2025-11-22 18:24:44 +01:00
118 changed files with 2324 additions and 1906 deletions
--- a/docs/OSC-CONTEXT.md
+++ b/docs/OSC-CONTEXT.md
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@ -2691,15 +2691,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
      or the restart rate limit is reached. See the <literal>RestartMode=</literal> section in
      <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
      for more details.</para>
      <para><varname>OOMKills</varname> contains a different value depending on whether
      <varname>OOMPolicy=kill</varname> is enabled for the unit or not. If enabled, the property contains the
      number of times the kernel OOM killer killed all the processes in the unit's cgroup and its
      descendant cgroups. If disabled, the property contains the number of processes the kernel OOM killer
      has killed in the unit's cgroup and its descendant cgroups.</para>
      <para><varname>ManagedOOMKills</varname> contains the number of times <command>systemd-oomd</command>
      killed all the processes in the unit's cgroup and its descendant cgroups.</para>
    </refsect2>
    <refsect2>
@ -2909,10 +2900,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t IOWriteOperations = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t OOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t ManagedOOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly b Delegate = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly as DelegateControllers = ['...', ...];
@ -4260,10 +4247,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
    <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
    <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@ -5156,10 +5139,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t IOWriteOperations = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t OOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t ManagedOOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly b Delegate = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly as DelegateControllers = ['...', ...];
@ -6507,10 +6486,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
    <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
    <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@ -7227,10 +7202,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t IOWriteOperations = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t OOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t ManagedOOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly b Delegate = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly as DelegateControllers = ['...', ...];
@ -8408,10 +8379,6 @@ node /org/freedesktop/systemd1/unit/home_2emount {
    <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
    <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@ -9261,10 +9228,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t IOWriteOperations = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t OOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t ManagedOOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly b Delegate = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly as DelegateControllers = ['...', ...];
@ -10406,10 +10369,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
    <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
    <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@ -11112,10 +11071,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t IOWriteOperations = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t OOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t ManagedOOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly b Delegate = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly as DelegateControllers = ['...', ...];
@ -11481,10 +11436,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
    <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
    <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@ -11696,10 +11647,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t IOWriteOperations = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t OOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly t ManagedOOMKills = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly b Delegate = ...;
      @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
      readonly as DelegateControllers = ['...', ...];
@ -12103,10 +12050,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
    <variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
    <variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
    <variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
    <variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
@ -12516,8 +12459,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
      <varname>LogsDirectoryQuotaUsage</varname>,
      <varname>LogsDirectoryAccounting</varname>, and
      <function>KillSubgroup()</function> were added in version 258.</para>
      <para><varname>OOMKills</varname>, and
      <varname>ManagedOOMKills</varname> were added in 259.</para>
    </refsect2>
    <refsect2>
      <title>Socket Unit Objects</title>
@ -12583,8 +12524,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
      <varname>LogsDirectoryQuotaUsage</varname>,
      <varname>LogsDirectoryAccounting</varname>, and
      <function>KillSubgroup()</function> were added in version 258.</para>
      <para><varname>OOMKills</varname>, and
      <varname>ManagedOOMKills</varname> were added in 259.</para>
    </refsect2>
    <refsect2>
      <title>Mount Unit Objects</title>
@ -12645,8 +12584,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
      <varname>LogsDirectoryQuotaUsage</varname>,
      <varname>LogsDirectoryAccounting</varname>, and
      <function>KillSubgroup()</function> were added in version 258.</para>
      <para><varname>OOMKills</varname>, and
      <varname>ManagedOOMKills</varname> were added in 259.</para>
    </refsect2>
    <refsect2>
      <title>Swap Unit Objects</title>
@ -12705,8 +12642,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
      <varname>LogsDirectoryQuotaUsage</varname>,
      <varname>LogsDirectoryAccounting</varname>, and
      <function>KillSubgroup()</function> were added in version 258.</para>
      <para><varname>OOMKills</varname>, and
      <varname>ManagedOOMKills</varname> were added in 259.</para>
    </refsect2>
    <refsect2>
      <title>Slice Unit Objects</title>
@ -12737,8 +12672,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
      <varname>NCurrentlyActive</varname>,
      <function>RemoveSubgroup()</function>, and
      <function>KillSubgroup()</function> were added in version 258.</para>
      <para><varname>OOMKills</varname>, and
      <varname>ManagedOOMKills</varname> were added in 259.</para>
    </refsect2>
    <refsect2>
      <title>Scope Unit Objects</title>
@ -12767,8 +12700,6 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
      <para><varname>ManagedOOMMemoryPressureDurationUSec</varname> was added in version 257.</para>
      <para><function>RemoveSubgroup()</function> and
      <function>KillSubgroup()</function> were added in version 258.</para>
      <para><varname>OOMKills</varname>, and
      <varname>ManagedOOMKills</varname> were added in 259.</para>
    </refsect2>
    <refsect2>
      <title>Job Objects</title>
--- a/man/repart.d.xml
+++ b/man/repart.d.xml
@ -874,7 +874,7 @@
        <listitem><para>Configures the list of PCRs to use for LUKS2 volumes configured with
        the <varname>Encrypt=tpm2</varname> setting in partition files.
-        This option take the same parameters as the similarly named options to
+        This option take the same parameters as the similary named options to
        <citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        and have the same effect on partitions where TPM2 enrollment is requested.
        This option will be overridden by the global <varname>--tpm2-pcrs=</varname> option.</para>
--- a/man/sd_varlink_set_relative_timeout.xml
+++ b/man/sd_varlink_set_relative_timeout.xml
@ -45,7 +45,7 @@
    raised as client-generated reply to the method call.</para>
    <para>This call is particularly useful for method calls issued via
-    <function>sd_varlink_observe()</function> that shall remain open continuously for a long time.</para>
+    <function>sd_varlink_observe()</function> that shall remain open continously for a long time.</para>
  </refsect1>
  <refsect1>
--- a/meson.build
+++ b/meson.build
@ -1187,7 +1187,6 @@ conf.set10('HAVE_ACL', libacl.found())
 libaudit = dependency('audit',
                      required : get_option('audit'))
 conf.set10('HAVE_AUDIT', libaudit.found())
 libaudit_cflags = libaudit.partial_dependency(includes: true, compile_args: true)
 libblkid = dependency('blkid',
                      required : get_option('blkid'))
@ -1306,6 +1305,11 @@ endif
 conf.set10('HAVE_LIBIDN', not have and libidn.found())
 conf.set10('HAVE_LIBIDN2', have)
 libiptc = dependency('libiptc',
                     required : get_option('libiptc'))
 conf.set10('HAVE_LIBIPTC', libiptc.found())
 libiptc_cflags = libiptc.partial_dependency(includes: true, compile_args: true)
 libqrencode = dependency('libqrencode',
                         version : '>= 3',
                         required : get_option('qrencode'))
@ -3048,6 +3052,7 @@ foreach tuple : [
        ['libfido2'],
        ['libidn'],
        ['libidn2'],
        ['libiptc'],
        ['microhttpd'],
        ['openssl'],
        ['p11kit'],
--- a/meson_options.txt
+++ b/meson_options.txt
@ -432,7 +432,7 @@ option('libidn2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
       description : 'libidn2 support')
 option('libidn', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
       description : 'libidn support')
-option('libiptc', type : 'feature', deprecated : true,
+option('libiptc', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
       description : 'libiptc support')
 option('qrencode', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
       description : 'libqrencode support')
--- a/mkosi/mkosi.sanitizers/mkosi.postinst
+++ b/mkosi/mkosi.sanitizers/mkosi.postinst
@ -90,7 +90,6 @@ wrap=(
    socat
    sshd
    stat
    stress-ng
    su
    tar
    tgtd
--- a/src/analyze/analyze-unit-shell.c
+++ b/src/analyze/analyze-unit-shell.c
@ -1,5 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
--- a/src/basic/ansi-color.c
+++ b/src/basic/ansi-color.c
@ -3,6 +3,7 @@
 #include <stdlib.h>
 #include "ansi-color.h"
 #include "log.h"
 #include "process-util.h"
 #include "string-table.h"
 #include "string-util.h"
--- a/src/basic/build.c
+++ b/src/basic/build.c
@ -126,6 +126,12 @@ const char* const systemd_features =
        " -IDN"
 #endif
 #if HAVE_LIBIPTC
        " +IPTC"
 #else
        " -IPTC"
 #endif
 #if HAVE_KMOD
        " +KMOD"
 #else
--- a/src/basic/env-file.c
+++ b/src/basic/env-file.c
@ -6,6 +6,7 @@
 #include "alloc-util.h"
 #include "env-file.h"
 #include "env-util.h"
 #include "errno-util.h"
 #include "escape.h"
 #include "fd-util.h"
 #include "fileio.h"
--- a/src/basic/fd-util.c
+++ b/src/basic/fd-util.c
@ -20,6 +20,7 @@
 #include "parse-util.h"
 #include "path-util.h"
 #include "process-util.h"
 #include "socket-util.h"
 #include "sort-util.h"
 #include "stat-util.h"
 #include "stdio-util.h"
--- a/src/basic/filesystems.c
+++ b/src/basic/filesystems.c
@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include "filesystems-gperf.h"
 #include "nulstr-util.h"
 #include "stat-util.h"
 #include "string-util.h"
--- a/src/basic/format-util.c
+++ b/src/basic/format-util.c
@ -39,8 +39,7 @@ char* format_bytes_full(char *buf, size_t l, uint64_t t, FormatBytesFlag flag) {
                                (t / table[i + 1].factor * 10 / table[n - 1].factor) % 10 :
                                (t * 10 / table[i].factor) % 10;
-                        if (FLAGS_SET(flag, FORMAT_BYTES_ALWAYS_POINT) ||
+                        if (FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0)
                            (FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0))
                                (void) snprintf(buf, l,
                                                "%" PRIu64 ".%" PRIu64 "%s",
                                                t / table[i].factor,
--- a/src/basic/format-util.h
+++ b/src/basic/format-util.h
@ -64,10 +64,9 @@ assert_cc(sizeof(gid_t) == sizeof(uint32_t));
 #endif
 typedef enum {
-        FORMAT_BYTES_USE_IEC      = 1 << 0, /* use base 1024 rather than 1000 */
+        FORMAT_BYTES_USE_IEC     = 1 << 0,
-        FORMAT_BYTES_BELOW_POINT  = 1 << 1, /* show one digit after the point, if non-zero */
+        FORMAT_BYTES_BELOW_POINT = 1 << 1,
-        FORMAT_BYTES_ALWAYS_POINT = 1 << 2, /* show one digit after the point, always */
+        FORMAT_BYTES_TRAILING_B  = 1 << 2,
        FORMAT_BYTES_TRAILING_B   = 1 << 3, /* suffix the expression with a "B" for "bytes" */
 } FormatBytesFlag;
 #define FORMAT_BYTES_MAX 16U
@ -83,7 +82,6 @@ static inline char* format_bytes(char *buf, size_t l, uint64_t t) {
 * see C11 §6.5.2.5, and
 * https://stackoverflow.com/questions/34880638/compound-literal-lifetime-and-if-blocks */
 #define FORMAT_BYTES(t) format_bytes((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t)
-#define FORMAT_BYTES_FULL(t, flags) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, flags)
+#define FORMAT_BYTES_FULL(t, flag) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, flag)
 #define FORMAT_BYTES_WITH_POINT(t) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, FORMAT_BYTES_USE_IEC|FORMAT_BYTES_ALWAYS_POINT|FORMAT_BYTES_TRAILING_B)
 #define FORMAT_BYTES_CGROUP_PROTECTION(t) (t == CGROUP_LIMIT_MAX ? "infinity" : FORMAT_BYTES(t))
--- a/src/basic/forward.h
+++ b/src/basic/forward.h
@ -284,6 +284,7 @@ typedef struct ConfigTableItem ConfigTableItem;
 typedef struct CPUSet CPUSet;
 typedef struct FDSet FDSet;
 typedef struct Fido2HmacSalt Fido2HmacSalt;
 typedef struct FirewallContext FirewallContext;
 typedef struct GroupRecord GroupRecord;
 typedef struct Image Image;
 typedef struct ImagePolicy ImagePolicy;
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@ -16,8 +16,8 @@
 #include "log.h"
 #include "namespace-util.h"
 #include "parse-util.h"
 #include "pidref.h"
 #include "process-util.h"
 #include "stat-util.h"
 #include "string-table.h"
 #include "string-util.h"
 #include "strv.h"
@ -816,19 +816,16 @@ int running_in_chroot(void) {
        if (getenv_bool("SYSTEMD_IGNORE_CHROOT") > 0)
                return 0;
-        r = inode_same("/proc/1/root", "/", /* flags = */ 0);
+        r = pidref_from_same_root_fs(&PIDREF_MAKE_FROM_PID(1), NULL);
-        if (r == -ENOENT) {
+        if (r == -ENOSYS) {
-                r = proc_mounted();
+                if (getpid_cached() == 1)
-                if (r == 0) {
+                        return false; /* We will mount /proc, assuming we're not in a chroot. */
                        if (getpid_cached() == 1)
                                return false; /* We will mount /proc, assuming we're not in a chroot. */
-                        log_debug("/proc/ is not mounted, assuming we're in a chroot.");
+                log_debug("/proc/ is not mounted, assuming we're in a chroot.");
-                        return true;
+                return true;
                }
                if (r > 0) /* If we have fake /proc/, we can't do the check properly. */
                        return -ENOSYS;
        }
        if (r == -ESRCH) /* We must have a fake /proc/, we can't do the check properly. */
                return -ENOSYS;
        if (r < 0)
                return r;
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@ -28,12 +28,12 @@
 #include "fd-util.h"
 #include "fdset.h"
 #include "fileio.h"
 #include "firewall-util.h"
 #include "in-addr-prefix-util.h"
 #include "inotify-util.h"
 #include "ip-protocol-list.h"
 #include "limits-util.h"
 #include "manager.h"
 #include "netlink-internal.h"
 #include "nulstr-util.h"
 #include "parse-util.h"
 #include "path-util.h"
@ -1335,10 +1335,12 @@ void unit_modify_nft_set(Unit *u, bool add) {
        if (!crt || crt->cgroup_id == 0)
                return;
-        if (!u->manager->nfnl) {
+        if (!u->manager->fw_ctx) {
-                r = sd_nfnl_socket_open(&u->manager->nfnl);
+                r = fw_ctx_new_full(&u->manager->fw_ctx, /* init_tables= */ false);
                if (r < 0)
                        return;
                assert(u->manager->fw_ctx);
        }
        CGroupContext *c = ASSERT_PTR(unit_get_cgroup_context(u));
@ -1349,7 +1351,7 @@ void unit_modify_nft_set(Unit *u, bool add) {
                uint64_t element = crt->cgroup_id;
-                r = nft_set_element_modify_any(u->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
+                r = nft_set_element_modify_any(u->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
                if (r < 0)
                        log_warning_errno(r, "Failed to %s NFT set entry: family %s, table %s, set %s, cgroup %" PRIu64 ", ignoring: %m",
                                          add? "add" : "delete", nfproto_to_string(nft_set->nfproto), nft_set->table, nft_set->set, crt->cgroup_id);
@ -3034,43 +3036,20 @@ int unit_check_oom(Unit *u) {
        if (!crt || !crt->cgroup_path)
                return 0;
-        CGroupContext *ctx = unit_get_cgroup_context(u);
+        r = cg_get_keyed_attribute(
        if (!ctx)
                return 0;
        /* If memory.oom.group=1, then look up the oom_group_kill field, which reports how many times the
         * kernel killed every process recursively in this cgroup and its descendants, similar to
         * systemd-oomd. Because the memory.events.local file was only introduced in kernel 5.12, we fall
         * back to reading oom_kill if we can't find the file or field. */
        if (ctx->memory_oom_group) {
                r = cg_get_keyed_attribute(
                        "memory",
                        crt->cgroup_path,
                        "memory.events.local",
                        STRV_MAKE("oom_group_kill"),
                        &oom_kill);
                if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
                        return log_unit_debug_errno(u, r, "Failed to read oom_group_kill field of memory.events.local cgroup attribute, ignoring: %m");
        }
        if (isempty(oom_kill)) {
                r = cg_get_keyed_attribute(
                        "memory",
                        crt->cgroup_path,
                        "memory.events",
                        STRV_MAKE("oom_kill"),
                        &oom_kill);
-                if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
+        if (IN_SET(r, -ENOENT, -ENXIO)) /* Handle gracefully if cgroup or oom_kill attribute don't exist */
                        return log_unit_debug_errno(u, r, "Failed to read oom_kill field of memory.events cgroup attribute: %m");
        }
        if (!oom_kill)
                c = 0;
        else if (r < 0)
                return log_unit_debug_errno(u, r, "Failed to read oom_kill field of memory.events cgroup attribute: %m");
        else {
                r = safe_atou64(oom_kill, &c);
                if (r < 0)
-                        return log_unit_debug_errno(u, r, "Failed to parse memory.events cgroup oom field: %m");
+                        return log_unit_debug_errno(u, r, "Failed to parse oom_kill field: %m");
        }
        increased = c > crt->oom_kill_last;
@ -3082,7 +3061,7 @@ int unit_check_oom(Unit *u) {
        log_unit_struct(u, LOG_NOTICE,
                        LOG_MESSAGE_ID(SD_MESSAGE_UNIT_OUT_OF_MEMORY_STR),
                        LOG_UNIT_INVOCATION_ID(u),
-                        LOG_UNIT_MESSAGE(u, "The kernel OOM killer killed some processes in this unit."));
+                        LOG_UNIT_MESSAGE(u, "A process of this unit has been killed by the OOM killer."));
        unit_notify_cgroup_oom(u, /* managed_oom= */ false);
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@ -9,6 +9,7 @@
 #include "cgroup-util.h"
 #include "dbus-cgroup.h"
 #include "escape.h"
 #include "firewall-util.h"
 #include "in-addr-prefix-util.h"
 #include "limits-util.h"
 #include "manager.h"
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@ -1295,42 +1295,6 @@ static int property_get_cgroup_id(
        return sd_bus_message_append(reply, "t", crt ? crt->cgroup_id : UINT64_C(0));
 }
 static int property_get_oom_kills(
                sd_bus *bus,
                const char *path,
                const char *interface,
                const char *property,
                sd_bus_message *reply,
                void *userdata,
                sd_bus_error *error) {
        Unit *u = ASSERT_PTR(userdata);
        assert(bus);
        assert(reply);
        CGroupRuntime *crt = unit_get_cgroup_runtime(u);
        return sd_bus_message_append(reply, "t", crt ? crt->oom_kill_last : UINT64_MAX);
 }
 static int property_get_managed_oom_kills(
                sd_bus *bus,
                const char *path,
                const char *interface,
                const char *property,
                sd_bus_message *reply,
                void *userdata,
                sd_bus_error *error) {
        Unit *u = ASSERT_PTR(userdata);
        assert(bus);
        assert(reply);
        CGroupRuntime *crt = unit_get_cgroup_runtime(u);
        return sd_bus_message_append(reply, "t", crt ? crt->managed_oom_kill_last : UINT64_MAX);
 }
 static int append_process(sd_bus_message *reply, const char *p, PidRef *pid, Set *pids) {
        _cleanup_free_ char *buf = NULL, *cmdline = NULL;
        int r;
@ -1751,8 +1715,6 @@ const sd_bus_vtable bus_unit_cgroup_vtable[] = {
        SD_BUS_PROPERTY("IOReadOperations", "t", property_get_io_counter, 0, 0),
        SD_BUS_PROPERTY("IOWriteBytes", "t", property_get_io_counter, 0, 0),
        SD_BUS_PROPERTY("IOWriteOperations", "t", property_get_io_counter, 0, 0),
        SD_BUS_PROPERTY("OOMKills", "t", property_get_oom_kills, 0, 0),
        SD_BUS_PROPERTY("ManagedOOMKills", "t", property_get_managed_oom_kills, 0, 0),
        SD_BUS_METHOD_WITH_ARGS("GetProcesses",
                                SD_BUS_NO_ARGS,
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@ -62,6 +62,7 @@
 #include "open-file.h"
 #include "osc-context.h"
 #include "path-util.h"
 #include "percent-util.h"
 #include "pidref.h"
 #include "proc-cmdline.h"
 #include "process-util.h"
--- a/src/core/kmod-setup.c
+++ b/src/core/kmod-setup.c
@ -115,6 +115,10 @@ int kmod_setup(void) {
                /* This should never be a module */
                { "unix",                       "/proc/net/unix",            true,  true,  NULL               },
 #if HAVE_LIBIPTC
                /* netfilter is needed by networkd, nspawn among others, and cannot be autoloaded */
                { "ip_tables",                  "/proc/net/ip_tables_names", false, false, NULL               },
 #endif
                /* virtio_rng would be loaded by udev later, but real entropy might be needed very early */
                { "virtio_rng",                 NULL,                        false, false, has_virtio_rng     },
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -32,6 +32,7 @@
 #include "execute.h"
 #include "extract-word.h"
 #include "fd-util.h"
 #include "firewall-util.h"
 #include "fstab-util.h"
 #include "hashmap.h"
 #include "hexdecoct.h"
--- a/src/core/manager.c
+++ b/src/core/manager.c
@ -12,7 +12,6 @@
 #include "sd-bus.h"
 #include "sd-daemon.h"
 #include "sd-messages.h"
 #include "sd-netlink.h"
 #include "sd-path.h"
 #include "all-units.h"
@ -1754,7 +1753,7 @@ Manager* manager_free(Manager *m) {
        free(m->watchdog_pretimeout_governor);
        free(m->watchdog_pretimeout_governor_overridden);
-        sd_netlink_unref(m->nfnl);
+        fw_ctx_free(m->fw_ctx);
 #if BPF_FRAMEWORK
        bpf_restrict_fs_destroy(m->restrict_fs);
@ -3417,7 +3416,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
        }
        msg = strjoina("unit=", p);
-        if (sym_audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
+        if (audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
                if (ERRNO_IS_PRIVILEGE(errno)) {
                        /* We aren't allowed to send audit messages?  Then let's not retry again. */
                        log_debug_errno(errno, "Failed to send audit message, closing audit socket: %m");
--- a/src/core/manager.h
+++ b/src/core/manager.h
@ -474,7 +474,7 @@ typedef struct Manager {
        sd_event_source *memory_pressure_event_source;
        /* For NFTSet= */
-        sd_netlink *nfnl;
+        FirewallContext *fw_ctx;
        /* Pin the systemd-executor binary, so that it never changes until re-exec, ensuring we don't have
         * serialization/deserialization compatibility issues during upgrades. */
--- a/src/core/meson.build
+++ b/src/core/meson.build
@ -132,7 +132,7 @@ libcore_static = static_library(
        implicit_include_directories : false,
        c_args : ['-fvisibility=default'],
        dependencies : [libacl,
-                        libaudit_cflags,
+                        libaudit,
                        libblkid,
                        libdl,
                        libm,
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -38,6 +38,7 @@
 #include "nsflags.h"
 #include "nulstr-util.h"
 #include "os-util.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "pidref.h"
 #include "process-util.h"
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@ -121,9 +121,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
                if (r >= 0) {
                        if (type == SELINUX_AVC)
-                                sym_audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
+                                audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
                        else if (type == SELINUX_ERROR)
-                                sym_audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
+                                audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
                        return 0;
                }
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -35,6 +35,7 @@
 #include "id128-util.h"
 #include "install.h"
 #include "iovec-util.h"
 #include "label-util.h"
 #include "load-dropin.h"
 #include "load-fragment.h"
 #include "log.h"
@ -43,7 +44,6 @@
 #include "manager.h"
 #include "mount-util.h"
 #include "mountpoint-util.h"
 #include "netlink-internal.h"
 #include "path-util.h"
 #include "process-util.h"
 #include "quota-util.h"
@ -5290,17 +5290,19 @@ static void unit_modify_user_nft_set(Unit *u, bool add, NFTSetSource source, uin
        if (!c)
                return;
-        if (!u->manager->nfnl) {
+        if (!u->manager->fw_ctx) {
-                r = sd_nfnl_socket_open(&u->manager->nfnl);
+                r = fw_ctx_new_full(&u->manager->fw_ctx, /* init_tables= */ false);
                if (r < 0)
                        return;
                assert(u->manager->fw_ctx);
        }
        FOREACH_ARRAY(nft_set, c->nft_set_context.sets, c->nft_set_context.n_sets) {
                if (nft_set->source != source)
                        continue;
-                r = nft_set_element_modify_any(u->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
+                r = nft_set_element_modify_any(u->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
                if (r < 0)
                        log_warning_errno(r, "Failed to %s NFT set entry: family %s, table %s, set %s, ID %u, ignoring: %m",
                                          add? "add" : "delete", nfproto_to_string(nft_set->nfproto), nft_set->table, nft_set->set, element);
--- a/src/core/varlink-cgroup.c
+++ b/src/core/varlink-cgroup.c
@ -615,9 +615,5 @@ int unit_cgroup_runtime_build_json(sd_json_variant **ret, const char *name, void
                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOReadBytes", get_io_counter_build_json, u),
                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOReadOperations", get_io_counter_build_json, u),
                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteBytes", get_io_counter_build_json, u),
-                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteOperations", get_io_counter_build_json, u),
+                        JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteOperations", get_io_counter_build_json, u));
                        /* OOM */
                        SD_JSON_BUILD_PAIR_UNSIGNED("OOMKills", crt->oom_kill_last),
                        SD_JSON_BUILD_PAIR_UNSIGNED("ManagedOOMKills", crt->managed_oom_kill_last));
 }
--- a/src/core/varlink-dynamic-user.c
+++ b/src/core/varlink-dynamic-user.c
@ -3,6 +3,7 @@
 #include "sd-varlink.h"
 #include "dynamic-user.h"
 #include "errno-util.h"
 #include "hashmap.h"
 #include "json-util.h"
 #include "manager.h"
--- a/src/core/varlink-unit.c
+++ b/src/core/varlink-unit.c
@ -13,7 +13,9 @@
 #include "set.h"
 #include "strv.h"
 #include "unit.h"
 #include "unit-name.h"
 #include "varlink-cgroup.h"
 #include "varlink-common.h"
 #include "varlink-unit.h"
 #include "varlink-util.h"
--- a/src/core/varlink.c
+++ b/src/core/varlink.c
@ -4,6 +4,7 @@
 #include "constants.h"
 #include "errno-util.h"
 #include "json-util.h"
 #include "manager.h"
 #include "path-util.h"
 #include "pidref.h"
--- a/src/fsck/fsck.c
+++ b/src/fsck/fsck.c
@ -22,6 +22,7 @@
 #include "fs-util.h"
 #include "fsck-util.h"
 #include "main-func.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "proc-cmdline.h"
 #include "process-util.h"
--- a/src/fuzz/fuzz-varlink.c
+++ b/src/fuzz/fuzz-varlink.c
@ -9,6 +9,7 @@
 #include "fuzz.h"
 #include "hexdecoct.h"
 #include "iovec-util.h"
 #include "log.h"
 static FILE *null = NULL;
--- a/src/import/pull-common.c
+++ b/src/import/pull-common.c
@ -6,6 +6,7 @@
 #include "dirent-util.h"
 #include "escape.h"
 #include "fd-util.h"
 #include "hexdecoct.h"
 #include "io-util.h"
 #include "log.h"
 #include "memory-util.h"
--- a/src/import/pull-job.c
+++ b/src/import/pull-job.c
@ -759,7 +759,7 @@ int pull_job_begin(PullJob *j) {
        if (curl_easy_setopt(j->curl, CURLOPT_XFERINFODATA, j) != CURLE_OK)
                return -EIO;
-        if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0L) != CURLE_OK)
+        if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0) != CURLE_OK)
                return -EIO;
        r = curl_glue_add(j->glue, j->curl);
--- a/src/include/override/fcntl.h
+++ b/src/include/override/fcntl.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <fcntl.h>         /* IWYU pragma: export */
+#include_next <fcntl.h>
 /* This is defined since glibc-2.41. */
 #ifndef F_DUPFD_QUERY
--- a/src/include/override/malloc.h
+++ b/src/include/override/malloc.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <malloc.h>        /* IWYU pragma: export */
+#include_next <malloc.h>
 #if !HAVE_MALLINFO2
 struct mallinfo2 {
--- a/src/include/override/sched.h
+++ b/src/include/override/sched.h
@ -6,7 +6,7 @@
 * Note, this must be included before sched.h, otherwise the headers conflict with each other. */
 #include <linux/sched/types.h>
-#include_next <sched.h>         /* IWYU pragma: export */
+#include_next <sched.h>
 #include <assert.h>
--- a/src/include/override/signal.h
+++ b/src/include/override/signal.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <signal.h>        /* IWYU pragma: export */
+#include_next <signal.h>
 #if !HAVE_RT_TGSIGQUEUEINFO
 int missing_rt_tgsigqueueinfo(pid_t tgid, pid_t tid, int sig, siginfo_t *info);
--- a/src/include/override/sys/mman.h
+++ b/src/include/override/sys/mman.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <sys/mman.h>      /* IWYU pragma: export */
+#include_next <sys/mman.h>
 #include <assert.h>
--- a/src/include/override/sys/pidfd.h
+++ b/src/include/override/sys/pidfd.h
@ -3,7 +3,7 @@
 /* since glibc-2.36 */
 #if HAVE_PIDFD_OPEN
-#include_next <sys/pidfd.h>     /* IWYU pragma: export */
+#include_next <sys/pidfd.h>
 #endif
 #include <linux/types.h>
--- a/src/include/override/sys/quota.h
+++ b/src/include/override/sys/quota.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <sys/quota.h>     /* IWYU pragma: export */
+#include_next <sys/quota.h>
 /* Supported since kernel v5.14 (64c2c2c62f92339b176ea24403d8db16db36f9e6). */
 #if !HAVE_QUOTACTL_FD
--- a/src/include/override/sys/random.h
+++ b/src/include/override/sys/random.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <sys/random.h>    /* IWYU pragma: export */
+#include_next <sys/random.h>
 #include <assert.h>
--- a/src/include/override/sys/socket.h
+++ b/src/include/override/sys/socket.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <sys/socket.h>    /* IWYU pragma: export */
+#include_next <sys/socket.h>
 /* Supported since kernel v6.5 (5e2ff6704a275be009be8979af17c52361b79b89) */
 #ifndef SO_PASSPIDFD
--- a/src/include/override/sys/stat.h
+++ b/src/include/override/sys/stat.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <sys/stat.h>      /* IWYU pragma: export */
+#include_next <sys/stat.h>
 /* Supported since kernel v6.6 (78252deb023cf0879256fcfbafe37022c390762b). */
 #if !HAVE_FCHMODAT2
--- a/src/include/override/sys/syscall.h
+++ b/src/include/override/sys/syscall.h
@ -9,7 +9,7 @@
 */
 #pragma once
-#include_next <sys/syscall.h>   /* IWYU pragma: export */
+#include_next <sys/syscall.h>
 #ifdef ARCH_MIPS
 #include <asm/sgidefs.h>
--- a/src/include/override/sys/wait.h
+++ b/src/include/override/sys/wait.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <sys/wait.h>      /* IWYU pragma: export */
+#include_next <sys/wait.h>
 #include <assert.h>
--- a/src/include/override/sys/xattr.h
+++ b/src/include/override/sys/xattr.h
@ -3,9 +3,9 @@
 /* To make struct xattr_args defined, which is used by setxattrat(). Note, the kernel header must be
 * included before the glibc header, otherwise the struct will not be defined. */
-#include <linux/xattr.h>        /* IWYU pragma: export */
+#include <linux/xattr.h>
-#include_next <sys/xattr.h>     /* IWYU pragma: export */
+#include_next <sys/xattr.h>
 /* Supported since kernel v6.13 (6140be90ec70c39fa844741ca3cc807dd0866394). */
 #if !HAVE_SETXATTRAT
--- a/src/include/override/unistd.h
+++ b/src/include/override/unistd.h
@ -1,7 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
-#include_next <unistd.h>        /* IWYU pragma: export */
+#include_next <unistd.h>
 /* Defined since glibc-2.34.
 * Supported since kernel v5.9 (9b4feb630e8e9801603f3cab3a36369e3c1cf88d). */
--- a/src/journal-remote/journal-upload.c
+++ b/src/journal-remote/journal-upload.c
@ -308,7 +308,7 @@ int start_upload(Uploader *u,
                }
                if (STRPTR_IN_SET(arg_trust, "-", "all"))
-                        easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L,
+                        easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
                                    LOG_ERR, return -EUCLEAN);
                else if (arg_trust || startswith(u->url, "https://"))
                        easy_setopt(curl, CURLOPT_CAINFO, arg_trust ?: TRUST_FILE,
--- a/src/journal/journald-manager.c
+++ b/src/journal/journald-manager.c
@ -18,6 +18,8 @@
 #include "alloc-util.h"
 #include "audit-util.h"
 #include "cgroup-util.h"
 #include "conf-parser.h"
 #include "creds-util.h"
 #include "daemon-util.h"
 #include "dirent-util.h"
 #include "errno-util.h"
@ -51,12 +53,14 @@
 #include "log-ratelimit.h"
 #include "memory-util.h"
 #include "mkdir.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "prioq.h"
 #include "process-util.h"
 #include "rm-rf.h"
 #include "set.h"
 #include "signal-util.h"
 #include "socket-netlink.h"
 #include "socket-util.h"
 #include "stdio-util.h"
 #include "string-util.h"
--- a/src/journal/journald-manager.h
+++ b/src/journal/journald-manager.h
@ -7,6 +7,7 @@
 #include "journald-forward.h"
 #include "list.h"
 #include "ratelimit.h"
 #include "socket-util.h"
 typedef struct JournalStorageSpace {
        usec_t   timestamp;
--- a/src/journal/test-journald-tables.c
+++ b/src/journal/test-journald-tables.c
@ -1,6 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
-#include "journald-config.h"
+#include "journald-manager.h"
 #include "test-tables.h"
 #include "tests.h"
--- a/src/libsystemd-network/sd-dhcp-client-id.c
+++ b/src/libsystemd-network/sd-dhcp-client-id.c
@ -4,6 +4,7 @@
 #include "dhcp-client-id-internal.h"
 #include "iovec-util.h"
 #include "json-util.h"
 #include "log.h"
 #include "siphash24.h"
 #include "string-util.h"
 #include "unaligned.h"
--- a/src/libsystemd-network/test-lldp-rx.c
+++ b/src/libsystemd-network/test-lldp-rx.c
@ -6,10 +6,10 @@
 #include <unistd.h>
 #include "sd-event.h"
 #include "sd-json.h"
 #include "sd-lldp-rx.h"
 #include "fd-util.h"
 #include "json-util.h"
 #include "lldp-neighbor.h"
 #include "lldp-network.h"
 #include "tests.h"
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@ -34,6 +34,7 @@
 #include "path-util.h"
 #include "prioq.h"
 #include "random-util.h"
 #include "ratelimit.h"
 #include "sort-util.h"
 #include "stat-util.h"
 #include "string-table.h"
--- a/src/libsystemd/sd-journal/journal-send.c
+++ b/src/libsystemd/sd-journal/journal-send.c
@ -16,6 +16,7 @@
 #include "io-util.h"
 #include "iovec-util.h"
 #include "journal-send.h"
 #include "log.h"
 #include "memfd-util.h"
 #include "process-util.h"
 #include "socket-util.h"
--- a/src/libsystemd/sd-journal/journal-vacuum.c
+++ b/src/libsystemd/sd-journal/journal-vacuum.c
@ -16,6 +16,7 @@
 #include "journal-vacuum.h"
 #include "log.h"
 #include "log-ratelimit.h"
 #include "ratelimit.h"
 #include "sort-util.h"
 #include "string-util.h"
 #include "time-util.h"
--- a/src/libsystemd/sd-netlink/netlink-message-nfnl.c
+++ b/src/libsystemd/sd-netlink/netlink-message-nfnl.c
@ -9,6 +9,7 @@
 #include "alloc-util.h"
 #include "errno-util.h"
 #include "iovec-util.h"
 #include "log.h"
 #include "netlink-internal.h"
 #include "netlink-util.h"
--- a/src/libsystemd/sd-netlink/sd-netlink.c
+++ b/src/libsystemd/sd-netlink/sd-netlink.c
@ -466,8 +466,7 @@ static int timeout_compare(const void *a, const void *b) {
 }
 size_t netlink_get_reply_callback_count(sd_netlink *nl) {
-        if (!nl)
+        assert(nl);
                return 0;
        return hashmap_size(nl->reply_callbacks);
 }
--- a/src/libsystemd/sd-resolve/sd-resolve.c
+++ b/src/libsystemd/sd-resolve/sd-resolve.c
@ -19,6 +19,7 @@
 #include "io-util.h"
 #include "iovec-util.h"
 #include "list.h"
 #include "log.h"
 #include "memory-util.h"
 #include "process-util.h"
 #include "resolve-private.h"
--- a/src/machine/machine.c
+++ b/src/machine/machine.c
@ -15,6 +15,7 @@
 #include "bus-unit-util.h"
 #include "env-file.h"
 #include "errno-util.h"
 #include "escape.h"
 #include "extract-word.h"
 #include "fd-util.h"
 #include "fileio.h"
--- a/src/network/networkd-address.c
+++ b/src/network/networkd-address.c
@ -669,10 +669,6 @@ static int address_set_masquerade(Address *address, bool add) {
        assert(address);
        assert(address->link);
        assert(address->link->manager);
        if (!address->link->manager->nfnl)
                return 0;
        if (!address->link->network)
                return 0;
@ -691,7 +687,7 @@ static int address_set_masquerade(Address *address, bool add) {
        if (r < 0)
                return r;
-        r = fw_nftables_add_masquerade(address->link->manager->nfnl, add, address->family, &masked, address->prefixlen);
+        r = fw_add_masquerade(&address->link->manager->fw_ctx, add, address->family, &masked, address->prefixlen);
        if (r < 0)
                return r;
@ -706,9 +702,14 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
        assert(address);
        assert(address->link);
        assert(address->link->manager);
        assert(address->link->manager->nfnl);
        assert(nft_set_context);
        if (!address->link->manager->fw_ctx) {
                r = fw_ctx_new_full(&address->link->manager->fw_ctx, /* init_tables= */ false);
                if (r < 0)
                        return;
        }
        FOREACH_ARRAY(nft_set, nft_set_context->sets, nft_set_context->n_sets) {
                uint32_t ifindex;
@ -716,16 +717,16 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
                switch (nft_set->source) {
                case NFT_SET_SOURCE_ADDRESS:
-                        r = nft_set_element_modify_ip(address->link->manager->nfnl, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
+                        r = nft_set_element_modify_ip(address->link->manager->fw_ctx, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
                                                      &address->in_addr);
                        break;
                case NFT_SET_SOURCE_PREFIX:
-                        r = nft_set_element_modify_iprange(address->link->manager->nfnl, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
+                        r = nft_set_element_modify_iprange(address->link->manager->fw_ctx, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
                                                           &address->in_addr, address->prefixlen);
                        break;
                case NFT_SET_SOURCE_IFINDEX:
                        ifindex = address->link->ifindex;
-                        r = nft_set_element_modify_any(address->link->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set,
+                        r = nft_set_element_modify_any(address->link->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set,
                                                       &ifindex, sizeof(ifindex));
                        break;
                default:
@ -748,10 +749,6 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
 static void address_modify_nft_set(Address *address, bool add) {
        assert(address);
        assert(address->link);
        assert(address->link->manager);
        if (!address->link->manager->nfnl)
                return;
        if (!IN_SET(address->family, AF_INET, AF_INET6))
                return;
--- a/src/network/networkd-ipv6ll.c
+++ b/src/network/networkd-ipv6ll.c
@ -15,6 +15,7 @@
 #include "siphash24.h"
 #include "socket-util.h"
 #include "string-table.h"
 #include "string-util.h"
 #include "strv.h"
 #include "sysctl-util.h"
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@ -23,9 +23,9 @@
 #include "env-util.h"
 #include "errno-util.h"
 #include "fd-util.h"
 #include "firewall-util.h"
 #include "initrd-util.h"
 #include "mount-util.h"
 #include "netlink-internal.h"
 #include "netlink-util.h"
 #include "networkd-address.h"
 #include "networkd-address-label.h"
@ -285,28 +285,6 @@ static int manager_connect_genl(Manager *m) {
        return 0;
 }
 static int manager_connect_nfnl(Manager *m) {
        int r;
        assert(m);
        r = sd_nfnl_socket_open(&m->nfnl);
        if (r < 0) {
                log_warning_errno(r, "Failed to open nftables netlink socket. IPMasquerade= and NFTSet= settings will not be applied. Ignoring: %m");
                return 0;
        }
        r = sd_netlink_increase_rxbuf(m->nfnl, RCVBUF_SIZE);
        if (r < 0)
                log_warning_errno(r, "Failed to increase receive buffer size for nftables netlink socket, ignoring: %m");
        r = sd_netlink_attach_event(m->nfnl, m->event, 0);
        if (r < 0)
                return r;
        return 0;
 }
 static int manager_setup_rtnl_filter(Manager *manager) {
        struct sock_filter filter[] = {
                /* Check the packet length. */
@ -457,7 +435,7 @@ static int manager_post_handler(sd_event_source *s, void *userdata) {
                if (netlink_get_reply_callback_count(manager->rtnl) > 0 ||
                    netlink_get_reply_callback_count(manager->genl) > 0 ||
-                    netlink_get_reply_callback_count(manager->nfnl) > 0)
+                    fw_ctx_get_reply_callback_count(manager->fw_ctx) > 0)
                        return 0; /* There are some message calls waiting for their replies. */
                (void) manager_serialize(manager);
@ -579,10 +557,6 @@ int manager_setup(Manager *m) {
        if (r < 0)
                return r;
        r = manager_connect_nfnl(m);
        if (r < 0)
                return r;
        if (m->test_mode)
                return 0;
@ -722,7 +696,6 @@ Manager* manager_free(Manager *m) {
        sd_netlink_unref(m->rtnl);
        sd_netlink_unref(m->genl);
        sd_netlink_unref(m->nfnl);
        sd_resolve_unref(m->resolve);
        m->routes = set_free(m->routes);
@ -747,6 +720,8 @@ Manager* manager_free(Manager *m) {
        safe_close(m->ethtool_fd);
        safe_close(m->persistent_storage_fd);
        m->fw_ctx = fw_ctx_free(m->fw_ctx);
        m->serialization_fd = safe_close(m->serialization_fd);
        return mfree(m);
--- a/src/network/networkd-manager.h
+++ b/src/network/networkd-manager.h
@ -17,7 +17,6 @@ typedef struct Manager {
        sd_netlink *rtnl;
        /* lazy initialized */
        sd_netlink *genl;
        sd_netlink *nfnl;
        sd_event *event;
        sd_resolve *resolve;
        sd_bus *bus;
@ -104,6 +103,8 @@ typedef struct Manager {
        usec_t speed_meter_usec_new;
        usec_t speed_meter_usec_old;
        FirewallContext *fw_ctx;
        bool request_queued;
        OrderedSet *request_queue;
        OrderedSet *remove_request_queue;
--- a/src/network/networkd-queue.c
+++ b/src/network/networkd-queue.c
@ -293,7 +293,7 @@ int manager_process_requests(Manager *manager) {
                 * queued, then this event may make reply callback queue in sd-netlink full. */
                if (netlink_get_reply_callback_count(manager->rtnl) >= REPLY_CALLBACK_COUNT_THRESHOLD ||
                    netlink_get_reply_callback_count(manager->genl) >= REPLY_CALLBACK_COUNT_THRESHOLD ||
-                    netlink_get_reply_callback_count(manager->nfnl) >= REPLY_CALLBACK_COUNT_THRESHOLD)
+                    fw_ctx_get_reply_callback_count(manager->fw_ctx) >= REPLY_CALLBACK_COUNT_THRESHOLD)
                        break;
                /* Avoid the request and link freed by req->process() and request_detach(). */
--- a/src/nspawn/nspawn-expose-ports.c
+++ b/src/nspawn/nspawn-expose-ports.c
@ -76,13 +76,12 @@ void expose_port_free_all(ExposePort *p) {
        LIST_CLEAR(ports, p, free);
 }
-int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_union *exposed) {
+int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) {
        int r;
        assert(IN_SET(af, AF_INET, AF_INET6));
        assert(exposed);
-        if (!nfnl || !l)
+        if (!l)
                return 0;
        if (!in_addr_is_set(af, exposed))
@ -91,15 +90,14 @@ int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_uni
        log_debug("Lost IP address.");
        LIST_FOREACH(ports, p, l) {
-                r = fw_nftables_add_local_dnat(
+                r = fw_add_local_dnat(fw_ctx,
-                                nfnl,
+                                      false,
-                                /* add = */ false,
+                                      af,
-                                af,
+                                      p->protocol,
-                                p->protocol,
+                                      p->host_port,
-                                p->host_port,
+                                      exposed,
-                                exposed,
+                                      p->container_port,
-                                p->container_port,
+                                      NULL);
                                /* previous_remote = */ NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
        }
@ -108,15 +106,12 @@ int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_uni
        return 0;
 }
-int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int af, union in_addr_union *exposed) {
+int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) {
        _cleanup_free_ struct local_address *addresses = NULL;
        union in_addr_union new_exposed;
        bool add;
        int r;
        assert(rtnl);
        assert(nfnl);
        assert(IN_SET(af, AF_INET, AF_INET6));
        assert(exposed);
        /* Invoked each time an address is added or removed inside the
@ -134,7 +129,7 @@ int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int a
                addresses[0].scope < RT_SCOPE_LINK;
        if (!add)
-                return expose_port_flush(nfnl, l, af, exposed);
+                return expose_port_flush(fw_ctx, l, af, exposed);
        new_exposed = addresses[0].address;
        if (in_addr_equal(af, exposed, &new_exposed))
@ -143,15 +138,14 @@ int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int a
        log_debug("New container IP is %s.", IN_ADDR_TO_STRING(af, &new_exposed));
        LIST_FOREACH(ports, p, l) {
-                r = fw_nftables_add_local_dnat(
+                r = fw_add_local_dnat(fw_ctx,
-                                nfnl,
+                                      true,
-                                /* add = */ true,
+                                      af,
-                                af,
+                                      p->protocol,
-                                p->protocol,
+                                      p->host_port,
-                                p->host_port,
+                                      &new_exposed,
-                                &new_exposed,
+                                      p->container_port,
-                                p->container_port,
+                                      in_addr_is_set(af, exposed) ? exposed : NULL);
                                in_addr_is_set(af, exposed) ? exposed : NULL);
                if (r < 0)
                        log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
        }
--- a/src/nspawn/nspawn-expose-ports.h
+++ b/src/nspawn/nspawn-expose-ports.h
@ -1,6 +1,7 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 #include "firewall-util.h"
 #include "forward.h"
 #include "list.h"
@ -17,5 +18,5 @@ int expose_port_parse(ExposePort **l, const char *s);
 int expose_port_watch_rtnl(sd_event *event, int recv_fd, sd_netlink_message_handler_t handler, void *userdata, sd_netlink **ret);
 int expose_port_send_rtnl(int send_fd);
-int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int af, union in_addr_union *exposed);
+int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed);
-int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_union *exposed);
+int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed);
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@ -13,6 +13,7 @@
 #include "nspawn-network.h"
 #include "nspawn-settings.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "process-util.h"
 #include "rlimit-util.h"
 #include "socket-util.h"
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -71,7 +71,6 @@
 #include "mount-util.h"
 #include "mountpoint-util.h"
 #include "namespace-util.h"
 #include "netlink-internal.h"
 #include "notify-recv.h"
 #include "nspawn-bind-user.h"
 #include "nspawn-cgroup.h"
@ -2540,7 +2539,7 @@ static int setup_kmsg(int fd_inner_socket) {
 struct ExposeArgs {
        union in_addr_union address4;
        union in_addr_union address6;
-        sd_netlink *nfnl;
+        struct FirewallContext *fw_ctx;
 };
 static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
@ -2549,8 +2548,8 @@ static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *user
        assert(rtnl);
        assert(m);
-        (void) expose_port_execute(rtnl, args->nfnl, arg_expose_ports, AF_INET, &args->address4);
+        (void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET, &args->address4);
-        (void) expose_port_execute(rtnl, args->nfnl, arg_expose_ports, AF_INET6, &args->address6);
+        (void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET6, &args->address6);
        return 0;
 }
@ -5608,8 +5607,8 @@ static int run_container(
                if (r < 0)
                        return r;
-                (void) expose_port_execute(rtnl, expose_args->nfnl, arg_expose_ports, AF_INET, &expose_args->address4);
+                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
-                (void) expose_port_execute(rtnl, expose_args->nfnl, arg_expose_ports, AF_INET6, &expose_args->address6);
+                (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
        }
        _cleanup_(osc_context_closep) sd_id128_t osc_context_id = SD_ID128_NULL;
@ -5731,8 +5730,8 @@ static int run_container(
                return 0; /* finito */
        }
-        expose_port_flush(expose_args->nfnl, arg_expose_ports, AF_INET, &expose_args->address4);
+        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
-        expose_port_flush(expose_args->nfnl, arg_expose_ports, AF_INET6, &expose_args->address6);
+        expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
        (void) remove_veth_links(veth_name, arg_network_veth_extra);
        *veth_created = false;
@ -5901,7 +5900,7 @@ static int run(int argc, char *argv[]) {
        _cleanup_(rmdir_and_freep) char *rootdir = NULL;
        _cleanup_(loop_device_unrefp) LoopDevice *loop = NULL;
        _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
-        _cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
+        _cleanup_(fw_ctx_freep) FirewallContext *fw_ctx = NULL;
        _cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
        log_setup();
@ -6386,12 +6385,12 @@ static int run(int argc, char *argv[]) {
        }
        if (arg_expose_ports) {
-                r = sd_nfnl_socket_open(&nfnl);
+                r = fw_ctx_new(&fw_ctx);
                if (r < 0) {
-                        log_error_errno(r, "Cannot expose configured ports, failed to initialize nftables: %m");
+                        log_error_errno(r, "Cannot expose configured ports, firewall initialization failed: %m");
                        goto finish;
                }
-                expose_args.nfnl = nfnl;
+                expose_args.fw_ctx = fw_ctx;
        }
        for (;;) {
@ -6455,8 +6454,8 @@ finish:
        cleanup_propagation_and_export_directories();
-        expose_port_flush(nfnl, arg_expose_ports, AF_INET,  &expose_args.address4);
+        expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET,  &expose_args.address4);
-        expose_port_flush(nfnl, arg_expose_ports, AF_INET6, &expose_args.address6);
+        expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET6, &expose_args.address6);
        if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
                if (veth_created)
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@ -789,11 +789,7 @@ static Partition* partition_unlink_and_free(Context *context, Partition *p) {
 DEFINE_TRIVIAL_CLEANUP_FUNC(Partition*, partition_free);
-static Context* context_new(
+static Context* context_new(sd_id128_t seed, X509 *certificate, EVP_PKEY *private_key) {
                sd_id128_t seed,
                X509 *certificate,
                EVP_PKEY *private_key) {
        Context *context;
        /* Note: This function takes ownership of the certificate and private_key arguments. */
@ -3449,7 +3445,7 @@ static int context_load_partition_table(Context *context) {
                        /* Use the fallback values if we have no better idea */
                        context->sector_size = fdisk_get_sector_size(c);
                        context->default_fs_sector_size = fs_secsz;
-                        context->grain_size = MAX(context->sector_size, 4096U);
+                        context->grain_size = 4096;
                        return /* from_scratch = */ true;
                }
@ -5493,9 +5489,9 @@ static int progress_bytes(uint64_t n_bytes, uint64_t bps, void *userdata) {
                                strna(p->copy_blocks_path),
                                glyph(GLYPH_ARROW_RIGHT),
                                strna(p->definition_path),
-                                FORMAT_BYTES_WITH_POINT(p->copy_blocks_done),
+                                FORMAT_BYTES(p->copy_blocks_done),
-                                FORMAT_BYTES_WITH_POINT(p->copy_blocks_size),
+                                FORMAT_BYTES(p->copy_blocks_size),
-                                FORMAT_BYTES_WITH_POINT(bps));
+                                FORMAT_BYTES(bps));
        else
                (void) draw_progress_barf(
                                percent,
@ -5503,8 +5499,8 @@ static int progress_bytes(uint64_t n_bytes, uint64_t bps, void *userdata) {
                                strna(p->copy_blocks_path),
                                glyph(GLYPH_ARROW_RIGHT),
                                strna(p->definition_path),
-                                FORMAT_BYTES_WITH_POINT(p->copy_blocks_done),
+                                FORMAT_BYTES(p->copy_blocks_done),
-                                FORMAT_BYTES_WITH_POINT(p->copy_blocks_size));
+                                FORMAT_BYTES(p->copy_blocks_size));
        p->last_percent = percent;
@ -8670,13 +8666,7 @@ static int help(void) {
        return 0;
 }
-static int parse_argv(
+static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY **ret_private_key, OpenSSLAskPasswordUI **ret_ui) {
                int argc,
                char *argv[],
                X509 **ret_certificate,
                EVP_PKEY **ret_private_key,
                OpenSSLAskPasswordUI **ret_ui) {
        enum {
                ARG_VERSION = 0x100,
                ARG_NO_PAGER,
--- a/src/resolve/resolved-dns-browse-services.c
+++ b/src/resolve/resolved-dns-browse-services.c
@ -1,10 +1,9 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include "af-list.h"
 #include "alloc-util.h"
 #include "event-util.h"
 #include "dns-domain.h"
-#include "log.h"
+#include "json-util.h"
 #include "random-util.h"
 #include "resolved-dns-browse-services.h"
 #include "resolved-dns-cache.h"
@ -13,8 +12,8 @@
 #include "resolved-dns-rr.h"
 #include "resolved-dns-scope.h"
 #include "resolved-manager.h"
 #include "resolved-varlink.h"
 #include "string-table.h"
 #include "string-util.h"
 typedef enum BrowseServiceUpdateEvent {
        BROWSE_SERVICE_UPDATE_ADDED,
--- a/src/resolve/resolved-dnstls.c
+++ b/src/resolve/resolved-dnstls.c
@ -7,6 +7,7 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include <sys/epoll.h>
 #include "alloc-util.h"
 #include "openssl-util.h"
--- a/src/resolve/resolved-varlink.c
+++ b/src/resolve/resolved-varlink.c
@ -7,6 +7,7 @@
 #include "dns-domain.h"
 #include "dns-type.h"
 #include "errno-util.h"
 #include "glyph-util.h"
 #include "in-addr-util.h"
 #include "iovec-util.h"
 #include "json-util.h"
--- a/src/run/run.c
+++ b/src/run/run.c
@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/resource.h>
 #include <sys/stat.h>
 #include <unistd.h>
 #include "sd-bus.h"
--- a/src/shared/cpu-set-util.c
+++ b/src/shared/cpu-set-util.c
@ -8,6 +8,7 @@
 #include "bitfield.h"
 #include "cpu-set-util.h"
 #include "extract-word.h"
 #include "hexdecoct.h"
 #include "log.h"
 #include "parse-util.h"
 #include "string-util.h"
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@ -1209,7 +1209,7 @@ int decrypt_credential_and_warn(
         *   -EHWPOISON    → Attempt to decode NULL key (and CREDENTIAL_ALLOW_NULL is off), but the system has a TPM and SecureBoot is on
         *   -EMEDIUMTYPE  → File has unexpected scope, i.e. user-scoped credential is attempted to be unlocked in system scope, or vice versa
         *   -EDESTADDRREQ → Credential is incorrectly named (i.e. the authenticated name does not match the actual name)
-         *   -ESTALE       → Credential's validity has passed
+         *   -ESTALE       → Credential's valdity has passed
         *   -ESRCH        → User specified for scope does not exist on this system
         *
         *   (plus the various error codes tpm2_unseal() returns) */
--- a/src/shared/firewall-util-iptables.c
+++ b/src/shared/firewall-util-iptables.c
@ -0,0 +1,383 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include <endian.h>
 #include <libiptc/libiptc.h>
 #include <linux/netfilter/nf_nat.h>
 #include <linux/netfilter/xt_addrtype.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <string.h>
 #include "alloc-util.h"
 #include "dlfcn-util.h"
 #include "firewall-util-private.h"
 #include "in-addr-util.h"
 #include "log.h"
 #include "socket-util.h"
 static DLSYM_PROTOTYPE(iptc_check_entry) = NULL;
 static DLSYM_PROTOTYPE(iptc_commit) = NULL;
 static DLSYM_PROTOTYPE(iptc_delete_entry) = NULL;
 static DLSYM_PROTOTYPE(iptc_free) = NULL;
 static DLSYM_PROTOTYPE(iptc_init) = NULL;
 static DLSYM_PROTOTYPE(iptc_insert_entry) = NULL;
 static DLSYM_PROTOTYPE(iptc_strerror) = NULL;
 static void *iptc_dl = NULL;
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(struct xtc_handle*, sym_iptc_free, NULL);
 static int entry_fill_basics(
                struct ipt_entry *entry,
                int protocol,
                const char *in_interface,
                const union in_addr_union *source,
                unsigned source_prefixlen,
                const char *out_interface,
                const union in_addr_union *destination,
                unsigned destination_prefixlen) {
        assert(entry);
        if (out_interface && !ifname_valid(out_interface))
                return -EINVAL;
        if (in_interface && !ifname_valid(in_interface))
                return -EINVAL;
        entry->ip.proto = protocol;
        if (in_interface) {
                size_t l;
                l = strlen(in_interface);
                assert(l < sizeof entry->ip.iniface);
                assert(l < sizeof entry->ip.iniface_mask);
                strcpy(entry->ip.iniface, in_interface);
                memset(entry->ip.iniface_mask, 0xFF, l + 1);
        }
        if (source) {
                entry->ip.src = source->in;
                in4_addr_prefixlen_to_netmask(&entry->ip.smsk, source_prefixlen);
        }
        if (out_interface) {
                size_t l = strlen(out_interface);
                assert(l < sizeof entry->ip.outiface);
                assert(l < sizeof entry->ip.outiface_mask);
                strcpy(entry->ip.outiface, out_interface);
                memset(entry->ip.outiface_mask, 0xFF, l + 1);
        }
        if (destination) {
                entry->ip.dst = destination->in;
                in4_addr_prefixlen_to_netmask(&entry->ip.dmsk, destination_prefixlen);
        }
        return 0;
 }
 int fw_iptables_add_masquerade(
                bool add,
                int af,
                const union in_addr_union *source,
                unsigned source_prefixlen) {
        static const xt_chainlabel chain = "POSTROUTING";
        _cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
        struct ipt_entry *entry, *mask;
        struct ipt_entry_target *t;
        size_t sz;
        struct nf_nat_ipv4_multi_range_compat *mr;
        int r, protocol = 0;
        const char *out_interface = NULL;
        const union in_addr_union *destination = NULL;
        unsigned destination_prefixlen = 0;
        if (af != AF_INET)
                return -EOPNOTSUPP;
        if (!source || source_prefixlen == 0)
                return -EINVAL;
        r = fw_iptables_init_nat(&h);
        if (r < 0)
                return r;
        sz = XT_ALIGN(sizeof(struct ipt_entry)) +
             XT_ALIGN(sizeof(struct ipt_entry_target)) +
             XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
        /* Put together the entry we want to add or remove */
        entry = alloca0(sz);
        entry->next_offset = sz;
        entry->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
        r = entry_fill_basics(entry, protocol, NULL, source, source_prefixlen, out_interface, destination, destination_prefixlen);
        if (r < 0)
                return r;
        /* Fill in target part */
        t = ipt_get_target(entry);
        t->u.target_size =
                XT_ALIGN(sizeof(struct ipt_entry_target)) +
                XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
        strncpy(t->u.user.name, "MASQUERADE", sizeof(t->u.user.name));
        mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
        mr->rangesize = 1;
        /* Create a search mask entry */
        mask = alloca_safe(sz);
        memset(mask, 0xFF, sz);
        if (add) {
                if (sym_iptc_check_entry(chain, entry, (unsigned char*) mask, h))
                        return 0;
                if (errno != ENOENT) /* if other error than not existing yet, fail */
                        return -errno;
                if (!sym_iptc_insert_entry(chain, entry, 0, h))
                        return -errno;
        } else {
                if (!sym_iptc_delete_entry(chain, entry, (unsigned char*) mask, h)) {
                        if (errno == ENOENT) /* if it's already gone, all is good! */
                                return 0;
                        return -errno;
                }
        }
        if (!sym_iptc_commit(h))
                return -errno;
        return 0;
 }
 int fw_iptables_add_local_dnat(
                bool add,
                int af,
                int protocol,
                uint16_t local_port,
                const union in_addr_union *remote,
                uint16_t remote_port,
                const union in_addr_union *previous_remote) {
        static const xt_chainlabel chain_pre = "PREROUTING", chain_output = "OUTPUT";
        _cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
        struct ipt_entry *entry, *mask;
        struct ipt_entry_target *t;
        struct ipt_entry_match *m;
        struct xt_addrtype_info_v1 *at;
        struct nf_nat_ipv4_multi_range_compat *mr;
        size_t sz, msz;
        int r;
        const char *in_interface = NULL;
        const union in_addr_union *source = NULL;
        unsigned source_prefixlen = 0;
        const union in_addr_union *destination = NULL;
        unsigned destination_prefixlen = 0;
        assert(add || !previous_remote);
        if (af != AF_INET)
                return -EOPNOTSUPP;
        if (!IN_SET(protocol, IPPROTO_TCP, IPPROTO_UDP))
                return -EOPNOTSUPP;
        if (local_port <= 0)
                return -EINVAL;
        if (remote_port <= 0)
                return -EINVAL;
        r = fw_iptables_init_nat(&h);
        if (r < 0)
                return r;
        sz = XT_ALIGN(sizeof(struct ipt_entry)) +
             XT_ALIGN(sizeof(struct ipt_entry_match)) +
             XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
             XT_ALIGN(sizeof(struct ipt_entry_target)) +
             XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
        if (protocol == IPPROTO_TCP)
                msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
                      XT_ALIGN(sizeof(struct xt_tcp));
        else
                msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
                      XT_ALIGN(sizeof(struct xt_udp));
        sz += msz;
        /* Fill in basic part */
        entry = alloca0(sz);
        entry->next_offset = sz;
        entry->target_offset =
                XT_ALIGN(sizeof(struct ipt_entry)) +
                XT_ALIGN(sizeof(struct ipt_entry_match)) +
                XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
                msz;
        r = entry_fill_basics(entry, protocol, in_interface, source, source_prefixlen, NULL, destination, destination_prefixlen);
        if (r < 0)
                return r;
        /* Fill in first match */
        m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)));
        m->u.match_size = msz;
        if (protocol == IPPROTO_TCP) {
                struct xt_tcp *tcp;
                strncpy(m->u.user.name, "tcp", sizeof(m->u.user.name));
                tcp = (struct xt_tcp*) m->data;
                tcp->dpts[0] = tcp->dpts[1] = local_port;
                tcp->spts[0] = 0;
                tcp->spts[1] = 0xFFFF;
        } else {
                struct xt_udp *udp;
                strncpy(m->u.user.name, "udp", sizeof(m->u.user.name));
                udp = (struct xt_udp*) m->data;
                udp->dpts[0] = udp->dpts[1] = local_port;
                udp->spts[0] = 0;
                udp->spts[1] = 0xFFFF;
        }
        /* Fill in second match */
        m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)) + msz);
        m->u.match_size =
                XT_ALIGN(sizeof(struct ipt_entry_match)) +
                XT_ALIGN(sizeof(struct xt_addrtype_info_v1));
        strncpy(m->u.user.name, "addrtype", sizeof(m->u.user.name));
        m->u.user.revision = 1;
        at = (struct xt_addrtype_info_v1*) m->data;
        at->dest = XT_ADDRTYPE_LOCAL;
        /* Fill in target part */
        t = ipt_get_target(entry);
        t->u.target_size =
                XT_ALIGN(sizeof(struct ipt_entry_target)) +
                XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
        strncpy(t->u.user.name, "DNAT", sizeof(t->u.user.name));
        mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
        mr->rangesize = 1;
        mr->range[0].flags = NF_NAT_RANGE_PROTO_SPECIFIED|NF_NAT_RANGE_MAP_IPS;
        mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
        if (protocol == IPPROTO_TCP)
                mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htobe16(remote_port);
        else
                mr->range[0].min.udp.port = mr->range[0].max.udp.port = htobe16(remote_port);
        mask = alloca0(sz);
        memset(mask, 0xFF, sz);
        if (add) {
                /* Add the PREROUTING rule, if it is missing so far */
                if (!sym_iptc_check_entry(chain_pre, entry, (unsigned char*) mask, h)) {
                        if (errno != ENOENT)
                                return -EINVAL;
                        if (!sym_iptc_insert_entry(chain_pre, entry, 0, h))
                                return -errno;
                }
                /* If a previous remote is set, remove its entry */
                if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
                        mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
                        if (!sym_iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
                                if (errno != ENOENT)
                                        return -errno;
                        }
                        mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
                }
                /* Add the OUTPUT rule, if it is missing so far */
                if (!in_interface) {
                        /* Don't apply onto loopback addresses */
                        if (!destination) {
                                entry->ip.dst.s_addr = htobe32(0x7F000000);
                                entry->ip.dmsk.s_addr = htobe32(0xFF000000);
                                entry->ip.invflags = IPT_INV_DSTIP;
                        }
                        if (!sym_iptc_check_entry(chain_output, entry, (unsigned char*) mask, h)) {
                                if (errno != ENOENT)
                                        return -errno;
                                if (!sym_iptc_insert_entry(chain_output, entry, 0, h))
                                        return -errno;
                        }
                        /* If a previous remote is set, remove its entry */
                        if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
                                mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
                                if (!sym_iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
                                        if (errno != ENOENT)
                                                return -errno;
                                }
                        }
                }
        } else {
                if (!sym_iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
                        if (errno != ENOENT)
                                return -errno;
                }
                if (!in_interface) {
                        if (!destination) {
                                entry->ip.dst.s_addr = htobe32(0x7F000000);
                                entry->ip.dmsk.s_addr = htobe32(0xFF000000);
                                entry->ip.invflags = IPT_INV_DSTIP;
                        }
                        if (!sym_iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
                                if (errno != ENOENT)
                                        return -errno;
                        }
                }
        }
        if (!sym_iptc_commit(h))
                return -errno;
        return 0;
 }
 static int dlopen_iptc(void) {
        ELF_NOTE_DLOPEN("ip4tc",
                        "Support for firewall rules with iptables backend",
                        ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED,
                        "libip4tc.so.2");
        return dlopen_many_sym_or_warn(
                        &iptc_dl,
                        "libip4tc.so.2", LOG_DEBUG,
                        DLSYM_ARG(iptc_check_entry),
                        DLSYM_ARG(iptc_commit),
                        DLSYM_ARG(iptc_delete_entry),
                        DLSYM_ARG(iptc_free),
                        DLSYM_ARG(iptc_init),
                        DLSYM_ARG(iptc_insert_entry),
                        DLSYM_ARG(iptc_strerror));
 }
 int fw_iptables_init_nat(struct xtc_handle **ret) {
        _cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
        int r;
        r = dlopen_iptc();
        if (r < 0)
                return r;
        h = sym_iptc_init("nat");
        if (!h)
                return log_debug_errno(errno, "Failed to init \"nat\" table: %s", sym_iptc_strerror(errno));
        if (ret)
                *ret = TAKE_PTR(h);
        return 0;
 }
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
--- a/src/shared/firewall-util-private.h
+++ b/src/shared/firewall-util-private.h
@ -0,0 +1,64 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 #include "firewall-util.h"
 #include "forward.h"
 typedef enum FirewallBackend {
        FW_BACKEND_NONE,
 #if HAVE_LIBIPTC
        FW_BACKEND_IPTABLES,
 #endif
        FW_BACKEND_NFTABLES,
        _FW_BACKEND_MAX,
        _FW_BACKEND_INVALID = -EINVAL,
 } FirewallBackend;
 struct FirewallContext {
        FirewallBackend backend;
        sd_netlink *nfnl;
 };
 const char* firewall_backend_to_string(FirewallBackend b) _const_;
 int fw_nftables_init(FirewallContext *ctx);
 int fw_nftables_init_full(FirewallContext *ctx, bool init_tables);
 void fw_nftables_exit(FirewallContext *ctx);
 int fw_nftables_add_masquerade(
                FirewallContext *ctx,
                bool add,
                int af,
                const union in_addr_union *source,
                unsigned source_prefixlen);
 int fw_nftables_add_local_dnat(
                FirewallContext *ctx,
                bool add,
                int af,
                int protocol,
                uint16_t local_port,
                const union in_addr_union *remote,
                uint16_t remote_port,
                const union in_addr_union *previous_remote);
 #if HAVE_LIBIPTC
 struct xtc_handle;
 int fw_iptables_add_masquerade(
                bool add,
                int af,
                const union in_addr_union *source,
                unsigned source_prefixlen);
 int fw_iptables_add_local_dnat(
                bool add,
                int af,
                int protocol,
                uint16_t local_port,
                const union in_addr_union *remote,
                uint16_t remote_port,
                const union in_addr_union *previous_remote);
 int fw_iptables_init_nat(struct xtc_handle **ret);
 #endif
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
@ -4,15 +4,25 @@
 #include "conf-parser-forward.h"
 #include "forward.h"
-int fw_nftables_add_masquerade(
+typedef struct FirewallContext FirewallContext;
-                sd_netlink *nfnl,
+
 int fw_ctx_new(FirewallContext **ret);
 int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
 FirewallContext *fw_ctx_free(FirewallContext *ctx);
 DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
 size_t fw_ctx_get_reply_callback_count(FirewallContext *ctx);
 int fw_add_masquerade(
                FirewallContext **ctx,
                bool add,
                int af,
                const union in_addr_union *source,
                unsigned source_prefixlen);
-int fw_nftables_add_local_dnat(
+int fw_add_local_dnat(
-                sd_netlink *nfnl,
+                FirewallContext **ctx,
                bool add,
                int af,
                int protocol,
@ -54,7 +64,7 @@ const char* nft_set_source_to_string(int i) _const_;
 int nft_set_source_from_string(const char *s) _pure_;
 int nft_set_element_modify_iprange(
-                sd_netlink *nfnl,
+                FirewallContext *ctx,
                bool add,
                int nfproto,
                int af,
@ -64,7 +74,7 @@ int nft_set_element_modify_iprange(
                unsigned source_prefixlen);
 int nft_set_element_modify_ip(
-                sd_netlink *nfnl,
+                FirewallContext *ctx,
                bool add,
                int nfproto,
                int af,
@ -73,7 +83,7 @@ int nft_set_element_modify_ip(
                const union in_addr_union *source);
 int nft_set_element_modify_any(
-                sd_netlink *nfnl,
+                FirewallContext *ctx,
                bool add,
                int nfproto,
                const char *table,
--- a/src/shared/generator.c
+++ b/src/shared/generator.c
@ -6,6 +6,7 @@
 #include "alloc-util.h"
 #include "argv-util.h"
 #include "cgroup-util.h"
 #include "dropin.h"
 #include "escape.h"
 #include "fd-util.h"
--- a/src/shared/label-util.c
+++ b/src/shared/label-util.c
@ -5,6 +5,7 @@
 #include "btrfs-util.h"
 #include "errno-util.h"
 #include "fs-util.h"
 #include "label-util.h"
 #include "selinux-util.h"
 #include "smack-util.h"
--- a/src/shared/libaudit-util.c
+++ b/src/shared/libaudit-util.c
@ -2,6 +2,7 @@
 #include <linux/audit.h>
 #include <linux/netlink.h>
 #include <stdio.h>
 #include <sys/socket.h>
 #include "errno-util.h"
@ -11,32 +12,6 @@
 #include "log.h"
 #include "socket-util.h"
 #if HAVE_AUDIT
 static void *libaudit_dl = NULL;
 static DLSYM_PROTOTYPE(audit_close) = NULL;
 DLSYM_PROTOTYPE(audit_log_acct_message) = NULL;
 DLSYM_PROTOTYPE(audit_log_user_avc_message) = NULL;
 DLSYM_PROTOTYPE(audit_log_user_comm_message) = NULL;
 static DLSYM_PROTOTYPE(audit_open) = NULL;
 int dlopen_libaudit(void) {
        ELF_NOTE_DLOPEN("libaudit",
                        "Support for Audit loggging",
                        ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED,
                        "libaudit.so.1");
        return dlopen_many_sym_or_warn(
                        &libaudit_dl,
                        "libaudit.so.1",
                        LOG_DEBUG,
                        DLSYM_ARG(audit_close),
                        DLSYM_ARG(audit_log_acct_message),
                        DLSYM_ARG(audit_log_user_avc_message),
                        DLSYM_ARG(audit_log_user_comm_message),
                        DLSYM_ARG(audit_open));
 }
 static int try_audit_request(int fd) {
        struct iovec iov;
        struct msghdr mh;
@ -74,19 +49,14 @@ static int try_audit_request(int fd) {
        return msg.err.error;
 }
 #endif
 bool use_audit(void) {
 #if HAVE_AUDIT
        static int cached_use = -1;
        int r;
        if (cached_use >= 0)
                return cached_use;
        if (dlopen_libaudit() < 0)
                return (cached_use = false);
        _cleanup_close_ int fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
        if (fd < 0) {
                cached_use = !ERRNO_IS_PRIVILEGE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno);
@ -113,15 +83,12 @@ bool use_audit(void) {
        }
        return cached_use;
 #else
        return false;
 #endif
 }
 int close_audit_fd(int fd) {
 #if HAVE_AUDIT
        if (fd >= 0)
-                sym_audit_close(fd);
+                audit_close(fd);
 #else
        assert(fd < 0);
 #endif
@ -130,14 +97,8 @@ int close_audit_fd(int fd) {
 int open_audit_fd_or_warn(void) {
 #if HAVE_AUDIT
        int r;
        r = dlopen_libaudit();
        if (r < 0)
                return r;
        /* If the kernel lacks netlink or audit support, don't worry about it. */
-        int fd = sym_audit_open();
+        int fd = audit_open();
        if (fd < 0)
                return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING,
                                      errno, "Failed to connect to audit log, ignoring: %m");
--- a/src/shared/libaudit-util.h
+++ b/src/shared/libaudit-util.h
@ -1,20 +1,12 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 #include "forward.h"
 #if HAVE_AUDIT
 #  include <libaudit.h>         /* IWYU pragma: export */
 #  include "dlfcn-util.h"
 extern DLSYM_PROTOTYPE(audit_log_acct_message);
 extern DLSYM_PROTOTYPE(audit_log_user_avc_message);
 extern DLSYM_PROTOTYPE(audit_log_user_comm_message);
 int dlopen_libaudit(void);
 #endif
 #include "forward.h"
 bool use_audit(void);
 int close_audit_fd(int fd);
--- a/src/shared/machine-bind-user.c
+++ b/src/shared/machine-bind-user.c
@ -2,6 +2,7 @@
 #include <grp.h>
 #include <pwd.h>
 #include <unistd.h>
 #include "alloc-util.h"
 #include "chase.h"
--- a/src/shared/machine-credential.c
+++ b/src/shared/machine-credential.c
@ -5,12 +5,11 @@
 #include "escape.h"
 #include "extract-word.h"
 #include "fileio.h"
 #include "iovec-util.h"
 #include "log.h"
 #include "machine-credential.h"
 #include "memory-util.h"
 #include "path-util.h"
-#include "string-util.h"
+#include "string-util-fundamental.h"
 static void machine_credential_done(MachineCredential *cred) {
        assert(cred);
@ -29,118 +28,74 @@ void machine_credential_context_done(MachineCredentialContext *ctx) {
        free(ctx->credentials);
 }
-MachineCredential* machine_credential_find(MachineCredentialContext *ctx, const char *id) {
+bool machine_credentials_contains(const MachineCredentialContext *ctx, const char *id) {
        assert(ctx);
        assert(id);
        FOREACH_ARRAY(cred, ctx->credentials, ctx->n_credentials)
                if (streq(cred->id, id))
-                        return cred;
+                        return true;
-        return NULL;
+        return false;
 }
 int machine_credential_add(
                MachineCredentialContext *ctx,
                const char *id,
                const char *value,
                size_t size) {
        assert(ctx);
        assert(id);
        assert(value || size == 0);
        if (!credential_name_valid(id))
                return -EINVAL;
        if (machine_credential_find(ctx, id))
                return -EEXIST;
        if (size == SIZE_MAX)
                size = strlen_ptr(value);
        _cleanup_(machine_credential_done) MachineCredential cred = {};
        cred.id = strdup(id);
        if (!cred.id)
                return -ENOMEM;
        cred.data = memdup(value, size);
        if (!cred.data)
                return -ENOMEM;
        cred.size = size;
        if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
                return -ENOMEM;
        ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
        return 0;
 }
 static int machine_credential_add_and_log(
                MachineCredentialContext *ctx,
                const char *id,
                const char *value,
                size_t size) {
        int r;
        assert(ctx);
        assert(id);
        assert(value || size == 0);
        r = machine_credential_add(ctx, id, value, size);
        if (r == -EEXIST)
                return log_error_errno(r, "Duplicated credential '%s', refusing.", id);
        if (r == -EINVAL)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", id);
        if (r == -ENOMEM)
                return log_oom();
        if (r < 0)
                return log_error_errno(r, "Failed to add credential '%s': %m", id);
        return 0;
 }
 int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str) {
        _cleanup_(machine_credential_done) MachineCredential cred = {};
        ssize_t l;
        int r;
        assert(ctx);
        const char *p = ASSERT_PTR(cred_str);
-        _cleanup_free_ char *id = NULL;
+
-        r = extract_first_word(&p, &id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
+        r = extract_first_word(&p, &cred.id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
        if (r < 0)
                return log_error_errno(r, "Failed to parse --set-credential= parameter: %m");
        if (r == 0 || !p)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Missing value for --set-credential=: %s", cred_str);
-        _cleanup_free_ char *data = NULL;
+        if (!credential_name_valid(cred.id))
-        ssize_t l;
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", cred.id);
-        l = cunescape(p, UNESCAPE_ACCEPT_NUL, &data);
+
        if (machine_credentials_contains(ctx, cred.id))
                return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", cred.id);
        l = cunescape(p, UNESCAPE_ACCEPT_NUL, &cred.data);
        if (l < 0)
                return log_error_errno(l, "Failed to unescape credential data: %s", p);
        cred.size = l;
-        return machine_credential_add_and_log(ctx, id, data, l);
+        if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
                return log_oom();
        ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
        return 0;
 }
 int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path) {
        _cleanup_(machine_credential_done) MachineCredential cred = {};
        _cleanup_free_ char *path_alloc = NULL;
        ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
        int r;
        assert(ctx);
        const char *p = ASSERT_PTR(cred_path);
-        _cleanup_free_ char *id = NULL;
+
-        r = extract_first_word(&p, &id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
+        r = extract_first_word(&p, &cred.id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
        if (r < 0)
                return log_error_errno(r, "Failed to parse --load-credential= parameter: %m");
        if (r == 0 || !p)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Missing value for --load-credential=: %s", cred_path);
-        ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
+        if (!credential_name_valid(cred.id))
-        _cleanup_free_ char *path_alloc = NULL;
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", cred.id);
        if (machine_credentials_contains(ctx, cred.id))
                return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", cred.id);
        if (is_path(p) && path_is_valid(p))
                flags |= READ_FULL_FILE_CONNECT_SOCKET;
        else if (credential_name_valid(p)) {
@ -148,7 +103,8 @@ int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path
                r = get_credentials_dir(&e);
                if (r < 0)
-                        return log_error_errno(r, "Credential not available (no credentials passed at all): %s", p);
+                        return log_error_errno(r,
                                               "Credential not available (no credentials passed at all): %s", cred.id);
                path_alloc = path_join(e, p);
                if (!path_alloc)
@ -159,16 +115,17 @@ int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Credential source appears to be neither a valid path nor a credential name: %s", p);
-        _cleanup_(iovec_done_erase) struct iovec iov = {};
+        r = read_full_file_full(AT_FDCWD, p, UINT64_MAX, SIZE_MAX,
-        r = read_full_file_full(
+                                flags,
-                        AT_FDCWD, p,
+                                NULL,
-                        /* offset= */ UINT64_MAX,
+                                &cred.data, &cred.size);
                        /* size= */ SIZE_MAX,
                        flags,
                        /* bind_name= */ NULL,
                        (char**) &iov.iov_base, &iov.iov_len);
        if (r < 0)
                return log_error_errno(r, "Failed to read credential '%s': %m", p);
-        return machine_credential_add_and_log(ctx, id, iov.iov_base, iov.iov_len);
+        if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
                return log_oom();
        ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
        return 0;
 }
--- a/src/shared/machine-credential.h
+++ b/src/shared/machine-credential.h
@ -16,8 +16,7 @@ typedef struct MachineCredentialContext {
 void machine_credential_context_done(MachineCredentialContext *ctx);
-MachineCredential* machine_credential_find(MachineCredentialContext *ctx, const char *id);
+bool machine_credentials_contains(const MachineCredentialContext *ctx, const char *id);
 int machine_credential_add(MachineCredentialContext *ctx, const char *id, const char *value, size_t size);
 int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str);
 int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path);
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@ -76,6 +76,7 @@ shared_sources = files(
        'fdset.c',
        'fido2-util.c',
        'find-esp.c',
        'firewall-util-nft.c',
        'firewall-util.c',
        'fork-notify.c',
        'format-table.c',
@ -248,6 +249,10 @@ if conf.get('ENABLE_UTMP') == 1
        shared_sources += files('utmp-wtmp.c')
 endif
 if conf.get('HAVE_LIBIPTC') == 1
        shared_sources += files('firewall-util-iptables.c')
 endif
 if conf.get('HAVE_LIBBPF') == 1
        shared_sources += files('bpf-link.c')
 endif
@ -312,12 +317,13 @@ libshared_name = 'systemd-shared-@0@'.format(shared_lib_tag)
 libshared_deps = [threads,
                  libacl,
-                  libaudit_cflags,
+                  libaudit,
                  libblkid,
                  libcap,
                  libcrypt,
                  libdl,
                  libgcrypt_cflags,
                  libiptc_cflags,
                  libkmod_cflags,
                  liblz4_cflags,
                  libmount,
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@ -1726,15 +1726,13 @@ int openssl_load_private_key(
        assert(private_key);
        assert(request);
        assert(ret_private_key);
        if (private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
                r = openssl_load_private_key_from_file(private_key, ret_private_key);
                if (r < 0)
                        return r;
-                if (ret_user_interface)
+                *ret_user_interface = NULL;
                        *ret_user_interface = NULL;
        } else {
                _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
                r = openssl_ask_password_ui_new(request, &ui);
@ -1759,8 +1757,7 @@ int openssl_load_private_key(
                                        private_key,
                                        private_key_source);
-                if (ret_user_interface)
+                *ret_user_interface = TAKE_PTR(ui);
                        *ret_user_interface = TAKE_PTR(ui);
        }
        return 0;
--- a/src/shared/pretty-print.c
+++ b/src/shared/pretty-print.c
@ -14,6 +14,7 @@
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
 #include "log.h"
 #include "path-util.h"
 #include "pretty-print.h"
--- a/src/shared/tests.c
+++ b/src/shared/tests.c
@ -3,6 +3,8 @@
 #include <sched.h>
 #include <stdlib.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <sys/wait.h>
 #include <unistd.h>
 #include "sd-bus.h"
--- a/src/shared/varlink-io.systemd.MountFileSystem.c
+++ b/src/shared/varlink-io.systemd.MountFileSystem.c
@ -116,7 +116,7 @@ static SD_VARLINK_DEFINE_ERROR(DeniedByImagePolicy);
 static SD_VARLINK_DEFINE_ERROR(KeyNotFound);
 static SD_VARLINK_DEFINE_ERROR(VerityFailure);
 static SD_VARLINK_DEFINE_ERROR(BadFileDescriptorFlags,
-                               SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flags."),
+                               SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flag."),
                               SD_VARLINK_DEFINE_FIELD(parameter, SD_VARLINK_STRING, 0));
 SD_VARLINK_DEFINE_INTERFACE(
--- a/src/shared/varlink-io.systemd.Unit.c
+++ b/src/shared/varlink-io.systemd.Unit.c
@ -455,13 +455,7 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
                SD_VARLINK_FIELD_COMMENT("The total number of bytes written to block devices by the cgroup"),
                SD_VARLINK_DEFINE_FIELD(IOWriteBytes, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
                SD_VARLINK_FIELD_COMMENT("The total number of write operations performed on block devices by the cgroup"),
-                SD_VARLINK_DEFINE_FIELD(IOWriteOperations, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
+                SD_VARLINK_DEFINE_FIELD(IOWriteOperations, SD_VARLINK_INT, SD_VARLINK_NULLABLE));
                /* OOM */
                SD_VARLINK_FIELD_COMMENT("The number of processes of this unit killed by the kernel OOM killer"),
                SD_VARLINK_DEFINE_FIELD(OOMKills, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
                SD_VARLINK_FIELD_COMMENT("The number of processes of this unit killed by systemd-oomd"),
                SD_VARLINK_DEFINE_FIELD(ManagedOOMKills, SD_VARLINK_INT, SD_VARLINK_NULLABLE));
 static SD_VARLINK_DEFINE_STRUCT_TYPE(
                UnitRuntime,
--- a/src/systemctl/systemctl-compat-shutdown.c
+++ b/src/systemctl/systemctl-compat-shutdown.c
@ -11,6 +11,7 @@
 #include "strv.h"
 #include "systemctl.h"
 #include "systemctl-compat-shutdown.h"
 #include "systemctl-logind.h"
 #include "time-util.h"
 static int shutdown_help(void) {
--- a/src/sysupdate/sysupdate.c
+++ b/src/sysupdate/sysupdate.c
@ -6,9 +6,12 @@
 #include "sd-daemon.h"
 #include "build.h"
 #include "chase.h"
 #include "conf-files.h"
 #include "constants.h"
 #include "dirent-util.h"
 #include "dissect-image.h"
 #include "fd-util.h"
 #include "format-table.h"
 #include "glyph-util.h"
 #include "hexdecoct.h"
--- a/Show More
+++ b/Show More