small refactorings of the machine-credential code (#38982)

This is ultimately preparation for #38764, but makes a lot of sense on
its own.

man/org.freedesktop.systemd1.xml

@@ -2691,6 +2691,15 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       or the restart rate limit is reached. See the <literal>RestartMode=</literal> section in
       <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
       for more details.</para>
+
+      <para><varname>OOMKills</varname> contains a different value depending on whether
+      <varname>OOMPolicy=kill</varname> is enabled for the unit or not. If enabled, the property contains the
+      number of times the kernel OOM killer killed all the processes in the unit's cgroup and its
+      descendant cgroups. If disabled, the property contains the number of processes the kernel OOM killer
+      has killed in the unit's cgroup and its descendant cgroups.</para>
+
+      <para><varname>ManagedOOMKills</varname> contains the number of times <command>systemd-oomd</command>
+      killed all the processes in the unit's cgroup and its descendant cgroups.</para>
     </refsect2>
 
     <refsect2>
@@ -2900,6 +2909,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t IOWriteOperations = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t OOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t ManagedOOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b Delegate = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
@@ -4247,6 +4260,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@@ -5139,6 +5156,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t IOWriteOperations = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t OOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t ManagedOOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b Delegate = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
@@ -6486,6 +6507,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@@ -7202,6 +7227,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t IOWriteOperations = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t OOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t ManagedOOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b Delegate = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
@@ -8379,6 +8408,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@@ -9228,6 +9261,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t IOWriteOperations = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t OOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t ManagedOOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b Delegate = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
@@ -10369,6 +10406,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@@ -11071,6 +11112,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t IOWriteOperations = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t OOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t ManagedOOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b Delegate = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
@@ -11436,6 +11481,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@@ -11647,6 +11696,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly t IOWriteOperations = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t OOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
+      readonly t ManagedOOMKills = ...;
+      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly b Delegate = ...;
       @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
       readonly as DelegateControllers = ['...', ...];
@@ -12050,6 +12103,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 
     <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
 
+    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
+
+    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
+
     <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
 
     <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@@ -12459,6 +12516,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
       <varname>LogsDirectoryQuotaUsage</varname>,
       <varname>LogsDirectoryAccounting</varname>, and
       <function>KillSubgroup()</function> were added in version 258.</para>
+      <para><varname>OOMKills</varname>, and
+      <varname>ManagedOOMKills</varname> were added in 259.</para>
     </refsect2>
     <refsect2>
       <title>Socket Unit Objects</title>
@@ -12524,6 +12583,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
       <varname>LogsDirectoryQuotaUsage</varname>,
       <varname>LogsDirectoryAccounting</varname>, and
       <function>KillSubgroup()</function> were added in version 258.</para>
+      <para><varname>OOMKills</varname>, and
+      <varname>ManagedOOMKills</varname> were added in 259.</para>
     </refsect2>
     <refsect2>
       <title>Mount Unit Objects</title>
@@ -12584,6 +12645,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
       <varname>LogsDirectoryQuotaUsage</varname>,
       <varname>LogsDirectoryAccounting</varname>, and
       <function>KillSubgroup()</function> were added in version 258.</para>
+      <para><varname>OOMKills</varname>, and
+      <varname>ManagedOOMKills</varname> were added in 259.</para>
     </refsect2>
     <refsect2>
       <title>Swap Unit Objects</title>
@@ -12642,6 +12705,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
       <varname>LogsDirectoryQuotaUsage</varname>,
       <varname>LogsDirectoryAccounting</varname>, and
       <function>KillSubgroup()</function> were added in version 258.</para>
+      <para><varname>OOMKills</varname>, and
+      <varname>ManagedOOMKills</varname> were added in 259.</para>
     </refsect2>
     <refsect2>
       <title>Slice Unit Objects</title>
@@ -12672,6 +12737,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
       <varname>NCurrentlyActive</varname>,
       <function>RemoveSubgroup()</function>, and
       <function>KillSubgroup()</function> were added in version 258.</para>
+      <para><varname>OOMKills</varname>, and
+      <varname>ManagedOOMKills</varname> were added in 259.</para>
     </refsect2>
     <refsect2>
       <title>Scope Unit Objects</title>
@@ -12700,6 +12767,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
       <para><varname>ManagedOOMMemoryPressureDurationUSec</varname> was added in version 257.</para>
       <para><function>RemoveSubgroup()</function> and
       <function>KillSubgroup()</function> were added in version 258.</para>
+      <para><varname>OOMKills</varname>, and
+      <varname>ManagedOOMKills</varname> were added in 259.</para>
     </refsect2>
     <refsect2>
       <title>Job Objects</title>

man/repart.d.xml

@@ -874,7 +874,7 @@
 
         <listitem><para>Configures the list of PCRs to use for LUKS2 volumes configured with
         the <varname>Encrypt=tpm2</varname> setting in partition files.
-        This option take the same parameters as the similary named options to
+        This option take the same parameters as the similarly named options to
         <citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
         and have the same effect on partitions where TPM2 enrollment is requested.
         This option will be overridden by the global <varname>--tpm2-pcrs=</varname> option.</para>

man/sd_varlink_set_relative_timeout.xml

@@ -45,7 +45,7 @@
     raised as client-generated reply to the method call.</para>
 
     <para>This call is particularly useful for method calls issued via
-    <function>sd_varlink_observe()</function> that shall remain open continously for a long time.</para>
+    <function>sd_varlink_observe()</function> that shall remain open continuously for a long time.</para>
   </refsect1>
 
   <refsect1>

meson.build

@@ -1187,6 +1187,7 @@ conf.set10('HAVE_ACL', libacl.found())
 libaudit = dependency('audit',
                       required : get_option('audit'))
 conf.set10('HAVE_AUDIT', libaudit.found())
+libaudit_cflags = libaudit.partial_dependency(includes: true, compile_args: true)
 
 libblkid = dependency('blkid',
                       required : get_option('blkid'))
@@ -1305,11 +1306,6 @@ endif
 conf.set10('HAVE_LIBIDN', not have and libidn.found())
 conf.set10('HAVE_LIBIDN2', have)
 
-libiptc = dependency('libiptc',
-                     required : get_option('libiptc'))
-conf.set10('HAVE_LIBIPTC', libiptc.found())
-libiptc_cflags = libiptc.partial_dependency(includes: true, compile_args: true)
-
 libqrencode = dependency('libqrencode',
                          version : '>= 3',
                          required : get_option('qrencode'))
@@ -3052,7 +3048,6 @@ foreach tuple : [
         ['libfido2'],
         ['libidn'],
         ['libidn2'],
-        ['libiptc'],
         ['microhttpd'],
         ['openssl'],
         ['p11kit'],

meson_options.txt

@@ -432,7 +432,7 @@ option('libidn2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
        description : 'libidn2 support')
 option('libidn', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'libidn support')
-option('libiptc', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
+option('libiptc', type : 'feature', deprecated : true,
        description : 'libiptc support')
 option('qrencode', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'libqrencode support')

mkosi/mkosi.sanitizers/mkosi.postinst

@@ -90,6 +90,7 @@ wrap=(
     socat
     sshd
     stat
+    stress-ng
     su
     tar
     tgtd

src/analyze/analyze-unit-shell.c

@@ -1,6 +1,5 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 

src/basic/ansi-color.c

@@ -3,7 +3,6 @@
 #include <stdlib.h>
 
 #include "ansi-color.h"
-#include "log.h"
 #include "process-util.h"
 #include "string-table.h"
 #include "string-util.h"

src/basic/build.c

@@ -126,12 +126,6 @@ const char* const systemd_features =
         " -IDN"
 #endif
 
-#if HAVE_LIBIPTC
-        " +IPTC"
-#else
-        " -IPTC"
-#endif
-
 #if HAVE_KMOD
         " +KMOD"
 #else

src/basic/env-file.c

@@ -6,7 +6,6 @@
 #include "alloc-util.h"
 #include "env-file.h"
 #include "env-util.h"
-#include "errno-util.h"
 #include "escape.h"
 #include "fd-util.h"
 #include "fileio.h"

src/basic/fd-util.c

@@ -20,7 +20,6 @@
 #include "parse-util.h"
 #include "path-util.h"
 #include "process-util.h"
-#include "socket-util.h"
 #include "sort-util.h"
 #include "stat-util.h"
 #include "stdio-util.h"

src/basic/filesystems.c

@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "filesystems-gperf.h"
-#include "nulstr-util.h"
 #include "stat-util.h"
 #include "string-util.h"
 

src/basic/format-util.c

@@ -39,7 +39,8 @@ char* format_bytes_full(char *buf, size_t l, uint64_t t, FormatBytesFlag flag) {
                                 (t / table[i + 1].factor * 10 / table[n - 1].factor) % 10 :
                                 (t * 10 / table[i].factor) % 10;
 
-                        if (FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0)
+                        if (FLAGS_SET(flag, FORMAT_BYTES_ALWAYS_POINT) ||
+                            (FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0))
                                 (void) snprintf(buf, l,
                                                 "%" PRIu64 ".%" PRIu64 "%s",
                                                 t / table[i].factor,

src/basic/format-util.h

@@ -64,9 +64,10 @@ assert_cc(sizeof(gid_t) == sizeof(uint32_t));
 #endif
 
 typedef enum {
-        FORMAT_BYTES_USE_IEC     = 1 << 0,
+        FORMAT_BYTES_USE_IEC      = 1 << 0, /* use base 1024 rather than 1000 */
-        FORMAT_BYTES_BELOW_POINT = 1 << 1,
+        FORMAT_BYTES_BELOW_POINT  = 1 << 1, /* show one digit after the point, if non-zero */
-        FORMAT_BYTES_TRAILING_B  = 1 << 2,
+        FORMAT_BYTES_ALWAYS_POINT = 1 << 2, /* show one digit after the point, always */
+        FORMAT_BYTES_TRAILING_B   = 1 << 3, /* suffix the expression with a "B" for "bytes" */
 } FormatBytesFlag;
 
 #define FORMAT_BYTES_MAX 16U
@@ -82,6 +83,7 @@ static inline char* format_bytes(char *buf, size_t l, uint64_t t) {
  * see C11 §6.5.2.5, and
  * https://stackoverflow.com/questions/34880638/compound-literal-lifetime-and-if-blocks */
 #define FORMAT_BYTES(t) format_bytes((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t)
-#define FORMAT_BYTES_FULL(t, flag) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, flag)
+#define FORMAT_BYTES_FULL(t, flags) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, flags)
+#define FORMAT_BYTES_WITH_POINT(t) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, FORMAT_BYTES_USE_IEC|FORMAT_BYTES_ALWAYS_POINT|FORMAT_BYTES_TRAILING_B)
 
 #define FORMAT_BYTES_CGROUP_PROTECTION(t) (t == CGROUP_LIMIT_MAX ? "infinity" : FORMAT_BYTES(t))

src/basic/forward.h

@@ -284,7 +284,6 @@ typedef struct ConfigTableItem ConfigTableItem;
 typedef struct CPUSet CPUSet;
 typedef struct FDSet FDSet;
 typedef struct Fido2HmacSalt Fido2HmacSalt;
-typedef struct FirewallContext FirewallContext;
 typedef struct GroupRecord GroupRecord;
 typedef struct Image Image;
 typedef struct ImagePolicy ImagePolicy;

src/basic/virt.c

@@ -16,8 +16,8 @@
 #include "log.h"
 #include "namespace-util.h"
 #include "parse-util.h"
-#include "pidref.h"
 #include "process-util.h"
+#include "stat-util.h"
 #include "string-table.h"
 #include "string-util.h"
 #include "strv.h"
@@ -816,16 +816,19 @@ int running_in_chroot(void) {
         if (getenv_bool("SYSTEMD_IGNORE_CHROOT") > 0)
                 return 0;
 
-        r = pidref_from_same_root_fs(&PIDREF_MAKE_FROM_PID(1), NULL);
+        r = inode_same("/proc/1/root", "/", /* flags = */ 0);
-        if (r == -ENOSYS) {
+        if (r == -ENOENT) {
-                if (getpid_cached() == 1)
+                r = proc_mounted();
-                        return false; /* We will mount /proc, assuming we're not in a chroot. */
+                if (r == 0) {
+                        if (getpid_cached() == 1)
+                                return false; /* We will mount /proc, assuming we're not in a chroot. */
 
-                log_debug("/proc/ is not mounted, assuming we're in a chroot.");
+                        log_debug("/proc/ is not mounted, assuming we're in a chroot.");
-                return true;
+                        return true;
+                }
+                if (r > 0) /* If we have fake /proc/, we can't do the check properly. */
+                        return -ENOSYS;
         }
-        if (r == -ESRCH) /* We must have a fake /proc/, we can't do the check properly. */
-                return -ENOSYS;
         if (r < 0)
                 return r;
 

src/core/cgroup.c

@@ -28,12 +28,12 @@
 #include "fd-util.h"
 #include "fdset.h"
 #include "fileio.h"
-#include "firewall-util.h"
 #include "in-addr-prefix-util.h"
 #include "inotify-util.h"
 #include "ip-protocol-list.h"
 #include "limits-util.h"
 #include "manager.h"
+#include "netlink-internal.h"
 #include "nulstr-util.h"
 #include "parse-util.h"
 #include "path-util.h"
@@ -1335,12 +1335,10 @@ void unit_modify_nft_set(Unit *u, bool add) {
         if (!crt || crt->cgroup_id == 0)
                 return;
 
-        if (!u->manager->fw_ctx) {
+        if (!u->manager->nfnl) {
-                r = fw_ctx_new_full(&u->manager->fw_ctx, /* init_tables= */ false);
+                r = sd_nfnl_socket_open(&u->manager->nfnl);
                 if (r < 0)
                         return;
-
-                assert(u->manager->fw_ctx);
         }
 
         CGroupContext *c = ASSERT_PTR(unit_get_cgroup_context(u));
@@ -1351,7 +1349,7 @@ void unit_modify_nft_set(Unit *u, bool add) {
 
                 uint64_t element = crt->cgroup_id;
 
-                r = nft_set_element_modify_any(u->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
+                r = nft_set_element_modify_any(u->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
                 if (r < 0)
                         log_warning_errno(r, "Failed to %s NFT set entry: family %s, table %s, set %s, cgroup %" PRIu64 ", ignoring: %m",
                                           add? "add" : "delete", nfproto_to_string(nft_set->nfproto), nft_set->table, nft_set->set, crt->cgroup_id);
@@ -3036,20 +3034,43 @@ int unit_check_oom(Unit *u) {
         if (!crt || !crt->cgroup_path)
                 return 0;
 
-        r = cg_get_keyed_attribute(
+        CGroupContext *ctx = unit_get_cgroup_context(u);
+        if (!ctx)
+                return 0;
+
+        /* If memory.oom.group=1, then look up the oom_group_kill field, which reports how many times the
+         * kernel killed every process recursively in this cgroup and its descendants, similar to
+         * systemd-oomd. Because the memory.events.local file was only introduced in kernel 5.12, we fall
+         * back to reading oom_kill if we can't find the file or field. */
+
+        if (ctx->memory_oom_group) {
+                r = cg_get_keyed_attribute(
+                        "memory",
+                        crt->cgroup_path,
+                        "memory.events.local",
+                        STRV_MAKE("oom_group_kill"),
+                        &oom_kill);
+                if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
+                        return log_unit_debug_errno(u, r, "Failed to read oom_group_kill field of memory.events.local cgroup attribute, ignoring: %m");
+        }
+
+        if (isempty(oom_kill)) {
+                r = cg_get_keyed_attribute(
                         "memory",
                         crt->cgroup_path,
                         "memory.events",
                         STRV_MAKE("oom_kill"),
                         &oom_kill);
-        if (IN_SET(r, -ENOENT, -ENXIO)) /* Handle gracefully if cgroup or oom_kill attribute don't exist */
+                if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
+                        return log_unit_debug_errno(u, r, "Failed to read oom_kill field of memory.events cgroup attribute: %m");
+        }
+
+        if (!oom_kill)
                 c = 0;
-        else if (r < 0)
-                return log_unit_debug_errno(u, r, "Failed to read oom_kill field of memory.events cgroup attribute: %m");
         else {
                 r = safe_atou64(oom_kill, &c);
                 if (r < 0)
-                        return log_unit_debug_errno(u, r, "Failed to parse oom_kill field: %m");
+                        return log_unit_debug_errno(u, r, "Failed to parse memory.events cgroup oom field: %m");
         }
 
         increased = c > crt->oom_kill_last;
@@ -3061,7 +3082,7 @@ int unit_check_oom(Unit *u) {
         log_unit_struct(u, LOG_NOTICE,
                         LOG_MESSAGE_ID(SD_MESSAGE_UNIT_OUT_OF_MEMORY_STR),
                         LOG_UNIT_INVOCATION_ID(u),
-                        LOG_UNIT_MESSAGE(u, "A process of this unit has been killed by the OOM killer."));
+                        LOG_UNIT_MESSAGE(u, "The kernel OOM killer killed some processes in this unit."));
 
         unit_notify_cgroup_oom(u, /* managed_oom= */ false);
 

src/core/dbus-cgroup.c

@@ -9,7 +9,6 @@
 #include "cgroup-util.h"
 #include "dbus-cgroup.h"
 #include "escape.h"
-#include "firewall-util.h"
 #include "in-addr-prefix-util.h"
 #include "limits-util.h"
 #include "manager.h"

src/core/dbus-unit.c

@@ -1295,6 +1295,42 @@ static int property_get_cgroup_id(
         return sd_bus_message_append(reply, "t", crt ? crt->cgroup_id : UINT64_C(0));
 }
 
+static int property_get_oom_kills(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        Unit *u = ASSERT_PTR(userdata);
+
+        assert(bus);
+        assert(reply);
+
+        CGroupRuntime *crt = unit_get_cgroup_runtime(u);
+        return sd_bus_message_append(reply, "t", crt ? crt->oom_kill_last : UINT64_MAX);
+}
+
+static int property_get_managed_oom_kills(
+                sd_bus *bus,
+                const char *path,
+                const char *interface,
+                const char *property,
+                sd_bus_message *reply,
+                void *userdata,
+                sd_bus_error *error) {
+
+        Unit *u = ASSERT_PTR(userdata);
+
+        assert(bus);
+        assert(reply);
+
+        CGroupRuntime *crt = unit_get_cgroup_runtime(u);
+        return sd_bus_message_append(reply, "t", crt ? crt->managed_oom_kill_last : UINT64_MAX);
+}
+
 static int append_process(sd_bus_message *reply, const char *p, PidRef *pid, Set *pids) {
         _cleanup_free_ char *buf = NULL, *cmdline = NULL;
         int r;
@@ -1715,6 +1751,8 @@ const sd_bus_vtable bus_unit_cgroup_vtable[] = {
         SD_BUS_PROPERTY("IOReadOperations", "t", property_get_io_counter, 0, 0),
         SD_BUS_PROPERTY("IOWriteBytes", "t", property_get_io_counter, 0, 0),
         SD_BUS_PROPERTY("IOWriteOperations", "t", property_get_io_counter, 0, 0),
+        SD_BUS_PROPERTY("OOMKills", "t", property_get_oom_kills, 0, 0),
+        SD_BUS_PROPERTY("ManagedOOMKills", "t", property_get_managed_oom_kills, 0, 0),
 
         SD_BUS_METHOD_WITH_ARGS("GetProcesses",
                                 SD_BUS_NO_ARGS,

src/core/exec-invoke.c

@@ -62,7 +62,6 @@
 #include "open-file.h"
 #include "osc-context.h"
 #include "path-util.h"
-#include "percent-util.h"
 #include "pidref.h"
 #include "proc-cmdline.h"
 #include "process-util.h"

src/core/kmod-setup.c

@@ -115,10 +115,6 @@ int kmod_setup(void) {
                 /* This should never be a module */
                 { "unix",                       "/proc/net/unix",            true,  true,  NULL               },
 
-#if HAVE_LIBIPTC
-                /* netfilter is needed by networkd, nspawn among others, and cannot be autoloaded */
-                { "ip_tables",                  "/proc/net/ip_tables_names", false, false, NULL               },
-#endif
                 /* virtio_rng would be loaded by udev later, but real entropy might be needed very early */
                 { "virtio_rng",                 NULL,                        false, false, has_virtio_rng     },
 

src/core/load-fragment.c

@@ -32,7 +32,6 @@
 #include "execute.h"
 #include "extract-word.h"
 #include "fd-util.h"
-#include "firewall-util.h"
 #include "fstab-util.h"
 #include "hashmap.h"
 #include "hexdecoct.h"

src/core/manager.c

@@ -12,6 +12,7 @@
 #include "sd-bus.h"
 #include "sd-daemon.h"
 #include "sd-messages.h"
+#include "sd-netlink.h"
 #include "sd-path.h"
 
 #include "all-units.h"
@@ -1753,7 +1754,7 @@ Manager* manager_free(Manager *m) {
         free(m->watchdog_pretimeout_governor);
         free(m->watchdog_pretimeout_governor_overridden);
 
-        fw_ctx_free(m->fw_ctx);
+        sd_netlink_unref(m->nfnl);
 
 #if BPF_FRAMEWORK
         bpf_restrict_fs_destroy(m->restrict_fs);
@@ -3416,7 +3417,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
         }
 
         msg = strjoina("unit=", p);
-        if (audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
+        if (sym_audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
                 if (ERRNO_IS_PRIVILEGE(errno)) {
                         /* We aren't allowed to send audit messages?  Then let's not retry again. */
                         log_debug_errno(errno, "Failed to send audit message, closing audit socket: %m");

src/core/manager.h

@@ -474,7 +474,7 @@ typedef struct Manager {
         sd_event_source *memory_pressure_event_source;
 
         /* For NFTSet= */
-        FirewallContext *fw_ctx;
+        sd_netlink *nfnl;
 
         /* Pin the systemd-executor binary, so that it never changes until re-exec, ensuring we don't have
          * serialization/deserialization compatibility issues during upgrades. */

src/core/meson.build

@@ -132,7 +132,7 @@ libcore_static = static_library(
         implicit_include_directories : false,
         c_args : ['-fvisibility=default'],
         dependencies : [libacl,
-                        libaudit,
+                        libaudit_cflags,
                         libblkid,
                         libdl,
                         libm,

src/core/namespace.c

@@ -38,7 +38,6 @@
 #include "nsflags.h"
 #include "nulstr-util.h"
 #include "os-util.h"
-#include "parse-util.h"
 #include "path-util.h"
 #include "pidref.h"
 #include "process-util.h"

src/core/selinux-access.c

@@ -121,9 +121,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 
                 if (r >= 0) {
                         if (type == SELINUX_AVC)
-                                audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
+                                sym_audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
                         else if (type == SELINUX_ERROR)
-                                audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
+                                sym_audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
 
                         return 0;
                 }

src/core/unit.c

@@ -35,7 +35,6 @@
 #include "id128-util.h"
 #include "install.h"
 #include "iovec-util.h"
-#include "label-util.h"
 #include "load-dropin.h"
 #include "load-fragment.h"
 #include "log.h"
@@ -44,6 +43,7 @@
 #include "manager.h"
 #include "mount-util.h"
 #include "mountpoint-util.h"
+#include "netlink-internal.h"
 #include "path-util.h"
 #include "process-util.h"
 #include "quota-util.h"
@@ -5290,19 +5290,17 @@ static void unit_modify_user_nft_set(Unit *u, bool add, NFTSetSource source, uin
         if (!c)
                 return;
 
-        if (!u->manager->fw_ctx) {
+        if (!u->manager->nfnl) {
-                r = fw_ctx_new_full(&u->manager->fw_ctx, /* init_tables= */ false);
+                r = sd_nfnl_socket_open(&u->manager->nfnl);
                 if (r < 0)
                         return;
-
-                assert(u->manager->fw_ctx);
         }
 
         FOREACH_ARRAY(nft_set, c->nft_set_context.sets, c->nft_set_context.n_sets) {
                 if (nft_set->source != source)
                         continue;
 
-                r = nft_set_element_modify_any(u->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
+                r = nft_set_element_modify_any(u->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
                 if (r < 0)
                         log_warning_errno(r, "Failed to %s NFT set entry: family %s, table %s, set %s, ID %u, ignoring: %m",
                                           add? "add" : "delete", nfproto_to_string(nft_set->nfproto), nft_set->table, nft_set->set, element);

src/core/varlink-cgroup.c

@@ -615,5 +615,9 @@ int unit_cgroup_runtime_build_json(sd_json_variant **ret, const char *name, void
                         JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOReadBytes", get_io_counter_build_json, u),
                         JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOReadOperations", get_io_counter_build_json, u),
                         JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteBytes", get_io_counter_build_json, u),
-                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteOperations", get_io_counter_build_json, u));
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteOperations", get_io_counter_build_json, u),
+
+                        /* OOM */
+                        SD_JSON_BUILD_PAIR_UNSIGNED("OOMKills", crt->oom_kill_last),
+                        SD_JSON_BUILD_PAIR_UNSIGNED("ManagedOOMKills", crt->managed_oom_kill_last));
 }

src/core/varlink-dynamic-user.c

@@ -3,7 +3,6 @@
 #include "sd-varlink.h"
 
 #include "dynamic-user.h"
-#include "errno-util.h"
 #include "hashmap.h"
 #include "json-util.h"
 #include "manager.h"

src/core/varlink-unit.c

@@ -13,9 +13,7 @@
 #include "set.h"
 #include "strv.h"
 #include "unit.h"
-#include "unit-name.h"
 #include "varlink-cgroup.h"
-#include "varlink-common.h"
 #include "varlink-unit.h"
 #include "varlink-util.h"
 

src/core/varlink.c

@@ -4,7 +4,6 @@
 
 #include "constants.h"
 #include "errno-util.h"
-#include "json-util.h"
 #include "manager.h"
 #include "path-util.h"
 #include "pidref.h"

src/fsck/fsck.c

@@ -22,7 +22,6 @@
 #include "fs-util.h"
 #include "fsck-util.h"
 #include "main-func.h"
-#include "parse-util.h"
 #include "path-util.h"
 #include "proc-cmdline.h"
 #include "process-util.h"

src/fuzz/fuzz-varlink.c

@@ -9,7 +9,6 @@
 #include "fuzz.h"
 #include "hexdecoct.h"
 #include "iovec-util.h"
-#include "log.h"
 
 static FILE *null = NULL;
 

src/import/pull-common.c

@@ -6,7 +6,6 @@
 #include "dirent-util.h"
 #include "escape.h"
 #include "fd-util.h"
-#include "hexdecoct.h"
 #include "io-util.h"
 #include "log.h"
 #include "memory-util.h"

src/import/pull-job.c

@@ -759,7 +759,7 @@ int pull_job_begin(PullJob *j) {
         if (curl_easy_setopt(j->curl, CURLOPT_XFERINFODATA, j) != CURLE_OK)
                 return -EIO;
 
-        if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0) != CURLE_OK)
+        if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0L) != CURLE_OK)
                 return -EIO;
 
         r = curl_glue_add(j->glue, j->curl);

src/include/override/fcntl.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <fcntl.h>
+#include_next <fcntl.h>         /* IWYU pragma: export */
 
 /* This is defined since glibc-2.41. */
 #ifndef F_DUPFD_QUERY

src/include/override/malloc.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <malloc.h>
+#include_next <malloc.h>        /* IWYU pragma: export */
 
 #if !HAVE_MALLINFO2
 struct mallinfo2 {

src/include/override/sched.h

@@ -6,7 +6,7 @@
  * Note, this must be included before sched.h, otherwise the headers conflict with each other. */
 #include <linux/sched/types.h>
 
-#include_next <sched.h>
+#include_next <sched.h>         /* IWYU pragma: export */
 
 #include <assert.h>
 

src/include/override/signal.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <signal.h>
+#include_next <signal.h>        /* IWYU pragma: export */
 
 #if !HAVE_RT_TGSIGQUEUEINFO
 int missing_rt_tgsigqueueinfo(pid_t tgid, pid_t tid, int sig, siginfo_t *info);

src/include/override/sys/mman.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <sys/mman.h>
+#include_next <sys/mman.h>      /* IWYU pragma: export */
 
 #include <assert.h>
 

src/include/override/sys/pidfd.h

@@ -3,7 +3,7 @@
 
 /* since glibc-2.36 */
 #if HAVE_PIDFD_OPEN
-#include_next <sys/pidfd.h>
+#include_next <sys/pidfd.h>     /* IWYU pragma: export */
 #endif
 
 #include <linux/types.h>

src/include/override/sys/quota.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <sys/quota.h>
+#include_next <sys/quota.h>     /* IWYU pragma: export */
 
 /* Supported since kernel v5.14 (64c2c2c62f92339b176ea24403d8db16db36f9e6). */
 #if !HAVE_QUOTACTL_FD

src/include/override/sys/random.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <sys/random.h>
+#include_next <sys/random.h>    /* IWYU pragma: export */
 
 #include <assert.h>
 

src/include/override/sys/socket.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <sys/socket.h>
+#include_next <sys/socket.h>    /* IWYU pragma: export */
 
 /* Supported since kernel v6.5 (5e2ff6704a275be009be8979af17c52361b79b89) */
 #ifndef SO_PASSPIDFD

src/include/override/sys/stat.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <sys/stat.h>
+#include_next <sys/stat.h>      /* IWYU pragma: export */
 
 /* Supported since kernel v6.6 (78252deb023cf0879256fcfbafe37022c390762b). */
 #if !HAVE_FCHMODAT2

src/include/override/sys/syscall.h

@@ -9,7 +9,7 @@
  */
 #pragma once
 
-#include_next <sys/syscall.h>
+#include_next <sys/syscall.h>   /* IWYU pragma: export */
 
 #ifdef ARCH_MIPS
 #include <asm/sgidefs.h>

src/include/override/sys/wait.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <sys/wait.h>
+#include_next <sys/wait.h>      /* IWYU pragma: export */
 
 #include <assert.h>
 

src/include/override/sys/xattr.h

@@ -3,9 +3,9 @@
 
 /* To make struct xattr_args defined, which is used by setxattrat(). Note, the kernel header must be
  * included before the glibc header, otherwise the struct will not be defined. */
-#include <linux/xattr.h>
+#include <linux/xattr.h>        /* IWYU pragma: export */
 
-#include_next <sys/xattr.h>
+#include_next <sys/xattr.h>     /* IWYU pragma: export */
 
 /* Supported since kernel v6.13 (6140be90ec70c39fa844741ca3cc807dd0866394). */
 #if !HAVE_SETXATTRAT

src/include/override/unistd.h

@@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include_next <unistd.h>
+#include_next <unistd.h>        /* IWYU pragma: export */
 
 /* Defined since glibc-2.34.
  * Supported since kernel v5.9 (9b4feb630e8e9801603f3cab3a36369e3c1cf88d). */

src/journal-remote/journal-upload.c

@@ -308,7 +308,7 @@ int start_upload(Uploader *u,
                 }
 
                 if (STRPTR_IN_SET(arg_trust, "-", "all"))
-                        easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
+                        easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L,
                                     LOG_ERR, return -EUCLEAN);
                 else if (arg_trust || startswith(u->url, "https://"))
                         easy_setopt(curl, CURLOPT_CAINFO, arg_trust ?: TRUST_FILE,

src/journal/journald-manager.c

@@ -18,8 +18,6 @@
 #include "alloc-util.h"
 #include "audit-util.h"
 #include "cgroup-util.h"
-#include "conf-parser.h"
-#include "creds-util.h"
 #include "daemon-util.h"
 #include "dirent-util.h"
 #include "errno-util.h"
@@ -53,14 +51,12 @@
 #include "log-ratelimit.h"
 #include "memory-util.h"
 #include "mkdir.h"
-#include "parse-util.h"
 #include "path-util.h"
 #include "prioq.h"
 #include "process-util.h"
 #include "rm-rf.h"
 #include "set.h"
 #include "signal-util.h"
-#include "socket-netlink.h"
 #include "socket-util.h"
 #include "stdio-util.h"
 #include "string-util.h"

src/journal/journald-manager.h

@@ -7,7 +7,6 @@
 #include "journald-forward.h"
 #include "list.h"
 #include "ratelimit.h"
-#include "socket-util.h"
 
 typedef struct JournalStorageSpace {
         usec_t   timestamp;

src/journal/test-journald-tables.c

@@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
-#include "journald-manager.h"
+#include "journald-config.h"
 #include "test-tables.h"
 #include "tests.h"
 

src/libsystemd-network/sd-dhcp-client-id.c

@@ -4,7 +4,6 @@
 #include "dhcp-client-id-internal.h"
 #include "iovec-util.h"
 #include "json-util.h"
-#include "log.h"
 #include "siphash24.h"
 #include "string-util.h"
 #include "unaligned.h"

src/libsystemd-network/test-lldp-rx.c

@@ -6,10 +6,10 @@
 #include <unistd.h>
 
 #include "sd-event.h"
+#include "sd-json.h"
 #include "sd-lldp-rx.h"
 
 #include "fd-util.h"
-#include "json-util.h"
 #include "lldp-neighbor.h"
 #include "lldp-network.h"
 #include "tests.h"

src/libsystemd/sd-journal/journal-file.c

@@ -34,7 +34,6 @@
 #include "path-util.h"
 #include "prioq.h"
 #include "random-util.h"
-#include "ratelimit.h"
 #include "sort-util.h"
 #include "stat-util.h"
 #include "string-table.h"

src/libsystemd/sd-journal/journal-send.c

@@ -16,7 +16,6 @@
 #include "io-util.h"
 #include "iovec-util.h"
 #include "journal-send.h"
-#include "log.h"
 #include "memfd-util.h"
 #include "process-util.h"
 #include "socket-util.h"

src/libsystemd/sd-journal/journal-vacuum.c

@@ -16,7 +16,6 @@
 #include "journal-vacuum.h"
 #include "log.h"
 #include "log-ratelimit.h"
-#include "ratelimit.h"
 #include "sort-util.h"
 #include "string-util.h"
 #include "time-util.h"

src/libsystemd/sd-netlink/netlink-message-nfnl.c

@@ -9,7 +9,6 @@
 #include "alloc-util.h"
 #include "errno-util.h"
 #include "iovec-util.h"
-#include "log.h"
 #include "netlink-internal.h"
 #include "netlink-util.h"
 

src/libsystemd/sd-netlink/sd-netlink.c

@@ -466,7 +466,8 @@ static int timeout_compare(const void *a, const void *b) {
 }
 
 size_t netlink_get_reply_callback_count(sd_netlink *nl) {
-        assert(nl);
+        if (!nl)
+                return 0;
 
         return hashmap_size(nl->reply_callbacks);
 }

src/libsystemd/sd-resolve/sd-resolve.c

@@ -19,7 +19,6 @@
 #include "io-util.h"
 #include "iovec-util.h"
 #include "list.h"
-#include "log.h"
 #include "memory-util.h"
 #include "process-util.h"
 #include "resolve-private.h"

src/machine/machine.c

@@ -15,7 +15,6 @@
 #include "bus-unit-util.h"
 #include "env-file.h"
 #include "errno-util.h"
-#include "escape.h"
 #include "extract-word.h"
 #include "fd-util.h"
 #include "fileio.h"

src/network/networkd-address.c

@@ -669,6 +669,10 @@ static int address_set_masquerade(Address *address, bool add) {
 
         assert(address);
         assert(address->link);
+        assert(address->link->manager);
+
+        if (!address->link->manager->nfnl)
+                return 0;
 
         if (!address->link->network)
                 return 0;
@@ -687,7 +691,7 @@ static int address_set_masquerade(Address *address, bool add) {
         if (r < 0)
                 return r;
 
-        r = fw_add_masquerade(&address->link->manager->fw_ctx, add, address->family, &masked, address->prefixlen);
+        r = fw_nftables_add_masquerade(address->link->manager->nfnl, add, address->family, &masked, address->prefixlen);
         if (r < 0)
                 return r;
 
@@ -702,14 +706,9 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
         assert(address);
         assert(address->link);
         assert(address->link->manager);
+        assert(address->link->manager->nfnl);
         assert(nft_set_context);
 
-        if (!address->link->manager->fw_ctx) {
-                r = fw_ctx_new_full(&address->link->manager->fw_ctx, /* init_tables= */ false);
-                if (r < 0)
-                        return;
-        }
-
         FOREACH_ARRAY(nft_set, nft_set_context->sets, nft_set_context->n_sets) {
                 uint32_t ifindex;
 
@@ -717,16 +716,16 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
 
                 switch (nft_set->source) {
                 case NFT_SET_SOURCE_ADDRESS:
-                        r = nft_set_element_modify_ip(address->link->manager->fw_ctx, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
+                        r = nft_set_element_modify_ip(address->link->manager->nfnl, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
                                                       &address->in_addr);
                         break;
                 case NFT_SET_SOURCE_PREFIX:
-                        r = nft_set_element_modify_iprange(address->link->manager->fw_ctx, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
+                        r = nft_set_element_modify_iprange(address->link->manager->nfnl, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
                                                            &address->in_addr, address->prefixlen);
                         break;
                 case NFT_SET_SOURCE_IFINDEX:
                         ifindex = address->link->ifindex;
-                        r = nft_set_element_modify_any(address->link->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set,
+                        r = nft_set_element_modify_any(address->link->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set,
                                                        &ifindex, sizeof(ifindex));
                         break;
                 default:
@@ -749,6 +748,10 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
 static void address_modify_nft_set(Address *address, bool add) {
         assert(address);
         assert(address->link);
+        assert(address->link->manager);
+
+        if (!address->link->manager->nfnl)
+                return;
 
         if (!IN_SET(address->family, AF_INET, AF_INET6))
                 return;

src/network/networkd-ipv6ll.c

@@ -15,7 +15,6 @@
 #include "siphash24.h"
 #include "socket-util.h"
 #include "string-table.h"
-#include "string-util.h"
 #include "strv.h"
 #include "sysctl-util.h"
 

src/network/networkd-manager.c

@@ -23,9 +23,9 @@
 #include "env-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
-#include "firewall-util.h"
 #include "initrd-util.h"
 #include "mount-util.h"
+#include "netlink-internal.h"
 #include "netlink-util.h"
 #include "networkd-address.h"
 #include "networkd-address-label.h"
@@ -285,6 +285,28 @@ static int manager_connect_genl(Manager *m) {
         return 0;
 }
 
+static int manager_connect_nfnl(Manager *m) {
+        int r;
+
+        assert(m);
+
+        r = sd_nfnl_socket_open(&m->nfnl);
+        if (r < 0) {
+                log_warning_errno(r, "Failed to open nftables netlink socket. IPMasquerade= and NFTSet= settings will not be applied. Ignoring: %m");
+                return 0;
+        }
+
+        r = sd_netlink_increase_rxbuf(m->nfnl, RCVBUF_SIZE);
+        if (r < 0)
+                log_warning_errno(r, "Failed to increase receive buffer size for nftables netlink socket, ignoring: %m");
+
+        r = sd_netlink_attach_event(m->nfnl, m->event, 0);
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
 static int manager_setup_rtnl_filter(Manager *manager) {
         struct sock_filter filter[] = {
                 /* Check the packet length. */
@@ -435,7 +457,7 @@ static int manager_post_handler(sd_event_source *s, void *userdata) {
 
                 if (netlink_get_reply_callback_count(manager->rtnl) > 0 ||
                     netlink_get_reply_callback_count(manager->genl) > 0 ||
-                    fw_ctx_get_reply_callback_count(manager->fw_ctx) > 0)
+                    netlink_get_reply_callback_count(manager->nfnl) > 0)
                         return 0; /* There are some message calls waiting for their replies. */
 
                 (void) manager_serialize(manager);
@@ -557,6 +579,10 @@ int manager_setup(Manager *m) {
         if (r < 0)
                 return r;
 
+        r = manager_connect_nfnl(m);
+        if (r < 0)
+                return r;
+
         if (m->test_mode)
                 return 0;
 
@@ -696,6 +722,7 @@ Manager* manager_free(Manager *m) {
 
         sd_netlink_unref(m->rtnl);
         sd_netlink_unref(m->genl);
+        sd_netlink_unref(m->nfnl);
         sd_resolve_unref(m->resolve);
 
         m->routes = set_free(m->routes);
@@ -720,8 +747,6 @@ Manager* manager_free(Manager *m) {
         safe_close(m->ethtool_fd);
         safe_close(m->persistent_storage_fd);
 
-        m->fw_ctx = fw_ctx_free(m->fw_ctx);
-
         m->serialization_fd = safe_close(m->serialization_fd);
 
         return mfree(m);

src/network/networkd-manager.h

@@ -17,6 +17,7 @@ typedef struct Manager {
         sd_netlink *rtnl;
         /* lazy initialized */
         sd_netlink *genl;
+        sd_netlink *nfnl;
         sd_event *event;
         sd_resolve *resolve;
         sd_bus *bus;
@@ -103,8 +104,6 @@ typedef struct Manager {
         usec_t speed_meter_usec_new;
         usec_t speed_meter_usec_old;
 
-        FirewallContext *fw_ctx;
-
         bool request_queued;
         OrderedSet *request_queue;
         OrderedSet *remove_request_queue;

src/network/networkd-queue.c

@@ -293,7 +293,7 @@ int manager_process_requests(Manager *manager) {
                  * queued, then this event may make reply callback queue in sd-netlink full. */
                 if (netlink_get_reply_callback_count(manager->rtnl) >= REPLY_CALLBACK_COUNT_THRESHOLD ||
                     netlink_get_reply_callback_count(manager->genl) >= REPLY_CALLBACK_COUNT_THRESHOLD ||
-                    fw_ctx_get_reply_callback_count(manager->fw_ctx) >= REPLY_CALLBACK_COUNT_THRESHOLD)
+                    netlink_get_reply_callback_count(manager->nfnl) >= REPLY_CALLBACK_COUNT_THRESHOLD)
                         break;
 
                 /* Avoid the request and link freed by req->process() and request_detach(). */

src/nspawn/nspawn-expose-ports.c

@@ -76,12 +76,13 @@ void expose_port_free_all(ExposePort *p) {
         LIST_CLEAR(ports, p, free);
 }
 
-int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) {
+int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_union *exposed) {
         int r;
 
+        assert(IN_SET(af, AF_INET, AF_INET6));
         assert(exposed);
 
-        if (!l)
+        if (!nfnl || !l)
                 return 0;
 
         if (!in_addr_is_set(af, exposed))
@@ -90,14 +91,15 @@ int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_
         log_debug("Lost IP address.");
 
         LIST_FOREACH(ports, p, l) {
-                r = fw_add_local_dnat(fw_ctx,
+                r = fw_nftables_add_local_dnat(
-                                      false,
+                                nfnl,
-                                      af,
+                                /* add = */ false,
-                                      p->protocol,
+                                af,
-                                      p->host_port,
+                                p->protocol,
-                                      exposed,
+                                p->host_port,
-                                      p->container_port,
+                                exposed,
-                                      NULL);
+                                p->container_port,
+                                /* previous_remote = */ NULL);
                 if (r < 0)
                         log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
         }
@@ -106,12 +108,15 @@ int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_
         return 0;
 }
 
-int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) {
+int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int af, union in_addr_union *exposed) {
         _cleanup_free_ struct local_address *addresses = NULL;
         union in_addr_union new_exposed;
         bool add;
         int r;
 
+        assert(rtnl);
+        assert(nfnl);
+        assert(IN_SET(af, AF_INET, AF_INET6));
         assert(exposed);
 
         /* Invoked each time an address is added or removed inside the
@@ -129,7 +134,7 @@ int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *
                 addresses[0].scope < RT_SCOPE_LINK;
 
         if (!add)
-                return expose_port_flush(fw_ctx, l, af, exposed);
+                return expose_port_flush(nfnl, l, af, exposed);
 
         new_exposed = addresses[0].address;
         if (in_addr_equal(af, exposed, &new_exposed))
@@ -138,14 +143,15 @@ int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *
         log_debug("New container IP is %s.", IN_ADDR_TO_STRING(af, &new_exposed));
 
         LIST_FOREACH(ports, p, l) {
-                r = fw_add_local_dnat(fw_ctx,
+                r = fw_nftables_add_local_dnat(
-                                      true,
+                                nfnl,
-                                      af,
+                                /* add = */ true,
-                                      p->protocol,
+                                af,
-                                      p->host_port,
+                                p->protocol,
-                                      &new_exposed,
+                                p->host_port,
-                                      p->container_port,
+                                &new_exposed,
-                                      in_addr_is_set(af, exposed) ? exposed : NULL);
+                                p->container_port,
+                                in_addr_is_set(af, exposed) ? exposed : NULL);
                 if (r < 0)
                         log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
         }

src/nspawn/nspawn-expose-ports.h

@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
-#include "firewall-util.h"
 #include "forward.h"
 #include "list.h"
 
@@ -18,5 +17,5 @@ int expose_port_parse(ExposePort **l, const char *s);
 int expose_port_watch_rtnl(sd_event *event, int recv_fd, sd_netlink_message_handler_t handler, void *userdata, sd_netlink **ret);
 int expose_port_send_rtnl(int send_fd);
 
-int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed);
+int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int af, union in_addr_union *exposed);
-int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed);
+int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_union *exposed);

src/nspawn/nspawn-settings.c

@@ -13,7 +13,6 @@
 #include "nspawn-network.h"
 #include "nspawn-settings.h"
 #include "parse-util.h"
-#include "path-util.h"
 #include "process-util.h"
 #include "rlimit-util.h"
 #include "socket-util.h"

src/nspawn/nspawn.c

@@ -71,6 +71,7 @@
 #include "mount-util.h"
 #include "mountpoint-util.h"
 #include "namespace-util.h"
+#include "netlink-internal.h"
 #include "notify-recv.h"
 #include "nspawn-bind-user.h"
 #include "nspawn-cgroup.h"
@@ -2539,7 +2540,7 @@ static int setup_kmsg(int fd_inner_socket) {
 struct ExposeArgs {
         union in_addr_union address4;
         union in_addr_union address6;
-        struct FirewallContext *fw_ctx;
+        sd_netlink *nfnl;
 };
 
 static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
@@ -2548,8 +2549,8 @@ static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *user
         assert(rtnl);
         assert(m);
 
-        (void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET, &args->address4);
+        (void) expose_port_execute(rtnl, args->nfnl, arg_expose_ports, AF_INET, &args->address4);
-        (void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET6, &args->address6);
+        (void) expose_port_execute(rtnl, args->nfnl, arg_expose_ports, AF_INET6, &args->address6);
         return 0;
 }
 
@@ -5607,8 +5608,8 @@ static int run_container(
                 if (r < 0)
                         return r;
 
-                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
+                (void) expose_port_execute(rtnl, expose_args->nfnl, arg_expose_ports, AF_INET, &expose_args->address4);
-                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
+                (void) expose_port_execute(rtnl, expose_args->nfnl, arg_expose_ports, AF_INET6, &expose_args->address6);
         }
 
         _cleanup_(osc_context_closep) sd_id128_t osc_context_id = SD_ID128_NULL;
@@ -5730,8 +5731,8 @@ static int run_container(
                 return 0; /* finito */
         }
 
-        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
+        expose_port_flush(expose_args->nfnl, arg_expose_ports, AF_INET, &expose_args->address4);
-        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
+        expose_port_flush(expose_args->nfnl, arg_expose_ports, AF_INET6, &expose_args->address6);
 
         (void) remove_veth_links(veth_name, arg_network_veth_extra);
         *veth_created = false;
@@ -5900,7 +5901,7 @@ static int run(int argc, char *argv[]) {
         _cleanup_(rmdir_and_freep) char *rootdir = NULL;
         _cleanup_(loop_device_unrefp) LoopDevice *loop = NULL;
         _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
-        _cleanup_(fw_ctx_freep) FirewallContext *fw_ctx = NULL;
+        _cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
         _cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
 
         log_setup();
@@ -6385,12 +6386,12 @@ static int run(int argc, char *argv[]) {
         }
 
         if (arg_expose_ports) {
-                r = fw_ctx_new(&fw_ctx);
+                r = sd_nfnl_socket_open(&nfnl);
                 if (r < 0) {
-                        log_error_errno(r, "Cannot expose configured ports, firewall initialization failed: %m");
+                        log_error_errno(r, "Cannot expose configured ports, failed to initialize nftables: %m");
                         goto finish;
                 }
-                expose_args.fw_ctx = fw_ctx;
+                expose_args.nfnl = nfnl;
         }
 
         for (;;) {
@@ -6454,8 +6455,8 @@ finish:
 
         cleanup_propagation_and_export_directories();
 
-        expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET,  &expose_args.address4);
+        expose_port_flush(nfnl, arg_expose_ports, AF_INET,  &expose_args.address4);
-        expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET6, &expose_args.address6);
+        expose_port_flush(nfnl, arg_expose_ports, AF_INET6, &expose_args.address6);
 
         if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
                 if (veth_created)

src/repart/repart.c

@@ -789,7 +789,11 @@ static Partition* partition_unlink_and_free(Context *context, Partition *p) {
 
 DEFINE_TRIVIAL_CLEANUP_FUNC(Partition*, partition_free);
 
-static Context* context_new(sd_id128_t seed, X509 *certificate, EVP_PKEY *private_key) {
+static Context* context_new(
+                sd_id128_t seed,
+                X509 *certificate,
+                EVP_PKEY *private_key) {
+
         Context *context;
 
         /* Note: This function takes ownership of the certificate and private_key arguments. */
@@ -3445,7 +3449,7 @@ static int context_load_partition_table(Context *context) {
                         /* Use the fallback values if we have no better idea */
                         context->sector_size = fdisk_get_sector_size(c);
                         context->default_fs_sector_size = fs_secsz;
-                        context->grain_size = 4096;
+                        context->grain_size = MAX(context->sector_size, 4096U);
                         return /* from_scratch = */ true;
                 }
 
@@ -5489,9 +5493,9 @@ static int progress_bytes(uint64_t n_bytes, uint64_t bps, void *userdata) {
                                 strna(p->copy_blocks_path),
                                 glyph(GLYPH_ARROW_RIGHT),
                                 strna(p->definition_path),
-                                FORMAT_BYTES(p->copy_blocks_done),
+                                FORMAT_BYTES_WITH_POINT(p->copy_blocks_done),
-                                FORMAT_BYTES(p->copy_blocks_size),
+                                FORMAT_BYTES_WITH_POINT(p->copy_blocks_size),
-                                FORMAT_BYTES(bps));
+                                FORMAT_BYTES_WITH_POINT(bps));
         else
                 (void) draw_progress_barf(
                                 percent,
@@ -5499,8 +5503,8 @@ static int progress_bytes(uint64_t n_bytes, uint64_t bps, void *userdata) {
                                 strna(p->copy_blocks_path),
                                 glyph(GLYPH_ARROW_RIGHT),
                                 strna(p->definition_path),
-                                FORMAT_BYTES(p->copy_blocks_done),
+                                FORMAT_BYTES_WITH_POINT(p->copy_blocks_done),
-                                FORMAT_BYTES(p->copy_blocks_size));
+                                FORMAT_BYTES_WITH_POINT(p->copy_blocks_size));
 
         p->last_percent = percent;
 
@@ -8666,7 +8670,13 @@ static int help(void) {
         return 0;
 }
 
-static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY **ret_private_key, OpenSSLAskPasswordUI **ret_ui) {
+static int parse_argv(
+                int argc,
+                char *argv[],
+                X509 **ret_certificate,
+                EVP_PKEY **ret_private_key,
+                OpenSSLAskPasswordUI **ret_ui) {
+
         enum {
                 ARG_VERSION = 0x100,
                 ARG_NO_PAGER,

src/resolve/resolved-dns-browse-services.c

@@ -1,9 +1,10 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "af-list.h"
+#include "alloc-util.h"
 #include "event-util.h"
 #include "dns-domain.h"
-#include "json-util.h"
+#include "log.h"
 #include "random-util.h"
 #include "resolved-dns-browse-services.h"
 #include "resolved-dns-cache.h"
@@ -12,8 +13,8 @@
 #include "resolved-dns-rr.h"
 #include "resolved-dns-scope.h"
 #include "resolved-manager.h"
-#include "resolved-varlink.h"
 #include "string-table.h"
+#include "string-util.h"
 
 typedef enum BrowseServiceUpdateEvent {
         BROWSE_SERVICE_UPDATE_ADDED,

src/resolve/resolved-dnstls.c

@@ -7,7 +7,6 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
-#include <sys/epoll.h>
 
 #include "alloc-util.h"
 #include "openssl-util.h"

src/resolve/resolved-varlink.c

@@ -7,7 +7,6 @@
 #include "dns-domain.h"
 #include "dns-type.h"
 #include "errno-util.h"
-#include "glyph-util.h"
 #include "in-addr-util.h"
 #include "iovec-util.h"
 #include "json-util.h"

src/run/run.c

@@ -5,7 +5,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/resource.h>
-#include <sys/stat.h>
 #include <unistd.h>
 
 #include "sd-bus.h"

src/shared/cpu-set-util.c

@@ -8,7 +8,6 @@
 #include "bitfield.h"
 #include "cpu-set-util.h"
 #include "extract-word.h"
-#include "hexdecoct.h"
 #include "log.h"
 #include "parse-util.h"
 #include "string-util.h"

src/shared/creds-util.c

@@ -1209,7 +1209,7 @@ int decrypt_credential_and_warn(
          *   -EHWPOISON    → Attempt to decode NULL key (and CREDENTIAL_ALLOW_NULL is off), but the system has a TPM and SecureBoot is on
          *   -EMEDIUMTYPE  → File has unexpected scope, i.e. user-scoped credential is attempted to be unlocked in system scope, or vice versa
          *   -EDESTADDRREQ → Credential is incorrectly named (i.e. the authenticated name does not match the actual name)
-         *   -ESTALE       → Credential's valdity has passed
+         *   -ESTALE       → Credential's validity has passed
          *   -ESRCH        → User specified for scope does not exist on this system
          *
          *   (plus the various error codes tpm2_unseal() returns) */

src/shared/firewall-util-iptables.c

@@ -1,383 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include <endian.h>
-#include <libiptc/libiptc.h>
-#include <linux/netfilter/nf_nat.h>
-#include <linux/netfilter/xt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <string.h>
-
-#include "alloc-util.h"
-#include "dlfcn-util.h"
-#include "firewall-util-private.h"
-#include "in-addr-util.h"
-#include "log.h"
-#include "socket-util.h"
-
-static DLSYM_PROTOTYPE(iptc_check_entry) = NULL;
-static DLSYM_PROTOTYPE(iptc_commit) = NULL;
-static DLSYM_PROTOTYPE(iptc_delete_entry) = NULL;
-static DLSYM_PROTOTYPE(iptc_free) = NULL;
-static DLSYM_PROTOTYPE(iptc_init) = NULL;
-static DLSYM_PROTOTYPE(iptc_insert_entry) = NULL;
-static DLSYM_PROTOTYPE(iptc_strerror) = NULL;
-
-static void *iptc_dl = NULL;
-
-DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(struct xtc_handle*, sym_iptc_free, NULL);
-
-static int entry_fill_basics(
-                struct ipt_entry *entry,
-                int protocol,
-                const char *in_interface,
-                const union in_addr_union *source,
-                unsigned source_prefixlen,
-                const char *out_interface,
-                const union in_addr_union *destination,
-                unsigned destination_prefixlen) {
-
-        assert(entry);
-
-        if (out_interface && !ifname_valid(out_interface))
-                return -EINVAL;
-        if (in_interface && !ifname_valid(in_interface))
-                return -EINVAL;
-
-        entry->ip.proto = protocol;
-
-        if (in_interface) {
-                size_t l;
-
-                l = strlen(in_interface);
-                assert(l < sizeof entry->ip.iniface);
-                assert(l < sizeof entry->ip.iniface_mask);
-
-                strcpy(entry->ip.iniface, in_interface);
-                memset(entry->ip.iniface_mask, 0xFF, l + 1);
-        }
-        if (source) {
-                entry->ip.src = source->in;
-                in4_addr_prefixlen_to_netmask(&entry->ip.smsk, source_prefixlen);
-        }
-
-        if (out_interface) {
-                size_t l = strlen(out_interface);
-                assert(l < sizeof entry->ip.outiface);
-                assert(l < sizeof entry->ip.outiface_mask);
-
-                strcpy(entry->ip.outiface, out_interface);
-                memset(entry->ip.outiface_mask, 0xFF, l + 1);
-        }
-        if (destination) {
-                entry->ip.dst = destination->in;
-                in4_addr_prefixlen_to_netmask(&entry->ip.dmsk, destination_prefixlen);
-        }
-
-        return 0;
-}
-
-int fw_iptables_add_masquerade(
-                bool add,
-                int af,
-                const union in_addr_union *source,
-                unsigned source_prefixlen) {
-
-        static const xt_chainlabel chain = "POSTROUTING";
-        _cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
-        struct ipt_entry *entry, *mask;
-        struct ipt_entry_target *t;
-        size_t sz;
-        struct nf_nat_ipv4_multi_range_compat *mr;
-        int r, protocol = 0;
-        const char *out_interface = NULL;
-        const union in_addr_union *destination = NULL;
-        unsigned destination_prefixlen = 0;
-
-        if (af != AF_INET)
-                return -EOPNOTSUPP;
-
-        if (!source || source_prefixlen == 0)
-                return -EINVAL;
-
-        r = fw_iptables_init_nat(&h);
-        if (r < 0)
-                return r;
-
-        sz = XT_ALIGN(sizeof(struct ipt_entry)) +
-             XT_ALIGN(sizeof(struct ipt_entry_target)) +
-             XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
-
-        /* Put together the entry we want to add or remove */
-        entry = alloca0(sz);
-        entry->next_offset = sz;
-        entry->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
-        r = entry_fill_basics(entry, protocol, NULL, source, source_prefixlen, out_interface, destination, destination_prefixlen);
-        if (r < 0)
-                return r;
-
-        /* Fill in target part */
-        t = ipt_get_target(entry);
-        t->u.target_size =
-                XT_ALIGN(sizeof(struct ipt_entry_target)) +
-                XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
-        strncpy(t->u.user.name, "MASQUERADE", sizeof(t->u.user.name));
-        mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
-        mr->rangesize = 1;
-
-        /* Create a search mask entry */
-        mask = alloca_safe(sz);
-        memset(mask, 0xFF, sz);
-
-        if (add) {
-                if (sym_iptc_check_entry(chain, entry, (unsigned char*) mask, h))
-                        return 0;
-                if (errno != ENOENT) /* if other error than not existing yet, fail */
-                        return -errno;
-
-                if (!sym_iptc_insert_entry(chain, entry, 0, h))
-                        return -errno;
-        } else {
-                if (!sym_iptc_delete_entry(chain, entry, (unsigned char*) mask, h)) {
-                        if (errno == ENOENT) /* if it's already gone, all is good! */
-                                return 0;
-
-                        return -errno;
-                }
-        }
-
-        if (!sym_iptc_commit(h))
-                return -errno;
-
-        return 0;
-}
-
-int fw_iptables_add_local_dnat(
-                bool add,
-                int af,
-                int protocol,
-                uint16_t local_port,
-                const union in_addr_union *remote,
-                uint16_t remote_port,
-                const union in_addr_union *previous_remote) {
-
-        static const xt_chainlabel chain_pre = "PREROUTING", chain_output = "OUTPUT";
-        _cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
-        struct ipt_entry *entry, *mask;
-        struct ipt_entry_target *t;
-        struct ipt_entry_match *m;
-        struct xt_addrtype_info_v1 *at;
-        struct nf_nat_ipv4_multi_range_compat *mr;
-        size_t sz, msz;
-        int r;
-        const char *in_interface = NULL;
-        const union in_addr_union *source = NULL;
-        unsigned source_prefixlen = 0;
-        const union in_addr_union *destination = NULL;
-        unsigned destination_prefixlen = 0;
-
-        assert(add || !previous_remote);
-
-        if (af != AF_INET)
-                return -EOPNOTSUPP;
-
-        if (!IN_SET(protocol, IPPROTO_TCP, IPPROTO_UDP))
-                return -EOPNOTSUPP;
-
-        if (local_port <= 0)
-                return -EINVAL;
-
-        if (remote_port <= 0)
-                return -EINVAL;
-
-        r = fw_iptables_init_nat(&h);
-        if (r < 0)
-                return r;
-
-        sz = XT_ALIGN(sizeof(struct ipt_entry)) +
-             XT_ALIGN(sizeof(struct ipt_entry_match)) +
-             XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
-             XT_ALIGN(sizeof(struct ipt_entry_target)) +
-             XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
-
-        if (protocol == IPPROTO_TCP)
-                msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
-                      XT_ALIGN(sizeof(struct xt_tcp));
-        else
-                msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
-                      XT_ALIGN(sizeof(struct xt_udp));
-
-        sz += msz;
-
-        /* Fill in basic part */
-        entry = alloca0(sz);
-        entry->next_offset = sz;
-        entry->target_offset =
-                XT_ALIGN(sizeof(struct ipt_entry)) +
-                XT_ALIGN(sizeof(struct ipt_entry_match)) +
-                XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
-                msz;
-        r = entry_fill_basics(entry, protocol, in_interface, source, source_prefixlen, NULL, destination, destination_prefixlen);
-        if (r < 0)
-                return r;
-
-        /* Fill in first match */
-        m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)));
-        m->u.match_size = msz;
-        if (protocol == IPPROTO_TCP) {
-                struct xt_tcp *tcp;
-
-                strncpy(m->u.user.name, "tcp", sizeof(m->u.user.name));
-                tcp = (struct xt_tcp*) m->data;
-                tcp->dpts[0] = tcp->dpts[1] = local_port;
-                tcp->spts[0] = 0;
-                tcp->spts[1] = 0xFFFF;
-
-        } else {
-                struct xt_udp *udp;
-
-                strncpy(m->u.user.name, "udp", sizeof(m->u.user.name));
-                udp = (struct xt_udp*) m->data;
-                udp->dpts[0] = udp->dpts[1] = local_port;
-                udp->spts[0] = 0;
-                udp->spts[1] = 0xFFFF;
-        }
-
-        /* Fill in second match */
-        m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)) + msz);
-        m->u.match_size =
-                XT_ALIGN(sizeof(struct ipt_entry_match)) +
-                XT_ALIGN(sizeof(struct xt_addrtype_info_v1));
-        strncpy(m->u.user.name, "addrtype", sizeof(m->u.user.name));
-        m->u.user.revision = 1;
-        at = (struct xt_addrtype_info_v1*) m->data;
-        at->dest = XT_ADDRTYPE_LOCAL;
-
-        /* Fill in target part */
-        t = ipt_get_target(entry);
-        t->u.target_size =
-                XT_ALIGN(sizeof(struct ipt_entry_target)) +
-                XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
-        strncpy(t->u.user.name, "DNAT", sizeof(t->u.user.name));
-        mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
-        mr->rangesize = 1;
-        mr->range[0].flags = NF_NAT_RANGE_PROTO_SPECIFIED|NF_NAT_RANGE_MAP_IPS;
-        mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
-        if (protocol == IPPROTO_TCP)
-                mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htobe16(remote_port);
-        else
-                mr->range[0].min.udp.port = mr->range[0].max.udp.port = htobe16(remote_port);
-
-        mask = alloca0(sz);
-        memset(mask, 0xFF, sz);
-
-        if (add) {
-                /* Add the PREROUTING rule, if it is missing so far */
-                if (!sym_iptc_check_entry(chain_pre, entry, (unsigned char*) mask, h)) {
-                        if (errno != ENOENT)
-                                return -EINVAL;
-
-                        if (!sym_iptc_insert_entry(chain_pre, entry, 0, h))
-                                return -errno;
-                }
-
-                /* If a previous remote is set, remove its entry */
-                if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
-                        mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
-
-                        if (!sym_iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
-                                if (errno != ENOENT)
-                                        return -errno;
-                        }
-
-                        mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
-                }
-
-                /* Add the OUTPUT rule, if it is missing so far */
-                if (!in_interface) {
-
-                        /* Don't apply onto loopback addresses */
-                        if (!destination) {
-                                entry->ip.dst.s_addr = htobe32(0x7F000000);
-                                entry->ip.dmsk.s_addr = htobe32(0xFF000000);
-                                entry->ip.invflags = IPT_INV_DSTIP;
-                        }
-
-                        if (!sym_iptc_check_entry(chain_output, entry, (unsigned char*) mask, h)) {
-                                if (errno != ENOENT)
-                                        return -errno;
-
-                                if (!sym_iptc_insert_entry(chain_output, entry, 0, h))
-                                        return -errno;
-                        }
-
-                        /* If a previous remote is set, remove its entry */
-                        if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
-                                mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
-
-                                if (!sym_iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
-                                        if (errno != ENOENT)
-                                                return -errno;
-                                }
-                        }
-                }
-        } else {
-                if (!sym_iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
-                        if (errno != ENOENT)
-                                return -errno;
-                }
-
-                if (!in_interface) {
-                        if (!destination) {
-                                entry->ip.dst.s_addr = htobe32(0x7F000000);
-                                entry->ip.dmsk.s_addr = htobe32(0xFF000000);
-                                entry->ip.invflags = IPT_INV_DSTIP;
-                        }
-
-                        if (!sym_iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
-                                if (errno != ENOENT)
-                                        return -errno;
-                        }
-                }
-        }
-
-        if (!sym_iptc_commit(h))
-                return -errno;
-
-        return 0;
-}
-
-static int dlopen_iptc(void) {
-        ELF_NOTE_DLOPEN("ip4tc",
-                        "Support for firewall rules with iptables backend",
-                        ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED,
-                        "libip4tc.so.2");
-
-        return dlopen_many_sym_or_warn(
-                        &iptc_dl,
-                        "libip4tc.so.2", LOG_DEBUG,
-                        DLSYM_ARG(iptc_check_entry),
-                        DLSYM_ARG(iptc_commit),
-                        DLSYM_ARG(iptc_delete_entry),
-                        DLSYM_ARG(iptc_free),
-                        DLSYM_ARG(iptc_init),
-                        DLSYM_ARG(iptc_insert_entry),
-                        DLSYM_ARG(iptc_strerror));
-}
-
-int fw_iptables_init_nat(struct xtc_handle **ret) {
-        _cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
-        int r;
-
-        r = dlopen_iptc();
-        if (r < 0)
-                return r;
-
-        h = sym_iptc_init("nat");
-        if (!h)
-                return log_debug_errno(errno, "Failed to init \"nat\" table: %s", sym_iptc_strerror(errno));
-
-        if (ret)
-                *ret = TAKE_PTR(h);
-
-        return 0;
-}

src/shared/firewall-util-private.h

@@ -1,64 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#pragma once
-
-#include "firewall-util.h"
-#include "forward.h"
-
-typedef enum FirewallBackend {
-        FW_BACKEND_NONE,
-#if HAVE_LIBIPTC
-        FW_BACKEND_IPTABLES,
-#endif
-        FW_BACKEND_NFTABLES,
-        _FW_BACKEND_MAX,
-        _FW_BACKEND_INVALID = -EINVAL,
-} FirewallBackend;
-
-struct FirewallContext {
-        FirewallBackend backend;
-        sd_netlink *nfnl;
-};
-
-const char* firewall_backend_to_string(FirewallBackend b) _const_;
-
-int fw_nftables_init(FirewallContext *ctx);
-int fw_nftables_init_full(FirewallContext *ctx, bool init_tables);
-void fw_nftables_exit(FirewallContext *ctx);
-
-int fw_nftables_add_masquerade(
-                FirewallContext *ctx,
-                bool add,
-                int af,
-                const union in_addr_union *source,
-                unsigned source_prefixlen);
-
-int fw_nftables_add_local_dnat(
-                FirewallContext *ctx,
-                bool add,
-                int af,
-                int protocol,
-                uint16_t local_port,
-                const union in_addr_union *remote,
-                uint16_t remote_port,
-                const union in_addr_union *previous_remote);
-
-#if HAVE_LIBIPTC
-struct xtc_handle;
-
-int fw_iptables_add_masquerade(
-                bool add,
-                int af,
-                const union in_addr_union *source,
-                unsigned source_prefixlen);
-
-int fw_iptables_add_local_dnat(
-                bool add,
-                int af,
-                int protocol,
-                uint16_t local_port,
-                const union in_addr_union *remote,
-                uint16_t remote_port,
-                const union in_addr_union *previous_remote);
-
-int fw_iptables_init_nat(struct xtc_handle **ret);
-#endif

src/shared/firewall-util.h

@@ -4,25 +4,15 @@
 #include "conf-parser-forward.h"
 #include "forward.h"
 
-typedef struct FirewallContext FirewallContext;
+int fw_nftables_add_masquerade(
-
+                sd_netlink *nfnl,
-int fw_ctx_new(FirewallContext **ret);
-int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
-FirewallContext *fw_ctx_free(FirewallContext *ctx);
-
-DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
-
-size_t fw_ctx_get_reply_callback_count(FirewallContext *ctx);
-
-int fw_add_masquerade(
-                FirewallContext **ctx,
                 bool add,
                 int af,
                 const union in_addr_union *source,
                 unsigned source_prefixlen);
 
-int fw_add_local_dnat(
+int fw_nftables_add_local_dnat(
-                FirewallContext **ctx,
+                sd_netlink *nfnl,
                 bool add,
                 int af,
                 int protocol,
@@ -64,7 +54,7 @@ const char* nft_set_source_to_string(int i) _const_;
 int nft_set_source_from_string(const char *s) _pure_;
 
 int nft_set_element_modify_iprange(
-                FirewallContext *ctx,
+                sd_netlink *nfnl,
                 bool add,
                 int nfproto,
                 int af,
@@ -74,7 +64,7 @@ int nft_set_element_modify_iprange(
                 unsigned source_prefixlen);
 
 int nft_set_element_modify_ip(
-                FirewallContext *ctx,
+                sd_netlink *nfnl,
                 bool add,
                 int nfproto,
                 int af,
@@ -83,7 +73,7 @@ int nft_set_element_modify_ip(
                 const union in_addr_union *source);
 
 int nft_set_element_modify_any(
-                FirewallContext *ctx,
+                sd_netlink *nfnl,
                 bool add,
                 int nfproto,
                 const char *table,

src/shared/generator.c

@@ -6,7 +6,6 @@
 
 #include "alloc-util.h"
 #include "argv-util.h"
-#include "cgroup-util.h"
 #include "dropin.h"
 #include "escape.h"
 #include "fd-util.h"

src/shared/label-util.c

@@ -5,7 +5,6 @@
 
 #include "btrfs-util.h"
 #include "errno-util.h"
-#include "fs-util.h"
 #include "label-util.h"
 #include "selinux-util.h"
 #include "smack-util.h"

src/shared/libaudit-util.c

@@ -2,7 +2,6 @@
 
 #include <linux/audit.h>
 #include <linux/netlink.h>
-#include <stdio.h>
 #include <sys/socket.h>
 
 #include "errno-util.h"
@@ -12,6 +11,32 @@
 #include "log.h"
 #include "socket-util.h"
 
+#if HAVE_AUDIT
+static void *libaudit_dl = NULL;
+
+static DLSYM_PROTOTYPE(audit_close) = NULL;
+DLSYM_PROTOTYPE(audit_log_acct_message) = NULL;
+DLSYM_PROTOTYPE(audit_log_user_avc_message) = NULL;
+DLSYM_PROTOTYPE(audit_log_user_comm_message) = NULL;
+static DLSYM_PROTOTYPE(audit_open) = NULL;
+
+int dlopen_libaudit(void) {
+        ELF_NOTE_DLOPEN("libaudit",
+                        "Support for Audit loggging",
+                        ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED,
+                        "libaudit.so.1");
+
+        return dlopen_many_sym_or_warn(
+                        &libaudit_dl,
+                        "libaudit.so.1",
+                        LOG_DEBUG,
+                        DLSYM_ARG(audit_close),
+                        DLSYM_ARG(audit_log_acct_message),
+                        DLSYM_ARG(audit_log_user_avc_message),
+                        DLSYM_ARG(audit_log_user_comm_message),
+                        DLSYM_ARG(audit_open));
+}
+
 static int try_audit_request(int fd) {
         struct iovec iov;
         struct msghdr mh;
@@ -49,14 +74,19 @@ static int try_audit_request(int fd) {
 
         return msg.err.error;
 }
+#endif
 
 bool use_audit(void) {
+#if HAVE_AUDIT
         static int cached_use = -1;
         int r;
 
         if (cached_use >= 0)
                 return cached_use;
 
+        if (dlopen_libaudit() < 0)
+                return (cached_use = false);
+
         _cleanup_close_ int fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
         if (fd < 0) {
                 cached_use = !ERRNO_IS_PRIVILEGE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno);
@@ -83,12 +113,15 @@ bool use_audit(void) {
         }
 
         return cached_use;
+#else
+        return false;
+#endif
 }
 
 int close_audit_fd(int fd) {
 #if HAVE_AUDIT
         if (fd >= 0)
-                audit_close(fd);
+                sym_audit_close(fd);
 #else
         assert(fd < 0);
 #endif
@@ -97,8 +130,14 @@ int close_audit_fd(int fd) {
 
 int open_audit_fd_or_warn(void) {
 #if HAVE_AUDIT
+        int r;
+
+        r = dlopen_libaudit();
+        if (r < 0)
+                return r;
+
         /* If the kernel lacks netlink or audit support, don't worry about it. */
-        int fd = audit_open();
+        int fd = sym_audit_open();
         if (fd < 0)
                 return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING,
                                       errno, "Failed to connect to audit log, ignoring: %m");

src/shared/libaudit-util.h

@@ -1,11 +1,19 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
+#include "forward.h"
+
 #if HAVE_AUDIT
 #  include <libaudit.h>         /* IWYU pragma: export */
-#endif
 
-#include "forward.h"
+#  include "dlfcn-util.h"
+
+extern DLSYM_PROTOTYPE(audit_log_acct_message);
+extern DLSYM_PROTOTYPE(audit_log_user_avc_message);
+extern DLSYM_PROTOTYPE(audit_log_user_comm_message);
+
+int dlopen_libaudit(void);
+#endif
 
 bool use_audit(void);
 

src/shared/machine-bind-user.c

@@ -2,7 +2,6 @@
 
 #include <grp.h>
 #include <pwd.h>
-#include <unistd.h>
 
 #include "alloc-util.h"
 #include "chase.h"

src/shared/machine-credential.c

@@ -5,11 +5,12 @@
 #include "escape.h"
 #include "extract-word.h"
 #include "fileio.h"
+#include "iovec-util.h"
 #include "log.h"
 #include "machine-credential.h"
 #include "memory-util.h"
 #include "path-util.h"
-#include "string-util-fundamental.h"
+#include "string-util.h"
 
 static void machine_credential_done(MachineCredential *cred) {
         assert(cred);
@@ -28,74 +29,118 @@ void machine_credential_context_done(MachineCredentialContext *ctx) {
         free(ctx->credentials);
 }
 
-bool machine_credentials_contains(const MachineCredentialContext *ctx, const char *id) {
+MachineCredential* machine_credential_find(MachineCredentialContext *ctx, const char *id) {
         assert(ctx);
         assert(id);
 
         FOREACH_ARRAY(cred, ctx->credentials, ctx->n_credentials)
                 if (streq(cred->id, id))
-                        return true;
+                        return cred;
 
-        return false;
+        return NULL;
 }
 
-int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str) {
+int machine_credential_add(
+                MachineCredentialContext *ctx,
+                const char *id,
+                const char *value,
+                size_t size) {
+
+        assert(ctx);
+        assert(id);
+        assert(value || size == 0);
+
+        if (!credential_name_valid(id))
+                return -EINVAL;
+
+        if (machine_credential_find(ctx, id))
+                return -EEXIST;
+
+        if (size == SIZE_MAX)
+                size = strlen_ptr(value);
+
         _cleanup_(machine_credential_done) MachineCredential cred = {};
-        ssize_t l;
+        cred.id = strdup(id);
+        if (!cred.id)
+                return -ENOMEM;
+
+        cred.data = memdup(value, size);
+        if (!cred.data)
+                return -ENOMEM;
+
+        cred.size = size;
+
+        if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
+                return -ENOMEM;
+
+        ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
+        return 0;
+}
+
+static int machine_credential_add_and_log(
+                MachineCredentialContext *ctx,
+                const char *id,
+                const char *value,
+                size_t size) {
+
+        int r;
+
+        assert(ctx);
+        assert(id);
+        assert(value || size == 0);
+
+        r = machine_credential_add(ctx, id, value, size);
+        if (r == -EEXIST)
+                return log_error_errno(r, "Duplicated credential '%s', refusing.", id);
+        if (r == -EINVAL)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", id);
+        if (r == -ENOMEM)
+                return log_oom();
+        if (r < 0)
+                return log_error_errno(r, "Failed to add credential '%s': %m", id);
+
+        return 0;
+}
+
+
+int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str) {
         int r;
 
         assert(ctx);
 
         const char *p = ASSERT_PTR(cred_str);
-
+        _cleanup_free_ char *id = NULL;
-        r = extract_first_word(&p, &cred.id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
+        r = extract_first_word(&p, &id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
         if (r < 0)
                 return log_error_errno(r, "Failed to parse --set-credential= parameter: %m");
         if (r == 0 || !p)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                        "Missing value for --set-credential=: %s", cred_str);
 
-        if (!credential_name_valid(cred.id))
+        _cleanup_free_ char *data = NULL;
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", cred.id);
+        ssize_t l;
-
+        l = cunescape(p, UNESCAPE_ACCEPT_NUL, &data);
-        if (machine_credentials_contains(ctx, cred.id))
-                return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", cred.id);
-
-        l = cunescape(p, UNESCAPE_ACCEPT_NUL, &cred.data);
         if (l < 0)
                 return log_error_errno(l, "Failed to unescape credential data: %s", p);
-        cred.size = l;
 
-        if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
+        return machine_credential_add_and_log(ctx, id, data, l);
-                return log_oom();
-
-        ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
-
-        return 0;
 }
 
 int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path) {
-        _cleanup_(machine_credential_done) MachineCredential cred = {};
-        _cleanup_free_ char *path_alloc = NULL;
-        ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
         int r;
 
         assert(ctx);
 
         const char *p = ASSERT_PTR(cred_path);
-
+        _cleanup_free_ char *id = NULL;
-        r = extract_first_word(&p, &cred.id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
+        r = extract_first_word(&p, &id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
         if (r < 0)
                 return log_error_errno(r, "Failed to parse --load-credential= parameter: %m");
         if (r == 0 || !p)
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Missing value for --load-credential=: %s", cred_path);
 
-        if (!credential_name_valid(cred.id))
+        ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
-                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", cred.id);
+        _cleanup_free_ char *path_alloc = NULL;
-
-        if (machine_credentials_contains(ctx, cred.id))
-                return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", cred.id);
-
         if (is_path(p) && path_is_valid(p))
                 flags |= READ_FULL_FILE_CONNECT_SOCKET;
         else if (credential_name_valid(p)) {
@@ -103,8 +148,7 @@ int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path
 
                 r = get_credentials_dir(&e);
                 if (r < 0)
-                        return log_error_errno(r,
+                        return log_error_errno(r, "Credential not available (no credentials passed at all): %s", p);
-                                               "Credential not available (no credentials passed at all): %s", cred.id);
 
                 path_alloc = path_join(e, p);
                 if (!path_alloc)
@@ -115,17 +159,16 @@ int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path
                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                        "Credential source appears to be neither a valid path nor a credential name: %s", p);
 
-        r = read_full_file_full(AT_FDCWD, p, UINT64_MAX, SIZE_MAX,
+        _cleanup_(iovec_done_erase) struct iovec iov = {};
-                                flags,
+        r = read_full_file_full(
-                                NULL,
+                        AT_FDCWD, p,
-                                &cred.data, &cred.size);
+                        /* offset= */ UINT64_MAX,
+                        /* size= */ SIZE_MAX,
+                        flags,
+                        /* bind_name= */ NULL,
+                        (char**) &iov.iov_base, &iov.iov_len);
         if (r < 0)
                 return log_error_errno(r, "Failed to read credential '%s': %m", p);
 
-        if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
+        return machine_credential_add_and_log(ctx, id, iov.iov_base, iov.iov_len);
-                return log_oom();
-
-        ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
-
-        return 0;
 }

src/shared/machine-credential.h

@@ -16,7 +16,8 @@ typedef struct MachineCredentialContext {
 
 void machine_credential_context_done(MachineCredentialContext *ctx);
 
-bool machine_credentials_contains(const MachineCredentialContext *ctx, const char *id);
+MachineCredential* machine_credential_find(MachineCredentialContext *ctx, const char *id);
 
+int machine_credential_add(MachineCredentialContext *ctx, const char *id, const char *value, size_t size);
 int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str);
 int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path);

src/shared/meson.build

@@ -76,7 +76,6 @@ shared_sources = files(
         'fdset.c',
         'fido2-util.c',
         'find-esp.c',
-        'firewall-util-nft.c',
         'firewall-util.c',
         'fork-notify.c',
         'format-table.c',
@@ -249,10 +248,6 @@ if conf.get('ENABLE_UTMP') == 1
         shared_sources += files('utmp-wtmp.c')
 endif
 
-if conf.get('HAVE_LIBIPTC') == 1
-        shared_sources += files('firewall-util-iptables.c')
-endif
-
 if conf.get('HAVE_LIBBPF') == 1
         shared_sources += files('bpf-link.c')
 endif
@@ -317,13 +312,12 @@ libshared_name = 'systemd-shared-@0@'.format(shared_lib_tag)
 
 libshared_deps = [threads,
                   libacl,
-                  libaudit,
+                  libaudit_cflags,
                   libblkid,
                   libcap,
                   libcrypt,
                   libdl,
                   libgcrypt_cflags,
-                  libiptc_cflags,
                   libkmod_cflags,
                   liblz4_cflags,
                   libmount,

src/shared/openssl-util.c

@@ -1726,13 +1726,15 @@ int openssl_load_private_key(
 
         assert(private_key);
         assert(request);
+        assert(ret_private_key);
 
         if (private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
                 r = openssl_load_private_key_from_file(private_key, ret_private_key);
                 if (r < 0)
                         return r;
 
-                *ret_user_interface = NULL;
+                if (ret_user_interface)
+                        *ret_user_interface = NULL;
         } else {
                 _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
                 r = openssl_ask_password_ui_new(request, &ui);
@@ -1757,7 +1759,8 @@ int openssl_load_private_key(
                                         private_key,
                                         private_key_source);
 
-                *ret_user_interface = TAKE_PTR(ui);
+                if (ret_user_interface)
+                        *ret_user_interface = TAKE_PTR(ui);
         }
 
         return 0;

src/shared/pretty-print.c

@@ -14,7 +14,6 @@
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "fs-util.h"
 #include "log.h"
 #include "path-util.h"
 #include "pretty-print.h"

src/shared/tests.c

@@ -3,8 +3,6 @@
 #include <sched.h>
 #include <stdlib.h>
 #include <sys/mman.h>
-#include <sys/prctl.h>
-#include <sys/wait.h>
 #include <unistd.h>
 
 #include "sd-bus.h"

src/shared/varlink-io.systemd.MountFileSystem.c

@@ -116,7 +116,7 @@ static SD_VARLINK_DEFINE_ERROR(DeniedByImagePolicy);
 static SD_VARLINK_DEFINE_ERROR(KeyNotFound);
 static SD_VARLINK_DEFINE_ERROR(VerityFailure);
 static SD_VARLINK_DEFINE_ERROR(BadFileDescriptorFlags,
-                               SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flag."),
+                               SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flags."),
                                SD_VARLINK_DEFINE_FIELD(parameter, SD_VARLINK_STRING, 0));
 
 SD_VARLINK_DEFINE_INTERFACE(

src/shared/varlink-io.systemd.Unit.c

@@ -455,7 +455,13 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
                 SD_VARLINK_FIELD_COMMENT("The total number of bytes written to block devices by the cgroup"),
                 SD_VARLINK_DEFINE_FIELD(IOWriteBytes, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
                 SD_VARLINK_FIELD_COMMENT("The total number of write operations performed on block devices by the cgroup"),
-                SD_VARLINK_DEFINE_FIELD(IOWriteOperations, SD_VARLINK_INT, SD_VARLINK_NULLABLE));
+                SD_VARLINK_DEFINE_FIELD(IOWriteOperations, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
+
+                /* OOM */
+                SD_VARLINK_FIELD_COMMENT("The number of processes of this unit killed by the kernel OOM killer"),
+                SD_VARLINK_DEFINE_FIELD(OOMKills, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
+                SD_VARLINK_FIELD_COMMENT("The number of processes of this unit killed by systemd-oomd"),
+                SD_VARLINK_DEFINE_FIELD(ManagedOOMKills, SD_VARLINK_INT, SD_VARLINK_NULLABLE));
 
 static SD_VARLINK_DEFINE_STRUCT_TYPE(
                 UnitRuntime,

src/systemctl/systemctl-compat-shutdown.c

@@ -11,7 +11,6 @@
 #include "strv.h"
 #include "systemctl.h"
 #include "systemctl-compat-shutdown.h"
-#include "systemctl-logind.h"
 #include "time-util.h"
 
 static int shutdown_help(void) {

src/sysupdate/sysupdate.c

@@ -6,12 +6,9 @@
 #include "sd-daemon.h"
 
 #include "build.h"
-#include "chase.h"
 #include "conf-files.h"
 #include "constants.h"
-#include "dirent-util.h"
 #include "dissect-image.h"
-#include "fd-util.h"
 #include "format-table.h"
 #include "glyph-util.h"
 #include "hexdecoct.h"