.gitignore

@@ -81,6 +81,7 @@ test-*.trs
 /data/org.freedesktop.NetworkManager.service
 /data/server.conf
 /data/org.freedesktop.NetworkManager.policy
+/data/org.freedesktop.NetworkManager.policy.in
 /data/nm-sudo.service
 /data/nm-priv-helper.service
 /data/NetworkManager-config-initrd.service

.gitlab-ci.yml

@@ -60,11 +60,11 @@ variables:
   #
   # This is done by running `ci-fairy generate-template` and possibly bumping
   # ".default_tag".
-  ALPINE_TAG:  'tag-8e4bbc59695b'
-  CENTOS_TAG:  'tag-caf6673db1a7'
-  DEBIAN_TAG:  'tag-e394e8e726e1'
-  FEDORA_TAG:  'tag-caf6673db1a7'
-  UBUNTU_TAG:  'tag-e394e8e726e1'
+  ALPINE_TAG:  'tag-da1ae96102c6'
+  CENTOS_TAG:  'tag-c8df7d2b249f'
+  DEBIAN_TAG:  'tag-e68f538711ec'
+  FEDORA_TAG:  'tag-c8df7d2b249f'
+  UBUNTU_TAG:  'tag-e68f538711ec'
 
   ALPINE_EXEC: 'bash .gitlab-ci/alpine-install.sh'
   CENTOS_EXEC: 'bash .gitlab-ci/fedora-install.sh'
@@ -128,20 +128,6 @@ tier2:fedora:rawhide@prep:
       when: manual
       allow_failure: true
 
-tier2:centos:stream10@prep:
-  extends:
-    - .fdo.container-build@centos
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: 'stream10'
-    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
-    FDO_DISTRIBUTION_EXEC: $CENTOS_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier2:centos:stream9@prep:
   extends:
     - .fdo.container-build@centos
@@ -212,20 +198,6 @@ tier2:alpine:edge@prep:
       when: manual
       allow_failure: true
 
-tier3:fedora:43@prep:
-  extends:
-    - .fdo.container-build@fedora
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: '43'
-    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
-    FDO_DISTRIBUTION_EXEC: $FEDORA_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier3:fedora:41@prep:
   extends:
     - .fdo.container-build@fedora
@@ -254,6 +226,20 @@ tier3:ubuntu:25.04@prep:
       when: manual
       allow_failure: true
 
+tier3:ubuntu:24.10@prep:
+  extends:
+    - .fdo.container-build@ubuntu
+  stage: prep
+  variables:
+    GIT_STRATEGY: none
+    FDO_DISTRIBUTION_VERSION: '24.10'
+    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
+    FDO_DISTRIBUTION_EXEC: $UBUNTU_EXEC
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+      when: manual
+      allow_failure: true
+
 tier3:ubuntu:24.04@prep:
   extends:
     - .fdo.container-build@ubuntu
@@ -282,20 +268,6 @@ tier3:ubuntu:22.04@prep:
       when: manual
       allow_failure: true
 
-tier3:debian:13@prep:
-  extends:
-    - .fdo.container-build@debian
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: '13'
-    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
-    FDO_DISTRIBUTION_EXEC: $DEBIAN_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier3:debian:12@prep:
   extends:
     - .fdo.container-build@debian
@@ -310,20 +282,6 @@ tier3:debian:12@prep:
       when: manual
       allow_failure: true
 
-tier3:alpine:3.22@prep:
-  extends:
-    - .fdo.container-build@alpine
-  stage: prep
-  variables:
-    GIT_STRATEGY: none
-    FDO_DISTRIBUTION_VERSION: '3.22'
-    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
-    FDO_DISTRIBUTION_EXEC: $ALPINE_EXEC
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-      when: manual
-      allow_failure: true
-
 tier3:alpine:3.21@prep:
   extends:
     - .fdo.container-build@alpine
@@ -419,20 +377,6 @@ t_fedora:rawhide:
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
 
-t_centos:stream10:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@centos
-    - .nm_artifacts_debug
-  stage: tier2
-  variables:
-    FDO_DISTRIBUTION_VERSION: 'stream10'
-    FDO_DISTRIBUTION_TAG: $CENTOS_TAG
-  needs:
-    - "tier2:centos:stream10@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_centos:stream9:
   extends:
     - .build@template
@@ -503,20 +447,6 @@ t_alpine:edge:
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
 
-t_fedora:43:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@fedora
-    - .nm_artifacts_debug
-  stage: tier3
-  variables:
-    FDO_DISTRIBUTION_VERSION: '43'
-    FDO_DISTRIBUTION_TAG: $FEDORA_TAG
-  needs:
-    - "tier3:fedora:43@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_fedora:41:
   extends:
     - .build@template
@@ -545,6 +475,20 @@ t_ubuntu:25.04:
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
 
+t_ubuntu:24.10:
+  extends:
+    - .build@template
+    - .fdo.distribution-image@ubuntu
+    - .nm_artifacts_debug
+  stage: tier3
+  variables:
+    FDO_DISTRIBUTION_VERSION: '24.10'
+    FDO_DISTRIBUTION_TAG: $UBUNTU_TAG
+  needs:
+    - "tier3:ubuntu:24.10@prep"
+  rules:
+    - if: $CI_PIPELINE_SOURCE != 'schedule'
+
 t_ubuntu:24.04:
   extends:
     - .build@template
@@ -573,20 +517,6 @@ t_ubuntu:22.04:
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
 
-t_debian:13:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@debian
-    - .nm_artifacts_debug
-  stage: tier3
-  variables:
-    FDO_DISTRIBUTION_VERSION: '13'
-    FDO_DISTRIBUTION_TAG: $DEBIAN_TAG
-  needs:
-    - "tier3:debian:13@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_debian:12:
   extends:
     - .build@template
@@ -601,20 +531,6 @@ t_debian:12:
   rules:
     - if: $CI_PIPELINE_SOURCE != 'schedule'
 
-t_alpine:3.22:
-  extends:
-    - .build@template
-    - .fdo.distribution-image@alpine
-    - .nm_artifacts_debug
-  stage: tier3
-  variables:
-    FDO_DISTRIBUTION_VERSION: '3.22'
-    FDO_DISTRIBUTION_TAG: $ALPINE_TAG
-  needs:
-    - "tier3:alpine:3.22@prep"
-  rules:
-    - if: $CI_PIPELINE_SOURCE != 'schedule'
-
 t_alpine:3.21:
   extends:
     - .build@template
@@ -713,7 +629,7 @@ pages:
   rules:
     - if: $CI_PIPELINE_SOURCE == 'schedule'
       when: never
-    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
   dependencies:
     - "t_fedora:42: [meson+gcc+docs+valgrind]"
   needs:

.gitlab-ci/ci.template

@@ -240,7 +240,7 @@ pages:
   rules:
     - if: $CI_PIPELINE_SOURCE == 'schedule'
       when: never
-    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == 'main'
   dependencies:
     - "t_{{default_distro.name}}:{{default_distro.versions[0]}}: [meson+gcc+docs+valgrind]"
   needs:

.gitlab-ci/config.yml

@@ -34,7 +34,6 @@ distributions:
   - name: centos
     tier: 2
     versions:
-      - 'stream10'
       - 'stream9'
   - name: ubuntu
     tier: 2
@@ -55,23 +54,21 @@ distributions:
   - name: fedora
     tier: 3
     versions:
-      - '43'
       - '41'
   - name: ubuntu
     tier: 3
     versions:
       - '25.04'
+      - '24.10'
       - '24.04'
       - '22.04'
   - name: debian
     tier: 3
     versions:
-      - '13'
       - '12'
   - name: alpine
     tier: 3
     versions:
-      - '3.22'
       - '3.21'
       - '3.20'
       - '3.19'

.gitlab-ci/distros-info.yml

@@ -8,9 +8,6 @@ fedora:
 - version: rawhide
   support: yes
   nm: main
-- version: 43
-  support: 2026-12-02
-  nm: 1.54
 - version: 42
   support: 2026-05-13
   nm: 1.52
@@ -21,11 +18,8 @@ fedora:
 
 # CentOS Stream
 centos:
-- version: stream10
-  support: 2030-12-31 # exact date unknown, only the year
-  nm: main
 - version: stream9
-  support: 2027-12-31 # exact date unknown, only the year
+  support: 2027-05-31
   nm: main
 
 # RHEL:
@@ -37,43 +31,33 @@ centos:
 #   support: 6 months
 # Releases and support info: https://access.redhat.com/support/policy/updates/errata
 rhel:
-# Not released yet
-- version: 10.1
+- version: 9.6  # not released yet
   support: yes
-  nm: 1.54
-- version: 9.7  # not released yet
+  nm: main
+- version: 9.5
   support: yes
-  nm: 1.54
-# Full support or EUS support:
-- version: 10.0
-  support: 2027-05-31
-  extended-support: 2029-05-31
-  nm: 1.52
-- version: 9.6
-  support: 2027-05-31
-  extended-support: 2029-05-31
-  nm: 1.52
+  nm: 1.48
 - version: 9.4
   support: 2026-04-30
   extended-support: 2028-04-30
   nm: 1.46
-- version: 8.10  # last RHEL 8 release, maintenaince support only
-  support: 2029-05-31
-  extended-support: no
-  nm: 1.40
-# SAP / Enhaced EUS only:
 - version: 9.2
   support: 2025-05-31
   extended-support: 2027-05-31
   nm: 1.42
-- version: 9.0
-  support: 2024-05-31
-  extended-support: 2026-05-31
-  nm: 1.36
+- version: 8.10  # last RHEL 8 release, maintenaince support only
+  support: 2029-05-31
+  extended-support: no
+  nm: 1.40
 - version: 8.8
   support: 2025-05-31
   extended-support: 2027-05-31
   nm: 1.40
+# SAP / Enhaced EUS only:
+- version: 9.0
+  support: 2024-05-31
+  extended-support: 2026-05-31
+  nm: 1.36
 - version: 8.6
   support: 2024-05-31
   extended-support: 2026-05-31
@@ -97,6 +81,10 @@ ubuntu:
   name: plucky
   support: 2026-01-15
   nm: 1.52
+- version: 24.10
+  name: oracular
+  support: 2025-07-10
+  nm: 1.48
 - version: 24.04
   name: noble
   support: 2029-05-31
@@ -121,11 +109,6 @@ debian:
 - version: sid
   support: yes
   nm: main
-- version: 13
-  name: trixie
-  support: 2028-08-09
-  extended-support: 2030-06-30
-  nm: 1.52
 - version: 12
   name: bookworm
   support: 2026-06-11
@@ -147,9 +130,6 @@ alpine:
 - version: edge
   support: yes
   nm: main
-- version: 3.22
-  support: 2027-05-01
-  nm: 1.52
 - version: 3.21
   support: 2026-11-01
   nm: 1.50

.gitlab-ci/fedora-install.sh

@@ -13,8 +13,6 @@ if [ $IS_CENTOS = 1 ]; then
         CENTOS_VERSION=8
     elif grep -q '^VERSION_ID=.*\<9\>' /etc/os-release ; then
         CENTOS_VERSION=9
-    elif grep -q '^VERSION_ID=.*\<10\>' /etc/os-release ; then
-        CENTOS_VERSION=10
     else
         exit 1
     fi
@@ -35,11 +33,6 @@ fi
         dnf install -y 'dnf-command(config-manager)'
         dnf config-manager --set-enabled crb
         curl https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-9/nmstate-nm-build-deps-epel-9.repo > /etc/yum.repos.d/nmstate-nm-build-deps-epel-9.repo
-    elif [ "$CENTOS_VERSION" = stream10 ]; then
-        dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
-        dnf install -y 'dnf-command(config-manager)'
-        dnf config-manager --set-enabled crb
-        curl https://copr.fedorainfracloud.org/coprs/nmstate/nm-build-deps/repo/epel-10/nmstate-nm-build-deps-epel-10.repo > /etc/yum.repos.d/nmstate-nm-build-deps-epel-10.repo
     else
         exit 1
     fi

.gitlab-ci/run-test.sh

@@ -17,17 +17,10 @@ grep -q '^NAME=.*\(CentOS\)' /etc/os-release && IS_CENTOS=1
 grep -q '^NAME=.*\(Fedora\)' /etc/os-release && IS_FEDORA=1
 grep -q '^NAME=.*\(Alpine\)' /etc/os-release && IS_ALPINE=1
 
+IS_CENTOS_7=0
 if [ $IS_CENTOS = 1 ]; then
-    CENTOS_VER_LINE="$(grep '^VERSION_ID=' /etc/os-release)"
-    if [[ $CENTOS_VER_LINE =~ ^VERSION_ID=\"?([0-9]+)\"?$ ]]; then
-        CENTOS_VER="${BASH_REMATCH[1]}"
-    else
-        echo "Error detecting CentOS Stream version" >&2
-        exit 1
-    fi
-
-    if (( $CENTOS_VER >= 10 )); then
-        export WITH_LIBTEAM=0
+    if grep -q '^VERSION_ID=.*\<7\>' /etc/os-release ; then
+        IS_CENTOS_7=1
     fi
 fi
 
@@ -155,7 +148,12 @@ test_subtree() {
     do_clean
     pushd ./src/$d
 
-    CC="$cc" CFLAGS="-Werror -Wall" meson build
+    ARGS=()
+    if [ "$d" = n-acd ]; then
+        ARGS+=('-Debpf=false')
+    fi
+
+    CC="$cc" CFLAGS="-Werror -Wall" meson build "${ARGS[@]}"
     ninja -v -C build test
 
     popd

.gitlab/merge_request_templates/Default.md

@@ -12,9 +12,9 @@ Please read
 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/CONTRIBUTING.md
 before opening the merge request. In particular, check that:
 
- - [ ] The subject for all commits is concise, explanatory, and includes a prefix indicating the area of code changed (e.g., "nmcli: ", "core: ")
- - [ ] The message for all commits explains the reason for the change
- - [ ] The source is properly formatted
- - [ ] Any relevant documentation is up to date
- - [ ] You have added unit tests if applicable
- - [ ] The NEWS file is updated when the change deserves to be mentioned, for example for new features, behavior changes, API deprecations, etc.
+ - [ ] the subject for all commits is concise and explicative
+ - [ ] the message for all commits explains the reason for the change
+ - [ ] the source is properly formatted
+ - [ ] any relevant documentation is up to date
+ - [ ] you have added unit tests if applicable
+ - [ ] the NEWS file is updated when the change deserves to be mentioned, for example for new features, behavior changes, API deprecations, etc.

MAINTAINERS.md

@@ -252,25 +252,17 @@ Versioning scheme (version numbers are called MAJOR.MINOR.MICRO):
   versioning scheme than the main NM project despite there are no development
   versions here.
 
-Before starting:
-- You need to have the maintainer role in the project.
-- The GPG key used to sign the release must be added to your GNOME's Gitlab
-  profile and uploaded to a keyserver.
-- All details: https://handbook.gnome.org/maintainers/making-a-release.html
-
 When doing a release, follow this process:
 1. Ensure that `NEWS` file is up to date.
-2. Increment the version in `meson.build` or `configure.ac`.
-3. Commit and push to the `main` branch.
-4. Check that the Gitlab's pipeline finishes without errors.
-5. Tag the commit with a signed tag. Example: `git tag -s 1.2.8 -m 'Release 1.2.8'`.
-6. Push the tag. Example: `git push origin 1.2.8`.  
-   WARN: this is what starts the automatic CI release. As GNOME doesn't allow
-   to delete tags, any error detected after this will force a new version bump.
-7. Check that the Gitlab's pipeline finishes without errors. If that happens,
-   the release is done and available both in the Gitlab's releases section and
-   https://download.gnome.org/sources/*
-8. Announce the release on the mailing list.
+2. Increment the version in `meson.build`, commit and tag the commit. Example:
+   `git tag -s 1.2.8 -m 'Tag 1.2.8'`.
+3. Ensure that you are on the right commit and create the tarball:
+   `git clean -fdx && meson setup build && cd build && meson dist`
+4. Upload the tarball: `scp ./*-*.tar.xz "$user@master.gnome.org:"`
+5. Login to `master.gnome.org` and run `ftpadmin install`.  
+   Ensure the new tarballs show up at https://download.gnome.org/sources/
+   (happens after a short delay)
+6. Announce the release on the mailing list.
 
 Notes:
 - You need access to master.gnome.org, see [here](https://handbook.gnome.org/infrastructure/accounts.html).

NEWS

@@ -1,6 +1,6 @@
 =============================================
-NetworkManager-1.58
-Overview of changes since NetworkManager-1.56
+NetworkManager-1.56
+Overview of changes since NetworkManager-1.54
 =============================================
 
 This is a snapshot of NetworkManager development. The API is
@@ -8,96 +8,7 @@ subject to change and not guaranteed to be compatible with
 the later release.
 USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
 
-* Unify the versioning to use everywhere the scheme with the -rcX or -dev
-  suffixes when appropriate. This affects, for example, the URL and filename
-  of the release tarball and the version reported by nmcli and the daemon.
-  As an exception, the C API will continue to use the 90+ scheme for RC versions.
-* Connection profiles with manual IP addressing and with gateways that are not
-  directly reachable will generate a warning on activation and when they are
-  added/modified via nmcli and nmtui. NetworkManager currently adds on-link
-  routes for them automatically, but this will change in the future. To fix the
-  warning, users should add addresses or routes whose subnets cover these
-  gateways. A gateway (either the default gateway or the next-hop of a route) is
-  considered directly reachable if it falls within the subnet of a direct route
-  (a route without a next hop) or of a prefix route from a static address.
-* Restrict the connectivity check to use the DNS servers defined on the
-  same link. If the link has no DNS servers, the connectivity check will
-  use any servers available in the system.
-* Install the systemd units in the initramfs using a systemd generator.
-* A new "check-connectivity" configuration option is available to disable the
-  connectivity check for selected interfaces.
-* Remove the modify_system build option that allowed setting up the
-  polkit permissions to allow non-admin users to create system-wide
-  connection. That configuration is discouraged because it can be used
-  to bypass filesystem permissions.
-* For private connections (the ones that specify a user in the
-  "connection.permissions" property), verify that the user can access
-  the 802.1X certificates and keys set in the connection.
-* Introduce a libnm function that can be used by VPN plugins to check
-  user permissions on certificate and keys.
-* The support for Wireless Extensions is deprecated and will be
-  removed in a future release. Wireless Extensions are now disabled by
-  default.
-* Use an internal implementation of the ping functionality when the
-  "connection.gateway-ping-timeout" or "connection.ip-ping-addresses"
-  properties are set, instead of relying on the "ping" tool.  
-* The powersave property now functions with the iwd backend.
-* The "band" property of Wi-fi connections now accepts the "6GHz"
-  value.
-* Show the Wi-Fi band of APs in the scan results from nmcli.
-* New <Select...> button in nmtui that allows users to chose from list of
-  available devices when creating connection profiles for physical interfaces
-  (Ethernet, Wi-Fi, etc.).
-* Add support for CLAT (464XLAT) using a BPF program.
-* Change the default value of the ipv4.dhcp-ipv6-only-preferred property
-  to a new value "auto" which automatically enables the option when CLAT
-  is enabled ("yes" or "auto") in the connection profile.
-* WIFI connections using wpa-psk respect the setting connection.auth-retry
-  and only prompt for new secrets during the last authentication attempt before
-  failing.
-* Add support for GENEVE interface.
-* The DHCPv4 internal client now ignores option 3 (Router) if the lease
-  contains option 121 (Classless Static Route), as recommended by RFC 3442.
-* Allow persisting the managed state across reboots from nmcli and the D-Bus API.
-* Allow changing the device's administrative state in the kernel at the same
-  time as a change to the managed state from nmcli and the D-Bus API.
-* Allow configuring all bond options in nmtui by introducing a
-  "other options" field, which covers options not already covered by a
-  dedicated input field.
-
-=============================================
-NetworkManager-1.56
-Overview of changes since NetworkManager-1.54
-=============================================
-
 * nmcli now supports viewing and managing WireGuard peers.
-* Support reapplying the "sriov.vfs" property as long as
-  "sriov.total-vfs" is not changed.
-* Support reapplying "bond-port.vlans".
-* Accept hostnames longer than 64 characters from DNS lookup.
-* Make that global-dns configuration overwrites DNS searches and
-  options from connections, instead of merging all together.
-* Add support for a new rd.net.dhcp.client-id option in
-  nm-initrd-generator.
-* Add gsm device-uid setting to restrict the devices the connection applies to.
-* Support configuring the HSR protocol version via the
-  "hsr.protocol-version" property.
-* Fix a bug that makes broadband connections auto-connect getting 
-  blocked if the connection tries to reconnect when modem status is 
-  "disconnecting" / "disconnected".
-* Treat modem connection not having an operator code available
-  as a recoverable error.
-* Add support for configuring systemd-resolved's DNSSEC option
-  per-connection via the "connection.dnssec" connection property.
-* Support configuring the HSR interlink port via the
-  "hsr.interlink" property.
-* Fix some connection properties not being applied to vpn connections
-  (connection.mdns, connection.llmnr, connection.dns-over-tls,
-   connection.mptcp-flags, ipv6.ip6-privacy)
-* Update n-acd to always compile with eBPF enabled, as support
-  for eBPF is now detected at run time.
-* Add new MPTCP 'laminar' endpoint type, and set it by default alongside
-  the 'subflow' one.
 
 =============================================
 NetworkManager-1.54

config.h.meson

@@ -239,15 +239,6 @@
 /* Whether we build with OVS plugin */
 #mesondefine WITH_OPENVSWITCH
 
-/* Whether we build with team support */
-#mesondefine WITH_TEAMDCTL
-
-/* Whether we build with Wi-Fi support */
-#mesondefine WITH_WIFI
-
-/* Whether we build with WWAN support */
-#mesondefine WITH_WWAN
-
 /* Define if you have PPP support */
 #mesondefine WITH_PPP
 
@@ -294,6 +285,3 @@
 
 /* Define to 1 if dlvsym() is available */
 #mesondefine HAVE_DLVSYM
-
-/* Define to 1 if you want CLAT support. */
-#mesondefine HAVE_CLAT

contrib/alpine/REQUIRED_PACKAGES

@@ -8,11 +8,9 @@ apk add \
     'alpine-sdk' \
     'autoconf' \
     'bash' \
-    'bpftool' \
     'clang' \
     'curl-dev' \
     'dbus' \
-    'dbus-dev' \
     'elogind-dev' \
     'eudev-dev' \
     'gcc' \
@@ -24,7 +22,6 @@ apk add \
     'iproute2' \
     'iptables' \
     'jansson-dev' \
-    'libbpf-dev' \
     'libgudev-dev' \
     'libndp-dev' \
     'libnvme-dev' \
@@ -32,6 +29,7 @@ apk add \
     'libpsl-dev' \
     'libsoup-dev' \
     'libteam-dev' \
+    'libtool' \
     'linux-headers' \
     'meson' \
     'mobile-broadband-provider-info' \

contrib/debian/REQUIRED_PACKAGES

@@ -32,7 +32,6 @@ install_ignore_missing() {
 
 install \
     \
-    bpftool \
     clang \
     dbus \
     dbus-x11 \
@@ -44,7 +43,6 @@ install \
     iproute2 \
     iptables \
     libaudit-dev \
-    libbpf-dev \
     libcurl4-gnutls-dev \
     libdbus-1-dev \
     libgirepository1.0-dev \
@@ -64,6 +62,7 @@ install \
     libreadline-dev \
     libsystemd-dev \
     libteam-dev \
+    libtool \
     libudev-dev \
     locales \
     meson \

contrib/fedora/REQUIRED_PACKAGES

@@ -49,7 +49,6 @@ install \
     ModemManager-glib-devel \
     audit-libs-devel \
     bluez-libs-devel \
-    bpftool \
     clang \
     dbus-devel \
     dbus-x11 \
@@ -65,11 +64,11 @@ install \
     iptables \
     jansson-devel \
     jq \
-    libbpf-devel \
     libcurl-devel \
     libndp-devel \
     libnvme-devel \
     libselinux-devel \
+    libtool \
     libuuid-devel \
     meson \
     mobile-broadband-provider-info-devel \

contrib/fedora/rpm/NetworkManager.spec

@@ -6,23 +6,19 @@
 #
 # Note that it contains __PLACEHOLDERS__ that will be replaced by the accompanying 'build.sh' script.
 
-Name:    NetworkManager
-Summary: Network connection manager and user applications
-License: GPL-2.0-or-later AND LGPL-2.1-or-later
-URL:     https://networkmanager.dev/
-Group:   System Environment/Base
-
-Epoch:   1
-Version: __VERSION__
-Release: __RELEASE_VERSION__%{?dist}
-
-###############################################################################
 
 %global wpa_supplicant_version 1:1.1
 
 %global ppp_version %(pkg-config --modversion pppd 2>/dev/null || sed -n 's/^#define\\s*VERSION\\s*"\\([^\\s]*\\)"$/\\1/p' %{_includedir}/pppd/patchlevel.h 2>/dev/null | grep . || echo bad)
 %global glib2_version %(pkg-config --modversion glib-2.0 2>/dev/null || echo bad)
 
+%global epoch_version 1
+%global real_version __VERSION__
+%global git_tag_version __GIT_TAG_VERSION__
+%global rpm_version %{real_version}
+%global release_version __RELEASE_VERSION__
+%global snapshot __SNAPSHOT__
+%global git_sha __COMMIT__
 %global bcond_default_debug __BCOND_DEFAULT_DEBUG__
 %global bcond_default_lto __BCOND_DEFAULT_LTO__
 %global bcond_default_test __BCOND_DEFAULT_TEST__
@@ -37,6 +33,17 @@ Release: __RELEASE_VERSION__%{?dist}
 
 %global _hardened_build 1
 
+%if "x%{?snapshot}" != "x"
+%global snapshot_dot .%{snapshot}
+%endif
+%if "x%{?git_sha}" != "x"
+%global git_sha_dot .%{git_sha}
+%endif
+
+%global snap %{?snapshot_dot}%{?git_sha_dot}
+
+%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[0-9][0-9]*\\)\\.[0-9][0-9]*$/\\1/p')
+
 %global systemd_units NetworkManager.service NetworkManager-wait-online.service NetworkManager-dispatcher.service nm-priv-helper.service
 
 %global systemd_units_cloud_setup nm-cloud-setup.service nm-cloud-setup.timer
@@ -100,13 +107,7 @@ Release: __RELEASE_VERSION__%{?dist}
 %else
 %bcond_without iwd
 %endif
-%bcond_without polkit_noauth_group
-%ifarch %{ix86}
-# there is no bpftool in i686
-%bcond_with clat
-%else
-%bcond_without clat
-%endif
+
 ###############################################################################
 
 %global dbus_version 1.9.18
@@ -153,6 +154,17 @@ Release: __RELEASE_VERSION__%{?dist}
 %bcond_with ifcfg_migrate
 %endif
 
+%if 0%{?fedora}
+# Although eBPF would be available on Fedora's kernel, it seems
+# we often get SELinux denials (rh#1651654). But even aside them,
+# bpf(BPF_MAP_CREATE, ...) randomly fails with EPERM. That might
+# be related to `ulimit -l`. Anyway, this is not usable at the
+# moment.
+%global ebpf_enabled "no"
+%else
+%global ebpf_enabled "no"
+%endif
+
 # Fedora 33 enables LTO by default by setting CFLAGS="-flto -ffat-lto-objects".
 # However, we also require "-flto -flto-partition=none", so disable Fedora's
 # default and use our configure option --with-lto instead.
@@ -160,7 +172,16 @@ Release: __RELEASE_VERSION__%{?dist}
 
 ###############################################################################
 
-#Source: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/releases/%{version_no_tilde}/downloads/%{name}-%{version_no_tilde}.tar.xz
+Name: NetworkManager
+Summary: Network connection manager and user applications
+Epoch: %{epoch_version}
+Version: %{rpm_version}
+Release: %{release_version}%{?snap}%{?dist}
+Group: System Environment/Base
+License: GPL-2.0-or-later AND LGPL-2.1-or-later
+URL: https://networkmanager.dev/
+
+#Source: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/releases/%{git_tag_version}/downloads/%{name}-%{real_version}.tar.xz
 Source: __SOURCE1__
 Source1: NetworkManager.conf
 Source2: 00-server.conf
@@ -174,16 +195,17 @@ Source9: readme-ifcfg-rh-migrated.txt
 #Patch1: 0001-some.patch
 
 Requires(post): systemd
+Requires(post): systemd-udev
+Requires(post): /usr/sbin/update-alternatives
 Requires(preun): systemd
+Requires(preun): /usr/sbin/update-alternatives
 Requires(postun): systemd
 
 Requires: dbus >= %{dbus_version}
 Requires: glib2 >= %{glib2_version}
 Requires: %{name}-libnm%{?_isa} = %{epoch}:%{version}-%{release}
 
-%if %{with clat}
-Requires: libbpf
-%endif
+Recommends: iputils
 
 %if 0%{?rhel} == 8
 # Older libndp versions use select() (rh#1933041). On well known distros,
@@ -232,7 +254,7 @@ Conflicts: NetworkManager-dispatcher-routing-rules <= 1:1.47.5-3
 %endif
 
 BuildRequires: gcc
-BuildRequires: clang
+BuildRequires: libtool
 BuildRequires: pkgconfig
 BuildRequires: meson
 BuildRequires: gettext-devel >= 0.19.8
@@ -287,10 +309,6 @@ BuildRequires: firewalld-filesystem
 BuildRequires: iproute
 BuildRequires: iproute-tc
 BuildRequires: libnvme-devel >= 1.5
-%if %{with clat}
-BuildRequires: libbpf-devel
-BuildRequires: bpftool
-%endif
 
 Provides: %{name}-dispatcher%{?_isa} = %{epoch}:%{version}-%{release}
 
@@ -559,8 +577,6 @@ Group: System Environment/Base
 BuildArch: noarch
 Requires: NetworkManager
 Requires: /usr/bin/nmcli
-Requires(post): /usr/sbin/update-alternatives
-Requires(preun): /usr/sbin/update-alternatives
 Obsoletes: NetworkManager < %{obsoletes_initscripts_updown}
 
 %description initscripts-updown
@@ -571,7 +587,7 @@ Preferably use nmcli instead.
 
 
 %prep
-%autosetup -p1 -n NetworkManager-%{version_no_tilde}
+%autosetup -p1 -n NetworkManager-%{real_version}
 
 
 %build
@@ -612,20 +628,19 @@ Preferably use nmcli instead.
 %endif
 %if %{with wifi}
 	-Dwifi=true \
+%if 0%{?fedora}
+	-Dwext=true \
+%else
+	-Dwext=false \
+%endif
 %else
 	-Dwifi=false \
 %endif
-	-Dwext=false \
 %if %{with iwd}
 	-Diwd=true \
 %else
 	-Diwd=false \
 %endif
-%if %{with clat}
-	-Dclat=true \
-%else
-	-Dclat=false \
-%endif
 %if %{with bluetooth}
 	-Dbluez5_dun=true \
 %else
@@ -662,20 +677,22 @@ Preferably use nmcli instead.
 	-Dselinux=true \
 	-Dpolkit=true  \
 	-Dconfig_auth_polkit_default=true \
-%if %{with polkit_noauth_group}
-	-Dpolkit_noauth_group=wheel \
-%endif
+	-Dmodify_system=true \
 	-Dconcheck=true \
 %if 0%{?fedora}
 	-Dlibpsl=true \
 %else
 	-Dlibpsl=false \
+%endif
+%if %{ebpf_enabled} != "yes"
+	-Debpf=false \
+%else
+	-Debpf=true \
 %endif
 	-Dsession_tracking=systemd \
 	-Dsuspend_resume=systemd \
 	-Dsystemdsystemunitdir=%{_unitdir} \
-	-Dsystemdsystemgeneratordir=%{_systemdgeneratordir} \
-	-Dsystem_ca_path=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
+	-Dsystem_ca_path=/etc/pki/tls/cert.pem \
 	-Ddbus_conf_dir=%{dbus_sys_dir} \
 	-Dtests=yes \
 	-Dvalgrind=no \
@@ -747,7 +764,6 @@ rm -f %{buildroot}%{_libdir}/pppd/%{ppp_version}/*.la
 rm -f %{buildroot}%{nmplugindir}/*.la
 
 # Don't use the *-initrd.service files yet, wait dracut to support them
-rm -f %{buildroot}%{_systemdgeneratordir}/nm-initrd-generator.sh
 rm -f %{buildroot}%{_unitdir}/NetworkManager-config-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-initrd.service
 rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
@@ -756,8 +772,8 @@ rm -f %{buildroot}%{_unitdir}/NetworkManager-wait-online-initrd.service
 find %{buildroot}%{_datadir}/gtk-doc -exec touch --reference meson.build '{}' \+
 
 %if 0%{?__debug_package} && ! 0%{?flatpak}
-mkdir -p %{buildroot}%{_prefix}/src/debug/NetworkManager-%{version_no_tilde}
-cp valgrind.suppressions %{buildroot}%{_prefix}/src/debug/NetworkManager-%{version_no_tilde}
+mkdir -p %{buildroot}%{_prefix}/src/debug/NetworkManager-%{real_version}
+cp valgrind.suppressions %{buildroot}%{_prefix}/src/debug/NetworkManager-%{real_version}
 %endif
 
 %if %{with ifcfg_rh}
@@ -839,12 +855,8 @@ fi
 
 
 %postun
-# skip triggering if udevd isn't even accessible, e.g. containers or
-# rpm-ostree-based systems
-if [ -S /run/udev/control ]; then
-    /usr/bin/udevadm control --reload-rules || :
-    /usr/bin/udevadm trigger --subsystem-match=net || :
-fi
+/usr/bin/udevadm control --reload-rules || :
+/usr/bin/udevadm trigger --subsystem-match=net || :
 %firewalld_reload
 
 %systemd_postun %{systemd_units}
@@ -885,7 +897,6 @@ fi
 %{_libexecdir}/nm-dispatcher
 %{_libexecdir}/nm-initrd-generator
 %{_libexecdir}/nm-daemon-helper
-%{_libexecdir}/nm-libnm-helper
 %{_libexecdir}/nm-priv-helper
 %dir %{_libdir}/%{name}
 %dir %{nmplugindir}
@@ -917,9 +928,6 @@ fi
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_priv_helper.service
 %{_datadir}/polkit-1/actions/*.policy
-%if %{with polkit_noauth_group}
-%{_datadir}/polkit-1/rules.d/org.freedesktop.NetworkManager.rules
-%endif
 %{_prefix}/lib/udev/rules.d/*.rules
 %{_prefix}/lib/firewalld/zones/nm-shared.xml
 # systemd stuff

contrib/fedora/rpm/build.sh

@@ -12,6 +12,7 @@ set -o pipefail
 #   RELEASE_VERSION=
 #   SNAPSHOT=
 #   VERSION=
+#   GIT_TAG_VERSION=
 #   COMMIT_FULL=
 #   COMMIT=
 #   USERNAME=
@@ -110,7 +111,9 @@ exec 2>&1
 
 UUID=`uuidgen`
 RELEASE_VERSION="${RELEASE_VERSION:-$(git rev-list HEAD | wc -l)}"
+SNAPSHOT="${SNAPSHOT:-%{nil\}}"
 VERSION="${VERSION:-$(get_version || die "Could not read $VERSION")}"
+GIT_TAG_VERSION="${GIT_TAG_VERSION:-$VERSION}"
 COMMIT_FULL="${COMMIT_FULL:-$(git rev-parse --verify HEAD || die "Error reading HEAD revision")}"
 COMMIT="${COMMIT:-$(printf '%s' "$COMMIT_FULL" | sed 's/^\(.\{10\}\).*/\1/' || die "Error reading HEAD revision")}"
 BCOND_DEFAULT_DEBUG="${BCOND_DEFAULT_DEBUG:-0}"
@@ -154,6 +157,7 @@ if [[ "$SOURCE_FROM_GIT" == "1" ]]; then
 fi
 
 LOG "VERSION=$VERSION"
+LOG "GIT_TAG_VERSION=$GIT_TAG_VERSION"
 LOG "RELEASE_VERSION=$RELEASE_VERSION"
 LOG "SNAPSHOT=$SNAPSHOT"
 LOG "COMMIT_FULL=$COMMIT_FULL"
@@ -205,8 +209,13 @@ cp "$SOURCE_README_IFCFG_MIGRATED" "$TEMP/SOURCES/readme-ifcfg-rh-migrated.txt"
 
 write_changelog
 
-sed -e "s/__VERSION__/${VERSION/-/\~}/g" \
+sed -e "s/__VERSION__/$VERSION/g" \
+    -e "s/__GIT_TAG_VERSION__/$GIT_TAG_VERSION/g" \
     -e "s/__RELEASE_VERSION__/$RELEASE_VERSION/g" \
+    -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
+    -e "s/__COMMIT__/$COMMIT/g" \
+    -e "s/__COMMIT_FULL__/$COMMIT_FULL/g" \
+    -e "s/__SNAPSHOT__/$SNAPSHOT/g" \
     -e "s/__SOURCE1__/$(basename "$SOURCE")/g" \
     -e "s/__BCOND_DEFAULT_DEBUG__/$BCOND_DEFAULT_DEBUG/g" \
     -e "s/__BCOND_DEFAULT_LTO__/${BCOND_DEFAULT_LTO:-"%{nil}"}/g" \
@@ -227,12 +236,7 @@ case "$BUILDTYPE" in
         ;;
 esac
 
-DIST=
-[[ "$COMMIT" != "" ]] && DIST=".${COMMIT}${DIST}"
-[[ "$SNAPSHOT" != "" ]] && DIST=".${SNAPSHOT}${DIST}"
-[[ "$DIST" != "" ]] && DIST=("--define" "dist ${DIST}$(rpmbuild --eval '%{dist}')")
-
-rpmbuild --define "_topdir $TEMP" "${DIST[@]}" $RPM_BUILD_OPTION "$TEMPSPEC" $NM_RPMBUILD_ARGS || die "ERROR: rpmbuild FAILED"
+rpmbuild --define "_topdir $TEMP" $RPM_BUILD_OPTION "$TEMPSPEC" $NM_RPMBUILD_ARGS || die "ERROR: rpmbuild FAILED"
 
 LS_EXTRA=()
 

contrib/fedora/rpm/configure-for-system.sh

@@ -155,6 +155,7 @@ P_CRYPTO="${CRYPTO-}"
 P_DBUS_SYS_DIR="${DBUS_SYS_DIR-}"
 P_DHCP_DEFAULT="${DHCP_DEFAULT-}"
 P_DNS_RC_MANAGER_DEFAULT="${DNS_RC_MANAGER_DEFAULT-}"
+P_EBPF_ENABLED="${EBPF_ENABLED-no}"
 P_FIREWALLD_ZONE="${FIREWALLD_ZONE-}"
 P_IWD="${IWD-}"
 P_LOGGING_BACKEND_DEFAULT="${LOGGING_BACKEND_DEFAULT-}"
@@ -173,7 +174,6 @@ P_WIFI="${WIFI-1}"
 P_WWAN="${WWAN-1}"
 P_TEAM="${TEAM-1}"
 P_BLUETOOTH="${BLUETOOTH-1}"
-P_IFCFG_RH="${IFCFG_RH-0}"
 P_NMTUI="${NMTUI-1}"
 P_NM_CLOUD_SETUP="${NM_CLOUD_SETUP-1}"
 P_OVS="${OVS-1}"
@@ -203,7 +203,7 @@ if [ -z "$P_FEDORA" -a -z "$P_RHEL" ] ; then
         P_FEDORA="$x"
         P_RHEL=0
     else
-        x="$(grep -q 'ID="rhel"' /etc/os-release && sed -n 's/^VERSION_ID="*\([0-9]*\).*/\1/p' /etc/os-release)"
+        x="$(grep -q "ID=fedora" /etc/os-release && sed -n 's/VERSION_ID=//p' /etc/os-release)"
         if test "$x" -gt 0 ; then
             P_FEDORA=0
             P_RHEL="$x"
@@ -294,14 +294,6 @@ if [ -z "$P_MODEM_MANAGER_1" ] ; then
     fi
 fi
 
-if [ -z "$TEAM" ] && [ "${P_RHEL-0}" -ge 10 ] ; then
-    P_TEAM=0
-fi
-
-if [ -z "$IFCFG_RH" ] && [ -n "$P_RHEL" ] && [ "$P_RHEL" -le 9 ] ; then
-    P_IFCFG_RH=1
-fi
-
 if bool "$P_DEBUG" ; then
     P_CFLAGS="-g -Og -fexceptions${P_CFLAGS:+ }$P_CFLAGS"
 else
@@ -387,7 +379,7 @@ meson setup\
     -Db_lto="$(bool_true "$P_LTO")" \
     -Dlibaudit=yes-disabled-by-default \
     -Dmodem_manager="$(bool_true "$P_MODEM_MANAGER_1")" \
-    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext=false) \
+    $(args_enable "$P_WIFI"                    -Dwifi=true  -Dwext="$(bool_true "$P_FEDORA")") \
     $(args_enable "$(bool_not_true "$P_WIFI")" -Dwifi=false                                  ) \
     -Diwd="$(bool_true "$P_IWD")" \
     -Dbluez5_dun="$(bool_true "$P_BLUETOOTH")" \
@@ -401,17 +393,18 @@ meson setup\
     -Dselinux=true \
     -Dpolkit=true  \
     -Dconfig_auth_polkit_default=true \
+    -Dmodify_system=true \
     -Dconcheck=true \
     -Dlibpsl="$(bool_true "$P_FEDORA")" \
+    -Debpf="$(bool_true "$P_EBPF_ENABLED")" \
     -Dsession_tracking=systemd \
     -Dsuspend_resume=systemd \
     -Dsystemdsystemunitdir=/usr/lib/systemd/system \
-    -Dsystemdsystemgeneratordir=/usr/lib/systemd/system-generators \
     -Dsystem_ca_path=/etc/pki/tls/cert.pem \
     -Ddbus_conf_dir="$P_DBUS_SYS_DIR" \
     -Dtests=yes \
     -Dvalgrind=no \
-    -Difcfg_rh="$(bool_true "$P_IFCFG_RH")" \
+    -Difcfg_rh=true \
     -Difupdown=false \
     $(args_enable "$P_PPP"                    -Dppp=true  -Dpppd="$D_SBINDIR/pppd" -Dpppd_plugin_dir="$D_LIBDIR/pppd/$P_PPP_VERSION") \
     $(args_enable "$(bool_not_true "$P_PPP")" -Dppp=false                                                                           ) \

contrib/fedora/rpm/release.sh

@@ -27,7 +27,7 @@
 #   * Run in a "clean" environment, i.e. no unusual environment variables set, on a recent
 #     Fedora, with suitable dependencies installed.
 #
-#   * First, ensure that you have a valid Gitlab's private token for gitlab.freedesktop.org
+#   * First, ensure that you have a valid Gitlab's private token for gitlab.freedestkop.org
 #     stored in ~/.config/nm-release-token, or pass one with --gitlab-token argument.
 #     Also, ensure you have a GPG key that you want to use for signing. Also, have gpg-agent running
 #     and possibly configure `git config --get user.signingkey` for the proper key.
@@ -102,8 +102,14 @@ do_command() {
 SCRIPTDIR="$(dirname "$(readlink -f "$0")")"
 GITDIR="$(cd "$SCRIPTDIR" && git rev-parse --show-toplevel || die "Could not get GITDIR")"
 
-get_version() {
-    grep -E -m1 '^\s+version:' "$GITDIR/meson.build" | cut -d"'" -f2
+parse_version() {
+    local VERSION=$(grep -E -m1 '^\s+version:' "$GITDIR/meson.build" \
+                    | cut -d"'" -f2 \
+                    | sed 's/\./ /g')
+
+    re='^(0|[1-9][0-9]*) (0|[1-9][0-9]*) (0|[1-9][0-9]*)$'
+    [[ "$VERSION" =~ $re ]] || return 1
+    echo "$VERSION"
 }
 
 number_is_even() {
@@ -149,12 +155,14 @@ check_gitlab_pipeline() {
 
 set_version_number() {
     sed -i \
-        -E "1,20 s/^( *version: *')[^']+(',) *\$/\1$1\2/" \
+        -e '1,20 s/^\( *version: *'\''\)[0-9]\+\.[0-9]\+\.[0-9]\+\('\'',\)$/\1'"$1.$2.$3"'\2/' \
         meson.build
 }
 
 check_news() {
     local mode="$1"
+    shift
+    local ver_arr=("$@")
 
     case "$mode" in
         major|minor)
@@ -251,18 +259,12 @@ done
 
 [ -n "$RELEASE_MODE" ] || die_usage "specify the desired release mode"
 
-VERSION_STR="$(get_version)"
-VERSION_ARR=( $(echo "$VERSION_STR" | sed 's/[\.\-]/ /g') )
-if [[ ${VERSION_ARR[2]} =~ ^rc ]]; then
-    RC_VERSION=${VERSION_ARR[2]#rc}
-    VERSION_ARR[2]=0
-else
-    RC_VERSION=
-fi
+VERSION_ARR=( $(parse_version) ) || die "cannot detect NetworkManager version"
+VERSION_STR="$(IFS=.; echo "${VERSION_ARR[*]}")"
 
 echo "Current version before release: $VERSION_STR (do \"$RELEASE_MODE\" release)"
 
-grep -q "version: '$VERSION_STR'," ./meson.build || die "meson.build does not have expected version"
+grep -q "version: '${VERSION_ARR[0]}.${VERSION_ARR[1]}.${VERSION_ARR[2]}'," ./meson.build || die "meson.build does not have expected version"
 
 TMP="$(git status --porcelain)" || die "git status failed"
 test -z "$TMP" || die "git working directory is not clean (git status --porcelain)"
@@ -278,41 +280,50 @@ if [ "$CUR_BRANCH" = main ]; then
     number_is_odd "${VERSION_ARR[1]}" || die "Unexpected version number on main. Should be an odd development version"
     [ "$RELEASE_MODE" = devel -o "$RELEASE_MODE" = rc1 -o "$RELEASE_MODE" = major-post ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
 else
-    [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "Unexpected current branch $CUR_BRANCH. Should be nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}"
-    [ "$RELEASE_MODE" = rc -o "$RELEASE_MODE" = major -o "$RELEASE_MODE" = minor ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
+    re='^nm-[0-9]+-[0-9]+$'
+    [[ "$CUR_BRANCH" =~ $re ]] || die "Unexpected current branch $CUR_BRANCH. Should be main or nm-?-??"
+    if number_is_odd "${VERSION_ARR[1]}"; then
+        # we are on a release candiate branch.
+        [ "$RELEASE_MODE" = rc -o "$RELEASE_MODE" = major ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
+        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "Unexpected current branch $CUR_BRANCH. Should be nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))"
+    else
+        [ "$RELEASE_MODE" = minor ] || die "Unexpected branch name \"$CUR_BRANCH\" for \"$RELEASE_MODE\""
+        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "Unexpected current branch $CUR_BRANCH. Should be nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}"
+    fi
 fi
 
+RC_VERSION=
 RELEASE_BRANCH=
 case "$RELEASE_MODE" in
     minor)
         number_is_even "${VERSION_ARR[1]}" || die "cannot do minor release on top of version $VERSION_STR"
-        [ "$RC_VERSION" = "" ] || die "cannot do a minor release on top of an RC version"
-        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "minor release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
+        [ "$CUR_BRANCH" != main ] || die "cannot do a minor release on main"
         ;;
     devel)
         number_is_odd "${VERSION_ARR[1]}" || die "cannot do devel release on top of version $VERSION_STR"
-        [ "$RC_VERSION" = "" ] || die "cannot do a devel release on top of an RC version"
+        [ "$((${VERSION_ARR[2]} + 1))" -lt 90 ] || die "devel release must have a micro version smaller than 90 but current version is $VERSION_STR"
         [ "$CUR_BRANCH" == main ] || die "devel release can only be on main"
         ;;
+    rc)
+        number_is_odd "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
+        [ "${VERSION_ARR[2]}" -ge 90 ] || die "rc release must have a micro version larger than ${VERSION_ARR[0]}.90 but current version is $VERSION_STR"
+        RC_VERSION="$((${VERSION_ARR[2]} - 88))"
+        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "devel release can only be on \"nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))\" branch"
+        ;;
     rc1)
         number_is_odd "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
-        [ "$RC_VERSION" = "" ] || die "rc1 release cannot be done on top of an RC version"
+        [ "${VERSION_ARR[2]}" -lt 90 ] || die "rc release must have a micro version smaller than ${VERSION_ARR[0]}.${VERSION_ARR[1]}.90 but current version is $VERSION_STR"
         [ "$CUR_BRANCH" == main ] || die "rc1 release can only be on main"
         RELEASE_BRANCH="nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))"
         ;;
-    rc)
-        number_is_even "${VERSION_ARR[1]}" || die "cannot do rc release on top of version $VERSION_STR"
-        [ "$RC_VERSION" != "" ] || die "rc release must be done on top of an RC version"
-        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "rc release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
-        ;;
     major)
-        number_is_even "${VERSION_ARR[1]}" || die "cannot do major release on top of version $VERSION_STR"
-        [ "$RC_VERSION" != "" ] || die "major release must be done on top of an RC version"
-        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}" ] || die "major release can only be on \"nm-${VERSION_ARR[0]}-${VERSION_ARR[1]}\" branch"
+        number_is_odd "${VERSION_ARR[1]}" || die "cannot do major release on top of version $VERSION_STR"
+        [ "${VERSION_ARR[2]}" -ge 90 ] || die "parent version for major release must have a micro version larger than ${VERSION_ARR[0]}.90 but current version is $VERSION_STR"
+        [ "$CUR_BRANCH" == "nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))" ] || die "major release can only be on \"nm-${VERSION_ARR[0]}-$((${VERSION_ARR[1]} + 1))\" branch"
         ;;
     major-post)
         number_is_odd "${VERSION_ARR[1]}" || die "cannot do major-post release on top of version $VERSION_STR"
-        [ "$RC_VERSION" = "" ] || die "major-post release cannot be done on top of an RC version"
+        [ "$((${VERSION_ARR[2]} + 1))" -lt 90 ] || die "major-post release must have a micro version smaller than 90 but current version is $VERSION_STR"
         [ "$CUR_BRANCH" == main ] || die "major-post release can only be on main"
         ;;
     *)
@@ -359,7 +370,7 @@ if [ "$ALLOW_LOCAL_BRANCHES" != 1 ]; then
     cmp <(git show "$ORIGIN/main:contrib/fedora/rpm/release.sh") "$BASH_SOURCE_ABSOLUTE" || die "$BASH_SOURCE is not identical to \`git show \"$ORIGIN/main:contrib/fedora/rpm/release.sh\"\`"
 fi
 
-if ! check_news "$RELEASE_MODE"; then
+if ! check_news "$RELEASE_MODE" "@{VERSION_ARR[@]}" ; then
     if [ "$CHECK_NEWS" == 1 ]; then
         die "NEWS file needs update to mention stable release (skip check with --no-check-news)"
     fi
@@ -378,7 +389,7 @@ if [ "$RELEASE_MODE" = major -o "$RELEASE_MODE" = minor ]; then
     fi
     echo "$(echo_color 36 -n "https://gitlab.freedesktop.org/NetworkManager/networkmanager.pages.freedesktop.org.git") by running"
     if [ "$RELEASE_MODE" = major ]; then
-        v="${VERSION_ARR[0]}.${VERSION_ARR[1]}.0"
+        v="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1)).0"
     else
         v="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
     fi
@@ -407,36 +418,71 @@ if [ $CHECK_GITLAB = 1 ]; then
     fi
 fi
 
-# Work on a temporary branch
+BRANCHES=()
+BUILD_TAG=
+
 CLEANUP_CHECKOUT_BRANCH="$CUR_BRANCH"
+
 git checkout -B "$TMP_BRANCH"
 CLEANUP_REFS+=("refs/heads/$TMP_BRANCH")
 
 case "$RELEASE_MODE" in
     minor)
-        # Version is already correct in meson.build
-        BUILD_VERSION="$VERSION_STR"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
+        git commit -m "release: bump version to ${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))" -a || die "failed to commit release"
+
+        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
+        git tag -s -a -m "Tag $b" "$b" HEAD || die "failed to tag release"
+        BRANCHES+=("$b")
+        CLEANUP_REFS+=("refs/tags/$b")
+        BUILD_TAG="$b"
+        TAR_VERSION="$b"
         ;;
     devel)
-        # Version is already correct in meson.build
-        BUILD_VERSION="$VERSION_STR"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))-dev"
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
+        git commit -m "release: bump version to ${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1)) (development)" -a || die "failed to commit devel version bump"
+
+        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
+        git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
+        BRANCHES+=("$b-dev")
+        CLEANUP_REFS+=("refs/tags/$b-dev")
+        BUILD_TAG="$b-dev"
+        TAR_VERSION="$b"
         ;;
     rc)
-        # Version is already correct in meson.build
-        BUILD_VERSION="$VERSION_STR"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}-rc$((RC_VERSION + 1))"
+        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$(("${VERSION_ARR[2]}" + 1))"
+        t="${VERSION_ARR[0]}.$(("${VERSION_ARR[1]}" + 1))-rc$RC_VERSION"
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" $(("${VERSION_ARR[2]}" + 1))
+        git commit -m "release: bump version to $b ($t) (development)" -a || die "failed to commit rc version bump"
+
+        git tag -s -a -m "Tag $b ($t) (development)" "$t" HEAD || die "failed to tag release"
+        BRANCHES+=("$t")
+        CLEANUP_REFS+=("refs/tags/$t")
+        BUILD_TAG="$t"
+        TAR_VERSION="$b"
         ;;
     rc1)
-        # Current version is wrong (dev version), need to set rc1 version
-        BUILD_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1))-rc1"
-        NEXT_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1))-rc2"
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" 90
+        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.90"
+        t="${VERSION_ARR[0]}.$(("${VERSION_ARR[1]}" + 1))-rc1"
+        git commit -m "release: bump version to $b ($t)" -a || die "failed to commit rc1 version bump"
+
+        git tag -s -a -m "Tag $b ($t) (development)" "$t" HEAD || die "failed to tag release $t"
+        BRANCHES+=("$t")
+        CLEANUP_REFS+=("refs/tags/$t")
+        BUILD_TAG="$t"
+        TAR_VERSION="$b"
         ;;
     major)
-        # Current version is wrong (rc version), need to set major version
-        BUILD_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.0"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.1"
+        b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 1)).0"
+        set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 1))" 0
+        git commit -m "release: bump version to $b" -a || die "failed to commit major version bump"
+
+        git tag -s -a -m "Tag $b" "$b" HEAD || die "failed to tag release"
+        BRANCHES+=("$b")
+        CLEANUP_REFS+=("refs/tags/$b")
+        BUILD_TAG="$b"
+        TAR_VERSION="$b"
         ;;
     major-post)
         # We create a merge commit with the content of current "main", with two
@@ -448,77 +494,65 @@ case "$RELEASE_MODE" in
         git merge -Xours --commit -m tmp main || die "merge1"
         git rm --cached -r . || die "merge2"
         git checkout main -- . || die "merge3"
+        b="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))"
         git commit --amend -m tmp -a || die "failed to commit major version bump"
         test x = "x$(git diff main HEAD)" || die "there is a diff after merge!"
 
-        # Version is already correct in meson.build
-        BUILD_VERSION="$VERSION_STR"
-        NEXT_VERSION="${VERSION_ARR[0]}.${VERSION_ARR[1]}.$((${VERSION_ARR[2]} + 1))-dev"
+        set_version_number "${VERSION_ARR[0]}" "${VERSION_ARR[1]}" "$((${VERSION_ARR[2]} + 1))"
+        git commit --amend -m "release: bump version to $b (development)" -a || die "failed to commit major version bump"
+        git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
+        BRANCHES+=("$b-dev")
+        CLEANUP_REFS+=("refs/tags/$b-dev")
+        BUILD_TAG="$b-dev"
+        TAR_VERSION="$b"
         ;;
     *)
         die "Release mode $RELEASE_MODE not yet implemented"
         ;;
 esac
 
-build_version() {
-    local CURR_VERSION="$(get_version)"
-    local BUILD_VERSION="$1"
-    local NEXT_VERSION="$2"
-    local BUILD_VERSION_DESCR="${BUILD_VERSION/-dev/ (development)}"
-    local NEXT_VERSION_DESCR="${NEXT_VERSION/-dev/ (development)}"
-    local TAR_FILE="NetworkManager-$BUILD_VERSION.tar.xz"
+build_tag() {
+    local BUILD_TAG="$1"
+    local TAR_FILE="NetworkManager-$2.tar.xz"
     local SUM_FILE="$TAR_FILE.sha256sum"
 
-    # The current version is usually already correct, except for rc1 and major. Bump version in those cases.
-    if [[ "$BUILD_VERSION" != "$CURR_VERSION" ]]; then
-        set_version_number "$BUILD_VERSION"
-        git commit -m "release: bump version to $BUILD_VERSION_DESCR" -a || die "failed to commit release"
-    fi
-
-    # Tag the release
-    git tag -s -a -m "Release $BUILD_VERSION_DESCR" "$BUILD_VERSION" HEAD || die "failed to tag release"
-    PUSH_REFS+=("$BUILD_VERSION")
-    CLEANUP_REFS+=("refs/tags/$BUILD_VERSION")
-
-    # Build to get the tarball for the release
+    git checkout "$BUILD_TAG" || die "failed to checkout $BUILD_TAG"
     ./contrib/fedora/rpm/build_clean.sh -r || die "build release failed"
     cp "./build/meson-dist/$TAR_FILE" /tmp/ || die "failed to copy $TAR_FILE to /tmp"
     cp "./build/meson-dist/$SUM_FILE" /tmp/ || die "failed to copy $SUM_FILE to /tmp"
     git clean -fdx
-
-    # Store the release version for later use
-    RELEASE_VERSIONS+=("$BUILD_VERSION")
-
-    # Bump to next version, so that build between now and the next release has the next version already.
-    # Otherwise the macros in nm_version.h don't work correctly.
-    set_version_number "$NEXT_VERSION"
-    git commit -m "release: bump version to $NEXT_VERSION_DESCR" -a || die "failed to commit version bump"
 }
 
-# Build and create tarball. Bump version as needed.
-PUSH_REFS=()
-RELEASE_VERSIONS=()
-build_version "$BUILD_VERSION" "$NEXT_VERSION"
+RELEASE_TAR_VERSIONS=()
+RELEASE_TAGS=()
+if [ -n "$BUILD_TAG" ]; then
+    build_tag "$BUILD_TAG" "$TAR_VERSION"
+    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
+    RELEASE_TAGS+=("$BUILD_TAG")
+fi
+git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
+
+BRANCHES+=( "$CUR_BRANCH" )
 
 if [ "$RELEASE_MODE" = rc1 ]; then
-    # Create the release branch (nm-1-xx)
-    git branch "$RELEASE_BRANCH" "$TMP_BRANCH" || die "cannot checkout $RELEASE_BRANCH"
-    PUSH_REFS+=( "$RELEASE_BRANCH" )
+    git branch "$RELEASE_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
+    BRANCHES+=( "$RELEASE_BRANCH" )
     CLEANUP_REFS+=( "refs/heads/$RELEASE_BRANCH" )
-
-    # Go back to the commit of the rc1 release, nm-1-xx is one commit further now.
-    git checkout -B "$TMP_BRANCH" "$BUILD_VERSION" || die "cannot checkout $TMP_BRANCH"
-
-    # Second release for rc1: create new dev version on main
-    BUILD_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).0-dev"
-    NEXT_VERSION="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).1-dev"
-    build_version "$BUILD_VERSION" "$NEXT_VERSION"
+    git checkout "$TMP_BRANCH"
+    b="${VERSION_ARR[0]}.$((${VERSION_ARR[1]} + 2)).0"
+    set_version_number "${VERSION_ARR[0]}" "$((${VERSION_ARR[1]} + 2))" 0
+    git commit -m "release: bump version to $b (development)" -a || die "failed to commit devel version bump"
+    git tag -s -a -m "Tag $b (development)" "$b-dev" HEAD || die "failed to tag release"
+    BRANCHES+=("$b-dev")
+    CLEANUP_REFS+=("refs/tags/$b-dev")
+    BUILD_TAG="$b-dev"
+    TAR_VERSION="$b"
+    build_tag "$BUILD_TAG" "$TAR_VERSION"
+    RELEASE_TAR_VERSIONS+=("$TAR_VERSION")
+    RELEASE_TAGS+=("$BUILD_TAG")
+    git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
 fi
 
-# Work was done on the temporary branch, advance the real branch
-git checkout -B "$CUR_BRANCH" "$TMP_BRANCH" || die "cannot checkout $CUR_BRANCH"
-PUSH_REFS+=( "$CUR_BRANCH" )
-
 if [[ $GITLAB_TOKEN == "" ]]; then
     [[ -r ~/.config/nm-release-token ]] || die "cannot read ~/.config/nm-release-token"
     GITLAB_TOKEN=$(< ~/.config/nm-release-token)
@@ -531,21 +565,20 @@ if [ -z "$GITLAB_USER_ID" ] || [ "$GITLAB_USER_ID" = "null" ]; then
     die "failed to authenticate to gitlab.freedesktop.org with the private token"
 fi
 
-# Push the modified branches and tags to the origin repository
-do_command git push "$ORIGIN" "${PUSH_REFS[@]}" || die "failed to to push branches ${PUSH_REFS[@]} to $ORIGIN"
+do_command git push "$ORIGIN" "${BRANCHES[@]}" || die "failed to to push branches ${BRANCHES[@]} to $ORIGIN"
 
-# Create the releases
 CREATE_RELEASE_FAIL=0
-for BUILD_VERSION in "${RELEASE_VERSIONS[@]}"; do
-    TAR_FILE="NetworkManager-$BUILD_VERSION.tar.xz"
+for I in "${!RELEASE_TAR_VERSIONS[@]}"; do
+    TAR_FILE="NetworkManager-${RELEASE_TAR_VERSIONS[$I]}.tar.xz"
     SUM_FILE="$TAR_FILE.sha256sum"
+    BUILD_TAG="${RELEASE_TAGS["$I"]}"
     FAIL=0
 
     # upload tarball and checksum file as generic packages
     for F in "$TAR_FILE" "$SUM_FILE"; do
         do_command curl --location --fail-with-body --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
             --upload-file "/tmp/$F" \
-            "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$F" \
+            "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$F" \
             || FAIL=1
 
         if [[ $FAIL = 1 ]]; then
@@ -562,25 +595,25 @@ for BUILD_VERSION in "${RELEASE_VERSIONS[@]}"; do
          --request POST "https://gitlab.freedesktop.org/api/v4/projects/411/releases" \
          --data "$(cat <<END
             {
-                "name": "NetworkManager $BUILD_VERSION",
-                "tag_name": "$BUILD_VERSION", 
+                "name": "NetworkManager $BUILD_TAG",
+                "tag_name": "$BUILD_TAG", 
                 "assets": {
                     "links": [
                         {
-                            "name": "NetworkManager $BUILD_VERSION tarball with docs",
-                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$TAR_FILE",
+                            "name": "NetworkManager $BUILD_TAG tarball with docs",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$TAR_FILE",
                             "direct_asset_path": "/$TAR_FILE",
                             "link_type":"package"
                         },
                         {
-                            "name": "NetworkManager $BUILD_VERSION tarball sha256sum",
-                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_VERSION/$SUM_FILE",
+                            "name": "NetworkManager $BUILD_TAG tarball sha256sum",
+                            "url": "https://gitlab.freedesktop.org/api/v4/projects/411/packages/generic/NetworkManager/$BUILD_TAG/$SUM_FILE",
                             "direct_asset_path": "/$SUM_FILE",
                             "link_type":"package"
                         },
                         {
                             "name": "NEWS",
-                            "url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/$BUILD_VERSION/NEWS?ref_type=tags",
+                            "url": "https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/$BUILD_TAG/NEWS?ref_type=tags",
                             "direct_asset_path": "/NEWS",
                             "link_type":"other"
                         }
@@ -590,8 +623,8 @@ for BUILD_VERSION in "${RELEASE_VERSIONS[@]}"; do
 END
             )" || FAIL=1
 
-    if [[ $FAIL = 1 ]]; then
-        fail_msg "failed to create NetworkManager $BUILD_VERSION release"
+    if [[ $? != 0 ]]; then
+        fail_msg "failed to create NetworkManager $BUILD_TAG release"
         CREATE_RELEASE_FAIL=1
         continue
     fi

contrib/scripts/nm-ci-run.sh

@@ -55,7 +55,6 @@ _WITH_LIBTEAM="true"
 _WITH_DOCS="true"
 _WITH_SYSTEMD_LOGIND="true"
 _WITH_NBFT="true"
-_WITH_CLAT="true"
 if [ $IS_ALPINE = 1 ]; then
     _WITH_SYSTEMD_LOGIND="false"
 fi
@@ -64,14 +63,6 @@ if ! pkgconf 'libnvme >= 1.5'; then
     _WITH_NBFT="false"
 fi
 
-if ! pkgconf 'libndp >= 1.9'; then
-    _WITH_CLAT="false"
-fi
-
-if ! pkgconf 'libbpf >= 1.3'; then
-    _WITH_CLAT="false"
-fi
-
 if [ -z "${NMTST_SEED_RAND+x}" ]; then
     NMTST_SEED_RAND="$SRANDOM"
     if [ -z "$NMTST_SEED_RAND" ]; then
@@ -93,14 +84,6 @@ if [ "$CC" != gcc ]; then
     _WITH_CRYPTO=nss
 fi
 
-if [ "$WITH_LIBTEAM" != "" ]; then
-    if _is_true "$WITH_LIBTEAM"; then
-        _WITH_LIBTEAM="true"
-    else
-        _WITH_LIBTEAM="false"
-    fi
-fi
-
 if [ "$WITH_DOCS" != "" ]; then
     if _is_true "$WITH_DOCS"; then
         _WITH_DOCS="true"
@@ -178,7 +161,6 @@ meson setup build \
     -D ld_gc=false \
     -D session_tracking=no \
     -D systemdsystemunitdir=no \
-    -D systemdsystemgeneratordir=no \
     -D systemd_journal=false \
     -D selinux=false \
     -D libaudit=no \
@@ -190,6 +172,8 @@ meson setup build \
     -D crypto=$_WITH_CRYPTO \
     -D docs=$_WITH_DOCS \
     \
+    -D ebpf=false \
+    \
     -D iwd=true \
     -D ofono=true \
     -D teamdctl=$_WITH_LIBTEAM \
@@ -204,7 +188,6 @@ meson setup build \
     -D ifupdown=true \
     \
     -D nbft=$_WITH_NBFT \
-    -D clat=$_WITH_CLAT \
     \
     #end
 

data/NetworkManager-config-initrd.service.in

@@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Configuration (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-journald.socket
 After=systemd-journald.socket
 Before=systemd-udevd.service systemd-udev-trigger.service
+ConditionPathExists=/etc/initrd-release
 
 [Service]
 Type=oneshot
@@ -22,3 +22,6 @@ ExecStartPost=/bin/sh -c ' \
     fi \
 '
 RemainAfterExit=yes
+
+[Install]
+WantedBy=initrd.target

data/NetworkManager-initrd.service.in

@@ -1,11 +1,11 @@
 [Unit]
 Description=NetworkManager (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Wants=systemd-udev-trigger.service network.target
 After=systemd-udev-trigger.service network-pre.target dbus.service NetworkManager-config-initrd.service
 Before=network.target
 BindsTo=dbus.service
+ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 ConditionPathExistsGlob=|/usr/lib/NetworkManager/system-connections/*
 ConditionPathExistsGlob=|/run/NetworkManager/system-connections/*
@@ -22,3 +22,11 @@ Environment=NM_CONFIG_ENABLE_TAG=initrd
 Restart=on-failure
 ProtectSystem=true
 ProtectHome=read-only
+
+[Install]
+WantedBy=initrd.target
+# We want to enable NetworkManager-wait-online-initrd.service whenever this
+# service is enabled. NetworkManager-wait-online-initrd.service has
+# WantedBy=network-online.target, so enabling it only has an effect if
+# network-online.target itself is enabled or pulled in by some other unit.
+Also=NetworkManager-config-initrd.service NetworkManager-wait-online-initrd.service

data/NetworkManager-wait-online-initrd.service.in

@@ -1,10 +1,10 @@
 [Unit]
 Description=NetworkManager Wait Online (initrd)
-AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
 Requires=NetworkManager-initrd.service
 After=NetworkManager-initrd.service
 Before=network-online.target
+ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/NetworkManager/initrd/neednet
 
 [Service]
@@ -21,3 +21,6 @@ Type=oneshot
 ExecStart=@bindir@/nm-online -s -q
 RemainAfterExit=yes
 Environment=NM_ONLINE_TIMEOUT=3600
+
+[Install]
+WantedBy=initrd.target network-online.target

data/NetworkManager.service.in

@@ -19,18 +19,10 @@ KillMode=process
 # With a huge number of interfaces, starting can take a long time.
 TimeoutStartSec=600
 
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_BPF CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
 
-PrivateTmp=true
-
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=read-only
-ProtectKernelLogs=true
 ProtectSystem=true
-
-RestrictRealtime=true
-RestrictSUIDSGID=true
+ProtectHome=read-only
 
 # We require file descriptors for DHCP etc. When activating many interfaces,
 # the default limit of 1024 is easily reached.

data/meson.build

@@ -55,22 +55,21 @@ if install_udevdir
 endif
 
 if enable_polkit
+  policy = 'org.freedesktop.NetworkManager.policy'
+
+  policy_in = configure_file(
+    input: policy + '.in.in',
+    output: '@BASENAME@',
+    configuration: data_conf,
+  )
+
   i18n.merge_file(
-    input: 'org.freedesktop.NetworkManager.policy.in',
+    input: policy_in,
     output: '@BASENAME@',
     po_dir: po_dir,
     install: true,
-    install_dir: polkit_policydir,
+    install_dir: polkit_gobject_policydir,
   )
-
-  if polkit_noauth_group != ''
-    configure_file(
-      input: 'org.freedesktop.NetworkManager.rules.in',
-      output: '@BASENAME@',
-      install_dir: polkit_rulesdir,
-      configuration: {'NM_POLKIT_NOAUTH_GROUP': polkit_noauth_group},
-    )
-  endif
 endif
 
 if enable_firewalld_zone

data/org.freedesktop.NetworkManager.policy.in.in

@@ -117,8 +117,8 @@
     <message>System policy prevents modification of network settings for all users</message>
     <defaults>
       <allow_any>auth_admin_keep</allow_any>
-      <allow_inactive>auth_admin_keep</allow_inactive>
-      <allow_active>auth_admin_keep</allow_active>
+      <allow_inactive>@NM_MODIFY_SYSTEM_POLICY@</allow_inactive>
+      <allow_active>@NM_MODIFY_SYSTEM_POLICY@</allow_active>
     </defaults>
   </action>
 

data/org.freedesktop.NetworkManager.rules.in

@@ -1,17 +0,0 @@
-// NetworkManager authorizations/policy for the @NM_POLKIT_NOAUTH_GROUP@ group.
-//
-// DO NOT EDIT THIS FILE, it will be overwritten on update.
-//
-// Allow users in the @NM_POLKIT_NOAUTH_GROUP@ group to create system-wide connections without being
-// prompted for a password if they are in a local console.
-// This is optional and is only recommended to maintain backwards compatibility
-// in systems where it was already working in this way. It is discouraged
-// otherwise.
-
-polkit.addRule(function(action, subject) {
-    if (action.id == "org.freedesktop.NetworkManager.settings.modify.system" &&
-        subject.isInGroup("@NM_POLKIT_NOAUTH_GROUP@") &&
-        subject.local) {
-        return polkit.Result.YES;
-    }
-});

docs/api/network-manager-docs.xml

@@ -183,7 +183,6 @@
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Bridge.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Dummy.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Generic.xml"/>
-      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Geneve.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Hsr.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.IPTunnel.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Infiniband.xml"/>

docs/libnm/libnm-docs.xml

@@ -317,7 +317,6 @@ print ("NetworkManager version " + client.get_version())]]></programlisting></in
     <xi:include href="xml/nm-setting-dummy.xml"/>
     <xi:include href="xml/nm-setting-ethtool.xml"/>
     <xi:include href="xml/nm-setting-generic.xml"/>
-    <xi:include href="xml/nm-setting-geneve.xml"/>
     <xi:include href="xml/nm-setting-gsm.xml"/>
     <xi:include href="xml/nm-setting-hostname.xml"/>
     <xi:include href="xml/nm-setting-hsr.xml"/>
@@ -378,7 +377,6 @@ print ("NetworkManager version " + client.get_version())]]></programlisting></in
     <xi:include href="xml/nm-device-dummy.xml"/>
     <xi:include href="xml/nm-device-ethernet.xml"/>
     <xi:include href="xml/nm-device-generic.xml"/>
-    <xi:include href="xml/nm-device-geneve.xml"/>
     <xi:include href="xml/nm-device-hsr.xml"/>
     <xi:include href="xml/nm-device-infiniband.xml"/>
     <xi:include href="xml/nm-device-ip-tunnel.xml"/>

docs/libnm/libnm.svg

@@ -202,7 +202,7 @@
          sodipodi:role="line"
          x="19.192902"
          y="360.40768"
-         id="tspan3839">Retrieves, adds, and notifies of changes</tspan><tspan
+         id="tspan3839">Retrieves, adds, and notifes of changes</tspan><tspan
          sodipodi:role="line"
          x="19.192902"
          y="372.90768"

examples/C/glib/monitor-nm-state-gdbus.c

@@ -23,8 +23,8 @@ static const char *
 nm_state_to_string(NMState state)
 {
     switch (state) {
-    case NM_STATE_DISABLED:
-        return "network off";
+    case NM_STATE_ASLEEP:
+        return "asleep";
     case NM_STATE_CONNECTING:
         return "connecting";
     case NM_STATE_CONNECTED_LOCAL:

introspection/meson.build

@@ -15,7 +15,6 @@ ifaces = [
   'org.freedesktop.NetworkManager.Device.Bridge',
   'org.freedesktop.NetworkManager.Device.Dummy',
   'org.freedesktop.NetworkManager.Device.Generic',
-  'org.freedesktop.NetworkManager.Device.Geneve',
   'org.freedesktop.NetworkManager.Device.Hsr',
   'org.freedesktop.NetworkManager.Device.IPTunnel',
   'org.freedesktop.NetworkManager.Device.Infiniband',

introspection/org.freedesktop.NetworkManager.Device.Geneve.xml

@@ -1,63 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<node name="/">
-  <!--
-      org.freedesktop.NetworkManager.Device.Geneve:
-      @short_description: GENEVE Device.
-
-  -->
-  <interface name="org.freedesktop.NetworkManager.Device.Geneve">
-
-    <!--
-        Id:
-        @since: 1.58
-
-        The GENEVE Virtual Network Identifier (VNI).
-    -->
-    <property name="Id" type="u" access="read"/>
-
-    <!--
-        Remote:
-        @since: 1.58
-
-        The IP (v4 or v6) address of the remote endpoint to which GENEVE packets
-        are sent.
-    -->
-    <property name="Remote" type="s" access="read"/>
-
-    <!--
-        Tos:
-        @since: 1.58
-
-        The value to use in the IP ToS field for GENEVE packets sent to the remote
-        endpoint.
-    -->
-    <property name="Tos" type="y" access="read"/>
-
-    <!--
-        Ttl:
-        @since: 1.58
-
-        The value to use in the IP TTL field for GENEVE packets sent to the remote
-        endpoint.
-    -->
-    <property name="Ttl" type="i" access="read"/>
-
-    <!--
-        Df:
-        @since: 1.58
-
-        The Don't Fragment (DF) flag setting for GENEVE packets. 0 means unset,
-        1 means set, 2 means inherit from the underlying interface.
-    -->
-    <property name="Df" type="y" access="read"/>
-
-    <!--
-        DstPort:
-        @since: 1.58
-
-        Destination port for outgoing GENEVE packets.
-    -->
-    <property name="DstPort" type="q" access="read"/>
-
-  </interface>
-</node>

introspection/org.freedesktop.NetworkManager.Device.xml

@@ -175,9 +175,6 @@
         property has a similar effect to configuring the device as unmanaged via
         the keyfile.unmanaged-devices setting in NetworkManager.conf. Changes to
         this value are not persistent and lost after NetworkManager restart.
-
-        DEPRECATED: 1.58: Use the SetManaged method instead, which supports
-        additional features like persisting the state to disk
     -->
     <property name="Managed" type="b" access="readwrite"/>
 
@@ -394,20 +391,6 @@
     -->
     <method name="Delete"/>
 
-    <!--
-        SetManaged:
-        @managed:(<link linkend="NMDeviceManaged">NMDeviceManaged</link>) Whether the device is managed. Possible values are "no" (0), "yes" (1) and "reset" (2).
-        @flags: (<link linkend="NMDeviceManagedFlags">NMDeviceManagedFlags</link>) flags.
-        @since: 1.58
-
-        Set the managed state of the device. With the flags argument different
-        behaviors can be achieved, like storing the new managed state to disk.
-    -->
-    <method name="SetManaged">
-      <arg name="managed" type="u" direction="in"/>
-      <arg name="flags" type="u" direction="in"/>
-      </method>
-
     <!--
         StateChanged:
         @new_state: (<link linkend="NMDeviceState">NMDeviceState</link>) The new state of the device.

introspection/org.freedesktop.NetworkManager.Settings.Connection.xml

@@ -62,7 +62,7 @@
 
     <!--
         GetSecrets:
-        @setting_name: Name of the setting to return secrets for (mandatory).
+        @setting_name: Name of the setting to return secrets for. If empty, all secrets will be returned.
         @secrets: Nested settings maps containing secrets.
 
         Get the secrets belonging to this network configuration. Only secrets from

man/NetworkManager.conf.xml

@@ -83,11 +83,6 @@
     note that your distribution or other packages may drop configuration snippets for NetworkManager, such
     that they are part of the factory default.
     </para>
-    <para>
-    The options that are indicated as boolean can be set to one of these values:
-    <literal>yes</literal>, <literal>true</literal>, <literal>on</literal>, <literal>1</literal>,
-    <literal>no</literal>, <literal>false</literal>, <literal>off</literal>, <literal>0</literal>.
-    </para>
 
   </refsect1>
 
@@ -900,15 +895,11 @@ ipv6.ip6-privacy=0
         </varlistentry>
         <varlistentry>
           <term><varname>connection.mptcp-flags</varname></term>
-          <listitem><para>If unspecified, the fallback is 0x122 (<literal>"enabled,subflow,laminar"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
+          <listitem><para>If unspecified, the fallback is 0x22 (<literal>"enabled,subflow"</literal>). Note that if sysctl <literal>/proc/sys/net/mptcp/enabled</literal> is disabled, NetworkManager will still not configure endpoints.</para></listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>connection.dns-over-tls</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
-        </varlistentry>
-        <varlistentry>
-          <term><varname>connection.dnssec</varname></term>
-          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is its global setting and for all other plugins "no" (0).</para></listitem>
+          <listitem><para>If unspecified, the ultimate default values depends on the DNS plugin. With systemd-resolved the default currently is global setting and for all other plugins "no" (0).</para></listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>connection.stable-id</varname></term>
@@ -954,10 +945,6 @@ ipv6.ip6-privacy=0
           <term><varname>ipv4.forwarding</varname></term>
           <listitem><para>Whether to configure IPv4 sysctl interface-specific forwarding. When enabled, the interface will act as a router to forward the IPv4 packet from one interface to another. If left unspecified, "auto" is used, so NetworkManager sets the IPv4 forwarding if any shared connection is active, or it will use the kernel default value otherwise. The "ipv4.forwarding" property is ignored when "ipv4.method" is set to "shared", because forwarding is always enabled in this case. The accepted values are: 0: disabled, 1: enabled, 2: auto, 3: ignored (leave the forwarding unchanged).</para></listitem>
         </varlistentry>
-        <varlistentry>
-          <term><varname>ipv4.clat</varname></term>
-          <listitem><para>If left unspecified, defaults to "no".</para></listitem>
-        </varlistentry>
         <varlistentry>
           <term><varname>ipv4.routed-dns</varname></term>
         </varlistentry>
@@ -976,7 +963,7 @@ ipv6.ip6-privacy=0
         </varlistentry>
         <varlistentry>
           <term><varname>ipv4.dhcp-ipv6-only-preferred</varname></term>
-          <listitem><para>If left unspecified, it defaults to "auto".</para></listitem>
+          <listitem><para>If left unspecified, the "IPv6-only preferred" DHCPv4 option is disabled.</para></listitem>
         </varlistentry>
         <varlistentry>
           <term><varname>ipv4.dhcp-hostname-flags</varname></term>
@@ -1258,13 +1245,12 @@ managed=1
           <term><varname>managed</varname></term>
           <listitem>
             <para>
-              A boolean value specifying whether the device is
-              managed or not. A device can be marked as managed via
-              udev rules (ENV{NM_UNMANAGED}), or via setting plugins
-              (keyfile.unmanaged-devices).  This is yet another
-              way. Note that this configuration can be overruled at
-              runtime via D-Bus. Also, it has higher priority than
-              udev rules.
+              Whether the device is managed or not. A device can be
+              marked as managed via udev rules (ENV{NM_UNMANAGED}),
+              or via setting plugins (keyfile.unmanaged-devices).
+              This is yet another way. Note that this configuration
+              can be overruled at runtime via D-Bus. Also, it has
+              higher priority then udev rules.
             </para>
           </listitem>
         </varlistentry>
@@ -1333,27 +1319,9 @@ managed=1
             </para>
           </listitem>
         </varlistentry>
-        <varlistentry id="check-connectivity">
-          <term><varname>check-connectivity</varname></term>
-          <listitem>
-            <para>
-              A boolean value specifying whether NetworkManager will perform a connectivity check
-              for this device. Defaults to <literal>yes</literal>.
-            </para>
-            <para>
-              This setting does nothing if the connectivity check has been
-              disabled globally using the
-              <literal>connectivity.enabled</literal> setting.
-            </para>
-          </listitem>
-        </varlistentry>
         <varlistentry id="keep-configuration">
-          <term><varname>keep-configuration</varname></term>
+         <term><varname>keep-configuration</varname></term>
           <listitem>
-            <para>
-              A boolean value indicating whether the existing device
-              configuration is kept at startup.
-            </para>
             <para>
               On startup, NetworkManager tries to not interfere with
               interfaces that are already configured. It does so by
@@ -1450,16 +1418,16 @@ managed=1
           <term><varname>wifi.iwd.autoconnect</varname></term>
           <listitem>
             <para>
-              A boolean value. If <literal>wifi.backend</literal> is <literal>iwd</literal>,
-              setting this to <literal>false</literal> forces IWD's autoconnect mechanism to be
-              disabled for this device and connections will only be initiated by NetworkManager
-              whether commanded by a client or automatically.  Leaving it <literal>true</literal>
-              (default) stops NetworkManager from automatically initiating connections and allows
-              IWD to use its network ranking and scanning logic to decide the best networks to
-              autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
-              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings like
-              <literal>permissions</literal> or <literal>multi-connect</literal> may interfere with
-              IWD connection attempts.
+              If <literal>wifi.backend</literal> is <literal>iwd</literal>, setting this to
+              <literal>false</literal> forces IWD's autoconnect mechanism to be disabled for
+              this device and connections will only be initiated by NetworkManager whether
+              commanded by a client or automatically.  Leaving it <literal>true</literal> (default)
+              stops NetworkManager from automatically initiating connections and allows
+              IWD to use its network ranking and scanning logic to decide the best networks
+              to autoconnect to next.  Connections' <literal>autoconnect-priority</literal>,
+              <literal>autoconnect-retries</literal> settings will be ignored.  Other settings
+              like <literal>permissions</literal> or <literal>multi-connect</literal> may interfere
+              with IWD connection attempts.
             </para>
           </listitem>
         </varlistentry>
@@ -1518,7 +1486,7 @@ managed=1
       <variablelist>
         <varlistentry>
           <term><varname>enabled</varname></term>
-          <listitem><para>A boolean indicating whether connectivity check is enabled.
+          <listitem><para>Whether connectivity check is enabled.
           Note that to enable connectivity check, a valid uri must
           also be configured. The value defaults to true, but since
           the uri is unset by default, connectivity check may be disabled.
@@ -1572,12 +1540,8 @@ managed=1
 
   <refsect1>
     <title><literal>global-dns</literal> section</title>
-    <para>This section specifies DNS settings that are applied globally. They
-    override the equivalent options defined in individual connections, making
-    them to be ignored. If a [global-dns-domain-*] section is defined, but this
-    section isn't, an empty [global-dns] section is assumed, thus overwriting
-    connection specific configurations too.
-    </para>
+    <para>This section specifies DNS settings that are applied
+    globally, in addition to connection-specific ones.</para>
     <para>
       <variablelist>
         <varlistentry>
@@ -1637,10 +1601,6 @@ managed=1
     default domain "*". When the global DNS domains are valid, the
     name servers and domains defined globally override the ones from
     active connections.
-
-    If any global DNS domain is defined but a [global-dns] section isn't,
-    an empty [global-dns] section is assumed, thus overwriting its
-    connection specific configurations too.
     </para>
     <para>
       <variablelist>

man/nm-cloud-setup.xml

@@ -143,7 +143,7 @@
       script is to automatically pick up changes to the network.</para>
 
       <para>The dispatcher script will do nothing, unless the systemd service is
-      enabled. To use the dispatcher script you should therefore run
+      enabled. To use the dispatcher script you should therefor run
       <command>systemctl enable nm-cloud-setup.service</command> once.</para>
     </refsect2>
 
@@ -197,7 +197,7 @@
     <para>Enable debug logging by setting <literal>NM_CLOUD_SETUP_LOG</literal> environment variable to <literal>TRACE</literal>.</para>
     <para>In the common case where nm-cloud-setup is running as systemd service, this can be done via <command>systemctl edit nm-cloud-setup.service</command>
     and add <literal>Environment=NM_CLOUD_SETUP_LOG=TRACE</literal> to the <literal>[Service]</literal> section. Afterwards, the log can
-    be found in syslog via <literal>journalctl</literal>. You may also want to enable debug logging in NetworkManager as described
+    be found in syslog via <literal>journalctl</literal>. You may also want to enable debug logging in NetworkManager as descibed
     in the DEBUGGING section in <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
     manual. When sharing logs, it's best to share complete logs and not preemptively filter for NetworkManager or nm-cloud-setup logs.</para>
   </refsect1>

man/nm-initrd-generator.xml

@@ -162,7 +162,6 @@
             <member><option>rd.net.dns-backend</option></member>
             <member><option>rd.net.dns-resolve-mode</option></member>
             <member><option>rd.net.timeout.dhcp</option></member>
-            <member><option>rd.net.dhcp.client-id</option></member>
             <member><option>rd.net.dhcp.retry</option></member>
             <member><option>rd.net.dhcp.vendor-class</option></member>
             <member><option>rd.net.dhcp.dscp</option></member>
@@ -269,23 +268,6 @@
         </para>
       </listitem>
 
-      <listitem>
-        <para>NetworkManager supports the
-        <option>rd.net.dhcp.client-id</option>=<replaceable>interface</replaceable>:<replaceable>client-id</replaceable>
-        kernel command line option to set a specific DHCPv4 client identifier
-        for the given interface. The client-id can be specified either as a
-        sequence of bytes in hexadecimal format separated by dashes, or as the
-        character '@' followed by a non-empty string. When using the second
-        format, NetworkManager prepends a zero byte to the given string,
-        according to section 9.14 of RFC 2132. See the "ipv4.dhcp-client-id"
-        section of <link
-        linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>
-        for more details. Examples:
-        <literal>rd.net.dhcp.client-id=eth0:01-52-54-00-45-87-42</literal>,
-        <literal>rd.net.dhcp.client-id=enp1s0:@example.com</literal>.
-        </para>
-      </listitem>
-
     </itemizedlist>
   </refsect1>
 
@@ -296,7 +278,6 @@
 
   <refsect1 id='see_also'><title>See Also</title>
     <para><link linkend='dracut.cmdline'><citerefentry><refentrytitle>dracut.cmdline</refentrytitle><manvolnum>7</manvolnum></citerefentry></link>,
-    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>,
-    <link linkend='nm-settings-nmcli'><citerefentry><refentrytitle>nm-settings-nmcli</refentrytitle><manvolnum>5</manvolnum></citerefentry></link>.</para>
+    <link linkend='NetworkManager'><citerefentry><refentrytitle>NetworkManager</refentrytitle><manvolnum>8</manvolnum></citerefentry></link>.</para>
   </refsect1>
 </refentry>

man/nm-openvswitch.xml

@@ -91,10 +91,6 @@
       NetworkManager inserts the records for Bridges into OVSDB when a Port is
       attached.
       </para>
-
-      <para>Known limitation: when the last NetworkManager's owned port is removed,
-      the bridge is removed too, even if there are other externally attached ports.
-      </para>
     </refsect2>
 
     <refsect2>
@@ -106,10 +102,6 @@
       exist.  Ports can also be configured to do VLAN tagging or Bonding.
       NetworkManager inserts the records for Ports into OVSDB when an Interface is
       attached. Ports must be attached to a Bridge.</para>
-
-      <para>Known limitation: when the last NetworkManager's owned interface is removed,
-      the port is removed too, even if there are other externally attached interfaces.
-      </para>
     </refsect2>
 
     <refsect2>

man/nmcli.xml

@@ -1436,31 +1436,15 @@
           </arg>
           <arg>
             <option>managed</option>
-            <group>
-              <arg choice='plain'>--permanent</arg>
-              <arg choice='plain'>--permanent-only</arg>
-            </group>
             <group choice='req'>
               <arg choice='plain'>yes</arg>
               <arg choice='plain'>no</arg>
-              <arg choice='plain'>up</arg>
-              <arg choice='plain'>down</arg>
-              <arg choice='plain'>reset</arg>
             </group>
           </arg>
         </term>
 
         <listitem>
           <para>Set device properties.</para>
-
-          <para>The <option>managed</option> property accepts a <option>--permanent</option>
-          option to persist the managed state to disk, and not only in runtime. With
-          <option>--permanent-only</option> only the permanent managed state is set, and not the
-          runtime managed state. The special values <option>up</option> and <option>down</option>
-          can be used to set the administrative state of the device at the same time as the runtime
-          managed state. The <option>reset</option> value clears the explicit managed setting, and
-          with <option>--permanent</option> or <option>--permanent-only</option> it also removes
-          the persisted managed setting.</para>
         </listitem>
       </varlistentry>
 
@@ -1734,7 +1718,6 @@
             <group choice='req'>
               <arg choice='plain'>a</arg>
               <arg choice='plain'>bg</arg>
-              <arg choice='plain'>6GHz</arg>
             </group>
           </arg>
           <arg><option>channel</option> <replaceable>channel</replaceable></arg>
@@ -1868,9 +1851,9 @@
           connections with an option of restoring the network configuration to a
           known good state in case of an error.</para>
 
-          <para>If a list of interface names is specified, the checkpoint is
-          taken only on the specified devices. Otherwise a checkpoint is taken for
-          all devices.</para>
+          <para>If the a list of interface names is specified, the checkpoint is
+          taken, the checkpoint is takes only on the specified devices. Otherwise
+          a checkpoint is taken for all devices.</para>
 
           <para>Currently the timeout defaults to 15 seconds. This may change in
           a future version.</para>

meson.build

@@ -5,48 +5,23 @@ project(
 # NOTE: When incrementing version also add corresponding
 #       NM_VERSION_x_y_z macros in
 #       "src/libnm-core-public/nm-version-macros.h.in"
-  version: '1.57.4-dev',
+  version: '1.55.3',
   license: 'GPL2+',
   default_options: [
     'buildtype=debugoptimized',
     'c_std=gnu11',
     'warning_level=2' # value "2" will add "-Wall" and "-Wextra" to the compiler flags
   ],
-  meson_version: '>= 0.56.0',
+  meson_version: '>= 0.53.0',
 )
 
 nm_name = meson.project_name()
+
 nm_version = meson.project_version()
-
-version_and_suffix = nm_version.split('-')
-version_array = version_and_suffix[0].split('.')
-if version_and_suffix.length() == 2
-  version_suffix = version_and_suffix[1]
-else
-  assert(version_and_suffix.length() == 1)
-  version_suffix = ''
-endif
-
-# In the C API we encode the version in 90+ scheme (1.56-rc1 = 1.55.90, rc2 = .91, etc)
-if version_suffix == '' or version_suffix == 'dev'
-  assert(version_array.length() == 3)
-  nm_major_version = version_array[0].to_int()
-  nm_minor_version = version_array[1].to_int()
-  nm_micro_version = version_array[2].to_int()
-elif version_suffix.startswith('rc')
-  assert(version_array.length() == 2)
-  nm_major_version = version_array[0].to_int()
-  nm_minor_version = version_array[1].to_int() - 1
-  nm_micro_version = version_suffix.substring(2).to_int() + 89
-else
-  error('Invalid suffix: ' + version_suffix)
-endif
-
-if nm_minor_version % 2 == 1 and version_suffix == ''
-  error('Expected a "-dev" or "-rc" suffix')
-elif nm_minor_version %2 == 0 and version_suffix != ''
-  error('Unexpected "' + version_suffix + '" suffix')
-endif
+version_array = nm_version.split('.')
+nm_major_version = version_array[0].to_int()
+nm_minor_version = version_array[1].to_int()
+nm_micro_version = version_array[2].to_int()
 
 nm_id_prefix = 'NM'
 
@@ -296,8 +271,7 @@ config_h.set10('WITH_JANSSON', jansson_dep.found())
 jansson_msg = 'no'
 if jansson_dep.found()
   jansson_libdir = jansson_dep.get_variable(pkgconfig: 'libdir')
-  jansson_sysroot = meson.is_cross_build() ? meson.get_external_property('sys_root', '') : ''
-  res = run_command(find_program('eu-readelf', 'readelf'), '-d', jansson_sysroot + join_paths(jansson_libdir, 'libjansson.so'), check: false)
+  res = run_command(find_program('eu-readelf', 'readelf'), '-d', join_paths(jansson_libdir, 'libjansson.so'), check: false)
   jansson_soname = ''
   foreach line: res.stdout().split('\n')
     if line.strip().contains('SONAME')
@@ -353,17 +327,12 @@ config_h.set10('WITH_CONFIG_PLUGIN_IFUPDOWN', enable_ifupdown)
 config_h.set_quoted('NM_DIST_VERSION', dist_version)
 
 enable_wifi = get_option('wifi')
-config_h.set10('WITH_WIFI', enable_wifi)
 
 enable_iwd = get_option('iwd')
 assert((not enable_iwd) or enable_wifi, 'Enabling iwd support requires Wi-Fi support as well')
 config_h.set10('WITH_IWD', enable_iwd)
 
-wext = get_option('wext')
-if wext == 'true'
-  error('Wireless Extensions support is deprecated and will be removed in the future. Use -Dwext=force to keep using it')
-endif
-enable_wext = (wext == 'force')
+enable_wext = get_option('wext')
 config_h.set10('HAVE_WEXT', enable_wext)
 
 # Checks for libdl - on certain platforms its part of libc
@@ -413,14 +382,6 @@ if install_systemdunitdir and systemd_systemdsystemunitdir == ''
   systemd_systemdsystemunitdir = systemd_dep.get_variable(pkgconfig: 'systemdsystemunitdir', pkgconfig_define: ['rootprefix', nm_prefix])
 endif
 
-systemd_systemdsystemgeneratordir = get_option('systemdsystemgeneratordir')
-install_systemdgeneratordir = (systemd_systemdsystemgeneratordir != 'no')
-
-if install_systemdgeneratordir and systemd_systemdsystemgeneratordir == ''
-  assert(systemd_dep.found(), 'systemd required but not found, please provide a valid systemd user generator dir or disable it')
-  systemd_systemdsystemgeneratordir = systemd_dep.get_variable(pkgconfig: 'systemdsystemgeneratordir', pkgconfig_define: ['rootprefix', nm_prefix])
-endif
-
 enable_systemd_journal = get_option('systemd_journal')
 if enable_systemd_journal
   assert(libsystemd_dep.found(), 'Missing systemd-journald support')
@@ -515,15 +476,18 @@ if enable_selinux
 endif
 config_h.set10('HAVE_SELINUX', enable_selinux)
 
-# CLAT support
-enable_clat = get_option('clat')
-if enable_clat
-  libbpf = dependency('libbpf', version: '>= 1.3.0', required: false)
-  assert(libbpf.found(), 'You must have libbpf >= 1.3.0 installed to build. Use -Dclat=false to disable use of it')
-  libndp_dep = dependency('libndp', version: '>= 1.9', required: false)
-  assert(libndp_dep.found(), 'You must have libndp >= 1.9 installed to build with CLAT support. Use -Dclat=false to disable it')
+# eBPF support
+ebpf_opt = get_option('ebpf')
+# 'auto' means 'false', because there are still issues.
+if ebpf_opt != 'true'
+  enable_ebpf = false
+else
+  enable_ebpf = true
+  if not cc.has_header('linux/bpf.h')
+    assert(ebpf_opt != 'true', 'eBPF requires kernel support')
+    enable_ebpf = false
+  endif
 endif
-config_h.set10('HAVE_CLAT', enable_clat)
 
 # libaudit support
 libaudit = get_option('libaudit')
@@ -543,14 +507,12 @@ if enable_teamdctl
   libteamdctl_dep = dependency('libteamdctl', version: '>= 1.9')
   assert(libteamdctl_dep.found(), 'You must have libteamdctl installed to build. Use -Dteamdctl=false to disable it')
 endif
-config_h.set10('WITH_TEAMDCTL', enable_teamdctl)
 
 # polkit
 enable_polkit = get_option('polkit')
 if enable_polkit
   # FIXME: policydir should be relative to `datadir`, not `prefix`. Fixed in https://gitlab.freedesktop.org/polkit/polkit/merge_requests/2
-  polkit_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
-  polkit_rulesdir = join_paths(fs.parent(polkit_policydir), 'rules.d')
+  polkit_gobject_policydir = dependency('polkit-gobject-1').get_variable(pkgconfig: 'policydir', pkgconfig_define: ['prefix', nm_prefix])
 endif
 
 config_auth_polkit_default = get_option('config_auth_polkit_default')
@@ -560,12 +522,6 @@ endif
 config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default)
 
 enable_modify_system = get_option('modify_system')
-if enable_modify_system
-  # FIXME: remove this after everyone has stopped using modify_system
-  error('modify_system=true is no longer allowed due to security reasons')
-endif
-
-polkit_noauth_group = get_option('polkit_noauth_group')
 
 polkit_agent_helper_1_path = get_option('polkit_agent_helper_1')
 foreach p : [ '/usr/libexec/polkit-agent-helper-1',
@@ -660,7 +616,6 @@ if enable_modem_manager
   endif
   config_h.set_quoted('MOBILE_BROADBAND_PROVIDER_INFO_DATABASE', mobile_broadband_provider_info_database)
 endif
-config_h.set10('WITH_WWAN', enable_modem_manager)
 
 # Bluez5 DUN support
 enable_bluez5_dun = get_option('bluez5_dun')
@@ -960,6 +915,7 @@ endif
 test_args = [
   '--called-from-make',
   build_root,
+  '',
   enable_valgrind ? valgrind_path : '',
   enable_valgrind ? valgrind_suppressions_path : '',
   '--launch-dbus=auto',
@@ -998,6 +954,7 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED',                 ', '.join(config_dhcp_c
 data_conf.set('NM_MAJOR_VERSION',                        nm_major_version)
 data_conf.set('NM_MICRO_VERSION',                        nm_micro_version)
 data_conf.set('NM_MINOR_VERSION',                        nm_minor_version)
+data_conf.set('NM_MODIFY_SYSTEM_POLICY',                 (enable_modify_system ? 'yes' : 'auth_admin_keep'))
 data_conf.set('NM_VERSION',                              nm_version)
 data_conf.set('VERSION',                                 nm_version)
 data_conf.set('bindir',                                  nm_bindir)
@@ -1113,7 +1070,6 @@ output = '\nSystem paths:\n'
 output += '  prefix: ' + nm_prefix + '\n'
 output += '  exec_prefix: ' + nm_prefix + '\n'
 output += '  systemdunitdir: ' + systemd_systemdsystemunitdir + '\n'
-output += '  systemdgeneratordir: ' + systemd_systemdsystemgeneratordir + '\n'
 output += '  udev_dir: ' + udev_udevdir + '\n'
 output += '  nmbinary: ' + nm_pkgsbindir + '\n'
 output += '  nmconfdir: ' + nm_pkgconfdir + '\n'
@@ -1128,7 +1084,17 @@ output += '  dbus_conf_dir: ' + dbus_conf_dir + '\n'
 output += '\nPlatform:\n'
 output += '  session tracking: ' + ','.join(session_trackers) + '\n'
 output += '  suspend/resume: ' + suspend_resume + '\n'
-output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ', noauth_group: "' + polkit_noauth_group + '")\n'
+output += '  policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')'
+if enable_polkit
+  output += ' ('
+  if enable_modify_system
+    output += 'permissive'
+  else
+    output += 'restrictive'
+  endif
+  output += ' modify.system)'
+endif
+output += '\n'
 output += '  polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n'
 output += '  selinux: ' + enable_selinux.to_string() + '\n'
 output += '  systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
@@ -1156,7 +1122,6 @@ output += '  ofono: ' + enable_ofono.to_string() + '\n'
 output += '  concheck: ' + enable_concheck.to_string() + '\n'
 output += '  libteamdctl: ' + enable_teamdctl.to_string() + '\n'
 output += '  ovs: ' + enable_ovs.to_string() + '\n'
-output += '  clat: ' + enable_clat.to_string() + '\n'
 output += '  nmcli: ' + enable_nmcli.to_string() + '\n'
 output += '  nmtui: ' + enable_nmtui.to_string() + '\n'
 output += '  nm-cloud-setup: ' + enable_nm_cloud_setup.to_string() + '\n'
@@ -1193,5 +1158,6 @@ output +=      'have-nss: ' + crypto_nss_dep.found().to_string() + ')\n'
 output += '  sanitizers: ' + get_option('b_sanitize') + '\n'
 output += '  Mozilla Public Suffix List: ' + enable_libpsl.to_string() + '\n'
 output += '  vapi: ' + enable_vapi.to_string() + '\n'
+output += '  ebpf: ' + enable_ebpf.to_string() + '\n'
 output += '  readline: ' + with_readline + '\n'
 message(output)

meson_options.txt

@@ -1,6 +1,5 @@
 # system paths
 option('systemdsystemunitdir', type: 'string', value: '', description: 'Directory for systemd service files')
-option('systemdsystemgeneratordir', type: 'string', value: '', description: 'Directory for systemd generator files')
 option('system_ca_path', type: 'string', value: '/etc/ssl/certs', description: 'path to system CA certificates')
 option('udev_dir', type: 'string', value: '', description: 'Absolute path of the udev base directory. Set to \'no\' not to install the udev rule')
 option('dbus_conf_dir', type: 'string', value: '', description: 'where D-Bus system.d directory is')
@@ -19,8 +18,7 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'],
 option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support')
 option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.')
 option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.')
-option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)')
-option('polkit_noauth_group', type: 'string', value: '', description: 'Allow users of the selected group, typically sudo or wheel, to modify system connections without introducing a password (discouraged)')
+option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections')
 option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit')
 option('selinux', type: 'boolean', value: true, description: 'Build with SELinux')
 option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')
@@ -30,7 +28,7 @@ option('hostname_persist', type: 'combo', choices: ['default', 'suse', 'gentoo',
 option('libaudit', type: 'combo', choices: ['yes', 'yes-disabled-by-default', 'no'], value: 'yes', description: 'Build with audit daemon support. yes-disabled-by-default enables support, but disables it unless explicitly configured via NetworkManager.conf')
 
 # features
-option('wext', type: 'combo', choices: ['true', 'false', 'force' ], value: 'false', description: 'Enable or disable Linux Wireless Extensions (deprecated). wext support will be removed in a future release, don\'t rely on this.')
+option('wext', type: 'boolean', value: true, description: 'Enable or disable Linux Wireless Extensions')
 option('wifi', type: 'boolean', value: true, description: 'enable Wi-Fi support')
 option('iwd', type: 'boolean', value: false, description: 'enable iwd support (experimental)')
 option('ppp', type: 'boolean', value: true, description: 'enable PPP/PPPoE support')
@@ -46,11 +44,8 @@ option('nmcli', type: 'boolean', value: true, description: 'Build nmcli')
 option('nmtui', type: 'boolean', value: true, description: 'Build nmtui')
 option('nm_cloud_setup', type: 'boolean', value: true, description: 'Build nm-cloud-setup, a tool for automatically configuring networking in cloud')
 option('bluez5_dun', type: 'boolean', value: false, description: 'enable Bluez5 DUN support')
-option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support (deprecated)')
+option('ebpf', type: 'combo', choices: ['auto', 'true', 'false'], description: 'Enable eBPF support')
 option('nbft', type: 'boolean', value: true, description: 'Enable NBFT support in the initrd generator')
-option('clat', type: 'boolean', value: true, description: 'Build with CLAT support')
-option('bpf-compiler', type : 'combo', choices : ['auto', 'clang', 'gcc'],
-       description : 'compiler used to build BPF programs')
 
 # configuration plugins
 option('config_plugins_default', type: 'string', value: '', description: 'Default configuration option for main.plugins setting, used as fallback if the configuration option is unset')

po/LINGUAS

@@ -30,7 +30,6 @@ id
 it
 ja
 ka
-kk
 kn
 ko
 ku

po/POTFILES.in

@@ -1,18 +1,16 @@
 # List of source files containing translatable strings.
 # Please keep this file sorted alphabetically.
-data/org.freedesktop.NetworkManager.policy.in
+data/org.freedesktop.NetworkManager.policy.in.in
 src/core/NetworkManagerUtils.c
 src/core/devices/adsl/nm-device-adsl.c
 src/core/devices/bluetooth/nm-bluez-manager.c
 src/core/devices/bluetooth/nm-device-bt.c
-src/core/devices/nm-device.c
 src/core/devices/nm-device-6lowpan.c
 src/core/devices/nm-device-bond.c
 src/core/devices/nm-device-bridge.c
 src/core/devices/nm-device-dummy.c
 src/core/devices/nm-device-ethernet-utils.c
 src/core/devices/nm-device-ethernet.c
-src/core/devices/nm-device-geneve.c
 src/core/devices/nm-device-infiniband.c
 src/core/devices/nm-device-ip-tunnel.c
 src/core/devices/nm-device-loopback.c
@@ -48,7 +46,6 @@ src/libnm-client-impl/nm-device-bt.c
 src/libnm-client-impl/nm-device-dummy.c
 src/libnm-client-impl/nm-device-ethernet.c
 src/libnm-client-impl/nm-device-generic.c
-src/libnm-client-impl/nm-device-geneve.c
 src/libnm-client-impl/nm-device-hsr.c
 src/libnm-client-impl/nm-device-infiniband.c
 src/libnm-client-impl/nm-device-ip-tunnel.c
@@ -93,7 +90,6 @@ src/libnm-core-impl/nm-setting-connection.c
 src/libnm-core-impl/nm-setting-dcb.c
 src/libnm-core-impl/nm-setting-ethtool.c
 src/libnm-core-impl/nm-setting-generic.c
-src/libnm-core-impl/nm-setting-geneve.c
 src/libnm-core-impl/nm-setting-gsm.c
 src/libnm-core-impl/nm-setting-hsr.c
 src/libnm-core-impl/nm-setting-infiniband.c

po/ca.po

@@ -8,15 +8,14 @@
 # Lubomir Rintel <lkundrak@v3.sk>, 2016. #zanata
 # Lubomir Rintel <lkundrak@v3.sk>, 2017. #zanata
 # Thomas Haller <thaller@redhat.com>, 2017. #zanata
-# Jordi Mas i Hernàndez <jmas@softcatala.org>, 2025
 msgid ""
 msgstr ""
 "Project-Id-Version: NetworkManager\n"
 "Report-Msgid-Bugs-To: https://gitlab.freedesktop.org/NetworkManager/"
 "NetworkManager/issues\n"
 "POT-Creation-Date: 2023-06-16 15:26+0000\n"
-"PO-Revision-Date: 2025-09-28 00:07+0200\n"
-"Last-Translator: Jordi Mas i Hernàndez <jmas@softcatala.org>\n"
+"PO-Revision-Date: 2023-06-17 00:07+0200\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Catalan <tradgnome@softcatala.org>\n"
 "Language: ca\n"
 "MIME-Version: 1.0\n"
@@ -356,7 +355,7 @@ msgstr "Connexió WPAN"
 
 #: src/core/devices/team/nm-device-team.c:131
 msgid "Team connection"
-msgstr "Connexió d'equip"
+msgstr "Connexió equip"
 
 #: src/core/devices/wifi/nm-device-olpc-mesh.c:112 src/nmcli/devices.c:1400
 msgid "Mesh"
@@ -649,7 +648,7 @@ msgstr "Surt després de la configuració inicial"
 #: src/core/nm-config.c:639
 msgid "Don't become a daemon, and log to stderr"
 msgstr ""
-"No et converteixis en un dimoni, i envia el registre a la sortida d'error"
+"No et converteixis en un dimoni, i envia el registre a la sortida estàndard"
 
 #: src/core/nm-config.c:648
 msgid "An http(s) address for checking internet connectivity"
@@ -796,7 +795,7 @@ msgstr "La connexió no era una connexió Ethernet o PPPoE."
 
 #: src/libnm-client-impl/nm-device-ethernet.c:206
 msgid "The connection and device differ in S390 subchannels."
-msgstr "La connexió i el dispositiu difereixen als subcanals S390."
+msgstr "La connexió i el dispositiu difereixen als subcanals 5930."
 
 #: src/libnm-client-impl/nm-device-ethernet.c:223
 #, c-format
@@ -882,7 +881,7 @@ msgstr "La connexió no era una connexió tun."
 
 #: src/libnm-client-impl/nm-device-team.c:124
 msgid "The connection was not a team connection."
-msgstr "La connexió no era una connexió d'equip."
+msgstr "La connexió no era una connexió equip."
 
 #: src/libnm-client-impl/nm-device-tun.c:204
 msgid "The connection was not a tun connection."
@@ -1326,27 +1325,27 @@ msgstr ""
 
 #: src/libnm-core-impl/nm-keyfile.c:333
 msgid "ignoring missing number"
-msgstr "s'ignora el número faltant"
+msgstr "s'ignorarà el número faltant"
 
 #: src/libnm-core-impl/nm-keyfile.c:345
 #, c-format
 msgid "ignoring invalid number '%s'"
-msgstr "s'ignora el número «%s» no vàlid"
+msgstr "s'ignorarà el número «%s» no vàlid"
 
 #: src/libnm-core-impl/nm-keyfile.c:374
 #, c-format
 msgid "ignoring invalid %s address: %s"
-msgstr "s'ignora l'adreça %s no vàlida: %s"
+msgstr "s'ignorarà l'adreça %s no vàlida: %s"
 
 #: src/libnm-core-impl/nm-keyfile.c:420
 #, c-format
 msgid "ignoring invalid gateway '%s' for %s route"
-msgstr "s'ignora la passarel·la «%s» no vàlida per a la ruta %s"
+msgstr "s'ignorarà la passarel·la «%s» no vàlida per a la ruta %s"
 
 #: src/libnm-core-impl/nm-keyfile.c:442
 #, c-format
 msgid "ignoring invalid %s route: %s"
-msgstr "s'ignora la ruta %s no vàlida: %s"
+msgstr "s'ignorarà la ruta %s no vàlida: %s"
 
 #: src/libnm-core-impl/nm-keyfile.c:620
 #, c-format
@@ -1362,7 +1361,7 @@ msgstr "caràcter «%c» inesperat per a %s: «%s» (posició %td)"
 #, c-format
 msgid "unexpected character '%c' in prefix length for %s: '%s' (position %td)"
 msgstr ""
-"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)"
+"caràcter «%c» inesperat a la longitud de prefix %s: «%s» (posició %td)<"
 
 #: src/libnm-core-impl/nm-keyfile.c:669
 #, c-format
@@ -1414,11 +1413,11 @@ msgstr "s'ignorarà l'adreça %s no vàlida: %s"
 
 #: src/libnm-core-impl/nm-keyfile.c:1518
 msgid "ignoring invalid SSID"
-msgstr "s'ignora l'SSID no vàlida"
+msgstr "s'ignorarà l'SSID no vàlida"
 
 #: src/libnm-core-impl/nm-keyfile.c:1536
 msgid "ignoring invalid raw password"
-msgstr "s'ignora la contrasenya sense processar no vàlida"
+msgstr "s'ignorarà la contrasenya sense processar no vàlida"
 
 #: src/libnm-core-impl/nm-keyfile.c:1681
 msgid "invalid key/cert value"
@@ -1459,7 +1458,7 @@ msgstr "valor de paritat «%s» no vàlid"
 #: src/libnm-core-impl/nm-keyfile.c:1958 src/libnm-core-impl/nm-keyfile.c:3540
 #, c-format
 msgid "invalid setting: %s"
-msgstr "el paràmetre no és vàlid: %s"
+msgstr "el paràmetre no és vàlid: «%s»"
 
 #: src/libnm-core-impl/nm-keyfile.c:1978
 #, fuzzy, c-format
@@ -1974,7 +1973,7 @@ msgstr "file:// URI no és UTF-8 vàlida"
 
 #: src/libnm-core-impl/nm-setting-connection.c:1501
 msgid "invalid permissions not in format \"user:$UNAME[:]\""
-msgstr "els permisos no són vàlids, no estan en el format «user:$UNAME[:]"
+msgstr "els permisos no són vàlids, no estan en el format «user:$UNANE[:]"
 
 #: src/libnm-core-impl/nm-setting-connection.c:1530
 #, c-format
@@ -2087,7 +2086,7 @@ msgstr "«%s» no és un número"
 
 #: src/libnm-core-impl/nm-setting-gsm.c:479
 msgid "property is empty or wrong size"
-msgstr "la propietat és buida o de mida incorrecta"
+msgstr "la propietat és buda o de mida incorrecta"
 
 #: src/libnm-core-impl/nm-setting-gsm.c:492
 msgid "property must contain only digits"
@@ -2099,12 +2098,12 @@ msgstr "no es pot activar quan hi ha una configuració manual"
 
 #: src/libnm-core-impl/nm-setting-infiniband.c:215
 msgid "Must specify a P_Key if specifying parent"
-msgstr "S'ha d'especificar una P_Key si s'especifica el pare"
+msgstr "S'ha d'especificar una P-Key si s'especifica el pare"
 
 #: src/libnm-core-impl/nm-setting-infiniband.c:226
 msgid "InfiniBand P_Key connection did not specify parent interface name"
 msgstr ""
-"La connexió InfiniBand P_Key no ha especificat el nom de la interfície pare"
+"La connexió InfiniBand P_Key no ha especificat el nom de l'interfície pare"
 
 #: src/libnm-core-impl/nm-setting-infiniband.c:234
 msgid "the values 0 and 0x8000 are not allowed"
@@ -2157,12 +2156,12 @@ msgstr "Adreça IPv4 «%s» no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:106
 #, c-format
 msgid "Invalid IPv4 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv4 no vàlid"
+msgstr "Prefix «%u» d'adreça IPv4 no vàlida"
 
 #: src/libnm-core-impl/nm-setting-ip-config.c:107
 #, c-format
 msgid "Invalid IPv6 address prefix '%u'"
-msgstr "Prefix «%u» d'adreça IPv6 no vàlid"
+msgstr "Prefix «%u» d'adreça IPv6 no vàlida<"
 
 #: src/libnm-core-impl/nm-setting-ip-config.c:124
 #, c-format
@@ -2209,7 +2208,7 @@ msgstr "el prefix %s no és vàlid"
 #: src/libnm-core-impl/nm-setting-ip-config.c:1423
 #, c-format
 msgid "%s is not a valid route type"
-msgstr "%s no és un tipus de ruta vàlid"
+msgstr "%s no és un nom de ruta vàlid"
 
 #: src/libnm-core-impl/nm-setting-ip-config.c:1442
 #, fuzzy
@@ -2433,7 +2432,7 @@ msgstr "La ruta %d. no és vàlida"
 #: src/libnm-core-impl/nm-setting-ip-config.c:5638
 #, c-format
 msgid "invalid attribute: %s"
-msgstr "atribut no vàlid: %s"
+msgstr "atribut no vàlid: «%s»"
 
 #: src/libnm-core-impl/nm-setting-ip-config.c:5658
 #, c-format
@@ -4106,7 +4105,7 @@ msgstr "«%s» no és vàlid; useu [%s] or [%s]"
 #: src/libnmc-base/nm-client-utils.c:176
 #, c-format
 msgid "'%s' is not valid; use [%s], [%s] or [%s]"
-msgstr "«%s» no és vàlid, useu [%s], [%s] o [%s]"
+msgstr "«%s» no és vàld, useu [%s], [%s] o [%s]"
 
 #: src/libnmc-base/nm-client-utils.c:230
 #, c-format
@@ -4677,7 +4676,7 @@ msgstr "clau privada no vàlida"
 #, fuzzy, c-format
 msgid "Secrets are required to connect WireGuard VPN '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 
 #: src/libnmc-base/nm-secret-agent-simple.c:620
@@ -4699,7 +4698,7 @@ msgid ""
 "Passwords or encryption keys are required to access the wireless network "
 "'%s'."
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 
 #: src/libnmc-base/nm-secret-agent-simple.c:886
@@ -4710,7 +4709,7 @@ msgstr "Autenticació 802.1X de xarxa amb fil"
 #, fuzzy, c-format
 msgid "Secrets are required to access the wired network '%s'"
 msgstr ""
-"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sense "
+"Es requereixen contrasenyes o claus d'encriptació per accedir la xarxa sens "
 "fil «%s»."
 
 #: src/libnmc-base/nm-secret-agent-simple.c:893
@@ -5419,10 +5418,10 @@ msgid ""
 msgstr ""
 "Entreu els bytes com una llista de valors hexadecimals.\n"
 "S'accepten dos formats:\n"
-"(a) una cadena de dígits hexadecimals, on cada dos dígits representen un "
+"(a) una cadena de dígits exadecimals, on cada dos dígits representen un "
 "byte\n"
-"(b) una llista separada per espais de bytes escrits com a dígits hexadecimals "
-"(amb prefix opcional 0x/0X,i un 0 inicial opcional).\n"
+"(b) una llista separada per espais de bytes escrits com a dígits hexadecimas "
+"(amb prefix opcional 0x/0X,i un 0 inicial opcional). \n"
 "\n"
 "Exemples: ab0455a6ea3a74C2\n"
 "          ab 4 55 0xa6 ea 3a 74 C2\n"
@@ -5494,7 +5493,7 @@ msgstr "Demora cap endavant"
 #: src/libnmc-setting/nm-meta-setting-desc.c:5280
 #: src/nmtui/nmt-page-bridge.c:134
 msgid "Hello time"
-msgstr "Temps de benvinguda"
+msgstr "Temps de benviguda"
 
 #: src/libnmc-setting/nm-meta-setting-desc.c:5286
 #: src/nmtui/nmt-page-bridge.c:148
@@ -5568,7 +5567,7 @@ msgid ""
 msgstr ""
 "Entreu les connexions secundàries que s'haurien d'activar quan s'activa "
 "aquesta connexió. Les connexions es poden especificar o bé per UUID o per ID "
-"(nom). nmcli tradueix transparentment els noms a UUID. Noteu que el "
+"(nom). L'nmcli tradueix transparentment els noms a UUID. Noteu que el "
 "NetworkManager actualment sols dóna suport els VPN com a connexions "
 "secundàries.\n"
 "Els elements es poden separar per comes o espais.\n"
@@ -5677,7 +5676,7 @@ msgid ""
 "  priority [prio] [from [src]] [to [dst]], ,...\n"
 "\n"
 msgstr ""
-"Introduïu una llista de regles d'encaminament IPv4 amb el següent format:\n"
+"Introduïu una llista de regles d'encaminanent IPv4 amb el següent format:\n"
 "  priority [prioritat] [from [origen]] [to [destí]], ,...\n"
 "\n"
 "\n"
@@ -5697,7 +5696,7 @@ msgstr ""
 "configuració IPv6 \n"
 "és «auto» aquests servidors DNS s'annexen als que retorna (si retorna cap) "
 "la \n"
-"configuració automàtica. Els servidors DNS no es poden usar amb els mètodes "
+"configuració automatica. Els servidors DNS no es poden usar amb els métodes "
 "de \n"
 "configuracó DNS «shared» o «link-local», atès que no hi una xarxa superior. "
 "A tots\n"
@@ -8152,12 +8151,12 @@ msgstr ""
 "canonada (|) o un ampersand (&). El primer indica que l'element és opcional "
 "i el segon significa que és obligatori. Si hi ha algun element opcional, "
 "llavors la coincidència avalua a cert si almenys un dels elements opcionals "
-"coincideix (O lògica). Si hi ha elements obligatoris, llavors tots han de "
+"coincideix (O lògicà). Si hi ha elements obligatoris, llavors tots han de "
 "coincidir (I lògica). Per defecte, un element és opcional. Això significa "
 "que un element «foo» es comporta igual que «|foo». Un element també es pot "
 "invertir amb el símbol d'exclamació (!) entre el símbol de la canonada (o de "
 "l'ampersand) i abans del patró. Tingueu en compte que «!foo» és una drecera "
-"per al patró obligatori «&!foo». Finalment, es pot utilitzar una barra "
+"per al patró obligatòri «&!foo». Finalment, es pot utilitzar una barra "
 "inversa al començament de l'element (després dels caràcters especials "
 "opcionals) per no considerar-lo inici del patró. Per exemple, «\\!a» és una "
 "coincidència obligatòria per literalment «!a»."
@@ -10723,7 +10722,7 @@ msgstr "Error: «%s» no és una connexió activa.\n"
 
 #: src/nmcli/connections.c:3436
 msgid "Error: not all active connections found."
-msgstr "Error: No s'han trobat totes les connexions actives."
+msgstr "Error: No s'han trobar totes les connexions actives."
 
 #: src/nmcli/connections.c:3444
 msgid "Error: no active connection provided."
@@ -11042,7 +11041,7 @@ msgstr ""
 "Verifica si el paràmetre o la connexió és vàlida i es pot desar més tard.\n"
 "Indica valors no vàlids quan hi ha un error. Alguns errors es poden "
 "corregir\n"
-"automàticament amb l'opció «fix».\n"
+"automàticaent amb l'opció «fix».\n"
 "\n"
 "Exemples: nmcli> verify\n"
 "          nmcli> verify fix\n"
@@ -11064,7 +11063,7 @@ msgid ""
 msgstr ""
 "save [persistent|temporary]  :: desa la connexió\n"
 "\n"
-"Envia el perfil de la connexió al NetworkManager que o bé la desarà de forma\n"
+"Envia el perfil de la connexió al NetworManager que o bé la desarà de forma\n"
 "persistent o bé sols la mantindrà a la memòria. «desa» sense cap argument\n"
 "significa «desa de forma persistent».\n"
 "Noteu que un cop que deseu el perfile de forma persistent aquestes "
@@ -11486,7 +11485,7 @@ msgstr "Opció no vàlida de verificació: %s\n"
 #: src/nmcli/connections.c:8486
 #, c-format
 msgid "Verify setting '%s': %s\n"
-msgstr "Verifica el paràmetre «%s»: %s\n"
+msgstr "Verifica el paràmere «%s»: %s\n"
 
 #: src/nmcli/connections.c:8501
 #, c-format
@@ -11553,12 +11552,12 @@ msgstr "Error: no es pot activar la connexió: %s.\n"
 #: src/nmcli/connections.c:8679
 #, c-format
 msgid "Error: Failed to activate '%s' (%s) connection: %s\n"
-msgstr "Error: no s'ha pogut activar la connexió «%s» (%s): %s\n"
+msgstr "Error: no s'ha pogut desconnectar la connexió «%s» (%s): %s\n"
 
 #: src/nmcli/connections.c:8686
 msgid "Monitoring connection activation (press any key to continue)\n"
 msgstr ""
-"S'està supervisant l'activació de la connexió (premeu qualsevol tecla per "
+"S'està supervisant l'activació de la connexio (premeu qualsevol teclar per "
 "continuar)\n"
 
 #: src/nmcli/connections.c:8721
@@ -11583,7 +11582,7 @@ msgstr "Configuració actual del nmcli:\n"
 #: src/nmcli/connections.c:8753
 #, c-format
 msgid "Invalid configuration option '%s'; allowed [%s]\n"
-msgstr "Opció de configuració no vàlida: «%s»; es permet [%s]\n"
+msgstr "Opció de configuració no vàida: «%s»; es permet [%s]\n"
 
 #: src/nmcli/connections.c:8985
 #, fuzzy
@@ -12397,7 +12396,7 @@ msgstr "Error: no s'ha pogut afegir/activar la connexió nova: %s"
 #: src/nmcli/devices.c:2266
 #, c-format
 msgid "Error: Device activation failed: %s"
-msgstr "Error: no s'ha pogut activar el dispositiu: %s"
+msgstr "Error: no s'ha pogut activar el dispositu: %s"
 
 #: src/nmcli/devices.c:2322
 #, c-format
@@ -12604,7 +12603,7 @@ msgstr "Contrasenya: "
 #: src/nmcli/devices.c:4172
 #, c-format
 msgid "'%s' is not valid WPA PSK"
-msgstr "«%s» no és una WPA PSK vàlida"
+msgstr "«%s» no és una WPS PSK vàlida"
 
 #: src/nmcli/devices.c:4193
 #, c-format
@@ -13539,7 +13538,7 @@ msgstr "Error: s'esperava l'argument «%s», però s'ha proporcionat «%s»."
 #: src/nmcli/utils.c:315
 #, c-format
 msgid "Error: Unexpected argument '%s'"
-msgstr "Error: argument inesperat «%s»"
+msgstr "Error: argument inesperat «%s»."
 
 #: src/nmcli/utils.c:702
 #, fuzzy, c-format
@@ -13898,7 +13897,7 @@ msgstr "«%s» <"
 #. NB: the ordering/numbering here corresponds to NmtPageBondMonitoringMode
 #: src/nmtui/nmt-page-bond.c:92
 msgid "MII (recommended)"
-msgstr "MII (recomanat)"
+msgstr "MII (recomendat)"
 
 #: src/nmtui/nmt-page-bond.c:93
 msgid "ARP"
@@ -14544,7 +14543,7 @@ msgstr ""
 
 #: src/nmtui/nmtui-edit.c:394 src/nmtui/nmtui-edit.c:410
 msgid "New Connection"
-msgstr "Connexió nova"
+msgstr "Connexions nova"
 
 #: src/nmtui/nmtui-edit.c:452
 #, c-format

po/it.po

@@ -12596,7 +12596,7 @@ msgstr "Digitare «help» o «?» per i comandi disponibili."
 #. TRANSLATORS: do not translate 'print', leave it as it is
 #: src/nmcli/connections.c:9072
 msgid "Type 'print' to show all the connection properties."
-msgstr "Digitare «print» per mostrare tutte le proprietà della connessione."
+msgstr "Digitare «stampa» per mostrare tutte le proprietà della connessione."
 
 #. TRANSLATORS: do not translate 'describe', leave it as it is
 #: src/nmcli/connections.c:9075

src/core/NetworkManagerUtils.c

@@ -1495,10 +1495,11 @@ nm_utils_ip_route_attribute_to_platform(int                addr_family,
         r4->scope_inv = nm_platform_route_scope_inv(scope);
     }
 
-    /* For IPv4 routes in kernel, the onlink flag is per-nexthop (rtnh_flags).
-     * Here we set the flag on r_rtm_flags which represents the first nexthop's
-     * flags. For ECMP routes, each nexthop carries its own onlink flag, so
-     * routes with different onlink settings per-nexthop can be merged. */
+    /* Note that for IPv4 routes in kernel, the onlink flag can be set for
+     * each next hop separately (rtnh_flags). Not for NetworkManager. We can
+     * only merge routes as ECMP routes (when setting a weight) if they all
+     * share the same onlink flag. See NM_PLATFORM_IP_ROUTE_CMP_TYPE_ECMP_ID.
+     * That simplifies the code. */
     GET_ATTR(NM_IP_ROUTE_ATTRIBUTE_ONLINK, onlink, BOOLEAN, boolean, FALSE);
     r->r_rtm_flags = ((onlink) ? (unsigned) RTNH_F_ONLINK : 0u);
 

src/core/bpf/clat.h

@@ -1,30 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-#ifndef __NAT64_H__
-#define __NAT64_H__
-
-#include <linux/in6.h>
-
-struct clat_config {
-    struct in6_addr local_v6;
-    struct in6_addr pref64;
-    struct in_addr  local_v4;
-    unsigned        pref64_len;
-};
-
-struct clat_stats {
-    /* egress: v4 to v6 */
-    __u64 egress_tcp;
-    __u64 egress_udp;
-    __u64 egress_icmp;
-    __u64 egress_other;
-    __u64 egress_dropped;
-    /* ingress: v6 to v4 */
-    __u64 ingress_tcp;
-    __u64 ingress_udp;
-    __u64 ingress_icmp;
-    __u64 ingress_other;
-    __u64 ingress_fragment;
-    __u64 ingress_dropped;
-};
-
-#endif

src/core/bpf/meson.build

@@ -1,239 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1+
-
-# Ripped from systemd: https://github.com/systemd/systemd/pull/20429
-
-if not enable_clat
-  subdir_done()
-endif
-
-bpf_compiler = get_option('bpf-compiler')
-clang_found = false
-clang_supports_bpf = false
-bpf_gcc_found = false
-bpftool_strip = false
-
-if bpf_compiler == 'clang' or bpf_compiler == 'auto'
-  # Support 'versioned' clang/llvm-strip binaries, as seen on Debian/Ubuntu
-  # (like clang-10/llvm-strip-10)
-  if meson.is_cross_build() or cc.get_id() != 'clang' or cc.cmd_array()[0].contains('afl-clang') or cc.cmd_array()[0].contains('hfuzz-clang')
-    r = find_program('clang',
-                     version : '>= 10.0.0')
-    clang_found = r.found()
-    if clang_found
-      if meson.version().version_compare('>= 0.55')
-        clang = r.full_path()
-      else
-        clang = r.path()
-      endif
-    endif
-  else
-    clang_found = true
-    clang = cc.cmd_array()
-  endif
-
-  if clang_found
-    # Check if 'clang -target bpf' is supported.
-    clang_supports_bpf = run_command(clang, '-target', 'bpf', '--print-supported-cpus', check : false).returncode() == 0
-  endif
-elif bpf_compiler == 'gcc' or bpf_compiler == 'auto'
-  bpf_gcc = find_program('bpf-gcc',
-                         'bpf-none-gcc',
-                         'bpf-unknown-none-gcc',
-                         version : '>= 13.1.0')
-  bpf_gcc_found = bpf_gcc.found()
-endif
-
-if bpf_compiler == 'auto'
-  if clang_supports_bpf and bpf_gcc_found
-    # Both supported, prefer the one matching our compiler:
-    if cc.get_id() == 'gcc'
-      bpf_compiler = 'gcc'
-    else
-      # Default to clang if we don't know this compiler
-      bpf_compiler = 'clang'
-    endif
-  elif clang_supports_bpf
-    bpf_compiler = 'clang'
-  elif bpf_gcc_found
-    bpf_compiler = 'clang'
-  endif
-endif
-
-if clang_supports_bpf or bpf_gcc_found
-  # Debian installs this in /usr/sbin/ which is not in $PATH.
-  # We check for 'bpftool' first, honouring $PATH, and in /usr/sbin/ for Debian.
-  # We use 'bpftool gen object' subcommand for bpftool strip, it was added by d80b2fcbe0a023619e0fc73112f2a02c2662f6ab (v5.13).
-  bpftool = find_program('bpftool',
-                         '/usr/sbin/bpftool',
-                         required : bpf_compiler == 'gcc',
-                         version : bpf_compiler == 'gcc' ? '>= 7.0.0' : '>= 5.13.0')
-
-  if bpftool.found()
-    bpftool_strip = true
-  elif bpf_compiler == 'clang'
-    # We require the 'bpftool gen skeleton' subcommand, it was added by 985ead416df39d6fe8e89580cc1db6aa273e0175 (v5.6).
-    bpftool = find_program('bpftool',
-                           '/usr/sbin/bpftool',
-                           required : true,
-                           version : '>= 5.6.0')
-  endif
-
-  # We use `llvm-strip` as a fallback if `bpftool gen object` strip support is not available.
-  if not bpftool_strip and bpftool.found() and clang_supports_bpf
-    if not meson.is_cross_build()
-      llvm_strip_bin = run_command(clang, '--print-prog-name', 'llvm-strip',
-                                   check : true).stdout().strip()
-    else
-      llvm_strip_bin = 'llvm-strip'
-    endif
-    llvm_strip = find_program(llvm_strip_bin,
-                              required : true,
-                              version : '>= 10.0.0')
-  endif
-else
-  error('clat support was enabled but couldn\'t find a suitable BPF compiler!')
-endif
-
-bpf_clang_flags = [
-  '-std=gnu17',
-  '-Wunused',
-  '-Wimplicit-fallthrough',
-  '-Wno-compare-distinct-pointer-types',
-  '-fno-stack-protector',
-  '-O2',
-  '-target',
-  'bpf',
-  '-g',
-  '-c',
-]
-
-bpf_gcc_flags = [
-  '-std=gnu17',
-  '-Wunused',
-  '-Wimplicit-fallthrough',
-  '-fno-stack-protector',
-  '-fno-ssa-phiopt',
-  '-O2',
-  '-mcpu=v3',
-  '-mco-re',
-  '-gbtf',
-  '-c',
-]
-
-clang_arch_flag = '-D__@0@__'.format(host_machine.cpu_family())
-
-libbpf_include_dir = dependency('libbpf').get_variable(pkgconfig : 'includedir')
-
-# Generate defines that are appropriate to tell the compiler what architecture
-# we're compiling for. By default we just map meson's cpu_family to __<cpu_family>__.
-# This dictionary contains the exceptions where this doesn't work.
-#
-# C.f. https://mesonbuild.com/Reference-tables.html#cpu-families
-# and src/basic/missing_syscall_def.h.
-cpu_arch_defines = {
-  'ppc'         : ['-D__powerpc__', '-D__TARGET_ARCH_powerpc'],
-  'ppc64'       : ['-D__powerpc64__', '-D__TARGET_ARCH_powerpc', '-D_CALL_ELF=2'],
-  'riscv32'     : ['-D__riscv', '-D__riscv_xlen=32', '-D__TARGET_ARCH_riscv'],
-  'riscv64'     : ['-D__riscv', '-D__riscv_xlen=64', '-D__TARGET_ARCH_riscv'],
-  'x86'         : ['-D__i386__', '-D__TARGET_ARCH_x86'],
-  's390x'       : ['-D__s390__', '-D__s390x__', '-D__TARGET_ARCH_s390'],
-
-  # For arm, assume hardware fp is available.
-  'arm'         : ['-D__arm__', '-D__ARM_PCS_VFP', '-D__TARGET_ARCH_arm'],
-  'loongarch64' : ['-D__loongarch__', '-D__loongarch_grlen=64', '-D__TARGET_ARCH_loongarch']
-}
-
-bpf_arch_flags = cpu_arch_defines.get(host_machine.cpu_family(),
-                                      ['-D__@0@__'.format(host_machine.cpu_family())])
-if bpf_compiler == 'gcc'
-  bpf_arch_flags += ['-m' + host_machine.endian() + '-endian']
-endif
-
-bpf_o_unstripped_cmd = []
-if bpf_compiler == 'clang'
-  bpf_o_unstripped_cmd += [
-    clang,
-    bpf_clang_flags,
-    bpf_arch_flags,
-  ]
-elif bpf_compiler == 'gcc'
-  bpf_o_unstripped_cmd += [
-    bpf_gcc,
-    bpf_gcc_flags,
-    bpf_arch_flags,
-  ]
-endif
-
-bpf_o_unstripped_cmd += ['-I.']
-
-if cc.get_id() == 'gcc' or meson.is_cross_build()
-  if cc.get_id() != 'gcc'
-    warning('Cross compiler is not gcc. Guessing the target triplet for bpf likely fails.')
-  endif
-  target_triplet_cmd = run_command(cc.cmd_array(), '-print-multiarch', check: false)
-else
-  # clang does not support -print-multiarch (D133170) and its -dump-machine
-  # does not match multiarch. Query gcc instead.
-  target_triplet_cmd = run_command('gcc', '-print-multiarch', check: false)
-endif
-
-if target_triplet_cmd.returncode() == 0
-  target_triplet = target_triplet_cmd.stdout().strip()
-  bpf_o_unstripped_cmd += [
-    '-isystem',
-    '/usr/include/@0@'.format(target_triplet)
-  ]
-endif
-
-bpf_o_unstripped_cmd += [
-  '-idirafter',
-  libbpf_include_dir,
-  '@INPUT@',
-  '-o',
-  '@OUTPUT@'
-]
-
-if bpftool_strip
-  bpf_o_cmd = [
-    bpftool,
-    'gen',
-    'object',
-    '@OUTPUT@',
-    '@INPUT@'
-  ]
-elif bpf_compiler == 'clang'
-  bpf_o_cmd = [
-    llvm_strip,
-    '-g',
-    '@INPUT@',
-    '-o',
-    '@OUTPUT@'
-  ]
-endif
-
-skel_h_cmd = [
-  bpftool,
-  'g',
-  's',
-  '@INPUT@'
-]
-
-clat_bpf_o_unstripped = custom_target(
-  'clat.bpf.unstripped.o',
-  input : 'clat.bpf.c',
-  output : 'clat.bpf.unstripped.o',
-  command : bpf_o_unstripped_cmd)
-
-clat_bpf_o = custom_target(
-  'clat.bpf.o',
-  input : clat_bpf_o_unstripped,
-  output : 'clat.bpf.o',
-  command : bpf_o_cmd)
-
-clat_skel_h = custom_target(
-  'clat.skel.h',
-  input : clat_bpf_o,
-  output : 'clat.skel.h',
-  command : skel_h_cmd,
-  capture : true)
-

src/core/devices/nm-device-bond.c

@@ -52,12 +52,12 @@
         NM_SETTING_BOND_OPTION_PACKETS_PER_SLAVE, NM_SETTING_BOND_OPTION_PRIMARY_RESELECT, \
         NM_SETTING_BOND_OPTION_RESEND_IGMP, NM_SETTING_BOND_OPTION_USE_CARRIER,            \
         NM_SETTING_BOND_OPTION_XMIT_HASH_POLICY, NM_SETTING_BOND_OPTION_NUM_GRAT_ARP,      \
-        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY
+        NM_SETTING_BOND_OPTION_PEER_NOTIF_DELAY, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX,    \
+        NM_SETTING_BOND_OPTION_LACP_ACTIVE
 
-#define OPTIONS_REAPPLY_FULL                                                        \
-    OPTIONS_REAPPLY_SUBSET, NM_SETTING_BOND_OPTION_ACTIVE_SLAVE,                    \
-        NM_SETTING_BOND_OPTION_ARP_IP_TARGET, NM_SETTING_BOND_OPTION_NS_IP6_TARGET, \
-        NM_SETTING_BOND_OPTION_ARP_MISSED_MAX
+#define OPTIONS_REAPPLY_FULL                                     \
+    OPTIONS_REAPPLY_SUBSET, NM_SETTING_BOND_OPTION_ACTIVE_SLAVE, \
+        NM_SETTING_BOND_OPTION_ARP_IP_TARGET, NM_SETTING_BOND_OPTION_NS_IP6_TARGET
 
 /*****************************************************************************/
 
@@ -502,8 +502,6 @@ _platform_lnk_bond_init_from_setting(NMSettingBond *s_bond, NMPlatformLnkBond *p
     props->lp_interval_has      = props->lp_interval != 1;
     props->tlb_dynamic_lb_has   = NM_IN_SET(props->mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB);
     props->lacp_active_has      = NM_IN_SET(props->mode, NM_BOND_MODE_8023AD);
-    props->arp_missed_max_has =
-        !NM_IN_SET(props->mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB, NM_BOND_MODE_8023AD);
 }
 
 static void
@@ -910,8 +908,6 @@ reapply_connection(NMDevice *device, NMConnection *con_old, NMConnection *con_ne
     set_bond_arp_ip_targets(device, s_bond);
 
     set_bond_attrs_or_default(device, s_bond, NM_MAKE_STRV(OPTIONS_REAPPLY_SUBSET));
-    if (!NM_IN_SET(mode, NM_BOND_MODE_TLB, NM_BOND_MODE_ALB, NM_BOND_MODE_8023AD))
-        set_bond_attr_or_default(device, s_bond, NM_SETTING_BOND_OPTION_ARP_MISSED_MAX);
 
     _balance_slb_setup(self, con_new);
 }

src/core/devices/nm-device-ethernet.c

@@ -629,17 +629,10 @@ build_supplicant_config(NMDeviceEthernet *self, GError **error)
     mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                    nm_device_get_ifindex(NM_DEVICE(self)));
 
-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
-                                      nm_utils_get_connection_first_permissions_user(connection));
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);
 
     security = nm_connection_get_setting_802_1x(connection);
-    if (!nm_supplicant_config_add_setting_8021x(config,
-                                                security,
-                                                con_uuid,
-                                                mtu,
-                                                TRUE,
-                                                nm_device_get_private_files(NM_DEVICE(self)),
-                                                error)) {
+    if (!nm_supplicant_config_add_setting_8021x(config, security, con_uuid, mtu, TRUE, error)) {
         g_prefix_error(error, "802-1x-setting: ");
         g_clear_object(&config);
     }
@@ -707,9 +700,6 @@ supplicant_iface_start(NMDeviceEthernet *self)
     NMDeviceEthernetPrivate            *priv   = NM_DEVICE_ETHERNET_GET_PRIVATE(self);
     gs_unref_object NMSupplicantConfig *config = NULL;
     gs_free_error GError               *error  = NULL;
-    NMActRequest                       *request;
-    NMActiveConnection                 *controller_ac;
-    NMDevice                           *controller;
 
     config = build_supplicant_config(self, &error);
     if (!config) {
@@ -724,16 +714,6 @@ supplicant_iface_start(NMDeviceEthernet *self)
     }
 
     nm_supplicant_interface_disconnect(priv->supplicant.iface);
-
-    /* Tell the supplicant in which bridge the interface is */
-    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
-        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
-        && (controller = nm_active_connection_get_device(controller_ac))
-        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
-    } else
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
-
     nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
     return TRUE;
 }

src/core/devices/nm-device-factory.c

@@ -412,7 +412,6 @@ nm_device_factory_manager_load_factories(NMDeviceFactoryManagerFactoryFunc callb
     _ADD_INTERNAL(nm_dummy_device_factory_get_type);
     _ADD_INTERNAL(nm_ethernet_device_factory_get_type);
     _ADD_INTERNAL(nm_generic_device_factory_get_type);
-    _ADD_INTERNAL(nm_geneve_device_factory_get_type);
     _ADD_INTERNAL(nm_hsr_device_factory_get_type);
     _ADD_INTERNAL(nm_infiniband_device_factory_get_type);
     _ADD_INTERNAL(nm_ip_tunnel_device_factory_get_type);

src/core/devices/nm-device-geneve.c

@@ -1,487 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-/*
- * Copyright (C) 2026 Red Hat, Inc.
- */
-
-#include "src/core/nm-default-daemon.h"
-
-#include "nm-manager.h"
-#include "nm-device-geneve.h"
-
-#include "libnm-core-intern/nm-core-internal.h"
-#include "nm-act-request.h"
-#include "nm-device-private.h"
-#include "nm-setting-geneve.h"
-#include "libnm-platform/nm-platform.h"
-#include "nm-device-factory.h"
-
-#define _NMLOG_DEVICE_TYPE NMDeviceGeneve
-#include "nm-device-logging.h"
-
-NM_GOBJECT_PROPERTIES_DEFINE(NMDeviceGeneve,
-                             PROP_ID,
-                             PROP_REMOTE,
-                             PROP_TOS,
-                             PROP_TTL,
-                             PROP_DF,
-                             PROP_DST_PORT, );
-
-typedef struct {
-    NMPlatformLnkGeneve props;
-} NMDeviceGenevePrivate;
-
-struct _NMDeviceGeneve {
-    NMDevice              parent;
-    NMDeviceGenevePrivate _priv;
-};
-
-struct _NMDeviceGeneveClass {
-    NMDeviceClass parent;
-};
-
-G_DEFINE_TYPE(NMDeviceGeneve, nm_device_geneve, NM_TYPE_DEVICE)
-
-#define NM_DEVICE_GENEVE_GET_PRIVATE(self) \
-    _NM_GET_PRIVATE(self, NMDeviceGeneve, NM_IS_DEVICE_GENEVE, NMDevice)
-
-/*****************************************************************************/
-
-static NMDeviceCapabilities
-get_generic_capabilities(NMDevice *dev)
-{
-    return NM_DEVICE_CAP_IS_SOFTWARE;
-}
-
-static void
-update_properties(NMDevice *device)
-{
-    NMDeviceGeneve            *self;
-    NMDeviceGenevePrivate     *priv;
-    const NMPlatformLink      *plink;
-    const NMPlatformLnkGeneve *props;
-    int                        ifindex;
-
-    g_return_if_fail(NM_IS_DEVICE_GENEVE(device));
-    self = NM_DEVICE_GENEVE(device);
-    priv = NM_DEVICE_GENEVE_GET_PRIVATE(self);
-
-    ifindex = nm_device_get_ifindex(device);
-    g_return_if_fail(ifindex > 0);
-    props = nm_platform_link_get_lnk_geneve(nm_device_get_platform(device), ifindex, &plink);
-
-    if (!props) {
-        _LOGW(LOGD_PLATFORM, "could not get GENEVE properties");
-        return;
-    }
-
-    g_object_freeze_notify((GObject *) device);
-
-#define CHECK_PROPERTY_CHANGED(field, prop)      \
-    G_STMT_START                                 \
-    {                                            \
-        if (priv->props.field != props->field) { \
-            priv->props.field = props->field;    \
-            _notify(self, prop);                 \
-        }                                        \
-    }                                            \
-    G_STMT_END
-
-#define CHECK_PROPERTY_CHANGED_IN6ADDR(field, prop)                                 \
-    G_STMT_START                                                                    \
-    {                                                                               \
-        if (memcmp(&priv->props.field, &props->field, sizeof(props->field)) != 0) { \
-            priv->props.field = props->field;                                       \
-            _notify(self, prop);                                                    \
-        }                                                                           \
-    }                                                                               \
-    G_STMT_END
-
-    CHECK_PROPERTY_CHANGED(id, PROP_ID);
-    CHECK_PROPERTY_CHANGED(remote, PROP_REMOTE);
-    CHECK_PROPERTY_CHANGED_IN6ADDR(remote6, PROP_REMOTE);
-    CHECK_PROPERTY_CHANGED(tos, PROP_TOS);
-    CHECK_PROPERTY_CHANGED(ttl, PROP_TTL);
-    CHECK_PROPERTY_CHANGED(df, PROP_DF);
-    CHECK_PROPERTY_CHANGED(dst_port, PROP_DST_PORT);
-
-    g_object_thaw_notify((GObject *) device);
-}
-
-static void
-link_changed(NMDevice *device, const NMPlatformLink *pllink)
-{
-    NM_DEVICE_CLASS(nm_device_geneve_parent_class)->link_changed(device, pllink);
-    update_properties(device);
-}
-
-static void
-unrealize_notify(NMDevice *device)
-{
-    NMDeviceGeneve        *self = NM_DEVICE_GENEVE(device);
-    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(self);
-    guint                  i;
-
-    NM_DEVICE_CLASS(nm_device_geneve_parent_class)->unrealize_notify(device);
-
-    memset(&priv->props, 0, sizeof(NMPlatformLnkGeneve));
-
-    for (i = 1; i < _PROPERTY_ENUMS_LAST; i++)
-        g_object_notify_by_pspec(G_OBJECT(self), obj_properties[i]);
-}
-
-static gboolean
-create_and_realize(NMDevice              *device,
-                   NMConnection          *connection,
-                   NMDevice              *parent,
-                   const NMPlatformLink **out_plink,
-                   GError               **error)
-{
-    const char         *iface = nm_device_get_iface(device);
-    NMPlatformLnkGeneve props = {};
-    NMSettingGeneve    *s_geneve;
-    const char         *str;
-    int                 r;
-
-    s_geneve = nm_connection_get_setting_geneve(connection);
-    g_return_val_if_fail(s_geneve, FALSE);
-
-    props.id = nm_setting_geneve_get_id(s_geneve);
-
-    str = nm_setting_geneve_get_remote(s_geneve);
-    if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.remote)
-        && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.remote6)) {
-        return nm_assert_unreachable_val(FALSE);
-    }
-    props.tos      = nm_setting_geneve_get_tos(s_geneve);
-    props.ttl      = nm_setting_geneve_get_ttl(s_geneve);
-    props.df       = nm_setting_geneve_get_df(s_geneve);
-    props.dst_port = nm_setting_geneve_get_destination_port(s_geneve);
-
-    r = nm_platform_link_geneve_add(nm_device_get_platform(device), iface, &props, out_plink);
-    if (r < 0) {
-        g_set_error(error,
-                    NM_DEVICE_ERROR,
-                    NM_DEVICE_ERROR_CREATION_FAILED,
-                    "Failed to create geneve interface '%s' for '%s': %s",
-                    iface,
-                    nm_connection_get_id(connection),
-                    nm_strerror(r));
-        return FALSE;
-    }
-
-    return TRUE;
-}
-
-static gboolean
-address_matches(const char *candidate, in_addr_t addr4, struct in6_addr *addr6)
-{
-    NMIPAddr candidate_addr;
-    int      addr_family;
-
-    if (!candidate)
-        return addr4 == 0u && IN6_IS_ADDR_UNSPECIFIED(addr6);
-
-    if (!nm_inet_parse_bin(AF_UNSPEC, candidate, &addr_family, &candidate_addr))
-        return FALSE;
-
-    if (!nm_ip_addr_equal(addr_family,
-                          &candidate_addr,
-                          NM_IS_IPv4(addr_family) ? (gpointer) &addr4 : addr6))
-        return FALSE;
-
-    if (NM_IS_IPv4(addr_family))
-        return IN6_IS_ADDR_UNSPECIFIED(addr6);
-    else
-        return addr4 == 0u;
-}
-
-static gboolean
-check_connection_compatible(NMDevice     *device,
-                            NMConnection *connection,
-                            gboolean      check_properties,
-                            GError      **error)
-{
-    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(device);
-    NMSettingGeneve       *s_geneve;
-
-    if (!NM_DEVICE_CLASS(nm_device_geneve_parent_class)
-             ->check_connection_compatible(device, connection, check_properties, error))
-        return FALSE;
-
-    if (check_properties && nm_device_is_real(device)) {
-        s_geneve = nm_connection_get_setting_geneve(connection);
-
-        if (priv->props.id != nm_setting_geneve_get_id(s_geneve)) {
-            nm_utils_error_set_literal(error,
-                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                       "geneve id mismatches");
-            return FALSE;
-        }
-
-        if (!address_matches(nm_setting_geneve_get_remote(s_geneve),
-                             priv->props.remote,
-                             &priv->props.remote6)) {
-            nm_utils_error_set_literal(error,
-                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                       "geneve remote address mismatches");
-            return FALSE;
-        }
-
-        if (priv->props.dst_port != nm_setting_geneve_get_destination_port(s_geneve)) {
-            nm_utils_error_set_literal(error,
-                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                       "geneve destination port mismatches");
-            return FALSE;
-        }
-
-        if (priv->props.tos != nm_setting_geneve_get_tos(s_geneve)) {
-            nm_utils_error_set_literal(error,
-                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                       "geneve TOS mismatches");
-            return FALSE;
-        }
-
-        if (priv->props.ttl != nm_setting_geneve_get_ttl(s_geneve)) {
-            nm_utils_error_set_literal(error,
-                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                       "geneve TTL mismatches");
-            return FALSE;
-        }
-
-        if (priv->props.df != nm_setting_geneve_get_df(s_geneve)) {
-            nm_utils_error_set_literal(error,
-                                       NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                       "geneve DF mismatches");
-            return FALSE;
-        }
-    }
-
-    return TRUE;
-}
-
-static gboolean
-complete_connection(NMDevice            *device,
-                    NMConnection        *connection,
-                    const char          *specific_object,
-                    NMConnection *const *existing_connections,
-                    GError             **error)
-{
-    NMSettingGeneve *s_geneve;
-
-    nm_utils_complete_generic(nm_device_get_platform(device),
-                              connection,
-                              NM_SETTING_GENEVE_SETTING_NAME,
-                              existing_connections,
-                              NULL,
-                              _("Geneve connection"),
-                              NULL,
-                              NULL);
-
-    s_geneve = nm_connection_get_setting_geneve(connection);
-    if (!s_geneve) {
-        g_set_error_literal(error,
-                            NM_DEVICE_ERROR,
-                            NM_DEVICE_ERROR_INVALID_CONNECTION,
-                            "A 'geneve' setting is required.");
-        return FALSE;
-    }
-
-    return TRUE;
-}
-
-static void
-update_connection(NMDevice *device, NMConnection *connection)
-{
-    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(device);
-    NMSettingGeneve *s_geneve   = _nm_connection_ensure_setting(connection, NM_TYPE_SETTING_GENEVE);
-    char             sbuf[NM_INET_ADDRSTRLEN];
-
-    if (priv->props.id != nm_setting_geneve_get_id(s_geneve))
-        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_ID, priv->props.id, NULL);
-
-    /* Handle remote (IPv4 or IPv6) */
-    if (priv->props.remote) {
-        g_object_set(s_geneve,
-                     NM_SETTING_GENEVE_REMOTE,
-                     nm_inet4_ntop(priv->props.remote, sbuf),
-                     NULL);
-    } else if (memcmp(&priv->props.remote6, &in6addr_any, sizeof(in6addr_any))) {
-        g_object_set(s_geneve,
-                     NM_SETTING_GENEVE_REMOTE,
-                     nm_inet6_ntop(&priv->props.remote6, sbuf),
-                     NULL);
-    }
-
-    if (priv->props.dst_port != nm_setting_geneve_get_destination_port(s_geneve))
-        g_object_set(G_OBJECT(s_geneve),
-                     NM_SETTING_GENEVE_DESTINATION_PORT,
-                     priv->props.dst_port,
-                     NULL);
-
-    if (priv->props.tos != nm_setting_geneve_get_tos(s_geneve))
-        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_TOS, priv->props.tos, NULL);
-
-    if (priv->props.ttl != nm_setting_geneve_get_ttl(s_geneve))
-        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_TTL, priv->props.ttl, NULL);
-
-    if (priv->props.df != nm_setting_geneve_get_df(s_geneve))
-        g_object_set(G_OBJECT(s_geneve), NM_SETTING_GENEVE_DF, priv->props.df, NULL);
-}
-
-static void
-get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
-{
-    NMDeviceGenevePrivate *priv = NM_DEVICE_GENEVE_GET_PRIVATE(object);
-
-    switch (prop_id) {
-    case PROP_ID:
-        g_value_set_uint(value, priv->props.id);
-        break;
-    case PROP_REMOTE:
-        if (priv->props.remote)
-            g_value_take_string(value, nm_inet4_ntop_dup(priv->props.remote));
-        else if (!IN6_IS_ADDR_UNSPECIFIED(&priv->props.remote6))
-            g_value_take_string(value, nm_inet6_ntop_dup(&priv->props.remote6));
-        break;
-    case PROP_TOS:
-        g_value_set_uchar(value, priv->props.tos);
-        break;
-    case PROP_TTL:
-        g_value_set_uchar(value, priv->props.ttl);
-        break;
-    case PROP_DF:
-        g_value_set_uint(value, priv->props.df);
-        break;
-    case PROP_DST_PORT:
-        g_value_set_uint(value, priv->props.dst_port);
-        break;
-    default:
-        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
-        break;
-    }
-}
-
-/*****************************************************************************/
-
-static void
-nm_device_geneve_init(NMDeviceGeneve *self)
-{}
-
-static const NMDBusInterfaceInfoExtended interface_info_device_geneve = {
-    .parent = NM_DEFINE_GDBUS_INTERFACE_INFO_INIT(
-        NM_DBUS_INTERFACE_DEVICE_GENEVE,
-        .properties = NM_DEFINE_GDBUS_PROPERTY_INFOS(
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Id", "u", NM_DEVICE_GENEVE_ID),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Remote", "s", NM_DEVICE_GENEVE_REMOTE),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tos", "y", NM_DEVICE_GENEVE_TOS),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Ttl", "y", NM_DEVICE_GENEVE_TTL),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Df", "u", NM_DEVICE_GENEVE_DF),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("DstPort",
-                                                           "q",
-                                                           NM_DEVICE_GENEVE_DST_PORT), ), ),
-};
-
-static void
-nm_device_geneve_class_init(NMDeviceGeneveClass *klass)
-{
-    GObjectClass      *object_class      = G_OBJECT_CLASS(klass);
-    NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS(klass);
-    NMDeviceClass     *device_class      = NM_DEVICE_CLASS(klass);
-
-    object_class->get_property = get_property;
-
-    dbus_object_class->interface_infos = NM_DBUS_INTERFACE_INFOS(&interface_info_device_geneve);
-
-    device_class->connection_type_supported        = NM_SETTING_GENEVE_SETTING_NAME;
-    device_class->connection_type_check_compatible = NM_SETTING_GENEVE_SETTING_NAME;
-    device_class->link_types = NM_DEVICE_DEFINE_LINK_TYPES(NM_LINK_TYPE_GENEVE);
-
-    device_class->link_changed                = link_changed;
-    device_class->unrealize_notify            = unrealize_notify;
-    device_class->create_and_realize          = create_and_realize;
-    device_class->check_connection_compatible = check_connection_compatible;
-    device_class->complete_connection         = complete_connection;
-    device_class->get_generic_capabilities    = get_generic_capabilities;
-    device_class->update_connection           = update_connection;
-
-    obj_properties[PROP_ID] = g_param_spec_uint(NM_DEVICE_GENEVE_ID,
-                                                "",
-                                                "",
-                                                0,
-                                                G_MAXUINT32,
-                                                0,
-                                                G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
-
-    obj_properties[PROP_REMOTE] = g_param_spec_string(NM_DEVICE_GENEVE_REMOTE,
-                                                      "",
-                                                      "",
-                                                      NULL,
-                                                      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
-
-    obj_properties[PROP_TOS] = g_param_spec_uchar(NM_DEVICE_GENEVE_TOS,
-                                                  "",
-                                                  "",
-                                                  0,
-                                                  255,
-                                                  0,
-                                                  G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
-
-    obj_properties[PROP_TTL] = g_param_spec_uchar(NM_DEVICE_GENEVE_TTL,
-                                                  "",
-                                                  "",
-                                                  0,
-                                                  255,
-                                                  0,
-                                                  G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
-
-    obj_properties[PROP_DF] = g_param_spec_uint(NM_DEVICE_GENEVE_DF,
-                                                "",
-                                                "",
-                                                0,
-                                                2,
-                                                0,
-                                                G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
-
-    obj_properties[PROP_DST_PORT] = g_param_spec_uint(NM_DEVICE_GENEVE_DST_PORT,
-                                                      "",
-                                                      "",
-                                                      0,
-                                                      65535,
-                                                      0,
-                                                      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
-
-    g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
-}
-
-/*****************************************************************************/
-
-#define NM_TYPE_GENEVE_DEVICE_FACTORY (nm_geneve_device_factory_get_type())
-#define NM_GENEVE_DEVICE_FACTORY(obj) \
-    (_NM_G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_GENEVE_DEVICE_FACTORY, NMGeneveDeviceFactory))
-
-static NMDevice *
-create_device(NMDeviceFactory      *factory,
-              const char           *iface,
-              const NMPlatformLink *plink,
-              NMConnection         *connection,
-              gboolean             *out_ignore)
-{
-    return g_object_new(NM_TYPE_DEVICE_GENEVE,
-                        NM_DEVICE_IFACE,
-                        iface,
-                        NM_DEVICE_TYPE_DESC,
-                        "Geneve",
-                        NM_DEVICE_DEVICE_TYPE,
-                        NM_DEVICE_TYPE_GENEVE,
-                        NM_DEVICE_LINK_TYPE,
-                        NM_LINK_TYPE_GENEVE,
-                        NULL);
-}
-
-NM_DEVICE_FACTORY_DEFINE_INTERNAL(
-    GENEVE,
-    Geneve,
-    geneve,
-    NM_DEVICE_FACTORY_DECLARE_LINK_TYPES(NM_LINK_TYPE_GENEVE)
-        NM_DEVICE_FACTORY_DECLARE_SETTING_TYPES(NM_SETTING_GENEVE_SETTING_NAME),
-    factory_class->create_device = create_device;);

src/core/devices/nm-device-geneve.h

@@ -1,33 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-/*
- * Copyright (C) 2026 Red Hat, Inc.
- */
-
-#ifndef __NETWORKMANAGER_DEVICE_GENEVE_H__
-#define __NETWORKMANAGER_DEVICE_GENEVE_H__
-
-#include "nm-device.h"
-
-#define NM_TYPE_DEVICE_GENEVE (nm_device_geneve_get_type())
-#define NM_DEVICE_GENEVE(obj) \
-    (_NM_G_TYPE_CHECK_INSTANCE_CAST((obj), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneve))
-#define NM_DEVICE_GENEVE_CLASS(klass) \
-    (G_TYPE_CHECK_CLASS_CAST((klass), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneveClass))
-#define NM_IS_DEVICE_GENEVE(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), NM_TYPE_DEVICE_GENEVE))
-#define NM_IS_DEVICE_GENEVE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass), NM_TYPE_DEVICE_GENEVE))
-#define NM_DEVICE_GENEVE_GET_CLASS(obj) \
-    (G_TYPE_INSTANCE_GET_CLASS((obj), NM_TYPE_DEVICE_GENEVE, NMDeviceGeneveClass))
-
-#define NM_DEVICE_GENEVE_ID       "id"
-#define NM_DEVICE_GENEVE_REMOTE   "remote"
-#define NM_DEVICE_GENEVE_TOS      "tos"
-#define NM_DEVICE_GENEVE_TTL      "ttl"
-#define NM_DEVICE_GENEVE_DF       "df"
-#define NM_DEVICE_GENEVE_DST_PORT "dst-port"
-
-typedef struct _NMDeviceGeneve      NMDeviceGeneve;
-typedef struct _NMDeviceGeneveClass NMDeviceGeneveClass;
-
-GType nm_device_geneve_get_type(void);
-
-#endif /* __NETWORKMANAGER_DEVICE_GENEVE_H__ */

src/core/devices/nm-device-hsr.c

@@ -116,51 +116,29 @@ create_and_realize(NMDevice              *device,
                    const NMPlatformLink **out_plink,
                    GError               **error)
 {
-    const char        *iface   = nm_device_get_iface(device);
-    nm_auto_free char *err_msg = NULL;
-    NMSettingHsr      *s_hsr;
-    NMPlatformLnkHsr   lnk = {};
-    int                r   = 0;
+    const char      *iface = nm_device_get_iface(device);
+    NMSettingHsr    *s_hsr;
+    NMPlatformLnkHsr lnk = {};
+    int              r;
 
     s_hsr = _nm_connection_get_setting(connection, NM_TYPE_SETTING_HSR);
-
     nm_assert(s_hsr);
 
     if (nm_setting_hsr_get_port1(s_hsr) != NULL)
         lnk.port1 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port1(s_hsr));
     if (nm_setting_hsr_get_port2(s_hsr) != NULL)
         lnk.port2 = nm_platform_link_get_ifindex(NM_PLATFORM_GET, nm_setting_hsr_get_port2(s_hsr));
-    if (nm_setting_hsr_get_interlink(s_hsr) != NULL) {
-        const char *ifname  = nm_setting_hsr_get_interlink(s_hsr);
-        int         ifindex = nm_platform_link_get_ifindex(NM_PLATFORM_GET, ifname);
-
-        if (ifindex <= 0) {
-            err_msg = g_strdup_printf("interlink port '%s' does not exist", ifname);
-            goto out;
-        }
-
-        lnk.interlink = ifindex;
-    }
-
-    lnk.multicast_spec   = nm_setting_hsr_get_multicast_spec(s_hsr);
-    lnk.prp              = nm_setting_hsr_get_prp(s_hsr);
-    lnk.protocol_version = nm_setting_hsr_get_protocol_version(s_hsr);
-
+    lnk.multicast_spec = nm_setting_hsr_get_multicast_spec(s_hsr);
+    lnk.prp            = nm_setting_hsr_get_prp(s_hsr);
     r = nm_platform_link_hsr_add(nm_device_get_platform(device), iface, &lnk, out_plink);
-
     if (r < 0) {
-        err_msg = g_strdup(nm_strerror(r) ?: "unknown");
-    }
-
-out:
-    if (err_msg) {
         g_set_error(error,
                     NM_DEVICE_ERROR,
                     NM_DEVICE_ERROR_CREATION_FAILED,
                     "Failed to create HSR interface '%s' for '%s': %s",
                     iface,
                     nm_connection_get_id(connection),
-                    err_msg);
+                    nm_strerror(r));
         return FALSE;
     }
 

src/core/devices/nm-device-macsec.c

@@ -201,8 +201,7 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
     mtu      = nm_platform_link_get_mtu(nm_device_get_platform(NM_DEVICE(self)),
                                    nm_device_get_ifindex(NM_DEVICE(self)));
 
-    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE,
-                                      nm_utils_get_connection_first_permissions_user(connection));
+    config = nm_supplicant_config_new(NM_SUPPL_CAP_MASK_NONE);
 
     s_macsec = nm_device_get_applied_setting(NM_DEVICE(self), NM_TYPE_SETTING_MACSEC);
 
@@ -228,13 +227,7 @@ build_supplicant_config(NMDeviceMacsec *self, GError **error)
 
     if (nm_setting_macsec_get_mode(s_macsec) == NM_SETTING_MACSEC_MODE_EAP) {
         s_8021x = nm_connection_get_setting_802_1x(connection);
-        if (!nm_supplicant_config_add_setting_8021x(config,
-                                                    s_8021x,
-                                                    con_uuid,
-                                                    mtu,
-                                                    TRUE,
-                                                    nm_device_get_private_files(NM_DEVICE(self)),
-                                                    error)) {
+        if (!nm_supplicant_config_add_setting_8021x(config, s_8021x, con_uuid, mtu, TRUE, error)) {
             g_prefix_error(error, "802-1x-setting: ");
             return NULL;
         }
@@ -440,9 +433,6 @@ supplicant_iface_start(NMDeviceMacsec *self)
     NMDeviceMacsecPrivate              *priv   = NM_DEVICE_MACSEC_GET_PRIVATE(self);
     gs_unref_object NMSupplicantConfig *config = NULL;
     gs_free_error GError               *error  = NULL;
-    NMActRequest                       *request;
-    NMActiveConnection                 *controller_ac;
-    NMDevice                           *controller;
 
     config = build_supplicant_config(self, &error);
     if (!config) {
@@ -455,16 +445,6 @@ supplicant_iface_start(NMDeviceMacsec *self)
     }
 
     nm_supplicant_interface_disconnect(priv->supplicant.iface);
-
-    /* Tell the supplicant in which bridge the interface is */
-    if ((request = nm_device_get_act_request(NM_DEVICE(self)))
-        && (controller_ac = nm_active_connection_get_controller(NM_ACTIVE_CONNECTION(request)))
-        && (controller = nm_active_connection_get_device(controller_ac))
-        && nm_device_get_device_type(controller) == NM_DEVICE_TYPE_BRIDGE) {
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, nm_device_get_iface(controller));
-    } else
-        nm_supplicant_interface_set_bridge(priv->supplicant.iface, NULL);
-
     nm_supplicant_interface_assoc(priv->supplicant.iface, config, supplicant_iface_assoc_cb, self);
     return TRUE;
 }

src/core/devices/nm-device-macvlan.c

@@ -468,12 +468,7 @@ static const NMDBusInterfaceInfoExtended interface_info_device_macvlan = {
             NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("NoPromisc",
                                                            "b",
                                                            NM_DEVICE_MACVLAN_NO_PROMISC),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tap", "b", NM_DEVICE_MACVLAN_TAP),
-            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE(
-                "Tab",
-                "b",
-                NM_DEVICE_MACVLAN_TAP,
-                .annotations = NM_GDBUS_ANNOTATION_INFO_LIST_DEPRECATED(), ), ), ),
+            NM_DEFINE_DBUS_PROPERTY_INFO_EXTENDED_READABLE("Tab", "b", NM_DEVICE_MACVLAN_TAP), ), ),
 };
 
 static void

src/core/devices/nm-device-private.h

@@ -115,6 +115,9 @@ gboolean nm_device_sysctl_ip_conf_set(NMDevice   *self,
 
 NML3ConfigData *nm_device_create_l3_config_data(NMDevice *self, NMIPConfigSource source);
 
+NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
+                                                                NMConnection *connection);
+
 void nm_device_ip_method_dhcp4_start(NMDevice *self);
 
 void nm_device_ip_method_autoconf6_start(NMDevice *self);
@@ -176,6 +179,4 @@ void nm_device_auth_request(NMDevice                      *self,
 
 void nm_device_link_properties_set(NMDevice *self, gboolean reapply);
 
-GHashTable *nm_device_get_private_files(NMDevice *self);
-
 #endif /* NM_DEVICE_PRIVATE_H */

src/core/devices/nm-device-utils.c

@@ -135,17 +135,13 @@ NM_UTILS_LOOKUP_STR_DEFINE(
     NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_LINK_NOT_INIT,
                              "unmanaged-link-not-init"),
     NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_QUITTING, "unmanaged-quitting"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_MANAGER_DISABLED,
-                             "unmanaged-nm-disabled"),
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_SLEEPING, "unmanaged-sleeping"),
     NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_CONF, "unmanaged-user-conf"),
     NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_EXPLICIT,
                              "unmanaged-user-explicit"),
     NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_SETTINGS,
                              "unmanaged-user-settings"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_NETWORKING_OFF, "networking-off"),
-    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE,
-                             "modem-no-operator-code"), );
+    NM_UTILS_LOOKUP_STR_ITEM(NM_DEVICE_STATE_REASON_UNMANAGED_USER_UDEV, "unmanaged-user-udev"), );
 
 NM_UTILS_LOOKUP_STR_DEFINE(nm_device_mtu_source_to_string,
                            NMDeviceMtuSource,
@@ -239,7 +235,7 @@ resolve_addr_helper_cb(GObject *source, GAsyncResult *result, gpointer user_data
     gs_free_error GError *error  = NULL;
     gs_free char         *output = NULL;
 
-    output = nm_utils_spawn_helper_finish_string(result, &error);
+    output = nm_utils_spawn_helper_finish(result, &error);
     if (nm_utils_error_is_cancelled(error))
         return;
 
@@ -278,7 +274,6 @@ resolve_addr_spawn_helper(ResolveAddrInfo *info, ResolveAddrService services)
     nm_inet_ntop(info->addr_family, &info->address, addr_str);
     _LOG2D(info, "start lookup via nm-daemon-helper using services: %s", str);
     nm_utils_spawn_helper(NM_MAKE_STRV("resolve-address", addr_str, str),
-                          FALSE,
                           g_task_get_cancellable(info->task),
                           resolve_addr_helper_cb,
                           info);

src/core/devices/nm-device-veth.c

@@ -53,7 +53,7 @@ update_properties(NMDevice *device)
     nm_device_parent_set_ifindex(device, peer_ifindex);
 
     peer = nm_device_parent_get_device(device);
-    if (peer && NM_IS_DEVICE_VETH(peer) && !nm_device_parent_get_device(peer))
+    if (peer && NM_IS_DEVICE_VETH(peer) && nm_device_parent_get_ifindex(peer) <= 0)
         update_properties(peer);
 }
 

src/core/devices/nm-device-vxlan.c

@@ -176,14 +176,14 @@ create_and_realize(NMDevice              *device,
     if (str) {
         if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.local)
             && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.local6))
-            return nm_assert_unreachable_val(FALSE);
+            return FALSE;
     }
 
     str = nm_setting_vxlan_get_remote(s_vxlan);
     if (str) {
         if (!nm_inet_parse_bin(AF_INET, str, NULL, &props.group)
             && !nm_inet_parse_bin(AF_INET6, str, NULL, &props.group6))
-            return nm_assert_unreachable_val(FALSE);
+            return FALSE;
     }
 
     props.tos          = nm_setting_vxlan_get_tos(s_vxlan);

src/core/devices/nm-device-wireguard.c

@@ -1672,57 +1672,6 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
     return ret;
 }
 
-static gboolean
-skip_peer_route(const NMIPAddr    *peer_addr,
-                guint              peer_addr_prefix,
-                int                addr_family,
-                NMSettingIPConfig *s_ip)
-{
-    guint num_addresses;
-    guint i;
-
-    /*
-     * If the allowed-ip subnet is already reachable on the interface via the
-     * prefix route of a static IP address, skip adding the peer route.
-     * We don't want to override the prefix route with a new one because the
-     * prefix route also specifies the correct source IP address.
-     *
-     * wg-quick does something similar here:
-     * https://git.zx2c4.com/wireguard-tools/tree/src/wg-quick/linux.bash?h=v1.0.20250521#n177
-     * The condition in wg-quick is a bit different because it checks that no
-     * duplicate route exists on the interface. We can't do exactly the same
-     * because here we don't have visibility on all the platform routes.
-     */
-
-    if (!s_ip)
-        return FALSE;
-
-    num_addresses = nm_setting_ip_config_get_num_addresses(s_ip);
-    for (i = 0; i < num_addresses; i++) {
-        NMIPAddr     setting_addr;
-        NMIPAddr     peer_addr_tmp;
-        guint        setting_prefix;
-        NMIPAddress *a;
-
-        peer_addr_tmp = *peer_addr;
-
-        a = nm_setting_ip_config_get_address(s_ip, i);
-        nm_ip_address_get_address_binary(a, &setting_addr);
-        setting_prefix = nm_ip_address_get_prefix(a);
-
-        if (setting_prefix > peer_addr_prefix)
-            continue;
-
-        nm_ip_addr_clear_host_address(addr_family, &setting_addr, NULL, setting_prefix);
-        nm_ip_addr_clear_host_address(addr_family, &peer_addr_tmp, NULL, setting_prefix);
-
-        if (nm_ip_addr_equal(addr_family, &peer_addr_tmp, &setting_addr))
-            return TRUE;
-    }
-
-    return FALSE;
-}
-
 static const NML3ConfigData *
 _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 {
@@ -1789,7 +1738,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 
         n_aips = nm_wireguard_peer_get_allowed_ips_len(peer);
         for (j = 0; j < n_aips; j++) {
-            NMSettingIPConfig *s_ip;
             NMPlatformIPXRoute rt;
             NMIPAddr           addrbin;
             const char        *aip;
@@ -1797,8 +1745,7 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
             int                prefix;
             guint32            rtable_coerced;
 
-            aip  = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
-            s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
+            aip = nm_wireguard_peer_get_allowed_ip(peer, j, &valid);
 
             if (!valid || !nm_inet_parse_with_prefix_bin(addr_family, aip, NULL, &addrbin, &prefix))
                 continue;
@@ -1807,6 +1754,9 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
                 prefix = (addr_family == AF_INET) ? 32 : 128;
 
             if (prefix == 0) {
+                NMSettingIPConfig *s_ip;
+
+                s_ip = nm_connection_get_setting_ip_config(connection, addr_family);
                 if (nm_setting_ip_config_get_never_default(s_ip))
                     continue;
             }
@@ -1819,9 +1769,6 @@ _get_dev2_ip_config(NMDeviceWireGuard *self, int addr_family)
 
             nm_ip_addr_clear_host_address(addr_family, &addrbin, NULL, prefix);
 
-            if (skip_peer_route(&addrbin, prefix, addr_family, s_ip))
-                continue;
-
             rtable_coerced = route_table_coerced;
 
             if (prefix == 0 && auto_default_route_enabled) {

src/core/devices/nm-device.h

@@ -581,8 +581,7 @@ void nm_device_copy_ip6_dns_config(NMDevice *self, NMDevice *from_device);
 /**
  * NMUnmanagedFlags:
  * @NM_UNMANAGED_NONE: placeholder value
- * @NM_UNMANAGED_MANAGER_DISABLED: %TRUE when unmanaged because NM is disabled.
- *   Currently, this happens when sleeping or with networking disabled.
+ * @NM_UNMANAGED_SLEEPING: %TRUE when unmanaged because NM is sleeping.
  * @NM_UNMANAGED_QUITTING: %TRUE when unmanaged because NM is shutting down.
  * @NM_UNMANAGED_PLATFORM_INIT: %TRUE when unmanaged because platform link not
  *   yet initialized. Unrealized device are also unmanaged for this reason.
@@ -611,11 +610,11 @@ typedef enum {
 
     /* these flags are authoritative. If one of them is set,
      * the device cannot be managed. */
-    NM_UNMANAGED_MANAGER_DISABLED = (1LL << 0),
-    NM_UNMANAGED_QUITTING         = (1LL << 1),
-    NM_UNMANAGED_PLATFORM_INIT    = (1LL << 2),
-    NM_UNMANAGED_USER_EXPLICIT    = (1LL << 3),
-    NM_UNMANAGED_USER_SETTINGS    = (1LL << 4),
+    NM_UNMANAGED_SLEEPING      = (1LL << 0),
+    NM_UNMANAGED_QUITTING      = (1LL << 1),
+    NM_UNMANAGED_PLATFORM_INIT = (1LL << 2),
+    NM_UNMANAGED_USER_EXPLICIT = (1LL << 3),
+    NM_UNMANAGED_USER_SETTINGS = (1LL << 4),
 
     /* These flags can be non-effective and be overwritten
      * by other flags. */
@@ -791,7 +790,6 @@ void     nm_device_update_permanent_hw_address(NMDevice *self, gboolean force_fr
 void     nm_device_update_dynamic_ip_setup(NMDevice *self, const char *reason);
 guint    nm_device_get_supplicant_timeout(NMDevice *self);
 
-gboolean nm_device_auth_retries_has_next(NMDevice *self);
 gboolean nm_device_auth_retries_try_next(NMDevice *self);
 
 gboolean nm_device_hw_addr_get_cloned(NMDevice     *self,
@@ -854,7 +852,14 @@ void nm_routing_rules_sync(NMConnection *applied_connection,
                            NMDevice *self,
                            NMNetns  *netns);
 
-NML3ConfigData *nm_device_create_l3_config_data_from_connection(NMDevice     *self,
-                                                                NMConnection *connection);
+NMSettingIPConfigForwarding nm_device_get_ipv4_forwarding(NMDevice *self);
+
+const char *nm_device_get_effective_ip_config_method(NMDevice *self, int addr_family);
+
+char *nm_device_sysctl_ip_conf_get(NMDevice *self, int addr_family, const char *property);
+
+gboolean nm_device_get_refresh_forwarding_done(NMDevice *self);
+
+void nm_device_set_refresh_forwarding_done(NMDevice *self, gboolean is_refresh_forwarding_done);
 
 #endif /* __NETWORKMANAGER_DEVICE_H__ */

src/core/devices/ovs/nm-ovsdb.c

@@ -1460,42 +1460,40 @@ _delete_interface(NMOvsdb *self, json_t *params, const char *ifname)
                 json_array_append_new(new_interfaces, json_pack("[s,s]", "uuid", interface_uuid));
             }
 
-            if (interfaces_changed && num_nm_interfaces == 0) {
-                /* We are deleting the last nm-interface of this port. Don't add it to "new_ports"
-                 * and set ports_changed=TRUE, so that it will be deleted. */
+            if (num_nm_interfaces == 0) {
+                /* The port no longer has any NM interface. Don't add it to "new_ports" and set
+                 * ports_changed=TRUE, so that it will be deleted. */
                 ports_changed = TRUE;
             } else {
-                /* Keep this port: it's still alive, or it's unrelated to the deleted interface */
-                json_array_append_new(new_ports, json_pack("[s,s]", "uuid", port_uuid));
-                if (ovs_port->connection_uuid)
-                    num_nm_ports++;
-
                 if (interfaces_changed) {
-                    /* This port is still alive, but an interface needs to be deleted from it */
+                    /* An interface needs to be deleted from this port */
                     _expect_port_interfaces(params, ovs_port->name, interfaces);
                     _set_port_interfaces(params, ovs_port->name, new_interfaces);
                 }
+                /* The port is still alive */
+                json_array_append_new(new_ports, json_pack("[s,s]", "uuid", port_uuid));
+                if (ovs_port->connection_uuid)
+                    num_nm_ports++;
             }
         }
 
-        if (ports_changed && num_nm_ports == 0) {
-            /* We are deleting the last nm-port of this bridge. Don't add it to "new_bridges"
-             * and set bridges_changed=TRUE, so that it will be deleted. */
+        if (num_nm_ports == 0) {
+            /* The bridge no longer has any NM port. Don't add it to "new_bridges" and set
+             * bridges_changed=TRUE, so that it will be deleted. */
             bridges_changed = TRUE;
         } else {
-            /* Keep this bridge: it's still alive, or it's unrelated to the deleted interface */
-            json_array_append_new(new_bridges, json_pack("[s,s]", "uuid", ovs_bridge->bridge_uuid));
-
             if (ports_changed) {
-                /* This bridge is still alive, but a port needs to be deleted from it */
+                /* A port needs to be deleted from this bridge */
                 _expect_bridge_ports(params, ovs_bridge->name, ports);
                 _set_bridge_ports(params, ovs_bridge->name, new_ports);
             }
+            /* The bridge is still alive */
+            json_array_append_new(new_bridges, json_pack("[s,s]", "uuid", ovs_bridge->bridge_uuid));
         }
     }
 
     if (bridges_changed) {
-        /* A bridge needs to be deleted */
+        /* A port needs to be deleted from this bridge */
         _expect_ovs_bridges(params, priv->db_uuid, bridges);
         _set_ovs_bridges(params, priv->db_uuid, new_bridges);
     }
@@ -1890,7 +1888,7 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
         == -1) {
         /* This doesn't really have to be an error; the key might
          * be missing if there really are no bridges present. */
-        _LOGD("monitor: bad update: %s", json_error.text);
+        _LOGD("Bad update: %s", json_error.text);
     }
 
     if (ovs) {
@@ -1936,12 +1934,12 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                              &unused))
                 continue;
 
-            _LOGT("monitor: %s: interface removed: type=%s, obj[iface:%s]%s%s",
-                  ovs_interface->name,
-                  ovs_interface->type,
+            _LOGT("obj[iface:%s]: removed an '%s' interface: %s%s%s",
                   key,
+                  ovs_interface->type,
+                  ovs_interface->name,
                   NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_interface->connection_uuid,
                                        ""));
             _signal_emit_device_removed(self,
@@ -1989,18 +1987,17 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 gs_free char *strtmp1 = NULL;
                 gs_free char *strtmp2 = NULL;
 
-                _LOGT(
-                    "monitor: %s: interface changed: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
-                    "other-config=%s",
-                    ovs_interface->name,
-                    type,
-                    key,
-                    NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                         ", connection=",
-                                         ovs_interface->connection_uuid,
-                                         ""),
-                    (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
-                    (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
+                _LOGT("obj[iface:%s]: changed an '%s' interface: %s%s%s, external-ids=%s, "
+                      "other-config=%s",
+                      key,
+                      type,
+                      ovs_interface->name,
+                      NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
+                                           ", ",
+                                           ovs_interface->connection_uuid,
+                                           ""),
+                      (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
+                      (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
             }
         } else {
             gs_free char *strtmp1 = NULL;
@@ -2016,17 +2013,17 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 .other_config    = g_steal_pointer(&other_config_arr),
             };
             g_hash_table_add(priv->interfaces, ovs_interface);
-            _LOGT("monitor: %s: interface added: type=%s, obj[iface:%s]%s%s, external-ids=%s, "
-                  "other-config=%s",
-                  ovs_interface->name,
-                  ovs_interface->type,
-                  key,
-                  NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
-                                       ", connection=",
-                                       ovs_interface->connection_uuid,
-                                       ""),
-                  (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
-                  (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
+            _LOGT(
+                "obj[iface:%s]: added an '%s' interface: %s%s%s, external-ids=%s, other-config=%s",
+                key,
+                ovs_interface->type,
+                ovs_interface->name,
+                NM_PRINT_FMT_QUOTED2(ovs_interface->connection_uuid,
+                                     ", ",
+                                     ovs_interface->connection_uuid,
+                                     ""),
+                (strtmp1 = _strdict_to_string(ovs_interface->external_ids)),
+                (strtmp2 = _strdict_to_string(ovs_interface->other_config)));
             _signal_emit_device_added(self,
                                       ovs_interface->name,
                                       NM_DEVICE_TYPE_OVS_INTERFACE,
@@ -2072,11 +2069,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
             if (!g_hash_table_steal_extended(priv->ports, &key, (gpointer *) &ovs_port, &unused))
                 continue;
 
-            _LOGT("monitor: %s: port removed: obj[port:%s]%s%s",
-                  ovs_port->name,
+            _LOGT("obj[port:%s]: removed a port: %s%s%s",
                   key,
+                  ovs_port->name,
                   NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_port->connection_uuid,
                                        ""));
             _signal_emit_device_removed(self, ovs_port->name, NM_DEVICE_TYPE_OVS_PORT, NULL);
@@ -2123,16 +2120,15 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 gs_free char *strtmp1 = NULL;
                 gs_free char *strtmp2 = NULL;
 
-                _LOGT(
-                    "monitor: %s: port changed: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
-                    ovs_port->name,
-                    key,
-                    NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                         ", connection=",
-                                         ovs_port->connection_uuid,
-                                         ""),
-                    (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
-                    (strtmp2 = _strdict_to_string(ovs_port->other_config)));
+                _LOGT("obj[port:%s]: changed a port: %s%s%s, external-ids=%s, other-config=%s",
+                      key,
+                      ovs_port->name,
+                      NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
+                                           ", ",
+                                           ovs_port->connection_uuid,
+                                           ""),
+                      (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
+                      (strtmp2 = _strdict_to_string(ovs_port->other_config)));
             }
         } else {
             gs_free char *strtmp1 = NULL;
@@ -2148,11 +2144,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 .other_config    = g_steal_pointer(&other_config_arr),
             };
             g_hash_table_add(priv->ports, ovs_port);
-            _LOGT("monitor: %s: port added: obj[port:%s]%s%s, external-ids=%s, other-config=%s",
-                  ovs_port->name,
+            _LOGT("obj[port:%s]: added a port: %s%s%s, external-ids=%s, other-config=%s",
                   key,
+                  ovs_port->name,
                   NM_PRINT_FMT_QUOTED2(ovs_port->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_port->connection_uuid,
                                        ""),
                   (strtmp1 = _strdict_to_string(ovs_port->external_ids)),
@@ -2194,11 +2190,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                                              &unused))
                 continue;
 
-            _LOGT("monitor: %s: bridge removed: obj[bridge:%s]%s%s",
-                  ovs_bridge->name,
+            _LOGT("obj[bridge:%s]: removed a bridge: %s%s%s",
                   key,
+                  ovs_bridge->name,
                   NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_bridge->connection_uuid,
                                        ""));
             _signal_emit_device_removed(self, ovs_bridge->name, NM_DEVICE_TYPE_OVS_BRIDGE, NULL);
@@ -2245,12 +2241,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 gs_free char *strtmp1 = NULL;
                 gs_free char *strtmp2 = NULL;
 
-                _LOGT("monitor: %s: bridge changed: obj[bridge:%s]%s%s, external-ids=%s, "
-                      "other-config=%s",
-                      ovs_bridge->name,
+                _LOGT("obj[bridge:%s]: changed a bridge: %s%s%s, external-ids=%s, other-config=%s",
                       key,
+                      ovs_bridge->name,
                       NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                           ", connection=",
+                                           ", ",
                                            ovs_bridge->connection_uuid,
                                            ""),
                       (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),
@@ -2270,11 +2265,11 @@ ovsdb_got_update(NMOvsdb *self, json_t *msg)
                 .other_config    = g_steal_pointer(&other_config_arr),
             };
             g_hash_table_add(priv->bridges, ovs_bridge);
-            _LOGT("monitor: %s: bridge added: obj[bridge:%s]%s%s, external-ids=%s, other-config=%s",
-                  ovs_bridge->name,
+            _LOGT("obj[bridge:%s]: added a bridge: %s%s%s, external-ids=%s, other-config=%s",
                   key,
+                  ovs_bridge->name,
                   NM_PRINT_FMT_QUOTED2(ovs_bridge->connection_uuid,
-                                       ", connection=",
+                                       ", ",
                                        ovs_bridge->connection_uuid,
                                        ""),
                   (strtmp1 = _strdict_to_string(ovs_bridge->external_ids)),

src/core/devices/wifi/nm-device-iwd.c

@@ -2270,37 +2270,6 @@ add_new:
     return NM_ACT_STAGE_RETURN_SUCCESS;
 }
 
-static void
-set_powersave(NMDevice *device)
-{
-    NMDeviceIwd               *self = NM_DEVICE_IWD(device);
-    NMSettingWireless         *s_wireless;
-    NMSettingWirelessPowersave val;
-
-    s_wireless = nm_device_get_applied_setting(device, NM_TYPE_SETTING_WIRELESS);
-
-    g_return_if_fail(s_wireless);
-
-    val = nm_setting_wireless_get_powersave(s_wireless);
-    if (val == NM_SETTING_WIRELESS_POWERSAVE_DEFAULT) {
-        val = nm_config_data_get_connection_default_int64(NM_CONFIG_GET_DATA,
-                                                          "wifi.powersave",
-                                                          device,
-                                                          NM_SETTING_WIRELESS_POWERSAVE_IGNORE,
-                                                          NM_SETTING_WIRELESS_POWERSAVE_ENABLE,
-                                                          NM_SETTING_WIRELESS_POWERSAVE_IGNORE);
-    }
-
-    _LOGT(LOGD_WIFI, "powersave is set to %u", (unsigned) val);
-
-    if (val == NM_SETTING_WIRELESS_POWERSAVE_IGNORE)
-        return;
-
-    nm_platform_wifi_set_powersave(nm_device_get_platform(device),
-                                   nm_device_get_ifindex(device),
-                                   val == NM_SETTING_WIRELESS_POWERSAVE_ENABLE);
-}
-
 static NMActStageReturn
 act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
 {
@@ -2328,8 +2297,6 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
             goto out_fail;
         }
 
-        set_powersave(device);
-
         /* With priv->iwd_autoconnect we have to let IWD handle retries for
          * infrastructure networks.  IWD will not necessarily retry the same
          * network after a failure but it will likely go into an autoconnect

src/core/devices/wifi/nm-device-wifi.c

@@ -191,19 +191,12 @@ static void supplicant_iface_notify_p2p_available(NMSupplicantInterface *iface,
                                                   GParamSpec            *pspec,
                                                   NMDeviceWifi          *self);
 
-static void supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface,
-                                                        NMDeviceWifi          *self);
-
-static void supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface,
-                                                        NMDeviceWifi          *self);
-
 static void periodic_update(NMDeviceWifi *self);
 
 static void ap_add_remove(NMDeviceWifi *self,
                           gboolean      is_adding,
                           NMWifiAP     *ap,
-                          gboolean      recheck_available_connections,
-                          gboolean      recheck_auto_activate);
+                          gboolean      recheck_available_connections);
 
 static void _hw_addr_set_scanning(NMDeviceWifi *self, gboolean do_reset);
 
@@ -630,14 +623,6 @@ supplicant_interface_acquire_cb(NMSupplicantManager         *supplicant_manager,
                      "notify::" NM_SUPPLICANT_INTERFACE_P2P_AVAILABLE,
                      G_CALLBACK(supplicant_iface_notify_p2p_available),
                      self);
-    g_signal_connect(priv->sup_iface,
-                     NM_SUPPLICANT_INTERFACE_PSK_MISMATCH,
-                     G_CALLBACK(supplicant_iface_notify_wpa_psk_mismatch_cb),
-                     self);
-    g_signal_connect(priv->sup_iface,
-                     NM_SUPPLICANT_INTERFACE_SAE_MISMATCH,
-                     G_CALLBACK(supplicant_iface_notify_wpa_sae_mismatch_cb),
-                     self);
 
     _scan_notify_is_scanning(self);
 
@@ -729,10 +714,7 @@ update_seen_bssids_cache(NMDeviceWifi *self, NMWifiAP *ap)
 }
 
 static void
-set_current_ap(NMDeviceWifi *self,
-               NMWifiAP     *new_ap,
-               gboolean      recheck_available_connections,
-               gboolean      recheck_auto_activate)
+set_current_ap(NMDeviceWifi *self, NMWifiAP *new_ap, gboolean recheck_available_connections)
 {
     NMDeviceWifiPrivate *priv;
     NMWifiAP            *old_ap;
@@ -759,11 +741,7 @@ set_current_ap(NMDeviceWifi *self,
         /* Remove any AP from the internal list if it was created by NM or isn't known to the supplicant */
         if (NM_IN_SET(mode, _NM_802_11_MODE_ADHOC, _NM_802_11_MODE_AP)
             || nm_wifi_ap_get_fake(old_ap))
-            ap_add_remove(self,
-                          FALSE,
-                          old_ap,
-                          recheck_available_connections,
-                          recheck_auto_activate);
+            ap_add_remove(self, FALSE, old_ap, recheck_available_connections);
         g_object_unref(old_ap);
     }
 
@@ -836,8 +814,7 @@ static void
 ap_add_remove(NMDeviceWifi *self,
               gboolean      is_adding, /* or else removing */
               NMWifiAP     *ap,
-              gboolean      recheck_available_connections,
-              gboolean      recheck_auto_activate)
+              gboolean      recheck_available_connections)
 {
     NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);
 
@@ -868,14 +845,13 @@ ap_add_remove(NMDeviceWifi *self,
         nm_dbus_object_clear_and_unexport(&ap);
     }
 
-    if (recheck_auto_activate)
-        nm_device_recheck_auto_activate_schedule(NM_DEVICE(self));
+    nm_device_recheck_auto_activate_schedule(NM_DEVICE(self));
     if (recheck_available_connections)
         nm_device_recheck_available_connections(NM_DEVICE(self));
 }
 
 static void
-remove_all_aps(NMDeviceWifi *self, gboolean disposing)
+remove_all_aps(NMDeviceWifi *self)
 {
     NMDeviceWifiPrivate *priv = NM_DEVICE_WIFI_GET_PRIVATE(self);
     NMWifiAP            *ap;
@@ -883,13 +859,12 @@ remove_all_aps(NMDeviceWifi *self, gboolean disposing)
     if (c_list_is_empty(&priv->aps_lst_head))
         return;
 
-    set_current_ap(self, NULL, FALSE, !disposing);
+    set_current_ap(self, NULL, FALSE);
 
     while ((ap = c_list_first_entry(&priv->aps_lst_head, NMWifiAP, aps_lst)))
-        ap_add_remove(self, FALSE, ap, FALSE, !disposing);
+        ap_add_remove(self, FALSE, ap, FALSE);
 
-    if (!disposing)
-        nm_device_recheck_available_connections(NM_DEVICE(self));
+    nm_device_recheck_available_connections(NM_DEVICE(self));
 }
 
 static gboolean
@@ -976,7 +951,7 @@ deactivate(NMDevice *device)
 
     priv->rate = 0;
 
-    set_current_ap(self, NULL, TRUE, TRUE);
+    set_current_ap(self, NULL, TRUE);
 
     if (!wake_on_wlan_restore(self))
         _LOGW(LOGD_DEVICE | LOGD_WIFI, "Cannot unconfigure WoWLAN.");
@@ -2025,7 +2000,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
             if (nm_wifi_ap_set_fake(found_ap, TRUE))
                 _ap_dump(self, LOGL_DEBUG, found_ap, "updated", 0);
         } else {
-            ap_add_remove(self, FALSE, found_ap, TRUE, TRUE);
+            ap_add_remove(self, FALSE, found_ap, TRUE);
             schedule_ap_list_dump(self);
         }
         return;
@@ -2068,7 +2043,7 @@ supplicant_iface_bss_changed_cb(NMSupplicantInterface *iface,
             }
         }
 
-        ap_add_remove(self, TRUE, ap, TRUE, TRUE);
+        ap_add_remove(self, TRUE, ap, TRUE);
     }
 
     /* Update the current AP if the supplicant notified a current BSS change
@@ -2251,26 +2226,6 @@ wps_timeout_cb(gpointer user_data)
     return G_SOURCE_REMOVE;
 }
 
-static gboolean
-wifi_connection_is_new(NMDeviceWifi *self)
-{
-    NMDevice             *device = NM_DEVICE(self);
-    NMActRequest         *req;
-    NMSettingsConnection *connection;
-    guint64               timestamp = 0;
-
-    req = nm_device_get_act_request(device);
-    g_return_val_if_fail(NM_IS_ACT_REQUEST(req), TRUE);
-
-    connection = nm_act_request_get_settings_connection(req);
-    g_return_val_if_fail(NM_IS_SETTINGS_CONNECTION(connection), TRUE);
-
-    if (nm_settings_connection_get_timestamp(connection, &timestamp) && timestamp != 0)
-        return FALSE;
-
-    return TRUE;
-}
-
 static void
 wifi_secrets_get_secrets(NMDeviceWifi                *self,
                          const char                  *setting_name,
@@ -2313,7 +2268,7 @@ link_timeout_cb(gpointer user_data)
     if (nm_device_get_state(device) != NM_DEVICE_STATE_ACTIVATED)
         return FALSE;
 
-    set_current_ap(self, NULL, TRUE, TRUE);
+    set_current_ap(self, NULL, TRUE);
 
     nm_device_state_changed(device,
                             NM_DEVICE_STATE_FAILED,
@@ -2425,21 +2380,18 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,
                               NMSupplicantInterfaceState old_state,
                               int                        disconnect_reason)
 {
-    NMDevice                    *device = NM_DEVICE(self);
-    NMActRequest                *req;
-    const char                  *setting_name = NULL;
-    NMSecretAgentGetSecretsFlags secret_flags = NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
-                                                | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW;
+    NMDevice     *device = NM_DEVICE(self);
+    NMActRequest *req;
+    const char   *setting_name = NULL;
+    gboolean      handled      = FALSE;
 
     g_return_val_if_fail(new_state == NM_SUPPLICANT_INTERFACE_STATE_DISCONNECTED, FALSE);
 
-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return FALSE;
-
     req = nm_device_get_act_request(NM_DEVICE(self));
     g_return_val_if_fail(req != NULL, FALSE);
 
-    if (need_new_8021x_secrets(self, old_state, &setting_name)) {
+    if (need_new_8021x_secrets(self, old_state, &setting_name)
+        || need_new_wpa_psk(self, old_state, disconnect_reason, &setting_name)) {
         nm_act_request_clear_secrets(req);
 
         _LOGI(LOGD_DEVICE | LOGD_WIFI,
@@ -2449,54 +2401,14 @@ handle_8021x_or_psk_auth_fail(NMDeviceWifi              *self,
         nm_device_state_changed(device,
                                 NM_DEVICE_STATE_NEED_AUTH,
                                 NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-        wifi_secrets_get_secrets(self, setting_name, secret_flags);
-        return TRUE;
+        wifi_secrets_get_secrets(self,
+                                 setting_name,
+                                 NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
+                                     | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
+        handled = TRUE;
     }
 
-    if (need_new_wpa_psk(self, old_state, disconnect_reason, &setting_name)) {
-        nm_act_request_clear_secrets(req);
-        cleanup_association_attempt(self, TRUE);
-
-        if (wifi_connection_is_new(self)) {
-            _LOGI(LOGD_DEVICE | LOGD_WIFI,
-                  "Activation: (wifi) new connection disconnected during association, asking for "
-                  "new key");
-            nm_device_state_changed(device,
-                                    NM_DEVICE_STATE_NEED_AUTH,
-                                    NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-            wifi_secrets_get_secrets(self, setting_name, secret_flags);
-            return TRUE;
-        }
-
-        if (!nm_device_auth_retries_try_next(device)) {
-            nm_device_state_changed(device,
-                                    NM_DEVICE_STATE_FAILED,
-                                    NM_DEVICE_STATE_REASON_NO_SECRETS);
-            return TRUE;
-        }
-
-        if (nm_device_auth_retries_has_next(device)) {
-            secret_flags &= ~NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW;
-            _LOGI(
-                LOGD_DEVICE | LOGD_WIFI,
-                "Activation: (wifi) disconnected during association, reauthenticating connection");
-        } else {
-            _LOGI(LOGD_DEVICE | LOGD_WIFI,
-                  "Activation: (wifi) disconnected during association, asking for new key");
-        }
-
-        nm_device_state_changed(device,
-                                NM_DEVICE_STATE_NEED_AUTH,
-                                NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-        wifi_secrets_get_secrets(self, setting_name, secret_flags);
-
-        return TRUE;
-    }
-
-    _LOGI(LOGD_DEVICE | LOGD_WIFI,
-          "Activation: (wifi) disconnected during association, retrying connection");
-
-    return FALSE;
+    return handled;
 }
 
 static gboolean
@@ -2772,7 +2684,7 @@ supplicant_iface_notify_current_bss(NMSupplicantInterface *iface,
             }
         }
 
-        set_current_ap(self, new_ap, TRUE, TRUE);
+        set_current_ap(self, new_ap, TRUE);
 
         req = nm_device_get_act_request(NM_DEVICE(self));
         if (req) {
@@ -2918,68 +2830,6 @@ handle_auth_or_fail(NMDeviceWifi *self, NMActRequest *req, gboolean new_secrets)
     return TRUE;
 }
 
-static void
-supplicant_iface_notify_wpa_psk_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
-{
-    NMDevice     *device = NM_DEVICE(self);
-    NMActRequest *req;
-    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
-
-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return;
-
-    if (!wifi_connection_is_new(self) && nm_device_auth_retries_has_next(device)) {
-        _LOGI(LOGD_DEVICE | LOGD_WIFI,
-              "Activation: (wifi) psk mismatch reported by supplicant, retrying connection");
-        return;
-    }
-
-    _LOGI(LOGD_DEVICE | LOGD_WIFI,
-          "Activation: (wifi) psk mismatch reported by supplicant, asking for new key");
-
-    req = nm_device_get_act_request(NM_DEVICE(self));
-    g_return_if_fail(req != NULL);
-
-    nm_act_request_clear_secrets(req);
-
-    cleanup_association_attempt(self, TRUE);
-    nm_device_state_changed(device,
-                            NM_DEVICE_STATE_NEED_AUTH,
-                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-    wifi_secrets_get_secrets(self,
-                             setting_name,
-                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
-                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
-}
-
-static void
-supplicant_iface_notify_wpa_sae_mismatch_cb(NMSupplicantInterface *iface, NMDeviceWifi *self)
-{
-    NMDevice     *device = NM_DEVICE(self);
-    NMActRequest *req;
-    const char   *setting_name = NM_SETTING_WIRELESS_SECURITY_SETTING_NAME;
-
-    if (nm_device_get_state(device) != NM_DEVICE_STATE_CONFIG)
-        return;
-
-    _LOGI(LOGD_DEVICE | LOGD_WIFI,
-          "Activation: (wifi) SAE password mismatch reported by supplicant, asking for new key");
-
-    req = nm_device_get_act_request(NM_DEVICE(self));
-    g_return_if_fail(req != NULL);
-
-    nm_act_request_clear_secrets(req);
-
-    cleanup_association_attempt(self, TRUE);
-    nm_device_state_changed(device,
-                            NM_DEVICE_STATE_NEED_AUTH,
-                            NM_DEVICE_STATE_REASON_SUPPLICANT_DISCONNECT);
-    wifi_secrets_get_secrets(self,
-                             setting_name,
-                             NM_SECRET_AGENT_GET_SECRETS_FLAG_ALLOW_INTERACTION
-                                 | NM_SECRET_AGENT_GET_SECRETS_FLAG_REQUEST_NEW);
-}
-
 /*
  * supplicant_connection_timeout_cb
  *
@@ -3085,8 +2935,7 @@ build_supplicant_config(NMDeviceWifi         *self,
     s_wireless = nm_connection_get_setting_wireless(connection);
     g_return_val_if_fail(s_wireless != NULL, NULL);
 
-    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface),
-                                      nm_utils_get_connection_first_permissions_user(connection));
+    config = nm_supplicant_config_new(nm_supplicant_interface_get_capabilities(priv->sup_iface));
 
     /* Warn if AP mode may not be supported */
     if (nm_streq0(nm_setting_wireless_get_mode(s_wireless), NM_SETTING_WIRELESS_MODE_AP)
@@ -3162,7 +3011,6 @@ build_supplicant_config(NMDeviceWifi         *self,
                 mtu,
                 pmf,
                 fils,
-                nm_device_get_private_files(NM_DEVICE(self)),
                 error)) {
             g_prefix_error(error, "802-11-wireless-security: ");
             goto error;
@@ -3270,7 +3118,7 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
         priv->mode = _NM_802_11_MODE_AP;
 
         /* Scanning not done in AP mode; clear the scan list */
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);
     } else if (g_strcmp0(mode, NM_SETTING_WIRELESS_MODE_MESH) == 0)
         priv->mode = _NM_802_11_MODE_MESH;
     _notify(self, PROP_MODE);
@@ -3307,14 +3155,14 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
             nm_wifi_ap_set_address(ap_fake, nm_device_get_hw_address(device));
 
         g_object_freeze_notify(G_OBJECT(self));
-        ap_add_remove(self, TRUE, ap_fake, TRUE, TRUE);
+        ap_add_remove(self, TRUE, ap_fake, TRUE);
         g_object_thaw_notify(G_OBJECT(self));
         ap = ap_fake;
     }
 
     _scan_notify_allowed(self, NM_TERNARY_DEFAULT);
 
-    set_current_ap(self, ap, FALSE, TRUE);
+    set_current_ap(self, ap, FALSE);
     nm_active_connection_set_specific_object(NM_ACTIVE_CONNECTION(req),
                                              nm_dbus_object_get_path(NM_DBUS_OBJECT(ap)));
     return NM_ACT_STAGE_RETURN_SUCCESS;
@@ -3323,19 +3171,8 @@ act_stage1_prepare(NMDevice *device, NMDeviceStateReason *out_failure_reason)
 static void
 ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP *ap)
 {
-    guint32     freqs_a[]    = {5180, /* only U-NII-1 channels: non-DFS and available everywhere */
-                                5200,
-                                5220,
-                                5240,
-                                0};
-    guint32     freqs_bg[]   = {2412, 2437, 2462, 2472, 0};
-    guint32     freqs_6ghz[] = {5975, /* only U-NII-5 PSC channels, for better compatibility */
-                                6055,
-                                6135,
-                                6215,
-                                6295,
-                                6375,
-                                0};
+    guint32     a_freqs[]  = {5180, 5200, 5220, 5745, 5765, 5785, 5805, 0};
+    guint32     bg_freqs[] = {2412, 2437, 2462, 2472, 0};
     guint32    *rnd_freqs;
     guint       rnd_freqs_len;
     NMDevice   *device = NM_DEVICE(self);
@@ -3346,7 +3183,7 @@ ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP
     guint       l;
 
     nm_assert(ap);
-    nm_assert(NM_IN_STRSET(band, NULL, "a", "bg", "6GHz"));
+    nm_assert(NM_IN_STRSET(band, NULL, "a", "bg"));
 
     if (nm_wifi_ap_get_freq(ap))
         return;
@@ -3380,14 +3217,11 @@ ensure_hotspot_frequency(NMDeviceWifi *self, NMSettingWireless *s_wifi, NMWifiAP
     }
 
     if (nm_streq0(band, "a")) {
-        rnd_freqs     = freqs_a;
-        rnd_freqs_len = G_N_ELEMENTS(freqs_a) - 1;
-    } else if (nm_streq0(band, "6GHz")) {
-        rnd_freqs     = freqs_6ghz;
-        rnd_freqs_len = G_N_ELEMENTS(freqs_6ghz) - 1;
+        rnd_freqs     = a_freqs;
+        rnd_freqs_len = G_N_ELEMENTS(a_freqs) - 1;
     } else {
-        rnd_freqs     = freqs_bg;
-        rnd_freqs_len = G_N_ELEMENTS(freqs_bg) - 1;
+        rnd_freqs     = bg_freqs;
+        rnd_freqs_len = G_N_ELEMENTS(bg_freqs) - 1;
     }
 
     /* shuffle the frequencies (inplace). The idea is to choose
@@ -3694,7 +3528,7 @@ device_state_changed(NMDevice           *device,
 
         cleanup_association_attempt(self, TRUE);
         cleanup_supplicant_failures(self);
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);
     }
 
     switch (new_state) {
@@ -3732,7 +3566,7 @@ device_state_changed(NMDevice           *device,
     }
 
     if (clear_aps)
-        remove_all_aps(self, FALSE);
+        remove_all_aps(self);
 
     _scan_notify_allowed(self, NM_TERNARY_DEFAULT);
 }
@@ -3974,7 +3808,7 @@ dispose(GObject *object)
 
     g_clear_object(&priv->sup_mgr);
 
-    remove_all_aps(self, TRUE);
+    remove_all_aps(self);
 
     if (priv->p2p_device) {
         /* Destroy the P2P device. */

src/core/devices/wifi/nm-iwd-manager.c

@@ -684,7 +684,7 @@ iwd_config_write(GKeyFile              *config,
      * in the last few filename characters -- it cannot end in .open, .psk
      * or .8021x.
      */
-    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, NULL, error);
+    return nm_utils_file_set_contents(filepath, data, length, 0600, times, NULL, error);
 }
 
 static const char *

src/core/devices/wifi/nm-wifi-ap.c

@@ -574,6 +574,16 @@ nm_wifi_ap_to_string(const NMWifiAP *self, char *str_buf, gulong buf_len, gint64
     return str_buf;
 }
 
+static guint
+freq_to_band(guint32 freq)
+{
+    if (freq >= 4915 && freq <= 5825)
+        return 5;
+    else if (freq >= 2412 && freq <= 2484)
+        return 2;
+    return 0;
+}
+
 gboolean
 nm_wifi_ap_check_compatible(NMWifiAP *self, NMConnection *connection)
 {
@@ -621,12 +631,12 @@ nm_wifi_ap_check_compatible(NMWifiAP *self, NMConnection *connection)
 
     band = nm_setting_wireless_get_band(s_wireless);
     if (band) {
-        const char *ap_band = nm_wifi_freq_to_band_prop(priv->freq);
+        guint ap_band = freq_to_band(priv->freq);
 
-        if (!nm_streq(band, ap_band))
+        if (!strcmp(band, "a") && ap_band != 5)
+            return FALSE;
+        else if (!strcmp(band, "bg") && ap_band != 2)
             return FALSE;
-
-        return TRUE;
     }
 
     channel = nm_setting_wireless_get_channel(s_wireless);

src/core/devices/wifi/nm-wifi-utils.c

@@ -639,7 +639,7 @@ nm_wifi_utils_complete_connection(GBytes       *ap_ssid,
                 chan_valid = FALSE;
             }
 
-            band = nm_wifi_freq_to_band_prop(ap_freq);
+            band = nm_utils_wifi_freq_to_band(ap_freq);
             if (band) {
                 g_object_set(s_wifi, NM_SETTING_WIRELESS_BAND, band, NULL);
             } else {
@@ -1929,19 +1929,3 @@ nm_wifi_utils_wfd_info_eq(const NMIwdWfdInfo *a, const NMIwdWfdInfo *b)
     return a->source == b->source && a->sink == b->sink && a->port == b->port
            && a->has_audio == b->has_audio && a->has_uibc == b->has_uibc && a->has_cp == b->has_cp;
 }
-
-const char *
-nm_wifi_freq_to_band_prop(guint32 freq)
-{
-    switch (nm_utils_wifi_freq_to_band(freq)) {
-    case NM_WIFI_BAND_2_4_GHZ:
-        return "bg";
-    case NM_WIFI_BAND_5_GHZ:
-        return "a";
-    case NM_WIFI_BAND_6_GHZ:
-        return "6GHz";
-    default:
-    case NM_WIFI_BAND_UNKNOWN:
-        return NULL;
-    }
-}

src/core/devices/wifi/nm-wifi-utils.h

@@ -56,6 +56,4 @@ bool    nm_wifi_utils_parse_wfd_ies(GBytes *ies, NMIwdWfdInfo *out_wfd);
 GBytes *nm_wifi_utils_build_wfd_ies(const NMIwdWfdInfo *wfd);
 bool    nm_wifi_utils_wfd_info_eq(const NMIwdWfdInfo *a, const NMIwdWfdInfo *b);
 
-const char *nm_wifi_freq_to_band_prop(guint32 freq);
-
 #endif /* __NM_WIFI_UTILS_H__ */

src/core/devices/wwan/nm-modem-broadband.c

@@ -508,9 +508,8 @@ find_gsm_apn_cb(const char   *apn,
 static gboolean
 try_create_connect_properties(NMModemBroadband *self)
 {
-    NMModemBroadbandPrivate *priv        = NM_MODEM_BROADBAND_GET_PRIVATE(self);
-    ConnectContext          *ctx         = priv->ctx;
-    NMDeviceStateReason      fail_reason = NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED;
+    NMModemBroadbandPrivate *priv = NM_MODEM_BROADBAND_GET_PRIVATE(self);
+    ConnectContext          *ctx  = priv->ctx;
 
     if (MODEM_CAPS_3GPP(ctx->caps)) {
         NMSettingGsm *s_gsm = nm_connection_get_setting_gsm(ctx->connection);
@@ -523,7 +522,7 @@ try_create_connect_properties(NMModemBroadband *self)
             if (s_gsm)
                 network_id = nm_setting_gsm_get_network_id(s_gsm);
             if (!network_id) {
-                if (mm_modem_get_state(self->_priv.modem_iface) != MM_MODEM_STATE_REGISTERED)
+                if (mm_modem_get_state(self->_priv.modem_iface) < MM_MODEM_STATE_REGISTERED)
                     return FALSE;
                 modem_3gpp = mm_object_get_modem_3gpp(priv->modem_object);
                 network_id = mm_modem_3gpp_get_operator_code(modem_3gpp);
@@ -531,7 +530,6 @@ try_create_connect_properties(NMModemBroadband *self)
             if (!network_id) {
                 _LOGW("failed to connect '%s': unable to determine the network id",
                       nm_connection_get_id(ctx->connection));
-                fail_reason = NM_DEVICE_STATE_REASON_MODEM_NO_OPERATOR_CODE;
                 goto out;
             }
 
@@ -560,7 +558,7 @@ try_create_connect_properties(NMModemBroadband *self)
     }
 
 out:
-    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, fail_reason);
+    nm_modem_emit_prepare_result(NM_MODEM(self), FALSE, NM_DEVICE_STATE_REASON_MODEM_INIT_FAILED);
     connect_context_clear(self);
     return TRUE;
 }
@@ -1651,8 +1649,6 @@ nm_modem_broadband_new(GObject *object, GError **error)
                         driver,
                         NM_MODEM_OPERATOR_CODE,
                         operator_code,
-                        NM_MODEM_DEVICE_UID,
-                        mm_modem_get_device(modem_iface),
                         NULL);
 }
 

src/core/devices/wwan/nm-modem-manager.c

@@ -258,7 +258,16 @@ modm_handle_name_owner_changed(MMManager *modem_manager, GParamSpec *pspec, NMMo
     /* Available! */
     g_free(name_owner);
 
-    modm_manager_available(self);
+    /* Hack alert: GDBusObjectManagerClient won't signal neither 'object-added'
+     * nor 'object-removed' if it was created while there was no ModemManager in
+     * the bus. This hack avoids this issue until we get a GIO with the fix
+     * included... */
+    modm_clear_manager(self);
+    modm_ensure_manager(self);
+
+    /* Whenever GDBusObjectManagerClient is fixed, we can just do the following:
+     * modm_manager_available (self);
+     */
 }
 
 static void

src/core/devices/wwan/nm-modem.c

@@ -39,8 +39,7 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMModem,
                              PROP_IP_TYPES,
                              PROP_SIM_OPERATOR_ID,
                              PROP_OPERATOR_CODE,
-                             PROP_APN,
-                             PROP_DEVICE_UID, );
+                             PROP_APN, );
 
 enum {
     PPP_STATS,
@@ -79,7 +78,6 @@ typedef struct _NMModemPrivate {
     char           *sim_operator_id;
     char           *operator_code;
     char           *apn;
-    char           *device_uid;
 
     NMPPPManager *ppp_manager;
     NMPppMgr     *ppp_mgr;
@@ -620,12 +618,6 @@ nm_modem_get_apn(NMModem *self)
     return NM_MODEM_GET_PRIVATE(self)->apn;
 }
 
-const char *
-nm_modem_get_device_uid(NMModem *self)
-{
-    return NM_MODEM_GET_PRIVATE(self)->device_uid;
-}
-
 /*****************************************************************************/
 
 static void
@@ -1129,22 +1121,6 @@ nm_modem_check_connection_compatible(NMModem *self, NMConnection *connection, GE
             }
         }
 
-        str = nm_setting_gsm_get_device_uid(s_gsm);
-        if (str) {
-            if (!priv->device_uid) {
-                nm_utils_error_set_literal(error,
-                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                           "GSM profile has device-uid, device does not");
-                return FALSE;
-            }
-            if (!nm_streq(str, priv->device_uid)) {
-                nm_utils_error_set_literal(error,
-                                           NM_UTILS_ERROR_CONNECTION_AVAILABLE_TEMPORARY,
-                                           "device has differing device-uid than GSM profile");
-                return FALSE;
-            }
-        }
-
         /* SIM properties may not be available before the SIM is unlocked, so
          * to ensure that autoconnect works, the connection's SIM properties
          * are only compared if present on the device.
@@ -1668,9 +1644,6 @@ get_property(GObject *object, guint prop_id, GValue *value, GParamSpec *pspec)
     case PROP_APN:
         g_value_set_string(value, priv->apn);
         break;
-    case PROP_DEVICE_UID:
-        g_value_set_string(value, priv->device_uid);
-        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
         break;
@@ -1726,10 +1699,6 @@ set_property(GObject *object, guint prop_id, const GValue *value, GParamSpec *ps
         /* construct-only */
         priv->operator_code = g_value_dup_string(value);
         break;
-    case PROP_DEVICE_UID:
-        /* construct-only */
-        priv->device_uid = g_value_dup_string(value);
-        break;
     default:
         G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec);
         break;
@@ -1789,7 +1758,6 @@ finalize(GObject *object)
     g_free(priv->sim_operator_id);
     g_free(priv->operator_code);
     g_free(priv->apn);
-    g_free(priv->device_uid);
 
     G_OBJECT_CLASS(nm_modem_parent_class)->finalize(object);
 }
@@ -1895,13 +1863,6 @@ nm_modem_class_init(NMModemClass *klass)
     obj_properties[PROP_APN] =
         g_param_spec_string(NM_MODEM_APN, "", "", NULL, G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
 
-    obj_properties[PROP_DEVICE_UID] =
-        g_param_spec_string(NM_MODEM_DEVICE_UID,
-                            "",
-                            "",
-                            NULL,
-                            G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS);
-
     g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 
     signals[PPP_STATS] = g_signal_new(NM_MODEM_PPP_STATS,

src/core/devices/wwan/nm-modem.h

@@ -30,7 +30,6 @@
 #define NM_MODEM_SIM_OPERATOR_ID "sim-operator-id"
 #define NM_MODEM_OPERATOR_CODE   "operator-code"
 #define NM_MODEM_APN             "apn"
-#define NM_MODEM_DEVICE_UID      "device-uid"
 
 /* Signals */
 #define NM_MODEM_PPP_STATS      "ppp-stats"
@@ -155,7 +154,6 @@ const char *nm_modem_get_sim_id(NMModem *modem);
 const char *nm_modem_get_sim_operator_id(NMModem *modem);
 const char *nm_modem_get_operator_code(NMModem *modem);
 const char *nm_modem_get_apn(NMModem *modem);
-const char *nm_modem_get_device_uid(NMModem *modem);
 
 gboolean nm_modem_set_data_port(NMModem        *self,
                                 NMPlatform     *platform,

src/core/dhcp/nm-dhcp-client.c

@@ -1460,9 +1460,7 @@ nm_dhcp_client_schedule_ipv6_only_restart(NMDhcpClient *self, guint timeout)
     nm_assert(!priv->is_stopped);
 
     timeout = NM_MAX(priv->v4.ipv6_only_min_wait, timeout);
-    _LOGI("received option \"ipv6-only-preferred\": stopping DHCPv4 for %u seconds. Set "
-          "ipv4.dhcp-ipv6-only-preferred=no to force the use of IPv4 on this IPv6-mostly network",
-          timeout);
+    _LOGI("received option \"ipv6-only-preferred\": stopping DHCPv4 for %u seconds", timeout);
 
     nm_dhcp_client_stop(self, FALSE);
     nm_clear_g_source_inst(&priv->no_lease_timeout_source);

src/core/dhcp/nm-dhcp-manager.c

@@ -289,10 +289,8 @@ nm_dhcp_manager_init(NMDhcpManager *self)
                                  NM_CONFIG_GET_VALUE_STRIP | NM_CONFIG_GET_VALUE_NO_EMPTY);
     client = client_free;
     if (client) {
-        client_factory = _client_factory_find_by_name(client);
+        client_factory = _client_factory_available(_client_factory_find_by_name(client));
         if (!client_factory)
-            _LOGW(AF_UNSPEC, "init: unknown DHCP client '%s', ignoring", client);
-        else if (!(client_factory = _client_factory_available(client_factory)))
             _LOGW(AF_UNSPEC, "init: DHCP client '%s' not available", client);
     }
     if (!client_factory) {

src/core/dhcp/nm-dhcp-nettools.c

@@ -418,6 +418,7 @@ lease_parse_routes(NDhcp4ClientLease *lease,
     in_addr_t     gateway;
     uint8_t       plen;
     guint32       m;
+    gboolean      has_router_from_classless   = FALSE;
     gboolean      has_classless               = FALSE;
     guint32       default_route_metric_offset = 0;
     const guint8 *l_data;
@@ -433,7 +434,7 @@ lease_parse_routes(NDhcp4ClientLease *lease,
      * We will however also parse one of the options into the "l3cd" for configuring routing.
      * Thereby we prefer 121 over 249 over 33.
      *
-     * Preferring 121 over 33 is defined by RFC 3442.
+     * Preferring 121 over 33 is defined by RFC 3443.
      * Preferring 121 over 249 over 33 is made up as it makes sense (the MS docs are not very clear).
      */
     for (i = 0; i < 2; i++) {
@@ -459,7 +460,8 @@ lease_parse_routes(NDhcp4ClientLease *lease,
             if (plen == 0) {
                 /* if there are multiple default routes, we add them with differing
                  * metrics. */
-                m = default_route_metric_offset++;
+                m                         = default_route_metric_offset++;
+                has_router_from_classless = TRUE;
             } else
                 m = 0;
 
@@ -493,7 +495,7 @@ lease_parse_routes(NDhcp4ClientLease *lease,
             nm_str_buf_append_printf(sbuf, "%s/%d %s", dest_str, (int) plen, gateway_str);
 
             if (has_classless) {
-                /* RFC 3442: if the DHCP server returns both a Classless Static Routes
+                /* RFC 3443: if the DHCP server returns both a Classless Static Routes
                  * option and a Static Routes option, the DHCP client MUST ignore the
                  * Static Routes option. */
                 continue;
@@ -537,10 +539,13 @@ lease_parse_routes(NDhcp4ClientLease *lease,
                 continue;
             }
 
-            if (has_classless) {
-                /* RFC 3442: if the DHCP server returns both a Classless Static Routes
-                 * option and a Router option, the DHCP client MUST ignore the Router
-                 * option. */
+            if (has_router_from_classless) {
+                /* If the DHCP server returns both a Classless Static Routes option and a
+                 * Router option, the DHCP client MUST ignore the Router option [RFC 3442].
+                 *
+                 * Be more lenient and ignore the Router option only if Classless Static
+                 * Routes contain a default gateway (as other DHCP backends do).
+                 */
                 continue;
             }
 

src/core/dhcp/nm-dhcp-utils.c

@@ -32,11 +32,11 @@ ip4_process_dhcpcd_rfc3442_routes(const char     *iface,
                                   in_addr_t       address,
                                   guint32        *out_gwaddr)
 {
-    gs_free char **routes = NULL;
-    char         **r;
-    gboolean       have_routes = FALSE;
+    gs_free const char **routes = NULL;
+    const char         **r;
+    gboolean             have_routes = FALSE;
 
-    routes = (char **) nm_strsplit_set(str, " ");
+    routes = nm_strsplit_set(str, " ");
     if (!routes)
         return FALSE;
 

src/core/dns/nm-dns-dnsconfd.c

@@ -374,7 +374,7 @@ server_builder_append_base(GVariantBuilder   *argument_builder,
     NMDnsServer dns_server;
     gsize       addr_size;
 
-    if (!nm_dns_uri_parse(address_family, address_string, &dns_server, NULL))
+    if (!nm_dns_uri_parse(address_family, address_string, &dns_server))
         return FALSE;
     addr_size = nm_utils_addr_family_to_size(dns_server.addr_family);
 

src/core/dns/nm-dns-dnsmasq.c

@@ -521,10 +521,9 @@ _gl_pid_spawn_next_step(void)
     argv[argv_idx++] = "--no-resolv"; /* Use only commandline */
     argv[argv_idx++] = "--keep-in-foreground";
     argv[argv_idx++] = "--no-hosts"; /* don't use /etc/hosts to resolve */
-    argv[argv_idx++] = "--bind-dynamic";
+    argv[argv_idx++] = "--bind-interfaces";
     argv[argv_idx++] = "--pid-file=" PIDFILE;
-    argv[argv_idx++] = "--listen-address=127.0.0.1";
-    argv[argv_idx++] = "--listen-address=::1";
+    argv[argv_idx++] = "--listen-address=127.0.0.1"; /* Should work for both 4 and 6 */
     argv[argv_idx++] = "--cache-size=400";
     argv[argv_idx++] = "--clear-on-reload";     /* clear cache when dns server changes */
     argv[argv_idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */

src/core/dns/nm-dns-manager.c

@@ -26,7 +26,6 @@
 
 #include "libnm-core-intern/nm-core-internal.h"
 #include "libnm-glib-aux/nm-str-buf.h"
-#include "libnm-glib-aux/nm-io-utils.h"
 
 #include "NetworkManagerUtils.h"
 #include "devices/nm-device.h"
@@ -371,7 +370,7 @@ _ASSERT_dns_config_ip_data(const NMDnsConfigIPData *ip_data)
         gboolean has_default = FALSE;
         gsize    i;
 
-        for (i = 0; ip_data->domains.search && ip_data->domains.search[i]; i++) {
+        for (i = 0; ip_data->domains.search && ip_data->domains.search; i++) {
             const char *d = ip_data->domains.search[i];
 
             d = nm_utils_parse_dns_domain(d, NULL);
@@ -587,11 +586,7 @@ add_dns_domains(GPtrArray            *array,
 }
 
 static void
-merge_one_l3cd(NMResolvConfData     *rc,
-               int                   addr_family,
-               int                   ifindex,
-               const NML3ConfigData *l3cd,
-               gboolean              ignore_searches_and_options)
+merge_one_l3cd(NMResolvConfData *rc, int addr_family, int ifindex, const NML3ConfigData *l3cd)
 {
     char               buf[NM_INET_ADDRSTRLEN + 50];
     gboolean           has_trust_ad;
@@ -629,33 +624,31 @@ merge_one_l3cd(NMResolvConfData     *rc,
         add_string_item(rc->nameservers, buf, TRUE);
     }
 
-    if (!ignore_searches_and_options) {
-        add_dns_domains(rc->searches, addr_family, l3cd, FALSE, TRUE);
+    add_dns_domains(rc->searches, addr_family, l3cd, FALSE, TRUE);
 
-        has_trust_ad = FALSE;
-        strarr       = nm_l3_config_data_get_dns_options(l3cd, addr_family, &num);
-        for (i = 0; i < num; i++) {
-            const char *option = strarr[i];
+    has_trust_ad = FALSE;
+    strarr       = nm_l3_config_data_get_dns_options(l3cd, addr_family, &num);
+    for (i = 0; i < num; i++) {
+        const char *option = strarr[i];
 
-            if (nm_streq(option, NM_SETTING_DNS_OPTION_TRUST_AD)) {
-                has_trust_ad = TRUE;
-                continue;
-            }
-            add_dns_option_item(rc->options, option);
+        if (nm_streq(option, NM_SETTING_DNS_OPTION_TRUST_AD)) {
+            has_trust_ad = TRUE;
+            continue;
         }
-
-        if (num_nameservers == 0) {
-            /* If the @l3cd contributes no DNS servers, ignore whether trust-ad is set or unset
-             * for this @l3cd. */
-        } else if (has_trust_ad) {
-            /* We only set has_trust_ad to TRUE, if all IP configs agree (or don't contribute).
-             * Once set to FALSE, it doesn't get reset. */
-            if (rc->has_trust_ad == NM_TERNARY_DEFAULT)
-                rc->has_trust_ad = NM_TERNARY_TRUE;
-        } else
-            rc->has_trust_ad = NM_TERNARY_FALSE;
+        add_dns_option_item(rc->options, option);
     }
 
+    if (num_nameservers == 0) {
+        /* If the @l3cd contributes no DNS servers, ignore whether trust-ad is set or unset
+         * for this @l3cd. */
+    } else if (has_trust_ad) {
+        /* We only set has_trust_ad to TRUE, if all IP configs agree (or don't contribute).
+         * Once set to FALSE, it doesn't get reset. */
+        if (rc->has_trust_ad == NM_TERNARY_DEFAULT)
+            rc->has_trust_ad = NM_TERNARY_TRUE;
+    } else
+        rc->has_trust_ad = NM_TERNARY_FALSE;
+
     if (addr_family == AF_INET) {
         const in_addr_t *nis_servers;
         const char      *nis_domain;
@@ -1007,8 +1000,7 @@ _read_link_cached(const char *path, gboolean *is_cached, char **cached)
 #define MY_RESOLV_CONF_TMP MY_RESOLV_CONF ".tmp"
 #define RESOLV_CONF_TMP    "/etc/.resolv.conf.NetworkManager"
 
-#define NO_STUB_RESOLV_CONF     NMRUNDIR "/no-stub-resolv.conf"
-#define NO_STUB_RESOLV_CONF_TMP NMRUNDIR "/no-stub-resolv.conf.tmp"
+#define NO_STUB_RESOLV_CONF NMRUNDIR "/no-stub-resolv.conf"
 
 static void
 update_resolv_conf_no_stub(NMDnsManager      *self,
@@ -1021,14 +1013,7 @@ update_resolv_conf_no_stub(NMDnsManager      *self,
 
     content = create_resolv_conf(searches, nameservers, options);
 
-    if (!nm_utils_file_set_contents(NO_STUB_RESOLV_CONF,
-                                    content,
-                                    -1,
-                                    0644,
-                                    NULL,
-                                    NO_STUB_RESOLV_CONF_TMP,
-                                    NULL,
-                                    &local)) {
+    if (!g_file_set_contents(NO_STUB_RESOLV_CONF, content, -1, &local)) {
         _LOGD("update-resolv-no-stub: failure to write file: %s", local->message);
         g_error_free(local);
         return;
@@ -1246,15 +1231,12 @@ compute_hash(NMDnsManager *self, const NMGlobalDnsConfig *global, guint8 buffer[
 {
     nm_auto_free_checksum GChecksum *sum = NULL;
     NMDnsConfigIPData               *ip_data;
-    gboolean                         has_global_dns_section = FALSE;
 
     sum = g_checksum_new(G_CHECKSUM_SHA1);
     nm_assert(HASH_LEN == g_checksum_type_get_length(G_CHECKSUM_SHA1));
 
-    if (global) {
+    if (global)
         nm_global_dns_config_update_checksum(global, sum);
-        has_global_dns_section = nm_global_dns_has_global_dns_section(global);
-    }
 
     if (!global || !nm_global_dns_config_lookup_domain(global, "*")) {
         const CList *head;
@@ -1266,8 +1248,7 @@ compute_hash(NMDnsManager *self, const NMGlobalDnsConfig *global, guint8 buffer[
             nm_l3_config_data_hash_dns(ip_data->l3cd,
                                        sum,
                                        ip_data->addr_family,
-                                       ip_data->ip_config_type,
-                                       has_global_dns_section);
+                                       ip_data->ip_config_type);
         }
     }
 
@@ -1283,9 +1264,6 @@ merge_global_dns_config(NMResolvConfData *rc, NMGlobalDnsConfig *global_conf)
     const char *const *servers;
     guint              i;
 
-    /* Global config must be processed before connections' config */
-    nm_assert(rc->nameservers->len == 0);
-
     if (!global_conf)
         return FALSE;
 
@@ -1373,17 +1351,12 @@ _collect_resolv_conf_data(NMDnsManager      *self,
             .nis_servers  = g_ptr_array_new(),
             .has_trust_ad = NM_TERNARY_DEFAULT,
     };
-    gboolean has_global_dns_section = FALSE;
 
     priv = NM_DNS_MANAGER_GET_PRIVATE(self);
 
-    if (global_config) {
+    if (global_config)
         merge_global_dns_config(&rc, global_config);
-        has_global_dns_section = nm_global_dns_has_global_dns_section(global_config);
-    }
 
-    /* If global nameservers are defined, no DNS configs are used from connections at all,
-     * including searches and options. */
     if (!global_config || !nm_global_dns_config_lookup_domain(global_config, "*")) {
         nm_auto_str_buf NMStrBuf tmp_strbuf = NM_STR_BUF_INIT(0, FALSE);
         int                      first_prio = 0;
@@ -1417,16 +1390,8 @@ _collect_resolv_conf_data(NMDnsManager      *self,
                   skip ? "<SKIP>" : "",
                   get_nameserver_list(ip_data->addr_family, ip_data->l3cd, &tmp_strbuf));
 
-            if (!skip) {
-                /* Merge the configs from connections. However, if there was a [global-dns]
-                 * it overwrites searches and options from the connections, thus we only
-                 * merge the nameservers. */
-                merge_one_l3cd(&rc,
-                               ip_data->addr_family,
-                               ip_data->data->ifindex,
-                               ip_data->l3cd,
-                               has_global_dns_section);
-            }
+            if (!skip)
+                merge_one_l3cd(&rc, ip_data->addr_family, ip_data->data->ifindex, ip_data->l3cd);
         }
     }
 
@@ -1510,8 +1475,8 @@ _domain_track_is_shadowed(GHashTable  *ht,
                           const char **out_parent,
                           int         *out_parent_priority)
 {
-    const char *parent;
-    int         parent_priority;
+    char *parent;
+    int   parent_priority;
 
     if (!ht)
         return FALSE;

src/core/dns/nm-dns-systemd-resolved.c

@@ -37,7 +37,6 @@
 static const char *const DBUS_OP_SET_LINK_DEFAULT_ROUTE = "SetLinkDefaultRoute";
 static const char *const DBUS_OP_SET_LINK_DNS_OVER_TLS  = "SetLinkDNSOverTLS";
 static const char *const DBUS_OP_SET_LINK_DNS_EX        = "SetLinkDNSEx";
-static const char *const DBUS_OP_SET_LINK_DNSSEC        = "SetLinkDNSSEC";
 
 /*****************************************************************************/
 
@@ -399,7 +398,7 @@ update_add_ip_config(NMDnsSystemdResolved    *self,
     for (i = 0; i < n; i++) {
         NMDnsServer dns_server;
 
-        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server, NULL))
+        if (!nm_dns_uri_parse(ip_data->addr_family, strarr[i], &dns_server))
             continue;
 
         if (!NM_IN_SET(dns_server.scheme,
@@ -485,11 +484,9 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
     NMSettingConnectionMdns       mdns              = NM_SETTING_CONNECTION_MDNS_DEFAULT;
     NMSettingConnectionLlmnr      llmnr             = NM_SETTING_CONNECTION_LLMNR_DEFAULT;
     NMSettingConnectionDnsOverTls dns_over_tls      = NM_SETTING_CONNECTION_DNS_OVER_TLS_DEFAULT;
-    NMSettingConnectionDnssec     dnssec            = NM_SETTING_CONNECTION_DNSSEC_DEFAULT;
     const char                   *mdns_arg          = NULL;
     const char                   *llmnr_arg         = NULL;
     const char                   *dns_over_tls_arg  = NULL;
-    const char                   *dnssec_arg        = NULL;
     gboolean                      has_config        = FALSE;
     gboolean                      has_default_route = FALSE;
     guint                         i;
@@ -520,7 +517,6 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                 llmnr = NM_MAX(llmnr, nm_l3_config_data_get_llmnr(ip_data->l3cd));
                 dns_over_tls =
                     NM_MAX(dns_over_tls, nm_l3_config_data_get_dns_over_tls(ip_data->l3cd));
-                dnssec = NM_MAX(dnssec, nm_l3_config_data_get_dnssec(ip_data->l3cd));
             }
         }
     }
@@ -593,24 +589,8 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
     }
     nm_assert(dns_over_tls_arg);
 
-    switch (dnssec) {
-    case NM_SETTING_CONNECTION_DNSSEC_NO:
-        dnssec_arg = "no";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_ALLOW_DOWNGRADE:
-        dnssec_arg = "allow-downgrade";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_YES:
-        dnssec_arg = "yes";
-        break;
-    case NM_SETTING_CONNECTION_DNSSEC_DEFAULT:
-        dnssec_arg = "";
-        break;
-    }
-    nm_assert(dnssec_arg);
-
     if (!nm_str_is_empty(mdns_arg) || !nm_str_is_empty(llmnr_arg)
-        || !nm_str_is_empty(dns_over_tls_arg) || !nm_str_is_empty(dnssec_arg))
+        || !nm_str_is_empty(dns_over_tls_arg))
         has_config = TRUE;
 
     _request_item_append(self, "SetLinkDomains", ic->ifindex, g_variant_builder_end(&domains));
@@ -638,10 +618,6 @@ prepare_one_interface(NMDnsSystemdResolved *self, const InterfaceConfig *ic)
                          DBUS_OP_SET_LINK_DNS_OVER_TLS,
                          ic->ifindex,
                          g_variant_new("(is)", ic->ifindex, dns_over_tls_arg ?: ""));
-    _request_item_append(self,
-                         DBUS_OP_SET_LINK_DNSSEC,
-                         ic->ifindex,
-                         g_variant_new("(is)", ic->ifindex, dnssec_arg ?: ""));
 
     return has_config;
 }

src/core/main-utils.c

@@ -81,7 +81,7 @@ nm_main_utils_write_pidfile(const char *pidfile)
     char                  pid[16];
 
     nm_sprintf_buf(pid, "%lld", (long long) getpid());
-    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, NULL, &error)) {
+    if (!nm_utils_file_set_contents(pidfile, pid, -1, 00644, NULL, NULL, &error)) {
         fprintf(stderr, _("Writing to %s failed: %s\n"), pidfile, error->message);
         return FALSE;
     }

src/core/main.c

@@ -298,6 +298,12 @@ main(int argc, char *argv[])
 
     _nm_utils_is_manager_process = TRUE;
 
+    /* Known to cause a possible deadlock upon GDBus initialization:
+     * https://bugzilla.gnome.org/show_bug.cgi?id=674885 */
+    g_type_ensure(G_TYPE_SOCKET);
+    g_type_ensure(G_TYPE_DBUS_CONNECTION);
+    g_type_ensure(NM_TYPE_DBUS_MANAGER);
+
     /* we determine a first-start (contrary to a restart during the same boot)
      * based on the existence of NM_CONFIG_DEVICE_STATE_DIR directory. */
     config_cli = nm_config_cmd_line_options_new(
@@ -322,12 +328,6 @@ main(int argc, char *argv[])
         exit(result);
     }
 
-    /* Known to cause a possible deadlock upon GDBus initialization:
-     * https://bugzilla.gnome.org/show_bug.cgi?id=674885 */
-    g_type_ensure(G_TYPE_SOCKET);
-    g_type_ensure(G_TYPE_DBUS_CONNECTION);
-    g_type_ensure(NM_TYPE_DBUS_MANAGER);
-
     nm_main_utils_ensure_not_running_pidfile(global_opt.pidfile);
 
     nm_main_utils_ensure_statedir();
@@ -339,7 +339,7 @@ main(int argc, char *argv[])
         char *path, *slash;
         int   g;
 
-        /* exe is <builddir>/src/core/NetworkManager, so chop off
+        /* exe is <basedir>/src/.libs/lt-NetworkManager, so chop off
          * the last three components */
         path = realpath("/proc/self/exe", NULL);
         g_assert(path != NULL);
@@ -461,8 +461,14 @@ main(int argc, char *argv[])
     /* the first access to State causes the file to be read (and possibly print a warning) */
     nm_config_state_get(config);
 
-    nm_log_dbg(LOGD_CORE, "WEXT support is %s", HAVE_WEXT ? "enabled" : "disabled");
-    nm_log_dbg(LOGD_CORE, "CLAT support is %s", HAVE_CLAT ? "enabled" : "disabled");
+    nm_log_dbg(LOGD_CORE,
+               "WEXT support is %s",
+#if HAVE_WEXT
+               "enabled"
+#else
+               "disabled"
+#endif
+    );
 
     if (!_dbus_manager_init(config))
         goto done_no_manager;

src/core/meson.build

@@ -32,15 +32,6 @@ install_data(
 
 core_plugins = []
 
-subdir('bpf')
-
-base_sources_addon = []
-base_deps_addon = []
-if enable_clat
-  base_sources_addon += [clat_skel_h]
-  base_deps_addon += [libbpf]
-endif
-
 libNetworkManagerBase = static_library(
   'NetworkManagerBase',
   sources: files(
@@ -64,13 +55,13 @@ libNetworkManagerBase = static_library(
     'nm-l3cfg.c',
     'nm-bond-manager.c',
     'nm-ip-config.c',
-  ) + base_sources_addon,
+  ),
   dependencies: [
     core_default_dep,
     libnm_core_public_dep,
     libsystemd_dep,
     libudev_dep,
-  ] + base_deps_addon,
+  ],
 )
 
 nm_deps = [
@@ -111,7 +102,6 @@ libNetworkManager = static_library(
     'devices/nm-device-ethernet-utils.c',
     'devices/nm-device-factory.c',
     'devices/nm-device-generic.c',
-    'devices/nm-device-geneve.c',
     'devices/nm-device-hsr.c',
     'devices/nm-device-infiniband.c',
     'devices/nm-device-ip-tunnel.c',

src/core/ndisc/nm-lndp-ndisc.c

@@ -19,7 +19,6 @@
 #include "libnm-systemd-shared/nm-sd-utils-shared.h"
 #include "nm-l3cfg.h"
 #include "nm-ndisc-private.h"
-#include "nm-core-utils.h"
 
 #define _NMLOG_PREFIX_NAME "ndisc-lndp"
 
@@ -28,14 +27,6 @@
 typedef struct {
     struct ndp *ndp;
     GSource    *event_source;
-
-    struct {
-        NMRateLimit pio_lft;
-        NMRateLimit mtu;
-        NMRateLimit omit_prefix;
-        NMRateLimit omit_dns;
-        NMRateLimit omit_dnssl;
-    } msg_ratelimit;
 } NMLndpNDiscPrivate;
 
 /*****************************************************************************/
@@ -58,36 +49,6 @@ G_DEFINE_TYPE(NMLndpNDisc, nm_lndp_ndisc, NM_TYPE_NDISC)
 
 /*****************************************************************************/
 
-/*
- * If we log a message about an invalid RA packet, don't repeat the same message
- * at every packet received or sent. Rate limit the message to 6 every 12 hours
- * per type and per ndisc instance.
- */
-
-#define LOG_INV_RA_WINDOW (12 * 3600)
-#define LOG_INV_RA_BURST  6
-
-#define _LOG_INVALID_RA(ndisc, rate_limit, ...)                                  \
-    G_STMT_START                                                                 \
-    {                                                                            \
-        NMNDisc     *__ndisc  = (ndisc);                                         \
-        NMRateLimit *__rl     = (rate_limit);                                    \
-        const char  *__ifname = nm_ndisc_get_ifname(__ndisc);                    \
-                                                                                 \
-        if (__ifname && nm_logging_enabled(LOGL_WARN, LOGD_IP6)                  \
-            && nm_rate_limit_check(__rl, LOG_INV_RA_WINDOW, LOG_INV_RA_BURST)) { \
-            nm_log(LOGL_WARN,                                                    \
-                   LOGD_IP6,                                                     \
-                   __ifname,                                                     \
-                   NULL,                                                         \
-                   "ndisc (%s): " _NM_UTILS_MACRO_FIRST(__VA_ARGS__),            \
-                   __ifname _NM_UTILS_MACRO_REST(__VA_ARGS__));                  \
-        }                                                                        \
-    }                                                                            \
-    G_STMT_END
-
-/*****************************************************************************/
-
 static gboolean
 send_rs(NMNDisc *ndisc, GError **error)
 {
@@ -152,7 +113,6 @@ static int
 receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
 {
     NMNDisc             *ndisc   = (NMNDisc *) user_data;
-    NMLndpNDiscPrivate  *priv    = NM_LNDP_NDISC_GET_PRIVATE(ndisc);
     NMNDiscDataInternal *rdata   = ndisc->rdata;
     NMNDiscConfigMap     changed = 0;
     NMNDiscGateway       gateway;
@@ -269,11 +229,7 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
              * log a system management error in this case.
              */
             if (preferred_time > valid_time) {
-                _LOG_INVALID_RA(
-                    ndisc,
-                    &priv->msg_ratelimit.pio_lft,
-                    "ignoring Prefix Information Option with invalid lifetimes in received IPv6 "
-                    "router advertisement");
+                _LOGW("skipping PIO - preferred lifetime > valid lifetime");
                 continue;
             }
 
@@ -393,38 +349,10 @@ receive_ra(struct ndp *ndp, struct ndp_msg *msg, gpointer user_data)
              * Kernel would set it, but would flush out all IPv6 addresses away
              * from the link, even the link-local, and we wouldn't be able to
              * listen for further RAs that could fix the MTU. */
-            _LOG_INVALID_RA(ndisc,
-                            &priv->msg_ratelimit.mtu,
-                            "ignoring too small MTU %u in received IPv6 "
-                            "router advertisement",
-                            mtu);
+            _LOGW("MTU too small for IPv6 ignored: %d", mtu);
         }
     }
 
-#if HAVE_CLAT
-    /* PREF64 */
-    ndp_msg_opt_for_each_offset (offset, msg, NDP_MSG_OPT_PREF64) {
-        NMNDiscPref64 pref64;
-
-        pref64 = (NMNDiscPref64) {
-            .prefix             = *ndp_msg_opt_pref64_prefix(msg, offset),
-            .plen               = ndp_msg_opt_pref64_prefix_length(msg, offset),
-            .gateway            = gateway.address,
-            .gateway_preference = gateway.preference,
-            .expiry_msec =
-                _nm_ndisc_lifetime_to_expiry(now_msec, ndp_msg_opt_pref64_lifetime(msg, offset)),
-            .gateway_expiry_msec = gateway.expiry_msec,
-        };
-
-        /* libndp should only return lengths defined in RFC 8781 */
-        nm_assert(NM_IN_SET(pref64.plen, 96, 64, 56, 48, 40, 32));
-
-        if (nm_ndisc_add_pref64(ndisc, &pref64, now_msec)) {
-            changed |= NM_NDISC_CONFIG_PREF64;
-        }
-    }
-#endif
-
     nm_ndisc_ra_received(ndisc, now_msec, changed);
     return 0;
 }
@@ -517,11 +445,8 @@ send_ra(NMNDisc *ndisc, GError **error)
 
         prefix = _ndp_msg_add_option(msg, sizeof(*prefix));
         if (!prefix) {
-            /* Maybe we could send separate RAs, but why bother... */
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_prefix,
-                "the outgoing IPv6 router advertisement is too big: omitting some prefixes");
+            /* Maybe we could sent separate RAs, but why bother... */
+            _LOGW("The RA is too big, had to omit some some prefixes.");
             break;
         }
 
@@ -550,10 +475,7 @@ send_ra(NMNDisc *ndisc, GError **error)
 
         option = _ndp_msg_add_option(msg, len);
         if (!option) {
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_dns,
-                "the outgoing IPv6 router advertisement is too big: omitting DNS information");
+            _LOGW("The RA is too big, had to omit DNS information.");
             goto dns_servers_done;
         }
 
@@ -631,10 +553,7 @@ dns_servers_done:
         nm_assert(len / 8u >= 2u);
 
         if (len / 8u >= 256u || !(option = _ndp_msg_add_option(msg, len))) {
-            _LOG_INVALID_RA(
-                ndisc,
-                &priv->msg_ratelimit.omit_dnssl,
-                "the outgoing IPv6 router advertisement is too big: omitting DNS search list");
+            _LOGW("The RA is too big, had to omit DNS search list.");
             goto dns_domains_done;
         }
 

src/core/ndisc/nm-ndisc-private.h

@@ -14,7 +14,6 @@ struct _NMNDiscDataInternal {
     NMNDiscData public;
     GArray *gateways;
     GArray *addresses;
-    GArray *pref64;
     GArray *routes;
     GArray *dns_servers;
     GArray *dns_domains;
@@ -29,7 +28,6 @@ gboolean nm_ndisc_add_gateway(NMNDisc *ndisc, const NMNDiscGateway *new_item, gi
 gboolean
 nm_ndisc_complete_and_add_address(NMNDisc *ndisc, const NMNDiscAddress *new_item, gint64 now_msec);
 gboolean nm_ndisc_add_route(NMNDisc *ndisc, const NMNDiscRoute *new_item, gint64 now_msec);
-gboolean nm_ndisc_add_pref64(NMNDisc *ndisc, const NMNDiscPref64 *new_item, gint64 now_msec);
 gboolean nm_ndisc_add_dns_server(NMNDisc *ndisc, const NMNDiscDNSServer *new_item, gint64 now_msec);
 gboolean nm_ndisc_add_dns_domain(NMNDisc *ndisc, const NMNDiscDNSDomain *new_item, gint64 now_msec);
 

src/core/ndisc/nm-ndisc.c

@@ -34,7 +34,6 @@
 #define _SIZE_MAX_ROUTES      1000u
 #define _SIZE_MAX_DNS_SERVERS 64u
 #define _SIZE_MAX_DNS_DOMAINS 64u
-#define _SIZE_MAX_PREF64      8u
 
 /*****************************************************************************/
 
@@ -110,8 +109,7 @@ nm_ndisc_data_to_l3cd(NMDedupMultiIndex        *multi_idx,
                       int                       ifindex,
                       const NMNDiscData        *rdata,
                       NMSettingIP6ConfigPrivacy ip6_privacy,
-                      NMUtilsIPv6IfaceId       *token,
-                      const char               *network_id)
+                      NMUtilsIPv6IfaceId       *token)
 {
     nm_auto_unref_l3cd_init NML3ConfigData *l3cd = NULL;
     guint32                                 ifa_flags;
@@ -213,21 +211,13 @@ nm_ndisc_data_to_l3cd(NMDedupMultiIndex        *multi_idx,
     for (i = 0; i < rdata->dns_domains_n; i++)
         nm_l3_config_data_add_search(l3cd, AF_INET6, rdata->dns_domains[i].domain);
 
-    if (rdata->pref64_n > 0) {
-        nm_l3_config_data_set_pref64(l3cd, rdata->pref64[0].prefix, rdata->pref64[0].plen);
-    } else {
-        nm_l3_config_data_set_pref64_valid(l3cd, FALSE);
-    }
-
     nm_l3_config_data_set_ndisc_hop_limit(l3cd, rdata->hop_limit);
     nm_l3_config_data_set_ndisc_reachable_time_msec(l3cd, rdata->reachable_time_ms);
     nm_l3_config_data_set_ndisc_retrans_timer_msec(l3cd, rdata->retrans_timer_ms);
 
-    nm_l3_config_data_set_ip6_mtu_ra(l3cd, rdata->mtu);
+    nm_l3_config_data_set_ip6_mtu(l3cd, rdata->mtu);
     if (token)
         nm_l3_config_data_set_ip6_token(l3cd, *token);
-    if (network_id)
-        nm_l3_config_data_set_network_id(l3cd, network_id);
 
     return g_steal_pointer(&l3cd);
 }
@@ -426,7 +416,6 @@ _data_complete(NMNDiscDataInternal *data)
     _SET(data, gateways);
     _SET(data, addresses);
     _SET(data, routes);
-    _SET(data, pref64);
     _SET(data, dns_servers);
     _SET(data, dns_domains);
 #undef _SET
@@ -448,8 +437,7 @@ nm_ndisc_emit_config_change(NMNDisc *self, NMNDiscConfigMap changed)
                                  nm_l3cfg_get_ifindex(priv->config.l3cfg),
                                  rdata,
                                  priv->config.ip6_privacy,
-                                 priv->iid_is_token ? &priv->iid : NULL,
-                                 priv->config.network_id);
+                                 priv->iid_is_token ? &priv->iid : NULL);
     l3cd = nm_l3_config_data_seal(l3cd);
 
     if (!nm_l3_config_data_equal(priv->l3cd, l3cd))
@@ -772,59 +760,6 @@ nm_ndisc_add_route(NMNDisc *ndisc, const NMNDiscRoute *new_item, gint64 now_msec
     return TRUE;
 }
 
-gboolean
-nm_ndisc_add_pref64(NMNDisc *ndisc, const NMNDiscPref64 *new_item, gint64 now_msec)
-{
-    NMNDiscDataInternal *rdata = &NM_NDISC_GET_PRIVATE(ndisc)->rdata;
-    guint                i;
-    guint                insert_idx = G_MAXUINT;
-
-    for (i = 0; i < rdata->pref64->len;) {
-        NMNDiscPref64 *item = &nm_g_array_index(rdata->pref64, NMNDiscPref64, i);
-
-        if (item->plen == new_item->plen && IN6_ARE_ADDR_EQUAL(&item->prefix, &new_item->prefix)
-            && IN6_ARE_ADDR_EQUAL(&item->gateway, &new_item->gateway)) {
-            if (new_item->expiry_msec <= now_msec) {
-                g_array_remove_index(rdata->pref64, i);
-                return TRUE;
-            }
-
-            if (item->gateway_preference != new_item->gateway_preference) {
-                g_array_remove_index(rdata->pref64, i);
-                continue;
-            }
-
-            item->gateway_expiry_msec = new_item->gateway_expiry_msec;
-
-            if (item->expiry_msec == new_item->expiry_msec)
-                return FALSE;
-
-            item->expiry_msec = new_item->expiry_msec;
-            return TRUE;
-        }
-
-        /* Put before less preferable gateways. */
-        if (_preference_to_priority(item->gateway_preference)
-                < _preference_to_priority(new_item->gateway_preference)
-            && insert_idx == G_MAXUINT)
-            insert_idx = i;
-
-        i++;
-    }
-
-    if (rdata->pref64->len >= _SIZE_MAX_PREF64)
-        return FALSE;
-
-    if (new_item->expiry_msec <= now_msec)
-        return FALSE;
-
-    g_array_insert_val(rdata->pref64,
-                       insert_idx == G_MAXUINT ? rdata->pref64->len : insert_idx,
-                       *new_item);
-
-    return TRUE;
-}
-
 gboolean
 nm_ndisc_add_dns_server(NMNDisc *ndisc, const NMNDiscDNSServer *new_item, gint64 now_msec)
 {
@@ -1465,17 +1400,6 @@ _config_changed_log(NMNDisc *ndisc, NMNDiscConfigMap changed)
               nm_icmpv6_router_pref_to_string(route->preference, str_pref, sizeof(str_pref)),
               get_exp(str_exp, now_msec, route));
     }
-    for (i = 0; i < rdata->pref64->len; i++) {
-        const NMNDiscPref64 *pref64 = &nm_g_array_index(rdata->pref64, NMNDiscPref64, i);
-        char                 addrstr2[NM_INET_ADDRSTRLEN];
-
-        _LOGD("  pref64 %s/%u via %s exp %s",
-              nm_inet6_ntop(&pref64->prefix, addrstr),
-              pref64->plen,
-              nm_inet6_ntop(&pref64->gateway, addrstr2),
-              get_exp(str_exp, now_msec, pref64));
-    }
-
     for (i = 0; i < rdata->dns_servers->len; i++) {
         const NMNDiscDNSServer *dns_server =
             &nm_g_array_index(rdata->dns_servers, NMNDiscDNSServer, i);
@@ -1600,45 +1524,6 @@ clean_routes(NMNDisc *ndisc, gint64 now_msec, NMNDiscConfigMap *changed, gint64
         *changed |= NM_NDISC_CONFIG_ROUTES;
 }
 
-static void
-clean_pref64(NMNDisc *ndisc, gint64 now_msec, NMNDiscConfigMap *changed, gint64 *next_msec)
-{
-    NMNDiscDataInternal *rdata = &NM_NDISC_GET_PRIVATE(ndisc)->rdata;
-    NMNDiscPref64       *arr;
-    guint                i;
-    guint                j;
-
-    if (rdata->pref64->len == 0)
-        return;
-
-    arr = &nm_g_array_first(rdata->pref64, NMNDiscPref64);
-
-    for (i = 0, j = 0; i < rdata->pref64->len; i++) {
-        if (!expiry_next(now_msec, arr[i].expiry_msec, next_msec)
-            || !expiry_next(now_msec,
-                            arr[i].gateway_expiry_msec,
-                            next_msec)) { /* no gateway no party */
-            if (i == 0) {
-                /* Emit the changed signal only when the first PREF64 expires,
-                 * because only the first item is exported into the l3cd. Changes
-                 * in other PREF64s are not relevant. */
-                *changed |= NM_NDISC_CONFIG_PREF64;
-            }
-            continue;
-        }
-
-        if (i != j)
-            arr[j] = arr[i];
-        j++;
-    }
-
-    if (i != j) {
-        g_array_set_size(rdata->pref64, j);
-    }
-
-    _array_set_size_max(rdata->pref64, _SIZE_MAX_PREF64);
-}
-
 static void
 clean_dns_servers(NMNDisc *ndisc, gint64 now_msec, NMNDiscConfigMap *changed, gint64 *next_msec)
 {
@@ -1715,7 +1600,6 @@ check_timestamps(NMNDisc *ndisc, gint64 now_msec, NMNDiscConfigMap changed)
     clean_gateways(ndisc, now_msec, &changed, &next_msec);
     clean_addresses(ndisc, now_msec, &changed, &next_msec);
     clean_routes(ndisc, now_msec, &changed, &next_msec);
-    clean_pref64(ndisc, now_msec, &changed, &next_msec);
     clean_dns_servers(ndisc, now_msec, &changed, &next_msec);
     clean_dns_domains(ndisc, now_msec, &changed, &next_msec);
 
@@ -2035,7 +1919,6 @@ nm_ndisc_init(NMNDisc *ndisc)
     rdata->gateways    = g_array_new(FALSE, FALSE, sizeof(NMNDiscGateway));
     rdata->addresses   = g_array_new(FALSE, FALSE, sizeof(NMNDiscAddress));
     rdata->routes      = g_array_new(FALSE, FALSE, sizeof(NMNDiscRoute));
-    rdata->pref64      = g_array_new(FALSE, FALSE, sizeof(NMNDiscPref64));
     rdata->dns_servers = g_array_new(FALSE, FALSE, sizeof(NMNDiscDNSServer));
     rdata->dns_domains = g_array_new(FALSE, FALSE, sizeof(NMNDiscDNSDomain));
     g_array_set_clear_func(rdata->dns_domains, dns_domain_free);
@@ -2068,7 +1951,6 @@ finalize(GObject *object)
     g_array_unref(rdata->gateways);
     g_array_unref(rdata->addresses);
     g_array_unref(rdata->routes);
-    g_array_unref(rdata->pref64);
     g_array_unref(rdata->dns_servers);
     g_array_unref(rdata->dns_domains);
 

src/core/ndisc/nm-ndisc.h

@@ -119,15 +119,6 @@ typedef struct _NMNDiscRoute {
     bool               duplicate : 1;
 } NMNDiscRoute;
 
-typedef struct _NMNDiscPref64 {
-    struct in6_addr    prefix;
-    struct in6_addr    gateway;
-    gint64             expiry_msec;
-    gint64             gateway_expiry_msec;
-    NMIcmpv6RouterPref gateway_preference;
-    guint8             plen;
-} NMNDiscPref64;
-
 typedef struct {
     struct in6_addr address;
     gint64          expiry_msec;
@@ -150,7 +141,6 @@ typedef enum {
     NM_NDISC_CONFIG_MTU            = 1 << 7,
     NM_NDISC_CONFIG_REACHABLE_TIME = 1 << 8,
     NM_NDISC_CONFIG_RETRANS_TIMER  = 1 << 9,
-    NM_NDISC_CONFIG_PREF64         = 1 << 10,
 } NMNDiscConfigMap;
 
 typedef enum {
@@ -198,14 +188,12 @@ typedef struct {
     guint gateways_n;
     guint addresses_n;
     guint routes_n;
-    guint pref64_n;
     guint dns_servers_n;
     guint dns_domains_n;
 
     const NMNDiscGateway   *gateways;
     const NMNDiscAddress   *addresses;
     const NMNDiscRoute     *routes;
-    const NMNDiscPref64    *pref64;
     const NMNDiscDNSServer *dns_servers;
     const NMNDiscDNSDomain *dns_domains;
 } NMNDiscData;
@@ -294,7 +282,6 @@ struct _NML3ConfigData *nm_ndisc_data_to_l3cd(NMDedupMultiIndex        *multi_id
                                               int                       ifindex,
                                               const NMNDiscData        *rdata,
                                               NMSettingIP6ConfigPrivacy ip6_privacy,
-                                              NMUtilsIPv6IfaceId       *token,
-                                              const char               *network_id);
+                                              NMUtilsIPv6IfaceId       *token);
 
 #endif /* __NETWORKMANAGER_NDISC_H__ */

src/core/nm-checkpoint.c

@@ -39,9 +39,7 @@ typedef struct {
     bool               activation_lifetime_bound_to_profile_visibility : 1;
     bool               settings_connection_is_unsaved : 1;
     bool               settings_connection_is_shadowed_owned : 1;
-    bool               permanent_managed_by_mac : 1;
     NMUnmanFlagOp      unmanaged_explicit;
-    NMTernary          permanent_managed;
     NMActivationReason activation_reason;
     gulong             dev_exported_change_id;
 } DeviceCheckpoint;
@@ -162,7 +160,7 @@ parse_connection_from_shadowed_file(const char *path, GError **error)
 {
     nm_auto_unref_keyfile GKeyFile *keyfile  = NULL;
     gs_free char                   *base_dir = NULL;
-    const char                     *sep;
+    char                           *sep;
 
     keyfile = g_key_file_new();
     if (!g_key_file_load_from_file(keyfile, path, G_KEY_FILE_NONE, error))
@@ -498,19 +496,14 @@ nm_checkpoint_rollback(NMCheckpoint *self)
     /* Start rolling-back each device */
     g_hash_table_iter_init(&iter, priv->devices);
     while (g_hash_table_iter_next(&iter, (gpointer *) &device, (gpointer *) &dev_checkpoint)) {
-        guint32   result              = NM_ROLLBACK_RESULT_OK;
-        NMTernary perm_managed        = NM_TERNARY_DEFAULT;
-        gboolean  perm_managed_by_mac = FALSE;
-        gboolean  force_perm_managed;
+        guint32 result = NM_ROLLBACK_RESULT_OK;
 
         _LOGD("rollback: restoring device %s (state %d, realized %d, explicitly unmanaged %d, "
-              "permanently managed %d, connection-unsaved %d, connection-shadowed %d, "
-              "connection-shadowed-owned %d)",
+              "connection-unsaved %d, connection-shadowed %d, connection-shadowed-owned %d)",
               dev_checkpoint->original_dev_name,
               (int) dev_checkpoint->state,
               dev_checkpoint->realized,
               dev_checkpoint->unmanaged_explicit,
-              dev_checkpoint->permanent_managed,
               dev_checkpoint->settings_connection_is_unsaved,
               !!dev_checkpoint->settings_connection_shadowed,
               dev_checkpoint->settings_connection_is_shadowed_owned);
@@ -548,43 +541,6 @@ nm_checkpoint_rollback(NMCheckpoint *self)
                                                    NM_DEVICE_STATE_REASON_NOW_MANAGED);
         }
 
-        force_perm_managed = !nm_config_get_device_managed(nm_config_get(),
-                                                           device,
-                                                           &perm_managed,
-                                                           &perm_managed_by_mac,
-                                                           NULL);
-
-        if (force_perm_managed || (perm_managed != dev_checkpoint->permanent_managed)
-            || (dev_checkpoint->permanent_managed != NM_TERNARY_DEFAULT
-                && perm_managed_by_mac != dev_checkpoint->permanent_managed_by_mac)) {
-            gs_free_error GError *error = NULL;
-            NMUnmanFlagOp         set_op;
-
-            _LOGD("rollback: restore permanent managed state");
-
-            if (!nm_config_set_device_managed(nm_config_get(),
-                                              device,
-                                              dev_checkpoint->permanent_managed,
-                                              dev_checkpoint->permanent_managed_by_mac,
-                                              &error)) {
-                _LOGE("rollback: failed to restore permanent managed state: %s", error->message);
-                result = NM_ROLLBACK_RESULT_ERR_FAILED;
-                /* even if this failed, we try to continue the rollback */
-            }
-
-            if (dev_checkpoint->permanent_managed == NM_TERNARY_TRUE)
-                set_op = NM_UNMAN_FLAG_OP_SET_MANAGED;
-            else if (dev_checkpoint->permanent_managed == NM_TERNARY_FALSE)
-                set_op = NM_UNMAN_FLAG_OP_SET_UNMANAGED;
-            else
-                set_op = NM_UNMAN_FLAG_OP_FORGET;
-
-            nm_device_set_unmanaged_by_flags_queue(device,
-                                                   NM_UNMANAGED_USER_CONF,
-                                                   set_op,
-                                                   NM_DEVICE_STATE_REASON_NOW_MANAGED);
-        }
-
         if (dev_checkpoint->state == NM_DEVICE_STATE_UNMANAGED) {
             if (nm_device_get_state(device) != NM_DEVICE_STATE_UNMANAGED
                 || dev_checkpoint->unmanaged_explicit == NM_UNMAN_FLAG_OP_SET_UNMANAGED) {
@@ -747,8 +703,6 @@ device_checkpoint_create(NMCheckpoint *self, NMDevice *device)
     NMSettingsConnection *settings_connection;
     const char           *path;
     NMActRequest         *act_request;
-    gboolean              perm_managed_by_mac;
-    gs_free_error GError *error = NULL;
 
     nm_assert(NM_IS_DEVICE(device));
     nm_assert(nm_device_is_real(device));
@@ -774,26 +728,12 @@ device_checkpoint_create(NMCheckpoint *self, NMDevice *device)
     } else
         dev_checkpoint->unmanaged_explicit = NM_UNMAN_FLAG_OP_FORGET;
 
-    if (nm_config_get_device_managed(nm_config_get(),
-                                     device,
-                                     &dev_checkpoint->permanent_managed,
-                                     &perm_managed_by_mac,
-                                     NULL)) {
-        dev_checkpoint->permanent_managed_by_mac = perm_managed_by_mac;
-    } else {
-        dev_checkpoint->permanent_managed        = NM_TERNARY_DEFAULT;
-        dev_checkpoint->permanent_managed_by_mac = FALSE;
-        _LOGW("error getting permanent managed state for %s: %s",
-              nm_device_get_iface(device),
-              error->message);
-        g_clear_error(&error);
-    }
-
     act_request = nm_device_get_act_request(device);
     if (act_request) {
-        NMSettingsStorage *storage;
-        gboolean           shadowed_owned = FALSE;
-        const char        *shadowed_file;
+        NMSettingsStorage    *storage;
+        gboolean              shadowed_owned = FALSE;
+        const char           *shadowed_file;
+        gs_free_error GError *error = NULL;
 
         settings_connection = nm_act_request_get_settings_connection(act_request);
         applied_connection  = nm_act_request_get_applied_connection(act_request);
@@ -824,7 +764,6 @@ device_checkpoint_create(NMCheckpoint *self, NMDevice *device)
                 _LOGW("error reading shadowed connection file for %s: %s",
                       nm_device_get_iface(device),
                       error->message);
-                g_clear_error(&error);
             }
         }
     }