release: bump version to 1.52.2

std-aux: use _nm_strerror_r
The function strerror_r returns an int per POSIX spec, but GNU version returns char *. Using it fails the compilation in Alpine, so use _nm_strerror_r instead that handles both cases. Fixes: 41e28b900f ('daemon-helper: add read-file-as-user') (cherry picked from commit 599cc1ed1d) (cherry picked from commit ea759ccf3a) (cherry picked from commit c8384fd528)
2026-05-05 01:47:58 +02:00 · 2025-12-12 20:15:51 +01:00 · 2025-12-12 15:41:44 +01:00 · 2025-12-12 13:03:19 +00:00 · 2025-12-12 13:35:53 +01:00 · 2025-12-12 13:35:39 +01:00
516 changed files with 50872 additions and 86260 deletions
--- a/.gitignore
+++ b/.gitignore
@ -81,11 +81,9 @@ test-*.trs
 /data/org.freedesktop.NetworkManager.service
 /data/server.conf
 /data/org.freedesktop.NetworkManager.policy
 /data/org.freedesktop.NetworkManager.policy.in
 /data/nm-sudo.service
 /data/nm-priv-helper.service
 /data/NetworkManager-config-initrd.service
 /data/NetworkManager-initrd.service
 /data/NetworkManager-wait-online-initrd.service
 /docs/api/version.xml
 /docs/api/settings-spec.html
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -60,11 +60,11 @@ variables:
  #
  # This is done by running `ci-fairy generate-template` and possibly bumping
  # ".default_tag".
-  ALPINE_TAG:  'tag-8e4bbc59695b'
+  ALPINE_TAG:  'tag-672dcdb2e2bf'
-  CENTOS_TAG:  'tag-caf6673db1a7'
+  CENTOS_TAG:  'tag-d7d348d344cf'
-  DEBIAN_TAG:  'tag-e394e8e726e1'
+  DEBIAN_TAG:  'tag-217545cfdeb1'
-  FEDORA_TAG:  'tag-caf6673db1a7'
+  FEDORA_TAG:  'tag-d7d348d344cf'
-  UBUNTU_TAG:  'tag-e394e8e726e1'
+  UBUNTU_TAG:  'tag-217545cfdeb1'
  ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
  CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@ -114,55 +114,13 @@ tier1:fedora:42@prep:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule' || $SCHEDULED_PIPELINE_NAME == "weekly"
-tier2:fedora:rawhide@prep:
+tier2:ubuntu:25.04@prep:
  extends:
    - .fdo.container-build@fedora
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'rawhide'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:centos:stream10@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:centos:stream9@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream9'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:ubuntu:devel@prep:
  extends:
    - .fdo.container-build@ubuntu
  stage: prep
  variables:
    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'devel'
+    FDO_DISTRIBUTION_VERSION: '25.04'
    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
    FDO_DISTRIBUTION_EXEC: $UBUNTU_EXEC
  rules:
@ -170,13 +128,13 @@ tier2:ubuntu:devel@prep:
      when: manual
      allow_failure: true
-tier2:debian:testing@prep:
+tier2:debian:13@prep:
  extends:
    - .fdo.container-build@debian
  stage: prep
  variables:
    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'testing'
+    FDO_DISTRIBUTION_VERSION: '13'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
  rules:
@ -184,27 +142,13 @@ tier2:debian:testing@prep:
      when: manual
      allow_failure: true
-tier2:debian:sid@prep:
+tier2:alpine:3.22@prep:
  extends:
    - .fdo.container-build@debian
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'sid'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier2:alpine:edge@prep:
  extends:
    - .fdo.container-build@alpine
  stage: prep
  variables:
    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'edge'
+    FDO_DISTRIBUTION_VERSION: '3.22'
    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
    FDO_DISTRIBUTION_EXEC: $ALPINE_EXEC
  rules:
@ -212,20 +156,6 @@ tier2:alpine:edge@prep:
      when: manual
      allow_failure: true
 tier3:fedora:43@prep:
  extends:
    - .fdo.container-build@fedora
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '43'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:fedora:41@prep:
  extends:
    - .fdo.container-build@fedora
@ -240,20 +170,6 @@ tier3:fedora:41@prep:
      when: manual
      allow_failure: true
 tier3:ubuntu:25.04@prep:
  extends:
    - .fdo.container-build@ubuntu
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '25.04'
    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
    FDO_DISTRIBUTION_EXEC: $UBUNTU_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:ubuntu:24.04@prep:
  extends:
    - .fdo.container-build@ubuntu
@ -282,20 +198,6 @@ tier3:ubuntu:22.04@prep:
      when: manual
      allow_failure: true
 tier3:debian:13@prep:
  extends:
    - .fdo.container-build@debian
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '13'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:debian:12@prep:
  extends:
    - .fdo.container-build@debian
@ -310,20 +212,6 @@ tier3:debian:12@prep:
      when: manual
      allow_failure: true
 tier3:alpine:3.22@prep:
  extends:
    - .fdo.container-build@alpine
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: '3.22'
    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
    FDO_DISTRIBUTION_EXEC: $ALPINE_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:alpine:3.21@prep:
  extends:
    - .fdo.container-build@alpine
@ -366,6 +254,34 @@ tier3:alpine:3.19@prep:
      when: manual
      allow_failure: true
 tier3:centos:stream10@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 tier3:centos:stream9@prep:
  extends:
    - .fdo.container-build@centos
  stage: prep
  variables:
    GIT_STRATEGY: none
    FDO_DISTRIBUTION_VERSION: 'stream9'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
      when: manual
      allow_failure: true
 #################################################################
 #                                                               #
 # tierN stage                                                   #
@ -405,115 +321,45 @@ t_fedora:42:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
-t_fedora:rawhide:
+t_ubuntu:25.04:
  extends:
    - .build@template
    - .fdo.distribution-image@fedora
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'rawhide'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  needs:
    - "tier2:fedora:rawhide@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream10:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier2:centos:stream10@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream9:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream9'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier2:centos:stream9@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_ubuntu:devel:
  extends:
    - .build@template
    - .fdo.distribution-image@ubuntu
    - .nm_artifacts_debug
  stage: tier2
  variables:
-    FDO_DISTRIBUTION_VERSION: 'devel'
+    FDO_DISTRIBUTION_VERSION: '25.04'
    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
  needs:
-    - "tier2:ubuntu:devel@prep"
+    - "tier2:ubuntu:25.04@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
-t_debian:testing:
+t_debian:13:
  extends:
    - .build@template
    - .fdo.distribution-image@debian
    - .nm_artifacts_debug
  stage: tier2
  variables:
-    FDO_DISTRIBUTION_VERSION: 'testing'
+    FDO_DISTRIBUTION_VERSION: '13'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
  needs:
-    - "tier2:debian:testing@prep"
+    - "tier2:debian:13@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
-t_debian:sid:
+t_alpine:3.22:
  extends:
    - .build@template
    - .fdo.distribution-image@debian
    - .nm_artifacts_debug
  stage: tier2
  variables:
    FDO_DISTRIBUTION_VERSION: 'sid'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
  needs:
    - "tier2:debian:sid@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_alpine:edge:
  extends:
    - .build@template
    - .fdo.distribution-image@alpine
    - .nm_artifacts_debug
  stage: tier2
  variables:
-    FDO_DISTRIBUTION_VERSION: 'edge'
+    FDO_DISTRIBUTION_VERSION: '3.22'
    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
  needs:
-    - "tier2:alpine:edge@prep"
+    - "tier2:alpine:3.22@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_fedora:43:
  extends:
    - .build@template
    - .fdo.distribution-image@fedora
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: '43'
    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
  needs:
    - "tier3:fedora:43@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
@ -531,20 +377,6 @@ t_fedora:41:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_ubuntu:25.04:
  extends:
    - .build@template
    - .fdo.distribution-image@ubuntu
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: '25.04'
    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
  needs:
    - "tier3:ubuntu:25.04@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_ubuntu:24.04:
  extends:
    - .build@template
@ -573,20 +405,6 @@ t_ubuntu:22.04:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_debian:13:
  extends:
    - .build@template
    - .fdo.distribution-image@debian
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: '13'
    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
  needs:
    - "tier3:debian:13@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_debian:12:
  extends:
    - .build@template
@ -601,20 +419,6 @@ t_debian:12:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_alpine:3.22:
  extends:
    - .build@template
    - .fdo.distribution-image@alpine
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: '3.22'
    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
  needs:
    - "tier3:alpine:3.22@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_alpine:3.21:
  extends:
    - .build@template
@ -657,6 +461,34 @@ t_alpine:3.19:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream10:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream10'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier3:centos:stream10@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 t_centos:stream9:
  extends:
    - .build@template
    - .fdo.distribution-image@centos
    - .nm_artifacts_debug
  stage: tier3
  variables:
    FDO_DISTRIBUTION_VERSION: 'stream9'
    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
  needs:
    - "tier3:centos:stream9@prep"
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'
 #################################################################
 #                                                               #
 # specific jobs                                                 #
@ -713,7 +545,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
  dependencies:
    - "t_fedora:42: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/ci.template
+++ b/.gitlab-ci/ci.template
@ -240,7 +240,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
  dependencies:
    - "t_{{default_distro.name}}:{{default_distro.versions[0]}}: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/config.yml
+++ b/.gitlab-ci/config.yml
@ -27,51 +27,42 @@ distributions:
  # TIER 2: distribution versions that will or might use the current NM version.
  # Run when doing a release.
  - name: fedora
    tier: 2
    versions:
      - 'rawhide'
  - name: centos
    tier: 2
    versions:
      - 'stream10'
      - 'stream9'
  - name: ubuntu
    tier: 2
    versions:
-      - 'devel'
+      - '25.04'
  - name: debian
    tier: 2
    versions:
-      - 'testing'
+      - '13'
      - 'sid'
  - name: alpine
    tier: 2
    versions:
-      - 'edge'
+      - '3.22'
  # TIER 3: distribution versions not in EOL but don't use the current NM version.
  # Run when doing a release, but a failure won't be blocking for the release.
  - name: fedora
    tier: 3
    versions:
      - '43'
      - '41'
  - name: ubuntu
    tier: 3
    versions:
      - '25.04'
      - '24.04'
      - '22.04'
  - name: debian
    tier: 3
    versions:
      - '13'
      - '12'
  - name: alpine
    tier: 3
    versions:
      - '3.22'
      - '3.21'
      - '3.20'
      - '3.19'
  - name: centos
    tier: 3
    versions:
      - 'stream10'
      - 'stream9'
--- a/.gitlab-ci/distros-info.yml
+++ b/.gitlab-ci/distros-info.yml
@ -8,24 +8,18 @@ fedora:
 - version: rawhide
  support: yes
  nm: main
 - version: 43
  support: 2026-12-02
  nm: 1.54
 - version: 42
  support: 2026-05-13
  nm: 1.52
  tier1-default: yes
 - version: 41
  support: 2025-11-19
  nm: 1.50
  tier1-default: yes
 - version: 40
  support: 2025-05-13
  nm: 1.46
 # CentOS Stream
 centos:
 - version: stream10
  support: 2030-12-31 # exact date unknown, only the year
  nm: main
 - version: stream9
-  support: 2027-12-31 # exact date unknown, only the year
+  support: 2027-05-31
  nm: main
 # RHEL:
@ -37,43 +31,33 @@ centos:
 #   support: 6 months
 # Releases and support info: https://access.redhat.com/support/policy/updates/errata
 rhel:
-# Not released yet
+- version: 9.6  # not released yet
 - version: 10.1
  support: yes
-  nm: 1.54
+  nm: main
- version: 9.7  # not released yet
+- version: 9.5
  support: yes
-  nm: 1.54
+  nm: 1.48
 # Full support or EUS support:
 - version: 10.0
  support: 2027-05-31
  extended-support: 2029-05-31
  nm: 1.52
 - version: 9.6
  support: 2027-05-31
  extended-support: 2029-05-31
  nm: 1.52
 - version: 9.4
  support: 2026-04-30
  extended-support: 2028-04-30
  nm: 1.46
 - version: 8.10  # last RHEL 8 release, maintenaince support only
  support: 2029-05-31
  extended-support: no
  nm: 1.40
 # SAP / Enhaced EUS only:
 - version: 9.2
  support: 2025-05-31
  extended-support: 2027-05-31
  nm: 1.42
- version: 9.0
+- version: 8.10  # last RHEL 8 release, maintenaince support only
-  support: 2024-05-31
+  support: 2029-05-31
-  extended-support: 2026-05-31
+  extended-support: no
-  nm: 1.36
+  nm: 1.40
 - version: 8.8
  support: 2025-05-31
  extended-support: 2027-05-31
  nm: 1.40
 # SAP / Enhaced EUS only:
 - version: 9.0
  support: 2024-05-31
  extended-support: 2026-05-31
  nm: 1.36
 - version: 8.6
  support: 2024-05-31
  extended-support: 2026-05-31
@ -93,10 +77,10 @@ ubuntu:
 - version: devel
  support: yes
  nm: main
- version: 25.04
+- version: 24.10
-  name: plucky
+  name: oracular
-  support: 2026-01-15
+  support: 2025-07-10
-  nm: 1.52
+  nm: 1.48
 - version: 24.04
  name: noble
  support: 2029-05-31
@ -107,6 +91,11 @@ ubuntu:
  support: 2027-06-01
  extended-support: 2032-04-21
  nm: 1.36
 - version: 20.04
  name: focal
  support: 2025-05-29
  extended-support: 2030-04-23
  nm: 1.22
 # Debian:
 #   cadence: every 2 years
@ -121,11 +110,6 @@ debian:
 - version: sid
  support: yes
  nm: main
 - version: 13
  name: trixie
  support: 2028-08-09
  extended-support: 2030-06-30
  nm: 1.52
 - version: 12
  name: bookworm
  support: 2026-06-11
@ -147,9 +131,6 @@ alpine:
 - version: edge
  support: yes
  nm: main
 - version: 3.22
  support: 2027-05-01
  nm: 1.52
 - version: 3.21
  support: 2026-11-01
  nm: 1.50
@ -159,3 +140,6 @@ alpine:
 - version: 3.19
  support: 2025-11-01
  nm: 1.44
 - version: 3.18
  support: 2025-05-09
  nm: 1.42
--- a/.gitlab-ci/run-test.sh
+++ b/.gitlab-ci/run-test.sh
@ -155,7 +155,12 @@ test_subtree() {
    do_clean
    pushd ./src/$d
-    CC="$cc" CFLAGS="-Werror -Wall" meson build
+    ARGS=()
    if [ "$d" = n-acd ]; then
        ARGS+=('-Debpf=false')
    fi
    CC="$cc" CFLAGS="-Werror -Wall" meson build "${ARGS[@]}"
    ninja -v -C build test
    popd
--- a/.gitlab/merge_request_templates/Default.md
+++ b/.gitlab/merge_request_templates/Default.md
@ -12,9 +12,9 @@ Please read
 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/CONTRIBUTING.md
 before opening the merge request. In particular, check that:
- - [ ] The subject for all commits is concise, explanatory, and includes a prefix indicating the area of code changed (e.g., "nmcli: ", "core: ")
+ - [ ] the subject for all commits is concise and explicative
- - [ ] The message for all commits explains the reason for the change
+ - [ ] the message for all commits explains the reason for the change
- - [ ] The source is properly formatted
+ - [ ] the source is properly formatted
- - [ ] Any relevant documentation is up to date
+ - [ ] any relevant documentation is up to date
- - [ ] You have added unit tests if applicable
+ - [ ] you have added unit tests if applicable
- - [ ] The NEWS file is updated when the change deserves to be mentioned, for example for new features, behavior changes, API deprecations, etc.
+ - [ ] the NEWS file is updated when the change deserves to be mentioned, for example for new features, behavior changes, API deprecations, etc.
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -252,25 +252,17 @@ Versioning scheme (version numbers are called MAJOR.MINOR.MICRO):
  versioning scheme than the main NM project despite there are no development
  versions here.
 Before starting:
 - You need to have the maintainer role in the project.
 - The GPG key used to sign the release must be added to your GNOME's Gitlab
  profile and uploaded to a keyserver.
 - All details: https://handbook.gnome.org/maintainers/making-a-release.html
 When doing a release, follow this process:
 1. Ensure that `NEWS` file is up to date.
-2. Increment the version in `meson.build` or `configure.ac`.
+2. Increment the version in `meson.build`, commit and tag the commit. Example:
-3. Commit and push to the `main` branch.
+   `git tag -s 1.2.8 -m 'Tag 1.2.8'`.
-4. Check that the Gitlab's pipeline finishes without errors.
+3. Ensure that you are on the right commit and create the tarball:
-5. Tag the commit with a signed tag. Example: `git tag -s 1.2.8 -m 'Release 1.2.8'`.
+   `git clean -fdx && meson setup build && cd build && meson dist`
-6. Push the tag. Example: `git push origin 1.2.8`.  
+4. Upload the tarball: `scp ./*-*.tar.xz "$user@master.gnome.org:"`
-   WARN: this is what starts the automatic CI release. As GNOME doesn't allow
+5. Login to `master.gnome.org` and run `ftpadmin install`.  
-   to delete tags, any error detected after this will force a new version bump.
+   Ensure the new tarballs show up at https://download.gnome.org/sources/
-7. Check that the Gitlab's pipeline finishes without errors. If that happens,
+   (happens after a short delay)
-   the release is done and available both in the Gitlab's releases section and
+6. Announce the release on the mailing list.
   https://download.gnome.org/sources/*
 8. Announce the release on the mailing list.
 Notes:
 - You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).
--- a/139
+++ b/139
@ -1,130 +1,27 @@
-=============================================
+===============================================
-NetworkManager-1.58
+NetworkManager-1.52.2
-Overview of changes since NetworkManager-1.56
+Overview of changes since NetworkManager-1.52.1
-=============================================
+===============================================
-This is a snapshot of NetworkManager development. The API is
+* Support reapplying the "sriov.vfs" property as long as
-subject to change and not guaranteed to be compatible with
+  "sriov.total-vfs" is not changed.
 the later release.
 USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
 * Unify the versioning to use everywhere the scheme with the -rcX or -dev
  suffixes when appropriate. This affects, for example, the URL and filename
  of the release tarball and the version reported by nmcli and the daemon.
  As an exception, the C API will continue to use the 90+ scheme for RC versions.
 * Connection profiles with manual IP addressing and with gateways that are not
  directly reachable will generate a warning on activation and when they are
  added/modified via nmcli and nmtui. NetworkManager currently adds on-link
  routes for them automatically, but this will change in the future. To fix the
  warning, users should add addresses or routes whose subnets cover these
  gateways. A gateway (either the default gateway or the next-hop of a route) is
  considered directly reachable if it falls within the subnet of a direct route
  (a route without a next hop) or of a prefix route from a static address.
 * Restrict the connectivity check to use the DNS servers defined on the
  same link. If the link has no DNS servers, the connectivity check will
  use any servers available in the system.
 * Install the systemd units in the initramfs using a systemd generator.
 * A new "check-connectivity" configuration option is available to disable the
  connectivity check for selected interfaces.
 * Remove the modify_system build option that allowed setting up the
  polkit permissions to allow non-admin users to create system-wide
  connection. That configuration is discouraged because it can be used
  to bypass filesystem permissions.
 * For private connections (the ones that specify a user in the
  "connection.permissions" property), verify that the user can access
  the 802.1X certificates and keys set in the connection.
 * Introduce a libnm function that can be used by VPN plugins to check
  user permissions on certificate and keys.
 * The support for Wireless Extensions is deprecated and will be
  removed in a future release. Wireless Extensions are now disabled by
  default.
 * Use an internal implementation of the ping functionality when the
  "connection.gateway-ping-timeout" or "connection.ip-ping-addresses"
  properties are set, instead of relying on the "ping" tool.  
 * The powersave property now functions with the iwd backend.
 * The "band" property of Wi-fi connections now accepts the "6GHz"
  value.
 * Show the Wi-Fi band of APs in the scan results from nmcli.
 * New <Select...> button in nmtui that allows users to chose from list of
  available devices when creating connection profiles for physical interfaces
  (Ethernet, Wi-Fi, etc.).
 * Add support for CLAT (464XLAT) using a BPF program.
 * Change the default value of the ipv4.dhcp-ipv6-only-preferred property
  to a new value "auto" which automatically enables the option when CLAT
  is enabled ("yes" or "auto") in the connection profile.
 * WIFI connections using wpa-psk respect the setting connection.auth-retry
  and only prompt for new secrets during the last authentication attempt before
  failing.
 * Add support for GENEVE interface.
 * The DHCPv4 internal client now ignores option 3 (Router) if the lease
  contains option 121 (Classless Static Route), as recommended by RFC 3442.
 * Allow persisting the managed state across reboots from nmcli and the D-Bus API.
 * Allow changing the device's administrative state in the kernel at the same
  time as a change to the managed state from nmcli and the D-Bus API.
 * Allow configuring all bond options in nmtui by introducing a
  "other options" field, which covers options not already covered by a
  dedicated input field.
 =============================================
-NetworkManager-1.56
+NetworkManager-1.52.1
 Overview of changes since NetworkManager-1.54
 =============================================
 * nmcli now supports viewing and managing WireGuard peers.
 * Support reapplying the "sriov.vfs" property as long as
  "sriov.total-vfs" is not changed.
 * Support reapplying "bond-port.vlans".
 * Accept hostnames longer than 64 characters from DNS lookup.
 * Make that global-dns configuration overwrites DNS searches and
  options from connections, instead of merging all together.
 * Add support for a new rd.net.dhcp.client-id option in
  nm-initrd-generator.
 * Add gsm device-uid setting to restrict the devices the connection applies to.
 * Support configuring the HSR protocol version via the
  "hsr.protocol-version" property.
 * Fix a bug that makes broadband connections auto-connect getting 
  blocked if the connection tries to reconnect when modem status is 
  "disconnecting" / "disconnected".
 * Treat modem connection not having an operator code available
  as a recoverable error.
 * Add support for configuring systemd-resolved's DNSSEC option
  per-connection via the "connection.dnssec" connection property.
 * Support configuring the HSR interlink port via the
  "hsr.interlink" property.
 * Fix some connection properties not being applied to vpn connections
  (connection.mdns, connection.llmnr, connection.dns-over-tls,
   connection.mptcp-flags, ipv6.ip6-privacy)
 * Update n-acd to always compile with eBPF enabled, as support
  for eBPF is now detected at run time.
 * Add new MPTCP 'laminar' endpoint type, and set it by default alongside
  the 'subflow' one.
 =============================================
 NetworkManager-1.54
 Overview of changes since NetworkManager-1.52
 =============================================
-* Add support for configuring per-device IPv4 forwarding via the
+* Fail early if we cannot get current FEC
-  "ipv4.forwarding" connection property.
+  (Forward Error Correction) value.
-* Add a new "prefix-delegation" setting containing a "subnet-id"
+* Allow reapplying ovs-bridge and ovs-port properties.
  property that specifies the subnet to choose on the downstream
  interface when using IPv6 prefix delegation.
 * Support OCI baremetal in nm-cloud-setup
 * When activating a WireGuard connection to an IPv6 endpoint, now
  NetworkManager creates firewall rules to ensure that the incoming
  packets are not dropped by kernel reverse path filtering.
 * Add support for configuring the loopback interface in nmtui.
 * Most of the properties of ovs-bridge and ovs-port connections can
  now be reapplied at runtime without bringing the connection down.
 * Add a new "sriov.preserve-on-down" property that controls whether
  NetworkManager preserves the SR-IOV parameters set on the device
  when the connection is deactivated, or whether it resets them to
  their default value.
 * Introduce a new "ovs-dpdk.lsc-interrupt" property to configure the
  Link State Change (LSC) detection mode for OVS DPDK interfaces.
 * The initrd-generator now can parse the NVMe Boot Firmware Table
  (NBFT) to configure networking during early boot.
 * Add systemd services to provide networking in the initrd.
 =============================================
 NetworkManager-1.52
@ -319,7 +216,7 @@ Overview of changes since NetworkManager-1.42
  lead to unexpected behaviors in case of multiconnect profiles.
 * Set VLAN filtering options on bridge via netlink instead of sysfs.
 * nm-cloud-setup now supports IMDSv2 on Amazon EC2.
-* nmtui now supports enabling/disabling Wi-Fi and WWAN radios.
+* nmtui now allows to enable or disable Wi-Fi and WWAN radios.
 * Honor ignore-carrier=no for bond/bridge/team devices.
 * Add version mismatch warning when running nmcli commands.
@ -484,7 +381,7 @@ Overview of changes since NetworkManager-1.38
 * NetworkManager reads the kernel command line "/proc/cmdline" for several
  purposes, including "nm.debug" for enabling debugging and the
  "match.kernel-command-line" setting in the profile. NetworkManager now
-  first looks now for "/run/NetworkManager/proc-cmdline", which allows one to
+  first looks now for "/run/NetworkManager/proc-cmdline", which allows to
  overwrite the command line.
 * Improve the reapply of non-bridge properties.
 * Honor adding a Bluetooth NAP connection with all available methods.
@ -557,7 +454,7 @@ Overview of changes since NetworkManager-1.36
 * Workaround libcurl blocking NetworkManager while resolving DNS names.
 * nmcli: indicate missing Wi-Fi hardware when showing rfkill setting.
 * nmcli: add connection migrate command to move a profile to a specified
-  settings plugin. This allows one to convert profiles in the deprecated ifcfg-rh
+  settings plugin. This allows to convert profiles in the deprecated ifcfg-rh
  format to keyfile.
 * Set "src" attribute for routes from DHCPv4 to the leased address. This
  helps with source address selection.
@ -689,7 +586,7 @@ and 1.32.12 are also present in NetworkManager-1.34:
 * core: fix adding stale local routes when address changes.
 * initrd: tag generated profiles with origin in user data.
 * core: introduce "allowed-connections" option to disallow
-  profiles on a device. This allows one to filter out profiles
+  profiles on a device. This allows to filter out profiles
  that originate from initrd.
 * core: introduce "keep-configuration" device option to forcefully
  activate a profile on start.
@ -750,7 +647,7 @@ Overview of changes since NetworkManager-1.30
  'nm-daemon-helper' binary is spawned to perform the lookup using
  the 'dns' NSS module.
 * dhcp: honor "ID_NET_DHCP_BROADCAST" udev attribute to set the broadcast flag.
-  This allows one to configure devices in udev for which DHCPOFFER messages are to be
+  This allows to configure devices in udev for which DHCPOFFER messages are to be
  broadcast.
 * firewall: add nftables firewall backend for configuring IPv4 NAT with shared
  mode. Now two backends are supported, "iptables" and "nftables". The default
@ -1010,16 +907,16 @@ This is a new stable release of NetworkManager.  Notable changes include:
  in allowed-ips.
 * Rework implementation of settings plugins and how profiles are presisted
  to disk. This is a large internal refactoring of the settings plugins that
-  allows one to migrate a connection profile between plugins.
+  allows to migrate a connection profile between plugins.
 * In-memory profiles are now only handled by keyfile plugin and will also be
-  persisted to /run directory. This allows one to restart NetworkManager without
+  persisted to /run directory. This allows to restart NetworkManager without
  loosing these profiles and it provides a file-system based API for creating
  in-memory profiles.
 * Keyfile plugin now supports a read-only directory of profiles under directory
  "/usr/lib/NetworkManager/system-connections". Such profiles still can be modified
  and deleted via D-Bus, which results in writing profiles to /etc or /run that
  shadow the read-only files.
-* Add new D-Bus method AddConnection2() that allows one to block autoconnect of
+* Add new D-Bus method AddConnection2() that allows to block autoconnect of
  the profile at the moment when creating the profile. Also add support for
  this API to libnm.
 * Add flag "no-reapply" to Update2() D-Bus method. Normally, when a connection
--- a/README.md
+++ b/README.md
@ -112,14 +112,6 @@ contrib/fedora/rpm/NetworkManager.conf for how to enable debug logging
 in NetworkManager.
 Requirements
 ------------
 NetworkManager requires:
 - Linux kernel >= 5.6 for some ethtool options (pause, eee, ring)
 Documentation
 -------------
--- a/config.h.meson
+++ b/config.h.meson
@ -239,15 +239,6 @@
 /* Whether we build with OVS plugin */
 #mesondefine WITH_OPENVSWITCH
 /* Whether we build with team support */
 #mesondefine WITH_TEAMDCTL
 /* Whether we build with Wi-Fi support */
 #mesondefine WITH_WIFI
 /* Whether we build with WWAN support */
 #mesondefine WITH_WWAN
 /* Define if you have PPP support */
 #mesondefine WITH_PPP
@ -289,11 +280,3 @@
 /* Define to 1 if you have history support from -lreadline. */
 #mesondefine HAVE_READLINE_HISTORY
 /* Define if NBFT support is enabled */
 #mesondefine WITH_NBFT
 /* Define to 1 if dlvsym() is available */
 #mesondefine HAVE_DLVSYM
 /* Define to 1 if you want CLAT support. */
 #mesondefine HAVE_CLAT
--- a/contrib/alpine/REQUIRED_PACKAGES
+++ b/contrib/alpine/REQUIRED_PACKAGES
@ -8,7 +8,6 @@ apk add \
    'alpine-sdk' \
    'autoconf' \
    'bash' \
    'bpftool' \
    'clang' \
    'curl-dev' \
    'dbus' \
@ -24,14 +23,13 @@ apk add \
    'iproute2' \
    'iptables' \
    'jansson-dev' \
    'libbpf-dev' \
    'libgudev-dev' \
    'libndp-dev' \
    'libnvme-dev' \
    'libnl3-dev' \
    'libpsl-dev' \
    'libsoup-dev' \
    'libteam-dev' \
    'libtool' \
    'linux-headers' \
    'meson' \
    'mobile-broadband-provider-info' \
--- a/contrib/debian/REQUIRED_PACKAGES
+++ b/contrib/debian/REQUIRED_PACKAGES
@ -32,7 +32,6 @@ install_ignore_missing() {
 install \
    \
    bpftool \
    clang \
    dbus \
    dbus-x11 \
@ -44,7 +43,6 @@ install \
    iproute2 \
    iptables \
    libaudit-dev \
    libbpf-dev \
    libcurl4-gnutls-dev \
    libdbus-1-dev \
    libgirepository1.0-dev \
@ -58,12 +56,12 @@ install \
    libndp-dev \
    libnewt-dev \
    libnss3-dev \
    libnvme-dev \
    libpolkit-gobject-1-dev \
    libpsl-dev \
    libreadline-dev \
    libsystemd-dev \
    libteam-dev \
    libtool \
    libudev-dev \
    locales \
    meson \
--- a/contrib/fedora/REQUIRED_PACKAGES
+++ b/contrib/fedora/REQUIRED_PACKAGES
@ -49,7 +49,6 @@ install \
    ModemManager-glib-devel \
    audit-libs-devel \
    bluez-libs-devel \
    bpftool \
    clang \
    dbus-devel \
    dbus-x11 \
@ -65,11 +64,10 @@ install \
    iptables \
    jansson-devel \
    jq \
    libbpf-devel \
    libcurl-devel \
    libndp-devel \
    libnvme-devel \
    libselinux-devel \
    libtool \
    libuuid-devel \
    meson \
    mobile-broadband-provider-info-devel \
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@ -6,23 +6,18 @@
 #
 # Note that it contains __PLACEHOLDERS__ that will be replaced by the accompanying 'build.sh' script.
 Name:    NetworkManager
 Summary: Network connection manager and user applications
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 URL:     https://networkmanager.dev/
 Group:   System Environment/Base
 Epoch:   1
 Version: __VERSION__
 Release: __RELEASE_VERSION__%{?dist}
 ###############################################################################
 %global wpa_supplicant_version 1:1.1
 %global ppp_version %(pkg-config --modversion pppd 2>/dev/null || sed -n 's/^#define\\s*VERSION\\s*"\\([^\\s]*\\)"$/\\1/p' %{_includedir}/pppd/patchlevel.h 2>/dev/null | grep . || echo bad)
 %global glib2_version %(pkg-config --modversion glib-2.0 2>/dev/null || echo bad)
 %global epoch_version 1
 %global real_version __VERSION__
 %global rpm_version %{real_version}
 %global release_version __RELEASE_VERSION__
 %global snapshot __SNAPSHOT__
 %global git_sha __COMMIT__
 %global bcond_default_debug __BCOND_DEFAULT_DEBUG__
 %global bcond_default_lto __BCOND_DEFAULT_LTO__
 %global bcond_default_test __BCOND_DEFAULT_TEST__
@ -37,6 +32,17 @@ Release: __RELEASE_VERSION__%{?dist}
 %global _hardened_build 1
 %if "x%{?snapshot}" != "x"
 %global snapshot_dot .%{snapshot}
 %endif
 %if "x%{?git_sha}" != "x"
 %global git_sha_dot .%{git_sha}
 %endif
 %global snap %{?snapshot_dot}%{?git_sha_dot}
 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[0-9][0-9]*\\)\\.[0-9][0-9]*$/\\1/p')
 %global systemd_units NetworkManager.service NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-priv-helper.service
 %global systemd_units_cloud_setup nm-cloud-setup.service nm-cloud-setup.timer
@ -100,13 +106,7 @@ Release: __RELEASE_VERSION__%{?dist}
 %else
 %bcond_without iwd
 %endif
-%bcond_without polkit_noauth_group
+
 %ifarch %{ix86}
 # there is no bpftool in i686
 %bcond_with clat
 %else
 %bcond_without clat
 %endif
 ###############################################################################
 %global dbus_version 1.9.18
@ -153,6 +153,17 @@ Release: __RELEASE_VERSION__%{?dist}
 %bcond_with ifcfg_migrate
 %endif
 %if 0%{?fedora}
 # Although eBPF would be available on Fedora's kernel, it seems
 # we often get SELinux denials (rh#1651654). But even aside them,
 # bpf(BPF_MAP_CREATE, ...) randomly fails with EPERM. That might
 # be related to `ulimit -l`. Anyway, this is not usable at the
 # moment.
 %global ebpf_enabled "no"
 %else
 %global ebpf_enabled "no"
 %endif
 # Fedora 33 enables LTO by default by setting CFLAGS="-flto -ffat-lto-objects".
 # However, we also require "-flto -flto-partition=none", so disable Fedora's
 # default and use our configure option --with-lto instead.
@ -160,7 +171,16 @@ Release: __RELEASE_VERSION__%{?dist}
 ###############################################################################
-#Source: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/releases/%{version_no_tilde}/downloads/%{name}-%{version_no_tilde}.tar.xz
+Name: NetworkManager
 Summary: Network connection manager and user applications
 Epoch: %{epoch_version}
 Version: %{rpm_version}
 Release: %{release_version}%{?snap}%{?dist}
 Group: System Environment/Base
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 URL: https://networkmanager.dev/
 #Source: https://download.gnome.org/sources/NetworkManager/%{real_version_major}/%{name}-%{real_version}.tar.xz
 Source: __SOURCE1__
 Source1: NetworkManager.conf
 Source2: 00-server.conf
@ -174,16 +194,17 @@ Source9: readme-ifcfg-rh-migrated.txt
 #Patch1: 0001-some.patch
 Requires(post): systemd
 Requires(post): systemd-udev
 Requires(post): /usr/sbin/update-alternatives
 Requires(preun): systemd
 Requires(preun): /usr/sbin/update-alternatives
 Requires(postun): systemd
 Requires: dbus >= %{dbus_version}
 Requires: glib2 >= %{glib2_version}
 Requires: %{name}-libnm%{?_isa} = %{epoch}:%{version}-%{release}
-%if %{with clat}
+Recommends: iputils
 Requires: libbpf
 %endif
 %if 0%{?rhel} == 8
 # Older libndp versions use select() (rh#1933041). On well known distros,
@ -232,7 +253,7 @@ Conflicts: NetworkManager-dispatcher-routing-rules <= 1:1.47.5-3
 %endif
 BuildRequires: gcc
-BuildRequires: clang
+BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: meson
 BuildRequires: gettext-devel >= 0.19.8
@ -286,11 +307,6 @@ BuildRequires: libubsan
 BuildRequires: firewalld-filesystem
 BuildRequires: iproute
 BuildRequires: iproute-tc
 BuildRequires: libnvme-devel >= 1.5
 %if %{with clat}
 BuildRequires: libbpf-devel
 BuildRequires: bpftool
 %endif
 Provides: %{name}-dispatcher%{?_isa} = %{epoch}:%{version}-%{release}
@ -559,8 +575,6 @@ Group: System Environment/Base
 BuildArch: noarch
 Requires: NetworkManager
 Requires: /usr/bin/nmcli
 Requires(post): /usr/sbin/update-alternatives
 Requires(preun): /usr/sbin/update-alternatives
 Obsoletes: NetworkManager < %{obsoletes_initscripts_updown}
 %description initscripts-updown
@ -571,7 +585,7 @@ Preferably use nmcli instead.
 %prep
-%autosetup -p1 -n NetworkManager-%{version_no_tilde}
+%autosetup -p1 -n NetworkManager-%{real_version}
 %build
@ -612,20 +626,19 @@ Preferably use nmcli instead.
 %endif
 %if %{with wifi}
 	-Dwifi=true \
 %if 0%{?fedora}
 	-Dwext=true \
 %else
 	-Dwext=false \
 %endif
 %else
 	-Dwifi=false \
 %endif
 	-Dwext=false \
 %if %{with iwd}
 	-Diwd=true \
 %else
 	-Diwd=false \
 %endif
 %if %{with clat}
 	-Dclat=true \
 %else
 	-Dclat=false \
 %endif
 %if %{with bluetooth}
 	-Dbluez5_dun=true \
 %else
@ -662,20 +675,22 @@ Preferably use nmcli instead.
 	-Dselinux=true \
 	-Dpolkit=true  \
 	-Dconfig_auth_polkit_default=true \
-%if %{with polkit_noauth_group}
+	-Dmodify_system=true \
 	-Dpolkit_noauth_group=wheel \
 %endif
 	-Dconcheck=true \
 %if 0%{?fedora}
 	-Dlibpsl=true \
 %else
 	-Dlibpsl=false \
 %endif
 %if %{ebpf_enabled} != "yes"
 	-Debpf=false \
 %else
 	-Debpf=true \
 %endif
 	-Dsession_tracking=systemd \
 	-Dsuspend_resume=systemd \
 	-Dsystemdsystemunitdir=%{_unitdir} \
-	-Dsystemdsystemgeneratordir=%{_systemdgeneratordir} \
+	-Dsystem_ca_path=/etc/pki/tls/cert.pem \
 	-Dsystem_ca_path=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
 	-Ddbus_conf_dir=%{dbus_sys_dir} \
 	-Dtests=yes \
 	-Dvalgrind=no \
@ -746,18 +761,12 @@ rm -f %{buildroot}%{_libdir}/*.la
 rm -f %{buildroot}%{_libdir}/pppd/%{ppp_version}/*.la
 rm -f %{buildroot}%{nmplugindir}/*.la
 # Don't use the *-initrd.service files yet, wait dracut to support them
 rm -f %{buildroot}%{_systemdgeneratordir}/nm-initrd-generator.sh
 rm -f %{buildroot}%{_unitdir}/NetworkManager-config-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
 # Ensure the documentation timestamps are constant to avoid multilib conflicts
 find %{buildroot}%{_datadir}/gtk-doc -exec touch --reference meson.build '{}' \+
 %if 0%{?__debug_package} && ! 0%{?flatpak}
-mkdir -p %{buildroot}%{_prefix}/src/debug/NetworkManager-%{version_no_tilde}
+mkdir -p %{buildroot}%{_prefix}/src/debug/NetworkManager-%{real_version}
-cp valgrind.suppressions %{buildroot}%{_prefix}/src/debug/NetworkManager-%{version_no_tilde}
+cp valgrind.suppressions %{buildroot}%{_prefix}/src/debug/NetworkManager-%{real_version}
 %endif
 %if %{with ifcfg_rh}
@ -839,12 +848,8 @@ fi
 %postun
 # skip triggering if udevd isn't even accessible, e.g. containers or
 # rpm-ostree-based systems
 if [ -S /run/udev/control ]; then
 /usr/bin/udevadm control --reload-rules || :
 /usr/bin/udevadm trigger --subsystem-match=net || :
 fi
 %firewalld_reload
 %systemd_postun %{systemd_units}
@ -917,9 +922,6 @@ fi
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_priv_helper.service
 %{_datadir}/polkit-1/actions/*.policy
 %if %{with polkit_noauth_group}
 %{_datadir}/polkit-1/rules.d/org.freedesktop.NetworkManager.rules
 %endif
 %{_prefix}/lib/udev/rules.d/*.rules
 %{_prefix}/lib/firewalld/zones/nm-shared.xml
 # systemd stuff
--- a/contrib/fedora/rpm/build.sh
+++ b/contrib/fedora/rpm/build.sh
@ -110,6 +110,7 @@ exec 2>&1
 UUID=`uuidgen`
 RELEASE_VERSION="${RELEASE_VERSION:-$(git rev-list HEAD | wc -l)}"
 SNAPSHOT="${SNAPSHOT:-%{nil\}}"
 VERSION="${VERSION:-$(get_version || die "Could not read $VERSION")}"
 COMMIT_FULL="${COMMIT_FULL:-$(git rev-parse --verify HEAD || die "Error reading HEAD revision")}"
 COMMIT="${COMMIT:-$(printf '%s' "$COMMIT_FULL" | sed 's/^\(.\{10\}\).*/\1/' || die "Error reading HEAD revision")}"
@ -205,8 +206,12 @@ cp "$SOURCE_README_IFCFG_MIGRATED" "$TEMP/SOURCES/readme-ifcfg-rh-migrated.txt"
 write_changelog
-sed -e "s/__VERSION__/${VERSION/-/\~}/g" \
+sed -e "s/__VERSION__/$VERSION/g" \
    -e "s/__RELEASE_VERSION__/$RELEASE_VERSION/g" \
    -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
    -e "s/__COMMIT__/$COMMIT/g" \
    -e "s/__COMMIT_FULL__/$COMMIT_FULL/g" \
    -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
    -e "s/__SOURCE1__/$(basename "$SOURCE")/g" \
    -e "s/__BCOND_DEFAULT_DEBUG__/$BCOND_DEFAULT_DEBUG/g" \
    -e "s/__BCOND_DEFAULT_LTO__/${BCOND_DEFAULT_LTO:-"%{nil}"}/g" \
@ -227,12 +232,7 @@ case "$BUILDTYPE" in
        ;;
 esac
-DIST=
+rpmbuild --define "_topdir $TEMP" $RPM_BUILD_OPTION "$TEMPSPEC" $NM_RPMBUILD_ARGS || die "ERROR: rpmbuild FAILED"
 [[ "$COMMIT" != "" ]] && DIST=".${COMMIT}${DIST}"
 [[ "$SNAPSHOT" != "" ]] && DIST=".${SNAPSHOT}${DIST}"
 [[ "$DIST" != "" ]] && DIST=("--define" "dist ${DIST}$(rpmbuild --eval '%{dist}')")
 rpmbuild --define "_topdir $TEMP" "${DIST[@]}" $RPM_BUILD_OPTION "$TEMPSPEC" $NM_RPMBUILD_ARGS || die "ERROR: rpmbuild FAILED"
 LS_EXTRA=()
--- a/contrib/fedora/rpm/build_clean.sh
+++ b/contrib/fedora/rpm/build_clean.sh
@ -143,7 +143,7 @@ while [[ $# -gt 0 ]]; do
            ;;
        --no-auto-with-test)
            # by default, the script adds "-w test" (unless the command line contains
-            # "-w test" or "-W test"). This flag suppresses that automatism.
+            # "-w test" or "-W test"). This flags allows to suppress that automatism.
            # It's really only useful to test the spec file's internal default for the
            # "test" option. Otherwise, you can always just explicitly select "-w test"
            # or "-W test".
--- a/contrib/fedora/rpm/configure-for-system.sh
+++ b/contrib/fedora/rpm/configure-for-system.sh
@ -155,6 +155,7 @@ P_CRYPTO="${CRYPTO-}"
 P_DBUS_SYS_DIR="${DBUS_SYS_DIR-}"
 P_DHCP_DEFAULT="${DHCP_DEFAULT-}"
 P_DNS_RC_MANAGER_DEFAULT="${DNS_RC_MANAGER_DEFAULT-}"
 P_EBPF_ENABLED="${EBPF_ENABLED-no}"
 P_FIREWALLD_ZONE="${FIREWALLD_ZONE-}"
 P_IWD="${IWD-}"
 P_LOGGING_BACKEND_DEFAULT="${LOGGING_BACKEND_DEFAULT-}"
@ -173,7 +174,6 @@ P_WIFI="${WIFI-1}"
 P_WWAN="${WWAN-1}"
 P_TEAM="${TEAM-1}"
 P_BLUETOOTH="${BLUETOOTH-1}"
 P_IFCFG_RH="${IFCFG_RH-0}"
 P_NMTUI="${NMTUI-1}"
 P_NM_CLOUD_SETUP="${NM_CLOUD_SETUP-1}"
 P_OVS="${OVS-1}"
@ -203,7 +203,7 @@ if [ -z "$P_FEDORA" -a -z "$P_RHEL" ] ; then
        P_FEDORA="$x"
        P_RHEL=0
    else
-        x="$(grep -q 'ID="rhel"' /etc/os-release && sed -n 's/^VERSION_ID="*\([0-9]*\).*/\1/p' /etc/os-release)"
+        x="$(grep -q "ID=fedora" /etc/os-release && sed -n 's/VERSION_ID=//p' /etc/os-release)"
        if test "$x" -gt 0 ; then
            P_FEDORA=0
            P_RHEL="$x"
@ -294,14 +294,6 @@ if [ -z "$P_MODEM_MANAGER_1" ] ; then
    fi
 fi
 if [ -z "$TEAM" ] && [ "${P_RHEL-0}" -ge 10 ] ; then
    P_TEAM=0
 fi
 if [ -z "$IFCFG_RH" ] && [ -n "$P_RHEL" ] && [ "$P_RHEL" -le 9 ] ; then
    P_IFCFG_RH=1
 fi
 if bool "$P_DEBUG" ; then
    P_CFLAGS="-g -Og -fexceptions${P_CFLAGS:+ }$P_CFLAGS"
 else
@ -387,7 +379,7 @@ meson setup\
    -Db_lto="$(bool_true "$P_LTO")" \
    -Dlibaudit=yes-disabled-by-default \
    -Dmodem_manager="$(bool_true "$P_MODEM_MANAGER_1")" \
-    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext=false) \
+    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext="$(bool_true "$P_FEDORA")") \
    $(args_enable "$(bool_not_true "$P_WIFI")" -Dwifi=false                                  ) \
    -Diwd="$(bool_true "$P_IWD")" \
    -Dbluez5_dun="$(bool_true "$P_BLUETOOTH")" \
@ -401,17 +393,18 @@ meson setup\
    -Dselinux=true \
    -Dpolkit=true  \
    -Dconfig_auth_polkit_default=true \
    -Dmodify_system=true \
    -Dconcheck=true \
    -Dlibpsl="$(bool_true "$P_FEDORA")" \
    -Debpf="$(bool_true "$P_EBPF_ENABLED")" \
    -Dsession_tracking=systemd \
    -Dsuspend_resume=systemd \
    -Dsystemdsystemunitdir=/usr/lib/systemd/system \
    -Dsystemdsystemgeneratordir=/usr/lib/systemd/system-generators \
    -Dsystem_ca_path=/etc/pki/tls/cert.pem \
    -Ddbus_conf_dir="$P_DBUS_SYS_DIR" \
    -Dtests=yes \
    -Dvalgrind=no \
-    -Difcfg_rh="$(bool_true "$P_IFCFG_RH")" \
+    -Difcfg_rh=true \
    -Difupdown=false \
    $(args_enable "$P_PPP"                    -Dppp=true  -Dpppd="$D_SBINDIR/pppd" -Dpppd_plugin_dir="$D_LIBDIR/pppd/$P_PPP_VERSION") \
    $(args_enable "$(bool_not_true "$P_PPP")" -Dppp=false                                                                           ) \
--- a/contrib/fedora/rpm/release.sh
+++ b/contrib/fedora/rpm/release.sh
@ -27,7 +27,7 @@
 #   * Run in a "clean" environment, i.e. no unusual environment variables set, on a recent
 #     Fedora, with suitable dependencies installed.
 #
-#   * First, ensure that you have a valid Gitlab's private token for gitlab.freedesktop.org
+#   * First, ensure that you have a valid Gitlab's private token for gitlab.freedestkop.org
 #     stored in ~/.config/nm-release-token, or pass one with --gitlab-token argument.
 #     Also, ensure you have a GPG key that you want to use for signing. Also, have gpg-agent running
 #     and possibly configure `git config --get user.signingkey` for the proper key.
@ -102,8 +102,14 @@ do_command() {
 SCRIPTDIR="$(dirname "$(readlink -f "$0")")"
 GITDIR="$(cd "$SCRIPTDIR" && git rev-parse --show-toplevel || die "Could not get GITDIR")"
-get_version() {
+parse_version() {
-    grep -E -m1 '^\s+version:' "$GITDIR/meson.build" | cut -d"'" -f2
+    local VERSION=$(grep -E -m1 '^\s+version:' "$GITDIR/meson.build" \
                    | cut -d"'" -f2 \
                    | sed 's/\./ /g')
    re='^(0|[1-9][0-9]*) (0|[1-9][0-9]*) (0|[1-9][0-9]*)$'
    [[ "$VERSION" =~ $re ]] || return 1
    echo "$VERSION"
 }
 number_is_even() {
@ -149,12 +155,14 @@ check_gitlab_pipeline() {
 set_version_number() {
    sed -i \
-        -E "1,20 s/^( *version: *')[^']+(',) *\$/\1$1\2/" \
+        -e '1,20 s/^\( *version: *'\''\)[0-9]\+\.[0-9]\+\.[0-9]\+\('\'',\)$/\1'"$1.$2.$3"'\2/' \
        meson.build
 }
 check_news() {
    local mode="$1"
    shift
    local ver_arr=("$@")
    case "$mode" in
        major|minor)
@ -251,18 +259,12 @@ done
 [ -n "$RELEASE_MODE" ] || die_usage "specify the desired release mode"
-VERSION_STR="$(get_version)"
+VERSION_ARR=( $(parse_version) ) || die "cannot detect NetworkManager version"
-VERSION_ARR=( $(echo "$VERSION_STR" | sed 's/[\.\-]/ /g') )
+VERSION_STR="$(IFS=.; echo "${VERSION_ARR[*]}")"
 if [[ ${VERSION_ARR[2]} =~ ^rc ]]; then
    RC_VERSION=${VERSION_ARR[2]#rc}
    VERSION_ARR[2]=0
 else
    RC_VERSION=
 fi
 echo "Current version before release: $VERSION_STR (do \"$RELEASE_MODE\" release)"
-grep -q "version: '$VERSION_STR'," ./meson.build || die "meson.build does not have expected version"
+grep -q "version: '${VERSION_ARR[0]}.${VERSION_ARR[1]}.${VERSION_ARR[2]}'," ./meson.build || die "meson.build does not have expected version"
 TMP="$(git status --porcelain)" || die "git status failed"
 test -z "$TMP" || die "git working directory is not clean (git status --porcelain)"
@ -278,41 +280,50 @@ if [ "$CUR_BRANCH" = main ]; then
    number_is_odd "${VERSION_ARR[1]}" || die "Unexpected version number on main. Should be an odd development version"
    [ "$RELEASE_MODE" = devel -o "$RELEASE_MODE" = rc1 -o "$RELEASE_MODE" = major-post ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
 else
    re='^nm-[0-9]+-[0-9]+$'
    [[ "$CUR_BRANCH" =~ $re ]] || die "Unexpected current branch $CUR_BRANCH. Should be main or nm-?-??"
    if number_is_odd "${VERSION_ARR[1]}"; then
        # we are on a release candiate branch.
        [ "$RELEASE_MODE" = rc -o "$RELEASE_MODE" = major ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "Unexpected current branch $CUR_BRANCH. Should be nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))"
    else
        [ "$RELEASE_MODE" = minor ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "Unexpected current branch $CUR_BRANCH. Should be nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}"
-    [ "$RELEASE_MODE" = rc -o "$RELEASE_MODE" = major -o "$RELEASE_MODE" = minor ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
+    fi
 fi
 RC_VERSION=
 RELEASE_BRANCH=
 case "$RELEASE_MODE" in
    minor)
        number_is_even "${VERSION_ARR[1]}" || die "cannot do minor release on top of version $VERSION_STR"
-        [ "$RC_VERSION" = "" ] || die "cannot do a minor release on top of an RC version"
+        [ "$CUR_BRANCH" != main ] || die "cannot do a minor release on main"
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "minor release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
        ;;
    devel)
        number_is_odd "${VERSION_ARR[1]}" || die "cannot do devel release on top of version $VERSION_STR"
-        [ "$RC_VERSION" = "" ] || die "cannot do a devel release on top of an RC version"
+        [ "$((${VERSION_ARR[2]} + 1))" -lt 90 ] || die "devel release must have a micro version smaller than 90 but current version is $VERSION_STR"
        [ "$CUR_BRANCH" == main ] || die "devel release can only be on main"
        ;;
    rc)
        number_is_odd "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
        [ "${VERSION_ARR[2]}" -ge 90 ] || die "rc release must have a micro version larger than ${VERSION_ARR[0]}.90 but current version is $VERSION_STR"
        RC_VERSION="$((${VERSION_ARR[2]} - 88))"
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "devel release can only be on \"nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))\" branch"
        ;;
    rc1)
        number_is_odd "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
-        [ "$RC_VERSION" = "" ] || die "rc1 release cannot be done on top of an RC version"
+        [ "${VERSION_ARR[2]}" -lt 90 ] || die "rc release must have a micro version smaller than ${VERSION_ARR[0]}.${VERSION_ARR[1]}.90 but current version is $VERSION_STR"
        [ "$CUR_BRANCH" == main ] || die "rc1 release can only be on main"
        RELEASE_BRANCH="nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))"
        ;;
    rc)
        number_is_even "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
        [ "$RC_VERSION" != "" ] || die "rc release must be done on top of an RC version"
        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "rc release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
        ;;
    major)
-        number_is_even "${VERSION_ARR[1]}" || die "cannot do major release on top of version $VERSION_STR"
+        number_is_odd "${VERSION_ARR[1]}" || die "cannot do major release on top of version $VERSION_STR"
-        [ "$RC_VERSION" != "" ] || die "major release must be done on top of an RC version"
+        [ "${VERSION_ARR[2]}" -ge 90 ] || die "parent version for major release must have a micro version larger than ${VERSION_ARR[0]}.90 but current version is $VERSION_STR"
-        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "major release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
+        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "major release can only be on \"nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))\" branch"
        ;;
    major-post)
        number_is_odd "${VERSION_ARR[1]}" || die "cannot do major-post release on top of version $VERSION_STR"
-        [ "$RC_VERSION" = "" ] || die "major-post release cannot be done on top of an RC version"
+        [ "$((${VERSION_ARR[2]} + 1))" -lt 90 ] || die "major-post release must have a micro version smaller than 90 but current version is $VERSION_STR"
        [ "$CUR_BRANCH" == main ] || die "major-post release can only be on main"
        ;;
    *)
@ -359,7 +370,7 @@ if [ "$ALLOW_LOCAL_BRANCHES" != 1 ]; then
    cmp <(git show "$ORIGIN/main:contrib/fedora/rpm/release.sh") "$BASH_SOURCE_ABSOLUTE" || die "$BASH_SOURCE is not identical to \`git show \"$ORIGIN/main:contrib/fedora/rpm/release.sh\"\`"
 fi
-if ! check_news "$RELEASE_MODE"; then
+if ! check_news "$RELEASE_MODE" "@{VERSION_ARR[@]}" ; then
    if [ "$CHECK_NEWS" == 1 ]; then
        die "NEWS file needs update to mention stable release (skip check with --no-check-news)"
    fi
@ -378,7 +389,7 @@ if [ "$RELEASE_MODE" = major -o "$RELEASE_MODE" = minor ]; then
    fi
    echo "$(echo_color 36 -n "https://gitlab.freedesktop.org/NetworkManager/networkmanager.pages.freedesktop.org.git") by running"
    if [ "$RELEASE_MODE" = major ]; then
-        v="${VERSION_ARR[0]}.${VERSION_ARR[1]}.0"
+        v="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1)).0"
    else
        v="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
    fi
@ -407,36 +418,71 @@ if [ $CHECK_GITLAB = 1 ]; then
    fi
 fi
-# Work on a temporary branch
+BRANCHES=()
 BUILD_TAG=
 CLEANUP_CHECKOUT_BRANCH="$CUR_BRANCH"
 git checkout -B "$TMP_BRANCH"
 CLEANUP_REFS+=("refs/heads/$TMP_BRANCH")
 case "$RELEASE_MODE" in
    minor)
-        # Version is already correct in meson.build
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
-        BUILD_VERSION="$VERSION_STR"
+        git commit -m "release: bump version to ${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))" -a || die "failed to commit release"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
+
        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
        git tag -s -a -m "Tag $b" "$b" HEAD || die "failed to tag release"
        BRANCHES+=("$b")
        CLEANUP_REFS+=("refs/tags/$b")
        BUILD_TAG="$b"
        TAR_VERSION="$b"
        ;;
    devel)
-        # Version is already correct in meson.build
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
-        BUILD_VERSION="$VERSION_STR"
+        git commit -m "release: bump version to ${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1)) (development)" -a || die "failed to commit devel version bump"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))-dev"
+
        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
        git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
        BRANCHES+=("$b-dev")
        CLEANUP_REFS+=("refs/tags/$b-dev")
        BUILD_TAG="$b-dev"
        TAR_VERSION="$b"
        ;;
    rc)
-        # Version is already correct in meson.build
+        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
-        BUILD_VERSION="$VERSION_STR"
+        t="${VERSION_ARR[0]}.$(("${VERSION_ARR[1]}" + 1))-rc$RC_VERSION"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}-rc$((RC_VERSION + 1))"
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
        git commit -m "release: bump version to $b ($t) (development)" -a || die "failed to commit rc version bump"
        git tag -s -a -m "Tag $b ($t) (development)" "$t" HEAD || die "failed to tag release"
        BRANCHES+=("$t")
        CLEANUP_REFS+=("refs/tags/$t")
        BUILD_TAG="$t"
        TAR_VERSION="$b"
        ;;
    rc1)
-        # Current version is wrong (dev version), need to set rc1 version
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" 90
-        BUILD_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1))-rc1"
+        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.90"
-        NEXT_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1))-rc2"
+        t="${VERSION_ARR[0]}.$(("${VERSION_ARR[1]}" + 1))-rc1"
        git commit -m "release: bump version to $b ($t)" -a || die "failed to commit rc1 version bump"
        git tag -s -a -m "Tag $b ($t) (development)" "$t" HEAD || die "failed to tag release $t"
        BRANCHES+=("$t")
        CLEANUP_REFS+=("refs/tags/$t")
        BUILD_TAG="$t"
        TAR_VERSION="$b"
        ;;
    major)
-        # Current version is wrong (rc version), need to set major version
+        b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1)).0"
-        BUILD_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.0"
+        set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 1))" 0
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.1"
+        git commit -m "release: bump version to $b" -a || die "failed to commit major version bump"
        git tag -s -a -m "Tag $b" "$b" HEAD || die "failed to tag release"
        BRANCHES+=("$b")
        CLEANUP_REFS+=("refs/tags/$b")
        BUILD_TAG="$b"
        TAR_VERSION="$b"
        ;;
    major-post)
        # We create a merge commit with the content of current "main", with two
@ -448,76 +494,64 @@ case "$RELEASE_MODE" in
        git merge -Xours --commit -m tmp main || die "merge1"
        git rm --cached -r . || die "merge2"
        git checkout main -- . || die "merge3"
        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
        git commit --amend -m tmp -a || die "failed to commit major version bump"
        test x = "x$(git diff main HEAD)" || die "there is a diff after merge!"
-        # Version is already correct in meson.build
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" "$((${VERSION_ARR[2]} + 1))"
-        BUILD_VERSION="$VERSION_STR"
+        git commit --amend -m "release: bump version to $b (development)" -a || die "failed to commit major version bump"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))-dev"
+        git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
        BRANCHES+=("$b-dev")
        CLEANUP_REFS+=("refs/tags/$b-dev")
        BUILD_TAG="$b-dev"
        TAR_VERSION="$b"
        ;;
    *)
        die "Release mode $RELEASE_MODE not yet implemented"
        ;;
 esac
-build_version() {
+build_tag() {
-    local CURR_VERSION="$(get_version)"
+    local BUILD_TAG="$1"
-    local BUILD_VERSION="$1"
+    local TAR_FILE="NetworkManager-$2.tar.xz"
    local NEXT_VERSION="$2"
    local BUILD_VERSION_DESCR="${BUILD_VERSION/-dev/ (development)}"
    local NEXT_VERSION_DESCR="${NEXT_VERSION/-dev/ (development)}"
    local TAR_FILE="NetworkManager-$BUILD_VERSION.tar.xz"
    local SUM_FILE="$TAR_FILE.sha256sum"
-    # The current version is usually already correct, except for rc1 and major. Bump version in those cases.
+    git checkout "$BUILD_TAG" || die "failed to checkout $BUILD_TAG"
    if [[ "$BUILD_VERSION" != "$CURR_VERSION" ]]; then
        set_version_number "$BUILD_VERSION"
        git commit -m "release: bump version to $BUILD_VERSION_DESCR" -a || die "failed to commit release"
    fi
    # Tag the release
    git tag -s -a -m "Release $BUILD_VERSION_DESCR" "$BUILD_VERSION" HEAD || die "failed to tag release"
    PUSH_REFS+=("$BUILD_VERSION")
    CLEANUP_REFS+=("refs/tags/$BUILD_VERSION")
    # Build to get the tarball for the release
    ./contrib/fedora/rpm/build_clean.sh -r || die "build release failed"
    cp "./build/meson-dist/$TAR_FILE" /tmp/ || die "failed to copy $TAR_FILE to /tmp"
    cp "./build/meson-dist/$SUM_FILE" /tmp/ || die "failed to copy $SUM_FILE to /tmp"
    git clean -fdx
    # Store the release version for later use
    RELEASE_VERSIONS+=("$BUILD_VERSION")
    # Bump to next version, so that build between now and the next release has the next version already.
    # Otherwise the macros in nm_version.h don't work correctly.
    set_version_number "$NEXT_VERSION"
    git commit -m "release: bump version to $NEXT_VERSION_DESCR" -a || die "failed to commit version bump"
 }
-# Build and create tarball. Bump version as needed.
+RELEASE_TAR_VERSIONS=()
-PUSH_REFS=()
+RELEASE_TAGS=()
-RELEASE_VERSIONS=()
+if [ -n "$BUILD_TAG" ]; then
-build_version "$BUILD_VERSION" "$NEXT_VERSION"
+    build_tag "$BUILD_TAG" "$TAR_VERSION"
    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
    RELEASE_TAGS+=("$BUILD_TAG")
 fi
 git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
 BRANCHES+=( "$CUR_BRANCH" )
 if [ "$RELEASE_MODE" = rc1 ]; then
-    # Create the release branch (nm-1-xx)
+    git branch "$RELEASE_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
-    git branch "$RELEASE_BRANCH" "$TMP_BRANCH" || die "cannot checkout $RELEASE_BRANCH"
+    BRANCHES+=( "$RELEASE_BRANCH" )
    PUSH_REFS+=( "$RELEASE_BRANCH" )
    CLEANUP_REFS+=( "refs/heads/$RELEASE_BRANCH" )
-
+    git checkout "$TMP_BRANCH"
-    # Go back to the commit of the rc1 release, nm-1-xx is one commit further now.
+    b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).0"
-    git checkout -B "$TMP_BRANCH" "$BUILD_VERSION" || die "cannot checkout $TMP_BRANCH"
+    set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 2))" 0
-
+    git commit -m "release: bump version to $b (development)" -a || die "failed to commit devel version bump"
-    # Second release for rc1: create new dev version on main
+    git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
-    BUILD_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).0-dev"
+    BRANCHES+=("$b-dev")
-    NEXT_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).1-dev"
+    CLEANUP_REFS+=("refs/tags/$b-dev")
-    build_version "$BUILD_VERSION" "$NEXT_VERSION"
+    BUILD_TAG="$b-dev"
-fi
+    TAR_VERSION="$b"
-
+    build_tag "$BUILD_TAG" "$TAR_VERSION"
-# Work was done on the temporary branch, advance the real branch
+    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
    RELEASE_TAGS+=("$BUILD_TAG")
    git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
-PUSH_REFS+=( "$CUR_BRANCH" )
+fi
 if [[ $GITLAB_TOKEN == "" ]]; then
    [[ -r ~/.config/nm-release-token ]] || die "cannot read ~/.config/nm-release-token"
@ -531,21 +565,20 @@ if [ -z "$GITLAB_USER_ID" ] || [ "$GITLAB_USER_ID" = "null" ]; then
    die "failed to authenticate to gitlab.freedesktop.org with the private token"
 fi
-# Push the modified branches and tags to the origin repository
+do_command git push "$ORIGIN" "${BRANCHES[@]}" || die "failed to to push branches ${BRANCHES[@]} to $ORIGIN"
 do_command git push "$ORIGIN" "${PUSH_REFS[@]}" || die "failed to to push branches ${PUSH_REFS[@]} to $ORIGIN"
 # Create the releases
 CREATE_RELEASE_FAIL=0
-for BUILD_VERSION in "${RELEASE_VERSIONS[@]}"; do
+for I in "${!RELEASE_TAR_VERSIONS[@]}"; do
-    TAR_FILE="NetworkManager-$BUILD_VERSION.tar.xz"
+    TAR_FILE="NetworkManager-${RELEASE_TAR_VERSIONS[$I]}.tar.xz"
    SUM_FILE="$TAR_FILE.sha256sum"
    BUILD_TAG="${RELEASE_TAGS["$I"]}"
    FAIL=0
    # upload tarball and checksum file as generic packages
    for F in "$TAR_FILE" "$SUM_FILE"; do
        do_command curl --location --fail-with-body --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
            --upload-file "/tmp/$F" \
-            "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$F" \
+            "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$F" \
            || FAIL=1
        if [[ $FAIL = 1 ]]; then
@ -562,25 +595,25 @@ for BUILD_VERSION in "${RELEASE_VERSIONS[@]}"; do
         --request POST "https://gitlab.freedesktop.org/api/v4/projects/411/releases" \
         --data "$(cat <<END
            {
-                "name": "NetworkManager $BUILD_VERSION",
+                "name": "NetworkManager $BUILD_TAG",
-                "tag_name": "$BUILD_VERSION", 
+                "tag_name": "$BUILD_TAG", 
                "assets": {
                    "links": [
                        {
-                            "name": "NetworkManager $BUILD_VERSION tarball with docs",
+                            "name": "NetworkManager $BUILD_TAG tarball with docs",
-                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$TAR_FILE",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$TAR_FILE",
                            "direct_asset_path": "/$TAR_FILE",
                            "link_type":"package"
                        },
                        {
-                            "name": "NetworkManager $BUILD_VERSION tarball sha256sum",
+                            "name": "NetworkManager $BUILD_TAG tarball sha256sum",
-                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$SUM_FILE",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$SUM_FILE",
                            "direct_asset_path": "/$SUM_FILE",
                            "link_type":"package"
                        },
                        {
                            "name": "NEWS",
-                            "url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/$BUILD_VERSION/NEWS?ref_type=tags",
+                            "url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/$BUILD_TAG/NEWS?ref_type=tags",
                            "direct_asset_path": "/NEWS",
                            "link_type":"other"
                        }
@ -590,8 +623,8 @@ for BUILD_VERSION in "${RELEASE_VERSIONS[@]}"; do
 END
            )" || FAIL=1
-    if [[ $FAIL = 1 ]]; then
+    if [[ $? != 0 ]]; then
-        fail_msg "failed to create NetworkManager $BUILD_VERSION release"
+        fail_msg "failed to create NetworkManager $BUILD_TAG release"
        CREATE_RELEASE_FAIL=1
        continue
    fi
--- a/contrib/fedora/utils/makerepo.sh
+++ b/contrib/fedora/utils/makerepo.sh
@ -265,11 +265,9 @@ detect_dirname() {
            # At some point FEDPKG changed the behavior of "prep" command
            # now it generates the directory with "-build" suffix and the
            # real directory inside. We just move it out.
-            if [ -d "$D-build" ]; then
+            rm -rf $D
-                rm -rf "$D"
+            mv $D-build/$D .
-                mv "$D-build/$D" .
+            rm -rf $D-build
                rm -rf "$D-build"
            fi
            [[ -d "$D" ]] && DIRS=("${DIRS[@]}" "$D")
        done
    done
--- a/contrib/scripts/nm-ci-run.sh
+++ b/contrib/scripts/nm-ci-run.sh
@ -54,24 +54,10 @@ _WITH_WERROR=1
 _WITH_LIBTEAM="true"
 _WITH_DOCS="true"
 _WITH_SYSTEMD_LOGIND="true"
 _WITH_NBFT="true"
 _WITH_CLAT="true"
 if [ $IS_ALPINE = 1 ]; then
    _WITH_SYSTEMD_LOGIND="false"
 fi
 if ! pkgconf 'libnvme >= 1.5'; then
    _WITH_NBFT="false"
 fi
 if ! pkgconf 'libndp >= 1.9'; then
    _WITH_CLAT="false"
 fi
 if ! pkgconf 'libbpf >= 1.3'; then
    _WITH_CLAT="false"
 fi
 if [ -z "${NMTST_SEED_RAND+x}" ]; then
    NMTST_SEED_RAND="$SRANDOM"
    if [ -z "$NMTST_SEED_RAND" ]; then
@ -178,18 +164,18 @@ meson setup build \
    -D ld_gc=false \
    -D session_tracking=no \
    -D systemdsystemunitdir=no \
    -D systemdsystemgeneratordir=no \
    -D systemd_journal=false \
    -D selinux=false \
    -D libaudit=no \
    -D libpsl=false \
    -D vapi=false \
    -D introspection=$_WITH_DOCS \
    -D man=$_WITH_DOCS \
    -D qt=false \
    -D crypto=$_WITH_CRYPTO \
    -D docs=$_WITH_DOCS \
    \
    -D ebpf=false \
    \
    -D iwd=true \
    -D ofono=true \
    -D teamdctl=$_WITH_LIBTEAM \
@ -203,9 +189,6 @@ meson setup build \
    -D ifcfg_rh=false \
    -D ifupdown=true \
    \
    -D nbft=$_WITH_NBFT \
    -D clat=$_WITH_CLAT \
    \
    #end
 export NM_TEST_CLIENT_CHECK_L10N=1
--- a/data/NetworkManager-config-initrd.service.in
+++ b/data/NetworkManager-config-initrd.service.in
@ -1,24 +0,0 @@
 [Unit]
 Description=NetworkManager Configuration (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-journald.socket
 After=systemd-journald.socket
 Before=systemd-udevd.service systemd-udev-trigger.service
 [Service]
 Type=oneshot
 ExecStartPre=/bin/sh -c "rm -f /run/NetworkManager/system-connections/*"
 ExecStart=/bin/sh -c "@libexecdir@/nm-initrd-generator -- $(cat /proc/cmdline)"
 ExecStartPost=/bin/sh -c ' \
    for i in /{usr/lib,run,etc}/NetworkManager/system-connections/*; do \
        [ -f "$i" ] || continue; \
        mkdir -p /run/NetworkManager/initrd; \
        : > /run/NetworkManager/initrd/neednet; \
        break; \
    done; \
    if [ -s /run/NetworkManager/initrd/hostname ]; then \
        cat /run/NetworkManager/initrd/hostname > /proc/sys/kernel/hostname; \
    fi \
 '
 RemainAfterExit=yes
--- a/data/NetworkManager-initrd.service.in
+++ b/data/NetworkManager-initrd.service.in
@ -1,24 +0,0 @@
 [Unit]
 Description=NetworkManager (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-udev-trigger.service network.target
 After=systemd-udev-trigger.service network-pre.target dbus.service NetworkManager-config-initrd.service
 Before=network.target
 BindsTo=dbus.service
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 ConditionPathExistsGlob=|/usr/lib/NetworkManager/system-connections/*
 ConditionPathExistsGlob=|/run/NetworkManager/system-connections/*
 ConditionPathExistsGlob=|/etc/NetworkManager/system-connections/*
 [Service]
 Type=dbus
 BusName=org.freedesktop.NetworkManager
 ExecReload=/usr/bin/busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager org.freedesktop.NetworkManager Reload u 0
 ExecStart=@sbindir@/NetworkManager
 # NM doesn't want systemd to kill its children for it
 KillMode=process
 Environment=NM_CONFIG_ENABLE_TAG=initrd
 Restart=on-failure
 ProtectSystem=true
 ProtectHome=read-only
--- a/data/NetworkManager-wait-online-initrd.service.in
+++ b/data/NetworkManager-wait-online-initrd.service.in
@ -1,23 +0,0 @@
 [Unit]
 Description=NetworkManager Wait Online (initrd)
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Requires=NetworkManager-initrd.service
 After=NetworkManager-initrd.service
 Before=network-online.target
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 [Service]
 # `nm-online -s` waits until the point when NetworkManager logs
 # "startup complete". That is when startup actions are settled and
 # devices and profiles reached a conclusive activated or deactivated
 # state. It depends on which profiles are configured to autoconnect and
 # also depends on profile settings like ipv4.may-fail/ipv6.may-fail,
 # which affect when a profile is considered fully activated.
 # Check NetworkManager logs to find out why wait-online takes a certain
 # time.
 Type=oneshot
 ExecStart=@bindir@/nm-online -s -q
 RemainAfterExit=yes
 Environment=NM_ONLINE_TIMEOUT=3600
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -19,18 +19,10 @@ KillMode=process
 # With a huge number of interfaces, starting can take a long time.
 TimeoutStartSec=600
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_BPF CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 PrivateTmp=true
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=read-only
 ProtectKernelLogs=true
 ProtectSystem=true
-
+ProtectHome=read-only
 RestrictRealtime=true
 RestrictSUIDSGID=true
 # We require file descriptors for DHCP etc. When activating many interfaces,
 # the default limit of 1024 is easily reached.
--- a/data/meson.build
+++ b/data/meson.build
@ -13,9 +13,6 @@ if install_systemdunitdir
    'NetworkManager.service',
    'nm-priv-helper.service',
    'NetworkManager-wait-online.service',
    'NetworkManager-config-initrd.service',
    'NetworkManager-initrd.service',
    'NetworkManager-wait-online-initrd.service',
  ]
  foreach service: services
@ -55,22 +52,21 @@ if install_udevdir
 endif
 if enable_polkit
  policy = 'org.freedesktop.NetworkManager.policy'
  policy_in = configure_file(
    input: policy + '.in.in',
    output: '@BASENAME@',
    configuration: data_conf,
  )
  i18n.merge_file(
-    input: 'org.freedesktop.NetworkManager.policy.in',
+    input: policy_in,
    output: '@BASENAME@',
    po_dir: po_dir,
    install: true,
-    install_dir: polkit_policydir,
+    install_dir: polkit_gobject_policydir,
  )
  if polkit_noauth_group != ''
    configure_file(
      input: 'org.freedesktop.NetworkManager.rules.in',
      output: '@BASENAME@',
      install_dir: polkit_rulesdir,
      configuration: {'NM_POLKIT_NOAUTH_GROUP': polkit_noauth_group},
    )
  endif
 endif
 if enable_firewalld_zone
--- a/data/nm-priv-helper.service.in
+++ b/data/nm-priv-helper.service.in
@ -2,8 +2,8 @@
 Description=NetworkManager Privileged Helper
 #
-# nm-priv-helper exists for privilege separation. It allows NetworkManager
+# nm-priv-helper exists for privilege separation. It allows to run
-# to run without certain capabilities, and ask nm-priv-helper
+# NetworkManager without certain capabilities, and ask nm-priv-helper
 # for special operations where more privileges are required.
 #
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in.in
@ -117,8 +117,8 @@
    <message>System policy prevents modification of network settings for all users</message>
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>auth_admin_keep</allow_inactive>
+      <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
-      <allow_active>auth_admin_keep</allow_active>
+      <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
    </defaults>
  </action>
--- a/data/org.freedesktop.NetworkManager.rules.in
+++ b/data/org.freedesktop.NetworkManager.rules.in
@ -1,17 +0,0 @@
 // NetworkManager authorizations/policy for the @NM_POLKIT_NOAUTH_GROUP@ group.
 //
 // DO NOT EDIT THIS FILE, it will be overwritten on update.
 //
 // Allow users in the @NM_POLKIT_NOAUTH_GROUP@ group to create system-wide connections without being
 // prompted for a password if they are in a local console.
 // This is optional and is only recommended to maintain backwards compatibility
 // in systems where it was already working in this way. It is discouraged
 // otherwise.
 polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
        subject.isInGroup("@NM_POLKIT_NOAUTH_GROUP@") &&
        subject.local) {
        return polkit.Result.YES;
    }
 });
--- a/docs/api/meson.build
+++ b/docs/api/meson.build
@ -1,8 +1,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 if enable_introspection
  xsltproc = find_program('xsltproc')
  settings = 'settings-spec'
  output = settings + '.xml'
--- a/docs/api/network-manager-docs.xml
+++ b/docs/api/network-manager-docs.xml
@ -183,7 +183,6 @@
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Bridge.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Dummy.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Generic.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Geneve.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Hsr.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.IPTunnel.xml"/>
      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Infiniband.xml"/>
--- a/docs/libnm/libnm-docs.xml
+++ b/docs/libnm/libnm-docs.xml
@ -317,7 +317,6 @@ print ("NetworkManager version " + client.get_version())]]></programlisting></in
    <xi:include href="xml/nm-setting-dummy.xml"/>
    <xi:include href="xml/nm-setting-ethtool.xml"/>
    <xi:include href="xml/nm-setting-generic.xml"/>
    <xi:include href="xml/nm-setting-geneve.xml"/>
    <xi:include href="xml/nm-setting-gsm.xml"/>
    <xi:include href="xml/nm-setting-hostname.xml"/>
    <xi:include href="xml/nm-setting-hsr.xml"/>
@ -342,7 +341,6 @@ print ("NetworkManager version " + client.get_version())]]></programlisting></in
    <xi:include href="xml/nm-setting-ovs-port.xml"/>
    <xi:include href="xml/nm-setting-ppp.xml"/>
    <xi:include href="xml/nm-setting-pppoe.xml"/>
    <xi:include href="xml/nm-setting-prefix-delegation.xml"/>
    <xi:include href="xml/nm-setting-proxy.xml"/>
    <xi:include href="xml/nm-setting-serial.xml"/>
    <xi:include href="xml/nm-setting-sriov.xml"/>
@ -378,7 +376,6 @@ print ("NetworkManager version " + client.get_version())]]></programlisting></in
    <xi:include href="xml/nm-device-dummy.xml"/>
    <xi:include href="xml/nm-device-ethernet.xml"/>
    <xi:include href="xml/nm-device-generic.xml"/>
    <xi:include href="xml/nm-device-geneve.xml"/>
    <xi:include href="xml/nm-device-hsr.xml"/>
    <xi:include href="xml/nm-device-infiniband.xml"/>
    <xi:include href="xml/nm-device-ip-tunnel.xml"/>
--- a/docs/libnm/libnm.svg
+++ b/docs/libnm/libnm.svg
@ -202,7 +202,7 @@
         sodipodi:role="line"
         x="19.192902"
         y="360.40768"
-         id="tspan3839">Retrieves, adds, and notifies of changes</tspan><tspan
+         id="tspan3839">Retrieves, adds, and notifes of changes</tspan><tspan
         sodipodi:role="line"
         x="19.192902"
         y="372.90768"
--- a/examples/C/glib/monitor-nm-state-gdbus.c
+++ b/examples/C/glib/monitor-nm-state-gdbus.c
@ -23,8 +23,8 @@ static const char *
 nm_state_to_string(NMState state)
 {
    switch (state) {
-    case NM_STATE_DISABLED:
+    case NM_STATE_ASLEEP:
-        return "network off";
+        return "asleep";
    case NM_STATE_CONNECTING:
        return "connecting";
    case NM_STATE_CONNECTED_LOCAL:
--- a/examples/python/gi/gmaincontext.py
+++ b/examples/python/gi/gmaincontext.py
@ -188,7 +188,7 @@ def create_nmc(dbus_connection):
    # which has an overhead.
    #
    # Also, split the GObject creation and the init_async() call in two.
-    # That allows one to pass construct-only parameters, in particular like
+    # That allows to pass construct-only parameters, in particular like
    # the instance_flags.
    # Create a separate context for the NMClient. The NMClient is strongly
--- a/examples/python/gi/secret-agent.py
+++ b/examples/python/gi/secret-agent.py
@ -1,92 +0,0 @@
 #!/usr/bin/env python
 # SPDX-License-Identifier: LGPL-2.1-or-later
 import gi
 gi.require_version("NM", "1.0")
 from gi.repository import GLib, NM, Gio
 # This example shows how to implement a very simple secret agent for
 # NetworkManager. The secret agent registers to the NM daemon and can
 # provide missing secrets like Wi-Fi or VPN passwords. Set environment
 # variable "LIBNM_CLIENT_DEBUG=trace" to enable libnm verbose logging.
 class SecretAgent(NM.SecretAgentOld):
    def __init__(self):
        super().__init__(identifier="MySecretAgent")
        super().init()
    def do_get_secrets(
        self,
        connection,
        connection_path,
        setting_name,
        hints,
        flags,
        callback,
        callback_data,
    ):
        print(
            "get_secrets for '{}', interface '{}', setting '{}'".format(
                connection.get_id(), connection.get_interface_name(), setting_name
            )
        )
        # Implement here the logic to retrieve the secrets.
        # As an example, we return a hardcoded Wi-Fi PSK.
        if (
            connection.get_connection_type() == "802-11-wireless"
            and setting_name == "802-11-wireless-security"
        ):
            s_wifi = connection.get_setting_wireless()
            ssid = NM.utils_ssid_to_utf8(s_wifi.get_ssid().get_data())
            if ssid == "home":
                secrets = GLib.Variant(
                    "a{sa{sv}}",
                    {
                        "802-11-wireless-security": {
                            "psk": GLib.Variant("s", "abcd1234")
                        }
                    },
                )
                print("Sending secrets {}".format(secrets))
                callback(self, connection, secrets, None)
                return
        # We don't have the secret, NM will ask to another agent or fail
        callback(
            self,
            connection,
            None,
            GLib.GError.new_literal(
                NM.SecretAgentError.quark(),
                "No secrets found",
                NM.SecretAgentError.NOSECRETS,
            ),
        )
    def do_cancel_get_secrets(self, connection_path, connection_name):
        pass
    def do_save_secrets(self, connection, connection_path, callback, callback_data):
        # Implement this if you want to store "agent-owned" secrets
        callback(self, connection, None)
    def do_delete_secrets(self, connection, connection_path, callback, callback_data):
        # Implement this if you want to store "agent-owned" secrets
        callback(self, connection, None)
 def main():
    agent = SecretAgent()
    loop = GLib.MainLoop()
    try:
        loop.run()
    except KeyboardInterrupt:
        print("Exiting Secret Agent...")
 if __name__ == "__main__":
    main()
--- a/introspection/meson.build
+++ b/introspection/meson.build
@ -15,7 +15,6 @@ ifaces = [
  'org.freedesktop.NetworkManager.Device.Bridge',
  'org.freedesktop.NetworkManager.Device.Dummy',
  'org.freedesktop.NetworkManager.Device.Generic',
  'org.freedesktop.NetworkManager.Device.Geneve',
  'org.freedesktop.NetworkManager.Device.Hsr',
  'org.freedesktop.NetworkManager.Device.IPTunnel',
  'org.freedesktop.NetworkManager.Device.Infiniband',
--- a/introspection/org.freedesktop.NetworkManager.Device.Geneve.xml
+++ b/introspection/org.freedesktop.NetworkManager.Device.Geneve.xml
@ -1,63 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <node name="/">
  <!--
      org.freedesktop.NetworkManager.Device.Geneve:
      @short_description: GENEVE Device.
  -->
  <interface name="org.freedesktop.NetworkManager.Device.Geneve">
    <!--
        Id:
        @since: 1.58
        The GENEVE Virtual Network Identifier (VNI).
    -->
    <property name="Id" type="u" access="read"/>
    <!--
        Remote:
        @since: 1.58
        The IP (v4 or v6) address of the remote endpoint to which GENEVE packets
        are sent.
    -->
    <property name="Remote" type="s" access="read"/>
    <!--
        Tos:
        @since: 1.58
        The value to use in the IP ToS field for GENEVE packets sent to the remote
        endpoint.
    -->
    <property name="Tos" type="y" access="read"/>
    <!--
        Ttl:
        @since: 1.58
        The value to use in the IP TTL field for GENEVE packets sent to the remote
        endpoint.
    -->
    <property name="Ttl" type="i" access="read"/>
    <!--
        Df:
        @since: 1.58
        The Don't Fragment (DF) flag setting for GENEVE packets. 0 means unset,
        1 means set, 2 means inherit from the underlying interface.
    -->
    <property name="Df" type="y" access="read"/>
    <!--
        DstPort:
        @since: 1.58
        Destination port for outgoing GENEVE packets.
    -->
    <property name="DstPort" type="q" access="read"/>
  </interface>
 </node>
--- a/introspection/org.freedesktop.NetworkManager.Device.xml
+++ b/introspection/org.freedesktop.NetworkManager.Device.xml
@ -175,9 +175,6 @@
        property has a similar effect to configuring the device as unmanaged via
        the keyfile.unmanaged-devices setting in NetworkManager.conf. Changes to
        this value are not persistent and lost after NetworkManager restart.
        DEPRECATED: 1.58: Use the SetManaged method instead, which supports
        additional features like persisting the state to disk
    -->
    <property name="Managed" type="b" access="readwrite"/>
@ -324,7 +321,7 @@
    <!--
        Reapply:
        @connection: The optional connection settings that will be reapplied on the device. If empty, the currently active settings-connection will be used. The connection cannot arbitrarily differ from the current applied-connection otherwise the call will fail. Only certain changes are supported, like adding or removing IP addresses.
-        @version_id: If non-zero, the current version id of the applied-connection must match. The current version id can be retrieved via GetAppliedConnection. This optional argument allows one to catch concurrent modifications between the GetAppliedConnection call and Reapply.
+        @version_id: If non-zero, the current version id of the applied-connection must match. The current version id can be retrieved via GetAppliedConnection. This optional argument allows to catch concurrent modifications between the GetAppliedConnection call and Reapply.
        @flags: Flags which would modify the behavior of the Reapply call. Invalid flags are rejected.
        Attempts to update the configuration of a device without deactivating it.
@ -340,7 +337,7 @@
        settings-connection, or call Reapply. The Reapply call allows you to
        directly update the applied-connection and reconfigure the device. Reapply
        can also be useful if the currently applied-connection is equal to the
-        connection that is about to be reapplied. This allows one to reconfigure the
+        connection that is about to be reapplied. This allows to reconfigure the
        device and revert external changes like removing or adding an IP address
        (which NetworkManager doesn't revert automatically because it is assumed
        that the user made these changes intentionally outside of NetworkManager).
@ -394,20 +391,6 @@
    -->
    <method name="Delete"/>
    <!--
        SetManaged:
        @managed:(<link linkend="NMDeviceManaged">NMDeviceManaged</link>) Whether the device is managed. Possible values are "no" (0), "yes" (1) and "reset" (2).
        @flags: (<link linkend="NMDeviceManagedFlags">NMDeviceManagedFlags</link>) flags.
        @since: 1.58
        Set the managed state of the device. With the flags argument different
        behaviors can be achieved, like storing the new managed state to disk.
    -->
    <method name="SetManaged">
      <arg name="managed" type="u" direction="in"/>
      <arg name="flags" type="u" direction="in"/>
      </method>
    <!--
        StateChanged:
        @new_state: (<link linkend="NMDeviceState">NMDeviceState</link>) The new state of the device.
--- a/introspection/org.freedesktop.NetworkManager.Settings.Connection.xml
+++ b/introspection/org.freedesktop.NetworkManager.Settings.Connection.xml
@ -62,7 +62,7 @@
    <!--
        GetSecrets:
-        @setting_name: Name of the setting to return secrets for (mandatory).
+        @setting_name: Name of the setting to return secrets for. If empty, all secrets will be returned.
        @secrets: Nested settings maps containing secrets.
        Get the secrets belonging to this network configuration. Only secrets from
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -83,11 +83,6 @@
    note that your distribution or other packages may drop configuration snippets for NetworkManager, such
    that they are part of the factory default.
    </para>
    <para>
    The options that are indicated as boolean can be set to one of these values:
    <literal>yes</literal>, <literal>true</literal>, <literal>on</literal>, <literal>1</literal>,
    <literal>no</literal>, <literal>false</literal>, <literal>off</literal>, <literal>0</literal>.
    </para>
  </refsect1>
@ -276,7 +271,8 @@ no-auto-default=*
            Set the management mode of the hostname. This parameter will
            affect only the transient hostname. If a valid static hostname is set,
            NetworkManager will skip the update of the hostname despite the value of
-            this option. A hostname empty or equal to '(none)' is considered invalid.
+            this option. An hostname empty or equal to 'localhost', 'localhost6',
            'localhost.localdomain' or 'localhost6.localdomain' is considered invalid.
          </para>
          <para><literal>default</literal>: NetworkManager will update the
          hostname with the one provided via DHCP or reverse DNS lookup of the
@ -900,15 +896,11 @@ ipv6.ip6-privacy=0
        </varlistentry>
        <varlistentry>
          <term><varname>connection.mptcp-flags</varname></term>
-          <listitem><para>If unspecified, the fallback is 0x122 (<literal>"enabled,subflow,laminar"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
+          <listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dns-over-tls</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dnssec</varname></term>
          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.stable-id</varname></term>
@ -950,14 +942,6 @@ ipv6.ip6-privacy=0
          <term><varname>ip-tunnel.mtu</varname></term>
          <listitem><para>If configured explicitly to 0, the MTU is not reconfigured during device activation unless it is required due to IPv6 constraints. If left unspecified, a DHCP/IPv6 SLAAC provided value is used or a default of 1500.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.forwarding</varname></term>
          <listitem><para>Whether to configure IPv4 sysctl interface-specific forwarding. When enabled, the interface will act as a router to forward the IPv4 packet from one interface to another. If left unspecified, "auto" is used, so NetworkManager sets the IPv4 forwarding if any shared connection is active, or it will use the kernel default value otherwise. The "ipv4.forwarding" property is ignored when "ipv4.method" is set to "shared", because forwarding is always enabled in this case. The accepted values are: 0: disabled, 1: enabled, 2: auto, 3: ignored (leave the forwarding unchanged).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.clat</varname></term>
          <listitem><para>If left unspecified, defaults to "no".</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.routed-dns</varname></term>
        </varlistentry>
@ -976,7 +960,7 @@ ipv6.ip6-privacy=0
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.dhcp-ipv6-only-preferred</varname></term>
-          <listitem><para>If left unspecified, it defaults to "auto".</para></listitem>
+          <listitem><para>If left unspecified, the "IPv6-only preferred" DHCPv4 option is disabled.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>ipv4.dhcp-hostname-flags</varname></term>
@ -1106,12 +1090,6 @@ ipv6.ip6-privacy=0
          <term><varname>sriov.autoprobe-drivers</varname></term>
          <listitem><para>If left unspecified, drivers are autoprobed when the SR-IOV VF gets created.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>sriov.preserve-on-down</varname></term>
          <listitem><para>Set to 0 or 1 to select whether the SR-IOV parameters are
          preserved when the connection is deactivated. If left unspecified, default
          to 0 (parameters are not preserved). </para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>vpn.timeout</varname></term>
          <listitem><para>If left unspecified, default value of 60 seconds is used.</para></listitem>
@ -1258,13 +1236,12 @@ managed=1
          <term><varname>managed</varname></term>
          <listitem>
            <para>
-              A boolean value specifying whether the device is
+              Whether the device is managed or not. A device can be
-              managed or not. A device can be marked as managed via
+              marked as managed via udev rules (ENV{NM_UNMANAGED}),
-              udev rules (ENV{NM_UNMANAGED}), or via setting plugins
+              or via setting plugins (keyfile.unmanaged-devices).
-              (keyfile.unmanaged-devices).  This is yet another
+              This is yet another way. Note that this configuration
-              way. Note that this configuration can be overruled at
+              can be overruled at runtime via D-Bus. Also, it has
-              runtime via D-Bus. Also, it has higher priority than
+              higher priority then udev rules.
              udev rules.
            </para>
          </listitem>
        </varlistentry>
@ -1333,27 +1310,9 @@ managed=1
            </para>
          </listitem>
        </varlistentry>
        <varlistentry id="check-connectivity">
          <term><varname>check-connectivity</varname></term>
          <listitem>
            <para>
              A boolean value specifying whether NetworkManager will perform a connectivity check
              for this device. Defaults to <literal>yes</literal>.
            </para>
            <para>
              This setting does nothing if the connectivity check has been
              disabled globally using the
              <literal>connectivity.enabled</literal> setting.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry id="keep-configuration">
         <term><varname>keep-configuration</varname></term>
          <listitem>
            <para>
              A boolean value indicating whether the existing device
              configuration is kept at startup.
            </para>
            <para>
              On startup, NetworkManager tries to not interfere with
              interfaces that are already configured. It does so by
@ -1416,7 +1375,7 @@ managed=1
              scanning. This defaults to <literal>yes</literal> in which case
              a random, locally-administered MAC address will be used.
              The setting <literal>wifi.scan-generate-mac-address-mask</literal>
-              can be used to influence the generated MAC address to use certain vendor
+              allows to influence the generated MAC address to use certain vendor
              OUIs.
              If disabled, the MAC address during scanning is left unchanged to
              whatever is configured.
@ -1440,7 +1399,7 @@ managed=1
          <listitem>
            <para>
              Like the per-connection settings <literal>ethernet.generate-mac-address-mask</literal>
-              and <literal>wifi.generate-mac-address-mask</literal>, this can be used to configure the
+              and <literal>wifi.generate-mac-address-mask</literal>, this allows to configure the
              generated MAC addresses during scanning. See <citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry>
              for details.
            </para>
@ -1450,16 +1409,16 @@ managed=1
          <term><varname>wifi.iwd.autoconnect</varname></term>
          <listitem>
            <para>
-              A boolean value. If <literal>wifi.backend</literal> is <literal>iwd</literal>,
+              If <literal>wifi.backend</literal> is <literal>iwd</literal>, setting this to
-              setting this to <literal>false</literal> forces IWD's autoconnect mechanism to be
+              <literal>false</literal> forces IWD's autoconnect mechanism to be disabled for
-              disabled for this device and connections will only be initiated by NetworkManager
+              this device and connections will only be initiated by NetworkManager whether
-              whether commanded by a client or automatically.  Leaving it <literal>true</literal>
+              commanded by a client or automatically.  Leaving it <literal>true</literal> (default)
-              (default) stops NetworkManager from automatically initiating connections and allows
+              stops NetworkManager from automatically initiating connections and allows
-              IWD to use its network ranking and scanning logic to decide the best networks to
+              IWD to use its network ranking and scanning logic to decide the best networks
-              autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
+              to autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
-              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings like
+              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings
-              <literal>permissions</literal> or <literal>multi-connect</literal> may interfere with
+              like <literal>permissions</literal> or <literal>multi-connect</literal> may interfere
-              IWD connection attempts.
+              with IWD connection attempts.
            </para>
          </listitem>
        </varlistentry>
@ -1518,7 +1477,7 @@ managed=1
      <variablelist>
        <varlistentry>
          <term><varname>enabled</varname></term>
-          <listitem><para>A boolean indicating whether connectivity check is enabled.
+          <listitem><para>Whether connectivity check is enabled.
          Note that to enable connectivity check, a valid uri must
          also be configured. The value defaults to true, but since
          the uri is unset by default, connectivity check may be disabled.
@ -1572,12 +1531,8 @@ managed=1
  <refsect1>
    <title><literal>global-dns</literal> section</title>
-    <para>This section specifies DNS settings that are applied globally. They
+    <para>This section specifies DNS settings that are applied
-    override the equivalent options defined in individual connections, making
+    globally, in addition to connection-specific ones.</para>
    them to be ignored. If a [global-dns-domain-*] section is defined, but this
    section isn't, an empty [global-dns] section is assumed, thus overwriting
    connection specific configurations too.
    </para>
    <para>
      <variablelist>
        <varlistentry>
@ -1626,7 +1581,7 @@ managed=1
  <refsect1>
    <title><literal>global-dns-domain</literal> sections</title>
    <para>Sections with a name starting with the "global-dns-domain-"
-    prefix allow one to define global DNS configuration for specific
+    prefix allow to define global DNS configuration for specific
    domains.  The part of section name after "global-dns-domain-"
    specifies the domain name a section applies to (for example, a
    section could be named "global-dns-domain-foobar.com").  More
@ -1637,10 +1592,6 @@ managed=1
    default domain "*". When the global DNS domains are valid, the
    name servers and domains defined globally override the ones from
    active connections.
    If any global DNS domain is defined but a [global-dns] section isn't,
    an empty [global-dns] section is assumed, thus overwriting its
    connection specific configurations too.
    </para>
    <para>
      <variablelist>
--- a/man/meson.build
+++ b/man/meson.build
@ -1,5 +1,29 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 common_ent_file = configure_file(
  input: 'common.ent.in',
  output: '@BASENAME@',
  configuration: data_conf,
 )
 xsltproc_options = [
  xsltproc,
  '--output', '@OUTPUT@',
  '--path', meson.current_build_dir(),
  '--xinclude',
  '--nonet',
  '--stringparam', 'man.output.quietly', '1',
  '--stringparam', 'funcsynopsis.style', 'ansi',
  '--stringparam', 'man.th.extra1.suppress', '1',
  '--stringparam', 'man.authors.section.enabled', '0',
  '--stringparam', 'man.copyright.section.enabled', '0',
  '--stringparam', 'man.th.title.max.length', '30',
 ]
 docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
 mans_xmls = []
 mans = [
  ['NetworkManager', '8'],
  ['NetworkManager-dispatcher', '8'],
@ -20,62 +44,12 @@ if enable_nm_cloud_setup
  mans += [['nm-cloud-setup', '8']]
 endif
 introspection_mans = [
  ['nm-settings-keyfile', '5'],
  ['nm-settings-dbus',    '5'],
  ['nm-settings-nmcli',   '5'],
 ]
 if enable_ifcfg_rh
  introspection_mans += [['nm-settings-ifcfg-rh', '5']]
 endif
 built_mans = []
 foreach man: mans + introspection_mans
  name = man[0] + '.' + man[1]
  if not fs.exists(name)
    built_mans = []
    break
  endif
  built_mans += name
 endforeach
 if enable_introspection or enable_docs
  common_ent_file = configure_file(
    input: 'common.ent.in',
    output: '@BASENAME@',
    configuration: data_conf,
  )
 endif
 if enable_introspection and (enable_man or enable_docs)
  xsltproc_options = [
    find_program('xsltproc'),
    '--output', '@OUTPUT@',
    '--path', meson.current_build_dir(),
    '--xinclude',
    '--nonet',
    '--stringparam', 'man.output.quietly', '1',
    '--stringparam', 'funcsynopsis.style', 'ansi',
    '--stringparam', 'man.th.extra1.suppress', '1',
    '--stringparam', 'man.authors.section.enabled', '0',
    '--stringparam', 'man.copyright.section.enabled', '0',
    '--stringparam', 'man.th.title.max.length', '30',
  ]
  docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
  mans_xmls = []
 foreach man: mans
  input = man[0] + '.xml'
  content_files += join_paths(meson.current_source_dir(), input)
  output = '@0@.@1@'.format(man[0], man[1])
    # not needed if only html requested
    if enable_man
  custom_target(
    output,
    input: input,
@ -85,9 +59,9 @@ if enable_introspection and (enable_man or enable_docs)
    install: true,
    install_dir: join_paths(nm_mandir, 'man' + man[1]),
  )
    endif
 endforeach
 if enable_introspection
  merge_cmd = files(source_root / 'tools' / 'generate-docs-nm-settings-docs-merge.py')
  name = 'dbus'
@ -150,8 +124,6 @@ if enable_introspection and (enable_man or enable_docs)
    output = '@0@.@1@'.format(man[0], man[1])
    # not needed if only html requested
    if enable_man
    custom_target(
      output,
      input: input,
@ -160,13 +132,5 @@ if enable_introspection and (enable_man or enable_docs)
      install: true,
      install_dir: join_paths(nm_mandir, 'man' + man[1]),
    )
    endif
  endforeach
 # not needed if only html requested
 elif enable_man
  if built_mans.length() > 0
    install_man(built_mans)
  else
    error('Building manpages requires xsltproc and -Dintrospection=true, and no prebuilt manpages were found. Try building from a release tarball or using -Dman=false.')
  endif
 endif
--- a/man/nm-cloud-setup.xml
+++ b/man/nm-cloud-setup.xml
@ -115,9 +115,9 @@
      <title>nm-cloud-setup.service systemd unit</title>
      <para>Usually <command>/usr/libexec/nm-cloud-setup</command> is not run directly,
      but only by <command>systemctl restart nm-cloud-setup.service</command>. This
-      ensures that the tool only runs once at any time.
+      ensures that the tool only runs once at any time. It also allows to integrate
-      The unit is also used by the nm-cloud-setup systemd timer and allows
+      with the nm-cloud-setup systemd timer,
-      enabling/disabling the service via systemd.</para>
+      and to enable/disable the service via systemd.</para>
      <para>As you need to set environment variable to configure nm-cloud-setup binary,
      you can do so via systemd override files. Try <command>systemctl edit nm-cloud-setup.service</command>.</para>
@ -143,7 +143,7 @@
      script is to automatically pick up changes to the network.</para>
      <para>The dispatcher script will do nothing, unless the systemd service is
-      enabled. To use the dispatcher script you should therefore run
+      enabled. To use the dispatcher script you should therefor run
      <command>systemctl enable nm-cloud-setup.service</command> once.</para>
    </refsect2>
@ -197,7 +197,7 @@
    <para>Enable debug logging by setting <literal>NM_CLOUD_SETUP_LOG</literal> environment variable to <literal>TRACE</literal>.</para>
    <para>In the common case where nm-cloud-setup is running as systemd service, this can be done via <command>systemctl edit nm-cloud-setup.service</command>
    and add <literal>Environment=NM_CLOUD_SETUP_LOG=TRACE</literal> to the <literal>[Service]</literal> section. Afterwards, the log can
-    be found in syslog via <literal>journalctl</literal>. You may also want to enable debug logging in NetworkManager as described
+    be found in syslog via <literal>journalctl</literal>. You may also want to enable debug logging in NetworkManager as descibed
    in the DEBUGGING section in <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
    manual. When sharing logs, it's best to share complete logs and not preemptively filter for NetworkManager or nm-cloud-setup logs.</para>
  </refsect1>
--- a/man/nm-initrd-generator.xml
+++ b/man/nm-initrd-generator.xml
@ -154,7 +154,6 @@
            <member><option>net.ifnames</option></member>
            <member><option>rd.peerdns</option></member>
            <member><option>rd.iscsi.ibft</option></member>
            <member><option>rd.nvmf.nonbft</option></member>
            <member><option>rd.bootif</option></member>
            <member><option>rd.neednet</option></member>
            <member><option>rd.ethtool</option></member>
@ -162,7 +161,6 @@
            <member><option>rd.net.dns-backend</option></member>
            <member><option>rd.net.dns-resolve-mode</option></member>
            <member><option>rd.net.timeout.dhcp</option></member>
            <member><option>rd.net.dhcp.client-id</option></member>
            <member><option>rd.net.dhcp.retry</option></member>
            <member><option>rd.net.dhcp.vendor-class</option></member>
            <member><option>rd.net.dhcp.dscp</option></member>
@ -269,23 +267,6 @@
        </para>
      </listitem>
      <listitem>
        <para>NetworkManager supports the
        <option>rd.net.dhcp.client-id</option>=<replaceable>interface</replaceable>:<replaceable>client-id</replaceable>
        kernel command line option to set a specific DHCPv4 client identifier
        for the given interface. The client-id can be specified either as a
        sequence of bytes in hexadecimal format separated by dashes, or as the
        character '@' followed by a non-empty string. When using the second
        format, NetworkManager prepends a zero byte to the given string,
        according to section 9.14 of RFC 2132. See the "ipv4.dhcp-client-id"
        section of <link
        linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
        for more details. Examples:
        <literal>rd.net.dhcp.client-id=eth0:01-52-54-00-45-87-42</literal>,
        <literal>rd.net.dhcp.client-id=enp1s0:@example.com</literal>.
        </para>
      </listitem>
    </itemizedlist>
  </refsect1>
@ -296,7 +277,6 @@
  <refsect1 id='see_also'><title>See Also</title>
    <para><link linkend='dracut.cmdline'><citerefentry><refentrytitle>dracut.cmdline</refentrytitle><manvolnum>7</manvolnum></citerefentry></link>,
-    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>,
+    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>.</para>
    <link linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>.</para>
  </refsect1>
 </refentry>
--- a/man/nmcli.xml
+++ b/man/nmcli.xml
@ -1066,16 +1066,15 @@
            <listitem><para><literal>dummy</literal></para></listitem>
            <listitem><para><literal>generic</literal></para></listitem>
            <listitem><para><literal>gsm</literal></para></listitem>
            <listitem><para><literal>hsr</literal></para></listitem>
            <listitem><para><literal>infiniband</literal></para></listitem>
            <listitem><para><literal>ip-tunnel</literal></para></listitem>
            <listitem><para><literal>ipvlan</literal></para></listitem>
            <listitem><para><literal>loopback</literal></para></listitem>
            <listitem><para><literal>macsec</literal></para></listitem>
            <listitem><para><literal>macvlan</literal></para></listitem>
            <listitem><para><literal>olpc-mesh</literal></para></listitem>
            <listitem><para><literal>ovs-bridge</literal></para></listitem>
            <listitem><para><literal>ovs-dpdk</literal></para></listitem>
            <listitem><para><literal>ovs-interface</literal></para></listitem>
            <listitem><para><literal>ovs-patch</literal></para></listitem>
            <listitem><para><literal>ovs-port</literal></para></listitem>
            <listitem><para><literal>pppoe</literal></para></listitem>
            <listitem><para><literal>team</literal></para></listitem>
@ -1436,31 +1435,15 @@
          </arg>
          <arg>
            <option>managed</option>
            <group>
              <arg choice='plain'>--permanent</arg>
              <arg choice='plain'>--permanent-only</arg>
            </group>
            <group choice='req'>
              <arg choice='plain'>yes</arg>
              <arg choice='plain'>no</arg>
              <arg choice='plain'>up</arg>
              <arg choice='plain'>down</arg>
              <arg choice='plain'>reset</arg>
            </group>
          </arg>
        </term>
        <listitem>
          <para>Set device properties.</para>
          <para>The <option>managed</option> property accepts a <option>--permanent</option>
          option to persist the managed state to disk, and not only in runtime. With
          <option>--permanent-only</option> only the permanent managed state is set, and not the
          runtime managed state. The special values <option>up</option> and <option>down</option>
          can be used to set the administrative state of the device at the same time as the runtime
          managed state. The <option>reset</option> value clears the explicit managed setting, and
          with <option>--permanent</option> or <option>--permanent-only</option> it also removes
          the persisted managed setting.</para>
        </listitem>
      </varlistentry>
@ -1734,7 +1717,6 @@
            <group choice='req'>
              <arg choice='plain'>a</arg>
              <arg choice='plain'>bg</arg>
              <arg choice='plain'>6GHz</arg>
            </group>
          </arg>
          <arg><option>channel</option> <replaceable>channel</replaceable></arg>
@ -1868,9 +1850,9 @@
          connections with an option of restoring the network configuration to a
          known good state in case of an error.</para>
-          <para>If a list of interface names is specified, the checkpoint is
+          <para>If the a list of interface names is specified, the checkpoint is
-          taken only on the specified devices. Otherwise a checkpoint is taken for
+          taken, the checkpoint is takes only on the specified devices. Otherwise
-          all devices.</para>
+          a checkpoint is taken for all devices.</para>
          <para>Currently the timeout defaults to 15 seconds. This may change in
          a future version.</para>
--- a/meson.build
+++ b/meson.build
@ -5,48 +5,23 @@ project(
 # NOTE: When incrementing version also add corresponding
 #       NM_VERSION_x_y_z macros in
 #       "src/libnm-core-public/nm-version-macros.h.in"
-  version: '1.57.4-dev',
+  version: '1.52.2',
  license: 'GPL2+',
  default_options: [
    'buildtype=debugoptimized',
    'c_std=gnu11',
    'warning_level=2' # value "2" will add "-Wall" and "-Wextra" to the compiler flags
  ],
-  meson_version: '>= 0.56.0',
+  meson_version: '>= 0.51.0',
 )
 nm_name = meson.project_name()
 nm_version = meson.project_version()
-
+version_array = nm_version.split('.')
 version_and_suffix = nm_version.split('-')
 version_array = version_and_suffix[0].split('.')
 if version_and_suffix.length() == 2
  version_suffix = version_and_suffix[1]
 else
  assert(version_and_suffix.length() == 1)
  version_suffix = ''
 endif
 # In the C API we encode the version in 90+ scheme (1.56-rc1 = 1.55.90, rc2 = .91, etc)
 if version_suffix == '' or version_suffix == 'dev'
  assert(version_array.length() == 3)
 nm_major_version = version_array[0].to_int()
 nm_minor_version = version_array[1].to_int()
 nm_micro_version = version_array[2].to_int()
 elif version_suffix.startswith('rc')
  assert(version_array.length() == 2)
  nm_major_version = version_array[0].to_int()
  nm_minor_version = version_array[1].to_int() - 1
  nm_micro_version = version_suffix.substring(2).to_int() + 89
 else
  error('Invalid suffix: ' + version_suffix)
 endif
 if nm_minor_version % 2 == 1 and version_suffix == ''
  error('Expected a "-dev" or "-rc" suffix')
 elif nm_minor_version %2 == 0 and version_suffix != ''
  error('Unexpected "' + version_suffix + '" suffix')
 endif
 nm_id_prefix = 'NM'
@ -102,7 +77,6 @@ libnm_version = '@0@.@1@.@2@'.format(current - age, age, revision)
 libnm_pkgincludedir = join_paths(nm_includedir, libnm_name)
 fs = import('fs')
 gnome = import('gnome')
 i18n = import('i18n')
 pkg = import('pkgconfig')
@ -115,6 +89,7 @@ po_dir = source_root / 'po'
 top_inc = include_directories('.')
 perl = find_program('perl')
 xsltproc = find_program('xsltproc')
 check_exports = find_program(join_paths(source_root, 'tools', 'check-exports.sh'))
@ -162,9 +137,6 @@ config_h.set10('HAVE_DECL_REALLOCARRAY', cc.has_function('reallocarray', prefix:
 config_h.set10('HAVE_DECL_EXPLICIT_BZERO', cc.has_function('explicit_bzero', prefix: '#include <string.h>'))
 config_h.set10('HAVE_DECL_MEMFD_CREATE', cc.has_function('memfd_create', prefix: '#include <sys/mman.h>'))
 config_h.set10('HAVE_DLVSYM', cc.has_function('dlvsym', prefix: '''#define _GNU_SOURCE
                                                                   #include <dlfcn.h>'''))
 # types
 config_h.set('SIZEOF_PID_T', cc.sizeof('pid_t', prefix : '#include <sys/types.h>'))
 config_h.set('SIZEOF_UID_T', cc.sizeof('uid_t', prefix : '#include <sys/types.h>'))
@ -201,13 +173,13 @@ endif
 enable_lto = get_option('b_lto')
 if enable_lto
  cc_version = cc.version()
  if  cc.get_id() == 'clang'
-    if cc_version <= '18.0.0'
+    clang_version = cc.version()
-      error('Clang version should be greater than 18.0.0, got : ' + cc_version)
+    if clang_version <= '18.0.0'
      error('Clang version should be greater then 18.0.0 got : ' + clang_version)
    endif
-  elif cc_version < '12.0'
+  else
-    # GCC < 12 breaks libnm symbol versioning with LTO, use workarounds
+    # Meson already adds '-flto'
    lto_flag = '-flto-partition=none'
    assert(cc.has_argument(lto_flag), '-flto-partition=none not supported. Disable link-time optimization with -Db_lto=false.')
    common_flags += lto_flag
@ -296,8 +268,7 @@ config_h.set10('WITH_JANSSON', jansson_dep.found())
 jansson_msg = 'no'
 if jansson_dep.found()
  jansson_libdir = jansson_dep.get_variable(pkgconfig: 'libdir')
-  jansson_sysroot = meson.is_cross_build() ? meson.get_external_property('sys_root', '') : ''
+  res = run_command(find_program('eu-readelf', 'readelf'), '-d', join_paths(jansson_libdir, 'libjansson.so'), check: false)
  res = run_command(find_program('eu-readelf', 'readelf'), '-d', jansson_sysroot + join_paths(jansson_libdir, 'libjansson.so'), check: false)
  jansson_soname = ''
  foreach line: res.stdout().split('\n')
    if line.strip().contains('SONAME')
@ -353,17 +324,12 @@ config_h.set10('WITH_CONFIG_PLUGIN_IFUPDOWN', enable_ifupdown)
 config_h.set_quoted('NM_DIST_VERSION', dist_version)
 enable_wifi = get_option('wifi')
 config_h.set10('WITH_WIFI', enable_wifi)
 enable_iwd = get_option('iwd')
 assert((not enable_iwd) or enable_wifi, 'Enabling iwd support requires Wi-Fi support as well')
 config_h.set10('WITH_IWD', enable_iwd)
-wext = get_option('wext')
+enable_wext = get_option('wext')
 if wext == 'true'
  error('Wireless Extensions support is deprecated and will be removed in the future. Use -Dwext=force to keep using it')
 endif
 enable_wext = (wext == 'force')
 config_h.set10('HAVE_WEXT', enable_wext)
 # Checks for libdl - on certain platforms its part of libc
@ -413,14 +379,6 @@ if install_systemdunitdir and systemd_systemdsystemunitdir == ''
  systemd_systemdsystemunitdir = systemd_dep.get_variable(pkgconfig: 'systemdsystemunitdir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif
 systemd_systemdsystemgeneratordir = get_option('systemdsystemgeneratordir')
 install_systemdgeneratordir = (systemd_systemdsystemgeneratordir != 'no')
 if install_systemdgeneratordir and systemd_systemdsystemgeneratordir == ''
  assert(systemd_dep.found(), 'systemd required but not found, please provide a valid systemd user generator dir or disable it')
  systemd_systemdsystemgeneratordir = systemd_dep.get_variable(pkgconfig: 'systemdsystemgeneratordir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif
 enable_systemd_journal = get_option('systemd_journal')
 if enable_systemd_journal
  assert(libsystemd_dep.found(), 'Missing systemd-journald support')
@ -515,15 +473,18 @@ if enable_selinux
 endif
 config_h.set10('HAVE_SELINUX', enable_selinux)
-# CLAT support
+# eBPF support
-enable_clat = get_option('clat')
+ebpf_opt = get_option('ebpf')
-if enable_clat
+# 'auto' means 'false', because there are still issues.
-  libbpf = dependency('libbpf', version: '>= 1.3.0', required: false)
+if ebpf_opt != 'true'
-  assert(libbpf.found(), 'You must have libbpf >= 1.3.0 installed to build. Use -Dclat=false to disable use of it')
+  enable_ebpf = false
-  libndp_dep = dependency('libndp', version: '>= 1.9', required: false)
+else
-  assert(libndp_dep.found(), 'You must have libndp >= 1.9 installed to build with CLAT support. Use -Dclat=false to disable it')
+  enable_ebpf = true
  if not cc.has_header('linux/bpf.h')
    assert(ebpf_opt != 'true', 'eBPF requires kernel support')
    enable_ebpf = false
  endif
 endif
 config_h.set10('HAVE_CLAT', enable_clat)
 # libaudit support
 libaudit = get_option('libaudit')
@ -543,14 +504,12 @@ if enable_teamdctl
  libteamdctl_dep = dependency('libteamdctl', version: '>= 1.9')
  assert(libteamdctl_dep.found(), 'You must have libteamdctl installed to build. Use -Dteamdctl=false to disable it')
 endif
 config_h.set10('WITH_TEAMDCTL', enable_teamdctl)
 # polkit
 enable_polkit = get_option('polkit')
 if enable_polkit
  # FIXME: policydir should be relative to `datadir`, not `prefix`. Fixed in https://gitlab.freedesktop.org/polkit/polkit/merge_requests/2
-  polkit_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
+  polkit_gobject_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
  polkit_rulesdir = join_paths(fs.parent(polkit_policydir), 'rules.d')
 endif
 config_auth_polkit_default = get_option('config_auth_polkit_default')
@ -560,12 +519,6 @@ endif
 config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default)
 enable_modify_system = get_option('modify_system')
 if enable_modify_system
  # FIXME: remove this after everyone has stopped using modify_system
  error('modify_system=true is no longer allowed due to security reasons')
 endif
 polkit_noauth_group = get_option('polkit_noauth_group')
 polkit_agent_helper_1_path = get_option('polkit_agent_helper_1')
 foreach p : [ '/usr/libexec/polkit-agent-helper-1',
@ -660,7 +613,6 @@ if enable_modem_manager
  endif
  config_h.set_quoted('MOBILE_BROADBAND_PROVIDER_INFO_DATABASE', mobile_broadband_provider_info_database)
 endif
 config_h.set10('WITH_WWAN', enable_modem_manager)
 # Bluez5 DUN support
 enable_bluez5_dun = get_option('bluez5_dun')
@ -861,7 +813,6 @@ if enable_nm_cloud_setup
  assert(jansson_dep.found(), 'nm-cloud-setup requires jansson library. Use -Dnm_cloud_setup=false to disable it')
 endif
 enable_man = get_option('man')
 enable_docs = get_option('docs')
 more_asserts = get_option('more_asserts')
@ -960,6 +911,7 @@ endif
 test_args = [
  '--called-from-make',
  build_root,
  '',
  enable_valgrind ? valgrind_path : '',
  enable_valgrind ? valgrind_suppressions_path : '',
  '--launch-dbus=auto',
@ -977,14 +929,6 @@ if python.found()
  config_h.set_quoted('TEST_NM_PYTHON', python_path)
 endif
 # libnvme (NBFT support)
 enable_nbft = get_option('nbft')
 if enable_nbft
  libnvme_dep = dependency('libnvme', version: '>= 1.5', required: false)
  assert(libnvme_dep.found(), 'NBFT support was requested, but the libnvme library is not available. Use -Dnbft=false to build without it.')
 endif
 config_h.set10('WITH_NBFT', enable_nbft)
 data_conf = configuration_data()
 data_conf.set('DISTRO_NETWORK_SERVICE',                  (enable_ifcfg_rh ? 'network.service' : ''))
 data_conf.set('NM_CONFIG_DEFAULT_LOGGING_AUDIT_TEXT',    config_default_logging_audit)
@ -998,6 +942,7 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED',                 ', '.join(config_dhcp_c
 data_conf.set('NM_MAJOR_VERSION',                        nm_major_version)
 data_conf.set('NM_MICRO_VERSION',                        nm_micro_version)
 data_conf.set('NM_MINOR_VERSION',                        nm_minor_version)
 data_conf.set('NM_MODIFY_SYSTEM_POLICY',                 (enable_modify_system ? 'yes' : 'auth_admin_keep'))
 data_conf.set('NM_VERSION',                              nm_version)
 data_conf.set('VERSION',                                 nm_version)
 data_conf.set('bindir',                                  nm_bindir)
@ -1008,6 +953,38 @@ data_conf.set('nmstatedir',                              nm_pkgstatedir)
 data_conf.set('sbindir',                                 nm_sbindir)
 data_conf.set('sysconfdir',                              nm_sysconfdir)
 # check if we can build setting property documentation
 '''
 build_docs=no
 if test -n "$INTROSPECTION_MAKEFILE"; then
  # If g-i is installed we know we have python, but we might not have pygobject
  if ! "$PYTHON" -c 'from gi.repository import GObject' >& /dev/null; then
    AC_MSG_ERROR(["--enable-introspection aims to build the settings documentation. This requires GObject introspection for python (pygobject)])
  fi
  AC_PATH_PROG(PERL, perl)
  if test -z "$PERL"; then
    AC_MSG_ERROR([--enable-introspection requires perl])
  fi
  AC_PATH_PROG(XSLTPROC, xsltproc)
  if test -z "$XSLTPROC"; then
    AC_MSG_ERROR([--enable-introspection requires xsltproc])
  fi
  have_introspection=yes
  if test "$enable_gtk_doc" = "yes"; then
    build_docs=yes
  fi
 else
  if test "$enable_gtk_doc" = "yes"; then
    # large parts of the documentation require introspection/pygobject to extract
    # the documentation out of the source files. You cannot enable gtk-doc without alone.
    AC_MSG_ERROR(["--with-gtk-doc requires --enable-introspection"])
  fi
  have_introspection=no
 fi
 '''
 content_files = []
 subdir('introspection')
@ -1045,14 +1022,9 @@ if enable_qt != 'false'
  endif
 endif
 # The man/ directory builds a couple targets needed by the docs build too.
 # If we build with docs but no man, then enter the subdir and only build
 # some targets.
 if enable_docs or enable_man
  subdir('man')
 endif
 if enable_docs
  assert(enable_introspection, '-Ddocs=true requires -Dintrospection=true')
  subdir('man')
  subdir('docs')
  meson.add_dist_script(
    'tools/meson-dist-data.sh',
@ -1103,7 +1075,7 @@ meson.add_install_script(
  nm_pkgstatedir,
  nm_mandir,
  nm_sysconfdir,
-  enable_man ? '1' : '0',
+  enable_docs ? '1' : '0',
  enable_ifcfg_rh ? '1' : '0',
  enable_nm_cloud_setup ? '1' : '0',
  install_systemdunitdir ? '1' : '0',
@ -1113,7 +1085,6 @@ output = '\nSystem paths:\n'
 output += '  prefix: ' + nm_prefix + '\n'
 output += '  exec_prefix: ' + nm_prefix + '\n'
 output += '  systemdunitdir: ' + systemd_systemdsystemunitdir + '\n'
 output += '  systemdgeneratordir: ' + systemd_systemdsystemgeneratordir + '\n'
 output += '  udev_dir: ' + udev_udevdir + '\n'
 output += '  nmbinary: ' + nm_pkgsbindir + '\n'
 output += '  nmconfdir: ' + nm_pkgconfdir + '\n'
@ -1128,7 +1099,17 @@ output += '  dbus_conf_dir: ' + dbus_conf_dir + '\n'
 output += '\nPlatform:\n'
 output += '  session tracking: ' + ','.join(session_trackers) + '\n'
 output += '  suspend/resume: ' + suspend_resume + '\n'
-output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ', noauth_group: "' + polkit_noauth_group + '")\n'
+output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')'
 if enable_polkit
  output += ' ('
  if enable_modify_system
    output += 'permissive'
  else
    output += 'restrictive'
  endif
  output += ' modify.system)'
 endif
 output += '\n'
 output += '  polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n'
 output += '  selinux: ' + enable_selinux.to_string() + '\n'
 output += '  systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
@ -1156,7 +1137,6 @@ output += '  ofono: ' + enable_ofono.to_string() + '\n'
 output += '  concheck: ' + enable_concheck.to_string() + '\n'
 output += '  libteamdctl: ' + enable_teamdctl.to_string() + '\n'
 output += '  ovs: ' + enable_ovs.to_string() + '\n'
 output += '  clat: ' + enable_clat.to_string() + '\n'
 output += '  nmcli: ' + enable_nmcli.to_string() + '\n'
 output += '  nmtui: ' + enable_nmtui.to_string() + '\n'
 output += '  nm-cloud-setup: ' + enable_nm_cloud_setup.to_string() + '\n'
@ -1193,5 +1173,6 @@ output +=      'have-nss: ' + crypto_nss_dep.found().to_string() + ')\n'
 output += '  sanitizers: ' + get_option('b_sanitize') + '\n'
 output += '  Mozilla Public Suffix List: ' + enable_libpsl.to_string() + '\n'
 output += '  vapi: ' + enable_vapi.to_string() + '\n'
 output += '  ebpf: ' + enable_ebpf.to_string() + '\n'
 output += '  readline: ' + with_readline + '\n'
 message(output)
--- a/meson_options.txt
+++ b/meson_options.txt
@ -1,6 +1,5 @@
 # system paths
 option('systemdsystemunitdir', type: 'string', value: '', description: 'Directory for systemd service files')
 option('systemdsystemgeneratordir', type: 'string', value: '', description: 'Directory for systemd generator files')
 option('system_ca_path', type: 'string', value: '/etc/ssl/certs', description: 'path to system CA certificates')
 option('udev_dir', type: 'string', value: '', description: 'Absolute path of the udev base directory. Set to \'no\' not to install the udev rule')
 option('dbus_conf_dir', type: 'string', value: '', description: 'where D-Bus system.d directory is')
@ -19,8 +18,7 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'],
 option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support')
 option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.')
 option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.')
-option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)')
+option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections')
 option('polkit_noauth_group', type: 'string', value: '', description: 'Allow users of the selected group, typically sudo or wheel, to modify system connections without introducing a password (discouraged)')
 option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit')
 option('selinux', type: 'boolean', value: true, description: 'Build with SELinux')
 option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')
@ -30,7 +28,7 @@ option('hostname_persist', type: 'combo', choices: ['default', 'suse', 'gentoo',
 option('libaudit', type: 'combo', choices: ['yes', 'yes-disabled-by-default', 'no'], value: 'yes', description: 'Build with audit daemon support. yes-disabled-by-default enables support, but disables it unless explicitly configured via NetworkManager.conf')
 # features
-option('wext', type: 'combo', choices: ['true', 'false', 'force' ], value: 'false', description: 'Enable or disable Linux Wireless Extensions (deprecated). wext support will be removed in a future release, don\'t rely on this.')
+option('wext', type: 'boolean', value: true, description: 'Enable or disable Linux Wireless Extensions')
 option('wifi', type: 'boolean', value: true, description: 'enable Wi-Fi support')
 option('iwd', type: 'boolean', value: false, description: 'enable iwd support (experimental)')
 option('ppp', type: 'boolean', value: true, description: 'enable PPP/PPPoE support')
@ -46,11 +44,7 @@ option('nmcli', type: 'boolean', value: true, description: 'Build nmcli')
 option('nmtui', type: 'boolean', value: true, description: 'Build nmtui')
 option('nm_cloud_setup', type: 'boolean', value: true, description: 'Build nm-cloud-setup, a tool for automatically configuring networking in cloud')
 option('bluez5_dun', type: 'boolean', value: false, description: 'enable Bluez5 DUN support')
-option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support (deprecated)')
+option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support')
 option('nbft', type: 'boolean', value: true, description: 'Enable NBFT support in the initrd generator')
 option('clat', type: 'boolean', value: true, description: 'Build with CLAT support')
 option('bpf-compiler', type : 'combo', choices : ['auto', 'clang', 'gcc'],
       description : 'compiler used to build BPF programs')
 # configuration plugins
 option('config_plugins_default', type: 'string', value: '', description: 'Default configuration option for main.plugins setting, used as fallback if the configuration option is unset')
@ -72,7 +66,6 @@ option('config_dhcp_default', type: 'combo', choices: ['dhclient', 'dhcpcd', 'in
 option('introspection', type: 'boolean', value: true, description: 'Enable introspection for this build')
 option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
 option('docs', type: 'boolean', value: false, description: 'use to build documentation')
 option('man', type: 'boolean', value: true, description: 'Install manpages')
 option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
 option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
 option('more_asserts', type: 'string', value: 'auto', description: 'Enable more assertions for debugging (0 = no, 100 = all, default: auto)')
--- a/po/LINGUAS
+++ b/po/LINGUAS
@ -30,7 +30,6 @@ id
 it
 ja
 ka
 kk
 kn
 ko
 ku
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@ -1,18 +1,16 @@
 # List of source files containing translatable strings.
 # Please keep this file sorted alphabetically.
-data/org.freedesktop.NetworkManager.policy.in
+data/org.freedesktop.NetworkManager.policy.in.in
 src/core/NetworkManagerUtils.c
 src/core/devices/adsl/nm-device-adsl.c
 src/core/devices/bluetooth/nm-bluez-manager.c
 src/core/devices/bluetooth/nm-device-bt.c
 src/core/devices/nm-device.c
 src/core/devices/nm-device-6lowpan.c
 src/core/devices/nm-device-bond.c
 src/core/devices/nm-device-bridge.c
 src/core/devices/nm-device-dummy.c
 src/core/devices/nm-device-ethernet-utils.c
 src/core/devices/nm-device-ethernet.c
 src/core/devices/nm-device-geneve.c
 src/core/devices/nm-device-infiniband.c
 src/core/devices/nm-device-ip-tunnel.c
 src/core/devices/nm-device-loopback.c
@ -48,7 +46,6 @@ src/libnm-client-impl/nm-device-bt.c
 src/libnm-client-impl/nm-device-dummy.c
 src/libnm-client-impl/nm-device-ethernet.c
 src/libnm-client-impl/nm-device-generic.c
 src/libnm-client-impl/nm-device-geneve.c
 src/libnm-client-impl/nm-device-hsr.c
 src/libnm-client-impl/nm-device-infiniband.c
 src/libnm-client-impl/nm-device-ip-tunnel.c
@ -93,13 +90,11 @@ src/libnm-core-impl/nm-setting-connection.c
 src/libnm-core-impl/nm-setting-dcb.c
 src/libnm-core-impl/nm-setting-ethtool.c
 src/libnm-core-impl/nm-setting-generic.c
 src/libnm-core-impl/nm-setting-geneve.c
 src/libnm-core-impl/nm-setting-gsm.c
 src/libnm-core-impl/nm-setting-hsr.c
 src/libnm-core-impl/nm-setting-infiniband.c
 src/libnm-core-impl/nm-setting-ip-config.c
 src/libnm-core-impl/nm-setting-ip-tunnel.c
 src/libnm-core-impl/nm-setting-ipvlan.c
 src/libnm-core-impl/nm-setting-ip4-config.c
 src/libnm-core-impl/nm-setting-ip6-config.c
 src/libnm-core-impl/nm-setting-loopback.c
@ -153,7 +148,6 @@ src/libnmc-base/nm-secret-agent-simple.c
 src/libnmc-base/nm-vpn-helpers.c
 src/libnmc-setting/nm-meta-setting-access.c
 src/libnmc-setting/nm-meta-setting-desc.c
 src/libnmc-setting/nm-meta-setting-desc.h
 src/libnmc-setting/settings-docs.h.in
 src/libnmt-newt/nmt-newt-utils.c
 src/nm-online/nm-online.c
@ -185,7 +179,6 @@ src/nmtui/nmt-page-infiniband.c
 src/nmtui/nmt-page-ip-tunnel.c
 src/nmtui/nmt-page-ip4.c
 src/nmtui/nmt-page-ip6.c
 src/nmtui/nmt-page-loopback.c
 src/nmtui/nmt-page-macsec.c
 src/nmtui/nmt-page-ppp.c
 src/nmtui/nmt-page-team-port.c
--- a/po/POTFILES.skip
+++ b/po/POTFILES.skip
@ -1,11 +1,20 @@
 contrib/fedora/rpm/
 data/NetworkManager-dispatcher.service.in
 data/NetworkManager-wait-online.service.in
 data/NetworkManager-wait-online-initrd.service.in
 data/NetworkManager-initrd.service.in
 data/NetworkManager.service.in
 data/nm-priv-helper.service.in
 data/org.freedesktop.NetworkManager.policy.in
 examples/python/NetworkManager.py
 examples/python/systray/eggtrayicon.c
 src/contrib/nm-vpn-editor-plugin-call.h
 src/contrib/nm-vpn-plugin-utils.c
 src/libnm-systemd-shared/src/basic/parse-util.c
 src/nm-cloud-setup/nm-cloud-setup.service.in
 vpn-daemons/openvpn
 vpn-daemons/pptp
 vpn-daemons/vpnc
 # https://bugs.launchpad.net/intltool/+bug/1117944
 sub/data/org.freedesktop.NetworkManager.policy.in
 # from meson build directory:
 build/data/org.freedesktop.NetworkManager.policy.in
--- a/po/bg.po
+++ b/po/bg.po
--- a/po/ca.po
+++ b/po/ca.po
@ -8,15 +8,14 @@
 # Lubomir Rintel <lkundrak@v3.sk>, 2016. #zanata
 # Lubomir Rintel <lkundrak@v3.sk>, 2017. #zanata
 # Thomas Haller <thaller@redhat.com>, 2017. #zanata
 # Jordi Mas i Hernàndez <jmas@softcatala.org>, 2025
 msgid ""
 msgstr ""
 "Project-Id-Version: NetworkManager\n"
 "Report-Msgid-Bugs-To: https://gitlab.freedesktop.org/NetworkManager/"
 "NetworkManager/issues\n"
 "POT-Creation-Date: 2023-06-16 15:26+0000\n"
-"PO-Revision-Date: 2025-09-28 00:07+0200\n"
+"PO-Revision-Date: 2023-06-17 00:07+0200\n"
-"Last-Translator: Jordi Mas i Hernàndez <jmas@softcatala.org>\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Catalan <tradgnome@softcatala.org>\n"
 "Language: ca\n"
 "MIME-Version: 1.0\n"
@ -356,7 +355,7 @@ msgstr "Connexió WPAN"
 #: src/core/devices/team/nm-device-team.c:131
 msgid "Team connection"
-msgstr "Connexió d'equip"
+msgstr "Connexió equip"
 #: src/core/devices/wifi/nm-device-olpc-mesh.c:112 src/nmcli/devices.c:1400
 msgid "Mesh"
@ -649,7 +648,7 @@ msgstr "Surt després de la configuració inicial"
 #: src/core/nm-config.c:639
 msgid "Don't become a daemon, and log to stderr"
 msgstr ""
-"No et converteixis en un dimoni, i envia el registre a la sortida d'error"
+"No et converteixis en un dimoni, i envia el registre a la sortida estàndard"
 #: src/core/nm-config.c:648
 msgid "An http(s) address for checking internet connectivity"
@ -796,7 +795,7 @@ msgstr "La connexió no era una connexió Ethernet o PPPoE."
 #: src/libnm-client-impl/nm-device-ethernet.c:206
 msgid "The connection and device differ in S390 subchannels."
-msgstr "La connexió i el dispositiu difereixen als subcanals S390."
+msgstr "La connexió i el dispositiu difereixen als subcanals 5930."
 #: src/libnm-client-impl/nm-device-ethernet.c:223
 #, c-format
@ -882,7 +881,7 @@ msgstr "La connexió no era una connexió tun."
 #: src/libnm-client-impl/nm-device-team.c:124
 msgid "The connection was not a team connection."
-msgstr "La connexió no era una connexió d'equip."
+msgstr "La connexió no era una connexió equip."
 #: src/libnm-client-impl/nm-device-tun.c:204
 msgid "The connection was not a tun connection."
@ -1326,27 +1325,27 @@ msgstr ""
 #: src/libnm-core-impl/nm-keyfile.c:333
 msgid "ignoring missing number"
-msgstr "s'ignora el número faltant"
+msgstr "s'ignorarà el número faltant"
 #: src/libnm-core-impl/nm-keyfile.c:345
 #, c-format
 msgid "ignoring invalid number '%s'"
-msgstr "s'ignora el número «%s» no vàlid"
+msgstr "s'ignorarà el número «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:374
 #, c-format
 msgid "ignoring invalid %s address: %s"
-msgstr "s'ignora l'adreça %s no vàlida: %s"
+msgstr "s'ignorarà l'adreça %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:420
 #, c-format
 msgid "ignoring invalid gateway '%s' for %s route"
-msgstr "s'ignora la passarel·la «%s» no vàlida per a la ruta %s"
+msgstr "s'ignorarà la passarel·la «%s» no vàlida per a la ruta %s"
 #: src/libnm-core-impl/nm-keyfile.c:442
 #, c-format
 msgid "ignoring invalid %s route: %s"
-msgstr "s'ignora la ruta %s no vàlida: %s"
+msgstr "s'ignorarà la ruta %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:620
 #, c-format
@ -1362,7 +1361,7 @@ msgstr "caràcter «%c» inesperat per a %s: «%s» (posició %td)"
 #, c-format
 msgid "unexpected character '%c' in prefix length for %s: '%s' (position %td)"
 msgstr ""
-"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)"
+"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)<"
 #: src/libnm-core-impl/nm-keyfile.c:669
 #, c-format
@ -1414,11 +1413,11 @@ msgstr "s'ignorarà l'adreça %s no vàlida: %s"
 #: src/libnm-core-impl/nm-keyfile.c:1518
 msgid "ignoring invalid SSID"
-msgstr "s'ignora l'SSID no vàlida"
+msgstr "s'ignorarà l'SSID no vàlida"
 #: src/libnm-core-impl/nm-keyfile.c:1536
 msgid "ignoring invalid raw password"
-msgstr "s'ignora la contrasenya sense processar no vàlida"
+msgstr "s'ignorarà la contrasenya sense processar no vàlida"
 #: src/libnm-core-impl/nm-keyfile.c:1681
 msgid "invalid key/cert value"
@ -1459,7 +1458,7 @@ msgstr "valor de paritat «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:1958 src/libnm-core-impl/nm-keyfile.c:3540
 #, c-format
 msgid "invalid setting: %s"
-msgstr "el paràmetre no és vàlid: %s"
+msgstr "el paràmetre no és vàlid: «%s»"
 #: src/libnm-core-impl/nm-keyfile.c:1978
 #, fuzzy, c-format
@ -1974,7 +1973,7 @@ msgstr "file:// URI no és UTF-8 vàlida"
 #: src/libnm-core-impl/nm-setting-connection.c:1501
 msgid "invalid permissions not in format \"user:$UNAME[:]\""
-msgstr "els permisos no són vàlids, no estan en el format «user:$UNAME[:]"
+msgstr "els permisos no són vàlids, no estan en el format «user:$UNANE[:]"
 #: src/libnm-core-impl/nm-setting-connection.c:1530
 #, c-format
@ -2087,7 +2086,7 @@ msgstr "«%s» no és un número"
 #: src/libnm-core-impl/nm-setting-gsm.c:479
 msgid "property is empty or wrong size"
-msgstr "la propietat és buida o de mida incorrecta"
+msgstr "la propietat és buda o de mida incorrecta"
 #: src/libnm-core-impl/nm-setting-gsm.c:492
 msgid "property must contain only digits"
@ -2099,12 +2098,12 @@ msgstr "no es pot activar quan hi ha una configuració manual"
 #: src/libnm-core-impl/nm-setting-infiniband.c:215
 msgid "Must specify a P_Key if specifying parent"
-msgstr "S'ha d'especificar una P_Key si s'especifica el pare"
+msgstr "S'ha d'especificar una P-Key si s'especifica el pare"
 #: src/libnm-core-impl/nm-setting-infiniband.c:226
 msgid "InfiniBand P_Key connection did not specify parent interface name"
 msgstr ""
-"La connexió InfiniBand P_Key no ha especificat el nom de la interfície pare"
+"La connexió InfiniBand P_Key no ha especificat el nom de l'interfície pare"
 #: src/libnm-core-impl/nm-setting-infiniband.c:234
 msgid "the values 0 and 0x8000 are not allowed"
@ -2157,12 +2156,12 @@ msgstr "Adreça IPv4 «%s» no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:106
 #, c-format
 msgid "Invalid IPv4 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv4 no vàlid"
+msgstr "Prefix «%u» d'adreça IPv4 no vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:107
 #, c-format
 msgid "Invalid IPv6 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv6 no vàlid"
+msgstr "Prefix «%u» d'adreça IPv6 no vàlida<"
 #: src/libnm-core-impl/nm-setting-ip-config.c:124
 #, c-format
@ -2209,7 +2208,7 @@ msgstr "el prefix %s no és vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1423
 #, c-format
 msgid "%s is not a valid route type"
-msgstr "%s no és un tipus de ruta vàlid"
+msgstr "%s no és un nom de ruta vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1442
 #, fuzzy
@ -2433,7 +2432,7 @@ msgstr "La ruta %d. no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5638
 #, c-format
 msgid "invalid attribute: %s"
-msgstr "atribut no vàlid: %s"
+msgstr "atribut no vàlid: «%s»"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5658
 #, c-format
@ -4106,7 +4105,7 @@ msgstr "«%s» no és vàlid; useu [%s] or [%s]"
 #: src/libnmc-base/nm-client-utils.c:176
 #, c-format
 msgid "'%s' is not valid; use [%s], [%s] or [%s]"
-msgstr "«%s» no és vàlid, useu [%s], [%s] o [%s]"
+msgstr "«%s» no és vàld, useu [%s], [%s] o [%s]"
 #: src/libnmc-base/nm-client-utils.c:230
 #, c-format
@ -4677,7 +4676,7 @@ msgstr "clau privada no vàlida"
 #, fuzzy, c-format
 msgid "Secrets are required to connect WireGuard VPN '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:620
@ -4699,7 +4698,7 @@ msgid ""
 "Passwords or encryption keys are required to access the wireless network "
 "'%s'."
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:886
@ -4710,7 +4709,7 @@ msgstr "Autenticació 802.1X de xarxa amb fil"
 #, fuzzy, c-format
 msgid "Secrets are required to access the wired network '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 #: src/libnmc-base/nm-secret-agent-simple.c:893
@ -5419,9 +5418,9 @@ msgid ""
 msgstr ""
 "Entreu els bytes com una llista de valors hexadecimals.\n"
 "S'accepten dos formats:\n"
-"(a) una cadena de dígits hexadecimals, on cada dos dígits representen un "
+"(a) una cadena de dígits exadecimals, on cada dos dígits representen un "
 "byte\n"
-"(b) una llista separada per espais de bytes escrits com a dígits hexadecimals "
+"(b) una llista separada per espais de bytes escrits com a dígits hexadecimas "
 "(amb prefix opcional 0x/0X,i un 0 inicial opcional). \n"
 "\n"
 "Exemples: ab0455a6ea3a74C2\n"
@ -5494,7 +5493,7 @@ msgstr "Demora cap endavant"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5280
 #: src/nmtui/nmt-page-bridge.c:134
 msgid "Hello time"
-msgstr "Temps de benvinguda"
+msgstr "Temps de benviguda"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5286
 #: src/nmtui/nmt-page-bridge.c:148
@ -5568,7 +5567,7 @@ msgid ""
 msgstr ""
 "Entreu les connexions secundàries que s'haurien d'activar quan s'activa "
 "aquesta connexió. Les connexions es poden especificar o bé per UUID o per ID "
-"(nom). nmcli tradueix transparentment els noms a UUID. Noteu que el "
+"(nom). L'nmcli tradueix transparentment els noms a UUID. Noteu que el "
 "NetworkManager actualment sols dóna suport els VPN com a connexions "
 "secundàries.\n"
 "Els elements es poden separar per comes o espais.\n"
@ -5677,7 +5676,7 @@ msgid ""
 "  priority [prio] [from [src]] [to [dst]], ,...\n"
 "\n"
 msgstr ""
-"Introduïu una llista de regles d'encaminament IPv4 amb el següent format:\n"
+"Introduïu una llista de regles d'encaminanent IPv4 amb el següent format:\n"
 "  priority [prioritat] [from [origen]] [to [destí]], ,...\n"
 "\n"
 "\n"
@ -5697,7 +5696,7 @@ msgstr ""
 "configuració IPv6 \n"
 "és «auto» aquests servidors DNS s'annexen als que retorna (si retorna cap) "
 "la \n"
-"configuració automàtica. Els servidors DNS no es poden usar amb els mètodes "
+"configuració automatica. Els servidors DNS no es poden usar amb els métodes "
 "de \n"
 "configuracó DNS «shared» o «link-local», atès que no hi una xarxa superior. "
 "A tots\n"
@ -8152,12 +8151,12 @@ msgstr ""
 "canonada (|) o un ampersand (&). El primer indica que l'element és opcional "
 "i el segon significa que és obligatori. Si hi ha algun element opcional, "
 "llavors la coincidència avalua a cert si almenys un dels elements opcionals "
-"coincideix (O lògica). Si hi ha elements obligatoris, llavors tots han de "
+"coincideix (O lògicà). Si hi ha elements obligatoris, llavors tots han de "
 "coincidir (I lògica). Per defecte, un element és opcional. Això significa "
 "que un element «foo» es comporta igual que «|foo». Un element també es pot "
 "invertir amb el símbol d'exclamació (!) entre el símbol de la canonada (o de "
 "l'ampersand) i abans del patró. Tingueu en compte que «!foo» és una drecera "
-"per al patró obligatori «&!foo». Finalment, es pot utilitzar una barra "
+"per al patró obligatòri «&!foo». Finalment, es pot utilitzar una barra "
 "inversa al començament de l'element (després dels caràcters especials "
 "opcionals) per no considerar-lo inici del patró. Per exemple, «\\!a» és una "
 "coincidència obligatòria per literalment «!a»."
@ -10723,7 +10722,7 @@ msgstr "Error: «%s» no és una connexió activa.\n"
 #: src/nmcli/connections.c:3436
 msgid "Error: not all active connections found."
-msgstr "Error: No s'han trobat totes les connexions actives."
+msgstr "Error: No s'han trobar totes les connexions actives."
 #: src/nmcli/connections.c:3444
 msgid "Error: no active connection provided."
@ -11042,7 +11041,7 @@ msgstr ""
 "Verifica si el paràmetre o la connexió és vàlida i es pot desar més tard.\n"
 "Indica valors no vàlids quan hi ha un error. Alguns errors es poden "
 "corregir\n"
-"automàticament amb l'opció «fix».\n"
+"automàticaent amb l'opció «fix».\n"
 "\n"
 "Exemples: nmcli> verify\n"
 "          nmcli> verify fix\n"
@ -11064,7 +11063,7 @@ msgid ""
 msgstr ""
 "save [persistent|temporary]  :: desa la connexió\n"
 "\n"
-"Envia el perfil de la connexió al NetworkManager que o bé la desarà de forma\n"
+"Envia el perfil de la connexió al NetworManager que o bé la desarà de forma\n"
 "persistent o bé sols la mantindrà a la memòria. «desa» sense cap argument\n"
 "significa «desa de forma persistent».\n"
 "Noteu que un cop que deseu el perfile de forma persistent aquestes "
@ -11486,7 +11485,7 @@ msgstr "Opció no vàlida de verificació: %s\n"
 #: src/nmcli/connections.c:8486
 #, c-format
 msgid "Verify setting '%s': %s\n"
-msgstr "Verifica el paràmetre «%s»: %s\n"
+msgstr "Verifica el paràmere «%s»: %s\n"
 #: src/nmcli/connections.c:8501
 #, c-format
@ -11553,12 +11552,12 @@ msgstr "Error: no es pot activar la connexió: %s.\n"
 #: src/nmcli/connections.c:8679
 #, c-format
 msgid "Error: Failed to activate '%s' (%s) connection: %s\n"
-msgstr "Error: no s'ha pogut activar la connexió «%s» (%s): %s\n"
+msgstr "Error: no s'ha pogut desconnectar la connexió «%s» (%s): %s\n"
 #: src/nmcli/connections.c:8686
 msgid "Monitoring connection activation (press any key to continue)\n"
 msgstr ""
-"S'està supervisant l'activació de la connexió (premeu qualsevol tecla per "
+"S'està supervisant l'activació de la connexio (premeu qualsevol teclar per "
 "continuar)\n"
 #: src/nmcli/connections.c:8721
@ -11583,7 +11582,7 @@ msgstr "Configuració actual del nmcli:\n"
 #: src/nmcli/connections.c:8753
 #, c-format
 msgid "Invalid configuration option '%s'; allowed [%s]\n"
-msgstr "Opció de configuració no vàlida: «%s»; es permet [%s]\n"
+msgstr "Opció de configuració no vàida: «%s»; es permet [%s]\n"
 #: src/nmcli/connections.c:8985
 #, fuzzy
@ -12397,7 +12396,7 @@ msgstr "Error: no s'ha pogut afegir/activar la connexió nova: %s"
 #: src/nmcli/devices.c:2266
 #, c-format
 msgid "Error: Device activation failed: %s"
-msgstr "Error: no s'ha pogut activar el dispositiu: %s"
+msgstr "Error: no s'ha pogut activar el dispositu: %s"
 #: src/nmcli/devices.c:2322
 #, c-format
@ -12604,7 +12603,7 @@ msgstr "Contrasenya: "
 #: src/nmcli/devices.c:4172
 #, c-format
 msgid "'%s' is not valid WPA PSK"
-msgstr "«%s» no és una WPA PSK vàlida"
+msgstr "«%s» no és una WPS PSK vàlida"
 #: src/nmcli/devices.c:4193
 #, c-format
@ -13539,7 +13538,7 @@ msgstr "Error: s'esperava l'argument «%s», però s'ha proporcionat «%s»."
 #: src/nmcli/utils.c:315
 #, c-format
 msgid "Error: Unexpected argument '%s'"
-msgstr "Error: argument inesperat «%s»"
+msgstr "Error: argument inesperat «%s»."
 #: src/nmcli/utils.c:702
 #, fuzzy, c-format
@ -13898,7 +13897,7 @@ msgstr "«%s» <"
 #. NB: the ordering/numbering here corresponds to NmtPageBondMonitoringMode
 #: src/nmtui/nmt-page-bond.c:92
 msgid "MII (recommended)"
-msgstr "MII (recomanat)"
+msgstr "MII (recomendat)"
 #: src/nmtui/nmt-page-bond.c:93
 msgid "ARP"
@ -14544,7 +14543,7 @@ msgstr ""
 #: src/nmtui/nmtui-edit.c:394 src/nmtui/nmtui-edit.c:410
 msgid "New Connection"
-msgstr "Connexió nova"
+msgstr "Connexions nova"
 #: src/nmtui/nmtui-edit.c:452
 #, c-format
--- a/po/it.po
+++ b/po/it.po
@ -12596,7 +12596,7 @@ msgstr "Digitare «help» o «?» per i comandi disponibili."
 #. TRANSLATORS: do not translate 'print', leave it as it is
 #: src/nmcli/connections.c:9072
 msgid "Type 'print' to show all the connection properties."
-msgstr "Digitare «print» per mostrare tutte le proprietà della connessione."
+msgstr "Digitare «stampa» per mostrare tutte le proprietà della connessione."
 #. TRANSLATORS: do not translate 'describe', leave it as it is
 #: src/nmcli/connections.c:9075
--- a/po/ka.po
+++ b/po/ka.po
--- a/po/kk.po
+++ b/po/kk.po
--- a/po/meson.build
+++ b/po/meson.build
@ -1,8 +1,3 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 i18n.gettext(nm_name, preset: 'glib')
 test(
    'check-potfile-list',
    find_program(join_paths(source_root, 'src/tests/check-potfile-list.py'))
 )
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
--- a/po/ru.po
+++ b/po/ru.po
--- a/po/sk.po
+++ b/po/sk.po
--- a/po/sl.po
+++ b/po/sl.po
--- a/po/sr.po
+++ b/po/sr.po
--- a/po/sr@latin.po
+++ b/po/sr@latin.po
--- a/po/tr.po
+++ b/po/tr.po
--- a/src/contrib/nm-vpn-editor-plugin-call.h
+++ b/src/contrib/nm-vpn-editor-plugin-call.h
@ -11,7 +11,7 @@
 *
 * This uses the NMVpnEditorPluginVT and allows a user (nm-applet)
 * to directly communicate with a VPN plugin using API that is newer
- * then the current libnm version. That is, it allows a user to call to a VPN
+ * then the current libnm version. That is, it allows to call to a VPN
 * plugin bypassing libnm. */
 #include <NetworkManager.h>
--- a/src/contrib/nm-vpn-plugin-utils.c
+++ b/src/contrib/nm-vpn-plugin-utils.c
@ -155,33 +155,3 @@ nm_vpn_plugin_utils_load_editor(const char                   *module_path,
    g_return_val_if_fail(NM_IS_VPN_EDITOR(editor), NULL);
    return editor;
 }
 char *
 nm_vpn_plugin_utils_get_cert_path(const char *plugin)
 {
    const char *path;
    g_return_val_if_fail(plugin, NULL);
    /* Users can set NM_CERT_PATH=~/.cert to be compatible with the certificate
     * directory used in the past. */
    path = g_getenv("NM_CERT_PATH");
    if (path)
        return g_build_filename(path, plugin, NULL);
    /* Otherwise use XDG_DATA_HOME. We use subdirectory "networkmanagement/certificates"
     * because the SELinux policy already has rules to set the correct labels in that
     * directory. */
    path = g_getenv("XDG_DATA_HOME");
    if (path)
        return g_build_filename(path, "networkmanagement", "certificates", plugin, NULL);
    /* Use the default value for XDG_DATA_HOME */
    return g_build_filename(g_get_home_dir(),
                            ".local",
                            "share",
                            "networkmanagement",
                            "certificates",
                            plugin,
                            NULL);
 }
--- a/src/contrib/nm-vpn-plugin-utils.h
+++ b/src/contrib/nm-vpn-plugin-utils.h
@ -24,6 +24,4 @@ NMVpnEditor *nm_vpn_plugin_utils_load_editor(const char                   *modul
                                             gpointer                      user_data,
                                             GError                      **error);
 char *nm_vpn_plugin_utils_get_cert_path(const char *plugin);
 #endif /* __NM_VPN_PLUGIN_UTILS_H__ */
--- a/src/core/NetworkManagerUtils.c
+++ b/src/core/NetworkManagerUtils.c
@ -1495,10 +1495,11 @@ nm_utils_ip_route_attribute_to_platform(int                addr_family,
        r4->scope_inv = nm_platform_route_scope_inv(scope);
    }
-    /* For IPv4 routes in kernel, the onlink flag is per-nexthop (rtnh_flags).
+    /* Note that for IPv4 routes in kernel, the onlink flag can be set for
-     * Here we set the flag on r_rtm_flags which represents the first nexthop's
+     * each next hop separately (rtnh_flags). Not for NetworkManager. We can
-     * flags. For ECMP routes, each nexthop carries its own onlink flag, so
+     * only merge routes as ECMP routes (when setting a weight) if they all
-     * routes with different onlink settings per-nexthop can be merged. */
+     * share the same onlink flag. See NM_PLATFORM_IP_ROUTE_CMP_TYPE_ECMP_ID.
     * That simplifies the code. */
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_ONLINK, onlink, BOOLEAN, boolean, FALSE);
    r->r_rtm_flags = ((onlink) ? (unsigned) RTNH_F_ONLINK : 0u);
@ -1508,6 +1509,7 @@ nm_utils_ip_route_attribute_to_platform(int                addr_family,
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_INITCWND, r->initcwnd, UINT32, uint32, 0);
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_INITRWND, r->initrwnd, UINT32, uint32, 0);
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_MTU, r->mtu, UINT32, uint32, 0);
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_RTO_MIN, r->rto_min, UINT32, uint32, 0);
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_QUICKACK, r->quickack, BOOLEAN, boolean, FALSE);
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_LOCK_WINDOW, r->lock_window, BOOLEAN, boolean, FALSE);
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_LOCK_CWND, r->lock_cwnd, BOOLEAN, boolean, FALSE);
@ -1516,18 +1518,6 @@ nm_utils_ip_route_attribute_to_platform(int                addr_family,
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_LOCK_MTU, r->lock_mtu, BOOLEAN, boolean, FALSE);
    GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_LOCK_ADVMSS, r->lock_mss, BOOLEAN, boolean, FALSE);
    {
        GVariant *_variant = nm_ip_route_get_attribute(s_route, NM_IP_ROUTE_ATTRIBUTE_RTO_MIN);
        if (_variant && g_variant_is_of_type(_variant, G_VARIANT_TYPE_UINT32)) {
            r->rto_min     = g_variant_get_uint32(_variant);
            r->rto_min_set = TRUE;
        } else {
            r->rto_min     = 0;
            r->rto_min_set = FALSE;
        }
    }
    if ((variant = nm_ip_route_get_attribute(s_route, NM_IP_ROUTE_ATTRIBUTE_SRC))
        && g_variant_is_of_type(variant, G_VARIANT_TYPE_STRING)) {
        if (inet_pton(addr_family, g_variant_get_string(variant, NULL), &addr) == 1) {
--- a/src/core/bpf/clat.bpf.c
+++ b/src/core/bpf/clat.bpf.c
--- a/src/core/bpf/clat.h
+++ b/src/core/bpf/clat.h
@ -1,30 +0,0 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 #ifndef __NAT64_H__
 #define __NAT64_H__
 #include <linux/in6.h>
 struct clat_config {
    struct in6_addr local_v6;
    struct in6_addr pref64;
    struct in_addr  local_v4;
    unsigned        pref64_len;
 };
 struct clat_stats {
    /* egress: v4 to v6 */
    __u64 egress_tcp;
    __u64 egress_udp;
    __u64 egress_icmp;
    __u64 egress_other;
    __u64 egress_dropped;
    /* ingress: v6 to v4 */
    __u64 ingress_tcp;
    __u64 ingress_udp;
    __u64 ingress_icmp;
    __u64 ingress_other;
    __u64 ingress_fragment;
    __u64 ingress_dropped;
 };
 #endif
--- a/src/core/bpf/meson.build
+++ b/src/core/bpf/meson.build
@ -1,239 +0,0 @@
 # SPDX-License-Identifier: LGPL-2.1+
 # Ripped from systemd: https://github.com/systemd/systemd/pull/20429
 if not enable_clat
  subdir_done()
 endif
 bpf_compiler = get_option('bpf-compiler')
 clang_found = false
 clang_supports_bpf = false
 bpf_gcc_found = false
 bpftool_strip = false
 if bpf_compiler == 'clang' or bpf_compiler == 'auto'
  # Support 'versioned' clang/llvm-strip binaries, as seen on Debian/Ubuntu
  # (like clang-10/llvm-strip-10)
  if meson.is_cross_build() or cc.get_id() != 'clang' or cc.cmd_array()[0].contains('afl-clang') or cc.cmd_array()[0].contains('hfuzz-clang')
    r = find_program('clang',
                     version : '>= 10.0.0')
    clang_found = r.found()
    if clang_found
      if meson.version().version_compare('>= 0.55')
        clang = r.full_path()
      else
        clang = r.path()
      endif
    endif
  else
    clang_found = true
    clang = cc.cmd_array()
  endif
  if clang_found
    # Check if 'clang -target bpf' is supported.
    clang_supports_bpf = run_command(clang, '-target', 'bpf', '--print-supported-cpus', check : false).returncode() == 0
  endif
 elif bpf_compiler == 'gcc' or bpf_compiler == 'auto'
  bpf_gcc = find_program('bpf-gcc',
                         'bpf-none-gcc',
                         'bpf-unknown-none-gcc',
                         version : '>= 13.1.0')
  bpf_gcc_found = bpf_gcc.found()
 endif
 if bpf_compiler == 'auto'
  if clang_supports_bpf and bpf_gcc_found
    # Both supported, prefer the one matching our compiler:
    if cc.get_id() == 'gcc'
      bpf_compiler = 'gcc'
    else
      # Default to clang if we don't know this compiler
      bpf_compiler = 'clang'
    endif
  elif clang_supports_bpf
    bpf_compiler = 'clang'
  elif bpf_gcc_found
    bpf_compiler = 'clang'
  endif
 endif
 if clang_supports_bpf or bpf_gcc_found
  # Debian installs this in /usr/sbin/ which is not in $PATH.
  # We check for 'bpftool' first, honouring $PATH, and in /usr/sbin/ for Debian.
  # We use 'bpftool gen object' subcommand for bpftool strip, it was added by d80b2fcbe0a023619e0fc73112f2a02c2662f6ab (v5.13).
  bpftool = find_program('bpftool',
                         '/usr/sbin/bpftool',
                         required : bpf_compiler == 'gcc',
                         version : bpf_compiler == 'gcc' ? '>= 7.0.0' : '>= 5.13.0')
  if bpftool.found()
    bpftool_strip = true
  elif bpf_compiler == 'clang'
    # We require the 'bpftool gen skeleton' subcommand, it was added by 985ead416df39d6fe8e89580cc1db6aa273e0175 (v5.6).
    bpftool = find_program('bpftool',
                           '/usr/sbin/bpftool',
                           required : true,
                           version : '>= 5.6.0')
  endif
  # We use `llvm-strip` as a fallback if `bpftool gen object` strip support is not available.
  if not bpftool_strip and bpftool.found() and clang_supports_bpf
    if not meson.is_cross_build()
      llvm_strip_bin = run_command(clang, '--print-prog-name', 'llvm-strip',
                                   check : true).stdout().strip()
    else
      llvm_strip_bin = 'llvm-strip'
    endif
    llvm_strip = find_program(llvm_strip_bin,
                              required : true,
                              version : '>= 10.0.0')
  endif
 else
  error('clat support was enabled but couldn\'t find a suitable BPF compiler!')
 endif
 bpf_clang_flags = [
  '-std=gnu17',
  '-Wunused',
  '-Wimplicit-fallthrough',
  '-Wno-compare-distinct-pointer-types',
  '-fno-stack-protector',
  '-O2',
  '-target',
  'bpf',
  '-g',
  '-c',
 ]
 bpf_gcc_flags = [
  '-std=gnu17',
  '-Wunused',
  '-Wimplicit-fallthrough',
  '-fno-stack-protector',
  '-fno-ssa-phiopt',
  '-O2',
  '-mcpu=v3',
  '-mco-re',
  '-gbtf',
  '-c',
 ]
 clang_arch_flag = '-D__@0@__'.format(host_machine.cpu_family())
 libbpf_include_dir = dependency('libbpf').get_variable(pkgconfig : 'includedir')
 # Generate defines that are appropriate to tell the compiler what architecture
 # we're compiling for. By default we just map meson's cpu_family to __<cpu_family>__.
 # This dictionary contains the exceptions where this doesn't work.
 #
 # C.f. https://mesonbuild.com/Reference-tables.html#cpu-families
 # and src/basic/missing_syscall_def.h.
 cpu_arch_defines = {
  'ppc'         : ['-D__powerpc__', '-D__TARGET_ARCH_powerpc'],
  'ppc64'       : ['-D__powerpc64__', '-D__TARGET_ARCH_powerpc', '-D_CALL_ELF=2'],
  'riscv32'     : ['-D__riscv', '-D__riscv_xlen=32', '-D__TARGET_ARCH_riscv'],
  'riscv64'     : ['-D__riscv', '-D__riscv_xlen=64', '-D__TARGET_ARCH_riscv'],
  'x86'         : ['-D__i386__', '-D__TARGET_ARCH_x86'],
  's390x'       : ['-D__s390__', '-D__s390x__', '-D__TARGET_ARCH_s390'],
  # For arm, assume hardware fp is available.
  'arm'         : ['-D__arm__', '-D__ARM_PCS_VFP', '-D__TARGET_ARCH_arm'],
  'loongarch64' : ['-D__loongarch__', '-D__loongarch_grlen=64', '-D__TARGET_ARCH_loongarch']
 }
 bpf_arch_flags = cpu_arch_defines.get(host_machine.cpu_family(),
                                      ['-D__@0@__'.format(host_machine.cpu_family())])
 if bpf_compiler == 'gcc'
  bpf_arch_flags += ['-m' + host_machine.endian() + '-endian']
 endif
 bpf_o_unstripped_cmd = []
 if bpf_compiler == 'clang'
  bpf_o_unstripped_cmd += [
    clang,
    bpf_clang_flags,
    bpf_arch_flags,
  ]
 elif bpf_compiler == 'gcc'
  bpf_o_unstripped_cmd += [
    bpf_gcc,
    bpf_gcc_flags,
    bpf_arch_flags,
  ]
 endif
 bpf_o_unstripped_cmd += ['-I.']
 if cc.get_id() == 'gcc' or meson.is_cross_build()
  if cc.get_id() != 'gcc'
    warning('Cross compiler is not gcc. Guessing the target triplet for bpf likely fails.')
  endif
  target_triplet_cmd = run_command(cc.cmd_array(), '-print-multiarch', check: false)
 else
  # clang does not support -print-multiarch (D133170) and its -dump-machine
  # does not match multiarch. Query gcc instead.
  target_triplet_cmd = run_command('gcc', '-print-multiarch', check: false)
 endif
 if target_triplet_cmd.returncode() == 0
  target_triplet = target_triplet_cmd.stdout().strip()
  bpf_o_unstripped_cmd += [
    '-isystem',
    '/usr/include/@0@'.format(target_triplet)
  ]
 endif
 bpf_o_unstripped_cmd += [
  '-idirafter',
  libbpf_include_dir,
  '@INPUT@',
  '-o',
  '@OUTPUT@'
 ]
 if bpftool_strip
  bpf_o_cmd = [
    bpftool,
    'gen',
    'object',
    '@OUTPUT@',
    '@INPUT@'
  ]
 elif bpf_compiler == 'clang'
  bpf_o_cmd = [
    llvm_strip,
    '-g',
    '@INPUT@',
    '-o',
    '@OUTPUT@'
  ]
 endif
 skel_h_cmd = [
  bpftool,
  'g',
  's',
  '@INPUT@'
 ]
 clat_bpf_o_unstripped = custom_target(
  'clat.bpf.unstripped.o',
  input : 'clat.bpf.c',
  output : 'clat.bpf.unstripped.o',
  command : bpf_o_unstripped_cmd)
 clat_bpf_o = custom_target(
  'clat.bpf.o',
  input : clat_bpf_o_unstripped,
  output : 'clat.bpf.o',
  command : bpf_o_cmd)
 clat_skel_h = custom_target(
  'clat.skel.h',
  input : clat_bpf_o,
  output : 'clat.skel.h',
  command : skel_h_cmd,
  capture : true)
--- a/src/core/devices/nm-device-bond.c
+++ b/src/core/devices/nm-device-bond.c
@ -52,12 +52,12 @@
        NM_SETTING_BOND_OPTION_PACKETS_PER_SLAVE, NM_SETTING_BOND_OPTION_PRIMARY_RESELECT, \
        NM_SETTING_BOND_OPTION_RESEND_IGMP, NM_SETTING_BOND_OPTION_USE_CARRIER,            \
        NM_SETTING_BOND_OPTION_XMIT_HASH_POLICY, NM_SETTING_BOND_OPTION_NUM_GRAT_ARP,      \
-        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY
+        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX,    \
        NM_SETTING_BOND_OPTION_LACP_ACTIVE
 #define OPTIONS_REAPPLY_FULL                                     \
    OPTIONS_REAPPLY_SUBSET, NM_SETTING_BOND_OPTION_ACTIVE_SLAVE, \
-        NM_SETTING_BOND_OPTION_ARP_IP_TARGET, NM_SETTING_BOND_OPTION_NS_IP6_TARGET, \
+        NM_SETTING_BOND_OPTION_ARP_IP_TARGET, NM_SETTING_BOND_OPTION_NS_IP6_TARGET
        NM_SETTING_BOND_OPTION_ARP_MISSED_MAX
 /*****************************************************************************/
@ -142,7 +142,7 @@ _set_bond_attr(NMDevice *device, const char *attr, const char *value)
    {                                                                       \
        gs_free char *_tmp = (value);                                       \
                                                                            \
-        _set_bond_attr(device, attr, _tmp);      \
+        _set_bond_attr(device, NM_SETTING_BOND_OPTION_ARP_IP_TARGET, _tmp); \
    }                                                                       \
    G_STMT_END
@ -502,8 +502,6 @@ _platform_lnk_bond_init_from_setting(NMSettingBond *s_bond, NMPlatformLnkBond *p
    props->lp_interval_has      = props->lp_interval != 1;
    props->tlb_dynamic_lb_has   = NM_IN_SET(props->mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB);
    props->lacp_active_has      = NM_IN_SET(props->mode, NM_BOND_MODE_8023AD);
    props->arp_missed_max_has =
        !NM_IN_SET(props->mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB, NM_BOND_MODE_8023AD);
 }
 static void
@ -904,14 +902,12 @@ reapply_connection(NMDevice *device, NMConnection *con_old, NMConnection *con_ne
    mode  = _nm_setting_bond_mode_from_string(value);
    g_return_if_fail(mode != NM_BOND_MODE_UNKNOWN);
-    /* Below we set only the bond options that the kernel allows modifying
+    /* Below we set only the bond options that kernel allows to modify
     * while keeping the bond interface up */
    set_bond_arp_ip_targets(device, s_bond);
    set_bond_attrs_or_default(device, s_bond, NM_MAKE_STRV(OPTIONS_REAPPLY_SUBSET));
    if (!NM_IN_SET(mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB, NM_BOND_MODE_8023AD))
        set_bond_attr_or_default(device, s_bond, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX);
    _balance_slb_setup(self, con_new);
 }
--- a/src/core/devices/nm-device-bridge.c
+++ b/src/core/devices/nm-device-bridge.c
@ -1066,7 +1066,7 @@ attach_port(NMDevice                  *device,
            plat_vlans = setting_vlans_to_platform(vlans, &num_vlans);
-            /* Since the link was just attached, there are no existing VLANs
+            /* Since the link was just enportd, there are no existing VLANs
             * (except for the default one) and so there's no need to flush. */
            if (plat_vlans
--- a/src/core/devices/nm-device-ethernet.c
+++ b/src/core/devices/nm-device-ethernet.c
@ -14,6 +14,7 @@
 #include <libudev.h>
 #include <linux/if_ether.h>
 #include "NetworkManagerUtils.h"
 #include "NetworkManagerUtils.h"
 #include "libnm-core-aux-intern/nm-libnm-core-utils.h"
 #include "libnm-core-intern/nm-core-internal.h"
@ -707,9 +708,6 @@ supplicant_iface_start(NMDeviceEthernet *self)
    NMDeviceEthernetPrivate            *priv   = NM_DEVICE_ETHERNET_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
    NMActRequest                       *request;
    NMActiveConnection                 *controller_ac;
    NMDevice                           *controller;
    config = build_supplicant_config(self, &error);
    if (!config) {
@ -724,16 +722,6 @@ supplicant_iface_start(NMDeviceEthernet *self)
    }
    nm_supplicant_interface_disconnect(priv->supplicant.iface);
    /* Tell the supplicant in which bridge the interface is */
    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
        && (controller = nm_active_connection_get_device(controller_ac))
        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
    } else
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
@ -1913,7 +1901,7 @@ get_ip_method_auto(NMDevice *device, int addr_family)
        /* We cannot do DHCPv4 on a PPP link, instead we get "auto" IP addresses
         * by pppd. Return "manual" here, which has the suitable effect to a
         * (zero) manual addresses in addition. */
-        return NM_SETTING_IP4_CONFIG_METHOD_MANUAL;
+        return NM_SETTING_IP6_CONFIG_METHOD_MANUAL;
    }
    return NM_SETTING_IP6_CONFIG_METHOD_AUTO;
--- a/src/core/devices/nm-device-factory.c
+++ b/src/core/devices/nm-device-factory.c
@ -412,7 +412,6 @@ nm_device_factory_manager_load_factories(NMDeviceFactoryManagerFactoryFunc callb
    _ADD_INTERNAL(nm_dummy_device_factory_get_type);
    _ADD_INTERNAL(nm_ethernet_device_factory_get_type);
    _ADD_INTERNAL(nm_generic_device_factory_get_type);
    _ADD_INTERNAL(nm_geneve_device_factory_get_type);
    _ADD_INTERNAL(nm_hsr_device_factory_get_type);
    _ADD_INTERNAL(nm_infiniband_device_factory_get_type);
    _ADD_INTERNAL(nm_ip_tunnel_device_factory_get_type);
--- a/src/core/devices/nm-device-geneve.c
+++ b/src/core/devices/nm-device-geneve.c
@ -1,487 +0,0 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 /*
 * Copyright (C) 2026 Red Hat, Inc.
 */
 #include "src/core/nm-default-daemon.h"
 #include "nm-manager.h"
 #include "nm-device-geneve.h"
 #include "libnm-core-intern/nm-core-internal.h"
 #include "nm-act-request.h"
 #include "nm-device-private.h"
 #include "nm-setting-geneve.h"
 #include "libnm-platform/nm-platform.h"
 #include "nm-device-factory.h"
 #define _NMLOG_DEVICE_TYPE NMDeviceGeneve
 #include "nm-device-logging.h"
 NM_GOBJECT_PROPERTIES_DEFINE(NMDeviceGeneve,
                             PROP_ID,
                             PROP_REMOTE,
                             PROP_TOS,
                             PROP_TTL,
                             PROP_DF,
                             PROP_DST_PORT, );
 typedef struct {
    NMPlatformLnkGeneve props;
 } NMDeviceGenevePrivate;
 struct _NMDeviceGeneve {
    NMDevice              parent;
    NMDeviceGenevePrivate _priv;
 };
 struct _NMDeviceGeneveClass {
    NMDeviceClass parent;
 };
 G_DEFINE_TYPE(NMDeviceGeneve, nm_device_geneve, NM_TYPE_DEVICE)
 #define NM_DEVICE_GENEVE_GET_PRIVATE(self) \
    _NM_GET_PRIVATE(self, NMDeviceGeneve, NM_IS_DEVICE_GENEVE, NMDevice)
 /*****************************************************************************/
 static NMDeviceCapabilities
 get_generic_capabilities(NMDevice *dev)
 {
    return NM_DEVICE_CAP_IS_SOFTWARE;
 }
 static void
 update_properties(NMDevice *device)
 {
    NMDeviceGeneve            *self;
    NMDeviceGenevePrivate     *priv;
    const NMPlatformLink      *plink;
    const NMPlatformLnkGeneve *props;
    int                        ifindex;
    g_return_if_fail(NM_IS_DEVICE_GENEVE(device));
    self = NM_DEVICE_GENEVE(device);
    priv = NM_DEVICE_GENEVE_GET_PRIVATE(self);
    ifindex = nm_device_get_ifindex(device);
    g_return_if_fail(ifindex > 0);
    props = nm_platform_link_get_lnk_geneve(nm_device_get_platform(device), ifindex, &plink);
    if (!props) {
        _LOGW(LOGD_PLATFORM, "could not get GENEVE properties");
        return;
    }
    g_object_freeze_notify((GObject *) device);
 #define CHECK_PROPERTY_CHANGED(field, prop)      \
    G_STMT_START                                 \
    {                                            \
        if (priv->props.field != props->field) { \
            priv->props.field = props->field;    \
            _notify(self, prop);                 \
        }                                        \
    }                                            \
    G_STMT_END
 #define CHECK_PROPERTY_CHANGED_IN6ADDR(field, prop)                                 \
    G_STMT_START                                                                    \
    {                                                                               \
        if (memcmp(&priv->props.field, &props->field, sizeof(props->field)) != 0) { \
            priv->props.field = props->field;                                       \
            _notify(self, prop);                                                    \
        }                                                                           \
    }                                                                               \
    G_STMT_END
    CHECK_PROPERTY_CHANGED(id, PROP_ID);
    CHECK_PROPERTY_CHANGED(remote, PROP_REMOTE);
    CHECK_PROPERTY_CHANGED_IN6ADDR(remote6, PROP_REMOTE);
    CHECK_PROPERTY_CHANGED(tos, PROP_TOS);
    CHECK_PROPERTY_CHANGED(ttl, PROP_TTL);
    CHECK_PROPERTY_CHANGED(df, PROP_DF);
    CHECK_PROPERTY_CHANGED(dst_port, PROP_DST_PORT);
    g_object_thaw_notify((GObject *) device);
 }
 static void
 link_changed(NMDevice *device, const NMPlatformLink *pllink)
 {
    NM_DEVICE_CLASS(nm_device_geneve_parent_class)->link_changed(device, pllink);
    update_properties(device);
 }
 static void
 unrealize_notify(NMDevice *device)
 {
    NMDeviceGeneve        *self = NM_DEVICE_GENEVE(device);
    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(self);
    guint                  i;
    NM_DEVICE_CLASS(nm_device_geneve_parent_class)->unrealize_notify(device);
    memset(&priv->props, 0, sizeof(NMPlatformLnkGeneve));
    for (i = 1; i < _PROPERTY_ENUMS_LAST; i++)
        g_object_notify_by_pspec(G_OBJECT(self), obj_properties[i]);
 }
 static gboolean
 create_and_realize(NMDevice              *device,
                   NMConnection          *connection,
                   NMDevice              *parent,
                   const NMPlatformLink **out_plink,
                   GError               **error)
 {
    const char         *iface = nm_device_get_iface(device);
    NMPlatformLnkGeneve props = {};
    NMSettingGeneve    *s_geneve;
    const char         *str;
    int                 r;
    s_geneve = nm_connection_get_setting_geneve(connection);
    g_return_val_if_fail(s_geneve, FALSE);
    props.id = nm_setting_geneve_get_id(s_geneve);
    str = nm_setting_geneve_get_remote(s_geneve);
    if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.remote)
        && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.remote6)) {
        return nm_assert_unreachable_val(FALSE);
    }
    props.tos      = nm_setting_geneve_get_tos(s_geneve);
    props.ttl      = nm_setting_geneve_get_ttl(s_geneve);
    props.df       = nm_setting_geneve_get_df(s_geneve);
    props.dst_port = nm_setting_geneve_get_destination_port(s_geneve);
    r = nm_platform_link_geneve_add(nm_device_get_platform(device), iface, &props, out_plink);
    if (r < 0) {
        g_set_error(error,
                    NM_DEVICE_ERROR,
                    NM_DEVICE_ERROR_CREATION_FAILED,
                    "Failed to create geneve interface '%s' for '%s': %s",
                    iface,
                    nm_connection_get_id(connection),
                    nm_strerror(r));
        return FALSE;
    }
    return TRUE;
 }
 static gboolean
 address_matches(const char *candidate, in_addr_t addr4, struct in6_addr *addr6)
 {
    NMIPAddr candidate_addr;
    int      addr_family;
    if (!candidate)
        return addr4 == 0u && IN6_IS_ADDR_UNSPECIFIED(addr6);
    if (!nm_inet_parse_bin(AF_UNSPEC, candidate, &addr_family, &candidate_addr))
        return FALSE;
    if (!nm_ip_addr_equal(addr_family,
                          &candidate_addr,
                          NM_IS_IPv4(addr_family) ? (gpointer) &addr4 : addr6))
        return FALSE;
    if (NM_IS_IPv4(addr_family))
        return IN6_IS_ADDR_UNSPECIFIED(addr6);
    else
        return addr4 == 0u;
 }
 static gboolean
 check_connection_compatible(NMDevice     *device,
                            NMConnection *connection,
                            gboolean      check_properties,
                            GError      **error)
 {
    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(device);
    NMSettingGeneve       *s_geneve;
    if (!NM_DEVICE_CLASS(nm_device_geneve_parent_class)
             ->check_connection_compatible(device, connection, check_properties, error))
        return FALSE;
    if (check_properties && nm_device_is_real(device)) {
        s_geneve = nm_connection_get_setting_geneve(connection);
        if (priv->props.id != nm_setting_geneve_get_id(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve id mismatches");
            return FALSE;
        }
        if (!address_matches(nm_setting_geneve_get_remote(s_geneve),
                             priv->props.remote,
                             &priv->props.remote6)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve remote address mismatches");
            return FALSE;
        }
        if (priv->props.dst_port != nm_setting_geneve_get_destination_port(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve destination port mismatches");
            return FALSE;
        }
        if (priv->props.tos != nm_setting_geneve_get_tos(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve TOS mismatches");
            return FALSE;
        }
        if (priv->props.ttl != nm_setting_geneve_get_ttl(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve TTL mismatches");
            return FALSE;
        }
        if (priv->props.df != nm_setting_geneve_get_df(s_geneve)) {
            nm_utils_error_set_literal(error,
                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
                                       "geneve DF mismatches");
            return FALSE;
        }
    }
    return TRUE;
 }
 static gboolean
 complete_connection(NMDevice            *device,
                    NMConnection        *connection,
                    const char          *specific_object,
                    NMConnection *const *existing_connections,
                    GError             **error)
 {
    NMSettingGeneve *s_geneve;
    nm_utils_complete_generic(nm_device_get_platform(device),
                              connection,
                              NM_SETTING_GENEVE_SETTING_NAME,
                              existing_connections,
                              NULL,
                              _("Geneve connection"),
                              NULL,
                              NULL);
    s_geneve = nm_connection_get_setting_geneve(connection);
    if (!s_geneve) {
        g_set_error_literal(error,
                            NM_DEVICE_ERROR,
                            NM_DEVICE_ERROR_INVALID_CONNECTION,
                            "A 'geneve' setting is required.");
        return FALSE;
    }
    return TRUE;
 }
 static void
 update_connection(NMDevice *device, NMConnection *connection)
 {
    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(device);
    NMSettingGeneve *s_geneve   = _nm_connection_ensure_setting(connection, NM_TYPE_SETTING_GENEVE);
    char             sbuf[NM_INET_ADDRSTRLEN];
    if (priv->props.id != nm_setting_geneve_get_id(s_geneve))
        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_ID, priv->props.id, NULL);
    /* Handle remote (IPv4 or IPv6) */
    if (priv->props.remote) {
        g_object_set(s_geneve,
                     NM_SETTING_GENEVE_REMOTE,
                     nm_inet4_ntop(priv->props.remote, sbuf),
                     NULL);
    } else if (memcmp(&priv->props.remote6, &in6addr_any, sizeof(in6addr_any))) {
        g_object_set(s_geneve,
                     NM_SETTING_GENEVE_REMOTE,
                     nm_inet6_ntop(&priv->props.remote6, sbuf),
                     NULL);
    }
    if (priv->props.dst_port != nm_setting_geneve_get_destination_port(s_geneve))
        g_object_set(G_OBJECT(s_geneve),
                     NM_SETTING_GENEVE_DESTINATION_PORT,
                     priv->props.dst_port,
                     NULL);
    if (priv->props.tos != nm_setting_geneve_get_tos(s_geneve))
        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_TOS, priv->props.tos, NULL);
    if (priv->props.ttl != nm_setting_geneve_get_ttl(s_geneve))
        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_TTL, priv->props.ttl, NULL);
    if (priv->props.df != nm_setting_geneve_get_df(s_geneve))
        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_DF, priv->props.df, NULL);
 }
 static void
 get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
 {
    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(object);
    switch (prop_id) {
    case PROP_ID:
        g_value_set_uint(value, priv->props.id);
        break;
    case PROP_REMOTE:
        if (priv->props.remote)
            g_value_take_string(value, nm_inet4_ntop_dup(priv->props.remote));
        else if (!IN6_IS_ADDR_UNSPECIFIED(&priv->props.remote6))
            g_value_take_string(value, nm_inet6_ntop_dup(&priv->props.remote6));
        break;
    case PROP_TOS:
        g_value_set_uchar(value, priv->props.tos);
        break;
    case PROP_TTL:
        g_value_set_uchar(value, priv->props.ttl);
        break;
    case PROP_DF:
        g_value_set_uint(value, priv->props.df);
        break;
    case PROP_DST_PORT:
        g_value_set_uint(value, priv->props.dst_port);
        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
    }
 }
 /*****************************************************************************/
 static void
 nm_device_geneve_init(NMDeviceGeneve *self)
 {}
 static const NMDBusInterfaceInfoExtended interface_info_device_geneve = {
    .parent = NM_DEFINE_GDBUS_INTERFACE_INFO_INIT(
        NM_DBUS_INTERFACE_DEVICE_GENEVE,
        .properties = NM_DEFINE_GDBUS_PROPERTY_INFOS(
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Id", "u", NM_DEVICE_GENEVE_ID),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Remote", "s", NM_DEVICE_GENEVE_REMOTE),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tos", "y", NM_DEVICE_GENEVE_TOS),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Ttl", "y", NM_DEVICE_GENEVE_TTL),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Df", "u", NM_DEVICE_GENEVE_DF),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("DstPort",
                                                           "q",
                                                           NM_DEVICE_GENEVE_DST_PORT), ), ),
 };
 static void
 nm_device_geneve_class_init(NMDeviceGeneveClass *klass)
 {
    GObjectClass      *object_class      = G_OBJECT_CLASS(klass);
    NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS(klass);
    NMDeviceClass     *device_class      = NM_DEVICE_CLASS(klass);
    object_class->get_property = get_property;
    dbus_object_class->interface_infos = NM_DBUS_INTERFACE_INFOS(&interface_info_device_geneve);
    device_class->connection_type_supported        = NM_SETTING_GENEVE_SETTING_NAME;
    device_class->connection_type_check_compatible = NM_SETTING_GENEVE_SETTING_NAME;
    device_class->link_types = NM_DEVICE_DEFINE_LINK_TYPES(NM_LINK_TYPE_GENEVE);
    device_class->link_changed                = link_changed;
    device_class->unrealize_notify            = unrealize_notify;
    device_class->create_and_realize          = create_and_realize;
    device_class->check_connection_compatible = check_connection_compatible;
    device_class->complete_connection         = complete_connection;
    device_class->get_generic_capabilities    = get_generic_capabilities;
    device_class->update_connection           = update_connection;
    obj_properties[PROP_ID] = g_param_spec_uint(NM_DEVICE_GENEVE_ID,
                                                "",
                                                "",
                                                0,
                                                G_MAXUINT32,
                                                0,
                                                G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_REMOTE] = g_param_spec_string(NM_DEVICE_GENEVE_REMOTE,
                                                      "",
                                                      "",
                                                      NULL,
                                                      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_TOS] = g_param_spec_uchar(NM_DEVICE_GENEVE_TOS,
                                                  "",
                                                  "",
                                                  0,
                                                  255,
                                                  0,
                                                  G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_TTL] = g_param_spec_uchar(NM_DEVICE_GENEVE_TTL,
                                                  "",
                                                  "",
                                                  0,
                                                  255,
                                                  0,
                                                  G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_DF] = g_param_spec_uint(NM_DEVICE_GENEVE_DF,
                                                "",
                                                "",
                                                0,
                                                2,
                                                0,
                                                G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    obj_properties[PROP_DST_PORT] = g_param_spec_uint(NM_DEVICE_GENEVE_DST_PORT,
                                                      "",
                                                      "",
                                                      0,
                                                      65535,
                                                      0,
                                                      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
    g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 }
 /*****************************************************************************/
 #define NM_TYPE_GENEVE_DEVICE_FACTORY (nm_geneve_device_factory_get_type())
 #define NM_GENEVE_DEVICE_FACTORY(obj) \
    (_NM_G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_GENEVE_DEVICE_FACTORY, NMGeneveDeviceFactory))
 static NMDevice *
 create_device(NMDeviceFactory      *factory,
              const char           *iface,
              const NMPlatformLink *plink,
              NMConnection         *connection,
              gboolean             *out_ignore)
 {
    return g_object_new(NM_TYPE_DEVICE_GENEVE,
                        NM_DEVICE_IFACE,
                        iface,
                        NM_DEVICE_TYPE_DESC,
                        "Geneve",
                        NM_DEVICE_DEVICE_TYPE,
                        NM_DEVICE_TYPE_GENEVE,
                        NM_DEVICE_LINK_TYPE,
                        NM_LINK_TYPE_GENEVE,
                        NULL);
 }
 NM_DEVICE_FACTORY_DEFINE_INTERNAL(
    GENEVE,
    Geneve,
    geneve,
    NM_DEVICE_FACTORY_DECLARE_LINK_TYPES(NM_LINK_TYPE_GENEVE)
        NM_DEVICE_FACTORY_DECLARE_SETTING_TYPES(NM_SETTING_GENEVE_SETTING_NAME),
    factory_class->create_device = create_device;);
--- a/src/core/devices/nm-device-geneve.h
+++ b/src/core/devices/nm-device-geneve.h
@ -1,33 +0,0 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 /*
 * Copyright (C) 2026 Red Hat, Inc.
 */
 #ifndef __NETWORKMANAGER_DEVICE_GENEVE_H__
 #define __NETWORKMANAGER_DEVICE_GENEVE_H__
 #include "nm-device.h"
 #define NM_TYPE_DEVICE_GENEVE (nm_device_geneve_get_type())
 #define NM_DEVICE_GENEVE(obj) \
    (_NM_G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneve))
 #define NM_DEVICE_GENEVE_CLASS(klass) \
    (G_TYPE_CHECK_CLASS_CAST((klass), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneveClass))
 #define NM_IS_DEVICE_GENEVE(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), NM_TYPE_DEVICE_GENEVE))
 #define NM_IS_DEVICE_GENEVE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), NM_TYPE_DEVICE_GENEVE))
 #define NM_DEVICE_GENEVE_GET_CLASS(obj) \
    (G_TYPE_INSTANCE_GET_CLASS((obj), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneveClass))
 #define NM_DEVICE_GENEVE_ID       "id"
 #define NM_DEVICE_GENEVE_REMOTE   "remote"
 #define NM_DEVICE_GENEVE_TOS      "tos"
 #define NM_DEVICE_GENEVE_TTL      "ttl"
 #define NM_DEVICE_GENEVE_DF       "df"
 #define NM_DEVICE_GENEVE_DST_PORT "dst-port"
 typedef struct _NMDeviceGeneve      NMDeviceGeneve;
 typedef struct _NMDeviceGeneveClass NMDeviceGeneveClass;
 GType nm_device_geneve_get_type(void);
 #endif /* __NETWORKMANAGER_DEVICE_GENEVE_H__ */
--- a/src/core/devices/nm-device-hsr.c
+++ b/src/core/devices/nm-device-hsr.c
@ -94,10 +94,8 @@ update_properties(NMDevice *device)
    CHECK_PROPERTY_CHANGED(multicast_spec, PROP_MULTICAST_SPEC);
    CHECK_PROPERTY_CHANGED(prp, PROP_PRP);
-    if (!nm_ether_addr_equal(&priv->props.supervision_address, &props->supervision_address)) {
+    if (!nm_ether_addr_equal(&priv->props.supervision_address, &props->supervision_address))
        priv->props.supervision_address = props->supervision_address;
        _notify(self, PROP_SUPERVISION_ADDRESS);
    }
    g_object_thaw_notify((GObject *) device);
 }
@ -117,50 +115,28 @@ create_and_realize(NMDevice              *device,
                   GError               **error)
 {
    const char      *iface = nm_device_get_iface(device);
    nm_auto_free char *err_msg = NULL;
    NMSettingHsr    *s_hsr;
    NMPlatformLnkHsr lnk = {};
-    int                r   = 0;
+    int              r;
    s_hsr = _nm_connection_get_setting(connection, NM_TYPE_SETTING_HSR);
    nm_assert(s_hsr);
    if (nm_setting_hsr_get_port1(s_hsr) != NULL)
        lnk.port1 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port1(s_hsr));
    if (nm_setting_hsr_get_port2(s_hsr) != NULL)
        lnk.port2 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port2(s_hsr));
    if (nm_setting_hsr_get_interlink(s_hsr) != NULL) {
        const char *ifname  = nm_setting_hsr_get_interlink(s_hsr);
        int         ifindex = nm_platform_link_get_ifindex(NM_PLATFORM_GET, ifname);
        if (ifindex <= 0) {
            err_msg = g_strdup_printf("interlink port '%s' does not exist", ifname);
            goto out;
        }
        lnk.interlink = ifindex;
    }
    lnk.multicast_spec = nm_setting_hsr_get_multicast_spec(s_hsr);
    lnk.prp            = nm_setting_hsr_get_prp(s_hsr);
    lnk.protocol_version = nm_setting_hsr_get_protocol_version(s_hsr);
    r = nm_platform_link_hsr_add(nm_device_get_platform(device), iface, &lnk, out_plink);
    if (r < 0) {
        err_msg = g_strdup(nm_strerror(r) ?: "unknown");
    }
 out:
    if (err_msg) {
        g_set_error(error,
                    NM_DEVICE_ERROR,
                    NM_DEVICE_ERROR_CREATION_FAILED,
                    "Failed to create HSR interface '%s' for '%s': %s",
                    iface,
                    nm_connection_get_id(connection),
-                    err_msg);
+                    nm_strerror(r));
        return FALSE;
    }
--- a/src/core/devices/nm-device-macsec.c
+++ b/src/core/devices/nm-device-macsec.c
@ -440,9 +440,6 @@ supplicant_iface_start(NMDeviceMacsec *self)
    NMDeviceMacsecPrivate              *priv   = NM_DEVICE_MACSEC_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
    NMActRequest                       *request;
    NMActiveConnection                 *controller_ac;
    NMDevice                           *controller;
    config = build_supplicant_config(self, &error);
    if (!config) {
@ -455,16 +452,6 @@ supplicant_iface_start(NMDeviceMacsec *self)
    }
    nm_supplicant_interface_disconnect(priv->supplicant.iface);
    /* Tell the supplicant in which bridge the interface is */
    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
        && (controller = nm_active_connection_get_device(controller_ac))
        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
    } else
        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
--- a/src/core/devices/nm-device-macvlan.c
+++ b/src/core/devices/nm-device-macvlan.c
@ -468,12 +468,7 @@ static const NMDBusInterfaceInfoExtended interface_info_device_macvlan = {
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("NoPromisc",
                                                           "b",
                                                           NM_DEVICE_MACVLAN_NO_PROMISC),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tap", "b", NM_DEVICE_MACVLAN_TAP),
+            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tab", "b", NM_DEVICE_MACVLAN_TAP), ), ),
            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE(
                "Tab",
                "b",
                NM_DEVICE_MACVLAN_TAP,
                .annotations = NM_GDBUS_ANNOTATION_INFO_LIST_DEPRECATED(), ), ), ),
 };
 static void
--- a/src/core/devices/nm-device-private.h
+++ b/src/core/devices/nm-device-private.h
@ -115,6 +115,9 @@ gboolean nm_device_sysctl_ip_conf_set(NMDevice   *self,
 NML3ConfigData *nm_device_create_l3_config_data(NMDevice *self, NMIPConfigSource source);
 NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
                                                                NMConnection *connection);
 void nm_device_ip_method_dhcp4_start(NMDevice *self);
 void nm_device_ip_method_autoconf6_start(NMDevice *self);
--- a/src/core/devices/nm-device-tun.c
+++ b/src/core/devices/nm-device-tun.c
@ -242,14 +242,12 @@ create_and_realize(NMDevice              *device,
        g_return_val_if_reached(FALSE);
    }
-    owner =
+    owner = _nm_utils_ascii_str_to_int64(nm_setting_tun_get_owner(s_tun), 10, 0, G_MAXINT32, -1);
        _nm_utils_ascii_str_to_int64(nm_setting_tun_get_owner(s_tun), 10, 0, G_MAXUINT32 - 1, -1);
    if (owner != -1) {
        props.owner_valid = TRUE;
        props.owner       = owner;
    }
-    group =
+    group = _nm_utils_ascii_str_to_int64(nm_setting_tun_get_group(s_tun), 10, 0, G_MAXINT32, -1);
        _nm_utils_ascii_str_to_int64(nm_setting_tun_get_group(s_tun), 10, 0, G_MAXUINT32 - 1, -1);
    if (group != -1) {
        props.group_valid = TRUE;
        props.group       = group;
@ -280,7 +278,7 @@ _same_og(const char *str, gboolean og_valid, guint32 og_num)
 {
    gint64 v;
-    v = _nm_utils_ascii_str_to_int64(str, 10, 0, G_MAXUINT32 - 1, -1);
+    v = _nm_utils_ascii_str_to_int64(str, 10, 0, G_MAXINT32, -1);
    return (!og_valid && (v == (gint64) -1)) || (og_valid && (((guint32) v) == og_num));
 }
--- a/src/core/devices/nm-device-utils.c
+++ b/src/core/devices/nm-device-utils.c
@ -135,17 +135,13 @@ NM_UTILS_LOOKUP_STR_DEFINE(
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_LINK_NOT_INIT,
                             "unmanaged-link-not-init"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_QUITTING, "unmanaged-quitting"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_MANAGER_DISABLED,
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_SLEEPING, "unmanaged-sleeping"),
                             "unmanaged-nm-disabled"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_CONF, "unmanaged-user-conf"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_EXPLICIT,
                             "unmanaged-user-explicit"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_SETTINGS,
                             "unmanaged-user-settings"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"),
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"), );
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE,
                             "modem-no-operator-code"), );
 NM_UTILS_LOOKUP_STR_DEFINE(nm_device_mtu_source_to_string,
                           NMDeviceMtuSource,
--- a/src/core/devices/nm-device-veth.c
+++ b/src/core/devices/nm-device-veth.c
@ -53,7 +53,7 @@ update_properties(NMDevice *device)
    nm_device_parent_set_ifindex(device, peer_ifindex);
    peer = nm_device_parent_get_device(device);
-    if (peer && NM_IS_DEVICE_VETH(peer) && !nm_device_parent_get_device(peer))
+    if (peer && NM_IS_DEVICE_VETH(peer) && nm_device_parent_get_ifindex(peer) <= 0)
        update_properties(peer);
 }
--- a/src/core/devices/nm-device-vrf.c
+++ b/src/core/devices/nm-device-vrf.c
@ -235,7 +235,7 @@ attach_port(NMDevice                  *device,
        _LOGI(LOGD_DEVICE, "attached VRF port %s", port_iface);
    } else
-        _LOGI(LOGD_DEVICE, "VRF port %s was attached", port_iface);
+        _LOGI(LOGD_BOND, "VRF port %s was attached", port_iface);
    return TRUE;
 }
--- a/src/core/devices/nm-device-vxlan.c
+++ b/src/core/devices/nm-device-vxlan.c
@ -176,14 +176,14 @@ create_and_realize(NMDevice              *device,
    if (str) {
        if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.local)
            && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.local6))
-            return nm_assert_unreachable_val(FALSE);
+            return FALSE;
    }
    str = nm_setting_vxlan_get_remote(s_vxlan);
    if (str) {
        if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.group)
            && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.group6))
-            return nm_assert_unreachable_val(FALSE);
+            return FALSE;
    }
    props.tos          = nm_setting_vxlan_get_tos(s_vxlan);
--- a/src/core/devices/nm-device-wireguard.c
+++ b/src/core/devices/nm-device-wireguard.c
@ -1672,57 +1672,6 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
    return ret;
 }
 static gboolean
 skip_peer_route(const NMIPAddr    *peer_addr,
                guint              peer_addr_prefix,
                int                addr_family,
                NMSettingIPConfig *s_ip)
 {
    guint num_addresses;
    guint i;
    /*
     * If the allowed-ip subnet is already reachable on the interface via the
     * prefix route of a static IP address, skip adding the peer route.
     * We don't want to override the prefix route with a new one because the
     * prefix route also specifies the correct source IP address.
     *
     * wg-quick does something similar here:
     * https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?h=v1.0.20250521#n177
     * The condition in wg-quick is a bit different because it checks that no
     * duplicate route exists on the interface. We can't do exactly the same
     * because here we don't have visibility on all the platform routes.
     */
    if (!s_ip)
        return FALSE;
    num_addresses = nm_setting_ip_config_get_num_addresses(s_ip);
    for (i = 0; i < num_addresses; i++) {
        NMIPAddr     setting_addr;
        NMIPAddr     peer_addr_tmp;
        guint        setting_prefix;
        NMIPAddress *a;
        peer_addr_tmp = *peer_addr;
        a = nm_setting_ip_config_get_address(s_ip, i);
        nm_ip_address_get_address_binary(a, &setting_addr);
        setting_prefix = nm_ip_address_get_prefix(a);
        if (setting_prefix > peer_addr_prefix)
            continue;
        nm_ip_addr_clear_host_address(addr_family, &setting_addr, NULL, setting_prefix);
        nm_ip_addr_clear_host_address(addr_family, &peer_addr_tmp, NULL, setting_prefix);
        if (nm_ip_addr_equal(addr_family, &peer_addr_tmp, &setting_addr))
            return TRUE;
    }
    return FALSE;
 }
 static const NML3ConfigData *
 _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 {
@ -1789,7 +1738,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
        n_aips = nm_wireguard_peer_get_allowed_ips_len(peer);
        for (j = 0; j < n_aips; j++) {
            NMSettingIPConfig *s_ip;
            NMPlatformIPXRoute rt;
            NMIPAddr           addrbin;
            const char        *aip;
@ -1798,7 +1746,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
            guint32            rtable_coerced;
            aip = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
            s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
            if (!valid || !nm_inet_parse_with_prefix_bin(addr_family, aip, NULL, &addrbin, &prefix))
                continue;
@ -1807,6 +1754,9 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
                prefix = (addr_family == AF_INET) ? 32 : 128;
            if (prefix == 0) {
                NMSettingIPConfig *s_ip;
                s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
                if (nm_setting_ip_config_get_never_default(s_ip))
                    continue;
            }
@ -1819,9 +1769,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
            nm_ip_addr_clear_host_address(addr_family, &addrbin, NULL, prefix);
            if (skip_peer_route(&addrbin, prefix, addr_family, s_ip))
                continue;
            rtable_coerced = route_table_coerced;
            if (prefix == 0 && auto_default_route_enabled) {
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
--- a/src/core/devices/nm-device.h
+++ b/src/core/devices/nm-device.h
@ -209,6 +209,8 @@ typedef struct _NMDeviceClass {
    bool act_stage1_prepare_set_hwaddr_ethernet : 1;
    bool can_reapply_change_ovs_external_ids : 1;
    bool allow_autoconnect_on_external : 1;
    NMRfkillType rfkill_type : 4;
@ -581,8 +583,7 @@ void nm_device_copy_ip6_dns_config(NMDevice *self, NMDevice *from_device);
 /**
 * NMUnmanagedFlags:
 * @NM_UNMANAGED_NONE: placeholder value
- * @NM_UNMANAGED_MANAGER_DISABLED: %TRUE when unmanaged because NM is disabled.
+ * @NM_UNMANAGED_SLEEPING: %TRUE when unmanaged because NM is sleeping.
 *   Currently, this happens when sleeping or with networking disabled.
 * @NM_UNMANAGED_QUITTING: %TRUE when unmanaged because NM is shutting down.
 * @NM_UNMANAGED_PLATFORM_INIT: %TRUE when unmanaged because platform link not
 *   yet initialized. Unrealized device are also unmanaged for this reason.
@ -611,7 +612,7 @@ typedef enum {
    /* these flags are authoritative. If one of them is set,
     * the device cannot be managed. */
-    NM_UNMANAGED_MANAGER_DISABLED = (1LL << 0),
+    NM_UNMANAGED_SLEEPING      = (1LL << 0),
    NM_UNMANAGED_QUITTING      = (1LL << 1),
    NM_UNMANAGED_PLATFORM_INIT = (1LL << 2),
    NM_UNMANAGED_USER_EXPLICIT = (1LL << 3),
@ -791,7 +792,6 @@ void     nm_device_update_permanent_hw_address(NMDevice *self, gboolean force_fr
 void     nm_device_update_dynamic_ip_setup(NMDevice *self, const char *reason);
 guint    nm_device_get_supplicant_timeout(NMDevice *self);
 gboolean nm_device_auth_retries_has_next(NMDevice *self);
 gboolean nm_device_auth_retries_try_next(NMDevice *self);
 gboolean nm_device_hw_addr_get_cloned(NMDevice     *self,
@ -854,7 +854,4 @@ void nm_routing_rules_sync(NMConnection *applied_connection,
                           NMDevice *self,
                           NMNetns  *netns);
 NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
                                                                NMConnection *connection);
 #endif /* __NETWORKMANAGER_DEVICE_H__ */
--- a/src/core/devices/nm-lldp-listener.c
+++ b/src/core/devices/nm-lldp-listener.c
@ -310,7 +310,7 @@ format_string(const guint8 *data, gsize len, gboolean allow_trim, char **out_to_
    if (len == 0)
        return NULL;
-    if (memchr(data, '\0', len))
+    if (memchr(data, len, '\0'))
        return NULL;
    return nm_utils_buf_utf8safe_escape(data,
--- a/src/core/devices/ovs/nm-device-ovs-bridge.c
+++ b/src/core/devices/ovs/nm-device-ovs-bridge.c
@ -162,11 +162,6 @@ can_reapply_change(NMDevice   *device,
                                                 NM_SETTING_OVS_BRIDGE_STP_ENABLE);
    }
    if (NM_IN_STRSET(setting_name,
                     NM_SETTING_OVS_EXTERNAL_IDS_SETTING_NAME,
                     NM_SETTING_OVS_OTHER_CONFIG_SETTING_NAME))
        return TRUE;
    return device_class->can_reapply_change(device, setting_name, s_old, s_new, diffs, error);
 }
@ -209,5 +204,6 @@ nm_device_ovs_bridge_class_init(NMDeviceOvsBridgeClass *klass)
    device_class->attach_port                         = attach_port;
    device_class->detach_port                         = detach_port;
    device_class->can_reapply_change                  = can_reapply_change;
    device_class->can_reapply_change_ovs_external_ids = TRUE;
    device_class->reapply_connection                  = nm_device_ovs_reapply_connection;
 }
--- a/src/core/devices/ovs/nm-device-ovs-interface.c
+++ b/src/core/devices/ovs/nm-device-ovs-interface.c
@ -16,8 +16,6 @@
 #include "nm-setting-ovs-bridge.h"
 #include "nm-setting-ovs-interface.h"
 #include "nm-setting-ovs-port.h"
 #include "nm-setting-ovs-external-ids.h"
 #include "nm-setting-ovs-other-config.h"
 #define _NMLOG_DEVICE_TYPE NMDeviceOvsInterface
 #include "devices/nm-device-logging.h"
@ -633,28 +631,6 @@ can_update_from_platform_link(NMDevice *device, const NMPlatformLink *plink)
    return !plink || nm_device_get_state(device) != NM_DEVICE_STATE_DEACTIVATING;
 }
 static gboolean
 can_reapply_change(NMDevice   *device,
                   const char *setting_name,
                   NMSetting  *s_old,
                   NMSetting  *s_new,
                   GHashTable *diffs,
                   GError    **error)
 {
    NMDeviceClass *device_class = NM_DEVICE_CLASS(nm_device_ovs_interface_parent_class);
    if (NM_IN_STRSET(setting_name,
                     NM_SETTING_OVS_EXTERNAL_IDS_SETTING_NAME,
                     NM_SETTING_OVS_OTHER_CONFIG_SETTING_NAME)) {
        /* TODO: it's currently not possible to reapply those settings on OVS
         * system interfaces because they have type != "ovs-interface" (e.g.
         * "ethernet") */
        return TRUE;
    }
    return device_class->can_reapply_change(device, setting_name, s_old, s_new, diffs, error);
 }
 /*****************************************************************************/
 static void
@ -735,6 +711,6 @@ nm_device_ovs_interface_class_init(NMDeviceOvsInterfaceClass *klass)
    device_class->can_unmanaged_external_down         = can_unmanaged_external_down;
    device_class->set_platform_mtu                    = set_platform_mtu;
    device_class->get_configured_mtu                  = nm_device_get_configured_mtu_for_wired;
-    device_class->can_reapply_change            = can_reapply_change;
+    device_class->can_reapply_change_ovs_external_ids = TRUE;
    device_class->reapply_connection                  = nm_device_ovs_reapply_connection;
 }
--- a/src/core/devices/ovs/nm-device-ovs-port.c
+++ b/src/core/devices/ovs/nm-device-ovs-port.c
@ -16,8 +16,6 @@
 #include "nm-setting-connection.h"
 #include "nm-setting-ovs-port.h"
 #include "nm-setting-ovs-interface.h"
 #include "nm-setting-ovs-external-ids.h"
 #include "nm-setting-ovs-other-config.h"
 #include "nm-setting-wired.h"
 #define _NMLOG_DEVICE_TYPE NMDeviceOvsPort
@ -281,11 +279,6 @@ can_reapply_change(NMDevice   *device,
                                                 NM_SETTING_OVS_PORT_TRUNKS);
    }
    if (NM_IN_STRSET(setting_name,
                     NM_SETTING_OVS_EXTERNAL_IDS_SETTING_NAME,
                     NM_SETTING_OVS_OTHER_CONFIG_SETTING_NAME))
        return TRUE;
    return device_class->can_reapply_change(device, setting_name, s_old, s_new, diffs, error);
 }
@ -327,5 +320,6 @@ nm_device_ovs_port_class_init(NMDeviceOvsPortClass *klass)
    device_class->attach_port                         = attach_port;
    device_class->detach_port                         = detach_port;
    device_class->can_reapply_change                  = can_reapply_change;
    device_class->can_reapply_change_ovs_external_ids = TRUE;
    device_class->reapply_connection                  = nm_device_ovs_reapply_connection;
 }
--- a/src/core/devices/ovs/nm-ovs-factory.c
+++ b/src/core/devices/ovs/nm-ovs-factory.c
@ -75,6 +75,9 @@ new_device_from_type(const char *name, NMDeviceType device_type)
    const char *type_desc;
    NMLinkType  link_type = NM_LINK_TYPE_NONE;
    if (nm_manager_get_device(NM_MANAGER_GET, name, device_type))
        return NULL;
    if (device_type == NM_DEVICE_TYPE_OVS_INTERFACE) {
        type      = NM_TYPE_DEVICE_OVS_INTERFACE;
        type_desc = "Open vSwitch Interface";
@ -86,7 +89,6 @@ new_device_from_type(const char *name, NMDeviceType device_type)
        type      = NM_TYPE_DEVICE_OVS_BRIDGE;
        type_desc = "Open vSwitch Bridge";
    } else {
        _LOGT(name, NULL, "Unrecognized link type: %d", device_type);
        return NULL;
    }
@ -123,11 +125,6 @@ ovsdb_device_added(NMOvsdb         *ovsdb,
        return;
    }
    if (nm_manager_get_device(NM_MANAGER_GET, name, device_type)) {
        _LOGT(name, NULL, "Device already registered with manager, skipping.");
        return;
    }
    device = new_device_from_type(name, device_type);
    if (!device)
        return;
@ -291,31 +288,23 @@ create_device(NMDeviceFactory      *self,
 {
    NMDeviceType device_type     = NM_DEVICE_TYPE_UNKNOWN;
    const char  *connection_type = NULL;
    const char  *connection_uuid = NULL;
    if (g_strcmp0(iface, "ovs-system") == 0) {
        *out_ignore = TRUE;
        return NULL;
    }
-    if (connection) {
+    if (connection)
        connection_type = nm_connection_get_connection_type(connection);
        connection_uuid = nm_connection_get_uuid(connection);
    }
-    if (plink) {
+    if (plink)
        _LOGD(iface, connection_uuid, "creating OVS interface (from a platform link)");
        device_type = NM_DEVICE_TYPE_OVS_INTERFACE;
-    } else if (nm_streq0(connection_type, NM_SETTING_OVS_INTERFACE_SETTING_NAME)) {
+    else if (g_strcmp0(connection_type, NM_SETTING_OVS_INTERFACE_SETTING_NAME) == 0)
        _LOGD(iface, connection_uuid, "creating OVS interface (from setting)");
        device_type = NM_DEVICE_TYPE_OVS_INTERFACE;
-    } else if (nm_streq0(connection_type, NM_SETTING_OVS_PORT_SETTING_NAME)) {
+    else if (g_strcmp0(connection_type, NM_SETTING_OVS_PORT_SETTING_NAME) == 0)
        _LOGD(iface, connection_uuid, "creating OVS port (from setting)");
        device_type = NM_DEVICE_TYPE_OVS_PORT;
-    } else if (nm_streq0(connection_type, NM_SETTING_OVS_BRIDGE_SETTING_NAME)) {
+    else if (g_strcmp0(connection_type, NM_SETTING_OVS_BRIDGE_SETTING_NAME) == 0)
        _LOGD(iface, connection_uuid, "creating OVS bridge (from setting)");
        device_type = NM_DEVICE_TYPE_OVS_BRIDGE;
    }
    return new_device_from_type(iface, device_type);
 }
--- a/src/core/devices/ovs/nm-ovsdb.c
+++ b/src/core/devices/ovs/nm-ovsdb.c
@ -904,13 +904,11 @@ _insert_interface(json_t       *params,
        guint32     n_rxq;
        guint32     n_rxq_desc;
        guint32     n_txq_desc;
        NMSettingOvsDpdkLscInterrupt lsc_int;
        devargs    = nm_setting_ovs_dpdk_get_devargs(s_ovs_dpdk);
        n_rxq      = nm_setting_ovs_dpdk_get_n_rxq(s_ovs_dpdk);
        n_rxq_desc = nm_setting_ovs_dpdk_get_n_rxq_desc(s_ovs_dpdk);
        n_txq_desc = nm_setting_ovs_dpdk_get_n_txq_desc(s_ovs_dpdk);
        lsc_int    = nm_setting_ovs_dpdk_get_lsc_interrupt(s_ovs_dpdk);
        dpdk_array = json_array();
@ -932,17 +930,6 @@ _insert_interface(json_t       *params,
                json_pack("[s,s]", "n_txq_desc", nm_sprintf_buf(sbuf, "%u", n_txq_desc)));
        }
        switch (lsc_int) {
        case NM_SETTING_OVS_DPDK_LSC_INTERRUPT_IGNORE:
            break;
        case NM_SETTING_OVS_DPDK_LSC_INTERRUPT_ENABLED:
            json_array_append_new(dpdk_array, json_pack("[s,s]", "dpdk-lsc-interrupt", "true"));
            break;
        case NM_SETTING_OVS_DPDK_LSC_INTERRUPT_DISABLED:
            json_array_append_new(dpdk_array, json_pack("[s,s]", "dpdk-lsc-interrupt", "false"));
            break;
        }
        json_array_append_new(options, dpdk_array);
    } else if (s_ovs_patch) {
@ -1890,7 +1877,7 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
        == -1) {
        /* This doesn't really have to be an error; the key might
         * be missing if there really are no bridges present. */
-        _LOGD("monitor: bad update: %s", json_error.text);
+        _LOGD("Bad update: %s", json_error.text);
    }
    if (ovs) {
@ -1936,12 +1923,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;
-            _LOGT("monitor: %s: interface removed: type=%s, obj[iface:%s]%s%s",
+            _LOGT("obj[iface:%s]: removed an '%s' interface: %s%s%s",
                  ovs_interface->name,
                  ovs_interface->type,
                  key,
                  ovs_interface->type,
                  ovs_interface->name,
                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_interface->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self,
@ -1989,14 +1976,13 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT(
+                _LOGT("obj[iface:%s]: changed an '%s' interface: %s%s%s, external-ids=%s, "
                    "monitor: %s: interface changed: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
                      "other-config=%s",
                    ovs_interface->name,
                    type,
                      key,
                      type,
                      ovs_interface->name,
                      NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                         ", connection=",
+                                           ", ",
                                           ovs_interface->connection_uuid,
                                           ""),
                      (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
@ -2016,13 +2002,13 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->interfaces, ovs_interface);
-            _LOGT("monitor: %s: interface added: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
+            _LOGT(
-                  "other-config=%s",
+                "obj[iface:%s]: added an '%s' interface: %s%s%s, external-ids=%s, other-config=%s",
                  ovs_interface->name,
                  ovs_interface->type,
                key,
                ovs_interface->type,
                ovs_interface->name,
                NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", connection=",
+                                     ", ",
                                     ovs_interface->connection_uuid,
                                     ""),
                (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
@ -2072,11 +2058,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
            if (!g_hash_table_steal_extended(priv->ports, &key, (gpointer *) &ovs_port, &unused))
                continue;
-            _LOGT("monitor: %s: port removed: obj[port:%s]%s%s",
+            _LOGT("obj[port:%s]: removed a port: %s%s%s",
                  ovs_port->name,
                  key,
                  ovs_port->name,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_port->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_port->name, NM_DEVICE_TYPE_OVS_PORT, NULL);
@ -2123,12 +2109,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT(
+                _LOGT("obj[port:%s]: changed a port: %s%s%s, external-ids=%s, other-config=%s",
                    "monitor: %s: port changed: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
                    ovs_port->name,
                      key,
                      ovs_port->name,
                      NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                         ", connection=",
+                                           ", ",
                                           ovs_port->connection_uuid,
                                           ""),
                      (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2148,11 +2133,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->ports, ovs_port);
-            _LOGT("monitor: %s: port added: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
+            _LOGT("obj[port:%s]: added a port: %s%s%s, external-ids=%s, other-config=%s",
                  ovs_port->name,
                  key,
                  ovs_port->name,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_port->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2194,11 +2179,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;
-            _LOGT("monitor: %s: bridge removed: obj[bridge:%s]%s%s",
+            _LOGT("obj[bridge:%s]: removed a bridge: %s%s%s",
                  ovs_bridge->name,
                  key,
                  ovs_bridge->name,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_bridge->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_bridge->name, NM_DEVICE_TYPE_OVS_BRIDGE, NULL);
@ -2245,16 +2230,15 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;
-                _LOGT("monitor: %s: bridge changed: obj[bridge:%s]%s%s, external-ids=%s, "
+                _LOGT("obj[bridge:%s]: changed a bridge: %s%s%s, external-ids=%s, other-config=%s",
                      "other-config=%s",
                      ovs_bridge->name,
                      key,
                      ovs_bridge->name,
                      NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                           ", connection=",
+                                           ", ",
                                           ovs_bridge->connection_uuid,
                                           ""),
                      (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
-                      (strtmp2 = _strdict_to_string(ovs_bridge->other_config)));
+                      (strtmp2 = _strdict_to_string(ovs_bridge->external_ids)));
            }
        } else {
            gs_free char *strtmp1 = NULL;
@ -2270,11 +2254,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->bridges, ovs_bridge);
-            _LOGT("monitor: %s: bridge added: obj[bridge:%s]%s%s, external-ids=%s, other-config=%s",
+            _LOGT("obj[bridge:%s]: added a bridge: %s%s%s, external-ids=%s, other-config=%s",
                  ovs_bridge->name,
                  key,
                  ovs_bridge->name,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_bridge->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
--- a/src/core/devices/wifi/nm-device-iwd.c
+++ b/src/core/devices/wifi/nm-device-iwd.c
@ -2270,37 +2270,6 @@ add_new:
    return NM_ACT_STAGE_RETURN_SUCCESS;
 }
 static void
 set_powersave(NMDevice *device)
 {
    NMDeviceIwd               *self = NM_DEVICE_IWD(device);
    NMSettingWireless         *s_wireless;
    NMSettingWirelessPowersave val;
    s_wireless = nm_device_get_applied_setting(device, NM_TYPE_SETTING_WIRELESS);
    g_return_if_fail(s_wireless);
    val = nm_setting_wireless_get_powersave(s_wireless);
    if (val == NM_SETTING_WIRELESS_POWERSAVE_DEFAULT) {
        val = nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
                                                          "wifi.powersave",
                                                          device,
                                                          NM_SETTING_WIRELESS_POWERSAVE_IGNORE,
                                                          NM_SETTING_WIRELESS_POWERSAVE_ENABLE,
                                                          NM_SETTING_WIRELESS_POWERSAVE_IGNORE);
    }
    _LOGT(LOGD_WIFI, "powersave is set to %u", (unsigned) val);
    if (val == NM_SETTING_WIRELESS_POWERSAVE_IGNORE)
        return;
    nm_platform_wifi_set_powersave(nm_device_get_platform(device),
                                   nm_device_get_ifindex(device),
                                   val == NM_SETTING_WIRELESS_POWERSAVE_ENABLE);
 }
 static NMActStageReturn
 act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
 {
@ -2328,8 +2297,6 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
            goto out_fail;
        }
        set_powersave(device);
        /* With priv->iwd_autoconnect we have to let IWD handle retries for
         * infrastructure networks.  IWD will not necessarily retry the same
         * network after a failure but it will likely go into an autoconnect
--- a/src/core/devices/wifi/nm-device-wifi.c
+++ b/src/core/devices/wifi/nm-device-wifi.c
@ -191,19 +191,12 @@ static void supplicant_iface_notify_p2p_available(NMSupplicantInterface *iface,
                                                  GParamSpec            *pspec,
                                                  NMDeviceWifi          *self);
 static void supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface,
                                                        NMDeviceWifi          *self);
 static void supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface,
                                                        NMDeviceWifi          *self);
 static void periodic_update(NMDeviceWifi *self);
 static void ap_add_remove(NMDeviceWifi *self,
                          gboolean      is_adding,
                          NMWifiAP     *ap,
-                          gboolean      recheck_available_connections,
+                          gboolean      recheck_available_connections);
                          gboolean      recheck_auto_activate);
 static void _hw_addr_set_scanning(NMDeviceWifi *self, gboolean do_reset);
@ -630,14 +623,6 @@ supplicant_interface_acquire_cb(NMSupplicantManager         *supplicant_manager,
                     "notify::" NM_SUPPLICANT_INTERFACE_P2P_AVAILABLE,
                     G_CALLBACK(supplicant_iface_notify_p2p_available),
                     self);
    g_signal_connect(priv->sup_iface,
                     NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
                     G_CALLBACK(supplicant_iface_notify_wpa_psk_mismatch_cb),
                     self);
    g_signal_connect(priv->sup_iface,
                     NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
                     G_CALLBACK(supplicant_iface_notify_wpa_sae_mismatch_cb),
                     self);
    _scan_notify_is_scanning(self);
@ -729,10 +714,7 @@ update_seen_bssids_cache(NMDeviceWifi *self, NMWifiAP *ap)
 }
 static void
-set_current_ap(NMDeviceWifi *self,
+set_current_ap(NMDeviceWifi *self, NMWifiAP *new_ap, gboolean recheck_available_connections)
               NMWifiAP     *new_ap,
               gboolean      recheck_available_connections,
               gboolean      recheck_auto_activate)
 {
    NMDeviceWifiPrivate *priv;
    NMWifiAP            *old_ap;
@ -759,11 +741,7 @@ set_current_ap(NMDeviceWifi *self,
        /* Remove any AP from the internal list if it was created by NM or isn't known to the supplicant */
        if (NM_IN_SET(mode, _NM_802_11_MODE_ADHOC, _NM_802_11_MODE_AP)
            || nm_wifi_ap_get_fake(old_ap))
-            ap_add_remove(self,
+            ap_add_remove(self, FALSE, old_ap, recheck_available_connections);
                          FALSE,
                          old_ap,
                          recheck_available_connections,
                          recheck_auto_activate);
        g_object_unref(old_ap);
    }
@ -836,8 +814,7 @@ static void
 ap_add_remove(NMDeviceWifi *self,
              gboolean      is_adding, /* or else removing */
              NMWifiAP     *ap,
-              gboolean      recheck_available_connections,
+              gboolean      recheck_available_connections)
              gboolean      recheck_auto_activate)
 {
    NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);
@ -868,14 +845,13 @@ ap_add_remove(NMDeviceWifi *self,
        nm_dbus_object_clear_and_unexport(&ap);
    }
    if (recheck_auto_activate)
    nm_device_recheck_auto_activate_schedule(NM_DEVICE(self));
    if (recheck_available_connections)
        nm_device_recheck_available_connections(NM_DEVICE(self));
 }
 static void
-remove_all_aps(NMDeviceWifi *self, gboolean disposing)
+remove_all_aps(NMDeviceWifi *self)
 {
    NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);
    NMWifiAP            *ap;
@ -883,12 +859,11 @@ remove_all_aps(NMDeviceWifi *self, gboolean disposing)
    if (c_list_is_empty(&priv->aps_lst_head))
        return;
-    set_current_ap(self, NULL, FALSE, !disposing);
+    set_current_ap(self, NULL, FALSE);
    while ((ap = c_list_first_entry(&priv->aps_lst_head, NMWifiAP, aps_lst)))
-        ap_add_remove(self, FALSE, ap, FALSE, !disposing);
+        ap_add_remove(self, FALSE, ap, FALSE);
    if (!disposing)
    nm_device_recheck_available_connections(NM_DEVICE(self));
 }
@ -976,7 +951,7 @@ deactivate(NMDevice *device)
    priv->rate = 0;
-    set_current_ap(self, NULL, TRUE, TRUE);
+    set_current_ap(self, NULL, TRUE);
    if (!wake_on_wlan_restore(self))
        _LOGW(LOGD_DEVICE | LOGD_WIFI, "Cannot unconfigure WoWLAN.");
@ -2025,7 +2000,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
            if (nm_wifi_ap_set_fake(found_ap, TRUE))
                _ap_dump(self, LOGL_DEBUG, found_ap, "updated", 0);
        } else {
-            ap_add_remove(self, FALSE, found_ap, TRUE, TRUE);
+            ap_add_remove(self, FALSE, found_ap, TRUE);
            schedule_ap_list_dump(self);
        }
        return;
@ -2068,7 +2043,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
            }
        }
-        ap_add_remove(self, TRUE, ap, TRUE, TRUE);
+        ap_add_remove(self, TRUE, ap, TRUE);
    }
    /* Update the current AP if the supplicant notified a current BSS change
@ -2251,26 +2226,6 @@ wps_timeout_cb(gpointer user_data)
    return G_SOURCE_REMOVE;
 }
 static gboolean
 wifi_connection_is_new(NMDeviceWifi *self)
 {
    NMDevice             *device = NM_DEVICE(self);
    NMActRequest         *req;
    NMSettingsConnection *connection;
    guint64               timestamp = 0;
    req = nm_device_get_act_request(device);
    g_return_val_if_fail(NM_IS_ACT_REQUEST(req), TRUE);
    connection = nm_act_request_get_settings_connection(req);
    g_return_val_if_fail(NM_IS_SETTINGS_CONNECTION(connection), TRUE);
    if (nm_settings_connection_get_timestamp(connection, &timestamp) && timestamp != 0)
        return FALSE;
    return TRUE;
 }
 static void
 wifi_secrets_get_secrets(NMDeviceWifi                *self,
                         const char                  *setting_name,
@ -2313,7 +2268,7 @@ link_timeout_cb(gpointer user_data)
    if (nm_device_get_state(device) != NM_DEVICE_STATE_ACTIVATED)
        return FALSE;
-    set_current_ap(self, NULL, TRUE, TRUE);
+    set_current_ap(self, NULL, TRUE);
    nm_device_state_changed(device,
                            NM_DEVICE_STATE_FAILED,
@ -2428,18 +2383,15 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,
    NMDevice     *device = NM_DEVICE(self);
    NMActRequest *req;
    const char   *setting_name = NULL;
-    NMSecretAgentGetSecretsFlags secret_flags = NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
+    gboolean      handled      = FALSE;
                                                | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW;
    g_return_val_if_fail(new_state == NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED, FALSE);
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return FALSE;
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_val_if_fail(req != NULL, FALSE);
-    if (need_new_8021x_secrets(self, old_state, &setting_name)) {
+    if (need_new_8021x_secrets(self, old_state, &setting_name)
        || need_new_wpa_psk(self, old_state, disconnect_reason, &setting_name)) {
        nm_act_request_clear_secrets(req);
        _LOGI(LOGD_DEVICE | LOGD_WIFI,
@ -2449,54 +2401,14 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,
        nm_device_state_changed(device,
                                NM_DEVICE_STATE_NEED_AUTH,
                                NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-        wifi_secrets_get_secrets(self, setting_name, secret_flags);
+        wifi_secrets_get_secrets(self,
-        return TRUE;
+                                 setting_name,
                                 NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                     | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
        handled = TRUE;
    }
-    if (need_new_wpa_psk(self, old_state, disconnect_reason, &setting_name)) {
+    return handled;
        nm_act_request_clear_secrets(req);
        cleanup_association_attempt(self, TRUE);
        if (wifi_connection_is_new(self)) {
            _LOGI(LOGD_DEVICE | LOGD_WIFI,
                  "Activation: (wifi) new connection disconnected during association, asking for "
                  "new key");
            nm_device_state_changed(device,
                                    NM_DEVICE_STATE_NEED_AUTH,
                                    NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
            wifi_secrets_get_secrets(self, setting_name, secret_flags);
            return TRUE;
        }
        if (!nm_device_auth_retries_try_next(device)) {
            nm_device_state_changed(device,
                                    NM_DEVICE_STATE_FAILED,
                                    NM_DEVICE_STATE_REASON_NO_SECRETS);
            return TRUE;
        }
        if (nm_device_auth_retries_has_next(device)) {
            secret_flags &= ~NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW;
            _LOGI(
                LOGD_DEVICE | LOGD_WIFI,
                "Activation: (wifi) disconnected during association, reauthenticating connection");
        } else {
            _LOGI(LOGD_DEVICE | LOGD_WIFI,
                  "Activation: (wifi) disconnected during association, asking for new key");
        }
        nm_device_state_changed(device,
                                NM_DEVICE_STATE_NEED_AUTH,
                                NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
        wifi_secrets_get_secrets(self, setting_name, secret_flags);
        return TRUE;
    }
    _LOGI(LOGD_DEVICE | LOGD_WIFI,
          "Activation: (wifi) disconnected during association, retrying connection");
    return FALSE;
 }
 static gboolean
@ -2772,7 +2684,7 @@ supplicant_iface_notify_current_bss(NMSupplicantInterface *iface,
            }
        }
-        set_current_ap(self, new_ap, TRUE, TRUE);
+        set_current_ap(self, new_ap, TRUE);
        req = nm_device_get_act_request(NM_DEVICE(self));
        if (req) {
@ -2918,68 +2830,6 @@ handle_auth_or_fail(NMDeviceWifi *self, NMActRequest *req, gboolean new_secrets)
    return TRUE;
 }
 static void
 supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
 {
    NMDevice     *device = NM_DEVICE(self);
    NMActRequest *req;
    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return;
    if (!wifi_connection_is_new(self) && nm_device_auth_retries_has_next(device)) {
        _LOGI(LOGD_DEVICE | LOGD_WIFI,
              "Activation: (wifi) psk mismatch reported by supplicant, retrying connection");
        return;
    }
    _LOGI(LOGD_DEVICE | LOGD_WIFI,
          "Activation: (wifi) psk mismatch reported by supplicant, asking for new key");
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_if_fail(req != NULL);
    nm_act_request_clear_secrets(req);
    cleanup_association_attempt(self, TRUE);
    nm_device_state_changed(device,
                            NM_DEVICE_STATE_NEED_AUTH,
                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
    wifi_secrets_get_secrets(self,
                             setting_name,
                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
 }
 static void
 supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
 {
    NMDevice     *device = NM_DEVICE(self);
    NMActRequest *req;
    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
        return;
    _LOGI(LOGD_DEVICE | LOGD_WIFI,
          "Activation: (wifi) SAE password mismatch reported by supplicant, asking for new key");
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_if_fail(req != NULL);
    nm_act_request_clear_secrets(req);
    cleanup_association_attempt(self, TRUE);
    nm_device_state_changed(device,
                            NM_DEVICE_STATE_NEED_AUTH,
                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
    wifi_secrets_get_secrets(self,
                             setting_name,
                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
 }
 /*
 * supplicant_connection_timeout_cb
 *
@ -3270,7 +3120,7 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
        priv->mode = _NM_802_11_MODE_AP;
        /* Scanning not done in AP mode; clear the scan list */
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);
    } else if (g_strcmp0(mode, NM_SETTING_WIRELESS_MODE_MESH) == 0)
        priv->mode = _NM_802_11_MODE_MESH;
    _notify(self, PROP_MODE);
@ -3307,14 +3157,14 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
            nm_wifi_ap_set_address(ap_fake, nm_device_get_hw_address(device));
        g_object_freeze_notify(G_OBJECT(self));
-        ap_add_remove(self, TRUE, ap_fake, TRUE, TRUE);
+        ap_add_remove(self, TRUE, ap_fake, TRUE);
        g_object_thaw_notify(G_OBJECT(self));
        ap = ap_fake;
    }
    _scan_notify_allowed(self, NM_TERNARY_DEFAULT);
-    set_current_ap(self, ap, FALSE, TRUE);
+    set_current_ap(self, ap, FALSE);
    nm_active_connection_set_specific_object(NM_ACTIVE_CONNECTION(req),
                                             nm_dbus_object_get_path(NM_DBUS_OBJECT(ap)));
    return NM_ACT_STAGE_RETURN_SUCCESS;
@ -3323,19 +3173,8 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
 static void
 ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP *ap)
 {
-    guint32     freqs_a[]    = {5180, /* only U-NII-1 channels: non-DFS and available everywhere */
+    guint32     a_freqs[]  = {5180, 5200, 5220, 5745, 5765, 5785, 5805, 0};
-                                5200,
+    guint32     bg_freqs[] = {2412, 2437, 2462, 2472, 0};
                                5220,
                                5240,
                                0};
    guint32     freqs_bg[]   = {2412, 2437, 2462, 2472, 0};
    guint32     freqs_6ghz[] = {5975, /* only U-NII-5 PSC channels, for better compatibility */
                                6055,
                                6135,
                                6215,
                                6295,
                                6375,
                                0};
    guint32    *rnd_freqs;
    guint       rnd_freqs_len;
    NMDevice   *device = NM_DEVICE(self);
@ -3346,7 +3185,7 @@ ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP
    guint       l;
    nm_assert(ap);
-    nm_assert(NM_IN_STRSET(band, NULL, "a", "bg", "6GHz"));
+    nm_assert(NM_IN_STRSET(band, NULL, "a", "bg"));
    if (nm_wifi_ap_get_freq(ap))
        return;
@ -3380,14 +3219,11 @@ ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP
    }
    if (nm_streq0(band, "a")) {
-        rnd_freqs     = freqs_a;
+        rnd_freqs     = a_freqs;
-        rnd_freqs_len = G_N_ELEMENTS(freqs_a) - 1;
+        rnd_freqs_len = G_N_ELEMENTS(a_freqs) - 1;
    } else if (nm_streq0(band, "6GHz")) {
        rnd_freqs     = freqs_6ghz;
        rnd_freqs_len = G_N_ELEMENTS(freqs_6ghz) - 1;
    } else {
-        rnd_freqs     = freqs_bg;
+        rnd_freqs     = bg_freqs;
-        rnd_freqs_len = G_N_ELEMENTS(freqs_bg) - 1;
+        rnd_freqs_len = G_N_ELEMENTS(bg_freqs) - 1;
    }
    /* shuffle the frequencies (inplace). The idea is to choose
@ -3694,7 +3530,7 @@ device_state_changed(NMDevice           *device,
        cleanup_association_attempt(self, TRUE);
        cleanup_supplicant_failures(self);
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);
    }
    switch (new_state) {
@ -3732,7 +3568,7 @@ device_state_changed(NMDevice           *device,
    }
    if (clear_aps)
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);
    _scan_notify_allowed(self, NM_TERNARY_DEFAULT);
 }
@ -3974,7 +3810,7 @@ dispose(GObject *object)
    g_clear_object(&priv->sup_mgr);
-    remove_all_aps(self, TRUE);
+    remove_all_aps(self);
    if (priv->p2p_device) {
        /* Destroy the P2P device. */
--- a/src/core/devices/wifi/nm-iwd-manager.c
+++ b/src/core/devices/wifi/nm-iwd-manager.c
@ -684,7 +684,7 @@ iwd_config_write(GKeyFile              *config,
     * in the last few filename characters -- it cannot end in .open, .psk
     * or .8021x.
     */
-    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, NULL, error);
+    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, error);
 }
 static const char *
--- a/src/core/devices/wifi/nm-wifi-ap.c
+++ b/src/core/devices/wifi/nm-wifi-ap.c
@ -574,6 +574,16 @@ nm_wifi_ap_to_string(const NMWifiAP *self, char *str_buf, gulong buf_len, gint64
    return str_buf;
 }
 static guint
 freq_to_band(guint32 freq)
 {
    if (freq >= 4915 && freq <= 5825)
        return 5;
    else if (freq >= 2412 && freq <= 2484)
        return 2;
    return 0;
 }
 gboolean
 nm_wifi_ap_check_compatible(NMWifiAP *self, NMConnection *connection)
 {
@ -621,12 +631,12 @@ nm_wifi_ap_check_compatible(NMWifiAP *self, NMConnection *connection)
    band = nm_setting_wireless_get_band(s_wireless);
    if (band) {
-        const char *ap_band = nm_wifi_freq_to_band_prop(priv->freq);
+        guint ap_band = freq_to_band(priv->freq);
-        if (!nm_streq(band, ap_band))
+        if (!strcmp(band, "a") && ap_band != 5)
            return FALSE;
        else if (!strcmp(band, "bg") && ap_band != 2)
            return FALSE;
        return TRUE;
    }
    channel = nm_setting_wireless_get_channel(s_wireless);
--- a/src/core/devices/wifi/nm-wifi-utils.c
+++ b/src/core/devices/wifi/nm-wifi-utils.c
@ -639,7 +639,7 @@ nm_wifi_utils_complete_connection(GBytes       *ap_ssid,
                chan_valid = FALSE;
            }
-            band = nm_wifi_freq_to_band_prop(ap_freq);
+            band = nm_utils_wifi_freq_to_band(ap_freq);
            if (band) {
                g_object_set(s_wifi, NM_SETTING_WIRELESS_BAND, band, NULL);
            } else {
@ -1929,19 +1929,3 @@ nm_wifi_utils_wfd_info_eq(const NMIwdWfdInfo *a, const NMIwdWfdInfo *b)
    return a->source == b->source && a->sink == b->sink && a->port == b->port
           && a->has_audio == b->has_audio && a->has_uibc == b->has_uibc && a->has_cp == b->has_cp;
 }
 const char *
 nm_wifi_freq_to_band_prop(guint32 freq)
 {
    switch (nm_utils_wifi_freq_to_band(freq)) {
    case NM_WIFI_BAND_2_4_GHZ:
        return "bg";
    case NM_WIFI_BAND_5_GHZ:
        return "a";
    case NM_WIFI_BAND_6_GHZ:
        return "6GHz";
    default:
    case NM_WIFI_BAND_UNKNOWN:
        return NULL;
    }
 }
--- a/src/core/devices/wifi/nm-wifi-utils.h
+++ b/src/core/devices/wifi/nm-wifi-utils.h
@ -56,6 +56,4 @@ bool    nm_wifi_utils_parse_wfd_ies(GBytes *ies, NMIwdWfdInfo *out_wfd);
 GBytes *nm_wifi_utils_build_wfd_ies(const NMIwdWfdInfo *wfd);
 bool    nm_wifi_utils_wfd_info_eq(const NMIwdWfdInfo *a, const NMIwdWfdInfo *b);
 const char *nm_wifi_freq_to_band_prop(guint32 freq);
 #endif /* __NM_WIFI_UTILS_H__ */
--- a/Show more
+++ b/Show more