merge: branch 'bg/deprecate-wext'

build: deprecate Wireless Extensions https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2309
rpm: disable wireless extensions on Fedora
2025-12-20 07:00:05 +01:00 · 2025-12-18 15:14:45 +00:00 · 2025-12-18 16:06:44 +01:00 · 2025-12-18 16:06:42 +01:00 · 2025-12-17 11:59:20 +01:00 · 2025-12-17 10:55:51 +01:00
340 changed files with 24611 additions and 15982 deletions
--- a/.gitignore
+++ b/.gitignore
@ -81,7 +81,6 @@ test-*.trs
 /data/org.freedesktop.NetworkManager.service
 /data/server.conf
 /data/org.freedesktop.NetworkManager.policy
-/data/org.freedesktop.NetworkManager.policy.in
 /data/nm-sudo.service
 /data/nm-priv-helper.service
 /data/NetworkManager-config-initrd.service
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -60,11 +60,11 @@ variables:
  #
  # This is done by running `ci-fairy generate-template` and possibly bumping
  # ".default_tag".
-  ALPINE_TAG:  'tag-da1ae96102c6'
-  CENTOS_TAG:  'tag-c8df7d2b249f'
-  DEBIAN_TAG:  'tag-e68f538711ec'
-  FEDORA_TAG:  'tag-c8df7d2b249f'
-  UBUNTU_TAG:  'tag-e68f538711ec'
+  ALPINE_TAG:  'tag-0c3a6f855fb8'
+  CENTOS_TAG:  'tag-c1c23df75dda'
+  DEBIAN_TAG:  'tag-d4bf5db9e214'
+  FEDORA_TAG:  'tag-c1c23df75dda'
+  UBUNTU_TAG:  'tag-d4bf5db9e214'

  ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
  CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@ -128,6 +128,20 @@ tier2:fedora:rawhide@prep:
      when: manual
      allow_failure: true

+tier2:centos:stream10@prep:
+  extends:
+    - .fdo.container-build@centos
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: 'stream10'
+    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
+    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+      when: manual
+      allow_failure: true
+
 tier2:centos:stream9@prep:
  extends:
    - .fdo.container-build@centos
@ -198,6 +212,20 @@ tier2:alpine:edge@prep:
      when: manual
      allow_failure: true

+tier3:fedora:43@prep:
+  extends:
+    - .fdo.container-build@fedora
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: '43'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+      when: manual
+      allow_failure: true
+
 tier3:fedora:41@prep:
  extends:
    - .fdo.container-build@fedora
@ -226,20 +254,6 @@ tier3:ubuntu:25.04@prep:
      when: manual
      allow_failure: true

-tier3:ubuntu:24.10@prep:
-  extends:
-    - .fdo.container-build@ubuntu
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: '24.10'
-    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
-    FDO_DISTRIBUTION_EXEC: $UBUNTU_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier3:ubuntu:24.04@prep:
  extends:
    - .fdo.container-build@ubuntu
@ -268,6 +282,20 @@ tier3:ubuntu:22.04@prep:
      when: manual
      allow_failure: true

+tier3:debian:13@prep:
+  extends:
+    - .fdo.container-build@debian
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: '13'
+    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
+    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+      when: manual
+      allow_failure: true
+
 tier3:debian:12@prep:
  extends:
    - .fdo.container-build@debian
@ -282,6 +310,20 @@ tier3:debian:12@prep:
      when: manual
      allow_failure: true

+tier3:alpine:3.22@prep:
+  extends:
+    - .fdo.container-build@alpine
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: '3.22'
+    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
+    FDO_DISTRIBUTION_EXEC: $ALPINE_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+      when: manual
+      allow_failure: true
+
 tier3:alpine:3.21@prep:
  extends:
    - .fdo.container-build@alpine
@ -377,6 +419,20 @@ t_fedora:rawhide:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

+t_centos:stream10:
+  extends:
+    - .build@template
+    - .fdo.distribution-image@centos
+    - .nm_artifacts_debug
+  stage: tier2
+  variables:
+    FDO_DISTRIBUTION_VERSION: 'stream10'
+    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
+  needs:
+    - "tier2:centos:stream10@prep"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+
 t_centos:stream9:
  extends:
    - .build@template
@ -447,6 +503,20 @@ t_alpine:edge:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

+t_fedora:43:
+  extends:
+    - .build@template
+    - .fdo.distribution-image@fedora
+    - .nm_artifacts_debug
+  stage: tier3
+  variables:
+    FDO_DISTRIBUTION_VERSION: '43'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+  needs:
+    - "tier3:fedora:43@prep"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+
 t_fedora:41:
  extends:
    - .build@template
@ -475,20 +545,6 @@ t_ubuntu:25.04:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

-t_ubuntu:24.10:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@ubuntu
-    - .nm_artifacts_debug
-  stage: tier3
-  variables:
-    FDO_DISTRIBUTION_VERSION: '24.10'
-    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
-  needs:
-    - "tier3:ubuntu:24.10@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_ubuntu:24.04:
  extends:
    - .build@template
@ -517,6 +573,20 @@ t_ubuntu:22.04:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

+t_debian:13:
+  extends:
+    - .build@template
+    - .fdo.distribution-image@debian
+    - .nm_artifacts_debug
+  stage: tier3
+  variables:
+    FDO_DISTRIBUTION_VERSION: '13'
+    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
+  needs:
+    - "tier3:debian:13@prep"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+
 t_debian:12:
  extends:
    - .build@template
@ -531,6 +601,20 @@ t_debian:12:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

+t_alpine:3.22:
+  extends:
+    - .build@template
+    - .fdo.distribution-image@alpine
+    - .nm_artifacts_debug
+  stage: tier3
+  variables:
+    FDO_DISTRIBUTION_VERSION: '3.22'
+    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
+  needs:
+    - "tier3:alpine:3.22@prep"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+
 t_alpine:3.21:
  extends:
    - .build@template
@ -629,7 +713,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  dependencies:
    - "t_fedora:42: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/ci.template
+++ b/.gitlab-ci/ci.template
@ -240,7 +240,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  dependencies:
    - "t_{{default_distro.name}}:{{default_distro.versions[0]}}: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/config.yml
+++ b/.gitlab-ci/config.yml
@ -34,6 +34,7 @@ distributions:
  - name: centos
    tier: 2
    versions:
+      - 'stream10'
      - 'stream9'
  - name: ubuntu
    tier: 2
@ -54,21 +55,23 @@ distributions:
  - name: fedora
    tier: 3
    versions:
+      - '43'
      - '41'
  - name: ubuntu
    tier: 3
    versions:
      - '25.04'
-      - '24.10'
      - '24.04'
      - '22.04'
  - name: debian
    tier: 3
    versions:
+      - '13'
      - '12'
  - name: alpine
    tier: 3
    versions:
+      - '3.22'
      - '3.21'
      - '3.20'
      - '3.19'
--- a/.gitlab-ci/distros-info.yml
+++ b/.gitlab-ci/distros-info.yml
@ -8,6 +8,9 @@ fedora:
 - version: rawhide
  support: yes
  nm: main
+- version: 43
+  support: 2026-12-02
+  nm: 1.54
 - version: 42
  support: 2026-05-13
  nm: 1.52
@ -18,8 +21,11 @@ fedora:

 # CentOS Stream
 centos:
+- version: stream10
+  support: 2030-12-31 # exact date unknown, only the year
+  nm: main
 - version: stream9
-  support: 2027-05-31
+  support: 2027-12-31 # exact date unknown, only the year
  nm: main

 # RHEL:
@ -31,33 +37,43 @@ centos:
 #   support: 6 months
 # Releases and support info: https://access.redhat.com/support/policy/updates/errata
 rhel:
- version: 9.6  # not released yet
+# Not released yet
+- version: 10.1
  support: yes
-  nm: main
- version: 9.5
+  nm: 1.54
+- version: 9.7  # not released yet
  support: yes
-  nm: 1.48
+  nm: 1.54
+# Full support or EUS support:
+- version: 10.0
+  support: 2027-05-31
+  extended-support: 2029-05-31
+  nm: 1.52
+- version: 9.6
+  support: 2027-05-31
+  extended-support: 2029-05-31
+  nm: 1.52
 - version: 9.4
  support: 2026-04-30
  extended-support: 2028-04-30
  nm: 1.46
- version: 9.2
-  support: 2025-05-31
-  extended-support: 2027-05-31
-  nm: 1.42
 - version: 8.10  # last RHEL 8 release, maintenaince support only
  support: 2029-05-31
  extended-support: no
  nm: 1.40
- version: 8.8
+# SAP / Enhaced EUS only:
+- version: 9.2
  support: 2025-05-31
  extended-support: 2027-05-31
-  nm: 1.40
-# SAP / Enhaced EUS only:
+  nm: 1.42
 - version: 9.0
  support: 2024-05-31
  extended-support: 2026-05-31
  nm: 1.36
+- version: 8.8
+  support: 2025-05-31
+  extended-support: 2027-05-31
+  nm: 1.40
 - version: 8.6
  support: 2024-05-31
  extended-support: 2026-05-31
@ -81,10 +97,6 @@ ubuntu:
  name: plucky
  support: 2026-01-15
  nm: 1.52
- version: 24.10
-  name: oracular
-  support: 2025-07-10
-  nm: 1.48
 - version: 24.04
  name: noble
  support: 2029-05-31
@ -109,6 +121,11 @@ debian:
 - version: sid
  support: yes
  nm: main
+- version: 13
+  name: trixie
+  support: 2028-08-09
+  extended-support: 2030-06-30
+  nm: 1.52
 - version: 12
  name: bookworm
  support: 2026-06-11
@ -130,6 +147,9 @@ alpine:
 - version: edge
  support: yes
  nm: main
+- version: 3.22
+  support: 2027-05-01
+  nm: 1.52
 - version: 3.21
  support: 2026-11-01
  nm: 1.50
--- a/.gitlab-ci/fedora-install.sh
+++ b/.gitlab-ci/fedora-install.sh
@ -13,6 +13,8 @@ if [ $IS_CENTOS = 1 ]; then
        CENTOS_VERSION=8
    elif grep -q '^VERSION_ID=.*\<9\>' /etc/os-release ; then
        CENTOS_VERSION=9
+    elif grep -q '^VERSION_ID=.*\<10\>' /etc/os-release ; then
+        CENTOS_VERSION=10
    else
        exit 1
    fi
@ -33,6 +35,11 @@ fi
        dnf install -y 'dnf-command(config-manager)'
        dnf config-manager --set-enabled crb
        curl https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-9/nmstate-nm-build-deps-epel-9.repo > /etc/yum.repos.d/nmstate-nm-build-deps-epel-9.repo
+    elif [ "$CENTOS_VERSION" = stream10 ]; then
+        dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
+        dnf install -y 'dnf-command(config-manager)'
+        dnf config-manager --set-enabled crb
+        curl https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-10/nmstate-nm-build-deps-epel-10.repo > /etc/yum.repos.d/nmstate-nm-build-deps-epel-10.repo
    else
        exit 1
    fi
--- a/.gitlab-ci/run-test.sh
+++ b/.gitlab-ci/run-test.sh
@ -17,10 +17,17 @@ grep -q '^NAME=.*\(CentOS\)' /etc/os-release && IS_CENTOS=1
 grep -q '^NAME=.*\(Fedora\)' /etc/os-release && IS_FEDORA=1
 grep -q '^NAME=.*\(Alpine\)' /etc/os-release && IS_ALPINE=1

-IS_CENTOS_7=0
 if [ $IS_CENTOS = 1 ]; then
-    if grep -q '^VERSION_ID=.*\<7\>' /etc/os-release ; then
-        IS_CENTOS_7=1
+    CENTOS_VER_LINE="$(grep '^VERSION_ID=' /etc/os-release)"
+    if [[ $CENTOS_VER_LINE =~ ^VERSION_ID=\"?([0-9]+)\"?$ ]]; then
+        CENTOS_VER="${BASH_REMATCH[1]}"
+    else
+        echo "Error detecting CentOS Stream version" >&2
+        exit 1
+    fi
+
+    if (( $CENTOS_VER >= 10 )); then
+        export WITH_LIBTEAM=0
    fi
 fi

@ -148,12 +155,7 @@ test_subtree() {
    do_clean
    pushd ./src/$d

-    ARGS=()
-    if [ "$d" = n-acd ]; then
-        ARGS+=('-Debpf=false')
-    fi
-
-    CC="$cc" CFLAGS="-Werror -Wall" meson build "${ARGS[@]}"
+    CC="$cc" CFLAGS="-Werror -Wall" meson build
    ninja -v -C build test

    popd
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -252,17 +252,25 @@ Versioning scheme (version numbers are called MAJOR.MINOR.MICRO):
  versioning scheme than the main NM project despite there are no development
  versions here.

+Before starting:
+- You need to have the maintainer role in the project.
+- The GPG key used to sign the release must be added to your GNOME's Gitlab
+  profile and uploaded to a keyserver.
+- All details: https://handbook.gnome.org/maintainers/making-a-release.html
+
 When doing a release, follow this process:
 1. Ensure that `NEWS` file is up to date.
-2. Increment the version in `meson.build`, commit and tag the commit. Example:
-   `git tag -s 1.2.8 -m 'Tag 1.2.8'`.
-3. Ensure that you are on the right commit and create the tarball:
-   `git clean -fdx && meson setup build && cd build && meson dist`
-4. Upload the tarball: `scp ./*-*.tar.xz "$user@master.gnome.org:"`
-5. Login to `master.gnome.org` and run `ftpadmin install`.  
-   Ensure the new tarballs show up at https://download.gnome.org/sources/
-   (happens after a short delay)
-6. Announce the release on the mailing list.
+2. Increment the version in `meson.build` or `configure.ac`.
+3. Commit and push to the `main` branch.
+4. Check that the Gitlab's pipeline finishes without errors.
+5. Tag the commit with a signed tag. Example: `git tag -s 1.2.8 -m 'Release 1.2.8'`.
+6. Push the tag. Example: `git push origin 1.2.8`.  
+   WARN: this is what starts the automatic CI release. As GNOME doesn't allow
+   to delete tags, any error detected after this will force a new version bump.
+7. Check that the Gitlab's pipeline finishes without errors. If that happens,
+   the release is done and available both in the Gitlab's releases section and
+   https://download.gnome.org/sources/*
+8. Announce the release on the mailing list.

 Notes:
 - You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).
--- a/63
+++ b/63
@ -1,3 +1,66 @@
+=============================================
+NetworkManager-1.58
+Overview of changes since NetworkManager-1.56
+=============================================
+
+This is a snapshot of NetworkManager development. The API is
+subject to change and not guaranteed to be compatible with
+the later release.
+USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
+
+* Restrict the connectivity check to use the DNS servers defined on the
+  same link. If the link has no DNS servers, the connectivity check will
+  use any servers available in the system.
+* Install the systemd units in the initramfs using a systemd generator.
+* A new "check-connectivity" configuration option is available to disable the
+  connectivity check for selected interfaces.
+* Remove the modify_system build option that allowed setting up the
+  polkit permissions to allow non-admin users to create system-wide
+  connection. That configuration is discouraged because it can be used
+  to bypass filesystem permissions.
+* For private connections (the ones that specify a user in the
+  "connection.permissions" property), verify that the user can access
+  the 802.1X certificates and keys set in the connection.
+* Introduce a libnm function that can be used by VPN plugins to check
+  user permissions on certificate and keys.
+* The support for Wireless Extensions is deprecated and will be
+  removed in a future release. Wireless Extensions are now disabled by
+  default.
+
+=============================================
+NetworkManager-1.56
+Overview of changes since NetworkManager-1.54
+=============================================
+
+* nmcli now supports viewing and managing WireGuard peers.
+* Support reapplying the "sriov.vfs" property as long as
+  "sriov.total-vfs" is not changed.
+* Support reapplying "bond-port.vlans".
+* Accept hostnames longer than 64 characters from DNS lookup.
+* Make that global-dns configuration overwrites DNS searches and
+  options from connections, instead of merging all together.
+* Add support for a new rd.net.dhcp.client-id option in
+  nm-initrd-generator.
+* Add gsm device-uid setting to restrict the devices the connection applies to.
+* Support configuring the HSR protocol version via the
+  "hsr.protocol-version" property.
+* Fix a bug that makes broadband connections auto-connect getting 
+  blocked if the connection tries to reconnect when modem status is 
+  "disconnecting" / "disconnected".
+* Treat modem connection not having an operator code available
+  as a recoverable error.
+* Add support for configuring systemd-resolved's DNSSEC option
+  per-connection via the "connection.dnssec" connection property.
+* Support configuring the HSR interlink port via the
+  "hsr.interlink" property.
+* Fix some connection properties not being applied to vpn connections
+  (connection.mdns, connection.llmnr, connection.dns-over-tls,
+   connection.mptcp-flags, ipv6.ip6-privacy)
+* Update n-acd to always compile with eBPF enabled, as support
+  for eBPF is now detected at run time.
+* Add new MPTCP 'laminar' endpoint type, and set it by default alongside
+  the 'subflow' one.
+
 =============================================
 NetworkManager-1.54
 Overview of changes since NetworkManager-1.52
--- a/config.h.meson
+++ b/config.h.meson
@ -239,6 +239,15 @@
 /* Whether we build with OVS plugin */
 #mesondefine WITH_OPENVSWITCH

+/* Whether we build with team support */
+#mesondefine WITH_TEAMDCTL
+
+/* Whether we build with Wi-Fi support */
+#mesondefine WITH_WIFI
+
+/* Whether we build with WWAN support */
+#mesondefine WITH_WWAN
+
 /* Define if you have PPP support */
 #mesondefine WITH_PPP

--- a/contrib/alpine/REQUIRED_PACKAGES
+++ b/contrib/alpine/REQUIRED_PACKAGES
@ -11,6 +11,7 @@ apk add \
    'clang' \
    'curl-dev' \
    'dbus' \
+    'dbus-dev' \
    'elogind-dev' \
    'eudev-dev' \
    'gcc' \
@ -29,7 +30,6 @@ apk add \
    'libpsl-dev' \
    'libsoup-dev' \
    'libteam-dev' \
-    'libtool' \
    'linux-headers' \
    'meson' \
    'mobile-broadband-provider-info' \
--- a/contrib/debian/REQUIRED_PACKAGES
+++ b/contrib/debian/REQUIRED_PACKAGES
@ -62,7 +62,6 @@ install \
    libreadline-dev \
    libsystemd-dev \
    libteam-dev \
-    libtool \
    libudev-dev \
    locales \
    meson \
--- a/contrib/fedora/REQUIRED_PACKAGES
+++ b/contrib/fedora/REQUIRED_PACKAGES
@ -68,7 +68,6 @@ install \
    libndp-devel \
    libnvme-devel \
    libselinux-devel \
-    libtool \
    libuuid-devel \
    meson \
    mobile-broadband-provider-info-devel \
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@ -14,6 +14,7 @@

 %global epoch_version 1
 %global real_version __VERSION__
+%global git_tag_version __GIT_TAG_VERSION__
 %global rpm_version %{real_version}
 %global release_version __RELEASE_VERSION__
 %global snapshot __SNAPSHOT__
@ -106,6 +107,11 @@
 %else
 %bcond_without iwd
 %endif
+%if 0%{?fedora} <= 43 || 0%{?rhel} <= 10
+%bcond_without polkit_noauth_group
+%else
+%bcond_with polkit_noauth_group
+%endif

 ###############################################################################

@ -153,17 +159,6 @@
 %bcond_with ifcfg_migrate
 %endif

-%if 0%{?fedora}
-# Although eBPF would be available on Fedora's kernel, it seems
-# we often get SELinux denials (rh#1651654). But even aside them,
-# bpf(BPF_MAP_CREATE, ...) randomly fails with EPERM. That might
-# be related to `ulimit -l`. Anyway, this is not usable at the
-# moment.
-%global ebpf_enabled "no"
-%else
-%global ebpf_enabled "no"
-%endif
-
 # Fedora 33 enables LTO by default by setting CFLAGS="-flto -ffat-lto-objects".
 # However, we also require "-flto -flto-partition=none", so disable Fedora's
 # default and use our configure option --with-lto instead.
@ -180,7 +175,7 @@ Group: System Environment/Base
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 URL: https://networkmanager.dev/

-#Source: https://download.gnome.org/sources/NetworkManager/%{real_version_major}/%{name}-%{real_version}.tar.xz
+#Source: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/releases/%{git_tag_version}/downloads/%{name}-%{real_version}.tar.xz
 Source: __SOURCE1__
 Source1: NetworkManager.conf
 Source2: 00-server.conf
@ -253,7 +248,6 @@ Conflicts: NetworkManager-dispatcher-routing-rules <= 1:1.47.5-3
 %endif

 BuildRequires: gcc
-BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: meson
 BuildRequires: gettext-devel >= 0.19.8
@ -627,14 +621,10 @@ Preferably use nmcli instead.
 %endif
 %if %{with wifi}
 	-Dwifi=true \
-%if 0%{?fedora}
-	-Dwext=true \
-%else
-	-Dwext=false \
-%endif
 %else
 	-Dwifi=false \
 %endif
+	-Dwext=false \
 %if %{with iwd}
 	-Diwd=true \
 %else
@ -676,22 +666,20 @@ Preferably use nmcli instead.
 	-Dselinux=true \
 	-Dpolkit=true  \
 	-Dconfig_auth_polkit_default=true \
-	-Dmodify_system=true \
+%if %{with polkit_noauth_group}
+	-Dpolkit_noauth_group=wheel \
+%endif
 	-Dconcheck=true \
 %if 0%{?fedora}
 	-Dlibpsl=true \
 %else
 	-Dlibpsl=false \
-%endif
-%if %{ebpf_enabled} != "yes"
-	-Debpf=false \
-%else
-	-Debpf=true \
 %endif
 	-Dsession_tracking=systemd \
 	-Dsuspend_resume=systemd \
 	-Dsystemdsystemunitdir=%{_unitdir} \
-	-Dsystem_ca_path=/etc/pki/tls/cert.pem \
+	-Dsystemdsystemgeneratordir=%{_systemdgeneratordir} \
+	-Dsystem_ca_path=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
 	-Ddbus_conf_dir=%{dbus_sys_dir} \
 	-Dtests=yes \
 	-Dvalgrind=no \
@ -763,6 +751,7 @@ rm -f %{buildroot}%{_libdir}/pppd/%{ppp_version}/*.la
 rm -f %{buildroot}%{nmplugindir}/*.la

 # Don't use the *-initrd.service files yet, wait dracut to support them
+rm -f %{buildroot}%{_systemdgeneratordir}/nm-initrd-generator.sh
 rm -f %{buildroot}%{_unitdir}/NetworkManager-config-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
@ -896,6 +885,7 @@ fi
 %{_libexecdir}/nm-dispatcher
 %{_libexecdir}/nm-initrd-generator
 %{_libexecdir}/nm-daemon-helper
+%{_libexecdir}/nm-libnm-helper
 %{_libexecdir}/nm-priv-helper
 %dir %{_libdir}/%{name}
 %dir %{nmplugindir}
@ -927,6 +917,9 @@ fi
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_priv_helper.service
 %{_datadir}/polkit-1/actions/*.policy
+%if %{with polkit_noauth_group}
+%{_datadir}/polkit-1/rules.d/org.freedesktop.NetworkManager.rules
+%endif
 %{_prefix}/lib/udev/rules.d/*.rules
 %{_prefix}/lib/firewalld/zones/nm-shared.xml
 # systemd stuff
--- a/contrib/fedora/rpm/build.sh
+++ b/contrib/fedora/rpm/build.sh
@ -12,6 +12,7 @@ set -o pipefail
 #   RELEASE_VERSION=
 #   SNAPSHOT=
 #   VERSION=
+#   GIT_TAG_VERSION=
 #   COMMIT_FULL=
 #   COMMIT=
 #   USERNAME=
@ -112,6 +113,7 @@ UUID=`uuidgen`
 RELEASE_VERSION="${RELEASE_VERSION:-$(git rev-list HEAD | wc -l)}"
 SNAPSHOT="${SNAPSHOT:-%{nil\}}"
 VERSION="${VERSION:-$(get_version || die "Could not read $VERSION")}"
+GIT_TAG_VERSION="${GIT_TAG_VERSION:-$VERSION}"
 COMMIT_FULL="${COMMIT_FULL:-$(git rev-parse --verify HEAD || die "Error reading HEAD revision")}"
 COMMIT="${COMMIT:-$(printf '%s' "$COMMIT_FULL" | sed 's/^\(.\{10\}\).*/\1/' || die "Error reading HEAD revision")}"
 BCOND_DEFAULT_DEBUG="${BCOND_DEFAULT_DEBUG:-0}"
@ -155,6 +157,7 @@ if [[ "$SOURCE_FROM_GIT" == "1" ]]; then
 fi

 LOG "VERSION=$VERSION"
+LOG "GIT_TAG_VERSION=$GIT_TAG_VERSION"
 LOG "RELEASE_VERSION=$RELEASE_VERSION"
 LOG "SNAPSHOT=$SNAPSHOT"
 LOG "COMMIT_FULL=$COMMIT_FULL"
@ -207,6 +210,7 @@ cp "$SOURCE_README_IFCFG_MIGRATED" "$TEMP/SOURCES/readme-ifcfg-rh-migrated.txt"
 write_changelog

 sed -e "s/__VERSION__/$VERSION/g" \
+    -e "s/__GIT_TAG_VERSION__/$GIT_TAG_VERSION/g" \
    -e "s/__RELEASE_VERSION__/$RELEASE_VERSION/g" \
    -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
    -e "s/__COMMIT__/$COMMIT/g" \
--- a/contrib/fedora/rpm/configure-for-system.sh
+++ b/contrib/fedora/rpm/configure-for-system.sh
@ -155,7 +155,6 @@ P_CRYPTO="${CRYPTO-}"
 P_DBUS_SYS_DIR="${DBUS_SYS_DIR-}"
 P_DHCP_DEFAULT="${DHCP_DEFAULT-}"
 P_DNS_RC_MANAGER_DEFAULT="${DNS_RC_MANAGER_DEFAULT-}"
-P_EBPF_ENABLED="${EBPF_ENABLED-no}"
 P_FIREWALLD_ZONE="${FIREWALLD_ZONE-}"
 P_IWD="${IWD-}"
 P_LOGGING_BACKEND_DEFAULT="${LOGGING_BACKEND_DEFAULT-}"
@ -174,6 +173,7 @@ P_WIFI="${WIFI-1}"
 P_WWAN="${WWAN-1}"
 P_TEAM="${TEAM-1}"
 P_BLUETOOTH="${BLUETOOTH-1}"
+P_IFCFG_RH="${IFCFG_RH-0}"
 P_NMTUI="${NMTUI-1}"
 P_NM_CLOUD_SETUP="${NM_CLOUD_SETUP-1}"
 P_OVS="${OVS-1}"
@ -203,7 +203,7 @@ if [ -z "$P_FEDORA" -a -z "$P_RHEL" ] ; then
        P_FEDORA="$x"
        P_RHEL=0
    else
-        x="$(grep -q "ID=fedora" /etc/os-release && sed -n 's/VERSION_ID=//p' /etc/os-release)"
+        x="$(grep -q 'ID="rhel"' /etc/os-release && sed -n 's/^VERSION_ID="*\([0-9]*\).*/\1/p' /etc/os-release)"
        if test "$x" -gt 0 ; then
            P_FEDORA=0
            P_RHEL="$x"
@ -294,6 +294,14 @@ if [ -z "$P_MODEM_MANAGER_1" ] ; then
    fi
 fi

+if [ -z "$TEAM" ] && [ "${P_RHEL-0}" -ge 10 ] ; then
+    P_TEAM=0
+fi
+
+if [ -z "$IFCFG_RH" ] && [ -n "$P_RHEL" ] && [ "$P_RHEL" -le 9 ] ; then
+    P_IFCFG_RH=1
+fi
+
 if bool "$P_DEBUG" ; then
    P_CFLAGS="-g -Og -fexceptions${P_CFLAGS:+ }$P_CFLAGS"
 else
@ -379,7 +387,7 @@ meson setup\
    -Db_lto="$(bool_true "$P_LTO")" \
    -Dlibaudit=yes-disabled-by-default \
    -Dmodem_manager="$(bool_true "$P_MODEM_MANAGER_1")" \
-    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext="$(bool_true "$P_FEDORA")") \
+    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext=false) \
    $(args_enable "$(bool_not_true "$P_WIFI")" -Dwifi=false                                  ) \
    -Diwd="$(bool_true "$P_IWD")" \
    -Dbluez5_dun="$(bool_true "$P_BLUETOOTH")" \
@ -393,18 +401,17 @@ meson setup\
    -Dselinux=true \
    -Dpolkit=true  \
    -Dconfig_auth_polkit_default=true \
-    -Dmodify_system=true \
    -Dconcheck=true \
    -Dlibpsl="$(bool_true "$P_FEDORA")" \
-    -Debpf="$(bool_true "$P_EBPF_ENABLED")" \
    -Dsession_tracking=systemd \
    -Dsuspend_resume=systemd \
    -Dsystemdsystemunitdir=/usr/lib/systemd/system \
+    -Dsystemdsystemgeneratordir=/usr/lib/systemd/system-generators \
    -Dsystem_ca_path=/etc/pki/tls/cert.pem \
    -Ddbus_conf_dir="$P_DBUS_SYS_DIR" \
    -Dtests=yes \
    -Dvalgrind=no \
-    -Difcfg_rh=true \
+    -Difcfg_rh="$(bool_true "$P_IFCFG_RH")" \
    -Difupdown=false \
    $(args_enable "$P_PPP"                    -Dppp=true  -Dpppd="$D_SBINDIR/pppd" -Dpppd_plugin_dir="$D_LIBDIR/pppd/$P_PPP_VERSION") \
    $(args_enable "$(bool_not_true "$P_PPP")" -Dppp=false                                                                           ) \
--- a/contrib/scripts/nm-ci-run.sh
+++ b/contrib/scripts/nm-ci-run.sh
@ -84,6 +84,14 @@ if [ "$CC" != gcc ]; then
    _WITH_CRYPTO=nss
 fi

+if [ "$WITH_LIBTEAM" != "" ]; then
+    if _is_true "$WITH_LIBTEAM"; then
+        _WITH_LIBTEAM="true"
+    else
+        _WITH_LIBTEAM="false"
+    fi
+fi
+
 if [ "$WITH_DOCS" != "" ]; then
    if _is_true "$WITH_DOCS"; then
        _WITH_DOCS="true"
@ -161,18 +169,18 @@ meson setup build \
    -D ld_gc=false \
    -D session_tracking=no \
    -D systemdsystemunitdir=no \
+    -D systemdsystemgeneratordir=no \
    -D systemd_journal=false \
    -D selinux=false \
    -D libaudit=no \
    -D libpsl=false \
    -D vapi=false \
    -D introspection=$_WITH_DOCS \
+    -D man=$_WITH_DOCS \
    -D qt=false \
    -D crypto=$_WITH_CRYPTO \
    -D docs=$_WITH_DOCS \
    \
-    -D ebpf=false \
-    \
    -D iwd=true \
    -D ofono=true \
    -D teamdctl=$_WITH_LIBTEAM \
--- a/data/NetworkManager-config-initrd.service.in
+++ b/data/NetworkManager-config-initrd.service.in
@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Configuration (initrd)
+AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-journald.socket
 After=systemd-journald.socket
 Before=systemd-udevd.service systemd-udev-trigger.service
-ConditionPathExists=/etc/initrd-release

 [Service]
 Type=oneshot
@ -22,6 +22,3 @@ ExecStartPost=/bin/sh -c ' \
    fi \
 '
 RemainAfterExit=yes
-
-[Install]
-WantedBy=initrd.target
--- a/data/NetworkManager-initrd.service.in
+++ b/data/NetworkManager-initrd.service.in
@ -1,11 +1,11 @@
 [Unit]
 Description=NetworkManager (initrd)
+AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-udev-trigger.service network.target
 After=systemd-udev-trigger.service network-pre.target dbus.service NetworkManager-config-initrd.service
 Before=network.target
 BindsTo=dbus.service
-ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 ConditionPathExistsGlob=|/usr/lib/NetworkManager/system-connections/*
 ConditionPathExistsGlob=|/run/NetworkManager/system-connections/*
@ -22,11 +22,3 @@ Environment=NM_CONFIG_ENABLE_TAG=initrd
 Restart=on-failure
 ProtectSystem=true
 ProtectHome=read-only
-
-[Install]
-WantedBy=initrd.target
-# We want to enable NetworkManager-wait-online-initrd.service whenever this
-# service is enabled. NetworkManager-wait-online-initrd.service has
-# WantedBy=network-online.target, so enabling it only has an effect if
-# network-online.target itself is enabled or pulled in by some other unit.
-Also=NetworkManager-config-initrd.service NetworkManager-wait-online-initrd.service
--- a/data/NetworkManager-wait-online-initrd.service.in
+++ b/data/NetworkManager-wait-online-initrd.service.in
@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Wait Online (initrd)
+AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Requires=NetworkManager-initrd.service
 After=NetworkManager-initrd.service
 Before=network-online.target
-ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet

 [Service]
@ -21,6 +21,3 @@ Type=oneshot
 ExecStart=@bindir@/nm-online -s -q
 RemainAfterExit=yes
 Environment=NM_ONLINE_TIMEOUT=3600
-
-[Install]
-WantedBy=initrd.target network-online.target
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -19,7 +19,7 @@ KillMode=process
 # With a huge number of interfaces, starting can take a long time.
 TimeoutStartSec=600

-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_BPF CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT

 ProtectSystem=true
 ProtectHome=read-only
--- a/data/meson.build
+++ b/data/meson.build
@ -55,21 +55,22 @@ if install_udevdir
 endif

 if enable_polkit
-  policy = 'org.freedesktop.NetworkManager.policy'
-
-  policy_in = configure_file(
-    input: policy + '.in.in',
-    output: '@BASENAME@',
-    configuration: data_conf,
-  )
-
  i18n.merge_file(
-    input: policy_in,
+    input: 'org.freedesktop.NetworkManager.policy.in',
    output: '@BASENAME@',
    po_dir: po_dir,
    install: true,
-    install_dir: polkit_gobject_policydir,
+    install_dir: polkit_policydir,
  )
+
+  if polkit_noauth_group != ''
+    configure_file(
+      input: 'org.freedesktop.NetworkManager.rules.in',
+      output: '@BASENAME@',
+      install_dir: polkit_rulesdir,
+      configuration: {'NM_POLKIT_NOAUTH_GROUP': polkit_noauth_group},
+    )
+  endif
 endif

 if enable_firewalld_zone
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in.in
@ -117,8 +117,8 @@
    <message>System policy prevents modification of network settings for all users</message>
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
-      <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
+      <allow_inactive>auth_admin_keep</allow_inactive>
+      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

--- a/data/org.freedesktop.NetworkManager.rules.in
+++ b/data/org.freedesktop.NetworkManager.rules.in
@ -0,0 +1,17 @@
+// NetworkManager authorizations/policy for the @NM_POLKIT_NOAUTH_GROUP@ group.
+//
+// DO NOT EDIT THIS FILE, it will be overwritten on update.
+//
+// Allow users in the @NM_POLKIT_NOAUTH_GROUP@ group to create system-wide connections without being
+// prompted for a password if they are in a local console.
+// This is optional and is only recommended to maintain backwards compatibility
+// in systems where it was already working in this way. It is discouraged
+// otherwise.
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
+        subject.isInGroup("@NM_POLKIT_NOAUTH_GROUP@") &&
+        subject.local) {
+        return polkit.Result.YES;
+    }
+});
--- a/docs/api/meson.build
+++ b/docs/api/meson.build
@ -1,6 +1,8 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later

 if enable_introspection
+  xsltproc = find_program('xsltproc')
+
  settings = 'settings-spec'
  output = settings + '.xml'

--- a/examples/C/glib/monitor-nm-state-gdbus.c
+++ b/examples/C/glib/monitor-nm-state-gdbus.c
@ -23,8 +23,8 @@ static const char *
 nm_state_to_string(NMState state)
 {
    switch (state) {
-    case NM_STATE_ASLEEP:
-        return "asleep";
+    case NM_STATE_DISABLED:
+        return "network off";
    case NM_STATE_CONNECTING:
        return "connecting";
    case NM_STATE_CONNECTED_LOCAL:
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -83,6 +83,11 @@
    note that your distribution or other packages may drop configuration snippets for NetworkManager, such
    that they are part of the factory default.
    </para>
+    <para>
+    The options that are indicated as boolean can be set to one of these values:
+    <literal>yes</literal>, <literal>true</literal>, <literal>on</literal>, <literal>1</literal>,
+    <literal>no</literal>, <literal>false</literal>, <literal>off</literal>, <literal>0</literal>.
+    </para>

  </refsect1>

@ -895,11 +900,15 @@ ipv6.ip6-privacy=0
        </varlistentry>
        <varlistentry>
          <term><varname>connection.mptcp-flags</varname></term>
-          <listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
+          <listitem><para>If unspecified, the fallback is 0x122 (<literal>"enabled,subflow,laminar"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dns-over-tls</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><varname>connection.dnssec</varname></term>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.stable-id</varname></term>
@ -1245,12 +1254,13 @@ managed=1
          <term><varname>managed</varname></term>
          <listitem>
            <para>
-              Whether the device is managed or not. A device can be
-              marked as managed via udev rules (ENV{NM_UNMANAGED}),
-              or via setting plugins (keyfile.unmanaged-devices).
-              This is yet another way. Note that this configuration
-              can be overruled at runtime via D-Bus. Also, it has
-              higher priority then udev rules.
+              A boolean value specifying whether the device is
+              managed or not. A device can be marked as managed via
+              udev rules (ENV{NM_UNMANAGED}), or via setting plugins
+              (keyfile.unmanaged-devices).  This is yet another
+              way. Note that this configuration can be overruled at
+              runtime via D-Bus. Also, it has higher priority than
+              udev rules.
            </para>
          </listitem>
        </varlistentry>
@ -1319,9 +1329,27 @@ managed=1
            </para>
          </listitem>
        </varlistentry>
+        <varlistentry id="check-connectivity">
+          <term><varname>check-connectivity</varname></term>
+          <listitem>
+            <para>
+              A boolean value specifying whether NetworkManager will perform a connectivity check
+              for this device. Defaults to <literal>yes</literal>.
+            </para>
+            <para>
+              This setting does nothing if the connectivity check has been
+              disabled globally using the
+              <literal>connectivity.enabled</literal> setting.
+            </para>
+          </listitem>
+        </varlistentry>
        <varlistentry id="keep-configuration">
          <term><varname>keep-configuration</varname></term>
          <listitem>
+            <para>
+              A boolean value indicating whether the existing device
+              configuration is kept at startup.
+            </para>
            <para>
              On startup, NetworkManager tries to not interfere with
              interfaces that are already configured. It does so by
@ -1418,16 +1446,16 @@ managed=1
          <term><varname>wifi.iwd.autoconnect</varname></term>
          <listitem>
            <para>
-              If <literal>wifi.backend</literal> is <literal>iwd</literal>, setting this to
-              <literal>false</literal> forces IWD's autoconnect mechanism to be disabled for
-              this device and connections will only be initiated by NetworkManager whether
-              commanded by a client or automatically.  Leaving it <literal>true</literal> (default)
-              stops NetworkManager from automatically initiating connections and allows
-              IWD to use its network ranking and scanning logic to decide the best networks
-              to autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
-              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings
-              like <literal>permissions</literal> or <literal>multi-connect</literal> may interfere
-              with IWD connection attempts.
+              A boolean value. If <literal>wifi.backend</literal> is <literal>iwd</literal>,
+              setting this to <literal>false</literal> forces IWD's autoconnect mechanism to be
+              disabled for this device and connections will only be initiated by NetworkManager
+              whether commanded by a client or automatically.  Leaving it <literal>true</literal>
+              (default) stops NetworkManager from automatically initiating connections and allows
+              IWD to use its network ranking and scanning logic to decide the best networks to
+              autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
+              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings like
+              <literal>permissions</literal> or <literal>multi-connect</literal> may interfere with
+              IWD connection attempts.
            </para>
          </listitem>
        </varlistentry>
@ -1486,7 +1514,7 @@ managed=1
      <variablelist>
        <varlistentry>
          <term><varname>enabled</varname></term>
-          <listitem><para>Whether connectivity check is enabled.
+          <listitem><para>A boolean indicating whether connectivity check is enabled.
          Note that to enable connectivity check, a valid uri must
          also be configured. The value defaults to true, but since
          the uri is unset by default, connectivity check may be disabled.
@ -1540,8 +1568,12 @@ managed=1

  <refsect1>
    <title><literal>global-dns</literal> section</title>
-    <para>This section specifies DNS settings that are applied
-    globally, in addition to connection-specific ones.</para>
+    <para>This section specifies DNS settings that are applied globally. They
+    override the equivalent options defined in individual connections, making
+    them to be ignored. If a [global-dns-domain-*] section is defined, but this
+    section isn't, an empty [global-dns] section is assumed, thus overwriting
+    connection specific configurations too.
+    </para>
    <para>
      <variablelist>
        <varlistentry>
@ -1601,6 +1633,10 @@ managed=1
    default domain "*". When the global DNS domains are valid, the
    name servers and domains defined globally override the ones from
    active connections.
+
+    If any global DNS domain is defined but a [global-dns] section isn't,
+    an empty [global-dns] section is assumed, thus overwriting its
+    connection specific configurations too.
    </para>
    <para>
      <variablelist>
--- a/man/meson.build
+++ b/man/meson.build
@ -1,29 +1,5 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later

-common_ent_file = configure_file(
-  input: 'common.ent.in',
-  output: '@BASENAME@',
-  configuration: data_conf,
-)
-
-xsltproc_options = [
-  xsltproc,
-  '--output', '@OUTPUT@',
-  '--path', meson.current_build_dir(),
-  '--xinclude',
-  '--nonet',
-  '--stringparam', 'man.output.quietly', '1',
-  '--stringparam', 'funcsynopsis.style', 'ansi',
-  '--stringparam', 'man.th.extra1.suppress', '1',
-  '--stringparam', 'man.authors.section.enabled', '0',
-  '--stringparam', 'man.copyright.section.enabled', '0',
-  '--stringparam', 'man.th.title.max.length', '30',
-]
-
-docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
-
-mans_xmls = []
-
 mans = [
  ['NetworkManager', '8'],
  ['NetworkManager-dispatcher', '8'],
@ -44,12 +20,62 @@ if enable_nm_cloud_setup
  mans += [['nm-cloud-setup', '8']]
 endif

-foreach man: mans
+introspection_mans = [
+  ['nm-settings-keyfile', '5'],
+  ['nm-settings-dbus',    '5'],
+  ['nm-settings-nmcli',   '5'],
+]
+
+if enable_ifcfg_rh
+  introspection_mans += [['nm-settings-ifcfg-rh', '5']]
+endif
+
+built_mans = []
+foreach man: mans + introspection_mans
+  name = man[0] + '.' + man[1]
+  if not fs.exists(name)
+    built_mans = []
+    break
+  endif
+
+  built_mans += name
+endforeach
+
+if enable_introspection or enable_docs
+  common_ent_file = configure_file(
+    input: 'common.ent.in',
+    output: '@BASENAME@',
+    configuration: data_conf,
+  )
+endif
+
+if enable_introspection and (enable_man or enable_docs)
+  xsltproc_options = [
+    find_program('xsltproc'),
+    '--output', '@OUTPUT@',
+    '--path', meson.current_build_dir(),
+    '--xinclude',
+    '--nonet',
+    '--stringparam', 'man.output.quietly', '1',
+    '--stringparam', 'funcsynopsis.style', 'ansi',
+    '--stringparam', 'man.th.extra1.suppress', '1',
+    '--stringparam', 'man.authors.section.enabled', '0',
+    '--stringparam', 'man.copyright.section.enabled', '0',
+    '--stringparam', 'man.th.title.max.length', '30',
+  ]
+
+  docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
+
+  mans_xmls = []
+
+  foreach man: mans
    input = man[0] + '.xml'
    content_files += join_paths(meson.current_source_dir(), input)

    output = '@0@.@1@'.format(man[0], man[1])

+    # not needed if only html requested
+    if enable_man
      custom_target(
        output,
        input: input,
@ -59,9 +85,9 @@ foreach man: mans
        install: true,
        install_dir: join_paths(nm_mandir, 'man' + man[1]),
      )
-endforeach
+    endif
+  endforeach

-if enable_introspection
  merge_cmd = files(source_root / 'tools' / 'generate-docs-nm-settings-docs-merge.py')

  name = 'dbus'
@ -124,6 +150,8 @@ if enable_introspection

    output = '@0@.@1@'.format(man[0], man[1])

+    # not needed if only html requested
+    if enable_man
      custom_target(
        output,
        input: input,
@ -132,5 +160,13 @@ if enable_introspection
        install: true,
        install_dir: join_paths(nm_mandir, 'man' + man[1]),
      )
+    endif
  endforeach
+# not needed if only html requested
+elif enable_man
+  if built_mans.length() > 0
+    install_man(built_mans)
+  else
+    error('Building manpages requires xsltproc and -Dintrospection=true, and no prebuilt manpages were found. Try building from a release tarball or using -Dman=false.')
+  endif
 endif
--- a/man/nm-initrd-generator.xml
+++ b/man/nm-initrd-generator.xml
@ -162,6 +162,7 @@
            <member><option>rd.net.dns-backend</option></member>
            <member><option>rd.net.dns-resolve-mode</option></member>
            <member><option>rd.net.timeout.dhcp</option></member>
+            <member><option>rd.net.dhcp.client-id</option></member>
            <member><option>rd.net.dhcp.retry</option></member>
            <member><option>rd.net.dhcp.vendor-class</option></member>
            <member><option>rd.net.dhcp.dscp</option></member>
@ -268,6 +269,23 @@
        </para>
      </listitem>

+      <listitem>
+        <para>NetworkManager supports the
+        <option>rd.net.dhcp.client-id</option>=<replaceable>interface</replaceable>:<replaceable>client-id</replaceable>
+        kernel command line option to set a specific DHCPv4 client identifier
+        for the given interface. The client-id can be specified either as a
+        sequence of bytes in hexadecimal format separated by dashes, or as the
+        character '@' followed by a non-empty string. When using the second
+        format, NetworkManager prepends a zero byte to the given string,
+        according to section 9.14 of RFC 2132. See the "ipv4.dhcp-client-id"
+        section of <link
+        linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
+        for more details. Examples:
+        <literal>rd.net.dhcp.client-id=eth0:01-52-54-00-45-87-42</literal>,
+        <literal>rd.net.dhcp.client-id=enp1s0:@example.com</literal>.
+        </para>
+      </listitem>
+
    </itemizedlist>
  </refsect1>

@ -278,6 +296,7 @@

  <refsect1 id='see_also'><title>See Also</title>
    <para><link linkend='dracut.cmdline'><citerefentry><refentrytitle>dracut.cmdline</refentrytitle><manvolnum>7</manvolnum></citerefentry></link>,
-    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>.</para>
+    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>,
+    <link linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>.</para>
  </refsect1>
 </refentry>
--- a/man/nm-openvswitch.xml
+++ b/man/nm-openvswitch.xml
@ -91,6 +91,10 @@
      NetworkManager inserts the records for Bridges into OVSDB when a Port is
      attached.
      </para>
+
+      <para>Known limitation: when the last NetworkManager's owned port is removed,
+      the bridge is removed too, even if there are other externally attached ports.
+      </para>
    </refsect2>

    <refsect2>
@ -102,6 +106,10 @@
      exist.  Ports can also be configured to do VLAN tagging or Bonding.
      NetworkManager inserts the records for Ports into OVSDB when an Interface is
      attached. Ports must be attached to a Bridge.</para>
+
+      <para>Known limitation: when the last NetworkManager's owned interface is removed,
+      the port is removed too, even if there are other externally attached interfaces.
+      </para>
    </refsect2>

    <refsect2>
--- a/man/nmcli.xml
+++ b/man/nmcli.xml
@ -1066,15 +1066,16 @@
            <listitem><para><literal>dummy</literal></para></listitem>
            <listitem><para><literal>generic</literal></para></listitem>
            <listitem><para><literal>gsm</literal></para></listitem>
+            <listitem><para><literal>hsr</literal></para></listitem>
            <listitem><para><literal>infiniband</literal></para></listitem>
            <listitem><para><literal>ip-tunnel</literal></para></listitem>
+            <listitem><para><literal>ipvlan</literal></para></listitem>
+            <listitem><para><literal>loopback</literal></para></listitem>
            <listitem><para><literal>macsec</literal></para></listitem>
            <listitem><para><literal>macvlan</literal></para></listitem>
            <listitem><para><literal>olpc-mesh</literal></para></listitem>
            <listitem><para><literal>ovs-bridge</literal></para></listitem>
-            <listitem><para><literal>ovs-dpdk</literal></para></listitem>
            <listitem><para><literal>ovs-interface</literal></para></listitem>
-            <listitem><para><literal>ovs-patch</literal></para></listitem>
            <listitem><para><literal>ovs-port</literal></para></listitem>
            <listitem><para><literal>pppoe</literal></para></listitem>
            <listitem><para><literal>team</literal></para></listitem>
--- a/meson.build
+++ b/meson.build
@ -5,14 +5,14 @@ project(
 # NOTE: When incrementing version also add corresponding
 #       NM_VERSION_x_y_z macros in
 #       "src/libnm-core-public/nm-version-macros.h.in"
-  version: '1.54.0',
+  version: '1.57.1',
  license: 'GPL2+',
  default_options: [
    'buildtype=debugoptimized',
    'c_std=gnu11',
    'warning_level=2' # value "2" will add "-Wall" and "-Wextra" to the compiler flags
  ],
-  meson_version: '>= 0.51.0',
+  meson_version: '>= 0.53.0',
 )

 nm_name = meson.project_name()
@ -77,6 +77,7 @@ libnm_version = '@0@.@1@.@2@'.format(current - age, age, revision)

 libnm_pkgincludedir = join_paths(nm_includedir, libnm_name)

+fs = import('fs')
 gnome = import('gnome')
 i18n = import('i18n')
 pkg = import('pkgconfig')
@ -89,7 +90,6 @@ po_dir = source_root / 'po'
 top_inc = include_directories('.')

 perl = find_program('perl')
-xsltproc = find_program('xsltproc')

 check_exports = find_program(join_paths(source_root, 'tools', 'check-exports.sh'))

@ -327,12 +327,17 @@ config_h.set10('WITH_CONFIG_PLUGIN_IFUPDOWN', enable_ifupdown)
 config_h.set_quoted('NM_DIST_VERSION', dist_version)

 enable_wifi = get_option('wifi')
+config_h.set10('WITH_WIFI', enable_wifi)

 enable_iwd = get_option('iwd')
 assert((not enable_iwd) or enable_wifi, 'Enabling iwd support requires Wi-Fi support as well')
 config_h.set10('WITH_IWD', enable_iwd)

-enable_wext = get_option('wext')
+wext = get_option('wext')
+if wext == 'true'
+  error('Wireless Extensions support is deprecated and will be removed in the future. Use -Dwext=force to keep using it')
+endif
+enable_wext = (wext == 'force')
 config_h.set10('HAVE_WEXT', enable_wext)

 # Checks for libdl - on certain platforms its part of libc
@ -382,6 +387,14 @@ if install_systemdunitdir and systemd_systemdsystemunitdir == ''
  systemd_systemdsystemunitdir = systemd_dep.get_variable(pkgconfig: 'systemdsystemunitdir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif

+systemd_systemdsystemgeneratordir = get_option('systemdsystemgeneratordir')
+install_systemdgeneratordir = (systemd_systemdsystemgeneratordir != 'no')
+
+if install_systemdgeneratordir and systemd_systemdsystemgeneratordir == ''
+  assert(systemd_dep.found(), 'systemd required but not found, please provide a valid systemd user generator dir or disable it')
+  systemd_systemdsystemgeneratordir = systemd_dep.get_variable(pkgconfig: 'systemdsystemgeneratordir', pkgconfig_define: ['rootprefix', nm_prefix])
+endif
+
 enable_systemd_journal = get_option('systemd_journal')
 if enable_systemd_journal
  assert(libsystemd_dep.found(), 'Missing systemd-journald support')
@ -476,19 +489,6 @@ if enable_selinux
 endif
 config_h.set10('HAVE_SELINUX', enable_selinux)

-# eBPF support
-ebpf_opt = get_option('ebpf')
-# 'auto' means 'false', because there are still issues.
-if ebpf_opt != 'true'
-  enable_ebpf = false
-else
-  enable_ebpf = true
-  if not cc.has_header('linux/bpf.h')
-    assert(ebpf_opt != 'true', 'eBPF requires kernel support')
-    enable_ebpf = false
-  endif
-endif
-
 # libaudit support
 libaudit = get_option('libaudit')
 enable_libaudit = libaudit.contains('yes')
@ -507,12 +507,14 @@ if enable_teamdctl
  libteamdctl_dep = dependency('libteamdctl', version: '>= 1.9')
  assert(libteamdctl_dep.found(), 'You must have libteamdctl installed to build. Use -Dteamdctl=false to disable it')
 endif
+config_h.set10('WITH_TEAMDCTL', enable_teamdctl)

 # polkit
 enable_polkit = get_option('polkit')
 if enable_polkit
  # FIXME: policydir should be relative to `datadir`, not `prefix`. Fixed in https://gitlab.freedesktop.org/polkit/polkit/merge_requests/2
-  polkit_gobject_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
+  polkit_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
+  polkit_rulesdir = join_paths(fs.parent(polkit_policydir), 'rules.d')
 endif

 config_auth_polkit_default = get_option('config_auth_polkit_default')
@ -522,6 +524,12 @@ endif
 config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default)

 enable_modify_system = get_option('modify_system')
+if enable_modify_system
+  # FIXME: remove this after everyone has stopped using modify_system
+  error('modify_system=true is no longer allowed due to security reasons')
+endif
+
+polkit_noauth_group = get_option('polkit_noauth_group')

 polkit_agent_helper_1_path = get_option('polkit_agent_helper_1')
 foreach p : [ '/usr/libexec/polkit-agent-helper-1',
@ -616,6 +624,7 @@ if enable_modem_manager
  endif
  config_h.set_quoted('MOBILE_BROADBAND_PROVIDER_INFO_DATABASE', mobile_broadband_provider_info_database)
 endif
+config_h.set10('WITH_WWAN', enable_modem_manager)

 # Bluez5 DUN support
 enable_bluez5_dun = get_option('bluez5_dun')
@ -816,6 +825,7 @@ if enable_nm_cloud_setup
  assert(jansson_dep.found(), 'nm-cloud-setup requires jansson library. Use -Dnm_cloud_setup=false to disable it')
 endif

+enable_man = get_option('man')
 enable_docs = get_option('docs')

 more_asserts = get_option('more_asserts')
@ -914,7 +924,6 @@ endif
 test_args = [
  '--called-from-make',
  build_root,
-  '',
  enable_valgrind ? valgrind_path : '',
  enable_valgrind ? valgrind_suppressions_path : '',
  '--launch-dbus=auto',
@ -953,7 +962,6 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED',                 ', '.join(config_dhcp_c
 data_conf.set('NM_MAJOR_VERSION',                        nm_major_version)
 data_conf.set('NM_MICRO_VERSION',                        nm_micro_version)
 data_conf.set('NM_MINOR_VERSION',                        nm_minor_version)
-data_conf.set('NM_MODIFY_SYSTEM_POLICY',                 (enable_modify_system ? 'yes' : 'auth_admin_keep'))
 data_conf.set('NM_VERSION',                              nm_version)
 data_conf.set('VERSION',                                 nm_version)
 data_conf.set('bindir',                                  nm_bindir)
@ -964,38 +972,6 @@ data_conf.set('nmstatedir',                              nm_pkgstatedir)
 data_conf.set('sbindir',                                 nm_sbindir)
 data_conf.set('sysconfdir',                              nm_sysconfdir)

-# check if we can build setting property documentation
-'''
-build_docs=no
-if test -n "$INTROSPECTION_MAKEFILE"; then
-  # If g-i is installed we know we have python, but we might not have pygobject
-  if ! "$PYTHON" -c 'from gi.repository import GObject' >& /dev/null; then
-    AC_MSG_ERROR(["--enable-introspection aims to build the settings documentation. This requires GObject introspection for python (pygobject)])
-  fi
-
-  AC_PATH_PROG(PERL, perl)
-  if test -z "$PERL"; then
-    AC_MSG_ERROR([--enable-introspection requires perl])
-  fi
-  AC_PATH_PROG(XSLTPROC, xsltproc)
-  if test -z "$XSLTPROC"; then
-    AC_MSG_ERROR([--enable-introspection requires xsltproc])
-  fi
-
-  have_introspection=yes
-  if test "$enable_gtk_doc" = "yes"; then
-    build_docs=yes
-  fi
-else
-  if test "$enable_gtk_doc" = "yes"; then
-    # large parts of the documentation require introspection/pygobject to extract
-    # the documentation out of the source files. You cannot enable gtk-doc without alone.
-    AC_MSG_ERROR(["--with-gtk-doc requires --enable-introspection"])
-  fi
-  have_introspection=no
-fi
-'''
-
 content_files = []

 subdir('introspection')
@ -1033,9 +1009,14 @@ if enable_qt != 'false'
  endif
 endif

+# The man/ directory builds a couple targets needed by the docs build too.
+# If we build with docs but no man, then enter the subdir and only build
+# some targets.
+if enable_docs or enable_man
+  subdir('man')
+endif
 if enable_docs
  assert(enable_introspection, '-Ddocs=true requires -Dintrospection=true')
-  subdir('man')
  subdir('docs')
  meson.add_dist_script(
    'tools/meson-dist-data.sh',
@ -1086,7 +1067,7 @@ meson.add_install_script(
  nm_pkgstatedir,
  nm_mandir,
  nm_sysconfdir,
-  enable_docs ? '1' : '0',
+  enable_man ? '1' : '0',
  enable_ifcfg_rh ? '1' : '0',
  enable_nm_cloud_setup ? '1' : '0',
  install_systemdunitdir ? '1' : '0',
@ -1096,6 +1077,7 @@ output = '\nSystem paths:\n'
 output += '  prefix: ' + nm_prefix + '\n'
 output += '  exec_prefix: ' + nm_prefix + '\n'
 output += '  systemdunitdir: ' + systemd_systemdsystemunitdir + '\n'
+output += '  systemdgeneratordir: ' + systemd_systemdsystemgeneratordir + '\n'
 output += '  udev_dir: ' + udev_udevdir + '\n'
 output += '  nmbinary: ' + nm_pkgsbindir + '\n'
 output += '  nmconfdir: ' + nm_pkgconfdir + '\n'
@ -1110,17 +1092,7 @@ output += '  dbus_conf_dir: ' + dbus_conf_dir + '\n'
 output += '\nPlatform:\n'
 output += '  session tracking: ' + ','.join(session_trackers) + '\n'
 output += '  suspend/resume: ' + suspend_resume + '\n'
-output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')'
-if enable_polkit
-  output += ' ('
-  if enable_modify_system
-    output += 'permissive'
-  else
-    output += 'restrictive'
-  endif
-  output += ' modify.system)'
-endif
-output += '\n'
+output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ', noauth_group: "' + polkit_noauth_group + '")\n'
 output += '  polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n'
 output += '  selinux: ' + enable_selinux.to_string() + '\n'
 output += '  systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
@ -1184,6 +1156,5 @@ output +=      'have-nss: ' + crypto_nss_dep.found().to_string() + ')\n'
 output += '  sanitizers: ' + get_option('b_sanitize') + '\n'
 output += '  Mozilla Public Suffix List: ' + enable_libpsl.to_string() + '\n'
 output += '  vapi: ' + enable_vapi.to_string() + '\n'
-output += '  ebpf: ' + enable_ebpf.to_string() + '\n'
 output += '  readline: ' + with_readline + '\n'
 message(output)
--- a/meson_options.txt
+++ b/meson_options.txt
@ -1,5 +1,6 @@
 # system paths
 option('systemdsystemunitdir', type: 'string', value: '', description: 'Directory for systemd service files')
+option('systemdsystemgeneratordir', type: 'string', value: '', description: 'Directory for systemd generator files')
 option('system_ca_path', type: 'string', value: '/etc/ssl/certs', description: 'path to system CA certificates')
 option('udev_dir', type: 'string', value: '', description: 'Absolute path of the udev base directory. Set to \'no\' not to install the udev rule')
 option('dbus_conf_dir', type: 'string', value: '', description: 'where D-Bus system.d directory is')
@ -18,7 +19,8 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'],
 option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support')
 option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.')
 option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.')
-option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections')
+option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)')
+option('polkit_noauth_group', type: 'string', value: '', description: 'Allow users of the selected group, typically sudo or wheel, to modify system connections without introducing a password (discouraged)')
 option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit')
 option('selinux', type: 'boolean', value: true, description: 'Build with SELinux')
 option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')
@ -28,7 +30,7 @@ option('hostname_persist', type: 'combo', choices: ['default', 'suse', 'gentoo',
 option('libaudit', type: 'combo', choices: ['yes', 'yes-disabled-by-default', 'no'], value: 'yes', description: 'Build with audit daemon support. yes-disabled-by-default enables support, but disables it unless explicitly configured via NetworkManager.conf')

 # features
-option('wext', type: 'boolean', value: true, description: 'Enable or disable Linux Wireless Extensions')
+option('wext', type: 'combo', choices: ['true', 'false', 'force' ], value: 'false', description: 'Enable or disable Linux Wireless Extensions (deprecated). wext support will be removed in a future release, don\'t rely on this.')
 option('wifi', type: 'boolean', value: true, description: 'enable Wi-Fi support')
 option('iwd', type: 'boolean', value: false, description: 'enable iwd support (experimental)')
 option('ppp', type: 'boolean', value: true, description: 'enable PPP/PPPoE support')
@ -44,7 +46,7 @@ option('nmcli', type: 'boolean', value: true, description: 'Build nmcli')
 option('nmtui', type: 'boolean', value: true, description: 'Build nmtui')
 option('nm_cloud_setup', type: 'boolean', value: true, description: 'Build nm-cloud-setup, a tool for automatically configuring networking in cloud')
 option('bluez5_dun', type: 'boolean', value: false, description: 'enable Bluez5 DUN support')
-option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support')
+option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support (deprecated)')
 option('nbft', type: 'boolean', value: true, description: 'Enable NBFT support in the initrd generator')

 # configuration plugins
@ -67,6 +69,7 @@ option('config_dhcp_default', type: 'combo', choices: ['dhclient', 'dhcpcd', 'in
 option('introspection', type: 'boolean', value: true, description: 'Enable introspection for this build')
 option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
 option('docs', type: 'boolean', value: false, description: 'use to build documentation')
+option('man', type: 'boolean', value: true, description: 'Install manpages')
 option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
 option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
 option('more_asserts', type: 'string', value: 'auto', description: 'Enable more assertions for debugging (0 = no, 100 = all, default: auto)')
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@ -1,6 +1,6 @@
 # List of source files containing translatable strings.
 # Please keep this file sorted alphabetically.
-data/org.freedesktop.NetworkManager.policy.in.in
+data/org.freedesktop.NetworkManager.policy.in
 src/core/NetworkManagerUtils.c
 src/core/devices/adsl/nm-device-adsl.c
 src/core/devices/bluetooth/nm-bluez-manager.c
--- a/po/ca.po
+++ b/po/ca.po
@ -8,14 +8,15 @@
 # Lubomir Rintel <lkundrak@v3.sk>, 2016. #zanata
 # Lubomir Rintel <lkundrak@v3.sk>, 2017. #zanata
 # Thomas Haller <thaller@redhat.com>, 2017. #zanata
+# Jordi Mas i Hernàndez <jmas@softcatala.org>, 2025
 msgid ""
 msgstr ""
 "Project-Id-Version: NetworkManager\n"
 "Report-Msgid-Bugs-To: https://gitlab.freedesktop.org/NetworkManager/"
 "NetworkManager/issues\n"
 "POT-Creation-Date: 2023-06-16 15:26+0000\n"
-"PO-Revision-Date: 2023-06-17 00:07+0200\n"
-"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"PO-Revision-Date: 2025-09-28 00:07+0200\n"
+"Last-Translator: Jordi Mas i Hernàndez <jmas@softcatala.org>\n"
 "Language-Team: Catalan <tradgnome@softcatala.org>\n"
 "Language: ca\n"
 "MIME-Version: 1.0\n"
@ -355,7 +356,7 @@ msgstr "Connexió WPAN"

 #: src/core/devices/team/nm-device-team.c:131
 msgid "Team connection"
-msgstr "Connexió equip"
+msgstr "Connexió d'equip"

 #: src/core/devices/wifi/nm-device-olpc-mesh.c:112 src/nmcli/devices.c:1400
 msgid "Mesh"
@ -648,7 +649,7 @@ msgstr "Surt després de la configuració inicial"
 #: src/core/nm-config.c:639
 msgid "Don't become a daemon, and log to stderr"
 msgstr ""
-"No et converteixis en un dimoni, i envia el registre a la sortida estàndard"
+"No et converteixis en un dimoni, i envia el registre a la sortida d'error"

 #: src/core/nm-config.c:648
 msgid "An http(s) address for checking internet connectivity"
@ -795,7 +796,7 @@ msgstr "La connexió no era una connexió Ethernet o PPPoE."

 #: src/libnm-client-impl/nm-device-ethernet.c:206
 msgid "The connection and device differ in S390 subchannels."
-msgstr "La connexió i el dispositiu difereixen als subcanals 5930."
+msgstr "La connexió i el dispositiu difereixen als subcanals S390."

 #: src/libnm-client-impl/nm-device-ethernet.c:223
 #, c-format
@ -881,7 +882,7 @@ msgstr "La connexió no era una connexió tun."

 #: src/libnm-client-impl/nm-device-team.c:124
 msgid "The connection was not a team connection."
-msgstr "La connexió no era una connexió equip."
+msgstr "La connexió no era una connexió d'equip."

 #: src/libnm-client-impl/nm-device-tun.c:204
 msgid "The connection was not a tun connection."
@ -1325,27 +1326,27 @@ msgstr ""

 #: src/libnm-core-impl/nm-keyfile.c:333
 msgid "ignoring missing number"
-msgstr "s'ignorarà el número faltant"
+msgstr "s'ignora el número faltant"

 #: src/libnm-core-impl/nm-keyfile.c:345
 #, c-format
 msgid "ignoring invalid number '%s'"
-msgstr "s'ignorarà el número «%s» no vàlid"
+msgstr "s'ignora el número «%s» no vàlid"

 #: src/libnm-core-impl/nm-keyfile.c:374
 #, c-format
 msgid "ignoring invalid %s address: %s"
-msgstr "s'ignorarà l'adreça %s no vàlida: %s"
+msgstr "s'ignora l'adreça %s no vàlida: %s"

 #: src/libnm-core-impl/nm-keyfile.c:420
 #, c-format
 msgid "ignoring invalid gateway '%s' for %s route"
-msgstr "s'ignorarà la passarel·la «%s» no vàlida per a la ruta %s"
+msgstr "s'ignora la passarel·la «%s» no vàlida per a la ruta %s"

 #: src/libnm-core-impl/nm-keyfile.c:442
 #, c-format
 msgid "ignoring invalid %s route: %s"
-msgstr "s'ignorarà la ruta %s no vàlida: %s"
+msgstr "s'ignora la ruta %s no vàlida: %s"

 #: src/libnm-core-impl/nm-keyfile.c:620
 #, c-format
@ -1361,7 +1362,7 @@ msgstr "caràcter «%c» inesperat per a %s: «%s» (posició %td)"
 #, c-format
 msgid "unexpected character '%c' in prefix length for %s: '%s' (position %td)"
 msgstr ""
-"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)<"
+"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)"

 #: src/libnm-core-impl/nm-keyfile.c:669
 #, c-format
@ -1413,11 +1414,11 @@ msgstr "s'ignorarà l'adreça %s no vàlida: %s"

 #: src/libnm-core-impl/nm-keyfile.c:1518
 msgid "ignoring invalid SSID"
-msgstr "s'ignorarà l'SSID no vàlida"
+msgstr "s'ignora l'SSID no vàlida"

 #: src/libnm-core-impl/nm-keyfile.c:1536
 msgid "ignoring invalid raw password"
-msgstr "s'ignorarà la contrasenya sense processar no vàlida"
+msgstr "s'ignora la contrasenya sense processar no vàlida"

 #: src/libnm-core-impl/nm-keyfile.c:1681
 msgid "invalid key/cert value"
@ -1458,7 +1459,7 @@ msgstr "valor de paritat «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:1958 src/libnm-core-impl/nm-keyfile.c:3540
 #, c-format
 msgid "invalid setting: %s"
-msgstr "el paràmetre no és vàlid: «%s»"
+msgstr "el paràmetre no és vàlid: %s"

 #: src/libnm-core-impl/nm-keyfile.c:1978
 #, fuzzy, c-format
@ -1973,7 +1974,7 @@ msgstr "file:// URI no és UTF-8 vàlida"

 #: src/libnm-core-impl/nm-setting-connection.c:1501
 msgid "invalid permissions not in format \"user:$UNAME[:]\""
-msgstr "els permisos no són vàlids, no estan en el format «user:$UNANE[:]"
+msgstr "els permisos no són vàlids, no estan en el format «user:$UNAME[:]"

 #: src/libnm-core-impl/nm-setting-connection.c:1530
 #, c-format
@ -2086,7 +2087,7 @@ msgstr "«%s» no és un número"

 #: src/libnm-core-impl/nm-setting-gsm.c:479
 msgid "property is empty or wrong size"
-msgstr "la propietat és buda o de mida incorrecta"
+msgstr "la propietat és buida o de mida incorrecta"

 #: src/libnm-core-impl/nm-setting-gsm.c:492
 msgid "property must contain only digits"
@ -2098,12 +2099,12 @@ msgstr "no es pot activar quan hi ha una configuració manual"

 #: src/libnm-core-impl/nm-setting-infiniband.c:215
 msgid "Must specify a P_Key if specifying parent"
-msgstr "S'ha d'especificar una P-Key si s'especifica el pare"
+msgstr "S'ha d'especificar una P_Key si s'especifica el pare"

 #: src/libnm-core-impl/nm-setting-infiniband.c:226
 msgid "InfiniBand P_Key connection did not specify parent interface name"
 msgstr ""
-"La connexió InfiniBand P_Key no ha especificat el nom de l'interfície pare"
+"La connexió InfiniBand P_Key no ha especificat el nom de la interfície pare"

 #: src/libnm-core-impl/nm-setting-infiniband.c:234
 msgid "the values 0 and 0x8000 are not allowed"
@ -2156,12 +2157,12 @@ msgstr "Adreça IPv4 «%s» no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:106
 #, c-format
 msgid "Invalid IPv4 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv4 no vàlida"
+msgstr "Prefix «%u» d'adreça IPv4 no vàlid"

 #: src/libnm-core-impl/nm-setting-ip-config.c:107
 #, c-format
 msgid "Invalid IPv6 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv6 no vàlida<"
+msgstr "Prefix «%u» d'adreça IPv6 no vàlid"

 #: src/libnm-core-impl/nm-setting-ip-config.c:124
 #, c-format
@ -2208,7 +2209,7 @@ msgstr "el prefix %s no és vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1423
 #, c-format
 msgid "%s is not a valid route type"
-msgstr "%s no és un nom de ruta vàlid"
+msgstr "%s no és un tipus de ruta vàlid"

 #: src/libnm-core-impl/nm-setting-ip-config.c:1442
 #, fuzzy
@ -2432,7 +2433,7 @@ msgstr "La ruta %d. no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5638
 #, c-format
 msgid "invalid attribute: %s"
-msgstr "atribut no vàlid: «%s»"
+msgstr "atribut no vàlid: %s"

 #: src/libnm-core-impl/nm-setting-ip-config.c:5658
 #, c-format
@ -4105,7 +4106,7 @@ msgstr "«%s» no és vàlid; useu [%s] or [%s]"
 #: src/libnmc-base/nm-client-utils.c:176
 #, c-format
 msgid "'%s' is not valid; use [%s], [%s] or [%s]"
-msgstr "«%s» no és vàld, useu [%s], [%s] o [%s]"
+msgstr "«%s» no és vàlid, useu [%s], [%s] o [%s]"

 #: src/libnmc-base/nm-client-utils.c:230
 #, c-format
@ -4676,7 +4677,7 @@ msgstr "clau privada no vàlida"
 #, fuzzy, c-format
 msgid "Secrets are required to connect WireGuard VPN '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."

 #: src/libnmc-base/nm-secret-agent-simple.c:620
@ -4698,7 +4699,7 @@ msgid ""
 "Passwords or encryption keys are required to access the wireless network "
 "'%s'."
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."

 #: src/libnmc-base/nm-secret-agent-simple.c:886
@ -4709,7 +4710,7 @@ msgstr "Autenticació 802.1X de xarxa amb fil"
 #, fuzzy, c-format
 msgid "Secrets are required to access the wired network '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
 "fil «%s»."

 #: src/libnmc-base/nm-secret-agent-simple.c:893
@ -5418,10 +5419,10 @@ msgid ""
 msgstr ""
 "Entreu els bytes com una llista de valors hexadecimals.\n"
 "S'accepten dos formats:\n"
-"(a) una cadena de dígits exadecimals, on cada dos dígits representen un "
+"(a) una cadena de dígits hexadecimals, on cada dos dígits representen un "
 "byte\n"
-"(b) una llista separada per espais de bytes escrits com a dígits hexadecimas "
-"(amb prefix opcional 0x/0X,i un 0 inicial opcional). \n"
+"(b) una llista separada per espais de bytes escrits com a dígits hexadecimals "
+"(amb prefix opcional 0x/0X,i un 0 inicial opcional).\n"
 "\n"
 "Exemples: ab0455a6ea3a74C2\n"
 "          ab 4 55 0xa6 ea 3a 74 C2\n"
@ -5493,7 +5494,7 @@ msgstr "Demora cap endavant"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5280
 #: src/nmtui/nmt-page-bridge.c:134
 msgid "Hello time"
-msgstr "Temps de benviguda"
+msgstr "Temps de benvinguda"

 #: src/libnmc-setting/nm-meta-setting-desc.c:5286
 #: src/nmtui/nmt-page-bridge.c:148
@ -5567,7 +5568,7 @@ msgid ""
 msgstr ""
 "Entreu les connexions secundàries que s'haurien d'activar quan s'activa "
 "aquesta connexió. Les connexions es poden especificar o bé per UUID o per ID "
-"(nom). L'nmcli tradueix transparentment els noms a UUID. Noteu que el "
+"(nom). nmcli tradueix transparentment els noms a UUID. Noteu que el "
 "NetworkManager actualment sols dóna suport els VPN com a connexions "
 "secundàries.\n"
 "Els elements es poden separar per comes o espais.\n"
@ -5676,7 +5677,7 @@ msgid ""
 "  priority [prio] [from [src]] [to [dst]], ,...\n"
 "\n"
 msgstr ""
-"Introduïu una llista de regles d'encaminanent IPv4 amb el següent format:\n"
+"Introduïu una llista de regles d'encaminament IPv4 amb el següent format:\n"
 "  priority [prioritat] [from [origen]] [to [destí]], ,...\n"
 "\n"
 "\n"
@ -5696,7 +5697,7 @@ msgstr ""
 "configuració IPv6 \n"
 "és «auto» aquests servidors DNS s'annexen als que retorna (si retorna cap) "
 "la \n"
-"configuració automatica. Els servidors DNS no es poden usar amb els métodes "
+"configuració automàtica. Els servidors DNS no es poden usar amb els mètodes "
 "de \n"
 "configuracó DNS «shared» o «link-local», atès que no hi una xarxa superior. "
 "A tots\n"
@ -8151,12 +8152,12 @@ msgstr ""
 "canonada (|) o un ampersand (&). El primer indica que l'element és opcional "
 "i el segon significa que és obligatori. Si hi ha algun element opcional, "
 "llavors la coincidència avalua a cert si almenys un dels elements opcionals "
-"coincideix (O lògicà). Si hi ha elements obligatoris, llavors tots han de "
+"coincideix (O lògica). Si hi ha elements obligatoris, llavors tots han de "
 "coincidir (I lògica). Per defecte, un element és opcional. Això significa "
 "que un element «foo» es comporta igual que «|foo». Un element també es pot "
 "invertir amb el símbol d'exclamació (!) entre el símbol de la canonada (o de "
 "l'ampersand) i abans del patró. Tingueu en compte que «!foo» és una drecera "
-"per al patró obligatòri «&!foo». Finalment, es pot utilitzar una barra "
+"per al patró obligatori «&!foo». Finalment, es pot utilitzar una barra "
 "inversa al començament de l'element (després dels caràcters especials "
 "opcionals) per no considerar-lo inici del patró. Per exemple, «\\!a» és una "
 "coincidència obligatòria per literalment «!a»."
@ -10722,7 +10723,7 @@ msgstr "Error: «%s» no és una connexió activa.\n"

 #: src/nmcli/connections.c:3436
 msgid "Error: not all active connections found."
-msgstr "Error: No s'han trobar totes les connexions actives."
+msgstr "Error: No s'han trobat totes les connexions actives."

 #: src/nmcli/connections.c:3444
 msgid "Error: no active connection provided."
@ -11041,7 +11042,7 @@ msgstr ""
 "Verifica si el paràmetre o la connexió és vàlida i es pot desar més tard.\n"
 "Indica valors no vàlids quan hi ha un error. Alguns errors es poden "
 "corregir\n"
-"automàticaent amb l'opció «fix».\n"
+"automàticament amb l'opció «fix».\n"
 "\n"
 "Exemples: nmcli> verify\n"
 "          nmcli> verify fix\n"
@ -11063,7 +11064,7 @@ msgid ""
 msgstr ""
 "save [persistent|temporary]  :: desa la connexió\n"
 "\n"
-"Envia el perfil de la connexió al NetworManager que o bé la desarà de forma\n"
+"Envia el perfil de la connexió al NetworkManager que o bé la desarà de forma\n"
 "persistent o bé sols la mantindrà a la memòria. «desa» sense cap argument\n"
 "significa «desa de forma persistent».\n"
 "Noteu que un cop que deseu el perfile de forma persistent aquestes "
@ -11485,7 +11486,7 @@ msgstr "Opció no vàlida de verificació: %s\n"
 #: src/nmcli/connections.c:8486
 #, c-format
 msgid "Verify setting '%s': %s\n"
-msgstr "Verifica el paràmere «%s»: %s\n"
+msgstr "Verifica el paràmetre «%s»: %s\n"

 #: src/nmcli/connections.c:8501
 #, c-format
@ -11552,12 +11553,12 @@ msgstr "Error: no es pot activar la connexió: %s.\n"
 #: src/nmcli/connections.c:8679
 #, c-format
 msgid "Error: Failed to activate '%s' (%s) connection: %s\n"
-msgstr "Error: no s'ha pogut desconnectar la connexió «%s» (%s): %s\n"
+msgstr "Error: no s'ha pogut activar la connexió «%s» (%s): %s\n"

 #: src/nmcli/connections.c:8686
 msgid "Monitoring connection activation (press any key to continue)\n"
 msgstr ""
-"S'està supervisant l'activació de la connexio (premeu qualsevol teclar per "
+"S'està supervisant l'activació de la connexió (premeu qualsevol tecla per "
 "continuar)\n"

 #: src/nmcli/connections.c:8721
@ -11582,7 +11583,7 @@ msgstr "Configuració actual del nmcli:\n"
 #: src/nmcli/connections.c:8753
 #, c-format
 msgid "Invalid configuration option '%s'; allowed [%s]\n"
-msgstr "Opció de configuració no vàida: «%s»; es permet [%s]\n"
+msgstr "Opció de configuració no vàlida: «%s»; es permet [%s]\n"

 #: src/nmcli/connections.c:8985
 #, fuzzy
@ -12396,7 +12397,7 @@ msgstr "Error: no s'ha pogut afegir/activar la connexió nova: %s"
 #: src/nmcli/devices.c:2266
 #, c-format
 msgid "Error: Device activation failed: %s"
-msgstr "Error: no s'ha pogut activar el dispositu: %s"
+msgstr "Error: no s'ha pogut activar el dispositiu: %s"

 #: src/nmcli/devices.c:2322
 #, c-format
@ -12603,7 +12604,7 @@ msgstr "Contrasenya: "
 #: src/nmcli/devices.c:4172
 #, c-format
 msgid "'%s' is not valid WPA PSK"
-msgstr "«%s» no és una WPS PSK vàlida"
+msgstr "«%s» no és una WPA PSK vàlida"

 #: src/nmcli/devices.c:4193
 #, c-format
@ -13538,7 +13539,7 @@ msgstr "Error: s'esperava l'argument «%s», però s'ha proporcionat «%s»."
 #: src/nmcli/utils.c:315
 #, c-format
 msgid "Error: Unexpected argument '%s'"
-msgstr "Error: argument inesperat «%s»."
+msgstr "Error: argument inesperat «%s»"

 #: src/nmcli/utils.c:702
 #, fuzzy, c-format
@ -13897,7 +13898,7 @@ msgstr "«%s» <"
 #. NB: the ordering/numbering here corresponds to NmtPageBondMonitoringMode
 #: src/nmtui/nmt-page-bond.c:92
 msgid "MII (recommended)"
-msgstr "MII (recomendat)"
+msgstr "MII (recomanat)"

 #: src/nmtui/nmt-page-bond.c:93
 msgid "ARP"
@ -14543,7 +14544,7 @@ msgstr ""

 #: src/nmtui/nmtui-edit.c:394 src/nmtui/nmtui-edit.c:410
 msgid "New Connection"
-msgstr "Connexions nova"
+msgstr "Connexió nova"

 #: src/nmtui/nmtui-edit.c:452
 #, c-format
--- a/po/it.po
+++ b/po/it.po
@ -12596,7 +12596,7 @@ msgstr "Digitare «help» o «?» per i comandi disponibili."
 #. TRANSLATORS: do not translate 'print', leave it as it is
 #: src/nmcli/connections.c:9072
 msgid "Type 'print' to show all the connection properties."
-msgstr "Digitare «stampa» per mostrare tutte le proprietà della connessione."
+msgstr "Digitare «print» per mostrare tutte le proprietà della connessione."

 #. TRANSLATORS: do not translate 'describe', leave it as it is
 #: src/nmcli/connections.c:9075
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
--- a/po/ru.po
+++ b/po/ru.po
--- a/po/sk.po
+++ b/po/sk.po
--- a/po/sl.po
+++ b/po/sl.po
--- a/src/contrib/nm-vpn-plugin-utils.c
+++ b/src/contrib/nm-vpn-plugin-utils.c
@ -155,3 +155,33 @@ nm_vpn_plugin_utils_load_editor(const char                   *module_path,
    g_return_val_if_fail(NM_IS_VPN_EDITOR(editor), NULL);
    return editor;
 }
+
+char *
+nm_vpn_plugin_utils_get_cert_path(const char *plugin)
+{
+    const char *path;
+
+    g_return_val_if_fail(plugin, NULL);
+
+    /* Users can set NM_CERT_PATH=~/.cert to be compatible with the certificate
+     * directory used in the past. */
+    path = g_getenv("NM_CERT_PATH");
+    if (path)
+        return g_build_filename(path, plugin, NULL);
+
+    /* Otherwise use XDG_DATA_HOME. We use subdirectory "networkmanagement/certificates"
+     * because the SELinux policy already has rules to set the correct labels in that
+     * directory. */
+    path = g_getenv("XDG_DATA_HOME");
+    if (path)
+        return g_build_filename(path, "networkmanagement", "certificates", plugin, NULL);
+
+    /* Use the default value for XDG_DATA_HOME */
+    return g_build_filename(g_get_home_dir(),
+                            ".local",
+                            "share",
+                            "networkmanagement",
+                            "certificates",
+                            plugin,
+                            NULL);
+}
--- a/src/contrib/nm-vpn-plugin-utils.h
+++ b/src/contrib/nm-vpn-plugin-utils.h
@ -24,4 +24,6 @@ NMVpnEditor *nm_vpn_plugin_utils_load_editor(const char                   *modul
                                             gpointer                      user_data,
                                             GError                      **error);

+char *nm_vpn_plugin_utils_get_cert_path(const char *plugin);
+
 #endif /* __NM_VPN_PLUGIN_UTILS_H__ */
--- a/src/core/devices/nm-device-bond.c
+++ b/src/core/devices/nm-device-bond.c
@ -52,8 +52,7 @@
        NM_SETTING_BOND_OPTION_PACKETS_PER_SLAVE, NM_SETTING_BOND_OPTION_PRIMARY_RESELECT, \
        NM_SETTING_BOND_OPTION_RESEND_IGMP, NM_SETTING_BOND_OPTION_USE_CARRIER,            \
        NM_SETTING_BOND_OPTION_XMIT_HASH_POLICY, NM_SETTING_BOND_OPTION_NUM_GRAT_ARP,      \
-        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX,    \
-        NM_SETTING_BOND_OPTION_LACP_ACTIVE
+        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX

 #define OPTIONS_REAPPLY_FULL                                     \
    OPTIONS_REAPPLY_SUBSET, NM_SETTING_BOND_OPTION_ACTIVE_SLAVE, \
--- a/src/core/devices/nm-device-bridge.c
+++ b/src/core/devices/nm-device-bridge.c
@ -1066,7 +1066,7 @@ attach_port(NMDevice                  *device,

            plat_vlans = setting_vlans_to_platform(vlans, &num_vlans);

-            /* Since the link was just enportd, there are no existing VLANs
+            /* Since the link was just attached, there are no existing VLANs
             * (except for the default one) and so there's no need to flush. */

            if (plat_vlans
--- a/src/core/devices/nm-device-ethernet.c
+++ b/src/core/devices/nm-device-ethernet.c
@ -14,7 +14,6 @@
 #include <libudev.h>
 #include <linux/if_ether.h>

-#include "NetworkManagerUtils.h"
 #include "NetworkManagerUtils.h"
 #include "libnm-core-aux-intern/nm-libnm-core-utils.h"
 #include "libnm-core-intern/nm-core-internal.h"
@ -630,10 +629,17 @@ build_supplicant_config(NMDeviceEthernet *self, GError **error)
    mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                   nm_device_get_ifindex(NM_DEVICE(self)));

-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
+                                      nm_utils_get_connection_first_permissions_user(connection));

    security = nm_connection_get_setting_802_1x(connection);
-    if (!nm_supplicant_config_add_setting_8021x(config, security, con_uuid, mtu, TRUE, error)) {
+    if (!nm_supplicant_config_add_setting_8021x(config,
+                                                security,
+                                                con_uuid,
+                                                mtu,
+                                                TRUE,
+                                                nm_device_get_private_files(NM_DEVICE(self)),
+                                                error)) {
        g_prefix_error(error, "802-1x-setting: ");
        g_clear_object(&config);
    }
@ -701,6 +707,9 @@ supplicant_iface_start(NMDeviceEthernet *self)
    NMDeviceEthernetPrivate            *priv   = NM_DEVICE_ETHERNET_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
+    NMActRequest                       *request;
+    NMActiveConnection                 *controller_ac;
+    NMDevice                           *controller;

    config = build_supplicant_config(self, &error);
    if (!config) {
@ -715,6 +724,16 @@ supplicant_iface_start(NMDeviceEthernet *self)
    }

    nm_supplicant_interface_disconnect(priv->supplicant.iface);
+
+    /* Tell the supplicant in which bridge the interface is */
+    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
+        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
+        && (controller = nm_active_connection_get_device(controller_ac))
+        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
+        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
+    } else
+        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
+
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
@ -1894,7 +1913,7 @@ get_ip_method_auto(NMDevice *device, int addr_family)
        /* We cannot do DHCPv4 on a PPP link, instead we get "auto" IP addresses
         * by pppd. Return "manual" here, which has the suitable effect to a
         * (zero) manual addresses in addition. */
-        return NM_SETTING_IP6_CONFIG_METHOD_MANUAL;
+        return NM_SETTING_IP4_CONFIG_METHOD_MANUAL;
    }

    return NM_SETTING_IP6_CONFIG_METHOD_AUTO;
--- a/src/core/devices/nm-device-hsr.c
+++ b/src/core/devices/nm-device-hsr.c
@ -117,28 +117,50 @@ create_and_realize(NMDevice              *device,
                   GError               **error)
 {
    const char        *iface   = nm_device_get_iface(device);
+    nm_auto_free char *err_msg = NULL;
    NMSettingHsr      *s_hsr;
    NMPlatformLnkHsr   lnk = {};
-    int              r;
+    int                r   = 0;

    s_hsr = _nm_connection_get_setting(connection, NM_TYPE_SETTING_HSR);
+
    nm_assert(s_hsr);

    if (nm_setting_hsr_get_port1(s_hsr) != NULL)
        lnk.port1 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port1(s_hsr));
    if (nm_setting_hsr_get_port2(s_hsr) != NULL)
        lnk.port2 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port2(s_hsr));
+    if (nm_setting_hsr_get_interlink(s_hsr) != NULL) {
+        const char *ifname  = nm_setting_hsr_get_interlink(s_hsr);
+        int         ifindex = nm_platform_link_get_ifindex(NM_PLATFORM_GET, ifname);
+
+        if (ifindex <= 0) {
+            err_msg = g_strdup_printf("interlink port '%s' does not exist", ifname);
+            goto out;
+        }
+
+        lnk.interlink = ifindex;
+    }
+
    lnk.multicast_spec   = nm_setting_hsr_get_multicast_spec(s_hsr);
    lnk.prp              = nm_setting_hsr_get_prp(s_hsr);
+    lnk.protocol_version = nm_setting_hsr_get_protocol_version(s_hsr);
+
    r = nm_platform_link_hsr_add(nm_device_get_platform(device), iface, &lnk, out_plink);
+
    if (r < 0) {
+        err_msg = g_strdup(nm_strerror(r) ?: "unknown");
+    }
+
+out:
+    if (err_msg) {
        g_set_error(error,
                    NM_DEVICE_ERROR,
                    NM_DEVICE_ERROR_CREATION_FAILED,
                    "Failed to create HSR interface '%s' for '%s': %s",
                    iface,
                    nm_connection_get_id(connection),
-                    nm_strerror(r));
+                    err_msg);
        return FALSE;
    }

--- a/src/core/devices/nm-device-macsec.c
+++ b/src/core/devices/nm-device-macsec.c
@ -201,7 +201,8 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
    mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                   nm_device_get_ifindex(NM_DEVICE(self)));

-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
+                                      nm_utils_get_connection_first_permissions_user(connection));

    s_macsec = nm_device_get_applied_setting(NM_DEVICE(self), NM_TYPE_SETTING_MACSEC);

@ -227,7 +228,13 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)

    if (nm_setting_macsec_get_mode(s_macsec) == NM_SETTING_MACSEC_MODE_EAP) {
        s_8021x = nm_connection_get_setting_802_1x(connection);
-        if (!nm_supplicant_config_add_setting_8021x(config, s_8021x, con_uuid, mtu, TRUE, error)) {
+        if (!nm_supplicant_config_add_setting_8021x(config,
+                                                    s_8021x,
+                                                    con_uuid,
+                                                    mtu,
+                                                    TRUE,
+                                                    nm_device_get_private_files(NM_DEVICE(self)),
+                                                    error)) {
            g_prefix_error(error, "802-1x-setting: ");
            return NULL;
        }
@ -433,6 +440,9 @@ supplicant_iface_start(NMDeviceMacsec *self)
    NMDeviceMacsecPrivate              *priv   = NM_DEVICE_MACSEC_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
+    NMActRequest                       *request;
+    NMActiveConnection                 *controller_ac;
+    NMDevice                           *controller;

    config = build_supplicant_config(self, &error);
    if (!config) {
@ -445,6 +455,16 @@ supplicant_iface_start(NMDeviceMacsec *self)
    }

    nm_supplicant_interface_disconnect(priv->supplicant.iface);
+
+    /* Tell the supplicant in which bridge the interface is */
+    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
+        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
+        && (controller = nm_active_connection_get_device(controller_ac))
+        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
+        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
+    } else
+        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
+
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
--- a/src/core/devices/nm-device-private.h
+++ b/src/core/devices/nm-device-private.h
@ -115,9 +115,6 @@ gboolean nm_device_sysctl_ip_conf_set(NMDevice   *self,

 NML3ConfigData *nm_device_create_l3_config_data(NMDevice *self, NMIPConfigSource source);

-NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
-                                                                NMConnection *connection);
-
 void nm_device_ip_method_dhcp4_start(NMDevice *self);

 void nm_device_ip_method_autoconf6_start(NMDevice *self);
@ -179,4 +176,6 @@ void nm_device_auth_request(NMDevice                      *self,

 void nm_device_link_properties_set(NMDevice *self, gboolean reapply);

+GHashTable *nm_device_get_private_files(NMDevice *self);
+
 #endif /* NM_DEVICE_PRIVATE_H */
--- a/src/core/devices/nm-device-utils.c
+++ b/src/core/devices/nm-device-utils.c
@ -135,13 +135,17 @@ NM_UTILS_LOOKUP_STR_DEFINE(
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_LINK_NOT_INIT,
                             "unmanaged-link-not-init"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_QUITTING, "unmanaged-quitting"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_SLEEPING, "unmanaged-sleeping"),
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_MANAGER_DISABLED,
+                             "unmanaged-nm-disabled"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_CONF, "unmanaged-user-conf"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_EXPLICIT,
                             "unmanaged-user-explicit"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_SETTINGS,
                             "unmanaged-user-settings"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"), );
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"),
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"),
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE,
+                             "modem-no-operator-code"), );

 NM_UTILS_LOOKUP_STR_DEFINE(nm_device_mtu_source_to_string,
                           NMDeviceMtuSource,
@ -235,7 +239,7 @@ resolve_addr_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data
    gs_free_error GError *error  = NULL;
    gs_free char         *output = NULL;

-    output = nm_utils_spawn_helper_finish(result, &error);
+    output = nm_utils_spawn_helper_finish_string(result, &error);
    if (nm_utils_error_is_cancelled(error))
        return;

@ -274,6 +278,7 @@ resolve_addr_spawn_helper(ResolveAddrInfo *info, ResolveAddrService services)
    nm_inet_ntop(info->addr_family, &info->address, addr_str);
    _LOG2D(info, "start lookup via nm-daemon-helper using services: %s", str);
    nm_utils_spawn_helper(NM_MAKE_STRV("resolve-address", addr_str, str),
+                          FALSE,
                          g_task_get_cancellable(info->task),
                          resolve_addr_helper_cb,
                          info);
--- a/src/core/devices/nm-device-wireguard.c
+++ b/src/core/devices/nm-device-wireguard.c
@ -1672,6 +1672,57 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
    return ret;
 }

+static gboolean
+skip_peer_route(const NMIPAddr    *peer_addr,
+                guint              peer_addr_prefix,
+                int                addr_family,
+                NMSettingIPConfig *s_ip)
+{
+    guint num_addresses;
+    guint i;
+
+    /*
+     * If the allowed-ip subnet is already reachable on the interface via the
+     * prefix route of a static IP address, skip adding the peer route.
+     * We don't want to override the prefix route with a new one because the
+     * prefix route also specifies the correct source IP address.
+     *
+     * wg-quick does something similar here:
+     * https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?h=v1.0.20250521#n177
+     * The condition in wg-quick is a bit different because it checks that no
+     * duplicate route exists on the interface. We can't do exactly the same
+     * because here we don't have visibility on all the platform routes.
+     */
+
+    if (!s_ip)
+        return FALSE;
+
+    num_addresses = nm_setting_ip_config_get_num_addresses(s_ip);
+    for (i = 0; i < num_addresses; i++) {
+        NMIPAddr     setting_addr;
+        NMIPAddr     peer_addr_tmp;
+        guint        setting_prefix;
+        NMIPAddress *a;
+
+        peer_addr_tmp = *peer_addr;
+
+        a = nm_setting_ip_config_get_address(s_ip, i);
+        nm_ip_address_get_address_binary(a, &setting_addr);
+        setting_prefix = nm_ip_address_get_prefix(a);
+
+        if (setting_prefix > peer_addr_prefix)
+            continue;
+
+        nm_ip_addr_clear_host_address(addr_family, &setting_addr, NULL, setting_prefix);
+        nm_ip_addr_clear_host_address(addr_family, &peer_addr_tmp, NULL, setting_prefix);
+
+        if (nm_ip_addr_equal(addr_family, &peer_addr_tmp, &setting_addr))
+            return TRUE;
+    }
+
+    return FALSE;
+}
+
 static const NML3ConfigData *
 _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 {
@ -1738,6 +1789,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)

        n_aips = nm_wireguard_peer_get_allowed_ips_len(peer);
        for (j = 0; j < n_aips; j++) {
+            NMSettingIPConfig *s_ip;
            NMPlatformIPXRoute rt;
            NMIPAddr           addrbin;
            const char        *aip;
@ -1746,6 +1798,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
            guint32            rtable_coerced;

            aip  = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
+            s_ip = nm_connection_get_setting_ip_config(connection, addr_family);

            if (!valid || !nm_inet_parse_with_prefix_bin(addr_family, aip, NULL, &addrbin, &prefix))
                continue;
@ -1754,9 +1807,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
                prefix = (addr_family == AF_INET) ? 32 : 128;

            if (prefix == 0) {
-                NMSettingIPConfig *s_ip;
-
-                s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
                if (nm_setting_ip_config_get_never_default(s_ip))
                    continue;
            }
@ -1769,6 +1819,9 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)

            nm_ip_addr_clear_host_address(addr_family, &addrbin, NULL, prefix);

+            if (skip_peer_route(&addrbin, prefix, addr_family, s_ip))
+                continue;
+
            rtable_coerced = route_table_coerced;

            if (prefix == 0 && auto_default_route_enabled) {
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@ -113,6 +113,19 @@ typedef enum {
    RELEASE_PORT_TYPE_CONFIG_FORCE,
 } ReleasePortType;

+/**
+ * CleanupType:
+ * @CLEANUP_TYPE_KEEP: Cleanup internally but keep the real device's config. This is
+ *   often used when moving a partially managed device to "unmanaged" (but not only).
+ * @CLEANUP_TYPE_REMOVED: The device suddently disappeared. Cleanup internally but don't
+ *   make any action on the real device at all, as it no longer exists.
+ * @CLEANUP_TYPE_DECONFIGURE: Also deconfigure the real device. This is the typical
+ *   action when a connection or device is set to "down", or fully managed devices
+ *   moved to "unmanaged".
+ * @CLEANUP_TYPE_KEEP_REAPPLY: Like %CLEANUP_TYPE_KEEP, but indicating that it's a
+ *   reapply. Some special actions can be done if we're doing a reapply, like keeping
+ *   the existing DHCP lease, for example.
+ */
 typedef enum {
    CLEANUP_TYPE_KEEP,
    CLEANUP_TYPE_REMOVED,
@ -266,7 +279,7 @@ typedef struct {
    union {
        struct {
            NMDnsMasqManager     *dnsmasq_manager;
-            NMNetnsSharedIPHandle *shared_ip_handle;
+            NMNetnsIPReservation *ip_reservation;
            NMFirewallConfig     *firewall_config;
            gulong                dnsmasq_state_id;
            const NML3ConfigData *l3cd;
@ -335,6 +348,12 @@ typedef struct {
    int           addr_family;
 } HostnameResolver;

+typedef enum {
+    PRIVATE_FILES_STATE_UNKNOWN = 0,
+    PRIVATE_FILES_STATE_READING,
+    PRIVATE_FILES_STATE_DONE,
+} PrivateFilesState;
+
 /*****************************************************************************/

 enum {
@ -692,6 +711,8 @@ typedef struct _NMDevicePrivate {

    IPDevStateData ipdev_data_unspec;

+    gulong sharing_ipv4_changed_id;
+
    struct {
        /* If we set the addrgenmode6, this records the previously set value. */
        guint8 previous_mode_val;
@ -769,6 +790,13 @@ typedef struct _NMDevicePrivate {
        guint64  rx_bytes;
    } stats;

+    struct {
+        GHashTable       *table;
+        GCancellable     *cancellable;
+        char             *user;
+        PrivateFilesState state;
+    } private_files;
+
    bool mtu_force_set_done : 1;

    bool needs_ip6_subnet : 1;
@ -779,7 +807,6 @@ typedef struct _NMDevicePrivate {
    char     *prop_ip_iface; /* IP interface D-Bus property */
    GList    *ping_operations;
    GSource  *ping_timeout;
-    bool      refresh_forwarding_done : 1;
 } NMDevicePrivate;

 G_DEFINE_ABSTRACT_TYPE(NMDevice, nm_device, NM_TYPE_DBUS_OBJECT)
@ -867,6 +894,8 @@ static void _dev_ipshared4_spawn_dnsmasq(NMDevice *self);

 static void _dev_ipshared6_start(NMDevice *self);

+static void _dev_ipforwarding4_start(NMDevice *self, int addr_family);
+
 static void
 _cleanup_ip_pre(NMDevice *self, int addr_family, CleanupType cleanup_type, gboolean preserve_dhcp);

@ -1395,14 +1424,12 @@ _prop_get_ipvx_routed_dns(NMDevice *self, int addr_family)
 }

 static NMSettingConnectionMdns
-_prop_get_connection_mdns(NMDevice *self)
+_prop_get_connection_mdns(NMDevice *self, NMConnection *connection)
 {
-    NMConnection           *connection;
    NMSettingConnectionMdns mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT;

    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_MDNS_DEFAULT);

-    connection = nm_device_get_applied_connection(self);
    if (connection)
        mdns = nm_setting_connection_get_mdns(nm_connection_get_setting_connection(connection));
    if (mdns != NM_SETTING_CONNECTION_MDNS_DEFAULT)
@ -1437,14 +1464,12 @@ _prop_get_sriov_preserve_on_down(NMDevice *self, NMSettingSriov *s_sriov)
 }

 static NMSettingConnectionLlmnr
-_prop_get_connection_llmnr(NMDevice *self)
+_prop_get_connection_llmnr(NMDevice *self, NMConnection *connection)
 {
-    NMConnection            *connection;
    NMSettingConnectionLlmnr llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT;

    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_LLMNR_DEFAULT);

-    connection = nm_device_get_applied_connection(self);
    if (connection)
        llmnr = nm_setting_connection_get_llmnr(nm_connection_get_setting_connection(connection));
    if (llmnr != NM_SETTING_CONNECTION_LLMNR_DEFAULT)
@ -1459,14 +1484,12 @@ _prop_get_connection_llmnr(NMDevice *self)
 }

 static NMSettingConnectionDnsOverTls
-_prop_get_connection_dns_over_tls(NMDevice *self)
+_prop_get_connection_dns_over_tls(NMDevice *self, NMConnection *connection)
 {
-    NMConnection                 *connection;
    NMSettingConnectionDnsOverTls dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;

    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);

-    connection = nm_device_get_applied_connection(self);
    if (connection)
        dns_over_tls = nm_setting_connection_get_dns_over_tls(
            nm_connection_get_setting_connection(connection));
@ -1481,15 +1504,33 @@ _prop_get_connection_dns_over_tls(NMDevice *self)
                                                       NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
 }

-static NMMptcpFlags
-_prop_get_connection_mptcp_flags(NMDevice *self)
+static NMSettingConnectionDnssec
+_prop_get_connection_dnssec(NMDevice *self, NMConnection *connection)
+{
+    NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
+
+    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
+
+    if (connection)
+        dnssec = nm_setting_connection_get_dnssec(nm_connection_get_setting_connection(connection));
+    if (dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
+        return dnssec;
+
+    return nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
+                                                       NM_CON_DEFAULT("connection.dnssec"),
+                                                       self,
+                                                       NM_SETTING_CONNECTION_DNSSEC_NO,
+                                                       NM_SETTING_CONNECTION_DNSSEC_YES,
+                                                       NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
+}
+
+static NMMptcpFlags
+_prop_get_connection_mptcp_flags(NMDevice *self, NMConnection *connection)
 {
-    NMConnection *connection;
    NMMptcpFlags mptcp_flags = NM_MPTCP_FLAGS_NONE;

    g_return_val_if_fail(NM_IS_DEVICE(self), NM_MPTCP_FLAGS_DISABLED);

-    connection = nm_device_get_applied_connection(self);
    if (connection) {
        mptcp_flags =
            nm_setting_connection_get_mptcp_flags(nm_connection_get_setting_connection(connection));
@ -2131,8 +2172,8 @@ _prop_get_ipvx_dhcp_send_hostname(NMDevice *self, int addr_family)
    return send_hostname_v2;
 }

-NMSettingIPConfigForwarding
-nm_device_get_ipv4_forwarding(NMDevice *self)
+static NMSettingIPConfigForwarding
+_prop_get_ipv4_forwarding(NMDevice *self)
 {
    NMSettingIPConfig          *s_ip;
    NMSettingIPConfigForwarding forwarding;
@ -2455,16 +2496,14 @@ _prop_get_ipv4_dhcp_vendor_class_identifier(NMDevice *self, NMSettingIP4Config *
 }

 static NMSettingIP6ConfigPrivacy
-_prop_get_ipv6_ip6_privacy(NMDevice *self)
+_prop_get_ipv6_ip6_privacy(NMDevice *self, NMConnection *connection)
 {
    NMSettingIP6ConfigPrivacy ip6_privacy;
-    NMConnection             *connection;

    g_return_val_if_fail(self, NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN);

    /* 1.) First look at the per-connection setting. If it is not -1 (unknown),
     * use it. */
-    connection = nm_device_get_applied_connection(self);
    if (connection) {
        NMSettingIPConfig *s_ip6 = nm_connection_get_setting_ip6_config(connection);

@ -3597,11 +3636,12 @@ nm_device_create_l3_config_data_from_connection(NMDevice *self, NMConnection *co

    l3cd =
        nm_l3_config_data_new_from_connection(nm_device_get_multi_index(self), ifindex, connection);
-    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self));
-    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self));
-    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self));
-    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self));
-    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self));
+    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self, connection));
+    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self, connection));
+    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self, connection));
+    nm_l3_config_data_set_dnssec(l3cd, _prop_get_connection_dnssec(self, connection));
+    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self, connection));
+    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self, connection));
    return l3cd;
 }

@ -3778,7 +3818,7 @@ nm_device_assume_state_reset(NMDevice *self)

 /*****************************************************************************/

-char *
+static char *
 nm_device_sysctl_ip_conf_get(NMDevice *self, int addr_family, const char *property)
 {
    const char *ifname;
@ -6304,6 +6344,14 @@ concheck_is_possible(NMDevice *self)
    if (priv->state == NM_DEVICE_STATE_UNKNOWN)
        return FALSE;

+    if (!nm_config_data_get_device_config_boolean_by_device(
+            NM_CONFIG_GET_DATA,
+            NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
+            self,
+            TRUE,
+            TRUE))
+        return FALSE;
+
    return TRUE;
 }

@ -6324,8 +6372,10 @@ concheck_periodic_schedule_do(NMDevice *self, int addr_family, gint64 now_ns)
        goto out;
    }

-    if (!concheck_is_possible(self))
+    if (!concheck_is_possible(self)) {
+        concheck_update_state(self, addr_family, NM_CONNECTIVITY_UNKNOWN, FALSE);
        goto out;
+    }

    nm_assert(now_ns > 0);
    nm_assert(priv->concheck_x[IS_IPv4].p_cur_interval > 0);
@ -6548,7 +6598,11 @@ concheck_update_interval(NMDevice *self, int addr_family, gboolean check_now)
        concheck_periodic_schedule_do(self, addr_family, 0);

        /* also update the fake connectivity state. */
+        if (concheck_is_possible(self))
            concheck_update_state(self, addr_family, NM_CONNECTIVITY_FAKE, TRUE);
+        else
+            concheck_update_state(self, addr_family, NM_CONNECTIVITY_UNKNOWN, FALSE);
+
        return;
    }

@ -6577,6 +6631,7 @@ concheck_update_state(NMDevice           *self,
    /* @state is a result of the connectivity check. We only expect a precise
     * number of possible values. */
    nm_assert(NM_IN_SET(state,
+                        NM_CONNECTIVITY_UNKNOWN,
                        NM_CONNECTIVITY_LIMITED,
                        NM_CONNECTIVITY_PORTAL,
                        NM_CONNECTIVITY_FULL,
@ -6645,7 +6700,7 @@ concheck_update_state(NMDevice           *self,
    }
 }

-const char *
+static const char *
 nm_device_get_effective_ip_config_method(NMDevice *self, int addr_family)
 {
    NMDeviceClass *klass;
@ -6900,8 +6955,11 @@ nm_device_check_connectivity(NMDevice                    *self,
                             NMDeviceConnectivityCallback callback,
                             gpointer                     user_data)
 {
-    if (!concheck_is_possible(self))
+    if (!concheck_is_possible(self)) {
+        concheck_update_state(self, AF_INET, NM_CONNECTIVITY_UNKNOWN, FALSE);
+        concheck_update_state(self, AF_INET6, NM_CONNECTIVITY_UNKNOWN, FALSE);
        return NULL;
+    }

    concheck_periodic_schedule_set(self, addr_family, CONCHECK_SCHEDULE_CHECK_EXTERNAL);
    return concheck_start(self, addr_family, callback, user_data, FALSE);
@ -8289,6 +8347,17 @@ config_changed(NMConfig           *config,
            && !nm_device_get_applied_setting(self, NM_TYPE_SETTING_SRIOV))
            device_init_static_sriov_num_vfs(self);
    }
+
+    if (NM_FLAGS_HAS(changes, NM_CONFIG_CHANGE_VALUES) && concheck_is_possible(self)) {
+        /* restart (periodic) connectivity checks if they were previously disabled */
+        if (!nm_config_data_get_device_config_boolean_by_device(
+                old_data,
+                NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
+                self,
+                TRUE,
+                TRUE))
+            nm_device_check_connectivity_update_interval(self);
+    }
 }

 static void
@ -8639,6 +8708,8 @@ nm_device_unrealize(NMDevice *self, gboolean remove_resources, GError **error)

    g_object_thaw_notify(G_OBJECT(self));

+    nm_device_managed_type_set(self, NM_DEVICE_MANAGED_TYPE_REMOVED);
+
    nm_device_set_unmanaged_flags(self, NM_UNMANAGED_PLATFORM_INIT, TRUE);

    nm_device_set_unmanaged_flags(self,
@ -9164,6 +9235,10 @@ is_available(NMDevice *self, NMDeviceCheckDevAvailableFlags flags)
 {
    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);

+    /* unrealized software devices are always available, hardware devices never */
+    if (!nm_device_is_real(self))
+        return nm_device_is_software(self);
+
    if (priv->carrier || priv->ignore_carrier)
        return TRUE;

@ -10390,6 +10465,43 @@ sriov_params_cb(GError *error, gpointer user_data)
    nm_device_activate_schedule_stage1_device_prepare(self, FALSE);
 }

+static gboolean
+sriov_gen_platform_vfs(NMDevice       *self,
+                       NMSettingSriov *s_sriov,
+                       NMPlatformVF ***plat_vfs_out,
+                       GError        **error)
+{
+    nm_auto_freev NMPlatformVF **plat_vfs = NULL;
+    guint                        num;
+
+    nm_assert(s_sriov);
+    nm_assert(plat_vfs_out && !*plat_vfs_out);
+
+    num      = nm_setting_sriov_get_num_vfs(s_sriov);
+    plat_vfs = g_new0(NMPlatformVF *, num + 1);
+
+    for (int i = 0; i < num; i++) {
+        NMSriovVF            *vf    = nm_setting_sriov_get_vf(s_sriov, i);
+        gs_free_error GError *local = NULL;
+
+        plat_vfs[i] = sriov_vf_config_to_platform(self, vf, &local);
+
+        if (!plat_vfs[i]) {
+            g_set_error(error,
+                        local->domain,
+                        local->code,
+                        "VF '%s' is invalid: %s",
+                        nm_utils_sriov_vf_to_str(vf, FALSE, NULL),
+                        local->message);
+            return FALSE;
+        }
+    }
+
+    *plat_vfs_out = g_steal_pointer(&plat_vfs);
+
+    return TRUE;
+}
+
 /*
 * activate_stage1_device_prepare
 *
@ -10436,10 +10548,7 @@ activate_stage1_device_prepare(NMDevice *self)
        if (s_sriov && nm_device_has_capability(self, NM_DEVICE_CAP_SRIOV)) {
            nm_auto_freev NMPlatformVF **plat_vfs = NULL;
            gs_free_error GError        *error    = NULL;
-            NMSriovVF                   *vf;
            NMTernary                    autoprobe;
-            guint                        num;
-            guint                        i;

            autoprobe = nm_setting_sriov_get_autoprobe_drivers(s_sriov);
            if (autoprobe == NM_TERNARY_DEFAULT) {
@ -10452,22 +10561,13 @@ activate_stage1_device_prepare(NMDevice *self)
                    NM_OPTION_BOOL_TRUE);
            }

-            num      = nm_setting_sriov_get_num_vfs(s_sriov);
-            plat_vfs = g_new0(NMPlatformVF *, num + 1);
-            for (i = 0; i < num; i++) {
-                vf          = nm_setting_sriov_get_vf(s_sriov, i);
-                plat_vfs[i] = sriov_vf_config_to_platform(self, vf, &error);
-                if (!plat_vfs[i]) {
-                    _LOGE(LOGD_DEVICE,
-                          "failed to apply SR-IOV VF '%s': %s",
-                          nm_utils_sriov_vf_to_str(vf, FALSE, NULL),
-                          error->message);
+            if (!sriov_gen_platform_vfs(self, s_sriov, &plat_vfs, &error)) {
+                _LOGE(LOGD_DEVICE, "cannot parse the VF list: %s", error->message);
                nm_device_state_changed(self,
                                        NM_DEVICE_STATE_FAILED,
                                        NM_DEVICE_STATE_REASON_SRIOV_CONFIGURATION_FAILED);
                return;
            }
-            }

            /* When changing the number of VFs the kernel can block
             * for very long time in the write to sysfs, especially
@ -10773,6 +10873,49 @@ tc_commit(NMDevice *self)
    return TRUE;
 }

+static void
+read_private_files_cb(GObject *source_object, GAsyncResult *result, gpointer data)
+{
+    gs_unref_hashtable GHashTable *table = NULL;
+    gs_free_error GError          *error = NULL;
+    NMDevice                      *self;
+    NMDevicePrivate               *priv;
+
+    table = nm_utils_read_private_files_finish(result, &error);
+    if (nm_utils_error_is_cancelled(error))
+        return;
+
+    self = NM_DEVICE(data);
+    priv = NM_DEVICE_GET_PRIVATE(self);
+
+    if (error) {
+        NMConnection *connection = nm_device_get_applied_connection(self);
+
+        _LOGW(LOGD_DEVICE,
+              "could not read files for private connection %s owned by user '%s': %s",
+              connection ? nm_connection_get_uuid(connection) : NULL,
+              priv->private_files.user,
+              error->message);
+        nm_device_state_changed(self, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_CONFIG_FAILED);
+        return;
+    }
+
+    _LOGD(LOGD_DEVICE, "private files successfully read");
+
+    priv->private_files.state = PRIVATE_FILES_STATE_DONE;
+    priv->private_files.table = g_steal_pointer(&table);
+    g_clear_pointer(&priv->private_files.user, g_free);
+    g_clear_object(&priv->private_files.cancellable);
+
+    nm_device_activate_schedule_stage2_device_config(self, FALSE);
+}
+
+GHashTable *
+nm_device_get_private_files(NMDevice *self)
+{
+    return NM_DEVICE_GET_PRIVATE(self)->private_files.table;
+}
+
 /*
 * activate_stage2_device_config
 *
@ -10785,6 +10928,7 @@ activate_stage2_device_config(NMDevice *self)
 {
    NMDevicePrivate *priv  = NM_DEVICE_GET_PRIVATE(self);
    NMDeviceClass   *klass = NM_DEVICE_GET_CLASS(self);
+    NMConnection    *applied;
    NMActStageReturn ret;
    NMSettingWired  *s_wired;
    gboolean         no_firmware = FALSE;
@ -10793,6 +10937,68 @@ activate_stage2_device_config(NMDevice *self)

    nm_device_state_changed(self, NM_DEVICE_STATE_CONFIG, NM_DEVICE_STATE_REASON_NONE);

+    applied = nm_device_get_applied_connection(self);
+
+    /* If the connection is private (owned by a specific user), we need to
+     * verify that the user has permission to access any files specified in
+     * the connection, such as certificates and keys. We do that by calling
+     * nm_utils_read_private_files() and saving the file contents in a hash
+     * table that can be accessed later during the activation. It is important
+     * to never access the files again to avoid TOCTOU bugs.
+     */
+    switch (priv->private_files.state) {
+    case PRIVATE_FILES_STATE_UNKNOWN:
+    {
+        gs_free const char **paths = NULL;
+        NMSettingConnection *s_con;
+        const char          *user;
+
+        s_con = nm_connection_get_setting_connection(applied);
+        nm_assert(s_con);
+        user = _nm_setting_connection_get_first_permissions_user(s_con);
+
+        priv->private_files.user = g_strdup(user);
+        if (!priv->private_files.user) {
+            priv->private_files.state = PRIVATE_FILES_STATE_DONE;
+            break;
+        }
+
+        paths = nm_utils_get_connection_private_files_paths(applied);
+        if (!paths) {
+            priv->private_files.state = PRIVATE_FILES_STATE_DONE;
+            break;
+        }
+
+        if (_nm_setting_connection_get_num_permissions_users(s_con) > 1) {
+            _LOGW(LOGD_DEVICE,
+                  "private connections with multiple users are not allowed to reference "
+                  "certificates and keys on the filesystem. Specify only one user in the "
+                  "connection.permissions property.");
+            nm_device_state_changed(self,
+                                    NM_DEVICE_STATE_FAILED,
+                                    NM_DEVICE_STATE_REASON_CONFIG_FAILED);
+            return;
+        }
+
+        priv->private_files.state       = PRIVATE_FILES_STATE_READING;
+        priv->private_files.cancellable = g_cancellable_new();
+
+        _LOGD(LOGD_DEVICE, "reading private files");
+        nm_utils_read_private_files(paths,
+                                    priv->private_files.user,
+                                    priv->private_files.cancellable,
+                                    read_private_files_cb,
+                                    self);
+        return;
+    }
+    case PRIVATE_FILES_STATE_READING:
+        /* wait */
+        return;
+    case PRIVATE_FILES_STATE_DONE:
+        /* proceed */
+        break;
+    }
+
    if (!nm_device_managed_type_is_external(self)) {
        _ethtool_state_set(self);
        nm_device_link_properties_set(self, FALSE);
@ -10809,7 +11015,7 @@ activate_stage2_device_config(NMDevice *self)
        priv->tc_committed = TRUE;
    }

-    nm_routing_rules_sync(nm_device_get_applied_connection(self),
+    nm_routing_rules_sync(applied,
                          NM_TERNARY_TRUE,
                          klass->get_extra_rules,
                          self,
@ -12821,7 +13027,7 @@ _dev_ipac6_start(NMDevice *self)
            .router_solicitations         = router_solicitations,
            .router_solicitation_interval = router_solicitation_interval,
            .ra_timeout                   = ra_timeout,
-            .ip6_privacy                  = _prop_get_ipv6_ip6_privacy(self),
+            .ip6_privacy                  = _prop_get_ipv6_ip6_privacy(self, connection),
        };

        priv->ipac6_data.ndisc = nm_lndp_ndisc_new(&config);
@ -13008,7 +13214,6 @@ _dev_addrgenmode6_set(NMDevice *self, guint8 addr_gen_mode)
    if (!priv->addrgenmode6_data.previous_mode_has) {
        priv->addrgenmode6_data.previous_mode_has = TRUE;
        priv->addrgenmode6_data.previous_mode_val = cur_addr_gen_mode;
-        nm_assert(priv->addrgenmode6_data.previous_mode_val == cur_addr_gen_mode);
    }

    _LOGD_ip(AF_INET6,
@ -13135,17 +13340,12 @@ activate_stage3_ip_config_for_addr_family(NMDevice *self, int addr_family)
        goto out_devip;

    if (IS_IPv4) {
-        NMSettingIPConfigForwarding ipv4_forwarding = nm_device_get_ipv4_forwarding(self);
-
-        if (NM_IN_SET(ipv4_forwarding,
-                      NM_SETTING_IP_CONFIG_FORWARDING_NO,
-                      NM_SETTING_IP_CONFIG_FORWARDING_YES)) {
-            nm_device_sysctl_ip_conf_set(self, AF_INET, "forwarding", ipv4_forwarding ? "1" : "0");
-        }
        priv->ipll_data_4.v4.mode = _prop_get_ipv4_link_local(self);
        if (priv->ipll_data_4.v4.mode == NM_SETTING_IP4_LL_ENABLED)
            _dev_ipll4_start(self);

+        _dev_ipforwarding4_start(self, addr_family);
+
        if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_AUTO))
            _dev_ipdhcpx_start(self, AF_INET);
        else if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_LINK_LOCAL)) {
@ -13467,13 +13667,19 @@ _dev_ipsharedx_set_state(NMDevice *self, int addr_family, NMDeviceIPState state)
 {
    NMDevicePrivate *priv      = NM_DEVICE_GET_PRIVATE(self);
    const int        IS_IPv4   = NM_IS_IPv4(addr_family);
+    NMDeviceIPState  old_state = priv->ipshared_data_x[IS_IPv4].state;

-    if (priv->ipshared_data_x[IS_IPv4].state != state) {
+    if (old_state != state) {
        _LOGD_ipshared(addr_family,
                       "set state %s (was %s)",
                       nm_device_ip_state_to_string(state),
-                       nm_device_ip_state_to_string(priv->ipshared_data_x[IS_IPv4].state));
+                       nm_device_ip_state_to_string(old_state));
        priv->ipshared_data_x[IS_IPv4].state = state;
+
+        if (old_state == NM_DEVICE_IP_STATE_READY || state == NM_DEVICE_IP_STATE_READY)
+            nm_manager_update_shared_connection(NM_MANAGER_GET,
+                                                addr_family,
+                                                state == NM_DEVICE_IP_STATE_READY);
    }
 }

@ -13496,7 +13702,7 @@ _dev_ipsharedx_cleanup(NMDevice *self, int addr_family)
            nm_clear_pointer(&priv->ipshared_data_4.v4.firewall_config, nm_firewall_config_free);
        }

-        nm_clear_pointer(&priv->ipshared_data_4.v4.shared_ip_handle, nm_netns_shared_ip_release);
+        nm_clear_pointer(&priv->ipshared_data_4.v4.ip_reservation, nm_netns_ip_reservation_release);
        nm_clear_l3cd(&priv->ipshared_data_4.v4.l3cd);

        _dev_l3_register_l3cds_set_one(self, L3_CONFIG_DATA_TYPE_SHARED_4, NULL, FALSE);
@ -13530,13 +13736,14 @@ _dev_ipshared4_new_l3cd(NMDevice *self, NMConnection *connection, NMPlatformIP4A

        nm_ip_address_get_address_binary(user, &a);
        nm_platform_ip4_address_set_addr(&address, a, nm_ip_address_get_prefix(user));
-        nm_clear_pointer(&priv->ipshared_data_4.v4.shared_ip_handle, nm_netns_shared_ip_release);
+        nm_clear_pointer(&priv->ipshared_data_4.v4.ip_reservation, nm_netns_ip_reservation_release);
    } else {
-        if (!priv->ipshared_data_4.v4.shared_ip_handle)
-            priv->ipshared_data_4.v4.shared_ip_handle =
-                nm_netns_shared_ip_reserve(nm_device_get_netns(self));
+        if (!priv->ipshared_data_4.v4.ip_reservation)
+            priv->ipshared_data_4.v4.ip_reservation =
+                nm_netns_ip_reservation_get(nm_device_get_netns(self),
+                                            NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
        nm_platform_ip4_address_set_addr(&address,
-                                         priv->ipshared_data_4.v4.shared_ip_handle->addr,
+                                         priv->ipshared_data_4.v4.ip_reservation->addr,
                                         24);
    }

@ -13768,6 +13975,106 @@ _dev_ipshared6_start(NMDevice *self)

 /*****************************************************************************/

+/**
+ * Set the device's forwarding to the specified value. If %NM_TERNARY_DEFAULT is specified,
+ * it's set to the kernel's default, otherwise it's set to the specific value.
+ */
+static void
+_dev_ipforwarding4_set(NMDevice *self, NMTernary val)
+{
+    gs_free const char *default_forwarding = NULL;
+    gs_free const char *current_forwarding = NULL;
+    const char         *val_str;
+
+    if (val != NM_TERNARY_DEFAULT) {
+        val_str = val ? "1" : "0";
+    } else {
+        default_forwarding = nm_platform_sysctl_get(
+            nm_device_get_platform(self),
+            NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"));
+
+        if (!default_forwarding) {
+            _LOGW(LOGD_DEVICE,
+                  "error setting IPv4 forwarding: can't read default forwarding value: %s",
+                  nm_strerror_native(errno));
+            return; /* Non fatal */
+        }
+
+        val_str = default_forwarding;
+    }
+
+    current_forwarding = nm_device_sysctl_ip_conf_get(self, AF_INET, "forwarding");
+    if (nm_streq0(current_forwarding, val_str))
+        return;
+
+    if (!nm_device_sysctl_ip_conf_set(self, AF_INET, "forwarding", val_str))
+        _LOGW(LOGD_DEVICE,
+              "error setting IPv4 forwarding to '%s': %s",
+              val_str,
+              nm_strerror_native(errno));
+}
+
+static void
+_dev_ipforwarding4_auto_cb(NMManager *manager, gboolean sharing_ipv4, gpointer data)
+{
+    NMDevice *self = NM_DEVICE(data);
+
+    _dev_ipforwarding4_set(self, sharing_ipv4 ? NM_TERNARY_TRUE : NM_TERNARY_DEFAULT);
+}
+
+static void
+_dev_ipforwarding4_start(NMDevice *self, int addr_family)
+{
+    NMDevicePrivate            *priv            = NM_DEVICE_GET_PRIVATE(self);
+    NMSettingIPConfigForwarding ipv4_forwarding = _prop_get_ipv4_forwarding(self);
+    NMTernary                   new_forwarding  = NM_TERNARY_DEFAULT;
+
+    /* IPv6 per-interface forwarding not supported yet */
+    if (addr_family != AF_INET)
+        return;
+
+    if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_SHARED)) {
+        new_forwarding = NM_TERNARY_TRUE;
+    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_YES) {
+        new_forwarding = NM_TERNARY_TRUE;
+    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_NO) {
+        new_forwarding = NM_TERNARY_FALSE;
+    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_AUTO) {
+        if (nm_manager_get_sharing_ipv4(NM_MANAGER_GET))
+            new_forwarding = NM_TERNARY_TRUE;
+        else
+            new_forwarding = NM_TERNARY_DEFAULT;
+
+        if (!priv->sharing_ipv4_changed_id)
+            priv->sharing_ipv4_changed_id = g_signal_connect(NM_MANAGER_GET,
+                                                             NM_MANAGER_SHARING_IPV4_CHANGED,
+                                                             G_CALLBACK(_dev_ipforwarding4_auto_cb),
+                                                             self);
+    } else {
+        nm_assert_not_reached();
+    }
+
+    _dev_ipforwarding4_set(self, new_forwarding);
+}
+
+static void
+_dev_ipforwarding_cleanup(NMDevice *self, int addr_family, CleanupType cleanup_type)
+{
+    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
+
+    if (!NM_IS_IPv4(addr_family))
+        return;
+
+    nm_clear_g_signal_handler(NM_MANAGER_GET, &priv->sharing_ipv4_changed_id);
+
+    if (NM_IN_SET(cleanup_type, CLEANUP_TYPE_DECONFIGURE, CLEANUP_TYPE_KEEP_REAPPLY)) {
+        /* Deconfigure by restoring kernel's default */
+        _dev_ipforwarding4_set(self, NM_TERNARY_DEFAULT);
+    }
+}
+
+/*****************************************************************************/
+
 static void
 act_request_set(NMDevice *self, NMActRequest *act_request)
 {
@ -13880,6 +14187,8 @@ _cleanup_ip_pre(NMDevice *self, int addr_family, CleanupType cleanup_type, gbool
    NMDevicePrivate *priv         = NM_DEVICE_GET_PRIVATE(self);
    gboolean         keep_reapply = (cleanup_type == CLEANUP_TYPE_KEEP_REAPPLY);

+    _dev_ipforwarding_cleanup(self, addr_family, cleanup_type);
+
    _dev_ipsharedx_cleanup(self, addr_family);

    _dev_ipdev_cleanup(self, AF_UNSPEC);
@ -14027,6 +14336,7 @@ can_reapply_change(NMDevice   *self,
                                                 NM_SETTING_CONNECTION_MDNS,
                                                 NM_SETTING_CONNECTION_LLMNR,
                                                 NM_SETTING_CONNECTION_DNS_OVER_TLS,
+                                                 NM_SETTING_CONNECTION_DNSSEC,
                                                 NM_SETTING_CONNECTION_MPTCP_FLAGS,
                                                 NM_SETTING_CONNECTION_WAIT_ACTIVATION_DELAY);
    }
@ -14062,7 +14372,8 @@ can_reapply_change(NMDevice   *self,
        return nm_device_hash_check_invalid_keys(diffs,
                                                 NM_SETTING_SRIOV_SETTING_NAME,
                                                 error,
-                                                 NM_SETTING_SRIOV_PRESERVE_ON_DOWN);
+                                                 NM_SETTING_SRIOV_PRESERVE_ON_DOWN,
+                                                 NM_SETTING_SRIOV_VFS);
    }

 out_fail:
@ -14240,9 +14551,35 @@ check_and_reapply_connection(NMDevice            *self,

    nm_device_link_properties_set(self, TRUE);

-    if (priv->state >= NM_DEVICE_STATE_CONFIG)
+    if (priv->state >= NM_DEVICE_STATE_CONFIG) {
+        GHashTable *sriov_diff;
+
        lldp_setup(self, NM_TERNARY_DEFAULT);

+        sriov_diff = nm_g_hash_table_lookup(diffs, NM_SETTING_SRIOV_SETTING_NAME);
+
+        if (sriov_diff && nm_g_hash_table_lookup(sriov_diff, NM_SETTING_SRIOV_VFS)) {
+            nm_auto_freev NMPlatformVF **plat_vfs = NULL;
+            NMSettingSriov              *s_sriov;
+
+            s_sriov = (NMSettingSriov *) nm_connection_get_setting(applied, NM_TYPE_SETTING_SRIOV);
+
+            if (s_sriov) {
+                gs_free_error GError *local = NULL;
+
+                if (!sriov_gen_platform_vfs(self, s_sriov, &plat_vfs, &local)
+                    || !nm_platform_link_set_sriov_vfs(nm_device_get_platform(self),
+                                                       priv->ifindex,
+                                                       (const NMPlatformVF *const *) plat_vfs)) {
+                    _LOGE(LOGD_DEVICE,
+                          "failed to reapply SRIOV VFs%s%s",
+                          local ? ": " : "",
+                          local ? local->message : "");
+                }
+            }
+        }
+    }
+
    if (priv->state >= NM_DEVICE_STATE_IP_CONFIG) {
        /* Allow reapply of MTU */
        priv->mtu_source = NM_DEVICE_MTU_SOURCE_NONE;
@ -14258,6 +14595,7 @@ check_and_reapply_connection(NMDevice            *self,
                NM_SETTING_CONNECTION_MDNS,
                NM_SETTING_CONNECTION_LLMNR,
                NM_SETTING_CONNECTION_DNS_OVER_TLS,
+                NM_SETTING_CONNECTION_DNSSEC,
                NM_SETTING_CONNECTION_MPTCP_FLAGS)) {
            priv->ip_data_4.do_reapply = TRUE;
            priv->ip_data_6.do_reapply = TRUE;
@ -14696,13 +15034,15 @@ impl_device_delete(NMDBusObject                      *obj,
                           NULL);
 }

-static void
+static gboolean
 _device_activate(NMDevice *self, NMActRequest *req)
 {
    NMConnection *connection;

-    g_return_if_fail(NM_IS_DEVICE(self));
-    g_return_if_fail(NM_IS_ACT_REQUEST(req));
+    /* Returns TRUE on success, FALSE if the activation request could not be started */
+
+    g_return_val_if_fail(NM_IS_DEVICE(self), FALSE);
+    g_return_val_if_fail(NM_IS_ACT_REQUEST(req), FALSE);
    nm_assert(nm_device_is_real(self));

    /* Ensure the activation request is still valid; the controller may have
@ -14710,7 +15050,7 @@ _device_activate(NMDevice *self, NMActRequest *req)
     */
    if (nm_active_connection_get_state(NM_ACTIVE_CONNECTION(req))
        >= NM_ACTIVE_CONNECTION_STATE_DEACTIVATING)
-        return;
+        return FALSE;

    if (!nm_device_get_managed(self, FALSE)) {
        /* It's unclear why the device would be unmanaged at this point.
@ -14721,7 +15061,7 @@ _device_activate(NMDevice *self, NMActRequest *req)
        nm_active_connection_set_state_fail((NMActiveConnection *) req,
                                            NM_ACTIVE_CONNECTION_STATE_REASON_UNKNOWN,
                                            NULL);
-        return;
+        return FALSE;
    }

    connection = nm_act_request_get_applied_connection(req);
@ -14737,6 +15077,8 @@ _device_activate(NMDevice *self, NMActRequest *req)
    act_request_set(self, req);

    nm_device_activate_schedule_stage1_device_prepare(self, FALSE);
+
+    return TRUE;
 }

 static void
@ -14756,7 +15098,9 @@ _carrier_wait_check_queued_act_request(NMDevice *self)

        _LOGD(LOGD_DEVICE, "Activate queued activation request as we now have carrier");
        queued_req = g_steal_pointer(&priv->queued_act_request);
-        _device_activate(self, queued_req);
+        if (!_device_activate(self, queued_req)) {
+            delete_on_deactivate_check_and_schedule(self);
+        }
    }
 }

@ -15603,7 +15947,7 @@ nm_device_get_firmware_missing(NMDevice *self)

 NM_UTILS_FLAGS2STR_DEFINE(nm_unmanaged_flags2str,
                          NMUnmanagedFlags,
-                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_SLEEPING, "sleeping"),
+                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_MANAGER_DISABLED, "nm-disabled"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_QUITTING, "quitting"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_PLATFORM_INIT, "platform-init"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_USER_EXPLICIT, "user-explicit"),
@ -15667,8 +16011,8 @@ unmanaged_flags_to_reason(NMUnmanagedFlags flags)
    /* Even if there are multiple flags, we can only return one reason.
     * Return the most important reason.
     */
-    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_SLEEPING))
-        return NM_DEVICE_STATE_REASON_UNMANAGED_SLEEPING;
+    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_MANAGER_DISABLED))
+        return NM_DEVICE_STATE_REASON_UNMANAGED_MANAGER_DISABLED;
    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_QUITTING))
        return NM_DEVICE_STATE_REASON_UNMANAGED_QUITTING;
    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_USER_SETTINGS))
@ -16913,8 +17257,6 @@ _cleanup_generic_post(NMDevice *self, NMDeviceStateReason reason, CleanupType cl
    priv->v4_route_table_all_sync_before = FALSE;
    priv->v6_route_table_all_sync_before = FALSE;

-    priv->refresh_forwarding_done = FALSE;
-
    priv->mtu_force_set_done = FALSE;

    priv->needs_ip6_subnet = FALSE;
@ -16960,7 +17302,6 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
    NMDevicePrivate *priv;
    NMDeviceClass   *klass = NM_DEVICE_GET_CLASS(self);
    int              ifindex;
-    gint32           default_forwarding_v4;

    g_return_if_fail(NM_IS_DEVICE(self));

@ -16983,27 +17324,41 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
        nm_device_sysctl_ip_conf_set(self, AF_INET6, "use_tempaddr", "0");
    }

-    /* Restoring the device's forwarding to the sysctl default is necessary because
-     * `refresh_forwarding()` only updates forwarding on activated devices. */
-    default_forwarding_v4 = nm_platform_sysctl_get_int32(
-        nm_device_get_platform(self),
-        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"),
-        0);
-    nm_device_sysctl_ip_conf_set(self,
-                                 AF_INET,
-                                 "forwarding",
-                                 default_forwarding_v4 == 1 ? "1" : "0");
-
    /* Call device type-specific deactivation */
    if (klass->deactivate)
        klass->deactivate(self);

+    /* Clean up private files */
+    nm_clear_g_cancellable(&priv->private_files.cancellable);
+    g_clear_pointer(&priv->private_files.table, g_hash_table_unref);
+    g_clear_pointer(&priv->private_files.user, g_free);
+    priv->private_files.state = PRIVATE_FILES_STATE_UNKNOWN;
+
    ifindex = nm_device_get_ip_ifindex(self);

    if (cleanup_type == CLEANUP_TYPE_DECONFIGURE) {
        /* controller: release ports */
        nm_device_controller_release_ports_all(self);

+        /* port: detach from controller */
+        if (priv->controller) {
+            nm_device_controller_release_port(priv->controller,
+                                              self,
+                                              RELEASE_PORT_TYPE_CONFIG,
+                                              reason);
+        }
+    }
+
+    /* port: mark no longer attached */
+    if (priv->controller && priv->ifindex > 0
+        && nm_platform_link_get_controller(nm_device_get_platform(self), priv->ifindex) <= 0) {
+        nm_device_controller_release_port(priv->controller,
+                                          self,
+                                          RELEASE_PORT_TYPE_NO_CONFIG,
+                                          NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED);
+    }
+
+    if (cleanup_type == CLEANUP_TYPE_DECONFIGURE) {
        /* Take out any entries in the routing table and any IP address the device had. */
        if (ifindex > 0) {
            NMPlatform *platform = nm_device_get_platform(self);
@ -17027,15 +17382,6 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
    if (ifindex > 0)
        nm_platform_ip4_dev_route_blacklist_set(nm_device_get_platform(self), ifindex, NULL);

-    /* port: mark no longer attached */
-    if (priv->controller && priv->ifindex > 0
-        && nm_platform_link_get_controller(nm_device_get_platform(self), priv->ifindex) <= 0) {
-        nm_device_controller_release_port(priv->controller,
-                                          self,
-                                          RELEASE_PORT_TYPE_NO_CONFIG,
-                                          NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED);
-    }
-
    lldp_setup(self, NM_TERNARY_FALSE);

    nm_device_update_metered(self);
@ -17534,7 +17880,8 @@ _set_state_full(NMDevice *self, NMDeviceState state, NMDeviceStateReason reason,
            gs_unref_object NMActRequest *queued_req = NULL;

            queued_req = g_steal_pointer(&priv->queued_act_request);
-            _device_activate(self, queued_req);
+            if (!_device_activate(self, queued_req))
+                delete_on_deactivate_check_and_schedule(self);
        }
        break;
    case NM_DEVICE_STATE_ACTIVATED:
@ -18936,19 +19283,6 @@ nm_device_get_hostname_from_dns_lookup(NMDevice *self, int addr_family, gboolean
    return nm_assert_unreachable_val(NULL);
 }

-gboolean
-nm_device_get_refresh_forwarding_done(NMDevice *self)
-{
-    return NM_DEVICE_GET_PRIVATE(self)->refresh_forwarding_done;
-}
-
-void
-nm_device_set_refresh_forwarding_done(NMDevice *self, gboolean is_refresh_forwarding_done)
-{
-    NMDevicePrivate *priv         = NM_DEVICE_GET_PRIVATE(self);
-    priv->refresh_forwarding_done = is_refresh_forwarding_done;
-}
-
 /*****************************************************************************/

 static const char *
--- a/src/core/devices/nm-device.h
+++ b/src/core/devices/nm-device.h
@ -581,7 +581,8 @@ void nm_device_copy_ip6_dns_config(NMDevice *self, NMDevice *from_device);
 /**
 * NMUnmanagedFlags:
 * @NM_UNMANAGED_NONE: placeholder value
- * @NM_UNMANAGED_SLEEPING: %TRUE when unmanaged because NM is sleeping.
+ * @NM_UNMANAGED_MANAGER_DISABLED: %TRUE when unmanaged because NM is disabled.
+ *   Currently, this happens when sleeping or with networking disabled.
 * @NM_UNMANAGED_QUITTING: %TRUE when unmanaged because NM is shutting down.
 * @NM_UNMANAGED_PLATFORM_INIT: %TRUE when unmanaged because platform link not
 *   yet initialized. Unrealized device are also unmanaged for this reason.
@ -610,7 +611,7 @@ typedef enum {

    /* these flags are authoritative. If one of them is set,
     * the device cannot be managed. */
-    NM_UNMANAGED_SLEEPING      = (1LL << 0),
+    NM_UNMANAGED_MANAGER_DISABLED = (1LL << 0),
    NM_UNMANAGED_QUITTING         = (1LL << 1),
    NM_UNMANAGED_PLATFORM_INIT    = (1LL << 2),
    NM_UNMANAGED_USER_EXPLICIT    = (1LL << 3),
@ -852,14 +853,7 @@ void nm_routing_rules_sync(NMConnection *applied_connection,
                           NMDevice *self,
                           NMNetns  *netns);

-NMSettingIPConfigForwarding nm_device_get_ipv4_forwarding(NMDevice *self);
-
-const char *nm_device_get_effective_ip_config_method(NMDevice *self, int addr_family);
-
-char *nm_device_sysctl_ip_conf_get(NMDevice *self, int addr_family, const char *property);
-
-gboolean nm_device_get_refresh_forwarding_done(NMDevice *self);
-
-void nm_device_set_refresh_forwarding_done(NMDevice *self, gboolean is_refresh_forwarding_done);
+NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
+                                                                NMConnection *connection);

 #endif /* __NETWORKMANAGER_DEVICE_H__ */
--- a/src/core/devices/ovs/nm-ovsdb.c
+++ b/src/core/devices/ovs/nm-ovsdb.c
@ -1460,40 +1460,42 @@ _delete_interface(NMOvsdb *self, json_t *params, const char *ifname)
                json_array_append_new(new_interfaces, json_pack("[s,s]", "uuid", interface_uuid));
            }

-            if (num_nm_interfaces == 0) {
-                /* The port no longer has any NM interface. Don't add it to "new_ports" and set
-                 * ports_changed=TRUE, so that it will be deleted. */
+            if (interfaces_changed && num_nm_interfaces == 0) {
+                /* We are deleting the last nm-interface of this port. Don't add it to "new_ports"
+                 * and set ports_changed=TRUE, so that it will be deleted. */
                ports_changed = TRUE;
            } else {
-                if (interfaces_changed) {
-                    /* An interface needs to be deleted from this port */
-                    _expect_port_interfaces(params, ovs_port->name, interfaces);
-                    _set_port_interfaces(params, ovs_port->name, new_interfaces);
-                }
-                /* The port is still alive */
+                /* Keep this port: it's still alive, or it's unrelated to the deleted interface */
                json_array_append_new(new_ports, json_pack("[s,s]", "uuid", port_uuid));
                if (ovs_port->connection_uuid)
                    num_nm_ports++;
+
+                if (interfaces_changed) {
+                    /* This port is still alive, but an interface needs to be deleted from it */
+                    _expect_port_interfaces(params, ovs_port->name, interfaces);
+                    _set_port_interfaces(params, ovs_port->name, new_interfaces);
+                }
            }
        }

-        if (num_nm_ports == 0) {
-            /* The bridge no longer has any NM port. Don't add it to "new_bridges" and set
-             * bridges_changed=TRUE, so that it will be deleted. */
+        if (ports_changed && num_nm_ports == 0) {
+            /* We are deleting the last nm-port of this bridge. Don't add it to "new_bridges"
+             * and set bridges_changed=TRUE, so that it will be deleted. */
            bridges_changed = TRUE;
        } else {
+            /* Keep this bridge: it's still alive, or it's unrelated to the deleted interface */
+            json_array_append_new(new_bridges, json_pack("[s,s]", "uuid", ovs_bridge->bridge_uuid));
+
            if (ports_changed) {
-                /* A port needs to be deleted from this bridge */
+                /* This bridge is still alive, but a port needs to be deleted from it */
                _expect_bridge_ports(params, ovs_bridge->name, ports);
                _set_bridge_ports(params, ovs_bridge->name, new_ports);
            }
-            /* The bridge is still alive */
-            json_array_append_new(new_bridges, json_pack("[s,s]", "uuid", ovs_bridge->bridge_uuid));
        }
    }

    if (bridges_changed) {
-        /* A port needs to be deleted from this bridge */
+        /* A bridge needs to be deleted */
        _expect_ovs_bridges(params, priv->db_uuid, bridges);
        _set_ovs_bridges(params, priv->db_uuid, new_bridges);
    }
@ -1888,7 +1890,7 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
        == -1) {
        /* This doesn't really have to be an error; the key might
         * be missing if there really are no bridges present. */
-        _LOGD("Bad update: %s", json_error.text);
+        _LOGD("monitor: bad update: %s", json_error.text);
    }

    if (ovs) {
@ -1934,12 +1936,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;

-            _LOGT("obj[iface:%s]: removed an '%s' interface: %s%s%s",
-                  key,
-                  ovs_interface->type,
+            _LOGT("monitor: %s: interface removed: type=%s, obj[iface:%s]%s%s",
                  ovs_interface->name,
+                  ovs_interface->type,
+                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_interface->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self,
@ -1987,13 +1989,14 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;

-                _LOGT("obj[iface:%s]: changed an '%s' interface: %s%s%s, external-ids=%s, "
+                _LOGT(
+                    "monitor: %s: interface changed: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
                    "other-config=%s",
-                      key,
-                      type,
                    ovs_interface->name,
+                    type,
+                    key,
                    NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                           ", ",
+                                         ", connection=",
                                         ovs_interface->connection_uuid,
                                         ""),
                    (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
@ -2013,13 +2016,13 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->interfaces, ovs_interface);
-            _LOGT(
-                "obj[iface:%s]: added an '%s' interface: %s%s%s, external-ids=%s, other-config=%s",
-                key,
-                ovs_interface->type,
+            _LOGT("monitor: %s: interface added: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
+                  "other-config=%s",
                  ovs_interface->name,
+                  ovs_interface->type,
+                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                     ", ",
+                                       ", connection=",
                                       ovs_interface->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
@ -2069,11 +2072,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
            if (!g_hash_table_steal_extended(priv->ports, &key, (gpointer *) &ovs_port, &unused))
                continue;

-            _LOGT("obj[port:%s]: removed a port: %s%s%s",
-                  key,
+            _LOGT("monitor: %s: port removed: obj[port:%s]%s%s",
                  ovs_port->name,
+                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_port->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_port->name, NM_DEVICE_TYPE_OVS_PORT, NULL);
@ -2120,11 +2123,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;

-                _LOGT("obj[port:%s]: changed a port: %s%s%s, external-ids=%s, other-config=%s",
-                      key,
+                _LOGT(
+                    "monitor: %s: port changed: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
                    ovs_port->name,
+                    key,
                    NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                           ", ",
+                                         ", connection=",
                                         ovs_port->connection_uuid,
                                         ""),
                    (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2144,11 +2148,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->ports, ovs_port);
-            _LOGT("obj[port:%s]: added a port: %s%s%s, external-ids=%s, other-config=%s",
-                  key,
+            _LOGT("monitor: %s: port added: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
                  ovs_port->name,
+                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_port->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2190,11 +2194,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;

-            _LOGT("obj[bridge:%s]: removed a bridge: %s%s%s",
-                  key,
+            _LOGT("monitor: %s: bridge removed: obj[bridge:%s]%s%s",
                  ovs_bridge->name,
+                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_bridge->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_bridge->name, NM_DEVICE_TYPE_OVS_BRIDGE, NULL);
@ -2241,11 +2245,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;

-                _LOGT("obj[bridge:%s]: changed a bridge: %s%s%s, external-ids=%s, other-config=%s",
-                      key,
+                _LOGT("monitor: %s: bridge changed: obj[bridge:%s]%s%s, external-ids=%s, "
+                      "other-config=%s",
                      ovs_bridge->name,
+                      key,
                      NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                           ", ",
+                                           ", connection=",
                                           ovs_bridge->connection_uuid,
                                           ""),
                      (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
@ -2265,11 +2270,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->bridges, ovs_bridge);
-            _LOGT("obj[bridge:%s]: added a bridge: %s%s%s, external-ids=%s, other-config=%s",
-                  key,
+            _LOGT("monitor: %s: bridge added: obj[bridge:%s]%s%s, external-ids=%s, other-config=%s",
                  ovs_bridge->name,
+                  key,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", ",
+                                       ", connection=",
                                       ovs_bridge->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
--- a/src/core/devices/wifi/nm-device-wifi.c
+++ b/src/core/devices/wifi/nm-device-wifi.c
@ -191,12 +191,19 @@ static void supplicant_iface_notify_p2p_available(NMSupplicantInterface *iface,
                                                  GParamSpec            *pspec,
                                                  NMDeviceWifi          *self);

+static void supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface,
+                                                        NMDeviceWifi          *self);
+
+static void supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface,
+                                                        NMDeviceWifi          *self);
+
 static void periodic_update(NMDeviceWifi *self);

 static void ap_add_remove(NMDeviceWifi *self,
                          gboolean      is_adding,
                          NMWifiAP     *ap,
-                          gboolean      recheck_available_connections);
+                          gboolean      recheck_available_connections,
+                          gboolean      recheck_auto_activate);

 static void _hw_addr_set_scanning(NMDeviceWifi *self, gboolean do_reset);

@ -623,6 +630,14 @@ supplicant_interface_acquire_cb(NMSupplicantManager         *supplicant_manager,
                     "notify::" NM_SUPPLICANT_INTERFACE_P2P_AVAILABLE,
                     G_CALLBACK(supplicant_iface_notify_p2p_available),
                     self);
+    g_signal_connect(priv->sup_iface,
+                     NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
+                     G_CALLBACK(supplicant_iface_notify_wpa_psk_mismatch_cb),
+                     self);
+    g_signal_connect(priv->sup_iface,
+                     NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
+                     G_CALLBACK(supplicant_iface_notify_wpa_sae_mismatch_cb),
+                     self);

    _scan_notify_is_scanning(self);

@ -714,7 +729,10 @@ update_seen_bssids_cache(NMDeviceWifi *self, NMWifiAP *ap)
 }

 static void
-set_current_ap(NMDeviceWifi *self, NMWifiAP *new_ap, gboolean recheck_available_connections)
+set_current_ap(NMDeviceWifi *self,
+               NMWifiAP     *new_ap,
+               gboolean      recheck_available_connections,
+               gboolean      recheck_auto_activate)
 {
    NMDeviceWifiPrivate *priv;
    NMWifiAP            *old_ap;
@ -741,7 +759,11 @@ set_current_ap(NMDeviceWifi *self, NMWifiAP *new_ap, gboolean recheck_available_
        /* Remove any AP from the internal list if it was created by NM or isn't known to the supplicant */
        if (NM_IN_SET(mode, _NM_802_11_MODE_ADHOC, _NM_802_11_MODE_AP)
            || nm_wifi_ap_get_fake(old_ap))
-            ap_add_remove(self, FALSE, old_ap, recheck_available_connections);
+            ap_add_remove(self,
+                          FALSE,
+                          old_ap,
+                          recheck_available_connections,
+                          recheck_auto_activate);
        g_object_unref(old_ap);
    }

@ -814,7 +836,8 @@ static void
 ap_add_remove(NMDeviceWifi *self,
              gboolean      is_adding, /* or else removing */
              NMWifiAP     *ap,
-              gboolean      recheck_available_connections)
+              gboolean      recheck_available_connections,
+              gboolean      recheck_auto_activate)
 {
    NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);

@ -845,13 +868,14 @@ ap_add_remove(NMDeviceWifi *self,
        nm_dbus_object_clear_and_unexport(&ap);
    }

+    if (recheck_auto_activate)
        nm_device_recheck_auto_activate_schedule(NM_DEVICE(self));
    if (recheck_available_connections)
        nm_device_recheck_available_connections(NM_DEVICE(self));
 }

 static void
-remove_all_aps(NMDeviceWifi *self)
+remove_all_aps(NMDeviceWifi *self, gboolean disposing)
 {
    NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);
    NMWifiAP            *ap;
@ -859,11 +883,12 @@ remove_all_aps(NMDeviceWifi *self)
    if (c_list_is_empty(&priv->aps_lst_head))
        return;

-    set_current_ap(self, NULL, FALSE);
+    set_current_ap(self, NULL, FALSE, !disposing);

    while ((ap = c_list_first_entry(&priv->aps_lst_head, NMWifiAP, aps_lst)))
-        ap_add_remove(self, FALSE, ap, FALSE);
+        ap_add_remove(self, FALSE, ap, FALSE, !disposing);

+    if (!disposing)
        nm_device_recheck_available_connections(NM_DEVICE(self));
 }

@ -951,7 +976,7 @@ deactivate(NMDevice *device)

    priv->rate = 0;

-    set_current_ap(self, NULL, TRUE);
+    set_current_ap(self, NULL, TRUE, TRUE);

    if (!wake_on_wlan_restore(self))
        _LOGW(LOGD_DEVICE | LOGD_WIFI, "Cannot unconfigure WoWLAN.");
@ -2000,7 +2025,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
            if (nm_wifi_ap_set_fake(found_ap, TRUE))
                _ap_dump(self, LOGL_DEBUG, found_ap, "updated", 0);
        } else {
-            ap_add_remove(self, FALSE, found_ap, TRUE);
+            ap_add_remove(self, FALSE, found_ap, TRUE, TRUE);
            schedule_ap_list_dump(self);
        }
        return;
@ -2043,7 +2068,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
            }
        }

-        ap_add_remove(self, TRUE, ap, TRUE);
+        ap_add_remove(self, TRUE, ap, TRUE, TRUE);
    }

    /* Update the current AP if the supplicant notified a current BSS change
@ -2268,7 +2293,7 @@ link_timeout_cb(gpointer user_data)
    if (nm_device_get_state(device) != NM_DEVICE_STATE_ACTIVATED)
        return FALSE;

-    set_current_ap(self, NULL, TRUE);
+    set_current_ap(self, NULL, TRUE, TRUE);

    nm_device_state_changed(device,
                            NM_DEVICE_STATE_FAILED,
@ -2387,6 +2412,9 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,

    g_return_val_if_fail(new_state == NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED, FALSE);

+    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
+        return FALSE;
+
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_val_if_fail(req != NULL, FALSE);

@ -2684,7 +2712,7 @@ supplicant_iface_notify_current_bss(NMSupplicantInterface *iface,
            }
        }

-        set_current_ap(self, new_ap, TRUE);
+        set_current_ap(self, new_ap, TRUE, TRUE);

        req = nm_device_get_act_request(NM_DEVICE(self));
        if (req) {
@ -2830,6 +2858,62 @@ handle_auth_or_fail(NMDeviceWifi *self, NMActRequest *req, gboolean new_secrets)
    return TRUE;
 }

+static void
+supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
+{
+    NMDevice     *device = NM_DEVICE(self);
+    NMActRequest *req;
+    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
+
+    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
+        return;
+
+    _LOGI(LOGD_DEVICE | LOGD_WIFI,
+          "Activation: (wifi) psk mismatch reported by supplicant, asking for new key");
+
+    req = nm_device_get_act_request(NM_DEVICE(self));
+    g_return_if_fail(req != NULL);
+
+    nm_act_request_clear_secrets(req);
+
+    cleanup_association_attempt(self, TRUE);
+    nm_device_state_changed(device,
+                            NM_DEVICE_STATE_NEED_AUTH,
+                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
+    wifi_secrets_get_secrets(self,
+                             setting_name,
+                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
+                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
+}
+
+static void
+supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
+{
+    NMDevice     *device = NM_DEVICE(self);
+    NMActRequest *req;
+    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
+
+    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
+        return;
+
+    _LOGI(LOGD_DEVICE | LOGD_WIFI,
+          "Activation: (wifi) SAE password mismatch reported by supplicant, asking for new key");
+
+    req = nm_device_get_act_request(NM_DEVICE(self));
+    g_return_if_fail(req != NULL);
+
+    nm_act_request_clear_secrets(req);
+
+    cleanup_association_attempt(self, TRUE);
+    nm_device_state_changed(device,
+                            NM_DEVICE_STATE_NEED_AUTH,
+                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
+    wifi_secrets_get_secrets(self,
+                             setting_name,
+                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
+                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
+}
+
 /*
 * supplicant_connection_timeout_cb
 *
@ -2935,7 +3019,8 @@ build_supplicant_config(NMDeviceWifi         *self,
    s_wireless = nm_connection_get_setting_wireless(connection);
    g_return_val_if_fail(s_wireless != NULL, NULL);

-    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface));
+    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface),
+                                      nm_utils_get_connection_first_permissions_user(connection));

    /* Warn if AP mode may not be supported */
    if (nm_streq0(nm_setting_wireless_get_mode(s_wireless), NM_SETTING_WIRELESS_MODE_AP)
@ -3011,6 +3096,7 @@ build_supplicant_config(NMDeviceWifi         *self,
                mtu,
                pmf,
                fils,
+                nm_device_get_private_files(NM_DEVICE(self)),
                error)) {
            g_prefix_error(error, "802-11-wireless-security: ");
            goto error;
@ -3118,7 +3204,7 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
        priv->mode = _NM_802_11_MODE_AP;

        /* Scanning not done in AP mode; clear the scan list */
-        remove_all_aps(self);
+        remove_all_aps(self, FALSE);
    } else if (g_strcmp0(mode, NM_SETTING_WIRELESS_MODE_MESH) == 0)
        priv->mode = _NM_802_11_MODE_MESH;
    _notify(self, PROP_MODE);
@ -3155,14 +3241,14 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
            nm_wifi_ap_set_address(ap_fake, nm_device_get_hw_address(device));

        g_object_freeze_notify(G_OBJECT(self));
-        ap_add_remove(self, TRUE, ap_fake, TRUE);
+        ap_add_remove(self, TRUE, ap_fake, TRUE, TRUE);
        g_object_thaw_notify(G_OBJECT(self));
        ap = ap_fake;
    }

    _scan_notify_allowed(self, NM_TERNARY_DEFAULT);

-    set_current_ap(self, ap, FALSE);
+    set_current_ap(self, ap, FALSE, TRUE);
    nm_active_connection_set_specific_object(NM_ACTIVE_CONNECTION(req),
                                             nm_dbus_object_get_path(NM_DBUS_OBJECT(ap)));
    return NM_ACT_STAGE_RETURN_SUCCESS;
@ -3528,7 +3614,7 @@ device_state_changed(NMDevice           *device,

        cleanup_association_attempt(self, TRUE);
        cleanup_supplicant_failures(self);
-        remove_all_aps(self);
+        remove_all_aps(self, FALSE);
    }

    switch (new_state) {
@ -3566,7 +3652,7 @@ device_state_changed(NMDevice           *device,
    }

    if (clear_aps)
-        remove_all_aps(self);
+        remove_all_aps(self, FALSE);

    _scan_notify_allowed(self, NM_TERNARY_DEFAULT);
 }
@ -3808,7 +3894,7 @@ dispose(GObject *object)

    g_clear_object(&priv->sup_mgr);

-    remove_all_aps(self);
+    remove_all_aps(self, TRUE);

    if (priv->p2p_device) {
        /* Destroy the P2P device. */
--- a/src/core/devices/wifi/nm-iwd-manager.c
+++ b/src/core/devices/wifi/nm-iwd-manager.c
@ -684,7 +684,7 @@ iwd_config_write(GKeyFile              *config,
     * in the last few filename characters -- it cannot end in .open, .psk
     * or .8021x.
     */
-    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, error);
+    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, NULL, error);
 }

 static const char *
--- a/src/core/devices/wwan/nm-modem-broadband.c
+++ b/src/core/devices/wwan/nm-modem-broadband.c
@ -510,6 +510,7 @@ try_create_connect_properties(NMModemBroadband *self)
 {
    NMModemBroadbandPrivate *priv        = NM_MODEM_BROADBAND_GET_PRIVATE(self);
    ConnectContext          *ctx         = priv->ctx;
+    NMDeviceStateReason      fail_reason = NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED;

    if (MODEM_CAPS_3GPP(ctx->caps)) {
        NMSettingGsm *s_gsm = nm_connection_get_setting_gsm(ctx->connection);
@ -522,7 +523,7 @@ try_create_connect_properties(NMModemBroadband *self)
            if (s_gsm)
                network_id = nm_setting_gsm_get_network_id(s_gsm);
            if (!network_id) {
-                if (mm_modem_get_state(self->_priv.modem_iface) < MM_MODEM_STATE_REGISTERED)
+                if (mm_modem_get_state(self->_priv.modem_iface) != MM_MODEM_STATE_REGISTERED)
                    return FALSE;
                modem_3gpp = mm_object_get_modem_3gpp(priv->modem_object);
                network_id = mm_modem_3gpp_get_operator_code(modem_3gpp);
@ -530,6 +531,7 @@ try_create_connect_properties(NMModemBroadband *self)
            if (!network_id) {
                _LOGW("failed to connect '%s': unable to determine the network id",
                      nm_connection_get_id(ctx->connection));
+                fail_reason = NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE;
                goto out;
            }

@ -558,7 +560,7 @@ try_create_connect_properties(NMModemBroadband *self)
    }

 out:
-    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED);
+    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, fail_reason);
    connect_context_clear(self);
    return TRUE;
 }
@ -1649,6 +1651,8 @@ nm_modem_broadband_new(GObject *object, GError **error)
                        driver,
                        NM_MODEM_OPERATOR_CODE,
                        operator_code,
+                        NM_MODEM_DEVICE_UID,
+                        mm_modem_get_device(modem_iface),
                        NULL);
 }

--- a/src/core/devices/wwan/nm-modem.c
+++ b/src/core/devices/wwan/nm-modem.c
@ -39,7 +39,8 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMModem,
                             PROP_IP_TYPES,
                             PROP_SIM_OPERATOR_ID,
                             PROP_OPERATOR_CODE,
-                             PROP_APN, );
+                             PROP_APN,
+                             PROP_DEVICE_UID, );

 enum {
    PPP_STATS,
@ -78,6 +79,7 @@ typedef struct _NMModemPrivate {
    char           *sim_operator_id;
    char           *operator_code;
    char           *apn;
+    char           *device_uid;

    NMPPPManager *ppp_manager;
    NMPppMgr     *ppp_mgr;
@ -618,6 +620,12 @@ nm_modem_get_apn(NMModem *self)
    return NM_MODEM_GET_PRIVATE(self)->apn;
 }

+const char *
+nm_modem_get_device_uid(NMModem *self)
+{
+    return NM_MODEM_GET_PRIVATE(self)->device_uid;
+}
+
 /*****************************************************************************/

 static void
@ -1121,6 +1129,22 @@ nm_modem_check_connection_compatible(NMModem *self, NMConnection *connection, GE
            }
        }

+        str = nm_setting_gsm_get_device_uid(s_gsm);
+        if (str) {
+            if (!priv->device_uid) {
+                nm_utils_error_set_literal(error,
+                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
+                                           "GSM profile has device-uid, device does not");
+                return FALSE;
+            }
+            if (!nm_streq(str, priv->device_uid)) {
+                nm_utils_error_set_literal(error,
+                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
+                                           "device has differing device-uid than GSM profile");
+                return FALSE;
+            }
+        }
+
        /* SIM properties may not be available before the SIM is unlocked, so
         * to ensure that autoconnect works, the connection's SIM properties
         * are only compared if present on the device.
@ -1644,6 +1668,9 @@ get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
    case PROP_APN:
        g_value_set_string(value, priv->apn);
        break;
+    case PROP_DEVICE_UID:
+        g_value_set_string(value, priv->device_uid);
+        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
@ -1699,6 +1726,10 @@ set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *ps
        /* construct-only */
        priv->operator_code = g_value_dup_string(value);
        break;
+    case PROP_DEVICE_UID:
+        /* construct-only */
+        priv->device_uid = g_value_dup_string(value);
+        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
@ -1758,6 +1789,7 @@ finalize(GObject *object)
    g_free(priv->sim_operator_id);
    g_free(priv->operator_code);
    g_free(priv->apn);
+    g_free(priv->device_uid);

    G_OBJECT_CLASS(nm_modem_parent_class)->finalize(object);
 }
@ -1863,6 +1895,13 @@ nm_modem_class_init(NMModemClass *klass)
    obj_properties[PROP_APN] =
        g_param_spec_string(NM_MODEM_APN, "", "", NULL, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);

+    obj_properties[PROP_DEVICE_UID] =
+        g_param_spec_string(NM_MODEM_DEVICE_UID,
+                            "",
+                            "",
+                            NULL,
+                            G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS);
+
    g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);

    signals[PPP_STATS] = g_signal_new(NM_MODEM_PPP_STATS,
--- a/src/core/devices/wwan/nm-modem.h
+++ b/src/core/devices/wwan/nm-modem.h
@ -30,6 +30,7 @@
 #define NM_MODEM_SIM_OPERATOR_ID "sim-operator-id"
 #define NM_MODEM_OPERATOR_CODE   "operator-code"
 #define NM_MODEM_APN             "apn"
+#define NM_MODEM_DEVICE_UID      "device-uid"

 /* Signals */
 #define NM_MODEM_PPP_STATS      "ppp-stats"
@ -154,6 +155,7 @@ const char *nm_modem_get_sim_id(NMModem *modem);
 const char *nm_modem_get_sim_operator_id(NMModem *modem);
 const char *nm_modem_get_operator_code(NMModem *modem);
 const char *nm_modem_get_apn(NMModem *modem);
+const char *nm_modem_get_device_uid(NMModem *modem);

 gboolean nm_modem_set_data_port(NMModem        *self,
                                NMPlatform     *platform,
--- a/src/core/dhcp/nm-dhcp-utils.c
+++ b/src/core/dhcp/nm-dhcp-utils.c
@ -32,11 +32,11 @@ ip4_process_dhcpcd_rfc3442_routes(const char     *iface,
                                  in_addr_t       address,
                                  guint32        *out_gwaddr)
 {
-    gs_free const char **routes = NULL;
-    const char         **r;
+    gs_free char **routes = NULL;
+    char         **r;
    gboolean       have_routes = FALSE;

-    routes = nm_strsplit_set(str, " ");
+    routes = (char **) nm_strsplit_set(str, " ");
    if (!routes)
        return FALSE;

--- a/src/core/dns/nm-dns-dnsconfd.c
+++ b/src/core/dns/nm-dns-dnsconfd.c
@ -374,7 +374,7 @@ server_builder_append_base(GVariantBuilder   *argument_builder,
    NMDnsServer dns_server;
    gsize       addr_size;

-    if (!nm_dns_uri_parse(address_family, address_string, &dns_server))
+    if (!nm_dns_uri_parse(address_family, address_string, &dns_server, NULL))
        return FALSE;
    addr_size = nm_utils_addr_family_to_size(dns_server.addr_family);

--- a/src/core/dns/nm-dns-dnsmasq.c
+++ b/src/core/dns/nm-dns-dnsmasq.c
@ -521,9 +521,10 @@ _gl_pid_spawn_next_step(void)
    argv[argv_idx++] = "--no-resolv"; /* Use only commandline */
    argv[argv_idx++] = "--keep-in-foreground";
    argv[argv_idx++] = "--no-hosts"; /* don't use /etc/hosts to resolve */
-    argv[argv_idx++] = "--bind-interfaces";
+    argv[argv_idx++] = "--bind-dynamic";
    argv[argv_idx++] = "--pid-file=" PIDFILE;
-    argv[argv_idx++] = "--listen-address=127.0.0.1"; /* Should work for both 4 and 6 */
+    argv[argv_idx++] = "--listen-address=127.0.0.1";
+    argv[argv_idx++] = "--listen-address=::1";
    argv[argv_idx++] = "--cache-size=400";
    argv[argv_idx++] = "--clear-on-reload";     /* clear cache when dns server changes */
    argv[argv_idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@ -26,6 +26,7 @@

 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-glib-aux/nm-str-buf.h"
+#include "libnm-glib-aux/nm-io-utils.h"

 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
@ -586,7 +587,11 @@ add_dns_domains(GPtrArray            *array,
 }

 static void
-merge_one_l3cd(NMResolvConfData *rc, int addr_family, int ifindex, const NML3ConfigData *l3cd)
+merge_one_l3cd(NMResolvConfData     *rc,
+               int                   addr_family,
+               int                   ifindex,
+               const NML3ConfigData *l3cd,
+               gboolean              ignore_searches_and_options)
 {
    char               buf[NM_INET_ADDRSTRLEN + 50];
    gboolean           has_trust_ad;
@ -624,6 +629,7 @@ merge_one_l3cd(NMResolvConfData *rc, int addr_family, int ifindex, const NML3Con
        add_string_item(rc->nameservers, buf, TRUE);
    }

+    if (!ignore_searches_and_options) {
        add_dns_domains(rc->searches, addr_family, l3cd, FALSE, TRUE);

        has_trust_ad = FALSE;
@ -648,6 +654,7 @@ merge_one_l3cd(NMResolvConfData *rc, int addr_family, int ifindex, const NML3Con
                rc->has_trust_ad = NM_TERNARY_TRUE;
        } else
            rc->has_trust_ad = NM_TERNARY_FALSE;
+    }

    if (addr_family == AF_INET) {
        const in_addr_t *nis_servers;
@ -1001,6 +1008,7 @@ _read_link_cached(const char *path, gboolean *is_cached, char **cached)
 #define RESOLV_CONF_TMP    "/etc/.resolv.conf.NetworkManager"

 #define NO_STUB_RESOLV_CONF     NMRUNDIR "/no-stub-resolv.conf"
+#define NO_STUB_RESOLV_CONF_TMP NMRUNDIR "/no-stub-resolv.conf.tmp"

 static void
 update_resolv_conf_no_stub(NMDnsManager      *self,
@ -1013,7 +1021,14 @@ update_resolv_conf_no_stub(NMDnsManager      *self,

    content = create_resolv_conf(searches, nameservers, options);

-    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
+    if (!nm_utils_file_set_contents(NO_STUB_RESOLV_CONF,
+                                    content,
+                                    -1,
+                                    0644,
+                                    NULL,
+                                    NO_STUB_RESOLV_CONF_TMP,
+                                    NULL,
+                                    &local)) {
        _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
        g_error_free(local);
        return;
@ -1231,12 +1246,15 @@ compute_hash(NMDnsManager *self, const NMGlobalDnsConfig *global, guint8 buffer[
 {
    nm_auto_free_checksum GChecksum *sum = NULL;
    NMDnsConfigIPData               *ip_data;
+    gboolean                         has_global_dns_section = FALSE;

    sum = g_checksum_new(G_CHECKSUM_SHA1);
    nm_assert(HASH_LEN == g_checksum_type_get_length(G_CHECKSUM_SHA1));

-    if (global)
+    if (global) {
        nm_global_dns_config_update_checksum(global, sum);
+        has_global_dns_section = nm_global_dns_has_global_dns_section(global);
+    }

    if (!global || !nm_global_dns_config_lookup_domain(global, "*")) {
        const CList *head;
@ -1248,7 +1266,8 @@ compute_hash(NMDnsManager *self, const NMGlobalDnsConfig *global, guint8 buffer[
            nm_l3_config_data_hash_dns(ip_data->l3cd,
                                       sum,
                                       ip_data->addr_family,
-                                       ip_data->ip_config_type);
+                                       ip_data->ip_config_type,
+                                       has_global_dns_section);
        }
    }

@ -1264,6 +1283,9 @@ merge_global_dns_config(NMResolvConfData *rc, NMGlobalDnsConfig *global_conf)
    const char *const *servers;
    guint              i;

+    /* Global config must be processed before connections' config */
+    nm_assert(rc->nameservers->len == 0);
+
    if (!global_conf)
        return FALSE;

@ -1351,12 +1373,17 @@ _collect_resolv_conf_data(NMDnsManager      *self,
            .nis_servers  = g_ptr_array_new(),
            .has_trust_ad = NM_TERNARY_DEFAULT,
    };
+    gboolean has_global_dns_section = FALSE;

    priv = NM_DNS_MANAGER_GET_PRIVATE(self);

-    if (global_config)
+    if (global_config) {
        merge_global_dns_config(&rc, global_config);
+        has_global_dns_section = nm_global_dns_has_global_dns_section(global_config);
+    }

+    /* If global nameservers are defined, no DNS configs are used from connections at all,
+     * including searches and options. */
    if (!global_config || !nm_global_dns_config_lookup_domain(global_config, "*")) {
        nm_auto_str_buf NMStrBuf tmp_strbuf = NM_STR_BUF_INIT(0, FALSE);
        int                      first_prio = 0;
@ -1390,8 +1417,16 @@ _collect_resolv_conf_data(NMDnsManager      *self,
                  skip ? "<SKIP>" : "",
                  get_nameserver_list(ip_data->addr_family, ip_data->l3cd, &tmp_strbuf));

-            if (!skip)
-                merge_one_l3cd(&rc, ip_data->addr_family, ip_data->data->ifindex, ip_data->l3cd);
+            if (!skip) {
+                /* Merge the configs from connections. However, if there was a [global-dns]
+                 * it overwrites searches and options from the connections, thus we only
+                 * merge the nameservers. */
+                merge_one_l3cd(&rc,
+                               ip_data->addr_family,
+                               ip_data->data->ifindex,
+                               ip_data->l3cd,
+                               has_global_dns_section);
+            }
        }
    }

@ -1475,7 +1510,7 @@ _domain_track_is_shadowed(GHashTable  *ht,
                          const char **out_parent,
                          int         *out_parent_priority)
 {
-    char *parent;
+    const char *parent;
    int         parent_priority;

    if (!ht)
--- a/src/core/dns/nm-dns-systemd-resolved.c
+++ b/src/core/dns/nm-dns-systemd-resolved.c
@ -37,6 +37,7 @@
 static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
 static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS  = "SetLinkDNSOverTLS";
 static const char *const DBUS_OP_SET_LINK_DNS_EX        = "SetLinkDNSEx";
+static const char *const DBUS_OP_SET_LINK_DNSSEC        = "SetLinkDNSSEC";

 /*****************************************************************************/

@ -398,7 +399,7 @@ update_add_ip_config(NMDnsSystemdResolved    *self,
    for (i = 0; i < n; i++) {
        NMDnsServer dns_server;

-        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server))
+        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server, NULL))
            continue;

        if (!NM_IN_SET(dns_server.scheme,
@ -484,9 +485,11 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    NMSettingConnectionMdns       mdns              = NM_SETTING_CONNECTION_MDNS_DEFAULT;
    NMSettingConnectionLlmnr      llmnr             = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
    NMSettingConnectionDnsOverTls dns_over_tls      = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
+    NMSettingConnectionDnssec     dnssec            = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
    const char                   *mdns_arg          = NULL;
    const char                   *llmnr_arg         = NULL;
    const char                   *dns_over_tls_arg  = NULL;
+    const char                   *dnssec_arg        = NULL;
    gboolean                      has_config        = FALSE;
    gboolean                      has_default_route = FALSE;
    guint                         i;
@ -517,6 +520,7 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
                dns_over_tls =
                    NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
+                dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
            }
        }
    }
@ -589,8 +593,24 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    }
    nm_assert(dns_over_tls_arg);

+    switch (dnssec) {
+    case NM_SETTING_CONNECTION_DNSSEC_NO:
+        dnssec_arg = "no";
+        break;
+    case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
+        dnssec_arg = "allow-downgrade";
+        break;
+    case NM_SETTING_CONNECTION_DNSSEC_YES:
+        dnssec_arg = "yes";
+        break;
+    case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
+        dnssec_arg = "";
+        break;
+    }
+    nm_assert(dnssec_arg);
+
    if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
-        || !nm_str_is_empty(dns_over_tls_arg))
+        || !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
        has_config = TRUE;

    _request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@ -618,6 +638,10 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                         DBUS_OP_SET_LINK_DNS_OVER_TLS,
                         ic->ifindex,
                         g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
+    _request_item_append(self,
+                         DBUS_OP_SET_LINK_DNSSEC,
+                         ic->ifindex,
+                         g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));

    return has_config;
 }
--- a/src/core/main-utils.c
+++ b/src/core/main-utils.c
@ -81,7 +81,7 @@ nm_main_utils_write_pidfile(const char *pidfile)
    char                  pid[16];

    nm_sprintf_buf(pid, "%lld", (long long) getpid());
-    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, &error)) {
+    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, NULL, &error)) {
        fprintf(stderr, _("Writing to %s failed: %s\n"), pidfile, error->message);
        return FALSE;
    }
--- a/src/core/main.c
+++ b/src/core/main.c
@ -339,7 +339,7 @@ main(int argc, char *argv[])
        char *path, *slash;
        int   g;

-        /* exe is <basedir>/src/.libs/lt-NetworkManager, so chop off
+        /* exe is <builddir>/src/core/NetworkManager, so chop off
         * the last three components */
        path = realpath("/proc/self/exe", NULL);
        g_assert(path != NULL);
--- a/src/core/ndisc/nm-lndp-ndisc.c
+++ b/src/core/ndisc/nm-lndp-ndisc.c
@ -19,6 +19,7 @@
 #include "libnm-systemd-shared/nm-sd-utils-shared.h"
 #include "nm-l3cfg.h"
 #include "nm-ndisc-private.h"
+#include "nm-core-utils.h"

 #define _NMLOG_PREFIX_NAME "ndisc-lndp"

@ -27,6 +28,14 @@
 typedef struct {
    struct ndp *ndp;
    GSource    *event_source;
+
+    struct {
+        NMRateLimit pio_lft;
+        NMRateLimit mtu;
+        NMRateLimit omit_prefix;
+        NMRateLimit omit_dns;
+        NMRateLimit omit_dnssl;
+    } msg_ratelimit;
 } NMLndpNDiscPrivate;

 /*****************************************************************************/
@ -49,6 +58,36 @@ G_DEFINE_TYPE(NMLndpNDisc, nm_lndp_ndisc, NM_TYPE_NDISC)

 /*****************************************************************************/

+/*
+ * If we log a message about an invalid RA packet, don't repeat the same message
+ * at every packet received or sent. Rate limit the message to 6 every 12 hours
+ * per type and per ndisc instance.
+ */
+
+#define LOG_INV_RA_WINDOW (12 * 3600)
+#define LOG_INV_RA_BURST  6
+
+#define _LOG_INVALID_RA(ndisc, rate_limit, ...)                                  \
+    G_STMT_START                                                                 \
+    {                                                                            \
+        NMNDisc     *__ndisc  = (ndisc);                                         \
+        NMRateLimit *__rl     = (rate_limit);                                    \
+        const char  *__ifname = nm_ndisc_get_ifname(__ndisc);                    \
+                                                                                 \
+        if (__ifname && nm_logging_enabled(LOGL_WARN, LOGD_IP6)                  \
+            && nm_rate_limit_check(__rl, LOG_INV_RA_WINDOW, LOG_INV_RA_BURST)) { \
+            nm_log(LOGL_WARN,                                                    \
+                   LOGD_IP6,                                                     \
+                   __ifname,                                                     \
+                   NULL,                                                         \
+                   "ndisc (%s): " _NM_UTILS_MACRO_FIRST(__VA_ARGS__),            \
+                   __ifname _NM_UTILS_MACRO_REST(__VA_ARGS__));                  \
+        }                                                                        \
+    }                                                                            \
+    G_STMT_END
+
+/*****************************************************************************/
+
 static gboolean
 send_rs(NMNDisc *ndisc, GError **error)
 {
@ -113,6 +152,7 @@ static int
 receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
 {
    NMNDisc             *ndisc   = (NMNDisc *) user_data;
+    NMLndpNDiscPrivate  *priv    = NM_LNDP_NDISC_GET_PRIVATE(ndisc);
    NMNDiscDataInternal *rdata   = ndisc->rdata;
    NMNDiscConfigMap     changed = 0;
    NMNDiscGateway       gateway;
@ -229,7 +269,11 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
             * log a system management error in this case.
             */
            if (preferred_time > valid_time) {
-                _LOGW("skipping PIO - preferred lifetime > valid lifetime");
+                _LOG_INVALID_RA(
+                    ndisc,
+                    &priv->msg_ratelimit.pio_lft,
+                    "ignoring Prefix Information Option with invalid lifetimes in received IPv6 "
+                    "router advertisement");
                continue;
            }

@ -349,7 +393,11 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
             * Kernel would set it, but would flush out all IPv6 addresses away
             * from the link, even the link-local, and we wouldn't be able to
             * listen for further RAs that could fix the MTU. */
-            _LOGW("MTU too small for IPv6 ignored: %d", mtu);
+            _LOG_INVALID_RA(ndisc,
+                            &priv->msg_ratelimit.mtu,
+                            "ignoring too small MTU %u in received IPv6 "
+                            "router advertisement",
+                            mtu);
        }
    }

@ -445,8 +493,11 @@ send_ra(NMNDisc *ndisc, GError **error)

        prefix = _ndp_msg_add_option(msg, sizeof(*prefix));
        if (!prefix) {
-            /* Maybe we could sent separate RAs, but why bother... */
-            _LOGW("The RA is too big, had to omit some some prefixes.");
+            /* Maybe we could send separate RAs, but why bother... */
+            _LOG_INVALID_RA(
+                ndisc,
+                &priv->msg_ratelimit.omit_prefix,
+                "the outgoing IPv6 router advertisement is too big: omitting some prefixes");
            break;
        }

@ -475,7 +526,10 @@ send_ra(NMNDisc *ndisc, GError **error)

        option = _ndp_msg_add_option(msg, len);
        if (!option) {
-            _LOGW("The RA is too big, had to omit DNS information.");
+            _LOG_INVALID_RA(
+                ndisc,
+                &priv->msg_ratelimit.omit_dns,
+                "the outgoing IPv6 router advertisement is too big: omitting DNS information");
            goto dns_servers_done;
        }

@ -553,7 +607,10 @@ dns_servers_done:
        nm_assert(len / 8u >= 2u);

        if (len / 8u >= 256u || !(option = _ndp_msg_add_option(msg, len))) {
-            _LOGW("The RA is too big, had to omit DNS search list.");
+            _LOG_INVALID_RA(
+                ndisc,
+                &priv->msg_ratelimit.omit_dnssl,
+                "the outgoing IPv6 router advertisement is too big: omitting DNS search list");
            goto dns_domains_done;
        }

--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@ -160,7 +160,7 @@ parse_connection_from_shadowed_file(const char *path, GError **error)
 {
    nm_auto_unref_keyfile GKeyFile *keyfile  = NULL;
    gs_free char                   *base_dir = NULL;
-    char                           *sep;
+    const char                     *sep;

    keyfile = g_key_file_new();
    if (!g_key_file_load_from_file(keyfile, path, G_KEY_FILE_NONE, error))
--- a/src/core/nm-config-data.c
+++ b/src/core/nm-config-data.c
@ -50,9 +50,9 @@ struct _NMGlobalDnsConfig {
    char           **options;
    GHashTable      *domains;
    const char     **domain_list;
-    gboolean         internal;
    char            *cert_authority;
    NMDnsResolveMode resolve_mode;
+    gboolean         internal;
 };

 /*****************************************************************************/
@ -941,6 +941,14 @@ next:

 /*****************************************************************************/

+gboolean
+nm_global_dns_has_global_dns_section(const NMGlobalDnsConfig *dns_config)
+{
+    g_return_val_if_fail(dns_config, FALSE);
+
+    return dns_config->searches != NULL || dns_config->options != NULL;
+}
+
 const char *const *
 nm_global_dns_config_get_searches(const NMGlobalDnsConfig *dns_config)
 {
@ -1236,6 +1244,7 @@ load_global_dns(GKeyFile *keyfile, gboolean internal)
    gs_free char      *cert_authority = NULL;
    gs_free char      *resolve_mode   = NULL;
    NMDnsResolveMode   parsed_resolve_mode;
+    gboolean           has_global_dns_section;

    if (internal) {
        group         = NM_CONFIG_KEYFILE_GROUP_INTERN_GLOBAL_DNS;
@ -1386,6 +1395,22 @@ load_global_dns(GKeyFile *keyfile, gboolean internal)
        return NULL;
    }

+    /* Defining [global-dns-domain-*] implies defining [global-dns] too (maybe empty) */
+    if (default_found)
+        has_global_dns_section = TRUE;
+    else
+        has_global_dns_section = g_key_file_has_group(keyfile, group);
+
+    /* If there exist a [global-dns] section, always initialize "searches" and "options" so
+     * they appear in D-Bus. Clients can use this to know if it's defined, so they can know
+     * if DNS configs from connections are relevant or not. */
+    if (has_global_dns_section) {
+        if (!dns_config->searches)
+            dns_config->searches = nm_strv_empty_new();
+        if (!dns_config->options)
+            dns_config->options = nm_strv_empty_new();
+    }
+
    dns_config->internal = internal;
    global_dns_config_seal_domains(dns_config);
    return dns_config;
@ -1606,17 +1631,6 @@ nm_global_dns_config_from_dbus(const GValue *value, GError **error)
        g_variant_unref(val);
    }

-    /* An empty value is valid and clears the internal configuration */
-    if (!nm_global_dns_config_is_empty(dns_config)
-        && !nm_global_dns_config_lookup_domain(dns_config, "*")) {
-        g_set_error_literal(error,
-                            NM_MANAGER_ERROR,
-                            NM_MANAGER_ERROR_FAILED,
-                            "Global DNS configuration is missing the default domain");
-        nm_global_dns_config_free(dns_config);
-        return NULL;
-    }
-
    global_dns_config_seal_domains(dns_config);
    return dns_config;
 }
--- a/src/core/nm-config-data.h
+++ b/src/core/nm-config-data.h
@ -274,6 +274,7 @@ gboolean nm_config_data_is_intern_atomic_group(const NMConfigData *self, const c

 GKeyFile *nm_config_data_clone_keyfile_intern(const NMConfigData *self);

+gboolean           nm_global_dns_has_global_dns_section(const NMGlobalDnsConfig *dns_config);
 const char *const *nm_global_dns_config_get_searches(const NMGlobalDnsConfig *dns_config);
 const char *const *nm_global_dns_config_get_options(const NMGlobalDnsConfig *dns_config);
 const char *nm_global_dns_config_get_certification_authority(const NMGlobalDnsConfig *dns_config);
--- a/src/core/nm-config.c
+++ b/src/core/nm-config.c
@ -18,6 +18,7 @@
 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-core-intern/nm-keyfile-internal.h"
 #include "libnm-core-intern/nm-keyfile-utils.h"
+#include "libnm-glib-aux/nm-keyfile-aux.h"

 #define DEFAULT_CONFIG_MAIN_FILE     NMCONFDIR "/NetworkManager.conf"
 #define DEFAULT_CONFIG_DIR           NMCONFDIR "/conf.d"
@ -891,6 +892,7 @@ static const ConfigGroup config_groups[] = {
        .is_prefix = TRUE,
        .keys      = NM_MAKE_STRV(NM_CONFIG_KEYFILE_KEY_DEVICE_CARRIER_WAIT_TIMEOUT,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_IGNORE_CARRIER,
+                             NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_MANAGED,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_SRIOV_NUM_VFS,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_KEEP_CONFIGURATION,
@ -1046,6 +1048,10 @@ read_config(GKeyFile   *keyfile,
            /* internal groups cannot be set by user configuration. */
            continue;
        }
+
+        if (!g_key_file_has_group(keyfile, group))
+            nm_key_file_add_group(keyfile, group);
+
        keys = g_key_file_get_keys(kf, group, &nkeys, NULL);
        if (!keys)
            continue;
@ -1639,6 +1645,12 @@ intern_config_read(const char        *filename,
                                 "");
        }

+        if (!g_key_file_has_group(keyfile_intern, group)) {
+            nm_key_file_add_group(keyfile_intern, group);
+            if (is_intern)
+                has_intern = TRUE;
+        }
+
        for (k = 0; keys[k]; k++) {
            gs_free char *value_set = NULL;
            const char   *key       = keys[k];
@ -1823,6 +1835,9 @@ intern_config_write(const char        *filename,
            }
        }

+        if (!g_key_file_has_group(keyfile, group))
+            nm_key_file_add_group(keyfile, group);
+
        for (k = 0; keys[k]; k++) {
            const char   *key       = keys[k];
            gs_free char *value_set = NULL;
--- a/src/core/nm-connectivity.c
+++ b/src/core/nm-connectivity.c
@ -77,6 +77,8 @@ struct _NMConnectivityCheckHandle {
        ConConfig *con_config;

        GCancellable      *resolve_cancellable;
+        int                resolve_ifindex;
+        GDBusConnection   *dbus_connection;
        CURLM             *curl_mhandle;
        CURL              *curl_ehandle;
        struct curl_slist *request_headers;
@ -953,6 +955,113 @@ systemd_resolved_resolve_cb(GObject *object, GAsyncResult *res, gpointer user_da
    do_curl_request(cb_data, nm_str_buf_get_str(&strbuf_hosts));
 }

+static void
+systemd_resolved_resolve(NMConnectivityCheckHandle *cb_data)
+{
+    _LOG2D("start request to '%s' (try resolving '%s' using systemd-resolved with ifindex %d)",
+           cb_data->concheck.con_config->uri,
+           cb_data->concheck.con_config->host,
+           cb_data->concheck.resolve_ifindex);
+
+    g_dbus_connection_call(cb_data->concheck.dbus_connection,
+                           "org.freedesktop.resolve1",
+                           "/org/freedesktop/resolve1",
+                           "org.freedesktop.resolve1.Manager",
+                           "ResolveHostname",
+                           g_variant_new("(isit)",
+                                         (gint32) cb_data->concheck.resolve_ifindex,
+                                         cb_data->concheck.con_config->host,
+                                         (gint32) cb_data->addr_family,
+                                         SD_RESOLVED_DNS),
+                           G_VARIANT_TYPE("(a(iiay)st)"),
+                           G_DBUS_CALL_FLAGS_NONE,
+                           -1,
+                           cb_data->concheck.resolve_cancellable,
+                           systemd_resolved_resolve_cb,
+                           cb_data);
+}
+
+static void
+systemd_resolved_link_scopes_cb(GObject *object, GAsyncResult *res, gpointer user_data)
+{
+    NMConnectivityCheckHandle *cb_data;
+    gs_unref_variant GVariant *result     = NULL;
+    gs_unref_variant GVariant *value      = NULL;
+    gs_free_error GError      *error      = NULL;
+    guint64                    scope_mask = 0;
+
+    result = g_dbus_connection_call_finish(G_DBUS_CONNECTION(object), res, &error);
+    if (nm_utils_error_is_cancelled(error))
+        return;
+
+    cb_data = user_data;
+
+    if (!result) {
+        _LOG2D("unable to obtain systemd-resolved link ScopesMask for interface %d: %s",
+               cb_data->concheck.resolve_ifindex,
+               error->message);
+
+        cb_data->concheck.resolve_ifindex = 0;
+        systemd_resolved_resolve(cb_data);
+        return;
+    }
+
+    g_variant_get(result, "(v)", &value);
+    g_variant_get(value, "t", &scope_mask);
+
+    if (!(scope_mask & SD_RESOLVED_DNS)) {
+        /* there is no per-link DNS configured / active; query all available /
+         * system DNS resolvers instead of restricting the lookup to just this
+         * one, which would turn up no results. */
+        _LOG2D("no per-link DNS available (scope mask %" G_GUINT64_FORMAT
+               "); falling back to system-wide lookups",
+               scope_mask);
+        cb_data->concheck.resolve_ifindex = 0;
+    }
+
+    systemd_resolved_resolve(cb_data);
+}
+
+static void
+systemd_resolved_get_link_cb(GObject *object, GAsyncResult *res, gpointer user_data)
+{
+    NMConnectivityCheckHandle *cb_data;
+    gs_unref_variant GVariant *result    = NULL;
+    gs_free char              *link_path = NULL;
+    gs_free_error GError      *error     = NULL;
+
+    result = g_dbus_connection_call_finish(G_DBUS_CONNECTION(object), res, &error);
+    if (nm_utils_error_is_cancelled(error))
+        return;
+
+    cb_data = user_data;
+
+    if (!result) {
+        _LOG2D("unable to obtain systemd-resolved link D-Bus object for interface %d: %s",
+               cb_data->concheck.resolve_ifindex,
+               error->message);
+
+        cb_data->concheck.resolve_ifindex = 0;
+        systemd_resolved_resolve(cb_data);
+        return;
+    }
+
+    g_variant_get(result, "(o)", &link_path);
+
+    g_dbus_connection_call(cb_data->concheck.dbus_connection,
+                           "org.freedesktop.resolve1",
+                           link_path,
+                           "org.freedesktop.DBus.Properties",
+                           "Get",
+                           g_variant_new("(ss)", "org.freedesktop.resolve1.Link", "ScopesMask"),
+                           G_VARIANT_TYPE("(v)"),
+                           G_DBUS_CALL_FLAGS_NONE,
+                           -1,
+                           cb_data->concheck.resolve_cancellable,
+                           systemd_resolved_link_scopes_cb,
+                           cb_data);
+}
+
 static NMConnectivityState
 check_platform_config(NMConnectivity *self,
                      NMPlatform     *platform,
@ -1067,6 +1176,7 @@ nm_connectivity_check_start(NMConnectivity             *self,
        }

        cb_data->concheck.resolve_cancellable = g_cancellable_new();
+        cb_data->concheck.resolve_ifindex     = ifindex;

        /* note that we pick up support for systemd-resolved right away when we need it.
         * We don't need to remember the setting, because we can (cheaply) check anew
@ -1089,10 +1199,8 @@ nm_connectivity_check_start(NMConnectivity             *self,
        has_systemd_resolved = !!nm_dns_manager_get_systemd_resolved(nm_dns_manager_get());

        if (has_systemd_resolved) {
-            GDBusConnection *dbus_connection;
-
-            dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
-            if (!dbus_connection) {
+            cb_data->concheck.dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
+            if (!cb_data->concheck.dbus_connection) {
                /* we have no D-Bus connection? That might happen in configure and quit mode.
                 *
                 * Anyway, something is very odd, just fail connectivity check. */
@ -1103,25 +1211,19 @@ nm_connectivity_check_start(NMConnectivity             *self,
                return cb_data;
            }

-            g_dbus_connection_call(dbus_connection,
+            /* first check whether there has been a per-link DNS configured */
+            g_dbus_connection_call(cb_data->concheck.dbus_connection,
                                   "org.freedesktop.resolve1",
                                   "/org/freedesktop/resolve1",
                                   "org.freedesktop.resolve1.Manager",
-                                   "ResolveHostname",
-                                   g_variant_new("(isit)",
-                                                 0,
-                                                 cb_data->concheck.con_config->host,
-                                                 (gint32) cb_data->addr_family,
-                                                 SD_RESOLVED_DNS),
-                                   G_VARIANT_TYPE("(a(iiay)st)"),
+                                   "GetLink",
+                                   g_variant_new("(i)", ifindex),
+                                   G_VARIANT_TYPE("(o)"),
                                   G_DBUS_CALL_FLAGS_NONE,
                                   -1,
                                   cb_data->concheck.resolve_cancellable,
-                                   systemd_resolved_resolve_cb,
+                                   systemd_resolved_get_link_cb,
                                   cb_data);
-            _LOG2D("start request to '%s' (try resolving '%s' using systemd-resolved)",
-                   cb_data->concheck.con_config->uri,
-                   cb_data->concheck.con_config->host);
            return cb_data;
        }

--- a/src/core/nm-core-utils.c
+++ b/src/core/nm-core-utils.c
@ -2865,6 +2865,7 @@ _host_id_read(guint8 **out_host_id, gsize *out_host_id_len)
                                               0600,
                                               NULL,
                                               NULL,
+                                               NULL,
                                               &error)) {
            nm_log_warn(
                LOGD_CORE,
@ -5011,6 +5012,7 @@ typedef struct {
    int      child_stdin;
    int      child_stdout;
    int      child_stderr;
+    gboolean binary_output;
    GSource *input_source;
    GSource *output_source;
    GSource *error_source;
@ -5090,9 +5092,17 @@ helper_complete(HelperInfo *info, GError *error)
    }

    nm_clear_g_cancellable_disconnect(g_task_get_cancellable(info->task), &info->cancellable_id);
+
+    if (info->binary_output) {
+        g_task_return_pointer(
+            info->task,
+            g_bytes_new(nm_str_buf_get_str_unsafe(&info->in_buffer), info->in_buffer.len),
+            (GDestroyNotify) (g_bytes_unref));
+    } else {
        g_task_return_pointer(info->task,
                              nm_str_buf_finalize(&info->in_buffer, NULL) ?: g_new0(char, 1),
                              g_free);
+    }
    helper_info_free(info);
 }

@ -5235,6 +5245,7 @@ helper_cancelled(GObject *object, gpointer user_data)

 void
 nm_utils_spawn_helper(const char *const  *args,
+                      gboolean            binary_output,
                      GCancellable       *cancellable,
                      GAsyncReadyCallback callback,
                      gpointer            cb_data)
@ -5251,8 +5262,13 @@ nm_utils_spawn_helper(const char *const  *args,
    info  = g_new(HelperInfo, 1);
    *info = (HelperInfo) {
        .task          = nm_g_task_new(NULL, cancellable, nm_utils_spawn_helper, callback, cb_data),
+        .binary_output = binary_output,
    };

+    /* Store if the caller requested binary output so that we can check later
+     * that the right result function is called. */
+    g_task_set_task_data(info->task, GINT_TO_POINTER(binary_output), NULL);
+
    if (!g_spawn_async_with_pipes("/",
                                  (char **) NM_MAKE_STRV(LIBEXECDIR "/nm-daemon-helper"),
                                  (char **) NM_MAKE_STRV(),
@ -5363,11 +5379,25 @@ nm_utils_spawn_helper(const char *const  *args,
 }

 char *
-nm_utils_spawn_helper_finish(GAsyncResult *result, GError **error)
+nm_utils_spawn_helper_finish_string(GAsyncResult *result, GError **error)
 {
    GTask *task = G_TASK(result);

    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_spawn_helper));
+    /* Check binary_output */
+    nm_assert(GPOINTER_TO_INT(g_task_get_task_data(task)) == FALSE);
+
+    return g_task_propagate_pointer(task, error);
+}
+
+GBytes *
+nm_utils_spawn_helper_finish_binary(GAsyncResult *result, GError **error)
+{
+    GTask *task = G_TASK(result);
+
+    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_spawn_helper));
+    /* Check binary_output */
+    nm_assert(GPOINTER_TO_INT(g_task_get_task_data(task)) == TRUE);

    return g_task_propagate_pointer(task, error);
 }
@ -5474,3 +5504,334 @@ nm_utils_shorten_hostname(const char *hostname, char **shortened)
    *shortened = g_steal_pointer(&s);
    return TRUE;
 }
+
+/**
+ * nm_utils_connection_supported:
+ * @connection: the connection
+ * @error: on return, the reason why the connection in not supported
+ *
+ * Returns whether the given connection is supported by this version
+ * of NetworkManager.
+ */
+gboolean
+nm_utils_connection_supported(NMConnection *connection, GError **error)
+{
+    const char *type;
+    const char *feature = NULL;
+
+    g_return_val_if_fail(connection, FALSE);
+    g_return_val_if_fail(!error || !*error, FALSE);
+
+    type = nm_connection_get_connection_type(connection);
+
+    if (!WITH_TEAMDCTL) {
+        NMSettingConnection *s_con;
+
+        if (nm_streq0(type, NM_SETTING_TEAM_SETTING_NAME)) {
+            feature = "team";
+            goto out_disabled;
+        }
+
+        /* Match team ports */
+        if ((s_con = nm_connection_get_setting_connection(connection))
+            && nm_streq0(nm_setting_connection_get_port_type(s_con),
+                         NM_SETTING_TEAM_SETTING_NAME)) {
+            feature = "team";
+            goto out_disabled;
+        }
+    }
+
+    if (!WITH_OPENVSWITCH) {
+        if (NM_IN_STRSET(type,
+                         NM_SETTING_OVS_BRIDGE_SETTING_NAME,
+                         NM_SETTING_OVS_PORT_SETTING_NAME,
+                         NM_SETTING_OVS_INTERFACE_SETTING_NAME)) {
+            feature = "Open vSwitch";
+            goto out_disabled;
+        }
+
+        /* Match OVS system interfaces */
+        if (nm_connection_get_setting_ovs_interface(connection)) {
+            feature = "Open vSwitch";
+            goto out_disabled;
+        }
+    }
+
+    if (!WITH_WIFI
+        && NM_IN_STRSET(type,
+                        NM_SETTING_WIRELESS_SETTING_NAME,
+                        NM_SETTING_OLPC_MESH_SETTING_NAME,
+                        NM_SETTING_WIFI_P2P_SETTING_NAME)) {
+        feature = "Wi-Fi";
+        goto out_disabled;
+    }
+
+    if (!WITH_WWAN
+        && NM_IN_STRSET(type, NM_SETTING_GSM_SETTING_NAME, NM_SETTING_CDMA_SETTING_NAME)) {
+        feature = "WWAN";
+        goto out_disabled;
+    }
+
+    if (nm_streq0(type, NM_SETTING_WIMAX_SETTING_NAME)) {
+        feature = "WiMAX";
+        goto out_removed;
+    }
+
+    return TRUE;
+
+out_disabled:
+    nm_assert(feature);
+    g_set_error(error,
+                NM_SETTINGS_ERROR,
+                NM_SETTINGS_ERROR_FEATURE_DISABLED,
+                "%s support is disabled in this build",
+                feature);
+    return FALSE;
+
+out_removed:
+    nm_assert(feature);
+    g_set_error(error,
+                NM_SETTINGS_ERROR,
+                NM_SETTINGS_ERROR_FEATURE_REMOVED,
+                "%s is no longer supported",
+                feature);
+    return FALSE;
+}
+
+/*****************************************************************************/
+
+/**
+ * nm_rate_limit_check():
+ * @rate_limit: the NMRateLimit instance
+ * @window_sec: the time window in seconds, between 1 and 864000 (ten days)
+ * @burst: the number of max allowed event occurrences in the given time
+ *   window
+ *
+ * The function rate limits an event. Call it multiple times with the
+ * same @window_sec, and @burst values.
+ *
+ * Returns: TRUE if the event is allowed, FALSE if it is rate-limited
+ */
+gboolean
+nm_rate_limit_check(NMRateLimit *rate_limit, gint32 window_sec, gint32 burst)
+{
+    gint64 now;
+    gint64 old_ts_msec;
+    gint64 window_msec;
+    gint64 capacity;
+    gint64 elapsed;
+
+    nm_assert(window_sec >= 1 && window_sec <= 864000);
+    nm_assert(burst >= 1);
+
+    /* This implements a simple token bucket algorithm. For each millisecond,
+     * refill "burst" tokens. Thus, during a full time window we
+     * refill (window_msec * burst) tokens. Each event consumes @window_msec
+     * tokens. */
+
+    window_msec         = (gint64) window_sec * NM_UTILS_MSEC_PER_SEC;
+    capacity            = window_msec * (gint64) burst;
+    old_ts_msec         = rate_limit->ts_msec;
+    now                 = nm_utils_get_monotonic_timestamp_msec();
+    rate_limit->ts_msec = now;
+
+    elapsed = now - old_ts_msec;
+    if (old_ts_msec == 0 || elapsed > window_msec) {
+        /* On the first call, or in case a whole window passed, (re)start with
+         * a full budget */
+        rate_limit->tokens = capacity;
+    } else {
+        rate_limit->tokens += elapsed * (gint64) burst;
+        rate_limit->tokens = NM_MIN(rate_limit->tokens, capacity);
+    }
+
+    /* Consume the tokens */
+    if (rate_limit->tokens >= window_msec) {
+        rate_limit->tokens -= window_msec;
+        return TRUE;
+    }
+
+    return FALSE;
+}
+
+const char *
+nm_utils_get_connection_first_permissions_user(NMConnection *connection)
+{
+    NMSettingConnection *s_con;
+
+    s_con = nm_connection_get_setting_connection(connection);
+    nm_assert(s_con);
+
+    return _nm_setting_connection_get_first_permissions_user(s_con);
+}
+
+/*****************************************************************************/
+
+const char **
+nm_utils_get_connection_private_files_paths(NMConnection *connection)
+{
+    GPtrArray          *files;
+    gs_free NMSetting **settings = NULL;
+    guint               num_settings;
+    guint               i;
+
+    files    = g_ptr_array_new();
+    settings = nm_connection_get_settings(connection, &num_settings);
+    for (i = 0; i < num_settings; i++) {
+        _nm_setting_get_private_files(settings[i], files);
+    }
+    g_ptr_array_add(files, NULL);
+
+    return (const char **) g_ptr_array_free(files, files->len == 1);
+}
+
+typedef struct _ReadInfo ReadInfo;
+
+typedef struct {
+    char     *path;
+    ReadInfo *read_info;
+} FileInfo;
+
+struct _ReadInfo {
+    GTask      *task;
+    GHashTable *table;
+    GPtrArray  *file_infos; /* of FileInfo */
+    GError     *first_error;
+    guint       num_pending;
+};
+
+static void
+read_file_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data)
+{
+    FileInfo              *file_info = user_data;
+    ReadInfo              *read_info = file_info->read_info;
+    gs_unref_bytes GBytes *output    = NULL;
+    gs_free_error GError  *error     = NULL;
+
+    output = nm_utils_spawn_helper_finish_binary(result, &error);
+
+    nm_assert(read_info->num_pending > 0);
+    read_info->num_pending--;
+
+    if (nm_utils_error_is_cancelled(error)) {
+        /* nop */
+    } else if (error) {
+        nm_log_dbg(LOGD_CORE,
+                   "read-private-files: failed to read file '%s': %s",
+                   file_info->path,
+                   error->message);
+        if (!read_info->first_error) {
+            /* @error just says "helper process exited with status X".
+             * Return a more human-friendly one. */
+            read_info->first_error = g_error_new(NM_UTILS_ERROR,
+                                                 NM_UTILS_ERROR_UNKNOWN,
+                                                 "error reading file '%s'",
+                                                 file_info->path);
+        }
+    } else {
+        nm_log_dbg(LOGD_SUPPLICANT,
+                   "read-private-files: successfully read file '%s'",
+                   file_info->path);
+
+        /* Store the file contents in the hash table */
+        if (!read_info->table) {
+            read_info->table = g_hash_table_new_full(nm_str_hash,
+                                                     g_str_equal,
+                                                     g_free,
+                                                     (GDestroyNotify) g_bytes_unref);
+        }
+        g_hash_table_insert(read_info->table,
+                            g_steal_pointer(&file_info->path),
+                            g_steal_pointer(&output));
+    }
+
+    g_clear_pointer(&file_info->path, g_free);
+
+    /* If all operations are completed, return  */
+    if (read_info->num_pending == 0) {
+        if (read_info->first_error) {
+            g_task_return_error(read_info->task, g_steal_pointer(&read_info->first_error));
+        } else {
+            g_task_return_pointer(read_info->task,
+                                  g_steal_pointer(&read_info->table),
+                                  (GDestroyNotify) g_hash_table_unref);
+        }
+
+        if (read_info->table)
+            g_hash_table_unref(read_info->table);
+        if (read_info->file_infos)
+            g_ptr_array_unref(read_info->file_infos);
+
+        g_object_unref(read_info->task);
+        g_free(read_info);
+    }
+}
+
+/**
+ * nm_utils_read_private_files:
+ * @paths: array of file paths to be read
+ * @user: name of the user to impersonate when reading the files
+ * @cancellable: cancellable to cancel the operation
+ * @callback: callback to invoke on completion
+ * @cb_data: data for @callback
+ *
+ * Reads the given list of files @paths on behalf of user @user. Invokes
+ * @callback asynchronously on completion. The callback must use
+ * nm_utils_read_private_files_finish() to obtain the result.
+ */
+void
+nm_utils_read_private_files(const char *const  *paths,
+                            const char         *user,
+                            GCancellable       *cancellable,
+                            GAsyncReadyCallback callback,
+                            gpointer            cb_data)
+{
+    ReadInfo *read_info;
+    FileInfo *file_info;
+    guint     i;
+
+    g_return_if_fail(paths && paths[0]);
+    g_return_if_fail(cancellable);
+    g_return_if_fail(callback);
+    g_return_if_fail(cb_data);
+
+    read_info  = g_new(ReadInfo, 1);
+    *read_info = (ReadInfo) {
+        .task = nm_g_task_new(NULL, cancellable, nm_utils_read_private_files, callback, cb_data),
+        .file_infos = g_ptr_array_new_with_free_func(g_free),
+    };
+
+    for (i = 0; paths[i]; i++) {
+        file_info  = g_new(FileInfo, 1);
+        *file_info = (FileInfo) {
+            .path      = g_strdup(paths[i]),
+            .read_info = read_info,
+        };
+        g_ptr_array_add(read_info->file_infos, file_info);
+        read_info->num_pending++;
+
+        nm_utils_spawn_helper(NM_MAKE_STRV("read-file-as-user", user, paths[i]),
+                              TRUE,
+                              cancellable,
+                              read_file_helper_cb,
+                              file_info);
+    }
+}
+
+/**
+ * nm_utils_read_private_files_finish:
+ * @result: the GAsyncResult
+ * @error: on return, the error
+ *
+ * Returns the files read by nm_utils_read_private_files(). The return value
+ * is a hash table {char * -> GBytes *}. Free it with g_hash_table_unref().
+ */
+GHashTable *
+nm_utils_read_private_files_finish(GAsyncResult *result, GError **error)
+{
+    GTask *task = G_TASK(result);
+
+    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_read_private_files));
+
+    return g_task_propagate_pointer(task, error);
+}
--- a/src/core/nm-core-utils.h
+++ b/src/core/nm-core-utils.h
@ -478,11 +478,13 @@ guint8 nm_wifi_utils_level_to_quality(int val);
 /*****************************************************************************/

 void nm_utils_spawn_helper(const char *const  *args,
+                           gboolean            binary_output,
                           GCancellable       *cancellable,
                           GAsyncReadyCallback callback,
                           gpointer            cb_data);

-char *nm_utils_spawn_helper_finish(GAsyncResult *result, GError **error);
+char   *nm_utils_spawn_helper_finish_string(GAsyncResult *result, GError **error);
+GBytes *nm_utils_spawn_helper_finish_binary(GAsyncResult *result, GError **error);

 /*****************************************************************************/

@ -490,4 +492,32 @@ uid_t nm_utils_get_nm_uid(void);

 gid_t nm_utils_get_nm_gid(void);

+/*****************************************************************************/
+
+gboolean nm_utils_connection_supported(NMConnection *connection, GError **error);
+
+/*****************************************************************************/
+
+typedef struct {
+    gint64 ts_msec;
+    gint64 tokens;
+} NMRateLimit;
+
+gboolean nm_rate_limit_check(NMRateLimit *rate_limit, gint32 window_sec, gint32 burst);
+
+/*****************************************************************************/
+
+const char *nm_utils_get_connection_first_permissions_user(NMConnection *connection);
+
+/*****************************************************************************/
+
+const char **nm_utils_get_connection_private_files_paths(NMConnection *connection);
+
+void        nm_utils_read_private_files(const char *const  *paths,
+                                        const char         *user,
+                                        GCancellable       *cancellable,
+                                        GAsyncReadyCallback callback,
+                                        gpointer            cb_data);
+GHashTable *nm_utils_read_private_files_finish(GAsyncResult *result, GError **error);
+
 #endif /* __NM_CORE_UTILS_H__ */
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@ -120,6 +120,7 @@ struct _NML3ConfigData {
    NMSettingConnectionMdns       mdns;
    NMSettingConnectionLlmnr      llmnr;
    NMSettingConnectionDnsOverTls dns_over_tls;
+    NMSettingConnectionDnssec     dnssec;
    NMUtilsIPv6IfaceId            ip6_token;

    NML3ConfigDatFlags flags;
@ -577,6 +578,16 @@ nm_l3_config_data_log(const NML3ConfigData *self,
                                           NULL)));
    }

+    if (self->dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
+        gs_free char *s = NULL;
+
+        _L("dnssec: %s",
+           (s = _nm_utils_enum_to_str_full(nm_setting_connection_dnssec_get_type(),
+                                           self->dnssec,
+                                           " ",
+                                           NULL)));
+    }
+
    if (self->mptcp_flags != NM_MPTCP_FLAGS_NONE) {
        gs_free char *s = NULL;

@ -694,6 +705,7 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
        .mdns                           = NM_SETTING_CONNECTION_MDNS_DEFAULT,
        .llmnr                          = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
        .dns_over_tls                   = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
+        .dnssec                         = NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
        .flags                          = NM_L3_CONFIG_DAT_FLAGS_NONE,
        .metered                        = NM_TERNARY_DEFAULT,
        .proxy_browser_only             = NM_TERNARY_DEFAULT,
@ -1767,6 +1779,26 @@ nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self, NMSettingConnectionDnsO
    return TRUE;
 }

+NMSettingConnectionDnssec
+nm_l3_config_data_get_dnssec(const NML3ConfigData *self)
+{
+    nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
+
+    return self->dnssec;
+}
+
+gboolean
+nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec)
+{
+    nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
+
+    if (self->dnssec == dnssec)
+        return FALSE;
+
+    self->dnssec = dnssec;
+    return TRUE;
+}
+
 NMIPRouteTableSyncMode
 nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self, int addr_family)
 {
@ -2446,6 +2478,7 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
        NM_CMP_DIRECT(a->mdns, b->mdns);
        NM_CMP_DIRECT(a->llmnr, b->llmnr);
        NM_CMP_DIRECT(a->dns_over_tls, b->dns_over_tls);
+        NM_CMP_DIRECT(a->dnssec, b->dnssec);
    }

    if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_OTHER)) {
@ -3139,7 +3172,8 @@ void
 nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
                           GChecksum            *sum,
                           int                   addr_family,
-                           NMDnsIPConfigType     dns_ip_config_type)
+                           NMDnsIPConfigType     dns_ip_config_type,
+                           gboolean              ignore_searches_and_options)
 {
    guint              i;
    int                val;
@ -3178,6 +3212,7 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
        empty = FALSE;
    }

+    if (!ignore_searches_and_options) {
        searches = nm_l3_config_data_get_searches(l3cd, addr_family, &num_searches);
        for (i = 0; i < num_searches; i++) {
            g_checksum_update(sum, (const guint8 *) searches[i], strlen(searches[i]));
@ -3189,6 +3224,7 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
            g_checksum_update(sum, (const guint8 *) options[i], strlen(options[i]));
            empty = FALSE;
        }
+    }

    val = nm_l3_config_data_get_mdns(l3cd);
    if (val != NM_SETTING_CONNECTION_MDNS_DEFAULT) {
@ -3208,6 +3244,12 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
        empty = FALSE;
    }

+    val = nm_l3_config_data_get_dnssec(l3cd);
+    if (val != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
+        g_checksum_update(sum, (const guint8 *) &val, sizeof(val));
+        empty = FALSE;
+    }
+
    if (!empty) {
        int prio = 0;

@ -3458,6 +3500,9 @@ nm_l3_config_data_merge(NML3ConfigData       *self,
    if (self->dns_over_tls == NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT)
        self->dns_over_tls = src->dns_over_tls;

+    if (self->dnssec == NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
+        self->dnssec = src->dnssec;
+
    if (self->ip6_token.id == 0)
        self->ip6_token.id = src->ip6_token.id;

--- a/src/core/nm-l3-config-data.h
+++ b/src/core/nm-l3-config-data.h
@ -458,6 +458,10 @@ NMSettingConnectionDnsOverTls nm_l3_config_data_get_dns_over_tls(const NML3Confi
 gboolean nm_l3_config_data_set_dns_over_tls(NML3ConfigData               *self,
                                            NMSettingConnectionDnsOverTls dns_over_tls);

+NMSettingConnectionDnssec nm_l3_config_data_get_dnssec(const NML3ConfigData *self);
+
+gboolean nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec);
+
 NMIPRouteTableSyncMode nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self,
                                                              int                   addr_family);

@ -615,6 +619,7 @@ nmtst_l3_config_data_get_best_gateway(const NML3ConfigData *self, int addr_famil
 void nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
                                GChecksum            *sum,
                                int                   addr_family,
-                                NMDnsIPConfigType     dns_ip_config_type);
+                                NMDnsIPConfigType     dns_ip_config_type,
+                                gboolean              ignore_searches_and_options);

 #endif /* __NM_L3_CONFIG_DATA_H__ */
--- a/src/core/nm-l3cfg.c
+++ b/src/core/nm-l3cfg.c
@ -40,8 +40,7 @@ G_STATIC_ASSERT(NM_ACD_TIMEOUT_RFC5227_MSEC == N_ACD_TIMEOUT_RFC5227);

 #define ACD_SUPPORTED_ETH_ALEN                  ETH_ALEN
 #define ACD_ENSURE_RATELIMIT_MSEC               ((guint32) 4000u)
-#define ACD_WAIT_PROBING_EXTRA_TIME_MSEC        ((guint32) (1000u + ACD_ENSURE_RATELIMIT_MSEC))
-#define ACD_WAIT_PROBING_EXTRA_TIME2_MSEC       ((guint32) 1000u)
+#define ACD_WAIT_PROBING_EXTRA_TIME_MSEC        ((guint32) (2000u + ACD_ENSURE_RATELIMIT_MSEC))
 #define ACD_WAIT_TIME_PROBING_FULL_RESTART_MSEC ((guint32) 30000u)
 #define ACD_WAIT_TIME_CONFLICT_RESTART_MSEC     ((guint32) 120000u)
 #define ACD_WAIT_TIME_ANNOUNCE_RESTART_MSEC     ((guint32) 30000u)
@ -2740,9 +2739,8 @@ handle_init:
            nm_utils_get_monotonic_timestamp_msec_cached(p_now_msec);

            if (acd_data->info.state == NM_L3_ACD_ADDR_STATE_PROBING) {
-                if ((*p_now_msec) > acd_data->probing_timestamp_msec
-                                        + ACD_WAIT_PROBING_EXTRA_TIME_MSEC
-                                        + ACD_WAIT_PROBING_EXTRA_TIME2_MSEC) {
+                if ((*p_now_msec)
+                    > acd_data->probing_timestamp_msec + ACD_WAIT_PROBING_EXTRA_TIME_MSEC) {
                    /* hm. We failed to create a new probe too long. Something is really wrong
                     * internally, but let's ignore the issue and assume the address is good. What
                     * else would we do? Assume the address is USED? */
@ -2948,7 +2946,7 @@ handle_init:
            nm_utils_get_monotonic_timestamp_msec_cached(p_now_msec);

            if (acd_data->probing_timestamp_msec + acd_data->probing_timeout_msec
-                    + ACD_WAIT_PROBING_EXTRA_TIME_MSEC + ACD_WAIT_PROBING_EXTRA_TIME2_MSEC
+                    + ACD_WAIT_PROBING_EXTRA_TIME_MSEC
                >= (*p_now_msec)) {
                /* The probing already started quite a while ago. We ignore the link event
                 * and let the probe come to it's natural end. */
@ -3058,9 +3056,10 @@ handle_start_probing:
        }

        _LOGT_acd(acd_data,
-                  "%sstart probing (timeout %u msec, %s)",
+                  "%sstart probing (timeout %u msec, ebpf %s; %s)",
                  orig_state == NM_L3_ACD_ADDR_STATE_INIT ? "" : "re",
                  acd_data->probing_timeout_msec,
+                  n_acd_has_bpf(self->priv.p->nacd) ? "enabled" : "disabled",
                  log_reason);
        return;
    }
@ -3155,10 +3154,11 @@ handle_start_defending:
        }

        _LOGT_acd(acd_data,
-                  "start announcing (defend=%s) (probe created)",
+                  "start announcing (defend=%s) (probe created with ebpf %s)",
                  _l3_acd_defend_type_to_string(acd_data->acd_defend_type_current,
                                                sbuf256,
-                                                sizeof(sbuf256)));
+                                                sizeof(sbuf256)),
+                  n_acd_has_bpf(self->priv.p->nacd) ? "enabled" : "disabled");
        acd_data->acd_defend_type_is_active = FALSE;
        acd_data->nacd_probe                = probe;
        return;
@ -3989,7 +3989,7 @@ _l3cfg_routed_dns_apply(NML3Cfg *self, const NML3ConfigData *l3cd)
            NMDnsServer               dns;
            int                       r;

-            if (!nm_dns_uri_parse(addr_family, nameservers[i], &dns))
+            if (!nm_dns_uri_parse(addr_family, nameservers[i], &dns, NULL))
                continue;

            /* Find the gateway to the DNS over the current interface. When
@ -5054,8 +5054,8 @@ _l3_commit_mptcp_af(NML3Cfg          *self,
            (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SIGNAL) ? MPTCP_PM_ADDR_FLAG_SIGNAL : 0)
            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SUBFLOW) ? MPTCP_PM_ADDR_FLAG_SUBFLOW : 0)
            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_BACKUP) ? MPTCP_PM_ADDR_FLAG_BACKUP : 0)
-            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_FULLMESH) ? MPTCP_PM_ADDR_FLAG_FULLMESH
-                                                                  : 0);
+            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_FULLMESH) ? MPTCP_PM_ADDR_FLAG_FULLMESH : 0)
+            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_LAMINAR) ? MPTCP_PM_ADDR_FLAG_LAMINAR : 0);
        NMPlatformMptcpAddr a = {
            .ifindex     = self->priv.ifindex,
            .id          = 0,
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@ -136,6 +136,7 @@ enum {
    ACTIVE_CONNECTION_REMOVED,
    CONFIGURE_QUIT,
    DEVICE_IFINDEX_CHANGED,
+    SHARING_IPV4_CHANGED,

    LAST_SIGNAL
 };
@ -238,6 +239,8 @@ typedef struct {

    guint8 device_state_prune_ratelimit_count;

+    guint shared_connections_ip4_count;
+
    bool startup : 1;
    bool devices_inited : 1;

@ -1960,7 +1963,7 @@ find_device_by_iface(NMManager    *self,
 }

 static gboolean
-manager_sleeping(NMManager *self)
+manager_is_disabled(NMManager *self)
 {
    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);

@ -1973,8 +1976,8 @@ static const char *
 _nm_state_to_string(NMState state)
 {
    switch (state) {
-    case NM_STATE_ASLEEP:
-        return "ASLEEP";
+    case NM_STATE_DISABLED:
+        return "DISABLED";
    case NM_STATE_DISCONNECTED:
        return "DISCONNECTED";
    case NM_STATE_DISCONNECTING:
@ -2078,15 +2081,18 @@ nm_manager_update_state(NMManager *self)
 {
    NMManagerPrivate *priv;
    NMState           new_state = NM_STATE_DISCONNECTED;
+    const char       *detail    = "";

    g_return_if_fail(NM_IS_MANAGER(self));

    priv = NM_MANAGER_GET_PRIVATE(self);

-    if (manager_sleeping(self))
-        new_state = NM_STATE_ASLEEP;
-    else
+    if (manager_is_disabled(self)) {
+        new_state = NM_STATE_DISABLED;
+        detail    = priv->sleeping ? " (ASLEEP)" : " (NETWORKING OFF)";
+    } else {
        new_state = find_best_device_state(self);
+    }

    if (new_state >= NM_STATE_CONNECTED_LOCAL && priv->connectivity_state == NM_CONNECTIVITY_FULL) {
        new_state = NM_STATE_CONNECTED_GLOBAL;
@ -2097,7 +2103,7 @@ nm_manager_update_state(NMManager *self)

    priv->state = new_state;

-    _LOGI(LOGD_CORE, "NetworkManager state is now %s", _nm_state_to_string(new_state));
+    _LOGI(LOGD_CORE, "NetworkManager state is now %s%s", _nm_state_to_string(new_state), detail);

    _notify(self, PROP_STATE);
    nm_dbus_object_emit_signal(NM_DBUS_OBJECT(self),
@ -2956,7 +2962,7 @@ _rfkill_update_devices(NMManager *self, NMRfkillType rtype, gboolean enabled)
    _notify(self, _rfkill_type_desc[rtype].prop_id);

    /* Don't touch devices if asleep/networking disabled */
-    if (manager_sleeping(self))
+    if (manager_is_disabled(self))
        return;

    /* enable/disable wireless devices as required */
@ -3120,7 +3126,7 @@ _rfkill_update_from_user(NMManager *self, NMRfkillType rtype, gboolean enabled)
    gboolean          old_enabled, new_enabled;

    /* Don't touch devices if asleep/networking disabled */
-    if (manager_sleeping(self))
+    if (manager_is_disabled(self))
        return;

    _LOGD(LOGD_RFKILL,
@ -4079,7 +4085,7 @@ add_device(NMManager *self, NMDevice *device, GError **error)

    nm_device_set_unmanaged_by_user_settings(device, TRUE);

-    nm_device_set_unmanaged_flags(device, NM_UNMANAGED_SLEEPING, manager_sleeping(self));
+    nm_device_set_unmanaged_flags(device, NM_UNMANAGED_MANAGER_DISABLED, manager_is_disabled(self));

    dbus_path = nm_dbus_object_export(NM_DBUS_OBJECT(device));
    _LOG2I(LOGD_DEVICE, device, "new %s device (%s)", type_desc, dbus_path);
@ -5718,6 +5724,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
    GError                  *local = NULL;
    NMConnectionMultiConnect multi_connect;
    const char              *parent_spec;
+    gboolean                 did_realize = FALSE;

    g_return_val_if_fail(NM_IS_MANAGER(self), FALSE);
    g_return_val_if_fail(NM_IS_ACTIVE_CONNECTION(active), FALSE);
@ -5892,6 +5899,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                               nm_device_get_iface(device));
                return FALSE;
            }
+            did_realize = TRUE;
        }
    }

@ -5923,7 +5931,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                        "The controller connection '%s' is not compatible with '%s'",
                        nm_settings_connection_get_id(controller_connection),
                        nm_settings_connection_get_id(sett_conn));
-            return FALSE;
+            goto err_unrealize;
        }

        if (!controller_ac) {
@ -5946,7 +5954,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                                   "Controller connection '%s' can't be activated: ",
                                   nm_settings_connection_get_id(controller_connection));
                }
-                return FALSE;
+                goto err_unrealize;
            }
        }

@ -6040,7 +6048,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                                NM_MANAGER_ERROR,
                                NM_MANAGER_ERROR_DEPENDENCY_FAILED,
                                "Activation failed because the device is unmanaged");
-            return FALSE;
+            goto err_unrealize;
        }
    }

@ -6048,6 +6056,11 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
    active_connection_add(self, active);
    nm_device_queue_activation(device, NM_ACT_REQUEST(active));
    return TRUE;
+
+err_unrealize:
+    if (did_realize)
+        nm_device_unrealize(device, TRUE, NULL);
+    return FALSE;
 }

 static gboolean
@ -7292,7 +7305,7 @@ device_sleep_cb(NMDevice *device, GParamSpec *pspec, NMManager *self)
    case NM_DEVICE_STATE_DISCONNECTED:
        _LOGD(LOGD_SUSPEND, "sleep: unmanaging device %s", nm_device_get_ip_iface(device));
        nm_device_set_unmanaged_by_flags_queue(device,
-                                               NM_UNMANAGED_SLEEPING,
+                                               NM_UNMANAGED_MANAGER_DISABLED,
                                               NM_UNMAN_FLAG_OP_SET_UNMANAGED,
                                               NM_DEVICE_STATE_REASON_SLEEPING);
        break;
@ -7314,24 +7327,26 @@ _handle_device_takedown(NMManager *self,
                        gboolean   suspending,
                        gboolean   is_shutdown)
 {
+    gboolean            is_sleep = suspending || is_shutdown;
+    NMDeviceStateReason reason =
+        is_sleep ? NM_DEVICE_STATE_REASON_SLEEPING : NM_DEVICE_STATE_REASON_NETWORKING_OFF;
+
    nm_device_notify_sleeping(device);

    if (nm_device_is_activating(device)
        || nm_device_get_state(device) == NM_DEVICE_STATE_ACTIVATED) {
-        _LOGD(LOGD_SUSPEND,
+        _LOGD(is_sleep ? LOGD_SUSPEND : LOGD_CORE,
              "%s: wait disconnection of device %s",
-              is_shutdown ? "shutdown" : "sleep",
+              is_sleep ? (is_shutdown ? "shutdown" : "sleep") : "networking off",
              nm_device_get_ip_iface(device));

        if (sleep_devices_add(self, device, suspending))
-            nm_device_queue_state(device,
-                                  NM_DEVICE_STATE_DEACTIVATING,
-                                  NM_DEVICE_STATE_REASON_SLEEPING);
+            nm_device_queue_state(device, NM_DEVICE_STATE_DEACTIVATING, reason);
    } else {
        nm_device_set_unmanaged_by_flags(device,
-                                         NM_UNMANAGED_SLEEPING,
+                                         NM_UNMANAGED_MANAGER_DISABLED,
                                         NM_UNMAN_FLAG_OP_SET_UNMANAGED,
-                                         NM_DEVICE_STATE_REASON_SLEEPING);
+                                         reason);
    }
 }

@ -7345,8 +7360,10 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
    suspending          = sleeping_changed && priv->sleeping;
    waking_from_suspend = sleeping_changed && !priv->sleeping;

-    if (manager_sleeping(self)) {
-        _LOGD(LOGD_SUSPEND, "sleep: %s...", suspending ? "sleeping" : "disabling");
+    if (manager_is_disabled(self)) {
+        _LOGD(suspending ? LOGD_SUSPEND : LOGD_CORE,
+              "%s...",
+              suspending ? "sleep: sleeping" : "networking: disabling");

        /* FIXME: are there still hardware devices that need to be disabled around
         * suspend/resume?
@ -7372,7 +7389,9 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
            _handle_device_takedown(self, device, suspending, FALSE);
        }
    } else {
-        _LOGD(LOGD_SUSPEND, "sleep: %s...", waking_from_suspend ? "waking up" : "re-enabling");
+        _LOGD(waking_from_suspend ? LOGD_SUSPEND : LOGD_CORE,
+              "%s...",
+              waking_from_suspend ? "sleep: waking up" : "networking: re-enabling");

        sleep_devices_clear(self);

@ -7386,7 +7405,7 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
                 */
                if (device_is_wake_on_lan(priv->platform, device))
                    nm_device_set_unmanaged_by_flags(device,
-                                                     NM_UNMANAGED_SLEEPING,
+                                                     NM_UNMANAGED_MANAGER_DISABLED,
                                                     NM_UNMAN_FLAG_OP_SET_UNMANAGED,
                                                     NM_DEVICE_STATE_REASON_SLEEPING);

@ -7414,10 +7433,12 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
            guint               i;

            if (nm_device_is_software(device)
-                && !nm_device_get_unmanaged_flags(device, NM_UNMANAGED_SLEEPING)) {
+                && !nm_device_get_unmanaged_flags(device, NM_UNMANAGED_MANAGER_DISABLED)) {
                /* DHCP leases of software devices could have gone stale
                 * so we need to renew them. */
-                nm_device_update_dynamic_ip_setup(device, "wake up");
+                nm_device_update_dynamic_ip_setup(device,
+                                                  waking_from_suspend ? "wake up"
+                                                                      : "networking on");
                continue;
            }

@ -7448,7 +7469,7 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
                    ? NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED
                    : NM_DEVICE_STATE_REASON_NOW_MANAGED;
            nm_device_set_unmanaged_by_flags(device,
-                                             NM_UNMANAGED_SLEEPING,
+                                             NM_UNMANAGED_MANAGER_DISABLED,
                                             NM_UNMAN_FLAG_OP_SET_MANAGED,
                                             reason);
        }
@ -8811,6 +8832,41 @@ nm_manager_emit_device_ifindex_changed(NMManager *self, NMDevice *device)
    g_signal_emit(self, signals[DEVICE_IFINDEX_CHANGED], 0, device);
 }

+void
+nm_manager_update_shared_connection(NMManager *self, int addr_family, gboolean enabled)
+{
+    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
+    gboolean          state_changed, state;
+
+    /* Only IPv4 supported for the moment */
+    if (addr_family != AF_INET)
+        return;
+
+    if (enabled) {
+        g_return_if_fail(priv->shared_connections_ip4_count < G_MAXUINT);
+        priv->shared_connections_ip4_count++;
+        state_changed = priv->shared_connections_ip4_count == 1;
+    } else {
+        g_return_if_fail(priv->shared_connections_ip4_count > 0);
+        priv->shared_connections_ip4_count--;
+        state_changed = priv->shared_connections_ip4_count == 0;
+    }
+
+    if (state_changed) {
+        state = priv->shared_connections_ip4_count > 0;
+        _LOGD(LOGD_SHARING, "sharing-ipv4 state change %d -> %d", !state, state);
+        g_signal_emit(self, signals[SHARING_IPV4_CHANGED], 0, state);
+    }
+}
+
+gboolean
+nm_manager_get_sharing_ipv4(NMManager *self)
+{
+    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
+
+    return priv->shared_connections_ip4_count > 0;
+}
+
 /*****************************************************************************/

 NM_DEFINE_SINGLETON_REGISTER(NMManager);
@ -9914,6 +9970,17 @@ nm_manager_class_init(NMManagerClass *manager_class)
                                                   G_TYPE_NONE,
                                                   1,
                                                   NM_TYPE_DEVICE);
+
+    signals[SHARING_IPV4_CHANGED] = g_signal_new(NM_MANAGER_SHARING_IPV4_CHANGED,
+                                                 G_OBJECT_CLASS_TYPE(object_class),
+                                                 G_SIGNAL_RUN_FIRST,
+                                                 0,
+                                                 NULL,
+                                                 NULL,
+                                                 NULL,
+                                                 G_TYPE_NONE,
+                                                 1,
+                                                 G_TYPE_BOOLEAN);
 }

 NMConfig *
--- a/src/core/nm-manager.h
+++ b/src/core/nm-manager.h
@ -61,6 +61,7 @@
 #define NM_MANAGER_CONFIGURE_QUIT            "configure-quit"
 #define NM_MANAGER_INTERNAL_DEVICE_ADDED     "internal-device-added"
 #define NM_MANAGER_INTERNAL_DEVICE_REMOVED   "internal-device-removed"
+#define NM_MANAGER_SHARING_IPV4_CHANGED      "sharing-ipv4-changed"

 GType nm_manager_get_type(void);

@ -212,6 +213,9 @@ struct _NMDnsManager;

 struct _NMDnsManager *nm_manager_get_dns_manager(NMManager *self);

+void     nm_manager_update_shared_connection(NMManager *self, int addr_family, gboolean enabled);
+gboolean nm_manager_get_sharing_ipv4(NMManager *self);
+
 /*****************************************************************************/

 void nm_manager_notify_delete_settings_connections(NMManager            *self,
--- a/src/core/nm-netns.c
+++ b/src/core/nm-netns.c
@ -68,7 +68,7 @@ typedef struct {
    NMPNetns         *platform_netns;
    NMPGlobalTracker *global_tracker;
    GHashTable       *l3cfgs;
-    GHashTable       *shared_ips;
+    GHashTable       *ip_reservation[_NM_NETNS_IP_RESERVATION_TYPE_NUM];
    GHashTable       *ecmp_track_by_obj;
    GHashTable       *ecmp_track_by_ecmpid;

@ -571,106 +571,150 @@ notify_watcher:

 /*****************************************************************************/

-NMNetnsSharedIPHandle *
-nm_netns_shared_ip_reserve(NMNetns *self)
+typedef struct {
+    const char *name;
+    guint32     start_addr; /* host byte order */
+    guint       prefix_len;
+    guint       num_addrs;
+    gboolean    allow_reuse;
+} IPReservationTypeDesc;
+
+static const IPReservationTypeDesc ip_reservation_types[_NM_NETNS_IP_RESERVATION_TYPE_NUM] = {
+    [NM_NETNS_IP_RESERVATION_TYPE_SHARED4] =
+        {
+            .name        = "shared-ip4",
+            .start_addr  = 0x0a2a0001, /* 10.42.0.1 */
+            .prefix_len  = 24,
+            .num_addrs   = 256,
+            .allow_reuse = TRUE,
+        },
+};
+
+NMNetnsIPReservation *
+nm_netns_ip_reservation_get(NMNetns *self, NMNetnsIPReservationType type)
 {
    NMNetnsPrivate              *priv;
-    NMNetnsSharedIPHandle *handle;
-    const in_addr_t        addr_start = ntohl(0x0a2a0001u); /* 10.42.0.1 */
+    const IPReservationTypeDesc *desc;
+    NMNetnsIPReservation        *res;
+    GHashTable                 **table;
    in_addr_t                    addr;
-    char                   sbuf_addr[NM_INET_ADDRSTRLEN];
-
-    /* Find an unused address in the 10.42.x.x range */
+    char                         buf[NM_INET_ADDRSTRLEN];

    g_return_val_if_fail(NM_IS_NETNS(self), NULL);
+    g_return_val_if_fail(type < _NM_NETNS_IP_RESERVATION_TYPE_NUM, NULL);

    priv  = NM_NETNS_GET_PRIVATE(self);
+    desc  = &ip_reservation_types[type];
+    table = &priv->ip_reservation[type];

-    if (!priv->shared_ips) {
-        addr             = addr_start;
-        priv->shared_ips = g_hash_table_new(nm_puint32_hash, nm_puint32_equal);
+    if (!*table) {
+        addr   = htonl(desc->start_addr);
+        *table = g_hash_table_new(nm_puint32_hash, nm_puint32_equal);
        g_object_ref(self);
    } else {
        guint32 count;

-        nm_assert(g_hash_table_size(priv->shared_ips) > 0);
+        nm_assert(g_hash_table_size(*table) > 0);
+        nm_assert(desc->prefix_len > 0 && desc->prefix_len <= 32);

        count = 0u;
        for (;;) {
-            addr = addr_start + htonl(count << 8u);
+            addr = htonl(desc->start_addr + (count << (32 - desc->prefix_len)));

-            handle = g_hash_table_lookup(priv->shared_ips, &addr);
-            if (!handle)
+            res = g_hash_table_lookup(*table, &addr);
+            if (!res)
                break;

            count++;

-            if (count > 0xFFu) {
-                if (handle->_ref_count == 1) {
-                    _LOGE("shared-ip4: ran out of shared IP addresses. Reuse %s/24",
-                          nm_inet4_ntop(handle->addr, sbuf_addr));
-                } else {
-                    _LOGD("shared-ip4: reserved IP address range %s/24 (duplicate)",
-                          nm_inet4_ntop(handle->addr, sbuf_addr));
+            if (count >= desc->num_addrs) {
+                if (!desc->allow_reuse) {
+                    _LOGE("%s: ran out of IP addresses", desc->name);
+                    return NULL;
                }
-                handle->_ref_count++;
-                return handle;
+
+                if (res->_ref_count == 1) {
+                    _LOGE("%s: ran out of IP addresses. Reuse %s/%u",
+                          desc->name,
+                          nm_inet4_ntop(res->addr, buf),
+                          desc->prefix_len);
+                } else {
+                    _LOGD("%s: reserved IP address %s/%u (duplicate)",
+                          desc->name,
+                          nm_inet4_ntop(res->addr, buf),
+                          desc->prefix_len);
+                }
+                res->_ref_count++;
+                return res;
            }
        }
    }

-    handle  = g_slice_new(NMNetnsSharedIPHandle);
-    *handle = (NMNetnsSharedIPHandle) {
+    res  = g_slice_new(NMNetnsIPReservation);
+    *res = (NMNetnsIPReservation) {
        .addr       = addr,
        ._ref_count = 1,
        ._self      = self,
+        ._type      = type,
    };

-    g_hash_table_add(priv->shared_ips, handle);
+    g_hash_table_add(*table, res);

-    _LOGD("shared-ip4: reserved IP address range %s/24", nm_inet4_ntop(handle->addr, sbuf_addr));
-    return handle;
+    _LOGD("%s: reserved IP address %s/%u",
+          desc->name,
+          nm_inet4_ntop(res->addr, buf),
+          desc->prefix_len);
+    return res;
 }

 void
-nm_netns_shared_ip_release(NMNetnsSharedIPHandle *handle)
+nm_netns_ip_reservation_release(NMNetnsIPReservation *res)
 {
    NMNetns                     *self;
    NMNetnsPrivate              *priv;
-    char            sbuf_addr[NM_INET_ADDRSTRLEN];
+    const IPReservationTypeDesc *desc;
+    GHashTable                 **table;
+    char                         buf[NM_INET_ADDRSTRLEN];

-    g_return_if_fail(handle);
-
-    self = handle->_self;
+    g_return_if_fail(res);
+    g_return_if_fail(res->_type < _NM_NETNS_IP_RESERVATION_TYPE_NUM);

+    self = res->_self;
    g_return_if_fail(NM_IS_NETNS(self));

    priv  = NM_NETNS_GET_PRIVATE(self);
+    desc  = &ip_reservation_types[res->_type];
+    table = &priv->ip_reservation[res->_type];

-    nm_assert(handle->_ref_count > 0);
-    nm_assert(handle == nm_g_hash_table_lookup(priv->shared_ips, handle));
+    nm_assert(res->_ref_count > 0);
+    nm_assert(res == nm_g_hash_table_lookup(*table, res));

-    if (handle->_ref_count > 1) {
-        nm_assert(handle->addr == ntohl(0x0A2AFF01u)); /* 10.42.255.1 */
-        handle->_ref_count--;
-        _LOGD("shared-ip4: release IP address range %s/24 (%d more references held)",
-              nm_inet4_ntop(handle->addr, sbuf_addr),
-              handle->_ref_count);
+    if (res->_ref_count > 1) {
+        nm_assert(desc->allow_reuse);
+        res->_ref_count--;
+        _LOGD("%s: release IP address reservation %s/%u (%d more references held)",
+              desc->name,
+              nm_inet4_ntop(res->addr, buf),
+              desc->prefix_len,
+              res->_ref_count);
        return;
    }

-    if (!g_hash_table_remove(priv->shared_ips, handle))
+    if (!g_hash_table_remove(*table, res))
        nm_assert_not_reached();

-    if (g_hash_table_size(priv->shared_ips) == 0) {
-        nm_clear_pointer(&priv->shared_ips, g_hash_table_unref);
+    _LOGD("%s: release IP address reservation %s/%u",
+          desc->name,
+          nm_inet4_ntop(res->addr, buf),
+          desc->prefix_len);
+
+    if (g_hash_table_size(*table) == 0) {
+        nm_clear_pointer(table, g_hash_table_unref);
        g_object_unref(self);
    }

-    _LOGD("shared-ip4: release IP address range %s/24", nm_inet4_ntop(handle->addr, sbuf_addr));
-
-    handle->_self = NULL;
-    nm_g_slice_free(handle);
+    res->_self = NULL;
+    nm_g_slice_free(res);
 }

 /*****************************************************************************/
@ -1560,11 +1604,14 @@ dispose(GObject *object)

    nm_assert(nm_g_hash_table_size(priv->l3cfgs) == 0);
    nm_assert(c_list_is_empty(&priv->l3cfg_signal_pending_lst_head));
-    nm_assert(!priv->shared_ips);
    nm_assert(nm_g_hash_table_size(priv->watcher_idx) == 0);
    nm_assert(nm_g_hash_table_size(priv->watcher_by_tag_idx) == 0);
    nm_assert(nm_g_hash_table_size(priv->watcher_ip_data_idx) == 0);

+    for (guint i = 0; i < _NM_NETNS_IP_RESERVATION_TYPE_NUM; i++) {
+        nm_assert(!priv->ip_reservation[i]);
+    }
+
    nm_clear_pointer(&priv->ecmp_track_by_obj, g_hash_table_destroy);
    nm_clear_pointer(&priv->ecmp_track_by_ecmpid, g_hash_table_destroy);

--- a/src/core/nm-netns.h
+++ b/src/core/nm-netns.h
@ -41,15 +41,22 @@ NML3Cfg *nm_netns_l3cfg_acquire(NMNetns *netns, int ifindex);

 /*****************************************************************************/

+typedef enum {
+    NM_NETNS_IP_RESERVATION_TYPE_SHARED4,
+
+    _NM_NETNS_IP_RESERVATION_TYPE_NUM,
+} NMNetnsIPReservationType;
+
 typedef struct {
    in_addr_t                addr;
    int                      _ref_count;
+    NMNetnsIPReservationType _type;
    NMNetns                 *_self;
-} NMNetnsSharedIPHandle;
+} NMNetnsIPReservation;

-NMNetnsSharedIPHandle *nm_netns_shared_ip_reserve(NMNetns *self);
+NMNetnsIPReservation *nm_netns_ip_reservation_get(NMNetns *self, NMNetnsIPReservationType type);

-void nm_netns_shared_ip_release(NMNetnsSharedIPHandle *handle);
+void nm_netns_ip_reservation_release(NMNetnsIPReservation *reservation);

 /*****************************************************************************/

--- a/src/core/nm-policy.c
+++ b/src/core/nm-policy.c
@ -18,7 +18,6 @@
 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
 #include "devices/nm-device-factory.h"
-#include "devices/nm-device-private.h"
 #include "dns/nm-dns-manager.h"
 #include "nm-act-request.h"
 #include "nm-auth-utils.h"
@ -98,6 +97,7 @@ typedef struct {
    bool updating_dns : 1;

    GArray *ip6_prefix_delegations; /* pool of ip6 prefixes delegated to all devices */
+
 } NMPolicyPrivate;

 struct _NMPolicy {
@ -1845,7 +1845,7 @@ nm_policy_device_recheck_auto_activate_schedule(NMPolicy *self, NMDevice *device

    priv = NM_POLICY_GET_PRIVATE(self);

-    if (nm_manager_get_state(priv->manager) == NM_STATE_ASLEEP)
+    if (nm_manager_get_state(priv->manager) == NM_STATE_DISABLED)
        return;

    if (!nm_device_autoconnect_allowed(device))
@ -2083,65 +2083,6 @@ unblock_autoconnect_for_ports_for_sett_conn(NMPolicy *self, NMSettingsConnection
    unblock_autoconnect_for_ports(self, controller_device, controller_uuid_settings, NULL);
 }

-static void
-refresh_forwarding(NMPolicy *self, NMDevice *device, gboolean is_activated_shared_device)
-{
-    NMActiveConnection *ac;
-    NMDevice           *tmp_device;
-    NMPolicyPrivate    *priv = NM_POLICY_GET_PRIVATE(self);
-    const CList        *tmp_lst;
-    gboolean            any_shared_active = false;
-    gint32              default_forwarding_v4;
-    const char         *new_value = NULL;
-
-    /* FIXME: This implementation is still inefficient because refresh_forwarding()
-     * is called every time a device goes up or down, requiring a full scan of all
-     * active connections to determine if any shared connection is active. */
-    nm_manager_for_each_active_connection (priv->manager, ac, tmp_lst) {
-        NMSettingIPConfig *s_ip;
-        NMDevice          *to_device = nm_active_connection_get_device(ac);
-
-        if (to_device) {
-            s_ip = nm_device_get_applied_setting(to_device, NM_TYPE_SETTING_IP4_CONFIG);
-            if (s_ip) {
-                if (nm_streq0(nm_device_get_effective_ip_config_method(to_device, AF_INET),
-                              NM_SETTING_IP4_CONFIG_METHOD_SHARED)) {
-                    any_shared_active = true;
-                    break;
-                }
-            }
-        }
-    }
-
-    default_forwarding_v4 = nm_platform_sysctl_get_int32(
-        NM_PLATFORM_GET,
-        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"),
-        0);
-
-    new_value = any_shared_active ? "1" : (default_forwarding_v4 ? "1" : "0");
-
-    nm_manager_for_each_device (priv->manager, tmp_device, tmp_lst) {
-        NMDeviceState               state;
-        NMSettingIPConfigForwarding ipv4_forwarding;
-
-        state = nm_device_get_state(tmp_device);
-        if (state != NM_DEVICE_STATE_ACTIVATED)
-            continue;
-
-        ipv4_forwarding = nm_device_get_ipv4_forwarding(tmp_device);
-
-        if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_AUTO
-            || (device == tmp_device && is_activated_shared_device)) {
-            gs_free char *sysctl_value = NULL;
-
-            sysctl_value = nm_device_sysctl_ip_conf_get(tmp_device, AF_INET, "forwarding");
-
-            if (!nm_streq0(sysctl_value, new_value))
-                nm_device_sysctl_ip_conf_set(tmp_device, AF_INET, "forwarding", new_value);
-        }
-    }
-}
-
 static void
 activate_port_or_children_connections(NMPolicy *self,
                                      NMDevice *device,
@ -2288,7 +2229,6 @@ device_state_changed(NMDevice           *device,
    NMActiveConnection   *ac;
    NMSettingsConnection *sett_conn = nm_device_get_settings_connection(device);
    NMSettingConnection  *s_con     = NULL;
-    gboolean              is_activated_shared_device = FALSE;

    switch (nm_device_state_reason_check(reason)) {
    case NM_DEVICE_STATE_REASON_GSM_SIM_PIN_REQUIRED:
@ -2404,10 +2344,6 @@ device_state_changed(NMDevice           *device,
                }
            }
        }
-        if (!nm_device_get_refresh_forwarding_done(device)) {
-            refresh_forwarding(self, device, FALSE);
-            nm_device_set_refresh_forwarding_done(device, TRUE);
-        }
        break;
    case NM_DEVICE_STATE_ACTIVATED:
        if (nm_device_get_device_type(device) == NM_DEVICE_TYPE_OVS_INTERFACE) {
@ -2417,7 +2353,10 @@ device_state_changed(NMDevice           *device,
        }
        if (sett_conn) {
            /* Reset auto retries back to default since connection was successful */
-            nm_manager_devcon_autoconnect_retries_reset(priv->manager, device, sett_conn);
+            nm_manager_devcon_autoconnect_reset_reconnect_all(priv->manager,
+                                                              device,
+                                                              sett_conn,
+                                                              FALSE);
        }

        /* Since there is no guarantee that device_l3cd_changed() is called
@ -2440,20 +2379,11 @@ device_state_changed(NMDevice           *device,
        update_system_hostname(self, "routing and dns", TRUE);
        nm_dns_manager_end_updates(priv->dns_manager, __func__);

-        is_activated_shared_device =
-            nm_streq0(nm_device_get_effective_ip_config_method(device, AF_INET),
-                      NM_SETTING_IP4_CONFIG_METHOD_SHARED);
-        refresh_forwarding(self, device, is_activated_shared_device);
-        nm_device_set_refresh_forwarding_done(device, FALSE);
        break;
    case NM_DEVICE_STATE_UNMANAGED:
    case NM_DEVICE_STATE_UNAVAILABLE:
        if (old_state > NM_DEVICE_STATE_DISCONNECTED)
            update_routing_and_dns(self, FALSE, device);
-        if (!nm_device_get_refresh_forwarding_done(device)) {
-            refresh_forwarding(self, device, FALSE);
-            nm_device_set_refresh_forwarding_done(device, TRUE);
-        }
        break;
    case NM_DEVICE_STATE_DEACTIVATING:
        if (sett_conn) {
@ -2489,10 +2419,6 @@ device_state_changed(NMDevice           *device,
            }
        }
        ip6_remove_device_prefix_delegations(self, device);
-        if (!nm_device_get_refresh_forwarding_done(device)) {
-            refresh_forwarding(self, device, FALSE);
-            nm_device_set_refresh_forwarding_done(device, TRUE);
-        }
        break;
    case NM_DEVICE_STATE_DISCONNECTED:
        g_signal_handlers_disconnect_by_func(device, device_dns_lookup_done, self);
@ -2509,10 +2435,6 @@ device_state_changed(NMDevice           *device,

        /* Device is now available for auto-activation */
        nm_policy_device_recheck_auto_activate_schedule(self, device);
-        if (!nm_device_get_refresh_forwarding_done(device)) {
-            refresh_forwarding(self, device, FALSE);
-            nm_device_set_refresh_forwarding_done(device, TRUE);
-        }
        break;

    case NM_DEVICE_STATE_PREPARE:
@ -2528,10 +2450,6 @@ device_state_changed(NMDevice           *device,
            g_object_weak_unref(G_OBJECT(ac), pending_ac_gone, self);
            g_object_unref(self);
        }
-        if (!nm_device_get_refresh_forwarding_done(device)) {
-            refresh_forwarding(self, device, FALSE);
-            nm_device_set_refresh_forwarding_done(device, TRUE);
-        }
        break;
    case NM_DEVICE_STATE_IP_CONFIG:
        /* We must have secrets if we got here. */
@ -2542,10 +2460,6 @@ device_state_changed(NMDevice           *device,
                sett_conn,
                NM_SETTINGS_AUTOCONNECT_BLOCKED_REASON_FAILED,
                FALSE);
-        if (!nm_device_get_refresh_forwarding_done(device)) {
-            refresh_forwarding(self, device, FALSE);
-            nm_device_set_refresh_forwarding_done(device, TRUE);
-        }
        break;
    case NM_DEVICE_STATE_SECONDARIES:
        if (sett_conn)
--- a/src/core/platform/tests/monitor.c
+++ b/src/core/platform/tests/monitor.c
@ -186,6 +186,7 @@ ip_again:
                               00644,
                               NULL,
                               NULL,
+                               NULL,
                               NULL);

    nm_log_dbg(LOGD_PLATFORM, "dump to file complete");
--- a/src/core/platform/tests/test-link.c
+++ b/src/core/platform/tests/test-link.c
@ -124,6 +124,7 @@ software_add(NMLinkType link_type, const char *name)
        int      r;
        const NMPlatformLnkBond nm_platform_lnk_bond_default = {
            .mode        = nmtst_rand_select(3, 1),
+            .use_carrier = 1,
        };

        r = nm_platform_link_bond_add(NM_PLATFORM_GET, name, &nm_platform_lnk_bond_default, NULL);
--- a/src/core/platform/tests/test-route.c
+++ b/src/core/platform/tests/test-route.c
@ -623,6 +623,79 @@ test_ip4_zero_gateway(void)
    nmtstp_wait_for_signal(NM_PLATFORM_GET, 50);
 }

+static void
+test_via(void)
+{
+    int                ifindex = nm_platform_link_get_ifindex(NM_PLATFORM_GET, DEVICE_NAME);
+    GPtrArray         *routes;
+    NMPlatformIP4Route rts[1];
+    struct in6_addr    gateway6;
+    const int          metric = 22987;
+    NMPlatformIP4Route route4;
+    guint              mss = 1000;
+    in_addr_t          net4;
+
+    /* Test IPv4 routes with a IPv6 gateway (using RTA_VIA attribute) */
+
+    inet_pton(AF_INET6, "fd01::1", &gateway6);
+    inet_pton(AF_INET, "1.2.3.4", &net4);
+
+    /* Add direct route to IPv6 gateway: ip route add dev $DEV fd01::1/128 */
+    nmtstp_ip6_route_add(NM_PLATFORM_GET,
+                         ifindex,
+                         NM_IP_CONFIG_SOURCE_USER,
+                         gateway6,
+                         128,
+                         in6addr_any,
+                         in6addr_any,
+                         metric,
+                         mss);
+    g_assert(nmtstp_ip6_route_get(NM_PLATFORM_GET, ifindex, &gateway6, 128, metric, NULL, 0));
+
+    /* Add IPv4 route via IPv6 gateway: ip route add dev $DEV 1.2.3.4/32 via inet6 fd01::1 */
+    route4 = (NMPlatformIP4Route) {
+        .ifindex         = ifindex,
+        .rt_source       = NM_IP_CONFIG_SOURCE_USER,
+        .network         = net4,
+        .plen            = 32,
+        .metric          = metric,
+        .via.addr_family = AF_INET6,
+        .via.addr.addr6  = gateway6,
+        .mss             = mss,
+    };
+    g_assert(NMTST_NM_ERR_SUCCESS(
+        nm_platform_ip4_route_add(NM_PLATFORM_GET, NMP_NLM_FLAG_REPLACE, &route4, NULL)));
+    g_assert(nmtstp_ip4_route_get(NM_PLATFORM_GET, ifindex, net4, 32, metric, 0));
+
+    /* Test route listing */
+    routes = nmtstp_ip4_route_get_all(NM_PLATFORM_GET, ifindex);
+    g_assert_cmpint(routes->len, ==, 1);
+
+    memset(rts, 0, sizeof(rts));
+    rts[0].rt_source       = nmp_utils_ip_config_source_round_trip_rtprot(NM_IP_CONFIG_SOURCE_USER);
+    rts[0].scope_inv       = nm_platform_route_scope_inv(RT_SCOPE_LINK);
+    rts[0].network         = net4;
+    rts[0].plen            = 32;
+    rts[0].ifindex         = ifindex;
+    rts[0].gateway         = INADDR_ANY;
+    rts[0].metric          = metric;
+    rts[0].mss             = mss;
+    rts[0].via.addr_family = AF_INET6;
+    rts[0].via.addr.addr6  = gateway6;
+    rts[0].n_nexthops      = 1;
+    nmtst_platform_ip4_routes_equal_aptr((const NMPObject *const *) routes->pdata,
+                                         rts,
+                                         routes->len,
+                                         TRUE);
+    g_ptr_array_unref(routes);
+
+    /* Delete routes */
+    g_assert(nmtstp_platform_ip6_route_delete(NM_PLATFORM_GET, ifindex, gateway6, 128, metric));
+    g_assert(!nmtstp_ip6_route_get(NM_PLATFORM_GET, ifindex, &gateway6, 128, metric, NULL, 0));
+    g_assert(nmtstp_platform_ip4_route_delete(NM_PLATFORM_GET, ifindex, net4, 32, metric));
+    g_assert(!nmtstp_ip4_route_get(NM_PLATFORM_GET, ifindex, net4, 32, metric, 0));
+}
+
 static void
 test_ip4_route_options(gconstpointer test_data)
 {
@ -2421,6 +2494,7 @@ _nmtstp_setup_tests(void)
        add_test_func("/route/ip4_route_get", test_ip4_route_get);
        add_test_func("/route/ip6_route_get", test_ip6_route_get);
        add_test_func("/route/ip4_zero_gateway", test_ip4_zero_gateway);
+        add_test_func("/route/via", test_via);
    }

    if (nmtstp_is_root_test()) {
--- a/src/core/settings/nm-settings-storage.h
+++ b/src/core/settings/nm-settings-storage.h
@ -27,6 +27,19 @@

 struct _NMSettingsPlugin;

+/**
+ * NMSettingsStorage:
+ * @_plugin: The settings plugin that provides this storage.
+ * @_uuid: UUID of the profile represented by this storage.
+ * @_filename: Backing filename (can be NULL for in-memory or meta-data).
+ * @_storage_lst: Node in the per-plugin storage list.
+ * @_storage_by_uuid_lst: Node in the per-UUID storage list.
+ *
+ * Describes the origin and identity of one profile instance as provided by a
+ * specific settings plugin and (optionally) a backing file. A single UUID may
+ * have multiple storages from different plugins; plugin order determines
+ * priority.
+ */
 typedef struct NMSettingsStorage {
    GObject                   parent;
    struct _NMSettingsPlugin *_plugin;
--- a/src/core/settings/nm-settings.c
+++ b/src/core/settings/nm-settings.c
@ -76,6 +76,17 @@ static NM_CACHED_QUARK_FCN("default-wired-connection-blocked",

 /*****************************************************************************/

+/**
+ * StorageData:
+ * @sd_lst: Node used in per-UUID storage lists.
+ * @storage: Storage provider instance for this UUID.
+ * @connection: Connection object backed by @storage, or NULL for meta-data.
+ * @prioritize: Request to prioritize this storage during merge.
+ *
+ * Per-UUID storage entry used to accumulate and merge updates from plugins.
+ * Items live temporarily in the dirty list and are merged into the current list
+ * with stable priority ordering.
+ */
 typedef struct _StorageData {
    CList              sd_lst;
    NMSettingsStorage *storage;
@ -165,6 +176,20 @@ _storage_data_is_alive(StorageData *sd)

 /*****************************************************************************/

+/**
+ * SettConnEntry:
+ * @uuid: Normalized UUID key for this entry (points to @_uuid_data).
+ * @sett_conn: Current NMSettingsConnection selected for @uuid, or NULL.
+ * @storage: The storage that currently owns @sett_conn, or NULL.
+ * @sd_lst_head: Head of current storages list for @uuid (high to low priority).
+ * @dirty_sd_lst_head: Head of pending storage updates to merge.
+ * @sce_dirty_lst: Node in the global dirty queue.
+ * @_uuid_data: Inline storage backing @uuid.
+ *
+ * Tracks one connection profile across all storages and its dirty state.
+ * It holds the authoritative in-memory connection and the sets of storages
+ * providing or updating it.
+ */
 typedef struct {
    const char           *uuid;
    NMSettingsConnection *sett_conn;
@ -1372,6 +1397,7 @@ _connection_changed_track(NMSettings        *self,
    SettConnEntry        *sett_conn_entry;
    StorageData          *sd;
    const char           *uuid;
+    gs_free_error GError *error = NULL;

    nm_assert_valid_settings_storage(NULL, storage);

@ -1382,6 +1408,17 @@ _connection_changed_track(NMSettings        *self,
              || (_nm_connection_verify(connection, NULL) == NM_SETTING_VERIFY_SUCCESS));
    nm_assert(!connection || nm_streq0(uuid, nm_connection_get_uuid(connection)));

+    if (connection && !nm_utils_connection_supported(connection, &error)) {
+        _LOGD("storage[%s," NM_SETTINGS_STORAGE_PRINT_FMT
+              "]: ignoring connection \"%s\" from file \"%s\": %s",
+              uuid,
+              NM_SETTINGS_STORAGE_PRINT_ARG(storage),
+              nm_connection_get_id(connection),
+              nm_settings_storage_get_filename(storage),
+              error->message);
+        connection = NULL;
+    }
+
    nm_assert_connection_unchanging(connection);

    sett_conn_entry =
@ -1851,6 +1888,9 @@ nm_settings_add_connection(NMSettings                     *self,

    NM_SET_OUT(out_sett_conn, NULL);

+    if (!nm_utils_connection_supported(connection, error))
+        return FALSE;
+
    uuid = nm_connection_get_uuid(connection);

    sett_conn_entry = _sett_conn_entries_get(self, uuid);
--- a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@ -77,7 +77,7 @@ get_full_file_path(const char *ifcfg_path, const char *file_path)
 {
    const char   *base    = file_path;
    gs_free char *dirname = NULL;
-    char         *p;
+    const char   *p;

    g_return_val_if_fail(ifcfg_path != NULL, NULL);
    g_return_val_if_fail(file_path != NULL, NULL);
@ -2058,6 +2058,7 @@ make_ip4_setting(shvarFile *ifcfg,
        for (i = 1; i < 10000; i++) {
            NMDnsServer           dns;
            char                  tag[256];
+            gs_free_error GError *local = NULL;

            numbered_tag(tag, "DNS", i);
            nm_clear_g_free(&value);
@ -2065,12 +2066,13 @@ make_ip4_setting(shvarFile *ifcfg,
            if (!v)
                break;

-            if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns)) {
+            if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns, &local)) {
                g_set_error(error,
                            NM_SETTINGS_ERROR,
                            NM_SETTINGS_ERROR_INVALID_CONNECTION,
-                            "Invalid DNS server address '%s'",
-                            v);
+                            "Invalid DNS server address '%s': %s",
+                            v,
+                            local->message);
                return NULL;
            }

@ -2607,6 +2609,7 @@ make_ip6_setting(shvarFile *ifcfg, shvarFile *network_ifcfg, gboolean routes_rea
     * Pick up just IPv6 addresses (IPv4 addresses are taken by make_ip4_setting())
     */
    for (i = 1; i < 10000; i++) {
+        gs_free_error GError *err = NULL;
        NMDnsServer           dns;
        char                  tag[256];

@ -2616,14 +2619,15 @@ make_ip6_setting(shvarFile *ifcfg, shvarFile *network_ifcfg, gboolean routes_rea
        if (!v)
            break;

-        if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns)) {
+        if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns, &err)) {
            if (is_disabled)
                continue;
            g_set_error(error,
                        NM_SETTINGS_ERROR,
                        NM_SETTINGS_ERROR_INVALID_CONNECTION,
-                        "Invalid DNS server address '%s'",
-                        v);
+                        "Invalid DNS server address '%s': %s",
+                        v,
+                        err->message);
            return NULL;
        }
        if (dns.addr_family == AF_INET6) {
--- a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@ -320,6 +320,7 @@ write_blobs(GHashTable *blobs, GError **error)
                                        0600,
                                        NULL,
                                        NULL,
+                                        NULL,
                                        &write_error)) {
            g_set_error(error,
                        NM_SETTINGS_ERROR,
@ -3626,6 +3627,14 @@ do_write_construct(NMConnection                   *connection,

    write_ip_routing_rules(connection, ifcfg, route_ignore);

+    if (nm_setting_connection_get_dnssec(s_con) != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
+        set_error_unsupported(error,
+                              connection,
+                              NM_SETTING_CONNECTION_SETTING_NAME "." NM_SETTING_CONNECTION_DNSSEC,
+                              TRUE);
+        return FALSE;
+    }
+
    write_connection_setting(s_con, ifcfg, interface_name);

    NM_SET_OUT(out_ifcfg, g_steal_pointer(&ifcfg));
--- a/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
+++ b/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
@ -280,6 +280,7 @@ nms_keyfile_nmmeta_write(const char *dirname,
                                        length,
                                        0600,
                                        NULL,
+                                        NULL,
                                        &errsv,
                                        NULL)) {
            NM_SET_OUT(out_full_filename, g_steal_pointer(&full_filename_tmp));
--- a/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
+++ b/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
@ -133,6 +133,7 @@ cert_writer(NMConnection                     *connection,
                                             0600,
                                             NULL,
                                             NULL,
+                                             NULL,
                                             &local);
        if (success) {
            /* Write the path value to the keyfile.
@ -384,7 +385,14 @@ _internal_write_connection(NMConnection                   *connection,
        }
    }

-    nm_utils_file_set_contents(path, kf_content_buf, kf_content_len, 0600, NULL, NULL, &local_err);
+    nm_utils_file_set_contents(path,
+                               kf_content_buf,
+                               kf_content_len,
+                               0600,
+                               NULL,
+                               NULL,
+                               NULL,
+                               &local_err);
    if (local_err) {
        g_set_error(error,
                    NM_SETTINGS_ERROR,
--- a/src/core/settings/plugins/keyfile/tests/keyfiles/Test_Write_GSM
+++ b/src/core/settings/plugins/keyfile/tests/keyfiles/Test_Write_GSM
@ -8,6 +8,7 @@ timestamp=305415219
 [gsm]
 apn=internet2.voicestream.com
 device-id=da812de91eec16620b06cd0ca5cbc7ea25245222
+device-uid=MODEM1
 home-only=true
 network-id=254098
 password=parliament2
--- a/src/core/settings/plugins/keyfile/tests/test-keyfile-settings.c
+++ b/src/core/settings/plugins/keyfile/tests/test-keyfile-settings.c
@ -1408,6 +1408,8 @@ test_write_gsm_connection(void)
                 "89148000000060671234",
                 NM_SETTING_GSM_SIM_OPERATOR_ID,
                 "310260",
+                 NM_SETTING_GSM_DEVICE_UID,
+                 "MODEM1",
                 NULL);

    write_test_connection_and_reread(connection, TRUE, TEST_KEYFILES_DIR "/Test_Write_GSM");
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -30,6 +30,7 @@ typedef struct {
 typedef struct {
    GHashTable    *config;
    GHashTable    *blobs;
+    char          *private_user;
    NMSupplCapMask capabilities;
    guint32        ap_scan;
    bool           fast_required : 1;
@ -60,7 +61,7 @@ _get_capability(NMSupplicantConfigPrivate *priv, NMSupplCapType type)
 }

 NMSupplicantConfig *
-nm_supplicant_config_new(NMSupplCapMask capabilities)
+nm_supplicant_config_new(NMSupplCapMask capabilities, const char *private_user)
 {
    NMSupplicantConfigPrivate *priv;
    NMSupplicantConfig        *self;
@ -69,6 +70,7 @@ nm_supplicant_config_new(NMSupplCapMask capabilities)
    priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);

    priv->capabilities = capabilities;
+    priv->private_user = g_strdup(private_user);

    return self;
 }
@ -258,19 +260,19 @@ static gboolean
 nm_supplicant_config_add_blob_for_connection(NMSupplicantConfig *self,
                                             GBytes             *field,
                                             const char         *name,
-                                             const char         *con_uid,
+                                             const char         *con_uuid,
                                             GError            **error)
 {
    if (field && g_bytes_get_size(field)) {
-        gs_free char *uid = NULL;
+        gs_free char *blob_id = NULL;
        char         *p;

-        uid = g_strdup_printf("%s-%s", con_uid, name);
-        for (p = uid; *p; p++) {
+        blob_id = g_strdup_printf("%s-%s", con_uuid, name);
+        for (p = blob_id; *p; p++) {
            if (*p == '/')
                *p = '-';
        }
-        if (!nm_supplicant_config_add_blob(self, name, field, uid, error))
+        if (!nm_supplicant_config_add_blob(self, name, field, blob_id, error))
            return FALSE;
    }
    return TRUE;
@ -283,6 +285,7 @@ nm_supplicant_config_finalize(GObject *object)

    g_hash_table_destroy(priv->config);
    nm_clear_pointer(&priv->blobs, g_hash_table_destroy);
+    nm_clear_pointer(&priv->private_user, g_free);

    G_OBJECT_CLASS(nm_supplicant_config_parent_class)->finalize(object);
 }
@ -930,6 +933,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                   guint32                       mtu,
                                                   NMSettingWirelessSecurityPmf  pmf,
                                                   NMSettingWirelessSecurityFils fils,
+                                                   GHashTable                   *files,
                                                   GError                      **error)
 {
    NMSupplicantConfigPrivate    *priv          = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
@ -1012,7 +1016,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
        if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SAE)
            && _get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)
            && _get_capability(priv, NM_SUPPL_CAP_TYPE_BIP)
-            && (!is_ap || pmf != NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE)) {
+            && (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE)) {
            g_string_append(key_mgmt_conf, " SAE");
            if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
                g_string_append(key_mgmt_conf, " FT-SAE");
@ -1284,6 +1288,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                        con_uuid,
                                                        mtu,
                                                        FALSE,
+                                                        files,
                                                        error))
                return FALSE;
        }
@ -1365,6 +1370,7 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
                                       const char         *con_uuid,
                                       guint32             mtu,
                                       gboolean            wired,
+                                       GHashTable         *files,
                                       GError            **error)
 {
    NMSupplicantConfigPrivate    *priv;
@ -1594,24 +1600,21 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    }

    /* CA certificate */
+    path  = NULL;
+    bytes = NULL;
    if (ca_cert_override) {
-        if (!add_string_val(self, ca_cert_override, "ca_cert", FALSE, NULL, error))
-            return FALSE;
+        /* This is a build-time-configured system-wide file path, no need to pass
+         * it as a blob */
+        path = ca_cert_override;
    } else {
        switch (nm_setting_802_1x_get_ca_cert_scheme(setting)) {
        case NM_SETTING_802_1X_CK_SCHEME_BLOB:
            bytes = nm_setting_802_1x_get_ca_cert_blob(setting);
-            if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                              bytes,
-                                                              "ca_cert",
-                                                              con_uuid,
-                                                              error))
-                return FALSE;
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PATH:
            path = nm_setting_802_1x_get_ca_cert_path(setting);
-            if (!add_string_val(self, path, "ca_cert", FALSE, NULL, error))
-                return FALSE;
+            if (priv->private_user)
+                bytes = nm_g_hash_table_lookup(files, path);
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
            if (!add_pkcs11_uri_with_pin(self,
@ -1627,26 +1630,32 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            break;
        }
    }
+    if (bytes) {
+        if (!nm_supplicant_config_add_blob_for_connection(self, bytes, "ca_cert", con_uuid, error))
+            return FALSE;
+    } else if (path) {
+        /* Private connections cannot use paths other than the system CA store */
+        g_return_val_if_fail(ca_cert_override || !priv->private_user, FALSE);
+        if (!add_string_val(self, path, "ca_cert", FALSE, NULL, error))
+            return FALSE;
+    }

    /* Phase 2 CA certificate */
+    path  = NULL;
+    bytes = NULL;
    if (ca_cert_override) {
-        if (!add_string_val(self, ca_cert_override, "ca_cert2", FALSE, NULL, error))
-            return FALSE;
+        /* This is a build-time-configured system-wide file path, no need to pass
+         * it as a blob */
+        path = ca_cert_override;
    } else {
        switch (nm_setting_802_1x_get_phase2_ca_cert_scheme(setting)) {
        case NM_SETTING_802_1X_CK_SCHEME_BLOB:
            bytes = nm_setting_802_1x_get_phase2_ca_cert_blob(setting);
-            if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                              bytes,
-                                                              "ca_cert2",
-                                                              con_uuid,
-                                                              error))
-                return FALSE;
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PATH:
            path = nm_setting_802_1x_get_phase2_ca_cert_path(setting);
-            if (!add_string_val(self, path, "ca_cert2", FALSE, NULL, error))
-                return FALSE;
+            if (priv->private_user)
+                bytes = nm_g_hash_table_lookup(files, path);
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
            if (!add_pkcs11_uri_with_pin(
@ -1663,6 +1672,15 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            break;
        }
    }
+    if (bytes) {
+        if (!nm_supplicant_config_add_blob_for_connection(self, bytes, "ca_cert2", con_uuid, error))
+            return FALSE;
+    } else if (path) {
+        /* Private connections cannot use paths other than the system CA store */
+        g_return_val_if_fail(ca_cert_override || !priv->private_user, FALSE);
+        if (!add_string_val(self, path, "ca_cert2", FALSE, NULL, error))
+            return FALSE;
+    }

    /* Subject match */
    value = nm_setting_802_1x_get_subject_match(setting);
@ -1714,21 +1732,17 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,

    /* Private key */
    added = FALSE;
+    path  = NULL;
+    bytes = NULL;
    switch (nm_setting_802_1x_get_private_key_scheme(setting)) {
    case NM_SETTING_802_1X_CK_SCHEME_BLOB:
        bytes = nm_setting_802_1x_get_private_key_blob(setting);
-        if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                          bytes,
-                                                          "private_key",
-                                                          con_uuid,
-                                                          error))
-            return FALSE;
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PATH:
        path = nm_setting_802_1x_get_private_key_path(setting);
-        if (!add_string_val(self, path, "private_key", FALSE, NULL, error))
-            return FALSE;
+        if (priv->private_user)
+            bytes = nm_g_hash_table_lookup(files, path);
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
@ -1745,6 +1759,19 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    default:
        break;
    }
+    if (bytes) {
+        if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                          bytes,
+                                                          "private_key",
+                                                          con_uuid,
+                                                          error))
+            return FALSE;
+    } else if (path) {
+        /* Private connections cannot use paths */
+        g_return_val_if_fail(!priv->private_user, FALSE);
+        if (!add_string_val(self, path, "private_key", FALSE, NULL, error))
+            return FALSE;
+    }

    if (added) {
        NMSetting8021xCKFormat format;
@ -1768,20 +1795,16 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            /* Only add the client cert if the private key is not PKCS#12, as
             * wpa_supplicant configuration directs us to do.
             */
+            path  = NULL;
+            bytes = NULL;
            switch (nm_setting_802_1x_get_client_cert_scheme(setting)) {
            case NM_SETTING_802_1X_CK_SCHEME_BLOB:
                bytes = nm_setting_802_1x_get_client_cert_blob(setting);
-                if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                                  bytes,
-                                                                  "client_cert",
-                                                                  con_uuid,
-                                                                  error))
-                    return FALSE;
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PATH:
                path = nm_setting_802_1x_get_client_cert_path(setting);
-                if (!add_string_val(self, path, "client_cert", FALSE, NULL, error))
-                    return FALSE;
+                if (priv->private_user)
+                    bytes = nm_g_hash_table_lookup(files, path);
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
                if (!add_pkcs11_uri_with_pin(
@ -1797,26 +1820,35 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            default:
                break;
            }
+            if (bytes) {
+                if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                                  bytes,
+                                                                  "client_cert",
+                                                                  con_uuid,
+                                                                  error))
+                    return FALSE;
+            } else if (path) {
+                /* Private connections cannot use paths */
+                g_return_val_if_fail(!priv->private_user, FALSE);
+                if (!add_string_val(self, path, "client_cert", FALSE, NULL, error))
+                    return FALSE;
+            }
        }
    }

    /* Phase 2 private key */
    added = FALSE;
+    path  = NULL;
+    bytes = NULL;
    switch (nm_setting_802_1x_get_phase2_private_key_scheme(setting)) {
    case NM_SETTING_802_1X_CK_SCHEME_BLOB:
        bytes = nm_setting_802_1x_get_phase2_private_key_blob(setting);
-        if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                          bytes,
-                                                          "private_key2",
-                                                          con_uuid,
-                                                          error))
-            return FALSE;
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PATH:
        path = nm_setting_802_1x_get_phase2_private_key_path(setting);
-        if (!add_string_val(self, path, "private_key2", FALSE, NULL, error))
-            return FALSE;
+        if (priv->private_user)
+            bytes = nm_g_hash_table_lookup(files, path);
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
@ -1834,6 +1866,19 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    default:
        break;
    }
+    if (bytes) {
+        if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                          bytes,
+                                                          "private_key2",
+                                                          con_uuid,
+                                                          error))
+            return FALSE;
+    } else if (path) {
+        /* Private connections cannot use paths */
+        g_return_val_if_fail(!priv->private_user, FALSE);
+        if (!add_string_val(self, path, "private_key2", FALSE, NULL, error))
+            return FALSE;
+    }

    if (added) {
        NMSetting8021xCKFormat format;
@ -1857,20 +1902,16 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            /* Only add the client cert if the private key is not PKCS#12, as
             * wpa_supplicant configuration directs us to do.
             */
+            path  = NULL;
+            bytes = NULL;
            switch (nm_setting_802_1x_get_phase2_client_cert_scheme(setting)) {
            case NM_SETTING_802_1X_CK_SCHEME_BLOB:
                bytes = nm_setting_802_1x_get_phase2_client_cert_blob(setting);
-                if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                                  bytes,
-                                                                  "client_cert2",
-                                                                  con_uuid,
-                                                                  error))
-                    return FALSE;
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PATH:
                path = nm_setting_802_1x_get_phase2_client_cert_path(setting);
-                if (!add_string_val(self, path, "client_cert2", FALSE, NULL, error))
-                    return FALSE;
+                if (priv->private_user)
+                    bytes = nm_g_hash_table_lookup(files, path);
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
                if (!add_pkcs11_uri_with_pin(
@ -1886,6 +1927,19 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            default:
                break;
            }
+            if (bytes) {
+                if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                                  bytes,
+                                                                  "client_cert2",
+                                                                  con_uuid,
+                                                                  error))
+                    return FALSE;
+            } else if (path) {
+                /* Private connections cannot use paths */
+                g_return_val_if_fail(!priv->private_user, FALSE);
+                if (!add_string_val(self, path, "client_cert2", FALSE, NULL, error))
+                    return FALSE;
+            }
        }
    }

--- a/src/core/supplicant/nm-supplicant-config.h
+++ b/src/core/supplicant/nm-supplicant-config.h
@ -29,7 +29,7 @@ typedef struct _NMSupplicantConfigClass NMSupplicantConfigClass;

 GType nm_supplicant_config_get_type(void);

-NMSupplicantConfig *nm_supplicant_config_new(NMSupplCapMask capabilities);
+NMSupplicantConfig *nm_supplicant_config_new(NMSupplCapMask capabilities, const char *private_user);

 guint32 nm_supplicant_config_get_ap_scan(NMSupplicantConfig *self);

@ -57,6 +57,7 @@ gboolean nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                            guint32         mtu,
                                                            NMSettingWirelessSecurityPmf  pmf,
                                                            NMSettingWirelessSecurityFils fils,
+                                                            GHashTable                   *files,
                                                            GError                      **error);

 gboolean nm_supplicant_config_add_no_security(NMSupplicantConfig *self, GError **error);
@ -66,6 +67,7 @@ gboolean nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
                                                const char         *con_uuid,
                                                guint32             mtu,
                                                gboolean            wired,
+                                                GHashTable         *files,
                                                GError            **error);

 gboolean nm_supplicant_config_add_setting_macsec(NMSupplicantConfig    *self,
--- a/src/core/supplicant/nm-supplicant-interface.c
+++ b/src/core/supplicant/nm-supplicant-interface.c
@ -46,6 +46,7 @@ typedef struct {
    gpointer                     user_data;
    guint                        fail_on_idle_id;
    guint                        blobs_left;
+    guint                        remove_blobs_left;
    guint                        calls_left;
    struct _AddNetworkData      *add_network_data;
 } AssocData;
@ -65,6 +66,8 @@ enum {
    WPS_CREDENTIALS, /* WPS credentials received */
    GROUP_STARTED,   /* a new Group (interface) was created */
    GROUP_FINISHED,  /* a Group (interface) has been finished */
+    PSK_MISMATCH,    /* supplicant reported incorrect PSK */
+    SAE_MISMATCH,    /* supplicant reported incorrect SAE Password */
    LAST_SIGNAL
 };

@ -2264,6 +2267,7 @@ assoc_add_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
        return;
    }

+    nm_assert(priv->assoc_data->blobs_left > 0);
    priv->assoc_data->blobs_left--;
    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: blob added (%u left)",
          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
@ -2272,6 +2276,148 @@ assoc_add_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
        assoc_call_select_network(self);
 }

+static void
+assoc_add_blobs(NMSupplicantInterface *self)
+{
+    NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
+    GHashTable                   *blobs;
+    GHashTableIter                iter;
+    const char                   *blob_name;
+    GBytes                       *blob_data;
+
+    blobs                        = nm_supplicant_config_get_blobs(priv->assoc_data->cfg);
+    priv->assoc_data->blobs_left = nm_g_hash_table_size(blobs);
+
+    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: need to add %u blobs",
+          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+          priv->assoc_data->blobs_left);
+
+    if (priv->assoc_data->blobs_left == 0) {
+        assoc_call_select_network(self);
+        return;
+    }
+
+    g_hash_table_iter_init(&iter, blobs);
+    while (g_hash_table_iter_next(&iter, (gpointer) &blob_name, (gpointer) &blob_data)) {
+        _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: adding blob '%s'",
+              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+              blob_name);
+        _dbus_connection_call(
+            self,
+            NM_WPAS_DBUS_IFACE_INTERFACE,
+            "AddBlob",
+            g_variant_new("(s@ay)", blob_name, nm_g_bytes_to_variant_ay(blob_data)),
+            G_VARIANT_TYPE("()"),
+            G_DBUS_CALL_FLAGS_NONE,
+            DBUS_TIMEOUT_MSEC,
+            priv->assoc_data->cancellable,
+            assoc_add_blob_cb,
+            self);
+    }
+}
+
+static void
+assoc_remove_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
+{
+    NMSupplicantInterface        *self;
+    NMSupplicantInterfacePrivate *priv;
+    gs_free_error GError         *error = NULL;
+    gs_unref_variant GVariant    *res   = NULL;
+
+    res = g_dbus_connection_call_finish(G_DBUS_CONNECTION(source), result, &error);
+    if (nm_utils_error_is_cancelled(error))
+        return;
+
+    self = NM_SUPPLICANT_INTERFACE(user_data);
+    priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
+
+    /* We don't consider a failure fatal. The new association might be able
+     * to proceed even with the existing blobs, if they don't conflict with new
+     * ones. */
+
+    nm_assert(priv->assoc_data->remove_blobs_left > 0);
+    priv->assoc_data->remove_blobs_left--;
+
+    if (error) {
+        g_dbus_error_strip_remote_error(error);
+        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to delete blob: %s",
+              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+              error->message);
+    } else {
+        _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: blob removed (%u left)",
+              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+              priv->assoc_data->remove_blobs_left);
+    }
+
+    if (priv->assoc_data->remove_blobs_left == 0)
+        assoc_add_blobs(self);
+}
+
+static void
+assoc_get_blobs_cb(GObject *source, GAsyncResult *result, gpointer user_data)
+{
+    NMSupplicantInterface        *self;
+    NMSupplicantInterfacePrivate *priv;
+    gs_free_error GError         *error = NULL;
+    gs_unref_variant GVariant    *res   = NULL;
+    gs_unref_variant GVariant    *value = NULL;
+    GVariantIter                  iter;
+    const char                   *blob_name;
+    GVariant                     *blob_data;
+
+    res = g_dbus_connection_call_finish(G_DBUS_CONNECTION(source), result, &error);
+    if (nm_utils_error_is_cancelled(error))
+        return;
+
+    self = NM_SUPPLICANT_INTERFACE(user_data);
+    priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
+
+    if (error) {
+        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to get blob list: %s",
+              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+              error->message);
+        assoc_add_blobs(self);
+        return;
+    }
+
+    g_variant_get(res, "(v)", &value);
+
+    /* While the "Blobs" property is documented as type "as", it is actually "a{say}" */
+    if (!value || !g_variant_is_of_type(value, G_VARIANT_TYPE("a{say}"))) {
+        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to get blob list: wrong return type %s",
+              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+              value ? g_variant_get_type_string(value) : "NULL");
+        assoc_add_blobs(self);
+        return;
+    }
+
+    g_variant_iter_init(&iter, value);
+    priv->assoc_data->remove_blobs_left = g_variant_iter_n_children(&iter);
+    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: need to delete %u blobs",
+          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+          priv->assoc_data->remove_blobs_left);
+
+    if (priv->assoc_data->remove_blobs_left == 0) {
+        assoc_add_blobs(self);
+    } else {
+        while (g_variant_iter_loop(&iter, "{&s@ay}", &blob_name, &blob_data)) {
+            _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: removing blob '%s'",
+                  NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+                  blob_name);
+            _dbus_connection_call(self,
+                                  NM_WPAS_DBUS_IFACE_INTERFACE,
+                                  "RemoveBlob",
+                                  g_variant_new("(s)", blob_name),
+                                  G_VARIANT_TYPE("()"),
+                                  G_DBUS_CALL_FLAGS_NONE,
+                                  DBUS_TIMEOUT_MSEC,
+                                  priv->assoc_data->cancellable,
+                                  assoc_remove_blob_cb,
+                                  self);
+        }
+    }
+}
+
 static void
 assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
 {
@ -2281,10 +2427,6 @@ assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
    NMSupplicantInterfacePrivate   *priv;
    gs_unref_variant GVariant      *res         = NULL;
    gs_free_error GError           *error       = NULL;
-    GHashTable                     *blobs;
-    GHashTableIter                  iter;
-    const char                     *blob_name;
-    GBytes                         *blob_data;
    nm_auto_ref_string NMRefString *name_owner  = NULL;
    nm_auto_ref_string NMRefString *object_path = NULL;

@ -2336,34 +2478,21 @@ assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
    nm_assert(!priv->net_path);
    g_variant_get(res, "(o)", &priv->net_path);

-    /* Send blobs first; otherwise jump to selecting the network */
-    blobs                        = nm_supplicant_config_get_blobs(priv->assoc_data->cfg);
-    priv->assoc_data->blobs_left = blobs ? g_hash_table_size(blobs) : 0u;
-
-    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: network added (%s) (%u blobs left)",
+    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: network added (%s)",
          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-          priv->net_path,
-          priv->assoc_data->blobs_left);
+          priv->net_path);

-    if (priv->assoc_data->blobs_left == 0) {
-        assoc_call_select_network(self);
-        return;
-    }
-
-    g_hash_table_iter_init(&iter, blobs);
-    while (g_hash_table_iter_next(&iter, (gpointer) &blob_name, (gpointer) &blob_data)) {
-        _dbus_connection_call(
-            self,
-            NM_WPAS_DBUS_IFACE_INTERFACE,
-            "AddBlob",
-            g_variant_new("(s@ay)", blob_name, nm_g_bytes_to_variant_ay(blob_data)),
-            G_VARIANT_TYPE("()"),
+    /* Delete any existing blobs before adding new ones */
+    _dbus_connection_call(self,
+                          DBUS_INTERFACE_PROPERTIES,
+                          "Get",
+                          g_variant_new("(ss)", NM_WPAS_DBUS_IFACE_INTERFACE, "Blobs"),
+                          G_VARIANT_TYPE("(v)"),
                          G_DBUS_CALL_FLAGS_NONE,
                          DBUS_TIMEOUT_MSEC,
                          priv->assoc_data->cancellable,
-            assoc_add_blob_cb,
+                          assoc_get_blobs_cb,
                          self);
-    }
 }

 static void
@ -3105,6 +3234,15 @@ _signal_handle(NMSupplicantInterface *self,
            return;
        }

+        if (nm_streq(signal_name, "PskMismatch")) {
+            g_signal_emit(self, signals[PSK_MISMATCH], 0);
+            return;
+        }
+
+        if (nm_streq(signal_name, "SaePasswordMismatch")) {
+            g_signal_emit(self, signals[SAE_MISMATCH], 0);
+            return;
+        }
        return;
    }

@ -3737,4 +3875,23 @@ nm_supplicant_interface_class_init(NMSupplicantInterfaceClass *klass)
                                           G_TYPE_NONE,
                                           1,
                                           G_TYPE_STRING);
+
+    signals[PSK_MISMATCH] = g_signal_new(NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
+                                         G_OBJECT_CLASS_TYPE(object_class),
+                                         G_SIGNAL_RUN_LAST,
+                                         0,
+                                         NULL,
+                                         NULL,
+                                         NULL,
+                                         G_TYPE_NONE,
+                                         0);
+    signals[SAE_MISMATCH] = g_signal_new(NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
+                                         G_OBJECT_CLASS_TYPE(object_class),
+                                         G_SIGNAL_RUN_LAST,
+                                         0,
+                                         NULL,
+                                         NULL,
+                                         NULL,
+                                         G_TYPE_NONE,
+                                         0);
 }
--- a/src/core/supplicant/nm-supplicant-interface.h
+++ b/src/core/supplicant/nm-supplicant-interface.h
@ -86,6 +86,8 @@ typedef enum {
 #define NM_SUPPLICANT_INTERFACE_WPS_CREDENTIALS "wps-credentials"
 #define NM_SUPPLICANT_INTERFACE_GROUP_STARTED   "group-started"
 #define NM_SUPPLICANT_INTERFACE_GROUP_FINISHED  "group-finished"
+#define NM_SUPPLICANT_INTERFACE_PSK_MISMATCH    "wpa-psk-mismatch"
+#define NM_SUPPLICANT_INTERFACE_SAE_MISMATCH    "wpa-sae-password-mismatch"

 typedef struct _NMSupplicantInterfaceClass NMSupplicantInterfaceClass;

--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@ -212,18 +212,19 @@ validate_type_utf8(const struct Opt *opt, const char *value, const guint32 len)
 }

 static gboolean
-validate_type_keyword(const struct Opt *opt, const char *value, const guint32 len)
+validate_type_keyword(const struct Opt *opt, const char *value_in, const guint32 len)
 {
    gs_free char *value_free = NULL;
+    char         *value;

    nm_assert(opt);
-    nm_assert(value);
+    nm_assert(value_in);

    /* Allow everything */
    if (!opt->str_allowed)
        return TRUE;

-    value = nm_strndup_a(300, value, len, &value_free);
+    value = nm_strndup_a(300, value_in, len, &value_free);

    /* validate each space-separated word in 'value' */

--- a/src/core/supplicant/tests/test-supplicant-config.c
+++ b/src/core/supplicant/tests/test-supplicant-config.c
@ -98,7 +98,8 @@ build_supplicant_config(NMConnection  *connection,
    NMSetting8021x                     *s_8021x;
    gboolean                            success;

-    config = nm_supplicant_config_new(capabilities);
+    config = nm_supplicant_config_new(capabilities,
+                                      nm_utils_get_connection_first_permissions_user(connection));

    s_wifi = nm_connection_get_setting_wireless(connection);
    g_assert(s_wifi);
@ -120,6 +121,7 @@ build_supplicant_config(NMConnection  *connection,
                                                               mtu,
                                                               pmf,
                                                               fils,
+                                                               NULL,
                                                               &error);
    } else {
        success = nm_supplicant_config_add_no_security(config, &error);
--- a/src/core/tests/config/global-dns-empty.conf
+++ b/src/core/tests/config/global-dns-empty.conf
@ -0,0 +1,3 @@
+# Good configuration, an empty global-dns section must be valid
+
+[global-dns]
--- a/src/core/tests/config/global-dns-not-set.conf
+++ b/src/core/tests/config/global-dns-not-set.conf
@ -0,0 +1,5 @@
+# Good configuration, an empty [global-dns] must be implicitly assumed because a domain is defined
+
+[global-dns-domain-*]
+servers=4.5.6.7
+options=myoption1
--- a/Show more
+++ b/Show more