logs-show: move show_journal_by_unit _BOOT_ID match

In scrutinizing the journal overhead of `systemctl status $service`
it became apparent that the matching engine was performing the unit
matches on every journal in my system, even ones containing nothing
relevant to the current boot.

This seemed strange and likely suboptimal to me, since there's likely
far more unit data to rifle through than boot IDs in any given
journal.  The _BOOT_ID match seemed like it should be serving as an
early exit match on irrelevant journals, but that wasn't what seemed
to be happening.

As a quick experiment to see if I could get the _BOOT_ID match to be
something along the lines of a higher priority when matching, and try
early exit on these unrelated journals, I moved add_match_this_boot()
to after the unit match adds, inserting a conjunction between them.

The end result seems to be a very substantial performance gain in my
simple uncached tests, and I still get the expected journal output
from the `systemctl status $service` command:

----------------------------------------------------------------------

Unmodified systemctl times:

 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.695s
 user    0m0.005s
 sys     0m0.043s
 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.696s
 user    0m0.003s
 sys     0m0.046s
 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.694s
 user    0m0.006s
 sys     0m0.041s

----------------------------------------------------------------------

Modified systemctl including this commit:

 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.168s
 user    0m0.003s
 sys     0m0.016s
 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.167s
 user    0m0.005s
 sys     0m0.013s
 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.170s
 user    0m0.005s
 sys     0m0.014s

hwdb.d/60-sensor.hwdb

@@ -777,6 +777,10 @@ sensor:modalias:acpi:BMA250*:dmi:*:bvrTREK.G.WI71C.JGBMRBA*:*:svnInsyde:pnST7041
 sensor:modalias:acpi:BMA250*:dmi:*:bvrTREK.G.WI71C.JGBMRBA*:*:svnTrekStor:pnSurfTabwintron7.0ST70416-6:*
  ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
 
+# SurfTab Wintron 10.1 ST10432-3, generic DMI string, use partial BIOS version match
+sensor:modalias:acpi:SMO8500*:dmi:*:bvrWintron.R25M.02.0*:*:svnInsyde:pnBayTrail:*
+ ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 1
+
 sensor:modalias:acpi:KIOX000A*:dmi:*:svnTrekStor:pnSurfTabtwin10.1:*
  ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
 

man/systemd.unit.xml

@@ -1489,6 +1489,68 @@
           to the container and not the physically available ones.</para></listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term><varname>ConditionCPUFeature=</varname></term>
+
+          <listitem><para>Verify that a given CPU feature is available via the <literal>CPUID</literal>
+          instruction. This condition only does something on i386 and x86-64 processors. On other
+          processors it is assumed that the CPU does not support the given feature. It checks the leaves
+          <literal>1</literal>, <literal>7</literal>, <literal>0x80000001</literal>, and
+          <literal>0x80000007</literal>. Valid values are:
+          <literal>fpu</literal>,
+          <literal>vme</literal>,
+          <literal>de</literal>,
+          <literal>pse</literal>,
+          <literal>tsc</literal>,
+          <literal>msr</literal>,
+          <literal>pae</literal>,
+          <literal>mce</literal>,
+          <literal>cx8</literal>,
+          <literal>apic</literal>,
+          <literal>sep</literal>,
+          <literal>mtrr</literal>,
+          <literal>pge</literal>,
+          <literal>mca</literal>,
+          <literal>cmov</literal>,
+          <literal>pat</literal>,
+          <literal>pse36</literal>,
+          <literal>clflush</literal>,
+          <literal>mmx</literal>,
+          <literal>fxsr</literal>,
+          <literal>sse</literal>,
+          <literal>sse2</literal>,
+          <literal>ht</literal>,
+          <literal>pni</literal>,
+          <literal>pclmul</literal>,
+          <literal>monitor</literal>,
+          <literal>ssse3</literal>,
+          <literal>fma3</literal>,
+          <literal>cx16</literal>,
+          <literal>sse4_1</literal>,
+          <literal>sse4_2</literal>,
+          <literal>movbe</literal>,
+          <literal>popcnt</literal>,
+          <literal>aes</literal>,
+          <literal>xsave</literal>,
+          <literal>osxsave</literal>,
+          <literal>avx</literal>,
+          <literal>f16c</literal>,
+          <literal>rdrand</literal>,
+          <literal>bmi1</literal>,
+          <literal>avx2</literal>,
+          <literal>bmi2</literal>,
+          <literal>rdseed</literal>,
+          <literal>adx</literal>,
+          <literal>sha_ni</literal>,
+          <literal>syscall</literal>,
+          <literal>rdtscp</literal>,
+          <literal>lm</literal>,
+          <literal>lahf_lm</literal>,
+          <literal>abm</literal>,
+          <literal>constant_tsc</literal>.</para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term><varname>AssertArchitecture=</varname></term>
           <term><varname>AssertVirtualization=</varname></term>

src/basic/cgroup-util.h

@@ -297,7 +297,7 @@ typedef enum ManagedOOMPreference {
         MANAGED_OOM_PREFERENCE_AVOID = 1,
         MANAGED_OOM_PREFERENCE_OMIT = 2,
         _MANAGED_OOM_PREFERENCE_MAX,
-        _MANAGED_OOM_PREFERENCE_INVALID = -1
+        _MANAGED_OOM_PREFERENCE_INVALID = -EINVAL,
 } ManagedOOMPreference;
 
 const char* managed_oom_preference_to_string(ManagedOOMPreference a) _const_;

src/basic/unit-def.h

@@ -62,7 +62,7 @@ typedef enum UnitMarker {
         UNIT_MARKER_NEEDS_RELOAD,
         UNIT_MARKER_NEEDS_RESTART,
         _UNIT_MARKER_MAX,
-        _UNIT_MARKER_INVALID = -1
+        _UNIT_MARKER_INVALID = -EINVAL,
 } UnitMarker;
 
 typedef enum AutomountState {

src/basic/virt.c

@@ -786,6 +786,131 @@ int running_in_chroot(void) {
         return r == 0;
 }
 
+#if defined(__i386__) || defined(__x86_64__)
+struct cpuid_table_entry {
+        uint32_t flag_bit;
+        const char *name;
+};
+
+static const struct cpuid_table_entry leaf1_edx[] = {
+        {  0, "fpu" },
+        {  1, "vme" },
+        {  2, "de" },
+        {  3, "pse" },
+        {  4, "tsc" },
+        {  5, "msr" },
+        {  6, "pae" },
+        {  7, "mce" },
+        {  8, "cx8" },
+        {  9, "apic" },
+        { 11, "sep" },
+        { 12, "mtrr" },
+        { 13, "pge" },
+        { 14, "mca" },
+        { 15, "cmov" },
+        { 16, "pat" },
+        { 17, "pse36" },
+        { 19, "clflush" },
+        { 23, "mmx" },
+        { 24, "fxsr" },
+        { 25, "sse" },
+        { 26, "sse2" },
+        { 28, "ht" },
+};
+
+static const struct cpuid_table_entry leaf1_ecx[] = {
+        {  0, "pni" },
+        {  1, "pclmul" },
+        {  3, "monitor" },
+        {  9, "ssse3" },
+        { 12, "fma3" },
+        { 13, "cx16" },
+        { 19, "sse4_1" },
+        { 20, "sse4_2" },
+        { 22, "movbe" },
+        { 23, "popcnt" },
+        { 25, "aes" },
+        { 26, "xsave" },
+        { 27, "osxsave" },
+        { 28, "avx" },
+        { 29, "f16c" },
+        { 30, "rdrand" },
+};
+
+static const struct cpuid_table_entry leaf7_ebx[] = {
+        {  3, "bmi1" },
+        {  5, "avx2" },
+        {  8, "bmi2" },
+        { 18, "rdseed" },
+        { 19, "adx" },
+        { 29, "sha_ni" },
+};
+
+static const struct cpuid_table_entry leaf81_edx[] = {
+        { 11, "syscall" },
+        { 27, "rdtscp" },
+        { 29, "lm" },
+};
+
+static const struct cpuid_table_entry leaf81_ecx[] = {
+        {  0, "lahf_lm" },
+        {  5, "abm" },
+};
+
+static const struct cpuid_table_entry leaf87_edx[] = {
+        {  8, "constant_tsc" },
+};
+
+static bool given_flag_in_set(const char *flag, const struct cpuid_table_entry *set, size_t set_size, uint32_t val) {
+        for (size_t i = 0; i < set_size; i++) {
+                if ((UINT32_C(1) << set[i].flag_bit) & val &&
+                                streq(flag, set[i].name))
+                        return true;
+        }
+        return false;
+}
+
+static bool real_has_cpu_with_flag(const char *flag) {
+        uint32_t eax, ebx, ecx, edx;
+
+        if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
+                if (given_flag_in_set(flag, leaf1_ecx, ELEMENTSOF(leaf1_ecx), ecx))
+                        return true;
+
+                if (given_flag_in_set(flag, leaf1_edx, ELEMENTSOF(leaf1_edx), edx))
+                        return true;
+        }
+
+        if (__get_cpuid(7, &eax, &ebx, &ecx, &edx)) {
+                if (given_flag_in_set(flag, leaf7_ebx, ELEMENTSOF(leaf7_ebx), ebx))
+                        return true;
+        }
+
+        if (__get_cpuid(0x80000001U, &eax, &ebx, &ecx, &edx)) {
+                if (given_flag_in_set(flag, leaf81_ecx, ELEMENTSOF(leaf81_ecx), ecx))
+                        return true;
+
+                if (given_flag_in_set(flag, leaf81_edx, ELEMENTSOF(leaf81_edx), edx))
+                        return true;
+        }
+
+        if (__get_cpuid(0x80000007U, &eax, &ebx, &ecx, &edx))
+                if (given_flag_in_set(flag, leaf87_edx, ELEMENTSOF(leaf87_edx), edx))
+                        return true;
+
+        return false;
+}
+#endif
+
+bool has_cpu_with_flag(const char *flag) {
+        /* CPUID is an x86 specific interface. Assume on all others that no CPUs have those flags. */
+#if defined(__i386__) || defined(__x86_64__)
+        return real_has_cpu_with_flag(flag);
+#else
+        return false;
+#endif
+}
+
 static const char *const virtualization_table[_VIRTUALIZATION_MAX] = {
         [VIRTUALIZATION_NONE] = "none",
         [VIRTUALIZATION_KVM] = "kvm",

src/basic/virt.h

@@ -61,3 +61,4 @@ int running_in_chroot(void);
 
 const char *virtualization_to_string(int v) _const_;
 int virtualization_from_string(const char *s) _pure_;
+bool has_cpu_with_flag(const char *flag);

src/core/dbus-cgroup.c

@@ -1732,7 +1732,7 @@ int bus_cgroup_set_property(
 
                 p = managed_oom_preference_from_string(pref);
                 if (p < 0)
-                        return -EINVAL;
+                        return p;
 
                 if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
                         c->moom_preference = p;

src/libsystemd-network/dhcp-identifier.h

@@ -16,7 +16,7 @@ typedef enum DUIDType {
         DUID_TYPE_LL        = 3,
         DUID_TYPE_UUID      = 4,
         _DUID_TYPE_MAX,
-        _DUID_TYPE_INVALID  = -1,
+        _DUID_TYPE_INVALID  = -EINVAL,
 } DUIDType;
 
 /* RFC 3315 section 9.1:

src/portable/portable.h

@@ -31,7 +31,7 @@ typedef enum PortableChangeType {
         PORTABLE_WRITE,
         PORTABLE_MKDIR,
         _PORTABLE_CHANGE_TYPE_MAX,
-        _PORTABLE_CHANGE_TYPE_INVALID = INT_MIN,
+        _PORTABLE_CHANGE_TYPE_INVALID = -EINVAL,
 } PortableChangeType;
 
 typedef enum PortableState {

src/resolve/resolved-dns-packet.c

@@ -726,8 +726,9 @@ int dns_packet_append_opt(
                 uint16_t max_udp_size,
                 bool edns0_do,
                 bool include_rfc6975,
+                const char *nsid,
                 int rcode,
-                size_t *start) {
+                size_t *ret_start) {
 
         size_t saved_size;
         int r;
@@ -770,7 +771,6 @@ int dns_packet_append_opt(
         if (r < 0)
                 goto fail;
 
-        /* RDLENGTH */
         if (edns0_do && include_rfc6975) {
                 /* If DO is on and this is requested, also append RFC6975 Algorithm data. This is supposed to
                  * be done on queries, not on replies, hencer callers should turn this off when finishing off
@@ -805,11 +805,32 @@ int dns_packet_append_opt(
                         NSEC3_ALGORITHM_SHA1,
                 };
 
-                r = dns_packet_append_uint16(p, sizeof(rfc6975), NULL);
+                r = dns_packet_append_uint16(p, sizeof(rfc6975), NULL); /* RDLENGTH */
                 if (r < 0)
                         goto fail;
 
-                r = dns_packet_append_blob(p, rfc6975, sizeof(rfc6975), NULL);
+                r = dns_packet_append_blob(p, rfc6975, sizeof(rfc6975), NULL); /* the payload, as defined above */
+
+        } else if (nsid) {
+
+                if (strlen(nsid) > UINT16_MAX - 4) {
+                        r = -E2BIG;
+                        goto fail;
+                }
+
+                r = dns_packet_append_uint16(p, 4 + strlen(nsid), NULL); /* RDLENGTH */
+                if (r < 0)
+                        goto fail;
+
+                r = dns_packet_append_uint16(p, 3, NULL); /* OPTION-CODE: NSID */
+                if (r < 0)
+                        goto fail;
+
+                r = dns_packet_append_uint16(p, strlen(nsid), NULL); /* OPTION-LENGTH */
+                if (r < 0)
+                        goto fail;
+
+                r = dns_packet_append_blob(p, nsid, strlen(nsid), NULL);
         } else
                 r = dns_packet_append_uint16(p, 0, NULL);
         if (r < 0)
@@ -820,8 +841,8 @@ int dns_packet_append_opt(
         p->opt_start = saved_size;
         p->opt_size = p->size - saved_size;
 
-        if (start)
-                *start = saved_size;
+        if (ret_start)
+                *ret_start = saved_size;
 
         return 0;
 
@@ -2559,6 +2580,52 @@ bool dns_packet_equal(const DnsPacket *a, const DnsPacket *b) {
         return dns_packet_compare_func(a, b) == 0;
 }
 
+int dns_packet_has_nsid_request(DnsPacket *p) {
+        bool has_nsid = false;
+        const uint8_t *d;
+        size_t l;
+
+        assert(p);
+
+        if (!p->opt)
+                return false;
+
+        d = p->opt->opt.data;
+        l = p->opt->opt.data_size;
+
+        while (l > 0) {
+                uint16_t code, length;
+
+                if (l < 4U)
+                        return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
+                                               "EDNS0 variable part has invalid size.");
+
+                code = unaligned_read_be16(d);
+                length = unaligned_read_be16(d + 2);
+
+                if (l < 4U + length)
+                        return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
+                                               "Truncated option in EDNS0 variable part.");
+
+                if (code == 3) {
+                        if (has_nsid)
+                                return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
+                                                       "Duplicate NSID option in EDNS0 variable part.");
+
+                        if (length != 0)
+                                return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
+                                                       "Non-empty NSID option in DNS request.");
+
+                        has_nsid = true;
+                }
+
+                d += 4U + length;
+                l -= 4U + length;
+        }
+
+        return has_nsid;
+}
+
 static const char* const dns_rcode_table[_DNS_RCODE_MAX_DEFINED] = {
         [DNS_RCODE_SUCCESS] = "SUCCESS",
         [DNS_RCODE_FORMERR] = "FORMERR",

src/resolve/resolved-dns-packet.h

@@ -201,7 +201,7 @@ int dns_packet_append_label(DnsPacket *p, const char *s, size_t l, bool canonica
 int dns_packet_append_name(DnsPacket *p, const char *name, bool allow_compression, bool canonical_candidate, size_t *start);
 int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *key, const DnsAnswerFlags flags, size_t *start);
 int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, const DnsAnswerFlags flags, size_t *start, size_t *rdata_start);
-int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, bool include_rfc6975, int rcode, size_t *start);
+int dns_packet_append_opt(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, bool include_rfc6975, const char *nsid, int rcode, size_t *ret_start);
 int dns_packet_append_question(DnsPacket *p, DnsQuestion *q);
 int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a, unsigned *completed);
 
@@ -229,6 +229,8 @@ int dns_packet_extract(DnsPacket *p);
 
 bool dns_packet_equal(const DnsPacket *a, const DnsPacket *b);
 
+int dns_packet_has_nsid_request(DnsPacket *p);
+
 /* https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6 */
 enum {
         DNS_RCODE_SUCCESS = 0,

src/resolve/resolved-dns-server.c

@@ -587,7 +587,7 @@ int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeature
         else
                 packet_size = server->received_udp_packet_max;
 
-        return dns_packet_append_opt(packet, packet_size, edns_do, /* include_rfc6975 = */ true, 0, NULL);
+        return dns_packet_append_opt(packet, packet_size, edns_do, /* include_rfc6975 = */ true, NULL, 0, NULL);
 }
 
 int dns_server_ifindex(const DnsServer *s) {

src/resolve/resolved-dns-stub.c

@@ -9,6 +9,7 @@
 #include "resolved-dns-stub.h"
 #include "socket-netlink.h"
 #include "socket-util.h"
+#include "stdio-util.h"
 #include "string-table.h"
 
 /* The MTU of the loopback device is 64K on Linux, advertise that as maximum datagram size, but subtract the Ethernet,
@@ -393,6 +394,34 @@ static int dns_stub_add_reply_packet_body(
         return 0;
 }
 
+static const char *nsid_string(void) {
+        static char buffer[SD_ID128_STRING_MAX + STRLEN(".resolved.systemd.io")] = "";
+        sd_id128_t id;
+        int r;
+
+        /* Let's generate a string that we can use as RFC5001 NSID identifier. The string shall identify us
+         * as systemd-resolved, and return a different string for each resolved instance without leaking host
+         * identity. Hence let's use a fixed suffix that identifies resolved, and a prefix generated from the
+         * machine ID but from which the machine ID cannot be determined.
+         *
+         * Clients can use this to determine whether an answer is originating locally or is proxied from
+         * upstream. */
+
+        if (!isempty(buffer))
+                return buffer;
+
+        r = sd_id128_get_machine_app_specific(
+                        SD_ID128_MAKE(ed,d3,12,5d,16,b9,41,f9,a1,49,5f,ab,15,62,ab,27),
+                        &id);
+        if (r < 0) {
+                log_debug_errno(r, "Failed to determine machine ID, igoring: %m");
+                return NULL;
+        }
+
+        xsprintf(buffer, SD_ID128_FORMAT_STR ".resolved.systemd.io", SD_ID128_FORMAT_VAL(id));
+        return buffer;
+}
+
 static int dns_stub_finish_reply_packet(
                 DnsPacket *p,
                 uint16_t id,
@@ -402,14 +431,15 @@ static int dns_stub_finish_reply_packet(
                 bool edns0_do,  /* set the EDNS0 DNSSEC OK bit? */
                 bool ad,        /* set the DNSSEC authenticated data bit? */
                 bool cd,        /* set the DNSSEC checking disabled bit? */
-                uint16_t max_udp_size) { /* The maximum UDP datagram size to advertise to clients */
+                uint16_t max_udp_size, /* The maximum UDP datagram size to advertise to clients */
+                bool nsid) {    /* whether to add NSID */
 
         int r;
 
         assert(p);
 
         if (add_opt) {
-                r = dns_packet_append_opt(p, max_udp_size, edns0_do, /* include_rfc6975 = */ false, rcode, NULL);
+                r = dns_packet_append_opt(p, max_udp_size, edns0_do, /* include_rfc6975 = */ false, nsid ? nsid_string() : NULL, rcode, NULL);
                 if (r == -EMSGSIZE) /* Hit the size limit? then indicate truncation */
                         tc = true;
                 else if (r < 0)
@@ -529,7 +559,8 @@ static int dns_stub_send_reply(
                         edns0_do,
                         DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q),
                         DNS_PACKET_CD(q->request_packet),
-                        q->stub_listener_extra ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX);
+                        q->stub_listener_extra ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX,
+                        dns_packet_has_nsid_request(q->request_packet) > 0 && !q->stub_listener_extra);
         if (r < 0)
                 return log_debug_errno(r, "Failed to build failure packet: %m");
 
@@ -568,7 +599,8 @@ static int dns_stub_send_failure(
                         DNS_PACKET_DO(p),
                         DNS_PACKET_AD(p) && authenticated,
                         DNS_PACKET_CD(p),
-                        l ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX);
+                        l ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX,
+                        dns_packet_has_nsid_request(p) > 0 && !l);
         if (r < 0)
                 return log_debug_errno(r, "Failed to build failure packet: %m");
 

src/resolve/resolved-dnstls-openssl.c

@@ -13,8 +13,8 @@
 #include "resolved-dnstls.h"
 #include "resolved-manager.h"
 
-DEFINE_TRIVIAL_CLEANUP_FUNC(SSL*, SSL_free);
-DEFINE_TRIVIAL_CLEANUP_FUNC(BIO*, BIO_free);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
 
 static int dnstls_flush_write_buffer(DnsStream *stream) {
         ssize_t ss;

src/shared/bridge-util.h

@@ -13,7 +13,7 @@ typedef enum BridgeState {
         NETDEV_BRIDGE_STATE_FORWARDING = BR_STATE_FORWARDING,
         NETDEV_BRIDGE_STATE_BLOCKING   = BR_STATE_BLOCKING,
         _NETDEV_BRIDGE_STATE_MAX,
-        _NETDEV_BRIDGE_STATE_INVALID      = -1,
+        _NETDEV_BRIDGE_STATE_INVALID   = -EINVAL,
 } BridgeState;
 
 const char *bridge_state_to_string(BridgeState d) _const_;

src/shared/bus-unit-util.c

@@ -2389,9 +2389,9 @@ int bus_deserialize_and_dump_unit_file_changes(sd_bus_message *m, bool quiet, Un
                 /* We expect only "success" changes to be sent over the bus.
                    Hence, reject anything negative. */
                 UnitFileChangeType ch = unit_file_change_type_from_string(type);
-
                 if (ch < 0) {
-                        log_notice("Manager reported unknown change type \"%s\" for path \"%s\", ignoring.", type, path);
+                        log_notice_errno(ch, "Manager reported unknown change type \"%s\" for path \"%s\", ignoring.",
+                                         type, path);
                         continue;
                 }
 

src/shared/condition.c

@@ -756,6 +756,14 @@ static int condition_test_path_is_read_write(Condition *c, char **env) {
         return path_is_read_only_fs(c->parameter) <= 0;
 }
 
+static int condition_test_cpufeature(Condition *c, char **env) {
+        assert(c);
+        assert(c->parameter);
+        assert(c->type == CONDITION_CPU_FEATURE);
+
+        return has_cpu_with_flag(ascii_strlower(c->parameter));
+}
+
 static int condition_test_path_is_encrypted(Condition *c, char **env) {
         int r;
 
@@ -834,6 +842,7 @@ int condition_test(Condition *c, char **env) {
                 [CONDITION_CPUS]                     = condition_test_cpus,
                 [CONDITION_MEMORY]                   = condition_test_memory,
                 [CONDITION_ENVIRONMENT]              = condition_test_environment,
+                [CONDITION_CPU_FEATURE]              = condition_test_cpufeature,
         };
 
         int r, b;
@@ -956,6 +965,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
         [CONDITION_CPUS] = "ConditionCPUs",
         [CONDITION_MEMORY] = "ConditionMemory",
         [CONDITION_ENVIRONMENT] = "ConditionEnvironment",
+        [CONDITION_CPU_FEATURE] = "ConditionCPUFeature",
 };
 
 DEFINE_STRING_TABLE_LOOKUP(condition_type, ConditionType);
@@ -987,6 +997,7 @@ static const char* const assert_type_table[_CONDITION_TYPE_MAX] = {
         [CONDITION_CPUS] = "AssertCPUs",
         [CONDITION_MEMORY] = "AssertMemory",
         [CONDITION_ENVIRONMENT] = "AssertEnvironment",
+        [CONDITION_CPU_FEATURE] = "AssertCPUFeature",
 };
 
 DEFINE_STRING_TABLE_LOOKUP(assert_type, ConditionType);

src/shared/condition.h

@@ -19,6 +19,7 @@ typedef enum ConditionType {
         CONDITION_MEMORY,
         CONDITION_CPUS,
         CONDITION_ENVIRONMENT,
+        CONDITION_CPU_FEATURE,
 
         CONDITION_NEEDS_UPDATE,
         CONDITION_FIRST_BOOT,

src/shared/exec-util.c

@@ -375,10 +375,9 @@ int exec_command_flags_from_strv(char **ex_opts, ExecCommandFlags *flags) {
 
         STRV_FOREACH(opt, ex_opts) {
                 ex_flag = exec_command_flags_from_string(*opt);
-                if (ex_flag >= 0)
-                        ret_flags |= ex_flag;
-                else
-                        return -EINVAL;
+                if (ex_flag < 0)
+                        return ex_flag;
+                ret_flags |= ex_flag;
         }
 
         *flags = ret_flags;
@@ -394,6 +393,9 @@ int exec_command_flags_to_strv(ExecCommandFlags flags, char ***ex_opts) {
 
         assert(ex_opts);
 
+        if (flags < 0)
+                return flags;
+
         for (i = 0; it != 0; it &= ~(1 << i), i++) {
                 if (FLAGS_SET(flags, (1 << i))) {
                         str = exec_command_flags_to_string(1 << i);

src/shared/exec-util.h

@@ -27,7 +27,7 @@ typedef enum ExecCommandFlags {
         EXEC_COMMAND_NO_SETUID        = 1 << 2,
         EXEC_COMMAND_AMBIENT_MAGIC    = 1 << 3,
         EXEC_COMMAND_NO_ENV_EXPAND    = 1 << 4,
-        _EXEC_COMMAND_FLAGS_INVALID   = -1,
+        _EXEC_COMMAND_FLAGS_INVALID   = -EINVAL,
 } ExecCommandFlags;
 
 int execute_directories(

src/shared/install.h

@@ -31,7 +31,7 @@ enum UnitFileChangeType {
         UNIT_FILE_IS_MASKED,
         UNIT_FILE_IS_DANGLING,
         _UNIT_FILE_CHANGE_TYPE_MAX,
-        _UNIT_FILE_CHANGE_TYPE_INVALID = INT_MIN
+        _UNIT_FILE_CHANGE_TYPE_INVALID = -EINVAL,
 };
 
 enum UnitFileFlags {

src/shared/logs-show.c

@@ -1635,10 +1635,6 @@ int show_journal_by_unit(
         if (r < 0)
                 return log_error_errno(r, "Failed to open journal: %m");
 
-        r = add_match_this_boot(j, NULL);
-        if (r < 0)
-                return r;
-
         if (system_unit)
                 r = add_matches_for_unit(j, unit);
         else
@@ -1646,6 +1642,14 @@ int show_journal_by_unit(
         if (r < 0)
                 return log_error_errno(r, "Failed to add unit matches: %m");
 
+        r = sd_journal_add_conjunction(j);
+        if (r < 0)
+                return log_error_errno(r, "Failed to add conjunction: %m");
+
+        r = add_match_this_boot(j, NULL);
+        if (r < 0)
+                return r;
+
         if (DEBUG_LOGGING) {
                 _cleanup_free_ char *filter;
 

src/shared/resolve-util.h

@@ -15,7 +15,7 @@ enum DnsCacheMode {
         DNS_CACHE_MODE_YES,
         DNS_CACHE_MODE_NO_NEGATIVE,
         _DNS_CACHE_MODE_MAX,
-        _DNS_CACHE_MODE_INVALID = 1
+        _DNS_CACHE_MODE_INVALID = -EINVAL,
 };
 
 typedef enum ResolveSupport ResolveSupport;

src/test/test-condition.c

@@ -439,6 +439,27 @@ static void test_condition_test_kernel_version(void) {
         condition_free(condition);
 }
 
+#if defined(__i386__) || defined(__x86_64__)
+static void test_condition_test_cpufeature(void) {
+        Condition *condition;
+
+        condition = condition_new(CONDITION_CPU_FEATURE, "fpu", false, false);
+        assert_se(condition);
+        assert_se(condition_test(condition, environ) > 0);
+        condition_free(condition);
+
+        condition = condition_new(CONDITION_CPU_FEATURE, "somecpufeaturethatreallydoesntmakesense", false, false);
+        assert_se(condition);
+        assert_se(condition_test(condition, environ) == 0);
+        condition_free(condition);
+
+        condition = condition_new(CONDITION_CPU_FEATURE, "a", false, false);
+        assert_se(condition);
+        assert_se(condition_test(condition, environ) == 0);
+        condition_free(condition);
+}
+#endif
+
 static void test_condition_test_security(void) {
         Condition *condition;
 
@@ -864,6 +885,9 @@ int main(int argc, char *argv[]) {
         test_condition_test_cpus();
         test_condition_test_memory();
         test_condition_test_environment();
+#if defined(__i386__) || defined(__x86_64__)
+        test_condition_test_cpufeature();
+#endif
 
         return 0;
 }