2025-12-24 12:30:07 +01:00
208 changed files with 12999 additions and 18989 deletions
--- a/.gitignore
+++ b/.gitignore
@ -81,6 +81,7 @@ test-*.trs
 /data/org.freedesktop.NetworkManager.service
 /data/server.conf
 /data/org.freedesktop.NetworkManager.policy
+/data/org.freedesktop.NetworkManager.policy.in
 /data/nm-sudo.service
 /data/nm-priv-helper.service
 /data/NetworkManager-config-initrd.service
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -60,11 +60,11 @@ variables:
  #
  # This is done by running `ci-fairy generate-template` and possibly bumping
  # ".default_tag".
-  ALPINE_TAG:  'tag-0c3a6f855fb8'
-  CENTOS_TAG:  'tag-c1c23df75dda'
-  DEBIAN_TAG:  'tag-d4bf5db9e214'
-  FEDORA_TAG:  'tag-c1c23df75dda'
-  UBUNTU_TAG:  'tag-d4bf5db9e214'
+  ALPINE_TAG:  'tag-da1ae96102c6'
+  CENTOS_TAG:  'tag-c8df7d2b249f'
+  DEBIAN_TAG:  'tag-e68f538711ec'
+  FEDORA_TAG:  'tag-c8df7d2b249f'
+  UBUNTU_TAG:  'tag-e68f538711ec'

  ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
  CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@ -128,20 +128,6 @@ tier2:fedora:rawhide@prep:
      when: manual
      allow_failure: true

-tier2:centos:stream10@prep:
-  extends:
-    - .fdo.container-build@centos
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'stream10'
-    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
-    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier2:centos:stream9@prep:
  extends:
    - .fdo.container-build@centos
@ -212,20 +198,6 @@ tier2:alpine:edge@prep:
      when: manual
      allow_failure: true

-tier3:fedora:43@prep:
-  extends:
-    - .fdo.container-build@fedora
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: '43'
-    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
-    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier3:fedora:41@prep:
  extends:
    - .fdo.container-build@fedora
@ -254,6 +226,20 @@ tier3:ubuntu:25.04@prep:
      when: manual
      allow_failure: true

+tier3:ubuntu:24.10@prep:
+  extends:
+    - .fdo.container-build@ubuntu
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: '24.10'
+    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
+    FDO_DISTRIBUTION_EXEC: $UBUNTU_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+      when: manual
+      allow_failure: true
+
 tier3:ubuntu:24.04@prep:
  extends:
    - .fdo.container-build@ubuntu
@ -282,20 +268,6 @@ tier3:ubuntu:22.04@prep:
      when: manual
      allow_failure: true

-tier3:debian:13@prep:
-  extends:
-    - .fdo.container-build@debian
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: '13'
-    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
-    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier3:debian:12@prep:
  extends:
    - .fdo.container-build@debian
@ -310,20 +282,6 @@ tier3:debian:12@prep:
      when: manual
      allow_failure: true

-tier3:alpine:3.22@prep:
-  extends:
-    - .fdo.container-build@alpine
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: '3.22'
-    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
-    FDO_DISTRIBUTION_EXEC: $ALPINE_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier3:alpine:3.21@prep:
  extends:
    - .fdo.container-build@alpine
@ -419,20 +377,6 @@ t_fedora:rawhide:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

-t_centos:stream10:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@centos
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'stream10'
-    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
-  needs:
-    - "tier2:centos:stream10@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_centos:stream9:
  extends:
    - .build@template
@ -503,20 +447,6 @@ t_alpine:edge:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

-t_fedora:43:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@fedora
-    - .nm_artifacts_debug
-  stage: tier3
-  variables:
-    FDO_DISTRIBUTION_VERSION: '43'
-    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
-  needs:
-    - "tier3:fedora:43@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_fedora:41:
  extends:
    - .build@template
@ -545,6 +475,20 @@ t_ubuntu:25.04:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

+t_ubuntu:24.10:
+  extends:
+    - .build@template
+    - .fdo.distribution-image@ubuntu
+    - .nm_artifacts_debug
+  stage: tier3
+  variables:
+    FDO_DISTRIBUTION_VERSION: '24.10'
+    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
+  needs:
+    - "tier3:ubuntu:24.10@prep"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+
 t_ubuntu:24.04:
  extends:
    - .build@template
@ -573,20 +517,6 @@ t_ubuntu:22.04:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

-t_debian:13:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@debian
-    - .nm_artifacts_debug
-  stage: tier3
-  variables:
-    FDO_DISTRIBUTION_VERSION: '13'
-    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
-  needs:
-    - "tier3:debian:13@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_debian:12:
  extends:
    - .build@template
@ -601,20 +531,6 @@ t_debian:12:
  rules:
    - if: $CI_PIPELINE_SOURCE != 'schedule'

-t_alpine:3.22:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@alpine
-    - .nm_artifacts_debug
-  stage: tier3
-  variables:
-    FDO_DISTRIBUTION_VERSION: '3.22'
-    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
-  needs:
-    - "tier3:alpine:3.22@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_alpine:3.21:
  extends:
    - .build@template
@ -713,7 +629,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
  dependencies:
    - "t_fedora:42: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/ci.template
+++ b/.gitlab-ci/ci.template
@ -240,7 +240,7 @@ pages:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
      when: never
-    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
  dependencies:
    - "t_{{default_distro.name}}:{{default_distro.versions[0]}}: [meson+gcc+docs+valgrind]"
  needs:
--- a/.gitlab-ci/config.yml
+++ b/.gitlab-ci/config.yml
@ -34,7 +34,6 @@ distributions:
  - name: centos
    tier: 2
    versions:
-      - 'stream10'
      - 'stream9'
  - name: ubuntu
    tier: 2
@ -55,23 +54,21 @@ distributions:
  - name: fedora
    tier: 3
    versions:
-      - '43'
      - '41'
  - name: ubuntu
    tier: 3
    versions:
      - '25.04'
+      - '24.10'
      - '24.04'
      - '22.04'
  - name: debian
    tier: 3
    versions:
-      - '13'
      - '12'
  - name: alpine
    tier: 3
    versions:
-      - '3.22'
      - '3.21'
      - '3.20'
      - '3.19'
--- a/.gitlab-ci/distros-info.yml
+++ b/.gitlab-ci/distros-info.yml
@ -8,9 +8,6 @@ fedora:
 - version: rawhide
  support: yes
  nm: main
- version: 43
-  support: 2026-12-02
-  nm: 1.54
 - version: 42
  support: 2026-05-13
  nm: 1.52
@ -21,11 +18,8 @@ fedora:

 # CentOS Stream
 centos:
- version: stream10
-  support: 2030-12-31 # exact date unknown, only the year
-  nm: main
 - version: stream9
-  support: 2027-12-31 # exact date unknown, only the year
+  support: 2027-05-31
  nm: main

 # RHEL:
@ -37,43 +31,33 @@ centos:
 #   support: 6 months
 # Releases and support info: https://access.redhat.com/support/policy/updates/errata
 rhel:
-# Not released yet
- version: 10.1
+- version: 9.6  # not released yet
  support: yes
-  nm: 1.54
- version: 9.7  # not released yet
+  nm: main
+- version: 9.5
  support: yes
-  nm: 1.54
-# Full support or EUS support:
- version: 10.0
-  support: 2027-05-31
-  extended-support: 2029-05-31
-  nm: 1.52
- version: 9.6
-  support: 2027-05-31
-  extended-support: 2029-05-31
-  nm: 1.52
+  nm: 1.48
 - version: 9.4
  support: 2026-04-30
  extended-support: 2028-04-30
  nm: 1.46
- version: 8.10  # last RHEL 8 release, maintenaince support only
-  support: 2029-05-31
-  extended-support: no
-  nm: 1.40
-# SAP / Enhaced EUS only:
 - version: 9.2
  support: 2025-05-31
  extended-support: 2027-05-31
  nm: 1.42
- version: 9.0
-  support: 2024-05-31
-  extended-support: 2026-05-31
-  nm: 1.36
+- version: 8.10  # last RHEL 8 release, maintenaince support only
+  support: 2029-05-31
+  extended-support: no
+  nm: 1.40
 - version: 8.8
  support: 2025-05-31
  extended-support: 2027-05-31
  nm: 1.40
+# SAP / Enhaced EUS only:
+- version: 9.0
+  support: 2024-05-31
+  extended-support: 2026-05-31
+  nm: 1.36
 - version: 8.6
  support: 2024-05-31
  extended-support: 2026-05-31
@ -97,6 +81,10 @@ ubuntu:
  name: plucky
  support: 2026-01-15
  nm: 1.52
+- version: 24.10
+  name: oracular
+  support: 2025-07-10
+  nm: 1.48
 - version: 24.04
  name: noble
  support: 2029-05-31
@ -121,11 +109,6 @@ debian:
 - version: sid
  support: yes
  nm: main
- version: 13
-  name: trixie
-  support: 2028-08-09
-  extended-support: 2030-06-30
-  nm: 1.52
 - version: 12
  name: bookworm
  support: 2026-06-11
@ -147,9 +130,6 @@ alpine:
 - version: edge
  support: yes
  nm: main
- version: 3.22
-  support: 2027-05-01
-  nm: 1.52
 - version: 3.21
  support: 2026-11-01
  nm: 1.50
--- a/.gitlab-ci/fedora-install.sh
+++ b/.gitlab-ci/fedora-install.sh
@ -13,8 +13,6 @@ if [ $IS_CENTOS = 1 ]; then
        CENTOS_VERSION=8
    elif grep -q '^VERSION_ID=.*\<9\>' /etc/os-release ; then
        CENTOS_VERSION=9
-    elif grep -q '^VERSION_ID=.*\<10\>' /etc/os-release ; then
-        CENTOS_VERSION=10
    else
        exit 1
    fi
@ -35,11 +33,6 @@ fi
        dnf install -y 'dnf-command(config-manager)'
        dnf config-manager --set-enabled crb
        curl https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-9/nmstate-nm-build-deps-epel-9.repo > /etc/yum.repos.d/nmstate-nm-build-deps-epel-9.repo
-    elif [ "$CENTOS_VERSION" = stream10 ]; then
-        dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
-        dnf install -y 'dnf-command(config-manager)'
-        dnf config-manager --set-enabled crb
-        curl https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-10/nmstate-nm-build-deps-epel-10.repo > /etc/yum.repos.d/nmstate-nm-build-deps-epel-10.repo
    else
        exit 1
    fi
--- a/.gitlab-ci/run-test.sh
+++ b/.gitlab-ci/run-test.sh
@ -17,17 +17,10 @@ grep -q '^NAME=.*\(CentOS\)' /etc/os-release && IS_CENTOS=1
 grep -q '^NAME=.*\(Fedora\)' /etc/os-release && IS_FEDORA=1
 grep -q '^NAME=.*\(Alpine\)' /etc/os-release && IS_ALPINE=1

+IS_CENTOS_7=0
 if [ $IS_CENTOS = 1 ]; then
-    CENTOS_VER_LINE="$(grep '^VERSION_ID=' /etc/os-release)"
-    if [[ $CENTOS_VER_LINE =~ ^VERSION_ID=\"?([0-9]+)\"?$ ]]; then
-        CENTOS_VER="${BASH_REMATCH[1]}"
-    else
-        echo "Error detecting CentOS Stream version" >&2
-        exit 1
-    fi
-
-    if (( $CENTOS_VER >= 10 )); then
-        export WITH_LIBTEAM=0
+    if grep -q '^VERSION_ID=.*\<7\>' /etc/os-release ; then
+        IS_CENTOS_7=1
    fi
 fi

@ -155,7 +148,12 @@ test_subtree() {
    do_clean
    pushd ./src/$d

-    CC="$cc" CFLAGS="-Werror -Wall" meson build
+    ARGS=()
+    if [ "$d" = n-acd ]; then
+        ARGS+=('-Debpf=false')
+    fi
+
+    CC="$cc" CFLAGS="-Werror -Wall" meson build "${ARGS[@]}"
    ninja -v -C build test

    popd
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@ -252,25 +252,17 @@ Versioning scheme (version numbers are called MAJOR.MINOR.MICRO):
  versioning scheme than the main NM project despite there are no development
  versions here.

-Before starting:
- You need to have the maintainer role in the project.
- The GPG key used to sign the release must be added to your GNOME's Gitlab
-  profile and uploaded to a keyserver.
- All details: https://handbook.gnome.org/maintainers/making-a-release.html
-
 When doing a release, follow this process:
 1. Ensure that `NEWS` file is up to date.
-2. Increment the version in `meson.build` or `configure.ac`.
-3. Commit and push to the `main` branch.
-4. Check that the Gitlab's pipeline finishes without errors.
-5. Tag the commit with a signed tag. Example: `git tag -s 1.2.8 -m 'Release 1.2.8'`.
-6. Push the tag. Example: `git push origin 1.2.8`.  
-   WARN: this is what starts the automatic CI release. As GNOME doesn't allow
-   to delete tags, any error detected after this will force a new version bump.
-7. Check that the Gitlab's pipeline finishes without errors. If that happens,
-   the release is done and available both in the Gitlab's releases section and
-   https://download.gnome.org/sources/*
-8. Announce the release on the mailing list.
+2. Increment the version in `meson.build`, commit and tag the commit. Example:
+   `git tag -s 1.2.8 -m 'Tag 1.2.8'`.
+3. Ensure that you are on the right commit and create the tarball:
+   `git clean -fdx && meson setup build && cd build && meson dist`
+4. Upload the tarball: `scp ./*-*.tar.xz "$user@master.gnome.org:"`
+5. Login to `master.gnome.org` and run `ftpadmin install`.  
+   Ensure the new tarballs show up at https://download.gnome.org/sources/
+   (happens after a short delay)
+6. Announce the release on the mailing list.

 Notes:
 - You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).
--- a/55
+++ b/55
@ -1,6 +1,6 @@
 =============================================
-NetworkManager-1.58
-Overview of changes since NetworkManager-1.56
+NetworkManager-1.56
+Overview of changes since NetworkManager-1.54
 =============================================

 This is a snapshot of NetworkManager development. The API is
@ -8,58 +8,7 @@ subject to change and not guaranteed to be compatible with
 the later release.
 USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!

-* Restrict the connectivity check to use the DNS servers defined on the
-  same link. If the link has no DNS servers, the connectivity check will
-  use any servers available in the system.
-* Install the systemd units in the initramfs using a systemd generator.
-* A new "check-connectivity" configuration option is available to disable the
-  connectivity check for selected interfaces.
-* Remove the modify_system build option that allowed setting up the
-  polkit permissions to allow non-admin users to create system-wide
-  connection. That configuration is discouraged because it can be used
-  to bypass filesystem permissions.
-* For private connections (the ones that specify a user in the
-  "connection.permissions" property), verify that the user can access
-  the 802.1X certificates and keys set in the connection.
-* Introduce a libnm function that can be used by VPN plugins to check
-  user permissions on certificate and keys.
-* The support for Wireless Extensions is deprecated and will be
-  removed in a future release. Wireless Extensions are now disabled by
-  default.
-
-=============================================
-NetworkManager-1.56
-Overview of changes since NetworkManager-1.54
-=============================================
-
 * nmcli now supports viewing and managing WireGuard peers.
-* Support reapplying the "sriov.vfs" property as long as
-  "sriov.total-vfs" is not changed.
-* Support reapplying "bond-port.vlans".
-* Accept hostnames longer than 64 characters from DNS lookup.
-* Make that global-dns configuration overwrites DNS searches and
-  options from connections, instead of merging all together.
-* Add support for a new rd.net.dhcp.client-id option in
-  nm-initrd-generator.
-* Add gsm device-uid setting to restrict the devices the connection applies to.
-* Support configuring the HSR protocol version via the
-  "hsr.protocol-version" property.
-* Fix a bug that makes broadband connections auto-connect getting 
-  blocked if the connection tries to reconnect when modem status is 
-  "disconnecting" / "disconnected".
-* Treat modem connection not having an operator code available
-  as a recoverable error.
-* Add support for configuring systemd-resolved's DNSSEC option
-  per-connection via the "connection.dnssec" connection property.
-* Support configuring the HSR interlink port via the
-  "hsr.interlink" property.
-* Fix some connection properties not being applied to vpn connections
-  (connection.mdns, connection.llmnr, connection.dns-over-tls,
-   connection.mptcp-flags, ipv6.ip6-privacy)
-* Update n-acd to always compile with eBPF enabled, as support
-  for eBPF is now detected at run time.
-* Add new MPTCP 'laminar' endpoint type, and set it by default alongside
-  the 'subflow' one.

 =============================================
 NetworkManager-1.54
--- a/config.h.meson
+++ b/config.h.meson
@ -239,15 +239,6 @@
 /* Whether we build with OVS plugin */
 #mesondefine WITH_OPENVSWITCH

-/* Whether we build with team support */
-#mesondefine WITH_TEAMDCTL
-
-/* Whether we build with Wi-Fi support */
-#mesondefine WITH_WIFI
-
-/* Whether we build with WWAN support */
-#mesondefine WITH_WWAN
-
 /* Define if you have PPP support */
 #mesondefine WITH_PPP

--- a/contrib/alpine/REQUIRED_PACKAGES
+++ b/contrib/alpine/REQUIRED_PACKAGES
@ -11,7 +11,6 @@ apk add \
    'clang' \
    'curl-dev' \
    'dbus' \
-    'dbus-dev' \
    'elogind-dev' \
    'eudev-dev' \
    'gcc' \
@ -30,6 +29,7 @@ apk add \
    'libpsl-dev' \
    'libsoup-dev' \
    'libteam-dev' \
+    'libtool' \
    'linux-headers' \
    'meson' \
    'mobile-broadband-provider-info' \
--- a/contrib/debian/REQUIRED_PACKAGES
+++ b/contrib/debian/REQUIRED_PACKAGES
@ -62,6 +62,7 @@ install \
    libreadline-dev \
    libsystemd-dev \
    libteam-dev \
+    libtool \
    libudev-dev \
    locales \
    meson \
--- a/contrib/fedora/REQUIRED_PACKAGES
+++ b/contrib/fedora/REQUIRED_PACKAGES
@ -68,6 +68,7 @@ install \
    libndp-devel \
    libnvme-devel \
    libselinux-devel \
+    libtool \
    libuuid-devel \
    meson \
    mobile-broadband-provider-info-devel \
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@ -107,11 +107,6 @@
 %else
 %bcond_without iwd
 %endif
-%if 0%{?fedora} <= 43 || 0%{?rhel} <= 10
-%bcond_without polkit_noauth_group
-%else
-%bcond_with polkit_noauth_group
-%endif

 ###############################################################################

@ -159,6 +154,17 @@
 %bcond_with ifcfg_migrate
 %endif

+%if 0%{?fedora}
+# Although eBPF would be available on Fedora's kernel, it seems
+# we often get SELinux denials (rh#1651654). But even aside them,
+# bpf(BPF_MAP_CREATE, ...) randomly fails with EPERM. That might
+# be related to `ulimit -l`. Anyway, this is not usable at the
+# moment.
+%global ebpf_enabled "no"
+%else
+%global ebpf_enabled "no"
+%endif
+
 # Fedora 33 enables LTO by default by setting CFLAGS="-flto -ffat-lto-objects".
 # However, we also require "-flto -flto-partition=none", so disable Fedora's
 # default and use our configure option --with-lto instead.
@ -248,6 +254,7 @@ Conflicts: NetworkManager-dispatcher-routing-rules <= 1:1.47.5-3
 %endif

 BuildRequires: gcc
+BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: meson
 BuildRequires: gettext-devel >= 0.19.8
@ -621,10 +628,14 @@ Preferably use nmcli instead.
 %endif
 %if %{with wifi}
 	-Dwifi=true \
+%if 0%{?fedora}
+	-Dwext=true \
+%else
+	-Dwext=false \
+%endif
 %else
 	-Dwifi=false \
 %endif
-	-Dwext=false \
 %if %{with iwd}
 	-Diwd=true \
 %else
@ -666,20 +677,22 @@ Preferably use nmcli instead.
 	-Dselinux=true \
 	-Dpolkit=true  \
 	-Dconfig_auth_polkit_default=true \
-%if %{with polkit_noauth_group}
-	-Dpolkit_noauth_group=wheel \
-%endif
+	-Dmodify_system=true \
 	-Dconcheck=true \
 %if 0%{?fedora}
 	-Dlibpsl=true \
 %else
 	-Dlibpsl=false \
+%endif
+%if %{ebpf_enabled} != "yes"
+	-Debpf=false \
+%else
+	-Debpf=true \
 %endif
 	-Dsession_tracking=systemd \
 	-Dsuspend_resume=systemd \
 	-Dsystemdsystemunitdir=%{_unitdir} \
-	-Dsystemdsystemgeneratordir=%{_systemdgeneratordir} \
-	-Dsystem_ca_path=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
+	-Dsystem_ca_path=/etc/pki/tls/cert.pem \
 	-Ddbus_conf_dir=%{dbus_sys_dir} \
 	-Dtests=yes \
 	-Dvalgrind=no \
@ -751,7 +764,6 @@ rm -f %{buildroot}%{_libdir}/pppd/%{ppp_version}/*.la
 rm -f %{buildroot}%{nmplugindir}/*.la

 # Don't use the *-initrd.service files yet, wait dracut to support them
-rm -f %{buildroot}%{_systemdgeneratordir}/nm-initrd-generator.sh
 rm -f %{buildroot}%{_unitdir}/NetworkManager-config-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
@ -885,7 +897,6 @@ fi
 %{_libexecdir}/nm-dispatcher
 %{_libexecdir}/nm-initrd-generator
 %{_libexecdir}/nm-daemon-helper
-%{_libexecdir}/nm-libnm-helper
 %{_libexecdir}/nm-priv-helper
 %dir %{_libdir}/%{name}
 %dir %{nmplugindir}
@ -917,9 +928,6 @@ fi
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_priv_helper.service
 %{_datadir}/polkit-1/actions/*.policy
-%if %{with polkit_noauth_group}
-%{_datadir}/polkit-1/rules.d/org.freedesktop.NetworkManager.rules
-%endif
 %{_prefix}/lib/udev/rules.d/*.rules
 %{_prefix}/lib/firewalld/zones/nm-shared.xml
 # systemd stuff
--- a/contrib/fedora/rpm/configure-for-system.sh
+++ b/contrib/fedora/rpm/configure-for-system.sh
@ -155,6 +155,7 @@ P_CRYPTO="${CRYPTO-}"
 P_DBUS_SYS_DIR="${DBUS_SYS_DIR-}"
 P_DHCP_DEFAULT="${DHCP_DEFAULT-}"
 P_DNS_RC_MANAGER_DEFAULT="${DNS_RC_MANAGER_DEFAULT-}"
+P_EBPF_ENABLED="${EBPF_ENABLED-no}"
 P_FIREWALLD_ZONE="${FIREWALLD_ZONE-}"
 P_IWD="${IWD-}"
 P_LOGGING_BACKEND_DEFAULT="${LOGGING_BACKEND_DEFAULT-}"
@ -173,7 +174,6 @@ P_WIFI="${WIFI-1}"
 P_WWAN="${WWAN-1}"
 P_TEAM="${TEAM-1}"
 P_BLUETOOTH="${BLUETOOTH-1}"
-P_IFCFG_RH="${IFCFG_RH-0}"
 P_NMTUI="${NMTUI-1}"
 P_NM_CLOUD_SETUP="${NM_CLOUD_SETUP-1}"
 P_OVS="${OVS-1}"
@ -203,7 +203,7 @@ if [ -z "$P_FEDORA" -a -z "$P_RHEL" ] ; then
        P_FEDORA="$x"
        P_RHEL=0
    else
-        x="$(grep -q 'ID="rhel"' /etc/os-release && sed -n 's/^VERSION_ID="*\([0-9]*\).*/\1/p' /etc/os-release)"
+        x="$(grep -q "ID=fedora" /etc/os-release && sed -n 's/VERSION_ID=//p' /etc/os-release)"
        if test "$x" -gt 0 ; then
            P_FEDORA=0
            P_RHEL="$x"
@ -294,14 +294,6 @@ if [ -z "$P_MODEM_MANAGER_1" ] ; then
    fi
 fi

-if [ -z "$TEAM" ] && [ "${P_RHEL-0}" -ge 10 ] ; then
-    P_TEAM=0
-fi
-
-if [ -z "$IFCFG_RH" ] && [ -n "$P_RHEL" ] && [ "$P_RHEL" -le 9 ] ; then
-    P_IFCFG_RH=1
-fi
-
 if bool "$P_DEBUG" ; then
    P_CFLAGS="-g -Og -fexceptions${P_CFLAGS:+ }$P_CFLAGS"
 else
@ -387,7 +379,7 @@ meson setup\
    -Db_lto="$(bool_true "$P_LTO")" \
    -Dlibaudit=yes-disabled-by-default \
    -Dmodem_manager="$(bool_true "$P_MODEM_MANAGER_1")" \
-    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext=false) \
+    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext="$(bool_true "$P_FEDORA")") \
    $(args_enable "$(bool_not_true "$P_WIFI")" -Dwifi=false                                  ) \
    -Diwd="$(bool_true "$P_IWD")" \
    -Dbluez5_dun="$(bool_true "$P_BLUETOOTH")" \
@ -401,17 +393,18 @@ meson setup\
    -Dselinux=true \
    -Dpolkit=true  \
    -Dconfig_auth_polkit_default=true \
+    -Dmodify_system=true \
    -Dconcheck=true \
    -Dlibpsl="$(bool_true "$P_FEDORA")" \
+    -Debpf="$(bool_true "$P_EBPF_ENABLED")" \
    -Dsession_tracking=systemd \
    -Dsuspend_resume=systemd \
    -Dsystemdsystemunitdir=/usr/lib/systemd/system \
-    -Dsystemdsystemgeneratordir=/usr/lib/systemd/system-generators \
    -Dsystem_ca_path=/etc/pki/tls/cert.pem \
    -Ddbus_conf_dir="$P_DBUS_SYS_DIR" \
    -Dtests=yes \
    -Dvalgrind=no \
-    -Difcfg_rh="$(bool_true "$P_IFCFG_RH")" \
+    -Difcfg_rh=true \
    -Difupdown=false \
    $(args_enable "$P_PPP"                    -Dppp=true  -Dpppd="$D_SBINDIR/pppd" -Dpppd_plugin_dir="$D_LIBDIR/pppd/$P_PPP_VERSION") \
    $(args_enable "$(bool_not_true "$P_PPP")" -Dppp=false                                                                           ) \
--- a/contrib/scripts/nm-ci-run.sh
+++ b/contrib/scripts/nm-ci-run.sh
@ -84,14 +84,6 @@ if [ "$CC" != gcc ]; then
    _WITH_CRYPTO=nss
 fi

-if [ "$WITH_LIBTEAM" != "" ]; then
-    if _is_true "$WITH_LIBTEAM"; then
-        _WITH_LIBTEAM="true"
-    else
-        _WITH_LIBTEAM="false"
-    fi
-fi
-
 if [ "$WITH_DOCS" != "" ]; then
    if _is_true "$WITH_DOCS"; then
        _WITH_DOCS="true"
@ -169,7 +161,6 @@ meson setup build \
    -D ld_gc=false \
    -D session_tracking=no \
    -D systemdsystemunitdir=no \
-    -D systemdsystemgeneratordir=no \
    -D systemd_journal=false \
    -D selinux=false \
    -D libaudit=no \
@ -181,6 +172,8 @@ meson setup build \
    -D crypto=$_WITH_CRYPTO \
    -D docs=$_WITH_DOCS \
    \
+    -D ebpf=false \
+    \
    -D iwd=true \
    -D ofono=true \
    -D teamdctl=$_WITH_LIBTEAM \
--- a/data/NetworkManager-config-initrd.service.in
+++ b/data/NetworkManager-config-initrd.service.in
@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Configuration (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-journald.socket
 After=systemd-journald.socket
 Before=systemd-udevd.service systemd-udev-trigger.service
+ConditionPathExists=/etc/initrd-release

 [Service]
 Type=oneshot
@ -22,3 +22,6 @@ ExecStartPost=/bin/sh -c ' \
    fi \
 '
 RemainAfterExit=yes
+
+[Install]
+WantedBy=initrd.target
--- a/data/NetworkManager-initrd.service.in
+++ b/data/NetworkManager-initrd.service.in
@ -1,11 +1,11 @@
 [Unit]
 Description=NetworkManager (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-udev-trigger.service network.target
 After=systemd-udev-trigger.service network-pre.target dbus.service NetworkManager-config-initrd.service
 Before=network.target
 BindsTo=dbus.service
+ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 ConditionPathExistsGlob=|/usr/lib/NetworkManager/system-connections/*
 ConditionPathExistsGlob=|/run/NetworkManager/system-connections/*
@ -22,3 +22,11 @@ Environment=NM_CONFIG_ENABLE_TAG=initrd
 Restart=on-failure
 ProtectSystem=true
 ProtectHome=read-only
+
+[Install]
+WantedBy=initrd.target
+# We want to enable NetworkManager-wait-online-initrd.service whenever this
+# service is enabled. NetworkManager-wait-online-initrd.service has
+# WantedBy=network-online.target, so enabling it only has an effect if
+# network-online.target itself is enabled or pulled in by some other unit.
+Also=NetworkManager-config-initrd.service NetworkManager-wait-online-initrd.service
--- a/data/NetworkManager-wait-online-initrd.service.in
+++ b/data/NetworkManager-wait-online-initrd.service.in
@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Wait Online (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Requires=NetworkManager-initrd.service
 After=NetworkManager-initrd.service
 Before=network-online.target
+ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet

 [Service]
@ -21,3 +21,6 @@ Type=oneshot
 ExecStart=@bindir@/nm-online -s -q
 RemainAfterExit=yes
 Environment=NM_ONLINE_TIMEOUT=3600
+
+[Install]
+WantedBy=initrd.target network-online.target
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@ -19,7 +19,7 @@ KillMode=process
 # With a huge number of interfaces, starting can take a long time.
 TimeoutStartSec=600

-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_BPF CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT

 ProtectSystem=true
 ProtectHome=read-only
--- a/data/meson.build
+++ b/data/meson.build
@ -55,22 +55,21 @@ if install_udevdir
 endif

 if enable_polkit
+  policy = 'org.freedesktop.NetworkManager.policy'
+
+  policy_in = configure_file(
+    input: policy + '.in.in',
+    output: '@BASENAME@',
+    configuration: data_conf,
+  )
+
  i18n.merge_file(
-    input: 'org.freedesktop.NetworkManager.policy.in',
+    input: policy_in,
    output: '@BASENAME@',
    po_dir: po_dir,
    install: true,
-    install_dir: polkit_policydir,
+    install_dir: polkit_gobject_policydir,
  )
-
-  if polkit_noauth_group != ''
-    configure_file(
-      input: 'org.freedesktop.NetworkManager.rules.in',
-      output: '@BASENAME@',
-      install_dir: polkit_rulesdir,
-      configuration: {'NM_POLKIT_NOAUTH_GROUP': polkit_noauth_group},
-    )
-  endif
 endif

 if enable_firewalld_zone
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in.in
@ -117,8 +117,8 @@
    <message>System policy prevents modification of network settings for all users</message>
    <defaults>
      <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>auth_admin_keep</allow_inactive>
-      <allow_active>auth_admin_keep</allow_active>
+      <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
+      <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
    </defaults>
  </action>

--- a/data/org.freedesktop.NetworkManager.rules.in
+++ b/data/org.freedesktop.NetworkManager.rules.in
@ -1,17 +0,0 @@
-// NetworkManager authorizations/policy for the @NM_POLKIT_NOAUTH_GROUP@ group.
-//
-// DO NOT EDIT THIS FILE, it will be overwritten on update.
-//
-// Allow users in the @NM_POLKIT_NOAUTH_GROUP@ group to create system-wide connections without being
-// prompted for a password if they are in a local console.
-// This is optional and is only recommended to maintain backwards compatibility
-// in systems where it was already working in this way. It is discouraged
-// otherwise.
-
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
-        subject.isInGroup("@NM_POLKIT_NOAUTH_GROUP@") &&
-        subject.local) {
-        return polkit.Result.YES;
-    }
-});
--- a/examples/C/glib/monitor-nm-state-gdbus.c
+++ b/examples/C/glib/monitor-nm-state-gdbus.c
@ -23,8 +23,8 @@ static const char *
 nm_state_to_string(NMState state)
 {
    switch (state) {
-    case NM_STATE_DISABLED:
-        return "network off";
+    case NM_STATE_ASLEEP:
+        return "asleep";
    case NM_STATE_CONNECTING:
        return "connecting";
    case NM_STATE_CONNECTED_LOCAL:
--- a/man/NetworkManager.conf.xml
+++ b/man/NetworkManager.conf.xml
@ -83,11 +83,6 @@
    note that your distribution or other packages may drop configuration snippets for NetworkManager, such
    that they are part of the factory default.
    </para>
-    <para>
-    The options that are indicated as boolean can be set to one of these values:
-    <literal>yes</literal>, <literal>true</literal>, <literal>on</literal>, <literal>1</literal>,
-    <literal>no</literal>, <literal>false</literal>, <literal>off</literal>, <literal>0</literal>.
-    </para>

  </refsect1>

@ -900,15 +895,11 @@ ipv6.ip6-privacy=0
        </varlistentry>
        <varlistentry>
          <term><varname>connection.mptcp-flags</varname></term>
-          <listitem><para>If unspecified, the fallback is 0x122 (<literal>"enabled,subflow,laminar"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
+          <listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.dns-over-tls</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><varname>connection.dnssec</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
        </varlistentry>
        <varlistentry>
          <term><varname>connection.stable-id</varname></term>
@ -1254,13 +1245,12 @@ managed=1
          <term><varname>managed</varname></term>
          <listitem>
            <para>
-              A boolean value specifying whether the device is
-              managed or not. A device can be marked as managed via
-              udev rules (ENV{NM_UNMANAGED}), or via setting plugins
-              (keyfile.unmanaged-devices).  This is yet another
-              way. Note that this configuration can be overruled at
-              runtime via D-Bus. Also, it has higher priority than
-              udev rules.
+              Whether the device is managed or not. A device can be
+              marked as managed via udev rules (ENV{NM_UNMANAGED}),
+              or via setting plugins (keyfile.unmanaged-devices).
+              This is yet another way. Note that this configuration
+              can be overruled at runtime via D-Bus. Also, it has
+              higher priority then udev rules.
            </para>
          </listitem>
        </varlistentry>
@ -1329,27 +1319,9 @@ managed=1
            </para>
          </listitem>
        </varlistentry>
-        <varlistentry id="check-connectivity">
-          <term><varname>check-connectivity</varname></term>
-          <listitem>
-            <para>
-              A boolean value specifying whether NetworkManager will perform a connectivity check
-              for this device. Defaults to <literal>yes</literal>.
-            </para>
-            <para>
-              This setting does nothing if the connectivity check has been
-              disabled globally using the
-              <literal>connectivity.enabled</literal> setting.
-            </para>
-          </listitem>
-        </varlistentry>
        <varlistentry id="keep-configuration">
-          <term><varname>keep-configuration</varname></term>
+         <term><varname>keep-configuration</varname></term>
          <listitem>
-            <para>
-              A boolean value indicating whether the existing device
-              configuration is kept at startup.
-            </para>
            <para>
              On startup, NetworkManager tries to not interfere with
              interfaces that are already configured. It does so by
@ -1446,16 +1418,16 @@ managed=1
          <term><varname>wifi.iwd.autoconnect</varname></term>
          <listitem>
            <para>
-              A boolean value. If <literal>wifi.backend</literal> is <literal>iwd</literal>,
-              setting this to <literal>false</literal> forces IWD's autoconnect mechanism to be
-              disabled for this device and connections will only be initiated by NetworkManager
-              whether commanded by a client or automatically.  Leaving it <literal>true</literal>
-              (default) stops NetworkManager from automatically initiating connections and allows
-              IWD to use its network ranking and scanning logic to decide the best networks to
-              autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
-              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings like
-              <literal>permissions</literal> or <literal>multi-connect</literal> may interfere with
-              IWD connection attempts.
+              If <literal>wifi.backend</literal> is <literal>iwd</literal>, setting this to
+              <literal>false</literal> forces IWD's autoconnect mechanism to be disabled for
+              this device and connections will only be initiated by NetworkManager whether
+              commanded by a client or automatically.  Leaving it <literal>true</literal> (default)
+              stops NetworkManager from automatically initiating connections and allows
+              IWD to use its network ranking and scanning logic to decide the best networks
+              to autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
+              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings
+              like <literal>permissions</literal> or <literal>multi-connect</literal> may interfere
+              with IWD connection attempts.
            </para>
          </listitem>
        </varlistentry>
@ -1514,7 +1486,7 @@ managed=1
      <variablelist>
        <varlistentry>
          <term><varname>enabled</varname></term>
-          <listitem><para>A boolean indicating whether connectivity check is enabled.
+          <listitem><para>Whether connectivity check is enabled.
          Note that to enable connectivity check, a valid uri must
          also be configured. The value defaults to true, but since
          the uri is unset by default, connectivity check may be disabled.
@ -1568,12 +1540,8 @@ managed=1

  <refsect1>
    <title><literal>global-dns</literal> section</title>
-    <para>This section specifies DNS settings that are applied globally. They
-    override the equivalent options defined in individual connections, making
-    them to be ignored. If a [global-dns-domain-*] section is defined, but this
-    section isn't, an empty [global-dns] section is assumed, thus overwriting
-    connection specific configurations too.
-    </para>
+    <para>This section specifies DNS settings that are applied
+    globally, in addition to connection-specific ones.</para>
    <para>
      <variablelist>
        <varlistentry>
@ -1633,10 +1601,6 @@ managed=1
    default domain "*". When the global DNS domains are valid, the
    name servers and domains defined globally override the ones from
    active connections.
-
-    If any global DNS domain is defined but a [global-dns] section isn't,
-    an empty [global-dns] section is assumed, thus overwriting its
-    connection specific configurations too.
    </para>
    <para>
      <variablelist>
--- a/man/nm-initrd-generator.xml
+++ b/man/nm-initrd-generator.xml
@ -162,7 +162,6 @@
            <member><option>rd.net.dns-backend</option></member>
            <member><option>rd.net.dns-resolve-mode</option></member>
            <member><option>rd.net.timeout.dhcp</option></member>
-            <member><option>rd.net.dhcp.client-id</option></member>
            <member><option>rd.net.dhcp.retry</option></member>
            <member><option>rd.net.dhcp.vendor-class</option></member>
            <member><option>rd.net.dhcp.dscp</option></member>
@ -269,23 +268,6 @@
        </para>
      </listitem>

-      <listitem>
-        <para>NetworkManager supports the
-        <option>rd.net.dhcp.client-id</option>=<replaceable>interface</replaceable>:<replaceable>client-id</replaceable>
-        kernel command line option to set a specific DHCPv4 client identifier
-        for the given interface. The client-id can be specified either as a
-        sequence of bytes in hexadecimal format separated by dashes, or as the
-        character '@' followed by a non-empty string. When using the second
-        format, NetworkManager prepends a zero byte to the given string,
-        according to section 9.14 of RFC 2132. See the "ipv4.dhcp-client-id"
-        section of <link
-        linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
-        for more details. Examples:
-        <literal>rd.net.dhcp.client-id=eth0:01-52-54-00-45-87-42</literal>,
-        <literal>rd.net.dhcp.client-id=enp1s0:@example.com</literal>.
-        </para>
-      </listitem>
-
    </itemizedlist>
  </refsect1>

@ -296,7 +278,6 @@

  <refsect1 id='see_also'><title>See Also</title>
    <para><link linkend='dracut.cmdline'><citerefentry><refentrytitle>dracut.cmdline</refentrytitle><manvolnum>7</manvolnum></citerefentry></link>,
-    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>,
-    <link linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>.</para>
+    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>.</para>
  </refsect1>
 </refentry>
--- a/man/nm-openvswitch.xml
+++ b/man/nm-openvswitch.xml
@ -91,10 +91,6 @@
      NetworkManager inserts the records for Bridges into OVSDB when a Port is
      attached.
      </para>
-
-      <para>Known limitation: when the last NetworkManager's owned port is removed,
-      the bridge is removed too, even if there are other externally attached ports.
-      </para>
    </refsect2>

    <refsect2>
@ -106,10 +102,6 @@
      exist.  Ports can also be configured to do VLAN tagging or Bonding.
      NetworkManager inserts the records for Ports into OVSDB when an Interface is
      attached. Ports must be attached to a Bridge.</para>
-
-      <para>Known limitation: when the last NetworkManager's owned interface is removed,
-      the port is removed too, even if there are other externally attached interfaces.
-      </para>
    </refsect2>

    <refsect2>
--- a/meson.build
+++ b/meson.build
@ -5,7 +5,7 @@ project(
 # NOTE: When incrementing version also add corresponding
 #       NM_VERSION_x_y_z macros in
 #       "src/libnm-core-public/nm-version-macros.h.in"
-  version: '1.57.1',
+  version: '1.55.3',
  license: 'GPL2+',
  default_options: [
    'buildtype=debugoptimized',
@ -327,17 +327,12 @@ config_h.set10('WITH_CONFIG_PLUGIN_IFUPDOWN', enable_ifupdown)
 config_h.set_quoted('NM_DIST_VERSION', dist_version)

 enable_wifi = get_option('wifi')
-config_h.set10('WITH_WIFI', enable_wifi)

 enable_iwd = get_option('iwd')
 assert((not enable_iwd) or enable_wifi, 'Enabling iwd support requires Wi-Fi support as well')
 config_h.set10('WITH_IWD', enable_iwd)

-wext = get_option('wext')
-if wext == 'true'
-  error('Wireless Extensions support is deprecated and will be removed in the future. Use -Dwext=force to keep using it')
-endif
-enable_wext = (wext == 'force')
+enable_wext = get_option('wext')
 config_h.set10('HAVE_WEXT', enable_wext)

 # Checks for libdl - on certain platforms its part of libc
@ -387,14 +382,6 @@ if install_systemdunitdir and systemd_systemdsystemunitdir == ''
  systemd_systemdsystemunitdir = systemd_dep.get_variable(pkgconfig: 'systemdsystemunitdir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif

-systemd_systemdsystemgeneratordir = get_option('systemdsystemgeneratordir')
-install_systemdgeneratordir = (systemd_systemdsystemgeneratordir != 'no')
-
-if install_systemdgeneratordir and systemd_systemdsystemgeneratordir == ''
-  assert(systemd_dep.found(), 'systemd required but not found, please provide a valid systemd user generator dir or disable it')
-  systemd_systemdsystemgeneratordir = systemd_dep.get_variable(pkgconfig: 'systemdsystemgeneratordir', pkgconfig_define: ['rootprefix', nm_prefix])
-endif
-
 enable_systemd_journal = get_option('systemd_journal')
 if enable_systemd_journal
  assert(libsystemd_dep.found(), 'Missing systemd-journald support')
@ -489,6 +476,19 @@ if enable_selinux
 endif
 config_h.set10('HAVE_SELINUX', enable_selinux)

+# eBPF support
+ebpf_opt = get_option('ebpf')
+# 'auto' means 'false', because there are still issues.
+if ebpf_opt != 'true'
+  enable_ebpf = false
+else
+  enable_ebpf = true
+  if not cc.has_header('linux/bpf.h')
+    assert(ebpf_opt != 'true', 'eBPF requires kernel support')
+    enable_ebpf = false
+  endif
+endif
+
 # libaudit support
 libaudit = get_option('libaudit')
 enable_libaudit = libaudit.contains('yes')
@ -507,14 +507,12 @@ if enable_teamdctl
  libteamdctl_dep = dependency('libteamdctl', version: '>= 1.9')
  assert(libteamdctl_dep.found(), 'You must have libteamdctl installed to build. Use -Dteamdctl=false to disable it')
 endif
-config_h.set10('WITH_TEAMDCTL', enable_teamdctl)

 # polkit
 enable_polkit = get_option('polkit')
 if enable_polkit
  # FIXME: policydir should be relative to `datadir`, not `prefix`. Fixed in https://gitlab.freedesktop.org/polkit/polkit/merge_requests/2
-  polkit_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
-  polkit_rulesdir = join_paths(fs.parent(polkit_policydir), 'rules.d')
+  polkit_gobject_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
 endif

 config_auth_polkit_default = get_option('config_auth_polkit_default')
@ -524,12 +522,6 @@ endif
 config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default)

 enable_modify_system = get_option('modify_system')
-if enable_modify_system
-  # FIXME: remove this after everyone has stopped using modify_system
-  error('modify_system=true is no longer allowed due to security reasons')
-endif
-
-polkit_noauth_group = get_option('polkit_noauth_group')

 polkit_agent_helper_1_path = get_option('polkit_agent_helper_1')
 foreach p : [ '/usr/libexec/polkit-agent-helper-1',
@ -624,7 +616,6 @@ if enable_modem_manager
  endif
  config_h.set_quoted('MOBILE_BROADBAND_PROVIDER_INFO_DATABASE', mobile_broadband_provider_info_database)
 endif
-config_h.set10('WITH_WWAN', enable_modem_manager)

 # Bluez5 DUN support
 enable_bluez5_dun = get_option('bluez5_dun')
@ -924,6 +915,7 @@ endif
 test_args = [
  '--called-from-make',
  build_root,
+  '',
  enable_valgrind ? valgrind_path : '',
  enable_valgrind ? valgrind_suppressions_path : '',
  '--launch-dbus=auto',
@ -962,6 +954,7 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED',                 ', '.join(config_dhcp_c
 data_conf.set('NM_MAJOR_VERSION',                        nm_major_version)
 data_conf.set('NM_MICRO_VERSION',                        nm_micro_version)
 data_conf.set('NM_MINOR_VERSION',                        nm_minor_version)
+data_conf.set('NM_MODIFY_SYSTEM_POLICY',                 (enable_modify_system ? 'yes' : 'auth_admin_keep'))
 data_conf.set('NM_VERSION',                              nm_version)
 data_conf.set('VERSION',                                 nm_version)
 data_conf.set('bindir',                                  nm_bindir)
@ -1077,7 +1070,6 @@ output = '\nSystem paths:\n'
 output += '  prefix: ' + nm_prefix + '\n'
 output += '  exec_prefix: ' + nm_prefix + '\n'
 output += '  systemdunitdir: ' + systemd_systemdsystemunitdir + '\n'
-output += '  systemdgeneratordir: ' + systemd_systemdsystemgeneratordir + '\n'
 output += '  udev_dir: ' + udev_udevdir + '\n'
 output += '  nmbinary: ' + nm_pkgsbindir + '\n'
 output += '  nmconfdir: ' + nm_pkgconfdir + '\n'
@ -1092,7 +1084,17 @@ output += '  dbus_conf_dir: ' + dbus_conf_dir + '\n'
 output += '\nPlatform:\n'
 output += '  session tracking: ' + ','.join(session_trackers) + '\n'
 output += '  suspend/resume: ' + suspend_resume + '\n'
-output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ', noauth_group: "' + polkit_noauth_group + '")\n'
+output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')'
+if enable_polkit
+  output += ' ('
+  if enable_modify_system
+    output += 'permissive'
+  else
+    output += 'restrictive'
+  endif
+  output += ' modify.system)'
+endif
+output += '\n'
 output += '  polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n'
 output += '  selinux: ' + enable_selinux.to_string() + '\n'
 output += '  systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
@ -1156,5 +1158,6 @@ output +=      'have-nss: ' + crypto_nss_dep.found().to_string() + ')\n'
 output += '  sanitizers: ' + get_option('b_sanitize') + '\n'
 output += '  Mozilla Public Suffix List: ' + enable_libpsl.to_string() + '\n'
 output += '  vapi: ' + enable_vapi.to_string() + '\n'
+output += '  ebpf: ' + enable_ebpf.to_string() + '\n'
 output += '  readline: ' + with_readline + '\n'
 message(output)
--- a/meson_options.txt
+++ b/meson_options.txt
@ -1,6 +1,5 @@
 # system paths
 option('systemdsystemunitdir', type: 'string', value: '', description: 'Directory for systemd service files')
-option('systemdsystemgeneratordir', type: 'string', value: '', description: 'Directory for systemd generator files')
 option('system_ca_path', type: 'string', value: '/etc/ssl/certs', description: 'path to system CA certificates')
 option('udev_dir', type: 'string', value: '', description: 'Absolute path of the udev base directory. Set to \'no\' not to install the udev rule')
 option('dbus_conf_dir', type: 'string', value: '', description: 'where D-Bus system.d directory is')
@ -19,8 +18,7 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'],
 option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support')
 option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.')
 option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.')
-option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)')
-option('polkit_noauth_group', type: 'string', value: '', description: 'Allow users of the selected group, typically sudo or wheel, to modify system connections without introducing a password (discouraged)')
+option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections')
 option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit')
 option('selinux', type: 'boolean', value: true, description: 'Build with SELinux')
 option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')
@ -30,7 +28,7 @@ option('hostname_persist', type: 'combo', choices: ['default', 'suse', 'gentoo',
 option('libaudit', type: 'combo', choices: ['yes', 'yes-disabled-by-default', 'no'], value: 'yes', description: 'Build with audit daemon support. yes-disabled-by-default enables support, but disables it unless explicitly configured via NetworkManager.conf')

 # features
-option('wext', type: 'combo', choices: ['true', 'false', 'force' ], value: 'false', description: 'Enable or disable Linux Wireless Extensions (deprecated). wext support will be removed in a future release, don\'t rely on this.')
+option('wext', type: 'boolean', value: true, description: 'Enable or disable Linux Wireless Extensions')
 option('wifi', type: 'boolean', value: true, description: 'enable Wi-Fi support')
 option('iwd', type: 'boolean', value: false, description: 'enable iwd support (experimental)')
 option('ppp', type: 'boolean', value: true, description: 'enable PPP/PPPoE support')
@ -46,7 +44,7 @@ option('nmcli', type: 'boolean', value: true, description: 'Build nmcli')
 option('nmtui', type: 'boolean', value: true, description: 'Build nmtui')
 option('nm_cloud_setup', type: 'boolean', value: true, description: 'Build nm-cloud-setup, a tool for automatically configuring networking in cloud')
 option('bluez5_dun', type: 'boolean', value: false, description: 'enable Bluez5 DUN support')
-option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support (deprecated)')
+option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support')
 option('nbft', type: 'boolean', value: true, description: 'Enable NBFT support in the initrd generator')

 # configuration plugins
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@ -1,6 +1,6 @@
 # List of source files containing translatable strings.
 # Please keep this file sorted alphabetically.
-data/org.freedesktop.NetworkManager.policy.in
+data/org.freedesktop.NetworkManager.policy.in.in
 src/core/NetworkManagerUtils.c
 src/core/devices/adsl/nm-device-adsl.c
 src/core/devices/bluetooth/nm-bluez-manager.c
--- a/po/ca.po
+++ b/po/ca.po
@ -8,15 +8,14 @@
 # Lubomir Rintel <lkundrak@v3.sk>, 2016. #zanata
 # Lubomir Rintel <lkundrak@v3.sk>, 2017. #zanata
 # Thomas Haller <thaller@redhat.com>, 2017. #zanata
-# Jordi Mas i Hernàndez <jmas@softcatala.org>, 2025
 msgid ""
 msgstr ""
 "Project-Id-Version: NetworkManager\n"
 "Report-Msgid-Bugs-To: https://gitlab.freedesktop.org/NetworkManager/"
 "NetworkManager/issues\n"
 "POT-Creation-Date: 2023-06-16 15:26+0000\n"
-"PO-Revision-Date: 2025-09-28 00:07+0200\n"
-"Last-Translator: Jordi Mas i Hernàndez <jmas@softcatala.org>\n"
+"PO-Revision-Date: 2023-06-17 00:07+0200\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Catalan <tradgnome@softcatala.org>\n"
 "Language: ca\n"
 "MIME-Version: 1.0\n"
@ -356,7 +355,7 @@ msgstr "Connexió WPAN"

 #: src/core/devices/team/nm-device-team.c:131
 msgid "Team connection"
-msgstr "Connexió d'equip"
+msgstr "Connexió equip"

 #: src/core/devices/wifi/nm-device-olpc-mesh.c:112 src/nmcli/devices.c:1400
 msgid "Mesh"
@ -649,7 +648,7 @@ msgstr "Surt després de la configuració inicial"
 #: src/core/nm-config.c:639
 msgid "Don't become a daemon, and log to stderr"
 msgstr ""
-"No et converteixis en un dimoni, i envia el registre a la sortida d'error"
+"No et converteixis en un dimoni, i envia el registre a la sortida estàndard"

 #: src/core/nm-config.c:648
 msgid "An http(s) address for checking internet connectivity"
@ -796,7 +795,7 @@ msgstr "La connexió no era una connexió Ethernet o PPPoE."

 #: src/libnm-client-impl/nm-device-ethernet.c:206
 msgid "The connection and device differ in S390 subchannels."
-msgstr "La connexió i el dispositiu difereixen als subcanals S390."
+msgstr "La connexió i el dispositiu difereixen als subcanals 5930."

 #: src/libnm-client-impl/nm-device-ethernet.c:223
 #, c-format
@ -882,7 +881,7 @@ msgstr "La connexió no era una connexió tun."

 #: src/libnm-client-impl/nm-device-team.c:124
 msgid "The connection was not a team connection."
-msgstr "La connexió no era una connexió d'equip."
+msgstr "La connexió no era una connexió equip."

 #: src/libnm-client-impl/nm-device-tun.c:204
 msgid "The connection was not a tun connection."
@ -1326,27 +1325,27 @@ msgstr ""

 #: src/libnm-core-impl/nm-keyfile.c:333
 msgid "ignoring missing number"
-msgstr "s'ignora el número faltant"
+msgstr "s'ignorarà el número faltant"

 #: src/libnm-core-impl/nm-keyfile.c:345
 #, c-format
 msgid "ignoring invalid number '%s'"
-msgstr "s'ignora el número «%s» no vàlid"
+msgstr "s'ignorarà el número «%s» no vàlid"

 #: src/libnm-core-impl/nm-keyfile.c:374
 #, c-format
 msgid "ignoring invalid %s address: %s"
-msgstr "s'ignora l'adreça %s no vàlida: %s"
+msgstr "s'ignorarà l'adreça %s no vàlida: %s"

 #: src/libnm-core-impl/nm-keyfile.c:420
 #, c-format
 msgid "ignoring invalid gateway '%s' for %s route"
-msgstr "s'ignora la passarel·la «%s» no vàlida per a la ruta %s"
+msgstr "s'ignorarà la passarel·la «%s» no vàlida per a la ruta %s"

 #: src/libnm-core-impl/nm-keyfile.c:442
 #, c-format
 msgid "ignoring invalid %s route: %s"
-msgstr "s'ignora la ruta %s no vàlida: %s"
+msgstr "s'ignorarà la ruta %s no vàlida: %s"

 #: src/libnm-core-impl/nm-keyfile.c:620
 #, c-format
@ -1362,7 +1361,7 @@ msgstr "caràcter «%c» inesperat per a %s: «%s» (posició %td)"
 #, c-format
 msgid "unexpected character '%c' in prefix length for %s: '%s' (position %td)"
 msgstr ""
-"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)"
+"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)<"

 #: src/libnm-core-impl/nm-keyfile.c:669
 #, c-format
@ -1414,11 +1413,11 @@ msgstr "s'ignorarà l'adreça %s no vàlida: %s"

 #: src/libnm-core-impl/nm-keyfile.c:1518
 msgid "ignoring invalid SSID"
-msgstr "s'ignora l'SSID no vàlida"
+msgstr "s'ignorarà l'SSID no vàlida"

 #: src/libnm-core-impl/nm-keyfile.c:1536
 msgid "ignoring invalid raw password"
-msgstr "s'ignora la contrasenya sense processar no vàlida"
+msgstr "s'ignorarà la contrasenya sense processar no vàlida"

 #: src/libnm-core-impl/nm-keyfile.c:1681
 msgid "invalid key/cert value"
@ -1459,7 +1458,7 @@ msgstr "valor de paritat «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:1958 src/libnm-core-impl/nm-keyfile.c:3540
 #, c-format
 msgid "invalid setting: %s"
-msgstr "el paràmetre no és vàlid: %s"
+msgstr "el paràmetre no és vàlid: «%s»"

 #: src/libnm-core-impl/nm-keyfile.c:1978
 #, fuzzy, c-format
@ -1974,7 +1973,7 @@ msgstr "file:// URI no és UTF-8 vàlida"

 #: src/libnm-core-impl/nm-setting-connection.c:1501
 msgid "invalid permissions not in format \"user:$UNAME[:]\""
-msgstr "els permisos no són vàlids, no estan en el format «user:$UNAME[:]"
+msgstr "els permisos no són vàlids, no estan en el format «user:$UNANE[:]"

 #: src/libnm-core-impl/nm-setting-connection.c:1530
 #, c-format
@ -2087,7 +2086,7 @@ msgstr "«%s» no és un número"

 #: src/libnm-core-impl/nm-setting-gsm.c:479
 msgid "property is empty or wrong size"
-msgstr "la propietat és buida o de mida incorrecta"
+msgstr "la propietat és buda o de mida incorrecta"

 #: src/libnm-core-impl/nm-setting-gsm.c:492
 msgid "property must contain only digits"
@ -2099,12 +2098,12 @@ msgstr "no es pot activar quan hi ha una configuració manual"

 #: src/libnm-core-impl/nm-setting-infiniband.c:215
 msgid "Must specify a P_Key if specifying parent"
-msgstr "S'ha d'especificar una P_Key si s'especifica el pare"
+msgstr "S'ha d'especificar una P-Key si s'especifica el pare"

 #: src/libnm-core-impl/nm-setting-infiniband.c:226
 msgid "InfiniBand P_Key connection did not specify parent interface name"
 msgstr ""
-"La connexió InfiniBand P_Key no ha especificat el nom de la interfície pare"
+"La connexió InfiniBand P_Key no ha especificat el nom de l'interfície pare"

 #: src/libnm-core-impl/nm-setting-infiniband.c:234
 msgid "the values 0 and 0x8000 are not allowed"
@ -2157,12 +2156,12 @@ msgstr "Adreça IPv4 «%s» no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:106
 #, c-format
 msgid "Invalid IPv4 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv4 no vàlid"
+msgstr "Prefix «%u» d'adreça IPv4 no vàlida"

 #: src/libnm-core-impl/nm-setting-ip-config.c:107
 #, c-format
 msgid "Invalid IPv6 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv6 no vàlid"
+msgstr "Prefix «%u» d'adreça IPv6 no vàlida<"

 #: src/libnm-core-impl/nm-setting-ip-config.c:124
 #, c-format
@ -2209,7 +2208,7 @@ msgstr "el prefix %s no és vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1423
 #, c-format
 msgid "%s is not a valid route type"
-msgstr "%s no és un tipus de ruta vàlid"
+msgstr "%s no és un nom de ruta vàlid"

 #: src/libnm-core-impl/nm-setting-ip-config.c:1442
 #, fuzzy
@ -2433,7 +2432,7 @@ msgstr "La ruta %d. no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5638
 #, c-format
 msgid "invalid attribute: %s"
-msgstr "atribut no vàlid: %s"
+msgstr "atribut no vàlid: «%s»"

 #: src/libnm-core-impl/nm-setting-ip-config.c:5658
 #, c-format
@ -4106,7 +4105,7 @@ msgstr "«%s» no és vàlid; useu [%s] or [%s]"
 #: src/libnmc-base/nm-client-utils.c:176
 #, c-format
 msgid "'%s' is not valid; use [%s], [%s] or [%s]"
-msgstr "«%s» no és vàlid, useu [%s], [%s] o [%s]"
+msgstr "«%s» no és vàld, useu [%s], [%s] o [%s]"

 #: src/libnmc-base/nm-client-utils.c:230
 #, c-format
@ -4677,7 +4676,7 @@ msgstr "clau privada no vàlida"
 #, fuzzy, c-format
 msgid "Secrets are required to connect WireGuard VPN '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."

 #: src/libnmc-base/nm-secret-agent-simple.c:620
@ -4699,7 +4698,7 @@ msgid ""
 "Passwords or encryption keys are required to access the wireless network "
 "'%s'."
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."

 #: src/libnmc-base/nm-secret-agent-simple.c:886
@ -4710,7 +4709,7 @@ msgstr "Autenticació 802.1X de xarxa amb fil"
 #, fuzzy, c-format
 msgid "Secrets are required to access the wired network '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."

 #: src/libnmc-base/nm-secret-agent-simple.c:893
@ -5419,10 +5418,10 @@ msgid ""
 msgstr ""
 "Entreu els bytes com una llista de valors hexadecimals.\n"
 "S'accepten dos formats:\n"
-"(a) una cadena de dígits hexadecimals, on cada dos dígits representen un "
+"(a) una cadena de dígits exadecimals, on cada dos dígits representen un "
 "byte\n"
-"(b) una llista separada per espais de bytes escrits com a dígits hexadecimals "
-"(amb prefix opcional 0x/0X,i un 0 inicial opcional).\n"
+"(b) una llista separada per espais de bytes escrits com a dígits hexadecimas "
+"(amb prefix opcional 0x/0X,i un 0 inicial opcional). \n"
 "\n"
 "Exemples: ab0455a6ea3a74C2\n"
 "          ab 4 55 0xa6 ea 3a 74 C2\n"
@ -5494,7 +5493,7 @@ msgstr "Demora cap endavant"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5280
 #: src/nmtui/nmt-page-bridge.c:134
 msgid "Hello time"
-msgstr "Temps de benvinguda"
+msgstr "Temps de benviguda"

 #: src/libnmc-setting/nm-meta-setting-desc.c:5286
 #: src/nmtui/nmt-page-bridge.c:148
@ -5568,7 +5567,7 @@ msgid ""
 msgstr ""
 "Entreu les connexions secundàries que s'haurien d'activar quan s'activa "
 "aquesta connexió. Les connexions es poden especificar o bé per UUID o per ID "
-"(nom). nmcli tradueix transparentment els noms a UUID. Noteu que el "
+"(nom). L'nmcli tradueix transparentment els noms a UUID. Noteu que el "
 "NetworkManager actualment sols dóna suport els VPN com a connexions "
 "secundàries.\n"
 "Els elements es poden separar per comes o espais.\n"
@ -5677,7 +5676,7 @@ msgid ""
 "  priority [prio] [from [src]] [to [dst]], ,...\n"
 "\n"
 msgstr ""
-"Introduïu una llista de regles d'encaminament IPv4 amb el següent format:\n"
+"Introduïu una llista de regles d'encaminanent IPv4 amb el següent format:\n"
 "  priority [prioritat] [from [origen]] [to [destí]], ,...\n"
 "\n"
 "\n"
@ -5697,7 +5696,7 @@ msgstr ""
 "configuració IPv6 \n"
 "és «auto» aquests servidors DNS s'annexen als que retorna (si retorna cap) "
 "la \n"
-"configuració automàtica. Els servidors DNS no es poden usar amb els mètodes "
+"configuració automatica. Els servidors DNS no es poden usar amb els métodes "
 "de \n"
 "configuracó DNS «shared» o «link-local», atès que no hi una xarxa superior. "
 "A tots\n"
@ -8152,12 +8151,12 @@ msgstr ""
 "canonada (|) o un ampersand (&). El primer indica que l'element és opcional "
 "i el segon significa que és obligatori. Si hi ha algun element opcional, "
 "llavors la coincidència avalua a cert si almenys un dels elements opcionals "
-"coincideix (O lògica). Si hi ha elements obligatoris, llavors tots han de "
+"coincideix (O lògicà). Si hi ha elements obligatoris, llavors tots han de "
 "coincidir (I lògica). Per defecte, un element és opcional. Això significa "
 "que un element «foo» es comporta igual que «|foo». Un element també es pot "
 "invertir amb el símbol d'exclamació (!) entre el símbol de la canonada (o de "
 "l'ampersand) i abans del patró. Tingueu en compte que «!foo» és una drecera "
-"per al patró obligatori «&!foo». Finalment, es pot utilitzar una barra "
+"per al patró obligatòri «&!foo». Finalment, es pot utilitzar una barra "
 "inversa al començament de l'element (després dels caràcters especials "
 "opcionals) per no considerar-lo inici del patró. Per exemple, «\\!a» és una "
 "coincidència obligatòria per literalment «!a»."
@ -10723,7 +10722,7 @@ msgstr "Error: «%s» no és una connexió activa.\n"

 #: src/nmcli/connections.c:3436
 msgid "Error: not all active connections found."
-msgstr "Error: No s'han trobat totes les connexions actives."
+msgstr "Error: No s'han trobar totes les connexions actives."

 #: src/nmcli/connections.c:3444
 msgid "Error: no active connection provided."
@ -11042,7 +11041,7 @@ msgstr ""
 "Verifica si el paràmetre o la connexió és vàlida i es pot desar més tard.\n"
 "Indica valors no vàlids quan hi ha un error. Alguns errors es poden "
 "corregir\n"
-"automàticament amb l'opció «fix».\n"
+"automàticaent amb l'opció «fix».\n"
 "\n"
 "Exemples: nmcli> verify\n"
 "          nmcli> verify fix\n"
@ -11064,7 +11063,7 @@ msgid ""
 msgstr ""
 "save [persistent|temporary]  :: desa la connexió\n"
 "\n"
-"Envia el perfil de la connexió al NetworkManager que o bé la desarà de forma\n"
+"Envia el perfil de la connexió al NetworManager que o bé la desarà de forma\n"
 "persistent o bé sols la mantindrà a la memòria. «desa» sense cap argument\n"
 "significa «desa de forma persistent».\n"
 "Noteu que un cop que deseu el perfile de forma persistent aquestes "
@ -11486,7 +11485,7 @@ msgstr "Opció no vàlida de verificació: %s\n"
 #: src/nmcli/connections.c:8486
 #, c-format
 msgid "Verify setting '%s': %s\n"
-msgstr "Verifica el paràmetre «%s»: %s\n"
+msgstr "Verifica el paràmere «%s»: %s\n"

 #: src/nmcli/connections.c:8501
 #, c-format
@ -11553,12 +11552,12 @@ msgstr "Error: no es pot activar la connexió: %s.\n"
 #: src/nmcli/connections.c:8679
 #, c-format
 msgid "Error: Failed to activate '%s' (%s) connection: %s\n"
-msgstr "Error: no s'ha pogut activar la connexió «%s» (%s): %s\n"
+msgstr "Error: no s'ha pogut desconnectar la connexió «%s» (%s): %s\n"

 #: src/nmcli/connections.c:8686
 msgid "Monitoring connection activation (press any key to continue)\n"
 msgstr ""
-"S'està supervisant l'activació de la connexió (premeu qualsevol tecla per "
+"S'està supervisant l'activació de la connexio (premeu qualsevol teclar per "
 "continuar)\n"

 #: src/nmcli/connections.c:8721
@ -11583,7 +11582,7 @@ msgstr "Configuració actual del nmcli:\n"
 #: src/nmcli/connections.c:8753
 #, c-format
 msgid "Invalid configuration option '%s'; allowed [%s]\n"
-msgstr "Opció de configuració no vàlida: «%s»; es permet [%s]\n"
+msgstr "Opció de configuració no vàida: «%s»; es permet [%s]\n"

 #: src/nmcli/connections.c:8985
 #, fuzzy
@ -12397,7 +12396,7 @@ msgstr "Error: no s'ha pogut afegir/activar la connexió nova: %s"
 #: src/nmcli/devices.c:2266
 #, c-format
 msgid "Error: Device activation failed: %s"
-msgstr "Error: no s'ha pogut activar el dispositiu: %s"
+msgstr "Error: no s'ha pogut activar el dispositu: %s"

 #: src/nmcli/devices.c:2322
 #, c-format
@ -12604,7 +12603,7 @@ msgstr "Contrasenya: "
 #: src/nmcli/devices.c:4172
 #, c-format
 msgid "'%s' is not valid WPA PSK"
-msgstr "«%s» no és una WPA PSK vàlida"
+msgstr "«%s» no és una WPS PSK vàlida"

 #: src/nmcli/devices.c:4193
 #, c-format
@ -13539,7 +13538,7 @@ msgstr "Error: s'esperava l'argument «%s», però s'ha proporcionat «%s»."
 #: src/nmcli/utils.c:315
 #, c-format
 msgid "Error: Unexpected argument '%s'"
-msgstr "Error: argument inesperat «%s»"
+msgstr "Error: argument inesperat «%s»."

 #: src/nmcli/utils.c:702
 #, fuzzy, c-format
@ -13898,7 +13897,7 @@ msgstr "«%s» <"
 #. NB: the ordering/numbering here corresponds to NmtPageBondMonitoringMode
 #: src/nmtui/nmt-page-bond.c:92
 msgid "MII (recommended)"
-msgstr "MII (recomanat)"
+msgstr "MII (recomendat)"

 #: src/nmtui/nmt-page-bond.c:93
 msgid "ARP"
@ -14544,7 +14543,7 @@ msgstr ""

 #: src/nmtui/nmtui-edit.c:394 src/nmtui/nmtui-edit.c:410
 msgid "New Connection"
-msgstr "Connexió nova"
+msgstr "Connexions nova"

 #: src/nmtui/nmtui-edit.c:452
 #, c-format
--- a/po/it.po
+++ b/po/it.po
@ -12596,7 +12596,7 @@ msgstr "Digitare «help» o «?» per i comandi disponibili."
 #. TRANSLATORS: do not translate 'print', leave it as it is
 #: src/nmcli/connections.c:9072
 msgid "Type 'print' to show all the connection properties."
-msgstr "Digitare «print» per mostrare tutte le proprietà della connessione."
+msgstr "Digitare «stampa» per mostrare tutte le proprietà della connessione."

 #. TRANSLATORS: do not translate 'describe', leave it as it is
 #: src/nmcli/connections.c:9075
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
--- a/po/ru.po
+++ b/po/ru.po
--- a/po/sk.po
+++ b/po/sk.po
--- a/po/sl.po
+++ b/po/sl.po
--- a/src/core/devices/nm-device-bond.c
+++ b/src/core/devices/nm-device-bond.c
@ -52,7 +52,8 @@
        NM_SETTING_BOND_OPTION_PACKETS_PER_SLAVE, NM_SETTING_BOND_OPTION_PRIMARY_RESELECT, \
        NM_SETTING_BOND_OPTION_RESEND_IGMP, NM_SETTING_BOND_OPTION_USE_CARRIER,            \
        NM_SETTING_BOND_OPTION_XMIT_HASH_POLICY, NM_SETTING_BOND_OPTION_NUM_GRAT_ARP,      \
-        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX
+        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX,    \
+        NM_SETTING_BOND_OPTION_LACP_ACTIVE

 #define OPTIONS_REAPPLY_FULL                                     \
    OPTIONS_REAPPLY_SUBSET, NM_SETTING_BOND_OPTION_ACTIVE_SLAVE, \
--- a/src/core/devices/nm-device-ethernet.c
+++ b/src/core/devices/nm-device-ethernet.c
@ -629,17 +629,10 @@ build_supplicant_config(NMDeviceEthernet *self, GError **error)
    mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                   nm_device_get_ifindex(NM_DEVICE(self)));

-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
-                                      nm_utils_get_connection_first_permissions_user(connection));
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);

    security = nm_connection_get_setting_802_1x(connection);
-    if (!nm_supplicant_config_add_setting_8021x(config,
-                                                security,
-                                                con_uuid,
-                                                mtu,
-                                                TRUE,
-                                                nm_device_get_private_files(NM_DEVICE(self)),
-                                                error)) {
+    if (!nm_supplicant_config_add_setting_8021x(config, security, con_uuid, mtu, TRUE, error)) {
        g_prefix_error(error, "802-1x-setting: ");
        g_clear_object(&config);
    }
@ -707,9 +700,6 @@ supplicant_iface_start(NMDeviceEthernet *self)
    NMDeviceEthernetPrivate            *priv   = NM_DEVICE_ETHERNET_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
-    NMActRequest                       *request;
-    NMActiveConnection                 *controller_ac;
-    NMDevice                           *controller;

    config = build_supplicant_config(self, &error);
    if (!config) {
@ -724,16 +714,6 @@ supplicant_iface_start(NMDeviceEthernet *self)
    }

    nm_supplicant_interface_disconnect(priv->supplicant.iface);
-
-    /* Tell the supplicant in which bridge the interface is */
-    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
-        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
-        && (controller = nm_active_connection_get_device(controller_ac))
-        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
-    } else
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
-
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
--- a/src/core/devices/nm-device-hsr.c
+++ b/src/core/devices/nm-device-hsr.c
@ -116,51 +116,29 @@ create_and_realize(NMDevice              *device,
                   const NMPlatformLink **out_plink,
                   GError               **error)
 {
-    const char        *iface   = nm_device_get_iface(device);
-    nm_auto_free char *err_msg = NULL;
-    NMSettingHsr      *s_hsr;
-    NMPlatformLnkHsr   lnk = {};
-    int                r   = 0;
+    const char      *iface = nm_device_get_iface(device);
+    NMSettingHsr    *s_hsr;
+    NMPlatformLnkHsr lnk = {};
+    int              r;

    s_hsr = _nm_connection_get_setting(connection, NM_TYPE_SETTING_HSR);
-
    nm_assert(s_hsr);

    if (nm_setting_hsr_get_port1(s_hsr) != NULL)
        lnk.port1 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port1(s_hsr));
    if (nm_setting_hsr_get_port2(s_hsr) != NULL)
        lnk.port2 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port2(s_hsr));
-    if (nm_setting_hsr_get_interlink(s_hsr) != NULL) {
-        const char *ifname  = nm_setting_hsr_get_interlink(s_hsr);
-        int         ifindex = nm_platform_link_get_ifindex(NM_PLATFORM_GET, ifname);
-
-        if (ifindex <= 0) {
-            err_msg = g_strdup_printf("interlink port '%s' does not exist", ifname);
-            goto out;
-        }
-
-        lnk.interlink = ifindex;
-    }
-
-    lnk.multicast_spec   = nm_setting_hsr_get_multicast_spec(s_hsr);
-    lnk.prp              = nm_setting_hsr_get_prp(s_hsr);
-    lnk.protocol_version = nm_setting_hsr_get_protocol_version(s_hsr);
-
+    lnk.multicast_spec = nm_setting_hsr_get_multicast_spec(s_hsr);
+    lnk.prp            = nm_setting_hsr_get_prp(s_hsr);
    r = nm_platform_link_hsr_add(nm_device_get_platform(device), iface, &lnk, out_plink);
-
    if (r < 0) {
-        err_msg = g_strdup(nm_strerror(r) ?: "unknown");
-    }
-
-out:
-    if (err_msg) {
        g_set_error(error,
                    NM_DEVICE_ERROR,
                    NM_DEVICE_ERROR_CREATION_FAILED,
                    "Failed to create HSR interface '%s' for '%s': %s",
                    iface,
                    nm_connection_get_id(connection),
-                    err_msg);
+                    nm_strerror(r));
        return FALSE;
    }

--- a/src/core/devices/nm-device-macsec.c
+++ b/src/core/devices/nm-device-macsec.c
@ -201,8 +201,7 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
    mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                   nm_device_get_ifindex(NM_DEVICE(self)));

-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
-                                      nm_utils_get_connection_first_permissions_user(connection));
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);

    s_macsec = nm_device_get_applied_setting(NM_DEVICE(self), NM_TYPE_SETTING_MACSEC);

@ -228,13 +227,7 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)

    if (nm_setting_macsec_get_mode(s_macsec) == NM_SETTING_MACSEC_MODE_EAP) {
        s_8021x = nm_connection_get_setting_802_1x(connection);
-        if (!nm_supplicant_config_add_setting_8021x(config,
-                                                    s_8021x,
-                                                    con_uuid,
-                                                    mtu,
-                                                    TRUE,
-                                                    nm_device_get_private_files(NM_DEVICE(self)),
-                                                    error)) {
+        if (!nm_supplicant_config_add_setting_8021x(config, s_8021x, con_uuid, mtu, TRUE, error)) {
            g_prefix_error(error, "802-1x-setting: ");
            return NULL;
        }
@ -440,9 +433,6 @@ supplicant_iface_start(NMDeviceMacsec *self)
    NMDeviceMacsecPrivate              *priv   = NM_DEVICE_MACSEC_GET_PRIVATE(self);
    gs_unref_object NMSupplicantConfig *config = NULL;
    gs_free_error GError               *error  = NULL;
-    NMActRequest                       *request;
-    NMActiveConnection                 *controller_ac;
-    NMDevice                           *controller;

    config = build_supplicant_config(self, &error);
    if (!config) {
@ -455,16 +445,6 @@ supplicant_iface_start(NMDeviceMacsec *self)
    }

    nm_supplicant_interface_disconnect(priv->supplicant.iface);
-
-    /* Tell the supplicant in which bridge the interface is */
-    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
-        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
-        && (controller = nm_active_connection_get_device(controller_ac))
-        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
-    } else
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
-
    nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
    return TRUE;
 }
--- a/src/core/devices/nm-device-private.h
+++ b/src/core/devices/nm-device-private.h
@ -115,6 +115,9 @@ gboolean nm_device_sysctl_ip_conf_set(NMDevice   *self,

 NML3ConfigData *nm_device_create_l3_config_data(NMDevice *self, NMIPConfigSource source);

+NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
+                                                                NMConnection *connection);
+
 void nm_device_ip_method_dhcp4_start(NMDevice *self);

 void nm_device_ip_method_autoconf6_start(NMDevice *self);
@ -176,6 +179,4 @@ void nm_device_auth_request(NMDevice                      *self,

 void nm_device_link_properties_set(NMDevice *self, gboolean reapply);

-GHashTable *nm_device_get_private_files(NMDevice *self);
-
 #endif /* NM_DEVICE_PRIVATE_H */
--- a/src/core/devices/nm-device-utils.c
+++ b/src/core/devices/nm-device-utils.c
@ -135,17 +135,13 @@ NM_UTILS_LOOKUP_STR_DEFINE(
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_LINK_NOT_INIT,
                             "unmanaged-link-not-init"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_QUITTING, "unmanaged-quitting"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_MANAGER_DISABLED,
-                             "unmanaged-nm-disabled"),
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_SLEEPING, "unmanaged-sleeping"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_CONF, "unmanaged-user-conf"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_EXPLICIT,
                             "unmanaged-user-explicit"),
    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_SETTINGS,
                             "unmanaged-user-settings"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE,
-                             "modem-no-operator-code"), );
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"), );

 NM_UTILS_LOOKUP_STR_DEFINE(nm_device_mtu_source_to_string,
                           NMDeviceMtuSource,
@ -239,7 +235,7 @@ resolve_addr_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data
    gs_free_error GError *error  = NULL;
    gs_free char         *output = NULL;

-    output = nm_utils_spawn_helper_finish_string(result, &error);
+    output = nm_utils_spawn_helper_finish(result, &error);
    if (nm_utils_error_is_cancelled(error))
        return;

@ -278,7 +274,6 @@ resolve_addr_spawn_helper(ResolveAddrInfo *info, ResolveAddrService services)
    nm_inet_ntop(info->addr_family, &info->address, addr_str);
    _LOG2D(info, "start lookup via nm-daemon-helper using services: %s", str);
    nm_utils_spawn_helper(NM_MAKE_STRV("resolve-address", addr_str, str),
-                          FALSE,
                          g_task_get_cancellable(info->task),
                          resolve_addr_helper_cb,
                          info);
--- a/src/core/devices/nm-device-wireguard.c
+++ b/src/core/devices/nm-device-wireguard.c
@ -1672,57 +1672,6 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
    return ret;
 }

-static gboolean
-skip_peer_route(const NMIPAddr    *peer_addr,
-                guint              peer_addr_prefix,
-                int                addr_family,
-                NMSettingIPConfig *s_ip)
-{
-    guint num_addresses;
-    guint i;
-
-    /*
-     * If the allowed-ip subnet is already reachable on the interface via the
-     * prefix route of a static IP address, skip adding the peer route.
-     * We don't want to override the prefix route with a new one because the
-     * prefix route also specifies the correct source IP address.
-     *
-     * wg-quick does something similar here:
-     * https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?h=v1.0.20250521#n177
-     * The condition in wg-quick is a bit different because it checks that no
-     * duplicate route exists on the interface. We can't do exactly the same
-     * because here we don't have visibility on all the platform routes.
-     */
-
-    if (!s_ip)
-        return FALSE;
-
-    num_addresses = nm_setting_ip_config_get_num_addresses(s_ip);
-    for (i = 0; i < num_addresses; i++) {
-        NMIPAddr     setting_addr;
-        NMIPAddr     peer_addr_tmp;
-        guint        setting_prefix;
-        NMIPAddress *a;
-
-        peer_addr_tmp = *peer_addr;
-
-        a = nm_setting_ip_config_get_address(s_ip, i);
-        nm_ip_address_get_address_binary(a, &setting_addr);
-        setting_prefix = nm_ip_address_get_prefix(a);
-
-        if (setting_prefix > peer_addr_prefix)
-            continue;
-
-        nm_ip_addr_clear_host_address(addr_family, &setting_addr, NULL, setting_prefix);
-        nm_ip_addr_clear_host_address(addr_family, &peer_addr_tmp, NULL, setting_prefix);
-
-        if (nm_ip_addr_equal(addr_family, &peer_addr_tmp, &setting_addr))
-            return TRUE;
-    }
-
-    return FALSE;
-}
-
 static const NML3ConfigData *
 _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 {
@ -1789,7 +1738,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)

        n_aips = nm_wireguard_peer_get_allowed_ips_len(peer);
        for (j = 0; j < n_aips; j++) {
-            NMSettingIPConfig *s_ip;
            NMPlatformIPXRoute rt;
            NMIPAddr           addrbin;
            const char        *aip;
@ -1797,8 +1745,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
            int                prefix;
            guint32            rtable_coerced;

-            aip  = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
-            s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
+            aip = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);

            if (!valid || !nm_inet_parse_with_prefix_bin(addr_family, aip, NULL, &addrbin, &prefix))
                continue;
@ -1807,6 +1754,9 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
                prefix = (addr_family == AF_INET) ? 32 : 128;

            if (prefix == 0) {
+                NMSettingIPConfig *s_ip;
+
+                s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
                if (nm_setting_ip_config_get_never_default(s_ip))
                    continue;
            }
@ -1819,9 +1769,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)

            nm_ip_addr_clear_host_address(addr_family, &addrbin, NULL, prefix);

-            if (skip_peer_route(&addrbin, prefix, addr_family, s_ip))
-                continue;
-
            rtable_coerced = route_table_coerced;

            if (prefix == 0 && auto_default_route_enabled) {
--- a/src/core/devices/nm-device.c
+++ b/src/core/devices/nm-device.c
@ -113,19 +113,6 @@ typedef enum {
    RELEASE_PORT_TYPE_CONFIG_FORCE,
 } ReleasePortType;

-/**
- * CleanupType:
- * @CLEANUP_TYPE_KEEP: Cleanup internally but keep the real device's config. This is
- *   often used when moving a partially managed device to "unmanaged" (but not only).
- * @CLEANUP_TYPE_REMOVED: The device suddently disappeared. Cleanup internally but don't
- *   make any action on the real device at all, as it no longer exists.
- * @CLEANUP_TYPE_DECONFIGURE: Also deconfigure the real device. This is the typical
- *   action when a connection or device is set to "down", or fully managed devices
- *   moved to "unmanaged".
- * @CLEANUP_TYPE_KEEP_REAPPLY: Like %CLEANUP_TYPE_KEEP, but indicating that it's a
- *   reapply. Some special actions can be done if we're doing a reapply, like keeping
- *   the existing DHCP lease, for example.
- */
 typedef enum {
    CLEANUP_TYPE_KEEP,
    CLEANUP_TYPE_REMOVED,
@ -278,11 +265,11 @@ typedef struct {
    NMDeviceIPState state;
    union {
        struct {
-            NMDnsMasqManager     *dnsmasq_manager;
-            NMNetnsIPReservation *ip_reservation;
-            NMFirewallConfig     *firewall_config;
-            gulong                dnsmasq_state_id;
-            const NML3ConfigData *l3cd;
+            NMDnsMasqManager      *dnsmasq_manager;
+            NMNetnsSharedIPHandle *shared_ip_handle;
+            NMFirewallConfig      *firewall_config;
+            gulong                 dnsmasq_state_id;
+            const NML3ConfigData  *l3cd;
        } v4;
        struct {
        } v6;
@ -348,12 +335,6 @@ typedef struct {
    int           addr_family;
 } HostnameResolver;

-typedef enum {
-    PRIVATE_FILES_STATE_UNKNOWN = 0,
-    PRIVATE_FILES_STATE_READING,
-    PRIVATE_FILES_STATE_DONE,
-} PrivateFilesState;
-
 /*****************************************************************************/

 enum {
@ -711,8 +692,6 @@ typedef struct _NMDevicePrivate {

    IPDevStateData ipdev_data_unspec;

-    gulong sharing_ipv4_changed_id;
-
    struct {
        /* If we set the addrgenmode6, this records the previously set value. */
        guint8 previous_mode_val;
@ -790,13 +769,6 @@ typedef struct _NMDevicePrivate {
        guint64  rx_bytes;
    } stats;

-    struct {
-        GHashTable       *table;
-        GCancellable     *cancellable;
-        char             *user;
-        PrivateFilesState state;
-    } private_files;
-
    bool mtu_force_set_done : 1;

    bool needs_ip6_subnet : 1;
@ -807,6 +779,7 @@ typedef struct _NMDevicePrivate {
    char     *prop_ip_iface; /* IP interface D-Bus property */
    GList    *ping_operations;
    GSource  *ping_timeout;
+    bool      refresh_forwarding_done : 1;
 } NMDevicePrivate;

 G_DEFINE_ABSTRACT_TYPE(NMDevice, nm_device, NM_TYPE_DBUS_OBJECT)
@ -894,8 +867,6 @@ static void _dev_ipshared4_spawn_dnsmasq(NMDevice *self);

 static void _dev_ipshared6_start(NMDevice *self);

-static void _dev_ipforwarding4_start(NMDevice *self, int addr_family);
-
 static void
 _cleanup_ip_pre(NMDevice *self, int addr_family, CleanupType cleanup_type, gboolean preserve_dhcp);

@ -1424,12 +1395,14 @@ _prop_get_ipvx_routed_dns(NMDevice *self, int addr_family)
 }

 static NMSettingConnectionMdns
-_prop_get_connection_mdns(NMDevice *self, NMConnection *connection)
+_prop_get_connection_mdns(NMDevice *self)
 {
+    NMConnection           *connection;
    NMSettingConnectionMdns mdns = NM_SETTING_CONNECTION_MDNS_DEFAULT;

    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_MDNS_DEFAULT);

+    connection = nm_device_get_applied_connection(self);
    if (connection)
        mdns = nm_setting_connection_get_mdns(nm_connection_get_setting_connection(connection));
    if (mdns != NM_SETTING_CONNECTION_MDNS_DEFAULT)
@ -1464,12 +1437,14 @@ _prop_get_sriov_preserve_on_down(NMDevice *self, NMSettingSriov *s_sriov)
 }

 static NMSettingConnectionLlmnr
-_prop_get_connection_llmnr(NMDevice *self, NMConnection *connection)
+_prop_get_connection_llmnr(NMDevice *self)
 {
+    NMConnection            *connection;
    NMSettingConnectionLlmnr llmnr = NM_SETTING_CONNECTION_LLMNR_DEFAULT;

    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_LLMNR_DEFAULT);

+    connection = nm_device_get_applied_connection(self);
    if (connection)
        llmnr = nm_setting_connection_get_llmnr(nm_connection_get_setting_connection(connection));
    if (llmnr != NM_SETTING_CONNECTION_LLMNR_DEFAULT)
@ -1484,12 +1459,14 @@ _prop_get_connection_llmnr(NMDevice *self, NMConnection *connection)
 }

 static NMSettingConnectionDnsOverTls
-_prop_get_connection_dns_over_tls(NMDevice *self, NMConnection *connection)
+_prop_get_connection_dns_over_tls(NMDevice *self)
 {
+    NMConnection                 *connection;
    NMSettingConnectionDnsOverTls dns_over_tls = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;

    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);

+    connection = nm_device_get_applied_connection(self);
    if (connection)
        dns_over_tls = nm_setting_connection_get_dns_over_tls(
            nm_connection_get_setting_connection(connection));
@ -1504,33 +1481,15 @@ _prop_get_connection_dns_over_tls(NMDevice *self, NMConnection *connection)
                                                       NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT);
 }

-static NMSettingConnectionDnssec
-_prop_get_connection_dnssec(NMDevice *self, NMConnection *connection)
-{
-    NMSettingConnectionDnssec dnssec = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
-
-    g_return_val_if_fail(NM_IS_DEVICE(self), NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
-
-    if (connection)
-        dnssec = nm_setting_connection_get_dnssec(nm_connection_get_setting_connection(connection));
-    if (dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
-        return dnssec;
-
-    return nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
-                                                       NM_CON_DEFAULT("connection.dnssec"),
-                                                       self,
-                                                       NM_SETTING_CONNECTION_DNSSEC_NO,
-                                                       NM_SETTING_CONNECTION_DNSSEC_YES,
-                                                       NM_SETTING_CONNECTION_DNSSEC_DEFAULT);
-}
-
 static NMMptcpFlags
-_prop_get_connection_mptcp_flags(NMDevice *self, NMConnection *connection)
+_prop_get_connection_mptcp_flags(NMDevice *self)
 {
-    NMMptcpFlags mptcp_flags = NM_MPTCP_FLAGS_NONE;
+    NMConnection *connection;
+    NMMptcpFlags  mptcp_flags = NM_MPTCP_FLAGS_NONE;

    g_return_val_if_fail(NM_IS_DEVICE(self), NM_MPTCP_FLAGS_DISABLED);

+    connection = nm_device_get_applied_connection(self);
    if (connection) {
        mptcp_flags =
            nm_setting_connection_get_mptcp_flags(nm_connection_get_setting_connection(connection));
@ -2172,8 +2131,8 @@ _prop_get_ipvx_dhcp_send_hostname(NMDevice *self, int addr_family)
    return send_hostname_v2;
 }

-static NMSettingIPConfigForwarding
-_prop_get_ipv4_forwarding(NMDevice *self)
+NMSettingIPConfigForwarding
+nm_device_get_ipv4_forwarding(NMDevice *self)
 {
    NMSettingIPConfig          *s_ip;
    NMSettingIPConfigForwarding forwarding;
@ -2496,14 +2455,16 @@ _prop_get_ipv4_dhcp_vendor_class_identifier(NMDevice *self, NMSettingIP4Config *
 }

 static NMSettingIP6ConfigPrivacy
-_prop_get_ipv6_ip6_privacy(NMDevice *self, NMConnection *connection)
+_prop_get_ipv6_ip6_privacy(NMDevice *self)
 {
    NMSettingIP6ConfigPrivacy ip6_privacy;
+    NMConnection             *connection;

    g_return_val_if_fail(self, NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN);

    /* 1.) First look at the per-connection setting. If it is not -1 (unknown),
     * use it. */
+    connection = nm_device_get_applied_connection(self);
    if (connection) {
        NMSettingIPConfig *s_ip6 = nm_connection_get_setting_ip6_config(connection);

@ -3636,12 +3597,11 @@ nm_device_create_l3_config_data_from_connection(NMDevice *self, NMConnection *co

    l3cd =
        nm_l3_config_data_new_from_connection(nm_device_get_multi_index(self), ifindex, connection);
-    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self, connection));
-    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self, connection));
-    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self, connection));
-    nm_l3_config_data_set_dnssec(l3cd, _prop_get_connection_dnssec(self, connection));
-    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self, connection));
-    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self, connection));
+    nm_l3_config_data_set_mdns(l3cd, _prop_get_connection_mdns(self));
+    nm_l3_config_data_set_llmnr(l3cd, _prop_get_connection_llmnr(self));
+    nm_l3_config_data_set_dns_over_tls(l3cd, _prop_get_connection_dns_over_tls(self));
+    nm_l3_config_data_set_ip6_privacy(l3cd, _prop_get_ipv6_ip6_privacy(self));
+    nm_l3_config_data_set_mptcp_flags(l3cd, _prop_get_connection_mptcp_flags(self));
    return l3cd;
 }

@ -3818,7 +3778,7 @@ nm_device_assume_state_reset(NMDevice *self)

 /*****************************************************************************/

-static char *
+char *
 nm_device_sysctl_ip_conf_get(NMDevice *self, int addr_family, const char *property)
 {
    const char *ifname;
@ -6344,14 +6304,6 @@ concheck_is_possible(NMDevice *self)
    if (priv->state == NM_DEVICE_STATE_UNKNOWN)
        return FALSE;

-    if (!nm_config_data_get_device_config_boolean_by_device(
-            NM_CONFIG_GET_DATA,
-            NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
-            self,
-            TRUE,
-            TRUE))
-        return FALSE;
-
    return TRUE;
 }

@ -6372,10 +6324,8 @@ concheck_periodic_schedule_do(NMDevice *self, int addr_family, gint64 now_ns)
        goto out;
    }

-    if (!concheck_is_possible(self)) {
-        concheck_update_state(self, addr_family, NM_CONNECTIVITY_UNKNOWN, FALSE);
+    if (!concheck_is_possible(self))
        goto out;
-    }

    nm_assert(now_ns > 0);
    nm_assert(priv->concheck_x[IS_IPv4].p_cur_interval > 0);
@ -6598,11 +6548,7 @@ concheck_update_interval(NMDevice *self, int addr_family, gboolean check_now)
        concheck_periodic_schedule_do(self, addr_family, 0);

        /* also update the fake connectivity state. */
-        if (concheck_is_possible(self))
-            concheck_update_state(self, addr_family, NM_CONNECTIVITY_FAKE, TRUE);
-        else
-            concheck_update_state(self, addr_family, NM_CONNECTIVITY_UNKNOWN, FALSE);
-
+        concheck_update_state(self, addr_family, NM_CONNECTIVITY_FAKE, TRUE);
        return;
    }

@ -6631,7 +6577,6 @@ concheck_update_state(NMDevice           *self,
    /* @state is a result of the connectivity check. We only expect a precise
     * number of possible values. */
    nm_assert(NM_IN_SET(state,
-                        NM_CONNECTIVITY_UNKNOWN,
                        NM_CONNECTIVITY_LIMITED,
                        NM_CONNECTIVITY_PORTAL,
                        NM_CONNECTIVITY_FULL,
@ -6700,7 +6645,7 @@ concheck_update_state(NMDevice           *self,
    }
 }

-static const char *
+const char *
 nm_device_get_effective_ip_config_method(NMDevice *self, int addr_family)
 {
    NMDeviceClass *klass;
@ -6955,11 +6900,8 @@ nm_device_check_connectivity(NMDevice                    *self,
                             NMDeviceConnectivityCallback callback,
                             gpointer                     user_data)
 {
-    if (!concheck_is_possible(self)) {
-        concheck_update_state(self, AF_INET, NM_CONNECTIVITY_UNKNOWN, FALSE);
-        concheck_update_state(self, AF_INET6, NM_CONNECTIVITY_UNKNOWN, FALSE);
+    if (!concheck_is_possible(self))
        return NULL;
-    }

    concheck_periodic_schedule_set(self, addr_family, CONCHECK_SCHEDULE_CHECK_EXTERNAL);
    return concheck_start(self, addr_family, callback, user_data, FALSE);
@ -8347,17 +8289,6 @@ config_changed(NMConfig           *config,
            && !nm_device_get_applied_setting(self, NM_TYPE_SETTING_SRIOV))
            device_init_static_sriov_num_vfs(self);
    }
-
-    if (NM_FLAGS_HAS(changes, NM_CONFIG_CHANGE_VALUES) && concheck_is_possible(self)) {
-        /* restart (periodic) connectivity checks if they were previously disabled */
-        if (!nm_config_data_get_device_config_boolean_by_device(
-                old_data,
-                NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
-                self,
-                TRUE,
-                TRUE))
-            nm_device_check_connectivity_update_interval(self);
-    }
 }

 static void
@ -8708,8 +8639,6 @@ nm_device_unrealize(NMDevice *self, gboolean remove_resources, GError **error)

    g_object_thaw_notify(G_OBJECT(self));

-    nm_device_managed_type_set(self, NM_DEVICE_MANAGED_TYPE_REMOVED);
-
    nm_device_set_unmanaged_flags(self, NM_UNMANAGED_PLATFORM_INIT, TRUE);

    nm_device_set_unmanaged_flags(self,
@ -9235,10 +9164,6 @@ is_available(NMDevice *self, NMDeviceCheckDevAvailableFlags flags)
 {
    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);

-    /* unrealized software devices are always available, hardware devices never */
-    if (!nm_device_is_real(self))
-        return nm_device_is_software(self);
-
    if (priv->carrier || priv->ignore_carrier)
        return TRUE;

@ -10465,43 +10390,6 @@ sriov_params_cb(GError *error, gpointer user_data)
    nm_device_activate_schedule_stage1_device_prepare(self, FALSE);
 }

-static gboolean
-sriov_gen_platform_vfs(NMDevice       *self,
-                       NMSettingSriov *s_sriov,
-                       NMPlatformVF ***plat_vfs_out,
-                       GError        **error)
-{
-    nm_auto_freev NMPlatformVF **plat_vfs = NULL;
-    guint                        num;
-
-    nm_assert(s_sriov);
-    nm_assert(plat_vfs_out && !*plat_vfs_out);
-
-    num      = nm_setting_sriov_get_num_vfs(s_sriov);
-    plat_vfs = g_new0(NMPlatformVF *, num + 1);
-
-    for (int i = 0; i < num; i++) {
-        NMSriovVF            *vf    = nm_setting_sriov_get_vf(s_sriov, i);
-        gs_free_error GError *local = NULL;
-
-        plat_vfs[i] = sriov_vf_config_to_platform(self, vf, &local);
-
-        if (!plat_vfs[i]) {
-            g_set_error(error,
-                        local->domain,
-                        local->code,
-                        "VF '%s' is invalid: %s",
-                        nm_utils_sriov_vf_to_str(vf, FALSE, NULL),
-                        local->message);
-            return FALSE;
-        }
-    }
-
-    *plat_vfs_out = g_steal_pointer(&plat_vfs);
-
-    return TRUE;
-}
-
 /*
 * activate_stage1_device_prepare
 *
@ -10548,7 +10436,10 @@ activate_stage1_device_prepare(NMDevice *self)
        if (s_sriov && nm_device_has_capability(self, NM_DEVICE_CAP_SRIOV)) {
            nm_auto_freev NMPlatformVF **plat_vfs = NULL;
            gs_free_error GError        *error    = NULL;
+            NMSriovVF                   *vf;
            NMTernary                    autoprobe;
+            guint                        num;
+            guint                        i;

            autoprobe = nm_setting_sriov_get_autoprobe_drivers(s_sriov);
            if (autoprobe == NM_TERNARY_DEFAULT) {
@ -10561,12 +10452,21 @@ activate_stage1_device_prepare(NMDevice *self)
                    NM_OPTION_BOOL_TRUE);
            }

-            if (!sriov_gen_platform_vfs(self, s_sriov, &plat_vfs, &error)) {
-                _LOGE(LOGD_DEVICE, "cannot parse the VF list: %s", error->message);
-                nm_device_state_changed(self,
-                                        NM_DEVICE_STATE_FAILED,
-                                        NM_DEVICE_STATE_REASON_SRIOV_CONFIGURATION_FAILED);
-                return;
+            num      = nm_setting_sriov_get_num_vfs(s_sriov);
+            plat_vfs = g_new0(NMPlatformVF *, num + 1);
+            for (i = 0; i < num; i++) {
+                vf          = nm_setting_sriov_get_vf(s_sriov, i);
+                plat_vfs[i] = sriov_vf_config_to_platform(self, vf, &error);
+                if (!plat_vfs[i]) {
+                    _LOGE(LOGD_DEVICE,
+                          "failed to apply SR-IOV VF '%s': %s",
+                          nm_utils_sriov_vf_to_str(vf, FALSE, NULL),
+                          error->message);
+                    nm_device_state_changed(self,
+                                            NM_DEVICE_STATE_FAILED,
+                                            NM_DEVICE_STATE_REASON_SRIOV_CONFIGURATION_FAILED);
+                    return;
+                }
            }

            /* When changing the number of VFs the kernel can block
@ -10873,49 +10773,6 @@ tc_commit(NMDevice *self)
    return TRUE;
 }

-static void
-read_private_files_cb(GObject *source_object, GAsyncResult *result, gpointer data)
-{
-    gs_unref_hashtable GHashTable *table = NULL;
-    gs_free_error GError          *error = NULL;
-    NMDevice                      *self;
-    NMDevicePrivate               *priv;
-
-    table = nm_utils_read_private_files_finish(result, &error);
-    if (nm_utils_error_is_cancelled(error))
-        return;
-
-    self = NM_DEVICE(data);
-    priv = NM_DEVICE_GET_PRIVATE(self);
-
-    if (error) {
-        NMConnection *connection = nm_device_get_applied_connection(self);
-
-        _LOGW(LOGD_DEVICE,
-              "could not read files for private connection %s owned by user '%s': %s",
-              connection ? nm_connection_get_uuid(connection) : NULL,
-              priv->private_files.user,
-              error->message);
-        nm_device_state_changed(self, NM_DEVICE_STATE_FAILED, NM_DEVICE_STATE_REASON_CONFIG_FAILED);
-        return;
-    }
-
-    _LOGD(LOGD_DEVICE, "private files successfully read");
-
-    priv->private_files.state = PRIVATE_FILES_STATE_DONE;
-    priv->private_files.table = g_steal_pointer(&table);
-    g_clear_pointer(&priv->private_files.user, g_free);
-    g_clear_object(&priv->private_files.cancellable);
-
-    nm_device_activate_schedule_stage2_device_config(self, FALSE);
-}
-
-GHashTable *
-nm_device_get_private_files(NMDevice *self)
-{
-    return NM_DEVICE_GET_PRIVATE(self)->private_files.table;
-}
-
 /*
 * activate_stage2_device_config
 *
@ -10928,7 +10785,6 @@ activate_stage2_device_config(NMDevice *self)
 {
    NMDevicePrivate *priv  = NM_DEVICE_GET_PRIVATE(self);
    NMDeviceClass   *klass = NM_DEVICE_GET_CLASS(self);
-    NMConnection    *applied;
    NMActStageReturn ret;
    NMSettingWired  *s_wired;
    gboolean         no_firmware = FALSE;
@ -10937,68 +10793,6 @@ activate_stage2_device_config(NMDevice *self)

    nm_device_state_changed(self, NM_DEVICE_STATE_CONFIG, NM_DEVICE_STATE_REASON_NONE);

-    applied = nm_device_get_applied_connection(self);
-
-    /* If the connection is private (owned by a specific user), we need to
-     * verify that the user has permission to access any files specified in
-     * the connection, such as certificates and keys. We do that by calling
-     * nm_utils_read_private_files() and saving the file contents in a hash
-     * table that can be accessed later during the activation. It is important
-     * to never access the files again to avoid TOCTOU bugs.
-     */
-    switch (priv->private_files.state) {
-    case PRIVATE_FILES_STATE_UNKNOWN:
-    {
-        gs_free const char **paths = NULL;
-        NMSettingConnection *s_con;
-        const char          *user;
-
-        s_con = nm_connection_get_setting_connection(applied);
-        nm_assert(s_con);
-        user = _nm_setting_connection_get_first_permissions_user(s_con);
-
-        priv->private_files.user = g_strdup(user);
-        if (!priv->private_files.user) {
-            priv->private_files.state = PRIVATE_FILES_STATE_DONE;
-            break;
-        }
-
-        paths = nm_utils_get_connection_private_files_paths(applied);
-        if (!paths) {
-            priv->private_files.state = PRIVATE_FILES_STATE_DONE;
-            break;
-        }
-
-        if (_nm_setting_connection_get_num_permissions_users(s_con) > 1) {
-            _LOGW(LOGD_DEVICE,
-                  "private connections with multiple users are not allowed to reference "
-                  "certificates and keys on the filesystem. Specify only one user in the "
-                  "connection.permissions property.");
-            nm_device_state_changed(self,
-                                    NM_DEVICE_STATE_FAILED,
-                                    NM_DEVICE_STATE_REASON_CONFIG_FAILED);
-            return;
-        }
-
-        priv->private_files.state       = PRIVATE_FILES_STATE_READING;
-        priv->private_files.cancellable = g_cancellable_new();
-
-        _LOGD(LOGD_DEVICE, "reading private files");
-        nm_utils_read_private_files(paths,
-                                    priv->private_files.user,
-                                    priv->private_files.cancellable,
-                                    read_private_files_cb,
-                                    self);
-        return;
-    }
-    case PRIVATE_FILES_STATE_READING:
-        /* wait */
-        return;
-    case PRIVATE_FILES_STATE_DONE:
-        /* proceed */
-        break;
-    }
-
    if (!nm_device_managed_type_is_external(self)) {
        _ethtool_state_set(self);
        nm_device_link_properties_set(self, FALSE);
@ -11015,7 +10809,7 @@ activate_stage2_device_config(NMDevice *self)
        priv->tc_committed = TRUE;
    }

-    nm_routing_rules_sync(applied,
+    nm_routing_rules_sync(nm_device_get_applied_connection(self),
                          NM_TERNARY_TRUE,
                          klass->get_extra_rules,
                          self,
@ -13027,7 +12821,7 @@ _dev_ipac6_start(NMDevice *self)
            .router_solicitations         = router_solicitations,
            .router_solicitation_interval = router_solicitation_interval,
            .ra_timeout                   = ra_timeout,
-            .ip6_privacy                  = _prop_get_ipv6_ip6_privacy(self, connection),
+            .ip6_privacy                  = _prop_get_ipv6_ip6_privacy(self),
        };

        priv->ipac6_data.ndisc = nm_lndp_ndisc_new(&config);
@ -13340,12 +13134,17 @@ activate_stage3_ip_config_for_addr_family(NMDevice *self, int addr_family)
        goto out_devip;

    if (IS_IPv4) {
+        NMSettingIPConfigForwarding ipv4_forwarding = nm_device_get_ipv4_forwarding(self);
+
+        if (NM_IN_SET(ipv4_forwarding,
+                      NM_SETTING_IP_CONFIG_FORWARDING_NO,
+                      NM_SETTING_IP_CONFIG_FORWARDING_YES)) {
+            nm_device_sysctl_ip_conf_set(self, AF_INET, "forwarding", ipv4_forwarding ? "1" : "0");
+        }
        priv->ipll_data_4.v4.mode = _prop_get_ipv4_link_local(self);
        if (priv->ipll_data_4.v4.mode == NM_SETTING_IP4_LL_ENABLED)
            _dev_ipll4_start(self);

-        _dev_ipforwarding4_start(self, addr_family);
-
        if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_AUTO))
            _dev_ipdhcpx_start(self, AF_INET);
        else if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_LINK_LOCAL)) {
@ -13665,21 +13464,15 @@ nm_device_activate_schedule_stage3_ip_config(NMDevice *self, gboolean do_sync)
 static void
 _dev_ipsharedx_set_state(NMDevice *self, int addr_family, NMDeviceIPState state)
 {
-    NMDevicePrivate *priv      = NM_DEVICE_GET_PRIVATE(self);
-    const int        IS_IPv4   = NM_IS_IPv4(addr_family);
-    NMDeviceIPState  old_state = priv->ipshared_data_x[IS_IPv4].state;
+    NMDevicePrivate *priv    = NM_DEVICE_GET_PRIVATE(self);
+    const int        IS_IPv4 = NM_IS_IPv4(addr_family);

-    if (old_state != state) {
+    if (priv->ipshared_data_x[IS_IPv4].state != state) {
        _LOGD_ipshared(addr_family,
                       "set state %s (was %s)",
                       nm_device_ip_state_to_string(state),
-                       nm_device_ip_state_to_string(old_state));
+                       nm_device_ip_state_to_string(priv->ipshared_data_x[IS_IPv4].state));
        priv->ipshared_data_x[IS_IPv4].state = state;
-
-        if (old_state == NM_DEVICE_IP_STATE_READY || state == NM_DEVICE_IP_STATE_READY)
-            nm_manager_update_shared_connection(NM_MANAGER_GET,
-                                                addr_family,
-                                                state == NM_DEVICE_IP_STATE_READY);
    }
 }

@ -13702,7 +13495,7 @@ _dev_ipsharedx_cleanup(NMDevice *self, int addr_family)
            nm_clear_pointer(&priv->ipshared_data_4.v4.firewall_config, nm_firewall_config_free);
        }

-        nm_clear_pointer(&priv->ipshared_data_4.v4.ip_reservation, nm_netns_ip_reservation_release);
+        nm_clear_pointer(&priv->ipshared_data_4.v4.shared_ip_handle, nm_netns_shared_ip_release);
        nm_clear_l3cd(&priv->ipshared_data_4.v4.l3cd);

        _dev_l3_register_l3cds_set_one(self, L3_CONFIG_DATA_TYPE_SHARED_4, NULL, FALSE);
@ -13736,14 +13529,13 @@ _dev_ipshared4_new_l3cd(NMDevice *self, NMConnection *connection, NMPlatformIP4A

        nm_ip_address_get_address_binary(user, &a);
        nm_platform_ip4_address_set_addr(&address, a, nm_ip_address_get_prefix(user));
-        nm_clear_pointer(&priv->ipshared_data_4.v4.ip_reservation, nm_netns_ip_reservation_release);
+        nm_clear_pointer(&priv->ipshared_data_4.v4.shared_ip_handle, nm_netns_shared_ip_release);
    } else {
-        if (!priv->ipshared_data_4.v4.ip_reservation)
-            priv->ipshared_data_4.v4.ip_reservation =
-                nm_netns_ip_reservation_get(nm_device_get_netns(self),
-                                            NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
+        if (!priv->ipshared_data_4.v4.shared_ip_handle)
+            priv->ipshared_data_4.v4.shared_ip_handle =
+                nm_netns_shared_ip_reserve(nm_device_get_netns(self));
        nm_platform_ip4_address_set_addr(&address,
-                                         priv->ipshared_data_4.v4.ip_reservation->addr,
+                                         priv->ipshared_data_4.v4.shared_ip_handle->addr,
                                         24);
    }

@ -13975,106 +13767,6 @@ _dev_ipshared6_start(NMDevice *self)

 /*****************************************************************************/

-/**
- * Set the device's forwarding to the specified value. If %NM_TERNARY_DEFAULT is specified,
- * it's set to the kernel's default, otherwise it's set to the specific value.
- */
-static void
-_dev_ipforwarding4_set(NMDevice *self, NMTernary val)
-{
-    gs_free const char *default_forwarding = NULL;
-    gs_free const char *current_forwarding = NULL;
-    const char         *val_str;
-
-    if (val != NM_TERNARY_DEFAULT) {
-        val_str = val ? "1" : "0";
-    } else {
-        default_forwarding = nm_platform_sysctl_get(
-            nm_device_get_platform(self),
-            NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"));
-
-        if (!default_forwarding) {
-            _LOGW(LOGD_DEVICE,
-                  "error setting IPv4 forwarding: can't read default forwarding value: %s",
-                  nm_strerror_native(errno));
-            return; /* Non fatal */
-        }
-
-        val_str = default_forwarding;
-    }
-
-    current_forwarding = nm_device_sysctl_ip_conf_get(self, AF_INET, "forwarding");
-    if (nm_streq0(current_forwarding, val_str))
-        return;
-
-    if (!nm_device_sysctl_ip_conf_set(self, AF_INET, "forwarding", val_str))
-        _LOGW(LOGD_DEVICE,
-              "error setting IPv4 forwarding to '%s': %s",
-              val_str,
-              nm_strerror_native(errno));
-}
-
-static void
-_dev_ipforwarding4_auto_cb(NMManager *manager, gboolean sharing_ipv4, gpointer data)
-{
-    NMDevice *self = NM_DEVICE(data);
-
-    _dev_ipforwarding4_set(self, sharing_ipv4 ? NM_TERNARY_TRUE : NM_TERNARY_DEFAULT);
-}
-
-static void
-_dev_ipforwarding4_start(NMDevice *self, int addr_family)
-{
-    NMDevicePrivate            *priv            = NM_DEVICE_GET_PRIVATE(self);
-    NMSettingIPConfigForwarding ipv4_forwarding = _prop_get_ipv4_forwarding(self);
-    NMTernary                   new_forwarding  = NM_TERNARY_DEFAULT;
-
-    /* IPv6 per-interface forwarding not supported yet */
-    if (addr_family != AF_INET)
-        return;
-
-    if (nm_streq(priv->ipv4_method, NM_SETTING_IP4_CONFIG_METHOD_SHARED)) {
-        new_forwarding = NM_TERNARY_TRUE;
-    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_YES) {
-        new_forwarding = NM_TERNARY_TRUE;
-    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_NO) {
-        new_forwarding = NM_TERNARY_FALSE;
-    } else if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_AUTO) {
-        if (nm_manager_get_sharing_ipv4(NM_MANAGER_GET))
-            new_forwarding = NM_TERNARY_TRUE;
-        else
-            new_forwarding = NM_TERNARY_DEFAULT;
-
-        if (!priv->sharing_ipv4_changed_id)
-            priv->sharing_ipv4_changed_id = g_signal_connect(NM_MANAGER_GET,
-                                                             NM_MANAGER_SHARING_IPV4_CHANGED,
-                                                             G_CALLBACK(_dev_ipforwarding4_auto_cb),
-                                                             self);
-    } else {
-        nm_assert_not_reached();
-    }
-
-    _dev_ipforwarding4_set(self, new_forwarding);
-}
-
-static void
-_dev_ipforwarding_cleanup(NMDevice *self, int addr_family, CleanupType cleanup_type)
-{
-    NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE(self);
-
-    if (!NM_IS_IPv4(addr_family))
-        return;
-
-    nm_clear_g_signal_handler(NM_MANAGER_GET, &priv->sharing_ipv4_changed_id);
-
-    if (NM_IN_SET(cleanup_type, CLEANUP_TYPE_DECONFIGURE, CLEANUP_TYPE_KEEP_REAPPLY)) {
-        /* Deconfigure by restoring kernel's default */
-        _dev_ipforwarding4_set(self, NM_TERNARY_DEFAULT);
-    }
-}
-
-/*****************************************************************************/
-
 static void
 act_request_set(NMDevice *self, NMActRequest *act_request)
 {
@ -14187,8 +13879,6 @@ _cleanup_ip_pre(NMDevice *self, int addr_family, CleanupType cleanup_type, gbool
    NMDevicePrivate *priv         = NM_DEVICE_GET_PRIVATE(self);
    gboolean         keep_reapply = (cleanup_type == CLEANUP_TYPE_KEEP_REAPPLY);

-    _dev_ipforwarding_cleanup(self, addr_family, cleanup_type);
-
    _dev_ipsharedx_cleanup(self, addr_family);

    _dev_ipdev_cleanup(self, AF_UNSPEC);
@ -14336,7 +14026,6 @@ can_reapply_change(NMDevice   *self,
                                                 NM_SETTING_CONNECTION_MDNS,
                                                 NM_SETTING_CONNECTION_LLMNR,
                                                 NM_SETTING_CONNECTION_DNS_OVER_TLS,
-                                                 NM_SETTING_CONNECTION_DNSSEC,
                                                 NM_SETTING_CONNECTION_MPTCP_FLAGS,
                                                 NM_SETTING_CONNECTION_WAIT_ACTIVATION_DELAY);
    }
@ -14372,8 +14061,7 @@ can_reapply_change(NMDevice   *self,
        return nm_device_hash_check_invalid_keys(diffs,
                                                 NM_SETTING_SRIOV_SETTING_NAME,
                                                 error,
-                                                 NM_SETTING_SRIOV_PRESERVE_ON_DOWN,
-                                                 NM_SETTING_SRIOV_VFS);
+                                                 NM_SETTING_SRIOV_PRESERVE_ON_DOWN);
    }

 out_fail:
@ -14551,35 +14239,9 @@ check_and_reapply_connection(NMDevice            *self,

    nm_device_link_properties_set(self, TRUE);

-    if (priv->state >= NM_DEVICE_STATE_CONFIG) {
-        GHashTable *sriov_diff;
-
+    if (priv->state >= NM_DEVICE_STATE_CONFIG)
        lldp_setup(self, NM_TERNARY_DEFAULT);

-        sriov_diff = nm_g_hash_table_lookup(diffs, NM_SETTING_SRIOV_SETTING_NAME);
-
-        if (sriov_diff && nm_g_hash_table_lookup(sriov_diff, NM_SETTING_SRIOV_VFS)) {
-            nm_auto_freev NMPlatformVF **plat_vfs = NULL;
-            NMSettingSriov              *s_sriov;
-
-            s_sriov = (NMSettingSriov *) nm_connection_get_setting(applied, NM_TYPE_SETTING_SRIOV);
-
-            if (s_sriov) {
-                gs_free_error GError *local = NULL;
-
-                if (!sriov_gen_platform_vfs(self, s_sriov, &plat_vfs, &local)
-                    || !nm_platform_link_set_sriov_vfs(nm_device_get_platform(self),
-                                                       priv->ifindex,
-                                                       (const NMPlatformVF *const *) plat_vfs)) {
-                    _LOGE(LOGD_DEVICE,
-                          "failed to reapply SRIOV VFs%s%s",
-                          local ? ": " : "",
-                          local ? local->message : "");
-                }
-            }
-        }
-    }
-
    if (priv->state >= NM_DEVICE_STATE_IP_CONFIG) {
        /* Allow reapply of MTU */
        priv->mtu_source = NM_DEVICE_MTU_SOURCE_NONE;
@ -14595,7 +14257,6 @@ check_and_reapply_connection(NMDevice            *self,
                NM_SETTING_CONNECTION_MDNS,
                NM_SETTING_CONNECTION_LLMNR,
                NM_SETTING_CONNECTION_DNS_OVER_TLS,
-                NM_SETTING_CONNECTION_DNSSEC,
                NM_SETTING_CONNECTION_MPTCP_FLAGS)) {
            priv->ip_data_4.do_reapply = TRUE;
            priv->ip_data_6.do_reapply = TRUE;
@ -15034,15 +14695,13 @@ impl_device_delete(NMDBusObject                      *obj,
                           NULL);
 }

-static gboolean
+static void
 _device_activate(NMDevice *self, NMActRequest *req)
 {
    NMConnection *connection;

-    /* Returns TRUE on success, FALSE if the activation request could not be started */
-
-    g_return_val_if_fail(NM_IS_DEVICE(self), FALSE);
-    g_return_val_if_fail(NM_IS_ACT_REQUEST(req), FALSE);
+    g_return_if_fail(NM_IS_DEVICE(self));
+    g_return_if_fail(NM_IS_ACT_REQUEST(req));
    nm_assert(nm_device_is_real(self));

    /* Ensure the activation request is still valid; the controller may have
@ -15050,7 +14709,7 @@ _device_activate(NMDevice *self, NMActRequest *req)
     */
    if (nm_active_connection_get_state(NM_ACTIVE_CONNECTION(req))
        >= NM_ACTIVE_CONNECTION_STATE_DEACTIVATING)
-        return FALSE;
+        return;

    if (!nm_device_get_managed(self, FALSE)) {
        /* It's unclear why the device would be unmanaged at this point.
@ -15061,7 +14720,7 @@ _device_activate(NMDevice *self, NMActRequest *req)
        nm_active_connection_set_state_fail((NMActiveConnection *) req,
                                            NM_ACTIVE_CONNECTION_STATE_REASON_UNKNOWN,
                                            NULL);
-        return FALSE;
+        return;
    }

    connection = nm_act_request_get_applied_connection(req);
@ -15077,8 +14736,6 @@ _device_activate(NMDevice *self, NMActRequest *req)
    act_request_set(self, req);

    nm_device_activate_schedule_stage1_device_prepare(self, FALSE);
-
-    return TRUE;
 }

 static void
@ -15098,9 +14755,7 @@ _carrier_wait_check_queued_act_request(NMDevice *self)

        _LOGD(LOGD_DEVICE, "Activate queued activation request as we now have carrier");
        queued_req = g_steal_pointer(&priv->queued_act_request);
-        if (!_device_activate(self, queued_req)) {
-            delete_on_deactivate_check_and_schedule(self);
-        }
+        _device_activate(self, queued_req);
    }
 }

@ -15947,7 +15602,7 @@ nm_device_get_firmware_missing(NMDevice *self)

 NM_UTILS_FLAGS2STR_DEFINE(nm_unmanaged_flags2str,
                          NMUnmanagedFlags,
-                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_MANAGER_DISABLED, "nm-disabled"),
+                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_SLEEPING, "sleeping"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_QUITTING, "quitting"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_PLATFORM_INIT, "platform-init"),
                          NM_UTILS_FLAGS2STR(NM_UNMANAGED_USER_EXPLICIT, "user-explicit"),
@ -16011,8 +15666,8 @@ unmanaged_flags_to_reason(NMUnmanagedFlags flags)
    /* Even if there are multiple flags, we can only return one reason.
     * Return the most important reason.
     */
-    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_MANAGER_DISABLED))
-        return NM_DEVICE_STATE_REASON_UNMANAGED_MANAGER_DISABLED;
+    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_SLEEPING))
+        return NM_DEVICE_STATE_REASON_UNMANAGED_SLEEPING;
    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_QUITTING))
        return NM_DEVICE_STATE_REASON_UNMANAGED_QUITTING;
    if (NM_FLAGS_HAS(flags, NM_UNMANAGED_USER_SETTINGS))
@ -17257,6 +16912,8 @@ _cleanup_generic_post(NMDevice *self, NMDeviceStateReason reason, CleanupType cl
    priv->v4_route_table_all_sync_before = FALSE;
    priv->v6_route_table_all_sync_before = FALSE;

+    priv->refresh_forwarding_done = FALSE;
+
    priv->mtu_force_set_done = FALSE;

    priv->needs_ip6_subnet = FALSE;
@ -17302,6 +16959,7 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
    NMDevicePrivate *priv;
    NMDeviceClass   *klass = NM_DEVICE_GET_CLASS(self);
    int              ifindex;
+    gint32           default_forwarding_v4;

    g_return_if_fail(NM_IS_DEVICE(self));

@ -17324,41 +16982,27 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
        nm_device_sysctl_ip_conf_set(self, AF_INET6, "use_tempaddr", "0");
    }

+    /* Restoring the device's forwarding to the sysctl default is necessary because
+     * `refresh_forwarding()` only updates forwarding on activated devices. */
+    default_forwarding_v4 = nm_platform_sysctl_get_int32(
+        nm_device_get_platform(self),
+        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"),
+        0);
+    nm_device_sysctl_ip_conf_set(self,
+                                 AF_INET,
+                                 "forwarding",
+                                 default_forwarding_v4 == 1 ? "1" : "0");
+
    /* Call device type-specific deactivation */
    if (klass->deactivate)
        klass->deactivate(self);

-    /* Clean up private files */
-    nm_clear_g_cancellable(&priv->private_files.cancellable);
-    g_clear_pointer(&priv->private_files.table, g_hash_table_unref);
-    g_clear_pointer(&priv->private_files.user, g_free);
-    priv->private_files.state = PRIVATE_FILES_STATE_UNKNOWN;
-
    ifindex = nm_device_get_ip_ifindex(self);

    if (cleanup_type == CLEANUP_TYPE_DECONFIGURE) {
        /* controller: release ports */
        nm_device_controller_release_ports_all(self);

-        /* port: detach from controller */
-        if (priv->controller) {
-            nm_device_controller_release_port(priv->controller,
-                                              self,
-                                              RELEASE_PORT_TYPE_CONFIG,
-                                              reason);
-        }
-    }
-
-    /* port: mark no longer attached */
-    if (priv->controller && priv->ifindex > 0
-        && nm_platform_link_get_controller(nm_device_get_platform(self), priv->ifindex) <= 0) {
-        nm_device_controller_release_port(priv->controller,
-                                          self,
-                                          RELEASE_PORT_TYPE_NO_CONFIG,
-                                          NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED);
-    }
-
-    if (cleanup_type == CLEANUP_TYPE_DECONFIGURE) {
        /* Take out any entries in the routing table and any IP address the device had. */
        if (ifindex > 0) {
            NMPlatform *platform = nm_device_get_platform(self);
@ -17382,6 +17026,15 @@ nm_device_cleanup(NMDevice *self, NMDeviceStateReason reason, CleanupType cleanu
    if (ifindex > 0)
        nm_platform_ip4_dev_route_blacklist_set(nm_device_get_platform(self), ifindex, NULL);

+    /* port: mark no longer attached */
+    if (priv->controller && priv->ifindex > 0
+        && nm_platform_link_get_controller(nm_device_get_platform(self), priv->ifindex) <= 0) {
+        nm_device_controller_release_port(priv->controller,
+                                          self,
+                                          RELEASE_PORT_TYPE_NO_CONFIG,
+                                          NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED);
+    }
+
    lldp_setup(self, NM_TERNARY_FALSE);

    nm_device_update_metered(self);
@ -17880,8 +17533,7 @@ _set_state_full(NMDevice *self, NMDeviceState state, NMDeviceStateReason reason,
            gs_unref_object NMActRequest *queued_req = NULL;

            queued_req = g_steal_pointer(&priv->queued_act_request);
-            if (!_device_activate(self, queued_req))
-                delete_on_deactivate_check_and_schedule(self);
+            _device_activate(self, queued_req);
        }
        break;
    case NM_DEVICE_STATE_ACTIVATED:
@ -19283,6 +18935,19 @@ nm_device_get_hostname_from_dns_lookup(NMDevice *self, int addr_family, gboolean
    return nm_assert_unreachable_val(NULL);
 }

+gboolean
+nm_device_get_refresh_forwarding_done(NMDevice *self)
+{
+    return NM_DEVICE_GET_PRIVATE(self)->refresh_forwarding_done;
+}
+
+void
+nm_device_set_refresh_forwarding_done(NMDevice *self, gboolean is_refresh_forwarding_done)
+{
+    NMDevicePrivate *priv         = NM_DEVICE_GET_PRIVATE(self);
+    priv->refresh_forwarding_done = is_refresh_forwarding_done;
+}
+
 /*****************************************************************************/

 static const char *
--- a/src/core/devices/nm-device.h
+++ b/src/core/devices/nm-device.h
@ -581,8 +581,7 @@ void nm_device_copy_ip6_dns_config(NMDevice *self, NMDevice *from_device);
 /**
 * NMUnmanagedFlags:
 * @NM_UNMANAGED_NONE: placeholder value
- * @NM_UNMANAGED_MANAGER_DISABLED: %TRUE when unmanaged because NM is disabled.
- *   Currently, this happens when sleeping or with networking disabled.
+ * @NM_UNMANAGED_SLEEPING: %TRUE when unmanaged because NM is sleeping.
 * @NM_UNMANAGED_QUITTING: %TRUE when unmanaged because NM is shutting down.
 * @NM_UNMANAGED_PLATFORM_INIT: %TRUE when unmanaged because platform link not
 *   yet initialized. Unrealized device are also unmanaged for this reason.
@ -611,11 +610,11 @@ typedef enum {

    /* these flags are authoritative. If one of them is set,
     * the device cannot be managed. */
-    NM_UNMANAGED_MANAGER_DISABLED = (1LL << 0),
-    NM_UNMANAGED_QUITTING         = (1LL << 1),
-    NM_UNMANAGED_PLATFORM_INIT    = (1LL << 2),
-    NM_UNMANAGED_USER_EXPLICIT    = (1LL << 3),
-    NM_UNMANAGED_USER_SETTINGS    = (1LL << 4),
+    NM_UNMANAGED_SLEEPING      = (1LL << 0),
+    NM_UNMANAGED_QUITTING      = (1LL << 1),
+    NM_UNMANAGED_PLATFORM_INIT = (1LL << 2),
+    NM_UNMANAGED_USER_EXPLICIT = (1LL << 3),
+    NM_UNMANAGED_USER_SETTINGS = (1LL << 4),

    /* These flags can be non-effective and be overwritten
     * by other flags. */
@ -853,7 +852,14 @@ void nm_routing_rules_sync(NMConnection *applied_connection,
                           NMDevice *self,
                           NMNetns  *netns);

-NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
-                                                                NMConnection *connection);
+NMSettingIPConfigForwarding nm_device_get_ipv4_forwarding(NMDevice *self);
+
+const char *nm_device_get_effective_ip_config_method(NMDevice *self, int addr_family);
+
+char *nm_device_sysctl_ip_conf_get(NMDevice *self, int addr_family, const char *property);
+
+gboolean nm_device_get_refresh_forwarding_done(NMDevice *self);
+
+void nm_device_set_refresh_forwarding_done(NMDevice *self, gboolean is_refresh_forwarding_done);

 #endif /* __NETWORKMANAGER_DEVICE_H__ */
--- a/src/core/devices/ovs/nm-ovsdb.c
+++ b/src/core/devices/ovs/nm-ovsdb.c
@ -1460,42 +1460,40 @@ _delete_interface(NMOvsdb *self, json_t *params, const char *ifname)
                json_array_append_new(new_interfaces, json_pack("[s,s]", "uuid", interface_uuid));
            }

-            if (interfaces_changed && num_nm_interfaces == 0) {
-                /* We are deleting the last nm-interface of this port. Don't add it to "new_ports"
-                 * and set ports_changed=TRUE, so that it will be deleted. */
+            if (num_nm_interfaces == 0) {
+                /* The port no longer has any NM interface. Don't add it to "new_ports" and set
+                 * ports_changed=TRUE, so that it will be deleted. */
                ports_changed = TRUE;
            } else {
-                /* Keep this port: it's still alive, or it's unrelated to the deleted interface */
-                json_array_append_new(new_ports, json_pack("[s,s]", "uuid", port_uuid));
-                if (ovs_port->connection_uuid)
-                    num_nm_ports++;
-
                if (interfaces_changed) {
-                    /* This port is still alive, but an interface needs to be deleted from it */
+                    /* An interface needs to be deleted from this port */
                    _expect_port_interfaces(params, ovs_port->name, interfaces);
                    _set_port_interfaces(params, ovs_port->name, new_interfaces);
                }
+                /* The port is still alive */
+                json_array_append_new(new_ports, json_pack("[s,s]", "uuid", port_uuid));
+                if (ovs_port->connection_uuid)
+                    num_nm_ports++;
            }
        }

-        if (ports_changed && num_nm_ports == 0) {
-            /* We are deleting the last nm-port of this bridge. Don't add it to "new_bridges"
-             * and set bridges_changed=TRUE, so that it will be deleted. */
+        if (num_nm_ports == 0) {
+            /* The bridge no longer has any NM port. Don't add it to "new_bridges" and set
+             * bridges_changed=TRUE, so that it will be deleted. */
            bridges_changed = TRUE;
        } else {
-            /* Keep this bridge: it's still alive, or it's unrelated to the deleted interface */
-            json_array_append_new(new_bridges, json_pack("[s,s]", "uuid", ovs_bridge->bridge_uuid));
-
            if (ports_changed) {
-                /* This bridge is still alive, but a port needs to be deleted from it */
+                /* A port needs to be deleted from this bridge */
                _expect_bridge_ports(params, ovs_bridge->name, ports);
                _set_bridge_ports(params, ovs_bridge->name, new_ports);
            }
+            /* The bridge is still alive */
+            json_array_append_new(new_bridges, json_pack("[s,s]", "uuid", ovs_bridge->bridge_uuid));
        }
    }

    if (bridges_changed) {
-        /* A bridge needs to be deleted */
+        /* A port needs to be deleted from this bridge */
        _expect_ovs_bridges(params, priv->db_uuid, bridges);
        _set_ovs_bridges(params, priv->db_uuid, new_bridges);
    }
@ -1890,7 +1888,7 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
        == -1) {
        /* This doesn't really have to be an error; the key might
         * be missing if there really are no bridges present. */
-        _LOGD("monitor: bad update: %s", json_error.text);
+        _LOGD("Bad update: %s", json_error.text);
    }

    if (ovs) {
@ -1936,12 +1934,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;

-            _LOGT("monitor: %s: interface removed: type=%s, obj[iface:%s]%s%s",
-                  ovs_interface->name,
-                  ovs_interface->type,
+            _LOGT("obj[iface:%s]: removed an '%s' interface: %s%s%s",
                  key,
+                  ovs_interface->type,
+                  ovs_interface->name,
                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_interface->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self,
@ -1989,18 +1987,17 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;

-                _LOGT(
-                    "monitor: %s: interface changed: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
-                    "other-config=%s",
-                    ovs_interface->name,
-                    type,
-                    key,
-                    NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                         ", connection=",
-                                         ovs_interface->connection_uuid,
-                                         ""),
-                    (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
-                    (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
+                _LOGT("obj[iface:%s]: changed an '%s' interface: %s%s%s, external-ids=%s, "
+                      "other-config=%s",
+                      key,
+                      type,
+                      ovs_interface->name,
+                      NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
+                                           ", ",
+                                           ovs_interface->connection_uuid,
+                                           ""),
+                      (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
+                      (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
            }
        } else {
            gs_free char *strtmp1 = NULL;
@ -2016,17 +2013,17 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->interfaces, ovs_interface);
-            _LOGT("monitor: %s: interface added: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
-                  "other-config=%s",
-                  ovs_interface->name,
-                  ovs_interface->type,
-                  key,
-                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", connection=",
-                                       ovs_interface->connection_uuid,
-                                       ""),
-                  (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
-                  (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
+            _LOGT(
+                "obj[iface:%s]: added an '%s' interface: %s%s%s, external-ids=%s, other-config=%s",
+                key,
+                ovs_interface->type,
+                ovs_interface->name,
+                NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
+                                     ", ",
+                                     ovs_interface->connection_uuid,
+                                     ""),
+                (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
+                (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
            _signal_emit_device_added(self,
                                      ovs_interface->name,
                                      NM_DEVICE_TYPE_OVS_INTERFACE,
@ -2072,11 +2069,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
            if (!g_hash_table_steal_extended(priv->ports, &key, (gpointer *) &ovs_port, &unused))
                continue;

-            _LOGT("monitor: %s: port removed: obj[port:%s]%s%s",
-                  ovs_port->name,
+            _LOGT("obj[port:%s]: removed a port: %s%s%s",
                  key,
+                  ovs_port->name,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_port->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_port->name, NM_DEVICE_TYPE_OVS_PORT, NULL);
@ -2123,16 +2120,15 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;

-                _LOGT(
-                    "monitor: %s: port changed: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
-                    ovs_port->name,
-                    key,
-                    NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                         ", connection=",
-                                         ovs_port->connection_uuid,
-                                         ""),
-                    (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
-                    (strtmp2 = _strdict_to_string(ovs_port->other_config)));
+                _LOGT("obj[port:%s]: changed a port: %s%s%s, external-ids=%s, other-config=%s",
+                      key,
+                      ovs_port->name,
+                      NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
+                                           ", ",
+                                           ovs_port->connection_uuid,
+                                           ""),
+                      (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
+                      (strtmp2 = _strdict_to_string(ovs_port->other_config)));
            }
        } else {
            gs_free char *strtmp1 = NULL;
@ -2148,11 +2144,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->ports, ovs_port);
-            _LOGT("monitor: %s: port added: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
-                  ovs_port->name,
+            _LOGT("obj[port:%s]: added a port: %s%s%s, external-ids=%s, other-config=%s",
                  key,
+                  ovs_port->name,
                  NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_port->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@ -2194,11 +2190,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                             &unused))
                continue;

-            _LOGT("monitor: %s: bridge removed: obj[bridge:%s]%s%s",
-                  ovs_bridge->name,
+            _LOGT("obj[bridge:%s]: removed a bridge: %s%s%s",
                  key,
+                  ovs_bridge->name,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_bridge->connection_uuid,
                                       ""));
            _signal_emit_device_removed(self, ovs_bridge->name, NM_DEVICE_TYPE_OVS_BRIDGE, NULL);
@ -2245,12 +2241,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                gs_free char *strtmp1 = NULL;
                gs_free char *strtmp2 = NULL;

-                _LOGT("monitor: %s: bridge changed: obj[bridge:%s]%s%s, external-ids=%s, "
-                      "other-config=%s",
-                      ovs_bridge->name,
+                _LOGT("obj[bridge:%s]: changed a bridge: %s%s%s, external-ids=%s, other-config=%s",
                      key,
+                      ovs_bridge->name,
                      NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                           ", connection=",
+                                           ", ",
                                           ovs_bridge->connection_uuid,
                                           ""),
                      (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
@ -2270,11 +2265,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                .other_config    = g_steal_pointer(&other_config_arr),
            };
            g_hash_table_add(priv->bridges, ovs_bridge);
-            _LOGT("monitor: %s: bridge added: obj[bridge:%s]%s%s, external-ids=%s, other-config=%s",
-                  ovs_bridge->name,
+            _LOGT("obj[bridge:%s]: added a bridge: %s%s%s, external-ids=%s, other-config=%s",
                  key,
+                  ovs_bridge->name,
                  NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                       ovs_bridge->connection_uuid,
                                       ""),
                  (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
--- a/src/core/devices/wifi/nm-device-wifi.c
+++ b/src/core/devices/wifi/nm-device-wifi.c
@ -191,19 +191,12 @@ static void supplicant_iface_notify_p2p_available(NMSupplicantInterface *iface,
                                                  GParamSpec            *pspec,
                                                  NMDeviceWifi          *self);

-static void supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface,
-                                                        NMDeviceWifi          *self);
-
-static void supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface,
-                                                        NMDeviceWifi          *self);
-
 static void periodic_update(NMDeviceWifi *self);

 static void ap_add_remove(NMDeviceWifi *self,
                          gboolean      is_adding,
                          NMWifiAP     *ap,
-                          gboolean      recheck_available_connections,
-                          gboolean      recheck_auto_activate);
+                          gboolean      recheck_available_connections);

 static void _hw_addr_set_scanning(NMDeviceWifi *self, gboolean do_reset);

@ -630,14 +623,6 @@ supplicant_interface_acquire_cb(NMSupplicantManager         *supplicant_manager,
                     "notify::" NM_SUPPLICANT_INTERFACE_P2P_AVAILABLE,
                     G_CALLBACK(supplicant_iface_notify_p2p_available),
                     self);
-    g_signal_connect(priv->sup_iface,
-                     NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
-                     G_CALLBACK(supplicant_iface_notify_wpa_psk_mismatch_cb),
-                     self);
-    g_signal_connect(priv->sup_iface,
-                     NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
-                     G_CALLBACK(supplicant_iface_notify_wpa_sae_mismatch_cb),
-                     self);

    _scan_notify_is_scanning(self);

@ -729,10 +714,7 @@ update_seen_bssids_cache(NMDeviceWifi *self, NMWifiAP *ap)
 }

 static void
-set_current_ap(NMDeviceWifi *self,
-               NMWifiAP     *new_ap,
-               gboolean      recheck_available_connections,
-               gboolean      recheck_auto_activate)
+set_current_ap(NMDeviceWifi *self, NMWifiAP *new_ap, gboolean recheck_available_connections)
 {
    NMDeviceWifiPrivate *priv;
    NMWifiAP            *old_ap;
@ -759,11 +741,7 @@ set_current_ap(NMDeviceWifi *self,
        /* Remove any AP from the internal list if it was created by NM or isn't known to the supplicant */
        if (NM_IN_SET(mode, _NM_802_11_MODE_ADHOC, _NM_802_11_MODE_AP)
            || nm_wifi_ap_get_fake(old_ap))
-            ap_add_remove(self,
-                          FALSE,
-                          old_ap,
-                          recheck_available_connections,
-                          recheck_auto_activate);
+            ap_add_remove(self, FALSE, old_ap, recheck_available_connections);
        g_object_unref(old_ap);
    }

@ -836,8 +814,7 @@ static void
 ap_add_remove(NMDeviceWifi *self,
              gboolean      is_adding, /* or else removing */
              NMWifiAP     *ap,
-              gboolean      recheck_available_connections,
-              gboolean      recheck_auto_activate)
+              gboolean      recheck_available_connections)
 {
    NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);

@ -868,14 +845,13 @@ ap_add_remove(NMDeviceWifi *self,
        nm_dbus_object_clear_and_unexport(&ap);
    }

-    if (recheck_auto_activate)
-        nm_device_recheck_auto_activate_schedule(NM_DEVICE(self));
+    nm_device_recheck_auto_activate_schedule(NM_DEVICE(self));
    if (recheck_available_connections)
        nm_device_recheck_available_connections(NM_DEVICE(self));
 }

 static void
-remove_all_aps(NMDeviceWifi *self, gboolean disposing)
+remove_all_aps(NMDeviceWifi *self)
 {
    NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);
    NMWifiAP            *ap;
@ -883,13 +859,12 @@ remove_all_aps(NMDeviceWifi *self, gboolean disposing)
    if (c_list_is_empty(&priv->aps_lst_head))
        return;

-    set_current_ap(self, NULL, FALSE, !disposing);
+    set_current_ap(self, NULL, FALSE);

    while ((ap = c_list_first_entry(&priv->aps_lst_head, NMWifiAP, aps_lst)))
-        ap_add_remove(self, FALSE, ap, FALSE, !disposing);
+        ap_add_remove(self, FALSE, ap, FALSE);

-    if (!disposing)
-        nm_device_recheck_available_connections(NM_DEVICE(self));
+    nm_device_recheck_available_connections(NM_DEVICE(self));
 }

 static gboolean
@ -976,7 +951,7 @@ deactivate(NMDevice *device)

    priv->rate = 0;

-    set_current_ap(self, NULL, TRUE, TRUE);
+    set_current_ap(self, NULL, TRUE);

    if (!wake_on_wlan_restore(self))
        _LOGW(LOGD_DEVICE | LOGD_WIFI, "Cannot unconfigure WoWLAN.");
@ -2025,7 +2000,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
            if (nm_wifi_ap_set_fake(found_ap, TRUE))
                _ap_dump(self, LOGL_DEBUG, found_ap, "updated", 0);
        } else {
-            ap_add_remove(self, FALSE, found_ap, TRUE, TRUE);
+            ap_add_remove(self, FALSE, found_ap, TRUE);
            schedule_ap_list_dump(self);
        }
        return;
@ -2068,7 +2043,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
            }
        }

-        ap_add_remove(self, TRUE, ap, TRUE, TRUE);
+        ap_add_remove(self, TRUE, ap, TRUE);
    }

    /* Update the current AP if the supplicant notified a current BSS change
@ -2293,7 +2268,7 @@ link_timeout_cb(gpointer user_data)
    if (nm_device_get_state(device) != NM_DEVICE_STATE_ACTIVATED)
        return FALSE;

-    set_current_ap(self, NULL, TRUE, TRUE);
+    set_current_ap(self, NULL, TRUE);

    nm_device_state_changed(device,
                            NM_DEVICE_STATE_FAILED,
@ -2412,9 +2387,6 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,

    g_return_val_if_fail(new_state == NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED, FALSE);

-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return FALSE;
-
    req = nm_device_get_act_request(NM_DEVICE(self));
    g_return_val_if_fail(req != NULL, FALSE);

@ -2712,7 +2684,7 @@ supplicant_iface_notify_current_bss(NMSupplicantInterface *iface,
            }
        }

-        set_current_ap(self, new_ap, TRUE, TRUE);
+        set_current_ap(self, new_ap, TRUE);

        req = nm_device_get_act_request(NM_DEVICE(self));
        if (req) {
@ -2858,62 +2830,6 @@ handle_auth_or_fail(NMDeviceWifi *self, NMActRequest *req, gboolean new_secrets)
    return TRUE;
 }

-static void
-supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
-{
-    NMDevice     *device = NM_DEVICE(self);
-    NMActRequest *req;
-    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
-
-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return;
-
-    _LOGI(LOGD_DEVICE | LOGD_WIFI,
-          "Activation: (wifi) psk mismatch reported by supplicant, asking for new key");
-
-    req = nm_device_get_act_request(NM_DEVICE(self));
-    g_return_if_fail(req != NULL);
-
-    nm_act_request_clear_secrets(req);
-
-    cleanup_association_attempt(self, TRUE);
-    nm_device_state_changed(device,
-                            NM_DEVICE_STATE_NEED_AUTH,
-                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-    wifi_secrets_get_secrets(self,
-                             setting_name,
-                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
-                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
-}
-
-static void
-supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
-{
-    NMDevice     *device = NM_DEVICE(self);
-    NMActRequest *req;
-    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
-
-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return;
-
-    _LOGI(LOGD_DEVICE | LOGD_WIFI,
-          "Activation: (wifi) SAE password mismatch reported by supplicant, asking for new key");
-
-    req = nm_device_get_act_request(NM_DEVICE(self));
-    g_return_if_fail(req != NULL);
-
-    nm_act_request_clear_secrets(req);
-
-    cleanup_association_attempt(self, TRUE);
-    nm_device_state_changed(device,
-                            NM_DEVICE_STATE_NEED_AUTH,
-                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-    wifi_secrets_get_secrets(self,
-                             setting_name,
-                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
-                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
-}
-
 /*
 * supplicant_connection_timeout_cb
 *
@ -3019,8 +2935,7 @@ build_supplicant_config(NMDeviceWifi         *self,
    s_wireless = nm_connection_get_setting_wireless(connection);
    g_return_val_if_fail(s_wireless != NULL, NULL);

-    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface),
-                                      nm_utils_get_connection_first_permissions_user(connection));
+    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface));

    /* Warn if AP mode may not be supported */
    if (nm_streq0(nm_setting_wireless_get_mode(s_wireless), NM_SETTING_WIRELESS_MODE_AP)
@ -3096,7 +3011,6 @@ build_supplicant_config(NMDeviceWifi         *self,
                mtu,
                pmf,
                fils,
-                nm_device_get_private_files(NM_DEVICE(self)),
                error)) {
            g_prefix_error(error, "802-11-wireless-security: ");
            goto error;
@ -3204,7 +3118,7 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
        priv->mode = _NM_802_11_MODE_AP;

        /* Scanning not done in AP mode; clear the scan list */
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);
    } else if (g_strcmp0(mode, NM_SETTING_WIRELESS_MODE_MESH) == 0)
        priv->mode = _NM_802_11_MODE_MESH;
    _notify(self, PROP_MODE);
@ -3241,14 +3155,14 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
            nm_wifi_ap_set_address(ap_fake, nm_device_get_hw_address(device));

        g_object_freeze_notify(G_OBJECT(self));
-        ap_add_remove(self, TRUE, ap_fake, TRUE, TRUE);
+        ap_add_remove(self, TRUE, ap_fake, TRUE);
        g_object_thaw_notify(G_OBJECT(self));
        ap = ap_fake;
    }

    _scan_notify_allowed(self, NM_TERNARY_DEFAULT);

-    set_current_ap(self, ap, FALSE, TRUE);
+    set_current_ap(self, ap, FALSE);
    nm_active_connection_set_specific_object(NM_ACTIVE_CONNECTION(req),
                                             nm_dbus_object_get_path(NM_DBUS_OBJECT(ap)));
    return NM_ACT_STAGE_RETURN_SUCCESS;
@ -3614,7 +3528,7 @@ device_state_changed(NMDevice           *device,

        cleanup_association_attempt(self, TRUE);
        cleanup_supplicant_failures(self);
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);
    }

    switch (new_state) {
@ -3652,7 +3566,7 @@ device_state_changed(NMDevice           *device,
    }

    if (clear_aps)
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);

    _scan_notify_allowed(self, NM_TERNARY_DEFAULT);
 }
@ -3894,7 +3808,7 @@ dispose(GObject *object)

    g_clear_object(&priv->sup_mgr);

-    remove_all_aps(self, TRUE);
+    remove_all_aps(self);

    if (priv->p2p_device) {
        /* Destroy the P2P device. */
--- a/src/core/devices/wifi/nm-iwd-manager.c
+++ b/src/core/devices/wifi/nm-iwd-manager.c
@ -684,7 +684,7 @@ iwd_config_write(GKeyFile              *config,
     * in the last few filename characters -- it cannot end in .open, .psk
     * or .8021x.
     */
-    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, NULL, error);
+    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, error);
 }

 static const char *
--- a/src/core/devices/wwan/nm-modem-broadband.c
+++ b/src/core/devices/wwan/nm-modem-broadband.c
@ -508,9 +508,8 @@ find_gsm_apn_cb(const char   *apn,
 static gboolean
 try_create_connect_properties(NMModemBroadband *self)
 {
-    NMModemBroadbandPrivate *priv        = NM_MODEM_BROADBAND_GET_PRIVATE(self);
-    ConnectContext          *ctx         = priv->ctx;
-    NMDeviceStateReason      fail_reason = NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED;
+    NMModemBroadbandPrivate *priv = NM_MODEM_BROADBAND_GET_PRIVATE(self);
+    ConnectContext          *ctx  = priv->ctx;

    if (MODEM_CAPS_3GPP(ctx->caps)) {
        NMSettingGsm *s_gsm = nm_connection_get_setting_gsm(ctx->connection);
@ -523,7 +522,7 @@ try_create_connect_properties(NMModemBroadband *self)
            if (s_gsm)
                network_id = nm_setting_gsm_get_network_id(s_gsm);
            if (!network_id) {
-                if (mm_modem_get_state(self->_priv.modem_iface) != MM_MODEM_STATE_REGISTERED)
+                if (mm_modem_get_state(self->_priv.modem_iface) < MM_MODEM_STATE_REGISTERED)
                    return FALSE;
                modem_3gpp = mm_object_get_modem_3gpp(priv->modem_object);
                network_id = mm_modem_3gpp_get_operator_code(modem_3gpp);
@ -531,7 +530,6 @@ try_create_connect_properties(NMModemBroadband *self)
            if (!network_id) {
                _LOGW("failed to connect '%s': unable to determine the network id",
                      nm_connection_get_id(ctx->connection));
-                fail_reason = NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE;
                goto out;
            }

@ -560,7 +558,7 @@ try_create_connect_properties(NMModemBroadband *self)
    }

 out:
-    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, fail_reason);
+    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED);
    connect_context_clear(self);
    return TRUE;
 }
@ -1651,8 +1649,6 @@ nm_modem_broadband_new(GObject *object, GError **error)
                        driver,
                        NM_MODEM_OPERATOR_CODE,
                        operator_code,
-                        NM_MODEM_DEVICE_UID,
-                        mm_modem_get_device(modem_iface),
                        NULL);
 }

--- a/src/core/devices/wwan/nm-modem.c
+++ b/src/core/devices/wwan/nm-modem.c
@ -39,8 +39,7 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMModem,
                             PROP_IP_TYPES,
                             PROP_SIM_OPERATOR_ID,
                             PROP_OPERATOR_CODE,
-                             PROP_APN,
-                             PROP_DEVICE_UID, );
+                             PROP_APN, );

 enum {
    PPP_STATS,
@ -79,7 +78,6 @@ typedef struct _NMModemPrivate {
    char           *sim_operator_id;
    char           *operator_code;
    char           *apn;
-    char           *device_uid;

    NMPPPManager *ppp_manager;
    NMPppMgr     *ppp_mgr;
@ -620,12 +618,6 @@ nm_modem_get_apn(NMModem *self)
    return NM_MODEM_GET_PRIVATE(self)->apn;
 }

-const char *
-nm_modem_get_device_uid(NMModem *self)
-{
-    return NM_MODEM_GET_PRIVATE(self)->device_uid;
-}
-
 /*****************************************************************************/

 static void
@ -1129,22 +1121,6 @@ nm_modem_check_connection_compatible(NMModem *self, NMConnection *connection, GE
            }
        }

-        str = nm_setting_gsm_get_device_uid(s_gsm);
-        if (str) {
-            if (!priv->device_uid) {
-                nm_utils_error_set_literal(error,
-                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                           "GSM profile has device-uid, device does not");
-                return FALSE;
-            }
-            if (!nm_streq(str, priv->device_uid)) {
-                nm_utils_error_set_literal(error,
-                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                           "device has differing device-uid than GSM profile");
-                return FALSE;
-            }
-        }
-
        /* SIM properties may not be available before the SIM is unlocked, so
         * to ensure that autoconnect works, the connection's SIM properties
         * are only compared if present on the device.
@ -1668,9 +1644,6 @@ get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
    case PROP_APN:
        g_value_set_string(value, priv->apn);
        break;
-    case PROP_DEVICE_UID:
-        g_value_set_string(value, priv->device_uid);
-        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
@ -1726,10 +1699,6 @@ set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *ps
        /* construct-only */
        priv->operator_code = g_value_dup_string(value);
        break;
-    case PROP_DEVICE_UID:
-        /* construct-only */
-        priv->device_uid = g_value_dup_string(value);
-        break;
    default:
        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
        break;
@ -1789,7 +1758,6 @@ finalize(GObject *object)
    g_free(priv->sim_operator_id);
    g_free(priv->operator_code);
    g_free(priv->apn);
-    g_free(priv->device_uid);

    G_OBJECT_CLASS(nm_modem_parent_class)->finalize(object);
 }
@ -1895,13 +1863,6 @@ nm_modem_class_init(NMModemClass *klass)
    obj_properties[PROP_APN] =
        g_param_spec_string(NM_MODEM_APN, "", "", NULL, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);

-    obj_properties[PROP_DEVICE_UID] =
-        g_param_spec_string(NM_MODEM_DEVICE_UID,
-                            "",
-                            "",
-                            NULL,
-                            G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS);
-
    g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);

    signals[PPP_STATS] = g_signal_new(NM_MODEM_PPP_STATS,
--- a/src/core/devices/wwan/nm-modem.h
+++ b/src/core/devices/wwan/nm-modem.h
@ -30,7 +30,6 @@
 #define NM_MODEM_SIM_OPERATOR_ID "sim-operator-id"
 #define NM_MODEM_OPERATOR_CODE   "operator-code"
 #define NM_MODEM_APN             "apn"
-#define NM_MODEM_DEVICE_UID      "device-uid"

 /* Signals */
 #define NM_MODEM_PPP_STATS      "ppp-stats"
@ -155,7 +154,6 @@ const char *nm_modem_get_sim_id(NMModem *modem);
 const char *nm_modem_get_sim_operator_id(NMModem *modem);
 const char *nm_modem_get_operator_code(NMModem *modem);
 const char *nm_modem_get_apn(NMModem *modem);
-const char *nm_modem_get_device_uid(NMModem *modem);

 gboolean nm_modem_set_data_port(NMModem        *self,
                                NMPlatform     *platform,
--- a/src/core/dhcp/nm-dhcp-utils.c
+++ b/src/core/dhcp/nm-dhcp-utils.c
@ -32,11 +32,11 @@ ip4_process_dhcpcd_rfc3442_routes(const char     *iface,
                                  in_addr_t       address,
                                  guint32        *out_gwaddr)
 {
-    gs_free char **routes = NULL;
-    char         **r;
-    gboolean       have_routes = FALSE;
+    gs_free const char **routes = NULL;
+    const char         **r;
+    gboolean             have_routes = FALSE;

-    routes = (char **) nm_strsplit_set(str, " ");
+    routes = nm_strsplit_set(str, " ");
    if (!routes)
        return FALSE;

--- a/src/core/dns/nm-dns-dnsconfd.c
+++ b/src/core/dns/nm-dns-dnsconfd.c
@ -374,7 +374,7 @@ server_builder_append_base(GVariantBuilder   *argument_builder,
    NMDnsServer dns_server;
    gsize       addr_size;

-    if (!nm_dns_uri_parse(address_family, address_string, &dns_server, NULL))
+    if (!nm_dns_uri_parse(address_family, address_string, &dns_server))
        return FALSE;
    addr_size = nm_utils_addr_family_to_size(dns_server.addr_family);

--- a/src/core/dns/nm-dns-dnsmasq.c
+++ b/src/core/dns/nm-dns-dnsmasq.c
@ -521,10 +521,9 @@ _gl_pid_spawn_next_step(void)
    argv[argv_idx++] = "--no-resolv"; /* Use only commandline */
    argv[argv_idx++] = "--keep-in-foreground";
    argv[argv_idx++] = "--no-hosts"; /* don't use /etc/hosts to resolve */
-    argv[argv_idx++] = "--bind-dynamic";
+    argv[argv_idx++] = "--bind-interfaces";
    argv[argv_idx++] = "--pid-file=" PIDFILE;
-    argv[argv_idx++] = "--listen-address=127.0.0.1";
-    argv[argv_idx++] = "--listen-address=::1";
+    argv[argv_idx++] = "--listen-address=127.0.0.1"; /* Should work for both 4 and 6 */
    argv[argv_idx++] = "--cache-size=400";
    argv[argv_idx++] = "--clear-on-reload";     /* clear cache when dns server changes */
    argv[argv_idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@ -26,7 +26,6 @@

 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-glib-aux/nm-str-buf.h"
-#include "libnm-glib-aux/nm-io-utils.h"

 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
@ -587,11 +586,7 @@ add_dns_domains(GPtrArray            *array,
 }

 static void
-merge_one_l3cd(NMResolvConfData     *rc,
-               int                   addr_family,
-               int                   ifindex,
-               const NML3ConfigData *l3cd,
-               gboolean              ignore_searches_and_options)
+merge_one_l3cd(NMResolvConfData *rc, int addr_family, int ifindex, const NML3ConfigData *l3cd)
 {
    char               buf[NM_INET_ADDRSTRLEN + 50];
    gboolean           has_trust_ad;
@ -629,33 +624,31 @@ merge_one_l3cd(NMResolvConfData     *rc,
        add_string_item(rc->nameservers, buf, TRUE);
    }

-    if (!ignore_searches_and_options) {
-        add_dns_domains(rc->searches, addr_family, l3cd, FALSE, TRUE);
+    add_dns_domains(rc->searches, addr_family, l3cd, FALSE, TRUE);

-        has_trust_ad = FALSE;
-        strarr       = nm_l3_config_data_get_dns_options(l3cd, addr_family, &num);
-        for (i = 0; i < num; i++) {
-            const char *option = strarr[i];
+    has_trust_ad = FALSE;
+    strarr       = nm_l3_config_data_get_dns_options(l3cd, addr_family, &num);
+    for (i = 0; i < num; i++) {
+        const char *option = strarr[i];

-            if (nm_streq(option, NM_SETTING_DNS_OPTION_TRUST_AD)) {
-                has_trust_ad = TRUE;
-                continue;
-            }
-            add_dns_option_item(rc->options, option);
+        if (nm_streq(option, NM_SETTING_DNS_OPTION_TRUST_AD)) {
+            has_trust_ad = TRUE;
+            continue;
        }
-
-        if (num_nameservers == 0) {
-            /* If the @l3cd contributes no DNS servers, ignore whether trust-ad is set or unset
-             * for this @l3cd. */
-        } else if (has_trust_ad) {
-            /* We only set has_trust_ad to TRUE, if all IP configs agree (or don't contribute).
-             * Once set to FALSE, it doesn't get reset. */
-            if (rc->has_trust_ad == NM_TERNARY_DEFAULT)
-                rc->has_trust_ad = NM_TERNARY_TRUE;
-        } else
-            rc->has_trust_ad = NM_TERNARY_FALSE;
+        add_dns_option_item(rc->options, option);
    }

+    if (num_nameservers == 0) {
+        /* If the @l3cd contributes no DNS servers, ignore whether trust-ad is set or unset
+         * for this @l3cd. */
+    } else if (has_trust_ad) {
+        /* We only set has_trust_ad to TRUE, if all IP configs agree (or don't contribute).
+         * Once set to FALSE, it doesn't get reset. */
+        if (rc->has_trust_ad == NM_TERNARY_DEFAULT)
+            rc->has_trust_ad = NM_TERNARY_TRUE;
+    } else
+        rc->has_trust_ad = NM_TERNARY_FALSE;
+
    if (addr_family == AF_INET) {
        const in_addr_t *nis_servers;
        const char      *nis_domain;
@ -1007,8 +1000,7 @@ _read_link_cached(const char *path, gboolean *is_cached, char **cached)
 #define MY_RESOLV_CONF_TMP MY_RESOLV_CONF ".tmp"
 #define RESOLV_CONF_TMP    "/etc/.resolv.conf.NetworkManager"

-#define NO_STUB_RESOLV_CONF     NMRUNDIR "/no-stub-resolv.conf"
-#define NO_STUB_RESOLV_CONF_TMP NMRUNDIR "/no-stub-resolv.conf.tmp"
+#define NO_STUB_RESOLV_CONF NMRUNDIR "/no-stub-resolv.conf"

 static void
 update_resolv_conf_no_stub(NMDnsManager      *self,
@ -1021,14 +1013,7 @@ update_resolv_conf_no_stub(NMDnsManager      *self,

    content = create_resolv_conf(searches, nameservers, options);

-    if (!nm_utils_file_set_contents(NO_STUB_RESOLV_CONF,
-                                    content,
-                                    -1,
-                                    0644,
-                                    NULL,
-                                    NO_STUB_RESOLV_CONF_TMP,
-                                    NULL,
-                                    &local)) {
+    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
        _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
        g_error_free(local);
        return;
@ -1246,15 +1231,12 @@ compute_hash(NMDnsManager *self, const NMGlobalDnsConfig *global, guint8 buffer[
 {
    nm_auto_free_checksum GChecksum *sum = NULL;
    NMDnsConfigIPData               *ip_data;
-    gboolean                         has_global_dns_section = FALSE;

    sum = g_checksum_new(G_CHECKSUM_SHA1);
    nm_assert(HASH_LEN == g_checksum_type_get_length(G_CHECKSUM_SHA1));

-    if (global) {
+    if (global)
        nm_global_dns_config_update_checksum(global, sum);
-        has_global_dns_section = nm_global_dns_has_global_dns_section(global);
-    }

    if (!global || !nm_global_dns_config_lookup_domain(global, "*")) {
        const CList *head;
@ -1266,8 +1248,7 @@ compute_hash(NMDnsManager *self, const NMGlobalDnsConfig *global, guint8 buffer[
            nm_l3_config_data_hash_dns(ip_data->l3cd,
                                       sum,
                                       ip_data->addr_family,
-                                       ip_data->ip_config_type,
-                                       has_global_dns_section);
+                                       ip_data->ip_config_type);
        }
    }

@ -1283,9 +1264,6 @@ merge_global_dns_config(NMResolvConfData *rc, NMGlobalDnsConfig *global_conf)
    const char *const *servers;
    guint              i;

-    /* Global config must be processed before connections' config */
-    nm_assert(rc->nameservers->len == 0);
-
    if (!global_conf)
        return FALSE;

@ -1373,17 +1351,12 @@ _collect_resolv_conf_data(NMDnsManager      *self,
            .nis_servers  = g_ptr_array_new(),
            .has_trust_ad = NM_TERNARY_DEFAULT,
    };
-    gboolean has_global_dns_section = FALSE;

    priv = NM_DNS_MANAGER_GET_PRIVATE(self);

-    if (global_config) {
+    if (global_config)
        merge_global_dns_config(&rc, global_config);
-        has_global_dns_section = nm_global_dns_has_global_dns_section(global_config);
-    }

-    /* If global nameservers are defined, no DNS configs are used from connections at all,
-     * including searches and options. */
    if (!global_config || !nm_global_dns_config_lookup_domain(global_config, "*")) {
        nm_auto_str_buf NMStrBuf tmp_strbuf = NM_STR_BUF_INIT(0, FALSE);
        int                      first_prio = 0;
@ -1417,16 +1390,8 @@ _collect_resolv_conf_data(NMDnsManager      *self,
                  skip ? "<SKIP>" : "",
                  get_nameserver_list(ip_data->addr_family, ip_data->l3cd, &tmp_strbuf));

-            if (!skip) {
-                /* Merge the configs from connections. However, if there was a [global-dns]
-                 * it overwrites searches and options from the connections, thus we only
-                 * merge the nameservers. */
-                merge_one_l3cd(&rc,
-                               ip_data->addr_family,
-                               ip_data->data->ifindex,
-                               ip_data->l3cd,
-                               has_global_dns_section);
-            }
+            if (!skip)
+                merge_one_l3cd(&rc, ip_data->addr_family, ip_data->data->ifindex, ip_data->l3cd);
        }
    }

@ -1510,8 +1475,8 @@ _domain_track_is_shadowed(GHashTable  *ht,
                          const char **out_parent,
                          int         *out_parent_priority)
 {
-    const char *parent;
-    int         parent_priority;
+    char *parent;
+    int   parent_priority;

    if (!ht)
        return FALSE;
--- a/src/core/dns/nm-dns-systemd-resolved.c
+++ b/src/core/dns/nm-dns-systemd-resolved.c
@ -37,7 +37,6 @@
 static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
 static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS  = "SetLinkDNSOverTLS";
 static const char *const DBUS_OP_SET_LINK_DNS_EX        = "SetLinkDNSEx";
-static const char *const DBUS_OP_SET_LINK_DNSSEC        = "SetLinkDNSSEC";

 /*****************************************************************************/

@ -399,7 +398,7 @@ update_add_ip_config(NMDnsSystemdResolved    *self,
    for (i = 0; i < n; i++) {
        NMDnsServer dns_server;

-        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server, NULL))
+        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server))
            continue;

        if (!NM_IN_SET(dns_server.scheme,
@ -485,11 +484,9 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    NMSettingConnectionMdns       mdns              = NM_SETTING_CONNECTION_MDNS_DEFAULT;
    NMSettingConnectionLlmnr      llmnr             = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
    NMSettingConnectionDnsOverTls dns_over_tls      = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
-    NMSettingConnectionDnssec     dnssec            = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
    const char                   *mdns_arg          = NULL;
    const char                   *llmnr_arg         = NULL;
    const char                   *dns_over_tls_arg  = NULL;
-    const char                   *dnssec_arg        = NULL;
    gboolean                      has_config        = FALSE;
    gboolean                      has_default_route = FALSE;
    guint                         i;
@ -520,7 +517,6 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
                dns_over_tls =
                    NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
-                dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
            }
        }
    }
@ -593,24 +589,8 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
    }
    nm_assert(dns_over_tls_arg);

-    switch (dnssec) {
-    case NM_SETTING_CONNECTION_DNSSEC_NO:
-        dnssec_arg = "no";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
-        dnssec_arg = "allow-downgrade";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_YES:
-        dnssec_arg = "yes";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
-        dnssec_arg = "";
-        break;
-    }
-    nm_assert(dnssec_arg);
-
    if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
-        || !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
+        || !nm_str_is_empty(dns_over_tls_arg))
        has_config = TRUE;

    _request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@ -638,10 +618,6 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                         DBUS_OP_SET_LINK_DNS_OVER_TLS,
                         ic->ifindex,
                         g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
-    _request_item_append(self,
-                         DBUS_OP_SET_LINK_DNSSEC,
-                         ic->ifindex,
-                         g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));

    return has_config;
 }
--- a/src/core/main-utils.c
+++ b/src/core/main-utils.c
@ -81,7 +81,7 @@ nm_main_utils_write_pidfile(const char *pidfile)
    char                  pid[16];

    nm_sprintf_buf(pid, "%lld", (long long) getpid());
-    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, NULL, &error)) {
+    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, &error)) {
        fprintf(stderr, _("Writing to %s failed: %s\n"), pidfile, error->message);
        return FALSE;
    }
--- a/src/core/main.c
+++ b/src/core/main.c
@ -339,7 +339,7 @@ main(int argc, char *argv[])
        char *path, *slash;
        int   g;

-        /* exe is <builddir>/src/core/NetworkManager, so chop off
+        /* exe is <basedir>/src/.libs/lt-NetworkManager, so chop off
         * the last three components */
        path = realpath("/proc/self/exe", NULL);
        g_assert(path != NULL);
--- a/src/core/ndisc/nm-lndp-ndisc.c
+++ b/src/core/ndisc/nm-lndp-ndisc.c
@ -19,7 +19,6 @@
 #include "libnm-systemd-shared/nm-sd-utils-shared.h"
 #include "nm-l3cfg.h"
 #include "nm-ndisc-private.h"
-#include "nm-core-utils.h"

 #define _NMLOG_PREFIX_NAME "ndisc-lndp"

@ -28,14 +27,6 @@
 typedef struct {
    struct ndp *ndp;
    GSource    *event_source;
-
-    struct {
-        NMRateLimit pio_lft;
-        NMRateLimit mtu;
-        NMRateLimit omit_prefix;
-        NMRateLimit omit_dns;
-        NMRateLimit omit_dnssl;
-    } msg_ratelimit;
 } NMLndpNDiscPrivate;

 /*****************************************************************************/
@ -58,36 +49,6 @@ G_DEFINE_TYPE(NMLndpNDisc, nm_lndp_ndisc, NM_TYPE_NDISC)

 /*****************************************************************************/

-/*
- * If we log a message about an invalid RA packet, don't repeat the same message
- * at every packet received or sent. Rate limit the message to 6 every 12 hours
- * per type and per ndisc instance.
- */
-
-#define LOG_INV_RA_WINDOW (12 * 3600)
-#define LOG_INV_RA_BURST  6
-
-#define _LOG_INVALID_RA(ndisc, rate_limit, ...)                                  \
-    G_STMT_START                                                                 \
-    {                                                                            \
-        NMNDisc     *__ndisc  = (ndisc);                                         \
-        NMRateLimit *__rl     = (rate_limit);                                    \
-        const char  *__ifname = nm_ndisc_get_ifname(__ndisc);                    \
-                                                                                 \
-        if (__ifname && nm_logging_enabled(LOGL_WARN, LOGD_IP6)                  \
-            && nm_rate_limit_check(__rl, LOG_INV_RA_WINDOW, LOG_INV_RA_BURST)) { \
-            nm_log(LOGL_WARN,                                                    \
-                   LOGD_IP6,                                                     \
-                   __ifname,                                                     \
-                   NULL,                                                         \
-                   "ndisc (%s): " _NM_UTILS_MACRO_FIRST(__VA_ARGS__),            \
-                   __ifname _NM_UTILS_MACRO_REST(__VA_ARGS__));                  \
-        }                                                                        \
-    }                                                                            \
-    G_STMT_END
-
-/*****************************************************************************/
-
 static gboolean
 send_rs(NMNDisc *ndisc, GError **error)
 {
@ -152,7 +113,6 @@ static int
 receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
 {
    NMNDisc             *ndisc   = (NMNDisc *) user_data;
-    NMLndpNDiscPrivate  *priv    = NM_LNDP_NDISC_GET_PRIVATE(ndisc);
    NMNDiscDataInternal *rdata   = ndisc->rdata;
    NMNDiscConfigMap     changed = 0;
    NMNDiscGateway       gateway;
@ -269,11 +229,7 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
             * log a system management error in this case.
             */
            if (preferred_time > valid_time) {
-                _LOG_INVALID_RA(
-                    ndisc,
-                    &priv->msg_ratelimit.pio_lft,
-                    "ignoring Prefix Information Option with invalid lifetimes in received IPv6 "
-                    "router advertisement");
+                _LOGW("skipping PIO - preferred lifetime > valid lifetime");
                continue;
            }

@ -393,11 +349,7 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
             * Kernel would set it, but would flush out all IPv6 addresses away
             * from the link, even the link-local, and we wouldn't be able to
             * listen for further RAs that could fix the MTU. */
-            _LOG_INVALID_RA(ndisc,
-                            &priv->msg_ratelimit.mtu,
-                            "ignoring too small MTU %u in received IPv6 "
-                            "router advertisement",
-                            mtu);
+            _LOGW("MTU too small for IPv6 ignored: %d", mtu);
        }
    }

@ -493,11 +445,8 @@ send_ra(NMNDisc *ndisc, GError **error)

        prefix = _ndp_msg_add_option(msg, sizeof(*prefix));
        if (!prefix) {
-            /* Maybe we could send separate RAs, but why bother... */
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_prefix,
-                "the outgoing IPv6 router advertisement is too big: omitting some prefixes");
+            /* Maybe we could sent separate RAs, but why bother... */
+            _LOGW("The RA is too big, had to omit some some prefixes.");
            break;
        }

@ -526,10 +475,7 @@ send_ra(NMNDisc *ndisc, GError **error)

        option = _ndp_msg_add_option(msg, len);
        if (!option) {
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_dns,
-                "the outgoing IPv6 router advertisement is too big: omitting DNS information");
+            _LOGW("The RA is too big, had to omit DNS information.");
            goto dns_servers_done;
        }

@ -607,10 +553,7 @@ dns_servers_done:
        nm_assert(len / 8u >= 2u);

        if (len / 8u >= 256u || !(option = _ndp_msg_add_option(msg, len))) {
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_dnssl,
-                "the outgoing IPv6 router advertisement is too big: omitting DNS search list");
+            _LOGW("The RA is too big, had to omit DNS search list.");
            goto dns_domains_done;
        }

--- a/src/core/nm-checkpoint.c
+++ b/src/core/nm-checkpoint.c
@ -160,7 +160,7 @@ parse_connection_from_shadowed_file(const char *path, GError **error)
 {
    nm_auto_unref_keyfile GKeyFile *keyfile  = NULL;
    gs_free char                   *base_dir = NULL;
-    const char                     *sep;
+    char                           *sep;

    keyfile = g_key_file_new();
    if (!g_key_file_load_from_file(keyfile, path, G_KEY_FILE_NONE, error))
--- a/src/core/nm-config-data.c
+++ b/src/core/nm-config-data.c
@ -50,9 +50,9 @@ struct _NMGlobalDnsConfig {
    char           **options;
    GHashTable      *domains;
    const char     **domain_list;
+    gboolean         internal;
    char            *cert_authority;
    NMDnsResolveMode resolve_mode;
-    gboolean         internal;
 };

 /*****************************************************************************/
@ -941,14 +941,6 @@ next:

 /*****************************************************************************/

-gboolean
-nm_global_dns_has_global_dns_section(const NMGlobalDnsConfig *dns_config)
-{
-    g_return_val_if_fail(dns_config, FALSE);
-
-    return dns_config->searches != NULL || dns_config->options != NULL;
-}
-
 const char *const *
 nm_global_dns_config_get_searches(const NMGlobalDnsConfig *dns_config)
 {
@ -1244,7 +1236,6 @@ load_global_dns(GKeyFile *keyfile, gboolean internal)
    gs_free char      *cert_authority = NULL;
    gs_free char      *resolve_mode   = NULL;
    NMDnsResolveMode   parsed_resolve_mode;
-    gboolean           has_global_dns_section;

    if (internal) {
        group         = NM_CONFIG_KEYFILE_GROUP_INTERN_GLOBAL_DNS;
@ -1395,22 +1386,6 @@ load_global_dns(GKeyFile *keyfile, gboolean internal)
        return NULL;
    }

-    /* Defining [global-dns-domain-*] implies defining [global-dns] too (maybe empty) */
-    if (default_found)
-        has_global_dns_section = TRUE;
-    else
-        has_global_dns_section = g_key_file_has_group(keyfile, group);
-
-    /* If there exist a [global-dns] section, always initialize "searches" and "options" so
-     * they appear in D-Bus. Clients can use this to know if it's defined, so they can know
-     * if DNS configs from connections are relevant or not. */
-    if (has_global_dns_section) {
-        if (!dns_config->searches)
-            dns_config->searches = nm_strv_empty_new();
-        if (!dns_config->options)
-            dns_config->options = nm_strv_empty_new();
-    }
-
    dns_config->internal = internal;
    global_dns_config_seal_domains(dns_config);
    return dns_config;
@ -1631,6 +1606,17 @@ nm_global_dns_config_from_dbus(const GValue *value, GError **error)
        g_variant_unref(val);
    }

+    /* An empty value is valid and clears the internal configuration */
+    if (!nm_global_dns_config_is_empty(dns_config)
+        && !nm_global_dns_config_lookup_domain(dns_config, "*")) {
+        g_set_error_literal(error,
+                            NM_MANAGER_ERROR,
+                            NM_MANAGER_ERROR_FAILED,
+                            "Global DNS configuration is missing the default domain");
+        nm_global_dns_config_free(dns_config);
+        return NULL;
+    }
+
    global_dns_config_seal_domains(dns_config);
    return dns_config;
 }
--- a/src/core/nm-config-data.h
+++ b/src/core/nm-config-data.h
@ -274,7 +274,6 @@ gboolean nm_config_data_is_intern_atomic_group(const NMConfigData *self, const c

 GKeyFile *nm_config_data_clone_keyfile_intern(const NMConfigData *self);

-gboolean           nm_global_dns_has_global_dns_section(const NMGlobalDnsConfig *dns_config);
 const char *const *nm_global_dns_config_get_searches(const NMGlobalDnsConfig *dns_config);
 const char *const *nm_global_dns_config_get_options(const NMGlobalDnsConfig *dns_config);
 const char *nm_global_dns_config_get_certification_authority(const NMGlobalDnsConfig *dns_config);
--- a/src/core/nm-config.c
+++ b/src/core/nm-config.c
@ -18,7 +18,6 @@
 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-core-intern/nm-keyfile-internal.h"
 #include "libnm-core-intern/nm-keyfile-utils.h"
-#include "libnm-glib-aux/nm-keyfile-aux.h"

 #define DEFAULT_CONFIG_MAIN_FILE     NMCONFDIR "/NetworkManager.conf"
 #define DEFAULT_CONFIG_DIR           NMCONFDIR "/conf.d"
@ -892,7 +891,6 @@ static const ConfigGroup config_groups[] = {
        .is_prefix = TRUE,
        .keys      = NM_MAKE_STRV(NM_CONFIG_KEYFILE_KEY_DEVICE_CARRIER_WAIT_TIMEOUT,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_IGNORE_CARRIER,
-                             NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_MANAGED,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_SRIOV_NUM_VFS,
                             NM_CONFIG_KEYFILE_KEY_DEVICE_KEEP_CONFIGURATION,
@ -1048,10 +1046,6 @@ read_config(GKeyFile   *keyfile,
            /* internal groups cannot be set by user configuration. */
            continue;
        }
-
-        if (!g_key_file_has_group(keyfile, group))
-            nm_key_file_add_group(keyfile, group);
-
        keys = g_key_file_get_keys(kf, group, &nkeys, NULL);
        if (!keys)
            continue;
@ -1645,12 +1639,6 @@ intern_config_read(const char        *filename,
                                 "");
        }

-        if (!g_key_file_has_group(keyfile_intern, group)) {
-            nm_key_file_add_group(keyfile_intern, group);
-            if (is_intern)
-                has_intern = TRUE;
-        }
-
        for (k = 0; keys[k]; k++) {
            gs_free char *value_set = NULL;
            const char   *key       = keys[k];
@ -1835,9 +1823,6 @@ intern_config_write(const char        *filename,
            }
        }

-        if (!g_key_file_has_group(keyfile, group))
-            nm_key_file_add_group(keyfile, group);
-
        for (k = 0; keys[k]; k++) {
            const char   *key       = keys[k];
            gs_free char *value_set = NULL;
--- a/src/core/nm-connectivity.c
+++ b/src/core/nm-connectivity.c
@ -77,8 +77,6 @@ struct _NMConnectivityCheckHandle {
        ConConfig *con_config;

        GCancellable      *resolve_cancellable;
-        int                resolve_ifindex;
-        GDBusConnection   *dbus_connection;
        CURLM             *curl_mhandle;
        CURL              *curl_ehandle;
        struct curl_slist *request_headers;
@ -955,113 +953,6 @@ systemd_resolved_resolve_cb(GObject *object, GAsyncResult *res, gpointer user_da
    do_curl_request(cb_data, nm_str_buf_get_str(&strbuf_hosts));
 }

-static void
-systemd_resolved_resolve(NMConnectivityCheckHandle *cb_data)
-{
-    _LOG2D("start request to '%s' (try resolving '%s' using systemd-resolved with ifindex %d)",
-           cb_data->concheck.con_config->uri,
-           cb_data->concheck.con_config->host,
-           cb_data->concheck.resolve_ifindex);
-
-    g_dbus_connection_call(cb_data->concheck.dbus_connection,
-                           "org.freedesktop.resolve1",
-                           "/org/freedesktop/resolve1",
-                           "org.freedesktop.resolve1.Manager",
-                           "ResolveHostname",
-                           g_variant_new("(isit)",
-                                         (gint32) cb_data->concheck.resolve_ifindex,
-                                         cb_data->concheck.con_config->host,
-                                         (gint32) cb_data->addr_family,
-                                         SD_RESOLVED_DNS),
-                           G_VARIANT_TYPE("(a(iiay)st)"),
-                           G_DBUS_CALL_FLAGS_NONE,
-                           -1,
-                           cb_data->concheck.resolve_cancellable,
-                           systemd_resolved_resolve_cb,
-                           cb_data);
-}
-
-static void
-systemd_resolved_link_scopes_cb(GObject *object, GAsyncResult *res, gpointer user_data)
-{
-    NMConnectivityCheckHandle *cb_data;
-    gs_unref_variant GVariant *result     = NULL;
-    gs_unref_variant GVariant *value      = NULL;
-    gs_free_error GError      *error      = NULL;
-    guint64                    scope_mask = 0;
-
-    result = g_dbus_connection_call_finish(G_DBUS_CONNECTION(object), res, &error);
-    if (nm_utils_error_is_cancelled(error))
-        return;
-
-    cb_data = user_data;
-
-    if (!result) {
-        _LOG2D("unable to obtain systemd-resolved link ScopesMask for interface %d: %s",
-               cb_data->concheck.resolve_ifindex,
-               error->message);
-
-        cb_data->concheck.resolve_ifindex = 0;
-        systemd_resolved_resolve(cb_data);
-        return;
-    }
-
-    g_variant_get(result, "(v)", &value);
-    g_variant_get(value, "t", &scope_mask);
-
-    if (!(scope_mask & SD_RESOLVED_DNS)) {
-        /* there is no per-link DNS configured / active; query all available /
-         * system DNS resolvers instead of restricting the lookup to just this
-         * one, which would turn up no results. */
-        _LOG2D("no per-link DNS available (scope mask %" G_GUINT64_FORMAT
-               "); falling back to system-wide lookups",
-               scope_mask);
-        cb_data->concheck.resolve_ifindex = 0;
-    }
-
-    systemd_resolved_resolve(cb_data);
-}
-
-static void
-systemd_resolved_get_link_cb(GObject *object, GAsyncResult *res, gpointer user_data)
-{
-    NMConnectivityCheckHandle *cb_data;
-    gs_unref_variant GVariant *result    = NULL;
-    gs_free char              *link_path = NULL;
-    gs_free_error GError      *error     = NULL;
-
-    result = g_dbus_connection_call_finish(G_DBUS_CONNECTION(object), res, &error);
-    if (nm_utils_error_is_cancelled(error))
-        return;
-
-    cb_data = user_data;
-
-    if (!result) {
-        _LOG2D("unable to obtain systemd-resolved link D-Bus object for interface %d: %s",
-               cb_data->concheck.resolve_ifindex,
-               error->message);
-
-        cb_data->concheck.resolve_ifindex = 0;
-        systemd_resolved_resolve(cb_data);
-        return;
-    }
-
-    g_variant_get(result, "(o)", &link_path);
-
-    g_dbus_connection_call(cb_data->concheck.dbus_connection,
-                           "org.freedesktop.resolve1",
-                           link_path,
-                           "org.freedesktop.DBus.Properties",
-                           "Get",
-                           g_variant_new("(ss)", "org.freedesktop.resolve1.Link", "ScopesMask"),
-                           G_VARIANT_TYPE("(v)"),
-                           G_DBUS_CALL_FLAGS_NONE,
-                           -1,
-                           cb_data->concheck.resolve_cancellable,
-                           systemd_resolved_link_scopes_cb,
-                           cb_data);
-}
-
 static NMConnectivityState
 check_platform_config(NMConnectivity *self,
                      NMPlatform     *platform,
@ -1176,7 +1067,6 @@ nm_connectivity_check_start(NMConnectivity             *self,
        }

        cb_data->concheck.resolve_cancellable = g_cancellable_new();
-        cb_data->concheck.resolve_ifindex     = ifindex;

        /* note that we pick up support for systemd-resolved right away when we need it.
         * We don't need to remember the setting, because we can (cheaply) check anew
@ -1199,8 +1089,10 @@ nm_connectivity_check_start(NMConnectivity             *self,
        has_systemd_resolved = !!nm_dns_manager_get_systemd_resolved(nm_dns_manager_get());

        if (has_systemd_resolved) {
-            cb_data->concheck.dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
-            if (!cb_data->concheck.dbus_connection) {
+            GDBusConnection *dbus_connection;
+
+            dbus_connection = NM_MAIN_DBUS_CONNECTION_GET;
+            if (!dbus_connection) {
                /* we have no D-Bus connection? That might happen in configure and quit mode.
                 *
                 * Anyway, something is very odd, just fail connectivity check. */
@ -1211,19 +1103,25 @@ nm_connectivity_check_start(NMConnectivity             *self,
                return cb_data;
            }

-            /* first check whether there has been a per-link DNS configured */
-            g_dbus_connection_call(cb_data->concheck.dbus_connection,
+            g_dbus_connection_call(dbus_connection,
                                   "org.freedesktop.resolve1",
                                   "/org/freedesktop/resolve1",
                                   "org.freedesktop.resolve1.Manager",
-                                   "GetLink",
-                                   g_variant_new("(i)", ifindex),
-                                   G_VARIANT_TYPE("(o)"),
+                                   "ResolveHostname",
+                                   g_variant_new("(isit)",
+                                                 0,
+                                                 cb_data->concheck.con_config->host,
+                                                 (gint32) cb_data->addr_family,
+                                                 SD_RESOLVED_DNS),
+                                   G_VARIANT_TYPE("(a(iiay)st)"),
                                   G_DBUS_CALL_FLAGS_NONE,
                                   -1,
                                   cb_data->concheck.resolve_cancellable,
-                                   systemd_resolved_get_link_cb,
+                                   systemd_resolved_resolve_cb,
                                   cb_data);
+            _LOG2D("start request to '%s' (try resolving '%s' using systemd-resolved)",
+                   cb_data->concheck.con_config->uri,
+                   cb_data->concheck.con_config->host);
            return cb_data;
        }

--- a/src/core/nm-core-utils.c
+++ b/src/core/nm-core-utils.c
@ -2865,7 +2865,6 @@ _host_id_read(guint8 **out_host_id, gsize *out_host_id_len)
                                               0600,
                                               NULL,
                                               NULL,
-                                               NULL,
                                               &error)) {
            nm_log_warn(
                LOGD_CORE,
@ -5012,7 +5011,6 @@ typedef struct {
    int      child_stdin;
    int      child_stdout;
    int      child_stderr;
-    gboolean binary_output;
    GSource *input_source;
    GSource *output_source;
    GSource *error_source;
@ -5092,17 +5090,9 @@ helper_complete(HelperInfo *info, GError *error)
    }

    nm_clear_g_cancellable_disconnect(g_task_get_cancellable(info->task), &info->cancellable_id);
-
-    if (info->binary_output) {
-        g_task_return_pointer(
-            info->task,
-            g_bytes_new(nm_str_buf_get_str_unsafe(&info->in_buffer), info->in_buffer.len),
-            (GDestroyNotify) (g_bytes_unref));
-    } else {
-        g_task_return_pointer(info->task,
-                              nm_str_buf_finalize(&info->in_buffer, NULL) ?: g_new0(char, 1),
-                              g_free);
-    }
+    g_task_return_pointer(info->task,
+                          nm_str_buf_finalize(&info->in_buffer, NULL) ?: g_new0(char, 1),
+                          g_free);
    helper_info_free(info);
 }

@ -5245,7 +5235,6 @@ helper_cancelled(GObject *object, gpointer user_data)

 void
 nm_utils_spawn_helper(const char *const  *args,
-                      gboolean            binary_output,
                      GCancellable       *cancellable,
                      GAsyncReadyCallback callback,
                      gpointer            cb_data)
@ -5261,14 +5250,9 @@ nm_utils_spawn_helper(const char *const  *args,

    info  = g_new(HelperInfo, 1);
    *info = (HelperInfo) {
-        .task          = nm_g_task_new(NULL, cancellable, nm_utils_spawn_helper, callback, cb_data),
-        .binary_output = binary_output,
+        .task = nm_g_task_new(NULL, cancellable, nm_utils_spawn_helper, callback, cb_data),
    };

-    /* Store if the caller requested binary output so that we can check later
-     * that the right result function is called. */
-    g_task_set_task_data(info->task, GINT_TO_POINTER(binary_output), NULL);
-
    if (!g_spawn_async_with_pipes("/",
                                  (char **) NM_MAKE_STRV(LIBEXECDIR "/nm-daemon-helper"),
                                  (char **) NM_MAKE_STRV(),
@ -5379,25 +5363,11 @@ nm_utils_spawn_helper(const char *const  *args,
 }

 char *
-nm_utils_spawn_helper_finish_string(GAsyncResult *result, GError **error)
+nm_utils_spawn_helper_finish(GAsyncResult *result, GError **error)
 {
    GTask *task = G_TASK(result);

    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_spawn_helper));
-    /* Check binary_output */
-    nm_assert(GPOINTER_TO_INT(g_task_get_task_data(task)) == FALSE);
-
-    return g_task_propagate_pointer(task, error);
-}
-
-GBytes *
-nm_utils_spawn_helper_finish_binary(GAsyncResult *result, GError **error)
-{
-    GTask *task = G_TASK(result);
-
-    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_spawn_helper));
-    /* Check binary_output */
-    nm_assert(GPOINTER_TO_INT(g_task_get_task_data(task)) == TRUE);

    return g_task_propagate_pointer(task, error);
 }
@ -5504,334 +5474,3 @@ nm_utils_shorten_hostname(const char *hostname, char **shortened)
    *shortened = g_steal_pointer(&s);
    return TRUE;
 }
-
-/**
- * nm_utils_connection_supported:
- * @connection: the connection
- * @error: on return, the reason why the connection in not supported
- *
- * Returns whether the given connection is supported by this version
- * of NetworkManager.
- */
-gboolean
-nm_utils_connection_supported(NMConnection *connection, GError **error)
-{
-    const char *type;
-    const char *feature = NULL;
-
-    g_return_val_if_fail(connection, FALSE);
-    g_return_val_if_fail(!error || !*error, FALSE);
-
-    type = nm_connection_get_connection_type(connection);
-
-    if (!WITH_TEAMDCTL) {
-        NMSettingConnection *s_con;
-
-        if (nm_streq0(type, NM_SETTING_TEAM_SETTING_NAME)) {
-            feature = "team";
-            goto out_disabled;
-        }
-
-        /* Match team ports */
-        if ((s_con = nm_connection_get_setting_connection(connection))
-            && nm_streq0(nm_setting_connection_get_port_type(s_con),
-                         NM_SETTING_TEAM_SETTING_NAME)) {
-            feature = "team";
-            goto out_disabled;
-        }
-    }
-
-    if (!WITH_OPENVSWITCH) {
-        if (NM_IN_STRSET(type,
-                         NM_SETTING_OVS_BRIDGE_SETTING_NAME,
-                         NM_SETTING_OVS_PORT_SETTING_NAME,
-                         NM_SETTING_OVS_INTERFACE_SETTING_NAME)) {
-            feature = "Open vSwitch";
-            goto out_disabled;
-        }
-
-        /* Match OVS system interfaces */
-        if (nm_connection_get_setting_ovs_interface(connection)) {
-            feature = "Open vSwitch";
-            goto out_disabled;
-        }
-    }
-
-    if (!WITH_WIFI
-        && NM_IN_STRSET(type,
-                        NM_SETTING_WIRELESS_SETTING_NAME,
-                        NM_SETTING_OLPC_MESH_SETTING_NAME,
-                        NM_SETTING_WIFI_P2P_SETTING_NAME)) {
-        feature = "Wi-Fi";
-        goto out_disabled;
-    }
-
-    if (!WITH_WWAN
-        && NM_IN_STRSET(type, NM_SETTING_GSM_SETTING_NAME, NM_SETTING_CDMA_SETTING_NAME)) {
-        feature = "WWAN";
-        goto out_disabled;
-    }
-
-    if (nm_streq0(type, NM_SETTING_WIMAX_SETTING_NAME)) {
-        feature = "WiMAX";
-        goto out_removed;
-    }
-
-    return TRUE;
-
-out_disabled:
-    nm_assert(feature);
-    g_set_error(error,
-                NM_SETTINGS_ERROR,
-                NM_SETTINGS_ERROR_FEATURE_DISABLED,
-                "%s support is disabled in this build",
-                feature);
-    return FALSE;
-
-out_removed:
-    nm_assert(feature);
-    g_set_error(error,
-                NM_SETTINGS_ERROR,
-                NM_SETTINGS_ERROR_FEATURE_REMOVED,
-                "%s is no longer supported",
-                feature);
-    return FALSE;
-}
-
-/*****************************************************************************/
-
-/**
- * nm_rate_limit_check():
- * @rate_limit: the NMRateLimit instance
- * @window_sec: the time window in seconds, between 1 and 864000 (ten days)
- * @burst: the number of max allowed event occurrences in the given time
- *   window
- *
- * The function rate limits an event. Call it multiple times with the
- * same @window_sec, and @burst values.
- *
- * Returns: TRUE if the event is allowed, FALSE if it is rate-limited
- */
-gboolean
-nm_rate_limit_check(NMRateLimit *rate_limit, gint32 window_sec, gint32 burst)
-{
-    gint64 now;
-    gint64 old_ts_msec;
-    gint64 window_msec;
-    gint64 capacity;
-    gint64 elapsed;
-
-    nm_assert(window_sec >= 1 && window_sec <= 864000);
-    nm_assert(burst >= 1);
-
-    /* This implements a simple token bucket algorithm. For each millisecond,
-     * refill "burst" tokens. Thus, during a full time window we
-     * refill (window_msec * burst) tokens. Each event consumes @window_msec
-     * tokens. */
-
-    window_msec         = (gint64) window_sec * NM_UTILS_MSEC_PER_SEC;
-    capacity            = window_msec * (gint64) burst;
-    old_ts_msec         = rate_limit->ts_msec;
-    now                 = nm_utils_get_monotonic_timestamp_msec();
-    rate_limit->ts_msec = now;
-
-    elapsed = now - old_ts_msec;
-    if (old_ts_msec == 0 || elapsed > window_msec) {
-        /* On the first call, or in case a whole window passed, (re)start with
-         * a full budget */
-        rate_limit->tokens = capacity;
-    } else {
-        rate_limit->tokens += elapsed * (gint64) burst;
-        rate_limit->tokens = NM_MIN(rate_limit->tokens, capacity);
-    }
-
-    /* Consume the tokens */
-    if (rate_limit->tokens >= window_msec) {
-        rate_limit->tokens -= window_msec;
-        return TRUE;
-    }
-
-    return FALSE;
-}
-
-const char *
-nm_utils_get_connection_first_permissions_user(NMConnection *connection)
-{
-    NMSettingConnection *s_con;
-
-    s_con = nm_connection_get_setting_connection(connection);
-    nm_assert(s_con);
-
-    return _nm_setting_connection_get_first_permissions_user(s_con);
-}
-
-/*****************************************************************************/
-
-const char **
-nm_utils_get_connection_private_files_paths(NMConnection *connection)
-{
-    GPtrArray          *files;
-    gs_free NMSetting **settings = NULL;
-    guint               num_settings;
-    guint               i;
-
-    files    = g_ptr_array_new();
-    settings = nm_connection_get_settings(connection, &num_settings);
-    for (i = 0; i < num_settings; i++) {
-        _nm_setting_get_private_files(settings[i], files);
-    }
-    g_ptr_array_add(files, NULL);
-
-    return (const char **) g_ptr_array_free(files, files->len == 1);
-}
-
-typedef struct _ReadInfo ReadInfo;
-
-typedef struct {
-    char     *path;
-    ReadInfo *read_info;
-} FileInfo;
-
-struct _ReadInfo {
-    GTask      *task;
-    GHashTable *table;
-    GPtrArray  *file_infos; /* of FileInfo */
-    GError     *first_error;
-    guint       num_pending;
-};
-
-static void
-read_file_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data)
-{
-    FileInfo              *file_info = user_data;
-    ReadInfo              *read_info = file_info->read_info;
-    gs_unref_bytes GBytes *output    = NULL;
-    gs_free_error GError  *error     = NULL;
-
-    output = nm_utils_spawn_helper_finish_binary(result, &error);
-
-    nm_assert(read_info->num_pending > 0);
-    read_info->num_pending--;
-
-    if (nm_utils_error_is_cancelled(error)) {
-        /* nop */
-    } else if (error) {
-        nm_log_dbg(LOGD_CORE,
-                   "read-private-files: failed to read file '%s': %s",
-                   file_info->path,
-                   error->message);
-        if (!read_info->first_error) {
-            /* @error just says "helper process exited with status X".
-             * Return a more human-friendly one. */
-            read_info->first_error = g_error_new(NM_UTILS_ERROR,
-                                                 NM_UTILS_ERROR_UNKNOWN,
-                                                 "error reading file '%s'",
-                                                 file_info->path);
-        }
-    } else {
-        nm_log_dbg(LOGD_SUPPLICANT,
-                   "read-private-files: successfully read file '%s'",
-                   file_info->path);
-
-        /* Store the file contents in the hash table */
-        if (!read_info->table) {
-            read_info->table = g_hash_table_new_full(nm_str_hash,
-                                                     g_str_equal,
-                                                     g_free,
-                                                     (GDestroyNotify) g_bytes_unref);
-        }
-        g_hash_table_insert(read_info->table,
-                            g_steal_pointer(&file_info->path),
-                            g_steal_pointer(&output));
-    }
-
-    g_clear_pointer(&file_info->path, g_free);
-
-    /* If all operations are completed, return  */
-    if (read_info->num_pending == 0) {
-        if (read_info->first_error) {
-            g_task_return_error(read_info->task, g_steal_pointer(&read_info->first_error));
-        } else {
-            g_task_return_pointer(read_info->task,
-                                  g_steal_pointer(&read_info->table),
-                                  (GDestroyNotify) g_hash_table_unref);
-        }
-
-        if (read_info->table)
-            g_hash_table_unref(read_info->table);
-        if (read_info->file_infos)
-            g_ptr_array_unref(read_info->file_infos);
-
-        g_object_unref(read_info->task);
-        g_free(read_info);
-    }
-}
-
-/**
- * nm_utils_read_private_files:
- * @paths: array of file paths to be read
- * @user: name of the user to impersonate when reading the files
- * @cancellable: cancellable to cancel the operation
- * @callback: callback to invoke on completion
- * @cb_data: data for @callback
- *
- * Reads the given list of files @paths on behalf of user @user. Invokes
- * @callback asynchronously on completion. The callback must use
- * nm_utils_read_private_files_finish() to obtain the result.
- */
-void
-nm_utils_read_private_files(const char *const  *paths,
-                            const char         *user,
-                            GCancellable       *cancellable,
-                            GAsyncReadyCallback callback,
-                            gpointer            cb_data)
-{
-    ReadInfo *read_info;
-    FileInfo *file_info;
-    guint     i;
-
-    g_return_if_fail(paths && paths[0]);
-    g_return_if_fail(cancellable);
-    g_return_if_fail(callback);
-    g_return_if_fail(cb_data);
-
-    read_info  = g_new(ReadInfo, 1);
-    *read_info = (ReadInfo) {
-        .task = nm_g_task_new(NULL, cancellable, nm_utils_read_private_files, callback, cb_data),
-        .file_infos = g_ptr_array_new_with_free_func(g_free),
-    };
-
-    for (i = 0; paths[i]; i++) {
-        file_info  = g_new(FileInfo, 1);
-        *file_info = (FileInfo) {
-            .path      = g_strdup(paths[i]),
-            .read_info = read_info,
-        };
-        g_ptr_array_add(read_info->file_infos, file_info);
-        read_info->num_pending++;
-
-        nm_utils_spawn_helper(NM_MAKE_STRV("read-file-as-user", user, paths[i]),
-                              TRUE,
-                              cancellable,
-                              read_file_helper_cb,
-                              file_info);
-    }
-}
-
-/**
- * nm_utils_read_private_files_finish:
- * @result: the GAsyncResult
- * @error: on return, the error
- *
- * Returns the files read by nm_utils_read_private_files(). The return value
- * is a hash table {char * -> GBytes *}. Free it with g_hash_table_unref().
- */
-GHashTable *
-nm_utils_read_private_files_finish(GAsyncResult *result, GError **error)
-{
-    GTask *task = G_TASK(result);
-
-    nm_assert(nm_g_task_is_valid(result, NULL, nm_utils_read_private_files));
-
-    return g_task_propagate_pointer(task, error);
-}
--- a/src/core/nm-core-utils.h
+++ b/src/core/nm-core-utils.h
@ -478,13 +478,11 @@ guint8 nm_wifi_utils_level_to_quality(int val);
 /*****************************************************************************/

 void nm_utils_spawn_helper(const char *const  *args,
-                           gboolean            binary_output,
                           GCancellable       *cancellable,
                           GAsyncReadyCallback callback,
                           gpointer            cb_data);

-char   *nm_utils_spawn_helper_finish_string(GAsyncResult *result, GError **error);
-GBytes *nm_utils_spawn_helper_finish_binary(GAsyncResult *result, GError **error);
+char *nm_utils_spawn_helper_finish(GAsyncResult *result, GError **error);

 /*****************************************************************************/

@ -492,32 +490,4 @@ uid_t nm_utils_get_nm_uid(void);

 gid_t nm_utils_get_nm_gid(void);

-/*****************************************************************************/
-
-gboolean nm_utils_connection_supported(NMConnection *connection, GError **error);
-
-/*****************************************************************************/
-
-typedef struct {
-    gint64 ts_msec;
-    gint64 tokens;
-} NMRateLimit;
-
-gboolean nm_rate_limit_check(NMRateLimit *rate_limit, gint32 window_sec, gint32 burst);
-
-/*****************************************************************************/
-
-const char *nm_utils_get_connection_first_permissions_user(NMConnection *connection);
-
-/*****************************************************************************/
-
-const char **nm_utils_get_connection_private_files_paths(NMConnection *connection);
-
-void        nm_utils_read_private_files(const char *const  *paths,
-                                        const char         *user,
-                                        GCancellable       *cancellable,
-                                        GAsyncReadyCallback callback,
-                                        gpointer            cb_data);
-GHashTable *nm_utils_read_private_files_finish(GAsyncResult *result, GError **error);
-
 #endif /* __NM_CORE_UTILS_H__ */
--- a/src/core/nm-l3-config-data.c
+++ b/src/core/nm-l3-config-data.c
@ -120,7 +120,6 @@ struct _NML3ConfigData {
    NMSettingConnectionMdns       mdns;
    NMSettingConnectionLlmnr      llmnr;
    NMSettingConnectionDnsOverTls dns_over_tls;
-    NMSettingConnectionDnssec     dnssec;
    NMUtilsIPv6IfaceId            ip6_token;

    NML3ConfigDatFlags flags;
@ -578,16 +577,6 @@ nm_l3_config_data_log(const NML3ConfigData *self,
                                           NULL)));
    }

-    if (self->dnssec != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
-        gs_free char *s = NULL;
-
-        _L("dnssec: %s",
-           (s = _nm_utils_enum_to_str_full(nm_setting_connection_dnssec_get_type(),
-                                           self->dnssec,
-                                           " ",
-                                           NULL)));
-    }
-
    if (self->mptcp_flags != NM_MPTCP_FLAGS_NONE) {
        gs_free char *s = NULL;

@ -705,7 +694,6 @@ nm_l3_config_data_new(NMDedupMultiIndex *multi_idx, int ifindex, NMIPConfigSourc
        .mdns                           = NM_SETTING_CONNECTION_MDNS_DEFAULT,
        .llmnr                          = NM_SETTING_CONNECTION_LLMNR_DEFAULT,
        .dns_over_tls                   = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT,
-        .dnssec                         = NM_SETTING_CONNECTION_DNSSEC_DEFAULT,
        .flags                          = NM_L3_CONFIG_DAT_FLAGS_NONE,
        .metered                        = NM_TERNARY_DEFAULT,
        .proxy_browser_only             = NM_TERNARY_DEFAULT,
@ -1779,26 +1767,6 @@ nm_l3_config_data_set_dns_over_tls(NML3ConfigData *self, NMSettingConnectionDnsO
    return TRUE;
 }

-NMSettingConnectionDnssec
-nm_l3_config_data_get_dnssec(const NML3ConfigData *self)
-{
-    nm_assert(_NM_IS_L3_CONFIG_DATA(self, TRUE));
-
-    return self->dnssec;
-}
-
-gboolean
-nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec)
-{
-    nm_assert(_NM_IS_L3_CONFIG_DATA(self, FALSE));
-
-    if (self->dnssec == dnssec)
-        return FALSE;
-
-    self->dnssec = dnssec;
-    return TRUE;
-}
-
 NMIPRouteTableSyncMode
 nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self, int addr_family)
 {
@ -2478,7 +2446,6 @@ nm_l3_config_data_cmp_full(const NML3ConfigData *a,
        NM_CMP_DIRECT(a->mdns, b->mdns);
        NM_CMP_DIRECT(a->llmnr, b->llmnr);
        NM_CMP_DIRECT(a->dns_over_tls, b->dns_over_tls);
-        NM_CMP_DIRECT(a->dnssec, b->dnssec);
    }

    if (NM_FLAGS_HAS(flags, NM_L3_CONFIG_CMP_FLAGS_OTHER)) {
@ -3172,8 +3139,7 @@ void
 nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
                           GChecksum            *sum,
                           int                   addr_family,
-                           NMDnsIPConfigType     dns_ip_config_type,
-                           gboolean              ignore_searches_and_options)
+                           NMDnsIPConfigType     dns_ip_config_type)
 {
    guint              i;
    int                val;
@ -3212,18 +3178,16 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
        empty = FALSE;
    }

-    if (!ignore_searches_and_options) {
-        searches = nm_l3_config_data_get_searches(l3cd, addr_family, &num_searches);
-        for (i = 0; i < num_searches; i++) {
-            g_checksum_update(sum, (const guint8 *) searches[i], strlen(searches[i]));
-            empty = FALSE;
-        }
+    searches = nm_l3_config_data_get_searches(l3cd, addr_family, &num_searches);
+    for (i = 0; i < num_searches; i++) {
+        g_checksum_update(sum, (const guint8 *) searches[i], strlen(searches[i]));
+        empty = FALSE;
+    }

-        options = nm_l3_config_data_get_dns_options(l3cd, addr_family, &num_options);
-        for (i = 0; i < num_options; i++) {
-            g_checksum_update(sum, (const guint8 *) options[i], strlen(options[i]));
-            empty = FALSE;
-        }
+    options = nm_l3_config_data_get_dns_options(l3cd, addr_family, &num_options);
+    for (i = 0; i < num_options; i++) {
+        g_checksum_update(sum, (const guint8 *) options[i], strlen(options[i]));
+        empty = FALSE;
    }

    val = nm_l3_config_data_get_mdns(l3cd);
@ -3244,12 +3208,6 @@ nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
        empty = FALSE;
    }

-    val = nm_l3_config_data_get_dnssec(l3cd);
-    if (val != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
-        g_checksum_update(sum, (const guint8 *) &val, sizeof(val));
-        empty = FALSE;
-    }
-
    if (!empty) {
        int prio = 0;

@ -3500,9 +3458,6 @@ nm_l3_config_data_merge(NML3ConfigData       *self,
    if (self->dns_over_tls == NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT)
        self->dns_over_tls = src->dns_over_tls;

-    if (self->dnssec == NM_SETTING_CONNECTION_DNSSEC_DEFAULT)
-        self->dnssec = src->dnssec;
-
    if (self->ip6_token.id == 0)
        self->ip6_token.id = src->ip6_token.id;

--- a/src/core/nm-l3-config-data.h
+++ b/src/core/nm-l3-config-data.h
@ -458,10 +458,6 @@ NMSettingConnectionDnsOverTls nm_l3_config_data_get_dns_over_tls(const NML3Confi
 gboolean nm_l3_config_data_set_dns_over_tls(NML3ConfigData               *self,
                                            NMSettingConnectionDnsOverTls dns_over_tls);

-NMSettingConnectionDnssec nm_l3_config_data_get_dnssec(const NML3ConfigData *self);
-
-gboolean nm_l3_config_data_set_dnssec(NML3ConfigData *self, NMSettingConnectionDnssec dnssec);
-
 NMIPRouteTableSyncMode nm_l3_config_data_get_route_table_sync(const NML3ConfigData *self,
                                                              int                   addr_family);

@ -619,7 +615,6 @@ nmtst_l3_config_data_get_best_gateway(const NML3ConfigData *self, int addr_famil
 void nm_l3_config_data_hash_dns(const NML3ConfigData *l3cd,
                                GChecksum            *sum,
                                int                   addr_family,
-                                NMDnsIPConfigType     dns_ip_config_type,
-                                gboolean              ignore_searches_and_options);
+                                NMDnsIPConfigType     dns_ip_config_type);

 #endif /* __NM_L3_CONFIG_DATA_H__ */
--- a/src/core/nm-l3cfg.c
+++ b/src/core/nm-l3cfg.c
@ -3056,10 +3056,9 @@ handle_start_probing:
        }

        _LOGT_acd(acd_data,
-                  "%sstart probing (timeout %u msec, ebpf %s; %s)",
+                  "%sstart probing (timeout %u msec, %s)",
                  orig_state == NM_L3_ACD_ADDR_STATE_INIT ? "" : "re",
                  acd_data->probing_timeout_msec,
-                  n_acd_has_bpf(self->priv.p->nacd) ? "enabled" : "disabled",
                  log_reason);
        return;
    }
@ -3154,11 +3153,10 @@ handle_start_defending:
        }

        _LOGT_acd(acd_data,
-                  "start announcing (defend=%s) (probe created with ebpf %s)",
+                  "start announcing (defend=%s) (probe created)",
                  _l3_acd_defend_type_to_string(acd_data->acd_defend_type_current,
                                                sbuf256,
-                                                sizeof(sbuf256)),
-                  n_acd_has_bpf(self->priv.p->nacd) ? "enabled" : "disabled");
+                                                sizeof(sbuf256)));
        acd_data->acd_defend_type_is_active = FALSE;
        acd_data->nacd_probe                = probe;
        return;
@ -3989,7 +3987,7 @@ _l3cfg_routed_dns_apply(NML3Cfg *self, const NML3ConfigData *l3cd)
            NMDnsServer               dns;
            int                       r;

-            if (!nm_dns_uri_parse(addr_family, nameservers[i], &dns, NULL))
+            if (!nm_dns_uri_parse(addr_family, nameservers[i], &dns))
                continue;

            /* Find the gateway to the DNS over the current interface. When
@ -5054,8 +5052,8 @@ _l3_commit_mptcp_af(NML3Cfg          *self,
            (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SIGNAL) ? MPTCP_PM_ADDR_FLAG_SIGNAL : 0)
            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_SUBFLOW) ? MPTCP_PM_ADDR_FLAG_SUBFLOW : 0)
            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_BACKUP) ? MPTCP_PM_ADDR_FLAG_BACKUP : 0)
-            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_FULLMESH) ? MPTCP_PM_ADDR_FLAG_FULLMESH : 0)
-            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_LAMINAR) ? MPTCP_PM_ADDR_FLAG_LAMINAR : 0);
+            | (NM_FLAGS_HAS(mptcp_flags, NM_MPTCP_FLAGS_FULLMESH) ? MPTCP_PM_ADDR_FLAG_FULLMESH
+                                                                  : 0);
        NMPlatformMptcpAddr a = {
            .ifindex     = self->priv.ifindex,
            .id          = 0,
--- a/src/core/nm-manager.c
+++ b/src/core/nm-manager.c
@ -136,7 +136,6 @@ enum {
    ACTIVE_CONNECTION_REMOVED,
    CONFIGURE_QUIT,
    DEVICE_IFINDEX_CHANGED,
-    SHARING_IPV4_CHANGED,

    LAST_SIGNAL
 };
@ -239,8 +238,6 @@ typedef struct {

    guint8 device_state_prune_ratelimit_count;

-    guint shared_connections_ip4_count;
-
    bool startup : 1;
    bool devices_inited : 1;

@ -1963,7 +1960,7 @@ find_device_by_iface(NMManager    *self,
 }

 static gboolean
-manager_is_disabled(NMManager *self)
+manager_sleeping(NMManager *self)
 {
    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);

@ -1976,8 +1973,8 @@ static const char *
 _nm_state_to_string(NMState state)
 {
    switch (state) {
-    case NM_STATE_DISABLED:
-        return "DISABLED";
+    case NM_STATE_ASLEEP:
+        return "ASLEEP";
    case NM_STATE_DISCONNECTED:
        return "DISCONNECTED";
    case NM_STATE_DISCONNECTING:
@ -2081,18 +2078,15 @@ nm_manager_update_state(NMManager *self)
 {
    NMManagerPrivate *priv;
    NMState           new_state = NM_STATE_DISCONNECTED;
-    const char       *detail    = "";

    g_return_if_fail(NM_IS_MANAGER(self));

    priv = NM_MANAGER_GET_PRIVATE(self);

-    if (manager_is_disabled(self)) {
-        new_state = NM_STATE_DISABLED;
-        detail    = priv->sleeping ? " (ASLEEP)" : " (NETWORKING OFF)";
-    } else {
+    if (manager_sleeping(self))
+        new_state = NM_STATE_ASLEEP;
+    else
        new_state = find_best_device_state(self);
-    }

    if (new_state >= NM_STATE_CONNECTED_LOCAL && priv->connectivity_state == NM_CONNECTIVITY_FULL) {
        new_state = NM_STATE_CONNECTED_GLOBAL;
@ -2103,7 +2097,7 @@ nm_manager_update_state(NMManager *self)

    priv->state = new_state;

-    _LOGI(LOGD_CORE, "NetworkManager state is now %s%s", _nm_state_to_string(new_state), detail);
+    _LOGI(LOGD_CORE, "NetworkManager state is now %s", _nm_state_to_string(new_state));

    _notify(self, PROP_STATE);
    nm_dbus_object_emit_signal(NM_DBUS_OBJECT(self),
@ -2962,7 +2956,7 @@ _rfkill_update_devices(NMManager *self, NMRfkillType rtype, gboolean enabled)
    _notify(self, _rfkill_type_desc[rtype].prop_id);

    /* Don't touch devices if asleep/networking disabled */
-    if (manager_is_disabled(self))
+    if (manager_sleeping(self))
        return;

    /* enable/disable wireless devices as required */
@ -3126,7 +3120,7 @@ _rfkill_update_from_user(NMManager *self, NMRfkillType rtype, gboolean enabled)
    gboolean          old_enabled, new_enabled;

    /* Don't touch devices if asleep/networking disabled */
-    if (manager_is_disabled(self))
+    if (manager_sleeping(self))
        return;

    _LOGD(LOGD_RFKILL,
@ -4085,7 +4079,7 @@ add_device(NMManager *self, NMDevice *device, GError **error)

    nm_device_set_unmanaged_by_user_settings(device, TRUE);

-    nm_device_set_unmanaged_flags(device, NM_UNMANAGED_MANAGER_DISABLED, manager_is_disabled(self));
+    nm_device_set_unmanaged_flags(device, NM_UNMANAGED_SLEEPING, manager_sleeping(self));

    dbus_path = nm_dbus_object_export(NM_DBUS_OBJECT(device));
    _LOG2I(LOGD_DEVICE, device, "new %s device (%s)", type_desc, dbus_path);
@ -5724,7 +5718,6 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
    GError                  *local = NULL;
    NMConnectionMultiConnect multi_connect;
    const char              *parent_spec;
-    gboolean                 did_realize = FALSE;

    g_return_val_if_fail(NM_IS_MANAGER(self), FALSE);
    g_return_val_if_fail(NM_IS_ACTIVE_CONNECTION(active), FALSE);
@ -5899,7 +5892,6 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                               nm_device_get_iface(device));
                return FALSE;
            }
-            did_realize = TRUE;
        }
    }

@ -5931,7 +5923,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                        "The controller connection '%s' is not compatible with '%s'",
                        nm_settings_connection_get_id(controller_connection),
                        nm_settings_connection_get_id(sett_conn));
-            goto err_unrealize;
+            return FALSE;
        }

        if (!controller_ac) {
@ -5954,7 +5946,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                                   "Controller connection '%s' can't be activated: ",
                                   nm_settings_connection_get_id(controller_connection));
                }
-                goto err_unrealize;
+                return FALSE;
            }
        }

@ -6048,7 +6040,7 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
                                NM_MANAGER_ERROR,
                                NM_MANAGER_ERROR_DEPENDENCY_FAILED,
                                "Activation failed because the device is unmanaged");
-            goto err_unrealize;
+            return FALSE;
        }
    }

@ -6056,11 +6048,6 @@ _internal_activate_device(NMManager *self, NMActiveConnection *active, GError **
    active_connection_add(self, active);
    nm_device_queue_activation(device, NM_ACT_REQUEST(active));
    return TRUE;
-
-err_unrealize:
-    if (did_realize)
-        nm_device_unrealize(device, TRUE, NULL);
-    return FALSE;
 }

 static gboolean
@ -7305,7 +7292,7 @@ device_sleep_cb(NMDevice *device, GParamSpec *pspec, NMManager *self)
    case NM_DEVICE_STATE_DISCONNECTED:
        _LOGD(LOGD_SUSPEND, "sleep: unmanaging device %s", nm_device_get_ip_iface(device));
        nm_device_set_unmanaged_by_flags_queue(device,
-                                               NM_UNMANAGED_MANAGER_DISABLED,
+                                               NM_UNMANAGED_SLEEPING,
                                               NM_UNMAN_FLAG_OP_SET_UNMANAGED,
                                               NM_DEVICE_STATE_REASON_SLEEPING);
        break;
@ -7327,26 +7314,24 @@ _handle_device_takedown(NMManager *self,
                        gboolean   suspending,
                        gboolean   is_shutdown)
 {
-    gboolean            is_sleep = suspending || is_shutdown;
-    NMDeviceStateReason reason =
-        is_sleep ? NM_DEVICE_STATE_REASON_SLEEPING : NM_DEVICE_STATE_REASON_NETWORKING_OFF;
-
    nm_device_notify_sleeping(device);

    if (nm_device_is_activating(device)
        || nm_device_get_state(device) == NM_DEVICE_STATE_ACTIVATED) {
-        _LOGD(is_sleep ? LOGD_SUSPEND : LOGD_CORE,
+        _LOGD(LOGD_SUSPEND,
              "%s: wait disconnection of device %s",
-              is_sleep ? (is_shutdown ? "shutdown" : "sleep") : "networking off",
+              is_shutdown ? "shutdown" : "sleep",
              nm_device_get_ip_iface(device));

        if (sleep_devices_add(self, device, suspending))
-            nm_device_queue_state(device, NM_DEVICE_STATE_DEACTIVATING, reason);
+            nm_device_queue_state(device,
+                                  NM_DEVICE_STATE_DEACTIVATING,
+                                  NM_DEVICE_STATE_REASON_SLEEPING);
    } else {
        nm_device_set_unmanaged_by_flags(device,
-                                         NM_UNMANAGED_MANAGER_DISABLED,
+                                         NM_UNMANAGED_SLEEPING,
                                         NM_UNMAN_FLAG_OP_SET_UNMANAGED,
-                                         reason);
+                                         NM_DEVICE_STATE_REASON_SLEEPING);
    }
 }

@ -7360,10 +7345,8 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
    suspending          = sleeping_changed && priv->sleeping;
    waking_from_suspend = sleeping_changed && !priv->sleeping;

-    if (manager_is_disabled(self)) {
-        _LOGD(suspending ? LOGD_SUSPEND : LOGD_CORE,
-              "%s...",
-              suspending ? "sleep: sleeping" : "networking: disabling");
+    if (manager_sleeping(self)) {
+        _LOGD(LOGD_SUSPEND, "sleep: %s...", suspending ? "sleeping" : "disabling");

        /* FIXME: are there still hardware devices that need to be disabled around
         * suspend/resume?
@ -7389,9 +7372,7 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
            _handle_device_takedown(self, device, suspending, FALSE);
        }
    } else {
-        _LOGD(waking_from_suspend ? LOGD_SUSPEND : LOGD_CORE,
-              "%s...",
-              waking_from_suspend ? "sleep: waking up" : "networking: re-enabling");
+        _LOGD(LOGD_SUSPEND, "sleep: %s...", waking_from_suspend ? "waking up" : "re-enabling");

        sleep_devices_clear(self);

@ -7405,7 +7386,7 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
                 */
                if (device_is_wake_on_lan(priv->platform, device))
                    nm_device_set_unmanaged_by_flags(device,
-                                                     NM_UNMANAGED_MANAGER_DISABLED,
+                                                     NM_UNMANAGED_SLEEPING,
                                                     NM_UNMAN_FLAG_OP_SET_UNMANAGED,
                                                     NM_DEVICE_STATE_REASON_SLEEPING);

@ -7433,12 +7414,10 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
            guint               i;

            if (nm_device_is_software(device)
-                && !nm_device_get_unmanaged_flags(device, NM_UNMANAGED_MANAGER_DISABLED)) {
+                && !nm_device_get_unmanaged_flags(device, NM_UNMANAGED_SLEEPING)) {
                /* DHCP leases of software devices could have gone stale
                 * so we need to renew them. */
-                nm_device_update_dynamic_ip_setup(device,
-                                                  waking_from_suspend ? "wake up"
-                                                                      : "networking on");
+                nm_device_update_dynamic_ip_setup(device, "wake up");
                continue;
            }

@ -7469,7 +7448,7 @@ do_sleep_wake(NMManager *self, gboolean sleeping_changed)
                    ? NM_DEVICE_STATE_REASON_CONNECTION_ASSUMED
                    : NM_DEVICE_STATE_REASON_NOW_MANAGED;
            nm_device_set_unmanaged_by_flags(device,
-                                             NM_UNMANAGED_MANAGER_DISABLED,
+                                             NM_UNMANAGED_SLEEPING,
                                             NM_UNMAN_FLAG_OP_SET_MANAGED,
                                             reason);
        }
@ -8832,41 +8811,6 @@ nm_manager_emit_device_ifindex_changed(NMManager *self, NMDevice *device)
    g_signal_emit(self, signals[DEVICE_IFINDEX_CHANGED], 0, device);
 }

-void
-nm_manager_update_shared_connection(NMManager *self, int addr_family, gboolean enabled)
-{
-    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
-    gboolean          state_changed, state;
-
-    /* Only IPv4 supported for the moment */
-    if (addr_family != AF_INET)
-        return;
-
-    if (enabled) {
-        g_return_if_fail(priv->shared_connections_ip4_count < G_MAXUINT);
-        priv->shared_connections_ip4_count++;
-        state_changed = priv->shared_connections_ip4_count == 1;
-    } else {
-        g_return_if_fail(priv->shared_connections_ip4_count > 0);
-        priv->shared_connections_ip4_count--;
-        state_changed = priv->shared_connections_ip4_count == 0;
-    }
-
-    if (state_changed) {
-        state = priv->shared_connections_ip4_count > 0;
-        _LOGD(LOGD_SHARING, "sharing-ipv4 state change %d -> %d", !state, state);
-        g_signal_emit(self, signals[SHARING_IPV4_CHANGED], 0, state);
-    }
-}
-
-gboolean
-nm_manager_get_sharing_ipv4(NMManager *self)
-{
-    NMManagerPrivate *priv = NM_MANAGER_GET_PRIVATE(self);
-
-    return priv->shared_connections_ip4_count > 0;
-}
-
 /*****************************************************************************/

 NM_DEFINE_SINGLETON_REGISTER(NMManager);
@ -9970,17 +9914,6 @@ nm_manager_class_init(NMManagerClass *manager_class)
                                                   G_TYPE_NONE,
                                                   1,
                                                   NM_TYPE_DEVICE);
-
-    signals[SHARING_IPV4_CHANGED] = g_signal_new(NM_MANAGER_SHARING_IPV4_CHANGED,
-                                                 G_OBJECT_CLASS_TYPE(object_class),
-                                                 G_SIGNAL_RUN_FIRST,
-                                                 0,
-                                                 NULL,
-                                                 NULL,
-                                                 NULL,
-                                                 G_TYPE_NONE,
-                                                 1,
-                                                 G_TYPE_BOOLEAN);
 }

 NMConfig *
--- a/src/core/nm-manager.h
+++ b/src/core/nm-manager.h
@ -61,7 +61,6 @@
 #define NM_MANAGER_CONFIGURE_QUIT            "configure-quit"
 #define NM_MANAGER_INTERNAL_DEVICE_ADDED     "internal-device-added"
 #define NM_MANAGER_INTERNAL_DEVICE_REMOVED   "internal-device-removed"
-#define NM_MANAGER_SHARING_IPV4_CHANGED      "sharing-ipv4-changed"

 GType nm_manager_get_type(void);

@ -213,9 +212,6 @@ struct _NMDnsManager;

 struct _NMDnsManager *nm_manager_get_dns_manager(NMManager *self);

-void     nm_manager_update_shared_connection(NMManager *self, int addr_family, gboolean enabled);
-gboolean nm_manager_get_sharing_ipv4(NMManager *self);
-
 /*****************************************************************************/

 void nm_manager_notify_delete_settings_connections(NMManager            *self,
--- a/src/core/nm-netns.c
+++ b/src/core/nm-netns.c
@ -68,7 +68,7 @@ typedef struct {
    NMPNetns         *platform_netns;
    NMPGlobalTracker *global_tracker;
    GHashTable       *l3cfgs;
-    GHashTable       *ip_reservation[_NM_NETNS_IP_RESERVATION_TYPE_NUM];
+    GHashTable       *shared_ips;
    GHashTable       *ecmp_track_by_obj;
    GHashTable       *ecmp_track_by_ecmpid;

@ -571,150 +571,106 @@ notify_watcher:

 /*****************************************************************************/

-typedef struct {
-    const char *name;
-    guint32     start_addr; /* host byte order */
-    guint       prefix_len;
-    guint       num_addrs;
-    gboolean    allow_reuse;
-} IPReservationTypeDesc;
-
-static const IPReservationTypeDesc ip_reservation_types[_NM_NETNS_IP_RESERVATION_TYPE_NUM] = {
-    [NM_NETNS_IP_RESERVATION_TYPE_SHARED4] =
-        {
-            .name        = "shared-ip4",
-            .start_addr  = 0x0a2a0001, /* 10.42.0.1 */
-            .prefix_len  = 24,
-            .num_addrs   = 256,
-            .allow_reuse = TRUE,
-        },
-};
-
-NMNetnsIPReservation *
-nm_netns_ip_reservation_get(NMNetns *self, NMNetnsIPReservationType type)
+NMNetnsSharedIPHandle *
+nm_netns_shared_ip_reserve(NMNetns *self)
 {
-    NMNetnsPrivate              *priv;
-    const IPReservationTypeDesc *desc;
-    NMNetnsIPReservation        *res;
-    GHashTable                 **table;
-    in_addr_t                    addr;
-    char                         buf[NM_INET_ADDRSTRLEN];
+    NMNetnsPrivate        *priv;
+    NMNetnsSharedIPHandle *handle;
+    const in_addr_t        addr_start = ntohl(0x0a2a0001u); /* 10.42.0.1 */
+    in_addr_t              addr;
+    char                   sbuf_addr[NM_INET_ADDRSTRLEN];
+
+    /* Find an unused address in the 10.42.x.x range */

    g_return_val_if_fail(NM_IS_NETNS(self), NULL);
-    g_return_val_if_fail(type < _NM_NETNS_IP_RESERVATION_TYPE_NUM, NULL);

-    priv  = NM_NETNS_GET_PRIVATE(self);
-    desc  = &ip_reservation_types[type];
-    table = &priv->ip_reservation[type];
+    priv = NM_NETNS_GET_PRIVATE(self);

-    if (!*table) {
-        addr   = htonl(desc->start_addr);
-        *table = g_hash_table_new(nm_puint32_hash, nm_puint32_equal);
+    if (!priv->shared_ips) {
+        addr             = addr_start;
+        priv->shared_ips = g_hash_table_new(nm_puint32_hash, nm_puint32_equal);
        g_object_ref(self);
    } else {
        guint32 count;

-        nm_assert(g_hash_table_size(*table) > 0);
-        nm_assert(desc->prefix_len > 0 && desc->prefix_len <= 32);
+        nm_assert(g_hash_table_size(priv->shared_ips) > 0);

        count = 0u;
        for (;;) {
-            addr = htonl(desc->start_addr + (count << (32 - desc->prefix_len)));
+            addr = addr_start + htonl(count << 8u);

-            res = g_hash_table_lookup(*table, &addr);
-            if (!res)
+            handle = g_hash_table_lookup(priv->shared_ips, &addr);
+            if (!handle)
                break;

            count++;

-            if (count >= desc->num_addrs) {
-                if (!desc->allow_reuse) {
-                    _LOGE("%s: ran out of IP addresses", desc->name);
-                    return NULL;
-                }
-
-                if (res->_ref_count == 1) {
-                    _LOGE("%s: ran out of IP addresses. Reuse %s/%u",
-                          desc->name,
-                          nm_inet4_ntop(res->addr, buf),
-                          desc->prefix_len);
+            if (count > 0xFFu) {
+                if (handle->_ref_count == 1) {
+                    _LOGE("shared-ip4: ran out of shared IP addresses. Reuse %s/24",
+                          nm_inet4_ntop(handle->addr, sbuf_addr));
                } else {
-                    _LOGD("%s: reserved IP address %s/%u (duplicate)",
-                          desc->name,
-                          nm_inet4_ntop(res->addr, buf),
-                          desc->prefix_len);
+                    _LOGD("shared-ip4: reserved IP address range %s/24 (duplicate)",
+                          nm_inet4_ntop(handle->addr, sbuf_addr));
                }
-                res->_ref_count++;
-                return res;
+                handle->_ref_count++;
+                return handle;
            }
        }
    }

-    res  = g_slice_new(NMNetnsIPReservation);
-    *res = (NMNetnsIPReservation) {
+    handle  = g_slice_new(NMNetnsSharedIPHandle);
+    *handle = (NMNetnsSharedIPHandle) {
        .addr       = addr,
        ._ref_count = 1,
        ._self      = self,
-        ._type      = type,
    };

-    g_hash_table_add(*table, res);
+    g_hash_table_add(priv->shared_ips, handle);

-    _LOGD("%s: reserved IP address %s/%u",
-          desc->name,
-          nm_inet4_ntop(res->addr, buf),
-          desc->prefix_len);
-    return res;
+    _LOGD("shared-ip4: reserved IP address range %s/24", nm_inet4_ntop(handle->addr, sbuf_addr));
+    return handle;
 }

 void
-nm_netns_ip_reservation_release(NMNetnsIPReservation *res)
+nm_netns_shared_ip_release(NMNetnsSharedIPHandle *handle)
 {
-    NMNetns                     *self;
-    NMNetnsPrivate              *priv;
-    const IPReservationTypeDesc *desc;
-    GHashTable                 **table;
-    char                         buf[NM_INET_ADDRSTRLEN];
+    NMNetns        *self;
+    NMNetnsPrivate *priv;
+    char            sbuf_addr[NM_INET_ADDRSTRLEN];

-    g_return_if_fail(res);
-    g_return_if_fail(res->_type < _NM_NETNS_IP_RESERVATION_TYPE_NUM);
+    g_return_if_fail(handle);
+
+    self = handle->_self;

-    self = res->_self;
    g_return_if_fail(NM_IS_NETNS(self));

-    priv  = NM_NETNS_GET_PRIVATE(self);
-    desc  = &ip_reservation_types[res->_type];
-    table = &priv->ip_reservation[res->_type];
+    priv = NM_NETNS_GET_PRIVATE(self);

-    nm_assert(res->_ref_count > 0);
-    nm_assert(res == nm_g_hash_table_lookup(*table, res));
+    nm_assert(handle->_ref_count > 0);
+    nm_assert(handle == nm_g_hash_table_lookup(priv->shared_ips, handle));

-    if (res->_ref_count > 1) {
-        nm_assert(desc->allow_reuse);
-        res->_ref_count--;
-        _LOGD("%s: release IP address reservation %s/%u (%d more references held)",
-              desc->name,
-              nm_inet4_ntop(res->addr, buf),
-              desc->prefix_len,
-              res->_ref_count);
+    if (handle->_ref_count > 1) {
+        nm_assert(handle->addr == ntohl(0x0A2AFF01u)); /* 10.42.255.1 */
+        handle->_ref_count--;
+        _LOGD("shared-ip4: release IP address range %s/24 (%d more references held)",
+              nm_inet4_ntop(handle->addr, sbuf_addr),
+              handle->_ref_count);
        return;
    }

-    if (!g_hash_table_remove(*table, res))
+    if (!g_hash_table_remove(priv->shared_ips, handle))
        nm_assert_not_reached();

-    _LOGD("%s: release IP address reservation %s/%u",
-          desc->name,
-          nm_inet4_ntop(res->addr, buf),
-          desc->prefix_len);
-
-    if (g_hash_table_size(*table) == 0) {
-        nm_clear_pointer(table, g_hash_table_unref);
+    if (g_hash_table_size(priv->shared_ips) == 0) {
+        nm_clear_pointer(&priv->shared_ips, g_hash_table_unref);
        g_object_unref(self);
    }

-    res->_self = NULL;
-    nm_g_slice_free(res);
+    _LOGD("shared-ip4: release IP address range %s/24", nm_inet4_ntop(handle->addr, sbuf_addr));
+
+    handle->_self = NULL;
+    nm_g_slice_free(handle);
 }

 /*****************************************************************************/
@ -1604,14 +1560,11 @@ dispose(GObject *object)

    nm_assert(nm_g_hash_table_size(priv->l3cfgs) == 0);
    nm_assert(c_list_is_empty(&priv->l3cfg_signal_pending_lst_head));
+    nm_assert(!priv->shared_ips);
    nm_assert(nm_g_hash_table_size(priv->watcher_idx) == 0);
    nm_assert(nm_g_hash_table_size(priv->watcher_by_tag_idx) == 0);
    nm_assert(nm_g_hash_table_size(priv->watcher_ip_data_idx) == 0);

-    for (guint i = 0; i < _NM_NETNS_IP_RESERVATION_TYPE_NUM; i++) {
-        nm_assert(!priv->ip_reservation[i]);
-    }
-
    nm_clear_pointer(&priv->ecmp_track_by_obj, g_hash_table_destroy);
    nm_clear_pointer(&priv->ecmp_track_by_ecmpid, g_hash_table_destroy);

--- a/src/core/nm-netns.h
+++ b/src/core/nm-netns.h
@ -41,22 +41,15 @@ NML3Cfg *nm_netns_l3cfg_acquire(NMNetns *netns, int ifindex);

 /*****************************************************************************/

-typedef enum {
-    NM_NETNS_IP_RESERVATION_TYPE_SHARED4,
-
-    _NM_NETNS_IP_RESERVATION_TYPE_NUM,
-} NMNetnsIPReservationType;
-
 typedef struct {
-    in_addr_t                addr;
-    int                      _ref_count;
-    NMNetnsIPReservationType _type;
-    NMNetns                 *_self;
-} NMNetnsIPReservation;
+    in_addr_t addr;
+    int       _ref_count;
+    NMNetns  *_self;
+} NMNetnsSharedIPHandle;

-NMNetnsIPReservation *nm_netns_ip_reservation_get(NMNetns *self, NMNetnsIPReservationType type);
+NMNetnsSharedIPHandle *nm_netns_shared_ip_reserve(NMNetns *self);

-void nm_netns_ip_reservation_release(NMNetnsIPReservation *reservation);
+void nm_netns_shared_ip_release(NMNetnsSharedIPHandle *handle);

 /*****************************************************************************/

--- a/src/core/nm-policy.c
+++ b/src/core/nm-policy.c
@ -18,6 +18,7 @@
 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
 #include "devices/nm-device-factory.h"
+#include "devices/nm-device-private.h"
 #include "dns/nm-dns-manager.h"
 #include "nm-act-request.h"
 #include "nm-auth-utils.h"
@ -97,7 +98,6 @@ typedef struct {
    bool updating_dns : 1;

    GArray *ip6_prefix_delegations; /* pool of ip6 prefixes delegated to all devices */
-
 } NMPolicyPrivate;

 struct _NMPolicy {
@ -1845,7 +1845,7 @@ nm_policy_device_recheck_auto_activate_schedule(NMPolicy *self, NMDevice *device

    priv = NM_POLICY_GET_PRIVATE(self);

-    if (nm_manager_get_state(priv->manager) == NM_STATE_DISABLED)
+    if (nm_manager_get_state(priv->manager) == NM_STATE_ASLEEP)
        return;

    if (!nm_device_autoconnect_allowed(device))
@ -2083,6 +2083,65 @@ unblock_autoconnect_for_ports_for_sett_conn(NMPolicy *self, NMSettingsConnection
    unblock_autoconnect_for_ports(self, controller_device, controller_uuid_settings, NULL);
 }

+static void
+refresh_forwarding(NMPolicy *self, NMDevice *device, gboolean is_activated_shared_device)
+{
+    NMActiveConnection *ac;
+    NMDevice           *tmp_device;
+    NMPolicyPrivate    *priv = NM_POLICY_GET_PRIVATE(self);
+    const CList        *tmp_lst;
+    gboolean            any_shared_active = false;
+    gint32              default_forwarding_v4;
+    const char         *new_value = NULL;
+
+    /* FIXME: This implementation is still inefficient because refresh_forwarding()
+     * is called every time a device goes up or down, requiring a full scan of all
+     * active connections to determine if any shared connection is active. */
+    nm_manager_for_each_active_connection (priv->manager, ac, tmp_lst) {
+        NMSettingIPConfig *s_ip;
+        NMDevice          *to_device = nm_active_connection_get_device(ac);
+
+        if (to_device) {
+            s_ip = nm_device_get_applied_setting(to_device, NM_TYPE_SETTING_IP4_CONFIG);
+            if (s_ip) {
+                if (nm_streq0(nm_device_get_effective_ip_config_method(to_device, AF_INET),
+                              NM_SETTING_IP4_CONFIG_METHOD_SHARED)) {
+                    any_shared_active = true;
+                    break;
+                }
+            }
+        }
+    }
+
+    default_forwarding_v4 = nm_platform_sysctl_get_int32(
+        NM_PLATFORM_GET,
+        NMP_SYSCTL_PATHID_ABSOLUTE("/proc/sys/net/ipv4/conf/default/forwarding"),
+        0);
+
+    new_value = any_shared_active ? "1" : (default_forwarding_v4 ? "1" : "0");
+
+    nm_manager_for_each_device (priv->manager, tmp_device, tmp_lst) {
+        NMDeviceState               state;
+        NMSettingIPConfigForwarding ipv4_forwarding;
+
+        state = nm_device_get_state(tmp_device);
+        if (state != NM_DEVICE_STATE_ACTIVATED)
+            continue;
+
+        ipv4_forwarding = nm_device_get_ipv4_forwarding(tmp_device);
+
+        if (ipv4_forwarding == NM_SETTING_IP_CONFIG_FORWARDING_AUTO
+            || (device == tmp_device && is_activated_shared_device)) {
+            gs_free char *sysctl_value = NULL;
+
+            sysctl_value = nm_device_sysctl_ip_conf_get(tmp_device, AF_INET, "forwarding");
+
+            if (!nm_streq0(sysctl_value, new_value))
+                nm_device_sysctl_ip_conf_set(tmp_device, AF_INET, "forwarding", new_value);
+        }
+    }
+}
+
 static void
 activate_port_or_children_connections(NMPolicy *self,
                                      NMDevice *device,
@ -2227,8 +2286,9 @@ device_state_changed(NMDevice           *device,
    NMPolicyPrivate      *priv = user_data;
    NMPolicy             *self = _PRIV_TO_SELF(priv);
    NMActiveConnection   *ac;
-    NMSettingsConnection *sett_conn = nm_device_get_settings_connection(device);
-    NMSettingConnection  *s_con     = NULL;
+    NMSettingsConnection *sett_conn                  = nm_device_get_settings_connection(device);
+    NMSettingConnection  *s_con                      = NULL;
+    gboolean              is_activated_shared_device = FALSE;

    switch (nm_device_state_reason_check(reason)) {
    case NM_DEVICE_STATE_REASON_GSM_SIM_PIN_REQUIRED:
@ -2344,6 +2404,10 @@ device_state_changed(NMDevice           *device,
                }
            }
        }
+        if (!nm_device_get_refresh_forwarding_done(device)) {
+            refresh_forwarding(self, device, FALSE);
+            nm_device_set_refresh_forwarding_done(device, TRUE);
+        }
        break;
    case NM_DEVICE_STATE_ACTIVATED:
        if (nm_device_get_device_type(device) == NM_DEVICE_TYPE_OVS_INTERFACE) {
@ -2353,10 +2417,7 @@ device_state_changed(NMDevice           *device,
        }
        if (sett_conn) {
            /* Reset auto retries back to default since connection was successful */
-            nm_manager_devcon_autoconnect_reset_reconnect_all(priv->manager,
-                                                              device,
-                                                              sett_conn,
-                                                              FALSE);
+            nm_manager_devcon_autoconnect_retries_reset(priv->manager, device, sett_conn);
        }

        /* Since there is no guarantee that device_l3cd_changed() is called
@ -2379,11 +2440,20 @@ device_state_changed(NMDevice           *device,
        update_system_hostname(self, "routing and dns", TRUE);
        nm_dns_manager_end_updates(priv->dns_manager, __func__);

+        is_activated_shared_device =
+            nm_streq0(nm_device_get_effective_ip_config_method(device, AF_INET),
+                      NM_SETTING_IP4_CONFIG_METHOD_SHARED);
+        refresh_forwarding(self, device, is_activated_shared_device);
+        nm_device_set_refresh_forwarding_done(device, FALSE);
        break;
    case NM_DEVICE_STATE_UNMANAGED:
    case NM_DEVICE_STATE_UNAVAILABLE:
        if (old_state > NM_DEVICE_STATE_DISCONNECTED)
            update_routing_and_dns(self, FALSE, device);
+        if (!nm_device_get_refresh_forwarding_done(device)) {
+            refresh_forwarding(self, device, FALSE);
+            nm_device_set_refresh_forwarding_done(device, TRUE);
+        }
        break;
    case NM_DEVICE_STATE_DEACTIVATING:
        if (sett_conn) {
@ -2419,6 +2489,10 @@ device_state_changed(NMDevice           *device,
            }
        }
        ip6_remove_device_prefix_delegations(self, device);
+        if (!nm_device_get_refresh_forwarding_done(device)) {
+            refresh_forwarding(self, device, FALSE);
+            nm_device_set_refresh_forwarding_done(device, TRUE);
+        }
        break;
    case NM_DEVICE_STATE_DISCONNECTED:
        g_signal_handlers_disconnect_by_func(device, device_dns_lookup_done, self);
@ -2435,6 +2509,10 @@ device_state_changed(NMDevice           *device,

        /* Device is now available for auto-activation */
        nm_policy_device_recheck_auto_activate_schedule(self, device);
+        if (!nm_device_get_refresh_forwarding_done(device)) {
+            refresh_forwarding(self, device, FALSE);
+            nm_device_set_refresh_forwarding_done(device, TRUE);
+        }
        break;

    case NM_DEVICE_STATE_PREPARE:
@ -2450,6 +2528,10 @@ device_state_changed(NMDevice           *device,
            g_object_weak_unref(G_OBJECT(ac), pending_ac_gone, self);
            g_object_unref(self);
        }
+        if (!nm_device_get_refresh_forwarding_done(device)) {
+            refresh_forwarding(self, device, FALSE);
+            nm_device_set_refresh_forwarding_done(device, TRUE);
+        }
        break;
    case NM_DEVICE_STATE_IP_CONFIG:
        /* We must have secrets if we got here. */
@ -2460,6 +2542,10 @@ device_state_changed(NMDevice           *device,
                sett_conn,
                NM_SETTINGS_AUTOCONNECT_BLOCKED_REASON_FAILED,
                FALSE);
+        if (!nm_device_get_refresh_forwarding_done(device)) {
+            refresh_forwarding(self, device, FALSE);
+            nm_device_set_refresh_forwarding_done(device, TRUE);
+        }
        break;
    case NM_DEVICE_STATE_SECONDARIES:
        if (sett_conn)
--- a/src/core/platform/tests/monitor.c
+++ b/src/core/platform/tests/monitor.c
@ -186,7 +186,6 @@ ip_again:
                               00644,
                               NULL,
                               NULL,
-                               NULL,
                               NULL);

    nm_log_dbg(LOGD_PLATFORM, "dump to file complete");
--- a/src/core/platform/tests/test-link.c
+++ b/src/core/platform/tests/test-link.c
@ -123,8 +123,7 @@ software_add(NMLinkType link_type, const char *name)
        gboolean bond0_exists = !!nm_platform_link_get_by_ifname(NM_PLATFORM_GET, "bond0");
        int      r;
        const NMPlatformLnkBond nm_platform_lnk_bond_default = {
-            .mode        = nmtst_rand_select(3, 1),
-            .use_carrier = 1,
+            .mode = nmtst_rand_select(3, 1),
        };

        r = nm_platform_link_bond_add(NM_PLATFORM_GET, name, &nm_platform_lnk_bond_default, NULL);
--- a/src/core/settings/nm-settings-storage.h
+++ b/src/core/settings/nm-settings-storage.h
@ -27,19 +27,6 @@

 struct _NMSettingsPlugin;

-/**
- * NMSettingsStorage:
- * @_plugin: The settings plugin that provides this storage.
- * @_uuid: UUID of the profile represented by this storage.
- * @_filename: Backing filename (can be NULL for in-memory or meta-data).
- * @_storage_lst: Node in the per-plugin storage list.
- * @_storage_by_uuid_lst: Node in the per-UUID storage list.
- *
- * Describes the origin and identity of one profile instance as provided by a
- * specific settings plugin and (optionally) a backing file. A single UUID may
- * have multiple storages from different plugins; plugin order determines
- * priority.
- */
 typedef struct NMSettingsStorage {
    GObject                   parent;
    struct _NMSettingsPlugin *_plugin;
--- a/src/core/settings/nm-settings.c
+++ b/src/core/settings/nm-settings.c
@ -76,17 +76,6 @@ static NM_CACHED_QUARK_FCN("default-wired-connection-blocked",

 /*****************************************************************************/

-/**
- * StorageData:
- * @sd_lst: Node used in per-UUID storage lists.
- * @storage: Storage provider instance for this UUID.
- * @connection: Connection object backed by @storage, or NULL for meta-data.
- * @prioritize: Request to prioritize this storage during merge.
- *
- * Per-UUID storage entry used to accumulate and merge updates from plugins.
- * Items live temporarily in the dirty list and are merged into the current list
- * with stable priority ordering.
- */
 typedef struct _StorageData {
    CList              sd_lst;
    NMSettingsStorage *storage;
@ -176,20 +165,6 @@ _storage_data_is_alive(StorageData *sd)

 /*****************************************************************************/

-/**
- * SettConnEntry:
- * @uuid: Normalized UUID key for this entry (points to @_uuid_data).
- * @sett_conn: Current NMSettingsConnection selected for @uuid, or NULL.
- * @storage: The storage that currently owns @sett_conn, or NULL.
- * @sd_lst_head: Head of current storages list for @uuid (high to low priority).
- * @dirty_sd_lst_head: Head of pending storage updates to merge.
- * @sce_dirty_lst: Node in the global dirty queue.
- * @_uuid_data: Inline storage backing @uuid.
- *
- * Tracks one connection profile across all storages and its dirty state.
- * It holds the authoritative in-memory connection and the sets of storages
- * providing or updating it.
- */
 typedef struct {
    const char           *uuid;
    NMSettingsConnection *sett_conn;
@ -1393,11 +1368,10 @@ _connection_changed_track(NMSettings        *self,
                          NMConnection      *connection,
                          gboolean           prioritize)
 {
-    NMSettingsPrivate    *priv = NM_SETTINGS_GET_PRIVATE(self);
-    SettConnEntry        *sett_conn_entry;
-    StorageData          *sd;
-    const char           *uuid;
-    gs_free_error GError *error = NULL;
+    NMSettingsPrivate *priv = NM_SETTINGS_GET_PRIVATE(self);
+    SettConnEntry     *sett_conn_entry;
+    StorageData       *sd;
+    const char        *uuid;

    nm_assert_valid_settings_storage(NULL, storage);

@ -1408,17 +1382,6 @@ _connection_changed_track(NMSettings        *self,
              || (_nm_connection_verify(connection, NULL) == NM_SETTING_VERIFY_SUCCESS));
    nm_assert(!connection || nm_streq0(uuid, nm_connection_get_uuid(connection)));

-    if (connection && !nm_utils_connection_supported(connection, &error)) {
-        _LOGD("storage[%s," NM_SETTINGS_STORAGE_PRINT_FMT
-              "]: ignoring connection \"%s\" from file \"%s\": %s",
-              uuid,
-              NM_SETTINGS_STORAGE_PRINT_ARG(storage),
-              nm_connection_get_id(connection),
-              nm_settings_storage_get_filename(storage),
-              error->message);
-        connection = NULL;
-    }
-
    nm_assert_connection_unchanging(connection);

    sett_conn_entry =
@ -1888,9 +1851,6 @@ nm_settings_add_connection(NMSettings                     *self,

    NM_SET_OUT(out_sett_conn, NULL);

-    if (!nm_utils_connection_supported(connection, error))
-        return FALSE;
-
    uuid = nm_connection_get_uuid(connection);

    sett_conn_entry = _sett_conn_entries_get(self, uuid);
--- a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+++ b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
@ -77,7 +77,7 @@ get_full_file_path(const char *ifcfg_path, const char *file_path)
 {
    const char   *base    = file_path;
    gs_free char *dirname = NULL;
-    const char   *p;
+    char         *p;

    g_return_val_if_fail(ifcfg_path != NULL, NULL);
    g_return_val_if_fail(file_path != NULL, NULL);
@ -2056,9 +2056,8 @@ make_ip4_setting(shvarFile *ifcfg,
         * Pick up just IPv4 addresses (IPv6 addresses are taken by make_ip6_setting())
         */
        for (i = 1; i < 10000; i++) {
-            NMDnsServer           dns;
-            char                  tag[256];
-            gs_free_error GError *local = NULL;
+            NMDnsServer dns;
+            char        tag[256];

            numbered_tag(tag, "DNS", i);
            nm_clear_g_free(&value);
@ -2066,13 +2065,12 @@ make_ip4_setting(shvarFile *ifcfg,
            if (!v)
                break;

-            if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns, &local)) {
+            if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns)) {
                g_set_error(error,
                            NM_SETTINGS_ERROR,
                            NM_SETTINGS_ERROR_INVALID_CONNECTION,
-                            "Invalid DNS server address '%s': %s",
-                            v,
-                            local->message);
+                            "Invalid DNS server address '%s'",
+                            v);
                return NULL;
            }

@ -2609,9 +2607,8 @@ make_ip6_setting(shvarFile *ifcfg, shvarFile *network_ifcfg, gboolean routes_rea
     * Pick up just IPv6 addresses (IPv4 addresses are taken by make_ip4_setting())
     */
    for (i = 1; i < 10000; i++) {
-        gs_free_error GError *err = NULL;
-        NMDnsServer           dns;
-        char                  tag[256];
+        NMDnsServer dns;
+        char        tag[256];

        numbered_tag(tag, "DNS", i);
        nm_clear_g_free(&value);
@ -2619,15 +2616,14 @@ make_ip6_setting(shvarFile *ifcfg, shvarFile *network_ifcfg, gboolean routes_rea
        if (!v)
            break;

-        if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns, &err)) {
+        if (!nm_dns_uri_parse(AF_UNSPEC, v, &dns)) {
            if (is_disabled)
                continue;
            g_set_error(error,
                        NM_SETTINGS_ERROR,
                        NM_SETTINGS_ERROR_INVALID_CONNECTION,
-                        "Invalid DNS server address '%s': %s",
-                        v,
-                        err->message);
+                        "Invalid DNS server address '%s'",
+                        v);
            return NULL;
        }
        if (dns.addr_family == AF_INET6) {
--- a/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+++ b/src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
@ -320,7 +320,6 @@ write_blobs(GHashTable *blobs, GError **error)
                                        0600,
                                        NULL,
                                        NULL,
-                                        NULL,
                                        &write_error)) {
            g_set_error(error,
                        NM_SETTINGS_ERROR,
@ -3627,14 +3626,6 @@ do_write_construct(NMConnection                   *connection,

    write_ip_routing_rules(connection, ifcfg, route_ignore);

-    if (nm_setting_connection_get_dnssec(s_con) != NM_SETTING_CONNECTION_DNSSEC_DEFAULT) {
-        set_error_unsupported(error,
-                              connection,
-                              NM_SETTING_CONNECTION_SETTING_NAME "." NM_SETTING_CONNECTION_DNSSEC,
-                              TRUE);
-        return FALSE;
-    }
-
    write_connection_setting(s_con, ifcfg, interface_name);

    NM_SET_OUT(out_ifcfg, g_steal_pointer(&ifcfg));
--- a/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
+++ b/src/core/settings/plugins/keyfile/nms-keyfile-utils.c
@ -280,7 +280,6 @@ nms_keyfile_nmmeta_write(const char *dirname,
                                        length,
                                        0600,
                                        NULL,
-                                        NULL,
                                        &errsv,
                                        NULL)) {
            NM_SET_OUT(out_full_filename, g_steal_pointer(&full_filename_tmp));
--- a/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
+++ b/src/core/settings/plugins/keyfile/nms-keyfile-writer.c
@ -133,7 +133,6 @@ cert_writer(NMConnection                     *connection,
                                             0600,
                                             NULL,
                                             NULL,
-                                             NULL,
                                             &local);
        if (success) {
            /* Write the path value to the keyfile.
@ -385,14 +384,7 @@ _internal_write_connection(NMConnection                   *connection,
        }
    }

-    nm_utils_file_set_contents(path,
-                               kf_content_buf,
-                               kf_content_len,
-                               0600,
-                               NULL,
-                               NULL,
-                               NULL,
-                               &local_err);
+    nm_utils_file_set_contents(path, kf_content_buf, kf_content_len, 0600, NULL, NULL, &local_err);
    if (local_err) {
        g_set_error(error,
                    NM_SETTINGS_ERROR,
--- a/src/core/settings/plugins/keyfile/tests/keyfiles/Test_Write_GSM
+++ b/src/core/settings/plugins/keyfile/tests/keyfiles/Test_Write_GSM
@ -8,7 +8,6 @@ timestamp=305415219
 [gsm]
 apn=internet2.voicestream.com
 device-id=da812de91eec16620b06cd0ca5cbc7ea25245222
-device-uid=MODEM1
 home-only=true
 network-id=254098
 password=parliament2
--- a/src/core/settings/plugins/keyfile/tests/test-keyfile-settings.c
+++ b/src/core/settings/plugins/keyfile/tests/test-keyfile-settings.c
@ -1408,8 +1408,6 @@ test_write_gsm_connection(void)
                 "89148000000060671234",
                 NM_SETTING_GSM_SIM_OPERATOR_ID,
                 "310260",
-                 NM_SETTING_GSM_DEVICE_UID,
-                 "MODEM1",
                 NULL);

    write_test_connection_and_reread(connection, TRUE, TEST_KEYFILES_DIR "/Test_Write_GSM");
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@ -30,7 +30,6 @@ typedef struct {
 typedef struct {
    GHashTable    *config;
    GHashTable    *blobs;
-    char          *private_user;
    NMSupplCapMask capabilities;
    guint32        ap_scan;
    bool           fast_required : 1;
@ -61,7 +60,7 @@ _get_capability(NMSupplicantConfigPrivate *priv, NMSupplCapType type)
 }

 NMSupplicantConfig *
-nm_supplicant_config_new(NMSupplCapMask capabilities, const char *private_user)
+nm_supplicant_config_new(NMSupplCapMask capabilities)
 {
    NMSupplicantConfigPrivate *priv;
    NMSupplicantConfig        *self;
@ -70,7 +69,6 @@ nm_supplicant_config_new(NMSupplCapMask capabilities, const char *private_user)
    priv = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);

    priv->capabilities = capabilities;
-    priv->private_user = g_strdup(private_user);

    return self;
 }
@ -260,19 +258,19 @@ static gboolean
 nm_supplicant_config_add_blob_for_connection(NMSupplicantConfig *self,
                                             GBytes             *field,
                                             const char         *name,
-                                             const char         *con_uuid,
+                                             const char         *con_uid,
                                             GError            **error)
 {
    if (field && g_bytes_get_size(field)) {
-        gs_free char *blob_id = NULL;
+        gs_free char *uid = NULL;
        char         *p;

-        blob_id = g_strdup_printf("%s-%s", con_uuid, name);
-        for (p = blob_id; *p; p++) {
+        uid = g_strdup_printf("%s-%s", con_uid, name);
+        for (p = uid; *p; p++) {
            if (*p == '/')
                *p = '-';
        }
-        if (!nm_supplicant_config_add_blob(self, name, field, blob_id, error))
+        if (!nm_supplicant_config_add_blob(self, name, field, uid, error))
            return FALSE;
    }
    return TRUE;
@ -285,7 +283,6 @@ nm_supplicant_config_finalize(GObject *object)

    g_hash_table_destroy(priv->config);
    nm_clear_pointer(&priv->blobs, g_hash_table_destroy);
-    nm_clear_pointer(&priv->private_user, g_free);

    G_OBJECT_CLASS(nm_supplicant_config_parent_class)->finalize(object);
 }
@ -933,7 +930,6 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                   guint32                       mtu,
                                                   NMSettingWirelessSecurityPmf  pmf,
                                                   NMSettingWirelessSecurityFils fils,
-                                                   GHashTable                   *files,
                                                   GError                      **error)
 {
    NMSupplicantConfigPrivate    *priv          = NM_SUPPLICANT_CONFIG_GET_PRIVATE(self);
@ -1288,7 +1284,6 @@ nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                        con_uuid,
                                                        mtu,
                                                        FALSE,
-                                                        files,
                                                        error))
                return FALSE;
        }
@ -1370,7 +1365,6 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
                                       const char         *con_uuid,
                                       guint32             mtu,
                                       gboolean            wired,
-                                       GHashTable         *files,
                                       GError            **error)
 {
    NMSupplicantConfigPrivate    *priv;
@ -1600,21 +1594,24 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    }

    /* CA certificate */
-    path  = NULL;
-    bytes = NULL;
    if (ca_cert_override) {
-        /* This is a build-time-configured system-wide file path, no need to pass
-         * it as a blob */
-        path = ca_cert_override;
+        if (!add_string_val(self, ca_cert_override, "ca_cert", FALSE, NULL, error))
+            return FALSE;
    } else {
        switch (nm_setting_802_1x_get_ca_cert_scheme(setting)) {
        case NM_SETTING_802_1X_CK_SCHEME_BLOB:
            bytes = nm_setting_802_1x_get_ca_cert_blob(setting);
+            if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                              bytes,
+                                                              "ca_cert",
+                                                              con_uuid,
+                                                              error))
+                return FALSE;
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PATH:
            path = nm_setting_802_1x_get_ca_cert_path(setting);
-            if (priv->private_user)
-                bytes = nm_g_hash_table_lookup(files, path);
+            if (!add_string_val(self, path, "ca_cert", FALSE, NULL, error))
+                return FALSE;
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
            if (!add_pkcs11_uri_with_pin(self,
@ -1630,32 +1627,26 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            break;
        }
    }
-    if (bytes) {
-        if (!nm_supplicant_config_add_blob_for_connection(self, bytes, "ca_cert", con_uuid, error))
-            return FALSE;
-    } else if (path) {
-        /* Private connections cannot use paths other than the system CA store */
-        g_return_val_if_fail(ca_cert_override || !priv->private_user, FALSE);
-        if (!add_string_val(self, path, "ca_cert", FALSE, NULL, error))
-            return FALSE;
-    }

    /* Phase 2 CA certificate */
-    path  = NULL;
-    bytes = NULL;
    if (ca_cert_override) {
-        /* This is a build-time-configured system-wide file path, no need to pass
-         * it as a blob */
-        path = ca_cert_override;
+        if (!add_string_val(self, ca_cert_override, "ca_cert2", FALSE, NULL, error))
+            return FALSE;
    } else {
        switch (nm_setting_802_1x_get_phase2_ca_cert_scheme(setting)) {
        case NM_SETTING_802_1X_CK_SCHEME_BLOB:
            bytes = nm_setting_802_1x_get_phase2_ca_cert_blob(setting);
+            if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                              bytes,
+                                                              "ca_cert2",
+                                                              con_uuid,
+                                                              error))
+                return FALSE;
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PATH:
            path = nm_setting_802_1x_get_phase2_ca_cert_path(setting);
-            if (priv->private_user)
-                bytes = nm_g_hash_table_lookup(files, path);
+            if (!add_string_val(self, path, "ca_cert2", FALSE, NULL, error))
+                return FALSE;
            break;
        case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
            if (!add_pkcs11_uri_with_pin(
@ -1672,15 +1663,6 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            break;
        }
    }
-    if (bytes) {
-        if (!nm_supplicant_config_add_blob_for_connection(self, bytes, "ca_cert2", con_uuid, error))
-            return FALSE;
-    } else if (path) {
-        /* Private connections cannot use paths other than the system CA store */
-        g_return_val_if_fail(ca_cert_override || !priv->private_user, FALSE);
-        if (!add_string_val(self, path, "ca_cert2", FALSE, NULL, error))
-            return FALSE;
-    }

    /* Subject match */
    value = nm_setting_802_1x_get_subject_match(setting);
@ -1732,17 +1714,21 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,

    /* Private key */
    added = FALSE;
-    path  = NULL;
-    bytes = NULL;
    switch (nm_setting_802_1x_get_private_key_scheme(setting)) {
    case NM_SETTING_802_1X_CK_SCHEME_BLOB:
        bytes = nm_setting_802_1x_get_private_key_blob(setting);
+        if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                          bytes,
+                                                          "private_key",
+                                                          con_uuid,
+                                                          error))
+            return FALSE;
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PATH:
        path = nm_setting_802_1x_get_private_key_path(setting);
-        if (priv->private_user)
-            bytes = nm_g_hash_table_lookup(files, path);
+        if (!add_string_val(self, path, "private_key", FALSE, NULL, error))
+            return FALSE;
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
@ -1759,19 +1745,6 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    default:
        break;
    }
-    if (bytes) {
-        if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                          bytes,
-                                                          "private_key",
-                                                          con_uuid,
-                                                          error))
-            return FALSE;
-    } else if (path) {
-        /* Private connections cannot use paths */
-        g_return_val_if_fail(!priv->private_user, FALSE);
-        if (!add_string_val(self, path, "private_key", FALSE, NULL, error))
-            return FALSE;
-    }

    if (added) {
        NMSetting8021xCKFormat format;
@ -1795,16 +1768,20 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            /* Only add the client cert if the private key is not PKCS#12, as
             * wpa_supplicant configuration directs us to do.
             */
-            path  = NULL;
-            bytes = NULL;
            switch (nm_setting_802_1x_get_client_cert_scheme(setting)) {
            case NM_SETTING_802_1X_CK_SCHEME_BLOB:
                bytes = nm_setting_802_1x_get_client_cert_blob(setting);
+                if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                                  bytes,
+                                                                  "client_cert",
+                                                                  con_uuid,
+                                                                  error))
+                    return FALSE;
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PATH:
                path = nm_setting_802_1x_get_client_cert_path(setting);
-                if (priv->private_user)
-                    bytes = nm_g_hash_table_lookup(files, path);
+                if (!add_string_val(self, path, "client_cert", FALSE, NULL, error))
+                    return FALSE;
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
                if (!add_pkcs11_uri_with_pin(
@ -1820,35 +1797,26 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            default:
                break;
            }
-            if (bytes) {
-                if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                                  bytes,
-                                                                  "client_cert",
-                                                                  con_uuid,
-                                                                  error))
-                    return FALSE;
-            } else if (path) {
-                /* Private connections cannot use paths */
-                g_return_val_if_fail(!priv->private_user, FALSE);
-                if (!add_string_val(self, path, "client_cert", FALSE, NULL, error))
-                    return FALSE;
-            }
        }
    }

    /* Phase 2 private key */
    added = FALSE;
-    path  = NULL;
-    bytes = NULL;
    switch (nm_setting_802_1x_get_phase2_private_key_scheme(setting)) {
    case NM_SETTING_802_1X_CK_SCHEME_BLOB:
        bytes = nm_setting_802_1x_get_phase2_private_key_blob(setting);
+        if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                          bytes,
+                                                          "private_key2",
+                                                          con_uuid,
+                                                          error))
+            return FALSE;
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PATH:
        path = nm_setting_802_1x_get_phase2_private_key_path(setting);
-        if (priv->private_user)
-            bytes = nm_g_hash_table_lookup(files, path);
+        if (!add_string_val(self, path, "private_key2", FALSE, NULL, error))
+            return FALSE;
        added = TRUE;
        break;
    case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
@ -1866,19 +1834,6 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
    default:
        break;
    }
-    if (bytes) {
-        if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                          bytes,
-                                                          "private_key2",
-                                                          con_uuid,
-                                                          error))
-            return FALSE;
-    } else if (path) {
-        /* Private connections cannot use paths */
-        g_return_val_if_fail(!priv->private_user, FALSE);
-        if (!add_string_val(self, path, "private_key2", FALSE, NULL, error))
-            return FALSE;
-    }

    if (added) {
        NMSetting8021xCKFormat format;
@ -1902,16 +1857,20 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            /* Only add the client cert if the private key is not PKCS#12, as
             * wpa_supplicant configuration directs us to do.
             */
-            path  = NULL;
-            bytes = NULL;
            switch (nm_setting_802_1x_get_phase2_client_cert_scheme(setting)) {
            case NM_SETTING_802_1X_CK_SCHEME_BLOB:
                bytes = nm_setting_802_1x_get_phase2_client_cert_blob(setting);
+                if (!nm_supplicant_config_add_blob_for_connection(self,
+                                                                  bytes,
+                                                                  "client_cert2",
+                                                                  con_uuid,
+                                                                  error))
+                    return FALSE;
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PATH:
                path = nm_setting_802_1x_get_phase2_client_cert_path(setting);
-                if (priv->private_user)
-                    bytes = nm_g_hash_table_lookup(files, path);
+                if (!add_string_val(self, path, "client_cert2", FALSE, NULL, error))
+                    return FALSE;
                break;
            case NM_SETTING_802_1X_CK_SCHEME_PKCS11:
                if (!add_pkcs11_uri_with_pin(
@ -1927,19 +1886,6 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
            default:
                break;
            }
-            if (bytes) {
-                if (!nm_supplicant_config_add_blob_for_connection(self,
-                                                                  bytes,
-                                                                  "client_cert2",
-                                                                  con_uuid,
-                                                                  error))
-                    return FALSE;
-            } else if (path) {
-                /* Private connections cannot use paths */
-                g_return_val_if_fail(!priv->private_user, FALSE);
-                if (!add_string_val(self, path, "client_cert2", FALSE, NULL, error))
-                    return FALSE;
-            }
        }
    }

--- a/src/core/supplicant/nm-supplicant-config.h
+++ b/src/core/supplicant/nm-supplicant-config.h
@ -29,7 +29,7 @@ typedef struct _NMSupplicantConfigClass NMSupplicantConfigClass;

 GType nm_supplicant_config_get_type(void);

-NMSupplicantConfig *nm_supplicant_config_new(NMSupplCapMask capabilities, const char *private_user);
+NMSupplicantConfig *nm_supplicant_config_new(NMSupplCapMask capabilities);

 guint32 nm_supplicant_config_get_ap_scan(NMSupplicantConfig *self);

@ -57,7 +57,6 @@ gboolean nm_supplicant_config_add_setting_wireless_security(NMSupplicantConfig
                                                            guint32         mtu,
                                                            NMSettingWirelessSecurityPmf  pmf,
                                                            NMSettingWirelessSecurityFils fils,
-                                                            GHashTable                   *files,
                                                            GError                      **error);

 gboolean nm_supplicant_config_add_no_security(NMSupplicantConfig *self, GError **error);
@ -67,7 +66,6 @@ gboolean nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
                                                const char         *con_uuid,
                                                guint32             mtu,
                                                gboolean            wired,
-                                                GHashTable         *files,
                                                GError            **error);

 gboolean nm_supplicant_config_add_setting_macsec(NMSupplicantConfig    *self,
--- a/src/core/supplicant/nm-supplicant-interface.c
+++ b/src/core/supplicant/nm-supplicant-interface.c
@ -46,7 +46,6 @@ typedef struct {
    gpointer                     user_data;
    guint                        fail_on_idle_id;
    guint                        blobs_left;
-    guint                        remove_blobs_left;
    guint                        calls_left;
    struct _AddNetworkData      *add_network_data;
 } AssocData;
@ -66,8 +65,6 @@ enum {
    WPS_CREDENTIALS, /* WPS credentials received */
    GROUP_STARTED,   /* a new Group (interface) was created */
    GROUP_FINISHED,  /* a Group (interface) has been finished */
-    PSK_MISMATCH,    /* supplicant reported incorrect PSK */
-    SAE_MISMATCH,    /* supplicant reported incorrect SAE Password */
    LAST_SIGNAL
 };

@ -2267,7 +2264,6 @@ assoc_add_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
        return;
    }

-    nm_assert(priv->assoc_data->blobs_left > 0);
    priv->assoc_data->blobs_left--;
    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: blob added (%u left)",
          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
@ -2276,148 +2272,6 @@ assoc_add_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
        assoc_call_select_network(self);
 }

-static void
-assoc_add_blobs(NMSupplicantInterface *self)
-{
-    NMSupplicantInterfacePrivate *priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
-    GHashTable                   *blobs;
-    GHashTableIter                iter;
-    const char                   *blob_name;
-    GBytes                       *blob_data;
-
-    blobs                        = nm_supplicant_config_get_blobs(priv->assoc_data->cfg);
-    priv->assoc_data->blobs_left = nm_g_hash_table_size(blobs);
-
-    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: need to add %u blobs",
-          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-          priv->assoc_data->blobs_left);
-
-    if (priv->assoc_data->blobs_left == 0) {
-        assoc_call_select_network(self);
-        return;
-    }
-
-    g_hash_table_iter_init(&iter, blobs);
-    while (g_hash_table_iter_next(&iter, (gpointer) &blob_name, (gpointer) &blob_data)) {
-        _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: adding blob '%s'",
-              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-              blob_name);
-        _dbus_connection_call(
-            self,
-            NM_WPAS_DBUS_IFACE_INTERFACE,
-            "AddBlob",
-            g_variant_new("(s@ay)", blob_name, nm_g_bytes_to_variant_ay(blob_data)),
-            G_VARIANT_TYPE("()"),
-            G_DBUS_CALL_FLAGS_NONE,
-            DBUS_TIMEOUT_MSEC,
-            priv->assoc_data->cancellable,
-            assoc_add_blob_cb,
-            self);
-    }
-}
-
-static void
-assoc_remove_blob_cb(GObject *source, GAsyncResult *result, gpointer user_data)
-{
-    NMSupplicantInterface        *self;
-    NMSupplicantInterfacePrivate *priv;
-    gs_free_error GError         *error = NULL;
-    gs_unref_variant GVariant    *res   = NULL;
-
-    res = g_dbus_connection_call_finish(G_DBUS_CONNECTION(source), result, &error);
-    if (nm_utils_error_is_cancelled(error))
-        return;
-
-    self = NM_SUPPLICANT_INTERFACE(user_data);
-    priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
-
-    /* We don't consider a failure fatal. The new association might be able
-     * to proceed even with the existing blobs, if they don't conflict with new
-     * ones. */
-
-    nm_assert(priv->assoc_data->remove_blobs_left > 0);
-    priv->assoc_data->remove_blobs_left--;
-
-    if (error) {
-        g_dbus_error_strip_remote_error(error);
-        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to delete blob: %s",
-              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-              error->message);
-    } else {
-        _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: blob removed (%u left)",
-              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-              priv->assoc_data->remove_blobs_left);
-    }
-
-    if (priv->assoc_data->remove_blobs_left == 0)
-        assoc_add_blobs(self);
-}
-
-static void
-assoc_get_blobs_cb(GObject *source, GAsyncResult *result, gpointer user_data)
-{
-    NMSupplicantInterface        *self;
-    NMSupplicantInterfacePrivate *priv;
-    gs_free_error GError         *error = NULL;
-    gs_unref_variant GVariant    *res   = NULL;
-    gs_unref_variant GVariant    *value = NULL;
-    GVariantIter                  iter;
-    const char                   *blob_name;
-    GVariant                     *blob_data;
-
-    res = g_dbus_connection_call_finish(G_DBUS_CONNECTION(source), result, &error);
-    if (nm_utils_error_is_cancelled(error))
-        return;
-
-    self = NM_SUPPLICANT_INTERFACE(user_data);
-    priv = NM_SUPPLICANT_INTERFACE_GET_PRIVATE(self);
-
-    if (error) {
-        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to get blob list: %s",
-              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-              error->message);
-        assoc_add_blobs(self);
-        return;
-    }
-
-    g_variant_get(res, "(v)", &value);
-
-    /* While the "Blobs" property is documented as type "as", it is actually "a{say}" */
-    if (!value || !g_variant_is_of_type(value, G_VARIANT_TYPE("a{say}"))) {
-        _LOGD("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: failed to get blob list: wrong return type %s",
-              NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-              value ? g_variant_get_type_string(value) : "NULL");
-        assoc_add_blobs(self);
-        return;
-    }
-
-    g_variant_iter_init(&iter, value);
-    priv->assoc_data->remove_blobs_left = g_variant_iter_n_children(&iter);
-    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: need to delete %u blobs",
-          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-          priv->assoc_data->remove_blobs_left);
-
-    if (priv->assoc_data->remove_blobs_left == 0) {
-        assoc_add_blobs(self);
-    } else {
-        while (g_variant_iter_loop(&iter, "{&s@ay}", &blob_name, &blob_data)) {
-            _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: removing blob '%s'",
-                  NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-                  blob_name);
-            _dbus_connection_call(self,
-                                  NM_WPAS_DBUS_IFACE_INTERFACE,
-                                  "RemoveBlob",
-                                  g_variant_new("(s)", blob_name),
-                                  G_VARIANT_TYPE("()"),
-                                  G_DBUS_CALL_FLAGS_NONE,
-                                  DBUS_TIMEOUT_MSEC,
-                                  priv->assoc_data->cancellable,
-                                  assoc_remove_blob_cb,
-                                  self);
-        }
-    }
-}
-
 static void
 assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
 {
@ -2425,8 +2279,12 @@ assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
    AssocData                      *assoc_data;
    NMSupplicantInterface          *self;
    NMSupplicantInterfacePrivate   *priv;
-    gs_unref_variant GVariant      *res         = NULL;
-    gs_free_error GError           *error       = NULL;
+    gs_unref_variant GVariant      *res   = NULL;
+    gs_free_error GError           *error = NULL;
+    GHashTable                     *blobs;
+    GHashTableIter                  iter;
+    const char                     *blob_name;
+    GBytes                         *blob_data;
    nm_auto_ref_string NMRefString *name_owner  = NULL;
    nm_auto_ref_string NMRefString *object_path = NULL;

@ -2478,21 +2336,34 @@ assoc_add_network_cb(GObject *source, GAsyncResult *result, gpointer user_data)
    nm_assert(!priv->net_path);
    g_variant_get(res, "(o)", &priv->net_path);

-    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: network added (%s)",
-          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
-          priv->net_path);
+    /* Send blobs first; otherwise jump to selecting the network */
+    blobs                        = nm_supplicant_config_get_blobs(priv->assoc_data->cfg);
+    priv->assoc_data->blobs_left = blobs ? g_hash_table_size(blobs) : 0u;

-    /* Delete any existing blobs before adding new ones */
-    _dbus_connection_call(self,
-                          DBUS_INTERFACE_PROPERTIES,
-                          "Get",
-                          g_variant_new("(ss)", NM_WPAS_DBUS_IFACE_INTERFACE, "Blobs"),
-                          G_VARIANT_TYPE("(v)"),
-                          G_DBUS_CALL_FLAGS_NONE,
-                          DBUS_TIMEOUT_MSEC,
-                          priv->assoc_data->cancellable,
-                          assoc_get_blobs_cb,
-                          self);
+    _LOGT("assoc[" NM_HASH_OBFUSCATE_PTR_FMT "]: network added (%s) (%u blobs left)",
+          NM_HASH_OBFUSCATE_PTR(priv->assoc_data),
+          priv->net_path,
+          priv->assoc_data->blobs_left);
+
+    if (priv->assoc_data->blobs_left == 0) {
+        assoc_call_select_network(self);
+        return;
+    }
+
+    g_hash_table_iter_init(&iter, blobs);
+    while (g_hash_table_iter_next(&iter, (gpointer) &blob_name, (gpointer) &blob_data)) {
+        _dbus_connection_call(
+            self,
+            NM_WPAS_DBUS_IFACE_INTERFACE,
+            "AddBlob",
+            g_variant_new("(s@ay)", blob_name, nm_g_bytes_to_variant_ay(blob_data)),
+            G_VARIANT_TYPE("()"),
+            G_DBUS_CALL_FLAGS_NONE,
+            DBUS_TIMEOUT_MSEC,
+            priv->assoc_data->cancellable,
+            assoc_add_blob_cb,
+            self);
+    }
 }

 static void
@ -3234,15 +3105,6 @@ _signal_handle(NMSupplicantInterface *self,
            return;
        }

-        if (nm_streq(signal_name, "PskMismatch")) {
-            g_signal_emit(self, signals[PSK_MISMATCH], 0);
-            return;
-        }
-
-        if (nm_streq(signal_name, "SaePasswordMismatch")) {
-            g_signal_emit(self, signals[SAE_MISMATCH], 0);
-            return;
-        }
        return;
    }

@ -3875,23 +3737,4 @@ nm_supplicant_interface_class_init(NMSupplicantInterfaceClass *klass)
                                           G_TYPE_NONE,
                                           1,
                                           G_TYPE_STRING);
-
-    signals[PSK_MISMATCH] = g_signal_new(NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
-                                         G_OBJECT_CLASS_TYPE(object_class),
-                                         G_SIGNAL_RUN_LAST,
-                                         0,
-                                         NULL,
-                                         NULL,
-                                         NULL,
-                                         G_TYPE_NONE,
-                                         0);
-    signals[SAE_MISMATCH] = g_signal_new(NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
-                                         G_OBJECT_CLASS_TYPE(object_class),
-                                         G_SIGNAL_RUN_LAST,
-                                         0,
-                                         NULL,
-                                         NULL,
-                                         NULL,
-                                         G_TYPE_NONE,
-                                         0);
 }
--- a/src/core/supplicant/nm-supplicant-interface.h
+++ b/src/core/supplicant/nm-supplicant-interface.h
@ -86,8 +86,6 @@ typedef enum {
 #define NM_SUPPLICANT_INTERFACE_WPS_CREDENTIALS "wps-credentials"
 #define NM_SUPPLICANT_INTERFACE_GROUP_STARTED   "group-started"
 #define NM_SUPPLICANT_INTERFACE_GROUP_FINISHED  "group-finished"
-#define NM_SUPPLICANT_INTERFACE_PSK_MISMATCH    "wpa-psk-mismatch"
-#define NM_SUPPLICANT_INTERFACE_SAE_MISMATCH    "wpa-sae-password-mismatch"

 typedef struct _NMSupplicantInterfaceClass NMSupplicantInterfaceClass;

--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@ -212,19 +212,18 @@ validate_type_utf8(const struct Opt *opt, const char *value, const guint32 len)
 }

 static gboolean
-validate_type_keyword(const struct Opt *opt, const char *value_in, const guint32 len)
+validate_type_keyword(const struct Opt *opt, const char *value, const guint32 len)
 {
    gs_free char *value_free = NULL;
-    char         *value;

    nm_assert(opt);
-    nm_assert(value_in);
+    nm_assert(value);

    /* Allow everything */
    if (!opt->str_allowed)
        return TRUE;

-    value = nm_strndup_a(300, value_in, len, &value_free);
+    value = nm_strndup_a(300, value, len, &value_free);

    /* validate each space-separated word in 'value' */

--- a/src/core/supplicant/tests/test-supplicant-config.c
+++ b/src/core/supplicant/tests/test-supplicant-config.c
@ -98,8 +98,7 @@ build_supplicant_config(NMConnection  *connection,
    NMSetting8021x                     *s_8021x;
    gboolean                            success;

-    config = nm_supplicant_config_new(capabilities,
-                                      nm_utils_get_connection_first_permissions_user(connection));
+    config = nm_supplicant_config_new(capabilities);

    s_wifi = nm_connection_get_setting_wireless(connection);
    g_assert(s_wifi);
@ -121,7 +120,6 @@ build_supplicant_config(NMConnection  *connection,
                                                               mtu,
                                                               pmf,
                                                               fils,
-                                                               NULL,
                                                               &error);
    } else {
        success = nm_supplicant_config_add_no_security(config, &error);
--- a/src/core/tests/config/global-dns-empty.conf
+++ b/src/core/tests/config/global-dns-empty.conf
@ -1,3 +0,0 @@
-# Good configuration, an empty global-dns section must be valid
-
-[global-dns]
--- a/src/core/tests/config/global-dns-not-set.conf
+++ b/src/core/tests/config/global-dns-not-set.conf
@ -1,5 +0,0 @@
-# Good configuration, an empty [global-dns] must be implicitly assumed because a domain is defined
-
-[global-dns-domain-*]
-servers=4.5.6.7
-options=myoption1
--- a/src/core/tests/config/test-config.c
+++ b/src/core/tests/config/test-config.c
@ -387,27 +387,7 @@ test_config_global_dns(void)
    g_assert(dns);
    g_object_unref(config);

-    /* Check that a file with an empty global-dns section gives a good configuration.
-     * Check also that searches and options are not NULL, as this is how we expose to
-     * D-Bus that global-dns is defined. */
-    config =
-        setup_config(NULL, TEST_DIR "/global-dns-empty.conf", "", NULL, "/no/such/dir", "", NULL);
-    dns = nm_config_data_get_global_dns_config(nm_config_get_data_orig(config));
-    g_assert(dns);
-    g_assert(nm_global_dns_config_get_searches(dns));
-    g_assert(nm_global_dns_config_get_options(dns));
-    g_object_unref(config);
-
-    /* Check that a file with a domain, but no global-dns, assumes an implicit empty global-dns */
-    config =
-        setup_config(NULL, TEST_DIR "/global-dns-not-set.conf", "", NULL, "/no/such/dir", "", NULL);
-    dns = nm_config_data_get_global_dns_config(nm_config_get_data_orig(config));
-    g_assert(dns);
-    g_assert(nm_global_dns_config_get_searches(dns));
-    g_assert(nm_global_dns_config_get_options(dns));
-    g_object_unref(config);
-
-    /* Check that a file with a domain, but without a default one, gives a NULL configuration */
+    /* Check that a file with a domain domain, but without a default one gives a NULL configuration */
    config =
        setup_config(NULL, TEST_DIR "/global-dns-invalid.conf", "", NULL, "/no/such/dir", "", NULL);
    dns = nm_config_data_get_global_dns_config(nm_config_get_data_orig(config));
--- a/src/core/tests/meson.build
+++ b/src/core/tests/meson.build
@ -6,7 +6,6 @@ test_units = [
  'test-core',
  'test-core-with-expect',
  'test-dcb',
-  'test-netns',
  'test-l3cfg',
  'test-utils',
  'test-wired-defname',
--- a/src/core/tests/test-netns.c
+++ b/src/core/tests/test-netns.c
@ -1,69 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include "src/core/nm-default-daemon.h"
-
-#include "nm-netns.h"
-#include "nm-test-utils-core.h"
-
-static void
-test_ip_reservation_shared4(void)
-{
-    gs_unref_object NMPlatform *platform = NULL;
-    gs_unref_object NMNetns    *netns    = NULL;
-    NMNetnsIPReservation       *res[256];
-    NMNetnsIPReservation       *res1;
-    NMNetnsIPReservation       *res2;
-    char                        buf[NM_INET_ADDRSTRLEN];
-    guint                       i;
-
-    platform = g_object_ref(NM_PLATFORM_GET);
-    netns    = nm_netns_new(platform);
-
-    /* Allocate addresses from 10.42.0.1 to 10.42.255.1 */
-    for (i = 0; i < 256; i++) {
-        res[i] = nm_netns_ip_reservation_get(netns, NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
-        g_snprintf(buf, sizeof(buf), "10.42.%u.1", i);
-        nmtst_assert_ip4_address(res[i]->addr, buf);
-        g_assert_cmpint(res[i]->_ref_count, ==, 1);
-    }
-
-    /* Release an address and get it back */
-    nm_netns_ip_reservation_release(res[139]);
-    res[139] = nm_netns_ip_reservation_get(netns, NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
-    nmtst_assert_ip4_address(res[139]->addr, "10.42.139.1");
-
-    /* Reuse 10.42.255.1 once */
-    NMTST_EXPECT_NM_ERROR("netns[*]: shared-ip4: ran out of IP addresses. Reuse 10.42.255.1/24");
-    res1 = nm_netns_ip_reservation_get(netns, NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
-    g_test_assert_expected_messages();
-    nmtst_assert_ip4_address(res1->addr, "10.42.255.1");
-    g_assert_cmpint(res1->_ref_count, ==, 2);
-
-    /* Reuse 10.42.255.1 twice */
-    res2 = nm_netns_ip_reservation_get(netns, NM_NETNS_IP_RESERVATION_TYPE_SHARED4);
-    g_assert(res2 == res1);
-    nmtst_assert_ip4_address(res1->addr, "10.42.255.1");
-    g_assert_cmpint(res2->_ref_count, ==, 3);
-
-    /* Release all */
-    nm_netns_ip_reservation_release(res1);
-    nm_netns_ip_reservation_release(res2);
-    for (i = 0; i < 256; i++) {
-        nm_netns_ip_reservation_release(res[i]);
-    }
-}
-
-/*****************************************************************************/
-
-NMTST_DEFINE();
-
-int
-main(int argc, char **argv)
-{
-    nmtst_init_with_logging(&argc, &argv, NULL, "ALL");
-    nm_linux_platform_setup();
-
-    g_test_add_func("/netns/ip_reservation/shared4", test_ip_reservation_shared4);
-
-    return g_test_run();
-}
--- a/src/core/tests/test-utils.c
+++ b/src/core/tests/test-utils.c
@ -260,70 +260,6 @@ test_shorten_hostname(void)
    do_test_shorten_hostname(".name1", FALSE, NULL);
 }

-/*****************************************************************************/
-typedef struct {
-    NMRateLimit ratelimit;
-    GMainLoop  *loop;
-    GSource    *source;
-    guint       num;
-} RateLimitData;
-
-static int
-rate_limit_window_expire_cb(gpointer user_data)
-{
-    RateLimitData *data = user_data;
-
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-
-    g_assert(!nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(!nm_rate_limit_check(&data->ratelimit, 1, 5));
-
-    nm_clear_g_source_inst(&data->source);
-    g_main_loop_quit(data->loop);
-
-    return G_SOURCE_CONTINUE;
-}
-
-static int
-rate_limit_check_cb(gpointer user_data)
-{
-    RateLimitData *data = user_data;
-
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(nm_rate_limit_check(&data->ratelimit, 1, 5));
-
-    g_assert(!nm_rate_limit_check(&data->ratelimit, 1, 5));
-    g_assert(!nm_rate_limit_check(&data->ratelimit, 1, 5));
-
-    nm_clear_g_source_inst(&data->source);
-    data->source = nm_g_timeout_add_source(1000, rate_limit_window_expire_cb, data);
-
-    return G_SOURCE_CONTINUE;
-}
-
-static void
-test_rate_limit_check(void)
-{
-    RateLimitData data;
-
-    data = (RateLimitData) {
-        .loop      = g_main_loop_new(NULL, FALSE),
-        .ratelimit = {},
-        .source    = nm_g_timeout_add_source(1, rate_limit_check_cb, &data),
-        .num       = 0,
-    };
-
-    g_main_loop_run(data.loop);
-    g_main_loop_unref(data.loop);
-}
-
 /*****************************************************************************/

 NMTST_DEFINE();
@ -336,7 +272,6 @@ main(int argc, char **argv)
    g_test_add_func("/utils/stable_privacy", test_stable_privacy);
    g_test_add_func("/utils/hw_addr_gen_stable_eth", test_hw_addr_gen_stable_eth);
    g_test_add_func("/utils/shorten-hostname", test_shorten_hostname);
-    g_test_add_func("/utils/rate-limit-check", test_rate_limit_check);

    return g_test_run();
 }
--- a/src/core/vpn/nm-vpn-connection.c
+++ b/src/core/vpn/nm-vpn-connection.c
@ -26,12 +26,10 @@
 #include "nm-active-connection.h"
 #include "nm-config.h"
 #include "nm-dbus-manager.h"
-#include "devices/nm-device.h"
 #include "nm-dispatcher.h"
 #include "nm-firewalld-manager.h"
 #include "nm-ip-config.h"
 #include "nm-l3-config-data.h"
-#include "nm-manager.h"
 #include "nm-netns.h"
 #include "nm-pacrunner-manager.h"
 #include "nm-vpn-manager.h"
@ -1411,11 +1409,9 @@ _check_complete(NMVpnConnection *self, gboolean success)
    NMVpnConnectionPrivate                 *priv = NM_VPN_CONNECTION_GET_PRIVATE(self);
    nm_auto_unref_l3cd_init NML3ConfigData *l3cd = NULL;
    NMConnection                           *connection;
-    NMDevice                               *device;
    NMSettingConnection                    *s_con;
    const char                             *zone;
    const char                             *iface;
-    int                                     ifindex;

    if (priv->vpn_state < STATE_IP_CONFIG_GET || priv->vpn_state > STATE_ACTIVATED)
        return;
@ -1441,23 +1437,10 @@ _check_complete(NMVpnConnection *self, gboolean success)
    }

    connection = _get_applied_connection(self);
-    ifindex    = nm_vpn_connection_get_ip_ifindex(self, FALSE);
-    /* Use nm_device_create_l3_config_data_from_connection here if possible. This ensures that
-     * connection properties like mdns, llmnr, dns-over-tls or dnssec are applied to vpn connections
-     * If this vpn connection does not have its own device resort to nm_l3_config_data_new_from_connection
-     * since we can't properly apply these properties anyway
-     */
-    if (ifindex > 0) {
-        device = nm_manager_get_device_by_ifindex(NM_MANAGER_GET, ifindex);
-        nm_assert(device);
-        l3cd = nm_device_create_l3_config_data_from_connection(device, connection);
-    } else {
-        l3cd = nm_l3_config_data_new_from_connection(nm_netns_get_multi_idx(priv->netns),
-                                                     nm_vpn_connection_get_ip_ifindex(self, TRUE),
-                                                     connection);
-        _LOGD("VPN connection does not have its own device. Some connection properties won't be "
-              "supported.");
-    }
+
+    l3cd = nm_l3_config_data_new_from_connection(nm_netns_get_multi_idx(priv->netns),
+                                                 nm_vpn_connection_get_ip_ifindex(self, TRUE),
+                                                 connection);

    nm_l3_config_data_set_allow_routes_without_address(l3cd, AF_INET, TRUE);
    nm_l3_config_data_set_allow_routes_without_address(l3cd, AF_INET6, TRUE);
--- a/src/core/vpn/nm-vpn-manager.c
+++ b/src/core/vpn/nm-vpn-manager.c
@ -60,21 +60,16 @@ nm_vpn_manager_activate_connection(NMVpnManager *manager, NMVpnConnection *vpn,
 {
    NMVpnManagerPrivate *priv;
    NMVpnPluginInfo     *plugin_info;
-    NMConnection        *applied;
    const char          *service_name;
    NMDevice            *device;
-    const char          *user;

    g_return_val_if_fail(NM_IS_VPN_MANAGER(manager), FALSE);
    g_return_val_if_fail(NM_IS_VPN_CONNECTION(vpn), FALSE);
    g_return_val_if_fail(!error || !*error, FALSE);

-    priv    = NM_VPN_MANAGER_GET_PRIVATE(manager);
-    device  = nm_active_connection_get_device(NM_ACTIVE_CONNECTION(vpn));
-    applied = nm_active_connection_get_applied_connection(NM_ACTIVE_CONNECTION(vpn));
-    nm_assert(device);
-    nm_assert(applied);
-
+    priv   = NM_VPN_MANAGER_GET_PRIVATE(manager);
+    device = nm_active_connection_get_device(NM_ACTIVE_CONNECTION(vpn));
+    g_assert(device);
    if (nm_device_get_state(device) != NM_DEVICE_STATE_ACTIVATED
        && nm_device_get_state(device) != NM_DEVICE_STATE_SECONDARIES) {
        g_set_error_literal(error,
@ -106,30 +101,6 @@ nm_vpn_manager_activate_connection(NMVpnManager *manager, NMVpnConnection *vpn,
        return FALSE;
    }

-    user = nm_utils_get_connection_first_permissions_user(applied);
-    if (user) {
-        NMSettingConnection *s_con;
-
-        s_con = nm_connection_get_setting_connection(applied);
-        nm_assert(s_con);
-        if (_nm_setting_connection_get_num_permissions_users(s_con) > 1) {
-            g_set_error_literal(error,
-                                NM_MANAGER_ERROR,
-                                NM_MANAGER_ERROR_CONNECTION_NOT_AVAILABLE,
-                                "private VPN connections with multiple users are not allowed.");
-            return FALSE;
-        }
-
-        if (!nm_vpn_plugin_info_supports_safe_private_file_access(plugin_info)) {
-            g_set_error(error,
-                        NM_MANAGER_ERROR,
-                        NM_MANAGER_ERROR_CONNECTION_NOT_AVAILABLE,
-                        "The '%s' plugin doesn't support private connections.",
-                        nm_vpn_plugin_info_get_name(plugin_info));
-            return FALSE;
-        }
-    }
-
    nm_vpn_connection_activate(vpn, plugin_info);

    if (!nm_vpn_plugin_info_supports_multiple(plugin_info)) {
--- a/src/libnm-base/nm-config-base.h
+++ b/src/libnm-base/nm-config-base.h
@ -65,7 +65,6 @@

 #define NM_CONFIG_KEYFILE_KEY_DEVICE_MANAGED                    "managed"
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_IGNORE_CARRIER             "ignore-carrier"
-#define NM_CONFIG_KEYFILE_KEY_DEVICE_CHECK_CONNECTIVITY         "check-connectivity"
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_SRIOV_NUM_VFS              "sriov-num-vfs"
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_KEEP_CONFIGURATION         "keep-configuration"
 #define NM_CONFIG_KEYFILE_KEY_DEVICE_ALLOWED_CONNECTIONS        "allowed-connections"
--- a/src/libnm-client-impl/libnm.ver
+++ b/src/libnm-client-impl/libnm.ver
@ -2076,20 +2076,3 @@ global:
 	nm_setting_sriov_get_preserve_on_down;
 	nm_sriov_preserve_on_down_get_type;
 } libnm_1_52_0;
-
-libnm_1_54_2 {
-global:
-	nm_setting_hsr_get_interlink;
-	nm_setting_hsr_get_protocol_version;
-	nm_setting_hsr_protocol_version_get_type;
-} libnm_1_54_0;
-
-libnm_1_56_0 {
-global:
-	nm_dns_server_validate;
-	nm_setting_gsm_get_device_uid;
-	nm_setting_connection_get_dnssec;
-	nm_setting_connection_dnssec_get_type;
-	nm_utils_copy_cert_as_user;
-	nm_vpn_plugin_info_supports_safe_private_file_access;
-} libnm_1_54_0;
--- a/Show more
+++ b/Show more