merge: branch 'rr/controller-dhcp-send-release'

device: send dhcp send release before device removed https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2400
manager: Ensure DHCP interface delete first when daemon stop
2026-05-05 13:28:02 +02:00 · 2026-04-30 15:31:39 +00:00 · 2026-04-29 17:04:04 -04:00 · 2026-04-29 17:03:57 -04:00 · 2026-04-15 08:33:32 +00:00 · 2026-04-14 12:54:12 +02:00
441 changed files with 76745 additions and 45324 deletions
--- a/.gitignore
+++ b/.gitignore
@ -81,7 +81,6 @@ test-*.trs
 /data/org.freedesktop.NetworkManager.service
 /data/server.conf
 /data/org.freedesktop.NetworkManager.policy
 /data/org.freedesktop.NetworkManager.policy.in
 /data/nm-sudo.service
 /data/nm-priv-helper.service
 /data/NetworkManager-config-initrd.service
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -60,11 +60,11 @@ variables:
  #
  # This is done by running `ci-fairy generate-template` and possibly bumping
  # ".default_tag".
-  ALPINE_TAG:  'tag-dcc430216167'
+  ALPINE_TAG:  'tag-8e4bbc59695b'
-  CENTOS_TAG:  'tag-feb1adbc208e'
+  CENTOS_TAG:  'tag-caf6673db1a7'
-  DEBIAN_TAG:  'tag-afb784497c2f'
+  DEBIAN_TAG:  'tag-e394e8e726e1'
-  FEDORA_TAG:  'tag-feb1adbc208e'
+  FEDORA_TAG:  'tag-caf6673db1a7'
-  UBUNTU_TAG:  'tag-afb784497c2f'
+  UBUNTU_TAG:  'tag-e394e8e726e1'
  ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
  CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@ -102,19 +102,7 @@ variables:
 # Build a container for each distribution + version. The ci-templates
 # will re-use the containers if the tag doesn't change.
-tier1:fedora:43@prep:
+tier1:fedora:42@prep:
  extends:
    - .fdo.container-build@fedora
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '43'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule' || $SCHEDULED_PIPELINE_NAME == "weekly"
 tier3:fedora:42@prep:
  extends:
    - .fdo.container-build@fedora
  stage: prep
@ -123,6 +111,116 @@ tier3:fedora:42@prep:
    FDO_DISTRIBUTION_VERSION: '42'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule' || $SCHEDULED_PIPELINE_NAME == "weekly"
 tier2:fedora:rawhide@prep:
  extends:
    - .fdo.container-build@fedora
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'rawhide'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:centos:stream10@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:centos:stream9@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream9'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:ubuntu:devel@prep:
  extends:
    - .fdo.container-build@ubuntu
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'devel'
    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
    FDO_DISTRIBUTION_EXEC: $UBUNTU_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:debian:testing@prep:
  extends:
    - .fdo.container-build@debian
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'testing'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:debian:sid@prep:
  extends:
    - .fdo.container-build@debian
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'sid'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:alpine:edge@prep:
  extends:
    - .fdo.container-build@alpine
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'edge'
    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
    FDO_DISTRIBUTION_EXEC: $ALPINE_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:fedora:43@prep:
  extends:
    - .fdo.container-build@fedora
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '43'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
@ -268,34 +366,6 @@ tier3:alpine:3.19@prep:
      when: manual
      allow_failure: true
 tier3:centos:stream10@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:centos:stream9@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream9'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 #################################################################
 #                                                               #
 # tierN stage                                                   #
@ -312,7 +382,7 @@ tier3:centos:stream9@prep:
  dependencies: []
-t_fedora:43:
+t_fedora:42:
  extends:
    - .build@template
    - .fdo.distribution-image@fedora
@ -328,24 +398,122 @@ t_fedora:43:
        - tarball
        - subtree
  variables:
-    FDO_DISTRIBUTION_VERSION: '43'
+    FDO_DISTRIBUTION_VERSION: '42'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  needs:
-    - "tier1:fedora:43@prep"
+    - "tier1:fedora:42@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
-t_fedora:42:
+t_fedora:rawhide:
  extends:
    - .build@template
    - .fdo.distribution-image@fedora
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'rawhide'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  needs:
    - "tier2:fedora:rawhide@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream10:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier2:centos:stream10@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream9:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream9'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier2:centos:stream9@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_ubuntu:devel:
  extends:
    - .build@template
    - .fdo.distribution-image@ubuntu
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'devel'
    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
  needs:
    - "tier2:ubuntu:devel@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_debian:testing:
  extends:
    - .build@template
    - .fdo.distribution-image@debian
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'testing'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
  needs:
    - "tier2:debian:testing@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_debian:sid:
  extends:
    - .build@template
    - .fdo.distribution-image@debian
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'sid'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
  needs:
    - "tier2:debian:sid@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_alpine:edge:
  extends:
    - .build@template
    - .fdo.distribution-image@alpine
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'edge'
    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
  needs:
    - "tier2:alpine:edge@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_fedora:43:
  extends:
    - .build@template
    - .fdo.distribution-image@fedora
    - .nm_artifacts_debug
  stage: tier3
  variables:
-    FDO_DISTRIBUTION_VERSION: '42'
+    FDO_DISTRIBUTION_VERSION: '43'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  needs:
-    - "tier3:fedora:42@prep"
+    - "tier3:fedora:43@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
@ -489,34 +657,6 @@ t_alpine:3.19:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream10:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier3:centos:stream10@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream9:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream9'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier3:centos:stream9@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 #################################################################
 #                                                               #
 # specific jobs                                                 #
@ -527,10 +667,10 @@ check-patch:
  extends:
    - .fdo.distribution-image@fedora
  variables:
-    FDO_DISTRIBUTION_VERSION: '43'
+    FDO_DISTRIBUTION_VERSION: '42'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  needs:
-    - "tier1:fedora:43@prep"
+    - "tier1:fedora:42@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
  stage: tier1
@ -542,10 +682,10 @@ check-tree:
  extends:
    - .fdo.distribution-image@fedora
  variables:
-    FDO_DISTRIBUTION_VERSION: '43'
+    FDO_DISTRIBUTION_VERSION: '42'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  needs:
-    - "tier1:fedora:43@prep"
+    - "tier1:fedora:42@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != $CI_DEFAULT_BRANCH
      allow_failure: true
@ -573,11 +713,11 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  dependencies:
-    - "t_fedora:43: [meson+gcc+docs+valgrind]"
+    - "t_fedora:42: [meson+gcc+docs+valgrind]"
  needs:
-    - "t_fedora:43: [meson+gcc+docs+valgrind]"
+    - "t_fedora:42: [meson+gcc+docs+valgrind]"
 triage:issues:
  stage: triage
@ -594,11 +734,11 @@ coverity:
  extends:
    - .fdo.distribution-image@fedora
  variables:
-    FDO_DISTRIBUTION_VERSION: '43'
+    FDO_DISTRIBUTION_VERSION: '42'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  stage: coverity
  needs:
-    - "tier1:fedora:43@prep"
+    - "tier1:fedora:42@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULED_PIPELINE_NAME == "weekly"
  script:
--- a/.gitlab-ci/ci.template
+++ b/.gitlab-ci/ci.template
@ -240,7 +240,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  dependencies:
    - "t_{{default_distro.name}}:{{default_distro.versions[0]}}: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/config.yml
+++ b/.gitlab-ci/config.yml
@ -23,17 +23,39 @@ distributions:
  - name: fedora
    tier: 1
    versions:
-      - '43'
+      - '42'
  # TIER 2: distribution versions that will or might use the current NM version.
  # Run when doing a release.
  - name: fedora
    tier: 2
    versions:
      - 'rawhide'
  - name: centos
    tier: 2
    versions:
      - 'stream10'
      - 'stream9'
  - name: ubuntu
    tier: 2
    versions:
      - 'devel'
  - name: debian
    tier: 2
    versions:
      - 'testing'
      - 'sid'
  - name: alpine
    tier: 2
    versions:
      - 'edge'
  # TIER 3: distribution versions not in EOL but don't use the current NM version.
  # Run when doing a release, but a failure won't be blocking for the release.
  - name: fedora
    tier: 3
    versions:
-      - '42'
+      - '43'
      - '41'
  - name: ubuntu
    tier: 3
@ -53,8 +75,3 @@ distributions:
      - '3.21'
      - '3.20'
      - '3.19'
  - name: centos
    tier: 3
    versions:
      - 'stream10'
      - 'stream9'
--- a/.gitlab-ci/distros-info.yml
+++ b/.gitlab-ci/distros-info.yml
@ -8,6 +8,9 @@ fedora:
 - version: rawhide
  support: yes
  nm: main
 - version: 43
  support: 2026-12-02
  nm: 1.54
 - version: 42
  support: 2026-05-13
  nm: 1.52
@ -18,8 +21,11 @@ fedora:
 # CentOS Stream
 centos:
 - version: stream10
  support: 2030-12-31 # exact date unknown, only the year
  nm: main
 - version: stream9
-  support: 2027-05-31
+  support: 2027-12-31 # exact date unknown, only the year
  nm: main
 # RHEL:
@ -31,33 +37,43 @@ centos:
 #   support: 6 months
 # Releases and support info: https://access.redhat.com/support/policy/updates/errata
 rhel:
- version: 9.6  # not released yet
+# Not released yet
 - version: 10.1
  support: yes
-  nm: main
+  nm: 1.54
- version: 9.5
+- version: 9.7  # not released yet
  support: yes
-  nm: 1.48
+  nm: 1.54
 # Full support or EUS support:
 - version: 10.0
  support: 2027-05-31
  extended-support: 2029-05-31
  nm: 1.52
 - version: 9.6
  support: 2027-05-31
  extended-support: 2029-05-31
  nm: 1.52
 - version: 9.4
  support: 2026-04-30
  extended-support: 2028-04-30
  nm: 1.46
 - version: 9.2
  support: 2025-05-31
  extended-support: 2027-05-31
  nm: 1.42
 - version: 8.10  # last RHEL 8 release, maintenaince support only
  support: 2029-05-31
  extended-support: no
  nm: 1.40
- version: 8.8
+# SAP / Enhaced EUS only:
 - version: 9.2
  support: 2025-05-31
  extended-support: 2027-05-31
-  nm: 1.40
+  nm: 1.42
 # SAP / Enhaced EUS only:
 - version: 9.0
  support: 2024-05-31
  extended-support: 2026-05-31
  nm: 1.36
 - version: 8.8
  support: 2025-05-31
  extended-support: 2027-05-31
  nm: 1.40
 - version: 8.6
  support: 2024-05-31
  extended-support: 2026-05-31
@ -81,10 +97,6 @@ ubuntu:
  name: plucky
  support: 2026-01-15
  nm: 1.52
 - version: 24.10
  name: oracular
  support: 2025-07-10
  nm: 1.48
 - version: 24.04
  name: noble
  support: 2029-05-31
@ -109,6 +121,11 @@ debian:
 - version: sid
  support: yes
  nm: main
 - version: 13
  name: trixie
  support: 2028-08-09
  extended-support: 2030-06-30
  nm: 1.52
 - version: 12
  name: bookworm
  support: 2026-06-11
@ -130,6 +147,9 @@ alpine:
 - version: edge
  support: yes
  nm: main
 - version: 3.22
  support: 2027-05-01
  nm: 1.52
 - version: 3.21
  support: 2026-11-01
  nm: 1.50
--- a/.gitlab-ci/run-test.sh
+++ b/.gitlab-ci/run-test.sh
@ -155,12 +155,7 @@ test_subtree() {
    do_clean
    pushd ./src/$d
-    ARGS=()
+    CC="$cc" CFLAGS="-Werror -Wall" meson build
    if [ "$d" = n-acd ]; then
        ARGS+=('-Debpf=false')
    fi
    CC="$cc" CFLAGS="-Werror -Wall" meson build "${ARGS[@]}"
    ninja -v -C build test
    popd
--- a/.gitlab/merge_request_templates/Default.md
+++ b/.gitlab/merge_request_templates/Default.md
@ -12,9 +12,9 @@ Please read
 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/CONTRIBUTING.md
 before opening the merge request. In particular, check that:
- - [ ] the subject for all commits is concise and explicative
+ - [ ] The subject for all commits is concise, explanatory, and includes a prefix indicating the area of code changed (e.g., "nmcli: ", "core: ")
- - [ ] the message for all commits explains the reason for the change
+ - [ ] The message for all commits explains the reason for the change
- - [ ] the source is properly formatted
+ - [ ] The source is properly formatted
- - [ ] any relevant documentation is up to date
+ - [ ] Any relevant documentation is up to date
- - [ ] you have added unit tests if applicable
+ - [ ] You have added unit tests if applicable
- - [ ] the NEWS file is updated when the change deserves to be mentioned, for example for new features, behavior changes, API deprecations, etc.
+ - [ ] The NEWS file is updated when the change deserves to be mentioned, for example for new features, behavior changes, API deprecations, etc.
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -252,17 +252,25 @@ Versioning scheme (version numbers are called MAJOR.MINOR.MICRO):
  versioning scheme than the main NM project despite there are no development
  versions here.
 Before starting:
 - You need to have the maintainer role in the project.
 - The GPG key used to sign the release must be added to your GNOME's Gitlab
  profile and uploaded to a keyserver.
 - All details: https://handbook.gnome.org/maintainers/making-a-release.html
 When doing a release, follow this process:
 1. Ensure that `NEWS` file is up to date.
-2. Increment the version in `meson.build`, commit and tag the commit. Example:
+2. Increment the version in `meson.build` or `configure.ac`.
-   `git tag -s 1.2.8 -m 'Tag 1.2.8'`.
+3. Commit and push to the `main` branch.
-3. Ensure that you are on the right commit and create the tarball:
+4. Check that the Gitlab's pipeline finishes without errors.
-   `git clean -fdx && meson setup build && cd build && meson dist`
+5. Tag the commit with a signed tag. Example: `git tag -s 1.2.8 -m 'Release 1.2.8'`.
-4. Upload the tarball: `scp ./*-*.tar.xz "$user@master.gnome.org:"`
+6. Push the tag. Example: `git push origin 1.2.8`.  
-5. Login to `master.gnome.org` and run `ftpadmin install`.  
+   WARN: this is what starts the automatic CI release. As GNOME doesn't allow
-   Ensure the new tarballs show up at https://download.gnome.org/sources/
+   to delete tags, any error detected after this will force a new version bump.
-   (happens after a short delay)
+7. Check that the Gitlab's pipeline finishes without errors. If that happens,
-6. Announce the release on the mailing list.
+   the release is done and available both in the Gitlab's releases section and
   https://download.gnome.org/sources/*
 8. Announce the release on the mailing list.
 Notes:
 - You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).
--- a/108
+++ b/108
@ -1,25 +1,103 @@
-===============================================
+=============================================
-NetworkManager-1.54.2
+NetworkManager-1.58
-Overview of changes since NetworkManager-1.54.1
+Overview of changes since NetworkManager-1.56
-===============================================
+=============================================
 This is a snapshot of NetworkManager development. The API is
 subject to change and not guaranteed to be compatible with
 the later release.
 USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
 * Unify the versioning to use everywhere the scheme with the -rcX or -dev
  suffixes when appropriate. This affects, for example, the URL and filename
  of the release tarball and the version reported by nmcli and the daemon.
  As an exception, the C API will continue to use the 90+ scheme for RC versions.
 * Connection profiles with manual IP addressing and with gateways that are not
  directly reachable will generate a warning on activation and when they are
  added/modified via nmcli and nmtui. NetworkManager currently adds on-link
  routes for them automatically, but this will change in the future. To fix the
  warning, users should add addresses or routes whose subnets cover these
  gateways. A gateway (either the default gateway or the next-hop of a route) is
  considered directly reachable if it falls within the subnet of a direct route
  (a route without a next hop) or of a prefix route from a static address.
 * Restrict the connectivity check to use the DNS servers defined on the
  same link. If the link has no DNS servers, the connectivity check will
  use any servers available in the system.
 * Install the systemd units in the initramfs using a systemd generator.
 * A new "check-connectivity" configuration option is available to disable the
  connectivity check for selected interfaces.
 * Remove the modify_system build option that allowed setting up the
  polkit permissions to allow non-admin users to create system-wide
  connection. That configuration is discouraged because it can be used
  to bypass filesystem permissions.
 * For private connections (the ones that specify a user in the
  "connection.permissions" property), verify that the user can access
  the 802.1X certificates and keys set in the connection.
 * Introduce a libnm function that can be used by VPN plugins to check
  user permissions on certificate and keys.
 * The support for Wireless Extensions is deprecated and will be
  removed in a future release. Wireless Extensions are now disabled by
  default.
 * Use an internal implementation of the ping functionality when the
  "connection.gateway-ping-timeout" or "connection.ip-ping-addresses"
  properties are set, instead of relying on the "ping" tool.  
 * The powersave property now functions with the iwd backend.
 * The "band" property of Wi-fi connections now accepts the "6GHz"
  value.
 * Show the Wi-Fi band of APs in the scan results from nmcli.
 * New <Select...> button in nmtui that allows users to chose from list of
  available devices when creating connection profiles for physical interfaces
  (Ethernet, Wi-Fi, etc.).
 * Add support for CLAT (464XLAT) using a BPF program.
 * Change the default value of the ipv4.dhcp-ipv6-only-preferred property
  to a new value "auto" which automatically enables the option when CLAT
  is enabled ("yes" or "auto") in the connection profile.
 * WIFI connections using wpa-psk respect the setting connection.auth-retry
  and only prompt for new secrets during the last authentication attempt before
  failing.
 * Add support for GENEVE interface.
 * The DHCPv4 internal client now ignores option 3 (Router) if the lease
  contains option 121 (Classless Static Route), as recommended by RFC 3442.
 * Allow persisting the managed state across reboots from nmcli and the D-Bus API.
 * Allow changing the device's administrative state in the kernel at the same
  time as a change to the managed state from nmcli and the D-Bus API.
 * Allow configuring all bond options in nmtui by introducing a
  "other options" field, which covers options not already covered by a
  dedicated input field.
 =============================================
 NetworkManager-1.56
 Overview of changes since NetworkManager-1.54
 =============================================
 * nmcli now supports viewing and managing WireGuard peers.
 * Support reapplying the "sriov.vfs" property as long as
  "sriov.total-vfs" is not changed.
-* Support configuring the HSR protocol version via the
+* Support reapplying "bond-port.vlans".
-  "hsr.protocol-version" property.
+* Accept hostnames longer than 64 characters from DNS lookup.
 * Support configuring the HSR interlink port via the
  "hsr.interlink" property.
 ===============================================
 NetworkManager-1.54.1
 Overview of changes since NetworkManager-1.54.0
 ===============================================
 * Make that global-dns configuration overwrites DNS searches and
  options from connections, instead of merging all together.
 * Add support for a new rd.net.dhcp.client-id option in
  nm-initrd-generator.
-* Minor bug fixes.
+* Add gsm device-uid setting to restrict the devices the connection applies to.
 * Support configuring the HSR protocol version via the
  "hsr.protocol-version" property.
 * Fix a bug that makes broadband connections auto-connect getting 
  blocked if the connection tries to reconnect when modem status is 
  "disconnecting" / "disconnected".
 * Treat modem connection not having an operator code available
  as a recoverable error.
 * Add support for configuring systemd-resolved's DNSSEC option
  per-connection via the "connection.dnssec" connection property.
 * Support configuring the HSR interlink port via the
  "hsr.interlink" property.
 * Fix some connection properties not being applied to vpn connections
  (connection.mdns, connection.llmnr, connection.dns-over-tls,
   connection.mptcp-flags, ipv6.ip6-privacy)
 * Update n-acd to always compile with eBPF enabled, as support
  for eBPF is now detected at run time.
 * Add new MPTCP 'laminar' endpoint type, and set it by default alongside
  the 'subflow' one.
 =============================================
 NetworkManager-1.54
--- a/config.h.meson
+++ b/config.h.meson
@ -239,6 +239,15 @@
 /* Whether we build with OVS plugin */
 #mesondefine WITH_OPENVSWITCH
 /* Whether we build with team support */
 #mesondefine WITH_TEAMDCTL
 /* Whether we build with Wi-Fi support */
 #mesondefine WITH_WIFI
 /* Whether we build with WWAN support */
 #mesondefine WITH_WWAN
 /* Define if you have PPP support */
 #mesondefine WITH_PPP
@ -285,3 +294,6 @@
 /* Define to 1 if dlvsym() is available */
 #mesondefine HAVE_DLVSYM
 /* Define to 1 if you want CLAT support. */
 #mesondefine HAVE_CLAT
--- a/contrib/alpine/REQUIRED_PACKAGES
+++ b/contrib/alpine/REQUIRED_PACKAGES
@ -8,6 +8,7 @@ apk add \
    'alpine-sdk' \
    'autoconf' \
    'bash' \
    'bpftool' \
    'clang' \
    'curl-dev' \
    'dbus' \
@ -23,6 +24,7 @@ apk add \
    'iproute2' \
    'iptables' \
    'jansson-dev' \
    'libbpf-dev' \
    'libgudev-dev' \
    'libndp-dev' \
    'libnvme-dev' \
@ -30,7 +32,6 @@ apk add \
    'libpsl-dev' \
    'libsoup-dev' \
    'libteam-dev' \
    'libtool' \
    'linux-headers' \
    'meson' \
    'mobile-broadband-provider-info' \
--- a/contrib/debian/REQUIRED_PACKAGES
+++ b/contrib/debian/REQUIRED_PACKAGES
@ -32,6 +32,7 @@ install_ignore_missing() {
 install \
    \
    bpftool \
    clang \
    dbus \
    dbus-x11 \
@ -43,6 +44,7 @@ install \
    iproute2 \
    iptables \
    libaudit-dev \
    libbpf-dev \
    libcurl4-gnutls-dev \
    libdbus-1-dev \
    libgirepository1.0-dev \
@ -62,7 +64,6 @@ install \
    libreadline-dev \
    libsystemd-dev \
    libteam-dev \
    libtool \
    libudev-dev \
    locales \
    meson \
--- a/contrib/fedora/REQUIRED_PACKAGES
+++ b/contrib/fedora/REQUIRED_PACKAGES
@ -49,6 +49,7 @@ install \
    ModemManager-glib-devel \
    audit-libs-devel \
    bluez-libs-devel \
    bpftool \
    clang \
    dbus-devel \
    dbus-x11 \
@ -64,11 +65,11 @@ install \
    iptables \
    jansson-devel \
    jq \
    libbpf-devel \
    libcurl-devel \
    libndp-devel \
    libnvme-devel \
    libselinux-devel \
    libtool \
    libuuid-devel \
    meson \
    mobile-broadband-provider-info-devel \
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@ -6,18 +6,23 @@
 #
 # Note that it contains __PLACEHOLDERS__ that will be replaced by the accompanying 'build.sh' script.
 Name:    NetworkManager
 Summary: Network connection manager and user applications
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 URL:     https://networkmanager.dev/
 Group:   System Environment/Base
 Epoch:   1
 Version: __VERSION__
 Release: __RELEASE_VERSION__%{?dist}
 ###############################################################################
 %global wpa_supplicant_version 1:1.1
 %global ppp_version %(pkg-config --modversion pppd 2>/dev/null || sed -n 's/^#define\\s*VERSION\\s*"\\([^\\s]*\\)"$/\\1/p' %{_includedir}/pppd/patchlevel.h 2>/dev/null | grep . || echo bad)
 %global glib2_version %(pkg-config --modversion glib-2.0 2>/dev/null || echo bad)
 %global epoch_version 1
 %global real_version __VERSION__
 %global rpm_version %{real_version}
 %global release_version __RELEASE_VERSION__
 %global snapshot __SNAPSHOT__
 %global git_sha __COMMIT__
 %global bcond_default_debug __BCOND_DEFAULT_DEBUG__
 %global bcond_default_lto __BCOND_DEFAULT_LTO__
 %global bcond_default_test __BCOND_DEFAULT_TEST__
@ -32,17 +37,6 @@
 %global _hardened_build 1
 %if "x%{?snapshot}" != "x"
 %global snapshot_dot .%{snapshot}
 %endif
 %if "x%{?git_sha}" != "x"
 %global git_sha_dot .%{git_sha}
 %endif
 %global snap %{?snapshot_dot}%{?git_sha_dot}
 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[0-9][0-9]*\\)\\.[0-9][0-9]*$/\\1/p')
 %global systemd_units NetworkManager.service NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-priv-helper.service
 %global systemd_units_cloud_setup nm-cloud-setup.service nm-cloud-setup.timer
@ -106,7 +100,13 @@
 %else
 %bcond_without iwd
 %endif
-
+%bcond_without polkit_noauth_group
 %ifarch %{ix86}
 # there is no bpftool in i686
 %bcond_with clat
 %else
 %bcond_without clat
 %endif
 ###############################################################################
 %global dbus_version 1.9.18
@ -153,17 +153,6 @@
 %bcond_with ifcfg_migrate
 %endif
 %if 0%{?fedora}
 # Although eBPF would be available on Fedora's kernel, it seems
 # we often get SELinux denials (rh#1651654). But even aside them,
 # bpf(BPF_MAP_CREATE, ...) randomly fails with EPERM. That might
 # be related to `ulimit -l`. Anyway, this is not usable at the
 # moment.
 %global ebpf_enabled "no"
 %else
 %global ebpf_enabled "no"
 %endif
 # Fedora 33 enables LTO by default by setting CFLAGS="-flto -ffat-lto-objects".
 # However, we also require "-flto -flto-partition=none", so disable Fedora's
 # default and use our configure option --with-lto instead.
@ -171,16 +160,7 @@
 ###############################################################################
-Name: NetworkManager
+#Source: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/releases/%{version_no_tilde}/downloads/%{name}-%{version_no_tilde}.tar.xz
 Summary: Network connection manager and user applications
 Epoch: %{epoch_version}
 Version: %{rpm_version}
 Release: %{release_version}%{?snap}%{?dist}
 Group: System Environment/Base
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 URL: https://networkmanager.dev/
 #Source: https://download.gnome.org/sources/NetworkManager/%{real_version_major}/%{name}-%{real_version}.tar.xz
 Source: __SOURCE1__
 Source1: NetworkManager.conf
 Source2: 00-server.conf
@ -194,17 +174,16 @@ Source9: readme-ifcfg-rh-migrated.txt
 #Patch1: 0001-some.patch
 Requires(post): systemd
 Requires(post): systemd-udev
 Requires(post): /usr/sbin/update-alternatives
 Requires(preun): systemd
 Requires(preun): /usr/sbin/update-alternatives
 Requires(postun): systemd
 Requires: dbus >= %{dbus_version}
 Requires: glib2 >= %{glib2_version}
 Requires: %{name}-libnm%{?_isa} = %{epoch}:%{version}-%{release}
-Recommends: iputils
+%if %{with clat}
 Requires: libbpf
 %endif
 %if 0%{?rhel} == 8
 # Older libndp versions use select() (rh#1933041). On well known distros,
@ -253,7 +232,7 @@ Conflicts: NetworkManager-dispatcher-routing-rules <= 1:1.47.5-3
 %endif
 BuildRequires: gcc
-BuildRequires: libtool
+BuildRequires: clang
 BuildRequires: pkgconfig
 BuildRequires: meson
 BuildRequires: gettext-devel >= 0.19.8
@ -308,6 +287,10 @@ BuildRequires: firewalld-filesystem
 BuildRequires: iproute
 BuildRequires: iproute-tc
 BuildRequires: libnvme-devel >= 1.5
 %if %{with clat}
 BuildRequires: libbpf-devel
 BuildRequires: bpftool
 %endif
 Provides: %{name}-dispatcher%{?_isa} = %{epoch}:%{version}-%{release}
@ -576,6 +559,8 @@ Group: System Environment/Base
 BuildArch: noarch
 Requires: NetworkManager
 Requires: /usr/bin/nmcli
 Requires(post): /usr/sbin/update-alternatives
 Requires(preun): /usr/sbin/update-alternatives
 Obsoletes: NetworkManager < %{obsoletes_initscripts_updown}
 %description initscripts-updown
@ -586,7 +571,7 @@ Preferably use nmcli instead.
 %prep
-%autosetup -p1 -n NetworkManager-%{real_version}
+%autosetup -p1 -n NetworkManager-%{version_no_tilde}
 %build
@ -627,19 +612,20 @@ Preferably use nmcli instead.
 %endif
 %if %{with wifi}
 	-Dwifi=true \
 %if 0%{?fedora}
 	-Dwext=true \
 %else
 	-Dwext=false \
 %endif
 %else
 	-Dwifi=false \
 %endif
 	-Dwext=false \
 %if %{with iwd}
 	-Diwd=true \
 %else
 	-Diwd=false \
 %endif
 %if %{with clat}
 	-Dclat=true \
 %else
 	-Dclat=false \
 %endif
 %if %{with bluetooth}
 	-Dbluez5_dun=true \
 %else
@ -676,21 +662,19 @@ Preferably use nmcli instead.
 	-Dselinux=true \
 	-Dpolkit=true  \
 	-Dconfig_auth_polkit_default=true \
-	-Dmodify_system=true \
+%if %{with polkit_noauth_group}
 	-Dpolkit_noauth_group=wheel \
 %endif
 	-Dconcheck=true \
 %if 0%{?fedora}
 	-Dlibpsl=true \
 %else
 	-Dlibpsl=false \
 %endif
 %if %{ebpf_enabled} != "yes"
 	-Debpf=false \
 %else
 	-Debpf=true \
 %endif
 	-Dsession_tracking=systemd \
 	-Dsuspend_resume=systemd \
 	-Dsystemdsystemunitdir=%{_unitdir} \
 	-Dsystemdsystemgeneratordir=%{_systemdgeneratordir} \
 	-Dsystem_ca_path=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
 	-Ddbus_conf_dir=%{dbus_sys_dir} \
 	-Dtests=yes \
@ -763,6 +747,7 @@ rm -f %{buildroot}%{_libdir}/pppd/%{ppp_version}/*.la
 rm -f %{buildroot}%{nmplugindir}/*.la
 # Don't use the *-initrd.service files yet, wait dracut to support them
 rm -f %{buildroot}%{_systemdgeneratordir}/nm-initrd-generator.sh
 rm -f %{buildroot}%{_unitdir}/NetworkManager-config-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
@ -771,8 +756,8 @@ rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
 find %{buildroot}%{_datadir}/gtk-doc -exec touch --reference meson.build '{}' \+
 %if 0%{?__debug_package} && ! 0%{?flatpak}
-mkdir -p %{buildroot}%{_prefix}/src/debug/NetworkManager-%{real_version}
+mkdir -p %{buildroot}%{_prefix}/src/debug/NetworkManager-%{version_no_tilde}
-cp valgrind.suppressions %{buildroot}%{_prefix}/src/debug/NetworkManager-%{real_version}
+cp valgrind.suppressions %{buildroot}%{_prefix}/src/debug/NetworkManager-%{version_no_tilde}
 %endif
 %if %{with ifcfg_rh}
@ -854,8 +839,12 @@ fi
 %postun
 # skip triggering if udevd isn't even accessible, e.g. containers or
 # rpm-ostree-based systems
 if [ -S /run/udev/control ]; then
    /usr/bin/udevadm control --reload-rules || :
    /usr/bin/udevadm trigger --subsystem-match=net || :
 fi
 %firewalld_reload
 %systemd_postun %{systemd_units}
@ -896,6 +885,7 @@ fi
 %{_libexecdir}/nm-dispatcher
 %{_libexecdir}/nm-initrd-generator
 %{_libexecdir}/nm-daemon-helper
 %{_libexecdir}/nm-libnm-helper
 %{_libexecdir}/nm-priv-helper
 %dir %{_libdir}/%{name}
 %dir %{nmplugindir}
@ -927,6 +917,9 @@ fi
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_priv_helper.service
 %{_datadir}/polkit-1/actions/*.policy
 %if %{with polkit_noauth_group}
 %{_datadir}/polkit-1/rules.d/org.freedesktop.NetworkManager.rules
 %endif
 %{_prefix}/lib/udev/rules.d/*.rules
 %{_prefix}/lib/firewalld/zones/nm-shared.xml
 # systemd stuff
--- a/contrib/fedora/rpm/build.sh
+++ b/contrib/fedora/rpm/build.sh
@ -110,7 +110,6 @@ exec 2>&1
 UUID=`uuidgen`
 RELEASE_VERSION="${RELEASE_VERSION:-$(git rev-list HEAD | wc -l)}"
 SNAPSHOT="${SNAPSHOT:-%{nil\}}"
 VERSION="${VERSION:-$(get_version || die "Could not read $VERSION")}"
 COMMIT_FULL="${COMMIT_FULL:-$(git rev-parse --verify HEAD || die "Error reading HEAD revision")}"
 COMMIT="${COMMIT:-$(printf '%s' "$COMMIT_FULL" | sed 's/^\(.\{10\}\).*/\1/' || die "Error reading HEAD revision")}"
@ -206,12 +205,8 @@ cp "$SOURCE_README_IFCFG_MIGRATED" "$TEMP/SOURCES/readme-ifcfg-rh-migrated.txt"
 write_changelog
-sed -e "s/__VERSION__/$VERSION/g" \
+sed -e "s/__VERSION__/${VERSION/-/\~}/g" \
    -e "s/__RELEASE_VERSION__/$RELEASE_VERSION/g" \
    -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
    -e "s/__COMMIT__/$COMMIT/g" \
    -e "s/__COMMIT_FULL__/$COMMIT_FULL/g" \
    -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
    -e "s/__SOURCE1__/$(basename "$SOURCE")/g" \
    -e "s/__BCOND_DEFAULT_DEBUG__/$BCOND_DEFAULT_DEBUG/g" \
    -e "s/__BCOND_DEFAULT_LTO__/${BCOND_DEFAULT_LTO:-"%{nil}"}/g" \
@ -232,7 +227,12 @@ case "$BUILDTYPE" in
        ;;
 esac
-rpmbuild --define "_topdir $TEMP" $RPM_BUILD_OPTION "$TEMPSPEC" $NM_RPMBUILD_ARGS || die "ERROR: rpmbuild FAILED"
+DIST=
 [[ "$COMMIT" != "" ]] && DIST=".${COMMIT}${DIST}"
 [[ "$SNAPSHOT" != "" ]] && DIST=".${SNAPSHOT}${DIST}"
 [[ "$DIST" != "" ]] && DIST=("--define" "dist ${DIST}$(rpmbuild --eval '%{dist}')")
 rpmbuild --define "_topdir $TEMP" "${DIST[@]}" $RPM_BUILD_OPTION "$TEMPSPEC" $NM_RPMBUILD_ARGS || die "ERROR: rpmbuild FAILED"
 LS_EXTRA=()
--- a/contrib/fedora/rpm/configure-for-system.sh
+++ b/contrib/fedora/rpm/configure-for-system.sh
@ -155,7 +155,6 @@ P_CRYPTO="${CRYPTO-}"
 P_DBUS_SYS_DIR="${DBUS_SYS_DIR-}"
 P_DHCP_DEFAULT="${DHCP_DEFAULT-}"
 P_DNS_RC_MANAGER_DEFAULT="${DNS_RC_MANAGER_DEFAULT-}"
 P_EBPF_ENABLED="${EBPF_ENABLED-no}"
 P_FIREWALLD_ZONE="${FIREWALLD_ZONE-}"
 P_IWD="${IWD-}"
 P_LOGGING_BACKEND_DEFAULT="${LOGGING_BACKEND_DEFAULT-}"
@ -174,6 +173,7 @@ P_WIFI="${WIFI-1}"
 P_WWAN="${WWAN-1}"
 P_TEAM="${TEAM-1}"
 P_BLUETOOTH="${BLUETOOTH-1}"
 P_IFCFG_RH="${IFCFG_RH-0}"
 P_NMTUI="${NMTUI-1}"
 P_NM_CLOUD_SETUP="${NM_CLOUD_SETUP-1}"
 P_OVS="${OVS-1}"
@ -203,7 +203,7 @@ if [ -z "$P_FEDORA" -a -z "$P_RHEL" ] ; then
        P_FEDORA="$x"
        P_RHEL=0
    else
-        x="$(grep -q "ID=fedora" /etc/os-release && sed -n 's/VERSION_ID=//p' /etc/os-release)"
+        x="$(grep -q 'ID="rhel"' /etc/os-release && sed -n 's/^VERSION_ID="*\([0-9]*\).*/\1/p' /etc/os-release)"
        if test "$x" -gt 0 ; then
            P_FEDORA=0
            P_RHEL="$x"
@ -294,6 +294,14 @@ if [ -z "$P_MODEM_MANAGER_1" ] ; then
    fi
 fi
 if [ -z "$TEAM" ] && [ "${P_RHEL-0}" -ge 10 ] ; then
    P_TEAM=0
 fi
 if [ -z "$IFCFG_RH" ] && [ -n "$P_RHEL" ] && [ "$P_RHEL" -le 9 ] ; then
    P_IFCFG_RH=1
 fi
 if bool "$P_DEBUG" ; then
    P_CFLAGS="-g -Og -fexceptions${P_CFLAGS:+ }$P_CFLAGS"
 else
@ -379,7 +387,7 @@ meson setup\
    -Db_lto="$(bool_true "$P_LTO")" \
    -Dlibaudit=yes-disabled-by-default \
    -Dmodem_manager="$(bool_true "$P_MODEM_MANAGER_1")" \
-    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext="$(bool_true "$P_FEDORA")") \
+    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext=false) \
    $(args_enable "$(bool_not_true "$P_WIFI")" -Dwifi=false                                  ) \
    -Diwd="$(bool_true "$P_IWD")" \
    -Dbluez5_dun="$(bool_true "$P_BLUETOOTH")" \
@ -393,18 +401,17 @@ meson setup\
    -Dselinux=true \
    -Dpolkit=true  \
    -Dconfig_auth_polkit_default=true \
    -Dmodify_system=true \
    -Dconcheck=true \
    -Dlibpsl="$(bool_true "$P_FEDORA")" \
    -Debpf="$(bool_true "$P_EBPF_ENABLED")" \
    -Dsession_tracking=systemd \
    -Dsuspend_resume=systemd \
    -Dsystemdsystemunitdir=/usr/lib/systemd/system \
    -Dsystemdsystemgeneratordir=/usr/lib/systemd/system-generators \
    -Dsystem_ca_path=/etc/pki/tls/cert.pem \
    -Ddbus_conf_dir="$P_DBUS_SYS_DIR" \
    -Dtests=yes \
    -Dvalgrind=no \
-    -Difcfg_rh=true \
+    -Difcfg_rh="$(bool_true "$P_IFCFG_RH")" \
    -Difupdown=false \
    $(args_enable "$P_PPP"                    -Dppp=true  -Dpppd="$D_SBINDIR/pppd" -Dpppd_plugin_dir="$D_LIBDIR/pppd/$P_PPP_VERSION") \
    $(args_enable "$(bool_not_true "$P_PPP")" -Dppp=false                                                                           ) \
--- a/contrib/fedora/rpm/release.sh
+++ b/contrib/fedora/rpm/release.sh
@ -27,7 +27,7 @@
 #   * Run in a "clean" environment, i.e. no unusual environment variables set, on a recent
 #     Fedora, with suitable dependencies installed.
 #
-#   * First, ensure that you have a valid Gitlab's private token for gitlab.freedestkop.org
+#   * First, ensure that you have a valid Gitlab's private token for gitlab.freedesktop.org
 #     stored in ~/.config/nm-release-token, or pass one with --gitlab-token argument.
 #     Also, ensure you have a GPG key that you want to use for signing. Also, have gpg-agent running
 #     and possibly configure `git config --get user.signingkey` for the proper key.
@ -102,14 +102,8 @@ do_command() {
 SCRIPTDIR="$(dirname "$(readlink -f "$0")")"
 GITDIR="$(cd "$SCRIPTDIR" && git rev-parse --show-toplevel || die "Could not get GITDIR")"
-parse_version() {
+get_version() {
-    local VERSION=$(grep -E -m1 '^\s+version:' "$GITDIR/meson.build" \
+    grep -E -m1 '^\s+version:' "$GITDIR/meson.build" | cut -d"'" -f2
                    | cut -d"'" -f2 \
                    | sed 's/\./ /g')
    re='^(0|[1-9][0-9]*) (0|[1-9][0-9]*) (0|[1-9][0-9]*)$'
    [[ "$VERSION" =~ $re ]] || return 1
    echo "$VERSION"
 }
 number_is_even() {
@ -155,14 +149,12 @@ check_gitlab_pipeline() {
 set_version_number() {
    sed -i \
-        -e '1,20 s/^\( *version: *'\''\)[0-9]\+\.[0-9]\+\.[0-9]\+\('\'',\)$/\1'"$1.$2.$3"'\2/' \
+        -E "1,20 s/^( *version: *')[^']+(',) *\$/\1$1\2/" \
        meson.build
 }
 check_news() {
    local mode="$1"
    shift
    local ver_arr=("$@")
    case "$mode" in
        major|minor)
@ -259,12 +251,18 @@ done
 [ -n "$RELEASE_MODE" ] || die_usage "specify the desired release mode"
-VERSION_ARR=( $(parse_version) ) || die "cannot detect NetworkManager version"
+VERSION_STR="$(get_version)"
-VERSION_STR="$(IFS=.; echo "${VERSION_ARR[*]}")"
+VERSION_ARR=( $(echo "$VERSION_STR" | sed 's/[\.\-]/ /g') )
 if [[ ${VERSION_ARR[2]} =~ ^rc ]]; then
    RC_VERSION=${VERSION_ARR[2]#rc}
    VERSION_ARR[2]=0
 else
    RC_VERSION=
 fi
 echo "Current version before release: $VERSION_STR (do \"$RELEASE_MODE\" release)"
-grep -q "version: '${VERSION_ARR[0]}.${VERSION_ARR[1]}.${VERSION_ARR[2]}'," ./meson.build || die "meson.build does not have expected version"
+grep -q "version: '$VERSION_STR'," ./meson.build || die "meson.build does not have expected version"
 TMP="$(git status --porcelain)" || die "git status failed"
 test -z "$TMP" || die "git working directory is not clean (git status --porcelain)"
@ -280,50 +278,41 @@ if [ "$CUR_BRANCH" = main ]; then
    number_is_odd "${VERSION_ARR[1]}" || die "Unexpected version number on main. Should be an odd development version"
    [ "$RELEASE_MODE" = devel -o "$RELEASE_MODE" = rc1 -o "$RELEASE_MODE" = major-post ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
 else
    re='^nm-[0-9]+-[0-9]+$'
    [[ "$CUR_BRANCH" =~ $re ]] || die "Unexpected current branch $CUR_BRANCH. Should be main or nm-?-??"
    if number_is_odd "${VERSION_ARR[1]}"; then
        # we are on a release candiate branch.
        [ "$RELEASE_MODE" = rc -o "$RELEASE_MODE" = major ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "Unexpected current branch $CUR_BRANCH. Should be nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))"
    else
        [ "$RELEASE_MODE" = minor ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
    [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "Unexpected current branch $CUR_BRANCH. Should be nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}"
-    fi
+    [ "$RELEASE_MODE" = rc -o "$RELEASE_MODE" = major -o "$RELEASE_MODE" = minor ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
 fi
 RC_VERSION=
 RELEASE_BRANCH=
 case "$RELEASE_MODE" in
    minor)
        number_is_even "${VERSION_ARR[1]}" || die "cannot do minor release on top of version $VERSION_STR"
-        [ "$CUR_BRANCH" != main ] || die "cannot do a minor release on main"
+        [ "$RC_VERSION" = "" ] || die "cannot do a minor release on top of an RC version"
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "minor release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
        ;;
    devel)
        number_is_odd "${VERSION_ARR[1]}" || die "cannot do devel release on top of version $VERSION_STR"
-        [ "$((${VERSION_ARR[2]} + 1))" -lt 90 ] || die "devel release must have a micro version smaller than 90 but current version is $VERSION_STR"
+        [ "$RC_VERSION" = "" ] || die "cannot do a devel release on top of an RC version"
        [ "$CUR_BRANCH" == main ] || die "devel release can only be on main"
        ;;
    rc)
        number_is_odd "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
        [ "${VERSION_ARR[2]}" -ge 90 ] || die "rc release must have a micro version larger than ${VERSION_ARR[0]}.90 but current version is $VERSION_STR"
        RC_VERSION="$((${VERSION_ARR[2]} - 88))"
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "devel release can only be on \"nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))\" branch"
        ;;
    rc1)
        number_is_odd "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
-        [ "${VERSION_ARR[2]}" -lt 90 ] || die "rc release must have a micro version smaller than ${VERSION_ARR[0]}.${VERSION_ARR[1]}.90 but current version is $VERSION_STR"
+        [ "$RC_VERSION" = "" ] || die "rc1 release cannot be done on top of an RC version"
        [ "$CUR_BRANCH" == main ] || die "rc1 release can only be on main"
        RELEASE_BRANCH="nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))"
        ;;
    rc)
        number_is_even "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
        [ "$RC_VERSION" != "" ] || die "rc release must be done on top of an RC version"
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "rc release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
        ;;
    major)
-        number_is_odd "${VERSION_ARR[1]}" || die "cannot do major release on top of version $VERSION_STR"
+        number_is_even "${VERSION_ARR[1]}" || die "cannot do major release on top of version $VERSION_STR"
-        [ "${VERSION_ARR[2]}" -ge 90 ] || die "parent version for major release must have a micro version larger than ${VERSION_ARR[0]}.90 but current version is $VERSION_STR"
+        [ "$RC_VERSION" != "" ] || die "major release must be done on top of an RC version"
-        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "major release can only be on \"nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))\" branch"
+        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "major release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
        ;;
    major-post)
        number_is_odd "${VERSION_ARR[1]}" || die "cannot do major-post release on top of version $VERSION_STR"
-        [ "$((${VERSION_ARR[2]} + 1))" -lt 90 ] || die "major-post release must have a micro version smaller than 90 but current version is $VERSION_STR"
+        [ "$RC_VERSION" = "" ] || die "major-post release cannot be done on top of an RC version"
        [ "$CUR_BRANCH" == main ] || die "major-post release can only be on main"
        ;;
    *)
@ -370,7 +359,7 @@ if [ "$ALLOW_LOCAL_BRANCHES" != 1 ]; then
    cmp <(git show "$ORIGIN/main:contrib/fedora/rpm/release.sh") "$BASH_SOURCE_ABSOLUTE" || die "$BASH_SOURCE is not identical to \`git show \"$ORIGIN/main:contrib/fedora/rpm/release.sh\"\`"
 fi
-if ! check_news "$RELEASE_MODE" "@{VERSION_ARR[@]}" ; then
+if ! check_news "$RELEASE_MODE"; then
    if [ "$CHECK_NEWS" == 1 ]; then
        die "NEWS file needs update to mention stable release (skip check with --no-check-news)"
    fi
@ -389,7 +378,7 @@ if [ "$RELEASE_MODE" = major -o "$RELEASE_MODE" = minor ]; then
    fi
    echo "$(echo_color 36 -n "https://gitlab.freedesktop.org/NetworkManager/networkmanager.pages.freedesktop.org.git") by running"
    if [ "$RELEASE_MODE" = major ]; then
-        v="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1)).0"
+        v="${VERSION_ARR[0]}.${VERSION_ARR[1]}.0"
    else
        v="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
    fi
@ -418,71 +407,36 @@ if [ $CHECK_GITLAB = 1 ]; then
    fi
 fi
-BRANCHES=()
+# Work on a temporary branch
 BUILD_TAG=
 CLEANUP_CHECKOUT_BRANCH="$CUR_BRANCH"
 git checkout -B "$TMP_BRANCH"
 CLEANUP_REFS+=("refs/heads/$TMP_BRANCH")
 case "$RELEASE_MODE" in
    minor)
-        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
+        # Version is already correct in meson.build
-        git commit -m "release: bump version to ${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))" -a || die "failed to commit release"
+        BUILD_VERSION="$VERSION_STR"
-
+        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
        git tag -s -a -m "Tag $b" "$b" HEAD || die "failed to tag release"
        BRANCHES+=("$b")
        CLEANUP_REFS+=("refs/tags/$b")
        BUILD_TAG="$b"
        TAR_VERSION="$b"
        ;;
    devel)
-        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
+        # Version is already correct in meson.build
-        git commit -m "release: bump version to ${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1)) (development)" -a || die "failed to commit devel version bump"
+        BUILD_VERSION="$VERSION_STR"
-
+        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))-dev"
        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
        git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
        BRANCHES+=("$b-dev")
        CLEANUP_REFS+=("refs/tags/$b-dev")
        BUILD_TAG="$b-dev"
        TAR_VERSION="$b"
        ;;
    rc)
-        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
+        # Version is already correct in meson.build
-        t="${VERSION_ARR[0]}.$(("${VERSION_ARR[1]}" + 1))-rc$RC_VERSION"
+        BUILD_VERSION="$VERSION_STR"
-        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
+        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}-rc$((RC_VERSION + 1))"
        git commit -m "release: bump version to $b ($t) (development)" -a || die "failed to commit rc version bump"
        git tag -s -a -m "Tag $b ($t) (development)" "$t" HEAD || die "failed to tag release"
        BRANCHES+=("$t")
        CLEANUP_REFS+=("refs/tags/$t")
        BUILD_TAG="$t"
        TAR_VERSION="$b"
        ;;
    rc1)
-        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" 90
+        # Current version is wrong (dev version), need to set rc1 version
-        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.90"
+        BUILD_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1))-rc1"
-        t="${VERSION_ARR[0]}.$(("${VERSION_ARR[1]}" + 1))-rc1"
+        NEXT_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1))-rc2"
        git commit -m "release: bump version to $b ($t)" -a || die "failed to commit rc1 version bump"
        git tag -s -a -m "Tag $b ($t) (development)" "$t" HEAD || die "failed to tag release $t"
        BRANCHES+=("$t")
        CLEANUP_REFS+=("refs/tags/$t")
        BUILD_TAG="$t"
        TAR_VERSION="$b"
        ;;
    major)
-        b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1)).0"
+        # Current version is wrong (rc version), need to set major version
-        set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 1))" 0
+        BUILD_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.0"
-        git commit -m "release: bump version to $b" -a || die "failed to commit major version bump"
+        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.1"
        git tag -s -a -m "Tag $b" "$b" HEAD || die "failed to tag release"
        BRANCHES+=("$b")
        CLEANUP_REFS+=("refs/tags/$b")
        BUILD_TAG="$b"
        TAR_VERSION="$b"
        ;;
    major-post)
        # We create a merge commit with the content of current "main", with two
@ -494,65 +448,77 @@ case "$RELEASE_MODE" in
        git merge -Xours --commit -m tmp main || die "merge1"
        git rm --cached -r . || die "merge2"
        git checkout main -- . || die "merge3"
        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
        git commit --amend -m tmp -a || die "failed to commit major version bump"
        test x = "x$(git diff main HEAD)" || die "there is a diff after merge!"
-        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" "$((${VERSION_ARR[2]} + 1))"
+        # Version is already correct in meson.build
-        git commit --amend -m "release: bump version to $b (development)" -a || die "failed to commit major version bump"
+        BUILD_VERSION="$VERSION_STR"
-        git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
+        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))-dev"
        BRANCHES+=("$b-dev")
        CLEANUP_REFS+=("refs/tags/$b-dev")
        BUILD_TAG="$b-dev"
        TAR_VERSION="$b"
        ;;
    *)
        die "Release mode $RELEASE_MODE not yet implemented"
        ;;
 esac
-build_tag() {
+build_version() {
-    local BUILD_TAG="$1"
+    local CURR_VERSION="$(get_version)"
-    local TAR_FILE="NetworkManager-$2.tar.xz"
+    local BUILD_VERSION="$1"
    local NEXT_VERSION="$2"
    local BUILD_VERSION_DESCR="${BUILD_VERSION/-dev/ (development)}"
    local NEXT_VERSION_DESCR="${NEXT_VERSION/-dev/ (development)}"
    local TAR_FILE="NetworkManager-$BUILD_VERSION.tar.xz"
    local SUM_FILE="$TAR_FILE.sha256sum"
-    git checkout "$BUILD_TAG" || die "failed to checkout $BUILD_TAG"
+    # The current version is usually already correct, except for rc1 and major. Bump version in those cases.
    if [[ "$BUILD_VERSION" != "$CURR_VERSION" ]]; then
        set_version_number "$BUILD_VERSION"
        git commit -m "release: bump version to $BUILD_VERSION_DESCR" -a || die "failed to commit release"
    fi
    # Tag the release
    git tag -s -a -m "Release $BUILD_VERSION_DESCR" "$BUILD_VERSION" HEAD || die "failed to tag release"
    PUSH_REFS+=("$BUILD_VERSION")
    CLEANUP_REFS+=("refs/tags/$BUILD_VERSION")
    # Build to get the tarball for the release
    ./contrib/fedora/rpm/build_clean.sh -r || die "build release failed"
    cp "./build/meson-dist/$TAR_FILE" /tmp/ || die "failed to copy $TAR_FILE to /tmp"
    cp "./build/meson-dist/$SUM_FILE" /tmp/ || die "failed to copy $SUM_FILE to /tmp"
    git clean -fdx
    # Store the release version for later use
    RELEASE_VERSIONS+=("$BUILD_VERSION")
    # Bump to next version, so that build between now and the next release has the next version already.
    # Otherwise the macros in nm_version.h don't work correctly.
    set_version_number "$NEXT_VERSION"
    git commit -m "release: bump version to $NEXT_VERSION_DESCR" -a || die "failed to commit version bump"
 }
-RELEASE_TAR_VERSIONS=()
+# Build and create tarball. Bump version as needed.
-RELEASE_TAGS=()
+PUSH_REFS=()
-if [ -n "$BUILD_TAG" ]; then
+RELEASE_VERSIONS=()
-    build_tag "$BUILD_TAG" "$TAR_VERSION"
+build_version "$BUILD_VERSION" "$NEXT_VERSION"
    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
    RELEASE_TAGS+=("$BUILD_TAG")
 fi
 git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
 BRANCHES+=( "$CUR_BRANCH" )
 if [ "$RELEASE_MODE" = rc1 ]; then
-    git branch "$RELEASE_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
+    # Create the release branch (nm-1-xx)
-    BRANCHES+=( "$RELEASE_BRANCH" )
+    git branch "$RELEASE_BRANCH" "$TMP_BRANCH" || die "cannot checkout $RELEASE_BRANCH"
    PUSH_REFS+=( "$RELEASE_BRANCH" )
    CLEANUP_REFS+=( "refs/heads/$RELEASE_BRANCH" )
-    git checkout "$TMP_BRANCH"
+
-    b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).0"
+    # Go back to the commit of the rc1 release, nm-1-xx is one commit further now.
-    set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 2))" 0
+    git checkout -B "$TMP_BRANCH" "$BUILD_VERSION" || die "cannot checkout $TMP_BRANCH"
-    git commit -m "release: bump version to $b (development)" -a || die "failed to commit devel version bump"
+
-    git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
+    # Second release for rc1: create new dev version on main
-    BRANCHES+=("$b-dev")
+    BUILD_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).0-dev"
-    CLEANUP_REFS+=("refs/tags/$b-dev")
+    NEXT_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).1-dev"
-    BUILD_TAG="$b-dev"
+    build_version "$BUILD_VERSION" "$NEXT_VERSION"
    TAR_VERSION="$b"
    build_tag "$BUILD_TAG" "$TAR_VERSION"
    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
    RELEASE_TAGS+=("$BUILD_TAG")
    git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
 fi
 # Work was done on the temporary branch, advance the real branch
 git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
 PUSH_REFS+=( "$CUR_BRANCH" )
 if [[ $GITLAB_TOKEN == "" ]]; then
    [[ -r ~/.config/nm-release-token ]] || die "cannot read ~/.config/nm-release-token"
    GITLAB_TOKEN=$(< ~/.config/nm-release-token)
@ -565,20 +531,21 @@ if [ -z "$GITLAB_USER_ID" ] || [ "$GITLAB_USER_ID" = "null" ]; then
    die "failed to authenticate to gitlab.freedesktop.org with the private token"
 fi
-do_command git push "$ORIGIN" "${BRANCHES[@]}" || die "failed to to push branches ${BRANCHES[@]} to $ORIGIN"
+# Push the modified branches and tags to the origin repository
 do_command git push "$ORIGIN" "${PUSH_REFS[@]}" || die "failed to to push branches ${PUSH_REFS[@]} to $ORIGIN"
 # Create the releases
 CREATE_RELEASE_FAIL=0
-for I in "${!RELEASE_TAR_VERSIONS[@]}"; do
+for BUILD_VERSION in "${RELEASE_VERSIONS[@]}"; do
-    TAR_FILE="NetworkManager-${RELEASE_TAR_VERSIONS[$I]}.tar.xz"
+    TAR_FILE="NetworkManager-$BUILD_VERSION.tar.xz"
    SUM_FILE="$TAR_FILE.sha256sum"
    BUILD_TAG="${RELEASE_TAGS["$I"]}"
    FAIL=0
    # upload tarball and checksum file as generic packages
    for F in "$TAR_FILE" "$SUM_FILE"; do
        do_command curl --location --fail-with-body --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
            --upload-file "/tmp/$F" \
-            "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$F" \
+            "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$F" \
            || FAIL=1
        if [[ $FAIL = 1 ]]; then
@ -595,25 +562,25 @@ for I in "${!RELEASE_TAR_VERSIONS[@]}"; do
         --request POST "https://gitlab.freedesktop.org/api/v4/projects/411/releases" \
         --data "$(cat <<END
            {
-                "name": "NetworkManager $BUILD_TAG",
+                "name": "NetworkManager $BUILD_VERSION",
-                "tag_name": "$BUILD_TAG", 
+                "tag_name": "$BUILD_VERSION", 
                "assets": {
                    "links": [
                        {
-                            "name": "NetworkManager $BUILD_TAG tarball with docs",
+                            "name": "NetworkManager $BUILD_VERSION tarball with docs",
-                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$TAR_FILE",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$TAR_FILE",
                            "direct_asset_path": "/$TAR_FILE",
                            "link_type":"package"
                        },
                        {
-                            "name": "NetworkManager $BUILD_TAG tarball sha256sum",
+                            "name": "NetworkManager $BUILD_VERSION tarball sha256sum",
-                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$SUM_FILE",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$SUM_FILE",
                            "direct_asset_path": "/$SUM_FILE",
                            "link_type":"package"
                        },
                        {
                            "name": "NEWS",
-                            "url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/$BUILD_TAG/NEWS?ref_type=tags",
+                            "url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/$BUILD_VERSION/NEWS?ref_type=tags",
                            "direct_asset_path": "/NEWS",
                            "link_type":"other"
                        }
@ -623,8 +590,8 @@ for I in "${!RELEASE_TAR_VERSIONS[@]}"; do
 END
            )" || FAIL=1
-    if [[ $? != 0 ]]; then
+    if [[ $FAIL = 1 ]]; then
-        fail_msg "failed to create NetworkManager $BUILD_TAG release"
+        fail_msg "failed to create NetworkManager $BUILD_VERSION release"
        CREATE_RELEASE_FAIL=1
        continue
    fi
--- a/contrib/scripts/nm-ci-run.sh
+++ b/contrib/scripts/nm-ci-run.sh
@ -55,6 +55,7 @@ _WITH_LIBTEAM="true"
 _WITH_DOCS="true"
 _WITH_SYSTEMD_LOGIND="true"
 _WITH_NBFT="true"
 _WITH_CLAT="true"
 if [ $IS_ALPINE = 1 ]; then
    _WITH_SYSTEMD_LOGIND="false"
 fi
@ -63,6 +64,14 @@ if ! pkgconf 'libnvme >= 1.5'; then
    _WITH_NBFT="false"
 fi
 if ! pkgconf 'libndp >= 1.9'; then
    _WITH_CLAT="false"
 fi
 if ! pkgconf 'libbpf >= 1.3'; then
    _WITH_CLAT="false"
 fi
 if [ -z "${NMTST_SEED_RAND+x}" ]; then
    NMTST_SEED_RAND="$SRANDOM"
    if [ -z "$NMTST_SEED_RAND" ]; then
@ -169,18 +178,18 @@ meson setup build \
    -D ld_gc=false \
    -D session_tracking=no \
    -D systemdsystemunitdir=no \
    -D systemdsystemgeneratordir=no \
    -D systemd_journal=false \
    -D selinux=false \
    -D libaudit=no \
    -D libpsl=false \
    -D vapi=false \
    -D introspection=$_WITH_DOCS \
    -D man=$_WITH_DOCS \
    -D qt=false \
    -D crypto=$_WITH_CRYPTO \
    -D docs=$_WITH_DOCS \
    \
    -D ebpf=false \
    \
    -D iwd=true \
    -D ofono=true \
    -D teamdctl=$_WITH_LIBTEAM \
@ -195,6 +204,7 @@ meson setup build \
    -D ifupdown=true \
    \
    -D nbft=$_WITH_NBFT \
    -D clat=$_WITH_CLAT \
    \
    #end
--- a/data/NetworkManager-config-initrd.service.in
+++ b/data/NetworkManager-config-initrd.service.in
@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Configuration (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-journald.socket
 After=systemd-journald.socket
 Before=systemd-udevd.service systemd-udev-trigger.service
 ConditionPathExists=/etc/initrd-release
 [Service]
 Type=oneshot
@ -22,6 +22,3 @@ ExecStartPost=/bin/sh -c ' \
    fi \
 '
 RemainAfterExit=yes
 [Install]
 WantedBy=initrd.target
--- a/data/NetworkManager-initrd.service.in
+++ b/data/NetworkManager-initrd.service.in
@ -1,11 +1,11 @@
 [Unit]
 Description=NetworkManager (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-udev-trigger.service network.target
 After=systemd-udev-trigger.service network-pre.target dbus.service NetworkManager-config-initrd.service
 Before=network.target
 BindsTo=dbus.service
 ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 ConditionPathExistsGlob=|/usr/lib/NetworkManager/system-connections/*
 ConditionPathExistsGlob=|/run/NetworkManager/system-connections/*
@ -22,11 +22,3 @@ Environment=NM_CONFIG_ENABLE_TAG=initrd
 Restart=on-failure
 ProtectSystem=true
 ProtectHome=read-only
 [Install]
 WantedBy=initrd.target
 # We want to enable NetworkManager-wait-online-initrd.service whenever this
 # service is enabled. NetworkManager-wait-online-initrd.service has
 # WantedBy=network-online.target, so enabling it only has an effect if
 # network-online.target itself is enabled or pulled in by some other unit.
 Also=NetworkManager-config-initrd.service NetworkManager-wait-online-initrd.service
--- a/data/NetworkManager-wait-online-initrd.service.in
+++ b/data/NetworkManager-wait-online-initrd.service.in
@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Wait Online (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Requires=NetworkManager-initrd.service
 After=NetworkManager-initrd.service
 Before=network-online.target
 ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 [Service]
@ -21,6 +21,3 @@ Type=oneshot
 ExecStart=@bindir@/nm-online -s -q
 RemainAfterExit=yes
 Environment=NM_ONLINE_TIMEOUT=3600
 [Install]
 WantedBy=initrd.target network-online.target
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -19,10 +19,18 @@ KillMode=process
 # With a huge number of interfaces, starting can take a long time.
 TimeoutStartSec=600
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_BPF CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
-ProtectSystem=true
+PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=read-only
 ProtectKernelLogs=true
 ProtectSystem=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 # We require file descriptors for DHCP etc. When activating many interfaces,
 # the default limit of 1024 is easily reached.
--- a/data/meson.build
+++ b/data/meson.build
@ -55,21 +55,22 @@ if install_udevdir
 endif
 if enable_polkit
  policy = 'org.freedesktop.NetworkManager.policy'
  policy_in = configure_file(
    input: policy + '.in.in',
    output: '@BASENAME@',
    configuration: data_conf,
  )
  i18n.merge_file(
-    input: policy_in,
+    input: 'org.freedesktop.NetworkManager.policy.in',
    output: '@BASENAME@',
    po_dir: po_dir,
    install: true,
-    install_dir: polkit_gobject_policydir,
+    install_dir: polkit_policydir,
  )
  if polkit_noauth_group != ''
    configure_file(
      input: 'org.freedesktop.NetworkManager.rules.in',
      output: '@BASENAME@',
      install_dir: polkit_rulesdir,
      configuration: {'NM_POLKIT_NOAUTH_GROUP': polkit_noauth_group},
    )
  endif
 endif
 if enable_firewalld_zone
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in.in
@ -117,8 +117,8 @@
    <message>System policy prevents modification of network settings for all users</message>
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
+      <allow_inactive>auth_admin_keep</allow_inactive>
-      <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
+      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
--- a/data/org.freedesktop.NetworkManager.rules.in
+++ b/data/org.freedesktop.NetworkManager.rules.in
@ -0,0 +1,17 @@
 // NetworkManager authorizations/policy for the @NM_POLKIT_NOAUTH_GROUP@ group.
 //
 // DO NOT EDIT THIS FILE, it will be overwritten on update.
 //
 // Allow users in the @NM_POLKIT_NOAUTH_GROUP@ group to create system-wide connections without being
 // prompted for a password if they are in a local console.
 // This is optional and is only recommended to maintain backwards compatibility
 // in systems where it was already working in this way. It is discouraged
 // otherwise.
 polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("@NM_POLKIT_NOAUTH_GROUP@") &&
        subject.local) {
        return polkit.Result.YES;
    }
 });
--- a/docs/api/meson.build
+++ b/docs/api/meson.build
@ -1,6 +1,8 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 if enable_introspection
  xsltproc = find_program('xsltproc')
  settings = 'settings-spec'
  output = settings + '.xml'
--- a/docs/api/network-manager-docs.xml
+++ b/docs/api/network-manager-docs.xml
@ -183,6 +183,7 @@
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Bridge.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Dummy.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Generic.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Geneve.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Hsr.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.IPTunnel.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Infiniband.xml"/>
--- a/docs/libnm/libnm-docs.xml
+++ b/docs/libnm/libnm-docs.xml
@ -317,6 +317,7 @@ print ("NetworkManager version " + client.get_version())]]></programlisting></in
    <xi:include href="xml/nm-setting-dummy.xml"/>
    <xi:include href="xml/nm-setting-ethtool.xml"/>
    <xi:include href="xml/nm-setting-generic.xml"/>
    <xi:include href="xml/nm-setting-geneve.xml"/>
    <xi:include href="xml/nm-setting-gsm.xml"/>
    <xi:include href="xml/nm-setting-hostname.xml"/>
    <xi:include href="xml/nm-setting-hsr.xml"/>
@ -377,6 +378,7 @@ print ("NetworkManager version " + client.get_version())]]></programlisting></in
    <xi:include href="xml/nm-device-dummy.xml"/>
    <xi:include href="xml/nm-device-ethernet.xml"/>
    <xi:include href="xml/nm-device-generic.xml"/>
    <xi:include href="xml/nm-device-geneve.xml"/>
    <xi:include href="xml/nm-device-hsr.xml"/>
    <xi:include href="xml/nm-device-infiniband.xml"/>
    <xi:include href="xml/nm-device-ip-tunnel.xml"/>
--- a/docs/libnm/libnm.svg
+++ b/docs/libnm/libnm.svg
@ -202,7 +202,7 @@
         sodipodi:role="line"
         x="19.192902"
         y="360.40768"
-         id="tspan3839">Retrieves, adds, and notifes of changes</tspan><tspan
+         id="tspan3839">Retrieves, adds, and notifies of changes</tspan><tspan
         sodipodi:role="line"
         x="19.192902"
         y="372.90768"
--- a/introspection/meson.build
+++ b/introspection/meson.build
@ -15,6 +15,7 @@ ifaces = [
  'org.freedesktop.NetworkManager.Device.Bridge',
  'org.freedesktop.NetworkManager.Device.Dummy',
  'org.freedesktop.NetworkManager.Device.Generic',
  'org.freedesktop.NetworkManager.Device.Geneve',
  'org.freedesktop.NetworkManager.Device.Hsr',
  'org.freedesktop.NetworkManager.Device.IPTunnel',
  'org.freedesktop.NetworkManager.Device.Infiniband',
--- a/introspection/org.freedesktop.NetworkManager.Device.Geneve.xml
+++ b/introspection/org.freedesktop.NetworkManager.Device.Geneve.xml
@ -0,0 +1,63 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <node name="/">
  <!--
      org.freedesktop.NetworkManager.Device.Geneve:
      @short_description: GENEVE Device.
  -->
  <interface name="org.freedesktop.NetworkManager.Device.Geneve">
    <!--
        Id:
        @since: 1.58
        The GENEVE Virtual Network Identifier (VNI).
    -->
    <property name="Id" type="u" access="read"/>
    <!--
        Remote:
        @since: 1.58
        The IP (v4 or v6) address of the remote endpoint to which GENEVE packets
        are sent.
    -->
    <property name="Remote" type="s" access="read"/>
    <!--
        Tos:
        @since: 1.58
        The value to use in the IP ToS field for GENEVE packets sent to the remote
        endpoint.
    -->
    <property name="Tos" type="y" access="read"/>
    <!--
        Ttl:
        @since: 1.58
        The value to use in the IP TTL field for GENEVE packets sent to the remote
        endpoint.
    -->
    <property name="Ttl" type="i" access="read"/>
    <!--
        Df:
        @since: 1.58
        The Don't Fragment (DF) flag setting for GENEVE packets. 0 means unset,
        1 means set, 2 means inherit from the underlying interface.
    -->
    <property name="Df" type="y" access="read"/>
    <!--
        DstPort:
        @since: 1.58
        Destination port for outgoing GENEVE packets.
    -->
    <property name="DstPort" type="q" access="read"/>
  </interface>
 </node>
--- a/introspection/org.freedesktop.NetworkManager.Device.xml
+++ b/introspection/org.freedesktop.NetworkManager.Device.xml
@ -175,6 +175,9 @@
        property has a similar effect to configuring the device as unmanaged via
        the keyfile.unmanaged-devices setting in NetworkManager.conf. Changes to
        this value are not persistent and lost after NetworkManager restart.
        DEPRECATED: 1.58: Use the SetManaged method instead, which supports
        additional features like persisting the state to disk
    -->
    <property name="Managed" type="b" access="readwrite"/>
@ -391,6 +394,20 @@
    -->
    <method name="Delete"/>
    <!--
        SetManaged:
        @managed:(<link linkend="NMDeviceManaged">NMDeviceManaged</link>) Whether the device is managed. Possible values are "no" (0), "yes" (1) and "reset" (2).
        @flags: (<link linkend="NMDeviceManagedFlags">NMDeviceManagedFlags</link>) flags.
        @since: 1.58
        Set the managed state of the device. With the flags argument different
        behaviors can be achieved, like storing the new managed state to disk.
    -->
    <method name="SetManaged">
      <arg name="managed" type="u" direction="in"/>
      <arg name="flags" type="u" direction="in"/>
      </method>
    <!--
        StateChanged:
        @new_state: (<link linkend="NMDeviceState">NMDeviceState</link>) The new state of the device.
--- a/introspection/org.freedesktop.NetworkManager.Settings.Connection.xml
+++ b/introspection/org.freedesktop.NetworkManager.Settings.Connection.xml
@ -62,7 +62,7 @@
    <!--
        GetSecrets:
-        @setting_name: Name of the setting to return secrets for. If empty, all secrets will be returned.
+        @setting_name: Name of the setting to return secrets for (mandatory).
        @secrets: Nested settings maps containing secrets.
        Get the secrets belonging to this network configuration. Only secrets from
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -83,6 +83,11 @@
    note that your distribution or other packages may drop configuration snippets for NetworkManager, such
    that they are part of the factory default.
    </para>
    <para>
    The options that are indicated as boolean can be set to one of these values:
    <literal>yes</literal>, <literal>true</literal>, <literal>on</literal>, <literal>1</literal>,
    <literal>no</literal>, <literal>false</literal>, <literal>off</literal>, <literal>0</literal>.
    </para>
  </refsect1>
@ -895,11 +900,15 @@ ipv6.ip6-privacy=0
        </varlistentry>
        <varlistentry>
          <term><varname>connection.mptcp-flags</varname></term>
-          <listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
+          <listitem><para>If unspecified, the fallback is 0x122 (<literal>"enabled,subflow,laminar"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dns-over-tls</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dnssec</varname></term>
          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.stable-id</varname></term>
@ -945,6 +954,10 @@ ipv6.ip6-privacy=0
          <term><varname>ipv4.forwarding</varname></term>
          <listitem><para>Whether to configure IPv4 sysctl interface-specific forwarding. When enabled, the interface will act as a router to forward the IPv4 packet from one interface to another. If left unspecified, "auto" is used, so NetworkManager sets the IPv4 forwarding if any shared connection is active, or it will use the kernel default value otherwise. The "ipv4.forwarding" property is ignored when "ipv4.method" is set to "shared", because forwarding is always enabled in this case. The accepted values are: 0: disabled, 1: enabled, 2: auto, 3: ignored (leave the forwarding unchanged).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.clat</varname></term>
          <listitem><para>If left unspecified, defaults to "no".</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.routed-dns</varname></term>
        </varlistentry>
@ -963,7 +976,7 @@ ipv6.ip6-privacy=0
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.dhcp-ipv6-only-preferred</varname></term>
-          <listitem><para>If left unspecified, the "IPv6-only preferred" DHCPv4 option is disabled.</para></listitem>
+          <listitem><para>If left unspecified, it defaults to "auto".</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.dhcp-hostname-flags</varname></term>
@ -1245,12 +1258,13 @@ managed=1
          <term><varname>managed</varname></term>
          <listitem>
            <para>
-              Whether the device is managed or not. A device can be
+              A boolean value specifying whether the device is
-              marked as managed via udev rules (ENV{NM_UNMANAGED}),
+              managed or not. A device can be marked as managed via
-              or via setting plugins (keyfile.unmanaged-devices).
+              udev rules (ENV{NM_UNMANAGED}), or via setting plugins
-              This is yet another way. Note that this configuration
+              (keyfile.unmanaged-devices).  This is yet another
-              can be overruled at runtime via D-Bus. Also, it has
+              way. Note that this configuration can be overruled at
-              higher priority then udev rules.
+              runtime via D-Bus. Also, it has higher priority than
              udev rules.
            </para>
          </listitem>
        </varlistentry>
@ -1319,9 +1333,27 @@ managed=1
            </para>
          </listitem>
        </varlistentry>
        <varlistentry id="check-connectivity">
          <term><varname>check-connectivity</varname></term>
          <listitem>
            <para>
              A boolean value specifying whether NetworkManager will perform a connectivity check
              for this device. Defaults to <literal>yes</literal>.
            </para>
            <para>
              This setting does nothing if the connectivity check has been
              disabled globally using the
              <literal>connectivity.enabled</literal> setting.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry id="keep-configuration">
          <term><varname>keep-configuration</varname></term>
          <listitem>
            <para>
              A boolean value indicating whether the existing device
              configuration is kept at startup.
            </para>
            <para>
              On startup, NetworkManager tries to not interfere with
              interfaces that are already configured. It does so by
@ -1418,16 +1450,16 @@ managed=1
          <term><varname>wifi.iwd.autoconnect</varname></term>
          <listitem>
            <para>
-              If <literal>wifi.backend</literal> is <literal>iwd</literal>, setting this to
+              A boolean value. If <literal>wifi.backend</literal> is <literal>iwd</literal>,
-              <literal>false</literal> forces IWD's autoconnect mechanism to be disabled for
+              setting this to <literal>false</literal> forces IWD's autoconnect mechanism to be
-              this device and connections will only be initiated by NetworkManager whether
+              disabled for this device and connections will only be initiated by NetworkManager
-              commanded by a client or automatically.  Leaving it <literal>true</literal> (default)
+              whether commanded by a client or automatically.  Leaving it <literal>true</literal>
-              stops NetworkManager from automatically initiating connections and allows
+              (default) stops NetworkManager from automatically initiating connections and allows
-              IWD to use its network ranking and scanning logic to decide the best networks
+              IWD to use its network ranking and scanning logic to decide the best networks to
-              to autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
+              autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
-              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings
+              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings like
-              like <literal>permissions</literal> or <literal>multi-connect</literal> may interfere
+              <literal>permissions</literal> or <literal>multi-connect</literal> may interfere with
-              with IWD connection attempts.
+              IWD connection attempts.
            </para>
          </listitem>
        </varlistentry>
@ -1486,7 +1518,7 @@ managed=1
      <variablelist>
        <varlistentry>
          <term><varname>enabled</varname></term>
-          <listitem><para>Whether connectivity check is enabled.
+          <listitem><para>A boolean indicating whether connectivity check is enabled.
          Note that to enable connectivity check, a valid uri must
          also be configured. The value defaults to true, but since
          the uri is unset by default, connectivity check may be disabled.
--- a/man/meson.build
+++ b/man/meson.build
@ -1,29 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 common_ent_file = configure_file(
  input: 'common.ent.in',
  output: '@BASENAME@',
  configuration: data_conf,
 )
 xsltproc_options = [
  xsltproc,
  '--output', '@OUTPUT@',
  '--path', meson.current_build_dir(),
  '--xinclude',
  '--nonet',
  '--stringparam', 'man.output.quietly', '1',
  '--stringparam', 'funcsynopsis.style', 'ansi',
  '--stringparam', 'man.th.extra1.suppress', '1',
  '--stringparam', 'man.authors.section.enabled', '0',
  '--stringparam', 'man.copyright.section.enabled', '0',
  '--stringparam', 'man.th.title.max.length', '30',
 ]
 docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
 mans_xmls = []
 mans = [
  ['NetworkManager', '8'],
  ['NetworkManager-dispatcher', '8'],
@ -44,12 +20,62 @@ if enable_nm_cloud_setup
  mans += [['nm-cloud-setup', '8']]
 endif
 introspection_mans = [
  ['nm-settings-keyfile', '5'],
  ['nm-settings-dbus',    '5'],
  ['nm-settings-nmcli',   '5'],
 ]
 if enable_ifcfg_rh
  introspection_mans += [['nm-settings-ifcfg-rh', '5']]
 endif
 built_mans = []
 foreach man: mans + introspection_mans
  name = man[0] + '.' + man[1]
  if not fs.exists(name)
    built_mans = []
    break
  endif
  built_mans += name
 endforeach
 if enable_introspection or enable_docs
  common_ent_file = configure_file(
    input: 'common.ent.in',
    output: '@BASENAME@',
    configuration: data_conf,
  )
 endif
 if enable_introspection and (enable_man or enable_docs)
  xsltproc_options = [
    find_program('xsltproc'),
    '--output', '@OUTPUT@',
    '--path', meson.current_build_dir(),
    '--xinclude',
    '--nonet',
    '--stringparam', 'man.output.quietly', '1',
    '--stringparam', 'funcsynopsis.style', 'ansi',
    '--stringparam', 'man.th.extra1.suppress', '1',
    '--stringparam', 'man.authors.section.enabled', '0',
    '--stringparam', 'man.copyright.section.enabled', '0',
    '--stringparam', 'man.th.title.max.length', '30',
  ]
  docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
  mans_xmls = []
  foreach man: mans
    input = man[0] + '.xml'
    content_files += join_paths(meson.current_source_dir(), input)
    output = '@0@.@1@'.format(man[0], man[1])
    # not needed if only html requested
    if enable_man
      custom_target(
        output,
        input: input,
@ -59,9 +85,9 @@ foreach man: mans
        install: true,
        install_dir: join_paths(nm_mandir, 'man' + man[1]),
      )
    endif
  endforeach
 if enable_introspection
  merge_cmd = files(source_root / 'tools' / 'generate-docs-nm-settings-docs-merge.py')
  name = 'dbus'
@ -124,6 +150,8 @@ if enable_introspection
    output = '@0@.@1@'.format(man[0], man[1])
    # not needed if only html requested
    if enable_man
      custom_target(
        output,
        input: input,
@ -132,5 +160,13 @@ if enable_introspection
        install: true,
        install_dir: join_paths(nm_mandir, 'man' + man[1]),
      )
-  endforeach
+    endif
  endforeach
 # not needed if only html requested
 elif enable_man
  if built_mans.length() > 0
    install_man(built_mans)
  else
    error('Building manpages requires xsltproc and -Dintrospection=true, and no prebuilt manpages were found. Try building from a release tarball or using -Dman=false.')
  endif
 endif
--- a/man/nm-cloud-setup.xml
+++ b/man/nm-cloud-setup.xml
@ -143,7 +143,7 @@
      script is to automatically pick up changes to the network.</para>
      <para>The dispatcher script will do nothing, unless the systemd service is
-      enabled. To use the dispatcher script you should therefor run
+      enabled. To use the dispatcher script you should therefore run
      <command>systemctl enable nm-cloud-setup.service</command> once.</para>
    </refsect2>
@ -197,7 +197,7 @@
    <para>Enable debug logging by setting <literal>NM_CLOUD_SETUP_LOG</literal> environment variable to <literal>TRACE</literal>.</para>
    <para>In the common case where nm-cloud-setup is running as systemd service, this can be done via <command>systemctl edit nm-cloud-setup.service</command>
    and add <literal>Environment=NM_CLOUD_SETUP_LOG=TRACE</literal> to the <literal>[Service]</literal> section. Afterwards, the log can
-    be found in syslog via <literal>journalctl</literal>. You may also want to enable debug logging in NetworkManager as descibed
+    be found in syslog via <literal>journalctl</literal>. You may also want to enable debug logging in NetworkManager as described
    in the DEBUGGING section in <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
    manual. When sharing logs, it's best to share complete logs and not preemptively filter for NetworkManager or nm-cloud-setup logs.</para>
  </refsect1>
--- a/man/nmcli.xml
+++ b/man/nmcli.xml
@ -1066,15 +1066,16 @@
            <listitem><para><literal>dummy</literal></para></listitem>
            <listitem><para><literal>generic</literal></para></listitem>
            <listitem><para><literal>gsm</literal></para></listitem>
            <listitem><para><literal>hsr</literal></para></listitem>
            <listitem><para><literal>infiniband</literal></para></listitem>
            <listitem><para><literal>ip-tunnel</literal></para></listitem>
            <listitem><para><literal>ipvlan</literal></para></listitem>
            <listitem><para><literal>loopback</literal></para></listitem>
            <listitem><para><literal>macsec</literal></para></listitem>
            <listitem><para><literal>macvlan</literal></para></listitem>
            <listitem><para><literal>olpc-mesh</literal></para></listitem>
            <listitem><para><literal>ovs-bridge</literal></para></listitem>
            <listitem><para><literal>ovs-dpdk</literal></para></listitem>
            <listitem><para><literal>ovs-interface</literal></para></listitem>
            <listitem><para><literal>ovs-patch</literal></para></listitem>
            <listitem><para><literal>ovs-port</literal></para></listitem>
            <listitem><para><literal>pppoe</literal></para></listitem>
            <listitem><para><literal>team</literal></para></listitem>
@ -1435,15 +1436,31 @@
          </arg>
          <arg>
            <option>managed</option>
            <group>
              <arg choice='plain'>--permanent</arg>
              <arg choice='plain'>--permanent-only</arg>
            </group>
            <group choice='req'>
              <arg choice='plain'>yes</arg>
              <arg choice='plain'>no</arg>
              <arg choice='plain'>up</arg>
              <arg choice='plain'>down</arg>
              <arg choice='plain'>reset</arg>
            </group>
          </arg>
        </term>
        <listitem>
          <para>Set device properties.</para>
          <para>The <option>managed</option> property accepts a <option>--permanent</option>
          option to persist the managed state to disk, and not only in runtime. With
          <option>--permanent-only</option> only the permanent managed state is set, and not the
          runtime managed state. The special values <option>up</option> and <option>down</option>
          can be used to set the administrative state of the device at the same time as the runtime
          managed state. The <option>reset</option> value clears the explicit managed setting, and
          with <option>--permanent</option> or <option>--permanent-only</option> it also removes
          the persisted managed setting.</para>
        </listitem>
      </varlistentry>
@ -1717,6 +1734,7 @@
            <group choice='req'>
              <arg choice='plain'>a</arg>
              <arg choice='plain'>bg</arg>
              <arg choice='plain'>6GHz</arg>
            </group>
          </arg>
          <arg><option>channel</option> <replaceable>channel</replaceable></arg>
@ -1850,9 +1868,9 @@
          connections with an option of restoring the network configuration to a
          known good state in case of an error.</para>
-          <para>If the a list of interface names is specified, the checkpoint is
+          <para>If a list of interface names is specified, the checkpoint is
-          taken, the checkpoint is takes only on the specified devices. Otherwise
+          taken only on the specified devices. Otherwise a checkpoint is taken for
-          a checkpoint is taken for all devices.</para>
+          all devices.</para>
          <para>Currently the timeout defaults to 15 seconds. This may change in
          a future version.</para>
--- a/meson.build
+++ b/meson.build
@ -5,23 +5,48 @@ project(
 # NOTE: When incrementing version also add corresponding
 #       NM_VERSION_x_y_z macros in
 #       "src/libnm-core-public/nm-version-macros.h.in"
-  version: '1.54.2',
+  version: '1.57.4-dev',
  license: 'GPL2+',
  default_options: [
    'buildtype=debugoptimized',
    'c_std=gnu11',
    'warning_level=2' # value "2" will add "-Wall" and "-Wextra" to the compiler flags
  ],
-  meson_version: '>= 0.51.0',
+  meson_version: '>= 0.56.0',
 )
 nm_name = meson.project_name()
 nm_version = meson.project_version()
-version_array = nm_version.split('.')
+
 version_and_suffix = nm_version.split('-')
 version_array = version_and_suffix[0].split('.')
 if version_and_suffix.length() == 2
  version_suffix = version_and_suffix[1]
 else
  assert(version_and_suffix.length() == 1)
  version_suffix = ''
 endif
 # In the C API we encode the version in 90+ scheme (1.56-rc1 = 1.55.90, rc2 = .91, etc)
 if version_suffix == '' or version_suffix == 'dev'
  assert(version_array.length() == 3)
  nm_major_version = version_array[0].to_int()
  nm_minor_version = version_array[1].to_int()
  nm_micro_version = version_array[2].to_int()
 elif version_suffix.startswith('rc')
  assert(version_array.length() == 2)
  nm_major_version = version_array[0].to_int()
  nm_minor_version = version_array[1].to_int() - 1
  nm_micro_version = version_suffix.substring(2).to_int() + 89
 else
  error('Invalid suffix: ' + version_suffix)
 endif
 if nm_minor_version % 2 == 1 and version_suffix == ''
  error('Expected a "-dev" or "-rc" suffix')
 elif nm_minor_version %2 == 0 and version_suffix != ''
  error('Unexpected "' + version_suffix + '" suffix')
 endif
 nm_id_prefix = 'NM'
@ -77,6 +102,7 @@ libnm_version = '@0@.@1@.@2@'.format(current - age, age, revision)
 libnm_pkgincludedir = join_paths(nm_includedir, libnm_name)
 fs = import('fs')
 gnome = import('gnome')
 i18n = import('i18n')
 pkg = import('pkgconfig')
@ -89,7 +115,6 @@ po_dir = source_root / 'po'
 top_inc = include_directories('.')
 perl = find_program('perl')
 xsltproc = find_program('xsltproc')
 check_exports = find_program(join_paths(source_root, 'tools', 'check-exports.sh'))
@ -271,7 +296,8 @@ config_h.set10('WITH_JANSSON', jansson_dep.found())
 jansson_msg = 'no'
 if jansson_dep.found()
  jansson_libdir = jansson_dep.get_variable(pkgconfig: 'libdir')
-  res = run_command(find_program('eu-readelf', 'readelf'), '-d', join_paths(jansson_libdir, 'libjansson.so'), check: false)
+  jansson_sysroot = meson.is_cross_build() ? meson.get_external_property('sys_root', '') : ''
  res = run_command(find_program('eu-readelf', 'readelf'), '-d', jansson_sysroot + join_paths(jansson_libdir, 'libjansson.so'), check: false)
  jansson_soname = ''
  foreach line: res.stdout().split('\n')
    if line.strip().contains('SONAME')
@ -327,12 +353,17 @@ config_h.set10('WITH_CONFIG_PLUGIN_IFUPDOWN', enable_ifupdown)
 config_h.set_quoted('NM_DIST_VERSION', dist_version)
 enable_wifi = get_option('wifi')
 config_h.set10('WITH_WIFI', enable_wifi)
 enable_iwd = get_option('iwd')
 assert((not enable_iwd) or enable_wifi, 'Enabling iwd support requires Wi-Fi support as well')
 config_h.set10('WITH_IWD', enable_iwd)
-enable_wext = get_option('wext')
+wext = get_option('wext')
 if wext == 'true'
  error('Wireless Extensions support is deprecated and will be removed in the future. Use -Dwext=force to keep using it')
 endif
 enable_wext = (wext == 'force')
 config_h.set10('HAVE_WEXT', enable_wext)
 # Checks for libdl - on certain platforms its part of libc
@ -382,6 +413,14 @@ if install_systemdunitdir and systemd_systemdsystemunitdir == ''
  systemd_systemdsystemunitdir = systemd_dep.get_variable(pkgconfig: 'systemdsystemunitdir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif
 systemd_systemdsystemgeneratordir = get_option('systemdsystemgeneratordir')
 install_systemdgeneratordir = (systemd_systemdsystemgeneratordir != 'no')
 if install_systemdgeneratordir and systemd_systemdsystemgeneratordir == ''
  assert(systemd_dep.found(), 'systemd required but not found, please provide a valid systemd user generator dir or disable it')
  systemd_systemdsystemgeneratordir = systemd_dep.get_variable(pkgconfig: 'systemdsystemgeneratordir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif
 enable_systemd_journal = get_option('systemd_journal')
 if enable_systemd_journal
  assert(libsystemd_dep.found(), 'Missing systemd-journald support')
@ -476,18 +515,15 @@ if enable_selinux
 endif
 config_h.set10('HAVE_SELINUX', enable_selinux)
-# eBPF support
+# CLAT support
-ebpf_opt = get_option('ebpf')
+enable_clat = get_option('clat')
-# 'auto' means 'false', because there are still issues.
+if enable_clat
-if ebpf_opt != 'true'
+  libbpf = dependency('libbpf', version: '>= 1.3.0', required: false)
-  enable_ebpf = false
+  assert(libbpf.found(), 'You must have libbpf >= 1.3.0 installed to build. Use -Dclat=false to disable use of it')
-else
+  libndp_dep = dependency('libndp', version: '>= 1.9', required: false)
-  enable_ebpf = true
+  assert(libndp_dep.found(), 'You must have libndp >= 1.9 installed to build with CLAT support. Use -Dclat=false to disable it')
  if not cc.has_header('linux/bpf.h')
    assert(ebpf_opt != 'true', 'eBPF requires kernel support')
    enable_ebpf = false
  endif
 endif
 config_h.set10('HAVE_CLAT', enable_clat)
 # libaudit support
 libaudit = get_option('libaudit')
@ -507,12 +543,14 @@ if enable_teamdctl
  libteamdctl_dep = dependency('libteamdctl', version: '>= 1.9')
  assert(libteamdctl_dep.found(), 'You must have libteamdctl installed to build. Use -Dteamdctl=false to disable it')
 endif
 config_h.set10('WITH_TEAMDCTL', enable_teamdctl)
 # polkit
 enable_polkit = get_option('polkit')
 if enable_polkit
  # FIXME: policydir should be relative to `datadir`, not `prefix`. Fixed in https://gitlab.freedesktop.org/polkit/polkit/merge_requests/2
-  polkit_gobject_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
+  polkit_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
  polkit_rulesdir = join_paths(fs.parent(polkit_policydir), 'rules.d')
 endif
 config_auth_polkit_default = get_option('config_auth_polkit_default')
@ -522,6 +560,12 @@ endif
 config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default)
 enable_modify_system = get_option('modify_system')
 if enable_modify_system
  # FIXME: remove this after everyone has stopped using modify_system
  error('modify_system=true is no longer allowed due to security reasons')
 endif
 polkit_noauth_group = get_option('polkit_noauth_group')
 polkit_agent_helper_1_path = get_option('polkit_agent_helper_1')
 foreach p : [ '/usr/libexec/polkit-agent-helper-1',
@ -616,6 +660,7 @@ if enable_modem_manager
  endif
  config_h.set_quoted('MOBILE_BROADBAND_PROVIDER_INFO_DATABASE', mobile_broadband_provider_info_database)
 endif
 config_h.set10('WITH_WWAN', enable_modem_manager)
 # Bluez5 DUN support
 enable_bluez5_dun = get_option('bluez5_dun')
@ -816,6 +861,7 @@ if enable_nm_cloud_setup
  assert(jansson_dep.found(), 'nm-cloud-setup requires jansson library. Use -Dnm_cloud_setup=false to disable it')
 endif
 enable_man = get_option('man')
 enable_docs = get_option('docs')
 more_asserts = get_option('more_asserts')
@ -914,7 +960,6 @@ endif
 test_args = [
  '--called-from-make',
  build_root,
  '',
  enable_valgrind ? valgrind_path : '',
  enable_valgrind ? valgrind_suppressions_path : '',
  '--launch-dbus=auto',
@ -953,7 +998,6 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED',                 ', '.join(config_dhcp_c
 data_conf.set('NM_MAJOR_VERSION',                        nm_major_version)
 data_conf.set('NM_MICRO_VERSION',                        nm_micro_version)
 data_conf.set('NM_MINOR_VERSION',                        nm_minor_version)
 data_conf.set('NM_MODIFY_SYSTEM_POLICY',                 (enable_modify_system ? 'yes' : 'auth_admin_keep'))
 data_conf.set('NM_VERSION',                              nm_version)
 data_conf.set('VERSION',                                 nm_version)
 data_conf.set('bindir',                                  nm_bindir)
@ -964,38 +1008,6 @@ data_conf.set('nmstatedir',                              nm_pkgstatedir)
 data_conf.set('sbindir',                                 nm_sbindir)
 data_conf.set('sysconfdir',                              nm_sysconfdir)
 # check if we can build setting property documentation
 '''
 build_docs=no
 if test -n "$INTROSPECTION_MAKEFILE"; then
  # If g-i is installed we know we have python, but we might not have pygobject
  if ! "$PYTHON" -c 'from gi.repository import GObject' >& /dev/null; then
    AC_MSG_ERROR(["--enable-introspection aims to build the settings documentation. This requires GObject introspection for python (pygobject)])
  fi
  AC_PATH_PROG(PERL, perl)
  if test -z "$PERL"; then
    AC_MSG_ERROR([--enable-introspection requires perl])
  fi
  AC_PATH_PROG(XSLTPROC, xsltproc)
  if test -z "$XSLTPROC"; then
    AC_MSG_ERROR([--enable-introspection requires xsltproc])
  fi
  have_introspection=yes
  if test "$enable_gtk_doc" = "yes"; then
    build_docs=yes
  fi
 else
  if test "$enable_gtk_doc" = "yes"; then
    # large parts of the documentation require introspection/pygobject to extract
    # the documentation out of the source files. You cannot enable gtk-doc without alone.
    AC_MSG_ERROR(["--with-gtk-doc requires --enable-introspection"])
  fi
  have_introspection=no
 fi
 '''
 content_files = []
 subdir('introspection')
@ -1033,9 +1045,14 @@ if enable_qt != 'false'
  endif
 endif
 # The man/ directory builds a couple targets needed by the docs build too.
 # If we build with docs but no man, then enter the subdir and only build
 # some targets.
 if enable_docs or enable_man
  subdir('man')
 endif
 if enable_docs
  assert(enable_introspection, '-Ddocs=true requires -Dintrospection=true')
  subdir('man')
  subdir('docs')
  meson.add_dist_script(
    'tools/meson-dist-data.sh',
@ -1086,7 +1103,7 @@ meson.add_install_script(
  nm_pkgstatedir,
  nm_mandir,
  nm_sysconfdir,
-  enable_docs ? '1' : '0',
+  enable_man ? '1' : '0',
  enable_ifcfg_rh ? '1' : '0',
  enable_nm_cloud_setup ? '1' : '0',
  install_systemdunitdir ? '1' : '0',
@ -1096,6 +1113,7 @@ output = '\nSystem paths:\n'
 output += '  prefix: ' + nm_prefix + '\n'
 output += '  exec_prefix: ' + nm_prefix + '\n'
 output += '  systemdunitdir: ' + systemd_systemdsystemunitdir + '\n'
 output += '  systemdgeneratordir: ' + systemd_systemdsystemgeneratordir + '\n'
 output += '  udev_dir: ' + udev_udevdir + '\n'
 output += '  nmbinary: ' + nm_pkgsbindir + '\n'
 output += '  nmconfdir: ' + nm_pkgconfdir + '\n'
@ -1110,17 +1128,7 @@ output += '  dbus_conf_dir: ' + dbus_conf_dir + '\n'
 output += '\nPlatform:\n'
 output += '  session tracking: ' + ','.join(session_trackers) + '\n'
 output += '  suspend/resume: ' + suspend_resume + '\n'
-output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')'
+output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ', noauth_group: "' + polkit_noauth_group + '")\n'
 if enable_polkit
  output += ' ('
  if enable_modify_system
    output += 'permissive'
  else
    output += 'restrictive'
  endif
  output += ' modify.system)'
 endif
 output += '\n'
 output += '  polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n'
 output += '  selinux: ' + enable_selinux.to_string() + '\n'
 output += '  systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
@ -1148,6 +1156,7 @@ output += '  ofono: ' + enable_ofono.to_string() + '\n'
 output += '  concheck: ' + enable_concheck.to_string() + '\n'
 output += '  libteamdctl: ' + enable_teamdctl.to_string() + '\n'
 output += '  ovs: ' + enable_ovs.to_string() + '\n'
 output += '  clat: ' + enable_clat.to_string() + '\n'
 output += '  nmcli: ' + enable_nmcli.to_string() + '\n'
 output += '  nmtui: ' + enable_nmtui.to_string() + '\n'
 output += '  nm-cloud-setup: ' + enable_nm_cloud_setup.to_string() + '\n'
@ -1184,6 +1193,5 @@ output +=      'have-nss: ' + crypto_nss_dep.found().to_string() + ')\n'
 output += '  sanitizers: ' + get_option('b_sanitize') + '\n'
 output += '  Mozilla Public Suffix List: ' + enable_libpsl.to_string() + '\n'
 output += '  vapi: ' + enable_vapi.to_string() + '\n'
 output += '  ebpf: ' + enable_ebpf.to_string() + '\n'
 output += '  readline: ' + with_readline + '\n'
 message(output)
--- a/meson_options.txt
+++ b/meson_options.txt
@ -1,5 +1,6 @@
 # system paths
 option('systemdsystemunitdir', type: 'string', value: '', description: 'Directory for systemd service files')
 option('systemdsystemgeneratordir', type: 'string', value: '', description: 'Directory for systemd generator files')
 option('system_ca_path', type: 'string', value: '/etc/ssl/certs', description: 'path to system CA certificates')
 option('udev_dir', type: 'string', value: '', description: 'Absolute path of the udev base directory. Set to \'no\' not to install the udev rule')
 option('dbus_conf_dir', type: 'string', value: '', description: 'where D-Bus system.d directory is')
@ -18,7 +19,8 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'],
 option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support')
 option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.')
 option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.')
-option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections')
+option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)')
 option('polkit_noauth_group', type: 'string', value: '', description: 'Allow users of the selected group, typically sudo or wheel, to modify system connections without introducing a password (discouraged)')
 option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit')
 option('selinux', type: 'boolean', value: true, description: 'Build with SELinux')
 option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')
@ -28,7 +30,7 @@ option('hostname_persist', type: 'combo', choices: ['default', 'suse', 'gentoo',
 option('libaudit', type: 'combo', choices: ['yes', 'yes-disabled-by-default', 'no'], value: 'yes', description: 'Build with audit daemon support. yes-disabled-by-default enables support, but disables it unless explicitly configured via NetworkManager.conf')
 # features
-option('wext', type: 'boolean', value: true, description: 'Enable or disable Linux Wireless Extensions')
+option('wext', type: 'combo', choices: ['true', 'false', 'force' ], value: 'false', description: 'Enable or disable Linux Wireless Extensions (deprecated). wext support will be removed in a future release, don\'t rely on this.')
 option('wifi', type: 'boolean', value: true, description: 'enable Wi-Fi support')
 option('iwd', type: 'boolean', value: false, description: 'enable iwd support (experimental)')
 option('ppp', type: 'boolean', value: true, description: 'enable PPP/PPPoE support')
@ -44,8 +46,11 @@ option('nmcli', type: 'boolean', value: true, description: 'Build nmcli')
 option('nmtui', type: 'boolean', value: true, description: 'Build nmtui')
 option('nm_cloud_setup', type: 'boolean', value: true, description: 'Build nm-cloud-setup, a tool for automatically configuring networking in cloud')
 option('bluez5_dun', type: 'boolean', value: false, description: 'enable Bluez5 DUN support')
-option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support')
+option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support (deprecated)')
 option('nbft', type: 'boolean', value: true, description: 'Enable NBFT support in the initrd generator')
 option('clat', type: 'boolean', value: true, description: 'Build with CLAT support')
 option('bpf-compiler', type : 'combo', choices : ['auto', 'clang', 'gcc'],
       description : 'compiler used to build BPF programs')
 # configuration plugins
 option('config_plugins_default', type: 'string', value: '', description: 'Default configuration option for main.plugins setting, used as fallback if the configuration option is unset')
@ -67,6 +72,7 @@ option('config_dhcp_default', type: 'combo', choices: ['dhclient', 'dhcpcd', 'in
 option('introspection', type: 'boolean', value: true, description: 'Enable introspection for this build')
 option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
 option('docs', type: 'boolean', value: false, description: 'use to build documentation')
 option('man', type: 'boolean', value: true, description: 'Install manpages')
 option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
 option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
 option('more_asserts', type: 'string', value: 'auto', description: 'Enable more assertions for debugging (0 = no, 100 = all, default: auto)')
--- a/po/LINGUAS
+++ b/po/LINGUAS
@ -30,6 +30,7 @@ id
 it
 ja
 ka
 kk
 kn
 ko
 ku
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@ -1,16 +1,18 @@
 # List of source files containing translatable strings.
 # Please keep this file sorted alphabetically.
-data/org.freedesktop.NetworkManager.policy.in.in
+data/org.freedesktop.NetworkManager.policy.in
 src/core/NetworkManagerUtils.c
 src/core/devices/adsl/nm-device-adsl.c
 src/core/devices/bluetooth/nm-bluez-manager.c
 src/core/devices/bluetooth/nm-device-bt.c
 src/core/devices/nm-device.c
 src/core/devices/nm-device-6lowpan.c
 src/core/devices/nm-device-bond.c
 src/core/devices/nm-device-bridge.c
 src/core/devices/nm-device-dummy.c
 src/core/devices/nm-device-ethernet-utils.c
 src/core/devices/nm-device-ethernet.c
 src/core/devices/nm-device-geneve.c
 src/core/devices/nm-device-infiniband.c
 src/core/devices/nm-device-ip-tunnel.c
 src/core/devices/nm-device-loopback.c
@ -46,6 +48,7 @@ src/libnm-client-impl/nm-device-bt.c
 src/libnm-client-impl/nm-device-dummy.c
 src/libnm-client-impl/nm-device-ethernet.c
 src/libnm-client-impl/nm-device-generic.c
 src/libnm-client-impl/nm-device-geneve.c
 src/libnm-client-impl/nm-device-hsr.c
 src/libnm-client-impl/nm-device-infiniband.c
 src/libnm-client-impl/nm-device-ip-tunnel.c
@ -90,6 +93,7 @@ src/libnm-core-impl/nm-setting-connection.c
 src/libnm-core-impl/nm-setting-dcb.c
 src/libnm-core-impl/nm-setting-ethtool.c
 src/libnm-core-impl/nm-setting-generic.c
 src/libnm-core-impl/nm-setting-geneve.c
 src/libnm-core-impl/nm-setting-gsm.c
 src/libnm-core-impl/nm-setting-hsr.c
 src/libnm-core-impl/nm-setting-infiniband.c
--- a/po/bg.po
+++ b/po/bg.po
--- a/po/ca.po
+++ b/po/ca.po
@ -8,14 +8,15 @@
 # Lubomir Rintel <lkundrak@v3.sk>, 2016. #zanata
 # Lubomir Rintel <lkundrak@v3.sk>, 2017. #zanata
 # Thomas Haller <thaller@redhat.com>, 2017. #zanata
 # Jordi Mas i Hernàndez <jmas@softcatala.org>, 2025
 msgid ""
 msgstr ""
 "Project-Id-Version: NetworkManager\n"
 "Report-Msgid-Bugs-To: https://gitlab.freedesktop.org/NetworkManager/"
 "NetworkManager/issues\n"
 "POT-Creation-Date: 2023-06-16 15:26+0000\n"
-"PO-Revision-Date: 2023-06-17 00:07+0200\n"
+"PO-Revision-Date: 2025-09-28 00:07+0200\n"
-"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Last-Translator: Jordi Mas i Hernàndez <jmas@softcatala.org>\n"
 "Language-Team: Catalan <tradgnome@softcatala.org>\n"
 "Language: ca\n"
 "MIME-Version: 1.0\n"
@ -355,7 +356,7 @@ msgstr "Connexió WPAN"
 #: src/core/devices/team/nm-device-team.c:131
 msgid "Team connection"
-msgstr "Connexió equip"
+msgstr "Connexió d'equip"
 #: src/core/devices/wifi/nm-device-olpc-mesh.c:112 src/nmcli/devices.c:1400
 msgid "Mesh"
@ -648,7 +649,7 @@ msgstr "Surt després de la configuració inicial"
 #: src/core/nm-config.c:639
 msgid "Don't become a daemon, and log to stderr"
 msgstr ""
-"No et converteixis en un dimoni, i envia el registre a la sortida estàndard"
+"No et converteixis en un dimoni, i envia el registre a la sortida d'error"
 #: src/core/nm-config.c:648
 msgid "An http(s) address for checking internet connectivity"
@ -795,7 +796,7 @@ msgstr "La connexió no era una connexió Ethernet o PPPoE."
 #: src/libnm-client-impl/nm-device-ethernet.c:206
 msgid "The connection and device differ in S390 subchannels."
-msgstr "La connexió i el dispositiu difereixen als subcanals 5930."
+msgstr "La connexió i el dispositiu difereixen als subcanals S390."
 #: src/libnm-client-impl/nm-device-ethernet.c:223
 #, c-format
@ -881,7 +882,7 @@ msgstr "La connexió no era una connexió tun."
 #: src/libnm-client-impl/nm-device-team.c:124
 msgid "The connection was not a team connection."
-msgstr "La connexió no era una connexió equip."
+msgstr "La connexió no era una connexió d'equip."
 #: src/libnm-client-impl/nm-device-tun.c:204
 msgid "The connection was not a tun connection."
@ -1325,27 +1326,27 @@ msgstr ""
 #: src/libnm-core-impl/nm-keyfile.c:333
 msgid "ignoring missing number"
-msgstr "s'ignorarà el número faltant"
+msgstr "s'ignora el número faltant"
 #: src/libnm-core-impl/nm-keyfile.c:345
 #, c-format
 msgid "ignoring invalid number '%s'"
-msgstr "s'ignorarà el número «%s» no vàlid"
+msgstr "s'ignora el número «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:374
 #, c-format
 msgid "ignoring invalid %s address: %s"
-msgstr "s'ignorarà l'adreça %s no vàlida: %s"
+msgstr "s'ignora l'adreça %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:420
 #, c-format
 msgid "ignoring invalid gateway '%s' for %s route"
-msgstr "s'ignorarà la passarel·la «%s» no vàlida per a la ruta %s"
+msgstr "s'ignora la passarel·la «%s» no vàlida per a la ruta %s"
 #: src/libnm-core-impl/nm-keyfile.c:442
 #, c-format
 msgid "ignoring invalid %s route: %s"
-msgstr "s'ignorarà la ruta %s no vàlida: %s"
+msgstr "s'ignora la ruta %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:620
 #, c-format
@ -1361,7 +1362,7 @@ msgstr "caràcter «%c» inesperat per a %s: «%s» (posició %td)"
 #, c-format
 msgid "unexpected character '%c' in prefix length for %s: '%s' (position %td)"
 msgstr ""
-"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)<"
+"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)"
 #: src/libnm-core-impl/nm-keyfile.c:669
 #, c-format
@ -1413,11 +1414,11 @@ msgstr "s'ignorarà l'adreça %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:1518
 msgid "ignoring invalid SSID"
-msgstr "s'ignorarà l'SSID no vàlida"
+msgstr "s'ignora l'SSID no vàlida"
 #: src/libnm-core-impl/nm-keyfile.c:1536
 msgid "ignoring invalid raw password"
-msgstr "s'ignorarà la contrasenya sense processar no vàlida"
+msgstr "s'ignora la contrasenya sense processar no vàlida"
 #: src/libnm-core-impl/nm-keyfile.c:1681
 msgid "invalid key/cert value"
@ -1458,7 +1459,7 @@ msgstr "valor de paritat «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:1958 src/libnm-core-impl/nm-keyfile.c:3540
 #, c-format
 msgid "invalid setting: %s"
-msgstr "el paràmetre no és vàlid: «%s»"
+msgstr "el paràmetre no és vàlid: %s"
 #: src/libnm-core-impl/nm-keyfile.c:1978
 #, fuzzy, c-format
@ -1973,7 +1974,7 @@ msgstr "file:// URI no és UTF-8 vàlida"
 #: src/libnm-core-impl/nm-setting-connection.c:1501
 msgid "invalid permissions not in format \"user:$UNAME[:]\""
-msgstr "els permisos no són vàlids, no estan en el format «user:$UNANE[:]"
+msgstr "els permisos no són vàlids, no estan en el format «user:$UNAME[:]"
 #: src/libnm-core-impl/nm-setting-connection.c:1530
 #, c-format
@ -2086,7 +2087,7 @@ msgstr "«%s» no és un número"
 #: src/libnm-core-impl/nm-setting-gsm.c:479
 msgid "property is empty or wrong size"
-msgstr "la propietat és buda o de mida incorrecta"
+msgstr "la propietat és buida o de mida incorrecta"
 #: src/libnm-core-impl/nm-setting-gsm.c:492
 msgid "property must contain only digits"
@ -2098,12 +2099,12 @@ msgstr "no es pot activar quan hi ha una configuració manual"
 #: src/libnm-core-impl/nm-setting-infiniband.c:215
 msgid "Must specify a P_Key if specifying parent"
-msgstr "S'ha d'especificar una P-Key si s'especifica el pare"
+msgstr "S'ha d'especificar una P_Key si s'especifica el pare"
 #: src/libnm-core-impl/nm-setting-infiniband.c:226
 msgid "InfiniBand P_Key connection did not specify parent interface name"
 msgstr ""
-"La connexió InfiniBand P_Key no ha especificat el nom de l'interfície pare"
+"La connexió InfiniBand P_Key no ha especificat el nom de la interfície pare"
 #: src/libnm-core-impl/nm-setting-infiniband.c:234
 msgid "the values 0 and 0x8000 are not allowed"
@ -2156,12 +2157,12 @@ msgstr "Adreça IPv4 «%s» no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:106
 #, c-format
 msgid "Invalid IPv4 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv4 no vàlida"
+msgstr "Prefix «%u» d'adreça IPv4 no vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:107
 #, c-format
 msgid "Invalid IPv6 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv6 no vàlida<"
+msgstr "Prefix «%u» d'adreça IPv6 no vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:124
 #, c-format
@ -2208,7 +2209,7 @@ msgstr "el prefix %s no és vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1423
 #, c-format
 msgid "%s is not a valid route type"
-msgstr "%s no és un nom de ruta vàlid"
+msgstr "%s no és un tipus de ruta vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1442
 #, fuzzy
@ -2432,7 +2433,7 @@ msgstr "La ruta %d. no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5638
 #, c-format
 msgid "invalid attribute: %s"
-msgstr "atribut no vàlid: «%s»"
+msgstr "atribut no vàlid: %s"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5658
 #, c-format
@ -4105,7 +4106,7 @@ msgstr "«%s» no és vàlid; useu [%s] or [%s]"
 #: src/libnmc-base/nm-client-utils.c:176
 #, c-format
 msgid "'%s' is not valid; use [%s], [%s] or [%s]"
-msgstr "«%s» no és vàld, useu [%s], [%s] o [%s]"
+msgstr "«%s» no és vàlid, useu [%s], [%s] o [%s]"
 #: src/libnmc-base/nm-client-utils.c:230
 #, c-format
@ -4676,7 +4677,7 @@ msgstr "clau privada no vàlida"
 #, fuzzy, c-format
 msgid "Secrets are required to connect WireGuard VPN '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:620
@ -4698,7 +4699,7 @@ msgid ""
 "Passwords or encryption keys are required to access the wireless network "
 "'%s'."
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:886
@ -4709,7 +4710,7 @@ msgstr "Autenticació 802.1X de xarxa amb fil"
 #, fuzzy, c-format
 msgid "Secrets are required to access the wired network '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:893
@ -5418,9 +5419,9 @@ msgid ""
 msgstr ""
 "Entreu els bytes com una llista de valors hexadecimals.\n"
 "S'accepten dos formats:\n"
-"(a) una cadena de dígits exadecimals, on cada dos dígits representen un "
+"(a) una cadena de dígits hexadecimals, on cada dos dígits representen un "
 "byte\n"
-"(b) una llista separada per espais de bytes escrits com a dígits hexadecimas "
+"(b) una llista separada per espais de bytes escrits com a dígits hexadecimals "
 "(amb prefix opcional 0x/0X,i un 0 inicial opcional).\n"
 "\n"
 "Exemples: ab0455a6ea3a74C2\n"
@ -5493,7 +5494,7 @@ msgstr "Demora cap endavant"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5280
 #: src/nmtui/nmt-page-bridge.c:134
 msgid "Hello time"
-msgstr "Temps de benviguda"
+msgstr "Temps de benvinguda"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5286
 #: src/nmtui/nmt-page-bridge.c:148
@ -5567,7 +5568,7 @@ msgid ""
 msgstr ""
 "Entreu les connexions secundàries que s'haurien d'activar quan s'activa "
 "aquesta connexió. Les connexions es poden especificar o bé per UUID o per ID "
-"(nom). L'nmcli tradueix transparentment els noms a UUID. Noteu que el "
+"(nom). nmcli tradueix transparentment els noms a UUID. Noteu que el "
 "NetworkManager actualment sols dóna suport els VPN com a connexions "
 "secundàries.\n"
 "Els elements es poden separar per comes o espais.\n"
@ -5676,7 +5677,7 @@ msgid ""
 "  priority [prio] [from [src]] [to [dst]], ,...\n"
 "\n"
 msgstr ""
-"Introduïu una llista de regles d'encaminanent IPv4 amb el següent format:\n"
+"Introduïu una llista de regles d'encaminament IPv4 amb el següent format:\n"
 "  priority [prioritat] [from [origen]] [to [destí]], ,...\n"
 "\n"
 "\n"
@ -5696,7 +5697,7 @@ msgstr ""
 "configuració IPv6 \n"
 "és «auto» aquests servidors DNS s'annexen als que retorna (si retorna cap) "
 "la \n"
-"configuració automatica. Els servidors DNS no es poden usar amb els métodes "
+"configuració automàtica. Els servidors DNS no es poden usar amb els mètodes "
 "de \n"
 "configuracó DNS «shared» o «link-local», atès que no hi una xarxa superior. "
 "A tots\n"
@ -8151,12 +8152,12 @@ msgstr ""
 "canonada (|) o un ampersand (&). El primer indica que l'element és opcional "
 "i el segon significa que és obligatori. Si hi ha algun element opcional, "
 "llavors la coincidència avalua a cert si almenys un dels elements opcionals "
-"coincideix (O lògicà). Si hi ha elements obligatoris, llavors tots han de "
+"coincideix (O lògica). Si hi ha elements obligatoris, llavors tots han de "
 "coincidir (I lògica). Per defecte, un element és opcional. Això significa "
 "que un element «foo» es comporta igual que «|foo». Un element també es pot "
 "invertir amb el símbol d'exclamació (!) entre el símbol de la canonada (o de "
 "l'ampersand) i abans del patró. Tingueu en compte que «!foo» és una drecera "
-"per al patró obligatòri «&!foo». Finalment, es pot utilitzar una barra "
+"per al patró obligatori «&!foo». Finalment, es pot utilitzar una barra "
 "inversa al començament de l'element (després dels caràcters especials "
 "opcionals) per no considerar-lo inici del patró. Per exemple, «\\!a» és una "
 "coincidència obligatòria per literalment «!a»."
@ -10722,7 +10723,7 @@ msgstr "Error: «%s» no és una connexió activa.\n"
 #: src/nmcli/connections.c:3436
 msgid "Error: not all active connections found."
-msgstr "Error: No s'han trobar totes les connexions actives."
+msgstr "Error: No s'han trobat totes les connexions actives."
 #: src/nmcli/connections.c:3444
 msgid "Error: no active connection provided."
@ -11041,7 +11042,7 @@ msgstr ""
 "Verifica si el paràmetre o la connexió és vàlida i es pot desar més tard.\n"
 "Indica valors no vàlids quan hi ha un error. Alguns errors es poden "
 "corregir\n"
-"automàticaent amb l'opció «fix».\n"
+"automàticament amb l'opció «fix».\n"
 "\n"
 "Exemples: nmcli> verify\n"
 "          nmcli> verify fix\n"
@ -11063,7 +11064,7 @@ msgid ""
 msgstr ""
 "save [persistent|temporary]  :: desa la connexió\n"
 "\n"
-"Envia el perfil de la connexió al NetworManager que o bé la desarà de forma\n"
+"Envia el perfil de la connexió al NetworkManager que o bé la desarà de forma\n"
 "persistent o bé sols la mantindrà a la memòria. «desa» sense cap argument\n"
 "significa «desa de forma persistent».\n"
 "Noteu que un cop que deseu el perfile de forma persistent aquestes "
@ -11485,7 +11486,7 @@ msgstr "Opció no vàlida de verificació: %s\n"
 #: src/nmcli/connections.c:8486
 #, c-format
 msgid "Verify setting '%s': %s\n"
-msgstr "Verifica el paràmere «%s»: %s\n"
+msgstr "Verifica el paràmetre «%s»: %s\n"
 #: src/nmcli/connections.c:8501
 #, c-format
@ -11552,12 +11553,12 @@ msgstr "Error: no es pot activar la connexió: %s.\n"
 #: src/nmcli/connections.c:8679
 #, c-format
 msgid "Error: Failed to activate '%s' (%s) connection: %s\n"
-msgstr "Error: no s'ha pogut desconnectar la connexió «%s» (%s): %s\n"
+msgstr "Error: no s'ha pogut activar la connexió «%s» (%s): %s\n"
 #: src/nmcli/connections.c:8686
 msgid "Monitoring connection activation (press any key to continue)\n"
 msgstr ""
-"S'està supervisant l'activació de la connexio (premeu qualsevol teclar per "
+"S'està supervisant l'activació de la connexió (premeu qualsevol tecla per "
 "continuar)\n"
 #: src/nmcli/connections.c:8721
@ -11582,7 +11583,7 @@ msgstr "Configuració actual del nmcli:\n"
 #: src/nmcli/connections.c:8753
 #, c-format
 msgid "Invalid configuration option '%s'; allowed [%s]\n"
-msgstr "Opció de configuració no vàida: «%s»; es permet [%s]\n"
+msgstr "Opció de configuració no vàlida: «%s»; es permet [%s]\n"
 #: src/nmcli/connections.c:8985
 #, fuzzy
@ -12396,7 +12397,7 @@ msgstr "Error: no s'ha pogut afegir/activar la connexió nova: %s"
 #: src/nmcli/devices.c:2266
 #, c-format
 msgid "Error: Device activation failed: %s"
-msgstr "Error: no s'ha pogut activar el dispositu: %s"
+msgstr "Error: no s'ha pogut activar el dispositiu: %s"
 #: src/nmcli/devices.c:2322
 #, c-format
@ -12603,7 +12604,7 @@ msgstr "Contrasenya: "
 #: src/nmcli/devices.c:4172
 #, c-format
 msgid "'%s' is not valid WPA PSK"
-msgstr "«%s» no és una WPS PSK vàlida"
+msgstr "«%s» no és una WPA PSK vàlida"
 #: src/nmcli/devices.c:4193
 #, c-format
@ -13538,7 +13539,7 @@ msgstr "Error: s'esperava l'argument «%s», però s'ha proporcionat «%s»."
 #: src/nmcli/utils.c:315
 #, c-format
 msgid "Error: Unexpected argument '%s'"
-msgstr "Error: argument inesperat «%s»."
+msgstr "Error: argument inesperat «%s»"
 #: src/nmcli/utils.c:702
 #, fuzzy, c-format
@ -13897,7 +13898,7 @@ msgstr "«%s» <"
 #. NB: the ordering/numbering here corresponds to NmtPageBondMonitoringMode
 #: src/nmtui/nmt-page-bond.c:92
 msgid "MII (recommended)"
-msgstr "MII (recomendat)"
+msgstr "MII (recomanat)"
 #: src/nmtui/nmt-page-bond.c:93
 msgid "ARP"
@ -14543,7 +14544,7 @@ msgstr ""
 #: src/nmtui/nmtui-edit.c:394 src/nmtui/nmtui-edit.c:410
 msgid "New Connection"
-msgstr "Connexions nova"
+msgstr "Connexió nova"
 #: src/nmtui/nmtui-edit.c:452
 #, c-format
--- a/po/it.po
+++ b/po/it.po
@ -12596,7 +12596,7 @@ msgstr "Digitare «help» o «?» per i comandi disponibili."
 #. TRANSLATORS: do not translate 'print', leave it as it is
 #: src/nmcli/connections.c:9072
 msgid "Type 'print' to show all the connection properties."
-msgstr "Digitare «stampa» per mostrare tutte le proprietà della connessione."
+msgstr "Digitare «print» per mostrare tutte le proprietà della connessione."
 #. TRANSLATORS: do not translate 'describe', leave it as it is
 #: src/nmcli/connections.c:9075
--- a/po/kk.po
+++ b/po/kk.po
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
--- a/po/ru.po
+++ b/po/ru.po
--- a/po/sk.po
+++ b/po/sk.po
--- a/po/sl.po
+++ b/po/sl.po
--- a/po/sr.po
+++ b/po/sr.po
--- a/po/sr@latin.po
+++ b/po/sr@latin.po
--- a/po/tr.po
+++ b/po/tr.po
--- a/src/contrib/nm-vpn-plugin-utils.c
+++ b/src/contrib/nm-vpn-plugin-utils.c
@ -155,3 +155,33 @@ nm_vpn_plugin_utils_load_editor(const char                   *module_path,
    g_return_val_if_fail(NM_IS_VPN_EDITOR(editor), NULL);
    return editor;
 }
 char *
 nm_vpn_plugin_utils_get_cert_path(const char *plugin)
 {
    const char *path;
    g_return_val_if_fail(plugin, NULL);
    /* Users can set NM_CERT_PATH=~/.cert to be compatible with the certificate
     * directory used in the past. */
    path = g_getenv("NM_CERT_PATH");
    if (path)
        return g_build_filename(path, plugin, NULL);
    /* Otherwise use XDG_DATA_HOME. We use subdirectory "networkmanagement/certificates"
     * because the SELinux policy already has rules to set the correct labels in that
     * directory. */
    path = g_getenv("XDG_DATA_HOME");
    if (path)
        return g_build_filename(path, "networkmanagement", "certificates", plugin, NULL);
    /* Use the default value for XDG_DATA_HOME */
    return g_build_filename(g_get_home_dir(),
                            ".local",
                            "share",
                            "networkmanagement",
                            "certificates",
                            plugin,
                            NULL);
 }
--- a/src/contrib/nm-vpn-plugin-utils.h
+++ b/src/contrib/nm-vpn-plugin-utils.h
@ -24,4 +24,6 @@ NMVpnEditor *nm_vpn_plugin_utils_load_editor(const char                   *modul
                                             gpointer                      user_data,
                                             GError                      **error);
 char *nm_vpn_plugin_utils_get_cert_path(const char *plugin);
 #endif /* __NM_VPN_PLUGIN_UTILS_H__ */
--- a/src/core/NetworkManagerUtils.c
+++ b/src/core/NetworkManagerUtils.c
@ -1495,11 +1495,10 @@ nm_utils_ip_route_attribute_to_platform(int                addr_family,
        r4->scope_inv = nm_platform_route_scope_inv(scope);
    }
-    /* Note that for IPv4 routes in kernel, the onlink flag can be set for
+    /* For IPv4 routes in kernel, the onlink flag is per-nexthop (rtnh_flags).
-     * each next hop separately (rtnh_flags). Not for NetworkManager. We can
+     * Here we set the flag on r_rtm_flags which represents the first nexthop's
-     * only merge routes as ECMP routes (when setting a weight) if they all
+     * flags. For ECMP routes, each nexthop carries its own onlink flag, so
-     * share the same onlink flag. See NM_PLATFORM_IP_ROUTE_CMP_TYPE_ECMP_ID.
+     * routes with different onlink settings per-nexthop can be merged. */
     * That simplifies the code. */
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_ONLINK, onlink, BOOLEAN, boolean, FALSE);
    r->r_rtm_flags = ((onlink) ? (unsigned) RTNH_F_ONLINK : 0u);
--- a/src/core/bpf/clat.bpf.c
+++ b/src/core/bpf/clat.bpf.c
--- a/src/core/bpf/clat.h
+++ b/src/core/bpf/clat.h
@ -0,0 +1,30 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #ifndef __NAT64_H__
 #define __NAT64_H__
 #include <linux/in6.h>
 struct clat_config {
    struct in6_addr local_v6;
    struct in6_addr pref64;
    struct in_addr  local_v4;
    unsigned        pref64_len;
 };
 struct clat_stats {
    /* egress: v4 to v6 */
    __u64 egress_tcp;
    __u64 egress_udp;
    __u64 egress_icmp;
    __u64 egress_other;
    __u64 egress_dropped;
    /* ingress: v6 to v4 */
    __u64 ingress_tcp;
    __u64 ingress_udp;
    __u64 ingress_icmp;
    __u64 ingress_other;
    __u64 ingress_fragment;
    __u64 ingress_dropped;
 };
 #endif
--- a/src/core/bpf/meson.build
+++ b/src/core/bpf/meson.build
@ -0,0 +1,239 @@
 # SPDX-License-Identifier: LGPL-2.1+
 # Ripped from systemd: https://github.com/systemd/systemd/pull/20429
 if not enable_clat
  subdir_done()
 endif
 bpf_compiler = get_option('bpf-compiler')
 clang_found = false
 clang_supports_bpf = false
 bpf_gcc_found = false
 bpftool_strip = false
 if bpf_compiler == 'clang' or bpf_compiler == 'auto'
  # Support 'versioned' clang/llvm-strip binaries, as seen on Debian/Ubuntu
  # (like clang-10/llvm-strip-10)
  if meson.is_cross_build() or cc.get_id() != 'clang' or cc.cmd_array()[0].contains('afl-clang') or cc.cmd_array()[0].contains('hfuzz-clang')
    r = find_program('clang',
                     version : '>= 10.0.0')
    clang_found = r.found()
    if clang_found
      if meson.version().version_compare('>= 0.55')
        clang = r.full_path()
      else
        clang = r.path()
      endif
    endif
  else
    clang_found = true
    clang = cc.cmd_array()
  endif
  if clang_found
    # Check if 'clang -target bpf' is supported.
    clang_supports_bpf = run_command(clang, '-target', 'bpf', '--print-supported-cpus', check : false).returncode() == 0
  endif
 elif bpf_compiler == 'gcc' or bpf_compiler == 'auto'
  bpf_gcc = find_program('bpf-gcc',
                         'bpf-none-gcc',
                         'bpf-unknown-none-gcc',
                         version : '>= 13.1.0')
  bpf_gcc_found = bpf_gcc.found()
 endif
 if bpf_compiler == 'auto'
  if clang_supports_bpf and bpf_gcc_found
    # Both supported, prefer the one matching our compiler:
    if cc.get_id() == 'gcc'
      bpf_compiler = 'gcc'
    else
      # Default to clang if we don't know this compiler
      bpf_compiler = 'clang'
    endif
  elif clang_supports_bpf
    bpf_compiler = 'clang'
  elif bpf_gcc_found
    bpf_compiler = 'clang'
  endif
 endif
 if clang_supports_bpf or bpf_gcc_found
  # Debian installs this in /usr/sbin/ which is not in $PATH.
  # We check for 'bpftool' first, honouring $PATH, and in /usr/sbin/ for Debian.
  # We use 'bpftool gen object' subcommand for bpftool strip, it was added by d80b2fcbe0a023619e0fc73112f2a02c2662f6ab (v5.13).
  bpftool = find_program('bpftool',
                         '/usr/sbin/bpftool',
                         required : bpf_compiler == 'gcc',
                         version : bpf_compiler == 'gcc' ? '>= 7.0.0' : '>= 5.13.0')
  if bpftool.found()
    bpftool_strip = true
  elif bpf_compiler == 'clang'
    # We require the 'bpftool gen skeleton' subcommand, it was added by 985ead416df39d6fe8e89580cc1db6aa273e0175 (v5.6).
    bpftool = find_program('bpftool',
                           '/usr/sbin/bpftool',
                           required : true,
                           version : '>= 5.6.0')
  endif
  # We use `llvm-strip` as a fallback if `bpftool gen object` strip support is not available.
  if not bpftool_strip and bpftool.found() and clang_supports_bpf
    if not meson.is_cross_build()
      llvm_strip_bin = run_command(clang, '--print-prog-name', 'llvm-strip',
                                   check : true).stdout().strip()
    else
      llvm_strip_bin = 'llvm-strip'
    endif
    llvm_strip = find_program(llvm_strip_bin,
                              required : true,
                              version : '>= 10.0.0')
  endif
 else
  error('clat support was enabled but couldn\'t find a suitable BPF compiler!')
 endif
 bpf_clang_flags = [
  '-std=gnu17',
  '-Wunused',
  '-Wimplicit-fallthrough',
  '-Wno-compare-distinct-pointer-types',
  '-fno-stack-protector',
  '-O2',
  '-target',
  'bpf',
  '-g',
  '-c',
 ]
 bpf_gcc_flags = [
  '-std=gnu17',
  '-Wunused',
  '-Wimplicit-fallthrough',
  '-fno-stack-protector',
  '-fno-ssa-phiopt',
  '-O2',
  '-mcpu=v3',
  '-mco-re',
  '-gbtf',
  '-c',
 ]
 clang_arch_flag = '-D__@0@__'.format(host_machine.cpu_family())
 libbpf_include_dir = dependency('libbpf').get_variable(pkgconfig : 'includedir')
 # Generate defines that are appropriate to tell the compiler what architecture
 # we're compiling for. By default we just map meson's cpu_family to __<cpu_family>__.
 # This dictionary contains the exceptions where this doesn't work.
 #
 # C.f. https://mesonbuild.com/Reference-tables.html#cpu-families
 # and src/basic/missing_syscall_def.h.
 cpu_arch_defines = {
  'ppc'         : ['-D__powerpc__', '-D__TARGET_ARCH_powerpc'],
  'ppc64'       : ['-D__powerpc64__', '-D__TARGET_ARCH_powerpc', '-D_CALL_ELF=2'],
  'riscv32'     : ['-D__riscv', '-D__riscv_xlen=32', '-D__TARGET_ARCH_riscv'],
  'riscv64'     : ['-D__riscv', '-D__riscv_xlen=64', '-D__TARGET_ARCH_riscv'],
  'x86'         : ['-D__i386__', '-D__TARGET_ARCH_x86'],
  's390x'       : ['-D__s390__', '-D__s390x__', '-D__TARGET_ARCH_s390'],
  # For arm, assume hardware fp is available.
  'arm'         : ['-D__arm__', '-D__ARM_PCS_VFP', '-D__TARGET_ARCH_arm'],
  'loongarch64' : ['-D__loongarch__', '-D__loongarch_grlen=64', '-D__TARGET_ARCH_loongarch']
 }
 bpf_arch_flags = cpu_arch_defines.get(host_machine.cpu_family(),
                                      ['-D__@0@__'.format(host_machine.cpu_family())])
 if bpf_compiler == 'gcc'
  bpf_arch_flags += ['-m' + host_machine.endian() + '-endian']
 endif
 bpf_o_unstripped_cmd = []
 if bpf_compiler == 'clang'
  bpf_o_unstripped_cmd += [
    clang,
    bpf_clang_flags,
    bpf_arch_flags,
  ]
 elif bpf_compiler == 'gcc'
  bpf_o_unstripped_cmd += [
    bpf_gcc,
    bpf_gcc_flags,
    bpf_arch_flags,
  ]
 endif
 bpf_o_unstripped_cmd += ['-I.']
 if cc.get_id() == 'gcc' or meson.is_cross_build()
  if cc.get_id() != 'gcc'
    warning('Cross compiler is not gcc. Guessing the target triplet for bpf likely fails.')
  endif
  target_triplet_cmd = run_command(cc.cmd_array(), '-print-multiarch', check: false)
 else
  # clang does not support -print-multiarch (D133170) and its -dump-machine
  # does not match multiarch. Query gcc instead.
  target_triplet_cmd = run_command('gcc', '-print-multiarch', check: false)
 endif
 if target_triplet_cmd.returncode() == 0
  target_triplet = target_triplet_cmd.stdout().strip()
  bpf_o_unstripped_cmd += [
    '-isystem',
    '/usr/include/@0@'.format(target_triplet)
  ]
 endif
 bpf_o_unstripped_cmd += [
  '-idirafter',
  libbpf_include_dir,
  '@INPUT@',
  '-o',
  '@OUTPUT@'
 ]
 if bpftool_strip
  bpf_o_cmd = [
    bpftool,
    'gen',
    'object',
    '@OUTPUT@',
    '@INPUT@'
  ]
 elif bpf_compiler == 'clang'
  bpf_o_cmd = [
    llvm_strip,
    '-g',
    '@INPUT@',
    '-o',
    '@OUTPUT@'
  ]
 endif
 skel_h_cmd = [
  bpftool,
  'g',
  's',
  '@INPUT@'
 ]
 clat_bpf_o_unstripped = custom_target(
  'clat.bpf.unstripped.o',
  input : 'clat.bpf.c',
  output : 'clat.bpf.unstripped.o',
  command : bpf_o_unstripped_cmd)
 clat_bpf_o = custom_target(
  'clat.bpf.o',
  input : clat_bpf_o_unstripped,
  output : 'clat.bpf.o',
  command : bpf_o_cmd)
 clat_skel_h = custom_target(
  'clat.skel.h',
  input : clat_bpf_o,
  output : 'clat.skel.h',
  command : skel_h_cmd,
  capture : true)
--- a/src/core/devices/nm-device-bond.c
+++ b/src/core/devices/nm-device-bond.c
@ -52,11 +52,12 @@
        NM_SETTING_BOND_OPTION_PACKETS_PER_SLAVE, NM_SETTING_BOND_OPTION_PRIMARY_RESELECT, \
        NM_SETTING_BOND_OPTION_RESEND_IGMP, NM_SETTING_BOND_OPTION_USE_CARRIER,            \
        NM_SETTING_BOND_OPTION_XMIT_HASH_POLICY, NM_SETTING_BOND_OPTION_NUM_GRAT_ARP,      \
-        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX
+        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY
 #define OPTIONS_REAPPLY_FULL                                                        \
    OPTIONS_REAPPLY_SUBSET, NM_SETTING_BOND_OPTION_ACTIVE_SLAVE,                    \
-        NM_SETTING_BOND_OPTION_ARP_IP_TARGET, NM_SETTING_BOND_OPTION_NS_IP6_TARGET
+        NM_SETTING_BOND_OPTION_ARP_IP_TARGET, NM_SETTING_BOND_OPTION_NS_IP6_TARGET, \
        NM_SETTING_BOND_OPTION_ARP_MISSED_MAX
 /*****************************************************************************/
@ -501,6 +502,8 @@ _platform_lnk_bond_init_from_setting(NMSettingBond *s_bond, NMPlatformLnkBond *p
    props->lp_interval_has      = props->lp_interval != 1;
    props->tlb_dynamic_lb_has   = NM_IN_SET(props->mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB);
    props->lacp_active_has      = NM_IN_SET(props->mode, NM_BOND_MODE_8023AD);
    props->arp_missed_max_has =
        !NM_IN_SET(props->mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB, NM_BOND_MODE_8023AD);
 }
 static void
@ -907,6 +910,8 @@ reapply_connection(NMDevice *device, NMConnection *con_old, NMConnection *con_ne
    set_bond_arp_ip_targets(device, s_bond);
    set_bond_attrs_or_default(device, s_bond, NM_MAKE_STRV(OPTIONS_REAPPLY_SUBSET));
    if (!NM_IN_SET(mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB, NM_BOND_MODE_8023AD))
        set_bond_attr_or_default(device, s_bond, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX);
    _balance_slb_setup(self, con_new);
 }
--- a/src/core/devices/nm-device-bridge.c
+++ b/src/core/devices/nm-device-bridge.c
@ -1066,7 +1066,7 @@ attach_port(NMDevice                  *device,
            plat_vlans = setting_vlans_to_platform(vlans, &num_vlans);
-            /* Since the link was just enportd, there are no existing VLANs
+            /* Since the link was just attached, there are no existing VLANs
             * (except for the default one) and so there's no need to flush. */
            if (plat_vlans
--- a/src/core/devices/nm-device-ethernet.c
+++ b/src/core/devices/nm-device-ethernet.c
@ -14,7 +14,6 @@
 #include <libudev.h>
 #include <linux/if_ether.h>
 #include "NetworkManagerUtils.h"
 #include "NetworkManagerUtils.h"
 #include "libnm-core-aux-intern/nm-libnm-core-utils.h"
 #include "libnm-core-intern/nm-core-internal.h"
@ -630,10 +629,17 @@ build_supplicant_config(NMDeviceEthernet *self, GError **error)
    mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                   nm_device_get_ifindex(NM_DEVICE(self)));
-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
                                      nm_utils_get_connection_first_permissions_user(connection));
    security = nm_connection_get_setting_802_1x(connection);
-    if (!nm_supplicant_config_add_setting_8021x(config, security, con_uuid, mtu, TRUE, error)) {
+    if (!nm_supplicant_config_add_setting_8021x(config,
                                                security,
                                                con_uuid,
                                                mtu,
                                                TRUE,
                                                nm_device_get_private_files(NM_DEVICE(self)),
                                                error)) {
        g_prefix_error(error, "802-1x-setting: ");
        g_clear_object(&config);
    }
@ -701,6 +707,9 @@ supplicant_iface_start(NMDeviceEthernet *self)
    NMDeviceEthernetPrivate            *priv   = NM_DEVICE_ETHERNET_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
    NMActRequest                       *request;
    NMActiveConnection                 *controller_ac;
    NMDevice                           *controller;
    config = build_supplicant_config(self, &error);
    if (!config) {
@ -715,6 +724,16 @@ supplicant_iface_start(NMDeviceEthernet *self)
    }
    nm_supplicant_interface_disconnect(priv->supplicant.iface);
    /* Tell the supplicant in which bridge the interface is */
    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
        && (controller = nm_active_connection_get_device(controller_ac))
        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
    } else
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
@ -1894,7 +1913,7 @@ get_ip_method_auto(NMDevice *device, int addr_family)
        /* We cannot do DHCPv4 on a PPP link, instead we get "auto" IP addresses
         * by pppd. Return "manual" here, which has the suitable effect to a
         * (zero) manual addresses in addition. */
-        return NM_SETTING_IP6_CONFIG_METHOD_MANUAL;
+        return NM_SETTING_IP4_CONFIG_METHOD_MANUAL;
    }
    return NM_SETTING_IP6_CONFIG_METHOD_AUTO;
--- a/src/core/devices/nm-device-factory.c
+++ b/src/core/devices/nm-device-factory.c
@ -412,6 +412,7 @@ nm_device_factory_manager_load_factories(NMDeviceFactoryManagerFactoryFunc callb
    _ADD_INTERNAL(nm_dummy_device_factory_get_type);
    _ADD_INTERNAL(nm_ethernet_device_factory_get_type);
    _ADD_INTERNAL(nm_generic_device_factory_get_type);
    _ADD_INTERNAL(nm_geneve_device_factory_get_type);
    _ADD_INTERNAL(nm_hsr_device_factory_get_type);
    _ADD_INTERNAL(nm_infiniband_device_factory_get_type);
    _ADD_INTERNAL(nm_ip_tunnel_device_factory_get_type);
--- a/src/core/devices/nm-device-geneve.c
+++ b/src/core/devices/nm-device-geneve.c
@ -0,0 +1,487 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 /*
 * Copyright (C) 2026 Red Hat, Inc.
 */
 #include "src/core/nm-default-daemon.h"
 #include "nm-manager.h"
 #include "nm-device-geneve.h"
 #include "libnm-core-intern/nm-core-internal.h"
 #include "nm-act-request.h"
 #include "nm-device-private.h"
 #include "nm-setting-geneve.h"
 #include "libnm-platform/nm-platform.h"
 #include "nm-device-factory.h"
 #define _NMLOG_DEVICE_TYPE NMDeviceGeneve
 #include "nm-device-logging.h"
 NM_GOBJECT_PROPERTIES_DEFINE(NMDeviceGeneve,
                             PROP_ID,
                             PROP_REMOTE,
                             PROP_TOS,
                             PROP_TTL,
                             PROP_DF,
                             PROP_DST_PORT, );
 typedef struct {
    NMPlatformLnkGeneve props;
 } NMDeviceGenevePrivate;
 struct _NMDeviceGeneve {
    NMDevice              parent;
    NMDeviceGenevePrivate _priv;
 };
 struct _NMDeviceGeneveClass {
    NMDeviceClass parent;
 };
 G_DEFINE_TYPE(NMDeviceGeneve, nm_device_geneve, NM_TYPE_DEVICE)
 #define NM_DEVICE_GENEVE_GET_PRIVATE(self) \
    _NM_GET_PRIVATE(self, NMDeviceGeneve, NM_IS_DEVICE_GENEVE, NMDevice)
 /*****************************************************************************/
 static NMDeviceCapabilities
 get_generic_capabilities(NMDevice *dev)
 {
    return NM_DEVICE_CAP_IS_SOFTWARE;
 }
 static void
 update_properties(NMDevice *device)
 {
    NMDeviceGeneve            *self;
    NMDeviceGenevePrivate     *priv;
    const NMPlatformLink      *plink;
    const NMPlatformLnkGeneve *props;
    int                        ifindex;
    g_return_if_fail(NM_IS_DEVICE_GENEVE(device));
    self = NM_DEVICE_GENEVE(device);
    priv = NM_DEVICE_GENEVE_GET_PRIVATE(self);
    ifindex = nm_device_get_ifindex(device);
    g_return_if_fail(ifindex > 0);
    props = nm_platform_link_get_lnk_geneve(nm_device_get_platform(device), ifindex, &plink);
    if (!props) {
        _LOGW(LOGD_PLATFORM, "could not get GENEVE properties");
        return;
    }
    g_object_freeze_notify((GObject *) device);
 #define CHECK_PROPERTY_CHANGED(field, prop)      \
    G_STMT_START                                 \
    {                                            \
        if (priv->props.field != props->field) { \
            priv->props.field = props->field;    \
            _notify(self, prop);                 \
        }                                        \
    }                                            \
    G_STMT_END
 #define CHECK_PROPERTY_CHANGED_IN6ADDR(field, prop)                                 \
    G_STMT_START                                                                    \
    {                                                                               \
        if (memcmp(&priv->props.field, &props->field, sizeof(props->field)) != 0) { \
            priv->props.field = props->field;                                       \
            _notify(self, prop);                                                    \
        }                                                                           \
    }                                                                               \
    G_STMT_END
    CHECK_PROPERTY_CHANGED(id, PROP_ID);
    CHECK_PROPERTY_CHANGED(remote, PROP_REMOTE);
    CHECK_PROPERTY_CHANGED_IN6ADDR(remote6, PROP_REMOTE);
    CHECK_PROPERTY_CHANGED(tos, PROP_TOS);
    CHECK_PROPERTY_CHANGED(ttl, PROP_TTL);
    CHECK_PROPERTY_CHANGED(df, PROP_DF);
    CHECK_PROPERTY_CHANGED(dst_port, PROP_DST_PORT);
    g_object_thaw_notify((GObject *) device);
 }
 static void
 link_changed(NMDevice *device, const NMPlatformLink *pllink)
 {
    NM_DEVICE_CLASS(nm_device_geneve_parent_class)->link_changed(device, pllink);
    update_properties(device);
 }
 static void
 unrealize_notify(NMDevice *device)
 {
    NMDeviceGeneve        *self = NM_DEVICE_GENEVE(device);
    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(self);
    guint                  i;
    NM_DEVICE_CLASS(nm_device_geneve_parent_class)->unrealize_notify(device);
    memset(&priv->props, 0, sizeof(NMPlatformLnkGeneve));
    for (i = 1; i < _PROPERTY_ENUMS_LAST; i++)
        g_object_notify_by_pspec(G_OBJECT(self), obj_properties[i]);
 }
 static gboolean
 create_and_realize(NMDevice              *device,
                   NMConnection          *connection,
                   NMDevice              *parent,
                   const NMPlatformLink **out_plink,
                   GError               **error)
 {
    const char         *iface = nm_device_get_iface(device);
    NMPlatformLnkGeneve props = {};
    NMSettingGeneve    *s_geneve;
    const char         *str;
    int                 r;
    s_geneve = nm_connection_get_setting_geneve(connection);
    g_return_val_if_fail(s_geneve, FALSE);
    props.id = nm_setting_geneve_get_id(s_geneve);
    str = nm_setting_geneve_get_remote(s_geneve);
    if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.remote)
        && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.remote6)) {
        return nm_assert_unreachable_val(FALSE);
    }
    props.tos      = nm_setting_geneve_get_tos(s_geneve);
    props.ttl      = nm_setting_geneve_get_ttl(s_geneve);
    props.df       = nm_setting_geneve_get_df(s_geneve);
    props.dst_port = nm_setting_geneve_get_destination_port(s_geneve);
    r = nm_platform_link_geneve_add(nm_device_get_platform(device), iface, &props, out_plink);
    if (r < 0) {
        g_set_error(error,
                    NM_DEVICE_ERROR,
                    NM_DEVICE_ERROR_CREATION_FAILED,
                    "Failed to create geneve interface '%s' for '%s': %s",
                    iface,
                    nm_connection_get_id(connection),
                    nm_strerror(r));
        return FALSE;
    }
    return TRUE;
 }
 static gboolean
 address_matches(const char *candidate, in_addr_t addr4, struct in6_addr *addr6)
 {
    NMIPAddr candidate_addr;
    int      addr_family;
    if (!candidate)
        return addr4 == 0u && IN6_IS_ADDR_UNSPECIFIED(addr6);
    if (!nm_inet_parse_bin(AF_UNSPEC, candidate, &addr_family, &candidate_addr))
        return FALSE;
    if (!nm_ip_addr_equal(addr_family,
                          &candidate_addr,
                          NM_IS_IPv4(addr_family) ? (gpointer) &addr4 : addr6))
        return FALSE;
    if (NM_IS_IPv4(addr_family))
        return IN6_IS_ADDR_UNSPECIFIED(addr6);
    else
        return addr4 == 0u;
 }
 static gboolean
 check_connection_compatible(NMDevice     *device,
                            NMConnection *connection,
                            gboolean      check_properties,
                            GError      **error)
 {
    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(device);
    NMSettingGeneve       *s_geneve;
    if (!NM_DEVICE_CLASS(nm_device_geneve_parent_class)
             ->check_connection_compatible(device, connection, check_properties, error))
        return FALSE;
    if (check_properties && nm_device_is_real(device)) {
        s_geneve = nm_connection_get_setting_geneve(connection);
        if (priv->props.id != nm_setting_geneve_get_id(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve id mismatches");
            return FALSE;
        }
        if (!address_matches(nm_setting_geneve_get_remote(s_geneve),
                             priv->props.remote,
                             &priv->props.remote6)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve remote address mismatches");
            return FALSE;
        }
        if (priv->props.dst_port != nm_setting_geneve_get_destination_port(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve destination port mismatches");
            return FALSE;
        }
        if (priv->props.tos != nm_setting_geneve_get_tos(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve TOS mismatches");
            return FALSE;
        }
        if (priv->props.ttl != nm_setting_geneve_get_ttl(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve TTL mismatches");
            return FALSE;
        }
        if (priv->props.df != nm_setting_geneve_get_df(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve DF mismatches");
            return FALSE;
        }
    }
    return TRUE;
 }
 static gboolean
 complete_connection(NMDevice            *device,
                    NMConnection        *connection,
                    const char          *specific_object,
                    NMConnection *const *existing_connections,
                    GError             **error)
 {
    NMSettingGeneve *s_geneve;
    nm_utils_complete_generic(nm_device_get_platform(device),
                              connection,
                              NM_SETTING_GENEVE_SETTING_NAME,
                              existing_connections,
                              NULL,
                              _("Geneve connection"),
                              NULL,
                              NULL);
    s_geneve = nm_connection_get_setting_geneve(connection);
    if (!s_geneve) {
        g_set_error_literal(error,
                            NM_DEVICE_ERROR,
                            NM_DEVICE_ERROR_INVALID_CONNECTION,
                            "A 'geneve' setting is required.");
        return FALSE;
    }
    return TRUE;
 }
 static void
 update_connection(NMDevice *device, NMConnection *connection)
 {
    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(device);
    NMSettingGeneve *s_geneve   = _nm_connection_ensure_setting(connection, NM_TYPE_SETTING_GENEVE);
    char             sbuf[NM_INET_ADDRSTRLEN];
    if (priv->props.id != nm_setting_geneve_get_id(s_geneve))
        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_ID, priv->props.id, NULL);
    /* Handle remote (IPv4 or IPv6) */
    if (priv->props.remote) {
        g_object_set(s_geneve,
                     NM_SETTING_GENEVE_REMOTE,
                     nm_inet4_ntop(priv->props.remote, sbuf),
                     NULL);
    } else if (memcmp(&priv->props.remote6, &in6addr_any, sizeof(in6addr_any))) {
        g_object_set(s_geneve,
                     NM_SETTING_GENEVE_REMOTE,
                     nm_inet6_ntop(&priv->props.remote6, sbuf),
                     NULL);
    }
    if (priv->props.dst_port != nm_setting_geneve_get_destination_port(s_geneve))
        g_object_set(G_OBJECT(s_geneve),
                     NM_SETTING_GENEVE_DESTINATION_PORT,
                     priv->props.dst_port,
                     NULL);
    if (priv->props.tos != nm_setting_geneve_get_tos(s_geneve))
        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_TOS, priv->props.tos, NULL);
    if (priv->props.ttl != nm_setting_geneve_get_ttl(s_geneve))
        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_TTL, priv->props.ttl, NULL);
    if (priv->props.df != nm_setting_geneve_get_df(s_geneve))
        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_DF, priv->props.df, NULL);
 }
 static void
 get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
 {
    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(object);
    switch (prop_id) {
    case PROP_ID:
        g_value_set_uint(value, priv->props.id);
        break;
    case PROP_REMOTE:
        if (priv->props.remote)
            g_value_take_string(value, nm_inet4_ntop_dup(priv->props.remote));
        else if (!IN6_IS_ADDR_UNSPECIFIED(&priv->props.remote6))
            g_value_take_string(value, nm_inet6_ntop_dup(&priv->props.remote6));
        break;
    case PROP_TOS:
        g_value_set_uchar(value, priv->props.tos);
        break;
    case PROP_TTL:
        g_value_set_uchar(value, priv->props.ttl);
        break;
    case PROP_DF:
        g_value_set_uint(value, priv->props.df);
        break;
    case PROP_DST_PORT:
        g_value_set_uint(value, priv->props.dst_port);
        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
    }
 }
 /*****************************************************************************/
 static void
 nm_device_geneve_init(NMDeviceGeneve *self)
 {}
 static const NMDBusInterfaceInfoExtended interface_info_device_geneve = {
    .parent = NM_DEFINE_GDBUS_INTERFACE_INFO_INIT(
        NM_DBUS_INTERFACE_DEVICE_GENEVE,
        .properties = NM_DEFINE_GDBUS_PROPERTY_INFOS(
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Id", "u", NM_DEVICE_GENEVE_ID),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Remote", "s", NM_DEVICE_GENEVE_REMOTE),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tos", "y", NM_DEVICE_GENEVE_TOS),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Ttl", "y", NM_DEVICE_GENEVE_TTL),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Df", "u", NM_DEVICE_GENEVE_DF),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("DstPort",
                                                           "q",
                                                           NM_DEVICE_GENEVE_DST_PORT), ), ),
 };
 static void
 nm_device_geneve_class_init(NMDeviceGeneveClass *klass)
 {
    GObjectClass      *object_class      = G_OBJECT_CLASS(klass);
    NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS(klass);
    NMDeviceClass     *device_class      = NM_DEVICE_CLASS(klass);
    object_class->get_property = get_property;
    dbus_object_class->interface_infos = NM_DBUS_INTERFACE_INFOS(&interface_info_device_geneve);
    device_class->connection_type_supported        = NM_SETTING_GENEVE_SETTING_NAME;
    device_class->connection_type_check_compatible = NM_SETTING_GENEVE_SETTING_NAME;
    device_class->link_types = NM_DEVICE_DEFINE_LINK_TYPES(NM_LINK_TYPE_GENEVE);
    device_class->link_changed                = link_changed;
    device_class->unrealize_notify            = unrealize_notify;
    device_class->create_and_realize          = create_and_realize;
    device_class->check_connection_compatible = check_connection_compatible;
    device_class->complete_connection         = complete_connection;
    device_class->get_generic_capabilities    = get_generic_capabilities;
    device_class->update_connection           = update_connection;
    obj_properties[PROP_ID] = g_param_spec_uint(NM_DEVICE_GENEVE_ID,
                                                "",
                                                "",
                                                0,
                                                G_MAXUINT32,
                                                0,
                                                G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_REMOTE] = g_param_spec_string(NM_DEVICE_GENEVE_REMOTE,
                                                      "",
                                                      "",
                                                      NULL,
                                                      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_TOS] = g_param_spec_uchar(NM_DEVICE_GENEVE_TOS,
                                                  "",
                                                  "",
                                                  0,
                                                  255,
                                                  0,
                                                  G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_TTL] = g_param_spec_uchar(NM_DEVICE_GENEVE_TTL,
                                                  "",
                                                  "",
                                                  0,
                                                  255,
                                                  0,
                                                  G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_DF] = g_param_spec_uint(NM_DEVICE_GENEVE_DF,
                                                "",
                                                "",
                                                0,
                                                2,
                                                0,
                                                G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_DST_PORT] = g_param_spec_uint(NM_DEVICE_GENEVE_DST_PORT,
                                                      "",
                                                      "",
                                                      0,
                                                      65535,
                                                      0,
                                                      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 }
 /*****************************************************************************/
 #define NM_TYPE_GENEVE_DEVICE_FACTORY (nm_geneve_device_factory_get_type())
 #define NM_GENEVE_DEVICE_FACTORY(obj) \
    (_NM_G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_GENEVE_DEVICE_FACTORY, NMGeneveDeviceFactory))
 static NMDevice *
 create_device(NMDeviceFactory      *factory,
              const char           *iface,
              const NMPlatformLink *plink,
              NMConnection         *connection,
              gboolean             *out_ignore)
 {
    return g_object_new(NM_TYPE_DEVICE_GENEVE,
                        NM_DEVICE_IFACE,
                        iface,
                        NM_DEVICE_TYPE_DESC,
                        "Geneve",
                        NM_DEVICE_DEVICE_TYPE,
                        NM_DEVICE_TYPE_GENEVE,
                        NM_DEVICE_LINK_TYPE,
                        NM_LINK_TYPE_GENEVE,
                        NULL);
 }
 NM_DEVICE_FACTORY_DEFINE_INTERNAL(
    GENEVE,
    Geneve,
    geneve,
    NM_DEVICE_FACTORY_DECLARE_LINK_TYPES(NM_LINK_TYPE_GENEVE)
        NM_DEVICE_FACTORY_DECLARE_SETTING_TYPES(NM_SETTING_GENEVE_SETTING_NAME),
    factory_class->create_device = create_device;);
--- a/src/core/devices/nm-device-geneve.h
+++ b/src/core/devices/nm-device-geneve.h
@ -0,0 +1,33 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 /*
 * Copyright (C) 2026 Red Hat, Inc.
 */
 #ifndef __NETWORKMANAGER_DEVICE_GENEVE_H__
 #define __NETWORKMANAGER_DEVICE_GENEVE_H__
 #include "nm-device.h"
 #define NM_TYPE_DEVICE_GENEVE (nm_device_geneve_get_type())
 #define NM_DEVICE_GENEVE(obj) \
    (_NM_G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneve))
 #define NM_DEVICE_GENEVE_CLASS(klass) \
    (G_TYPE_CHECK_CLASS_CAST((klass), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneveClass))
 #define NM_IS_DEVICE_GENEVE(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), NM_TYPE_DEVICE_GENEVE))
 #define NM_IS_DEVICE_GENEVE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), NM_TYPE_DEVICE_GENEVE))
 #define NM_DEVICE_GENEVE_GET_CLASS(obj) \
    (G_TYPE_INSTANCE_GET_CLASS((obj), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneveClass))
 #define NM_DEVICE_GENEVE_ID       "id"
 #define NM_DEVICE_GENEVE_REMOTE   "remote"
 #define NM_DEVICE_GENEVE_TOS      "tos"
 #define NM_DEVICE_GENEVE_TTL      "ttl"
 #define NM_DEVICE_GENEVE_DF       "df"
 #define NM_DEVICE_GENEVE_DST_PORT "dst-port"
 typedef struct _NMDeviceGeneve      NMDeviceGeneve;
 typedef struct _NMDeviceGeneveClass NMDeviceGeneveClass;
 GType nm_device_geneve_get_type(void);
 #endif /* __NETWORKMANAGER_DEVICE_GENEVE_H__ */
--- a/src/core/devices/nm-device-macsec.c
+++ b/src/core/devices/nm-device-macsec.c
@ -201,7 +201,8 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
    mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                   nm_device_get_ifindex(NM_DEVICE(self)));
-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
                                      nm_utils_get_connection_first_permissions_user(connection));
    s_macsec = nm_device_get_applied_setting(NM_DEVICE(self), NM_TYPE_SETTING_MACSEC);
@ -227,7 +228,13 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
    if (nm_setting_macsec_get_mode(s_macsec) == NM_SETTING_MACSEC_MODE_EAP) {
        s_8021x = nm_connection_get_setting_802_1x(connection);
-        if (!nm_supplicant_config_add_setting_8021x(config, s_8021x, con_uuid, mtu, TRUE, error)) {
+        if (!nm_supplicant_config_add_setting_8021x(config,
                                                    s_8021x,
                                                    con_uuid,
                                                    mtu,
                                                    TRUE,
                                                    nm_device_get_private_files(NM_DEVICE(self)),
                                                    error)) {
            g_prefix_error(error, "802-1x-setting: ");
            return NULL;
        }
@ -433,6 +440,9 @@ supplicant_iface_start(NMDeviceMacsec *self)
    NMDeviceMacsecPrivate              *priv   = NM_DEVICE_MACSEC_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
    NMActRequest                       *request;
    NMActiveConnection                 *controller_ac;
    NMDevice                           *controller;
    config = build_supplicant_config(self, &error);
    if (!config) {
@ -445,6 +455,16 @@ supplicant_iface_start(NMDeviceMacsec *self)
    }
    nm_supplicant_interface_disconnect(priv->supplicant.iface);
    /* Tell the supplicant in which bridge the interface is */
    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
        && (controller = nm_active_connection_get_device(controller_ac))
        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
    } else
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
--- a/src/core/devices/nm-device-macvlan.c
+++ b/src/core/devices/nm-device-macvlan.c
@ -468,7 +468,12 @@ static const NMDBusInterfaceInfoExtended interface_info_device_macvlan = {
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("NoPromisc",
                                                           "b",
                                                           NM_DEVICE_MACVLAN_NO_PROMISC),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tab", "b", NM_DEVICE_MACVLAN_TAP), ), ),
+            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tap", "b", NM_DEVICE_MACVLAN_TAP),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE(
                "Tab",
                "b",
                NM_DEVICE_MACVLAN_TAP,
                .annotations = NM_GDBUS_ANNOTATION_INFO_LIST_DEPRECATED(), ), ), ),
 };
 static void
--- a/src/core/devices/nm-device-private.h
+++ b/src/core/devices/nm-device-private.h
@ -115,9 +115,6 @@ gboolean nm_device_sysctl_ip_conf_set(NMDevice   *self,
 NML3ConfigData *nm_device_create_l3_config_data(NMDevice *self, NMIPConfigSource source);
 NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
                                                                NMConnection *connection);
 void nm_device_ip_method_dhcp4_start(NMDevice *self);
 void nm_device_ip_method_autoconf6_start(NMDevice *self);
@ -179,4 +176,6 @@ void nm_device_auth_request(NMDevice                      *self,
 void nm_device_link_properties_set(NMDevice *self, gboolean reapply);
 GHashTable *nm_device_get_private_files(NMDevice *self);
 #endif /* NM_DEVICE_PRIVATE_H */
--- a/src/core/devices/nm-device-utils.c
+++ b/src/core/devices/nm-device-utils.c
@ -143,7 +143,9 @@ NM_UTILS_LOOKUP_STR_DEFINE(
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_SETTINGS,
                             "unmanaged-user-settings"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"), );
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE,
                             "modem-no-operator-code"), );
 NM_UTILS_LOOKUP_STR_DEFINE(nm_device_mtu_source_to_string,
                           NMDeviceMtuSource,
@ -237,7 +239,7 @@ resolve_addr_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data
    gs_free_error GError *error  = NULL;
    gs_free char         *output = NULL;
-    output = nm_utils_spawn_helper_finish(result, &error);
+    output = nm_utils_spawn_helper_finish_string(result, &error);
    if (nm_utils_error_is_cancelled(error))
        return;
@ -276,6 +278,7 @@ resolve_addr_spawn_helper(ResolveAddrInfo *info, ResolveAddrService services)
    nm_inet_ntop(info->addr_family, &info->address, addr_str);
    _LOG2D(info, "start lookup via nm-daemon-helper using services: %s", str);
    nm_utils_spawn_helper(NM_MAKE_STRV("resolve-address", addr_str, str),
                          FALSE,
                          g_task_get_cancellable(info->task),
                          resolve_addr_helper_cb,
                          info);
--- a/src/core/devices/nm-device-veth.c
+++ b/src/core/devices/nm-device-veth.c
@ -53,7 +53,7 @@ update_properties(NMDevice *device)
    nm_device_parent_set_ifindex(device, peer_ifindex);
    peer = nm_device_parent_get_device(device);
-    if (peer && NM_IS_DEVICE_VETH(peer) && nm_device_parent_get_ifindex(peer) <= 0)
+    if (peer && NM_IS_DEVICE_VETH(peer) && !nm_device_parent_get_device(peer))
        update_properties(peer);
 }
--- a/src/core/devices/nm-device-vxlan.c
+++ b/src/core/devices/nm-device-vxlan.c
@ -176,14 +176,14 @@ create_and_realize(NMDevice              *device,
    if (str) {
        if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.local)
            && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.local6))
-            return FALSE;
+            return nm_assert_unreachable_val(FALSE);
    }
    str = nm_setting_vxlan_get_remote(s_vxlan);
    if (str) {
        if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.group)
            && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.group6))
-            return FALSE;
+            return nm_assert_unreachable_val(FALSE);
    }
    props.tos          = nm_setting_vxlan_get_tos(s_vxlan);
--- a/src/core/devices/nm-device-wireguard.c
+++ b/src/core/devices/nm-device-wireguard.c
@ -1672,6 +1672,57 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
    return ret;
 }
 static gboolean
 skip_peer_route(const NMIPAddr    *peer_addr,
                guint              peer_addr_prefix,
                int                addr_family,
                NMSettingIPConfig *s_ip)
 {
    guint num_addresses;
    guint i;
    /*
     * If the allowed-ip subnet is already reachable on the interface via the
     * prefix route of a static IP address, skip adding the peer route.
     * We don't want to override the prefix route with a new one because the
     * prefix route also specifies the correct source IP address.
     *
     * wg-quick does something similar here:
     * https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?h=v1.0.20250521#n177
     * The condition in wg-quick is a bit different because it checks that no
     * duplicate route exists on the interface. We can't do exactly the same
     * because here we don't have visibility on all the platform routes.
     */
    if (!s_ip)
        return FALSE;
    num_addresses = nm_setting_ip_config_get_num_addresses(s_ip);
    for (i = 0; i < num_addresses; i++) {
        NMIPAddr     setting_addr;
        NMIPAddr     peer_addr_tmp;
        guint        setting_prefix;
        NMIPAddress *a;
        peer_addr_tmp = *peer_addr;
        a = nm_setting_ip_config_get_address(s_ip, i);
        nm_ip_address_get_address_binary(a, &setting_addr);
        setting_prefix = nm_ip_address_get_prefix(a);
        if (setting_prefix > peer_addr_prefix)
            continue;
        nm_ip_addr_clear_host_address(addr_family, &setting_addr, NULL, setting_prefix);
        nm_ip_addr_clear_host_address(addr_family, &peer_addr_tmp, NULL, setting_prefix);
        if (nm_ip_addr_equal(addr_family, &peer_addr_tmp, &setting_addr))
            return TRUE;
    }
    return FALSE;
 }
 static const NML3ConfigData *
 _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 {
@ -1738,6 +1789,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
        n_aips = nm_wireguard_peer_get_allowed_ips_len(peer);
        for (j = 0; j < n_aips; j++) {
            NMSettingIPConfig *s_ip;
            NMPlatformIPXRoute rt;
            NMIPAddr           addrbin;
            const char        *aip;
@ -1746,6 +1798,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
            guint32            rtable_coerced;
            aip  = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
            s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
            if (!valid || !nm_inet_parse_with_prefix_bin(addr_family, aip, NULL, &addrbin, &prefix))
                continue;
@ -1754,9 +1807,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
                prefix = (addr_family == AF_INET) ? 32 : 128;
            if (prefix == 0) {
                NMSettingIPConfig *s_ip;
                s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
                if (nm_setting_ip_config_get_never_default(s_ip))
                    continue;
            }
@ -1769,6 +1819,9 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
            nm_ip_addr_clear_host_address(addr_family, &addrbin, NULL, prefix);
            if (skip_peer_route(&addrbin, prefix, addr_family, s_ip))
                continue;
            rtable_coerced = route_table_coerced;
            if (prefix == 0 && auto_default_route_enabled) {
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
--- a/src/core/devices/nm-device.h
+++ b/src/core/devices/nm-device.h
@ -791,6 +791,7 @@ void     nm_device_update_permanent_hw_address(NMDevice *self, gboolean force_fr
 void     nm_device_update_dynamic_ip_setup(NMDevice *self, const char *reason);
 guint    nm_device_get_supplicant_timeout(NMDevice *self);
 gboolean nm_device_auth_retries_has_next(NMDevice *self);
 gboolean nm_device_auth_retries_try_next(NMDevice *self);
 gboolean nm_device_hw_addr_get_cloned(NMDevice     *self,
@ -853,4 +854,7 @@ void nm_routing_rules_sync(NMConnection *applied_connection,
                           NMDevice *self,
                           NMNetns  *netns);
 NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
                                                                NMConnection *connection);
 #endif /* __NETWORKMANAGER_DEVICE_H__ */
--- a/src/core/devices/ovs/nm-ovsdb.c
+++ b/src/core/devices/ovs/nm-ovsdb.c
@ -1890,7 +1890,7 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
        == -1) {
        /* This doesn't really have to be an error; the key might
         * be missing if there really are no bridges present. */
-        _LOGD("Bad update: %s", json_error.text);
+        _LOGD("monitor: bad update: %s", json_error.text);
    }
    if (ovs) {
@ -1936,12 +1936,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;
-            _LOGT("obj[iface:%s]: removed an '%s' interface: %s%s%s",
+            _LOGT("monitor: %s: interface removed: type=%s, obj[iface:%s]%s%s",
                  key,
                  ovs_interface->type,
                  ovs_interface->name,
                  ovs_interface->type,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_interface->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self,
@ -1989,13 +1989,14 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT("obj[iface:%s]: changed an '%s' interface: %s%s%s, external-ids=%s, "
+                _LOGT(
                    "monitor: %s: interface changed: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
                    "other-config=%s",
                      key,
                      type,
                    ovs_interface->name,
                    type,
                    key,
                    NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                           ", ",
+                                         ", connection=",
                                         ovs_interface->connection_uuid,
                                         ""),
                    (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
@ -2015,13 +2016,13 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->interfaces, ovs_interface);
-            _LOGT(
+            _LOGT("monitor: %s: interface added: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
-                "obj[iface:%s]: added an '%s' interface: %s%s%s, external-ids=%s, other-config=%s",
+                  "other-config=%s",
                key,
                ovs_interface->type,
                  ovs_interface->name,
                  ovs_interface->type,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                     ", ",
+                                       ", connection=",
                                       ovs_interface->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
@ -2071,11 +2072,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
            if (!g_hash_table_steal_extended(priv->ports, &key, (gpointer *) &ovs_port, &unused))
                continue;
-            _LOGT("obj[port:%s]: removed a port: %s%s%s",
+            _LOGT("monitor: %s: port removed: obj[port:%s]%s%s",
                  key,
                  ovs_port->name,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_port->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_port->name, NM_DEVICE_TYPE_OVS_PORT, NULL);
@ -2122,11 +2123,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT("obj[port:%s]: changed a port: %s%s%s, external-ids=%s, other-config=%s",
+                _LOGT(
-                      key,
+                    "monitor: %s: port changed: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
                    ovs_port->name,
                    key,
                    NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                           ", ",
+                                         ", connection=",
                                         ovs_port->connection_uuid,
                                         ""),
                    (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2146,11 +2148,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->ports, ovs_port);
-            _LOGT("obj[port:%s]: added a port: %s%s%s, external-ids=%s, other-config=%s",
+            _LOGT("monitor: %s: port added: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
                  key,
                  ovs_port->name,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_port->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2192,11 +2194,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;
-            _LOGT("obj[bridge:%s]: removed a bridge: %s%s%s",
+            _LOGT("monitor: %s: bridge removed: obj[bridge:%s]%s%s",
                  key,
                  ovs_bridge->name,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_bridge->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_bridge->name, NM_DEVICE_TYPE_OVS_BRIDGE, NULL);
@ -2243,11 +2245,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT("obj[bridge:%s]: changed a bridge: %s%s%s, external-ids=%s, other-config=%s",
+                _LOGT("monitor: %s: bridge changed: obj[bridge:%s]%s%s, external-ids=%s, "
-                      key,
+                      "other-config=%s",
                      ovs_bridge->name,
                      key,
                      NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                           ", ",
+                                           ", connection=",
                                           ovs_bridge->connection_uuid,
                                           ""),
                      (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
@ -2267,11 +2270,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->bridges, ovs_bridge);
-            _LOGT("obj[bridge:%s]: added a bridge: %s%s%s, external-ids=%s, other-config=%s",
+            _LOGT("monitor: %s: bridge added: obj[bridge:%s]%s%s, external-ids=%s, other-config=%s",
                  key,
                  ovs_bridge->name,
                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_bridge->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
--- a/src/core/devices/wifi/nm-device-iwd.c
+++ b/src/core/devices/wifi/nm-device-iwd.c
@ -2270,6 +2270,37 @@ add_new:
    return NM_ACT_STAGE_RETURN_SUCCESS;
 }
 static void
 set_powersave(NMDevice *device)
 {
    NMDeviceIwd               *self = NM_DEVICE_IWD(device);
    NMSettingWireless         *s_wireless;
    NMSettingWirelessPowersave val;
    s_wireless = nm_device_get_applied_setting(device, NM_TYPE_SETTING_WIRELESS);
    g_return_if_fail(s_wireless);
    val = nm_setting_wireless_get_powersave(s_wireless);
    if (val == NM_SETTING_WIRELESS_POWERSAVE_DEFAULT) {
        val = nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
                                                          "wifi.powersave",
                                                          device,
                                                          NM_SETTING_WIRELESS_POWERSAVE_IGNORE,
                                                          NM_SETTING_WIRELESS_POWERSAVE_ENABLE,
                                                          NM_SETTING_WIRELESS_POWERSAVE_IGNORE);
    }
    _LOGT(LOGD_WIFI, "powersave is set to %u", (unsigned) val);
    if (val == NM_SETTING_WIRELESS_POWERSAVE_IGNORE)
        return;
    nm_platform_wifi_set_powersave(nm_device_get_platform(device),
                                   nm_device_get_ifindex(device),
                                   val == NM_SETTING_WIRELESS_POWERSAVE_ENABLE);
 }
 static NMActStageReturn
 act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
 {
@ -2297,6 +2328,8 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
            goto out_fail;
        }
        set_powersave(device);
        /* With priv->iwd_autoconnect we have to let IWD handle retries for
         * infrastructure networks.  IWD will not necessarily retry the same
         * network after a failure but it will likely go into an autoconnect
--- a/src/core/devices/wifi/nm-device-wifi.c
+++ b/src/core/devices/wifi/nm-device-wifi.c
@ -191,6 +191,12 @@ static void supplicant_iface_notify_p2p_available(NMSupplicantInterface *iface,
                                                  GParamSpec            *pspec,
                                                  NMDeviceWifi          *self);
 static void supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface,
                                                        NMDeviceWifi          *self);
 static void supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface,
                                                        NMDeviceWifi          *self);
 static void periodic_update(NMDeviceWifi *self);
 static void ap_add_remove(NMDeviceWifi *self,
@ -624,6 +630,14 @@ supplicant_interface_acquire_cb(NMSupplicantManager         *supplicant_manager,
                     "notify::" NM_SUPPLICANT_INTERFACE_P2P_AVAILABLE,
                     G_CALLBACK(supplicant_iface_notify_p2p_available),
                     self);
    g_signal_connect(priv->sup_iface,
                     NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
                     G_CALLBACK(supplicant_iface_notify_wpa_psk_mismatch_cb),
                     self);
    g_signal_connect(priv->sup_iface,
                     NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
                     G_CALLBACK(supplicant_iface_notify_wpa_sae_mismatch_cb),
                     self);
    _scan_notify_is_scanning(self);
@ -2237,6 +2251,26 @@ wps_timeout_cb(gpointer user_data)
    return G_SOURCE_REMOVE;
 }
 static gboolean
 wifi_connection_is_new(NMDeviceWifi *self)
 {
    NMDevice             *device = NM_DEVICE(self);
    NMActRequest         *req;
    NMSettingsConnection *connection;
    guint64               timestamp = 0;
    req = nm_device_get_act_request(device);
    g_return_val_if_fail(NM_IS_ACT_REQUEST(req), TRUE);
    connection = nm_act_request_get_settings_connection(req);
    g_return_val_if_fail(NM_IS_SETTINGS_CONNECTION(connection), TRUE);
    if (nm_settings_connection_get_timestamp(connection, &timestamp) && timestamp != 0)
        return FALSE;
    return TRUE;
 }
 static void
 wifi_secrets_get_secrets(NMDeviceWifi                *self,
                         const char                  *setting_name,
@ -2394,15 +2428,18 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,
    NMDevice                    *device = NM_DEVICE(self);
    NMActRequest                *req;
    const char                  *setting_name = NULL;
-    gboolean      handled      = FALSE;
+    NMSecretAgentGetSecretsFlags secret_flags = NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                                | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW;
    g_return_val_if_fail(new_state == NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED, FALSE);
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return FALSE;
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_val_if_fail(req != NULL, FALSE);
-    if (need_new_8021x_secrets(self, old_state, &setting_name)
+    if (need_new_8021x_secrets(self, old_state, &setting_name)) {
        || need_new_wpa_psk(self, old_state, disconnect_reason, &setting_name)) {
        nm_act_request_clear_secrets(req);
        _LOGI(LOGD_DEVICE | LOGD_WIFI,
@ -2412,14 +2449,54 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,
        nm_device_state_changed(device,
                                NM_DEVICE_STATE_NEED_AUTH,
                                NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-        wifi_secrets_get_secrets(self,
+        wifi_secrets_get_secrets(self, setting_name, secret_flags);
-                                 setting_name,
+        return TRUE;
                                 NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                     | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
        handled = TRUE;
    }
-    return handled;
+    if (need_new_wpa_psk(self, old_state, disconnect_reason, &setting_name)) {
        nm_act_request_clear_secrets(req);
        cleanup_association_attempt(self, TRUE);
        if (wifi_connection_is_new(self)) {
            _LOGI(LOGD_DEVICE | LOGD_WIFI,
                  "Activation: (wifi) new connection disconnected during association, asking for "
                  "new key");
            nm_device_state_changed(device,
                                    NM_DEVICE_STATE_NEED_AUTH,
                                    NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
            wifi_secrets_get_secrets(self, setting_name, secret_flags);
            return TRUE;
        }
        if (!nm_device_auth_retries_try_next(device)) {
            nm_device_state_changed(device,
                                    NM_DEVICE_STATE_FAILED,
                                    NM_DEVICE_STATE_REASON_NO_SECRETS);
            return TRUE;
        }
        if (nm_device_auth_retries_has_next(device)) {
            secret_flags &= ~NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW;
            _LOGI(
                LOGD_DEVICE | LOGD_WIFI,
                "Activation: (wifi) disconnected during association, reauthenticating connection");
        } else {
            _LOGI(LOGD_DEVICE | LOGD_WIFI,
                  "Activation: (wifi) disconnected during association, asking for new key");
        }
        nm_device_state_changed(device,
                                NM_DEVICE_STATE_NEED_AUTH,
                                NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
        wifi_secrets_get_secrets(self, setting_name, secret_flags);
        return TRUE;
    }
    _LOGI(LOGD_DEVICE | LOGD_WIFI,
          "Activation: (wifi) disconnected during association, retrying connection");
    return FALSE;
 }
 static gboolean
@ -2841,6 +2918,68 @@ handle_auth_or_fail(NMDeviceWifi *self, NMActRequest *req, gboolean new_secrets)
    return TRUE;
 }
 static void
 supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
 {
    NMDevice     *device = NM_DEVICE(self);
    NMActRequest *req;
    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return;
    if (!wifi_connection_is_new(self) && nm_device_auth_retries_has_next(device)) {
        _LOGI(LOGD_DEVICE | LOGD_WIFI,
              "Activation: (wifi) psk mismatch reported by supplicant, retrying connection");
        return;
    }
    _LOGI(LOGD_DEVICE | LOGD_WIFI,
          "Activation: (wifi) psk mismatch reported by supplicant, asking for new key");
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_if_fail(req != NULL);
    nm_act_request_clear_secrets(req);
    cleanup_association_attempt(self, TRUE);
    nm_device_state_changed(device,
                            NM_DEVICE_STATE_NEED_AUTH,
                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
    wifi_secrets_get_secrets(self,
                             setting_name,
                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
 }
 static void
 supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
 {
    NMDevice     *device = NM_DEVICE(self);
    NMActRequest *req;
    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return;
    _LOGI(LOGD_DEVICE | LOGD_WIFI,
          "Activation: (wifi) SAE password mismatch reported by supplicant, asking for new key");
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_if_fail(req != NULL);
    nm_act_request_clear_secrets(req);
    cleanup_association_attempt(self, TRUE);
    nm_device_state_changed(device,
                            NM_DEVICE_STATE_NEED_AUTH,
                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
    wifi_secrets_get_secrets(self,
                             setting_name,
                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
 }
 /*
 * supplicant_connection_timeout_cb
 *
@ -2946,7 +3085,8 @@ build_supplicant_config(NMDeviceWifi         *self,
    s_wireless = nm_connection_get_setting_wireless(connection);
    g_return_val_if_fail(s_wireless != NULL, NULL);
-    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface));
+    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface),
                                      nm_utils_get_connection_first_permissions_user(connection));
    /* Warn if AP mode may not be supported */
    if (nm_streq0(nm_setting_wireless_get_mode(s_wireless), NM_SETTING_WIRELESS_MODE_AP)
@ -3022,6 +3162,7 @@ build_supplicant_config(NMDeviceWifi         *self,
                mtu,
                pmf,
                fils,
                nm_device_get_private_files(NM_DEVICE(self)),
                error)) {
            g_prefix_error(error, "802-11-wireless-security: ");
            goto error;
@ -3182,8 +3323,19 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
 static void
 ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP *ap)
 {
-    guint32     a_freqs[]  = {5180, 5200, 5220, 5745, 5765, 5785, 5805, 0};
+    guint32     freqs_a[]    = {5180, /* only U-NII-1 channels: non-DFS and available everywhere */
-    guint32     bg_freqs[] = {2412, 2437, 2462, 2472, 0};
+                                5200,
                                5220,
                                5240,
                                0};
    guint32     freqs_bg[]   = {2412, 2437, 2462, 2472, 0};
    guint32     freqs_6ghz[] = {5975, /* only U-NII-5 PSC channels, for better compatibility */
                                6055,
                                6135,
                                6215,
                                6295,
                                6375,
                                0};
    guint32    *rnd_freqs;
    guint       rnd_freqs_len;
    NMDevice   *device = NM_DEVICE(self);
@ -3194,7 +3346,7 @@ ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP
    guint       l;
    nm_assert(ap);
-    nm_assert(NM_IN_STRSET(band, NULL, "a", "bg"));
+    nm_assert(NM_IN_STRSET(band, NULL, "a", "bg", "6GHz"));
    if (nm_wifi_ap_get_freq(ap))
        return;
@ -3228,11 +3380,14 @@ ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP
    }
    if (nm_streq0(band, "a")) {
-        rnd_freqs     = a_freqs;
+        rnd_freqs     = freqs_a;
-        rnd_freqs_len = G_N_ELEMENTS(a_freqs) - 1;
+        rnd_freqs_len = G_N_ELEMENTS(freqs_a) - 1;
    } else if (nm_streq0(band, "6GHz")) {
        rnd_freqs     = freqs_6ghz;
        rnd_freqs_len = G_N_ELEMENTS(freqs_6ghz) - 1;
    } else {
-        rnd_freqs     = bg_freqs;
+        rnd_freqs     = freqs_bg;
-        rnd_freqs_len = G_N_ELEMENTS(bg_freqs) - 1;
+        rnd_freqs_len = G_N_ELEMENTS(freqs_bg) - 1;
    }
    /* shuffle the frequencies (inplace). The idea is to choose
--- a/src/core/devices/wifi/nm-iwd-manager.c
+++ b/src/core/devices/wifi/nm-iwd-manager.c
@ -684,7 +684,7 @@ iwd_config_write(GKeyFile              *config,
     * in the last few filename characters -- it cannot end in .open, .psk
     * or .8021x.
     */
-    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, error);
+    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, NULL, error);
 }
 static const char *
--- a/src/core/devices/wifi/nm-wifi-ap.c
+++ b/src/core/devices/wifi/nm-wifi-ap.c
@ -574,16 +574,6 @@ nm_wifi_ap_to_string(const NMWifiAP *self, char *str_buf, gulong buf_len, gint64
    return str_buf;
 }
 static guint
 freq_to_band(guint32 freq)
 {
    if (freq >= 4915 && freq <= 5825)
        return 5;
    else if (freq >= 2412 && freq <= 2484)
        return 2;
    return 0;
 }
 gboolean
 nm_wifi_ap_check_compatible(NMWifiAP *self, NMConnection *connection)
 {
@ -631,12 +621,12 @@ nm_wifi_ap_check_compatible(NMWifiAP *self, NMConnection *connection)
    band = nm_setting_wireless_get_band(s_wireless);
    if (band) {
-        guint ap_band = freq_to_band(priv->freq);
+        const char *ap_band = nm_wifi_freq_to_band_prop(priv->freq);
-        if (!strcmp(band, "a") && ap_band != 5)
+        if (!nm_streq(band, ap_band))
            return FALSE;
        else if (!strcmp(band, "bg") && ap_band != 2)
            return FALSE;
        return TRUE;
    }
    channel = nm_setting_wireless_get_channel(s_wireless);
--- a/src/core/devices/wifi/nm-wifi-utils.c
+++ b/src/core/devices/wifi/nm-wifi-utils.c
@ -639,7 +639,7 @@ nm_wifi_utils_complete_connection(GBytes       *ap_ssid,
                chan_valid = FALSE;
            }
-            band = nm_utils_wifi_freq_to_band(ap_freq);
+            band = nm_wifi_freq_to_band_prop(ap_freq);
            if (band) {
                g_object_set(s_wifi, NM_SETTING_WIRELESS_BAND, band, NULL);
            } else {
@ -1929,3 +1929,19 @@ nm_wifi_utils_wfd_info_eq(const NMIwdWfdInfo *a, const NMIwdWfdInfo *b)
    return a->source == b->source && a->sink == b->sink && a->port == b->port
           && a->has_audio == b->has_audio && a->has_uibc == b->has_uibc && a->has_cp == b->has_cp;
 }
 const char *
 nm_wifi_freq_to_band_prop(guint32 freq)
 {
    switch (nm_utils_wifi_freq_to_band(freq)) {
    case NM_WIFI_BAND_2_4_GHZ:
        return "bg";
    case NM_WIFI_BAND_5_GHZ:
        return "a";
    case NM_WIFI_BAND_6_GHZ:
        return "6GHz";
    default:
    case NM_WIFI_BAND_UNKNOWN:
        return NULL;
    }
 }
--- a/src/core/devices/wifi/nm-wifi-utils.h
+++ b/src/core/devices/wifi/nm-wifi-utils.h
@ -56,4 +56,6 @@ bool    nm_wifi_utils_parse_wfd_ies(GBytes *ies, NMIwdWfdInfo *out_wfd);
 GBytes *nm_wifi_utils_build_wfd_ies(const NMIwdWfdInfo *wfd);
 bool    nm_wifi_utils_wfd_info_eq(const NMIwdWfdInfo *a, const NMIwdWfdInfo *b);
 const char *nm_wifi_freq_to_band_prop(guint32 freq);
 #endif /* __NM_WIFI_UTILS_H__ */
--- a/src/core/devices/wwan/nm-modem-broadband.c
+++ b/src/core/devices/wwan/nm-modem-broadband.c
@ -510,6 +510,7 @@ try_create_connect_properties(NMModemBroadband *self)
 {
    NMModemBroadbandPrivate *priv        = NM_MODEM_BROADBAND_GET_PRIVATE(self);
    ConnectContext          *ctx         = priv->ctx;
    NMDeviceStateReason      fail_reason = NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED;
    if (MODEM_CAPS_3GPP(ctx->caps)) {
        NMSettingGsm *s_gsm = nm_connection_get_setting_gsm(ctx->connection);
@ -522,7 +523,7 @@ try_create_connect_properties(NMModemBroadband *self)
            if (s_gsm)
                network_id = nm_setting_gsm_get_network_id(s_gsm);
            if (!network_id) {
-                if (mm_modem_get_state(self->_priv.modem_iface) < MM_MODEM_STATE_REGISTERED)
+                if (mm_modem_get_state(self->_priv.modem_iface) != MM_MODEM_STATE_REGISTERED)
                    return FALSE;
                modem_3gpp = mm_object_get_modem_3gpp(priv->modem_object);
                network_id = mm_modem_3gpp_get_operator_code(modem_3gpp);
@ -530,6 +531,7 @@ try_create_connect_properties(NMModemBroadband *self)
            if (!network_id) {
                _LOGW("failed to connect '%s': unable to determine the network id",
                      nm_connection_get_id(ctx->connection));
                fail_reason = NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE;
                goto out;
            }
@ -558,7 +560,7 @@ try_create_connect_properties(NMModemBroadband *self)
    }
 out:
-    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED);
+    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, fail_reason);
    connect_context_clear(self);
    return TRUE;
 }
@ -1649,6 +1651,8 @@ nm_modem_broadband_new(GObject *object, GError **error)
                        driver,
                        NM_MODEM_OPERATOR_CODE,
                        operator_code,
                        NM_MODEM_DEVICE_UID,
                        mm_modem_get_device(modem_iface),
                        NULL);
 }
--- a/src/core/devices/wwan/nm-modem-manager.c
+++ b/src/core/devices/wwan/nm-modem-manager.c
@ -258,16 +258,7 @@ modm_handle_name_owner_changed(MMManager *modem_manager, GParamSpec *pspec, NMMo
    /* Available! */
    g_free(name_owner);
-    /* Hack alert: GDBusObjectManagerClient won't signal neither 'object-added'
+    modm_manager_available(self);
     * nor 'object-removed' if it was created while there was no ModemManager in
     * the bus. This hack avoids this issue until we get a GIO with the fix
     * included... */
    modm_clear_manager(self);
    modm_ensure_manager(self);
    /* Whenever GDBusObjectManagerClient is fixed, we can just do the following:
     * modm_manager_available (self);
     */
 }
 static void
--- a/src/core/devices/wwan/nm-modem.c
+++ b/src/core/devices/wwan/nm-modem.c
@ -39,7 +39,8 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMModem,
                             PROP_IP_TYPES,
                             PROP_SIM_OPERATOR_ID,
                             PROP_OPERATOR_CODE,
-                             PROP_APN, );
+                             PROP_APN,
                             PROP_DEVICE_UID, );
 enum {
    PPP_STATS,
@ -78,6 +79,7 @@ typedef struct _NMModemPrivate {
    char           *sim_operator_id;
    char           *operator_code;
    char           *apn;
    char           *device_uid;
    NMPPPManager *ppp_manager;
    NMPppMgr     *ppp_mgr;
@ -618,6 +620,12 @@ nm_modem_get_apn(NMModem *self)
    return NM_MODEM_GET_PRIVATE(self)->apn;
 }
 const char *
 nm_modem_get_device_uid(NMModem *self)
 {
    return NM_MODEM_GET_PRIVATE(self)->device_uid;
 }
 /*****************************************************************************/
 static void
@ -1121,6 +1129,22 @@ nm_modem_check_connection_compatible(NMModem *self, NMConnection *connection, GE
            }
        }
        str = nm_setting_gsm_get_device_uid(s_gsm);
        if (str) {
            if (!priv->device_uid) {
                nm_utils_error_set_literal(error,
                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                           "GSM profile has device-uid, device does not");
                return FALSE;
            }
            if (!nm_streq(str, priv->device_uid)) {
                nm_utils_error_set_literal(error,
                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                           "device has differing device-uid than GSM profile");
                return FALSE;
            }
        }
        /* SIM properties may not be available before the SIM is unlocked, so
         * to ensure that autoconnect works, the connection's SIM properties
         * are only compared if present on the device.
@ -1644,6 +1668,9 @@ get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
    case PROP_APN:
        g_value_set_string(value, priv->apn);
        break;
    case PROP_DEVICE_UID:
        g_value_set_string(value, priv->device_uid);
        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
@ -1699,6 +1726,10 @@ set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *ps
        /* construct-only */
        priv->operator_code = g_value_dup_string(value);
        break;
    case PROP_DEVICE_UID:
        /* construct-only */
        priv->device_uid = g_value_dup_string(value);
        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
@ -1758,6 +1789,7 @@ finalize(GObject *object)
    g_free(priv->sim_operator_id);
    g_free(priv->operator_code);
    g_free(priv->apn);
    g_free(priv->device_uid);
    G_OBJECT_CLASS(nm_modem_parent_class)->finalize(object);
 }
@ -1863,6 +1895,13 @@ nm_modem_class_init(NMModemClass *klass)
    obj_properties[PROP_APN] =
        g_param_spec_string(NM_MODEM_APN, "", "", NULL, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_DEVICE_UID] =
        g_param_spec_string(NM_MODEM_DEVICE_UID,
                            "",
                            "",
                            NULL,
                            G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS);
    g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
    signals[PPP_STATS] = g_signal_new(NM_MODEM_PPP_STATS,
--- a/src/core/devices/wwan/nm-modem.h
+++ b/src/core/devices/wwan/nm-modem.h
@ -30,6 +30,7 @@
 #define NM_MODEM_SIM_OPERATOR_ID "sim-operator-id"
 #define NM_MODEM_OPERATOR_CODE   "operator-code"
 #define NM_MODEM_APN             "apn"
 #define NM_MODEM_DEVICE_UID      "device-uid"
 /* Signals */
 #define NM_MODEM_PPP_STATS      "ppp-stats"
@ -154,6 +155,7 @@ const char *nm_modem_get_sim_id(NMModem *modem);
 const char *nm_modem_get_sim_operator_id(NMModem *modem);
 const char *nm_modem_get_operator_code(NMModem *modem);
 const char *nm_modem_get_apn(NMModem *modem);
 const char *nm_modem_get_device_uid(NMModem *modem);
 gboolean nm_modem_set_data_port(NMModem        *self,
                                NMPlatform     *platform,
--- a/src/core/dhcp/nm-dhcp-client.c
+++ b/src/core/dhcp/nm-dhcp-client.c
@ -1460,7 +1460,9 @@ nm_dhcp_client_schedule_ipv6_only_restart(NMDhcpClient *self, guint timeout)
    nm_assert(!priv->is_stopped);
    timeout = NM_MAX(priv->v4.ipv6_only_min_wait, timeout);
-    _LOGI("received option \"ipv6-only-preferred\": stopping DHCPv4 for %u seconds", timeout);
+    _LOGI("received option \"ipv6-only-preferred\": stopping DHCPv4 for %u seconds. Set "
          "ipv4.dhcp-ipv6-only-preferred=no to force the use of IPv4 on this IPv6-mostly network",
          timeout);
    nm_dhcp_client_stop(self, FALSE);
    nm_clear_g_source_inst(&priv->no_lease_timeout_source);
--- a/src/core/dhcp/nm-dhcp-manager.c
+++ b/src/core/dhcp/nm-dhcp-manager.c
@ -289,8 +289,10 @@ nm_dhcp_manager_init(NMDhcpManager *self)
                                 NM_CONFIG_GET_VALUE_STRIP | NM_CONFIG_GET_VALUE_NO_EMPTY);
    client = client_free;
    if (client) {
-        client_factory = _client_factory_available(_client_factory_find_by_name(client));
+        client_factory = _client_factory_find_by_name(client);
        if (!client_factory)
            _LOGW(AF_UNSPEC, "init: unknown DHCP client '%s', ignoring", client);
        else if (!(client_factory = _client_factory_available(client_factory)))
            _LOGW(AF_UNSPEC, "init: DHCP client '%s' not available", client);
    }
    if (!client_factory) {
--- a/src/core/dhcp/nm-dhcp-nettools.c
+++ b/src/core/dhcp/nm-dhcp-nettools.c
@ -418,7 +418,6 @@ lease_parse_routes(NDhcp4ClientLease *lease,
    in_addr_t     gateway;
    uint8_t       plen;
    guint32       m;
    gboolean      has_router_from_classless   = FALSE;
    gboolean      has_classless               = FALSE;
    guint32       default_route_metric_offset = 0;
    const guint8 *l_data;
@ -434,7 +433,7 @@ lease_parse_routes(NDhcp4ClientLease *lease,
     * We will however also parse one of the options into the "l3cd" for configuring routing.
     * Thereby we prefer 121 over 249 over 33.
     *
-     * Preferring 121 over 33 is defined by RFC 3443.
+     * Preferring 121 over 33 is defined by RFC 3442.
     * Preferring 121 over 249 over 33 is made up as it makes sense (the MS docs are not very clear).
     */
    for (i = 0; i < 2; i++) {
@ -461,7 +460,6 @@ lease_parse_routes(NDhcp4ClientLease *lease,
                /* if there are multiple default routes, we add them with differing
                 * metrics. */
                m = default_route_metric_offset++;
                has_router_from_classless = TRUE;
            } else
                m = 0;
@ -495,7 +493,7 @@ lease_parse_routes(NDhcp4ClientLease *lease,
            nm_str_buf_append_printf(sbuf, "%s/%d %s", dest_str, (int) plen, gateway_str);
            if (has_classless) {
-                /* RFC 3443: if the DHCP server returns both a Classless Static Routes
+                /* RFC 3442: if the DHCP server returns both a Classless Static Routes
                 * option and a Static Routes option, the DHCP client MUST ignore the
                 * Static Routes option. */
                continue;
@ -539,13 +537,10 @@ lease_parse_routes(NDhcp4ClientLease *lease,
                continue;
            }
-            if (has_router_from_classless) {
+            if (has_classless) {
-                /* If the DHCP server returns both a Classless Static Routes option and a
+                /* RFC 3442: if the DHCP server returns both a Classless Static Routes
-                 * Router option, the DHCP client MUST ignore the Router option [RFC 3442].
+                 * option and a Router option, the DHCP client MUST ignore the Router
-                 *
+                 * option. */
                 * Be more lenient and ignore the Router option only if Classless Static
                 * Routes contain a default gateway (as other DHCP backends do).
                 */
                continue;
            }
--- a/src/core/dhcp/nm-dhcp-utils.c
+++ b/src/core/dhcp/nm-dhcp-utils.c
@ -32,11 +32,11 @@ ip4_process_dhcpcd_rfc3442_routes(const char     *iface,
                                  in_addr_t       address,
                                  guint32        *out_gwaddr)
 {
-    gs_free const char **routes = NULL;
+    gs_free char **routes = NULL;
-    const char         **r;
+    char         **r;
    gboolean       have_routes = FALSE;
-    routes = nm_strsplit_set(str, " ");
+    routes = (char **) nm_strsplit_set(str, " ");
    if (!routes)
        return FALSE;
--- a/src/core/dns/nm-dns-dnsconfd.c
+++ b/src/core/dns/nm-dns-dnsconfd.c
@ -374,7 +374,7 @@ server_builder_append_base(GVariantBuilder   *argument_builder,
    NMDnsServer dns_server;
    gsize       addr_size;
-    if (!nm_dns_uri_parse(address_family, address_string, &dns_server))
+    if (!nm_dns_uri_parse(address_family, address_string, &dns_server, NULL))
        return FALSE;
    addr_size = nm_utils_addr_family_to_size(dns_server.addr_family);
--- a/src/core/dns/nm-dns-dnsmasq.c
+++ b/src/core/dns/nm-dns-dnsmasq.c
@ -521,9 +521,10 @@ _gl_pid_spawn_next_step(void)
    argv[argv_idx++] = "--no-resolv"; /* Use only commandline */
    argv[argv_idx++] = "--keep-in-foreground";
    argv[argv_idx++] = "--no-hosts"; /* don't use /etc/hosts to resolve */
-    argv[argv_idx++] = "--bind-interfaces";
+    argv[argv_idx++] = "--bind-dynamic";
    argv[argv_idx++] = "--pid-file=" PIDFILE;
-    argv[argv_idx++] = "--listen-address=127.0.0.1"; /* Should work for both 4 and 6 */
+    argv[argv_idx++] = "--listen-address=127.0.0.1";
    argv[argv_idx++] = "--listen-address=::1";
    argv[argv_idx++] = "--cache-size=400";
    argv[argv_idx++] = "--clear-on-reload";     /* clear cache when dns server changes */
    argv[argv_idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@ -26,6 +26,7 @@
 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-glib-aux/nm-str-buf.h"
 #include "libnm-glib-aux/nm-io-utils.h"
 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
@ -370,7 +371,7 @@ _ASSERT_dns_config_ip_data(const NMDnsConfigIPData *ip_data)
        gboolean has_default = FALSE;
        gsize    i;
-        for (i = 0; ip_data->domains.search && ip_data->domains.search; i++) {
+        for (i = 0; ip_data->domains.search && ip_data->domains.search[i]; i++) {
            const char *d = ip_data->domains.search[i];
            d = nm_utils_parse_dns_domain(d, NULL);
@ -1007,6 +1008,7 @@ _read_link_cached(const char *path, gboolean *is_cached, char **cached)
 #define RESOLV_CONF_TMP    "/etc/.resolv.conf.NetworkManager"
 #define NO_STUB_RESOLV_CONF     NMRUNDIR "/no-stub-resolv.conf"
 #define NO_STUB_RESOLV_CONF_TMP NMRUNDIR "/no-stub-resolv.conf.tmp"
 static void
 update_resolv_conf_no_stub(NMDnsManager      *self,
@ -1019,7 +1021,14 @@ update_resolv_conf_no_stub(NMDnsManager      *self,
    content = create_resolv_conf(searches, nameservers, options);
-    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
+    if (!nm_utils_file_set_contents(NO_STUB_RESOLV_CONF,
                                    content,
                                    -1,
                                    0644,
                                    NULL,
                                    NO_STUB_RESOLV_CONF_TMP,
                                    NULL,
                                    &local)) {
        _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
        g_error_free(local);
        return;
@ -1501,7 +1510,7 @@ _domain_track_is_shadowed(GHashTable  *ht,
                          const char **out_parent,
                          int         *out_parent_priority)
 {
-    char *parent;
+    const char *parent;
    int         parent_priority;
    if (!ht)
--- a/src/core/dns/nm-dns-systemd-resolved.c
+++ b/src/core/dns/nm-dns-systemd-resolved.c
@ -37,6 +37,7 @@
 static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
 static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS  = "SetLinkDNSOverTLS";
 static const char *const DBUS_OP_SET_LINK_DNS_EX        = "SetLinkDNSEx";
 static const char *const DBUS_OP_SET_LINK_DNSSEC        = "SetLinkDNSSEC";
 /*****************************************************************************/
@ -398,7 +399,7 @@ update_add_ip_config(NMDnsSystemdResolved    *self,
    for (i = 0; i < n; i++) {
        NMDnsServer dns_server;
-        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server))
+        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server, NULL))
            continue;
        if (!NM_IN_SET(dns_server.scheme,
@ -484,9 +485,11 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    NMSettingConnectionMdns       mdns              = NM_SETTING_CONNECTION_MDNS_DEFAULT;
    NMSettingConnectionLlmnr      llmnr             = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
    NMSettingConnectionDnsOverTls dns_over_tls      = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
    NMSettingConnectionDnssec     dnssec            = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
    const char                   *mdns_arg          = NULL;
    const char                   *llmnr_arg         = NULL;
    const char                   *dns_over_tls_arg  = NULL;
    const char                   *dnssec_arg        = NULL;
    gboolean                      has_config        = FALSE;
    gboolean                      has_default_route = FALSE;
    guint                         i;
@ -517,6 +520,7 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
                dns_over_tls =
                    NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
                dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
            }
        }
    }
@ -589,8 +593,24 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    }
    nm_assert(dns_over_tls_arg);
    switch (dnssec) {
    case NM_SETTING_CONNECTION_DNSSEC_NO:
        dnssec_arg = "no";
        break;
    case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
        dnssec_arg = "allow-downgrade";
        break;
    case NM_SETTING_CONNECTION_DNSSEC_YES:
        dnssec_arg = "yes";
        break;
    case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
        dnssec_arg = "";
        break;
    }
    nm_assert(dnssec_arg);
    if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
-        || !nm_str_is_empty(dns_over_tls_arg))
+        || !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
        has_config = TRUE;
    _request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@ -618,6 +638,10 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                         DBUS_OP_SET_LINK_DNS_OVER_TLS,
                         ic->ifindex,
                         g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
    _request_item_append(self,
                         DBUS_OP_SET_LINK_DNSSEC,
                         ic->ifindex,
                         g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));
    return has_config;
 }
--- a/src/core/main-utils.c
+++ b/src/core/main-utils.c
@ -81,7 +81,7 @@ nm_main_utils_write_pidfile(const char *pidfile)
    char                  pid[16];
    nm_sprintf_buf(pid, "%lld", (long long) getpid());
-    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, &error)) {
+    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, NULL, &error)) {
        fprintf(stderr, _("Writing to %s failed: %s\n"), pidfile, error->message);
        return FALSE;
    }
--- a/src/core/main.c
+++ b/src/core/main.c
@ -298,12 +298,6 @@ main(int argc, char *argv[])
    _nm_utils_is_manager_process = TRUE;
    /* Known to cause a possible deadlock upon GDBus initialization:
     * https://bugzilla.gnome.org/show_bug.cgi?id=674885 */
    g_type_ensure(G_TYPE_SOCKET);
    g_type_ensure(G_TYPE_DBUS_CONNECTION);
    g_type_ensure(NM_TYPE_DBUS_MANAGER);
    /* we determine a first-start (contrary to a restart during the same boot)
     * based on the existence of NM_CONFIG_DEVICE_STATE_DIR directory. */
    config_cli = nm_config_cmd_line_options_new(
@ -328,6 +322,12 @@ main(int argc, char *argv[])
        exit(result);
    }
    /* Known to cause a possible deadlock upon GDBus initialization:
     * https://bugzilla.gnome.org/show_bug.cgi?id=674885 */
    g_type_ensure(G_TYPE_SOCKET);
    g_type_ensure(G_TYPE_DBUS_CONNECTION);
    g_type_ensure(NM_TYPE_DBUS_MANAGER);
    nm_main_utils_ensure_not_running_pidfile(global_opt.pidfile);
    nm_main_utils_ensure_statedir();
@ -339,7 +339,7 @@ main(int argc, char *argv[])
        char *path, *slash;
        int   g;
-        /* exe is <basedir>/src/.libs/lt-NetworkManager, so chop off
+        /* exe is <builddir>/src/core/NetworkManager, so chop off
         * the last three components */
        path = realpath("/proc/self/exe", NULL);
        g_assert(path != NULL);
@ -461,14 +461,8 @@ main(int argc, char *argv[])
    /* the first access to State causes the file to be read (and possibly print a warning) */
    nm_config_state_get(config);
-    nm_log_dbg(LOGD_CORE,
+    nm_log_dbg(LOGD_CORE, "WEXT support is %s", HAVE_WEXT ? "enabled" : "disabled");
-               "WEXT support is %s",
+    nm_log_dbg(LOGD_CORE, "CLAT support is %s", HAVE_CLAT ? "enabled" : "disabled");
 #if HAVE_WEXT
               "enabled"
 #else
               "disabled"
 #endif
    );
    if (!_dbus_manager_init(config))
        goto done_no_manager;
--- a/src/core/meson.build
+++ b/src/core/meson.build
@ -32,6 +32,15 @@ install_data(
 core_plugins = []
 subdir('bpf')
 base_sources_addon = []
 base_deps_addon = []
 if enable_clat
  base_sources_addon += [clat_skel_h]
  base_deps_addon += [libbpf]
 endif
 libNetworkManagerBase = static_library(
  'NetworkManagerBase',
  sources: files(
@ -55,13 +64,13 @@ libNetworkManagerBase = static_library(
    'nm-l3cfg.c',
    'nm-bond-manager.c',
    'nm-ip-config.c',
-  ),
+  ) + base_sources_addon,
  dependencies: [
    core_default_dep,
    libnm_core_public_dep,
    libsystemd_dep,
    libudev_dep,
-  ],
+  ] + base_deps_addon,
 )
 nm_deps = [
@ -102,6 +111,7 @@ libNetworkManager = static_library(
    'devices/nm-device-ethernet-utils.c',
    'devices/nm-device-factory.c',
    'devices/nm-device-generic.c',
    'devices/nm-device-geneve.c',
    'devices/nm-device-hsr.c',
    'devices/nm-device-infiniband.c',
    'devices/nm-device-ip-tunnel.c',
--- a/src/core/ndisc/nm-lndp-ndisc.c
+++ b/src/core/ndisc/nm-lndp-ndisc.c
@ -19,6 +19,7 @@
 #include "libnm-systemd-shared/nm-sd-utils-shared.h"
 #include "nm-l3cfg.h"
 #include "nm-ndisc-private.h"
 #include "nm-core-utils.h"
 #define _NMLOG_PREFIX_NAME "ndisc-lndp"
@ -27,6 +28,14 @@
 typedef struct {
    struct ndp *ndp;
    GSource    *event_source;
    struct {
        NMRateLimit pio_lft;
        NMRateLimit mtu;
        NMRateLimit omit_prefix;
        NMRateLimit omit_dns;
        NMRateLimit omit_dnssl;
    } msg_ratelimit;
 } NMLndpNDiscPrivate;
 /*****************************************************************************/
@ -49,6 +58,36 @@ G_DEFINE_TYPE(NMLndpNDisc, nm_lndp_ndisc, NM_TYPE_NDISC)
 /*****************************************************************************/
 /*
 * If we log a message about an invalid RA packet, don't repeat the same message
 * at every packet received or sent. Rate limit the message to 6 every 12 hours
 * per type and per ndisc instance.
 */
 #define LOG_INV_RA_WINDOW (12 * 3600)
 #define LOG_INV_RA_BURST  6
 #define _LOG_INVALID_RA(ndisc, rate_limit, ...)                                  \
    G_STMT_START                                                                 \
    {                                                                            \
        NMNDisc     *__ndisc  = (ndisc);                                         \
        NMRateLimit *__rl     = (rate_limit);                                    \
        const char  *__ifname = nm_ndisc_get_ifname(__ndisc);                    \
                                                                                 \
        if (__ifname && nm_logging_enabled(LOGL_WARN, LOGD_IP6)                  \
            && nm_rate_limit_check(__rl, LOG_INV_RA_WINDOW, LOG_INV_RA_BURST)) { \
            nm_log(LOGL_WARN,                                                    \
                   LOGD_IP6,                                                     \
                   __ifname,                                                     \
                   NULL,                                                         \
                   "ndisc (%s): " _NM_UTILS_MACRO_FIRST(__VA_ARGS__),            \
                   __ifname _NM_UTILS_MACRO_REST(__VA_ARGS__));                  \
        }                                                                        \
    }                                                                            \
    G_STMT_END
 /*****************************************************************************/
 static gboolean
 send_rs(NMNDisc *ndisc, GError **error)
 {
@ -113,6 +152,7 @@ static int
 receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
 {
    NMNDisc             *ndisc   = (NMNDisc *) user_data;
    NMLndpNDiscPrivate  *priv    = NM_LNDP_NDISC_GET_PRIVATE(ndisc);
    NMNDiscDataInternal *rdata   = ndisc->rdata;
    NMNDiscConfigMap     changed = 0;
    NMNDiscGateway       gateway;
@ -229,7 +269,11 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
             * log a system management error in this case.
             */
            if (preferred_time > valid_time) {
-                _LOGW("skipping PIO - preferred lifetime > valid lifetime");
+                _LOG_INVALID_RA(
                    ndisc,
                    &priv->msg_ratelimit.pio_lft,
                    "ignoring Prefix Information Option with invalid lifetimes in received IPv6 "
                    "router advertisement");
                continue;
            }
@ -349,10 +393,38 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
             * Kernel would set it, but would flush out all IPv6 addresses away
             * from the link, even the link-local, and we wouldn't be able to
             * listen for further RAs that could fix the MTU. */
-            _LOGW("MTU too small for IPv6 ignored: %d", mtu);
+            _LOG_INVALID_RA(ndisc,
                            &priv->msg_ratelimit.mtu,
                            "ignoring too small MTU %u in received IPv6 "
                            "router advertisement",
                            mtu);
        }
    }
 #if HAVE_CLAT
    /* PREF64 */
    ndp_msg_opt_for_each_offset (offset, msg, NDP_MSG_OPT_PREF64) {
        NMNDiscPref64 pref64;
        pref64 = (NMNDiscPref64) {
            .prefix             = *ndp_msg_opt_pref64_prefix(msg, offset),
            .plen               = ndp_msg_opt_pref64_prefix_length(msg, offset),
            .gateway            = gateway.address,
            .gateway_preference = gateway.preference,
            .expiry_msec =
                _nm_ndisc_lifetime_to_expiry(now_msec, ndp_msg_opt_pref64_lifetime(msg, offset)),
            .gateway_expiry_msec = gateway.expiry_msec,
        };
        /* libndp should only return lengths defined in RFC 8781 */
        nm_assert(NM_IN_SET(pref64.plen, 96, 64, 56, 48, 40, 32));
        if (nm_ndisc_add_pref64(ndisc, &pref64, now_msec)) {
            changed |= NM_NDISC_CONFIG_PREF64;
        }
    }
 #endif
    nm_ndisc_ra_received(ndisc, now_msec, changed);
    return 0;
 }
@ -445,8 +517,11 @@ send_ra(NMNDisc *ndisc, GError **error)
        prefix = _ndp_msg_add_option(msg, sizeof(*prefix));
        if (!prefix) {
-            /* Maybe we could sent separate RAs, but why bother... */
+            /* Maybe we could send separate RAs, but why bother... */
-            _LOGW("The RA is too big, had to omit some some prefixes.");
+            _LOG_INVALID_RA(
                ndisc,
                &priv->msg_ratelimit.omit_prefix,
                "the outgoing IPv6 router advertisement is too big: omitting some prefixes");
            break;
        }
@ -475,7 +550,10 @@ send_ra(NMNDisc *ndisc, GError **error)
        option = _ndp_msg_add_option(msg, len);
        if (!option) {
-            _LOGW("The RA is too big, had to omit DNS information.");
+            _LOG_INVALID_RA(
                ndisc,
                &priv->msg_ratelimit.omit_dns,
                "the outgoing IPv6 router advertisement is too big: omitting DNS information");
            goto dns_servers_done;
        }
@ -553,7 +631,10 @@ dns_servers_done:
        nm_assert(len / 8u >= 2u);
        if (len / 8u >= 256u || !(option = _ndp_msg_add_option(msg, len))) {
-            _LOGW("The RA is too big, had to omit DNS search list.");
+            _LOG_INVALID_RA(
                ndisc,
                &priv->msg_ratelimit.omit_dnssl,
                "the outgoing IPv6 router advertisement is too big: omitting DNS search list");
            goto dns_domains_done;
        }
--- a/src/core/ndisc/nm-ndisc-private.h
+++ b/src/core/ndisc/nm-ndisc-private.h
@ -14,6 +14,7 @@ struct _NMNDiscDataInternal {
    NMNDiscData public;
    GArray *gateways;
    GArray *addresses;
    GArray *pref64;
    GArray *routes;
    GArray *dns_servers;
    GArray *dns_domains;
@ -28,6 +29,7 @@ gboolean nm_ndisc_add_gateway(NMNDisc *ndisc, const NMNDiscGateway *new_item, gi
 gboolean
 nm_ndisc_complete_and_add_address(NMNDisc *ndisc, const NMNDiscAddress *new_item, gint64 now_msec);
 gboolean nm_ndisc_add_route(NMNDisc *ndisc, const NMNDiscRoute *new_item, gint64 now_msec);
 gboolean nm_ndisc_add_pref64(NMNDisc *ndisc, const NMNDiscPref64 *new_item, gint64 now_msec);
 gboolean nm_ndisc_add_dns_server(NMNDisc *ndisc, const NMNDiscDNSServer *new_item, gint64 now_msec);
 gboolean nm_ndisc_add_dns_domain(NMNDisc *ndisc, const NMNDiscDNSDomain *new_item, gint64 now_msec);
--- a/src/core/ndisc/nm-ndisc.c
+++ b/src/core/ndisc/nm-ndisc.c
@ -34,6 +34,7 @@
 #define _SIZE_MAX_ROUTES      1000u
 #define _SIZE_MAX_DNS_SERVERS 64u
 #define _SIZE_MAX_DNS_DOMAINS 64u
 #define _SIZE_MAX_PREF64      8u
 /*****************************************************************************/
@ -109,7 +110,8 @@ nm_ndisc_data_to_l3cd(NMDedupMultiIndex        *multi_idx,
                      int                       ifindex,
                      const NMNDiscData        *rdata,
                      NMSettingIP6ConfigPrivacy ip6_privacy,
-                      NMUtilsIPv6IfaceId       *token)
+                      NMUtilsIPv6IfaceId       *token,
                      const char               *network_id)
 {
    nm_auto_unref_l3cd_init NML3ConfigData *l3cd = NULL;
    guint32                                 ifa_flags;
@ -211,13 +213,21 @@ nm_ndisc_data_to_l3cd(NMDedupMultiIndex        *multi_idx,
    for (i = 0; i < rdata->dns_domains_n; i++)
        nm_l3_config_data_add_search(l3cd, AF_INET6, rdata->dns_domains[i].domain);
    if (rdata->pref64_n > 0) {
        nm_l3_config_data_set_pref64(l3cd, rdata->pref64[0].prefix, rdata->pref64[0].plen);
    } else {
        nm_l3_config_data_set_pref64_valid(l3cd, FALSE);
    }
    nm_l3_config_data_set_ndisc_hop_limit(l3cd, rdata->hop_limit);
    nm_l3_config_data_set_ndisc_reachable_time_msec(l3cd, rdata->reachable_time_ms);
    nm_l3_config_data_set_ndisc_retrans_timer_msec(l3cd, rdata->retrans_timer_ms);
-    nm_l3_config_data_set_ip6_mtu(l3cd, rdata->mtu);
+    nm_l3_config_data_set_ip6_mtu_ra(l3cd, rdata->mtu);
    if (token)
        nm_l3_config_data_set_ip6_token(l3cd, *token);
    if (network_id)
        nm_l3_config_data_set_network_id(l3cd, network_id);
    return g_steal_pointer(&l3cd);
 }
@ -416,6 +426,7 @@ _data_complete(NMNDiscDataInternal *data)
    _SET(data, gateways);
    _SET(data, addresses);
    _SET(data, routes);
    _SET(data, pref64);
    _SET(data, dns_servers);
    _SET(data, dns_domains);
 #undef _SET
@ -437,7 +448,8 @@ nm_ndisc_emit_config_change(NMNDisc *self, NMNDiscConfigMap changed)
                                 nm_l3cfg_get_ifindex(priv->config.l3cfg),
                                 rdata,
                                 priv->config.ip6_privacy,
-                                 priv->iid_is_token ? &priv->iid : NULL);
+                                 priv->iid_is_token ? &priv->iid : NULL,
                                 priv->config.network_id);
    l3cd = nm_l3_config_data_seal(l3cd);
    if (!nm_l3_config_data_equal(priv->l3cd, l3cd))
@ -760,6 +772,59 @@ nm_ndisc_add_route(NMNDisc *ndisc, const NMNDiscRoute *new_item, gint64 now_msec
    return TRUE;
 }
 gboolean
 nm_ndisc_add_pref64(NMNDisc *ndisc, const NMNDiscPref64 *new_item, gint64 now_msec)
 {
    NMNDiscDataInternal *rdata = &NM_NDISC_GET_PRIVATE(ndisc)->rdata;
    guint                i;
    guint                insert_idx = G_MAXUINT;
    for (i = 0; i < rdata->pref64->len;) {
        NMNDiscPref64 *item = &nm_g_array_index(rdata->pref64, NMNDiscPref64, i);
        if (item->plen == new_item->plen && IN6_ARE_ADDR_EQUAL(&item->prefix, &new_item->prefix)
            && IN6_ARE_ADDR_EQUAL(&item->gateway, &new_item->gateway)) {
            if (new_item->expiry_msec <= now_msec) {
                g_array_remove_index(rdata->pref64, i);
                return TRUE;
            }
            if (item->gateway_preference != new_item->gateway_preference) {
                g_array_remove_index(rdata->pref64, i);
                continue;
            }
            item->gateway_expiry_msec = new_item->gateway_expiry_msec;
            if (item->expiry_msec == new_item->expiry_msec)
                return FALSE;
            item->expiry_msec = new_item->expiry_msec;
            return TRUE;
        }
        /* Put before less preferable gateways. */
        if (_preference_to_priority(item->gateway_preference)
                < _preference_to_priority(new_item->gateway_preference)
            && insert_idx == G_MAXUINT)
            insert_idx = i;
        i++;
    }
    if (rdata->pref64->len >= _SIZE_MAX_PREF64)
        return FALSE;
    if (new_item->expiry_msec <= now_msec)
        return FALSE;
    g_array_insert_val(rdata->pref64,
                       insert_idx == G_MAXUINT ? rdata->pref64->len : insert_idx,
                       *new_item);
    return TRUE;
 }
 gboolean
 nm_ndisc_add_dns_server(NMNDisc *ndisc, const NMNDiscDNSServer *new_item, gint64 now_msec)
 {
@ -1400,6 +1465,17 @@ _config_changed_log(NMNDisc *ndisc, NMNDiscConfigMap changed)
              nm_icmpv6_router_pref_to_string(route->preference, str_pref, sizeof(str_pref)),
              get_exp(str_exp, now_msec, route));
    }
    for (i = 0; i < rdata->pref64->len; i++) {
        const NMNDiscPref64 *pref64 = &nm_g_array_index(rdata->pref64, NMNDiscPref64, i);
        char                 addrstr2[NM_INET_ADDRSTRLEN];
        _LOGD("  pref64 %s/%u via %s exp %s",
              nm_inet6_ntop(&pref64->prefix, addrstr),
              pref64->plen,
              nm_inet6_ntop(&pref64->gateway, addrstr2),
              get_exp(str_exp, now_msec, pref64));
    }
    for (i = 0; i < rdata->dns_servers->len; i++) {
        const NMNDiscDNSServer *dns_server =
            &nm_g_array_index(rdata->dns_servers, NMNDiscDNSServer, i);
@ -1524,6 +1600,45 @@ clean_routes(NMNDisc *ndisc, gint64 now_msec, NMNDiscConfigMap *changed, gint64
        *changed |= NM_NDISC_CONFIG_ROUTES;
 }
 static void
 clean_pref64(NMNDisc *ndisc, gint64 now_msec, NMNDiscConfigMap *changed, gint64 *next_msec)
 {
    NMNDiscDataInternal *rdata = &NM_NDISC_GET_PRIVATE(ndisc)->rdata;
    NMNDiscPref64       *arr;
    guint                i;
    guint                j;
    if (rdata->pref64->len == 0)
        return;
    arr = &nm_g_array_first(rdata->pref64, NMNDiscPref64);
    for (i = 0, j = 0; i < rdata->pref64->len; i++) {
        if (!expiry_next(now_msec, arr[i].expiry_msec, next_msec)
            || !expiry_next(now_msec,
                            arr[i].gateway_expiry_msec,
                            next_msec)) { /* no gateway no party */
            if (i == 0) {
                /* Emit the changed signal only when the first PREF64 expires,
                 * because only the first item is exported into the l3cd. Changes
                 * in other PREF64s are not relevant. */
                *changed |= NM_NDISC_CONFIG_PREF64;
            }
            continue;
        }
        if (i != j)
            arr[j] = arr[i];
        j++;
    }
    if (i != j) {
        g_array_set_size(rdata->pref64, j);
    }
    _array_set_size_max(rdata->pref64, _SIZE_MAX_PREF64);
 }
 static void
 clean_dns_servers(NMNDisc *ndisc, gint64 now_msec, NMNDiscConfigMap *changed, gint64 *next_msec)
 {
@ -1600,6 +1715,7 @@ check_timestamps(NMNDisc *ndisc, gint64 now_msec, NMNDiscConfigMap changed)
    clean_gateways(ndisc, now_msec, &changed, &next_msec);
    clean_addresses(ndisc, now_msec, &changed, &next_msec);
    clean_routes(ndisc, now_msec, &changed, &next_msec);
    clean_pref64(ndisc, now_msec, &changed, &next_msec);
    clean_dns_servers(ndisc, now_msec, &changed, &next_msec);
    clean_dns_domains(ndisc, now_msec, &changed, &next_msec);
@ -1919,6 +2035,7 @@ nm_ndisc_init(NMNDisc *ndisc)
    rdata->gateways    = g_array_new(FALSE, FALSE, sizeof(NMNDiscGateway));
    rdata->addresses   = g_array_new(FALSE, FALSE, sizeof(NMNDiscAddress));
    rdata->routes      = g_array_new(FALSE, FALSE, sizeof(NMNDiscRoute));
    rdata->pref64      = g_array_new(FALSE, FALSE, sizeof(NMNDiscPref64));
    rdata->dns_servers = g_array_new(FALSE, FALSE, sizeof(NMNDiscDNSServer));
    rdata->dns_domains = g_array_new(FALSE, FALSE, sizeof(NMNDiscDNSDomain));
    g_array_set_clear_func(rdata->dns_domains, dns_domain_free);
@ -1951,6 +2068,7 @@ finalize(GObject *object)
    g_array_unref(rdata->gateways);
    g_array_unref(rdata->addresses);
    g_array_unref(rdata->routes);
    g_array_unref(rdata->pref64);
    g_array_unref(rdata->dns_servers);
    g_array_unref(rdata->dns_domains);
--- a/src/core/ndisc/nm-ndisc.h
+++ b/src/core/ndisc/nm-ndisc.h
@ -119,6 +119,15 @@ typedef struct _NMNDiscRoute {
    bool               duplicate : 1;
 } NMNDiscRoute;
 typedef struct _NMNDiscPref64 {
    struct in6_addr    prefix;
    struct in6_addr    gateway;
    gint64             expiry_msec;
    gint64             gateway_expiry_msec;
    NMIcmpv6RouterPref gateway_preference;
    guint8             plen;
 } NMNDiscPref64;
 typedef struct {
    struct in6_addr address;
    gint64          expiry_msec;
@ -141,6 +150,7 @@ typedef enum {
    NM_NDISC_CONFIG_MTU            = 1 << 7,
    NM_NDISC_CONFIG_REACHABLE_TIME = 1 << 8,
    NM_NDISC_CONFIG_RETRANS_TIMER  = 1 << 9,
    NM_NDISC_CONFIG_PREF64         = 1 << 10,
 } NMNDiscConfigMap;
 typedef enum {
@ -188,12 +198,14 @@ typedef struct {
    guint gateways_n;
    guint addresses_n;
    guint routes_n;
    guint pref64_n;
    guint dns_servers_n;
    guint dns_domains_n;
    const NMNDiscGateway   *gateways;
    const NMNDiscAddress   *addresses;
    const NMNDiscRoute     *routes;
    const NMNDiscPref64    *pref64;
    const NMNDiscDNSServer *dns_servers;
    const NMNDiscDNSDomain *dns_domains;
 } NMNDiscData;
@ -282,6 +294,7 @@ struct _NML3ConfigData *nm_ndisc_data_to_l3cd(NMDedupMultiIndex        *multi_id
                                              int                       ifindex,
                                              const NMNDiscData        *rdata,
                                              NMSettingIP6ConfigPrivacy ip6_privacy,
-                                              NMUtilsIPv6IfaceId       *token);
+                                              NMUtilsIPv6IfaceId       *token,
                                              const char               *network_id);
 #endif /* __NETWORKMANAGER_NDISC_H__ */
--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@ -39,7 +39,9 @@ typedef struct {
    bool               activation_lifetime_bound_to_profile_visibility : 1;
    bool               settings_connection_is_unsaved : 1;
    bool               settings_connection_is_shadowed_owned : 1;
    bool               permanent_managed_by_mac : 1;
    NMUnmanFlagOp      unmanaged_explicit;
    NMTernary          permanent_managed;
    NMActivationReason activation_reason;
    gulong             dev_exported_change_id;
 } DeviceCheckpoint;
@ -160,7 +162,7 @@ parse_connection_from_shadowed_file(const char *path, GError **error)
 {
    nm_auto_unref_keyfile GKeyFile *keyfile  = NULL;
    gs_free char                   *base_dir = NULL;
-    char                           *sep;
+    const char                     *sep;
    keyfile = g_key_file_new();
    if (!g_key_file_load_from_file(keyfile, path, G_KEY_FILE_NONE, error))
@ -497,13 +499,18 @@ nm_checkpoint_rollback(NMCheckpoint *self)
    g_hash_table_iter_init(&iter, priv->devices);
    while (g_hash_table_iter_next(&iter, (gpointer *) &device, (gpointer *) &dev_checkpoint)) {
        guint32   result              = NM_ROLLBACK_RESULT_OK;
        NMTernary perm_managed        = NM_TERNARY_DEFAULT;
        gboolean  perm_managed_by_mac = FALSE;
        gboolean  force_perm_managed;
        _LOGD("rollback: restoring device %s (state %d, realized %d, explicitly unmanaged %d, "
-              "connection-unsaved %d, connection-shadowed %d, connection-shadowed-owned %d)",
+              "permanently managed %d, connection-unsaved %d, connection-shadowed %d, "
              "connection-shadowed-owned %d)",
              dev_checkpoint->original_dev_name,
              (int) dev_checkpoint->state,
              dev_checkpoint->realized,
              dev_checkpoint->unmanaged_explicit,
              dev_checkpoint->permanent_managed,
              dev_checkpoint->settings_connection_is_unsaved,
              !!dev_checkpoint->settings_connection_shadowed,
              dev_checkpoint->settings_connection_is_shadowed_owned);
@ -541,6 +548,43 @@ nm_checkpoint_rollback(NMCheckpoint *self)
                                                   NM_DEVICE_STATE_REASON_NOW_MANAGED);
        }
        force_perm_managed = !nm_config_get_device_managed(nm_config_get(),
                                                           device,
                                                           &perm_managed,
                                                           &perm_managed_by_mac,
                                                           NULL);
        if (force_perm_managed || (perm_managed != dev_checkpoint->permanent_managed)
            || (dev_checkpoint->permanent_managed != NM_TERNARY_DEFAULT
                && perm_managed_by_mac != dev_checkpoint->permanent_managed_by_mac)) {
            gs_free_error GError *error = NULL;
            NMUnmanFlagOp         set_op;
            _LOGD("rollback: restore permanent managed state");
            if (!nm_config_set_device_managed(nm_config_get(),
                                              device,
                                              dev_checkpoint->permanent_managed,
                                              dev_checkpoint->permanent_managed_by_mac,
                                              &error)) {
                _LOGE("rollback: failed to restore permanent managed state: %s", error->message);
                result = NM_ROLLBACK_RESULT_ERR_FAILED;
                /* even if this failed, we try to continue the rollback */
            }
            if (dev_checkpoint->permanent_managed == NM_TERNARY_TRUE)
                set_op = NM_UNMAN_FLAG_OP_SET_MANAGED;
            else if (dev_checkpoint->permanent_managed == NM_TERNARY_FALSE)
                set_op = NM_UNMAN_FLAG_OP_SET_UNMANAGED;
            else
                set_op = NM_UNMAN_FLAG_OP_FORGET;
            nm_device_set_unmanaged_by_flags_queue(device,
                                                   NM_UNMANAGED_USER_CONF,
                                                   set_op,
                                                   NM_DEVICE_STATE_REASON_NOW_MANAGED);
        }
        if (dev_checkpoint->state == NM_DEVICE_STATE_UNMANAGED) {
            if (nm_device_get_state(device) != NM_DEVICE_STATE_UNMANAGED
                || dev_checkpoint->unmanaged_explicit == NM_UNMAN_FLAG_OP_SET_UNMANAGED) {
@ -703,6 +747,8 @@ device_checkpoint_create(NMCheckpoint *self, NMDevice *device)
    NMSettingsConnection *settings_connection;
    const char           *path;
    NMActRequest         *act_request;
    gboolean              perm_managed_by_mac;
    gs_free_error GError *error = NULL;
    nm_assert(NM_IS_DEVICE(device));
    nm_assert(nm_device_is_real(device));
@ -728,12 +774,26 @@ device_checkpoint_create(NMCheckpoint *self, NMDevice *device)
    } else
        dev_checkpoint->unmanaged_explicit = NM_UNMAN_FLAG_OP_FORGET;
    if (nm_config_get_device_managed(nm_config_get(),
                                     device,
                                     &dev_checkpoint->permanent_managed,
                                     &perm_managed_by_mac,
                                     NULL)) {
        dev_checkpoint->permanent_managed_by_mac = perm_managed_by_mac;
    } else {
        dev_checkpoint->permanent_managed        = NM_TERNARY_DEFAULT;
        dev_checkpoint->permanent_managed_by_mac = FALSE;
        _LOGW("error getting permanent managed state for %s: %s",
              nm_device_get_iface(device),
              error->message);
        g_clear_error(&error);
    }
    act_request = nm_device_get_act_request(device);
    if (act_request) {
        NMSettingsStorage *storage;
        gboolean           shadowed_owned = FALSE;
        const char        *shadowed_file;
        gs_free_error GError *error = NULL;
        settings_connection = nm_act_request_get_settings_connection(act_request);
        applied_connection  = nm_act_request_get_applied_connection(act_request);
@ -764,6 +824,7 @@ device_checkpoint_create(NMCheckpoint *self, NMDevice *device)
                _LOGW("error reading shadowed connection file for %s: %s",
                      nm_device_get_iface(device),
                      error->message);
                g_clear_error(&error);
            }
        }
    }
--- a/Show more
+++ b/Show more