release: bump version to 1.54.3

The function strerror_r returns an int per POSIX spec, but GNU version
returns char *. Using it fails the compilation in Alpine, so use
_nm_strerror_r instead that handles both cases.

Fixes: 41e28b900f ('daemon-helper: add read-file-as-user')
(cherry picked from commit 599cc1ed1d)
(cherry picked from commit ea759ccf3a)

.gitignore

@@ -81,6 +81,7 @@ test-*.trs
 /data/org.freedesktop.NetworkManager.service
 /data/server.conf
 /data/org.freedesktop.NetworkManager.policy
+/data/org.freedesktop.NetworkManager.policy.in
 /data/nm-sudo.service
 /data/nm-priv-helper.service
 /data/NetworkManager-config-initrd.service

.gitlab-ci.yml

@@ -60,11 +60,11 @@ variables:
   #
   # This is done by running `ci-fairy generate-template` and possibly bumping
   # ".default_tag".
-  ALPINE_TAG:  'tag-0c3a6f855fb8'
-  CENTOS_TAG:  'tag-c1c23df75dda'
-  DEBIAN_TAG:  'tag-d4bf5db9e214'
-  FEDORA_TAG:  'tag-c1c23df75dda'
-  UBUNTU_TAG:  'tag-d4bf5db9e214'
+  ALPINE_TAG:  'tag-dcc430216167'
+  CENTOS_TAG:  'tag-feb1adbc208e'
+  DEBIAN_TAG:  'tag-afb784497c2f'
+  FEDORA_TAG:  'tag-feb1adbc208e'
+  UBUNTU_TAG:  'tag-afb784497c2f'
 
   ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
   CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@@ -102,117 +102,7 @@ variables:
 # Build a container for each distribution + version. The ci-templates
 # will re-use the containers if the tag doesn't change.
 
-tier1:fedora:42@prep:
-  extends:
-    - .fdo.container-build@fedora
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: '42'
-    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
-    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule' || $SCHEDULED_PIPELINE_NAME == "weekly"
-
-tier2:fedora:rawhide@prep:
-  extends:
-    - .fdo.container-build@fedora
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'rawhide'
-    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
-    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
-tier2:centos:stream10@prep:
-  extends:
-    - .fdo.container-build@centos
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'stream10'
-    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
-    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
-tier2:centos:stream9@prep:
-  extends:
-    - .fdo.container-build@centos
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'stream9'
-    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
-    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
-tier2:ubuntu:devel@prep:
-  extends:
-    - .fdo.container-build@ubuntu
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'devel'
-    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
-    FDO_DISTRIBUTION_EXEC: $UBUNTU_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
-tier2:debian:testing@prep:
-  extends:
-    - .fdo.container-build@debian
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'testing'
-    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
-    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
-tier2:debian:sid@prep:
-  extends:
-    - .fdo.container-build@debian
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'sid'
-    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
-    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
-tier2:alpine:edge@prep:
-  extends:
-    - .fdo.container-build@alpine
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'edge'
-    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
-    FDO_DISTRIBUTION_EXEC: $ALPINE_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
-tier3:fedora:43@prep:
+tier1:fedora:43@prep:
   extends:
     - .fdo.container-build@fedora
   stage: prep
@@ -221,6 +111,18 @@ tier3:fedora:43@prep:
     FDO_DISTRIBUTION_VERSION: '43'
     FDO_DISTRIBUTION_TAG: $FEDORA_TAG
     FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule' || $SCHEDULED_PIPELINE_NAME == "weekly"
+
+tier3:fedora:42@prep:
+  extends:
+    - .fdo.container-build@fedora
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: '42'
+    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
+    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
       when: manual
@@ -366,6 +268,34 @@ tier3:alpine:3.19@prep:
       when: manual
       allow_failure: true
 
+tier3:centos:stream10@prep:
+  extends:
+    - .fdo.container-build@centos
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: 'stream10'
+    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
+    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+      when: manual
+      allow_failure: true
+
+tier3:centos:stream9@prep:
+  extends:
+    - .fdo.container-build@centos
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: 'stream9'
+    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
+    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+      when: manual
+      allow_failure: true
+
 #################################################################
 #                                                               #
 # tierN stage                                                   #
@@ -382,7 +312,7 @@ tier3:alpine:3.19@prep:
   dependencies: []
 
 
-t_fedora:42:
+t_fedora:43:
   extends:
     - .build@template
     - .fdo.distribution-image@fedora
@@ -398,122 +328,24 @@ t_fedora:42:
         - tarball
         - subtree
   variables:
-    FDO_DISTRIBUTION_VERSION: '42'
+    FDO_DISTRIBUTION_VERSION: '43'
     FDO_DISTRIBUTION_TAG: $FEDORA_TAG
   needs:
-    - "tier1:fedora:42@prep"
+    - "tier1:fedora:43@prep"
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
 
-t_fedora:rawhide:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@fedora
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'rawhide'
-    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
-  needs:
-    - "tier2:fedora:rawhide@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
-t_centos:stream10:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@centos
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'stream10'
-    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
-  needs:
-    - "tier2:centos:stream10@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
-t_centos:stream9:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@centos
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'stream9'
-    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
-  needs:
-    - "tier2:centos:stream9@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
-t_ubuntu:devel:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@ubuntu
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'devel'
-    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
-  needs:
-    - "tier2:ubuntu:devel@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
-t_debian:testing:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@debian
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'testing'
-    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
-  needs:
-    - "tier2:debian:testing@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
-t_debian:sid:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@debian
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'sid'
-    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
-  needs:
-    - "tier2:debian:sid@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
-t_alpine:edge:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@alpine
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'edge'
-    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
-  needs:
-    - "tier2:alpine:edge@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
-t_fedora:43:
+t_fedora:42:
   extends:
     - .build@template
     - .fdo.distribution-image@fedora
     - .nm_artifacts_debug
   stage: tier3
   variables:
-    FDO_DISTRIBUTION_VERSION: '43'
+    FDO_DISTRIBUTION_VERSION: '42'
     FDO_DISTRIBUTION_TAG: $FEDORA_TAG
   needs:
-    - "tier3:fedora:43@prep"
+    - "tier3:fedora:42@prep"
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
 
@@ -657,6 +489,34 @@ t_alpine:3.19:
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
 
+t_centos:stream10:
+  extends:
+    - .build@template
+    - .fdo.distribution-image@centos
+    - .nm_artifacts_debug
+  stage: tier3
+  variables:
+    FDO_DISTRIBUTION_VERSION: 'stream10'
+    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
+  needs:
+    - "tier3:centos:stream10@prep"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+
+t_centos:stream9:
+  extends:
+    - .build@template
+    - .fdo.distribution-image@centos
+    - .nm_artifacts_debug
+  stage: tier3
+  variables:
+    FDO_DISTRIBUTION_VERSION: 'stream9'
+    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
+  needs:
+    - "tier3:centos:stream9@prep"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+
 #################################################################
 #                                                               #
 # specific jobs                                                 #
@@ -667,10 +527,10 @@ check-patch:
   extends:
     - .fdo.distribution-image@fedora
   variables:
-    FDO_DISTRIBUTION_VERSION: '42'
+    FDO_DISTRIBUTION_VERSION: '43'
     FDO_DISTRIBUTION_TAG: $FEDORA_TAG
   needs:
-    - "tier1:fedora:42@prep"
+    - "tier1:fedora:43@prep"
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
   stage: tier1
@@ -682,10 +542,10 @@ check-tree:
   extends:
     - .fdo.distribution-image@fedora
   variables:
-    FDO_DISTRIBUTION_VERSION: '42'
+    FDO_DISTRIBUTION_VERSION: '43'
     FDO_DISTRIBUTION_TAG: $FEDORA_TAG
   needs:
-    - "tier1:fedora:42@prep"
+    - "tier1:fedora:43@prep"
   rules:
     - if: $CI_PIPELINE_SOURCE == 'merge_request_event' && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != $CI_DEFAULT_BRANCH
       allow_failure: true
@@ -713,11 +573,11 @@ pages:
   rules:
     - if: $CI_PIPELINE_SOURCE == 'schedule'
       when: never
-    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
   dependencies:
-    - "t_fedora:42: [meson+gcc+docs+valgrind]"
+    - "t_fedora:43: [meson+gcc+docs+valgrind]"
   needs:
-    - "t_fedora:42: [meson+gcc+docs+valgrind]"
+    - "t_fedora:43: [meson+gcc+docs+valgrind]"
 
 triage:issues:
   stage: triage
@@ -734,11 +594,11 @@ coverity:
   extends:
     - .fdo.distribution-image@fedora
   variables:
-    FDO_DISTRIBUTION_VERSION: '42'
+    FDO_DISTRIBUTION_VERSION: '43'
     FDO_DISTRIBUTION_TAG: $FEDORA_TAG
   stage: coverity
   needs:
-    - "tier1:fedora:42@prep"
+    - "tier1:fedora:43@prep"
   rules:
     - if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULED_PIPELINE_NAME == "weekly"
   script:

.gitlab-ci/ci.template

@@ -240,7 +240,7 @@ pages:
   rules:
     - if: $CI_PIPELINE_SOURCE == 'schedule'
       when: never
-    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
   dependencies:
     - "t_{{default_distro.name}}:{{default_distro.versions[0]}}: [meson+gcc+docs+valgrind]"
   needs:

.gitlab-ci/config.yml

@@ -23,39 +23,17 @@ distributions:
   - name: fedora
     tier: 1
     versions:
-      - '42'
+      - '43'
 
   # TIER 2: distribution versions that will or might use the current NM version.
   # Run when doing a release.
-  - name: fedora
-    tier: 2
-    versions:
-      - 'rawhide'
-  - name: centos
-    tier: 2
-    versions:
-      - 'stream10'
-      - 'stream9'
-  - name: ubuntu
-    tier: 2
-    versions:
-      - 'devel'
-  - name: debian
-    tier: 2
-    versions:
-      - 'testing'
-      - 'sid'
-  - name: alpine
-    tier: 2
-    versions:
-      - 'edge'
 
   # TIER 3: distribution versions not in EOL but don't use the current NM version.
   # Run when doing a release, but a failure won't be blocking for the release.
   - name: fedora
     tier: 3
     versions:
-      - '43'
+      - '42'
       - '41'
   - name: ubuntu
     tier: 3
@@ -75,3 +53,8 @@ distributions:
       - '3.21'
       - '3.20'
       - '3.19'
+  - name: centos
+    tier: 3
+    versions:
+      - 'stream10'
+      - 'stream9'

.gitlab-ci/distros-info.yml

@@ -8,9 +8,6 @@ fedora:
 - version: rawhide
   support: yes
   nm: main
-- version: 43
-  support: 2026-12-02
-  nm: 1.54
 - version: 42
   support: 2026-05-13
   nm: 1.52
@@ -21,11 +18,8 @@ fedora:
 
 # CentOS Stream
 centos:
-- version: stream10
-  support: 2030-12-31 # exact date unknown, only the year
-  nm: main
 - version: stream9
-  support: 2027-12-31 # exact date unknown, only the year
+  support: 2027-05-31
   nm: main
 
 # RHEL:
@@ -37,43 +31,33 @@ centos:
 #   support: 6 months
 # Releases and support info: https://access.redhat.com/support/policy/updates/errata
 rhel:
-# Not released yet
-- version: 10.1
+- version: 9.6  # not released yet
   support: yes
-  nm: 1.54
-- version: 9.7  # not released yet
+  nm: main
+- version: 9.5
   support: yes
-  nm: 1.54
-# Full support or EUS support:
-- version: 10.0
-  support: 2027-05-31
-  extended-support: 2029-05-31
-  nm: 1.52
-- version: 9.6
-  support: 2027-05-31
-  extended-support: 2029-05-31
-  nm: 1.52
+  nm: 1.48
 - version: 9.4
   support: 2026-04-30
   extended-support: 2028-04-30
   nm: 1.46
-- version: 8.10  # last RHEL 8 release, maintenaince support only
-  support: 2029-05-31
-  extended-support: no
-  nm: 1.40
-# SAP / Enhaced EUS only:
 - version: 9.2
   support: 2025-05-31
   extended-support: 2027-05-31
   nm: 1.42
-- version: 9.0
-  support: 2024-05-31
-  extended-support: 2026-05-31
-  nm: 1.36
+- version: 8.10  # last RHEL 8 release, maintenaince support only
+  support: 2029-05-31
+  extended-support: no
+  nm: 1.40
 - version: 8.8
   support: 2025-05-31
   extended-support: 2027-05-31
   nm: 1.40
+# SAP / Enhaced EUS only:
+- version: 9.0
+  support: 2024-05-31
+  extended-support: 2026-05-31
+  nm: 1.36
 - version: 8.6
   support: 2024-05-31
   extended-support: 2026-05-31
@@ -97,6 +81,10 @@ ubuntu:
   name: plucky
   support: 2026-01-15
   nm: 1.52
+- version: 24.10
+  name: oracular
+  support: 2025-07-10
+  nm: 1.48
 - version: 24.04
   name: noble
   support: 2029-05-31
@@ -121,11 +109,6 @@ debian:
 - version: sid
   support: yes
   nm: main
-- version: 13
-  name: trixie
-  support: 2028-08-09
-  extended-support: 2030-06-30
-  nm: 1.52
 - version: 12
   name: bookworm
   support: 2026-06-11
@@ -147,9 +130,6 @@ alpine:
 - version: edge
   support: yes
   nm: main
-- version: 3.22
-  support: 2027-05-01
-  nm: 1.52
 - version: 3.21
   support: 2026-11-01
   nm: 1.50

.gitlab-ci/run-test.sh

@@ -155,7 +155,12 @@ test_subtree() {
     do_clean
     pushd ./src/$d
 
-    CC="$cc" CFLAGS="-Werror -Wall" meson build
+    ARGS=()
+    if [ "$d" = n-acd ]; then
+        ARGS+=('-Debpf=false')
+    fi
+
+    CC="$cc" CFLAGS="-Werror -Wall" meson build "${ARGS[@]}"
     ninja -v -C build test
 
     popd

MAINTAINERS.md

@@ -252,25 +252,17 @@ Versioning scheme (version numbers are called MAJOR.MINOR.MICRO):
   versioning scheme than the main NM project despite there are no development
   versions here.
 
-Before starting:
-- You need to have the maintainer role in the project.
-- The GPG key used to sign the release must be added to your GNOME's Gitlab
-  profile and uploaded to a keyserver.
-- All details: https://handbook.gnome.org/maintainers/making-a-release.html
-
 When doing a release, follow this process:
 1. Ensure that `NEWS` file is up to date.
-2. Increment the version in `meson.build` or `configure.ac`.
-3. Commit and push to the `main` branch.
-4. Check that the Gitlab's pipeline finishes without errors.
-5. Tag the commit with a signed tag. Example: `git tag -s 1.2.8 -m 'Release 1.2.8'`.
-6. Push the tag. Example: `git push origin 1.2.8`.  
-   WARN: this is what starts the automatic CI release. As GNOME doesn't allow
-   to delete tags, any error detected after this will force a new version bump.
-7. Check that the Gitlab's pipeline finishes without errors. If that happens,
-   the release is done and available both in the Gitlab's releases section and
-   https://download.gnome.org/sources/*
-8. Announce the release on the mailing list.
+2. Increment the version in `meson.build`, commit and tag the commit. Example:
+   `git tag -s 1.2.8 -m 'Tag 1.2.8'`.
+3. Ensure that you are on the right commit and create the tarball:
+   `git clean -fdx && meson setup build && cd build && meson dist`
+4. Upload the tarball: `scp ./*-*.tar.xz "$user@master.gnome.org:"`
+5. Login to `master.gnome.org` and run `ftpadmin install`.  
+   Ensure the new tarballs show up at https://download.gnome.org/sources/
+   (happens after a short delay)
+6. Announce the release on the mailing list.
 
 Notes:
 - You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).

NEWS

@@ -1,65 +1,36 @@
-=============================================
-NetworkManager-1.58
-Overview of changes since NetworkManager-1.56
-=============================================
+===============================================
+NetworkManager-1.54.3
+Overview of changes since NetworkManager-1.54.2
+===============================================
 
-This is a snapshot of NetworkManager development. The API is
-subject to change and not guaranteed to be compatible with
-the later release.
-USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
-
-* Restrict the connectivity check to use the DNS servers defined on the
-  same link. If the link has no DNS servers, the connectivity check will
-  use any servers available in the system.
-* Install the systemd units in the initramfs using a systemd generator.
-* A new "check-connectivity" configuration option is available to disable the
-  connectivity check for selected interfaces.
-* Remove the modify_system build option that allowed setting up the
-  polkit permissions to allow non-admin users to create system-wide
-  connection. That configuration is discouraged because it can be used
-  to bypass filesystem permissions.
 * For private connections (the ones that specify a user in the
   "connection.permissions" property), verify that the user can access
   the 802.1X certificates and keys set in the connection.
 * Introduce a libnm function that can be used by VPN plugins to check
   user permissions on certificate and keys.
-* The support for Wireless Extensions is deprecated and will be
-  removed in a future release. Wireless Extensions are now disabled by
-  default.
 
-=============================================
-NetworkManager-1.56
-Overview of changes since NetworkManager-1.54
-=============================================
+===============================================
+NetworkManager-1.54.2
+Overview of changes since NetworkManager-1.54.1
+===============================================
 
-* nmcli now supports viewing and managing WireGuard peers.
 * Support reapplying the "sriov.vfs" property as long as
   "sriov.total-vfs" is not changed.
-* Support reapplying "bond-port.vlans".
-* Accept hostnames longer than 64 characters from DNS lookup.
+* Support configuring the HSR protocol version via the
+  "hsr.protocol-version" property.
+* Support configuring the HSR interlink port via the
+  "hsr.interlink" property.
+
+===============================================
+NetworkManager-1.54.1
+Overview of changes since NetworkManager-1.54.0
+===============================================
+
 * Make that global-dns configuration overwrites DNS searches and
   options from connections, instead of merging all together.
 * Add support for a new rd.net.dhcp.client-id option in
   nm-initrd-generator.
-* Add gsm device-uid setting to restrict the devices the connection applies to.
-* Support configuring the HSR protocol version via the
-  "hsr.protocol-version" property.
-* Fix a bug that makes broadband connections auto-connect getting 
-  blocked if the connection tries to reconnect when modem status is 
-  "disconnecting" / "disconnected".
-* Treat modem connection not having an operator code available
-  as a recoverable error.
-* Add support for configuring systemd-resolved's DNSSEC option
-  per-connection via the "connection.dnssec" connection property.
-* Support configuring the HSR interlink port via the
-  "hsr.interlink" property.
-* Fix some connection properties not being applied to vpn connections
-  (connection.mdns, connection.llmnr, connection.dns-over-tls,
-   connection.mptcp-flags, ipv6.ip6-privacy)
-* Update n-acd to always compile with eBPF enabled, as support
-  for eBPF is now detected at run time.
-* Add new MPTCP 'laminar' endpoint type, and set it by default alongside
-  the 'subflow' one.
+* Minor bug fixes.
 
 =============================================
 NetworkManager-1.54

config.h.meson

@@ -239,15 +239,6 @@
 /* Whether we build with OVS plugin */
 #mesondefine WITH_OPENVSWITCH
 
-/* Whether we build with team support */
-#mesondefine WITH_TEAMDCTL
-
-/* Whether we build with Wi-Fi support */
-#mesondefine WITH_WIFI
-
-/* Whether we build with WWAN support */
-#mesondefine WITH_WWAN
-
 /* Define if you have PPP support */
 #mesondefine WITH_PPP
 

contrib/alpine/REQUIRED_PACKAGES

@@ -30,6 +30,7 @@ apk add \
     'libpsl-dev' \
     'libsoup-dev' \
     'libteam-dev' \
+    'libtool' \
     'linux-headers' \
     'meson' \
     'mobile-broadband-provider-info' \

contrib/debian/REQUIRED_PACKAGES

@@ -62,6 +62,7 @@ install \
     libreadline-dev \
     libsystemd-dev \
     libteam-dev \
+    libtool \
     libudev-dev \
     locales \
     meson \

contrib/fedora/REQUIRED_PACKAGES

@@ -68,6 +68,7 @@ install \
     libndp-devel \
     libnvme-devel \
     libselinux-devel \
+    libtool \
     libuuid-devel \
     meson \
     mobile-broadband-provider-info-devel \

contrib/fedora/rpm/NetworkManager.spec

@@ -14,7 +14,6 @@
 
 %global epoch_version 1
 %global real_version __VERSION__
-%global git_tag_version __GIT_TAG_VERSION__
 %global rpm_version %{real_version}
 %global release_version __RELEASE_VERSION__
 %global snapshot __SNAPSHOT__
@@ -107,11 +106,6 @@
 %else
 %bcond_without iwd
 %endif
-%if 0%{?fedora} <= 43 || 0%{?rhel} <= 10
-%bcond_without polkit_noauth_group
-%else
-%bcond_with polkit_noauth_group
-%endif
 
 ###############################################################################
 
@@ -159,6 +153,17 @@
 %bcond_with ifcfg_migrate
 %endif
 
+%if 0%{?fedora}
+# Although eBPF would be available on Fedora's kernel, it seems
+# we often get SELinux denials (rh#1651654). But even aside them,
+# bpf(BPF_MAP_CREATE, ...) randomly fails with EPERM. That might
+# be related to `ulimit -l`. Anyway, this is not usable at the
+# moment.
+%global ebpf_enabled "no"
+%else
+%global ebpf_enabled "no"
+%endif
+
 # Fedora 33 enables LTO by default by setting CFLAGS="-flto -ffat-lto-objects".
 # However, we also require "-flto -flto-partition=none", so disable Fedora's
 # default and use our configure option --with-lto instead.
@@ -175,7 +180,7 @@ Group: System Environment/Base
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 URL: https://networkmanager.dev/
 
-#Source: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/releases/%{git_tag_version}/downloads/%{name}-%{real_version}.tar.xz
+#Source: https://download.gnome.org/sources/NetworkManager/%{real_version_major}/%{name}-%{real_version}.tar.xz
 Source: __SOURCE1__
 Source1: NetworkManager.conf
 Source2: 00-server.conf
@@ -248,6 +253,7 @@ Conflicts: NetworkManager-dispatcher-routing-rules <= 1:1.47.5-3
 %endif
 
 BuildRequires: gcc
+BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: meson
 BuildRequires: gettext-devel >= 0.19.8
@@ -621,10 +627,14 @@ Preferably use nmcli instead.
 %endif
 %if %{with wifi}
 	-Dwifi=true \
+%if 0%{?fedora}
+	-Dwext=true \
+%else
+	-Dwext=false \
+%endif
 %else
 	-Dwifi=false \
 %endif
-	-Dwext=false \
 %if %{with iwd}
 	-Diwd=true \
 %else
@@ -666,19 +676,21 @@ Preferably use nmcli instead.
 	-Dselinux=true \
 	-Dpolkit=true  \
 	-Dconfig_auth_polkit_default=true \
-%if %{with polkit_noauth_group}
-	-Dpolkit_noauth_group=wheel \
-%endif
+	-Dmodify_system=true \
 	-Dconcheck=true \
 %if 0%{?fedora}
 	-Dlibpsl=true \
 %else
 	-Dlibpsl=false \
+%endif
+%if %{ebpf_enabled} != "yes"
+	-Debpf=false \
+%else
+	-Debpf=true \
 %endif
 	-Dsession_tracking=systemd \
 	-Dsuspend_resume=systemd \
 	-Dsystemdsystemunitdir=%{_unitdir} \
-	-Dsystemdsystemgeneratordir=%{_systemdgeneratordir} \
 	-Dsystem_ca_path=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
 	-Ddbus_conf_dir=%{dbus_sys_dir} \
 	-Dtests=yes \
@@ -751,7 +763,6 @@ rm -f %{buildroot}%{_libdir}/pppd/%{ppp_version}/*.la
 rm -f %{buildroot}%{nmplugindir}/*.la
 
 # Don't use the *-initrd.service files yet, wait dracut to support them
-rm -f %{buildroot}%{_systemdgeneratordir}/nm-initrd-generator.sh
 rm -f %{buildroot}%{_unitdir}/NetworkManager-config-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
@@ -917,9 +928,6 @@ fi
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_priv_helper.service
 %{_datadir}/polkit-1/actions/*.policy
-%if %{with polkit_noauth_group}
-%{_datadir}/polkit-1/rules.d/org.freedesktop.NetworkManager.rules
-%endif
 %{_prefix}/lib/udev/rules.d/*.rules
 %{_prefix}/lib/firewalld/zones/nm-shared.xml
 # systemd stuff

contrib/fedora/rpm/build.sh

@@ -12,7 +12,6 @@ set -o pipefail
 #   RELEASE_VERSION=
 #   SNAPSHOT=
 #   VERSION=
-#   GIT_TAG_VERSION=
 #   COMMIT_FULL=
 #   COMMIT=
 #   USERNAME=
@@ -113,7 +112,6 @@ UUID=`uuidgen`
 RELEASE_VERSION="${RELEASE_VERSION:-$(git rev-list HEAD | wc -l)}"
 SNAPSHOT="${SNAPSHOT:-%{nil\}}"
 VERSION="${VERSION:-$(get_version || die "Could not read $VERSION")}"
-GIT_TAG_VERSION="${GIT_TAG_VERSION:-$VERSION}"
 COMMIT_FULL="${COMMIT_FULL:-$(git rev-parse --verify HEAD || die "Error reading HEAD revision")}"
 COMMIT="${COMMIT:-$(printf '%s' "$COMMIT_FULL" | sed 's/^\(.\{10\}\).*/\1/' || die "Error reading HEAD revision")}"
 BCOND_DEFAULT_DEBUG="${BCOND_DEFAULT_DEBUG:-0}"
@@ -157,7 +155,6 @@ if [[ "$SOURCE_FROM_GIT" == "1" ]]; then
 fi
 
 LOG "VERSION=$VERSION"
-LOG "GIT_TAG_VERSION=$GIT_TAG_VERSION"
 LOG "RELEASE_VERSION=$RELEASE_VERSION"
 LOG "SNAPSHOT=$SNAPSHOT"
 LOG "COMMIT_FULL=$COMMIT_FULL"
@@ -210,7 +207,6 @@ cp "$SOURCE_README_IFCFG_MIGRATED" "$TEMP/SOURCES/readme-ifcfg-rh-migrated.txt"
 write_changelog
 
 sed -e "s/__VERSION__/$VERSION/g" \
-    -e "s/__GIT_TAG_VERSION__/$GIT_TAG_VERSION/g" \
     -e "s/__RELEASE_VERSION__/$RELEASE_VERSION/g" \
     -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
     -e "s/__COMMIT__/$COMMIT/g" \

contrib/fedora/rpm/configure-for-system.sh

@@ -155,6 +155,7 @@ P_CRYPTO="${CRYPTO-}"
 P_DBUS_SYS_DIR="${DBUS_SYS_DIR-}"
 P_DHCP_DEFAULT="${DHCP_DEFAULT-}"
 P_DNS_RC_MANAGER_DEFAULT="${DNS_RC_MANAGER_DEFAULT-}"
+P_EBPF_ENABLED="${EBPF_ENABLED-no}"
 P_FIREWALLD_ZONE="${FIREWALLD_ZONE-}"
 P_IWD="${IWD-}"
 P_LOGGING_BACKEND_DEFAULT="${LOGGING_BACKEND_DEFAULT-}"
@@ -173,7 +174,6 @@ P_WIFI="${WIFI-1}"
 P_WWAN="${WWAN-1}"
 P_TEAM="${TEAM-1}"
 P_BLUETOOTH="${BLUETOOTH-1}"
-P_IFCFG_RH="${IFCFG_RH-0}"
 P_NMTUI="${NMTUI-1}"
 P_NM_CLOUD_SETUP="${NM_CLOUD_SETUP-1}"
 P_OVS="${OVS-1}"
@@ -203,7 +203,7 @@ if [ -z "$P_FEDORA" -a -z "$P_RHEL" ] ; then
         P_FEDORA="$x"
         P_RHEL=0
     else
-        x="$(grep -q 'ID="rhel"' /etc/os-release && sed -n 's/^VERSION_ID="*\([0-9]*\).*/\1/p' /etc/os-release)"
+        x="$(grep -q "ID=fedora" /etc/os-release && sed -n 's/VERSION_ID=//p' /etc/os-release)"
         if test "$x" -gt 0 ; then
             P_FEDORA=0
             P_RHEL="$x"
@@ -294,14 +294,6 @@ if [ -z "$P_MODEM_MANAGER_1" ] ; then
     fi
 fi
 
-if [ -z "$TEAM" ] && [ "${P_RHEL-0}" -ge 10 ] ; then
-    P_TEAM=0
-fi
-
-if [ -z "$IFCFG_RH" ] && [ -n "$P_RHEL" ] && [ "$P_RHEL" -le 9 ] ; then
-    P_IFCFG_RH=1
-fi
-
 if bool "$P_DEBUG" ; then
     P_CFLAGS="-g -Og -fexceptions${P_CFLAGS:+ }$P_CFLAGS"
 else
@@ -387,7 +379,7 @@ meson setup\
     -Db_lto="$(bool_true "$P_LTO")" \
     -Dlibaudit=yes-disabled-by-default \
     -Dmodem_manager="$(bool_true "$P_MODEM_MANAGER_1")" \
-    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext=false) \
+    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext="$(bool_true "$P_FEDORA")") \
     $(args_enable "$(bool_not_true "$P_WIFI")" -Dwifi=false                                  ) \
     -Diwd="$(bool_true "$P_IWD")" \
     -Dbluez5_dun="$(bool_true "$P_BLUETOOTH")" \
@@ -401,17 +393,18 @@ meson setup\
     -Dselinux=true \
     -Dpolkit=true  \
     -Dconfig_auth_polkit_default=true \
+    -Dmodify_system=true \
     -Dconcheck=true \
     -Dlibpsl="$(bool_true "$P_FEDORA")" \
+    -Debpf="$(bool_true "$P_EBPF_ENABLED")" \
     -Dsession_tracking=systemd \
     -Dsuspend_resume=systemd \
     -Dsystemdsystemunitdir=/usr/lib/systemd/system \
-    -Dsystemdsystemgeneratordir=/usr/lib/systemd/system-generators \
     -Dsystem_ca_path=/etc/pki/tls/cert.pem \
     -Ddbus_conf_dir="$P_DBUS_SYS_DIR" \
     -Dtests=yes \
     -Dvalgrind=no \
-    -Difcfg_rh="$(bool_true "$P_IFCFG_RH")" \
+    -Difcfg_rh=true \
     -Difupdown=false \
     $(args_enable "$P_PPP"                    -Dppp=true  -Dpppd="$D_SBINDIR/pppd" -Dpppd_plugin_dir="$D_LIBDIR/pppd/$P_PPP_VERSION") \
     $(args_enable "$(bool_not_true "$P_PPP")" -Dppp=false                                                                           ) \

contrib/scripts/nm-ci-run.sh

@@ -169,18 +169,18 @@ meson setup build \
     -D ld_gc=false \
     -D session_tracking=no \
     -D systemdsystemunitdir=no \
-    -D systemdsystemgeneratordir=no \
     -D systemd_journal=false \
     -D selinux=false \
     -D libaudit=no \
     -D libpsl=false \
     -D vapi=false \
     -D introspection=$_WITH_DOCS \
-    -D man=$_WITH_DOCS \
     -D qt=false \
     -D crypto=$_WITH_CRYPTO \
     -D docs=$_WITH_DOCS \
     \
+    -D ebpf=false \
+    \
     -D iwd=true \
     -D ofono=true \
     -D teamdctl=$_WITH_LIBTEAM \

data/NetworkManager-config-initrd.service.in

@@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Configuration (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-journald.socket
 After=systemd-journald.socket
 Before=systemd-udevd.service systemd-udev-trigger.service
+ConditionPathExists=/etc/initrd-release
 
 [Service]
 Type=oneshot
@@ -22,3 +22,6 @@ ExecStartPost=/bin/sh -c ' \
     fi \
 '
 RemainAfterExit=yes
+
+[Install]
+WantedBy=initrd.target

data/NetworkManager-initrd.service.in

@@ -1,11 +1,11 @@
 [Unit]
 Description=NetworkManager (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-udev-trigger.service network.target
 After=systemd-udev-trigger.service network-pre.target dbus.service NetworkManager-config-initrd.service
 Before=network.target
 BindsTo=dbus.service
+ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 ConditionPathExistsGlob=|/usr/lib/NetworkManager/system-connections/*
 ConditionPathExistsGlob=|/run/NetworkManager/system-connections/*
@@ -22,3 +22,11 @@ Environment=NM_CONFIG_ENABLE_TAG=initrd
 Restart=on-failure
 ProtectSystem=true
 ProtectHome=read-only
+
+[Install]
+WantedBy=initrd.target
+# We want to enable NetworkManager-wait-online-initrd.service whenever this
+# service is enabled. NetworkManager-wait-online-initrd.service has
+# WantedBy=network-online.target, so enabling it only has an effect if
+# network-online.target itself is enabled or pulled in by some other unit.
+Also=NetworkManager-config-initrd.service NetworkManager-wait-online-initrd.service

data/NetworkManager-wait-online-initrd.service.in

@@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Wait Online (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Requires=NetworkManager-initrd.service
 After=NetworkManager-initrd.service
 Before=network-online.target
+ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 
 [Service]
@@ -21,3 +21,6 @@ Type=oneshot
 ExecStart=@bindir@/nm-online -s -q
 RemainAfterExit=yes
 Environment=NM_ONLINE_TIMEOUT=3600
+
+[Install]
+WantedBy=initrd.target network-online.target

data/NetworkManager.service.in

@@ -19,7 +19,7 @@ KillMode=process
 # With a huge number of interfaces, starting can take a long time.
 TimeoutStartSec=600
 
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_BPF CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 
 ProtectSystem=true
 ProtectHome=read-only

data/meson.build

@@ -55,22 +55,21 @@ if install_udevdir
 endif
 
 if enable_polkit
+  policy = 'org.freedesktop.NetworkManager.policy'
+
+  policy_in = configure_file(
+    input: policy + '.in.in',
+    output: '@BASENAME@',
+    configuration: data_conf,
+  )
+
   i18n.merge_file(
-    input: 'org.freedesktop.NetworkManager.policy.in',
+    input: policy_in,
     output: '@BASENAME@',
     po_dir: po_dir,
     install: true,
-    install_dir: polkit_policydir,
+    install_dir: polkit_gobject_policydir,
   )
-
-  if polkit_noauth_group != ''
-    configure_file(
-      input: 'org.freedesktop.NetworkManager.rules.in',
-      output: '@BASENAME@',
-      install_dir: polkit_rulesdir,
-      configuration: {'NM_POLKIT_NOAUTH_GROUP': polkit_noauth_group},
-    )
-  endif
 endif
 
 if enable_firewalld_zone

data/org.freedesktop.NetworkManager.policy.in.in

@@ -117,8 +117,8 @@
     <message>System policy prevents modification of network settings for all users</message>
     <defaults>
       <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>auth_admin_keep</allow_inactive>
-      <allow_active>auth_admin_keep</allow_active>
+      <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
+      <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
     </defaults>
   </action>
 

data/org.freedesktop.NetworkManager.rules.in

@@ -1,17 +0,0 @@
-// NetworkManager authorizations/policy for the @NM_POLKIT_NOAUTH_GROUP@ group.
-//
-// DO NOT EDIT THIS FILE, it will be overwritten on update.
-//
-// Allow users in the @NM_POLKIT_NOAUTH_GROUP@ group to create system-wide connections without being
-// prompted for a password if they are in a local console.
-// This is optional and is only recommended to maintain backwards compatibility
-// in systems where it was already working in this way. It is discouraged
-// otherwise.
-
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
-        subject.isInGroup("@NM_POLKIT_NOAUTH_GROUP@") &&
-        subject.local) {
-        return polkit.Result.YES;
-    }
-});

docs/api/meson.build

@@ -1,8 +1,6 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 if enable_introspection
-  xsltproc = find_program('xsltproc')
-
   settings = 'settings-spec'
   output = settings + '.xml'
 

man/NetworkManager.conf.xml

@@ -83,11 +83,6 @@
     note that your distribution or other packages may drop configuration snippets for NetworkManager, such
     that they are part of the factory default.
     </para>
-    <para>
-    The options that are indicated as boolean can be set to one of these values:
-    <literal>yes</literal>, <literal>true</literal>, <literal>on</literal>, <literal>1</literal>,
-    <literal>no</literal>, <literal>false</literal>, <literal>off</literal>, <literal>0</literal>.
-    </para>
 
   </refsect1>
 
@@ -900,15 +895,11 @@ ipv6.ip6-privacy=0
         </varlistentry>
         <varlistentry>
           <term><varname>connection.mptcp-flags</varname></term>
-          <listitem><para>If unspecified, the fallback is 0x122 (<literal>"enabled,subflow,laminar"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
+          <listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>connection.dns-over-tls</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><varname>connection.dnssec</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>connection.stable-id</varname></term>
@@ -1254,13 +1245,12 @@ managed=1
           <term><varname>managed</varname></term>
           <listitem>
             <para>
-              A boolean value specifying whether the device is
-              managed or not. A device can be marked as managed via
-              udev rules (ENV{NM_UNMANAGED}), or via setting plugins
-              (keyfile.unmanaged-devices).  This is yet another
-              way. Note that this configuration can be overruled at
-              runtime via D-Bus. Also, it has higher priority than
-              udev rules.
+              Whether the device is managed or not. A device can be
+              marked as managed via udev rules (ENV{NM_UNMANAGED}),
+              or via setting plugins (keyfile.unmanaged-devices).
+              This is yet another way. Note that this configuration
+              can be overruled at runtime via D-Bus. Also, it has
+              higher priority then udev rules.
             </para>
           </listitem>
         </varlistentry>
@@ -1329,27 +1319,9 @@ managed=1
             </para>
           </listitem>
         </varlistentry>
-        <varlistentry id="check-connectivity">
-          <term><varname>check-connectivity</varname></term>
-          <listitem>
-            <para>
-              A boolean value specifying whether NetworkManager will perform a connectivity check
-              for this device. Defaults to <literal>yes</literal>.
-            </para>
-            <para>
-              This setting does nothing if the connectivity check has been
-              disabled globally using the
-              <literal>connectivity.enabled</literal> setting.
-            </para>
-          </listitem>
-        </varlistentry>
         <varlistentry id="keep-configuration">
-          <term><varname>keep-configuration</varname></term>
+         <term><varname>keep-configuration</varname></term>
           <listitem>
-            <para>
-              A boolean value indicating whether the existing device
-              configuration is kept at startup.
-            </para>
             <para>
               On startup, NetworkManager tries to not interfere with
               interfaces that are already configured. It does so by
@@ -1446,16 +1418,16 @@ managed=1
           <term><varname>wifi.iwd.autoconnect</varname></term>
           <listitem>
             <para>
-              A boolean value. If <literal>wifi.backend</literal> is <literal>iwd</literal>,
-              setting this to <literal>false</literal> forces IWD's autoconnect mechanism to be
-              disabled for this device and connections will only be initiated by NetworkManager
-              whether commanded by a client or automatically.  Leaving it <literal>true</literal>
-              (default) stops NetworkManager from automatically initiating connections and allows
-              IWD to use its network ranking and scanning logic to decide the best networks to
-              autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
-              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings like
-              <literal>permissions</literal> or <literal>multi-connect</literal> may interfere with
-              IWD connection attempts.
+              If <literal>wifi.backend</literal> is <literal>iwd</literal>, setting this to
+              <literal>false</literal> forces IWD's autoconnect mechanism to be disabled for
+              this device and connections will only be initiated by NetworkManager whether
+              commanded by a client or automatically.  Leaving it <literal>true</literal> (default)
+              stops NetworkManager from automatically initiating connections and allows
+              IWD to use its network ranking and scanning logic to decide the best networks
+              to autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
+              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings
+              like <literal>permissions</literal> or <literal>multi-connect</literal> may interfere
+              with IWD connection attempts.
             </para>
           </listitem>
         </varlistentry>
@@ -1514,7 +1486,7 @@ managed=1
       <variablelist>
         <varlistentry>
           <term><varname>enabled</varname></term>
-          <listitem><para>A boolean indicating whether connectivity check is enabled.
+          <listitem><para>Whether connectivity check is enabled.
           Note that to enable connectivity check, a valid uri must
           also be configured. The value defaults to true, but since
           the uri is unset by default, connectivity check may be disabled.

man/meson.build

@@ -1,5 +1,29 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
+common_ent_file = configure_file(
+  input: 'common.ent.in',
+  output: '@BASENAME@',
+  configuration: data_conf,
+)
+
+xsltproc_options = [
+  xsltproc,
+  '--output', '@OUTPUT@',
+  '--path', meson.current_build_dir(),
+  '--xinclude',
+  '--nonet',
+  '--stringparam', 'man.output.quietly', '1',
+  '--stringparam', 'funcsynopsis.style', 'ansi',
+  '--stringparam', 'man.th.extra1.suppress', '1',
+  '--stringparam', 'man.authors.section.enabled', '0',
+  '--stringparam', 'man.copyright.section.enabled', '0',
+  '--stringparam', 'man.th.title.max.length', '30',
+]
+
+docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
+
+mans_xmls = []
+
 mans = [
   ['NetworkManager', '8'],
   ['NetworkManager-dispatcher', '8'],
@@ -20,74 +44,24 @@ if enable_nm_cloud_setup
   mans += [['nm-cloud-setup', '8']]
 endif
 
-introspection_mans = [
-  ['nm-settings-keyfile', '5'],
-  ['nm-settings-dbus',    '5'],
-  ['nm-settings-nmcli',   '5'],
-]
+foreach man: mans
+  input = man[0] + '.xml'
+  content_files += join_paths(meson.current_source_dir(), input)
 
-if enable_ifcfg_rh
-  introspection_mans += [['nm-settings-ifcfg-rh', '5']]
-endif
+  output = '@0@.@1@'.format(man[0], man[1])
 
-built_mans = []
-foreach man: mans + introspection_mans
-  name = man[0] + '.' + man[1]
-  if not fs.exists(name)
-    built_mans = []
-    break
-  endif
-
-  built_mans += name
+  custom_target(
+    output,
+    input: input,
+    output: output,
+    command: xsltproc_options + [docbook_xls, '@INPUT@'],
+    depend_files: common_ent_file,
+    install: true,
+    install_dir: join_paths(nm_mandir, 'man' + man[1]),
+  )
 endforeach
 
-if enable_introspection or enable_docs
-  common_ent_file = configure_file(
-    input: 'common.ent.in',
-    output: '@BASENAME@',
-    configuration: data_conf,
-  )
-endif
-
-if enable_introspection and (enable_man or enable_docs)
-  xsltproc_options = [
-    find_program('xsltproc'),
-    '--output', '@OUTPUT@',
-    '--path', meson.current_build_dir(),
-    '--xinclude',
-    '--nonet',
-    '--stringparam', 'man.output.quietly', '1',
-    '--stringparam', 'funcsynopsis.style', 'ansi',
-    '--stringparam', 'man.th.extra1.suppress', '1',
-    '--stringparam', 'man.authors.section.enabled', '0',
-    '--stringparam', 'man.copyright.section.enabled', '0',
-    '--stringparam', 'man.th.title.max.length', '30',
-  ]
-
-  docbook_xls = 'http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl'
-
-  mans_xmls = []
-
-  foreach man: mans
-    input = man[0] + '.xml'
-    content_files += join_paths(meson.current_source_dir(), input)
-
-    output = '@0@.@1@'.format(man[0], man[1])
-
-    # not needed if only html requested
-    if enable_man
-      custom_target(
-        output,
-        input: input,
-        output: output,
-        command: xsltproc_options + [docbook_xls, '@INPUT@'],
-        depend_files: common_ent_file,
-        install: true,
-        install_dir: join_paths(nm_mandir, 'man' + man[1]),
-      )
-    endif
-  endforeach
-
+if enable_introspection
   merge_cmd = files(source_root / 'tools' / 'generate-docs-nm-settings-docs-merge.py')
 
   name = 'dbus'
@@ -150,23 +124,13 @@ if enable_introspection and (enable_man or enable_docs)
 
     output = '@0@.@1@'.format(man[0], man[1])
 
-    # not needed if only html requested
-    if enable_man
-      custom_target(
-        output,
-        input: input,
-        output: output,
-        command: xsltproc_options + [docbook_xls, '@INPUT@'],
-        install: true,
-        install_dir: join_paths(nm_mandir, 'man' + man[1]),
-      )
-    endif
+    custom_target(
+      output,
+      input: input,
+      output: output,
+      command: xsltproc_options + [docbook_xls, '@INPUT@'],
+      install: true,
+      install_dir: join_paths(nm_mandir, 'man' + man[1]),
+    )
   endforeach
-# not needed if only html requested
-elif enable_man
-  if built_mans.length() > 0
-    install_man(built_mans)
-  else
-    error('Building manpages requires xsltproc and -Dintrospection=true, and no prebuilt manpages were found. Try building from a release tarball or using -Dman=false.')
-  endif
 endif

man/nmcli.xml

@@ -1066,16 +1066,15 @@
             <listitem><para><literal>dummy</literal></para></listitem>
             <listitem><para><literal>generic</literal></para></listitem>
             <listitem><para><literal>gsm</literal></para></listitem>
-            <listitem><para><literal>hsr</literal></para></listitem>
             <listitem><para><literal>infiniband</literal></para></listitem>
             <listitem><para><literal>ip-tunnel</literal></para></listitem>
-            <listitem><para><literal>ipvlan</literal></para></listitem>
-            <listitem><para><literal>loopback</literal></para></listitem>
             <listitem><para><literal>macsec</literal></para></listitem>
             <listitem><para><literal>macvlan</literal></para></listitem>
             <listitem><para><literal>olpc-mesh</literal></para></listitem>
             <listitem><para><literal>ovs-bridge</literal></para></listitem>
+            <listitem><para><literal>ovs-dpdk</literal></para></listitem>
             <listitem><para><literal>ovs-interface</literal></para></listitem>
+            <listitem><para><literal>ovs-patch</literal></para></listitem>
             <listitem><para><literal>ovs-port</literal></para></listitem>
             <listitem><para><literal>pppoe</literal></para></listitem>
             <listitem><para><literal>team</literal></para></listitem>

meson.build

@@ -5,14 +5,14 @@ project(
 # NOTE: When incrementing version also add corresponding
 #       NM_VERSION_x_y_z macros in
 #       "src/libnm-core-public/nm-version-macros.h.in"
-  version: '1.57.1',
+  version: '1.54.3',
   license: 'GPL2+',
   default_options: [
     'buildtype=debugoptimized',
     'c_std=gnu11',
     'warning_level=2' # value "2" will add "-Wall" and "-Wextra" to the compiler flags
   ],
-  meson_version: '>= 0.53.0',
+  meson_version: '>= 0.51.0',
 )
 
 nm_name = meson.project_name()
@@ -77,7 +77,6 @@ libnm_version = '@0@.@1@.@2@'.format(current - age, age, revision)
 
 libnm_pkgincludedir = join_paths(nm_includedir, libnm_name)
 
-fs = import('fs')
 gnome = import('gnome')
 i18n = import('i18n')
 pkg = import('pkgconfig')
@@ -90,6 +89,7 @@ po_dir = source_root / 'po'
 top_inc = include_directories('.')
 
 perl = find_program('perl')
+xsltproc = find_program('xsltproc')
 
 check_exports = find_program(join_paths(source_root, 'tools', 'check-exports.sh'))
 
@@ -327,17 +327,12 @@ config_h.set10('WITH_CONFIG_PLUGIN_IFUPDOWN', enable_ifupdown)
 config_h.set_quoted('NM_DIST_VERSION', dist_version)
 
 enable_wifi = get_option('wifi')
-config_h.set10('WITH_WIFI', enable_wifi)
 
 enable_iwd = get_option('iwd')
 assert((not enable_iwd) or enable_wifi, 'Enabling iwd support requires Wi-Fi support as well')
 config_h.set10('WITH_IWD', enable_iwd)
 
-wext = get_option('wext')
-if wext == 'true'
-  error('Wireless Extensions support is deprecated and will be removed in the future. Use -Dwext=force to keep using it')
-endif
-enable_wext = (wext == 'force')
+enable_wext = get_option('wext')
 config_h.set10('HAVE_WEXT', enable_wext)
 
 # Checks for libdl - on certain platforms its part of libc
@@ -387,14 +382,6 @@ if install_systemdunitdir and systemd_systemdsystemunitdir == ''
   systemd_systemdsystemunitdir = systemd_dep.get_variable(pkgconfig: 'systemdsystemunitdir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif
 
-systemd_systemdsystemgeneratordir = get_option('systemdsystemgeneratordir')
-install_systemdgeneratordir = (systemd_systemdsystemgeneratordir != 'no')
-
-if install_systemdgeneratordir and systemd_systemdsystemgeneratordir == ''
-  assert(systemd_dep.found(), 'systemd required but not found, please provide a valid systemd user generator dir or disable it')
-  systemd_systemdsystemgeneratordir = systemd_dep.get_variable(pkgconfig: 'systemdsystemgeneratordir', pkgconfig_define: ['rootprefix', nm_prefix])
-endif
-
 enable_systemd_journal = get_option('systemd_journal')
 if enable_systemd_journal
   assert(libsystemd_dep.found(), 'Missing systemd-journald support')
@@ -489,6 +476,19 @@ if enable_selinux
 endif
 config_h.set10('HAVE_SELINUX', enable_selinux)
 
+# eBPF support
+ebpf_opt = get_option('ebpf')
+# 'auto' means 'false', because there are still issues.
+if ebpf_opt != 'true'
+  enable_ebpf = false
+else
+  enable_ebpf = true
+  if not cc.has_header('linux/bpf.h')
+    assert(ebpf_opt != 'true', 'eBPF requires kernel support')
+    enable_ebpf = false
+  endif
+endif
+
 # libaudit support
 libaudit = get_option('libaudit')
 enable_libaudit = libaudit.contains('yes')
@@ -507,14 +507,12 @@ if enable_teamdctl
   libteamdctl_dep = dependency('libteamdctl', version: '>= 1.9')
   assert(libteamdctl_dep.found(), 'You must have libteamdctl installed to build. Use -Dteamdctl=false to disable it')
 endif
-config_h.set10('WITH_TEAMDCTL', enable_teamdctl)
 
 # polkit
 enable_polkit = get_option('polkit')
 if enable_polkit
   # FIXME: policydir should be relative to `datadir`, not `prefix`. Fixed in https://gitlab.freedesktop.org/polkit/polkit/merge_requests/2
-  polkit_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
-  polkit_rulesdir = join_paths(fs.parent(polkit_policydir), 'rules.d')
+  polkit_gobject_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
 endif
 
 config_auth_polkit_default = get_option('config_auth_polkit_default')
@@ -524,12 +522,6 @@ endif
 config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default)
 
 enable_modify_system = get_option('modify_system')
-if enable_modify_system
-  # FIXME: remove this after everyone has stopped using modify_system
-  error('modify_system=true is no longer allowed due to security reasons')
-endif
-
-polkit_noauth_group = get_option('polkit_noauth_group')
 
 polkit_agent_helper_1_path = get_option('polkit_agent_helper_1')
 foreach p : [ '/usr/libexec/polkit-agent-helper-1',
@@ -624,7 +616,6 @@ if enable_modem_manager
   endif
   config_h.set_quoted('MOBILE_BROADBAND_PROVIDER_INFO_DATABASE', mobile_broadband_provider_info_database)
 endif
-config_h.set10('WITH_WWAN', enable_modem_manager)
 
 # Bluez5 DUN support
 enable_bluez5_dun = get_option('bluez5_dun')
@@ -825,7 +816,6 @@ if enable_nm_cloud_setup
   assert(jansson_dep.found(), 'nm-cloud-setup requires jansson library. Use -Dnm_cloud_setup=false to disable it')
 endif
 
-enable_man = get_option('man')
 enable_docs = get_option('docs')
 
 more_asserts = get_option('more_asserts')
@@ -924,6 +914,7 @@ endif
 test_args = [
   '--called-from-make',
   build_root,
+  '',
   enable_valgrind ? valgrind_path : '',
   enable_valgrind ? valgrind_suppressions_path : '',
   '--launch-dbus=auto',
@@ -962,6 +953,7 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED',                 ', '.join(config_dhcp_c
 data_conf.set('NM_MAJOR_VERSION',                        nm_major_version)
 data_conf.set('NM_MICRO_VERSION',                        nm_micro_version)
 data_conf.set('NM_MINOR_VERSION',                        nm_minor_version)
+data_conf.set('NM_MODIFY_SYSTEM_POLICY',                 (enable_modify_system ? 'yes' : 'auth_admin_keep'))
 data_conf.set('NM_VERSION',                              nm_version)
 data_conf.set('VERSION',                                 nm_version)
 data_conf.set('bindir',                                  nm_bindir)
@@ -972,6 +964,38 @@ data_conf.set('nmstatedir',                              nm_pkgstatedir)
 data_conf.set('sbindir',                                 nm_sbindir)
 data_conf.set('sysconfdir',                              nm_sysconfdir)
 
+# check if we can build setting property documentation
+'''
+build_docs=no
+if test -n "$INTROSPECTION_MAKEFILE"; then
+  # If g-i is installed we know we have python, but we might not have pygobject
+  if ! "$PYTHON" -c 'from gi.repository import GObject' >& /dev/null; then
+    AC_MSG_ERROR(["--enable-introspection aims to build the settings documentation. This requires GObject introspection for python (pygobject)])
+  fi
+
+  AC_PATH_PROG(PERL, perl)
+  if test -z "$PERL"; then
+    AC_MSG_ERROR([--enable-introspection requires perl])
+  fi
+  AC_PATH_PROG(XSLTPROC, xsltproc)
+  if test -z "$XSLTPROC"; then
+    AC_MSG_ERROR([--enable-introspection requires xsltproc])
+  fi
+
+  have_introspection=yes
+  if test "$enable_gtk_doc" = "yes"; then
+    build_docs=yes
+  fi
+else
+  if test "$enable_gtk_doc" = "yes"; then
+    # large parts of the documentation require introspection/pygobject to extract
+    # the documentation out of the source files. You cannot enable gtk-doc without alone.
+    AC_MSG_ERROR(["--with-gtk-doc requires --enable-introspection"])
+  fi
+  have_introspection=no
+fi
+'''
+
 content_files = []
 
 subdir('introspection')
@@ -1009,14 +1033,9 @@ if enable_qt != 'false'
   endif
 endif
 
-# The man/ directory builds a couple targets needed by the docs build too.
-# If we build with docs but no man, then enter the subdir and only build
-# some targets.
-if enable_docs or enable_man
-  subdir('man')
-endif
 if enable_docs
   assert(enable_introspection, '-Ddocs=true requires -Dintrospection=true')
+  subdir('man')
   subdir('docs')
   meson.add_dist_script(
     'tools/meson-dist-data.sh',
@@ -1067,7 +1086,7 @@ meson.add_install_script(
   nm_pkgstatedir,
   nm_mandir,
   nm_sysconfdir,
-  enable_man ? '1' : '0',
+  enable_docs ? '1' : '0',
   enable_ifcfg_rh ? '1' : '0',
   enable_nm_cloud_setup ? '1' : '0',
   install_systemdunitdir ? '1' : '0',
@@ -1077,7 +1096,6 @@ output = '\nSystem paths:\n'
 output += '  prefix: ' + nm_prefix + '\n'
 output += '  exec_prefix: ' + nm_prefix + '\n'
 output += '  systemdunitdir: ' + systemd_systemdsystemunitdir + '\n'
-output += '  systemdgeneratordir: ' + systemd_systemdsystemgeneratordir + '\n'
 output += '  udev_dir: ' + udev_udevdir + '\n'
 output += '  nmbinary: ' + nm_pkgsbindir + '\n'
 output += '  nmconfdir: ' + nm_pkgconfdir + '\n'
@@ -1092,7 +1110,17 @@ output += '  dbus_conf_dir: ' + dbus_conf_dir + '\n'
 output += '\nPlatform:\n'
 output += '  session tracking: ' + ','.join(session_trackers) + '\n'
 output += '  suspend/resume: ' + suspend_resume + '\n'
-output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ', noauth_group: "' + polkit_noauth_group + '")\n'
+output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')'
+if enable_polkit
+  output += ' ('
+  if enable_modify_system
+    output += 'permissive'
+  else
+    output += 'restrictive'
+  endif
+  output += ' modify.system)'
+endif
+output += '\n'
 output += '  polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n'
 output += '  selinux: ' + enable_selinux.to_string() + '\n'
 output += '  systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
@@ -1156,5 +1184,6 @@ output +=      'have-nss: ' + crypto_nss_dep.found().to_string() + ')\n'
 output += '  sanitizers: ' + get_option('b_sanitize') + '\n'
 output += '  Mozilla Public Suffix List: ' + enable_libpsl.to_string() + '\n'
 output += '  vapi: ' + enable_vapi.to_string() + '\n'
+output += '  ebpf: ' + enable_ebpf.to_string() + '\n'
 output += '  readline: ' + with_readline + '\n'
 message(output)

meson_options.txt

@@ -1,6 +1,5 @@
 # system paths
 option('systemdsystemunitdir', type: 'string', value: '', description: 'Directory for systemd service files')
-option('systemdsystemgeneratordir', type: 'string', value: '', description: 'Directory for systemd generator files')
 option('system_ca_path', type: 'string', value: '/etc/ssl/certs', description: 'path to system CA certificates')
 option('udev_dir', type: 'string', value: '', description: 'Absolute path of the udev base directory. Set to \'no\' not to install the udev rule')
 option('dbus_conf_dir', type: 'string', value: '', description: 'where D-Bus system.d directory is')
@@ -19,8 +18,7 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'],
 option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support')
 option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.')
 option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.')
-option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)')
-option('polkit_noauth_group', type: 'string', value: '', description: 'Allow users of the selected group, typically sudo or wheel, to modify system connections without introducing a password (discouraged)')
+option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections')
 option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit')
 option('selinux', type: 'boolean', value: true, description: 'Build with SELinux')
 option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')
@@ -30,7 +28,7 @@ option('hostname_persist', type: 'combo', choices: ['default', 'suse', 'gentoo',
 option('libaudit', type: 'combo', choices: ['yes', 'yes-disabled-by-default', 'no'], value: 'yes', description: 'Build with audit daemon support. yes-disabled-by-default enables support, but disables it unless explicitly configured via NetworkManager.conf')
 
 # features
-option('wext', type: 'combo', choices: ['true', 'false', 'force' ], value: 'false', description: 'Enable or disable Linux Wireless Extensions (deprecated). wext support will be removed in a future release, don\'t rely on this.')
+option('wext', type: 'boolean', value: true, description: 'Enable or disable Linux Wireless Extensions')
 option('wifi', type: 'boolean', value: true, description: 'enable Wi-Fi support')
 option('iwd', type: 'boolean', value: false, description: 'enable iwd support (experimental)')
 option('ppp', type: 'boolean', value: true, description: 'enable PPP/PPPoE support')
@@ -46,7 +44,7 @@ option('nmcli', type: 'boolean', value: true, description: 'Build nmcli')
 option('nmtui', type: 'boolean', value: true, description: 'Build nmtui')
 option('nm_cloud_setup', type: 'boolean', value: true, description: 'Build nm-cloud-setup, a tool for automatically configuring networking in cloud')
 option('bluez5_dun', type: 'boolean', value: false, description: 'enable Bluez5 DUN support')
-option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support (deprecated)')
+option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support')
 option('nbft', type: 'boolean', value: true, description: 'Enable NBFT support in the initrd generator')
 
 # configuration plugins
@@ -69,7 +67,6 @@ option('config_dhcp_default', type: 'combo', choices: ['dhclient', 'dhcpcd', 'in
 option('introspection', type: 'boolean', value: true, description: 'Enable introspection for this build')
 option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
 option('docs', type: 'boolean', value: false, description: 'use to build documentation')
-option('man', type: 'boolean', value: true, description: 'Install manpages')
 option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
 option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
 option('more_asserts', type: 'string', value: 'auto', description: 'Enable more assertions for debugging (0 = no, 100 = all, default: auto)')

po/POTFILES.in

@@ -1,6 +1,6 @@
 # List of source files containing translatable strings.
 # Please keep this file sorted alphabetically.
-data/org.freedesktop.NetworkManager.policy.in
+data/org.freedesktop.NetworkManager.policy.in.in
 src/core/NetworkManagerUtils.c
 src/core/devices/adsl/nm-device-adsl.c
 src/core/devices/bluetooth/nm-bluez-manager.c

po/ca.po

@@ -8,15 +8,14 @@
 # Lubomir Rintel <lkundrak@v3.sk>, 2016. #zanata
 # Lubomir Rintel <lkundrak@v3.sk>, 2017. #zanata
 # Thomas Haller <thaller@redhat.com>, 2017. #zanata
-# Jordi Mas i Hernàndez <jmas@softcatala.org>, 2025
 msgid ""
 msgstr ""
 "Project-Id-Version: NetworkManager\n"
 "Report-Msgid-Bugs-To: https://gitlab.freedesktop.org/NetworkManager/"
 "NetworkManager/issues\n"
 "POT-Creation-Date: 2023-06-16 15:26+0000\n"
-"PO-Revision-Date: 2025-09-28 00:07+0200\n"
-"Last-Translator: Jordi Mas i Hernàndez <jmas@softcatala.org>\n"
+"PO-Revision-Date: 2023-06-17 00:07+0200\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Catalan <tradgnome@softcatala.org>\n"
 "Language: ca\n"
 "MIME-Version: 1.0\n"
@@ -356,7 +355,7 @@ msgstr "Connexió WPAN"
 
 #: src/core/devices/team/nm-device-team.c:131
 msgid "Team connection"
-msgstr "Connexió d'equip"
+msgstr "Connexió equip"
 
 #: src/core/devices/wifi/nm-device-olpc-mesh.c:112 src/nmcli/devices.c:1400
 msgid "Mesh"
@@ -649,7 +648,7 @@ msgstr "Surt després de la configuració inicial"
 #: src/core/nm-config.c:639
 msgid "Don't become a daemon, and log to stderr"
 msgstr ""
-"No et converteixis en un dimoni, i envia el registre a la sortida d'error"
+"No et converteixis en un dimoni, i envia el registre a la sortida estàndard"
 
 #: src/core/nm-config.c:648
 msgid "An http(s) address for checking internet connectivity"
@@ -796,7 +795,7 @@ msgstr "La connexió no era una connexió Ethernet o PPPoE."
 
 #: src/libnm-client-impl/nm-device-ethernet.c:206
 msgid "The connection and device differ in S390 subchannels."
-msgstr "La connexió i el dispositiu difereixen als subcanals S390."
+msgstr "La connexió i el dispositiu difereixen als subcanals 5930."
 
 #: src/libnm-client-impl/nm-device-ethernet.c:223
 #, c-format
@@ -882,7 +881,7 @@ msgstr "La connexió no era una connexió tun."
 
 #: src/libnm-client-impl/nm-device-team.c:124
 msgid "The connection was not a team connection."
-msgstr "La connexió no era una connexió d'equip."
+msgstr "La connexió no era una connexió equip."
 
 #: src/libnm-client-impl/nm-device-tun.c:204
 msgid "The connection was not a tun connection."
@@ -1326,27 +1325,27 @@ msgstr ""
 
 #: src/libnm-core-impl/nm-keyfile.c:333
 msgid "ignoring missing number"
-msgstr "s'ignora el número faltant"
+msgstr "s'ignorarà el número faltant"
 
 #: src/libnm-core-impl/nm-keyfile.c:345
 #, c-format
 msgid "ignoring invalid number '%s'"
-msgstr "s'ignora el número «%s» no vàlid"
+msgstr "s'ignorarà el número «%s» no vàlid"
 
 #: src/libnm-core-impl/nm-keyfile.c:374
 #, c-format
 msgid "ignoring invalid %s address: %s"
-msgstr "s'ignora l'adreça %s no vàlida: %s"
+msgstr "s'ignorarà l'adreça %s no vàlida: %s"
 
 #: src/libnm-core-impl/nm-keyfile.c:420
 #, c-format
 msgid "ignoring invalid gateway '%s' for %s route"
-msgstr "s'ignora la passarel·la «%s» no vàlida per a la ruta %s"
+msgstr "s'ignorarà la passarel·la «%s» no vàlida per a la ruta %s"
 
 #: src/libnm-core-impl/nm-keyfile.c:442
 #, c-format
 msgid "ignoring invalid %s route: %s"
-msgstr "s'ignora la ruta %s no vàlida: %s"
+msgstr "s'ignorarà la ruta %s no vàlida: %s"
 
 #: src/libnm-core-impl/nm-keyfile.c:620
 #, c-format
@@ -1362,7 +1361,7 @@ msgstr "caràcter «%c» inesperat per a %s: «%s» (posició %td)"
 #, c-format
 msgid "unexpected character '%c' in prefix length for %s: '%s' (position %td)"
 msgstr ""
-"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)"
+"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)<"
 
 #: src/libnm-core-impl/nm-keyfile.c:669
 #, c-format
@@ -1414,11 +1413,11 @@ msgstr "s'ignorarà l'adreça %s no vàlida: %s"
 
 #: src/libnm-core-impl/nm-keyfile.c:1518
 msgid "ignoring invalid SSID"
-msgstr "s'ignora l'SSID no vàlida"
+msgstr "s'ignorarà l'SSID no vàlida"
 
 #: src/libnm-core-impl/nm-keyfile.c:1536
 msgid "ignoring invalid raw password"
-msgstr "s'ignora la contrasenya sense processar no vàlida"
+msgstr "s'ignorarà la contrasenya sense processar no vàlida"
 
 #: src/libnm-core-impl/nm-keyfile.c:1681
 msgid "invalid key/cert value"
@@ -1459,7 +1458,7 @@ msgstr "valor de paritat «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:1958 src/libnm-core-impl/nm-keyfile.c:3540
 #, c-format
 msgid "invalid setting: %s"
-msgstr "el paràmetre no és vàlid: %s"
+msgstr "el paràmetre no és vàlid: «%s»"
 
 #: src/libnm-core-impl/nm-keyfile.c:1978
 #, fuzzy, c-format
@@ -1974,7 +1973,7 @@ msgstr "file:// URI no és UTF-8 vàlida"
 
 #: src/libnm-core-impl/nm-setting-connection.c:1501
 msgid "invalid permissions not in format \"user:$UNAME[:]\""
-msgstr "els permisos no són vàlids, no estan en el format «user:$UNAME[:]"
+msgstr "els permisos no són vàlids, no estan en el format «user:$UNANE[:]"
 
 #: src/libnm-core-impl/nm-setting-connection.c:1530
 #, c-format
@@ -2087,7 +2086,7 @@ msgstr "«%s» no és un número"
 
 #: src/libnm-core-impl/nm-setting-gsm.c:479
 msgid "property is empty or wrong size"
-msgstr "la propietat és buida o de mida incorrecta"
+msgstr "la propietat és buda o de mida incorrecta"
 
 #: src/libnm-core-impl/nm-setting-gsm.c:492
 msgid "property must contain only digits"
@@ -2099,12 +2098,12 @@ msgstr "no es pot activar quan hi ha una configuració manual"
 
 #: src/libnm-core-impl/nm-setting-infiniband.c:215
 msgid "Must specify a P_Key if specifying parent"
-msgstr "S'ha d'especificar una P_Key si s'especifica el pare"
+msgstr "S'ha d'especificar una P-Key si s'especifica el pare"
 
 #: src/libnm-core-impl/nm-setting-infiniband.c:226
 msgid "InfiniBand P_Key connection did not specify parent interface name"
 msgstr ""
-"La connexió InfiniBand P_Key no ha especificat el nom de la interfície pare"
+"La connexió InfiniBand P_Key no ha especificat el nom de l'interfície pare"
 
 #: src/libnm-core-impl/nm-setting-infiniband.c:234
 msgid "the values 0 and 0x8000 are not allowed"
@@ -2157,12 +2156,12 @@ msgstr "Adreça IPv4 «%s» no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:106
 #, c-format
 msgid "Invalid IPv4 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv4 no vàlid"
+msgstr "Prefix «%u» d'adreça IPv4 no vàlida"
 
 #: src/libnm-core-impl/nm-setting-ip-config.c:107
 #, c-format
 msgid "Invalid IPv6 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv6 no vàlid"
+msgstr "Prefix «%u» d'adreça IPv6 no vàlida<"
 
 #: src/libnm-core-impl/nm-setting-ip-config.c:124
 #, c-format
@@ -2209,7 +2208,7 @@ msgstr "el prefix %s no és vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1423
 #, c-format
 msgid "%s is not a valid route type"
-msgstr "%s no és un tipus de ruta vàlid"
+msgstr "%s no és un nom de ruta vàlid"
 
 #: src/libnm-core-impl/nm-setting-ip-config.c:1442
 #, fuzzy
@@ -2433,7 +2432,7 @@ msgstr "La ruta %d. no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5638
 #, c-format
 msgid "invalid attribute: %s"
-msgstr "atribut no vàlid: %s"
+msgstr "atribut no vàlid: «%s»"
 
 #: src/libnm-core-impl/nm-setting-ip-config.c:5658
 #, c-format
@@ -4106,7 +4105,7 @@ msgstr "«%s» no és vàlid; useu [%s] or [%s]"
 #: src/libnmc-base/nm-client-utils.c:176
 #, c-format
 msgid "'%s' is not valid; use [%s], [%s] or [%s]"
-msgstr "«%s» no és vàlid, useu [%s], [%s] o [%s]"
+msgstr "«%s» no és vàld, useu [%s], [%s] o [%s]"
 
 #: src/libnmc-base/nm-client-utils.c:230
 #, c-format
@@ -4677,7 +4676,7 @@ msgstr "clau privada no vàlida"
 #, fuzzy, c-format
 msgid "Secrets are required to connect WireGuard VPN '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 
 #: src/libnmc-base/nm-secret-agent-simple.c:620
@@ -4699,7 +4698,7 @@ msgid ""
 "Passwords or encryption keys are required to access the wireless network "
 "'%s'."
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 
 #: src/libnmc-base/nm-secret-agent-simple.c:886
@@ -4710,7 +4709,7 @@ msgstr "Autenticació 802.1X de xarxa amb fil"
 #, fuzzy, c-format
 msgid "Secrets are required to access the wired network '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 
 #: src/libnmc-base/nm-secret-agent-simple.c:893
@@ -5419,10 +5418,10 @@ msgid ""
 msgstr ""
 "Entreu els bytes com una llista de valors hexadecimals.\n"
 "S'accepten dos formats:\n"
-"(a) una cadena de dígits hexadecimals, on cada dos dígits representen un "
+"(a) una cadena de dígits exadecimals, on cada dos dígits representen un "
 "byte\n"
-"(b) una llista separada per espais de bytes escrits com a dígits hexadecimals "
-"(amb prefix opcional 0x/0X,i un 0 inicial opcional).\n"
+"(b) una llista separada per espais de bytes escrits com a dígits hexadecimas "
+"(amb prefix opcional 0x/0X,i un 0 inicial opcional). \n"
 "\n"
 "Exemples: ab0455a6ea3a74C2\n"
 "          ab 4 55 0xa6 ea 3a 74 C2\n"
@@ -5494,7 +5493,7 @@ msgstr "Demora cap endavant"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5280
 #: src/nmtui/nmt-page-bridge.c:134
 msgid "Hello time"
-msgstr "Temps de benvinguda"
+msgstr "Temps de benviguda"
 
 #: src/libnmc-setting/nm-meta-setting-desc.c:5286
 #: src/nmtui/nmt-page-bridge.c:148
@@ -5568,7 +5567,7 @@ msgid ""
 msgstr ""
 "Entreu les connexions secundàries que s'haurien d'activar quan s'activa "
 "aquesta connexió. Les connexions es poden especificar o bé per UUID o per ID "
-"(nom). nmcli tradueix transparentment els noms a UUID. Noteu que el "
+"(nom). L'nmcli tradueix transparentment els noms a UUID. Noteu que el "
 "NetworkManager actualment sols dóna suport els VPN com a connexions "
 "secundàries.\n"
 "Els elements es poden separar per comes o espais.\n"
@@ -5677,7 +5676,7 @@ msgid ""
 "  priority [prio] [from [src]] [to [dst]], ,...\n"
 "\n"
 msgstr ""
-"Introduïu una llista de regles d'encaminament IPv4 amb el següent format:\n"
+"Introduïu una llista de regles d'encaminanent IPv4 amb el següent format:\n"
 "  priority [prioritat] [from [origen]] [to [destí]], ,...\n"
 "\n"
 "\n"
@@ -5697,7 +5696,7 @@ msgstr ""
 "configuració IPv6 \n"
 "és «auto» aquests servidors DNS s'annexen als que retorna (si retorna cap) "
 "la \n"
-"configuració automàtica. Els servidors DNS no es poden usar amb els mètodes "
+"configuració automatica. Els servidors DNS no es poden usar amb els métodes "
 "de \n"
 "configuracó DNS «shared» o «link-local», atès que no hi una xarxa superior. "
 "A tots\n"
@@ -8152,12 +8151,12 @@ msgstr ""
 "canonada (|) o un ampersand (&). El primer indica que l'element és opcional "
 "i el segon significa que és obligatori. Si hi ha algun element opcional, "
 "llavors la coincidència avalua a cert si almenys un dels elements opcionals "
-"coincideix (O lògica). Si hi ha elements obligatoris, llavors tots han de "
+"coincideix (O lògicà). Si hi ha elements obligatoris, llavors tots han de "
 "coincidir (I lògica). Per defecte, un element és opcional. Això significa "
 "que un element «foo» es comporta igual que «|foo». Un element també es pot "
 "invertir amb el símbol d'exclamació (!) entre el símbol de la canonada (o de "
 "l'ampersand) i abans del patró. Tingueu en compte que «!foo» és una drecera "
-"per al patró obligatori «&!foo». Finalment, es pot utilitzar una barra "
+"per al patró obligatòri «&!foo». Finalment, es pot utilitzar una barra "
 "inversa al començament de l'element (després dels caràcters especials "
 "opcionals) per no considerar-lo inici del patró. Per exemple, «\\!a» és una "
 "coincidència obligatòria per literalment «!a»."
@@ -10723,7 +10722,7 @@ msgstr "Error: «%s» no és una connexió activa.\n"
 
 #: src/nmcli/connections.c:3436
 msgid "Error: not all active connections found."
-msgstr "Error: No s'han trobat totes les connexions actives."
+msgstr "Error: No s'han trobar totes les connexions actives."
 
 #: src/nmcli/connections.c:3444
 msgid "Error: no active connection provided."
@@ -11042,7 +11041,7 @@ msgstr ""
 "Verifica si el paràmetre o la connexió és vàlida i es pot desar més tard.\n"
 "Indica valors no vàlids quan hi ha un error. Alguns errors es poden "
 "corregir\n"
-"automàticament amb l'opció «fix».\n"
+"automàticaent amb l'opció «fix».\n"
 "\n"
 "Exemples: nmcli> verify\n"
 "          nmcli> verify fix\n"
@@ -11064,7 +11063,7 @@ msgid ""
 msgstr ""
 "save [persistent|temporary]  :: desa la connexió\n"
 "\n"
-"Envia el perfil de la connexió al NetworkManager que o bé la desarà de forma\n"
+"Envia el perfil de la connexió al NetworManager que o bé la desarà de forma\n"
 "persistent o bé sols la mantindrà a la memòria. «desa» sense cap argument\n"
 "significa «desa de forma persistent».\n"
 "Noteu que un cop que deseu el perfile de forma persistent aquestes "
@@ -11486,7 +11485,7 @@ msgstr "Opció no vàlida de verificació: %s\n"
 #: src/nmcli/connections.c:8486
 #, c-format
 msgid "Verify setting '%s': %s\n"
-msgstr "Verifica el paràmetre «%s»: %s\n"
+msgstr "Verifica el paràmere «%s»: %s\n"
 
 #: src/nmcli/connections.c:8501
 #, c-format
@@ -11553,12 +11552,12 @@ msgstr "Error: no es pot activar la connexió: %s.\n"
 #: src/nmcli/connections.c:8679
 #, c-format
 msgid "Error: Failed to activate '%s' (%s) connection: %s\n"
-msgstr "Error: no s'ha pogut activar la connexió «%s» (%s): %s\n"
+msgstr "Error: no s'ha pogut desconnectar la connexió «%s» (%s): %s\n"
 
 #: src/nmcli/connections.c:8686
 msgid "Monitoring connection activation (press any key to continue)\n"
 msgstr ""
-"S'està supervisant l'activació de la connexió (premeu qualsevol tecla per "
+"S'està supervisant l'activació de la connexio (premeu qualsevol teclar per "
 "continuar)\n"
 
 #: src/nmcli/connections.c:8721
@@ -11583,7 +11582,7 @@ msgstr "Configuració actual del nmcli:\n"
 #: src/nmcli/connections.c:8753
 #, c-format
 msgid "Invalid configuration option '%s'; allowed [%s]\n"
-msgstr "Opció de configuració no vàlida: «%s»; es permet [%s]\n"
+msgstr "Opció de configuració no vàida: «%s»; es permet [%s]\n"
 
 #: src/nmcli/connections.c:8985
 #, fuzzy
@@ -12397,7 +12396,7 @@ msgstr "Error: no s'ha pogut afegir/activar la connexió nova: %s"
 #: src/nmcli/devices.c:2266
 #, c-format
 msgid "Error: Device activation failed: %s"
-msgstr "Error: no s'ha pogut activar el dispositiu: %s"
+msgstr "Error: no s'ha pogut activar el dispositu: %s"
 
 #: src/nmcli/devices.c:2322
 #, c-format
@@ -12604,7 +12603,7 @@ msgstr "Contrasenya: "
 #: src/nmcli/devices.c:4172
 #, c-format
 msgid "'%s' is not valid WPA PSK"
-msgstr "«%s» no és una WPA PSK vàlida"
+msgstr "«%s» no és una WPS PSK vàlida"
 
 #: src/nmcli/devices.c:4193
 #, c-format
@@ -13539,7 +13538,7 @@ msgstr "Error: s'esperava l'argument «%s», però s'ha proporcionat «%s»."
 #: src/nmcli/utils.c:315
 #, c-format
 msgid "Error: Unexpected argument '%s'"
-msgstr "Error: argument inesperat «%s»"
+msgstr "Error: argument inesperat «%s»."
 
 #: src/nmcli/utils.c:702
 #, fuzzy, c-format
@@ -13898,7 +13897,7 @@ msgstr "«%s» <"
 #. NB: the ordering/numbering here corresponds to NmtPageBondMonitoringMode
 #: src/nmtui/nmt-page-bond.c:92
 msgid "MII (recommended)"
-msgstr "MII (recomanat)"
+msgstr "MII (recomendat)"
 
 #: src/nmtui/nmt-page-bond.c:93
 msgid "ARP"
@@ -14544,7 +14543,7 @@ msgstr ""
 
 #: src/nmtui/nmtui-edit.c:394 src/nmtui/nmtui-edit.c:410
 msgid "New Connection"
-msgstr "Connexió nova"
+msgstr "Connexions nova"
 
 #: src/nmtui/nmtui-edit.c:452
 #, c-format

po/it.po

@@ -12596,7 +12596,7 @@ msgstr "Digitare «help» o «?» per i comandi disponibili."
 #. TRANSLATORS: do not translate 'print', leave it as it is
 #: src/nmcli/connections.c:9072
 msgid "Type 'print' to show all the connection properties."
-msgstr "Digitare «print» per mostrare tutte le proprietà della connessione."
+msgstr "Digitare «stampa» per mostrare tutte le proprietà della connessione."
 
 #. TRANSLATORS: do not translate 'describe', leave it as it is
 #: src/nmcli/connections.c:9075

src/contrib/nm-vpn-plugin-utils.c

@@ -155,33 +155,3 @@ nm_vpn_plugin_utils_load_editor(const char                   *module_path,
     g_return_val_if_fail(NM_IS_VPN_EDITOR(editor), NULL);
     return editor;
 }
-
-char *
-nm_vpn_plugin_utils_get_cert_path(const char *plugin)
-{
-    const char *path;
-
-    g_return_val_if_fail(plugin, NULL);
-
-    /* Users can set NM_CERT_PATH=~/.cert to be compatible with the certificate
-     * directory used in the past. */
-    path = g_getenv("NM_CERT_PATH");
-    if (path)
-        return g_build_filename(path, plugin, NULL);
-
-    /* Otherwise use XDG_DATA_HOME. We use subdirectory "networkmanagement/certificates"
-     * because the SELinux policy already has rules to set the correct labels in that
-     * directory. */
-    path = g_getenv("XDG_DATA_HOME");
-    if (path)
-        return g_build_filename(path, "networkmanagement", "certificates", plugin, NULL);
-
-    /* Use the default value for XDG_DATA_HOME */
-    return g_build_filename(g_get_home_dir(),
-                            ".local",
-                            "share",
-                            "networkmanagement",
-                            "certificates",
-                            plugin,
-                            NULL);
-}

src/contrib/nm-vpn-plugin-utils.h

@@ -24,6 +24,4 @@ NMVpnEditor *nm_vpn_plugin_utils_load_editor(const char                   *modul
                                              gpointer                      user_data,
                                              GError                      **error);
 
-char *nm_vpn_plugin_utils_get_cert_path(const char *plugin);
-
 #endif /* __NM_VPN_PLUGIN_UTILS_H__ */

src/core/devices/nm-device-bridge.c

@@ -1066,7 +1066,7 @@ attach_port(NMDevice                  *device,
 
             plat_vlans = setting_vlans_to_platform(vlans, &num_vlans);
 
-            /* Since the link was just attached, there are no existing VLANs
+            /* Since the link was just enportd, there are no existing VLANs
              * (except for the default one) and so there's no need to flush. */
 
             if (plat_vlans

src/core/devices/nm-device-ethernet.c

@@ -14,6 +14,7 @@
 #include <libudev.h>
 #include <linux/if_ether.h>
 
+#include "NetworkManagerUtils.h"
 #include "NetworkManagerUtils.h"
 #include "libnm-core-aux-intern/nm-libnm-core-utils.h"
 #include "libnm-core-intern/nm-core-internal.h"
@@ -707,9 +708,6 @@ supplicant_iface_start(NMDeviceEthernet *self)
     NMDeviceEthernetPrivate            *priv   = NM_DEVICE_ETHERNET_GET_PRIVATE(self);
     gs_unref_object NMSupplicantConfig *config = NULL;
     gs_free_error GError               *error  = NULL;
-    NMActRequest                       *request;
-    NMActiveConnection                 *controller_ac;
-    NMDevice                           *controller;
 
     config = build_supplicant_config(self, &error);
     if (!config) {
@@ -724,16 +722,6 @@ supplicant_iface_start(NMDeviceEthernet *self)
     }
 
     nm_supplicant_interface_disconnect(priv->supplicant.iface);
-
-    /* Tell the supplicant in which bridge the interface is */
-    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
-        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
-        && (controller = nm_active_connection_get_device(controller_ac))
-        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
-    } else
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
-
     nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
     return TRUE;
 }
@@ -1913,7 +1901,7 @@ get_ip_method_auto(NMDevice *device, int addr_family)
         /* We cannot do DHCPv4 on a PPP link, instead we get "auto" IP addresses
          * by pppd. Return "manual" here, which has the suitable effect to a
          * (zero) manual addresses in addition. */
-        return NM_SETTING_IP4_CONFIG_METHOD_MANUAL;
+        return NM_SETTING_IP6_CONFIG_METHOD_MANUAL;
     }
 
     return NM_SETTING_IP6_CONFIG_METHOD_AUTO;

src/core/devices/nm-device-macsec.c

@@ -440,9 +440,6 @@ supplicant_iface_start(NMDeviceMacsec *self)
     NMDeviceMacsecPrivate              *priv   = NM_DEVICE_MACSEC_GET_PRIVATE(self);
     gs_unref_object NMSupplicantConfig *config = NULL;
     gs_free_error GError               *error  = NULL;
-    NMActRequest                       *request;
-    NMActiveConnection                 *controller_ac;
-    NMDevice                           *controller;
 
     config = build_supplicant_config(self, &error);
     if (!config) {
@@ -455,16 +452,6 @@ supplicant_iface_start(NMDeviceMacsec *self)
     }
 
     nm_supplicant_interface_disconnect(priv->supplicant.iface);
-
-    /* Tell the supplicant in which bridge the interface is */
-    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
-        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
-        && (controller = nm_active_connection_get_device(controller_ac))
-        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
-    } else
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
-
     nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
     return TRUE;
 }

src/core/devices/nm-device-private.h

@@ -115,6 +115,9 @@ gboolean nm_device_sysctl_ip_conf_set(NMDevice   *self,
 
 NML3ConfigData *nm_device_create_l3_config_data(NMDevice *self, NMIPConfigSource source);
 
+NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
+                                                                NMConnection *connection);
+
 void nm_device_ip_method_dhcp4_start(NMDevice *self);
 
 void nm_device_ip_method_autoconf6_start(NMDevice *self);

src/core/devices/nm-device-utils.c

@@ -143,9 +143,7 @@ NM_UTILS_LOOKUP_STR_DEFINE(
     NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_SETTINGS,
                              "unmanaged-user-settings"),
     NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE,
-                             "modem-no-operator-code"), );
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"), );
 
 NM_UTILS_LOOKUP_STR_DEFINE(nm_device_mtu_source_to_string,
                            NMDeviceMtuSource,

src/core/devices/nm-device-wireguard.c

@@ -1672,57 +1672,6 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
     return ret;
 }
 
-static gboolean
-skip_peer_route(const NMIPAddr    *peer_addr,
-                guint              peer_addr_prefix,
-                int                addr_family,
-                NMSettingIPConfig *s_ip)
-{
-    guint num_addresses;
-    guint i;
-
-    /*
-     * If the allowed-ip subnet is already reachable on the interface via the
-     * prefix route of a static IP address, skip adding the peer route.
-     * We don't want to override the prefix route with a new one because the
-     * prefix route also specifies the correct source IP address.
-     *
-     * wg-quick does something similar here:
-     * https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?h=v1.0.20250521#n177
-     * The condition in wg-quick is a bit different because it checks that no
-     * duplicate route exists on the interface. We can't do exactly the same
-     * because here we don't have visibility on all the platform routes.
-     */
-
-    if (!s_ip)
-        return FALSE;
-
-    num_addresses = nm_setting_ip_config_get_num_addresses(s_ip);
-    for (i = 0; i < num_addresses; i++) {
-        NMIPAddr     setting_addr;
-        NMIPAddr     peer_addr_tmp;
-        guint        setting_prefix;
-        NMIPAddress *a;
-
-        peer_addr_tmp = *peer_addr;
-
-        a = nm_setting_ip_config_get_address(s_ip, i);
-        nm_ip_address_get_address_binary(a, &setting_addr);
-        setting_prefix = nm_ip_address_get_prefix(a);
-
-        if (setting_prefix > peer_addr_prefix)
-            continue;
-
-        nm_ip_addr_clear_host_address(addr_family, &setting_addr, NULL, setting_prefix);
-        nm_ip_addr_clear_host_address(addr_family, &peer_addr_tmp, NULL, setting_prefix);
-
-        if (nm_ip_addr_equal(addr_family, &peer_addr_tmp, &setting_addr))
-            return TRUE;
-    }
-
-    return FALSE;
-}
-
 static const NML3ConfigData *
 _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 {
@@ -1789,7 +1738,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 
         n_aips = nm_wireguard_peer_get_allowed_ips_len(peer);
         for (j = 0; j < n_aips; j++) {
-            NMSettingIPConfig *s_ip;
             NMPlatformIPXRoute rt;
             NMIPAddr           addrbin;
             const char        *aip;
@@ -1797,8 +1745,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
             int                prefix;
             guint32            rtable_coerced;
 
-            aip  = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
-            s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
+            aip = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
 
             if (!valid || !nm_inet_parse_with_prefix_bin(addr_family, aip, NULL, &addrbin, &prefix))
                 continue;
@@ -1807,6 +1754,9 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
                 prefix = (addr_family == AF_INET) ? 32 : 128;
 
             if (prefix == 0) {
+                NMSettingIPConfig *s_ip;
+
+                s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
                 if (nm_setting_ip_config_get_never_default(s_ip))
                     continue;
             }
@@ -1819,9 +1769,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 
             nm_ip_addr_clear_host_address(addr_family, &addrbin, NULL, prefix);
 
-            if (skip_peer_route(&addrbin, prefix, addr_family, s_ip))
-                continue;
-
             rtable_coerced = route_table_coerced;
 
             if (prefix == 0 && auto_default_route_enabled) {

src/core/devices/nm-device.c

@@ -113,19 +113,6 @@ typedef enum {
     RELEASE_PORT_TYPE_CONFIG_FORCE,
 } ReleasePortType;
 
-/**
- * CleanupType:
- * @CLEANUP_TYPE_KEEP: Cleanup internally but keep the real device's config. This is
- *   often used when moving a partially managed device to "unmanaged" (but not only).
- * @CLEANUP_TYPE_REMOVED: The device suddently disappeared. Cleanup internally but don't
- *   make any action on the real device at all, as it no longer exists.
- * @CLEANUP_TYPE_DECONFIGURE: Also deconfigure the real device. This is the typical
- *   action when a connection or device is set to "down", or fully managed devices
- *   moved to "unmanaged".
- * @CLEANUP_TYPE_KEEP_REAPPLY: Like %CLEANUP_TYPE_KEEP, but indicating that it's a
- *   reapply. Some special actions can be done if we're doing a reapply, like keeping
- *   the existing DHCP lease, for example.
- */
 typedef enum {
     CLEANUP_TYPE_KEEP,
     CLEANUP_TYPE_REMOVED,
@@ -278,11 +265,11 @@ typedef struct {
     NMDeviceIPState state;
     union {
         struct {
-            NMDnsMasqManager     *dnsmasq_manager;
-            NMNetnsIPReservation *ip_reservation;
-            NMFirewallConfig     *firewall_config;
-            gulong                dnsmasq_state_id;
-            const NML3ConfigData *l3cd;
+            NMDnsMasqManager      *dnsmasq_manager;
+            NMNetnsSharedIPHandle *shared_ip_handle;
+            NMFirewallConfig      *firewall_config;
+            gulong                 dnsmasq_state_id;
+            const NML3ConfigData  *l3cd;
         } v4;
         struct {
         } v6;
@@ -1424,12 +1411,14 @@ _prop_get_ipvx_routed_dns(NMDevice *self, int addr_family)
 }
 
 static NMSettingConnectionMdns
-_prop_get_connection_mdns(NMDevice *self, NMConnection *connection)
+_prop_get_connection_mdns(NMDevice *self)
 {
+    NMConnection           *connection;
     NMSettingConnectionMdns mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT;
 
     g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_MDNS_DEFAULT);
 
+    connection = nm_device_get_applied_connection(self);
     if (connection)
         mdns = nm_setting_connection_get_mdns(nm_connection_get_setting_connection(connection));
     if (mdns != NM_SETTING_CONNECTION_MDNS_DEFAULT)
@@ -1464,12 +1453,14 @@ _prop_get_sriov_preserve_on_down(NMDevice *self, NMSettingSriov *s_sriov)
 }
 
 static NMSettingConnectionLlmnr
-_prop_get_connection_llmnr(NMDevice *self, NMConnection *connection)
+_prop_get_connection_llmnr(NMDevice *self)
 {
+    NMConnection            *connection;
     NMSettingConnectionLlmnr llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
 
     g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_LLMNR_DEFAULT);
 
+    connection = nm_device_get_applied_connection(self);
     if (connection)
         llmnr = nm_setting_connection_get_llmnr(nm_connection_get_setting_connection(connection));
     if (llmnr != NM_SETTING_CONNECTION_LLMNR_DEFAULT)
@@ -1484,12 +1475,14 @@ _prop_get_connection_llmnr(NMDevice *self, NMConnection *connection)
 }
 
 static NMSettingConnectionDnsOverTls
-_prop_get_connection_dns_over_tls(NMDevice *self, NMConnection *connection)
+_prop_get_connection_dns_over_tls(NMDevice *self)
 {
+    NMConnection                 *connection;
     NMSettingConnectionDnsOverTls dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
 
     g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
 
+    connection = nm_device_get_applied_connection(self);
     if (connection)
         dns_over_tls = nm_setting_connection_get_dns_over_tls(
             nm_connection_get_setting_connection(connection));
@@ -1504,33 +1497,15 @@ _prop_get_connection_dns_over_tls(NMDevice *self, NMConnection *connection)
                                                        NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
 }
 
-static NMSettingConnectionDnssec
-_prop_get_connection_dnssec(NMDevice *self, NMConnection *connection)
-{
-    NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
-
-    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
-
-    if (connection)
-        dnssec = nm_setting_connection_get_dnssec(nm_connection_get_setting_connection(connection));
-    if (dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
-        return dnssec;
-
-    return nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
-                                                       NM_CON_DEFAULT("connection.dnssec"),
-                                                       self,
-                                                       NM_SETTING_CONNECTION_DNSSEC_NO,
-                                                       NM_SETTING_CONNECTION_DNSSEC_YES,
-                                                       NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
-}
-
 static NMMptcpFlags
-_prop_get_connection_mptcp_flags(NMDevice *self, NMConnection *connection)
+_prop_get_connection_mptcp_flags(NMDevice *self)
 {
-    NMMptcpFlags mptcp_flags = NM_MPTCP_FLAGS_NONE;
+    NMConnection *connection;
+    NMMptcpFlags  mptcp_flags = NM_MPTCP_FLAGS_NONE;
 
     g_return_val_if_fail(NM_IS_DEVICE(self), NM_MPTCP_FLAGS_DISABLED);
 
+    connection = nm_device_get_applied_connection(self);
     if (connection) {
         mptcp_flags =
             nm_setting_connection_get_mptcp_flags(nm_connection_get_setting_connection(connection));
@@ -2496,14 +2471,16 @@ _prop_get_ipv4_dhcp_vendor_class_identifier(NMDevice *self, NMSettingIP4Config *
 }
 
 static NMSettingIP6ConfigPrivacy
-_prop_get_ipv6_ip6_privacy(NMDevice *self, NMConnection *connection)
+_prop_get_ipv6_ip6_privacy(NMDevice *self)
 {
     NMSettingIP6ConfigPrivacy ip6_privacy;
+    NMConnection             *connection;
 
     g_return_val_if_fail(self, NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN);
 
     /* 1.) First look at the per-connection setting. If it is not -1 (unknown),
      * use it. */
+    connection = nm_device_get_applied_connection(self);
     if (connection) {
         NMSettingIPConfig *s_ip6 = nm_connection_get_setting_ip6_config(connection);
 
@@ -3636,12 +3613,11 @@ nm_device_create_l3_config_data_from_connection(NMDevice *self, NMConnection *co
 
     l3cd =
         nm_l3_config_data_new_from_connection(nm_device_get_multi_index(self), ifindex, connection);
-    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self, connection));
-    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self, connection));
-    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self, connection));
-    nm_l3_config_data_set_dnssec(l3cd, _prop_get_connection_dnssec(self, connection));
-    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self, connection));
-    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self, connection));
+    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self));
+    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self));
+    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self));
+    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self));
+    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self));
     return l3cd;
 }
 
@@ -6344,14 +6320,6 @@ concheck_is_possible(NMDevice *self)
     if (priv->state == NM_DEVICE_STATE_UNKNOWN)
         return FALSE;
 
-    if (!nm_config_data_get_device_config_boolean_by_device(
-            NM_CONFIG_GET_DATA,
-            NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
-            self,
-            TRUE,
-            TRUE))
-        return FALSE;
-
     return TRUE;
 }
 
@@ -6372,10 +6340,8 @@ concheck_periodic_schedule_do(NMDevice *self, int addr_family, gint64 now_ns)
         goto out;
     }
 
-    if (!concheck_is_possible(self)) {
-        concheck_update_state(self, addr_family, NM_CONNECTIVITY_UNKNOWN, FALSE);
+    if (!concheck_is_possible(self))
         goto out;
-    }
 
     nm_assert(now_ns > 0);
     nm_assert(priv->concheck_x[IS_IPv4].p_cur_interval > 0);
@@ -6598,11 +6564,7 @@ concheck_update_interval(NMDevice *self, int addr_family, gboolean check_now)
         concheck_periodic_schedule_do(self, addr_family, 0);
 
         /* also update the fake connectivity state. */
-        if (concheck_is_possible(self))
-            concheck_update_state(self, addr_family, NM_CONNECTIVITY_FAKE, TRUE);
-        else
-            concheck_update_state(self, addr_family, NM_CONNECTIVITY_UNKNOWN, FALSE);
-
+        concheck_update_state(self, addr_family, NM_CONNECTIVITY_FAKE, TRUE);
         return;
     }
 
@@ -6631,7 +6593,6 @@ concheck_update_state(NMDevice           *self,
     /* @state is a result of the connectivity check. We only expect a precise
      * number of possible values. */
     nm_assert(NM_IN_SET(state,
-                        NM_CONNECTIVITY_UNKNOWN,
                         NM_CONNECTIVITY_LIMITED,
                         NM_CONNECTIVITY_PORTAL,
                         NM_CONNECTIVITY_FULL,
@@ -6955,11 +6916,8 @@ nm_device_check_connectivity(NMDevice                    *self,
                              NMDeviceConnectivityCallback callback,
                              gpointer                     user_data)
 {
-    if (!concheck_is_possible(self)) {
-        concheck_update_state(self, AF_INET, NM_CONNECTIVITY_UNKNOWN, FALSE);
-        concheck_update_state(self, AF_INET6, NM_CONNECTIVITY_UNKNOWN, FALSE);
+    if (!concheck_is_possible(self))
         return NULL;
-    }
 
     concheck_periodic_schedule_set(self, addr_family, CONCHECK_SCHEDULE_CHECK_EXTERNAL);
     return concheck_start(self, addr_family, callback, user_data, FALSE);
@@ -8347,17 +8305,6 @@ config_changed(NMConfig           *config,
             && !nm_device_get_applied_setting(self, NM_TYPE_SETTING_SRIOV))
             device_init_static_sriov_num_vfs(self);
     }
-
-    if (NM_FLAGS_HAS(changes, NM_CONFIG_CHANGE_VALUES) && concheck_is_possible(self)) {
-        /* restart (periodic) connectivity checks if they were previously disabled */
-        if (!nm_config_data_get_device_config_boolean_by_device(
-                old_data,
-                NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
-                self,
-                TRUE,
-                TRUE))
-            nm_device_check_connectivity_update_interval(self);
-    }
 }
 
 static void
@@ -13027,7 +12974,7 @@ _dev_ipac6_start(NMDevice *self)
             .router_solicitations         = router_solicitations,
             .router_solicitation_interval = router_solicitation_interval,
             .ra_timeout                   = ra_timeout,
-            .ip6_privacy                  = _prop_get_ipv6_ip6_privacy(self, connection),
+            .ip6_privacy                  = _prop_get_ipv6_ip6_privacy(self),
         };
 
         priv->ipac6_data.ndisc = nm_lndp_ndisc_new(&config);
@@ -13214,6 +13161,7 @@ _dev_addrgenmode6_set(NMDevice *self, guint8 addr_gen_mode)
     if (!priv->addrgenmode6_data.previous_mode_has) {
         priv->addrgenmode6_data.previous_mode_has = TRUE;
         priv->addrgenmode6_data.previous_mode_val = cur_addr_gen_mode;
+        nm_assert(priv->addrgenmode6_data.previous_mode_val == cur_addr_gen_mode);
     }
 
     _LOGD_ip(AF_INET6,
@@ -13702,7 +13650,7 @@ _dev_ipsharedx_cleanup(NMDevice *self, int addr_family)
             nm_clear_pointer(&priv->ipshared_data_4.v4.firewall_config, nm_firewall_config_free);
         }
 
-        nm_clear_pointer(&priv->ipshared_data_4.v4.ip_reservation, nm_netns_ip_reservation_release);
+        nm_clear_pointer(&priv->ipshared_data_4.v4.shared_ip_handle, nm_netns_shared_ip_release);
         nm_clear_l3cd(&priv->ipshared_data_4.v4.l3cd);
 
         _dev_l3_register_l3cds_set_one(self, L3_CONFIG_DATA_TYPE_SHARED_4, NULL, FALSE);
@@ -13736,14 +13684,13 @@ _dev_ipshared4_new_l3cd(NMDevice *self, NMConnection *connection, NMPlatformIP4A
 
         nm_ip_address_get_address_binary(user, &a);
         nm_platform_ip4_address_set_addr(&address, a, nm_ip_address_get_prefix(user));
-        nm_clear_pointer(&priv->ipshared_data_4.v4.ip_reservation, nm_netns_ip_reservation_release);
+        nm_clear_pointer(&priv->ipshared_data_4.v4.shared_ip_handle, nm_netns_shared_ip_release);
     } else {
-        if (!priv->ipshared_data_4.v4.ip_reservation)
-            priv->ipshared_data_4.v4.ip_reservation =
-                nm_netns_ip_reservation_get(nm_device_get_netns(self),
-                                            NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
+        if (!priv->ipshared_data_4.v4.shared_ip_handle)
+            priv->ipshared_data_4.v4.shared_ip_handle =
+                nm_netns_shared_ip_reserve(nm_device_get_netns(self));
         nm_platform_ip4_address_set_addr(&address,
-                                         priv->ipshared_data_4.v4.ip_reservation->addr,
+                                         priv->ipshared_data_4.v4.shared_ip_handle->addr,
                                          24);
     }
 
@@ -14336,7 +14283,6 @@ can_reapply_change(NMDevice   *self,
                                                  NM_SETTING_CONNECTION_MDNS,
                                                  NM_SETTING_CONNECTION_LLMNR,
                                                  NM_SETTING_CONNECTION_DNS_OVER_TLS,
-                                                 NM_SETTING_CONNECTION_DNSSEC,
                                                  NM_SETTING_CONNECTION_MPTCP_FLAGS,
                                                  NM_SETTING_CONNECTION_WAIT_ACTIVATION_DELAY);
     }
@@ -14595,7 +14541,6 @@ check_and_reapply_connection(NMDevice            *self,
                 NM_SETTING_CONNECTION_MDNS,
                 NM_SETTING_CONNECTION_LLMNR,
                 NM_SETTING_CONNECTION_DNS_OVER_TLS,
-                NM_SETTING_CONNECTION_DNSSEC,
                 NM_SETTING_CONNECTION_MPTCP_FLAGS)) {
             priv->ip_data_4.do_reapply = TRUE;
             priv->ip_data_6.do_reapply = TRUE;
@@ -17340,25 +17285,6 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
         /* controller: release ports */
         nm_device_controller_release_ports_all(self);
 
-        /* port: detach from controller */
-        if (priv->controller) {
-            nm_device_controller_release_port(priv->controller,
-                                              self,
-                                              RELEASE_PORT_TYPE_CONFIG,
-                                              reason);
-        }
-    }
-
-    /* port: mark no longer attached */
-    if (priv->controller && priv->ifindex > 0
-        && nm_platform_link_get_controller(nm_device_get_platform(self), priv->ifindex) <= 0) {
-        nm_device_controller_release_port(priv->controller,
-                                          self,
-                                          RELEASE_PORT_TYPE_NO_CONFIG,
-                                          NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED);
-    }
-
-    if (cleanup_type == CLEANUP_TYPE_DECONFIGURE) {
         /* Take out any entries in the routing table and any IP address the device had. */
         if (ifindex > 0) {
             NMPlatform *platform = nm_device_get_platform(self);
@@ -17382,6 +17308,15 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
     if (ifindex > 0)
         nm_platform_ip4_dev_route_blacklist_set(nm_device_get_platform(self), ifindex, NULL);
 
+    /* port: mark no longer attached */
+    if (priv->controller && priv->ifindex > 0
+        && nm_platform_link_get_controller(nm_device_get_platform(self), priv->ifindex) <= 0) {
+        nm_device_controller_release_port(priv->controller,
+                                          self,
+                                          RELEASE_PORT_TYPE_NO_CONFIG,
+                                          NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED);
+    }
+
     lldp_setup(self, NM_TERNARY_FALSE);
 
     nm_device_update_metered(self);

src/core/devices/nm-device.h

@@ -853,7 +853,4 @@ void nm_routing_rules_sync(NMConnection *applied_connection,
                            NMDevice *self,
                            NMNetns  *netns);
 
-NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
-                                                                NMConnection *connection);
-
 #endif /* __NETWORKMANAGER_DEVICE_H__ */

src/core/devices/ovs/nm-ovsdb.c

@@ -1890,7 +1890,7 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
         == -1) {
         /* This doesn't really have to be an error; the key might
          * be missing if there really are no bridges present. */
-        _LOGD("monitor: bad update: %s", json_error.text);
+        _LOGD("Bad update: %s", json_error.text);
     }
 
     if (ovs) {
@@ -1936,12 +1936,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                              &unused))
                 continue;
 
-            _LOGT("monitor: %s: interface removed: type=%s, obj[iface:%s]%s%s",
-                  ovs_interface->name,
-                  ovs_interface->type,
+            _LOGT("obj[iface:%s]: removed an '%s' interface: %s%s%s",
                   key,
+                  ovs_interface->type,
+                  ovs_interface->name,
                   NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_interface->connection_uuid,
                                        ""));
             _signal_emit_device_removed(self,
@@ -1989,18 +1989,17 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 gs_free char *strtmp1 = NULL;
                 gs_free char *strtmp2 = NULL;
 
-                _LOGT(
-                    "monitor: %s: interface changed: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
-                    "other-config=%s",
-                    ovs_interface->name,
-                    type,
-                    key,
-                    NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                         ", connection=",
-                                         ovs_interface->connection_uuid,
-                                         ""),
-                    (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
-                    (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
+                _LOGT("obj[iface:%s]: changed an '%s' interface: %s%s%s, external-ids=%s, "
+                      "other-config=%s",
+                      key,
+                      type,
+                      ovs_interface->name,
+                      NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
+                                           ", ",
+                                           ovs_interface->connection_uuid,
+                                           ""),
+                      (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
+                      (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
             }
         } else {
             gs_free char *strtmp1 = NULL;
@@ -2016,17 +2015,17 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 .other_config    = g_steal_pointer(&other_config_arr),
             };
             g_hash_table_add(priv->interfaces, ovs_interface);
-            _LOGT("monitor: %s: interface added: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
-                  "other-config=%s",
-                  ovs_interface->name,
-                  ovs_interface->type,
-                  key,
-                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", connection=",
-                                       ovs_interface->connection_uuid,
-                                       ""),
-                  (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
-                  (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
+            _LOGT(
+                "obj[iface:%s]: added an '%s' interface: %s%s%s, external-ids=%s, other-config=%s",
+                key,
+                ovs_interface->type,
+                ovs_interface->name,
+                NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
+                                     ", ",
+                                     ovs_interface->connection_uuid,
+                                     ""),
+                (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
+                (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
             _signal_emit_device_added(self,
                                       ovs_interface->name,
                                       NM_DEVICE_TYPE_OVS_INTERFACE,
@@ -2072,11 +2071,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
             if (!g_hash_table_steal_extended(priv->ports, &key, (gpointer *) &ovs_port, &unused))
                 continue;
 
-            _LOGT("monitor: %s: port removed: obj[port:%s]%s%s",
-                  ovs_port->name,
+            _LOGT("obj[port:%s]: removed a port: %s%s%s",
                   key,
+                  ovs_port->name,
                   NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_port->connection_uuid,
                                        ""));
             _signal_emit_device_removed(self, ovs_port->name, NM_DEVICE_TYPE_OVS_PORT, NULL);
@@ -2123,16 +2122,15 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 gs_free char *strtmp1 = NULL;
                 gs_free char *strtmp2 = NULL;
 
-                _LOGT(
-                    "monitor: %s: port changed: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
-                    ovs_port->name,
-                    key,
-                    NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                         ", connection=",
-                                         ovs_port->connection_uuid,
-                                         ""),
-                    (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
-                    (strtmp2 = _strdict_to_string(ovs_port->other_config)));
+                _LOGT("obj[port:%s]: changed a port: %s%s%s, external-ids=%s, other-config=%s",
+                      key,
+                      ovs_port->name,
+                      NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
+                                           ", ",
+                                           ovs_port->connection_uuid,
+                                           ""),
+                      (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
+                      (strtmp2 = _strdict_to_string(ovs_port->other_config)));
             }
         } else {
             gs_free char *strtmp1 = NULL;
@@ -2148,11 +2146,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 .other_config    = g_steal_pointer(&other_config_arr),
             };
             g_hash_table_add(priv->ports, ovs_port);
-            _LOGT("monitor: %s: port added: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
-                  ovs_port->name,
+            _LOGT("obj[port:%s]: added a port: %s%s%s, external-ids=%s, other-config=%s",
                   key,
+                  ovs_port->name,
                   NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_port->connection_uuid,
                                        ""),
                   (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@@ -2194,11 +2192,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                              &unused))
                 continue;
 
-            _LOGT("monitor: %s: bridge removed: obj[bridge:%s]%s%s",
-                  ovs_bridge->name,
+            _LOGT("obj[bridge:%s]: removed a bridge: %s%s%s",
                   key,
+                  ovs_bridge->name,
                   NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_bridge->connection_uuid,
                                        ""));
             _signal_emit_device_removed(self, ovs_bridge->name, NM_DEVICE_TYPE_OVS_BRIDGE, NULL);
@@ -2245,12 +2243,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 gs_free char *strtmp1 = NULL;
                 gs_free char *strtmp2 = NULL;
 
-                _LOGT("monitor: %s: bridge changed: obj[bridge:%s]%s%s, external-ids=%s, "
-                      "other-config=%s",
-                      ovs_bridge->name,
+                _LOGT("obj[bridge:%s]: changed a bridge: %s%s%s, external-ids=%s, other-config=%s",
                       key,
+                      ovs_bridge->name,
                       NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                           ", connection=",
+                                           ", ",
                                            ovs_bridge->connection_uuid,
                                            ""),
                       (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
@@ -2270,11 +2267,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 .other_config    = g_steal_pointer(&other_config_arr),
             };
             g_hash_table_add(priv->bridges, ovs_bridge);
-            _LOGT("monitor: %s: bridge added: obj[bridge:%s]%s%s, external-ids=%s, other-config=%s",
-                  ovs_bridge->name,
+            _LOGT("obj[bridge:%s]: added a bridge: %s%s%s, external-ids=%s, other-config=%s",
                   key,
+                  ovs_bridge->name,
                   NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_bridge->connection_uuid,
                                        ""),
                   (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),

src/core/devices/wifi/nm-device-wifi.c

@@ -191,12 +191,6 @@ static void supplicant_iface_notify_p2p_available(NMSupplicantInterface *iface,
                                                   GParamSpec            *pspec,
                                                   NMDeviceWifi          *self);
 
-static void supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface,
-                                                        NMDeviceWifi          *self);
-
-static void supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface,
-                                                        NMDeviceWifi          *self);
-
 static void periodic_update(NMDeviceWifi *self);
 
 static void ap_add_remove(NMDeviceWifi *self,
@@ -630,14 +624,6 @@ supplicant_interface_acquire_cb(NMSupplicantManager         *supplicant_manager,
                      "notify::" NM_SUPPLICANT_INTERFACE_P2P_AVAILABLE,
                      G_CALLBACK(supplicant_iface_notify_p2p_available),
                      self);
-    g_signal_connect(priv->sup_iface,
-                     NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
-                     G_CALLBACK(supplicant_iface_notify_wpa_psk_mismatch_cb),
-                     self);
-    g_signal_connect(priv->sup_iface,
-                     NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
-                     G_CALLBACK(supplicant_iface_notify_wpa_sae_mismatch_cb),
-                     self);
 
     _scan_notify_is_scanning(self);
 
@@ -2412,9 +2398,6 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,
 
     g_return_val_if_fail(new_state == NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED, FALSE);
 
-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return FALSE;
-
     req = nm_device_get_act_request(NM_DEVICE(self));
     g_return_val_if_fail(req != NULL, FALSE);
 
@@ -2858,62 +2841,6 @@ handle_auth_or_fail(NMDeviceWifi *self, NMActRequest *req, gboolean new_secrets)
     return TRUE;
 }
 
-static void
-supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
-{
-    NMDevice     *device = NM_DEVICE(self);
-    NMActRequest *req;
-    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
-
-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return;
-
-    _LOGI(LOGD_DEVICE | LOGD_WIFI,
-          "Activation: (wifi) psk mismatch reported by supplicant, asking for new key");
-
-    req = nm_device_get_act_request(NM_DEVICE(self));
-    g_return_if_fail(req != NULL);
-
-    nm_act_request_clear_secrets(req);
-
-    cleanup_association_attempt(self, TRUE);
-    nm_device_state_changed(device,
-                            NM_DEVICE_STATE_NEED_AUTH,
-                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-    wifi_secrets_get_secrets(self,
-                             setting_name,
-                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
-                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
-}
-
-static void
-supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
-{
-    NMDevice     *device = NM_DEVICE(self);
-    NMActRequest *req;
-    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
-
-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return;
-
-    _LOGI(LOGD_DEVICE | LOGD_WIFI,
-          "Activation: (wifi) SAE password mismatch reported by supplicant, asking for new key");
-
-    req = nm_device_get_act_request(NM_DEVICE(self));
-    g_return_if_fail(req != NULL);
-
-    nm_act_request_clear_secrets(req);
-
-    cleanup_association_attempt(self, TRUE);
-    nm_device_state_changed(device,
-                            NM_DEVICE_STATE_NEED_AUTH,
-                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-    wifi_secrets_get_secrets(self,
-                             setting_name,
-                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
-                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
-}
-
 /*
  * supplicant_connection_timeout_cb
  *

src/core/devices/wifi/nm-iwd-manager.c

@@ -684,7 +684,7 @@ iwd_config_write(GKeyFile              *config,
      * in the last few filename characters -- it cannot end in .open, .psk
      * or .8021x.
      */
-    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, NULL, error);
+    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, error);
 }
 
 static const char *

src/core/devices/wwan/nm-modem-broadband.c

@@ -508,9 +508,8 @@ find_gsm_apn_cb(const char   *apn,
 static gboolean
 try_create_connect_properties(NMModemBroadband *self)
 {
-    NMModemBroadbandPrivate *priv        = NM_MODEM_BROADBAND_GET_PRIVATE(self);
-    ConnectContext          *ctx         = priv->ctx;
-    NMDeviceStateReason      fail_reason = NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED;
+    NMModemBroadbandPrivate *priv = NM_MODEM_BROADBAND_GET_PRIVATE(self);
+    ConnectContext          *ctx  = priv->ctx;
 
     if (MODEM_CAPS_3GPP(ctx->caps)) {
         NMSettingGsm *s_gsm = nm_connection_get_setting_gsm(ctx->connection);
@@ -523,7 +522,7 @@ try_create_connect_properties(NMModemBroadband *self)
             if (s_gsm)
                 network_id = nm_setting_gsm_get_network_id(s_gsm);
             if (!network_id) {
-                if (mm_modem_get_state(self->_priv.modem_iface) != MM_MODEM_STATE_REGISTERED)
+                if (mm_modem_get_state(self->_priv.modem_iface) < MM_MODEM_STATE_REGISTERED)
                     return FALSE;
                 modem_3gpp = mm_object_get_modem_3gpp(priv->modem_object);
                 network_id = mm_modem_3gpp_get_operator_code(modem_3gpp);
@@ -531,7 +530,6 @@ try_create_connect_properties(NMModemBroadband *self)
             if (!network_id) {
                 _LOGW("failed to connect '%s': unable to determine the network id",
                       nm_connection_get_id(ctx->connection));
-                fail_reason = NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE;
                 goto out;
             }
 
@@ -560,7 +558,7 @@ try_create_connect_properties(NMModemBroadband *self)
     }
 
 out:
-    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, fail_reason);
+    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED);
     connect_context_clear(self);
     return TRUE;
 }
@@ -1651,8 +1649,6 @@ nm_modem_broadband_new(GObject *object, GError **error)
                         driver,
                         NM_MODEM_OPERATOR_CODE,
                         operator_code,
-                        NM_MODEM_DEVICE_UID,
-                        mm_modem_get_device(modem_iface),
                         NULL);
 }
 

src/core/devices/wwan/nm-modem.c

@@ -39,8 +39,7 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMModem,
                              PROP_IP_TYPES,
                              PROP_SIM_OPERATOR_ID,
                              PROP_OPERATOR_CODE,
-                             PROP_APN,
-                             PROP_DEVICE_UID, );
+                             PROP_APN, );
 
 enum {
     PPP_STATS,
@@ -79,7 +78,6 @@ typedef struct _NMModemPrivate {
     char           *sim_operator_id;
     char           *operator_code;
     char           *apn;
-    char           *device_uid;
 
     NMPPPManager *ppp_manager;
     NMPppMgr     *ppp_mgr;
@@ -620,12 +618,6 @@ nm_modem_get_apn(NMModem *self)
     return NM_MODEM_GET_PRIVATE(self)->apn;
 }
 
-const char *
-nm_modem_get_device_uid(NMModem *self)
-{
-    return NM_MODEM_GET_PRIVATE(self)->device_uid;
-}
-
 /*****************************************************************************/
 
 static void
@@ -1129,22 +1121,6 @@ nm_modem_check_connection_compatible(NMModem *self, NMConnection *connection, GE
             }
         }
 
-        str = nm_setting_gsm_get_device_uid(s_gsm);
-        if (str) {
-            if (!priv->device_uid) {
-                nm_utils_error_set_literal(error,
-                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                           "GSM profile has device-uid, device does not");
-                return FALSE;
-            }
-            if (!nm_streq(str, priv->device_uid)) {
-                nm_utils_error_set_literal(error,
-                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                           "device has differing device-uid than GSM profile");
-                return FALSE;
-            }
-        }
-
         /* SIM properties may not be available before the SIM is unlocked, so
          * to ensure that autoconnect works, the connection's SIM properties
          * are only compared if present on the device.
@@ -1668,9 +1644,6 @@ get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
     case PROP_APN:
         g_value_set_string(value, priv->apn);
         break;
-    case PROP_DEVICE_UID:
-        g_value_set_string(value, priv->device_uid);
-        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
         break;
@@ -1726,10 +1699,6 @@ set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *ps
         /* construct-only */
         priv->operator_code = g_value_dup_string(value);
         break;
-    case PROP_DEVICE_UID:
-        /* construct-only */
-        priv->device_uid = g_value_dup_string(value);
-        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
         break;
@@ -1789,7 +1758,6 @@ finalize(GObject *object)
     g_free(priv->sim_operator_id);
     g_free(priv->operator_code);
     g_free(priv->apn);
-    g_free(priv->device_uid);
 
     G_OBJECT_CLASS(nm_modem_parent_class)->finalize(object);
 }
@@ -1895,13 +1863,6 @@ nm_modem_class_init(NMModemClass *klass)
     obj_properties[PROP_APN] =
         g_param_spec_string(NM_MODEM_APN, "", "", NULL, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
 
-    obj_properties[PROP_DEVICE_UID] =
-        g_param_spec_string(NM_MODEM_DEVICE_UID,
-                            "",
-                            "",
-                            NULL,
-                            G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS);
-
     g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 
     signals[PPP_STATS] = g_signal_new(NM_MODEM_PPP_STATS,

src/core/devices/wwan/nm-modem.h

@@ -30,7 +30,6 @@
 #define NM_MODEM_SIM_OPERATOR_ID "sim-operator-id"
 #define NM_MODEM_OPERATOR_CODE   "operator-code"
 #define NM_MODEM_APN             "apn"
-#define NM_MODEM_DEVICE_UID      "device-uid"
 
 /* Signals */
 #define NM_MODEM_PPP_STATS      "ppp-stats"
@@ -155,7 +154,6 @@ const char *nm_modem_get_sim_id(NMModem *modem);
 const char *nm_modem_get_sim_operator_id(NMModem *modem);
 const char *nm_modem_get_operator_code(NMModem *modem);
 const char *nm_modem_get_apn(NMModem *modem);
-const char *nm_modem_get_device_uid(NMModem *modem);
 
 gboolean nm_modem_set_data_port(NMModem        *self,
                                 NMPlatform     *platform,

src/core/dhcp/nm-dhcp-utils.c

@@ -32,11 +32,11 @@ ip4_process_dhcpcd_rfc3442_routes(const char     *iface,
                                   in_addr_t       address,
                                   guint32        *out_gwaddr)
 {
-    gs_free char **routes = NULL;
-    char         **r;
-    gboolean       have_routes = FALSE;
+    gs_free const char **routes = NULL;
+    const char         **r;
+    gboolean             have_routes = FALSE;
 
-    routes = (char **) nm_strsplit_set(str, " ");
+    routes = nm_strsplit_set(str, " ");
     if (!routes)
         return FALSE;
 

src/core/dns/nm-dns-dnsconfd.c

@@ -374,7 +374,7 @@ server_builder_append_base(GVariantBuilder   *argument_builder,
     NMDnsServer dns_server;
     gsize       addr_size;
 
-    if (!nm_dns_uri_parse(address_family, address_string, &dns_server, NULL))
+    if (!nm_dns_uri_parse(address_family, address_string, &dns_server))
         return FALSE;
     addr_size = nm_utils_addr_family_to_size(dns_server.addr_family);
 

src/core/dns/nm-dns-dnsmasq.c

@@ -521,10 +521,9 @@ _gl_pid_spawn_next_step(void)
     argv[argv_idx++] = "--no-resolv"; /* Use only commandline */
     argv[argv_idx++] = "--keep-in-foreground";
     argv[argv_idx++] = "--no-hosts"; /* don't use /etc/hosts to resolve */
-    argv[argv_idx++] = "--bind-dynamic";
+    argv[argv_idx++] = "--bind-interfaces";
     argv[argv_idx++] = "--pid-file=" PIDFILE;
-    argv[argv_idx++] = "--listen-address=127.0.0.1";
-    argv[argv_idx++] = "--listen-address=::1";
+    argv[argv_idx++] = "--listen-address=127.0.0.1"; /* Should work for both 4 and 6 */
     argv[argv_idx++] = "--cache-size=400";
     argv[argv_idx++] = "--clear-on-reload";     /* clear cache when dns server changes */
     argv[argv_idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */

src/core/dns/nm-dns-manager.c

@@ -26,7 +26,6 @@
 
 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-glib-aux/nm-str-buf.h"
-#include "libnm-glib-aux/nm-io-utils.h"
 
 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
@@ -1007,8 +1006,7 @@ _read_link_cached(const char *path, gboolean *is_cached, char **cached)
 #define MY_RESOLV_CONF_TMP MY_RESOLV_CONF ".tmp"
 #define RESOLV_CONF_TMP    "/etc/.resolv.conf.NetworkManager"
 
-#define NO_STUB_RESOLV_CONF     NMRUNDIR "/no-stub-resolv.conf"
-#define NO_STUB_RESOLV_CONF_TMP NMRUNDIR "/no-stub-resolv.conf.tmp"
+#define NO_STUB_RESOLV_CONF NMRUNDIR "/no-stub-resolv.conf"
 
 static void
 update_resolv_conf_no_stub(NMDnsManager      *self,
@@ -1021,14 +1019,7 @@ update_resolv_conf_no_stub(NMDnsManager      *self,
 
     content = create_resolv_conf(searches, nameservers, options);
 
-    if (!nm_utils_file_set_contents(NO_STUB_RESOLV_CONF,
-                                    content,
-                                    -1,
-                                    0644,
-                                    NULL,
-                                    NO_STUB_RESOLV_CONF_TMP,
-                                    NULL,
-                                    &local)) {
+    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
         _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
         g_error_free(local);
         return;
@@ -1510,8 +1501,8 @@ _domain_track_is_shadowed(GHashTable  *ht,
                           const char **out_parent,
                           int         *out_parent_priority)
 {
-    const char *parent;
-    int         parent_priority;
+    char *parent;
+    int   parent_priority;
 
     if (!ht)
         return FALSE;

src/core/dns/nm-dns-systemd-resolved.c

@@ -37,7 +37,6 @@
 static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
 static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS  = "SetLinkDNSOverTLS";
 static const char *const DBUS_OP_SET_LINK_DNS_EX        = "SetLinkDNSEx";
-static const char *const DBUS_OP_SET_LINK_DNSSEC        = "SetLinkDNSSEC";
 
 /*****************************************************************************/
 
@@ -399,7 +398,7 @@ update_add_ip_config(NMDnsSystemdResolved    *self,
     for (i = 0; i < n; i++) {
         NMDnsServer dns_server;
 
-        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server, NULL))
+        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server))
             continue;
 
         if (!NM_IN_SET(dns_server.scheme,
@@ -485,11 +484,9 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
     NMSettingConnectionMdns       mdns              = NM_SETTING_CONNECTION_MDNS_DEFAULT;
     NMSettingConnectionLlmnr      llmnr             = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
     NMSettingConnectionDnsOverTls dns_over_tls      = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
-    NMSettingConnectionDnssec     dnssec            = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
     const char                   *mdns_arg          = NULL;
     const char                   *llmnr_arg         = NULL;
     const char                   *dns_over_tls_arg  = NULL;
-    const char                   *dnssec_arg        = NULL;
     gboolean                      has_config        = FALSE;
     gboolean                      has_default_route = FALSE;
     guint                         i;
@@ -520,7 +517,6 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                 llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
                 dns_over_tls =
                     NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
-                dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
             }
         }
     }
@@ -593,24 +589,8 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
     }
     nm_assert(dns_over_tls_arg);
 
-    switch (dnssec) {
-    case NM_SETTING_CONNECTION_DNSSEC_NO:
-        dnssec_arg = "no";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
-        dnssec_arg = "allow-downgrade";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_YES:
-        dnssec_arg = "yes";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
-        dnssec_arg = "";
-        break;
-    }
-    nm_assert(dnssec_arg);
-
     if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
-        || !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
+        || !nm_str_is_empty(dns_over_tls_arg))
         has_config = TRUE;
 
     _request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@@ -638,10 +618,6 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                          DBUS_OP_SET_LINK_DNS_OVER_TLS,
                          ic->ifindex,
                          g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
-    _request_item_append(self,
-                         DBUS_OP_SET_LINK_DNSSEC,
-                         ic->ifindex,
-                         g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));
 
     return has_config;
 }

src/core/main-utils.c

@@ -81,7 +81,7 @@ nm_main_utils_write_pidfile(const char *pidfile)
     char                  pid[16];
 
     nm_sprintf_buf(pid, "%lld", (long long) getpid());
-    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, NULL, &error)) {
+    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, &error)) {
         fprintf(stderr, _("Writing to %s failed: %s\n"), pidfile, error->message);
         return FALSE;
     }

src/core/main.c

@@ -339,7 +339,7 @@ main(int argc, char *argv[])
         char *path, *slash;
         int   g;
 
-        /* exe is <builddir>/src/core/NetworkManager, so chop off
+        /* exe is <basedir>/src/.libs/lt-NetworkManager, so chop off
          * the last three components */
         path = realpath("/proc/self/exe", NULL);
         g_assert(path != NULL);

src/core/ndisc/nm-lndp-ndisc.c

@@ -19,7 +19,6 @@
 #include "libnm-systemd-shared/nm-sd-utils-shared.h"
 #include "nm-l3cfg.h"
 #include "nm-ndisc-private.h"
-#include "nm-core-utils.h"
 
 #define _NMLOG_PREFIX_NAME "ndisc-lndp"
 
@@ -28,14 +27,6 @@
 typedef struct {
     struct ndp *ndp;
     GSource    *event_source;
-
-    struct {
-        NMRateLimit pio_lft;
-        NMRateLimit mtu;
-        NMRateLimit omit_prefix;
-        NMRateLimit omit_dns;
-        NMRateLimit omit_dnssl;
-    } msg_ratelimit;
 } NMLndpNDiscPrivate;
 
 /*****************************************************************************/
@@ -58,36 +49,6 @@ G_DEFINE_TYPE(NMLndpNDisc, nm_lndp_ndisc, NM_TYPE_NDISC)
 
 /*****************************************************************************/
 
-/*
- * If we log a message about an invalid RA packet, don't repeat the same message
- * at every packet received or sent. Rate limit the message to 6 every 12 hours
- * per type and per ndisc instance.
- */
-
-#define LOG_INV_RA_WINDOW (12 * 3600)
-#define LOG_INV_RA_BURST  6
-
-#define _LOG_INVALID_RA(ndisc, rate_limit, ...)                                  \
-    G_STMT_START                                                                 \
-    {                                                                            \
-        NMNDisc     *__ndisc  = (ndisc);                                         \
-        NMRateLimit *__rl     = (rate_limit);                                    \
-        const char  *__ifname = nm_ndisc_get_ifname(__ndisc);                    \
-                                                                                 \
-        if (__ifname && nm_logging_enabled(LOGL_WARN, LOGD_IP6)                  \
-            && nm_rate_limit_check(__rl, LOG_INV_RA_WINDOW, LOG_INV_RA_BURST)) { \
-            nm_log(LOGL_WARN,                                                    \
-                   LOGD_IP6,                                                     \
-                   __ifname,                                                     \
-                   NULL,                                                         \
-                   "ndisc (%s): " _NM_UTILS_MACRO_FIRST(__VA_ARGS__),            \
-                   __ifname _NM_UTILS_MACRO_REST(__VA_ARGS__));                  \
-        }                                                                        \
-    }                                                                            \
-    G_STMT_END
-
-/*****************************************************************************/
-
 static gboolean
 send_rs(NMNDisc *ndisc, GError **error)
 {
@@ -152,7 +113,6 @@ static int
 receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
 {
     NMNDisc             *ndisc   = (NMNDisc *) user_data;
-    NMLndpNDiscPrivate  *priv    = NM_LNDP_NDISC_GET_PRIVATE(ndisc);
     NMNDiscDataInternal *rdata   = ndisc->rdata;
     NMNDiscConfigMap     changed = 0;
     NMNDiscGateway       gateway;
@@ -269,11 +229,7 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
              * log a system management error in this case.
              */
             if (preferred_time > valid_time) {
-                _LOG_INVALID_RA(
-                    ndisc,
-                    &priv->msg_ratelimit.pio_lft,
-                    "ignoring Prefix Information Option with invalid lifetimes in received IPv6 "
-                    "router advertisement");
+                _LOGW("skipping PIO - preferred lifetime > valid lifetime");
                 continue;
             }
 
@@ -393,11 +349,7 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
              * Kernel would set it, but would flush out all IPv6 addresses away
              * from the link, even the link-local, and we wouldn't be able to
              * listen for further RAs that could fix the MTU. */
-            _LOG_INVALID_RA(ndisc,
-                            &priv->msg_ratelimit.mtu,
-                            "ignoring too small MTU %u in received IPv6 "
-                            "router advertisement",
-                            mtu);
+            _LOGW("MTU too small for IPv6 ignored: %d", mtu);
         }
     }
 
@@ -493,11 +445,8 @@ send_ra(NMNDisc *ndisc, GError **error)
 
         prefix = _ndp_msg_add_option(msg, sizeof(*prefix));
         if (!prefix) {
-            /* Maybe we could send separate RAs, but why bother... */
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_prefix,
-                "the outgoing IPv6 router advertisement is too big: omitting some prefixes");
+            /* Maybe we could sent separate RAs, but why bother... */
+            _LOGW("The RA is too big, had to omit some some prefixes.");
             break;
         }
 
@@ -526,10 +475,7 @@ send_ra(NMNDisc *ndisc, GError **error)
 
         option = _ndp_msg_add_option(msg, len);
         if (!option) {
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_dns,
-                "the outgoing IPv6 router advertisement is too big: omitting DNS information");
+            _LOGW("The RA is too big, had to omit DNS information.");
             goto dns_servers_done;
         }
 
@@ -607,10 +553,7 @@ dns_servers_done:
         nm_assert(len / 8u >= 2u);
 
         if (len / 8u >= 256u || !(option = _ndp_msg_add_option(msg, len))) {
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_dnssl,
-                "the outgoing IPv6 router advertisement is too big: omitting DNS search list");
+            _LOGW("The RA is too big, had to omit DNS search list.");
             goto dns_domains_done;
         }
 

src/core/nm-checkpoint.c

@@ -160,7 +160,7 @@ parse_connection_from_shadowed_file(const char *path, GError **error)
 {
     nm_auto_unref_keyfile GKeyFile *keyfile  = NULL;
     gs_free char                   *base_dir = NULL;
-    const char                     *sep;
+    char                           *sep;
 
     keyfile = g_key_file_new();
     if (!g_key_file_load_from_file(keyfile, path, G_KEY_FILE_NONE, error))

src/core/nm-config.c

@@ -892,7 +892,6 @@ static const ConfigGroup config_groups[] = {
         .is_prefix = TRUE,
         .keys      = NM_MAKE_STRV(NM_CONFIG_KEYFILE_KEY_DEVICE_CARRIER_WAIT_TIMEOUT,
                              NM_CONFIG_KEYFILE_KEY_DEVICE_IGNORE_CARRIER,
-                             NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
                              NM_CONFIG_KEYFILE_KEY_DEVICE_MANAGED,
                              NM_CONFIG_KEYFILE_KEY_DEVICE_SRIOV_NUM_VFS,
                              NM_CONFIG_KEYFILE_KEY_DEVICE_KEEP_CONFIGURATION,

src/core/nm-connectivity.c

@@ -77,8 +77,6 @@ struct _NMConnectivityCheckHandle {
         ConConfig *con_config;
 
         GCancellable      *resolve_cancellable;
-        int                resolve_ifindex;
-        GDBusConnection   *dbus_connection;
         CURLM             *curl_mhandle;
         CURL              *curl_ehandle;
         struct curl_slist *request_headers;
@@ -955,113 +953,6 @@ systemd_resolved_resolve_cb(GObject *object, GAsyncResult *res, gpointer user_da
     do_curl_request(cb_data, nm_str_buf_get_str(&strbuf_hosts));
 }
 
-static void
-systemd_resolved_resolve(NMConnectivityCheckHandle *cb_data)
-{
-    _LOG2D("start request to '%s' (try resolving '%s' using systemd-resolved with ifindex %d)",
-           cb_data->concheck.con_config->uri,
-           cb_data->concheck.con_config->host,
-           cb_data->concheck.resolve_ifindex);
-
-    g_dbus_connection_call(cb_data->concheck.dbus_connection,
-                           "org.freedesktop.resolve1",
-                           "/org/freedesktop/resolve1",
-                           "org.freedesktop.resolve1.Manager",
-                           "ResolveHostname",
-                           g_variant_new("(isit)",
-                                         (gint32) cb_data->concheck.resolve_ifindex,
-                                         cb_data->concheck.con_config->host,
-                                         (gint32) cb_data->addr_family,
-                                         SD_RESOLVED_DNS),
-                           G_VARIANT_TYPE("(a(iiay)st)"),
-                           G_DBUS_CALL_FLAGS_NONE,
-                           -1,
-                           cb_data->concheck.resolve_cancellable,
-                           systemd_resolved_resolve_cb,
-                           cb_data);
-}
-
-static void
-systemd_resolved_link_scopes_cb(GObject *object, GAsyncResult *res, gpointer user_data)
-{
-    NMConnectivityCheckHandle *cb_data;
-    gs_unref_variant GVariant *result     = NULL;
-    gs_unref_variant GVariant *value      = NULL;
-    gs_free_error GError      *error      = NULL;
-    guint64                    scope_mask = 0;
-
-    result = g_dbus_connection_call_finish(G_DBUS_CONNECTION(object), res, &error);
-    if (nm_utils_error_is_cancelled(error))
-        return;
-
-    cb_data = user_data;
-
-    if (!result) {
-        _LOG2D("unable to obtain systemd-resolved link ScopesMask for interface %d: %s",
-               cb_data->concheck.resolve_ifindex,
-               error->message);
-
-        cb_data->concheck.resolve_ifindex = 0;
-        systemd_resolved_resolve(cb_data);
-        return;
-    }
-
-    g_variant_get(result, "(v)", &value);
-    g_variant_get(value, "t", &scope_mask);
-
-    if (!(scope_mask & SD_RESOLVED_DNS)) {
-        /* there is no per-link DNS configured / active; query all available /
-         * system DNS resolvers instead of restricting the lookup to just this
-         * one, which would turn up no results. */
-        _LOG2D("no per-link DNS available (scope mask %" G_GUINT64_FORMAT
-               "); falling back to system-wide lookups",
-               scope_mask);
-        cb_data->concheck.resolve_ifindex = 0;
-    }
-
-    systemd_resolved_resolve(cb_data);
-}
-
-static void
-systemd_resolved_get_link_cb(GObject *object, GAsyncResult *res, gpointer user_data)
-{
-    NMConnectivityCheckHandle *cb_data;
-    gs_unref_variant GVariant *result    = NULL;
-    gs_free char              *link_path = NULL;
-    gs_free_error GError      *error     = NULL;
-
-    result = g_dbus_connection_call_finish(G_DBUS_CONNECTION(object), res, &error);
-    if (nm_utils_error_is_cancelled(error))
-        return;
-
-    cb_data = user_data;
-
-    if (!result) {
-        _LOG2D("unable to obtain systemd-resolved link D-Bus object for interface %d: %s",
-               cb_data->concheck.resolve_ifindex,
-               error->message);
-
-        cb_data->concheck.resolve_ifindex = 0;
-        systemd_resolved_resolve(cb_data);
-        return;
-    }
-
-    g_variant_get(result, "(o)", &link_path);
-
-    g_dbus_connection_call(cb_data->concheck.dbus_connection,
-                           "org.freedesktop.resolve1",
-                           link_path,
-                           "org.freedesktop.DBus.Properties",
-                           "Get",
-                           g_variant_new("(ss)", "org.freedesktop.resolve1.Link", "ScopesMask"),
-                           G_VARIANT_TYPE("(v)"),
-                           G_DBUS_CALL_FLAGS_NONE,
-                           -1,
-                           cb_data->concheck.resolve_cancellable,
-                           systemd_resolved_link_scopes_cb,
-                           cb_data);
-}
-
 static NMConnectivityState
 check_platform_config(NMConnectivity *self,
                       NMPlatform     *platform,
@@ -1176,7 +1067,6 @@ nm_connectivity_check_start(NMConnectivity             *self,
         }
 
         cb_data->concheck.resolve_cancellable = g_cancellable_new();
-        cb_data->concheck.resolve_ifindex     = ifindex;
 
         /* note that we pick up support for systemd-resolved right away when we need it.
          * We don't need to remember the setting, because we can (cheaply) check anew
@@ -1199,8 +1089,10 @@ nm_connectivity_check_start(NMConnectivity             *self,
         has_systemd_resolved = !!nm_dns_manager_get_systemd_resolved(nm_dns_manager_get());
 
         if (has_systemd_resolved) {
-            cb_data->concheck.dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
-            if (!cb_data->concheck.dbus_connection) {
+            GDBusConnection *dbus_connection;
+
+            dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
+            if (!dbus_connection) {
                 /* we have no D-Bus connection? That might happen in configure and quit mode.
                  *
                  * Anyway, something is very odd, just fail connectivity check. */
@@ -1211,19 +1103,25 @@ nm_connectivity_check_start(NMConnectivity             *self,
                 return cb_data;
             }
 
-            /* first check whether there has been a per-link DNS configured */
-            g_dbus_connection_call(cb_data->concheck.dbus_connection,
+            g_dbus_connection_call(dbus_connection,
                                    "org.freedesktop.resolve1",
                                    "/org/freedesktop/resolve1",
                                    "org.freedesktop.resolve1.Manager",
-                                   "GetLink",
-                                   g_variant_new("(i)", ifindex),
-                                   G_VARIANT_TYPE("(o)"),
+                                   "ResolveHostname",
+                                   g_variant_new("(isit)",
+                                                 0,
+                                                 cb_data->concheck.con_config->host,
+                                                 (gint32) cb_data->addr_family,
+                                                 SD_RESOLVED_DNS),
+                                   G_VARIANT_TYPE("(a(iiay)st)"),
                                    G_DBUS_CALL_FLAGS_NONE,
                                    -1,
                                    cb_data->concheck.resolve_cancellable,
-                                   systemd_resolved_get_link_cb,
+                                   systemd_resolved_resolve_cb,
                                    cb_data);
+            _LOG2D("start request to '%s' (try resolving '%s' using systemd-resolved)",
+                   cb_data->concheck.con_config->uri,
+                   cb_data->concheck.con_config->host);
             return cb_data;
         }
 

src/core/nm-core-utils.c

@@ -2865,7 +2865,6 @@ _host_id_read(guint8 **out_host_id, gsize *out_host_id_len)
                                                0600,
                                                NULL,
                                                NULL,
-                                               NULL,
                                                &error)) {
             nm_log_warn(
                 LOGD_CORE,
@@ -5505,155 +5504,6 @@ nm_utils_shorten_hostname(const char *hostname, char **shortened)
     return TRUE;
 }
 
-/**
- * nm_utils_connection_supported:
- * @connection: the connection
- * @error: on return, the reason why the connection in not supported
- *
- * Returns whether the given connection is supported by this version
- * of NetworkManager.
- */
-gboolean
-nm_utils_connection_supported(NMConnection *connection, GError **error)
-{
-    const char *type;
-    const char *feature = NULL;
-
-    g_return_val_if_fail(connection, FALSE);
-    g_return_val_if_fail(!error || !*error, FALSE);
-
-    type = nm_connection_get_connection_type(connection);
-
-    if (!WITH_TEAMDCTL) {
-        NMSettingConnection *s_con;
-
-        if (nm_streq0(type, NM_SETTING_TEAM_SETTING_NAME)) {
-            feature = "team";
-            goto out_disabled;
-        }
-
-        /* Match team ports */
-        if ((s_con = nm_connection_get_setting_connection(connection))
-            && nm_streq0(nm_setting_connection_get_port_type(s_con),
-                         NM_SETTING_TEAM_SETTING_NAME)) {
-            feature = "team";
-            goto out_disabled;
-        }
-    }
-
-    if (!WITH_OPENVSWITCH) {
-        if (NM_IN_STRSET(type,
-                         NM_SETTING_OVS_BRIDGE_SETTING_NAME,
-                         NM_SETTING_OVS_PORT_SETTING_NAME,
-                         NM_SETTING_OVS_INTERFACE_SETTING_NAME)) {
-            feature = "Open vSwitch";
-            goto out_disabled;
-        }
-
-        /* Match OVS system interfaces */
-        if (nm_connection_get_setting_ovs_interface(connection)) {
-            feature = "Open vSwitch";
-            goto out_disabled;
-        }
-    }
-
-    if (!WITH_WIFI
-        && NM_IN_STRSET(type,
-                        NM_SETTING_WIRELESS_SETTING_NAME,
-                        NM_SETTING_OLPC_MESH_SETTING_NAME,
-                        NM_SETTING_WIFI_P2P_SETTING_NAME)) {
-        feature = "Wi-Fi";
-        goto out_disabled;
-    }
-
-    if (!WITH_WWAN
-        && NM_IN_STRSET(type, NM_SETTING_GSM_SETTING_NAME, NM_SETTING_CDMA_SETTING_NAME)) {
-        feature = "WWAN";
-        goto out_disabled;
-    }
-
-    if (nm_streq0(type, NM_SETTING_WIMAX_SETTING_NAME)) {
-        feature = "WiMAX";
-        goto out_removed;
-    }
-
-    return TRUE;
-
-out_disabled:
-    nm_assert(feature);
-    g_set_error(error,
-                NM_SETTINGS_ERROR,
-                NM_SETTINGS_ERROR_FEATURE_DISABLED,
-                "%s support is disabled in this build",
-                feature);
-    return FALSE;
-
-out_removed:
-    nm_assert(feature);
-    g_set_error(error,
-                NM_SETTINGS_ERROR,
-                NM_SETTINGS_ERROR_FEATURE_REMOVED,
-                "%s is no longer supported",
-                feature);
-    return FALSE;
-}
-
-/*****************************************************************************/
-
-/**
- * nm_rate_limit_check():
- * @rate_limit: the NMRateLimit instance
- * @window_sec: the time window in seconds, between 1 and 864000 (ten days)
- * @burst: the number of max allowed event occurrences in the given time
- *   window
- *
- * The function rate limits an event. Call it multiple times with the
- * same @window_sec, and @burst values.
- *
- * Returns: TRUE if the event is allowed, FALSE if it is rate-limited
- */
-gboolean
-nm_rate_limit_check(NMRateLimit *rate_limit, gint32 window_sec, gint32 burst)
-{
-    gint64 now;
-    gint64 old_ts_msec;
-    gint64 window_msec;
-    gint64 capacity;
-    gint64 elapsed;
-
-    nm_assert(window_sec >= 1 && window_sec <= 864000);
-    nm_assert(burst >= 1);
-
-    /* This implements a simple token bucket algorithm. For each millisecond,
-     * refill "burst" tokens. Thus, during a full time window we
-     * refill (window_msec * burst) tokens. Each event consumes @window_msec
-     * tokens. */
-
-    window_msec         = (gint64) window_sec * NM_UTILS_MSEC_PER_SEC;
-    capacity            = window_msec * (gint64) burst;
-    old_ts_msec         = rate_limit->ts_msec;
-    now                 = nm_utils_get_monotonic_timestamp_msec();
-    rate_limit->ts_msec = now;
-
-    elapsed = now - old_ts_msec;
-    if (old_ts_msec == 0 || elapsed > window_msec) {
-        /* On the first call, or in case a whole window passed, (re)start with
-         * a full budget */
-        rate_limit->tokens = capacity;
-    } else {
-        rate_limit->tokens += elapsed * (gint64) burst;
-        rate_limit->tokens = NM_MIN(rate_limit->tokens, capacity);
-    }
-
-    /* Consume the tokens */
-    if (rate_limit->tokens >= window_msec) {
-        rate_limit->tokens -= window_msec;
-        return TRUE;
-    }
-
-    return FALSE;
-}
-
 const char *
 nm_utils_get_connection_first_permissions_user(NMConnection *connection)
 {

src/core/nm-core-utils.h

@@ -494,19 +494,6 @@ gid_t nm_utils_get_nm_gid(void);
 
 /*****************************************************************************/
 
-gboolean nm_utils_connection_supported(NMConnection *connection, GError **error);
-
-/*****************************************************************************/
-
-typedef struct {
-    gint64 ts_msec;
-    gint64 tokens;
-} NMRateLimit;
-
-gboolean nm_rate_limit_check(NMRateLimit *rate_limit, gint32 window_sec, gint32 burst);
-
-/*****************************************************************************/
-
 const char *nm_utils_get_connection_first_permissions_user(NMConnection *connection);
 
 /*****************************************************************************/

src/core/nm-l3-config-data.c

@@ -120,7 +120,6 @@ struct _NML3ConfigData {
     NMSettingConnectionMdns       mdns;
     NMSettingConnectionLlmnr      llmnr;
     NMSettingConnectionDnsOverTls dns_over_tls;
-    NMSettingConnectionDnssec     dnssec;
     NMUtilsIPv6IfaceId            ip6_token;
 
     NML3ConfigDatFlags flags;
@@ -578,16 +577,6 @@ nm_l3_config_data_log(const NML3ConfigData *self,
                                            NULL)));
     }
 
-    if (self->dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
-        gs_free char *s = NULL;
-
-        _L("dnssec: %s",
-           (s = _nm_utils_enum_to_str_full(nm_setting_connection_dnssec_get_type(),
-                                           self->dnssec,
-                                           " ",
-                                           NULL)));
-    }
-
     if (self->mptcp_flags != NM_MPTCP_FLAGS_NONE) {
         gs_free char *s = NULL;
 
@@ -705,7 +694,6 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
         .mdns                           = NM_SETTING_CONNECTION_MDNS_DEFAULT,
         .llmnr                          = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
         .dns_over_tls                   = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
-        .dnssec                         = NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
         .flags                          = NM_L3_CONFIG_DAT_FLAGS_NONE,
         .metered                        = NM_TERNARY_DEFAULT,
         .proxy_browser_only             = NM_TERNARY_DEFAULT,
@@ -1779,26 +1767,6 @@ nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self, NMSettingConnectionDnsO
     return TRUE;
 }
 
-NMSettingConnectionDnssec
-nm_l3_config_data_get_dnssec(const NML3ConfigData *self)
-{
-    nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
-
-    return self->dnssec;
-}
-
-gboolean
-nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec)
-{
-    nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
-
-    if (self->dnssec == dnssec)
-        return FALSE;
-
-    self->dnssec = dnssec;
-    return TRUE;
-}
-
 NMIPRouteTableSyncMode
 nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self, int addr_family)
 {
@@ -2478,7 +2446,6 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
         NM_CMP_DIRECT(a->mdns, b->mdns);
         NM_CMP_DIRECT(a->llmnr, b->llmnr);
         NM_CMP_DIRECT(a->dns_over_tls, b->dns_over_tls);
-        NM_CMP_DIRECT(a->dnssec, b->dnssec);
     }
 
     if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_OTHER)) {
@@ -3244,12 +3211,6 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
         empty = FALSE;
     }
 
-    val = nm_l3_config_data_get_dnssec(l3cd);
-    if (val != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
-        g_checksum_update(sum, (const guint8 *) &val, sizeof(val));
-        empty = FALSE;
-    }
-
     if (!empty) {
         int prio = 0;
 
@@ -3500,9 +3461,6 @@ nm_l3_config_data_merge(NML3ConfigData       *self,
     if (self->dns_over_tls == NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT)
         self->dns_over_tls = src->dns_over_tls;
 
-    if (self->dnssec == NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
-        self->dnssec = src->dnssec;
-
     if (self->ip6_token.id == 0)
         self->ip6_token.id = src->ip6_token.id;
 

src/core/nm-l3-config-data.h

@@ -458,10 +458,6 @@ NMSettingConnectionDnsOverTls nm_l3_config_data_get_dns_over_tls(const NML3Confi
 gboolean nm_l3_config_data_set_dns_over_tls(NML3ConfigData               *self,
                                             NMSettingConnectionDnsOverTls dns_over_tls);
 
-NMSettingConnectionDnssec nm_l3_config_data_get_dnssec(const NML3ConfigData *self);
-
-gboolean nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec);
-
 NMIPRouteTableSyncMode nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self,
                                                               int                   addr_family);
 

src/core/nm-l3cfg.c

@@ -40,7 +40,8 @@ G_STATIC_ASSERT(NM_ACD_TIMEOUT_RFC5227_MSEC == N_ACD_TIMEOUT_RFC5227);
 
 #define ACD_SUPPORTED_ETH_ALEN                  ETH_ALEN
 #define ACD_ENSURE_RATELIMIT_MSEC               ((guint32) 4000u)
-#define ACD_WAIT_PROBING_EXTRA_TIME_MSEC        ((guint32) (2000u + ACD_ENSURE_RATELIMIT_MSEC))
+#define ACD_WAIT_PROBING_EXTRA_TIME_MSEC        ((guint32) (1000u + ACD_ENSURE_RATELIMIT_MSEC))
+#define ACD_WAIT_PROBING_EXTRA_TIME2_MSEC       ((guint32) 1000u)
 #define ACD_WAIT_TIME_PROBING_FULL_RESTART_MSEC ((guint32) 30000u)
 #define ACD_WAIT_TIME_CONFLICT_RESTART_MSEC     ((guint32) 120000u)
 #define ACD_WAIT_TIME_ANNOUNCE_RESTART_MSEC     ((guint32) 30000u)
@@ -2739,8 +2740,9 @@ handle_init:
             nm_utils_get_monotonic_timestamp_msec_cached(p_now_msec);
 
             if (acd_data->info.state == NM_L3_ACD_ADDR_STATE_PROBING) {
-                if ((*p_now_msec)
-                    > acd_data->probing_timestamp_msec + ACD_WAIT_PROBING_EXTRA_TIME_MSEC) {
+                if ((*p_now_msec) > acd_data->probing_timestamp_msec
+                                        + ACD_WAIT_PROBING_EXTRA_TIME_MSEC
+                                        + ACD_WAIT_PROBING_EXTRA_TIME2_MSEC) {
                     /* hm. We failed to create a new probe too long. Something is really wrong
                      * internally, but let's ignore the issue and assume the address is good. What
                      * else would we do? Assume the address is USED? */
@@ -2946,7 +2948,7 @@ handle_init:
             nm_utils_get_monotonic_timestamp_msec_cached(p_now_msec);
 
             if (acd_data->probing_timestamp_msec + acd_data->probing_timeout_msec
-                    + ACD_WAIT_PROBING_EXTRA_TIME_MSEC
+                    + ACD_WAIT_PROBING_EXTRA_TIME_MSEC + ACD_WAIT_PROBING_EXTRA_TIME2_MSEC
                 >= (*p_now_msec)) {
                 /* The probing already started quite a while ago. We ignore the link event
                  * and let the probe come to it's natural end. */
@@ -3056,10 +3058,9 @@ handle_start_probing:
         }
 
         _LOGT_acd(acd_data,
-                  "%sstart probing (timeout %u msec, ebpf %s; %s)",
+                  "%sstart probing (timeout %u msec, %s)",
                   orig_state == NM_L3_ACD_ADDR_STATE_INIT ? "" : "re",
                   acd_data->probing_timeout_msec,
-                  n_acd_has_bpf(self->priv.p->nacd) ? "enabled" : "disabled",
                   log_reason);
         return;
     }
@@ -3154,11 +3155,10 @@ handle_start_defending:
         }
 
         _LOGT_acd(acd_data,
-                  "start announcing (defend=%s) (probe created with ebpf %s)",
+                  "start announcing (defend=%s) (probe created)",
                   _l3_acd_defend_type_to_string(acd_data->acd_defend_type_current,
                                                 sbuf256,
-                                                sizeof(sbuf256)),
-                  n_acd_has_bpf(self->priv.p->nacd) ? "enabled" : "disabled");
+                                                sizeof(sbuf256)));
         acd_data->acd_defend_type_is_active = FALSE;
         acd_data->nacd_probe                = probe;
         return;
@@ -3989,7 +3989,7 @@ _l3cfg_routed_dns_apply(NML3Cfg *self, const NML3ConfigData *l3cd)
             NMDnsServer               dns;
             int                       r;
 
-            if (!nm_dns_uri_parse(addr_family, nameservers[i], &dns, NULL))
+            if (!nm_dns_uri_parse(addr_family, nameservers[i], &dns))
                 continue;
 
             /* Find the gateway to the DNS over the current interface. When
@@ -5054,8 +5054,8 @@ _l3_commit_mptcp_af(NML3Cfg          *self,
             (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SIGNAL) ? MPTCP_PM_ADDR_FLAG_SIGNAL : 0)
             | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SUBFLOW) ? MPTCP_PM_ADDR_FLAG_SUBFLOW : 0)
             | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_BACKUP) ? MPTCP_PM_ADDR_FLAG_BACKUP : 0)
-            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_FULLMESH) ? MPTCP_PM_ADDR_FLAG_FULLMESH : 0)
-            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_LAMINAR) ? MPTCP_PM_ADDR_FLAG_LAMINAR : 0);
+            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_FULLMESH) ? MPTCP_PM_ADDR_FLAG_FULLMESH
+                                                                  : 0);
         NMPlatformMptcpAddr a = {
             .ifindex     = self->priv.ifindex,
             .id          = 0,

src/core/nm-netns.c

@@ -68,7 +68,7 @@ typedef struct {
     NMPNetns         *platform_netns;
     NMPGlobalTracker *global_tracker;
     GHashTable       *l3cfgs;
-    GHashTable       *ip_reservation[_NM_NETNS_IP_RESERVATION_TYPE_NUM];
+    GHashTable       *shared_ips;
     GHashTable       *ecmp_track_by_obj;
     GHashTable       *ecmp_track_by_ecmpid;
 
@@ -571,150 +571,106 @@ notify_watcher:
 
 /*****************************************************************************/
 
-typedef struct {
-    const char *name;
-    guint32     start_addr; /* host byte order */
-    guint       prefix_len;
-    guint       num_addrs;
-    gboolean    allow_reuse;
-} IPReservationTypeDesc;
-
-static const IPReservationTypeDesc ip_reservation_types[_NM_NETNS_IP_RESERVATION_TYPE_NUM] = {
-    [NM_NETNS_IP_RESERVATION_TYPE_SHARED4] =
-        {
-            .name        = "shared-ip4",
-            .start_addr  = 0x0a2a0001, /* 10.42.0.1 */
-            .prefix_len  = 24,
-            .num_addrs   = 256,
-            .allow_reuse = TRUE,
-        },
-};
-
-NMNetnsIPReservation *
-nm_netns_ip_reservation_get(NMNetns *self, NMNetnsIPReservationType type)
+NMNetnsSharedIPHandle *
+nm_netns_shared_ip_reserve(NMNetns *self)
 {
-    NMNetnsPrivate              *priv;
-    const IPReservationTypeDesc *desc;
-    NMNetnsIPReservation        *res;
-    GHashTable                 **table;
-    in_addr_t                    addr;
-    char                         buf[NM_INET_ADDRSTRLEN];
+    NMNetnsPrivate        *priv;
+    NMNetnsSharedIPHandle *handle;
+    const in_addr_t        addr_start = ntohl(0x0a2a0001u); /* 10.42.0.1 */
+    in_addr_t              addr;
+    char                   sbuf_addr[NM_INET_ADDRSTRLEN];
+
+    /* Find an unused address in the 10.42.x.x range */
 
     g_return_val_if_fail(NM_IS_NETNS(self), NULL);
-    g_return_val_if_fail(type < _NM_NETNS_IP_RESERVATION_TYPE_NUM, NULL);
 
-    priv  = NM_NETNS_GET_PRIVATE(self);
-    desc  = &ip_reservation_types[type];
-    table = &priv->ip_reservation[type];
+    priv = NM_NETNS_GET_PRIVATE(self);
 
-    if (!*table) {
-        addr   = htonl(desc->start_addr);
-        *table = g_hash_table_new(nm_puint32_hash, nm_puint32_equal);
+    if (!priv->shared_ips) {
+        addr             = addr_start;
+        priv->shared_ips = g_hash_table_new(nm_puint32_hash, nm_puint32_equal);
         g_object_ref(self);
     } else {
         guint32 count;
 
-        nm_assert(g_hash_table_size(*table) > 0);
-        nm_assert(desc->prefix_len > 0 && desc->prefix_len <= 32);
+        nm_assert(g_hash_table_size(priv->shared_ips) > 0);
 
         count = 0u;
         for (;;) {
-            addr = htonl(desc->start_addr + (count << (32 - desc->prefix_len)));
+            addr = addr_start + htonl(count << 8u);
 
-            res = g_hash_table_lookup(*table, &addr);
-            if (!res)
+            handle = g_hash_table_lookup(priv->shared_ips, &addr);
+            if (!handle)
                 break;
 
             count++;
 
-            if (count >= desc->num_addrs) {
-                if (!desc->allow_reuse) {
-                    _LOGE("%s: ran out of IP addresses", desc->name);
-                    return NULL;
-                }
-
-                if (res->_ref_count == 1) {
-                    _LOGE("%s: ran out of IP addresses. Reuse %s/%u",
-                          desc->name,
-                          nm_inet4_ntop(res->addr, buf),
-                          desc->prefix_len);
+            if (count > 0xFFu) {
+                if (handle->_ref_count == 1) {
+                    _LOGE("shared-ip4: ran out of shared IP addresses. Reuse %s/24",
+                          nm_inet4_ntop(handle->addr, sbuf_addr));
                 } else {
-                    _LOGD("%s: reserved IP address %s/%u (duplicate)",
-                          desc->name,
-                          nm_inet4_ntop(res->addr, buf),
-                          desc->prefix_len);
+                    _LOGD("shared-ip4: reserved IP address range %s/24 (duplicate)",
+                          nm_inet4_ntop(handle->addr, sbuf_addr));
                 }
-                res->_ref_count++;
-                return res;
+                handle->_ref_count++;
+                return handle;
             }
         }
     }
 
-    res  = g_slice_new(NMNetnsIPReservation);
-    *res = (NMNetnsIPReservation) {
+    handle  = g_slice_new(NMNetnsSharedIPHandle);
+    *handle = (NMNetnsSharedIPHandle) {
         .addr       = addr,
         ._ref_count = 1,
         ._self      = self,
-        ._type      = type,
     };
 
-    g_hash_table_add(*table, res);
+    g_hash_table_add(priv->shared_ips, handle);
 
-    _LOGD("%s: reserved IP address %s/%u",
-          desc->name,
-          nm_inet4_ntop(res->addr, buf),
-          desc->prefix_len);
-    return res;
+    _LOGD("shared-ip4: reserved IP address range %s/24", nm_inet4_ntop(handle->addr, sbuf_addr));
+    return handle;
 }
 
 void
-nm_netns_ip_reservation_release(NMNetnsIPReservation *res)
+nm_netns_shared_ip_release(NMNetnsSharedIPHandle *handle)
 {
-    NMNetns                     *self;
-    NMNetnsPrivate              *priv;
-    const IPReservationTypeDesc *desc;
-    GHashTable                 **table;
-    char                         buf[NM_INET_ADDRSTRLEN];
+    NMNetns        *self;
+    NMNetnsPrivate *priv;
+    char            sbuf_addr[NM_INET_ADDRSTRLEN];
 
-    g_return_if_fail(res);
-    g_return_if_fail(res->_type < _NM_NETNS_IP_RESERVATION_TYPE_NUM);
+    g_return_if_fail(handle);
+
+    self = handle->_self;
 
-    self = res->_self;
     g_return_if_fail(NM_IS_NETNS(self));
 
-    priv  = NM_NETNS_GET_PRIVATE(self);
-    desc  = &ip_reservation_types[res->_type];
-    table = &priv->ip_reservation[res->_type];
+    priv = NM_NETNS_GET_PRIVATE(self);
 
-    nm_assert(res->_ref_count > 0);
-    nm_assert(res == nm_g_hash_table_lookup(*table, res));
+    nm_assert(handle->_ref_count > 0);
+    nm_assert(handle == nm_g_hash_table_lookup(priv->shared_ips, handle));
 
-    if (res->_ref_count > 1) {
-        nm_assert(desc->allow_reuse);
-        res->_ref_count--;
-        _LOGD("%s: release IP address reservation %s/%u (%d more references held)",
-              desc->name,
-              nm_inet4_ntop(res->addr, buf),
-              desc->prefix_len,
-              res->_ref_count);
+    if (handle->_ref_count > 1) {
+        nm_assert(handle->addr == ntohl(0x0A2AFF01u)); /* 10.42.255.1 */
+        handle->_ref_count--;
+        _LOGD("shared-ip4: release IP address range %s/24 (%d more references held)",
+              nm_inet4_ntop(handle->addr, sbuf_addr),
+              handle->_ref_count);
         return;
     }
 
-    if (!g_hash_table_remove(*table, res))
+    if (!g_hash_table_remove(priv->shared_ips, handle))
         nm_assert_not_reached();
 
-    _LOGD("%s: release IP address reservation %s/%u",
-          desc->name,
-          nm_inet4_ntop(res->addr, buf),
-          desc->prefix_len);
-
-    if (g_hash_table_size(*table) == 0) {
-        nm_clear_pointer(table, g_hash_table_unref);
+    if (g_hash_table_size(priv->shared_ips) == 0) {
+        nm_clear_pointer(&priv->shared_ips, g_hash_table_unref);
         g_object_unref(self);
     }
 
-    res->_self = NULL;
-    nm_g_slice_free(res);
+    _LOGD("shared-ip4: release IP address range %s/24", nm_inet4_ntop(handle->addr, sbuf_addr));
+
+    handle->_self = NULL;
+    nm_g_slice_free(handle);
 }
 
 /*****************************************************************************/
@@ -1604,14 +1560,11 @@ dispose(GObject *object)
 
     nm_assert(nm_g_hash_table_size(priv->l3cfgs) == 0);
     nm_assert(c_list_is_empty(&priv->l3cfg_signal_pending_lst_head));
+    nm_assert(!priv->shared_ips);
     nm_assert(nm_g_hash_table_size(priv->watcher_idx) == 0);
     nm_assert(nm_g_hash_table_size(priv->watcher_by_tag_idx) == 0);
     nm_assert(nm_g_hash_table_size(priv->watcher_ip_data_idx) == 0);
 
-    for (guint i = 0; i < _NM_NETNS_IP_RESERVATION_TYPE_NUM; i++) {
-        nm_assert(!priv->ip_reservation[i]);
-    }
-
     nm_clear_pointer(&priv->ecmp_track_by_obj, g_hash_table_destroy);
     nm_clear_pointer(&priv->ecmp_track_by_ecmpid, g_hash_table_destroy);
 

src/core/nm-netns.h

@@ -41,22 +41,15 @@ NML3Cfg *nm_netns_l3cfg_acquire(NMNetns *netns, int ifindex);
 
 /*****************************************************************************/
 
-typedef enum {
-    NM_NETNS_IP_RESERVATION_TYPE_SHARED4,
-
-    _NM_NETNS_IP_RESERVATION_TYPE_NUM,
-} NMNetnsIPReservationType;
-
 typedef struct {
-    in_addr_t                addr;
-    int                      _ref_count;
-    NMNetnsIPReservationType _type;
-    NMNetns                 *_self;
-} NMNetnsIPReservation;
+    in_addr_t addr;
+    int       _ref_count;
+    NMNetns  *_self;
+} NMNetnsSharedIPHandle;
 
-NMNetnsIPReservation *nm_netns_ip_reservation_get(NMNetns *self, NMNetnsIPReservationType type);
+NMNetnsSharedIPHandle *nm_netns_shared_ip_reserve(NMNetns *self);
 
-void nm_netns_ip_reservation_release(NMNetnsIPReservation *reservation);
+void nm_netns_shared_ip_release(NMNetnsSharedIPHandle *handle);
 
 /*****************************************************************************/
 

src/core/nm-policy.c

@@ -2353,10 +2353,7 @@ device_state_changed(NMDevice           *device,
         }
         if (sett_conn) {
             /* Reset auto retries back to default since connection was successful */
-            nm_manager_devcon_autoconnect_reset_reconnect_all(priv->manager,
-                                                              device,
-                                                              sett_conn,
-                                                              FALSE);
+            nm_manager_devcon_autoconnect_retries_reset(priv->manager, device, sett_conn);
         }
 
         /* Since there is no guarantee that device_l3cd_changed() is called

src/core/platform/tests/monitor.c

@@ -186,7 +186,6 @@ ip_again:
                                00644,
                                NULL,
                                NULL,
-                               NULL,
                                NULL);
 
     nm_log_dbg(LOGD_PLATFORM, "dump to file complete");

src/core/platform/tests/test-link.c

@@ -123,8 +123,7 @@ software_add(NMLinkType link_type, const char *name)
         gboolean bond0_exists = !!nm_platform_link_get_by_ifname(NM_PLATFORM_GET, "bond0");
         int      r;
         const NMPlatformLnkBond nm_platform_lnk_bond_default = {
-            .mode        = nmtst_rand_select(3, 1),
-            .use_carrier = 1,
+            .mode = nmtst_rand_select(3, 1),
         };
 
         r = nm_platform_link_bond_add(NM_PLATFORM_GET, name, &nm_platform_lnk_bond_default, NULL);

src/core/platform/tests/test-route.c

@@ -623,79 +623,6 @@ test_ip4_zero_gateway(void)
     nmtstp_wait_for_signal(NM_PLATFORM_GET, 50);
 }
 
-static void
-test_via(void)
-{
-    int                ifindex = nm_platform_link_get_ifindex(NM_PLATFORM_GET, DEVICE_NAME);
-    GPtrArray         *routes;
-    NMPlatformIP4Route rts[1];
-    struct in6_addr    gateway6;
-    const int          metric = 22987;
-    NMPlatformIP4Route route4;
-    guint              mss = 1000;
-    in_addr_t          net4;
-
-    /* Test IPv4 routes with a IPv6 gateway (using RTA_VIA attribute) */
-
-    inet_pton(AF_INET6, "fd01::1", &gateway6);
-    inet_pton(AF_INET, "1.2.3.4", &net4);
-
-    /* Add direct route to IPv6 gateway: ip route add dev $DEV fd01::1/128 */
-    nmtstp_ip6_route_add(NM_PLATFORM_GET,
-                         ifindex,
-                         NM_IP_CONFIG_SOURCE_USER,
-                         gateway6,
-                         128,
-                         in6addr_any,
-                         in6addr_any,
-                         metric,
-                         mss);
-    g_assert(nmtstp_ip6_route_get(NM_PLATFORM_GET, ifindex, &gateway6, 128, metric, NULL, 0));
-
-    /* Add IPv4 route via IPv6 gateway: ip route add dev $DEV 1.2.3.4/32 via inet6 fd01::1 */
-    route4 = (NMPlatformIP4Route) {
-        .ifindex         = ifindex,
-        .rt_source       = NM_IP_CONFIG_SOURCE_USER,
-        .network         = net4,
-        .plen            = 32,
-        .metric          = metric,
-        .via.addr_family = AF_INET6,
-        .via.addr.addr6  = gateway6,
-        .mss             = mss,
-    };
-    g_assert(NMTST_NM_ERR_SUCCESS(
-        nm_platform_ip4_route_add(NM_PLATFORM_GET, NMP_NLM_FLAG_REPLACE, &route4, NULL)));
-    g_assert(nmtstp_ip4_route_get(NM_PLATFORM_GET, ifindex, net4, 32, metric, 0));
-
-    /* Test route listing */
-    routes = nmtstp_ip4_route_get_all(NM_PLATFORM_GET, ifindex);
-    g_assert_cmpint(routes->len, ==, 1);
-
-    memset(rts, 0, sizeof(rts));
-    rts[0].rt_source       = nmp_utils_ip_config_source_round_trip_rtprot(NM_IP_CONFIG_SOURCE_USER);
-    rts[0].scope_inv       = nm_platform_route_scope_inv(RT_SCOPE_LINK);
-    rts[0].network         = net4;
-    rts[0].plen            = 32;
-    rts[0].ifindex         = ifindex;
-    rts[0].gateway         = INADDR_ANY;
-    rts[0].metric          = metric;
-    rts[0].mss             = mss;
-    rts[0].via.addr_family = AF_INET6;
-    rts[0].via.addr.addr6  = gateway6;
-    rts[0].n_nexthops      = 1;
-    nmtst_platform_ip4_routes_equal_aptr((const NMPObject *const *) routes->pdata,
-                                         rts,
-                                         routes->len,
-                                         TRUE);
-    g_ptr_array_unref(routes);
-
-    /* Delete routes */
-    g_assert(nmtstp_platform_ip6_route_delete(NM_PLATFORM_GET, ifindex, gateway6, 128, metric));
-    g_assert(!nmtstp_ip6_route_get(NM_PLATFORM_GET, ifindex, &gateway6, 128, metric, NULL, 0));
-    g_assert(nmtstp_platform_ip4_route_delete(NM_PLATFORM_GET, ifindex, net4, 32, metric));
-    g_assert(!nmtstp_ip4_route_get(NM_PLATFORM_GET, ifindex, net4, 32, metric, 0));
-}
-
 static void
 test_ip4_route_options(gconstpointer test_data)
 {
@@ -2494,7 +2421,6 @@ _nmtstp_setup_tests(void)
         add_test_func("/route/ip4_route_get", test_ip4_route_get);
         add_test_func("/route/ip6_route_get", test_ip6_route_get);
         add_test_func("/route/ip4_zero_gateway", test_ip4_zero_gateway);
-        add_test_func("/route/via", test_via);
     }
 
     if (nmtstp_is_root_test()) {

src/core/settings/nm-settings-storage.h

@@ -27,19 +27,6 @@
 
 struct _NMSettingsPlugin;
 
-/**
- * NMSettingsStorage:
- * @_plugin: The settings plugin that provides this storage.
- * @_uuid: UUID of the profile represented by this storage.
- * @_filename: Backing filename (can be NULL for in-memory or meta-data).
- * @_storage_lst: Node in the per-plugin storage list.
- * @_storage_by_uuid_lst: Node in the per-UUID storage list.
- *
- * Describes the origin and identity of one profile instance as provided by a
- * specific settings plugin and (optionally) a backing file. A single UUID may
- * have multiple storages from different plugins; plugin order determines
- * priority.
- */
 typedef struct NMSettingsStorage {
     GObject                   parent;
     struct _NMSettingsPlugin *_plugin;

src/core/settings/nm-settings.c

@@ -76,17 +76,6 @@ static NM_CACHED_QUARK_FCN("default-wired-connection-blocked",
 
 /*****************************************************************************/
 
-/**
- * StorageData:
- * @sd_lst: Node used in per-UUID storage lists.
- * @storage: Storage provider instance for this UUID.
- * @connection: Connection object backed by @storage, or NULL for meta-data.
- * @prioritize: Request to prioritize this storage during merge.
- *
- * Per-UUID storage entry used to accumulate and merge updates from plugins.
- * Items live temporarily in the dirty list and are merged into the current list
- * with stable priority ordering.
- */
 typedef struct _StorageData {
     CList              sd_lst;
     NMSettingsStorage *storage;
@@ -176,20 +165,6 @@ _storage_data_is_alive(StorageData *sd)
 
 /*****************************************************************************/
 
-/**
- * SettConnEntry:
- * @uuid: Normalized UUID key for this entry (points to @_uuid_data).
- * @sett_conn: Current NMSettingsConnection selected for @uuid, or NULL.
- * @storage: The storage that currently owns @sett_conn, or NULL.
- * @sd_lst_head: Head of current storages list for @uuid (high to low priority).
- * @dirty_sd_lst_head: Head of pending storage updates to merge.
- * @sce_dirty_lst: Node in the global dirty queue.
- * @_uuid_data: Inline storage backing @uuid.
- *
- * Tracks one connection profile across all storages and its dirty state.
- * It holds the authoritative in-memory connection and the sets of storages
- * providing or updating it.
- */
 typedef struct {
     const char           *uuid;
     NMSettingsConnection *sett_conn;
@@ -1393,11 +1368,10 @@ _connection_changed_track(NMSettings        *self,
                           NMConnection      *connection,
                           gboolean           prioritize)
 {
-    NMSettingsPrivate    *priv = NM_SETTINGS_GET_PRIVATE(self);
-    SettConnEntry        *sett_conn_entry;
-    StorageData          *sd;
-    const char           *uuid;
-    gs_free_error GError *error = NULL;
+    NMSettingsPrivate *priv = NM_SETTINGS_GET_PRIVATE(self);
+    SettConnEntry     *sett_conn_entry;
+    StorageData       *sd;
+    const char        *uuid;
 
     nm_assert_valid_settings_storage(NULL, storage);
 
@@ -1408,17 +1382,6 @@ _connection_changed_track(NMSettings        *self,
               || (_nm_connection_verify(connection, NULL) == NM_SETTING_VERIFY_SUCCESS));
     nm_assert(!connection || nm_streq0(uuid, nm_connection_get_uuid(connection)));
 
-    if (connection && !nm_utils_connection_supported(connection, &error)) {
-        _LOGD("storage[%s," NM_SETTINGS_STORAGE_PRINT_FMT
-              "]: ignoring connection \"%s\" from file \"%s\": %s",
-              uuid,
-              NM_SETTINGS_STORAGE_PRINT_ARG(storage),
-              nm_connection_get_id(connection),
-              nm_settings_storage_get_filename(storage),
-              error->message);
-        connection = NULL;
-    }
-
     nm_assert_connection_unchanging(connection);
 
     sett_conn_entry =
@@ -1888,9 +1851,6 @@ nm_settings_add_connection(NMSettings                     *self,
 
     NM_SET_OUT(out_sett_conn, NULL);
 
-    if (!nm_utils_connection_supported(connection, error))
-        return FALSE;
-
     uuid = nm_connection_get_uuid(connection);
 
     sett_conn_entry = _sett_conn_entries_get(self, uuid);

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c

@@ -77,7 +77,7 @@ get_full_file_path(const char *ifcfg_path, const char *file_path)
 {
     const char   *base    = file_path;
     gs_free char *dirname = NULL;
-    const char   *p;
+    char         *p;
 
     g_return_val_if_fail(ifcfg_path != NULL, NULL);
     g_return_val_if_fail(file_path != NULL, NULL);
@@ -2056,9 +2056,8 @@ make_ip4_setting(shvarFile *ifcfg,
          * Pick up just IPv4 addresses (IPv6 addresses are taken by make_ip6_setting())
          */
         for (i = 1; i < 10000; i++) {
-            NMDnsServer           dns;
-            char                  tag[256];
-            gs_free_error GError *local = NULL;
+            NMDnsServer dns;
+            char        tag[256];
 
             numbered_tag(tag, "DNS", i);
             nm_clear_g_free(&value);
@@ -2066,13 +2065,12 @@ make_ip4_setting(shvarFile *ifcfg,
             if (!v)
                 break;
 
-            if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns, &local)) {
+            if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns)) {
                 g_set_error(error,
                             NM_SETTINGS_ERROR,
                             NM_SETTINGS_ERROR_INVALID_CONNECTION,
-                            "Invalid DNS server address '%s': %s",
-                            v,
-                            local->message);
+                            "Invalid DNS server address '%s'",
+                            v);
                 return NULL;
             }
 
@@ -2609,9 +2607,8 @@ make_ip6_setting(shvarFile *ifcfg, shvarFile *network_ifcfg, gboolean routes_rea
      * Pick up just IPv6 addresses (IPv4 addresses are taken by make_ip4_setting())
      */
     for (i = 1; i < 10000; i++) {
-        gs_free_error GError *err = NULL;
-        NMDnsServer           dns;
-        char                  tag[256];
+        NMDnsServer dns;
+        char        tag[256];
 
         numbered_tag(tag, "DNS", i);
         nm_clear_g_free(&value);
@@ -2619,15 +2616,14 @@ make_ip6_setting(shvarFile *ifcfg, shvarFile *network_ifcfg, gboolean routes_rea
         if (!v)
             break;
 
-        if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns, &err)) {
+        if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns)) {
             if (is_disabled)
                 continue;
             g_set_error(error,
                         NM_SETTINGS_ERROR,
                         NM_SETTINGS_ERROR_INVALID_CONNECTION,
-                        "Invalid DNS server address '%s': %s",
-                        v,
-                        err->message);
+                        "Invalid DNS server address '%s'",
+                        v);
             return NULL;
         }
         if (dns.addr_family == AF_INET6) {

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c

@@ -320,7 +320,6 @@ write_blobs(GHashTable *blobs, GError **error)
                                         0600,
                                         NULL,
                                         NULL,
-                                        NULL,
                                         &write_error)) {
             g_set_error(error,
                         NM_SETTINGS_ERROR,
@@ -3627,14 +3626,6 @@ do_write_construct(NMConnection                   *connection,
 
     write_ip_routing_rules(connection, ifcfg, route_ignore);
 
-    if (nm_setting_connection_get_dnssec(s_con) != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
-        set_error_unsupported(error,
-                              connection,
-                              NM_SETTING_CONNECTION_SETTING_NAME "." NM_SETTING_CONNECTION_DNSSEC,
-                              TRUE);
-        return FALSE;
-    }
-
     write_connection_setting(s_con, ifcfg, interface_name);
 
     NM_SET_OUT(out_ifcfg, g_steal_pointer(&ifcfg));

src/core/settings/plugins/keyfile/nms-keyfile-utils.c

@@ -280,7 +280,6 @@ nms_keyfile_nmmeta_write(const char *dirname,
                                         length,
                                         0600,
                                         NULL,
-                                        NULL,
                                         &errsv,
                                         NULL)) {
             NM_SET_OUT(out_full_filename, g_steal_pointer(&full_filename_tmp));

src/core/settings/plugins/keyfile/nms-keyfile-writer.c

@@ -133,7 +133,6 @@ cert_writer(NMConnection                     *connection,
                                              0600,
                                              NULL,
                                              NULL,
-                                             NULL,
                                              &local);
         if (success) {
             /* Write the path value to the keyfile.
@@ -385,14 +384,7 @@ _internal_write_connection(NMConnection                   *connection,
         }
     }
 
-    nm_utils_file_set_contents(path,
-                               kf_content_buf,
-                               kf_content_len,
-                               0600,
-                               NULL,
-                               NULL,
-                               NULL,
-                               &local_err);
+    nm_utils_file_set_contents(path, kf_content_buf, kf_content_len, 0600, NULL, NULL, &local_err);
     if (local_err) {
         g_set_error(error,
                     NM_SETTINGS_ERROR,

src/core/settings/plugins/keyfile/tests/keyfiles/Test_Write_GSM

@@ -8,7 +8,6 @@ timestamp=305415219
 [gsm]
 apn=internet2.voicestream.com
 device-id=da812de91eec16620b06cd0ca5cbc7ea25245222
-device-uid=MODEM1
 home-only=true
 network-id=254098
 password=parliament2

src/core/settings/plugins/keyfile/tests/test-keyfile-settings.c

@@ -1408,8 +1408,6 @@ test_write_gsm_connection(void)
                  "89148000000060671234",
                  NM_SETTING_GSM_SIM_OPERATOR_ID,
                  "310260",
-                 NM_SETTING_GSM_DEVICE_UID,
-                 "MODEM1",
                  NULL);
 
     write_test_connection_and_reread(connection, TRUE, TEST_KEYFILES_DIR "/Test_Write_GSM");

src/core/supplicant/nm-supplicant-config.c

@@ -1016,7 +1016,7 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
         if (_get_capability(priv, NM_SUPPL_CAP_TYPE_SAE)
             && _get_capability(priv, NM_SUPPL_CAP_TYPE_PMF)
             && _get_capability(priv, NM_SUPPL_CAP_TYPE_BIP)
-            && (pmf != NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE)) {
+            && (!is_ap || pmf != NM_SETTING_WIRELESS_SECURITY_PMF_DISABLE)) {
             g_string_append(key_mgmt_conf, " SAE");
             if (!is_ap && _get_capability(priv, NM_SUPPL_CAP_TYPE_FT))
                 g_string_append(key_mgmt_conf, " FT-SAE");

src/core/supplicant/nm-supplicant-interface.c

@@ -66,8 +66,6 @@ enum {
     WPS_CREDENTIALS, /* WPS credentials received */
     GROUP_STARTED,   /* a new Group (interface) was created */
     GROUP_FINISHED,  /* a Group (interface) has been finished */
-    PSK_MISMATCH,    /* supplicant reported incorrect PSK */
-    SAE_MISMATCH,    /* supplicant reported incorrect SAE Password */
     LAST_SIGNAL
 };
 
@@ -3234,15 +3232,6 @@ _signal_handle(NMSupplicantInterface *self,
             return;
         }
 
-        if (nm_streq(signal_name, "PskMismatch")) {
-            g_signal_emit(self, signals[PSK_MISMATCH], 0);
-            return;
-        }
-
-        if (nm_streq(signal_name, "SaePasswordMismatch")) {
-            g_signal_emit(self, signals[SAE_MISMATCH], 0);
-            return;
-        }
         return;
     }
 
@@ -3875,23 +3864,4 @@ nm_supplicant_interface_class_init(NMSupplicantInterfaceClass *klass)
                                            G_TYPE_NONE,
                                            1,
                                            G_TYPE_STRING);
-
-    signals[PSK_MISMATCH] = g_signal_new(NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
-                                         G_OBJECT_CLASS_TYPE(object_class),
-                                         G_SIGNAL_RUN_LAST,
-                                         0,
-                                         NULL,
-                                         NULL,
-                                         NULL,
-                                         G_TYPE_NONE,
-                                         0);
-    signals[SAE_MISMATCH] = g_signal_new(NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
-                                         G_OBJECT_CLASS_TYPE(object_class),
-                                         G_SIGNAL_RUN_LAST,
-                                         0,
-                                         NULL,
-                                         NULL,
-                                         NULL,
-                                         G_TYPE_NONE,
-                                         0);
 }

src/core/supplicant/nm-supplicant-interface.h

@@ -86,8 +86,6 @@ typedef enum {
 #define NM_SUPPLICANT_INTERFACE_WPS_CREDENTIALS "wps-credentials"
 #define NM_SUPPLICANT_INTERFACE_GROUP_STARTED   "group-started"
 #define NM_SUPPLICANT_INTERFACE_GROUP_FINISHED  "group-finished"
-#define NM_SUPPLICANT_INTERFACE_PSK_MISMATCH    "wpa-psk-mismatch"
-#define NM_SUPPLICANT_INTERFACE_SAE_MISMATCH    "wpa-sae-password-mismatch"
 
 typedef struct _NMSupplicantInterfaceClass NMSupplicantInterfaceClass;
 

src/core/supplicant/nm-supplicant-settings-verify.c

@@ -212,19 +212,18 @@ validate_type_utf8(const struct Opt *opt, const char *value, const guint32 len)
 }
 
 static gboolean
-validate_type_keyword(const struct Opt *opt, const char *value_in, const guint32 len)
+validate_type_keyword(const struct Opt *opt, const char *value, const guint32 len)
 {
     gs_free char *value_free = NULL;
-    char         *value;
 
     nm_assert(opt);
-    nm_assert(value_in);
+    nm_assert(value);
 
     /* Allow everything */
     if (!opt->str_allowed)
         return TRUE;
 
-    value = nm_strndup_a(300, value_in, len, &value_free);
+    value = nm_strndup_a(300, value, len, &value_free);
 
     /* validate each space-separated word in 'value' */
 

src/core/tests/meson.build

@@ -6,7 +6,6 @@ test_units = [
   'test-core',
   'test-core-with-expect',
   'test-dcb',
-  'test-netns',
   'test-l3cfg',
   'test-utils',
   'test-wired-defname',

src/core/tests/test-netns.c

@@ -1,69 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include "src/core/nm-default-daemon.h"
-
-#include "nm-netns.h"
-#include "nm-test-utils-core.h"
-
-static void
-test_ip_reservation_shared4(void)
-{
-    gs_unref_object NMPlatform *platform = NULL;
-    gs_unref_object NMNetns    *netns    = NULL;
-    NMNetnsIPReservation       *res[256];
-    NMNetnsIPReservation       *res1;
-    NMNetnsIPReservation       *res2;
-    char                        buf[NM_INET_ADDRSTRLEN];
-    guint                       i;
-
-    platform = g_object_ref(NM_PLATFORM_GET);
-    netns    = nm_netns_new(platform);
-
-    /* Allocate addresses from 10.42.0.1 to 10.42.255.1 */
-    for (i = 0; i < 256; i++) {
-        res[i] = nm_netns_ip_reservation_get(netns, NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
-        g_snprintf(buf, sizeof(buf), "10.42.%u.1", i);
-        nmtst_assert_ip4_address(res[i]->addr, buf);
-        g_assert_cmpint(res[i]->_ref_count, ==, 1);
-    }
-
-    /* Release an address and get it back */
-    nm_netns_ip_reservation_release(res[139]);
-    res[139] = nm_netns_ip_reservation_get(netns, NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
-    nmtst_assert_ip4_address(res[139]->addr, "10.42.139.1");
-
-    /* Reuse 10.42.255.1 once */
-    NMTST_EXPECT_NM_ERROR("netns[*]: shared-ip4: ran out of IP addresses. Reuse 10.42.255.1/24");
-    res1 = nm_netns_ip_reservation_get(netns, NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
-    g_test_assert_expected_messages();
-    nmtst_assert_ip4_address(res1->addr, "10.42.255.1");
-    g_assert_cmpint(res1->_ref_count, ==, 2);
-
-    /* Reuse 10.42.255.1 twice */
-    res2 = nm_netns_ip_reservation_get(netns, NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
-    g_assert(res2 == res1);
-    nmtst_assert_ip4_address(res1->addr, "10.42.255.1");
-    g_assert_cmpint(res2->_ref_count, ==, 3);
-
-    /* Release all */
-    nm_netns_ip_reservation_release(res1);
-    nm_netns_ip_reservation_release(res2);
-    for (i = 0; i < 256; i++) {
-        nm_netns_ip_reservation_release(res[i]);
-    }
-}
-
-/*****************************************************************************/
-
-NMTST_DEFINE();
-
-int
-main(int argc, char **argv)
-{
-    nmtst_init_with_logging(&argc, &argv, NULL, "ALL");
-    nm_linux_platform_setup();
-
-    g_test_add_func("/netns/ip_reservation/shared4", test_ip_reservation_shared4);
-
-    return g_test_run();
-}

src/core/tests/test-utils.c

@@ -260,70 +260,6 @@ test_shorten_hostname(void)
     do_test_shorten_hostname(".name1", FALSE, NULL);
 }
 
-/*****************************************************************************/
-typedef struct {
-    NMRateLimit ratelimit;
-    GMainLoop  *loop;
-    GSource    *source;
-    guint       num;
-} RateLimitData;
-
-static int
-rate_limit_window_expire_cb(gpointer user_data)
-{
-    RateLimitData *data = user_data;
-
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-
-    g_assert(!nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(!nm_rate_limit_check(&data->ratelimit, 1, 5));
-
-    nm_clear_g_source_inst(&data->source);
-    g_main_loop_quit(data->loop);
-
-    return G_SOURCE_CONTINUE;
-}
-
-static int
-rate_limit_check_cb(gpointer user_data)
-{
-    RateLimitData *data = user_data;
-
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-
-    g_assert(!nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(!nm_rate_limit_check(&data->ratelimit, 1, 5));
-
-    nm_clear_g_source_inst(&data->source);
-    data->source = nm_g_timeout_add_source(1000, rate_limit_window_expire_cb, data);
-
-    return G_SOURCE_CONTINUE;
-}
-
-static void
-test_rate_limit_check(void)
-{
-    RateLimitData data;
-
-    data = (RateLimitData) {
-        .loop      = g_main_loop_new(NULL, FALSE),
-        .ratelimit = {},
-        .source    = nm_g_timeout_add_source(1, rate_limit_check_cb, &data),
-        .num       = 0,
-    };
-
-    g_main_loop_run(data.loop);
-    g_main_loop_unref(data.loop);
-}
-
 /*****************************************************************************/
 
 NMTST_DEFINE();
@@ -336,7 +272,6 @@ main(int argc, char **argv)
     g_test_add_func("/utils/stable_privacy", test_stable_privacy);
     g_test_add_func("/utils/hw_addr_gen_stable_eth", test_hw_addr_gen_stable_eth);
     g_test_add_func("/utils/shorten-hostname", test_shorten_hostname);
-    g_test_add_func("/utils/rate-limit-check", test_rate_limit_check);
 
     return g_test_run();
 }

src/core/vpn/nm-vpn-connection.c

@@ -26,12 +26,10 @@
 #include "nm-active-connection.h"
 #include "nm-config.h"
 #include "nm-dbus-manager.h"
-#include "devices/nm-device.h"
 #include "nm-dispatcher.h"
 #include "nm-firewalld-manager.h"
 #include "nm-ip-config.h"
 #include "nm-l3-config-data.h"
-#include "nm-manager.h"
 #include "nm-netns.h"
 #include "nm-pacrunner-manager.h"
 #include "nm-vpn-manager.h"
@@ -1411,11 +1409,9 @@ _check_complete(NMVpnConnection *self, gboolean success)
     NMVpnConnectionPrivate                 *priv = NM_VPN_CONNECTION_GET_PRIVATE(self);
     nm_auto_unref_l3cd_init NML3ConfigData *l3cd = NULL;
     NMConnection                           *connection;
-    NMDevice                               *device;
     NMSettingConnection                    *s_con;
     const char                             *zone;
     const char                             *iface;
-    int                                     ifindex;
 
     if (priv->vpn_state < STATE_IP_CONFIG_GET || priv->vpn_state > STATE_ACTIVATED)
         return;
@@ -1441,23 +1437,10 @@ _check_complete(NMVpnConnection *self, gboolean success)
     }
 
     connection = _get_applied_connection(self);
-    ifindex    = nm_vpn_connection_get_ip_ifindex(self, FALSE);
-    /* Use nm_device_create_l3_config_data_from_connection here if possible. This ensures that
-     * connection properties like mdns, llmnr, dns-over-tls or dnssec are applied to vpn connections
-     * If this vpn connection does not have its own device resort to nm_l3_config_data_new_from_connection
-     * since we can't properly apply these properties anyway
-     */
-    if (ifindex > 0) {
-        device = nm_manager_get_device_by_ifindex(NM_MANAGER_GET, ifindex);
-        nm_assert(device);
-        l3cd = nm_device_create_l3_config_data_from_connection(device, connection);
-    } else {
-        l3cd = nm_l3_config_data_new_from_connection(nm_netns_get_multi_idx(priv->netns),
-                                                     nm_vpn_connection_get_ip_ifindex(self, TRUE),
-                                                     connection);
-        _LOGD("VPN connection does not have its own device. Some connection properties won't be "
-              "supported.");
-    }
+
+    l3cd = nm_l3_config_data_new_from_connection(nm_netns_get_multi_idx(priv->netns),
+                                                 nm_vpn_connection_get_ip_ifindex(self, TRUE),
+                                                 connection);
 
     nm_l3_config_data_set_allow_routes_without_address(l3cd, AF_INET, TRUE);
     nm_l3_config_data_set_allow_routes_without_address(l3cd, AF_INET6, TRUE);

src/core/vpn/nm-vpn-manager.c

@@ -60,21 +60,16 @@ nm_vpn_manager_activate_connection(NMVpnManager *manager, NMVpnConnection *vpn,
 {
     NMVpnManagerPrivate *priv;
     NMVpnPluginInfo     *plugin_info;
-    NMConnection        *applied;
     const char          *service_name;
     NMDevice            *device;
-    const char          *user;
 
     g_return_val_if_fail(NM_IS_VPN_MANAGER(manager), FALSE);
     g_return_val_if_fail(NM_IS_VPN_CONNECTION(vpn), FALSE);
     g_return_val_if_fail(!error || !*error, FALSE);
 
-    priv    = NM_VPN_MANAGER_GET_PRIVATE(manager);
-    device  = nm_active_connection_get_device(NM_ACTIVE_CONNECTION(vpn));
-    applied = nm_active_connection_get_applied_connection(NM_ACTIVE_CONNECTION(vpn));
-    nm_assert(device);
-    nm_assert(applied);
-
+    priv   = NM_VPN_MANAGER_GET_PRIVATE(manager);
+    device = nm_active_connection_get_device(NM_ACTIVE_CONNECTION(vpn));
+    g_assert(device);
     if (nm_device_get_state(device) != NM_DEVICE_STATE_ACTIVATED
         && nm_device_get_state(device) != NM_DEVICE_STATE_SECONDARIES) {
         g_set_error_literal(error,
@@ -106,30 +101,6 @@ nm_vpn_manager_activate_connection(NMVpnManager *manager, NMVpnConnection *vpn,
         return FALSE;
     }
 
-    user = nm_utils_get_connection_first_permissions_user(applied);
-    if (user) {
-        NMSettingConnection *s_con;
-
-        s_con = nm_connection_get_setting_connection(applied);
-        nm_assert(s_con);
-        if (_nm_setting_connection_get_num_permissions_users(s_con) > 1) {
-            g_set_error_literal(error,
-                                NM_MANAGER_ERROR,
-                                NM_MANAGER_ERROR_CONNECTION_NOT_AVAILABLE,
-                                "private VPN connections with multiple users are not allowed.");
-            return FALSE;
-        }
-
-        if (!nm_vpn_plugin_info_supports_safe_private_file_access(plugin_info)) {
-            g_set_error(error,
-                        NM_MANAGER_ERROR,
-                        NM_MANAGER_ERROR_CONNECTION_NOT_AVAILABLE,
-                        "The '%s' plugin doesn't support private connections.",
-                        nm_vpn_plugin_info_get_name(plugin_info));
-            return FALSE;
-        }
-    }
-
     nm_vpn_connection_activate(vpn, plugin_info);
 
     if (!nm_vpn_plugin_info_supports_multiple(plugin_info)) {

src/libnm-base/nm-config-base.h

@@ -65,7 +65,6 @@
 
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_MANAGED                    "managed"
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_IGNORE_CARRIER             "ignore-carrier"
-#define NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY         "check-connectivity"
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_SRIOV_NUM_VFS              "sriov-num-vfs"
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_KEEP_CONFIGURATION         "keep-configuration"
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_ALLOWED_CONNECTIONS        "allowed-connections"

src/libnm-client-aux-extern/tests/test-libnm-client-aux.c

@@ -234,227 +234,6 @@ test_team_link_watcher_tofro_string(void)
                            NM_TEAM_LINK_WATCHER_ARP_PING_FLAG_NONE);
 }
 
-static void
-test_wireguard_peer(void)
-{
-    guint i;
-    struct {
-        const char *input;
-        const char *canonical; /* canonical string representation */
-
-        gboolean    invalid;
-        const char *pubkey;
-        const char *endpoint;
-        guint16     keepalive;
-        guint       num_allowed_ips;
-        const char *allowed_ips[2];
-        const char *psk;
-        int         psk_flags;
-    } tests[] = {{
-                     /* Public key only */
-                     .input     = "MWEKYcE9MEh5RoGDuJYrJ2YgkoosONGhuHRBAC00e14=",
-                     .canonical = "MWEKYcE9MEh5RoGDuJYrJ2YgkoosONGhuHRBAC00e14=",
-                     .pubkey    = "MWEKYcE9MEh5RoGDuJYrJ2YgkoosONGhuHRBAC00e14=",
-                 },
-                 {
-                     /* IPv4 endpoint */
-                     .input     = "+DIX0qWKQ4E6hy7MWzsSRXjqAHCtffWrXTdJPe/xS04="
-                                  " endpoint=1.2.3.4:5555",
-                     .canonical = "+DIX0qWKQ4E6hy7MWzsSRXjqAHCtffWrXTdJPe/xS04="
-                                  " endpoint=1.2.3.4:5555",
-                     .pubkey    = "+DIX0qWKQ4E6hy7MWzsSRXjqAHCtffWrXTdJPe/xS04=",
-                     .endpoint  = "1.2.3.4:5555",
-                 },
-                 {
-                     /* IPv6 endpoint */
-                     .input     = "aPsdPkeqH4l5Nax3g3e8A8f7g0hJk2l3m4N5p6q7R8s="
-                                  " endpoint=[fd01:db8::1]:8080",
-                     .canonical = "aPsdPkeqH4l5Nax3g3e8A8f7g0hJk2l3m4N5p6q7R8s="
-                                  " endpoint=[fd01:db8::1]:8080",
-                     .pubkey    = "aPsdPkeqH4l5Nax3g3e8A8f7g0hJk2l3m4N5p6q7R8s=",
-                     .endpoint  = "[fd01:db8::1]:8080",
-                 },
-                 {
-                     /* IPv6 endpoint, without brackets */
-                     .input     = "+DIX0qWKQ4E6hy7MWzsSRXjqAHCtffWrXTdJPe/xS04="
-                                  " endpoint=fd01::12:8080",
-                     .canonical = "+DIX0qWKQ4E6hy7MWzsSRXjqAHCtffWrXTdJPe/xS04="
-                                  " endpoint=fd01::12:8080",
-                     .pubkey    = "+DIX0qWKQ4E6hy7MWzsSRXjqAHCtffWrXTdJPe/xS04=",
-                     .endpoint  = "fd01::12:8080",
-                 },
-                 {
-                     /* Single IPv4 allowed-ip */
-                     .input           = "s4fmZZA3gMGVv8+0hkSwrmeLC6nNd+Pd6DlSaufLKhY="
-                                        " allowed-ips=172.16.0.0/16",
-                     .canonical       = "s4fmZZA3gMGVv8+0hkSwrmeLC6nNd+Pd6DlSaufLKhY="
-                                        " allowed-ips=172.16.0.0/16",
-                     .pubkey          = "s4fmZZA3gMGVv8+0hkSwrmeLC6nNd+Pd6DlSaufLKhY=",
-                     .num_allowed_ips = 1,
-                     .allowed_ips     = {"172.16.0.0/16"},
-                 },
-                 {
-                     /* Multiple allowed-ips */
-                     .input           = "V02J2zmCi2LHX2KMK+ZOgDNhZzK4JXjGNr7CYfz9DxQ="
-                                        " allowed-ips=192.168.2.0/24;2001:db8:a::/48",
-                     .canonical       = "V02J2zmCi2LHX2KMK+ZOgDNhZzK4JXjGNr7CYfz9DxQ="
-                                        " allowed-ips=192.168.2.0/24;2001:db8:a::/48",
-                     .pubkey          = "V02J2zmCi2LHX2KMK+ZOgDNhZzK4JXjGNr7CYfz9DxQ=",
-                     .num_allowed_ips = 2,
-                     .allowed_ips     = {"192.168.2.0/24", "2001:db8:a::/48"},
-                 },
-                 {
-                     /* Persistent-keepalive */
-                     .input     = "D1FTp8Wy1oJQI045yXo9EMdxJqjXHC3VhTCPTh3lSQM="
-                                  " persistent-keepalive=25",
-                     .canonical = "D1FTp8Wy1oJQI045yXo9EMdxJqjXHC3VhTCPTh3lSQM="
-                                  " persistent-keepalive=25",
-                     .pubkey    = "D1FTp8Wy1oJQI045yXo9EMdxJqjXHC3VhTCPTh3lSQM=",
-                     .keepalive = 25,
-                 },
-                 {
-                     /* Preshared-key without flags (should default to 0) */
-                     .input     = "H5cWWgpWgJH+nHFhsuPS3adgZHuc6Z4cRzfiNRTinE0="
-                                  " preshared-key=16uGwZvROnwyNGoW6Z3pvJB5GKbd6ncYROA/FFleLQA=",
-                     .canonical = "H5cWWgpWgJH+nHFhsuPS3adgZHuc6Z4cRzfiNRTinE0="
-                                  " preshared-key=16uGwZvROnwyNGoW6Z3pvJB5GKbd6ncYROA/FFleLQA="
-                                  " preshared-key-flags=0",
-                     .pubkey    = "H5cWWgpWgJH+nHFhsuPS3adgZHuc6Z4cRzfiNRTinE0=",
-                     .psk       = "16uGwZvROnwyNGoW6Z3pvJB5GKbd6ncYROA/FFleLQA=",
-                     .psk_flags = 0,
-                 },
-                 {
-                     /* Preshared-key flags as string */
-                     .input     = "H5cWWgpWgJH+nHFhsuPS3adgZHuc6Z4cRzfiNRTinE0="
-                                  " preshared-key=16uGwZvROnwyNGoW6Z3pvJB5GKbd6ncYROA/FFleLQA="
-                                  " preshared-key-flags=not-saved",
-                     .canonical = "H5cWWgpWgJH+nHFhsuPS3adgZHuc6Z4cRzfiNRTinE0="
-                                  " preshared-key=16uGwZvROnwyNGoW6Z3pvJB5GKbd6ncYROA/FFleLQA="
-                                  " preshared-key-flags=2",
-                     .pubkey    = "H5cWWgpWgJH+nHFhsuPS3adgZHuc6Z4cRzfiNRTinE0=",
-                     .psk       = "16uGwZvROnwyNGoW6Z3pvJB5GKbd6ncYROA/FFleLQA=",
-                     .psk_flags = 2,
-                 },
-                 {
-                     /* Non-canonical order and extra whitespaces */
-                     .input           = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY="
-                                        "  preshared-key=EVVP8pOzn8R3nQtv62/hnGsXzyagEgykSboFe4EFhQc="
-                                        " endpoint=vpn.example.com:51820  "
-                                        " preshared-key-flags=1"
-                                        " persistent-keepalive=45"
-                                        " allowed-ips=0.0.0.0/0;::/0",
-                     .canonical       = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY="
-                                        " allowed-ips=0.0.0.0/0;::/0"
-                                        " endpoint=vpn.example.com:51820"
-                                        " persistent-keepalive=45"
-                                        " preshared-key=EVVP8pOzn8R3nQtv62/hnGsXzyagEgykSboFe4EFhQc="
-                                        " preshared-key-flags=1",
-                     .pubkey          = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY=",
-                     .endpoint        = "vpn.example.com:51820",
-                     .keepalive       = 45,
-                     .num_allowed_ips = 2,
-                     .allowed_ips     = {"0.0.0.0/0", "::/0"},
-                     .psk             = "EVVP8pOzn8R3nQtv62/hnGsXzyagEgykSboFe4EFhQc=",
-                     .psk_flags       = 1,
-                 },
-                 {
-                     /* Empty string */
-                     .input   = "",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Invalid public key*/
-                     .input   = "aaaaaaaaaaaaaaaaaaaaaaa=",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Missing value*/
-                     .input   = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY= "
-                                "persistent-keepalive=",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Unknown attribute */
-                     .input   = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY= "
-                                "persistent-keepalive=12 foobarness=13",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Invalid IPv4 allowed-ip*/
-                     .input   = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY= "
-                                "allowed-ips=192.168.10.256/32",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Invalid IPv6 allowed-ip */
-                     .input   = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY= "
-                                "allowed-ips=fd01::1::3/64",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Endpoint with no port */
-                     .input   = "+DIX0qWKQ4E6hy7MWzsSRXjqAHCtffWrXTdJPe/xS04="
-                                " endpoint=1.2.3.4",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Invalid endpoint */
-                     .input   = "+DIX0qWKQ4E6hy7MWzsSRXjqAHCtffWrXTdJPe/xS04="
-                                " endpoint=1.2.3.5.6",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Invalid persistent-keepalive */
-                     .input   = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY= "
-                                "persistent-keepalive=yes",
-                     .invalid = TRUE,
-                 },
-                 {
-                     /* Invalid PSK */
-                     .input   = "gqQ9dUqKQNfz/KOqELJpS0MKBvRcYWL8sm/LGEWKKQY="
-                                " preshared-key=pskpskpskpskpskpskpskpskpskpskpskpsk",
-                     .invalid = TRUE,
-                 }};
-
-    for (i = 0; i < G_N_ELEMENTS(tests); i++) {
-        nm_auto_unref_wgpeer NMWireGuardPeer *peer   = NULL;
-        gs_free_error GError                 *error  = NULL;
-        gs_free char                         *newstr = NULL;
-        guint                                 j;
-
-        peer = _nm_utils_wireguard_peer_from_string(tests[i].input, &error);
-        if (tests[i].invalid) {
-            g_assert(!peer);
-            g_assert(error);
-            continue;
-        }
-        g_assert_no_error(error);
-        g_assert_nonnull(peer);
-
-        newstr = _nm_utils_wireguard_peer_to_string(peer);
-        g_assert_nonnull(newstr);
-        g_assert_cmpstr(tests[i].canonical, ==, newstr);
-
-        g_assert_cmpstr(tests[i].pubkey, ==, nm_wireguard_peer_get_public_key(peer));
-        g_assert_cmpstr(tests[i].endpoint, ==, nm_wireguard_peer_get_endpoint(peer));
-
-        g_assert_cmpint(tests[i].num_allowed_ips, ==, nm_wireguard_peer_get_allowed_ips_len(peer));
-        for (j = 0; j < tests[i].num_allowed_ips; j++) {
-            g_assert_cmpstr(tests[i].allowed_ips[j],
-                            ==,
-                            nm_wireguard_peer_get_allowed_ip(peer, j, NULL));
-        }
-
-        g_assert_cmpint(tests[i].keepalive, ==, nm_wireguard_peer_get_persistent_keepalive(peer));
-        g_assert_cmpstr(tests[i].psk, ==, nm_wireguard_peer_get_preshared_key(peer));
-        if (tests[i].psk) {
-            g_assert_cmpint(tests[i].psk_flags,
-                            ==,
-                            nm_wireguard_peer_get_preshared_key_flags(peer));
-        }
-    }
-}
-
 /*****************************************************************************/
 
 NMTST_DEFINE();
@@ -466,7 +245,6 @@ main(int argc, char **argv)
 
     g_test_add_func("/libnm-core-aux/test_team_link_watcher_tofro_string",
                     test_team_link_watcher_tofro_string);
-    g_test_add_func("/libnm-core-aux/test-wireguard-peer", test_wireguard_peer);
 
     return g_test_run();
 }

src/libnm-client-impl/libnm.ver

@@ -2084,12 +2084,8 @@ global:
 	nm_setting_hsr_protocol_version_get_type;
 } libnm_1_54_0;
 
-libnm_1_56_0 {
+libnm_1_54_3 {
 global:
-	nm_dns_server_validate;
-	nm_setting_gsm_get_device_uid;
-	nm_setting_connection_get_dnssec;
-	nm_setting_connection_dnssec_get_type;
 	nm_utils_copy_cert_as_user;
 	nm_vpn_plugin_info_supports_safe_private_file_access;
-} libnm_1_54_0;
+} libnm_1_54_2;

src/libnm-client-impl/tests/test-gir.py

@@ -93,6 +93,8 @@ def syms_from_ver(verfile):
     # hardcode it.
     c_syms["nm_ethtool_optname_is_feature"] = "1.20"
     c_syms["nm_setting_bond_port_get_prio"] = "1.44"
+    c_syms["nm_utils_copy_cert_as_user"] = "1.56"
+    c_syms["nm_vpn_plugin_info_supports_safe_private_file_access"] = "1.56"
 
     return c_syms
 

src/libnm-client-impl/tests/test-libnm.c

@@ -2756,8 +2756,6 @@ test_types(void)
         G(nm_setting_connection_lldp_get_type),
         G(nm_setting_connection_llmnr_get_type),
         G(nm_setting_connection_mdns_get_type),
-        G(nm_setting_connection_dns_over_tls_get_type),
-        G(nm_setting_connection_dnssec_get_type),
         G(nm_setting_dcb_flags_get_type),
         G(nm_setting_dcb_get_type),
         G(nm_setting_diff_result_get_type),

src/libnm-core-aux-extern/nm-libnm-core-aux.c

@@ -7,7 +7,6 @@
 
 #include "nm-libnm-core-aux.h"
 
-#include "nm-errors.h"
 #include "libnm-core-aux-intern/nm-libnm-core-utils.h"
 #include "libnm-glib-aux/nm-str-buf.h"
 
@@ -476,177 +475,3 @@ _nm_ip_route_to_string(NMIPRoute *route, NMStrBuf *strbuf)
         nm_str_buf_append_printf(strbuf, " metric %" G_GINT64_FORMAT, metric);
     }
 }
-
-/*****************************************************************************/
-
-char *
-_nm_utils_wireguard_peer_to_string(NMWireGuardPeer *peer)
-{
-    GString    *str;
-    const char *endpoint;
-    const char *psk;
-    guint16     keepalive;
-    guint       i;
-    guint       len;
-
-    g_return_val_if_fail(peer, "");
-
-    nm_assert(nm_wireguard_peer_is_valid(peer, TRUE, TRUE, NULL));
-
-    str = g_string_new("");
-    g_string_append(str, nm_wireguard_peer_get_public_key(peer));
-
-    len = nm_wireguard_peer_get_allowed_ips_len(peer);
-    if (len > 0) {
-        g_string_append(str, " allowed-ips=");
-        for (i = 0; i < len; i++) {
-            g_string_append(str, nm_wireguard_peer_get_allowed_ip(peer, i, NULL));
-            if (i < len - 1)
-                g_string_append(str, ";");
-        }
-    }
-
-    endpoint = nm_wireguard_peer_get_endpoint(peer);
-    if (endpoint) {
-        g_string_append_printf(str, " endpoint=%s", endpoint);
-    }
-
-    keepalive = nm_wireguard_peer_get_persistent_keepalive(peer);
-    if (keepalive != 0) {
-        g_string_append_printf(str, " persistent-keepalive=%hu", keepalive);
-    }
-
-    psk = nm_wireguard_peer_get_preshared_key(peer);
-    if (psk) {
-        g_string_append_printf(str, " preshared-key=%s", psk);
-        g_string_append_printf(str,
-                               " preshared-key-flags=%u",
-                               (guint) nm_wireguard_peer_get_preshared_key_flags(peer));
-    }
-
-    return g_string_free(str, FALSE);
-}
-
-NMWireGuardPeer *
-_nm_utils_wireguard_peer_from_string(const char *str, GError **error)
-{
-    nm_auto_unref_wgpeer NMWireGuardPeer *peer          = NULL;
-    gs_strfreev char                    **tokens        = NULL;
-    gboolean                              has_psk       = FALSE;
-    gboolean                              has_psk_flags = FALSE;
-    char                                 *value;
-    guint                                 i;
-
-    peer = nm_wireguard_peer_new();
-
-    tokens = g_strsplit_set(str, " ", 0);
-    for (i = 0; tokens[i]; i++) {
-        if (i == 0) {
-            if (!nm_wireguard_peer_set_public_key(peer, tokens[i], FALSE)) {
-                g_set_error(error,
-                            NM_CONNECTION_ERROR,
-                            NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                            "invalid public key '%s'",
-                            tokens[i]);
-                return NULL;
-            }
-            continue;
-        }
-
-        if (tokens[i][0] == '\0')
-            continue;
-
-        value = strchr(tokens[i], '=');
-        if (!value || value[1] == '\0') {
-            g_set_error(error,
-                        NM_CONNECTION_ERROR,
-                        NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                        "attribute without value '%s'",
-                        tokens[i]);
-            return NULL;
-        }
-
-        *value = '\0';
-        value++;
-
-        if (nm_streq(tokens[i], "allowed-ips")) {
-            gs_strfreev char **ips = NULL;
-            guint              j;
-
-            ips = g_strsplit_set(value, ";", 0);
-            for (j = 0; ips[j]; j++) {
-                if (!nm_wireguard_peer_append_allowed_ip(peer, ips[j], FALSE)) {
-                    g_set_error(error,
-                                NM_CONNECTION_ERROR,
-                                NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                                "invalid allowed-ip '%s'",
-                                ips[j]);
-                    return NULL;
-                }
-            }
-        } else if (nm_streq(tokens[i], "endpoint")) {
-            if (!nm_wireguard_peer_set_endpoint(peer, value, FALSE)) {
-                g_set_error(error,
-                            NM_CONNECTION_ERROR,
-                            NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                            "invalid endpoint '%s'",
-                            value);
-                return NULL;
-            }
-        } else if (nm_streq(tokens[i], "persistent-keepalive")) {
-            gint64 keepalive;
-
-            keepalive = _nm_utils_ascii_str_to_int64(value, 10, 0, G_MAXUINT16, -1);
-            if (keepalive == -1) {
-                g_set_error(error,
-                            NM_CONNECTION_ERROR,
-                            NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                            "invalid persistent-keepalive value '%s'",
-                            value);
-                return NULL;
-            }
-            nm_wireguard_peer_set_persistent_keepalive(peer, (guint16) keepalive);
-        } else if (nm_streq(tokens[i], "preshared-key")) {
-            if (!nm_wireguard_peer_set_preshared_key(peer, value, FALSE)) {
-                g_set_error(error,
-                            NM_CONNECTION_ERROR,
-                            NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                            "invalid preshared-key '%s'",
-                            value);
-                return NULL;
-            }
-            has_psk = TRUE;
-        } else if (nm_streq(tokens[i], "preshared-key-flags")) {
-            int flags;
-
-            if (!nm_utils_enum_from_str(NM_TYPE_SETTING_SECRET_FLAGS, value, &flags, NULL)) {
-                g_set_error(error,
-                            NM_CONNECTION_ERROR,
-                            NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                            "invalid preshared-key-flags '%s'",
-                            value);
-                return NULL;
-            }
-            nm_wireguard_peer_set_preshared_key_flags(peer, (NMSettingSecretFlags) flags);
-            has_psk_flags = TRUE;
-        } else {
-            g_set_error(error,
-                        NM_CONNECTION_ERROR,
-                        NM_CONNECTION_ERROR_INVALID_PROPERTY,
-                        "invalid attribute '%s'",
-                        tokens[i]);
-            return NULL;
-        }
-    }
-
-    if (has_psk && !has_psk_flags) {
-        /* The flags are NOT_REQUIRED by default. With this flag, the PSK would not
-         * be saved by default, unless the user explicitly sets a different value. */
-        nm_wireguard_peer_set_preshared_key_flags(peer, NM_SETTING_SECRET_FLAG_NONE);
-    }
-
-    if (!nm_wireguard_peer_is_valid(peer, TRUE, TRUE, error))
-        return NULL;
-
-    return g_steal_pointer(&peer);
-}

src/libnm-core-aux-extern/nm-libnm-core-aux.h

@@ -6,9 +6,8 @@
 #ifndef __NM_LIBNM_CORE_AUX_H__
 #define __NM_LIBNM_CORE_AUX_H__
 
-#include "nm-setting-ip-config.h"
 #include "nm-setting-team.h"
-#include "nm-setting-wireguard.h"
+#include "nm-setting-ip-config.h"
 
 typedef enum {
     NM_TEAM_LINK_WATCHER_TYPE_NONE     = 0,
@@ -40,7 +39,4 @@ void _nm_ip_route_to_string(NMIPRoute *route, struct _NMStrBuf *strbuf);
 
 NMTeamLinkWatcher *nm_utils_team_link_watcher_from_string(const char *str, GError **error);
 
-char            *_nm_utils_wireguard_peer_to_string(NMWireGuardPeer *peer);
-NMWireGuardPeer *_nm_utils_wireguard_peer_from_string(const char *str, GError **error);
-
 #endif /* __NM_LIBNM_CORE_AUX_H__ */