no vàlida per a la ruta %s"
+msgstr "s'ignora la passarel·la «%s» no vàlida per a la ruta %s"
 #: src/libnm-core-impl/nm-keyfile.c:442
 #, c-format
 msgid "ignoring invalid %s route: %s"
-msgstr "s'ignorarà la ruta %s no vàlida: %s"
+msgstr "s'ignora la ruta %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:620
 #, c-format
@ -1361,7 +1362,7 @@ msgstr "caràcter «%c» inesperat per a %s: «%s» (posició %td)"
 #, c-format
 msgid "unexpected character '%c' in prefix length for %s: '%s' (position %td)"
 msgstr ""
-"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)<"
+"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)"
 #: src/libnm-core-impl/nm-keyfile.c:669
 #, c-format
@ -1413,11 +1414,11 @@ msgstr "s'ignorarà l'adreça %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:1518
 msgid "ignoring invalid SSID"
-msgstr "s'ignorarà l'SSID no vàlida"
+msgstr "s'ignora l'SSID no vàlida"
 #: src/libnm-core-impl/nm-keyfile.c:1536
 msgid "ignoring invalid raw password"
-msgstr "s'ignorarà la contrasenya sense processar no vàlida"
+msgstr "s'ignora la contrasenya sense processar no vàlida"
 #: src/libnm-core-impl/nm-keyfile.c:1681
 msgid "invalid key/cert value"
@ -1458,7 +1459,7 @@ msgstr "valor de paritat «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:1958 src/libnm-core-impl/nm-keyfile.c:3540
 #, c-format
 msgid "invalid setting: %s"
-msgstr "el paràmetre no és vàlid: «%s»"
+msgstr "el paràmetre no és vàlid: %s"
 #: src/libnm-core-impl/nm-keyfile.c:1978
 #, fuzzy, c-format
@ -1973,7 +1974,7 @@ msgstr "file:// URI no és UTF-8 vàlida"
 #: src/libnm-core-impl/nm-setting-connection.c:1501
 msgid "invalid permissions not in format \"user:$UNAME[:]\""
-msgstr "els permisos no són vàlids, no estan en el format «user:$UNANE[:]"
+msgstr "els permisos no són vàlids, no estan en el format «user:$UNAME[:]"
 #: src/libnm-core-impl/nm-setting-connection.c:1530
 #, c-format
@ -2086,7 +2087,7 @@ msgstr "«%s» no és un número"
 #: src/libnm-core-impl/nm-setting-gsm.c:479
 msgid "property is empty or wrong size"
-msgstr "la propietat és buda o de mida incorrecta"
+msgstr "la propietat és buida o de mida incorrecta"
 #: src/libnm-core-impl/nm-setting-gsm.c:492
 msgid "property must contain only digits"
@ -2098,12 +2099,12 @@ msgstr "no es pot activar quan hi ha una configuració manual"
 #: src/libnm-core-impl/nm-setting-infiniband.c:215
 msgid "Must specify a P_Key if specifying parent"
-msgstr "S'ha d'especificar una P-Key si s'especifica el pare"
+msgstr "S'ha d'especificar una P_Key si s'especifica el pare"
 #: src/libnm-core-impl/nm-setting-infiniband.c:226
 msgid "InfiniBand P_Key connection did not specify parent interface name"
 msgstr ""
-"La connexió InfiniBand P_Key no ha especificat el nom de l'interfície pare"
+"La connexió InfiniBand P_Key no ha especificat el nom de la interfície pare"
 #: src/libnm-core-impl/nm-setting-infiniband.c:234
 msgid "the values 0 and 0x8000 are not allowed"
@ -2156,12 +2157,12 @@ msgstr "Adreça IPv4 «%s» no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:106
 #, c-format
 msgid "Invalid IPv4 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv4 no vàlida"
+msgstr "Prefix «%u» d'adreça IPv4 no vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:107
 #, c-format
 msgid "Invalid IPv6 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv6 no vàlida<"
+msgstr "Prefix «%u» d'adreça IPv6 no vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:124
 #, c-format
@ -2208,7 +2209,7 @@ msgstr "el prefix %s no és vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1423
 #, c-format
 msgid "%s is not a valid route type"
-msgstr "%s no és un nom de ruta vàlid"
+msgstr "%s no és un tipus de ruta vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1442
 #, fuzzy
@ -2432,7 +2433,7 @@ msgstr "La ruta %d. no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5638
 #, c-format
 msgid "invalid attribute: %s"
-msgstr "atribut no vàlid: «%s»"
+msgstr "atribut no vàlid: %s"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5658
 #, c-format
@ -4105,7 +4106,7 @@ msgstr "«%s» no és vàlid; useu [%s] or [%s]"
 #: src/libnmc-base/nm-client-utils.c:176
 #, c-format
 msgid "'%s' is not valid; use [%s], [%s] or [%s]"
-msgstr "«%s» no és vàld, useu [%s], [%s] o [%s]"
+msgstr "«%s» no és vàlid, useu [%s], [%s] o [%s]"
 #: src/libnmc-base/nm-client-utils.c:230
 #, c-format
@ -4676,7 +4677,7 @@ msgstr "clau privada no vàlida"
 #, fuzzy, c-format
 msgid "Secrets are required to connect WireGuard VPN '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:620
@ -4698,7 +4699,7 @@ msgid ""
 "Passwords or encryption keys are required to access the wireless network "
 "'%s'."
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:886
@ -4709,7 +4710,7 @@ msgstr "Autenticació 802.1X de xarxa amb fil"
 #, fuzzy, c-format
 msgid "Secrets are required to access the wired network '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:893
@ -5418,9 +5419,9 @@ msgid ""
 msgstr ""
 "Entreu els bytes com una llista de valors hexadecimals.\n"
 "S'accepten dos formats:\n"
-"(a) una cadena de dígits exadecimals, on cada dos dígits representen un "
+"(a) una cadena de dígits hexadecimals, on cada dos dígits representen un "
 "byte\n"
-"(b) una llista separada per espais de bytes escrits com a dígits hexadecimas "
+"(b) una llista separada per espais de bytes escrits com a dígits hexadecimals "
 "(amb prefix opcional 0x/0X,i un 0 inicial opcional).\n"
 "\n"
 "Exemples: ab0455a6ea3a74C2\n"
@ -5493,7 +5494,7 @@ msgstr "Demora cap endavant"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5280
 #: src/nmtui/nmt-page-bridge.c:134
 msgid "Hello time"
-msgstr "Temps de benviguda"
+msgstr "Temps de benvinguda"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5286
 #: src/nmtui/nmt-page-bridge.c:148
@ -5567,7 +5568,7 @@ msgid ""
 msgstr ""
 "Entreu les connexions secundàries que s'haurien d'activar quan s'activa "
 "aquesta connexió. Les connexions es poden especificar o bé per UUID o per ID "
-"(nom). L'nmcli tradueix transparentment els noms a UUID. Noteu que el "
+"(nom). nmcli tradueix transparentment els noms a UUID. Noteu que el "
 "NetworkManager actualment sols dóna suport els VPN com a connexions "
 "secundàries.\n"
 "Els elements es poden separar per comes o espais.\n"
@ -5676,7 +5677,7 @@ msgid ""
 "  priority [prio] [from [src]] [to [dst]], ,...\n"
 "\n"
 msgstr ""
-"Introduïu una llista de regles d'encaminanent IPv4 amb el següent format:\n"
+"Introduïu una llista de regles d'encaminament IPv4 amb el següent format:\n"
 "  priority [prioritat] [from [origen]] [to [destí]], ,...\n"
 "\n"
 "\n"
@ -5696,7 +5697,7 @@ msgstr ""
 "configuració IPv6 \n"
 "és «auto» aquests servidors DNS s'annexen als que retorna (si retorna cap) "
 "la \n"
-"configuració automatica. Els servidors DNS no es poden usar amb els métodes "
+"configuració automàtica. Els servidors DNS no es poden usar amb els mètodes "
 "de \n"
 "configuracó DNS «shared» o «link-local», atès que no hi una xarxa superior. "
 "A tots\n"
@ -8151,12 +8152,12 @@ msgstr ""
 "canonada (|) o un ampersand (&). El primer indica que l'element és opcional "
 "i el segon significa que és obligatori. Si hi ha algun element opcional, "
 "llavors la coincidència avalua a cert si almenys un dels elements opcionals "
-"coincideix (O lògicà). Si hi ha elements obligatoris, llavors tots han de "
+"coincideix (O lògica). Si hi ha elements obligatoris, llavors tots han de "
 "coincidir (I lògica). Per defecte, un element és opcional. Això significa "
 "que un element «foo» es comporta igual que «|foo». Un element també es pot "
 "invertir amb el símbol d'exclamació (!) entre el símbol de la canonada (o de "
 "l'ampersand) i abans del patró. Tingueu en compte que «!foo» és una drecera "
-"per al patró obligatòri «&!foo». Finalment, es pot utilitzar una barra "
+"per al patró obligatori «&!foo». Finalment, es pot utilitzar una barra "
 "inversa al començament de l'element (després dels caràcters especials "
 "opcionals) per no considerar-lo inici del patró. Per exemple, «\\!a» és una "
 "coincidència obligatòria per literalment «!a»."
@ -10722,7 +10723,7 @@ msgstr "Error: «%s» no és una connexió activa.\n"
 #: src/nmcli/connections.c:3436
 msgid "Error: not all active connections found."
-msgstr "Error: No s'han trobar totes les connexions actives."
+msgstr "Error: No s'han trobat totes les connexions actives."
 #: src/nmcli/connections.c:3444
 msgid "Error: no active connection provided."
@ -11041,7 +11042,7 @@ msgstr ""
 "Verifica si el paràmetre o la connexió és vàlida i es pot desar més tard.\n"
 "Indica valors no vàlids quan hi ha un error. Alguns errors es poden "
 "corregir\n"
-"automàticaent amb l'opció «fix».\n"
+"automàticament amb l'opció «fix».\n"
 "\n"
 "Exemples: nmcli> verify\n"
 "          nmcli> verify fix\n"
@ -11063,7 +11064,7 @@ msgid ""
 msgstr ""
 "save [persistent|temporary]  :: desa la connexió\n"
 "\n"
-"Envia el perfil de la connexió al NetworManager que o bé la desarà de forma\n"
+"Envia el perfil de la connexió al NetworkManager que o bé la desarà de forma\n"
 "persistent o bé sols la mantindrà a la memòria. «desa» sense cap argument\n"
 "significa «desa de forma persistent».\n"
 "Noteu que un cop que deseu el perfile de forma persistent aquestes "
@ -11485,7 +11486,7 @@ msgstr "Opció no vàlida de verificació: %s\n"
 #: src/nmcli/connections.c:8486
 #, c-format
 msgid "Verify setting '%s': %s\n"
-msgstr "Verifica el paràmere «%s»: %s\n"
+msgstr "Verifica el paràmetre «%s»: %s\n"
 #: src/nmcli/connections.c:8501
 #, c-format
@ -11552,12 +11553,12 @@ msgstr "Error: no es pot activar la connexió: %s.\n"
 #: src/nmcli/connections.c:8679
 #, c-format
 msgid "Error: Failed to activate '%s' (%s) connection: %s\n"
-msgstr "Error: no s'ha pogut desconnectar la connexió «%s» (%s): %s\n"
+msgstr "Error: no s'ha pogut activar la connexió «%s» (%s): %s\n"
 #: src/nmcli/connections.c:8686
 msgid "Monitoring connection activation (press any key to continue)\n"
 msgstr ""
-"S'està supervisant l'activació de la connexio (premeu qualsevol teclar per "
+"S'està supervisant l'activació de la connexió (premeu qualsevol tecla per "
 "continuar)\n"
 #: src/nmcli/connections.c:8721
@ -11582,7 +11583,7 @@ msgstr "Configuració actual del nmcli:\n"
 #: src/nmcli/connections.c:8753
 #, c-format
 msgid "Invalid configuration option '%s'; allowed [%s]\n"
-msgstr "Opció de configuració no vàida: «%s»; es permet [%s]\n"
+msgstr "Opció de configuració no vàlida: «%s»; es permet [%s]\n"
 #: src/nmcli/connections.c:8985
 #, fuzzy
@ -12396,7 +12397,7 @@ msgstr "Error: no s'ha pogut afegir/activar la connexió nova: %s"
 #: src/nmcli/devices.c:2266
 #, c-format
 msgid "Error: Device activation failed: %s"
-msgstr "Error: no s'ha pogut activar el dispositu: %s"
+msgstr "Error: no s'ha pogut activar el dispositiu: %s"
 #: src/nmcli/devices.c:2322
 #, c-format
@ -12603,7 +12604,7 @@ msgstr "Contrasenya: "
 #: src/nmcli/devices.c:4172
 #, c-format
 msgid "'%s' is not valid WPA PSK"
-msgstr "«%s» no és una WPS PSK vàlida"
+msgstr "«%s» no és una WPA PSK vàlida"
 #: src/nmcli/devices.c:4193
 #, c-format
@ -13538,7 +13539,7 @@ msgstr "Error: s'esperava l'argument «%s», però s'ha proporcionat «%s»."
 #: src/nmcli/utils.c:315
 #, c-format
 msgid "Error: Unexpected argument '%s'"
-msgstr "Error: argument inesperat «%s»."
+msgstr "Error: argument inesperat «%s»"
 #: src/nmcli/utils.c:702
 #, fuzzy, c-format
@ -13897,7 +13898,7 @@ msgstr "«%s» <"
 #. NB: the ordering/numbering here corresponds to NmtPageBondMonitoringMode
 #: src/nmtui/nmt-page-bond.c:92
 msgid "MII (recommended)"
-msgstr "MII (recomendat)"
+msgstr "MII (recomanat)"
 #: src/nmtui/nmt-page-bond.c:93
 msgid "ARP"
@ -14543,7 +14544,7 @@ msgstr ""
 #: src/nmtui/nmtui-edit.c:394 src/nmtui/nmtui-edit.c:410
 msgid "New Connection"
-msgstr "Connexions nova"
+msgstr "Connexió nova"
 #: src/nmtui/nmtui-edit.c:452
 #, c-format
--- a/po/it.po
+++ b/po/it.po
@ -12596,7 +12596,7 @@ msgstr "Digitare «help» o «?» per i comandi disponibili."
 #. TRANSLATORS: do not translate 'print', leave it as it is
 #: src/nmcli/connections.c:9072
 msgid "Type 'print' to show all the connection properties."
-msgstr "Digitare «stampa» per mostrare tutte le proprietà della connessione."
+msgstr "Digitare «print» per mostrare tutte le proprietà della connessione."
 #. TRANSLATORS: do not translate 'describe', leave it as it is
 #: src/nmcli/connections.c:9075
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
--- a/po/ru.po
+++ b/po/ru.po
--- a/po/sk.po
+++ b/po/sk.po
--- a/po/sl.po
+++ b/po/sl.po
--- a/src/contrib/nm-vpn-plugin-utils.c
+++ b/src/contrib/nm-vpn-plugin-utils.c
@ -155,3 +155,33 @@ nm_vpn_plugin_utils_load_editor(const char                   *module_path,
    g_return_val_if_fail(NM_IS_VPN_EDITOR(editor), NULL);
    return editor;
 }
 char *
 nm_vpn_plugin_utils_get_cert_path(const char *plugin)
 {
    const char *path;
    g_return_val_if_fail(plugin, NULL);
    /* Users can set NM_CERT_PATH=~/.cert to be compatible with the certificate
     * directory used in the past. */
    path = g_getenv("NM_CERT_PATH");
    if (path)
        return g_build_filename(path, plugin, NULL);
    /* Otherwise use XDG_DATA_HOME. We use subdirectory "networkmanagement/certificates"
     * because the SELinux policy already has rules to set the correct labels in that
     * directory. */
    path = g_getenv("XDG_DATA_HOME");
    if (path)
        return g_build_filename(path, "networkmanagement", "certificates", plugin, NULL);
    /* Use the default value for XDG_DATA_HOME */
    return g_build_filename(g_get_home_dir(),
                            ".local",
                            "share",
                            "networkmanagement",
                            "certificates",
                            plugin,
                            NULL);
 }
--- a/src/contrib/nm-vpn-plugin-utils.h
+++ b/src/contrib/nm-vpn-plugin-utils.h
@ -24,4 +24,6 @@ NMVpnEditor *nm_vpn_plugin_utils_load_editor(const char                   *modul
                                             gpointer                      user_data,
                                             GError                      **error);
 char *nm_vpn_plugin_utils_get_cert_path(const char *plugin);
 #endif /* __NM_VPN_PLUGIN_UTILS_H__ */
--- a/src/core/devices/nm-device-bond.c
+++ b/src/core/devices/nm-device-bond.c
@ -52,8 +52,7 @@
        NM_SETTING_BOND_OPTION_PACKETS_PER_SLAVE, NM_SETTING_BOND_OPTION_PRIMARY_RESELECT, \
        NM_SETTING_BOND_OPTION_RESEND_IGMP, NM_SETTING_BOND_OPTION_USE_CARRIER,            \
        NM_SETTING_BOND_OPTION_XMIT_HASH_POLICY, NM_SETTING_BOND_OPTION_NUM_GRAT_ARP,      \
-        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX,    \
+        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX
        NM_SETTING_BOND_OPTION_LACP_ACTIVE
 #define OPTIONS_REAPPLY_FULL                                     \
    OPTIONS_REAPPLY_SUBSET, NM_SETTING_BOND_OPTION_ACTIVE_SLAVE, \
--- a/src/core/devices/nm-device-bridge.c
+++ b/src/core/devices/nm-device-bridge.c
@ -1066,7 +1066,7 @@ attach_port(NMDevice                  *device,
            plat_vlans = setting_vlans_to_platform(vlans, &num_vlans);
-            /* Since the link was just enportd, there are no existing VLANs
+            /* Since the link was just attached, there are no existing VLANs
             * (except for the default one) and so there's no need to flush. */
            if (plat_vlans
--- a/src/core/devices/nm-device-ethernet.c
+++ b/src/core/devices/nm-device-ethernet.c
@ -14,7 +14,6 @@
 #include <libudev.h>
 #include <linux/if_ether.h>
 #include "NetworkManagerUtils.h"
 #include "NetworkManagerUtils.h"
 #include "libnm-core-aux-intern/nm-libnm-core-utils.h"
 #include "libnm-core-intern/nm-core-internal.h"
@ -630,10 +629,17 @@ build_supplicant_config(NMDeviceEthernet *self, GError **error)
    mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                   nm_device_get_ifindex(NM_DEVICE(self)));
-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
                                      nm_utils_get_connection_first_permissions_user(connection));
    security = nm_connection_get_setting_802_1x(connection);
-    if (!nm_supplicant_config_add_setting_8021x(config, security, con_uuid, mtu, TRUE, error)) {
+    if (!nm_supplicant_config_add_setting_8021x(config,
                                                security,
                                                con_uuid,
                                                mtu,
                                                TRUE,
                                                nm_device_get_private_files(NM_DEVICE(self)),
                                                error)) {
        g_prefix_error(error, "802-1x-setting: ");
        g_clear_object(&config);
    }
@ -701,6 +707,9 @@ supplicant_iface_start(NMDeviceEthernet *self)
    NMDeviceEthernetPrivate            *priv   = NM_DEVICE_ETHERNET_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
    NMActRequest                       *request;
    NMActiveConnection                 *controller_ac;
    NMDevice                           *controller;
    config = build_supplicant_config(self, &error);
    if (!config) {
@ -715,6 +724,16 @@ supplicant_iface_start(NMDeviceEthernet *self)
    }
    nm_supplicant_interface_disconnect(priv->supplicant.iface);
    /* Tell the supplicant in which bridge the interface is */
    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
        && (controller = nm_active_connection_get_device(controller_ac))
        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
    } else
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
@ -1894,7 +1913,7 @@ get_ip_method_auto(NMDevice *device, int addr_family)
        /* We cannot do DHCPv4 on a PPP link, instead we get "auto" IP addresses
         * by pppd. Return "manual" here, which has the suitable effect to a
         * (zero) manual addresses in addition. */
-        return NM_SETTING_IP6_CONFIG_METHOD_MANUAL;
+        return NM_SETTING_IP4_CONFIG_METHOD_MANUAL;
    }
    return NM_SETTING_IP6_CONFIG_METHOD_AUTO;
--- a/src/core/devices/nm-device-hsr.c
+++ b/src/core/devices/nm-device-hsr.c
@ -117,28 +117,50 @@ create_and_realize(NMDevice              *device,
                   GError               **error)
 {
    const char        *iface   = nm_device_get_iface(device);
    nm_auto_free char *err_msg = NULL;
    NMSettingHsr      *s_hsr;
    NMPlatformLnkHsr   lnk = {};
-    int              r;
+    int                r   = 0;
    s_hsr = _nm_connection_get_setting(connection, NM_TYPE_SETTING_HSR);
    nm_assert(s_hsr);
    if (nm_setting_hsr_get_port1(s_hsr) != NULL)
        lnk.port1 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port1(s_hsr));
    if (nm_setting_hsr_get_port2(s_hsr) != NULL)
        lnk.port2 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port2(s_hsr));
    if (nm_setting_hsr_get_interlink(s_hsr) != NULL) {
        const char *ifname  = nm_setting_hsr_get_interlink(s_hsr);
        int         ifindex = nm_platform_link_get_ifindex(NM_PLATFORM_GET, ifname);
        if (ifindex <= 0) {
            err_msg = g_strdup_printf("interlink port '%s' does not exist", ifname);
            goto out;
        }
        lnk.interlink = ifindex;
    }
    lnk.multicast_spec   = nm_setting_hsr_get_multicast_spec(s_hsr);
    lnk.prp              = nm_setting_hsr_get_prp(s_hsr);
    lnk.protocol_version = nm_setting_hsr_get_protocol_version(s_hsr);
    r = nm_platform_link_hsr_add(nm_device_get_platform(device), iface, &lnk, out_plink);
    if (r < 0) {
        err_msg = g_strdup(nm_strerror(r) ?: "unknown");
    }
 out:
    if (err_msg) {
        g_set_error(error,
                    NM_DEVICE_ERROR,
                    NM_DEVICE_ERROR_CREATION_FAILED,
                    "Failed to create HSR interface '%s' for '%s': %s",
                    iface,
                    nm_connection_get_id(connection),
-                    nm_strerror(r));
+                    err_msg);
        return FALSE;
    }
--- a/src/core/devices/nm-device-macsec.c
+++ b/src/core/devices/nm-device-macsec.c
@ -201,7 +201,8 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
    mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                   nm_device_get_ifindex(NM_DEVICE(self)));
-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
                                      nm_utils_get_connection_first_permissions_user(connection));
    s_macsec = nm_device_get_applied_setting(NM_DEVICE(self), NM_TYPE_SETTING_MACSEC);
@ -227,7 +228,13 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
    if (nm_setting_macsec_get_mode(s_macsec) == NM_SETTING_MACSEC_MODE_EAP) {
        s_8021x = nm_connection_get_setting_802_1x(connection);
-        if (!nm_supplicant_config_add_setting_8021x(config, s_8021x, con_uuid, mtu, TRUE, error)) {
+        if (!nm_supplicant_config_add_setting_8021x(config,
                                                    s_8021x,
                                                    con_uuid,
                                                    mtu,
                                                    TRUE,
                                                    nm_device_get_private_files(NM_DEVICE(self)),
                                                    error)) {
            g_prefix_error(error, "802-1x-setting: ");
            return NULL;
        }
@ -433,6 +440,9 @@ supplicant_iface_start(NMDeviceMacsec *self)
    NMDeviceMacsecPrivate              *priv   = NM_DEVICE_MACSEC_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
    NMActRequest                       *request;
    NMActiveConnection                 *controller_ac;
    NMDevice                           *controller;
    config = build_supplicant_config(self, &error);
    if (!config) {
@ -445,6 +455,16 @@ supplicant_iface_start(NMDeviceMacsec *self)
    }
    nm_supplicant_interface_disconnect(priv->supplicant.iface);
    /* Tell the supplicant in which bridge the interface is */
    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
        && (controller = nm_active_connection_get_device(controller_ac))
        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
    } else
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
--- a/src/core/devices/nm-device-private.h
+++ b/src/core/devices/nm-device-private.h
@ -115,9 +115,6 @@ gboolean nm_device_sysctl_ip_conf_set(NMDevice   *self,
 NML3ConfigData *nm_device_create_l3_config_data(NMDevice *self, NMIPConfigSource source);
 NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
                                                                NMConnection *connection);
 void nm_device_ip_method_dhcp4_start(NMDevice *self);
 void nm_device_ip_method_autoconf6_start(NMDevice *self);
@ -179,4 +176,6 @@ void nm_device_auth_request(NMDevice                      *self,
 void nm_device_link_properties_set(NMDevice *self, gboolean reapply);
 GHashTable *nm_device_get_private_files(NMDevice *self);
 #endif /* NM_DEVICE_PRIVATE_H */
--- a/src/core/devices/nm-device-utils.c
+++ b/src/core/devices/nm-device-utils.c
@ -135,13 +135,17 @@ NM_UTILS_LOOKUP_STR_DEFINE(
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_LINK_NOT_INIT,
                             "unmanaged-link-not-init"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_QUITTING, "unmanaged-quitting"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_SLEEPING, "unmanaged-sleeping"),
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_MANAGER_DISABLED,
                             "unmanaged-nm-disabled"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_CONF, "unmanaged-user-conf"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_EXPLICIT,
                             "unmanaged-user-explicit"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_SETTINGS,
                             "unmanaged-user-settings"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"), );
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE,
                             "modem-no-operator-code"), );
 NM_UTILS_LOOKUP_STR_DEFINE(nm_device_mtu_source_to_string,
                           NMDeviceMtuSource,
@ -235,7 +239,7 @@ resolve_addr_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data
    gs_free_error GError *error  = NULL;
    gs_free char         *output = NULL;
-    output = nm_utils_spawn_helper_finish(result, &error);
+    output = nm_utils_spawn_helper_finish_string(result, &error);
    if (nm_utils_error_is_cancelled(error))
        return;
@ -274,6 +278,7 @@ resolve_addr_spawn_helper(ResolveAddrInfo *info, ResolveAddrService services)
    nm_inet_ntop(info->addr_family, &info->address, addr_str);
    _LOG2D(info, "start lookup via nm-daemon-helper using services: %s", str);
    nm_utils_spawn_helper(NM_MAKE_STRV("resolve-address", addr_str, str),
                          FALSE,
                          g_task_get_cancellable(info->task),
                          resolve_addr_helper_cb,
                          info);
--- a/src/core/devices/nm-device-wireguard.c
+++ b/src/core/devices/nm-device-wireguard.c
@ -1672,6 +1672,57 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
    return ret;
 }
 static gboolean
 skip_peer_route(const NMIPAddr    *peer_addr,
                guint              peer_addr_prefix,
                int                addr_family,
                NMSettingIPConfig *s_ip)
 {
    guint num_addresses;
    guint i;
    /*
     * If the allowed-ip subnet is already reachable on the interface via the
     * prefix route of a static IP address, skip adding the peer route.
     * We don't want to override the prefix route with a new one because the
     * prefix route also specifies the correct source IP address.
     *
     * wg-quick does something similar here:
     * https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?h=v1.0.20250521#n177
     * The condition in wg-quick is a bit different because it checks that no
     * duplicate route exists on the interface. We can't do exactly the same
     * because here we don't have visibility on all the platform routes.
     */
    if (!s_ip)
        return FALSE;
    num_addresses = nm_setting_ip_config_get_num_addresses(s_ip);
    for (i = 0; i < num_addresses; i++) {
        NMIPAddr     setting_addr;
        NMIPAddr     peer_addr_tmp;
        guint        setting_prefix;
        NMIPAddress *a;
        peer_addr_tmp = *peer_addr;
        a = nm_setting_ip_config_get_address(s_ip, i);
        nm_ip_address_get_address_binary(a, &setting_addr);
        setting_prefix = nm_ip_address_get_prefix(a);
        if (setting_prefix > peer_addr_prefix)
            continue;
        nm_ip_addr_clear_host_address(addr_family, &setting_addr, NULL, setting_prefix);
        nm_ip_addr_clear_host_address(addr_family, &peer_addr_tmp, NULL, setting_prefix);
        if (nm_ip_addr_equal(addr_family, &peer_addr_tmp, &setting_addr))
            return TRUE;
    }
    return FALSE;
 }
 static const NML3ConfigData *
 _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 {
@ -1738,6 +1789,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
        n_aips = nm_wireguard_peer_get_allowed_ips_len(peer);
        for (j = 0; j < n_aips; j++) {
            NMSettingIPConfig *s_ip;
            NMPlatformIPXRoute rt;
            NMIPAddr           addrbin;
            const char        *aip;
@ -1746,6 +1798,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
            guint32            rtable_coerced;
            aip  = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
            s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
            if (!valid || !nm_inet_parse_with_prefix_bin(addr_family, aip, NULL, &addrbin, &prefix))
                continue;
@ -1754,9 +1807,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
                prefix = (addr_family == AF_INET) ? 32 : 128;
            if (prefix == 0) {
                NMSettingIPConfig *s_ip;
                s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
                if (nm_setting_ip_config_get_never_default(s_ip))
                    continue;
            }
@ -1769,6 +1819,9 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
            nm_ip_addr_clear_host_address(addr_family, &addrbin, NULL, prefix);
            if (skip_peer_route(&addrbin, prefix, addr_family, s_ip))
                continue;
            rtable_coerced = route_table_coerced;
            if (prefix == 0 && auto_default_route_enabled) {
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@ -113,6 +113,19 @@ typedef enum {
    RELEASE_PORT_TYPE_CONFIG_FORCE,
 } ReleasePortType;
 /**
 * CleanupType:
 * @CLEANUP_TYPE_KEEP: Cleanup internally but keep the real device's config. This is
 *   often used when moving a partially managed device to "unmanaged" (but not only).
 * @CLEANUP_TYPE_REMOVED: The device suddently disappeared. Cleanup internally but don't
 *   make any action on the real device at all, as it no longer exists.
 * @CLEANUP_TYPE_DECONFIGURE: Also deconfigure the real device. This is the typical
 *   action when a connection or device is set to "down", or fully managed devices
 *   moved to "unmanaged".
 * @CLEANUP_TYPE_KEEP_REAPPLY: Like %CLEANUP_TYPE_KEEP, but indicating that it's a
 *   reapply. Some special actions can be done if we're doing a reapply, like keeping
 *   the existing DHCP lease, for example.
 */
 typedef enum {
    CLEANUP_TYPE_KEEP,
    CLEANUP_TYPE_REMOVED,
@ -266,7 +279,7 @@ typedef struct {
    union {
        struct {
            NMDnsMasqManager     *dnsmasq_manager;
-            NMNetnsSharedIPHandle *shared_ip_handle;
+            NMNetnsIPReservation *ip_reservation;
            NMFirewallConfig     *firewall_config;
            gulong                dnsmasq_state_id;
            const NML3ConfigData *l3cd;
@ -335,6 +348,12 @@ typedef struct {
    int           addr_family;
 } HostnameResolver;
 typedef enum {
    PRIVATE_FILES_STATE_UNKNOWN = 0,
    PRIVATE_FILES_STATE_READING,
    PRIVATE_FILES_STATE_DONE,
 } PrivateFilesState;
 /*****************************************************************************/
 enum {
@ -692,6 +711,8 @@ typedef struct _NMDevicePrivate {
    IPDevStateData ipdev_data_unspec;
    gulong sharing_ipv4_changed_id;
    struct {
        /* If we set the addrgenmode6, this records the previously set value. */
        guint8 previous_mode_val;
@ -769,6 +790,13 @@ typedef struct _NMDevicePrivate {
        guint64  rx_bytes;
    } stats;
    struct {
        GHashTable       *table;
        GCancellable     *cancellable;
        char             *user;
        PrivateFilesState state;
    } private_files;
    bool mtu_force_set_done : 1;
    bool needs_ip6_subnet : 1;
@ -779,7 +807,6 @@ typedef struct _NMDevicePrivate {
    char     *prop_ip_iface; /* IP interface D-Bus property */
    GList    *ping_operations;
    GSource  *ping_timeout;
    bool      refresh_forwarding_done : 1;
 } NMDevicePrivate;
 G_DEFINE_ABSTRACT_TYPE(NMDevice, nm_device, NM_TYPE_DBUS_OBJECT)
@ -867,6 +894,8 @@ static void _dev_ipshared4_spawn_dnsmasq(NMDevice *self);
 static void _dev_ipshared6_start(NMDevice *self);
 static void _dev_ipforwarding4_start(NMDevice *self, int addr_family);
 static void
 _cleanup_ip_pre(NMDevice *self, int addr_family, CleanupType cleanup_type, gboolean preserve_dhcp);
@ -1395,14 +1424,12 @@ _prop_get_ipvx_routed_dns(NMDevice *self, int addr_family)
 }
 static NMSettingConnectionMdns
-_prop_get_connection_mdns(NMDevice *self)
+_prop_get_connection_mdns(NMDevice *self, NMConnection *connection)
 {
    NMConnection           *connection;
    NMSettingConnectionMdns mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT;
    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_MDNS_DEFAULT);
    connection = nm_device_get_applied_connection(self);
    if (connection)
        mdns = nm_setting_connection_get_mdns(nm_connection_get_setting_connection(connection));
    if (mdns != NM_SETTING_CONNECTION_MDNS_DEFAULT)
@ -1437,14 +1464,12 @@ _prop_get_sriov_preserve_on_down(NMDevice *self, NMSettingSriov *s_sriov)
 }
 static NMSettingConnectionLlmnr
-_prop_get_connection_llmnr(NMDevice *self)
+_prop_get_connection_llmnr(NMDevice *self, NMConnection *connection)
 {
    NMConnection            *connection;
    NMSettingConnectionLlmnr llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_LLMNR_DEFAULT);
    connection = nm_device_get_applied_connection(self);
    if (connection)
        llmnr = nm_setting_connection_get_llmnr(nm_connection_get_setting_connection(connection));
    if (llmnr != NM_SETTING_CONNECTION_LLMNR_DEFAULT)
@ -1459,14 +1484,12 @@ _prop_get_connection_llmnr(NMDevice *self)
 }
 static NMSettingConnectionDnsOverTls
-_prop_get_connection_dns_over_tls(NMDevice *self)
+_prop_get_connection_dns_over_tls(NMDevice *self, NMConnection *connection)
 {
    NMConnection                 *connection;
    NMSettingConnectionDnsOverTls dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
    connection = nm_device_get_applied_connection(self);
    if (connection)
        dns_over_tls = nm_setting_connection_get_dns_over_tls(
            nm_connection_get_setting_connection(connection));
@ -1481,15 +1504,33 @@ _prop_get_connection_dns_over_tls(NMDevice *self)
                                                       NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
 }
-static NMMptcpFlags
+static NMSettingConnectionDnssec
-_prop_get_connection_mptcp_flags(NMDevice *self)
+_prop_get_connection_dnssec(NMDevice *self, NMConnection *connection)
 {
    NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
    if (connection)
        dnssec = nm_setting_connection_get_dnssec(nm_connection_get_setting_connection(connection));
    if (dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
        return dnssec;
    return nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
                                                       NM_CON_DEFAULT("connection.dnssec"),
                                                       self,
                                                       NM_SETTING_CONNECTION_DNSSEC_NO,
                                                       NM_SETTING_CONNECTION_DNSSEC_YES,
                                                       NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
 }
 static NMMptcpFlags
 _prop_get_connection_mptcp_flags(NMDevice *self, NMConnection *connection)
 {
    NMConnection *connection;
    NMMptcpFlags mptcp_flags = NM_MPTCP_FLAGS_NONE;
    g_return_val_if_fail(NM_IS_DEVICE(self), NM_MPTCP_FLAGS_DISABLED);
    connection = nm_device_get_applied_connection(self);
    if (connection) {
        mptcp_flags =
            nm_setting_connection_get_mptcp_flags(nm_connection_get_setting_connection(connection));
@ -2131,8 +2172,8 @@ _prop_get_ipvx_dhcp_send_hostname(NMDevice *self, int addr_family)
    return send_hostname_v2;
 }
-NMSettingIPConfigForwarding
+static NMSettingIPConfigForwarding
-nm_device_get_ipv4_forwarding(NMDevice *self)
+_prop_get_ipv4_forwarding(NMDevice *self)
 {
    NMSettingIPConfig          *s_ip;
    NMSettingIPConfigForwarding forwarding;
@ -2455,16 +2496,14 @@ _prop_get_ipv4_dhcp_vendor_class_identifier(NMDevice *self, NMSettingIP4Config *
 }
 static NMSettingIP6ConfigPrivacy
-_prop_get_ipv6_ip6_privacy(NMDevice *self)
+_prop_get_ipv6_ip6_privacy(NMDevice *self, NMConnection *connection)
 {
    NMSettingIP6ConfigPrivacy ip6_privacy;
    NMConnection             *connection;
    g_return_val_if_fail(self, NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN);
    /* 1.) First look at the per-connection setting. If it is not -1 (unknown),
     * use it. */
    connection = nm_device_get_applied_connection(self);
    if (connection) {
        NMSettingIPConfig *s_ip6 = nm_connection_get_setting_ip6_config(connection);
@ -3597,11 +3636,12 @@ nm_device_create_l3_config_data_from_connection(NMDevice *self, NMConnection *co
    l3cd =
        nm_l3_config_data_new_from_connection(nm_device_get_multi_index(self), ifindex, connection);
-    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self));
+    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self, connection));
-    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self));
+    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self, connection));
-    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self));
+    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self, connection));
-    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self));
+    nm_l3_config_data_set_dnssec(l3cd, _prop_get_connection_dnssec(self, connection));
-    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self));
+    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self, connection));
    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self, connection));
    return l3cd;
 }
@ -3778,7 +3818,7 @@ nm_device_assume_state_reset(NMDevice *self)
 /*****************************************************************************/
-char *
+static char *
 nm_device_sysctl_ip_conf_get(NMDevice *self, int addr_family, const char *property)
 {
    const char *ifname;
@ -6304,6 +6344,14 @@ concheck_is_possible(NMDevice *self)
    if (priv->state == NM_DEVICE_STATE_UNKNOWN)
        return FALSE;
    if (!nm_config_data_get_device_config_boolean_by_device(
            NM_CONFIG_GET_DATA,
            NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
            self,
            TRUE,
            TRUE))
        return FALSE;
    return TRUE;
 }
@ -6324,8 +6372,10 @@ concheck_periodic_schedule_do(NMDevice *self, int addr_family, gint64 now_ns)
        goto out;
    }
-    if (!concheck_is_possible(self))
+    if (!concheck_is_possible(self)) {
        concheck_update_state(self, addr_family, NM_CONNECTIVITY_UNKNOWN, FALSE);
        goto out;
    }
    nm_assert(now_ns > 0);
    nm_assert(priv->concheck_x[IS_IPv4].p_cur_interval > 0);
@ -6548,7 +6598,11 @@ concheck_update_interval(NMDevice *self, int addr_family, gboolean check_now)
        concheck_periodic_schedule_do(self, addr_family, 0);
        /* also update the fake connectivity state. */
        if (concheck_is_possible(self))
            concheck_update_state(self, addr_family, NM_CONNECTIVITY_FAKE, TRUE);
        else
            concheck_update_state(self, addr_family, NM_CONNECTIVITY_UNKNOWN, FALSE);
        return;
    }
@ -6577,6 +6631,7 @@ concheck_update_state(NMDevice           *self,
    /* @state is a result of the connectivity check. We only expect a precise
     * number of possible values. */
    nm_assert(NM_IN_SET(state,
                        NM_CONNECTIVITY_UNKNOWN,
                        NM_CONNECTIVITY_LIMITED,
                        NM_CONNECTIVITY_PORTAL,
                        NM_CONNECTIVITY_FULL,
@ -6645,7 +6700,7 @@ concheck_update_state(NMDevice           *self,
    }
 }
-const char *
+static const char *
 nm_device_get_effective_ip_config_method(NMDevice *self, int addr_family)
 {
    NMDeviceClass *klass;
@ -6900,8 +6955,11 @@ nm_device_check_connectivity(NMDevice                    *self,
                             NMDeviceConnectivityCallback callback,
                             gpointer                     user_data)
 {
-    if (!concheck_is_possible(self))
+    if (!concheck_is_possible(self)) {
        concheck_update_state(self, AF_INET, NM_CONNECTIVITY_UNKNOWN, FALSE);
        concheck_update_state(self, AF_INET6, NM_CONNECTIVITY_UNKNOWN, FALSE);
        return NULL;
    }
    concheck_periodic_schedule_set(self, addr_family, CONCHECK_SCHEDULE_CHECK_EXTERNAL);
    return concheck_start(self, addr_family, callback, user_data, FALSE);
@ -8289,6 +8347,17 @@ config_changed(NMConfig           *config,
            && !nm_device_get_applied_setting(self, NM_TYPE_SETTING_SRIOV))
            device_init_static_sriov_num_vfs(self);
    }
    if (NM_FLAGS_HAS(changes, NM_CONFIG_CHANGE_VALUES) && concheck_is_possible(self)) {
        /* restart (periodic) connectivity checks if they were previously disabled */
        if (!nm_config_data_get_device_config_boolean_by_device(
                old_data,
                NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
                self,
                TRUE,
                TRUE))
            nm_device_check_connectivity_update_interval(self);
    }
 }
 static void
@ -8639,6 +8708,8 @@ nm_device_unrealize(NMDevice *self, gboolean remove_resources, GError **error)
    g_object_thaw_notify(G_OBJECT(self));
    nm_device_managed_type_set(self, NM_DEVICE_MANAGED_TYPE_REMOVED);
    nm_device_set_unmanaged_flags(self, NM_UNMANAGED_PLATFORM_INIT, TRUE);
    nm_device_set_unmanaged_flags(self,
@ -9164,6 +9235,10 @@ is_available(NMDevice *self, NMDeviceCheckDevAvailableFlags flags)
 {
    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
    /* unrealized software devices are always available, hardware devices never */
    if (!nm_device_is_real(self))
        return nm_device_is_software(self);
    if (priv->carrier || priv->ignore_carrier)
        return TRUE;
@ -10390,6 +10465,43 @@ sriov_params_cb(GError *error, gpointer user_data)
    nm_device_activate_schedule_stage1_device_prepare(self, FALSE);
 }
 static gboolean
 sriov_gen_platform_vfs(NMDevice       *self,
                       NMSettingSriov *s_sriov,
                       NMPlatformVF ***plat_vfs_out,
                       GError        **error)
 {
    nm_auto_freev NMPlatformVF **plat_vfs = NULL;
    guint                        num;
    nm_assert(s_sriov);
    nm_assert(plat_vfs_out && !*plat_vfs_out);
    num      = nm_setting_sriov_get_num_vfs(s_sriov);
    plat_vfs = g_new0(NMPlatformVF *, num + 1);
    for (int i = 0; i < num; i++) {
        NMSriovVF            *vf    = nm_setting_sriov_get_vf(s_sriov, i);
        gs_free_error GError *local = NULL;
        plat_vfs[i] = sriov_vf_config_to_platform(self, vf, &local);
        if (!plat_vfs[i]) {
            g_set_error(error,
                        local->domain,
                        local->code,
                        "VF '%s' is invalid: %s",
                        nm_utils_sriov_vf_to_str(vf, FALSE, NULL),
                        local->message);
            return FALSE;
        }
    }
    *plat_vfs_out = g_steal_pointer(&plat_vfs);
    return TRUE;
 }
 /*
 * activate_stage1_device_prepare
 *
@ -10436,10 +10548,7 @@ activate_stage1_device_prepare(NMDevice *self)
        if (s_sriov && nm_device_has_capability(self, NM_DEVICE_CAP_SRIOV)) {
            nm_auto_freev NMPlatformVF **plat_vfs = NULL;
            gs_free_error GError        *error    = NULL;
            NMSriovVF                   *vf;
            NMTernary                    autoprobe;
            guint                        num;
            guint                        i;
            autoprobe = nm_setting_sriov_get_autoprobe_drivers(s_sriov);
            if (autoprobe == NM_TERNARY_DEFAULT) {
@ -10452,22 +10561,13 @@ activate_stage1_device_prepare(NMDevice *self)
                    NM_OPTION_BOOL_TRUE);
            }
-            num      = nm_setting_sriov_get_num_vfs(s_sriov);
+            if (!sriov_gen_platform_vfs(self, s_sriov, &plat_vfs, &error)) {
-            plat_vfs = g_new0(NMPlatformVF *, num + 1);
+                _LOGE(LOGD_DEVICE, "cannot parse the VF list: %s", error->message);
            for (i = 0; i < num; i++) {
                vf          = nm_setting_sriov_get_vf(s_sriov, i);
                plat_vfs[i] = sriov_vf_config_to_platform(self, vf, &error);
                if (!plat_vfs[i]) {
                    _LOGE(LOGD_DEVICE,
                          "failed to apply SR-IOV VF '%s': %s",
                          nm_utils_sriov_vf_to_str(vf, FALSE, NULL),
                          error->message);
                nm_device_state_changed(self,
                                        NM_DEVICE_STATE_FAILED,
                                        NM_DEVICE_STATE_REASON_SRIOV_CONFIGURATION_FAILED);
                return;
            }
            }
            /* When changing the number of VFs the kernel can block
             * for very long time in the write to sysfs, especially
@ -10773,6 +10873,49 @@ tc_commit(NMDevice *self)
    return TRUE;
 }
 static void
 read_private_files_cb(GObject *source_object, GAsyncResult *result, gpointer data)
 {
    gs_unref_hashtable GHashTable *table = NULL;
    gs_free_error GError          *error = NULL;
    NMDevice                      *self;
    NMDevicePrivate               *priv;
    table = nm_utils_read_private_files_finish(result, &error);
    if (nm_utils_error_is_cancelled(error))
        return;
    self = NM_DEVICE(data);
    priv = NM_DEVICE_GET_PRIVATE(self);
    if (error) {
        NMConnection *connection = nm_device_get_applied_connection(self);
        _LOGW(LOGD_DEVICE,
              "could not read files for private connection %s owned by user '%s': %s",
              connection ? nm_connection_get_uuid(connection) : NULL,
              priv->private_files.user,
              error->message);
        nm_device_state_changed(self, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_CONFIG_FAILED);
        return;
    }
    _LOGD(LOGD_DEVICE, "private files successfully read");
    priv->private_files.state = PRIVATE_FILES_STATE_DONE;
    priv->private_files.table = g_steal_pointer(&table);
    g_clear_pointer(&priv->private_files.user, g_free);
    g_clear_object(&priv->private_files.cancellable);
    nm_device_activate_schedule_stage2_device_config(self, FALSE);
 }
 GHashTable *
 nm_device_get_private_files(NMDevice *self)
 {
    return NM_DEVICE_GET_PRIVATE(self)->private_files.table;
 }
 /*
 * activate_stage2_device_config
 *
@ -10785,6 +10928,7 @@ activate_stage2_device_config(NMDevice *self)
 {
    NMDevicePrivate *priv  = NM_DEVICE_GET_PRIVATE(self);
    NMDeviceClass   *klass = NM_DEVICE_GET_CLASS(self);
    NMConnection    *applied;
    NMActStageReturn ret;
    NMSettingWired  *s_wired;
    gboolean         no_firmware = FALSE;
@ -10793,6 +10937,68 @@ activate_stage2_device_config(NMDevice *self)
    nm_device_state_changed(self, NM_DEVICE_STATE_CONFIG, NM_DEVICE_STATE_REASON_NONE);
    applied = nm_device_get_applied_connection(self);
    /* If the connection is private (owned by a specific user), we need to
     * verify that the user has permission to access any files specified in
     * the connection, such as certificates and keys. We do that by calling
     * nm_utils_read_private_files() and saving the file contents in a hash
     * table that can be accessed later during the activation. It is important
     * to never access the files again to avoid TOCTOU bugs.
     */
    switch (priv->private_files.state) {
    case PRIVATE_FILES_STATE_UNKNOWN:
    {
        gs_free const char **paths = NULL;
        NMSettingConnection *s_con;
        const char          *user;
        s_con = nm_connection_get_setting_connection(applied);
        nm_assert(s_con);
        user = _nm_setting_connection_get_first_permissions_user(s_con);
        priv->private_files.user = g_strdup(user);
        if (!priv->private_files.user) {
            priv->private_files.state = PRIVATE_FILES_STATE_DONE;
            break;
        }
        paths = nm_utils_get_connection_private_files_paths(applied);
        if (!paths) {
            priv->private_files.state = PRIVATE_FILES_STATE_DONE;
            break;
        }
        if (_nm_setting_connection_get_num_permissions_users(s_con) > 1) {
            _LOGW(LOGD_DEVICE,
                  "private connections with multiple users are not allowed to reference "
                  "certificates and keys on the filesystem. Specify only one user in the "
                  "connection.permissions property.");
            nm_device_state_changed(self,
                                    NM_DEVICE_STATE_FAILED,
                                    NM_DEVICE_STATE_REASON_CONFIG_FAILED);
            return;
        }
        priv->private_files.state       = PRIVATE_FILES_STATE_READING;
        priv->private_files.cancellable = g_cancellable_new();
        _LOGD(LOGD_DEVICE, "reading private files");
        nm_utils_read_private_files(paths,
                                    priv->private_files.user,
                                    priv->private_files.cancellable,
                                    read_private_files_cb,
                                    self);
        return;
    }
    case PRIVATE_FILES_STATE_READING:
        /* wait */
        return;
    case PRIVATE_FILES_STATE_DONE:
        /* proceed */
        break;
    }
    if (!nm_device_managed_type_is_external(self)) {
        _ethtool_state_set(self);
        nm_device_link_properties_set(self, FALSE);
@ -10809,7 +11015,7 @@ activate_stage2_device_config(NMDevice *self)
        priv->tc_committed = TRUE;
    }
-    nm_routing_rules_sync(nm_device_get_applied_connection(self),
+    nm_routing_rules_sync(applied,
                          NM_TERNARY_TRUE,
                          klass->get_extra_rules,
                          self,
@ -12821,7 +13027,7 @@ _dev_ipac6_start(NMDevice *self)
            .router_solicitations         = router_solicitations,
            .router_solicitation_interval = router_solicitation_interval,
            .ra_timeout                   = ra_timeout,
-            .ip6_privacy                  = _prop_get_ipv6_ip6_privacy(self),
+            .ip6_privacy                  = _prop_get_ipv6_ip6_privacy(self, connection),
        };
        priv->ipac6_data.ndisc = nm_lndp_ndisc_new(&config);
@ -13008,7 +13214,6 @@ _dev_addrgenmode6_set(NMDevice *self, guint8 addr_gen_mode)
    if (!priv->addrgenmode6_data.previous_mode_has) {
        priv->addrgenmode6_data.previous_mode_has = TRUE;
        priv->addrgenmode6_data.previous_mode_val = cur_addr_gen_mode;
        nm_assert(priv->addrgenmode6_data.previous_mode_val == cur_addr_gen_mode);
    }
    _LOGD_ip(AF_INET6,
@ -13135,17 +13340,12 @@ activate_stage3_ip_config_for_addr_family(NMDevice *self, int addr_family)
        goto out_devip;
    if (IS_IPv4) {
        NMSettingIPConfigForwarding ipv4_forwarding = nm_device_get_ipv4_forwarding(self);
        if (NM_IN_SET(ipv4_forwarding,
                      NM_SETTING_IP_CONFIG_FORWARDING_NO,
                      NM_SETTING_IP_CONFIG_FORWARDING_YES)) {
            nm_device_sysctl_ip_conf_set(self, AF_INET, "forwarding", ipv4_forwarding ? "1" : "0");
        }
        priv->ipll_data_4.v4.mode = _prop_get_ipv4_link_local(self);
        if (priv->ipll_data_4.v4.mode == NM_SETTING_IP4_LL_ENABLED)
            _dev_ipll4_start(self);
        _dev_ipforwarding4_start(self, addr_family);
        if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_AUTO))
            _dev_ipdhcpx_start(self, AF_INET);
        else if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_LINK_LOCAL)) {
@ -13467,13 +13667,19 @@ _dev_ipsharedx_set_state(NMDevice *self, int addr_family, NMDeviceIPState state)
 {
    NMDevicePrivate *priv      = NM_DEVICE_GET_PRIVATE(self);
    const int        IS_IPv4   = NM_IS_IPv4(addr_family);
    NMDeviceIPState  old_state = priv->ipshared_data_x[IS_IPv4].state;
-    if (priv->ipshared_data_x[IS_IPv4].state != state) {
+    if (old_state != state) {
        _LOGD_ipshared(addr_family,
                       "set state %s (was %s)",
                       nm_device_ip_state_to_string(state),
-                       nm_device_ip_state_to_string(priv->ipshared_data_x[IS_IPv4].state));
+                       nm_device_ip_state_to_string(old_state));
        priv->ipshared_data_x[IS_IPv4].state = state;
        if (old_state == NM_DEVICE_IP_STATE_READY || state == NM_DEVICE_IP_STATE_READY)
            nm_manager_update_shared_connection(NM_MANAGER_GET,
                                                addr_family,
                                                state == NM_DEVICE_IP_STATE_READY);
    }
 }
@ -13496,7 +13702,7 @@ _dev_ipsharedx_cleanup(NMDevice *self, int addr_family)
            nm_clear_pointer(&priv->ipshared_data_4.v4.firewall_config, nm_firewall_config_free);
        }
-        nm_clear_pointer(&priv->ipshared_data_4.v4.shared_ip_handle, nm_netns_shared_ip_release);
+        nm_clear_pointer(&priv->ipshared_data_4.v4.ip_reservation, nm_netns_ip_reservation_release);
        nm_clear_l3cd(&priv->ipshared_data_4.v4.l3cd);
        _dev_l3_register_l3cds_set_one(self, L3_CONFIG_DATA_TYPE_SHARED_4, NULL, FALSE);
@ -13530,13 +13736,14 @@ _dev_ipshared4_new_l3cd(NMDevice *self, NMConnection *connection, NMPlatformIP4A
        nm_ip_address_get_address_binary(user, &a);
        nm_platform_ip4_address_set_addr(&address, a, nm_ip_address_get_prefix(user));
-        nm_clear_pointer(&priv->ipshared_data_4.v4.shared_ip_handle, nm_netns_shared_ip_release);
+        nm_clear_pointer(&priv->ipshared_data_4.v4.ip_reservation, nm_netns_ip_reservation_release);
    } else {
-        if (!priv->ipshared_data_4.v4.shared_ip_handle)
+        if (!priv->ipshared_data_4.v4.ip_reservation)
-            priv->ipshared_data_4.v4.shared_ip_handle =
+            priv->ipshared_data_4.v4.ip_reservation =
-                nm_netns_shared_ip_reserve(nm_device_get_netns(self));
+                nm_netns_ip_reservation_get(nm_device_get_netns(self),
                                            NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
        nm_platform_ip4_address_set_addr(&address,
-                                         priv->ipshared_data_4.v4.shared_ip_handle->addr,
+                                         priv->ipshared_data_4.v4.ip_reservation->addr,
                                         24);
    }
@ -13768,6 +13975,106 @@ _dev_ipshared6_start(NMDevice *self)
 /*****************************************************************************/
 /**
 * Set the device's forwarding to the specified value. If %NM_TERNARY_DEFAULT is specified,
 * it's set to the kernel's default, otherwise it's set to the specific value.
 */
 static void
 _dev_ipforwarding4_set(NMDevice *self, NMTernary val)
 {
    gs_free const char *default_forwarding = NULL;
    gs_free const char *current_forwarding = NULL;
    const char         *val_str;
    if (val != NM_TERNARY_DEFAULT) {
        val_str = val ? "1" : "0";
    } else {
        default_forwarding = nm_platform_sysctl_get(
            nm_device_get_platform(self),
            NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"));
        if (!default_forwarding) {
            _LOGW(LOGD_DEVICE,
                  "error setting IPv4 forwarding: can't read default forwarding value: %s",
                  nm_strerror_native(errno));
            return; /* Non fatal */
        }
        val_str = default_forwarding;
    }
    current_forwarding = nm_device_sysctl_ip_conf_get(self, AF_INET, "forwarding");
    if (nm_streq0(current_forwarding, val_str))
        return;
    if (!nm_device_sysctl_ip_conf_set(self, AF_INET, "forwarding", val_str))
        _LOGW(LOGD_DEVICE,
              "error setting IPv4 forwarding to '%s': %s",
              val_str,
              nm_strerror_native(errno));
 }
 static void
 _dev_ipforwarding4_auto_cb(NMManager *manager, gboolean sharing_ipv4, gpointer data)
 {
    NMDevice *self = NM_DEVICE(data);
    _dev_ipforwarding4_set(self, sharing_ipv4 ? NM_TERNARY_TRUE : NM_TERNARY_DEFAULT);
 }
 static void
 _dev_ipforwarding4_start(NMDevice *self, int addr_family)
 {
    NMDevicePrivate            *priv            = NM_DEVICE_GET_PRIVATE(self);
    NMSettingIPConfigForwarding ipv4_forwarding = _prop_get_ipv4_forwarding(self);
    NMTernary                   new_forwarding  = NM_TERNARY_DEFAULT;
    /* IPv6 per-interface forwarding not supported yet */
    if (addr_family != AF_INET)
        return;
    if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_SHARED)) {
        new_forwarding = NM_TERNARY_TRUE;
    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_YES) {
        new_forwarding = NM_TERNARY_TRUE;
    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_NO) {
        new_forwarding = NM_TERNARY_FALSE;
    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_AUTO) {
        if (nm_manager_get_sharing_ipv4(NM_MANAGER_GET))
            new_forwarding = NM_TERNARY_TRUE;
        else
            new_forwarding = NM_TERNARY_DEFAULT;
        if (!priv->sharing_ipv4_changed_id)
            priv->sharing_ipv4_changed_id = g_signal_connect(NM_MANAGER_GET,
                                                             NM_MANAGER_SHARING_IPV4_CHANGED,
                                                             G_CALLBACK(_dev_ipforwarding4_auto_cb),
                                                             self);
    } else {
        nm_assert_not_reached();
    }
    _dev_ipforwarding4_set(self, new_forwarding);
 }
 static void
 _dev_ipforwarding_cleanup(NMDevice *self, int addr_family, CleanupType cleanup_type)
 {
    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
    if (!NM_IS_IPv4(addr_family))
        return;
    nm_clear_g_signal_handler(NM_MANAGER_GET, &priv->sharing_ipv4_changed_id);
    if (NM_IN_SET(cleanup_type, CLEANUP_TYPE_DECONFIGURE, CLEANUP_TYPE_KEEP_REAPPLY)) {
        /* Deconfigure by restoring kernel's default */
        _dev_ipforwarding4_set(self, NM_TERNARY_DEFAULT);
    }
 }
 /*****************************************************************************/
 static void
 act_request_set(NMDevice *self, NMActRequest *act_request)
 {
@ -13880,6 +14187,8 @@ _cleanup_ip_pre(NMDevice *self, int addr_family, CleanupType cleanup_type, gbool
    NMDevicePrivate *priv         = NM_DEVICE_GET_PRIVATE(self);
    gboolean         keep_reapply = (cleanup_type == CLEANUP_TYPE_KEEP_REAPPLY);
    _dev_ipforwarding_cleanup(self, addr_family, cleanup_type);
    _dev_ipsharedx_cleanup(self, addr_family);
    _dev_ipdev_cleanup(self, AF_UNSPEC);
@ -14027,6 +14336,7 @@ can_reapply_change(NMDevice   *self,
                                                 NM_SETTING_CONNECTION_MDNS,
                                                 NM_SETTING_CONNECTION_LLMNR,
                                                 NM_SETTING_CONNECTION_DNS_OVER_TLS,
                                                 NM_SETTING_CONNECTION_DNSSEC,
                                                 NM_SETTING_CONNECTION_MPTCP_FLAGS,
                                                 NM_SETTING_CONNECTION_WAIT_ACTIVATION_DELAY);
    }
@ -14062,7 +14372,8 @@ can_reapply_change(NMDevice   *self,
        return nm_device_hash_check_invalid_keys(diffs,
                                                 NM_SETTING_SRIOV_SETTING_NAME,
                                                 error,
-                                                 NM_SETTING_SRIOV_PRESERVE_ON_DOWN);
+                                                 NM_SETTING_SRIOV_PRESERVE_ON_DOWN,
                                                 NM_SETTING_SRIOV_VFS);
    }
 out_fail:
@ -14240,9 +14551,35 @@ check_and_reapply_connection(NMDevice            *self,
    nm_device_link_properties_set(self, TRUE);
-    if (priv->state >= NM_DEVICE_STATE_CONFIG)
+    if (priv->state >= NM_DEVICE_STATE_CONFIG) {
        GHashTable *sriov_diff;
        lldp_setup(self, NM_TERNARY_DEFAULT);
        sriov_diff = nm_g_hash_table_lookup(diffs, NM_SETTING_SRIOV_SETTING_NAME);
        if (sriov_diff && nm_g_hash_table_lookup(sriov_diff, NM_SETTING_SRIOV_VFS)) {
            nm_auto_freev NMPlatformVF **plat_vfs = NULL;
            NMSettingSriov              *s_sriov;
            s_sriov = (NMSettingSriov *) nm_connection_get_setting(applied, NM_TYPE_SETTING_SRIOV);
            if (s_sriov) {
                gs_free_error GError *local = NULL;
                if (!sriov_gen_platform_vfs(self, s_sriov, &plat_vfs, &local)
                    || !nm_platform_link_set_sriov_vfs(nm_device_get_platform(self),
                                                       priv->ifindex,
                                                       (const NMPlatformVF *const *) plat_vfs)) {
                    _LOGE(LOGD_DEVICE,
                          "failed to reapply SRIOV VFs%s%s",
                          local ? ": " : "",
                          local ? local->message : "");
                }
            }
        }
    }
    if (priv->state >= NM_DEVICE_STATE_IP_CONFIG) {
        /* Allow reapply of MTU */
        priv->mtu_source = NM_DEVICE_MTU_SOURCE_NONE;
@ -14258,6 +14595,7 @@ check_and_reapply_connection(NMDevice            *self,
                NM_SETTING_CONNECTION_MDNS,
                NM_SETTING_CONNECTION_LLMNR,
                NM_SETTING_CONNECTION_DNS_OVER_TLS,
                NM_SETTING_CONNECTION_DNSSEC,
                NM_SETTING_CONNECTION_MPTCP_FLAGS)) {
            priv->ip_data_4.do_reapply = TRUE;
            priv->ip_data_6.do_reapply = TRUE;
@ -14696,13 +15034,15 @@ impl_device_delete(NMDBusObject                      *obj,
                           NULL);
 }
-static void
+static gboolean
 _device_activate(NMDevice *self, NMActRequest *req)
 {
    NMConnection *connection;
-    g_return_if_fail(NM_IS_DEVICE(self));
+    /* Returns TRUE on success, FALSE if the activation request could not be started */
-    g_return_if_fail(NM_IS_ACT_REQUEST(req));
+
    g_return_val_if_fail(NM_IS_DEVICE(self), FALSE);
    g_return_val_if_fail(NM_IS_ACT_REQUEST(req), FALSE);
    nm_assert(nm_device_is_real(self));
    /* Ensure the activation request is still valid; the controller may have
@ -14710,7 +15050,7 @@ _device_activate(NMDevice *self, NMActRequest *req)
     */
    if (nm_active_connection_get_state(NM_ACTIVE_CONNECTION(req))
        >= NM_ACTIVE_CONNECTION_STATE_DEACTIVATING)
-        return;
+        return FALSE;
    if (!nm_device_get_managed(self, FALSE)) {
        /* It's unclear why the device would be unmanaged at this point.
@ -14721,7 +15061,7 @@ _device_activate(NMDevice *self, NMActRequest *req)
        nm_active_connection_set_state_fail((NMActiveConnection *) req,
                                            NM_ACTIVE_CONNECTION_STATE_REASON_UNKNOWN,
                                            NULL);
-        return;
+        return FALSE;
    }
    connection = nm_act_request_get_applied_connection(req);
@ -14737,6 +15077,8 @@ _device_activate(NMDevice *self, NMActRequest *req)
    act_request_set(self, req);
    nm_device_activate_schedule_stage1_device_prepare(self, FALSE);
    return TRUE;
 }
 static void
@ -14756,7 +15098,9 @@ _carrier_wait_check_queued_act_request(NMDevice *self)
        _LOGD(LOGD_DEVICE, "Activate queued activation request as we now have carrier");
        queued_req = g_steal_pointer(&priv->queued_act_request);
-        _device_activate(self, queued_req);
+        if (!_device_activate(self, queued_req)) {
            delete_on_deactivate_check_and_schedule(self);
        }
    }
 }
@ -15603,7 +15947,7 @@ nm_device_get_firmware_missing(NMDevice *self)
 NM_UTILS_FLAGS2STR_DEFINE(nm_unmanaged_flags2str,
                          NMUnmanagedFlags,
-                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_SLEEPING, "sleeping"),
+                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_MANAGER_DISABLED, "nm-disabled"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_QUITTING, "quitting"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_PLATFORM_INIT, "platform-init"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_USER_EXPLICIT, "user-explicit"),
@ -15667,8 +16011,8 @@ unmanaged_flags_to_reason(NMUnmanagedFlags flags)
    /* Even if there are multiple flags, we can only return one reason.
     * Return the most important reason.
     */
-    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_SLEEPING))
+    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_MANAGER_DISABLED))
-        return NM_DEVICE_STATE_REASON_UNMANAGED_SLEEPING;
+        return NM_DEVICE_STATE_REASON_UNMANAGED_MANAGER_DISABLED;
    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_QUITTING))
        return NM_DEVICE_STATE_REASON_UNMANAGED_QUITTING;
    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_USER_SETTINGS))
@ -16913,8 +17257,6 @@ _cleanup_generic_post(NMDevice *self, NMDeviceStateReason reason, CleanupType cl
    priv->v4_route_table_all_sync_before = FALSE;
    priv->v6_route_table_all_sync_before = FALSE;
    priv->refresh_forwarding_done = FALSE;
    priv->mtu_force_set_done = FALSE;
    priv->needs_ip6_subnet = FALSE;
@ -16960,7 +17302,6 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
    NMDevicePrivate *priv;
    NMDeviceClass   *klass = NM_DEVICE_GET_CLASS(self);
    int              ifindex;
    gint32           default_forwarding_v4;
    g_return_if_fail(NM_IS_DEVICE(self));
@ -16983,27 +17324,41 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
        nm_device_sysctl_ip_conf_set(self, AF_INET6, "use_tempaddr", "0");
    }
    /* Restoring the device's forwarding to the sysctl default is necessary because
     * `refresh_forwarding()` only updates forwarding on activated devices. */
    default_forwarding_v4 = nm_platform_sysctl_get_int32(
        nm_device_get_platform(self),
        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"),
        0);
    nm_device_sysctl_ip_conf_set(self,
                                 AF_INET,
                                 "forwarding",
                                 default_forwarding_v4 == 1 ? "1" : "0");
    /* Call device type-specific deactivation */
    if (klass->deactivate)
        klass->deactivate(self);
    /* Clean up private files */
    nm_clear_g_cancellable(&priv->private_files.cancellable);
    g_clear_pointer(&priv->private_files.table, g_hash_table_unref);
    g_clear_pointer(&priv->private_files.user, g_free);
    priv->private_files.state = PRIVATE_FILES_STATE_UNKNOWN;
    ifindex = nm_device_get_ip_ifindex(self);
    if (cleanup_type == CLEANUP_TYPE_DECONFIGURE) {
        /* controller: release ports */
        nm_device_controller_release_ports_all(self);
        /* port: detach from controller */
        if (priv->controller) {
            nm_device_controller_release_port(priv->controller,
                                              self,
                                              RELEASE_PORT_TYPE_CONFIG,
                                              reason);
        }
    }
    /* port: mark no longer attached */
    if (priv->controller && priv->ifindex > 0
        && nm_platform_link_get_controller(nm_device_get_platform(self), priv->ifindex) <= 0) {
        nm_device_controller_release_port(priv->controller,
                                          self,
                                          RELEASE_PORT_TYPE_NO_CONFIG,
                                          NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED);
    }
    if (cleanup_type == CLEANUP_TYPE_DECONFIGURE) {
        /* Take out any entries in the routing table and any IP address the device had. */
        if (ifindex > 0) {
            NMPlatform *platform = nm_device_get_platform(self);
@ -17027,15 +17382,6 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
    if (ifindex > 0)
        nm_platform_ip4_dev_route_blacklist_set(nm_device_get_platform(self), ifindex, NULL);
    /* port: mark no longer attached */
    if (priv->controller && priv->ifindex > 0
        && nm_platform_link_get_controller(nm_device_get_platform(self), priv->ifindex) <= 0) {
        nm_device_controller_release_port(priv->controller,
                                          self,
                                          RELEASE_PORT_TYPE_NO_CONFIG,
                                          NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED);
    }
    lldp_setup(self, NM_TERNARY_FALSE);
    nm_device_update_metered(self);
@ -17534,7 +17880,8 @@ _set_state_full(NMDevice *self, NMDeviceState state, NMDeviceStateReason reason,
            gs_unref_object NMActRequest *queued_req = NULL;
            queued_req = g_steal_pointer(&priv->queued_act_request);
-            _device_activate(self, queued_req);
+            if (!_device_activate(self, queued_req))
                delete_on_deactivate_check_and_schedule(self);
        }
        break;
    case NM_DEVICE_STATE_ACTIVATED:
@ -18936,19 +19283,6 @@ nm_device_get_hostname_from_dns_lookup(NMDevice *self, int addr_family, gboolean
    return nm_assert_unreachable_val(NULL);
 }
 gboolean
 nm_device_get_refresh_forwarding_done(NMDevice *self)
 {
    return NM_DEVICE_GET_PRIVATE(self)->refresh_forwarding_done;
 }
 void
 nm_device_set_refresh_forwarding_done(NMDevice *self, gboolean is_refresh_forwarding_done)
 {
    NMDevicePrivate *priv         = NM_DEVICE_GET_PRIVATE(self);
    priv->refresh_forwarding_done = is_refresh_forwarding_done;
 }
 /*****************************************************************************/
 static const char *
--- a/src/core/devices/nm-device.h
+++ b/src/core/devices/nm-device.h
@ -581,7 +581,8 @@ void nm_device_copy_ip6_dns_config(NMDevice *self, NMDevice *from_device);
 /**
 * NMUnmanagedFlags:
 * @NM_UNMANAGED_NONE: placeholder value
- * @NM_UNMANAGED_SLEEPING: %TRUE when unmanaged because NM is sleeping.
+ * @NM_UNMANAGED_MANAGER_DISABLED: %TRUE when unmanaged because NM is disabled.
 *   Currently, this happens when sleeping or with networking disabled.
 * @NM_UNMANAGED_QUITTING: %TRUE when unmanaged because NM is shutting down.
 * @NM_UNMANAGED_PLATFORM_INIT: %TRUE when unmanaged because platform link not
 *   yet initialized. Unrealized device are also unmanaged for this reason.
@ -610,7 +611,7 @@ typedef enum {
    /* these flags are authoritative. If one of them is set,
     * the device cannot be managed. */
-    NM_UNMANAGED_SLEEPING      = (1LL << 0),
+    NM_UNMANAGED_MANAGER_DISABLED = (1LL << 0),
    NM_UNMANAGED_QUITTING         = (1LL << 1),
    NM_UNMANAGED_PLATFORM_INIT    = (1LL << 2),
    NM_UNMANAGED_USER_EXPLICIT    = (1LL << 3),
@ -852,14 +853,7 @@ void nm_routing_rules_sync(NMConnection *applied_connection,
                           NMDevice *self,
                           NMNetns  *netns);
-NMSettingIPConfigForwarding nm_device_get_ipv4_forwarding(NMDevice *self);
+NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
-
+                                                                NMConnection *connection);
 const char *nm_device_get_effective_ip_config_method(NMDevice *self, int addr_family);
 char *nm_device_sysctl_ip_conf_get(NMDevice *self, int addr_family, const char *property);
 gboolean nm_device_get_refresh_forwarding_done(NMDevice *self);
 void nm_device_set_refresh_forwarding_done(NMDevice *self, gboolean is_refresh_forwarding_done);
 #endif /* __NETWORKMANAGER_DEVICE_H__ */
--- a/src/core/devices/ovs/nm-ovsdb.c
+++ b/src/core/devices/ovs/nm-ovsdb.c
@ -1460,40 +1460,42 @@ _delete_interface(NMOvsdb *self, json_t *params, const char *ifname)
                json_array_append_new(new_interfaces, json_pack("[s,s]", "uuid", interface_uuid));
            }
-            if (num_nm_interfaces == 0) {
+            if (interfaces_changed && num_nm_interfaces == 0) {
-                /* The port no longer has any NM interface. Don't add it to "new_ports" and set
+                /* We are deleting the last nm-interface of this port. Don't add it to "new_ports"
-                 * ports_changed=TRUE, so that it will be deleted. */
+                 * and set ports_changed=TRUE, so that it will be deleted. */
                ports_changed = TRUE;
            } else {
-                if (interfaces_changed) {
+                /* Keep this port: it's still alive, or it's unrelated to the deleted interface */
                    /* An interface needs to be deleted from this port */
                    _expect_port_interfaces(params, ovs_port->name, interfaces);
                    _set_port_interfaces(params, ovs_port->name, new_interfaces);
                }
                /* The port is still alive */
                json_array_append_new(new_ports, json_pack("[s,s]", "uuid", port_uuid));
                if (ovs_port->connection_uuid)
                    num_nm_ports++;
                if (interfaces_changed) {
                    /* This port is still alive, but an interface needs to be deleted from it */
                    _expect_port_interfaces(params, ovs_port->name, interfaces);
                    _set_port_interfaces(params, ovs_port->name, new_interfaces);
                }
            }
        }
-        if (num_nm_ports == 0) {
+        if (ports_changed && num_nm_ports == 0) {
-            /* The bridge no longer has any NM port. Don't add it to "new_bridges" and set
+            /* We are deleting the last nm-port of this bridge. Don't add it to "new_bridges"
-             * bridges_changed=TRUE, so that it will be deleted. */
+             * and set bridges_changed=TRUE, so that it will be deleted. */
            bridges_changed = TRUE;
        } else {
            /* Keep this bridge: it's still alive, or it's unrelated to the deleted interface */
            json_array_append_new(new_bridges, json_pack("[s,s]", "uuid", ovs_bridge->bridge_uuid));
            if (ports_changed) {
-                /* A port needs to be deleted from this bridge */
+                /* This bridge is still alive, but a port needs to be deleted from it */
                _expect_bridge_ports(params, ovs_bridge->name, ports);
                _set_bridge_ports(params, ovs_bridge->name, new_ports);
            }
            /* The bridge is still alive */
            json_array_append_new(new_bridges, json_pack("[s,s]", "uuid", ovs_bridge->bridge_uuid));
        }
    }
    if (bridges_changed) {
-        /* A port needs to be deleted from this bridge */
+        /* A bridge needs to be deleted */
        _expect_ovs_bridges(params, priv->db_uuid, bridges);
        _set_ovs_bridges(params, priv->db_uuid, new_bridges);
    }
@ -1888,7 +1890,7 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
        == -1) {
        /* This doesn't really have to be an error; the key might
         * be missing if there really are no bridges present. */
-        _LOGD("Bad update: %s", json_error.text);
+        _LOGD("monitor: bad update: %s", json_error.text);
    }
    if (ovs) {
@ -1934,12 +1936,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;
-            _LOGT("obj[iface:%s]: removed an '%s' interface: %s%s%s",
+            _LOGT("monitor: %s: interface removed: type=%s, obj[iface:%s]%s%s",
                  key,
                  ovs_interface->type,
                  ovs_interface->name,
                  ovs_interface->type,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_interface->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self,
@ -1987,13 +1989,14 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT("obj[iface:%s]: changed an '%s' interface: %s%s%s, external-ids=%s, "
+                _LOGT(
                    "monitor: %s: interface changed: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
                    "other-config=%s",
                      key,
                      type,
                    ovs_interface->name,
                    type,
                    key,
                    NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                           ", ",
+                                         ", connection=",
                                         ovs_interface->connection_uuid,
                                         ""),
                    (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
@ -2013,13 +2016,13 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->interfaces, ovs_interface);
-            _LOGT(
+            _LOGT("monitor: %s: interface added: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
-                "obj[iface:%s]: added an '%s' interface: %s%s%s, external-ids=%s, other-config=%s",
+                  "other-config=%s",
                key,
                ovs_interface->type,
                  ovs_interface->name,
                  ovs_interface->type,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                     ", ",
+                                       ", connection=",
                                       ovs_interface->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
@ -2069,11 +2072,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
            if (!g_hash_table_steal_extended(priv->ports, &key, (gpointer *) &ovs_port, &unused))
                continue;
-            _LOGT("obj[port:%s]: removed a port: %s%s%s",
+            _LOGT("monitor: %s: port removed: obj[port:%s]%s%s",
                  key,
                  ovs_port->name,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_port->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_port->name, NM_DEVICE_TYPE_OVS_PORT, NULL);
@ -2120,11 +2123,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT("obj[port:%s]: changed a port: %s%s%s, external-ids=%s, other-config=%s",
+                _LOGT(
-                      key,
+                    "monitor: %s: port changed: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
                    ovs_port->name,
                    key,
                    NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                           ", ",
+                                         ", connection=",
                                         ovs_port->connection_uuid,
                                         ""),
                    (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2144,11 +2148,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->ports, ovs_port);
-            _LOGT("obj[port:%s]: added a port: %s%s%s, external-ids=%s, other-config=%s",
+            _LOGT("monitor: %s: port added: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
                  key,
                  ovs_port->name,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_port->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2190,11 +2194,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;
-            _LOGT("obj[bridge:%s]: removed a bridge: %s%s%s",
+            _LOGT("monitor: %s: bridge removed: obj[bridge:%s]%s%s",
                  key,
                  ovs_bridge->name,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_bridge->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_bridge->name, NM_DEVICE_TYPE_OVS_BRIDGE, NULL);
@ -2241,11 +2245,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT("obj[bridge:%s]: changed a bridge: %s%s%s, external-ids=%s, other-config=%s",
+                _LOGT("monitor: %s: bridge changed: obj[bridge:%s]%s%s, external-ids=%s, "
-                      key,
+                      "other-config=%s",
                      ovs_bridge->name,
                      key,
                      NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                           ", ",
+                                           ", connection=",
                                           ovs_bridge->connection_uuid,
                                           ""),
                      (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
@ -2265,11 +2270,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->bridges, ovs_bridge);
-            _LOGT("obj[bridge:%s]: added a bridge: %s%s%s, external-ids=%s, other-config=%s",
+            _LOGT("monitor: %s: bridge added: obj[bridge:%s]%s%s, external-ids=%s, other-config=%s",
                  key,
                  ovs_bridge->name,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_bridge->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
--- a/src/core/devices/wifi/nm-device-wifi.c
+++ b/src/core/devices/wifi/nm-device-wifi.c
@ -191,12 +191,19 @@ static void supplicant_iface_notify_p2p_available(NMSupplicantInterface *iface,
                                                  GParamSpec            *pspec,
                                                  NMDeviceWifi          *self);
 static void supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface,
                                                        NMDeviceWifi          *self);
 static void supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface,
                                                        NMDeviceWifi          *self);
 static void periodic_update(NMDeviceWifi *self);
 static void ap_add_remove(NMDeviceWifi *self,
                          gboolean      is_adding,
                          NMWifiAP     *ap,
-                          gboolean      recheck_available_connections);
+                          gboolean      recheck_available_connections,
                          gboolean      recheck_auto_activate);
 static void _hw_addr_set_scanning(NMDeviceWifi *self, gboolean do_reset);
@ -623,6 +630,14 @@ supplicant_interface_acquire_cb(NMSupplicantManager         *supplicant_manager,
                     "notify::" NM_SUPPLICANT_INTERFACE_P2P_AVAILABLE,
                     G_CALLBACK(supplicant_iface_notify_p2p_available),
                     self);
    g_signal_connect(priv->sup_iface,
                     NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
                     G_CALLBACK(supplicant_iface_notify_wpa_psk_mismatch_cb),
                     self);
    g_signal_connect(priv->sup_iface,
                     NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
                     G_CALLBACK(supplicant_iface_notify_wpa_sae_mismatch_cb),
                     self);
    _scan_notify_is_scanning(self);
@ -714,7 +729,10 @@ update_seen_bssids_cache(NMDeviceWifi *self, NMWifiAP *ap)
 }
 static void
-set_current_ap(NMDeviceWifi *self, NMWifiAP *new_ap, gboolean recheck_available_connections)
+set_current_ap(NMDeviceWifi *self,
               NMWifiAP     *new_ap,
               gboolean      recheck_available_connections,
               gboolean      recheck_auto_activate)
 {
    NMDeviceWifiPrivate *priv;
    NMWifiAP            *old_ap;
@ -741,7 +759,11 @@ set_current_ap(NMDeviceWifi *self, NMWifiAP *new_ap, gboolean recheck_available_
        /* Remove any AP from the internal list if it was created by NM or isn't known to the supplicant */
        if (NM_IN_SET(mode, _NM_802_11_MODE_ADHOC, _NM_802_11_MODE_AP)
            || nm_wifi_ap_get_fake(old_ap))
-            ap_add_remove(self, FALSE, old_ap, recheck_available_connections);
+            ap_add_remove(self,
                          FALSE,
                          old_ap,
                          recheck_available_connections,
                          recheck_auto_activate);
        g_object_unref(old_ap);
    }
@ -814,7 +836,8 @@ static void
 ap_add_remove(NMDeviceWifi *self,
              gboolean      is_adding, /* or else removing */
              NMWifiAP     *ap,
-              gboolean      recheck_available_connections)
+              gboolean      recheck_available_connections,
              gboolean      recheck_auto_activate)
 {
    NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);
@ -845,13 +868,14 @@ ap_add_remove(NMDeviceWifi *self,
        nm_dbus_object_clear_and_unexport(&ap);
    }
    if (recheck_auto_activate)
        nm_device_recheck_auto_activate_schedule(NM_DEVICE(self));
    if (recheck_available_connections)
        nm_device_recheck_available_connections(NM_DEVICE(self));
 }
 static void
-remove_all_aps(NMDeviceWifi *self)
+remove_all_aps(NMDeviceWifi *self, gboolean disposing)
 {
    NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);
    NMWifiAP            *ap;
@ -859,11 +883,12 @@ remove_all_aps(NMDeviceWifi *self)
    if (c_list_is_empty(&priv->aps_lst_head))
        return;
-    set_current_ap(self, NULL, FALSE);
+    set_current_ap(self, NULL, FALSE, !disposing);
    while ((ap = c_list_first_entry(&priv->aps_lst_head, NMWifiAP, aps_lst)))
-        ap_add_remove(self, FALSE, ap, FALSE);
+        ap_add_remove(self, FALSE, ap, FALSE, !disposing);
    if (!disposing)
        nm_device_recheck_available_connections(NM_DEVICE(self));
 }
@ -951,7 +976,7 @@ deactivate(NMDevice *device)
    priv->rate = 0;
-    set_current_ap(self, NULL, TRUE);
+    set_current_ap(self, NULL, TRUE, TRUE);
    if (!wake_on_wlan_restore(self))
        _LOGW(LOGD_DEVICE | LOGD_WIFI, "Cannot unconfigure WoWLAN.");
@ -2000,7 +2025,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
            if (nm_wifi_ap_set_fake(found_ap, TRUE))
                _ap_dump(self, LOGL_DEBUG, found_ap, "updated", 0);
        } else {
-            ap_add_remove(self, FALSE, found_ap, TRUE);
+            ap_add_remove(self, FALSE, found_ap, TRUE, TRUE);
            schedule_ap_list_dump(self);
        }
        return;
@ -2043,7 +2068,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
            }
        }
-        ap_add_remove(self, TRUE, ap, TRUE);
+        ap_add_remove(self, TRUE, ap, TRUE, TRUE);
    }
    /* Update the current AP if the supplicant notified a current BSS change
@ -2268,7 +2293,7 @@ link_timeout_cb(gpointer user_data)
    if (nm_device_get_state(device) != NM_DEVICE_STATE_ACTIVATED)
        return FALSE;
-    set_current_ap(self, NULL, TRUE);
+    set_current_ap(self, NULL, TRUE, TRUE);
    nm_device_state_changed(device,
                            NM_DEVICE_STATE_FAILED,
@ -2387,6 +2412,9 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,
    g_return_val_if_fail(new_state == NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED, FALSE);
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return FALSE;
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_val_if_fail(req != NULL, FALSE);
@ -2684,7 +2712,7 @@ supplicant_iface_notify_current_bss(NMSupplicantInterface *iface,
            }
        }
-        set_current_ap(self, new_ap, TRUE);
+        set_current_ap(self, new_ap, TRUE, TRUE);
        req = nm_device_get_act_request(NM_DEVICE(self));
        if (req) {
@ -2830,6 +2858,62 @@ handle_auth_or_fail(NMDeviceWifi *self, NMActRequest *req, gboolean new_secrets)
    return TRUE;
 }
 static void
 supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
 {
    NMDevice     *device = NM_DEVICE(self);
    NMActRequest *req;
    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return;
    _LOGI(LOGD_DEVICE | LOGD_WIFI,
          "Activation: (wifi) psk mismatch reported by supplicant, asking for new key");
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_if_fail(req != NULL);
    nm_act_request_clear_secrets(req);
    cleanup_association_attempt(self, TRUE);
    nm_device_state_changed(device,
                            NM_DEVICE_STATE_NEED_AUTH,
                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
    wifi_secrets_get_secrets(self,
                             setting_name,
                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
 }
 static void
 supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
 {
    NMDevice     *device = NM_DEVICE(self);
    NMActRequest *req;
    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return;
    _LOGI(LOGD_DEVICE | LOGD_WIFI,
          "Activation: (wifi) SAE password mismatch reported by supplicant, asking for new key");
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_if_fail(req != NULL);
    nm_act_request_clear_secrets(req);
    cleanup_association_attempt(self, TRUE);
    nm_device_state_changed(device,
                            NM_DEVICE_STATE_NEED_AUTH,
                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
    wifi_secrets_get_secrets(self,
                             setting_name,
                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
 }
 /*
 * supplicant_connection_timeout_cb
 *
@ -2935,7 +3019,8 @@ build_supplicant_config(NMDeviceWifi         *self,
    s_wireless = nm_connection_get_setting_wireless(connection);
    g_return_val_if_fail(s_wireless != NULL, NULL);
-    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface));
+    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface),
                                      nm_utils_get_connection_first_permissions_user(connection));
    /* Warn if AP mode may not be supported */
    if (nm_streq0(nm_setting_wireless_get_mode(s_wireless), NM_SETTING_WIRELESS_MODE_AP)
@ -3011,6 +3096,7 @@ build_supplicant_config(NMDeviceWifi         *self,
                mtu,
                pmf,
                fils,
                nm_device_get_private_files(NM_DEVICE(self)),
                error)) {
            g_prefix_error(error, "802-11-wireless-security: ");
            goto error;
@ -3118,7 +3204,7 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
        priv->mode = _NM_802_11_MODE_AP;
        /* Scanning not done in AP mode; clear the scan list */
-        remove_all_aps(self);
+        remove_all_aps(self, FALSE);
    } else if (g_strcmp0(mode, NM_SETTING_WIRELESS_MODE_MESH) == 0)
        priv->mode = _NM_802_11_MODE_MESH;
    _notify(self, PROP_MODE);
@ -3155,14 +3241,14 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
            nm_wifi_ap_set_address(ap_fake, nm_device_get_hw_address(device));
        g_object_freeze_notify(G_OBJECT(self));
-        ap_add_remove(self, TRUE, ap_fake, TRUE);
+        ap_add_remove(self, TRUE, ap_fake, TRUE, TRUE);
        g_object_thaw_notify(G_OBJECT(self));
        ap = ap_fake;
    }
    _scan_notify_allowed(self, NM_TERNARY_DEFAULT);
-    set_current_ap(self, ap, FALSE);
+    set_current_ap(self, ap, FALSE, TRUE);
    nm_active_connection_set_specific_object(NM_ACTIVE_CONNECTION(req),
                                             nm_dbus_object_get_path(NM_DBUS_OBJECT(ap)));
    return NM_ACT_STAGE_RETURN_SUCCESS;
@ -3528,7 +3614,7 @@ device_state_changed(NMDevice           *device,
        cleanup_association_attempt(self, TRUE);
        cleanup_supplicant_failures(self);
-        remove_all_aps(self);
+        remove_all_aps(self, FALSE);
    }
    switch (new_state) {
@ -3566,7 +3652,7 @@ device_state_changed(NMDevice           *device,
    }
    if (clear_aps)
-        remove_all_aps(self);
+        remove_all_aps(self, FALSE);
    _scan_notify_allowed(self, NM_TERNARY_DEFAULT);
 }
@ -3808,7 +3894,7 @@ dispose(GObject *object)
    g_clear_object(&priv->sup_mgr);
-    remove_all_aps(self);
+    remove_all_aps(self, TRUE);
    if (priv->p2p_device) {
        /* Destroy the P2P device. */
--- a/src/core/devices/wifi/nm-iwd-manager.c
+++ b/src/core/devices/wifi/nm-iwd-manager.c
@ -684,7 +684,7 @@ iwd_config_write(GKeyFile              *config,
     * in the last few filename characters -- it cannot end in .open, .psk
     * or .8021x.
     */
-    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, error);
+    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, NULL, error);
 }
 static const char *
--- a/src/core/devices/wwan/nm-modem-broadband.c
+++ b/src/core/devices/wwan/nm-modem-broadband.c
@ -510,6 +510,7 @@ try_create_connect_properties(NMModemBroadband *self)
 {
    NMModemBroadbandPrivate *priv        = NM_MODEM_BROADBAND_GET_PRIVATE(self);
    ConnectContext          *ctx         = priv->ctx;
    NMDeviceStateReason      fail_reason = NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED;
    if (MODEM_CAPS_3GPP(ctx->caps)) {
        NMSettingGsm *s_gsm = nm_connection_get_setting_gsm(ctx->connection);
@ -522,7 +523,7 @@ try_create_connect_properties(NMModemBroadband *self)
            if (s_gsm)
                network_id = nm_setting_gsm_get_network_id(s_gsm);
            if (!network_id) {
-                if (mm_modem_get_state(self->_priv.modem_iface) < MM_MODEM_STATE_REGISTERED)
+                if (mm_modem_get_state(self->_priv.modem_iface) != MM_MODEM_STATE_REGISTERED)
                    return FALSE;
                modem_3gpp = mm_object_get_modem_3gpp(priv->modem_object);
                network_id = mm_modem_3gpp_get_operator_code(modem_3gpp);
@ -530,6 +531,7 @@ try_create_connect_properties(NMModemBroadband *self)
            if (!network_id) {
                _LOGW("failed to connect '%s': unable to determine the network id",
                      nm_connection_get_id(ctx->connection));
                fail_reason = NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE;
                goto out;
            }
@ -558,7 +560,7 @@ try_create_connect_properties(NMModemBroadband *self)
    }
 out:
-    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED);
+    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, fail_reason);
    connect_context_clear(self);
    return TRUE;
 }
@ -1649,6 +1651,8 @@ nm_modem_broadband_new(GObject *object, GError **error)
                        driver,
                        NM_MODEM_OPERATOR_CODE,
                        operator_code,
                        NM_MODEM_DEVICE_UID,
                        mm_modem_get_device(modem_iface),
                        NULL);
 }
--- a/src/core/devices/wwan/nm-modem.c
+++ b/src/core/devices/wwan/nm-modem.c
@ -39,7 +39,8 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMModem,
                             PROP_IP_TYPES,
                             PROP_SIM_OPERATOR_ID,
                             PROP_OPERATOR_CODE,
-                             PROP_APN, );
+                             PROP_APN,
                             PROP_DEVICE_UID, );
 enum {
    PPP_STATS,
@ -78,6 +79,7 @@ typedef struct _NMModemPrivate {
    char           *sim_operator_id;
    char           *operator_code;
    char           *apn;
    char           *device_uid;
    NMPPPManager *ppp_manager;
    NMPppMgr     *ppp_mgr;
@ -618,6 +620,12 @@ nm_modem_get_apn(NMModem *self)
    return NM_MODEM_GET_PRIVATE(self)->apn;
 }
 const char *
 nm_modem_get_device_uid(NMModem *self)
 {
    return NM_MODEM_GET_PRIVATE(self)->device_uid;
 }
 /*****************************************************************************/
 static void
@ -1121,6 +1129,22 @@ nm_modem_check_connection_compatible(NMModem *self, NMConnection *connection, GE
            }
        }
        str = nm_setting_gsm_get_device_uid(s_gsm);
        if (str) {
            if (!priv->device_uid) {
                nm_utils_error_set_literal(error,
                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                           "GSM profile has device-uid, device does not");
                return FALSE;
            }
            if (!nm_streq(str, priv->device_uid)) {
                nm_utils_error_set_literal(error,
                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                           "device has differing device-uid than GSM profile");
                return FALSE;
            }
        }
        /* SIM properties may not be available before the SIM is unlocked, so
         * to ensure that autoconnect works, the connection's SIM properties
         * are only compared if present on the device.
@ -1644,6 +1668,9 @@ get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
    case PROP_APN:
        g_value_set_string(value, priv->apn);
        break;
    case PROP_DEVICE_UID:
        g_value_set_string(value, priv->device_uid);
        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
@ -1699,6 +1726,10 @@ set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *ps
        /* construct-only */
        priv->operator_code = g_value_dup_string(value);
        break;
    case PROP_DEVICE_UID:
        /* construct-only */
        priv->device_uid = g_value_dup_string(value);
        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
@ -1758,6 +1789,7 @@ finalize(GObject *object)
    g_free(priv->sim_operator_id);
    g_free(priv->operator_code);
    g_free(priv->apn);
    g_free(priv->device_uid);
    G_OBJECT_CLASS(nm_modem_parent_class)->finalize(object);
 }
@ -1863,6 +1895,13 @@ nm_modem_class_init(NMModemClass *klass)
    obj_properties[PROP_APN] =
        g_param_spec_string(NM_MODEM_APN, "", "", NULL, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_DEVICE_UID] =
        g_param_spec_string(NM_MODEM_DEVICE_UID,
                            "",
                            "",
                            NULL,
                            G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS);
    g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
    signals[PPP_STATS] = g_signal_new(NM_MODEM_PPP_STATS,
--- a/src/core/devices/wwan/nm-modem.h
+++ b/src/core/devices/wwan/nm-modem.h
@ -30,6 +30,7 @@
 #define NM_MODEM_SIM_OPERATOR_ID "sim-operator-id"
 #define NM_MODEM_OPERATOR_CODE   "operator-code"
 #define NM_MODEM_APN             "apn"
 #define NM_MODEM_DEVICE_UID      "device-uid"
 /* Signals */
 #define NM_MODEM_PPP_STATS      "ppp-stats"
@ -154,6 +155,7 @@ const char *nm_modem_get_sim_id(NMModem *modem);
 const char *nm_modem_get_sim_operator_id(NMModem *modem);
 const char *nm_modem_get_operator_code(NMModem *modem);
 const char *nm_modem_get_apn(NMModem *modem);
 const char *nm_modem_get_device_uid(NMModem *modem);
 gboolean nm_modem_set_data_port(NMModem        *self,
                                NMPlatform     *platform,
--- a/src/core/dhcp/nm-dhcp-utils.c
+++ b/src/core/dhcp/nm-dhcp-utils.c
@ -32,11 +32,11 @@ ip4_process_dhcpcd_rfc3442_routes(const char     *iface,
                                  in_addr_t       address,
                                  guint32        *out_gwaddr)
 {
-    gs_free const char **routes = NULL;
+    gs_free char **routes = NULL;
-    const char         **r;
+    char         **r;
    gboolean       have_routes = FALSE;
-    routes = nm_strsplit_set(str, " ");
+    routes = (char **) nm_strsplit_set(str, " ");
    if (!routes)
        return FALSE;
--- a/src/core/dns/nm-dns-dnsconfd.c
+++ b/src/core/dns/nm-dns-dnsconfd.c
@ -374,7 +374,7 @@ server_builder_append_base(GVariantBuilder   *argument_builder,
    NMDnsServer dns_server;
    gsize       addr_size;
-    if (!nm_dns_uri_parse(address_family, address_string, &dns_server))
+    if (!nm_dns_uri_parse(address_family, address_string, &dns_server, NULL))
        return FALSE;
    addr_size = nm_utils_addr_family_to_size(dns_server.addr_family);
--- a/src/core/dns/nm-dns-dnsmasq.c
+++ b/src/core/dns/nm-dns-dnsmasq.c
@ -521,9 +521,10 @@ _gl_pid_spawn_next_step(void)
    argv[argv_idx++] = "--no-resolv"; /* Use only commandline */
    argv[argv_idx++] = "--keep-in-foreground";
    argv[argv_idx++] = "--no-hosts"; /* don't use /etc/hosts to resolve */
-    argv[argv_idx++] = "--bind-interfaces";
+    argv[argv_idx++] = "--bind-dynamic";
    argv[argv_idx++] = "--pid-file=" PIDFILE;
-    argv[argv_idx++] = "--listen-address=127.0.0.1"; /* Should work for both 4 and 6 */
+    argv[argv_idx++] = "--listen-address=127.0.0.1";
    argv[argv_idx++] = "--listen-address=::1";
    argv[argv_idx++] = "--cache-size=400";
    argv[argv_idx++] = "--clear-on-reload";     /* clear cache when dns server changes */
    argv[argv_idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@ -26,6 +26,7 @@
 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-glib-aux/nm-str-buf.h"
 #include "libnm-glib-aux/nm-io-utils.h"
 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
@ -586,7 +587,11 @@ add_dns_domains(GPtrArray            *array,
 }
 static void
-merge_one_l3cd(NMResolvConfData *rc, int addr_family, int ifindex, const NML3ConfigData *l3cd)
+merge_one_l3cd(NMResolvConfData     *rc,
               int                   addr_family,
               int                   ifindex,
               const NML3ConfigData *l3cd,
               gboolean              ignore_searches_and_options)
 {
    char               buf[NM_INET_ADDRSTRLEN + 50];
    gboolean           has_trust_ad;
@ -624,6 +629,7 @@ merge_one_l3cd(NMResolvConfData *rc, int addr_family, int ifindex, const NML3Con
        add_string_item(rc->nameservers, buf, TRUE);
    }
    if (!ignore_searches_and_options) {
        add_dns_domains(rc->searches, addr_family, l3cd, FALSE, TRUE);
        has_trust_ad = FALSE;
@ -648,6 +654,7 @@ merge_one_l3cd(NMResolvConfData *rc, int addr_family, int ifindex, const NML3Con
                rc->has_trust_ad = NM_TERNARY_TRUE;
        } else
            rc->has_trust_ad = NM_TERNARY_FALSE;
    }
    if (addr_family == AF_INET) {
        const in_addr_t *nis_servers;
@ -1001,6 +1008,7 @@ _read_link_cached(const char *path, gboolean *is_cached, char **cached)
 #define RESOLV_CONF_TMP    "/etc/.resolv.conf.NetworkManager"
 #define NO_STUB_RESOLV_CONF     NMRUNDIR "/no-stub-resolv.conf"
 #define NO_STUB_RESOLV_CONF_TMP NMRUNDIR "/no-stub-resolv.conf.tmp"
 static void
 update_resolv_conf_no_stub(NMDnsManager      *self,
@ -1013,7 +1021,14 @@ update_resolv_conf_no_stub(NMDnsManager      *self,
    content = create_resolv_conf(searches, nameservers, options);
-    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
+    if (!nm_utils_file_set_contents(NO_STUB_RESOLV_CONF,
                                    content,
                                    -1,
                                    0644,
                                    NULL,
                                    NO_STUB_RESOLV_CONF_TMP,
                                    NULL,
                                    &local)) {
        _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
        g_error_free(local);
        return;
@ -1231,12 +1246,15 @@ compute_hash(NMDnsManager *self, const NMGlobalDnsConfig *global, guint8 buffer[
 {
    nm_auto_free_checksum GChecksum *sum = NULL;
    NMDnsConfigIPData               *ip_data;
    gboolean                         has_global_dns_section = FALSE;
    sum = g_checksum_new(G_CHECKSUM_SHA1);
    nm_assert(HASH_LEN == g_checksum_type_get_length(G_CHECKSUM_SHA1));
-    if (global)
+    if (global) {
        nm_global_dns_config_update_checksum(global, sum);
        has_global_dns_section = nm_global_dns_has_global_dns_section(global);
    }
    if (!global || !nm_global_dns_config_lookup_domain(global, "*")) {
        const CList *head;
@ -1248,7 +1266,8 @@ compute_hash(NMDnsManager *self, const NMGlobalDnsConfig *global, guint8 buffer[
            nm_l3_config_data_hash_dns(ip_data->l3cd,
                                       sum,
                                       ip_data->addr_family,
-                                       ip_data->ip_config_type);
+                                       ip_data->ip_config_type,
                                       has_global_dns_section);
        }
    }
@ -1264,6 +1283,9 @@ merge_global_dns_config(NMResolvConfData *rc, NMGlobalDnsConfig *global_conf)
    const char *const *servers;
    guint              i;
    /* Global config must be processed before connections' config */
    nm_assert(rc->nameservers->len == 0);
    if (!global_conf)
        return FALSE;
@ -1351,12 +1373,17 @@ _collect_resolv_conf_data(NMDnsManager      *self,
            .nis_servers  = g_ptr_array_new(),
            .has_trust_ad = NM_TERNARY_DEFAULT,
    };
    gboolean has_global_dns_section = FALSE;
    priv = NM_DNS_MANAGER_GET_PRIVATE(self);
-    if (global_config)
+    if (global_config) {
        merge_global_dns_config(&rc, global_config);
        has_global_dns_section = nm_global_dns_has_global_dns_section(global_config);
    }
    /* If global nameservers are defined, no DNS configs are used from connections at all,
     * including searches and options. */
    if (!global_config || !nm_global_dns_config_lookup_domain(global_config, "*")) {
        nm_auto_str_buf NMStrBuf tmp_strbuf = NM_STR_BUF_INIT(0, FALSE);
        int                      first_prio = 0;
@ -1390,8 +1417,16 @@ _collect_resolv_conf_data(NMDnsManager      *self,
                  skip ? "<SKIP>" : "",
                  get_nameserver_list(ip_data->addr_family, ip_data->l3cd, &tmp_strbuf));
-            if (!skip)
+            if (!skip) {
-                merge_one_l3cd(&rc, ip_data->addr_family, ip_data->data->ifindex, ip_data->l3cd);
+                /* Merge the configs from connections. However, if there was a [global-dns]
                 * it overwrites searches and options from the connections, thus we only
                 * merge the nameservers. */
                merge_one_l3cd(&rc,
                               ip_data->addr_family,
                               ip_data->data->ifindex,
                               ip_data->l3cd,
                               has_global_dns_section);
            }
        }
    }
@ -1475,7 +1510,7 @@ _domain_track_is_shadowed(GHashTable  *ht,
                          const char **out_parent,
                          int         *out_parent_priority)
 {
-    char *parent;
+    const char *parent;
    int         parent_priority;
    if (!ht)
--- a/src/core/dns/nm-dns-systemd-resolved.c
+++ b/src/core/dns/nm-dns-systemd-resolved.c
@ -37,6 +37,7 @@
 static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
 static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS  = "SetLinkDNSOverTLS";
 static const char *const DBUS_OP_SET_LINK_DNS_EX        = "SetLinkDNSEx";
 static const char *const DBUS_OP_SET_LINK_DNSSEC        = "SetLinkDNSSEC";
 /*****************************************************************************/
@ -398,7 +399,7 @@ update_add_ip_config(NMDnsSystemdResolved    *self,
    for (i = 0; i < n; i++) {
        NMDnsServer dns_server;
-        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server))
+        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server, NULL))
            continue;
        if (!NM_IN_SET(dns_server.scheme,
@ -484,9 +485,11 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    NMSettingConnectionMdns       mdns              = NM_SETTING_CONNECTION_MDNS_DEFAULT;
    NMSettingConnectionLlmnr      llmnr             = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
    NMSettingConnectionDnsOverTls dns_over_tls      = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
    NMSettingConnectionDnssec     dnssec            = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
    const char                   *mdns_arg          = NULL;
    const char                   *llmnr_arg         = NULL;
    const char                   *dns_over_tls_arg  = NULL;
    const char                   *dnssec_arg        = NULL;
    gboolean                      has_config        = FALSE;
    gboolean                      has_default_route = FALSE;
    guint                         i;
@ -517,6 +520,7 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
                dns_over_tls =
                    NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
                dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
            }
        }
    }
@ -589,8 +593,24 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    }
    nm_assert(dns_over_tls_arg);
    switch (dnssec) {
    case NM_SETTING_CONNECTION_DNSSEC_NO:
        dnssec_arg = "no";
        break;
    case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
        dnssec_arg = "allow-downgrade";
        break;
    case NM_SETTING_CONNECTION_DNSSEC_YES:
        dnssec_arg = "yes";
        break;
    case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
        dnssec_arg = "";
        break;
    }
    nm_assert(dnssec_arg);
    if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
-        || !nm_str_is_empty(dns_over_tls_arg))
+        || !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
        has_config = TRUE;
    _request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@ -618,6 +638,10 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                         DBUS_OP_SET_LINK_DNS_OVER_TLS,
                         ic->ifindex,
                         g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
    _request_item_append(self,
                         DBUS_OP_SET_LINK_DNSSEC,
                         ic->ifindex,
                         g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));
    return has_config;
 }
--- a/src/core/main-utils.c
+++ b/src/core/main-utils.c
@ -81,7 +81,7 @@ nm_main_utils_write_pidfile(const char *pidfile)
    char                  pid[16];
    nm_sprintf_buf(pid, "%lld", (long long) getpid());
-    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, &error)) {
+    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, NULL, &error)) {
        fprintf(stderr, _("Writing to %s failed: %s\n"), pidfile, error->message);
        return FALSE;
    }
--- a/src/core/main.c
+++ b/src/core/main.c
@ -339,7 +339,7 @@ main(int argc, char *argv[])
        char *path, *slash;
        int   g;
-        /* exe is <basedir>/src/.libs/lt-NetworkManager, so chop off
+        /* exe is <builddir>/src/core/NetworkManager, so chop off
         * the last three components */
        path = realpath("/proc/self/exe", NULL);
        g_assert(path != NULL);
--- a/src/core/ndisc/nm-lndp-ndisc.c
+++ b/src/core/ndisc/nm-lndp-ndisc.c
@ -19,6 +19,7 @@
 #include "libnm-systemd-shared/nm-sd-utils-shared.h"
 #include "nm-l3cfg.h"
 #include "nm-ndisc-private.h"
 #include "nm-core-utils.h"
 #define _NMLOG_PREFIX_NAME "ndisc-lndp"
@ -27,6 +28,14 @@
 typedef struct {
    struct ndp *ndp;
    GSource    *event_source;
    struct {
        NMRateLimit pio_lft;
        NMRateLimit mtu;
        NMRateLimit omit_prefix;
        NMRateLimit omit_dns;
        NMRateLimit omit_dnssl;
    } msg_ratelimit;
 } NMLndpNDiscPrivate;
 /*****************************************************************************/
@ -49,6 +58,36 @@ G_DEFINE_TYPE(NMLndpNDisc, nm_lndp_ndisc, NM_TYPE_NDISC)
 /*****************************************************************************/
 /*
 * If we log a message about an invalid RA packet, don't repeat the same message
 * at every packet received or sent. Rate limit the message to 6 every 12 hours
 * per type and per ndisc instance.
 */
 #define LOG_INV_RA_WINDOW (12 * 3600)
 #define LOG_INV_RA_BURST  6
 #define _LOG_INVALID_RA(ndisc, rate_limit, ...)                                  \
    G_STMT_START                                                                 \
    {                                                                            \
        NMNDisc     *__ndisc  = (ndisc);                                         \
        NMRateLimit *__rl     = (rate_limit);                                    \
        const char  *__ifname = nm_ndisc_get_ifname(__ndisc);                    \
                                                                                 \
        if (__ifname && nm_logging_enabled(LOGL_WARN, LOGD_IP6)                  \
            && nm_rate_limit_check(__rl, LOG_INV_RA_WINDOW, LOG_INV_RA_BURST)) { \
            nm_log(LOGL_WARN,                                                    \
                   LOGD_IP6,                                                     \
                   __ifname,                                                     \
                   NULL,                                                         \
                   "ndisc (%s): " _NM_UTILS_MACRO_FIRST(__VA_ARGS__),            \
                   __ifname _NM_UTILS_MACRO_REST(__VA_ARGS__));                  \
        }                                                                        \
    }                                                                            \
    G_STMT_END
 /*****************************************************************************/
 static gboolean
 send_rs(NMNDisc *ndisc, GError **error)
 {
@ -113,6 +152,7 @@ static int
 receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
 {
    NMNDisc             *ndisc   = (NMNDisc *) user_data;
    NMLndpNDiscPrivate  *priv    = NM_LNDP_NDISC_GET_PRIVATE(ndisc);
    NMNDiscDataInternal *rdata   = ndisc->rdata;
    NMNDiscConfigMap     changed = 0;
    NMNDiscGateway       gateway;
@ -229,7 +269,11 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
             * log a system management error in this case.
             */
            if (preferred_time > valid_time) {
-                _LOGW("skipping PIO - preferred lifetime > valid lifetime");
+                _LOG_INVALID_RA(
                    ndisc,
                    &priv->msg_ratelimit.pio_lft,
                    "ignoring Prefix Information Option with invalid lifetimes in received IPv6 "
                    "router advertisement");
                continue;
            }
@ -349,7 +393,11 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
             * Kernel would set it, but would flush out all IPv6 addresses away
             * from the link, even the link-local, and we wouldn't be able to
             * listen for further RAs that could fix the MTU. */
-            _LOGW("MTU too small for IPv6 ignored: %d", mtu);
+            _LOG_INVALID_RA(ndisc,
                            &priv->msg_ratelimit.mtu,
                            "ignoring too small MTU %u in received IPv6 "
                            "router advertisement",
                            mtu);
        }
    }
@ -445,8 +493,11 @@ send_ra(NMNDisc *ndisc, GError **error)
        prefix = _ndp_msg_add_option(msg, sizeof(*prefix));
        if (!prefix) {
-            /* Maybe we could sent separate RAs, but why bother... */
+            /* Maybe we could send separate RAs, but why bother... */
-            _LOGW("The RA is too big, had to omit some some prefixes.");
+            _LOG_INVALID_RA(
                ndisc,
                &priv->msg_ratelimit.omit_prefix,
                "the outgoing IPv6 router advertisement is too big: omitting some prefixes");
            break;
        }
@ -475,7 +526,10 @@ send_ra(NMNDisc *ndisc, GError **error)
        option = _ndp_msg_add_option(msg, len);
        if (!option) {
-            _LOGW("The RA is too big, had to omit DNS information.");
+            _LOG_INVALID_RA(
                ndisc,
                &priv->msg_ratelimit.omit_dns,
                "the outgoing IPv6 router advertisement is too big: omitting DNS information");
            goto dns_servers_done;
        }
@ -553,7 +607,10 @@ dns_servers_done:
        nm_assert(len / 8u >= 2u);
        if (len / 8u >= 256u || !(option = _ndp_msg_add_option(msg, len))) {
-            _LOGW("The RA is too big, had to omit DNS search list.");
+            _LOG_INVALID_RA(
                ndisc,
                &priv->msg_ratelimit.omit_dnssl,
                "the outgoing IPv6 router advertisement is too big: omitting DNS search list");
            goto dns_domains_done;
        }
--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@ -160,7 +160,7 @@ parse_connection_from_shadowed_file(const char *path, GError **error)
 {
    nm_auto_unref_keyfile GKeyFile *keyfile  = NULL;
    gs_free char                   *base_dir = NULL;
-    char                           *sep;
+    const char                     *sep;
    keyfile = g_key_file_new();
    if (!g_key_file_load_from_file(keyfile, path, G_KEY_FILE_NONE, error))
--- a/src/core/nm-config-data.c
+++ b/src/core/nm-config-data.c
@ -50,9 +50,9 @@ struct _NMGlobalDnsConfig {
    char           **options;
    GHashTable      *domains;
    const char     **domain_list;
    gboolean         internal;
    char            *cert_authority;
    NMDnsResolveMode resolve_mode;
    gboolean         internal;
 };
 /*****************************************************************************/
@ -941,6 +941,14 @@ next:
 /*****************************************************************************/
 gboolean
 nm_global_dns_has_global_dns_section(const NMGlobalDnsConfig *dns_config)
 {
    g_return_val_if_fail(dns_config, FALSE);
    return dns_config->searches != NULL || dns_config->options != NULL;
 }
 const char *const *
 nm_global_dns_config_get_searches(const NMGlobalDnsConfig *dns_config)
 {
@ -1236,6 +1244,7 @@ load_global_dns(GKeyFile *keyfile, gboolean internal)
    gs_free char      *cert_authority = NULL;
    gs_free char      *resolve_mode   = NULL;
    NMDnsResolveMode   parsed_resolve_mode;
    gboolean           has_global_dns_section;
    if (internal) {
        group         = NM_CONFIG_KEYFILE_GROUP_INTERN_GLOBAL_DNS;
@ -1386,6 +1395,22 @@ load_global_dns(GKeyFile *keyfile, gboolean internal)
        return NULL;
    }
    /* Defining [global-dns-domain-*] implies defining [global-dns] too (maybe empty) */
    if (default_found)
        has_global_dns_section = TRUE;
    else
        has_global_dns_section = g_key_file_has_group(keyfile, group);
    /* If there exist a [global-dns] section, always initialize "searches" and "options" so
     * they appear in D-Bus. Clients can use this to know if it's defined, so they can know
     * if DNS configs from connections are relevant or not. */
    if (has_global_dns_section) {
        if (!dns_config->searches)
            dns_config->searches = nm_strv_empty_new();
        if (!dns_config->options)
            dns_config->options = nm_strv_empty_new();
    }
    dns_config->internal = internal;
    global_dns_config_seal_domains(dns_config);
    return dns_config;
@ -1606,17 +1631,6 @@ nm_global_dns_config_from_dbus(const GValue *value, GError **error)
        g_variant_unref(val);
    }
    /* An empty value is valid and clears the internal configuration */
    if (!nm_global_dns_config_is_empty(dns_config)
        && !nm_global_dns_config_lookup_domain(dns_config, "*")) {
        g_set_error_literal(error,
                            NM_MANAGER_ERROR,
                            NM_MANAGER_ERROR_FAILED,
                            "Global DNS configuration is missing the default domain");
        nm_global_dns_config_free(dns_config);
        return NULL;
    }
    global_dns_config_seal_domains(dns_config);
    return dns_config;
 }
--- a/src/core/nm-config-data.h
+++ b/src/core/nm-config-data.h
@ -274,6 +274,7 @@ gboolean nm_config_data_is_intern_atomic_group(const NMConfigData *self, const c
 GKeyFile *nm_config_data_clone_keyfile_intern(const NMConfigData *self);
 gboolean           nm_global_dns_has_global_dns_section(const NMGlobalDnsConfig *dns_config);
 const char *const *nm_global_dns_config_get_searches(const NMGlobalDnsConfig *dns_config);
 const char *const *nm_global_dns_config_get_options(const NMGlobalDnsConfig *dns_config);
 const char *nm_global_dns_config_get_certification_authority(const NMGlobalDnsConfig *dns_config);
--- a/src/core/nm-config.c
+++ b/src/core/nm-config.c
@ -18,6 +18,7 @@
 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-core-intern/nm-keyfile-internal.h"
 #include "libnm-core-intern/nm-keyfile-utils.h"
 #include "libnm-glib-aux/nm-keyfile-aux.h"
 #define DEFAULT_CONFIG_MAIN_FILE     NMCONFDIR "/NetworkManager.conf"
 #define DEFAULT_CONFIG_DIR           NMCONFDIR "/conf.d"
@ -891,6 +892,7 @@ static const ConfigGroup config_groups[] = {
        .is_prefix = TRUE,
        .keys      = NM_MAKE_STRV(NM_CONFIG_KEYFILE_KEY_DEVICE_CARRIER_WAIT_TIMEOUT,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_IGNORE_CARRIER,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_MANAGED,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_SRIOV_NUM_VFS,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_KEEP_CONFIGURATION,
@ -1046,6 +1048,10 @@ read_config(GKeyFile   *keyfile,
            /* internal groups cannot be set by user configuration. */
            continue;
        }
        if (!g_key_file_has_group(keyfile, group))
            nm_key_file_add_group(keyfile, group);
        keys = g_key_file_get_keys(kf, group, &nkeys, NULL);
        if (!keys)
            continue;
@ -1639,6 +1645,12 @@ intern_config_read(const char        *filename,
                                 "");
        }
        if (!g_key_file_has_group(keyfile_intern, group)) {
            nm_key_file_add_group(keyfile_intern, group);
            if (is_intern)
                has_intern = TRUE;
        }
        for (k = 0; keys[k]; k++) {
            gs_free char *value_set = NULL;
            const char   *key       = keys[k];
@ -1823,6 +1835,9 @@ intern_config_write(const char        *filename,
            }
        }
        if (!g_key_file_has_group(keyfile, group))
            nm_key_file_add_group(keyfile, group);
        for (k = 0; keys[k]; k++) {
            const char   *key       = keys[k];
            gs_free char *value_set = NULL;
--- a/src/core/nm-connectivity.c
+++ b/src/core/nm-connectivity.c
@ -77,6 +77,8 @@ struct _NMConnectivityCheckHandle {
        ConConfig *con_config;
        GCancellable      *resolve_cancellable;
        int                resolve_ifindex;
        GDBusConnection   *dbus_connection;
        CURLM             *curl_mhandle;
        CURL              *curl_ehandle;
        struct curl_slist *request_headers;
@ -953,6 +955,113 @@ systemd_resolved_resolve_cb(GObject *object, GAsyncResult *res, gpointer user_da
    do_curl_request(cb_data, nm_str_buf_get_str(&strbuf_hosts));
 }
 static void
 systemd_resolved_resolve(NMConnectivityCheckHandle *cb_data)
 {
    _LOG2D("start request to '%s' (try resolving '%s' using systemd-resolved with ifindex %d)",
           cb_data->concheck.con_config->uri,
           cb_data->concheck.con_config->host,
           cb_data->concheck.resolve_ifindex);
    g_dbus_connection_call(cb_data->concheck.dbus_connection,
                           "org.freedesktop.resolve1",
                           "/org/freedesktop/resolve1",
                           "org.freedesktop.resolve1.Manager",
                           "ResolveHostname",
                           g_variant_new("(isit)",
                                         (gint32) cb_data->concheck.resolve_ifindex,
                                         cb_data->concheck.con_config->host,
                                         (gint32) cb_data->addr_family,
                                         SD_RESOLVED_DNS),
                           G_VARIANT_TYPE("(a(iiay)st)"),
                           G_DBUS_CALL_FLAGS_NONE,
                           -1,
                           cb_data->concheck.resolve_cancellable,
                           systemd_resolved_resolve_cb,
                           cb_data);
 }
 static void
 systemd_resolved_link_scopes_cb(GObject *object, GAsyncResult *res, gpointer user_data)
 {
    NMConnectivityCheckHandle *cb_data;
    gs_unref_variant GVariant *result     = NULL;
    gs_unref_variant GVariant *value      = NULL;
    gs_free_error GError      *error      = NULL;
    guint64                    scope_mask = 0;
    result = g_dbus_connection_call_finish(G_DBUS_CONNECTION(object), res, &error);
    if (nm_utils_error_is_cancelled(error))
        return;
    cb_data = user_data;
    if (!result) {
        _LOG2D("unable to obtain systemd-resolved link ScopesMask for interface %d: %s",
               cb_data->concheck.resolve_ifindex,
               error->message);
        cb_data->concheck.resolve_ifindex = 0;
        systemd_resolved_resolve(cb_data);
        return;
    }
    g_variant_get(result, "(v)", &value);
    g_variant_get(value, "t", &scope_mask);
    if (!(scope_mask & SD_RESOLVED_DNS)) {
        /* there is no per-link DNS configured / active; query all available /
         * system DNS resolvers instead of restricting the lookup to just this
         * one, which would turn up no results. */
        _LOG2D("no per-link DNS available (scope mask %" G_GUINT64_FORMAT
               "); falling back to system-wide lookups",
               scope_mask);
        cb_data->concheck.resolve_ifindex = 0;
    }
    systemd_resolved_resolve(cb_data);
 }
 static void
 systemd_resolved_get_link_cb(GObject *object, GAsyncResult *res, gpointer user_data)
 {
    NMConnectivityCheckHandle *cb_data;
    gs_unref_variant GVariant *result    = NULL;
    gs_free char              *link_path = NULL;
    gs_free_error GError      *error     = NULL;
    result = g_dbus_connection_call_finish(G_DBUS_CONNECTION(object), res, &error);
    if (nm_utils_error_is_cancelled(error))
        return;
    cb_data = user_data;
    if (!result) {
        _LOG2D("unable to obtain systemd-resolved link D-Bus object for interface %d: %s",
               cb_data->concheck.resolve_ifindex,
               error->message);
        cb_data->concheck.resolve_ifindex = 0;
        systemd_resolved_resolve(cb_data);
        return;
    }
    g_variant_get(result, "(o)", &link_path);
    g_dbus_connection_call(cb_data->concheck.dbus_connection,
                           "org.freedesktop.resolve1",
                           link_path,
                           "org.freedesktop.DBus.Properties",
                           "Get",
                           g_variant_new("(ss)", "org.freedesktop.resolve1.Link", "ScopesMask"),
                           G_VARIANT_TYPE("(v)"),
                           G_DBUS_CALL_FLAGS_NONE,
                           -1,
                           cb_data->concheck.resolve_cancellable,
                           systemd_resolved_link_scopes_cb,
                           cb_data);
 }
 static NMConnectivityState
 check_platform_config(NMConnectivity *self,
                      NMPlatform     *platform,
@ -1067,6 +1176,7 @@ nm_connectivity_check_start(NMConnectivity             *self,
        }
        cb_data->concheck.resolve_cancellable = g_cancellable_new();
        cb_data->concheck.resolve_ifindex     = ifindex;
        /* note that we pick up support for systemd-resolved right away when we need it.
         * We don't need to remember the setting, because we can (cheaply) check anew
@ -1089,10 +1199,8 @@ nm_connectivity_check_start(NMConnectivity             *self,
        has_systemd_resolved = !!nm_dns_manager_get_systemd_resolved(nm_dns_manager_get());
        if (has_systemd_resolved) {
-            GDBusConnection *dbus_connection;
+            cb_data->concheck.dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
-
+            if (!cb_data->concheck.dbus_connection) {
            dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
            if (!dbus_connection) {
                /* we have no D-Bus connection? That might happen in configure and quit mode.
                 *
                 * Anyway, something is very odd, just fail connectivity check. */
@ -1103,25 +1211,19 @@ nm_connectivity_check_start(NMConnectivity             *self,
                return cb_data;
            }
-            g_dbus_connection_call(dbus_connection,
+            /* first check whether there has been a per-link DNS configured */
            g_dbus_connection_call(cb_data->concheck.dbus_connection,
                                   "org.freedesktop.resolve1",
                                   "/org/freedesktop/resolve1",
                                   "org.freedesktop.resolve1.Manager",
-                                   "ResolveHostname",
+                                   "GetLink",
-                                   g_variant_new("(isit)",
+                                   g_variant_new("(i)", ifindex),
-                                                 0,
+                                   G_VARIANT_TYPE("(o)"),
                                                 cb_data->concheck.con_config->host,
                                                 (gint32) cb_data->addr_family,
                                                 SD_RESOLVED_DNS),
                                   G_VARIANT_TYPE("(a(iiay)st)"),
                                   G_DBUS_CALL_FLAGS_NONE,
                                   -1,
                                   cb_data->concheck.resolve_cancellable,
-                                   systemd_resolved_resolve_cb,
+                                   systemd_resolved_get_link_cb,
                                   cb_data);
            _LOG2D("start request to '%s' (try resolving '%s' using systemd-resolved)",
                   cb_data->concheck.con_config->uri,
                   cb_data->concheck.con_config->host);
            return cb_data;
        }
--- a/src/core/nm-core-utils.c
+++ b/src/core/nm-core-utils.c
@ -2865,6 +2865,7 @@ _host_id_read(guint8 **out_host_id, gsize *out_host_id_len)
                                               0600,
                                               NULL,
                                               NULL,
                                               NULL,
                                               &error)) {
            nm_log_warn(
                LOGD_CORE,
@ -5011,6 +5012,7 @@ typedef struct {
    int      child_stdin;
    int      child_stdout;
    int      child_stderr;
    gboolean binary_output;
    GSource *input_source;
    GSource *output_source;
    GSource *error_source;
@ -5090,9 +5092,17 @@ helper_complete(HelperInfo *info, GError *error)
    }
    nm_clear_g_cancellable_disconnect(g_task_get_cancellable(info->task), &info->cancellable_id);
    if (info->binary_output) {
        g_task_return_pointer(
            info->task,
            g_bytes_new(nm_str_buf_get_str_unsafe(&info->in_buffer), info->in_buffer.len),
            (GDestroyNotify) (g_bytes_unref));
    } else {
        g_task_return_pointer(info->task,
                              nm_str_buf_finalize(&info->in_buffer, NULL) ?: g_new0(char, 1),
                              g_free);
    }
    helper_info_free(info);
 }
@ -5235,6 +5245,7 @@ helper_cancelled(GObject *object, gpointer user_data)
 void
 nm_utils_spawn_helper(const char *const  *args,
                      gboolean            binary_output,
                      GCancellable       *cancellable,
                      GAsyncReadyCallback callback,
                      gpointer            cb_data)
@ -5251,8 +5262,13 @@ nm_utils_spawn_helper(const char *const  *args,
    info  = g_new(HelperInfo, 1);
    *info = (HelperInfo) {
        .task          = nm_g_task_new(NULL, cancellable, nm_utils_spawn_helper, callback, cb_data),
        .binary_output = binary_output,
    };
    /* Store if the caller requested binary output so that we can check later
     * that the right result function is called. */
    g_task_set_task_data(info->task, GINT_TO_POINTER(binary_output), NULL);
    if (!g_spawn_async_with_pipes("/",
                                  (char **) NM_MAKE_STRV(LIBEXECDIR "/nm-daemon-helper"),
                                  (char **) NM_MAKE_STRV(),
@ -5363,11 +5379,25 @@ nm_utils_spawn_helper(const char *const  *args,
 }
 char *
-nm_utils_spawn_helper_finish(GAsyncResult *result, GError **error)
+nm_utils_spawn_helper_finish_string(GAsyncResult *result, GError **error)
 {
    GTask *task = G_TASK(result);
    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_spawn_helper));
    /* Check binary_output */
    nm_assert(GPOINTER_TO_INT(g_task_get_task_data(task)) == FALSE);
    return g_task_propagate_pointer(task, error);
 }
 GBytes *
 nm_utils_spawn_helper_finish_binary(GAsyncResult *result, GError **error)
 {
    GTask *task = G_TASK(result);
    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_spawn_helper));
    /* Check binary_output */
    nm_assert(GPOINTER_TO_INT(g_task_get_task_data(task)) == TRUE);
    return g_task_propagate_pointer(task, error);
 }
@ -5474,3 +5504,334 @@ nm_utils_shorten_hostname(const char *hostname, char **shortened)
    *shortened = g_steal_pointer(&s);
    return TRUE;
 }
 /**
 * nm_utils_connection_supported:
 * @connection: the connection
 * @error: on return, the reason why the connection in not supported
 *
 * Returns whether the given connection is supported by this version
 * of NetworkManager.
 */
 gboolean
 nm_utils_connection_supported(NMConnection *connection, GError **error)
 {
    const char *type;
    const char *feature = NULL;
    g_return_val_if_fail(connection, FALSE);
    g_return_val_if_fail(!error || !*error, FALSE);
    type = nm_connection_get_connection_type(connection);
    if (!WITH_TEAMDCTL) {
        NMSettingConnection *s_con;
        if (nm_streq0(type, NM_SETTING_TEAM_SETTING_NAME)) {
            feature = "team";
            goto out_disabled;
        }
        /* Match team ports */
        if ((s_con = nm_connection_get_setting_connection(connection))
            && nm_streq0(nm_setting_connection_get_port_type(s_con),
                         NM_SETTING_TEAM_SETTING_NAME)) {
            feature = "team";
            goto out_disabled;
        }
    }
    if (!WITH_OPENVSWITCH) {
        if (NM_IN_STRSET(type,
                         NM_SETTING_OVS_BRIDGE_SETTING_NAME,
                         NM_SETTING_OVS_PORT_SETTING_NAME,
                         NM_SETTING_OVS_INTERFACE_SETTING_NAME)) {
            feature = "Open vSwitch";
            goto out_disabled;
        }
        /* Match OVS system interfaces */
        if (nm_connection_get_setting_ovs_interface(connection)) {
            feature = "Open vSwitch";
            goto out_disabled;
        }
    }
    if (!WITH_WIFI
        && NM_IN_STRSET(type,
                        NM_SETTING_WIRELESS_SETTING_NAME,
                        NM_SETTING_OLPC_MESH_SETTING_NAME,
                        NM_SETTING_WIFI_P2P_SETTING_NAME)) {
        feature = "Wi-Fi";
        goto out_disabled;
    }
    if (!WITH_WWAN
        && NM_IN_STRSET(type, NM_SETTING_GSM_SETTING_NAME, NM_SETTING_CDMA_SETTING_NAME)) {
        feature = "WWAN";
        goto out_disabled;
    }
    if (nm_streq0(type, NM_SETTING_WIMAX_SETTING_NAME)) {
        feature = "WiMAX";
        goto out_removed;
    }
    return TRUE;
 out_disabled:
    nm_assert(feature);
    g_set_error(error,
                NM_SETTINGS_ERROR,
                NM_SETTINGS_ERROR_FEATURE_DISABLED,
                "%s support is disabled in this build",
                feature);
    return FALSE;
 out_removed:
    nm_assert(feature);
    g_set_error(error,
                NM_SETTINGS_ERROR,
                NM_SETTINGS_ERROR_FEATURE_REMOVED,
                "%s is no longer supported",
                feature);
    return FALSE;
 }
 /*****************************************************************************/
 /**
 * nm_rate_limit_check():
 * @rate_limit: the NMRateLimit instance
 * @window_sec: the time window in seconds, between 1 and 864000 (ten days)
 * @burst: the number of max allowed event occurrences in the given time
 *   window
 *
 * The function rate limits an event. Call it multiple times with the
 * same @window_sec, and @burst values.
 *
 * Returns: TRUE if the event is allowed, FALSE if it is rate-limited
 */
 gboolean
 nm_rate_limit_check(NMRateLimit *rate_limit, gint32 window_sec, gint32 burst)
 {
    gint64 now;
    gint64 old_ts_msec;
    gint64 window_msec;
    gint64 capacity;
    gint64 elapsed;
    nm_assert(window_sec >= 1 && window_sec <= 864000);
    nm_assert(burst >= 1);
    /* This implements a simple token bucket algorithm. For each millisecond,
     * refill "burst" tokens. Thus, during a full time window we
     * refill (window_msec * burst) tokens. Each event consumes @window_msec
     * tokens. */
    window_msec         = (gint64) window_sec * NM_UTILS_MSEC_PER_SEC;
    capacity            = window_msec * (gint64) burst;
    old_ts_msec         = rate_limit->ts_msec;
    now                 = nm_utils_get_monotonic_timestamp_msec();
    rate_limit->ts_msec = now;
    elapsed = now - old_ts_msec;
    if (old_ts_msec == 0 || elapsed > window_msec) {
        /* On the first call, or in case a whole window passed, (re)start with
         * a full budget */
        rate_limit->tokens = capacity;
    } else {
        rate_limit->tokens += elapsed * (gint64) burst;
        rate_limit->tokens = NM_MIN(rate_limit->tokens, capacity);
    }
    /* Consume the tokens */
    if (rate_limit->tokens >= window_msec) {
        rate_limit->tokens -= window_msec;
        return TRUE;
    }
    return FALSE;
 }
 const char *
 nm_utils_get_connection_first_permissions_user(NMConnection *connection)
 {
    NMSettingConnection *s_con;
    s_con = nm_connection_get_setting_connection(connection);
    nm_assert(s_con);
    return _nm_setting_connection_get_first_permissions_user(s_con);
 }
 /*****************************************************************************/
 const char **
 nm_utils_get_connection_private_files_paths(NMConnection *connection)
 {
    GPtrArray          *files;
    gs_free NMSetting **settings = NULL;
    guint               num_settings;
    guint               i;
    files    = g_ptr_array_new();
    settings = nm_connection_get_settings(connection, &num_settings);
    for (i = 0; i < num_settings; i++) {
        _nm_setting_get_private_files(settings[i], files);
    }
    g_ptr_array_add(files, NULL);
    return (const char **) g_ptr_array_free(files, files->len == 1);
 }
 typedef struct _ReadInfo ReadInfo;
 typedef struct {
    char     *path;
    ReadInfo *read_info;
 } FileInfo;
 struct _ReadInfo {
    GTask      *task;
    GHashTable *table;
    GPtrArray  *file_infos; /* of FileInfo */
    GError     *first_error;
    guint       num_pending;
 };
 static void
 read_file_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data)
 {
    FileInfo              *file_info = user_data;
    ReadInfo              *read_info = file_info->read_info;
    gs_unref_bytes GBytes *output    = NULL;
    gs_free_error GError  *error     = NULL;
    output = nm_utils_spawn_helper_finish_binary(result, &error);
    nm_assert(read_info->num_pending > 0);
    read_info->num_pending--;
    if (nm_utils_error_is_cancelled(error)) {
        /* nop */
    } else if (error) {
        nm_log_dbg(LOGD_CORE,
                   "read-private-files: failed to read file '%s': %s",
                   file_info->path,
                   error->message);
        if (!read_info->first_error) {
            /* @error just says "helper process exited with status X".
             * Return a more human-friendly one. */
            read_info->first_error = g_error_new(NM_UTILS_ERROR,
                                                 NM_UTILS_ERROR_UNKNOWN,
                                                 "error reading file '%s'",
                                                 file_info->path);
        }
    } else {
        nm_log_dbg(LOGD_SUPPLICANT,
                   "read-private-files: successfully read file '%s'",
                   file_info->path);
        /* Store the file contents in the hash table */
        if (!read_info->table) {
            read_info->table = g_hash_table_new_full(nm_str_hash,
                                                     g_str_equal,
                                                     g_free,
                                                     (GDestroyNotify) g_bytes_unref);
        }
        g_hash_table_insert(read_info->table,
                            g_steal_pointer(&file_info->path),
                            g_steal_pointer(&output));
    }
    g_clear_pointer(&file_info->path, g_free);
    /* If all operations are completed, return  */
    if (read_info->num_pending == 0) {
        if (read_info->first_error) {
            g_task_return_error(read_info->task, g_steal_pointer(&read_info->first_error));
        } else {
            g_task_return_pointer(read_info->task,
                                  g_steal_pointer(&read_info->table),
                                  (GDestroyNotify) g_hash_table_unref);
        }
        if (read_info->table)
            g_hash_table_unref(read_info->table);
        if (read_info->file_infos)
            g_ptr_array_unref(read_info->file_infos);
        g_object_unref(read_info->task);
        g_free(read_info);
    }
 }
 /**
 * nm_utils_read_private_files:
 * @paths: array of file paths to be read
 * @user: name of the user to impersonate when reading the files
 * @cancellable: cancellable to cancel the operation
 * @callback: callback to invoke on completion
 * @cb_data: data for @callback
 *
 * Reads the given list of files @paths on behalf of user @user. Invokes
 * @callback asynchronously on completion. The callback must use
 * nm_utils_read_private_files_finish() to obtain the result.
 */
 void
 nm_utils_read_private_files(const char *const  *paths,
                            const char         *user,
                            GCancellable       *cancellable,
                            GAsyncReadyCallback callback,
                            gpointer            cb_data)
 {
    ReadInfo *read_info;
    FileInfo *file_info;
    guint     i;
    g_return_if_fail(paths && paths[0]);
    g_return_if_fail(cancellable);
    g_return_if_fail(callback);
    g_return_if_fail(cb_data);
    read_info  = g_new(ReadInfo, 1);
    *read_info = (ReadInfo) {
        .task = nm_g_task_new(NULL, cancellable, nm_utils_read_private_files, callback, cb_data),
        .file_infos = g_ptr_array_new_with_free_func(g_free),
    };
    for (i = 0; paths[i]; i++) {
        file_info  = g_new(FileInfo, 1);
        *file_info = (FileInfo) {
            .path      = g_strdup(paths[i]),
            .read_info = read_info,
        };
        g_ptr_array_add(read_info->file_infos, file_info);
        read_info->num_pending++;
        nm_utils_spawn_helper(NM_MAKE_STRV("read-file-as-user", user, paths[i]),
                              TRUE,
                              cancellable,
                              read_file_helper_cb,
                              file_info);
    }
 }
 /**
 * nm_utils_read_private_files_finish:
 * @result: the GAsyncResult
 * @error: on return, the error
 *
 * Returns the files read by nm_utils_read_private_files(). The return value
 * is a hash table {char * -> GBytes *}. Free it with g_hash_table_unref().
 */
 GHashTable *
 nm_utils_read_private_files_finish(GAsyncResult *result, GError **error)
 {
    GTask *task = G_TASK(result);
    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_read_private_files));
    return g_task_propagate_pointer(task, error);
 }
--- a/src/core/nm-core-utils.h
+++ b/src/core/nm-core-utils.h
@ -478,11 +478,13 @@ guint8 nm_wifi_utils_level_to_quality(int val);
 /*****************************************************************************/
 void nm_utils_spawn_helper(const char *const  *args,
                           gboolean            binary_output,
                           GCancellable       *cancellable,
                           GAsyncReadyCallback callback,
                           gpointer            cb_data);
-char *nm_utils_spawn_helper_finish(GAsyncResult *result, GError **error);
+char   *nm_utils_spawn_helper_finish_string(GAsyncResult *result, GError **error);
 GBytes *nm_utils_spawn_helper_finish_binary(GAsyncResult *result, GError **error);
 /*****************************************************************************/
@ -490,4 +492,32 @@ uid_t nm_utils_get_nm_uid(void);
 gid_t nm_utils_get_nm_gid(void);
 /*****************************************************************************/
 gboolean nm_utils_connection_supported(NMConnection *connection, GError **error);
 /*****************************************************************************/
 typedef struct {
    gint64 ts_msec;
    gint64 tokens;
 } NMRateLimit;
 gboolean nm_rate_limit_check(NMRateLimit *rate_limit, gint32 window_sec, gint32 burst);
 /*****************************************************************************/
 const char *nm_utils_get_connection_first_permissions_user(NMConnection *connection);
 /*****************************************************************************/
 const char **nm_utils_get_connection_private_files_paths(NMConnection *connection);
 void        nm_utils_read_private_files(const char *const  *paths,
                                        const char         *user,
                                        GCancellable       *cancellable,
                                        GAsyncReadyCallback callback,
                                        gpointer            cb_data);
 GHashTable *nm_utils_read_private_files_finish(GAsyncResult *result, GError **error);
 #endif /* __NM_CORE_UTILS_H__ */
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@ -120,6 +120,7 @@ struct _NML3ConfigData {
    NMSettingConnectionMdns       mdns;
    NMSettingConnectionLlmnr      llmnr;
    NMSettingConnectionDnsOverTls dns_over_tls;
    NMSettingConnectionDnssec     dnssec;
    NMUtilsIPv6IfaceId            ip6_token;
    NML3ConfigDatFlags flags;
@ -577,6 +578,16 @@ nm_l3_config_data_log(const NML3ConfigData *self,
                                           NULL)));
    }
    if (self->dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
        gs_free char *s = NULL;
        _L("dnssec: %s",
           (s = _nm_utils_enum_to_str_full(nm_setting_connection_dnssec_get_type(),
                                           self->dnssec,
                                           " ",
                                           NULL)));
    }
    if (self->mptcp_flags != NM_MPTCP_FLAGS_NONE) {
        gs_free char *s = NULL;
@ -694,6 +705,7 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
        .mdns                           = NM_SETTING_CONNECTION_MDNS_DEFAULT,
        .llmnr                          = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
        .dns_over_tls                   = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
        .dnssec                         = NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
        .flags                          = NM_L3_CONFIG_DAT_FLAGS_NONE,
        .metered                        = NM_TERNARY_DEFAULT,
        .proxy_browser_only             = NM_TERNARY_DEFAULT,
@ -1767,6 +1779,26 @@ nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self, NMSettingConnectionDnsO
    return TRUE;
 }
 NMSettingConnectionDnssec
 nm_l3_config_data_get_dnssec(const NML3ConfigData *self)
 {
    nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
    return self->dnssec;
 }
 gboolean
 nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec)
 {
    nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
    if (self->dnssec == dnssec)
        return FALSE;
    self->dnssec = dnssec;
    return TRUE;
 }
 NMIPRouteTableSyncMode
 nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self, int addr_family)
 {
@ -2446,6 +2478,7 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
        NM_CMP_DIRECT(a->mdns, b->mdns);
        NM_CMP_DIRECT(a->llmnr, b->llmnr);
        NM_CMP_DIRECT(a->dns_over_tls, b->dns_over_tls);
        NM_CMP_DIRECT(a->dnssec, b->dnssec);
    }
    if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_OTHER)) {
@ -3139,7 +3172,8 @@ void
 nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
                           GChecksum            *sum,
                           int                   addr_family,
-                           NMDnsIPConfigType     dns_ip_config_type)
+                           NMDnsIPConfigType     dns_ip_config_type,
                           gboolean              ignore_searches_and_options)
 {
    guint              i;
    int                val;
@ -3178,6 +3212,7 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
        empty = FALSE;
    }
    if (!ignore_searches_and_options) {
        searches = nm_l3_config_data_get_searches(l3cd, addr_family, &num_searches);
        for (i = 0; i < num_searches; i++) {
            g_checksum_update(sum, (const guint8 *) searches[i], strlen(searches[i]));
@ -3189,6 +3224,7 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
            g_checksum_update(sum, (const guint8 *) options[i], strlen(options[i]));
            empty = FALSE;
        }
    }
    val = nm_l3_config_data_get_mdns(l3cd);
    if (val != NM_SETTING_CONNECTION_MDNS_DEFAULT) {
@ -3208,6 +3244,12 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
        empty = FALSE;
    }
    val = nm_l3_config_data_get_dnssec(l3cd);
    if (val != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
        g_checksum_update(sum, (const guint8 *) &val, sizeof(val));
        empty = FALSE;
    }
    if (!empty) {
        int prio = 0;
@ -3458,6 +3500,9 @@ nm_l3_config_data_merge(NML3ConfigData       *self,
    if (self->dns_over_tls == NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT)
        self->dns_over_tls = src->dns_over_tls;
    if (self->dnssec == NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
        self->dnssec = src->dnssec;
    if (self->ip6_token.id == 0)
        self->ip6_token.id = src->ip6_token.id;
--- a/src/core/nm-l3-config-data.h
+++ b/src/core/nm-l3-config-data.h
@ -458,6 +458,10 @@ NMSettingConnectionDnsOverTls nm_l3_config_data_get_dns_over_tls(const NML3Confi
 gboolean nm_l3_config_data_set_dns_over_tls(NML3ConfigData               *self,
                                            NMSettingConnectionDnsOverTls dns_over_tls);
 NMSettingConnectionDnssec nm_l3_config_data_get_dnssec(const NML3ConfigData *self);
 gboolean nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec);
 NMIPRouteTableSyncMode nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self,
                                                              int                   addr_family);
@ -615,6 +619,7 @@ nmtst_l3_config_data_get_best_gateway(const NML3ConfigData *self, int addr_famil
 void nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
                                GChecksum            *sum,
                                int                   addr_family,
-                                NMDnsIPConfigType     dns_ip_config_type);
+                                NMDnsIPConfigType     dns_ip_config_type,
                                gboolean              ignore_searches_and_options);
 #endif /* __NM_L3_CONFIG_DATA_H__ */
--- a/src/core/nm-l3cfg.c
+++ b/src/core/nm-l3cfg.c
@ -40,8 +40,7 @@ G_STATIC_ASSERT(NM_ACD_TIMEOUT_RFC5227_MSEC == N_ACD_TIMEOUT_RFC5227);
 #define ACD_SUPPORTED_ETH_ALEN                  ETH_ALEN
 #define ACD_ENSURE_RATELIMIT_MSEC               ((guint32) 4000u)
-#define ACD_WAIT_PROBING_EXTRA_TIME_MSEC        ((guint32) (1000u + ACD_ENSURE_RATELIMIT_MSEC))
+#define ACD_WAIT_PROBING_EXTRA_TIME_MSEC        ((guint32) (2000u + ACD_ENSURE_RATELIMIT_MSEC))
 #define ACD_WAIT_PROBING_EXTRA_TIME2_MSEC       ((guint32) 1000u)
 #define ACD_WAIT_TIME_PROBING_FULL_RESTART_MSEC ((guint32) 30000u)
 #define ACD_WAIT_TIME_CONFLICT_RESTART_MSEC     ((guint32) 120000u)
 #define ACD_WAIT_TIME_ANNOUNCE_RESTART_MSEC     ((guint32) 30000u)
@ -2740,9 +2739,8 @@ handle_init:
            nm_utils_get_monotonic_timestamp_msec_cached(p_now_msec);
            if (acd_data->info.state == NM_L3_ACD_ADDR_STATE_PROBING) {
-                if ((*p_now_msec) > acd_data->probing_timestamp_msec
+                if ((*p_now_msec)
-                                        + ACD_WAIT_PROBING_EXTRA_TIME_MSEC
+                    > acd_data->probing_timestamp_msec + ACD_WAIT_PROBING_EXTRA_TIME_MSEC) {
                                        + ACD_WAIT_PROBING_EXTRA_TIME2_MSEC) {
                    /* hm. We failed to create a new probe too long. Something is really wrong
                     * internally, but let's ignore the issue and assume the address is good. What
                     * else would we do? Assume the address is USED? */
@ -2948,7 +2946,7 @@ handle_init:
            nm_utils_get_monotonic_timestamp_msec_cached(p_now_msec);
            if (acd_data->probing_timestamp_msec + acd_data->probing_timeout_msec
-                    + ACD_WAIT_PROBING_EXTRA_TIME_MSEC + ACD_WAIT_PROBING_EXTRA_TIME2_MSEC
+                    + ACD_WAIT_PROBING_EXTRA_TIME_MSEC
                >= (*p_now_msec)) {
                /* The probing already started quite a while ago. We ignore the link event
                 * and let the probe come to it's natural end. */
@ -3058,9 +3056,10 @@ handle_start_probing:
        }
        _LOGT_acd(acd_data,
-                  "%sstart probing (timeout %u msec, %s)",
+                  "%sstart probing (timeout %u msec, ebpf %s; %s)",
                  orig_state == NM_L3_ACD_ADDR_STATE_INIT ? "" : "re",
                  acd_data->probing_timeout_msec,
                  n_acd_has_bpf(self->priv.p->nacd) ? "enabled" : "disabled",
                  log_reason);
        return;
    }
@ -3155,10 +3154,11 @@ handle_start_defending:
        }
        _LOGT_acd(acd_data,
-                  "start announcing (defend=%s) (probe created)",
+                  "start announcing (defend=%s) (probe created with ebpf %s)",
                  _l3_acd_defend_type_to_string(acd_data->acd_defend_type_current,
                                                sbuf256,
-                                                sizeof(sbuf256)));
+                                                sizeof(sbuf256)),
                  n_acd_has_bpf(self->priv.p->nacd) ? "enabled" : "disabled");
        acd_data->acd_defend_type_is_active = FALSE;
        acd_data->nacd_probe                = probe;
        return;
@ -3989,7 +3989,7 @@ _l3cfg_routed_dns_apply(NML3Cfg *self, const NML3ConfigData *l3cd)
            NMDnsServer               dns;
            int                       r;
-            if (!nm_dns_uri_parse(addr_family, nameservers[i], &dns))
+            if (!nm_dns_uri_parse(addr_family, nameservers[i], &dns, NULL))
                continue;
            /* Find the gateway to the DNS over the current interface. When
@ -5054,8 +5054,8 @@ _l3_commit_mptcp_af(NML3Cfg          *self,
            (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SIGNAL) ? MPTCP_PM_ADDR_FLAG_SIGNAL : 0)
            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SUBFLOW) ? MPTCP_PM_ADDR_FLAG_SUBFLOW : 0)
            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_BACKUP) ? MPTCP_PM_ADDR_FLAG_BACKUP : 0)
-            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_FULLMESH) ? MPTCP_PM_ADDR_FLAG_FULLMESH
+            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_FULLMESH) ? MPTCP_PM_ADDR_FLAG_FULLMESH : 0)
-                                                                  : 0);
+            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_LAMINAR) ? MPTCP_PM_ADDR_FLAG_LAMINAR : 0);
        NMPlatformMptcpAddr a = {
            .ifindex     = self->priv.ifindex,
            .id          = 0,
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@ -136,6 +136,7 @@ enum {
    ACTIVE_CONNECTION_REMOVED,
    CONFIGURE_QUIT,
    DEVICE_IFINDEX_CHANGED,
    SHARING_IPV4_CHANGED,
    LAST_SIGNAL
 };
@ -238,6 +239,8 @@ typedef struct {
    guint8 device_state_prune_ratelimit_count;
    guint shared_connections_ip4_count;
    bool startup : 1;
    bool devices_inited : 1;
@ -1960,7 +1963,7 @@ find_device_by_iface(NMManager    *self,
 }
 static gboolean
-manager_sleeping(NMManager *self)
+manager_is_disabled(NMManager *self)
 {
    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
@ -1973,8 +1976,8 @@ static const char *
 _nm_state_to_string(NMState state)
 {
    switch (state) {
-    case NM_STATE_ASLEEP:
+    case NM_STATE_DISABLED:
-        return "ASLEEP";
+        return "DISABLED";
    case NM_STATE_DISCONNECTED:
        return "DISCONNECTED";
    case NM_STATE_DISCONNECTING:
@ -2078,15 +2081,18 @@ nm_manager_update_state(NMManager *self)
 {
    NMManagerPrivate *priv;
    NMState           new_state = NM_STATE_DISCONNECTED;
    const char       *detail    = "";
    g_return_if_fail(NM_IS_MANAGER(self));
    priv = NM_MANAGER_GET_PRIVATE(self);
-    if (manager_sleeping(self))
+    if (manager_is_disabled(self)) {
-        new_state = NM_STATE_ASLEEP;
+        new_state = NM_STATE_DISABLED;
-    else
+        detail    = priv->sleeping ? " (ASLEEP)" : " (NETWORKING OFF)";
    } else {
        new_state = find_best_device_state(self);
    }
    if (new_state >= NM_STATE_CONNECTED_LOCAL && priv->connectivity_state == NM_CONNECTIVITY_FULL) {
        new_state = NM_STATE_CONNECTED_GLOBAL;
@ -2097,7 +2103,7 @@ nm_manager_update_state(NMManager *self)
    priv->state = new_state;
-    _LOGI(LOGD_CORE, "NetworkManager state is now %s", _nm_state_to_string(new_state));
+    _LOGI(LOGD_CORE, "NetworkManager state is now %s%s", _nm_state_to_string(new_state), detail);
    _notify(self, PROP_STATE);
    nm_dbus_object_emit_signal(NM_DBUS_OBJECT(self),
@ -2956,7 +2962,7 @@ _rfkill_update_devices(NMManager *self, NMRfkillType rtype, gboolean enabled)
    _notify(self, _rfkill_type_desc[rtype].prop_id);
    /* Don't touch devices if asleep/networking disabled */
-    if (manager_sleeping(self))
+    if (manager_is_disabled(self))
        return;
    /* enable/disable wireless devices as required */
@ -3120,7 +3126,7 @@ _rfkill_update_from_user(NMManager *self, NMRfkillType rtype, gboolean enabled)
    gboolean          old_enabled, new_enabled;
    /* Don't touch devices if asleep/networking disabled */
-    if (manager_sleeping(self))
+    if (manager_is_disabled(self))
        return;
    _LOGD(LOGD_RFKILL,
@ -4079,7 +4085,7 @@ add_device(NMManager *self, NMDevice *device, GError **error)
    nm_device_set_unmanaged_by_user_settings(device, TRUE);
-    nm_device_set_unmanaged_flags(device, NM_UNMANAGED_SLEEPING, manager_sleeping(self));
+    nm_device_set_unmanaged_flags(device, NM_UNMANAGED_MANAGER_DISABLED, manager_is_disabled(self));
    dbus_path = nm_dbus_object_export(NM_DBUS_OBJECT(device));
    _LOG2I(LOGD_DEVICE, device, "new %s device (%s)", type_desc, dbus_path);
@ -5718,6 +5724,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
    GError                  *local = NULL;
    NMConnectionMultiConnect multi_connect;
    const char              *parent_spec;
    gboolean                 did_realize = FALSE;
    g_return_val_if_fail(NM_IS_MANAGER(self), FALSE);
    g_return_val_if_fail(NM_IS_ACTIVE_CONNECTION(active), FALSE);
@ -5892,6 +5899,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                               nm_device_get_iface(device));
                return FALSE;
            }
            did_realize = TRUE;
        }
    }
@ -5923,7 +5931,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                        "The controller connection '%s' is not compatible with '%s'",
                        nm_settings_connection_get_id(controller_connection),
                        nm_settings_connection_get_id(sett_conn));
-            return FALSE;
+            goto err_unrealize;
        }
        if (!controller_ac) {
@ -5946,7 +5954,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                                   "Controller connection '%s' can't be activated: ",
                                   nm_settings_connection_get_id(controller_connection));
                }
-                return FALSE;
+                goto err_unrealize;
            }
        }
@ -6040,7 +6048,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                                NM_MANAGER_ERROR,
                                NM_MANAGER_ERROR_DEPENDENCY_FAILED,
                                "Activation failed because the device is unmanaged");
-            return FALSE;
+            goto err_unrealize;
        }
    }
@ -6048,6 +6056,11 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
    active_connection_add(self, active);
    nm_device_queue_activation(device, NM_ACT_REQUEST(active));
    return TRUE;
 err_unrealize:
    if (did_realize)
        nm_device_unrealize(device, TRUE, NULL);
    return FALSE;
 }
 static gboolean
@ -7292,7 +7305,7 @@ device_sleep_cb(NMDevice *device, GParamSpec *pspec, NMManager *self)
    case NM_DEVICE_STATE_DISCONNECTED:
        _LOGD(LOGD_SUSPEND, "sleep: unmanaging device %s", nm_device_get_ip_iface(device));
        nm_device_set_unmanaged_by_flags_queue(device,
-                                               NM_UNMANAGED_SLEEPING,
+                                               NM_UNMANAGED_MANAGER_DISABLED,
                                               NM_UNMAN_FLAG_OP_SET_UNMANAGED,
                                               NM_DEVICE_STATE_REASON_SLEEPING);
        break;
@ -7314,24 +7327,26 @@ _handle_device_takedown(NMManager *self,
                        gboolean   suspending,
                        gboolean   is_shutdown)
 {
    gboolean            is_sleep = suspending || is_shutdown;
    NMDeviceStateReason reason =
        is_sleep ? NM_DEVICE_STATE_REASON_SLEEPING : NM_DEVICE_STATE_REASON_NETWORKING_OFF;
    nm_device_notify_sleeping(device);
    if (nm_device_is_activating(device)
        || nm_device_get_state(device) == NM_DEVICE_STATE_ACTIVATED) {
-        _LOGD(LOGD_SUSPEND,
+        _LOGD(is_sleep ? LOGD_SUSPEND : LOGD_CORE,
              "%s: wait disconnection of device %s",
-              is_shutdown ? "shutdown" : "sleep",
+              is_sleep ? (is_shutdown ? "shutdown" : "sleep") : "networking off",
              nm_device_get_ip_iface(device));
        if (sleep_devices_add(self, device, suspending))
-            nm_device_queue_state(device,
+            nm_device_queue_state(device, NM_DEVICE_STATE_DEACTIVATING, reason);
                                  NM_DEVICE_STATE_DEACTIVATING,
                                  NM_DEVICE_STATE_REASON_SLEEPING);
    } else {
        nm_device_set_unmanaged_by_flags(device,
-                                         NM_UNMANAGED_SLEEPING,
+                                         NM_UNMANAGED_MANAGER_DISABLED,
                                         NM_UNMAN_FLAG_OP_SET_UNMANAGED,
-                                         NM_DEVICE_STATE_REASON_SLEEPING);
+                                         reason);
    }
 }
@ -7345,8 +7360,10 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
    suspending          = sleeping_changed && priv->sleeping;
    waking_from_suspend = sleeping_changed && !priv->sleeping;
-    if (manager_sleeping(self)) {
+    if (manager_is_disabled(self)) {
-        _LOGD(LOGD_SUSPEND, "sleep: %s...", suspending ? "sleeping" : "disabling");
+        _LOGD(suspending ? LOGD_SUSPEND : LOGD_CORE,
              "%s...",
              suspending ? "sleep: sleeping" : "networking: disabling");
        /* FIXME: are there still hardware devices that need to be disabled around
         * suspend/resume?
@ -7372,7 +7389,9 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
            _handle_device_takedown(self, device, suspending, FALSE);
        }
    } else {
-        _LOGD(LOGD_SUSPEND, "sleep: %s...", waking_from_suspend ? "waking up" : "re-enabling");
+        _LOGD(waking_from_suspend ? LOGD_SUSPEND : LOGD_CORE,
              "%s...",
              waking_from_suspend ? "sleep: waking up" : "networking: re-enabling");
        sleep_devices_clear(self);
@ -7386,7 +7405,7 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
                 */
                if (device_is_wake_on_lan(priv->platform, device))
                    nm_device_set_unmanaged_by_flags(device,
-                                                     NM_UNMANAGED_SLEEPING,
+                                                     NM_UNMANAGED_MANAGER_DISABLED,
                                                     NM_UNMAN_FLAG_OP_SET_UNMANAGED,
                                                     NM_DEVICE_STATE_REASON_SLEEPING);
@ -7414,10 +7433,12 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
            guint               i;
            if (nm_device_is_software(device)
-                && !nm_device_get_unmanaged_flags(device, NM_UNMANAGED_SLEEPING)) {
+                && !nm_device_get_unmanaged_flags(device, NM_UNMANAGED_MANAGER_DISABLED)) {
                /* DHCP leases of software devices could have gone stale
                 * so we need to renew them. */
-                nm_device_update_dynamic_ip_setup(device, "wake up");
+                nm_device_update_dynamic_ip_setup(device,
                                                  waking_from_suspend ? "wake up"
                                                                      : "networking on");
                continue;
            }
@ -7448,7 +7469,7 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
                    ? NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED
                    : NM_DEVICE_STATE_REASON_NOW_MANAGED;
            nm_device_set_unmanaged_by_flags(device,
-                                             NM_UNMANAGED_SLEEPING,
+                                             NM_UNMANAGED_MANAGER_DISABLED,
                                             NM_UNMAN_FLAG_OP_SET_MANAGED,
                                             reason);
        }
@ -8811,6 +8832,41 @@ nm_manager_emit_device_ifindex_changed(NMManager *self, NMDevice *device)
    g_signal_emit(self, signals[DEVICE_IFINDEX_CHANGED], 0, device);
 }
 void
 nm_manager_update_shared_connection(NMManager *self, int addr_family, gboolean enabled)
 {
    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
    gboolean          state_changed, state;
    /* Only IPv4 supported for the moment */
    if (addr_family != AF_INET)
        return;
    if (enabled) {
        g_return_if_fail(priv->shared_connections_ip4_count < G_MAXUINT);
        priv->shared_connections_ip4_count++;
        state_changed = priv->shared_connections_ip4_count == 1;
    } else {
        g_return_if_fail(priv->shared_connections_ip4_count > 0);
        priv->shared_connections_ip4_count--;
        state_changed = priv->shared_connections_ip4_count == 0;
    }
    if (state_changed) {
        state = priv->shared_connections_ip4_count > 0;
        _LOGD(LOGD_SHARING, "sharing-ipv4 state change %d -> %d", !state, state);
        g_signal_emit(self, signals[SHARING_IPV4_CHANGED], 0, state);
    }
 }
 gboolean
 nm_manager_get_sharing_ipv4(NMManager *self)
 {
    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
    return priv->shared_connections_ip4_count > 0;
 }
 /*****************************************************************************/
 NM_DEFINE_SINGLETON_REGISTER(NMManager);
@ -9914,6 +9970,17 @@ nm_manager_class_init(NMManagerClass *manager_class)
                                                   G_TYPE_NONE,
                                                   1,
                                                   NM_TYPE_DEVICE);
    signals[SHARING_IPV4_CHANGED] = g_signal_new(NM_MANAGER_SHARING_IPV4_CHANGED,
                                                 G_OBJECT_CLASS_TYPE(object_class),
                                                 G_SIGNAL_RUN_FIRST,
                                                 0,
                                                 NULL,
                                                 NULL,
                                                 NULL,
                                                 G_TYPE_NONE,
                                                 1,
                                                 G_TYPE_BOOLEAN);
 }
 NMConfig *
--- a/src/core/nm-manager.h
+++ b/src/core/nm-manager.h
@ -61,6 +61,7 @@
 #define NM_MANAGER_CONFIGURE_QUIT            "configure-quit"
 #define NM_MANAGER_INTERNAL_DEVICE_ADDED     "internal-device-added"
 #define NM_MANAGER_INTERNAL_DEVICE_REMOVED   "internal-device-removed"
 #define NM_MANAGER_SHARING_IPV4_CHANGED      "sharing-ipv4-changed"
 GType nm_manager_get_type(void);
@ -212,6 +213,9 @@ struct _NMDnsManager;
 struct _NMDnsManager *nm_manager_get_dns_manager(NMManager *self);
 void     nm_manager_update_shared_connection(NMManager *self, int addr_family, gboolean enabled);
 gboolean nm_manager_get_sharing_ipv4(NMManager *self);
 /*****************************************************************************/
 void nm_manager_notify_delete_settings_connections(NMManager            *self,
--- a/src/core/nm-netns.c
+++ b/src/core/nm-netns.c
@ -68,7 +68,7 @@ typedef struct {
    NMPNetns         *platform_netns;
    NMPGlobalTracker *global_tracker;
    GHashTable       *l3cfgs;
-    GHashTable       *shared_ips;
+    GHashTable       *ip_reservation[_NM_NETNS_IP_RESERVATION_TYPE_NUM];
    GHashTable       *ecmp_track_by_obj;
    GHashTable       *ecmp_track_by_ecmpid;
@ -571,106 +571,150 @@ notify_watcher:
 /*****************************************************************************/
-NMNetnsSharedIPHandle *
+typedef struct {
-nm_netns_shared_ip_reserve(NMNetns *self)
+    const char *name;
    guint32     start_addr; /* host byte order */
    guint       prefix_len;
    guint       num_addrs;
    gboolean    allow_reuse;
 } IPReservationTypeDesc;
 static const IPReservationTypeDesc ip_reservation_types[_NM_NETNS_IP_RESERVATION_TYPE_NUM] = {
    [NM_NETNS_IP_RESERVATION_TYPE_SHARED4] =
        {
            .name        = "shared-ip4",
            .start_addr  = 0x0a2a0001, /* 10.42.0.1 */
            .prefix_len  = 24,
            .num_addrs   = 256,
            .allow_reuse = TRUE,
        },
 };
 NMNetnsIPReservation *
 nm_netns_ip_reservation_get(NMNetns *self, NMNetnsIPReservationType type)
 {
    NMNetnsPrivate              *priv;
-    NMNetnsSharedIPHandle *handle;
+    const IPReservationTypeDesc *desc;
-    const in_addr_t        addr_start = ntohl(0x0a2a0001u); /* 10.42.0.1 */
+    NMNetnsIPReservation        *res;
    GHashTable                 **table;
    in_addr_t                    addr;
-    char                   sbuf_addr[NM_INET_ADDRSTRLEN];
+    char                         buf[NM_INET_ADDRSTRLEN];
    /* Find an unused address in the 10.42.x.x range */
    g_return_val_if_fail(NM_IS_NETNS(self), NULL);
    g_return_val_if_fail(type < _NM_NETNS_IP_RESERVATION_TYPE_NUM, NULL);
    priv  = NM_NETNS_GET_PRIVATE(self);
    desc  = &ip_reservation_types[type];
    table = &priv->ip_reservation[type];
-    if (!priv->shared_ips) {
+    if (!*table) {
-        addr             = addr_start;
+        addr   = htonl(desc->start_addr);
-        priv->shared_ips = g_hash_table_new(nm_puint32_hash, nm_puint32_equal);
+        *table = g_hash_table_new(nm_puint32_hash, nm_puint32_equal);
        g_object_ref(self);
    } else {
        guint32 count;
-        nm_assert(g_hash_table_size(priv->shared_ips) > 0);
+        nm_assert(g_hash_table_size(*table) > 0);
        nm_assert(desc->prefix_len > 0 && desc->prefix_len <= 32);
        count = 0u;
        for (;;) {
-            addr = addr_start + htonl(count << 8u);
+            addr = htonl(desc->start_addr + (count << (32 - desc->prefix_len)));
-            handle = g_hash_table_lookup(priv->shared_ips, &addr);
+            res = g_hash_table_lookup(*table, &addr);
-            if (!handle)
+            if (!res)
                break;
            count++;
-            if (count > 0xFFu) {
+            if (count >= desc->num_addrs) {
-                if (handle->_ref_count == 1) {
+                if (!desc->allow_reuse) {
-                    _LOGE("shared-ip4: ran out of shared IP addresses. Reuse %s/24",
+                    _LOGE("%s: ran out of IP addresses", desc->name);
-                          nm_inet4_ntop(handle->addr, sbuf_addr));
+                    return NULL;
                } else {
                    _LOGD("shared-ip4: reserved IP address range %s/24 (duplicate)",
                          nm_inet4_ntop(handle->addr, sbuf_addr));
                }
-                handle->_ref_count++;
+
-                return handle;
+                if (res->_ref_count == 1) {
                    _LOGE("%s: ran out of IP addresses. Reuse %s/%u",
                          desc->name,
                          nm_inet4_ntop(res->addr, buf),
                          desc->prefix_len);
                } else {
                    _LOGD("%s: reserved IP address %s/%u (duplicate)",
                          desc->name,
                          nm_inet4_ntop(res->addr, buf),
                          desc->prefix_len);
                }
                res->_ref_count++;
                return res;
            }
        }
    }
-    handle  = g_slice_new(NMNetnsSharedIPHandle);
+    res  = g_slice_new(NMNetnsIPReservation);
-    *handle = (NMNetnsSharedIPHandle) {
+    *res = (NMNetnsIPReservation) {
        .addr       = addr,
        ._ref_count = 1,
        ._self      = self,
        ._type      = type,
    };
-    g_hash_table_add(priv->shared_ips, handle);
+    g_hash_table_add(*table, res);
-    _LOGD("shared-ip4: reserved IP address range %s/24", nm_inet4_ntop(handle->addr, sbuf_addr));
+    _LOGD("%s: reserved IP address %s/%u",
-    return handle;
+          desc->name,
          nm_inet4_ntop(res->addr, buf),
          desc->prefix_len);
    return res;
 }
 void
-nm_netns_shared_ip_release(NMNetnsSharedIPHandle *handle)
+nm_netns_ip_reservation_release(NMNetnsIPReservation *res)
 {
    NMNetns                     *self;
    NMNetnsPrivate              *priv;
-    char            sbuf_addr[NM_INET_ADDRSTRLEN];
+    const IPReservationTypeDesc *desc;
    GHashTable                 **table;
    char                         buf[NM_INET_ADDRSTRLEN];
-    g_return_if_fail(handle);
+    g_return_if_fail(res);
-
+    g_return_if_fail(res->_type < _NM_NETNS_IP_RESERVATION_TYPE_NUM);
    self = handle->_self;
    self = res->_self;
    g_return_if_fail(NM_IS_NETNS(self));
    priv  = NM_NETNS_GET_PRIVATE(self);
    desc  = &ip_reservation_types[res->_type];
    table = &priv->ip_reservation[res->_type];
-    nm_assert(handle->_ref_count > 0);
+    nm_assert(res->_ref_count > 0);
-    nm_assert(handle == nm_g_hash_table_lookup(priv->shared_ips, handle));
+    nm_assert(res == nm_g_hash_table_lookup(*table, res));
-    if (handle->_ref_count > 1) {
+    if (res->_ref_count > 1) {
-        nm_assert(handle->addr == ntohl(0x0A2AFF01u)); /* 10.42.255.1 */
+        nm_assert(desc->allow_reuse);
-        handle->_ref_count--;
+        res->_ref_count--;
-        _LOGD("shared-ip4: release IP address range %s/24 (%d more references held)",
+        _LOGD("%s: release IP address reservation %s/%u (%d more references held)",
-              nm_inet4_ntop(handle->addr, sbuf_addr),
+              desc->name,
-              handle->_ref_count);
+              nm_inet4_ntop(res->addr, buf),
              desc->prefix_len,
              res->_ref_count);
        return;
    }
-    if (!g_hash_table_remove(priv->shared_ips, handle))
+    if (!g_hash_table_remove(*table, res))
        nm_assert_not_reached();
-    if (g_hash_table_size(priv->shared_ips) == 0) {
+    _LOGD("%s: release IP address reservation %s/%u",
-        nm_clear_pointer(&priv->shared_ips, g_hash_table_unref);
+          desc->name,
          nm_inet4_ntop(res->addr, buf),
          desc->prefix_len);
    if (g_hash_table_size(*table) == 0) {
        nm_clear_pointer(table, g_hash_table_unref);
        g_object_unref(self);
    }
-    _LOGD("shared-ip4: release IP address range %s/24", nm_inet4_ntop(handle->addr, sbuf_addr));
+    res->_self = NULL;
-
+    nm_g_slice_free(res);
    handle->_self = NULL;
    nm_g_slice_free(handle);
 }
 /*****************************************************************************/
@ -1560,11 +1604,14 @@ dispose(GObject *object)
    nm_assert(nm_g_hash_table_size(priv->l3cfgs) == 0);
    nm_assert(c_list_is_empty(&priv->l3cfg_signal_pending_lst_head));
    nm_assert(!priv->shared_ips);
    nm_assert(nm_g_hash_table_size(priv->watcher_idx) == 0);
    nm_assert(nm_g_hash_table_size(priv->watcher_by_tag_idx) == 0);
    nm_assert(nm_g_hash_table_size(priv->watcher_ip_data_idx) == 0);
    for (guint i = 0; i < _NM_NETNS_IP_RESERVATION_TYPE_NUM; i++) {
        nm_assert(!priv->ip_reservation[i]);
    }
    nm_clear_pointer(&priv->ecmp_track_by_obj, g_hash_table_destroy);
    nm_clear_pointer(&priv->ecmp_track_by_ecmpid, g_hash_table_destroy);
--- a/src/core/nm-netns.h
+++ b/src/core/nm-netns.h
@ -41,15 +41,22 @@ NML3Cfg *nm_netns_l3cfg_acquire(NMNetns *netns, int ifindex);
 /*****************************************************************************/
 typedef enum {
    NM_NETNS_IP_RESERVATION_TYPE_SHARED4,
    _NM_NETNS_IP_RESERVATION_TYPE_NUM,
 } NMNetnsIPReservationType;
 typedef struct {
    in_addr_t                addr;
    int                      _ref_count;
    NMNetnsIPReservationType _type;
    NMNetns                 *_self;
-} NMNetnsSharedIPHandle;
+} NMNetnsIPReservation;
-NMNetnsSharedIPHandle *nm_netns_shared_ip_reserve(NMNetns *self);
+NMNetnsIPReservation *nm_netns_ip_reservation_get(NMNetns *self, NMNetnsIPReservationType type);
-void nm_netns_shared_ip_release(NMNetnsSharedIPHandle *handle);
+void nm_netns_ip_reservation_release(NMNetnsIPReservation *reservation);
 /*****************************************************************************/
--- a/src/core/nm-policy.c
+++ b/src/core/nm-policy.c
@ -18,7 +18,6 @@
 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
 #include "devices/nm-device-factory.h"
 #include "devices/nm-device-private.h"
 #include "dns/nm-dns-manager.h"
 #include "nm-act-request.h"
 #include "nm-auth-utils.h"
@ -98,6 +97,7 @@ typedef struct {
    bool updating_dns : 1;
    GArray *ip6_prefix_delegations; /* pool of ip6 prefixes delegated to all devices */
 } NMPolicyPrivate;
 struct _NMPolicy {
@ -1845,7 +1845,7 @@ nm_policy_device_recheck_auto_activate_schedule(NMPolicy *self, NMDevice *device
    priv = NM_POLICY_GET_PRIVATE(self);
-    if (nm_manager_get_state(priv->manager) == NM_STATE_ASLEEP)
+    if (nm_manager_get_state(priv->manager) == NM_STATE_DISABLED)
        return;
    if (!nm_device_autoconnect_allowed(device))
@ -2083,65 +2083,6 @@ unblock_autoconnect_for_ports_for_sett_conn(NMPolicy *self, NMSettingsConnection
    unblock_autoconnect_for_ports(self, controller_device, controller_uuid_settings, NULL);
 }
 static void
 refresh_forwarding(NMPolicy *self, NMDevice *device, gboolean is_activated_shared_device)
 {
    NMActiveConnection *ac;
    NMDevice           *tmp_device;
    NMPolicyPrivate    *priv = NM_POLICY_GET_PRIVATE(self);
    const CList        *tmp_lst;
    gboolean            any_shared_active = false;
    gint32              default_forwarding_v4;
    const char         *new_value = NULL;
    /* FIXME: This implementation is still inefficient because refresh_forwarding()
     * is called every time a device goes up or down, requiring a full scan of all
     * active connections to determine if any shared connection is active. */
    nm_manager_for_each_active_connection (priv->manager, ac, tmp_lst) {
        NMSettingIPConfig *s_ip;
        NMDevice          *to_device = nm_active_connection_get_device(ac);
        if (to_device) {
            s_ip = nm_device_get_applied_setting(to_device, NM_TYPE_SETTING_IP4_CONFIG);
            if (s_ip) {
                if (nm_streq0(nm_device_get_effective_ip_config_method(to_device, AF_INET),
                              NM_SETTING_IP4_CONFIG_METHOD_SHARED)) {
                    any_shared_active = true;
                    break;
                }
            }
        }
    }
    default_forwarding_v4 = nm_platform_sysctl_get_int32(
        NM_PLATFORM_GET,
        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"),
        0);
    new_value = any_shared_active ? "1" : (default_forwarding_v4 ? "1" : "0");
    nm_manager_for_each_device (priv->manager, tmp_device, tmp_lst) {
        NMDeviceState               state;
        NMSettingIPConfigForwarding ipv4_forwarding;
        state = nm_device_get_state(tmp_device);
        if (state != NM_DEVICE_STATE_ACTIVATED)
            continue;
        ipv4_forwarding = nm_device_get_ipv4_forwarding(tmp_device);
        if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_AUTO
            || (device == tmp_device && is_activated_shared_device)) {
            gs_free char *sysctl_value = NULL;
            sysctl_value = nm_device_sysctl_ip_conf_get(tmp_device, AF_INET, "forwarding");
            if (!nm_streq0(sysctl_value, new_value))
                nm_device_sysctl_ip_conf_set(tmp_device, AF_INET, "forwarding", new_value);
        }
    }
 }
 static void
 activate_port_or_children_connections(NMPolicy *self,
                                      NMDevice *device,
@ -2288,7 +2229,6 @@ device_state_changed(NMDevice           *device,
    NMActiveConnection   *ac;
    NMSettingsConnection *sett_conn = nm_device_get_settings_connection(device);
    NMSettingConnection  *s_con     = NULL;
    gboolean              is_activated_shared_device = FALSE;
    switch (nm_device_state_reason_check(reason)) {
    case NM_DEVICE_STATE_REASON_GSM_SIM_PIN_REQUIRED:
@ -2404,10 +2344,6 @@ device_state_changed(NMDevice           *device,
                }
            }
        }
        if (!nm_device_get_refresh_forwarding_done(device)) {
            refresh_forwarding(self, device, FALSE);
            nm_device_set_refresh_forwarding_done(device, TRUE);
        }
        break;
    case NM_DEVICE_STATE_ACTIVATED:
        if (nm_device_get_device_type(device) == NM_DEVICE_TYPE_OVS_INTERFACE) {
@ -2417,7 +2353,10 @@ device_state_changed(NMDevice           *device,
        }
        if (sett_conn) {
            /* Reset auto retries back to default since connection was successful */
-            nm_manager_devcon_autoconnect_retries_reset(priv->manager, device, sett_conn);
+            nm_manager_devcon_autoconnect_reset_reconnect_all(priv->manager,
                                                              device,
                                                              sett_conn,
                                                              FALSE);
        }
        /* Since there is no guarantee that device_l3cd_changed() is called
@ -2440,20 +2379,11 @@ device_state_changed(NMDevice           *device,
        update_system_hostname(self, "routing and dns", TRUE);
        nm_dns_manager_end_updates(priv->dns_manager, __func__);
        is_activated_shared_device =
            nm_streq0(nm_device_get_effective_ip_config_method(device, AF_INET),
                      NM_SETTING_IP4_CONFIG_METHOD_SHARED);
        refresh_forwarding(self, device, is_activated_shared_device);
        nm_device_set_refresh_forwarding_done(device, FALSE);
        break;
    case NM_DEVICE_STATE_UNMANAGED:
    case NM_DEVICE_STATE_UNAVAILABLE:
        if (old_state > NM_DEVICE_STATE_DISCONNECTED)
            update_routing_and_dns(self, FALSE, device);
        if (!nm_device_get_refresh_forwarding_done(device)) {
            refresh_forwarding(self, device, FALSE);
            nm_device_set_refresh_forwarding_done(device, TRUE);
        }
        break;
    case NM_DEVICE_STATE_DEACTIVATING:
        if (sett_conn) {
@ -2489,10 +2419,6 @@ device_state_changed(NMDevice           *device,
            }
        }
        ip6_remove_device_prefix_delegations(self, device);
        if (!nm_device_get_refresh_forwarding_done(device)) {
            refresh_forwarding(self, device, FALSE);
            nm_device_set_refresh_forwarding_done(device, TRUE);
        }
        break;
    case NM_DEVICE_STATE_DISCONNECTED:
        g_signal_handlers_disconnect_by_func(device, device_dns_lookup_done, self);
@ -2509,10 +2435,6 @@ device_state_changed(NMDevice           *device,
        /* Device is now available for auto-activation */
        nm_policy_device_recheck_auto_activate_schedule(self, device);
        if (!nm_device_get_refresh_forwarding_done(device)) {
            refresh_forwarding(self, device, FALSE);
            nm_device_set_refresh_forwarding_done(device, TRUE);
        }
        break;
    case NM_DEVICE_STATE_PREPARE:
@ -2528,10 +2450,6 @@ device_state_changed(NMDevice           *device,
            g_object_weak_unref(G_OBJECT(ac), pending_ac_gone, self);
            g_object_unref(self);
        }
        if (!nm_device_get_refresh_forwarding_done(device)) {
            refresh_forwarding(self, device, FALSE);
            nm_device_set_refresh_forwarding_done(device, TRUE);
        }
        break;
    case NM_DEVICE_STATE_IP_CONFIG:
        /* We must have secrets if we got here. */
@ -2542,10 +2460,6 @@ device_state_changed(NMDevice           *device,
                sett_conn,
                NM_SETTINGS_AUTOCONNECT_BLOCKED_REASON_FAILED,
                FALSE);
        if (!nm_device_get_refresh_forwarding_done(device)) {
            refresh_forwarding(self, device, FALSE);
            nm_device_set_refresh_forwarding_done(device, TRUE);
        }
        break;
    case NM_DEVICE_STATE_SECONDARIES:
        if (sett_conn)
--- a/src/core/platform/tests/monitor.c
+++ b/src/core/platform/tests/monitor.c
@ -186,6 +186,7 @@ ip_again:
                               00644,
                               NULL,
                               NULL,
                               NULL,
                               NULL);
    nm_log_dbg(LOGD_PLATFORM, "dump to file complete");
--- a/src/core/platform/tests/test-link.c
+++ b/src/core/platform/tests/test-link.c
@ -124,6 +124,7 @@ software_add(NMLinkType link_type, const char *name)
        int      r;
        const NMPlatformLnkBond nm_platform_lnk_bond_default = {
            .mode        = nmtst_rand_select(3, 1),
            .use_carrier = 1,
        };
        r = nm_platform_link_bond_add(NM_PLATFORM_GET, name, &nm_platform_lnk_bond_default, NULL);
--- a/src/core/platform/tests/test-route.c
+++ b/src/core/platform/tests/test-route.c
@ -623,6 +623,79 @@ test_ip4_zero_gateway(void)
    nmtstp_wait_for_signal(NM_PLATFORM_GET, 50);
 }
 static void
 test_via(void)
 {
    int                ifindex = nm_platform_link_get_ifindex(NM_PLATFORM_GET, DEVICE_NAME);
    GPtrArray         *routes;
    NMPlatformIP4Route rts[1];
    struct in6_addr    gateway6;
    const int          metric = 22987;
    NMPlatformIP4Route route4;
    guint              mss = 1000;
    in_addr_t          net4;
    /* Test IPv4 routes with a IPv6 gateway (using RTA_VIA attribute) */
    inet_pton(AF_INET6, "fd01::1", &gateway6);
    inet_pton(AF_INET, "1.2.3.4", &net4);
    /* Add direct route to IPv6 gateway: ip route add dev $DEV fd01::1/128 */
    nmtstp_ip6_route_add(NM_PLATFORM_GET,
                         ifindex,
                         NM_IP_CONFIG_SOURCE_USER,
                         gateway6,
                         128,
                         in6addr_any,
                         in6addr_any,
                         metric,
                         mss);
    g_assert(nmtstp_ip6_route_get(NM_PLATFORM_GET, ifindex, &gateway6, 128, metric, NULL, 0));
    /* Add IPv4 route via IPv6 gateway: ip route add dev $DEV 1.2.3.4/32 via inet6 fd01::1 */
    route4 = (NMPlatformIP4Route) {
        .ifindex         = ifindex,
        .rt_source       = NM_IP_CONFIG_SOURCE_USER,
        .network         = net4,
        .plen            = 32,
        .metric          = metric,
        .via.addr_family = AF_INET6,
        .via.addr.addr6  = gateway6,
        .mss             = mss,
    };
    g_assert(NMTST_NM_ERR_SUCCESS(
        nm_platform_ip4_route_add(NM_PLATFORM_GET, NMP_NLM_FLAG_REPLACE, &route4, NULL)));
    g_assert(nmtstp_ip4_route_get(NM_PLATFORM_GET, ifindex, net4, 32, metric, 0));
    /* Test route listing */
    routes = nmtstp_ip4_route_get_all(NM_PLATFORM_GET, ifindex);
    g_assert_cmpint(routes->len, ==, 1);
    memset(rts, 0, sizeof(rts));
    rts[0].rt_source       = nmp_utils_ip_config_source_round_trip_rtprot(NM_IP_CONFIG_SOURCE_USER);
    rts[0].scope_inv       = nm_platform_route_scope_inv(RT_SCOPE_LINK);
    rts[0].network         = net4;
    rts[0].plen            = 32;
    rts[0].ifindex         = ifindex;
    rts[0].gateway         = INADDR_ANY;
    rts[0].metric          = metric;
    rts[0].mss             = mss;
    rts[0].via.addr_family = AF_INET6;
    rts[0].via.addr.addr6  = gateway6;
    rts[0].n_nexthops      = 1;
    nmtst_platform_ip4_routes_equal_aptr((const NMPObject *const *) routes->pdata,
                                         rts,
                                         routes->len,
                                         TRUE);
    g_ptr_array_unref(routes);
    /* Delete routes */
    g_assert(nmtstp_platform_ip6_route_delete(NM_PLATFORM_GET, ifindex, gateway6, 128, metric));
    g_assert(!nmtstp_ip6_route_get(NM_PLATFORM_GET, ifindex, &gateway6, 128, metric, NULL, 0));
    g_assert(nmtstp_platform_ip4_route_delete(NM_PLATFORM_GET, ifindex, net4, 32, metric));
    g_assert(!nmtstp_ip4_route_get(NM_PLATFORM_GET, ifindex, net4, 32, metric, 0));
 }
 static void
 test_ip4_route_options(gconstpointer test_data)
 {
@ -2421,6 +2494,7 @@ _nmtstp_setup_tests(void)
        add_test_func("/route/ip4_route_get", test_ip4_route_get);
        add_test_func("/route/ip6_route_get", test_ip6_route_get);
        add_test_func("/route/ip4_zero_gateway", test_ip4_zero_gateway);
        add_test_func("/route/via", test_via);
    }
    if (nmtstp_is_root_test()) {
--- a/src/core/settings/nm-settings-storage.h
+++ b/src/core/settings/nm-settings-storage.h
@ -27,6 +27,19 @@
 struct _NMSettingsPlugin;
 /**
 * NMSettingsStorage:
 * @_plugin: The settings plugin that provides this storage.
 * @_uuid: UUID of the profile represented by this storage.
 * @_filename: Backing filename (can be NULL for in-memory or meta-data).
 * @_storage_lst: Node in the per-plugin storage list.
 * @_storage_by_uuid_lst: Node in the per-UUID storage list.
 *
 * Describes the origin and identity of one profile instance as provided by a
 * specific settings plugin and (optionally) a backing file. A single UUID may
 * have multiple storages from different plugins; plugin order determines
 * priority.
 */
 typedef struct NMSettingsStorage {
    GObject                   parent;
    struct _NMSettingsPlugin *_plugin;
--- a/src/core/settings/nm-settings.c
+++ b/src/core/settings/nm-settings.c
@ -76,6 +76,17 @@ static NM_CACHED_QUARK_FCN("default-wired-connection-blocked",
 /*****************************************************************************/
 /**
 * StorageData:
 * @sd_lst: Node used in per-UUID storage lists.
 * @storage: Storage provider instance for this UUID.
 * @connection: Connection object backed by @storage, or NULL for meta-data.
 * @prioritize: Request to prioritize this storage during merge.
 *
 * Per-UUID storage entry used to accumulate and merge updates from plugins.
 * Items live temporarily in the dirty list and are merged into the current list
 * with stable priority ordering.
 */
 typedef struct _StorageData {
    CList              sd_lst;
    NMSettingsStorage *storage;
@ -165,6 +176,20 @@ _storage_data_is_alive(StorageData *sd)
 /*****************************************************************************/
 /**
 * SettConnEntry:
 * @uuid: Normalized UUID key for this entry (points to @_uuid_data).
 * @sett_conn: Current NMSettingsConnection selected for @uuid, or NULL.
 * @storage: The storage that currently owns @sett_conn, or NULL.
 * @sd_lst_head: Head of current storages list for @uuid (high to low priority).
 * @dirty_sd_lst_head: Head of pending storage updates to merge.
 * @sce_dirty_lst: Node in the global dirty queue.
 * @_uuid_data: Inline storage backing @uuid.
 *
 * Tracks one connection profile across all storages and its dirty state.
 * It holds the authoritative in-memory connection and the sets of storages
 * providing or updating it.
 */
 typedef struct {
    const char           *uuid;
    NMSettingsConnection *sett_conn;
@ -1372,6 +1397,7 @@ _connection_changed_track(NMSettings        *self,
    SettConnEntry        *sett_conn_entry;
    StorageData          *sd;
    const char           *uuid;
    gs_free_error GError *error = NULL;
    nm_assert_valid_settings_storage(NULL, storage);
@ -1382,6 +1408,17 @@ _connection_changed_track(NMSettings        *self,
              || (_nm_connection_verify(connection, NULL) == NM_SETTING_VERIFY_SUCCESS));
    nm_assert(!connection || nm_streq0(uuid, nm_connection_get_uuid(connection)));
    if (connection && !nm_utils_connection_supported(connection, &error)) {
        _LOGD("storage[%s," NM_SETTINGS_STORAGE_PRINT_FMT
              "]: ignoring connection \"%s\" from file \"%s\": %s",
              uuid,
              NM_SETTINGS_STORAGE_PRINT_ARG(storage),
              nm_connection_get_id(connection),
              nm_settings_storage_get_filename(storage),
              error->message);
        connection = NULL;
    }
    nm_assert_connection_unchanging(connection);
    sett_conn_entry =
@ -1851,6 +1888,9 @@ nm_settings_add_connection(NMSettings                     *self,
    NM_SET_OUT(out_sett_conn, NULL);
    if (!nm_utils_connection_supported(connection, error))
        return FALSE;
    uuid = nm_connection_get_uuid(connection);
    sett_conn_entry = _sett_conn_entries_get(self, uuid);
--- a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@ -77,7 +77,7 @@ get_full_file_path(const char *ifcfg_path, const char *file_path)
 {
    const char   *base    = file_path;
    gs_free char *dirname = NULL;
-    char         *p;
+    const char   *p;
    g_return_val_if_fail(ifcfg_path != NULL, NULL);
    g_return_val_if_fail(file_path != NULL, NULL);
@ -2058,6 +2058,7 @@ make_ip4_setting(shvarFile *ifcfg,
        for (i = 1; i < 10000; i++) {
            NMDnsServer           dns;
            char                  tag[256];
            gs_free_error GError *local = NULL;
            numbered_tag(tag, "DNS", i);
            nm_clear_g_free(&value);
@ -2065,12 +2066,13 @@ make_ip4_setting(shvarFile *ifcfg,
            if (!v)
                break;
-            if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns)) {
+            if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns, &local)) {
                g_set_error(error,
                            NM_SETTINGS_ERROR,
                            NM_SETTINGS_ERROR_INVALID_CONNECTION,
-                            "Invalid DNS server address '%s'",
+                            "Invalid DNS server address '%s': %s",
-                            v);
+                            v,
                            local->message);
                return NULL;
            }
@ -2607,6 +2609,7 @@ make_ip6_setting(shvarFile *ifcfg, shvarFile *network_ifcfg, gboolean routes_rea
     * Pick up just IPv6 addresses (IPv4 addresses are taken by make_ip4_setting())
     */
    for (i = 1; i < 10000; i++) {
        gs_free_error GError *err = NULL;
        NMDnsServer           dns;
        char                  tag[256];
@ -2616,14 +2619,15 @@ make_ip6_setting(shvarFile *ifcfg, shvarFile *network_ifcfg, gboolean routes_rea
        if (!v)
            break;
-        if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns)) {
+        if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns, &err)) {
            if (is_disabled)
                continue;
            g_set_error(error,
                        NM_SETTINGS_ERROR,
                        NM_SETTINGS_ERROR_INVALID_CONNECTION,
-                        "Invalid DNS server address '%s'",
+                        "Invalid DNS server address '%s': %s",
-                        v);
+                        v,
                        err->message);
            return NULL;
        }
        if (dns.addr_family == AF_INET6) {
--- a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@ -320,6 +320,7 @@ write_blobs(GHashTable *blobs, GError **error)
                                        0600,
                                        NULL,
                                        NULL,
                                        NULL,
                                        &write_error)) {
            g_set_error(error,
                        NM_SETTINGS_ERROR,
@ -3626,6 +3627,14 @@ do_write_construct(NMConnection                   *connection,
    write_ip_routing_rules(connection, ifcfg, route_ignore);
    if (nm_setting_connection_get_dnssec(s_con) != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
        set_error_unsupported(error,
                              connection,
                              NM_SETTING_CONNECTION_SETTING_NAME "." NM_SETTING_CONNECTION_DNSSEC,
                              TRUE);
        return FALSE;
    }
    write_connection_setting(s_con, ifcfg, interface_name);
    NM_SET_OUT(out_ifcfg, g_steal_pointer(&ifcfg));
--- a/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
+++ b/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
@ -280,6 +280,7 @@ nms_keyfile_nmmeta_write(const char *dirname,
                                        length,
                                        0600,
                                        NULL,
                                        NULL,
                                        &errsv,
                                        NULL)) {
            NM_SET_OUT(out_full_filename, g_steal_pointer(&full_filename_tmp));
--- a/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
+++ b/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
@ -133,6 +133,7 @@ cert_writer(NMConnection                     *connection,
                                             0600,
                                             NULL,
                                             NULL,
                                             NULL,
                                             &local);
        if (success) {
            /* Write the path value to the keyfile.
@ -384,7 +385,14 @@ _internal_write_connection(NMConnection                   *connection,
        }
    }
-    nm_utils_file_set_contents(path, kf_content_buf, kf_content_len, 0600, NULL, NULL, &local_err);
+    nm_utils_file_set_contents(path,
                               kf_content_buf,
                               kf_content_len,
                               0600,
                               NULL,
                               NULL,
                               NULL,
                               &local_err);
    if (local_err) {
        g_set_error(error,
                    NM_SETTINGS_ERROR,
--- a/src/core/settings/plugins/keyfile/tests/keyfiles/Test_Write_GSM
+++ b/src/core/settings/plugins/keyfile/tests/keyfiles/Test_Write_GSM
@ -8,6 +8,7 @@ timestamp=305415219
 [gsm]
 apn=internet2.voicestream.com
 device-id=da812de91eec16620b06cd0ca5cbc7ea25245222
 device-uid=MODEM1
 home-only=true
 network-id=254098
 password=parliament2
--- a/src/core/settings/plugins/keyfile/tests/test-keyfile-settings.c
+++ b/src/core/settings/plugins/keyfile/tests/test-keyfile-settings.c
@ -1408,6 +1408,8 @@ test_write_gsm_connection(void)
                 "89148000000060671234",
                 NM_SETTING_GSM_SIM_OPERATOR_ID,
                 "310260",
                 NM_SETTING_GSM_DEVICE_UID,
                 "MODEM1",
                 NULL);
    write_test_connection_and_reread(connection, TRUE, TEST_KEYFILES_DIR "/Test_Write_GSM");
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -30,6 +30,7 @@ typedef struct {
 typedef struct {
    GHashTable    *config;
    GHashTable    *blobs;
    char          *private_user;
    NMSupplCapMask capabilities;
    guint32        ap_scan;
    bool           fast_required : 1;
@ -60,7 +61,7 @@ _get_capability(NMSupplicantConfigPrivate *priv, NMSupplCapType type)
 }
 NMSupplicantConfig *
-nm_supplicant_config_new(NMSupplCapMask capabilities)
+nm_supplicant_config_new(NMSupplCapMask capabilities, const char *private_user)
 {
    NMSupplicantConfigPrivate *priv;
    NMSupplicantConfig        *self;
@ -69,6 +70,7 @@ nm_supplicant_config_new(NMSupplCapMask capabilities)
    priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
    priv->capabilities = capabilities;
    priv->private_user = g_strdup(private_user);
    return self;
 }
@ -258,19 +260,19 @@ static gboolean
 nm_supplicant_config_add_blob_for_connection(NMSupplicantConfig *self,
                                             GBytes             *field,
                                             const char         *name,
-                                             const char         *con_uid,
+                                             const char         *con_uuid,
                                             GError            **error)
 {
    if (field && g_bytes_get_size(field)) {
-        gs_free char *uid = NULL;
+        gs_free char *blob_id = NULL;
        char         *p;
-        uid = g_strdup_printf("%s-%s", con_uid, name);
+        blob_id = g_strdup_printf("%s-%s", con_uuid, name);
-        for (p = uid; *p; p++) {
+        for (p = blob_id; *p; p++) {
            if (*p == '/')
                *p = '-';
        }
-        if (!nm_supplicant_config_add_blob(self, name, field, uid, error))
+        if (!nm_supplicant_config_add_blob(self, name, field, blob_id, error))
            return FALSE;
    }
    return TRUE;
@ -283,6 +285,7 @@ nm_supplicant_config_finalize(GObject *object)
    g_hash_table_destroy(priv->config);
    nm_clear_pointer(&priv->blobs, g_hash_table_destroy);
    nm_clear_pointer(&priv->private_user, g_free);
    G_OBJECT_CLASS(nm_supplicant_config_parent_class)->finalize(object);
 }
@ -930,6 +933,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                   guint32                       mtu,
                                                   NMSettingWirelessSecurityPmf  pmf,
                                                   NMSettingWirelessSecurityFils fils,
                                                   GHashTable                   *files,
                                                   GError                      **error)
 {
    NMSupplicantConfigPrivate    *priv          = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
@ -1012,7 +1016,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
        if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SAE)
            && _get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)
            && _get_capability(priv, NM_SUPPL_CAP_TYPE_BIP)
-            && (!is_ap || pmf != NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE)) {
+            && (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE)) {
            g_string_append(key_mgmt_conf, " SAE");
            if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
                g_string_append(key_mgmt_conf, " FT-SAE");
@ -1284,6 +1288,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                        con_uuid,
                                                        mtu,
                                                        FALSE,
                                                        files,
                                                        error))
                return FALSE;
        }
@ -1365,6 +1370,7 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
                                       const char         *con_uuid,
                                       guint32             mtu,
                                       gboolean            wired,
                                       GHashTable         *files,
                                       GError            **error)
 {
    NMSupplicantConfigPrivate    *priv;
@ -1594,24 +1600,21 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    }
    /* CA certificate */
    path  = NULL;
    bytes = NULL;
    if (ca_cert_override) {
-        if (!add_string_val(self, ca_cert_override, "ca_cert", FALSE, NULL, error))
+        /* This is a build-time-configured system-wide file path, no need to pass
-            return FALSE;
+         * it as a blob */
        path = ca_cert_override;
    } else {
        switch (nm_setting_802_1x_get_ca_cert_scheme(setting)) {
        case NM_SETTING_802_1X_CK_SCHEME_BLOB:
            bytes = nm_setting_802_1x_get_ca_cert_blob(setting);
            if (!nm_supplicant_config_add_blob_for_connection(self,
                                                              bytes,
                                                              "ca_cert",
                                                              con_uuid,
                                                              error))
                return FALSE;
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PATH:
            path = nm_setting_802_1x_get_ca_cert_path(setting);
-            if (!add_string_val(self, path, "ca_cert", FALSE, NULL, error))
+            if (priv->private_user)
-                return FALSE;
+                bytes = nm_g_hash_table_lookup(files, path);
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
            if (!add_pkcs11_uri_with_pin(self,
@ -1627,26 +1630,32 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            break;
        }
    }
    if (bytes) {
        if (!nm_supplicant_config_add_blob_for_connection(self, bytes, "ca_cert", con_uuid, error))
            return FALSE;
    } else if (path) {
        /* Private connections cannot use paths other than the system CA store */
        g_return_val_if_fail(ca_cert_override || !priv->private_user, FALSE);
        if (!add_string_val(self, path, "ca_cert", FALSE, NULL, error))
            return FALSE;
    }
    /* Phase 2 CA certificate */
    path  = NULL;
    bytes = NULL;
    if (ca_cert_override) {
-        if (!add_string_val(self, ca_cert_override, "ca_cert2", FALSE, NULL, error))
+        /* This is a build-time-configured system-wide file path, no need to pass
-            return FALSE;
+         * it as a blob */
        path = ca_cert_override;
    } else {
        switch (nm_setting_802_1x_get_phase2_ca_cert_scheme(setting)) {
        case NM_SETTING_802_1X_CK_SCHEME_BLOB:
            bytes = nm_setting_802_1x_get_phase2_ca_cert_blob(setting);
            if (!nm_supplicant_config_add_blob_for_connection(self,
                                                              bytes,
                                                              "ca_cert2",
                                                              con_uuid,
                                                              error))
                return FALSE;
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PATH:
            path = nm_setting_802_1x_get_phase2_ca_cert_path(setting);
-            if (!add_string_val(self, path, "ca_cert2", FALSE, NULL, error))
+            if (priv->private_user)
-                return FALSE;
+                bytes = nm_g_hash_table_lookup(files, path);
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
            if (!add_pkcs11_uri_with_pin(
@ -1663,6 +1672,15 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            break;
        }
    }
    if (bytes) {
        if (!nm_supplicant_config_add_blob_for_connection(self, bytes, "ca_cert2", con_uuid, error))
            return FALSE;
    } else if (path) {
        /* Private connections cannot use paths other than the system CA store */
        g_return_val_if_fail(ca_cert_override || !priv->private_user, FALSE);
        if (!add_string_val(self, path, "ca_cert2", FALSE, NULL, error))
            return FALSE;
    }
    /* Subject match */
    value = nm_setting_802_1x_get_subject_match(setting);
@ -1714,21 +1732,17 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    /* Private key */
    added = FALSE;
    path  = NULL;
    bytes = NULL;
    switch (nm_setting_802_1x_get_private_key_scheme(setting)) {
    case NM_SETTING_802_1X_CK_SCHEME_BLOB:
        bytes = nm_setting_802_1x_get_private_key_blob(setting);
        if (!nm_supplicant_config_add_blob_for_connection(self,
                                                          bytes,
                                                          "private_key",
                                                          con_uuid,
                                                          error))
            return FALSE;
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PATH:
        path = nm_setting_802_1x_get_private_key_path(setting);
-        if (!add_string_val(self, path, "private_key", FALSE, NULL, error))
+        if (priv->private_user)
-            return FALSE;
+            bytes = nm_g_hash_table_lookup(files, path);
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
@ -1745,6 +1759,19 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    default:
        break;
    }
    if (bytes) {
        if (!nm_supplicant_config_add_blob_for_connection(self,
                                                          bytes,
                                                          "private_key",
                                                          con_uuid,
                                                          error))
            return FALSE;
    } else if (path) {
        /* Private connections cannot use paths */
        g_return_val_if_fail(!priv->private_user, FALSE);
        if (!add_string_val(self, path, "private_key", FALSE, NULL, error))
            return FALSE;
    }
    if (added) {
        NMSetting8021xCKFormat format;
@ -1768,20 +1795,16 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            /* Only add the client cert if the private key is not PKCS#12, as
             * wpa_supplicant configuration directs us to do.
             */
            path  = NULL;
            bytes = NULL;
            switch (nm_setting_802_1x_get_client_cert_scheme(setting)) {
            case NM_SETTING_802_1X_CK_SCHEME_BLOB:
                bytes = nm_setting_802_1x_get_client_cert_blob(setting);
                if (!nm_supplicant_config_add_blob_for_connection(self,
                                                                  bytes,
                                                                  "client_cert",
                                                                  con_uuid,
                                                                  error))
                    return FALSE;
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PATH:
                path = nm_setting_802_1x_get_client_cert_path(setting);
-                if (!add_string_val(self, path, "client_cert", FALSE, NULL, error))
+                if (priv->private_user)
-                    return FALSE;
+                    bytes = nm_g_hash_table_lookup(files, path);
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
                if (!add_pkcs11_uri_with_pin(
@ -1797,26 +1820,35 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            default:
                break;
            }
            if (bytes) {
                if (!nm_supplicant_config_add_blob_for_connection(self,
                                                                  bytes,
                                                                  "client_cert",
                                                                  con_uuid,
                                                                  error))
                    return FALSE;
            } else if (path) {
                /* Private connections cannot use paths */
                g_return_val_if_fail(!priv->private_user, FALSE);
                if (!add_string_val(self, path, "client_cert", FALSE, NULL, error))
                    return FALSE;
            }
        }
    }
    /* Phase 2 private key */
    added = FALSE;
    path  = NULL;
    bytes = NULL;
    switch (nm_setting_802_1x_get_phase2_private_key_scheme(setting)) {
    case NM_SETTING_802_1X_CK_SCHEME_BLOB:
        bytes = nm_setting_802_1x_get_phase2_private_key_blob(setting);
        if (!nm_supplicant_config_add_blob_for_connection(self,
                                                          bytes,
                                                          "private_key2",
                                                          con_uuid,
                                                          error))
            return FALSE;
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PATH:
        path = nm_setting_802_1x_get_phase2_private_key_path(setting);
-        if (!add_string_val(self, path, "private_key2", FALSE, NULL, error))
+        if (priv->private_user)
-            return FALSE;
+            bytes = nm_g_hash_table_lookup(files, path);
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
@ -1834,6 +1866,19 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    default:
        break;
    }
    if (bytes) {
        if (!nm_supplicant_config_add_blob_for_connection(self,
                                                          bytes,
                                                          "private_key2",
                                                          con_uuid,
                                                          error))
            return FALSE;
    } else if (path) {
        /* Private connections cannot use paths */
        g_return_val_if_fail(!priv->private_user, FALSE);
        if (!add_string_val(self, path, "private_key2", FALSE, NULL, error))
            return FALSE;
    }
    if (added) {
        NMSetting8021xCKFormat format;
@ -1857,20 +1902,16 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            /* Only add the client cert if the private key is not PKCS#12, as
             * wpa_supplicant configuration directs us to do.
             */
            path  = NULL;
            bytes = NULL;
            switch (nm_setting_802_1x_get_phase2_client_cert_scheme(setting)) {
            case NM_SETTING_802_1X_CK_SCHEME_BLOB:
                bytes = nm_setting_802_1x_get_phase2_client_cert_blob(setting);
                if (!nm_supplicant_config_add_blob_for_connection(self,
                                                                  bytes,
                                                                  "client_cert2",
                                                                  con_uuid,
                                                                  error))
                    return FALSE;
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PATH:
                path = nm_setting_802_1x_get_phase2_client_cert_path(setting);
-                if (!add_string_val(self, path, "client_cert2", FALSE, NULL, error))
+                if (priv->private_user)
-                    return FALSE;
+                    bytes = nm_g_hash_table_lookup(files, path);
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
                if (!add_pkcs11_uri_with_pin(
@ -1886,6 +1927,19 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            default:
                break;
            }
            if (bytes) {
                if (!nm_supplicant_config_add_blob_for_connection(self,
                                                                  bytes,
                                                                  "client_cert2",
                                                                  con_uuid,
                                                                  error))
                    return FALSE;
            } else if (path) {
                /* Private connections cannot use paths */
                g_return_val_if_fail(!priv->private_user, FALSE);
                if (!add_string_val(self, path, "client_cert2", FALSE, NULL, error))
                    return FALSE;
            }
        }
    }
--- a/src/core/supplicant/nm-supplicant-config.h
+++ b/src/core/supplicant/nm-supplicant-config.h
@ -29,7 +29,7 @@ typedef struct _NMSupplicantConfigClass NMSupplicantConfigClass;
 GType nm_supplicant_config_get_type(void);
-NMSupplicantConfig *nm_supplicant_config_new(NMSupplCapMask capabilities);
+NMSupplicantConfig *nm_supplicant_config_new(NMSupplCapMask capabilities, const char *private_user);
 guint32 nm_supplicant_config_get_ap_scan(NMSupplicantConfig *self);
@ -57,6 +57,7 @@ gboolean nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                            guint32         mtu,
                                                            NMSettingWirelessSecurityPmf  pmf,
                                                            NMSettingWirelessSecurityFils fils,
                                                            GHashTable                   *files,
                                                            GError                      **error);
 gboolean nm_supplicant_config_add_no_security(NMSupplicantConfig *self, GError **error);
@ -66,6 +67,7 @@ gboolean nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
                                                const char         *con_uuid,
                                                guint32             mtu,
                                                gboolean            wired,
                                                GHashTable         *files,
                                                GError            **error);
 gboolean nm_supplicant_config_add_setting_macsec(NMSupplicantConfig    *self,
--- a/src/core/supplicant/nm-supplicant-interface.c
+++ b/src/core/supplicant/nm-supplicant-interface.c
@ -46,6 +46,7 @@ typedef struct {
    gpointer                     user_data;
    guint                        fail_on_idle_id;
    guint                        blobs_left;
    guint                        remove_blobs_left;
    guint                        calls_left;
    struct _AddNetworkData      *add_network_data;
 } AssocData;
@ -65,6 +66,8 @@ enum {
    WPS_CREDENTIALS, /* WPS credentials received */
    GROUP_STARTED,   /* a new Group (interface) was created */
    GROUP_FINISHED,  /* a Group (interface) has been finished */
    PSK_MISMATCH,    /* supplicant reported incorrect PSK */
    SAE_MISMATCH,    /* supplicant reported incorrect SAE Password */
    LAST_SIGNAL
 };
@ -2264,6 +2267,7 @@ assoc_add_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
        return;
    }
    nm_assert(priv->assoc_data->blobs_left > 0);
    priv->assoc_data->blobs_left--;
    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: blob added (%u left)",
          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
@ -2272,6 +2276,148 @@ assoc_add_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
        assoc_call_select_network(self);
 }
 static void
 assoc_add_blobs(NMSupplicantInterface *self)
 {
    NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
    GHashTable                   *blobs;
    GHashTableIter                iter;
    const char                   *blob_name;
    GBytes                       *blob_data;
    blobs                        = nm_supplicant_config_get_blobs(priv->assoc_data->cfg);
    priv->assoc_data->blobs_left = nm_g_hash_table_size(blobs);
    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: need to add %u blobs",
          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
          priv->assoc_data->blobs_left);
    if (priv->assoc_data->blobs_left == 0) {
        assoc_call_select_network(self);
        return;
    }
    g_hash_table_iter_init(&iter, blobs);
    while (g_hash_table_iter_next(&iter, (gpointer) &blob_name, (gpointer) &blob_data)) {
        _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: adding blob '%s'",
              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
              blob_name);
        _dbus_connection_call(
            self,
            NM_WPAS_DBUS_IFACE_INTERFACE,
            "AddBlob",
            g_variant_new("(s@ay)", blob_name, nm_g_bytes_to_variant_ay(blob_data)),
            G_VARIANT_TYPE("()"),
            G_DBUS_CALL_FLAGS_NONE,
            DBUS_TIMEOUT_MSEC,
            priv->assoc_data->cancellable,
            assoc_add_blob_cb,
            self);
    }
 }
 static void
 assoc_remove_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
 {
    NMSupplicantInterface        *self;
    NMSupplicantInterfacePrivate *priv;
    gs_free_error GError         *error = NULL;
    gs_unref_variant GVariant    *res   = NULL;
    res = g_dbus_connection_call_finish(G_DBUS_CONNECTION(source), result, &error);
    if (nm_utils_error_is_cancelled(error))
        return;
    self = NM_SUPPLICANT_INTERFACE(user_data);
    priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
    /* We don't consider a failure fatal. The new association might be able
     * to proceed even with the existing blobs, if they don't conflict with new
     * ones. */
    nm_assert(priv->assoc_data->remove_blobs_left > 0);
    priv->assoc_data->remove_blobs_left--;
    if (error) {
        g_dbus_error_strip_remote_error(error);
        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to delete blob: %s",
              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
              error->message);
    } else {
        _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: blob removed (%u left)",
              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
              priv->assoc_data->remove_blobs_left);
    }
    if (priv->assoc_data->remove_blobs_left == 0)
        assoc_add_blobs(self);
 }
 static void
 assoc_get_blobs_cb(GObject *source, GAsyncResult *result, gpointer user_data)
 {
    NMSupplicantInterface        *self;
    NMSupplicantInterfacePrivate *priv;
    gs_free_error GError         *error = NULL;
    gs_unref_variant GVariant    *res   = NULL;
    gs_unref_variant GVariant    *value = NULL;
    GVariantIter                  iter;
    const char                   *blob_name;
    GVariant                     *blob_data;
    res = g_dbus_connection_call_finish(G_DBUS_CONNECTION(source), result, &error);
    if (nm_utils_error_is_cancelled(error))
        return;
    self = NM_SUPPLICANT_INTERFACE(user_data);
    priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
    if (error) {
        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to get blob list: %s",
              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
              error->message);
        assoc_add_blobs(self);
        return;
    }
    g_variant_get(res, "(v)", &value);
    /* While the "Blobs" property is documented as type "as", it is actually "a{say}" */
    if (!value || !g_variant_is_of_type(value, G_VARIANT_TYPE("a{say}"))) {
        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to get blob list: wrong return type %s",
              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
              value ? g_variant_get_type_string(value) : "NULL");
        assoc_add_blobs(self);
        return;
    }
    g_variant_iter_init(&iter, value);
    priv->assoc_data->remove_blobs_left = g_variant_iter_n_children(&iter);
    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: need to delete %u blobs",
          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
          priv->assoc_data->remove_blobs_left);
    if (priv->assoc_data->remove_blobs_left == 0) {
        assoc_add_blobs(self);
    } else {
        while (g_variant_iter_loop(&iter, "{&s@ay}", &blob_name, &blob_data)) {
            _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: removing blob '%s'",
                  NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
                  blob_name);
            _dbus_connection_call(self,
                                  NM_WPAS_DBUS_IFACE_INTERFACE,
                                  "RemoveBlob",
                                  g_variant_new("(s)", blob_name),
                                  G_VARIANT_TYPE("()"),
                                  G_DBUS_CALL_FLAGS_NONE,
                                  DBUS_TIMEOUT_MSEC,
                                  priv->assoc_data->cancellable,
                                  assoc_remove_blob_cb,
                                  self);
        }
    }
 }
 static void
 assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
 {
@ -2281,10 +2427,6 @@ assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
    NMSupplicantInterfacePrivate   *priv;
    gs_unref_variant GVariant      *res         = NULL;
    gs_free_error GError           *error       = NULL;
    GHashTable                     *blobs;
    GHashTableIter                  iter;
    const char                     *blob_name;
    GBytes                         *blob_data;
    nm_auto_ref_string NMRefString *name_owner  = NULL;
    nm_auto_ref_string NMRefString *object_path = NULL;
@ -2336,35 +2478,22 @@ assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
    nm_assert(!priv->net_path);
    g_variant_get(res, "(o)", &priv->net_path);
-    /* Send blobs first; otherwise jump to selecting the network */
+    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: network added (%s)",
    blobs                        = nm_supplicant_config_get_blobs(priv->assoc_data->cfg);
    priv->assoc_data->blobs_left = blobs ? g_hash_table_size(blobs) : 0u;
    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: network added (%s) (%u blobs left)",
          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-          priv->net_path,
+          priv->net_path);
          priv->assoc_data->blobs_left);
-    if (priv->assoc_data->blobs_left == 0) {
+    /* Delete any existing blobs before adding new ones */
-        assoc_call_select_network(self);
+    _dbus_connection_call(self,
-        return;
+                          DBUS_INTERFACE_PROPERTIES,
-    }
+                          "Get",
-
+                          g_variant_new("(ss)", NM_WPAS_DBUS_IFACE_INTERFACE, "Blobs"),
-    g_hash_table_iter_init(&iter, blobs);
+                          G_VARIANT_TYPE("(v)"),
    while (g_hash_table_iter_next(&iter, (gpointer) &blob_name, (gpointer) &blob_data)) {
        _dbus_connection_call(
            self,
            NM_WPAS_DBUS_IFACE_INTERFACE,
            "AddBlob",
            g_variant_new("(s@ay)", blob_name, nm_g_bytes_to_variant_ay(blob_data)),
            G_VARIANT_TYPE("()"),
                          G_DBUS_CALL_FLAGS_NONE,
                          DBUS_TIMEOUT_MSEC,
                          priv->assoc_data->cancellable,
-            assoc_add_blob_cb,
+                          assoc_get_blobs_cb,
                          self);
 }
 }
 static void
 add_network(NMSupplicantInterface *self)
@ -3105,6 +3234,15 @@ _signal_handle(NMSupplicantInterface *self,
            return;
        }
        if (nm_streq(signal_name, "PskMismatch")) {
            g_signal_emit(self, signals[PSK_MISMATCH], 0);
            return;
        }
        if (nm_streq(signal_name, "SaePasswordMismatch")) {
            g_signal_emit(self, signals[SAE_MISMATCH], 0);
            return;
        }
        return;
    }
@ -3737,4 +3875,23 @@ nm_supplicant_interface_class_init(NMSupplicantInterfaceClass *klass)
                                           G_TYPE_NONE,
                                           1,
                                           G_TYPE_STRING);
    signals[PSK_MISMATCH] = g_signal_new(NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
                                         G_OBJECT_CLASS_TYPE(object_class),
                                         G_SIGNAL_RUN_LAST,
                                         0,
                                         NULL,
                                         NULL,
                                         NULL,
                                         G_TYPE_NONE,
                                         0);
    signals[SAE_MISMATCH] = g_signal_new(NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
                                         G_OBJECT_CLASS_TYPE(object_class),
                                         G_SIGNAL_RUN_LAST,
                                         0,
                                         NULL,
                                         NULL,
                                         NULL,
                                         G_TYPE_NONE,
                                         0);
 }
--- a/src/core/supplicant/nm-supplicant-interface.h
+++ b/src/core/supplicant/nm-supplicant-interface.h
@ -86,6 +86,8 @@ typedef enum {
 #define NM_SUPPLICANT_INTERFACE_WPS_CREDENTIALS "wps-credentials"
 #define NM_SUPPLICANT_INTERFACE_GROUP_STARTED   "group-started"
 #define NM_SUPPLICANT_INTERFACE_GROUP_FINISHED  "group-finished"
 #define NM_SUPPLICANT_INTERFACE_PSK_MISMATCH    "wpa-psk-mismatch"
 #define NM_SUPPLICANT_INTERFACE_SAE_MISMATCH    "wpa-sae-password-mismatch"
 typedef struct _NMSupplicantInterfaceClass NMSupplicantInterfaceClass;
--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@ -212,18 +212,19 @@ validate_type_utf8(const struct Opt *opt, const char *value, const guint32 len)
 }
 static gboolean
-validate_type_keyword(const struct Opt *opt, const char *value, const guint32 len)
+validate_type_keyword(const struct Opt *opt, const char *value_in, const guint32 len)
 {
    gs_free char *value_free = NULL;
    char         *value;
    nm_assert(opt);
-    nm_assert(value);
+    nm_assert(value_in);
    /* Allow everything */
    if (!opt->str_allowed)
        return TRUE;
-    value = nm_strndup_a(300, value, len, &value_free);
+    value = nm_strndup_a(300, value_in, len, &value_free);
    /* validate each space-separated word in 'value' */
--- a/src/core/supplicant/tests/test-supplicant-config.c
+++ b/src/core/supplicant/tests/test-supplicant-config.c
@ -98,7 +98,8 @@ build_supplicant_config(NMConnection  *connection,
    NMSetting8021x                     *s_8021x;
    gboolean                            success;
-    config = nm_supplicant_config_new(capabilities);
+    config = nm_supplicant_config_new(capabilities,
                                      nm_utils_get_connection_first_permissions_user(connection));
    s_wifi = nm_connection_get_setting_wireless(connection);
    g_assert(s_wifi);
@ -120,6 +121,7 @@ build_supplicant_config(NMConnection  *connection,
                                                               mtu,
                                                               pmf,
                                                               fils,
                                                               NULL,
                                                               &error);
    } else {
        success = nm_supplicant_config_add_no_security(config, &error);
--- a/src/core/tests/config/global-dns-empty.conf
+++ b/src/core/tests/config/global-dns-empty.conf
@ -0,0 +1,3 @@
 # Good configuration, an empty global-dns section must be valid
 [global-dns]
--- a/src/core/tests/config/global-dns-not-set.conf
+++ b/src/core/tests/config/global-dns-not-set.conf
@ -0,0 +1,5 @@
 # Good configuration, an empty [global-dns] must be implicitly assumed because a domain is defined
 [global-dns-domain-*]
 servers=4.5.6.7
 options=myoption1
--- a/Show more
+++ b/Show more
		`@ -0,0 +1,3 @@`
							`# Good configuration, an empty global-dns section must be valid`

							`[global-dns]`