Netplan

Merge ~slyon/netplan/+git/ubuntu:slyon/ubuntu/eoan into ~ubuntu-core-dev/netplan/+git/ubuntu:ubuntu/eoan

Proposed by Lukas Märdian on 2020-05-04

Status:

Merged

Approved by:

Łukasz Zemczak on 2020-05-04

Approved revision:

415bb4b36fecabbcfeee4f153ae07864dc6a15b4

Merged at revision:

415bb4b36fecabbcfeee4f153ae07864dc6a15b4

Proposed branch:

~slyon/netplan/+git/ubuntu:slyon/ubuntu/eoan

Merge into:

~ubuntu-core-dev/netplan/+git/ubuntu:ubuntu/eoan

Diff against target:

6685 lines (+3711/-538)

44 files modified

Makefile (+28/-6)
debian/changelog (+80/-0)
debian/control (+35/-0)
debian/copyright (+1/-1)
debian/libnetplan-dev.dirs (+1/-0)
debian/libnetplan-dev.install (+2/-0)
debian/libnetplan0.install (+1/-0)
debian/libnetplan0.symbols (+25/-0)
debian/netplan.io.install (+4/-0)
debian/patches/0001-Fix-LP-1874377-Not-connect-to-WiFi-after-netplan-app.patch (+175/-0)
debian/patches/series (+1/-0)
debian/rules (+4/-1)
debian/tests/control (+27/-0)
dev/null (+0/-11)
doc/netplan.md (+137/-5)
examples/dhcp_wired8021x.yaml (+11/-0)
examples/direct_connect_gateway_ipv6.yaml (+11/-0)
examples/modem.yaml (+15/-0)
netplan/cli/commands/apply.py (+24/-23)
netplan/cli/sriov.py (+320/-0)
netplan/cli/utils.py (+50/-1)
src/generate.c (+10/-9)
src/networkd.c (+240/-80)
src/networkd.h (+1/-1)
src/nm.c (+187/-62)
src/nm.h (+1/-1)
src/parse.c (+326/-156)
src/parse.h (+181/-106)
src/util.c (+62/-0)
src/util.h (+6/-0)
src/validation.c (+26/-25)
src/validation.h (+2/-2)
tests/cli.py (+30/-22)
tests/generator/base.py (+3/-0)
tests/generator/test_auth.py (+67/-6)
tests/generator/test_common.py (+56/-5)
tests/generator/test_errors.py (+58/-0)
tests/generator/test_ethernets.py (+124/-0)
tests/generator/test_modems.py (+374/-0)
tests/generator/test_vlans.py (+93/-0)
tests/generator/test_wifis.py (+283/-14)
tests/integration/base.py (+22/-1)
tests/integration/ethernets.py (+2/-0)
tests/test_sriov.py (+605/-0)

Critical

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Łukasz Zemczak		2020-05-04	Approve on 2020-05-04
Review via email: mp+383327@code.launchpad.net

Revision history for this message

Łukasz Zemczak (sil2100) on 2020-05-04:

review: Approve

Update scan failed

At least one of the branches involved have failed to scan. You can manually schedule a rescan if required.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Danilo Egea Gondolfo

Lukas Märdian

Ubuntu Core Development Team

Netplan

Merge ~slyon/netplan/+git/ubuntu:slyon/ubuntu/eoan into ~ubuntu-core-dev/netplan/+git/ubuntu:ubuntu/eoan

Commit message

Description of the change

Update scan failed

Preview Diff

Subscribers

 diff --git a/Makefile b/Makefile
 index d89eb26..3ce1347 100644
 --- a/Makefile
 +++ b/Makefile
@@ -1,4 +1,8 @@
++NETPLAN_SOVER=0.0
++
  BUILDFLAGS = \
++	-g \
++	-fPIC \
  	-std=c99 \
  	-D_XOPEN_SOURCE=500 \
  	-DSBINDIR=\"$(SBINDIR)\" \
@@ -13,12 +17,14 @@ BASH_COMPLETIONS_DIR=$(shell pkg-config --variable=completionsdir bash-completio
  GCOV ?= gcov
  ROOTPREFIX ?=
  PREFIX ?= /usr
++LIBDIR ?= $(PREFIX)/lib
  ROOTLIBEXECDIR ?= $(ROOTPREFIX)/lib
  LIBEXECDIR ?= $(PREFIX)/lib
  SBINDIR ?= $(PREFIX)/sbin
  DATADIR ?= $(PREFIX)/share
  DOCDIR ?= $(DATADIR)/doc
  MANDIR ?= $(DATADIR)/man
++INCLUDEDIR ?= $(PREFIX)/include
  PYCODE = netplan/ $(wildcard src/*.py) $(wildcard tests/*.py) $(wildcard tests/generator/*.py) $(wildcard tests/dbus/*.py)
@@ -29,14 +35,22 @@ NOSETESTS3 ?= $(shell which nosetests-3 || which nosetests3 || echo true)
  default: netplan/_features.py generate netplan-dbus dbus/io.netplan.Netplan.service doc/netplan.html doc/netplan.5 doc/netplan-generate.8 doc/netplan-apply.8 doc/netplan-try.8
--generate: src/generate.[hc] src/parse.[hc] src/util.[hc] src/networkd.[hc] src/nm.[hc] src/validation.[hc] src/error.[hc]
--	$(CC) $(BUILDFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $(filter %.c, $^) `pkg-config --cflags --libs glib-2.0 gio-2.0 yaml-0.1 uuid`
++%.o: src/%.c
++	$(CC) $(BUILDFLAGS) $(CFLAGS) $(LDFLAGS) -c $^ `pkg-config --cflags --libs glib-2.0 gio-2.0 yaml-0.1 uuid`
++
++libnetplan.so.$(NETPLAN_SOVER): parse.o util.o validation.o error.o
++	$(CC) -shared -Wl,-soname,libnetplan.so.$(NETPLAN_SOVER) $(BUILDFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ `pkg-config --libs yaml-0.1`
++	ln -snf libnetplan.so.$(NETPLAN_SOVER) libnetplan.so
++
++#generate: src/generate.[hc] src/parse.[hc] src/util.[hc] src/networkd.[hc] src/nm.[hc] src/validation.[hc] src/error.[hc]
++generate: libnetplan.so.$(NETPLAN_SOVER) nm.o networkd.o generate.o
++	$(CC) $(BUILDFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ -L. -lnetplan `pkg-config --cflags --libs glib-2.0 gio-2.0 yaml-0.1 uuid`
  netplan-dbus: src/dbus.c src/_features.h
--	$(CC) $(BUILDFLAGS) $(CFLAGS) -o $@ $^ `pkg-config --cflags --libs libsystemd glib-2.0`
++	$(CC) $(BUILDFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ `pkg-config --cflags --libs libsystemd glib-2.0`
  src/_features.h: src/[^_]*.[hc]
--	echo "#include <stddef.h>\nstatic const char *feature_flags[] __attribute__((__unused__)) = {" > $@
++	printf "#include <stddef.h>\nstatic const char *feature_flags[] __attribute__((__unused__)) = {\n" > $@
  	awk 'match ($$0, /netplan-feature:.*/ ) { $$0=substr($$0, RSTART, RLENGTH); print "\""$$2"\"," }' $^ >> $@
  	echo "NULL, };" >> $@
@@ -49,6 +63,7 @@ netplan/_features.py: src/[^_]*.[hc]
  clean:
  	rm -f netplan/_features.py src/_features.h
  	rm -f generate doc/*.html doc/*.[1-9]
++	rm -f *.o *.so*
  	rm -f netplan-dbus dbus/*.service
  	rm -f *.gcda *.gcno generate.info
  	rm -rf test-coverage .coverage
@@ -85,20 +100,27 @@ python-coverage:
  	python3-coverage xml --omit=/usr* || true
  install: default
--	mkdir -p $(DESTDIR)/$(SBINDIR) $(DESTDIR)/$(ROOTLIBEXECDIR)/netplan $(DESTDIR)/$(SYSTEMD_GENERATOR_DIR)
++	mkdir -p $(DESTDIR)/$(SBINDIR) $(DESTDIR)/$(ROOTLIBEXECDIR)/netplan $(DESTDIR)/$(SYSTEMD_GENERATOR_DIR) $(DESTDIR)/$(LIBDIR)
  	mkdir -p $(DESTDIR)/$(MANDIR)/man5 $(DESTDIR)/$(MANDIR)/man8
  	mkdir -p $(DESTDIR)/$(DOCDIR)/netplan/examples
  	mkdir -p $(DESTDIR)/$(DATADIR)/netplan/netplan
++	mkdir -p $(DESTDIR)/$(INCLUDEDIR)/netplan
  	install -m 755 generate $(DESTDIR)/$(ROOTLIBEXECDIR)/netplan/
  	find netplan/ -name '*.py' -exec install -Dm 644 "{}" "$(DESTDIR)/$(DATADIR)/netplan/{}" \;
  	install -m 755 src/netplan.script $(DESTDIR)/$(DATADIR)/netplan/
  	ln -srf $(DESTDIR)/$(DATADIR)/netplan/netplan.script $(DESTDIR)/$(SBINDIR)/netplan
  	ln -srf $(DESTDIR)/$(ROOTLIBEXECDIR)/netplan/generate $(DESTDIR)/$(SYSTEMD_GENERATOR_DIR)/netplan
++	# lib
++	install -m 644 *.so.* $(DESTDIR)/$(LIBDIR)/
++	ln -snf libnetplan.so.$(NETPLAN_SOVER) $(DESTDIR)/$(LIBDIR)/libnetplan.so
++	# headers, dev data
++	install -m 644 src/*.h $(DESTDIR)/$(INCLUDEDIR)/netplan/
++	# TODO: install pkg-config once available
++	# docs, data
  	install -m 644 doc/*.html $(DESTDIR)/$(DOCDIR)/netplan/
  	install -m 644 examples/*.yaml $(DESTDIR)/$(DOCDIR)/netplan/examples/
  	install -m 644 doc/*.5 $(DESTDIR)/$(MANDIR)/man5/
  	install -m 644 doc/*.8 $(DESTDIR)/$(MANDIR)/man8/
--	install -D -m 644 src/netplan-wpa@.service $(DESTDIR)/$(SYSTEMD_UNIT_DIR)/netplan-wpa@.service
  	install -T -D -m 644 netplan.completions $(DESTDIR)/$(BASH_COMPLETIONS_DIR)/netplan
  	# dbus
  	mkdir -p $(DESTDIR)/$(DATADIR)/dbus-1/system.d $(DESTDIR)/$(DATADIR)/dbus-1/system-services
 diff --git a/debian/changelog b/debian/changelog
 index ad35a3b..2e8084d 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,83 @@
++netplan.io (0.99-0ubuntu3~19.10.1) UNRELEASED; urgency=medium
++
++  * Backport netplan.io 0.99 to 19.10. (LP: #1871825)
++  * Include proper upstream fix for "Not connect to WiFi after 'netplan apply'
++    (LP: #1874377)
++
++ -- Lukas Märdian <lukas.maerdian@canonical.com>  Mon, 04 May 2020 11:48:04 +0200
++
++netplan.io (0.99-0ubuntu3) groovy; urgency=medium
++
++  * Drop d/p/0001-Not-connect-to-WiFi-after-netplan-apply.patch
++    - Replaced by upstream fix
++  * Add d/p/0001-Fix-LP-1874377-Not-connect-to-WiFi-after-netplan-app.patch:
++    - Proper upstream fix, which handles edge cases better and contains tests
++
++ -- Lukas Märdian <lukas.maerdian@canonical.com>  Thu, 30 Apr 2020 12:51:36 +0200
++
++netplan.io (0.99-0ubuntu2) focal; urgency=medium
++
++  [ Lukas Märdian ]
++  * debian/patches/0001-Not-connect-to-WiFi-after-netplan-apply.patch:
++    - Seems like the 'netplan apply' command was not properly adopted when
++      wired wpa_supplicant support was introduced.
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Thu, 23 Apr 2020 15:22:07 +0200
++
++netplan.io (0.99-0ubuntu1) focal; urgency=medium
++
++  [ Łukasz 'sil2100' Zemczak ]
++  * New upstream release: 0.99 (LP: #1871825)
++    - Fixed setting MTUBytes= in .network files as well
++    - Added "phase2" keyword to "auth" section
++    - Allowing "critical" to be used without "dhcp4"/"dhcp6" enabled
++    - Added support for GSM modems in the NetworkManager backend (with the
++      "modems" keyword)
++    - Added "emit-lldp" option for networkd backend (LP: #1862607)
++    - Fixed netplan incorrectly generating WPA PSK hex (LP: #1867690)
++    - Split out the netplan parser into a separate libnetplan library
++    - Added "ipv6-address-generation" field for NM backend
++    - Added WiFi flags for "bssid"/"band"/"channel"
++    - Added support for SR-IOV network devices
++  * debian/copyright: Change contact address as Matt is no longer available
++    via the previous e-mail.
++  * debian/control: Add new libnetplan packages
++  * Drop d/p/0002-Adopt-integration-tests-for-NetworkManager-v1.22-foc.patch:
++    included in upstream release
++
++  [ Lukas Märdian ]
++  * Drop d/p/workaround_tests_issues.patch:
++    The problem was solved upstream and is integrated via
++    d/p/0002-Adopt-integration-tests-for-NetworkManager-v1.22-foc.patch
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Thu, 16 Apr 2020 09:13:50 +0200
++
++netplan.io (0.98-0ubuntu4) focal; urgency=medium
++
++  [ Lukas Märdian ]
++  * d/p/0002-Adopt-integration-tests-for-NetworkManager-v1.22-foc.patch:
++    Adopt integration tests for NetworkManager v1.22 (focal)
++  * debian/tests/control: add new autopkgtest dependencies for the new
++    integration tests.
++
++ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Mon, 23 Mar 2020 09:24:39 +0100
++
++netplan.io (0.98-0ubuntu3) focal; urgency=medium
++
++  * No change rebuild to get Testsuite-Triggers restored, the previous
++    upload was built on an older serie/dpkg version which lead to the
++    dsc to be missing the reference
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Tue, 03 Mar 2020 11:31:26 +0100
++
++netplan.io (0.98-0ubuntu2) focal; urgency=medium
++
++  * debian/patches/workaround_tests_issues.patch:
++    - workaround a test issue, the default route seems to take a bit of
++      time to be applied in n-m, wait for it before erroring out
++
++ -- Sebastien Bacher <seb128@ubuntu.com>  Wed, 29 Jan 2020 23:33:03 +0100
++
  netplan.io (0.98-0ubuntu1) eoan; urgency=medium
    * New upstream release: 0.98 (LP: #1840832)
 diff --git a/debian/control b/debian/control
 index 533e943..d6a69b1 100644
 --- a/debian/control
 +++ b/debian/control
@@ -34,6 +34,7 @@ Multi-Arch: foreign
  Depends: ${shlibs:Depends},
   ${misc:Depends},
   iproute2,
++ libnetplan0 (>= ${binary:Version}),
   python3,
   python3-yaml,
   python3-netifaces,
@@ -51,3 +52,37 @@ Description: YAML network configuration abstraction for various backends
   networking daemon.
+  .
   Currently supported backends are networkd and NetworkManager.
++
++Package: libnetplan0
++Architecture: any
++Multi-Arch: same
++Depends: ${shlibs:Depends},
++ ${misc:Depends},
++Description: YAML network configuration abstraction runtime library
++ netplan reads YAML network configuration files which are written
++ by administrators, installers, cloud image instantiations, or other OS
++ deployments. During early boot it then generates backend specific
++ configuration files in /run to hand off control of devices to a particular
++ networking daemon.
++ .
++ Currently supported backends are networkd and NetworkManager.
++ .
++ This package contains the necessary runtime library files.
++
++Package: libnetplan-dev
++Architecture: any
++Multi-Arch: same
++Depends: ${misc:Depends},
++ libnetplan0 (= ${binary:Version}),
++Description: Development files for netplan's libnetplan runtime library
++ netplan reads YAML network configuration files which are written
++ by administrators, installers, cloud image instantiations, or other OS
++ deployments. During early boot it then generates backend specific
++ configuration files in /run to hand off control of devices to a particular
++ networking daemon.
++ .
++ Currently supported backends are networkd and NetworkManager.
++ .
++ This package contains development files for developers wanting to use
++ libnetplan in their applications.
++
 diff --git a/debian/copyright b/debian/copyright
 index 5af515c..556c410 100644
 --- a/debian/copyright
 +++ b/debian/copyright
@@ -1,6 +1,6 @@
  Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
  Upstream-Name: netplan.io
--Upstream-Contact: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
++Upstream-Contact: Łukasz 'sil2100' Zemczak <lukasz.zemczak@canonical.com>
  Source: https://github.com/CanonicalLtd/netplan
  Files: *
 diff --git a/debian/libnetplan-dev.dirs b/debian/libnetplan-dev.dirs
 new file mode 100644
 index 0000000..99379cd
 --- /dev/null
 +++ b/debian/libnetplan-dev.dirs
@@ -0,0 +1 @@
++usr/include/netplan
 diff --git a/debian/libnetplan-dev.install b/debian/libnetplan-dev.install
 new file mode 100644
 index 0000000..911f5de
 --- /dev/null
 +++ b/debian/libnetplan-dev.install
@@ -0,0 +1,2 @@
++usr/include/netplan/*.h
++usr/lib/*/libnetplan*.so
 diff --git a/debian/libnetplan0.install b/debian/libnetplan0.install
 new file mode 100644
 index 0000000..514ba93
 --- /dev/null
 +++ b/debian/libnetplan0.install
@@ -0,0 +1 @@
++usr/lib/*/libnetplan*.so.*
 diff --git a/debian/libnetplan0.symbols b/debian/libnetplan0.symbols
 new file mode 100644
 index 0000000..62adadd
 --- /dev/null
 +++ b/debian/libnetplan0.symbols
@@ -0,0 +1,25 @@
++libnetplan.so.0.0 libnetplan0 #MINVER#
++ NETPLAN_OPTIONAL_ADDRESS_TYPES@Base 0.99
++ NETPLAN_WIFI_WOWLAN_TYPES@Base 0.99
++ current_file@Base 0.99
++ g_string_free_to_file@Base 0.99
++ is_ip4_address@Base 0.99
++ is_ip6_address@Base 0.99
++ missing_id@Base 0.99
++ missing_ids_found@Base 0.99
++ netdefs@Base 0.99
++ netdefs_ordered@Base 0.99
++ netplan_finish_parse@Base 0.99
++ netplan_get_global_backend@Base 0.99
++ netplan_parse_yaml@Base 0.99
++ parser_error@Base 0.99
++ safe_mkdir_p_dir@Base 0.99
++ tunnel_mode_to_string@Base 0.99
++ unlink_glob@Base 0.99
++ validate_backend_rules@Base 0.99
++ validate_netdef_grammar@Base 0.99
++ wifi_frequency_24@Base 0.99
++ wifi_frequency_5@Base 0.99
++ wifi_get_freq24@Base 0.99
++ wifi_get_freq5@Base 0.99
++ yaml_error@Base 0.99
 diff --git a/debian/dirs b/debian/netplan.io.dirs
 similarity index 100%
 rename from debian/dirs
 rename to debian/netplan.io.dirs
 diff --git a/debian/netplan.io.install b/debian/netplan.io.install
 new file mode 100644
 index 0000000..88c78f1
 --- /dev/null
 +++ b/debian/netplan.io.install
@@ -0,0 +1,4 @@
++lib/netplan/*
++lib/systemd/system-generators/netplan
++usr/share/*
++usr/sbin/netplan
 diff --git a/debian/patches/0001-Fix-LP-1874377-Not-connect-to-WiFi-after-netplan-app.patch b/debian/patches/0001-Fix-LP-1874377-Not-connect-to-WiFi-after-netplan-app.patch
 new file mode 100644
 index 0000000..d401e97
 --- /dev/null
 +++ b/debian/patches/0001-Fix-LP-1874377-Not-connect-to-WiFi-after-netplan-app.patch
@@ -0,0 +1,175 @@
++From: Lukas Maerdian <lukas.maerdian@canonical.com>
++Date: Tue, 28 Apr 2020 14:35:36 +0200
++Subject: Fix LP#1874377: Not connect to WiFi after 'netplan apply' (#133)
++
++* Fix LP#1874377: Not connect to WiFi after 'netplan apply'
++
++Seems like the 'netplan apply' command was not properly adopted in #109 when wired wpa_supplicant support was introduced.
++
++Fixes: https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/1874377
++---
++ netplan/cli/commands/apply.py | 10 ++++--
++ netplan/cli/utils.py          |  7 +++++
++ src/networkd.c                |  4 +++
++ tests/generator/test_wifis.py | 71 +++++++++++++++++++++++++++++++++++++++++++
++ tests/integration/base.py     |  2 +-
++ 5 files changed, 91 insertions(+), 3 deletions(-)
++
++diff --git a/netplan/cli/commands/apply.py b/netplan/cli/commands/apply.py
++index 0ec95f5..cf9f122 100644
++--- a/netplan/cli/commands/apply.py
+++++ b/netplan/cli/commands/apply.py
++@@ -108,7 +108,13 @@ class NetplanApply(utils.NetplanCommand):
++         # stop backends
++         if restart_networkd:
++             logging.debug('netplan generated networkd configuration changed, restarting networkd')
++-            utils.systemctl_networkd('stop', sync=sync, extra_services=['netplan-wpa@*.service'])
+++            wpa_services = ['netplan-wpa-*.service']
+++            # Historically (up to v0.98) we had netplan-wpa@*.service files, in case of an
+++            # upgraded system, we need to make sure to stop those.
+++            if utils.systemctl_is_active('netplan-wpa@*.service'):
+++                wpa_services.insert(0, 'netplan-wpa@*.service')
+++            utils.systemctl_networkd('stop', sync=sync, extra_services=wpa_services)
+++
++         else:
++             logging.debug('no netplan generated networkd configuration exists')
++
++@@ -169,7 +175,7 @@ class NetplanApply(utils.NetplanCommand):
++
++         # (re)start backends
++         if restart_networkd:
++-            netplan_wpa = [os.path.basename(f) for f in glob.glob('/run/systemd/system/*.wants/netplan-wpa@*.service')]
+++            netplan_wpa = [os.path.basename(f) for f in glob.glob('/run/systemd/system/*.wants/netplan-wpa-*.service')]
++             utils.systemctl_networkd('start', sync=sync, extra_services=netplan_wpa)
++         if restart_nm:
++             utils.systemctl_network_manager('start', sync=sync)
++diff --git a/netplan/cli/utils.py b/netplan/cli/utils.py
++index 5f54b1a..c0eee03 100644
++--- a/netplan/cli/utils.py
+++++ b/netplan/cli/utils.py
++@@ -86,6 +86,13 @@ def systemctl_networkd(action, sync=False, extra_services=[]):  # pragma: nocove
++     subprocess.check_call(command)
++
++
+++def systemctl_is_active(unit_pattern):  # pragma: nocover (covered in autopkgtest)
+++    '''Return True if at least one matching unit is running'''
+++    if subprocess.call(['systemctl', '--quiet', 'is-active', unit_pattern]) == 0:
+++        return True
+++    return False
+++
+++
++ def get_interface_driver_name(interface, only_down=False):  # pragma: nocover (covered in autopkgtest)
++     devdir = os.path.join('/sys/class/net', interface)
++     if only_down:
++diff --git a/src/networkd.c b/src/networkd.c
++index e2bb111..6f6173a 100644
++--- a/src/networkd.c
+++++ b/src/networkd.c
++@@ -990,8 +990,12 @@ cleanup_networkd_conf(const char* rootdir)
++ {
++     unlink_glob(rootdir, "/run/systemd/network/10-netplan-*");
++     unlink_glob(rootdir, "/run/netplan/wpa-*.conf");
+++    unlink_glob(rootdir, "/run/systemd/system/systemd-networkd.service.wants/netplan-wpa-*.service");
++     unlink_glob(rootdir, "/run/systemd/system/netplan-wpa-*.service");
++     unlink_glob(rootdir, "/run/udev/rules.d/99-netplan-*");
+++    /* Historically (up to v0.98) we had netplan-wpa@*.service files, in case of an
+++     * upgraded system, we need to make sure to clean those up. */
+++    unlink_glob(rootdir, "/run/systemd/system/systemd-networkd.service.wants/netplan-wpa@*.service");
++ }
++
++ /**
++diff --git a/tests/generator/test_wifis.py b/tests/generator/test_wifis.py
++index 8eb804e..d5b79cf 100644
++--- a/tests/generator/test_wifis.py
+++++ b/tests/generator/test_wifis.py
++@@ -116,6 +116,77 @@ network={
++         self.assertTrue(os.path.islink(os.path.join(
++             self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa-wl0.service')))
++
+++    def test_wifi_upgrade(self):
+++        # pretend an old 'netplan-wpa@*.service' link still exists on an upgraded system
+++        os.makedirs(os.path.join(self.workdir.name, 'lib/systemd/system'))
+++        os.makedirs(os.path.join(self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants'))
+++        with open(os.path.join(self.workdir.name, 'lib/systemd/system/netplan-wpa@.service'), 'w') as out:
+++            out.write('''[Unit]
+++Description=WPA supplicant for netplan %I
+++DefaultDependencies=no
+++Requires=sys-subsystem-net-devices-%i.device
+++After=sys-subsystem-net-devices-%i.device
+++Before=network.target
+++Wants=network.target
+++
+++[Service]
+++Type=simple
+++ExecStart=/sbin/wpa_supplicant -c /run/netplan/wpa-%I.conf -i%I''')
+++        os.symlink(os.path.join(self.workdir.name, 'lib/systemd/system/netplan-wpa@.service'),
+++                   os.path.join(self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa@wl0.service'))
+++
+++        # run generate, which should cleanup the old files/symlinks
+++        self.generate('''network:
+++  version: 2
+++  wifis:
+++    wl0:
+++      access-points:
+++        "Joe's Home":
+++          password: "s0s3kr1t"
+++      dhcp4: yes''')
+++
+++        # verify new files/links exist, while old have been removed
+++        self.assertTrue(os.path.isfile(os.path.join(
+++            self.workdir.name, 'run/systemd/system/netplan-wpa-wl0.service')))
+++        self.assertTrue(os.path.islink(os.path.join(
+++            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa-wl0.service')))
+++        # old files/links
+++        self.assertTrue(os.path.isfile(os.path.join(
+++            self.workdir.name, 'lib/systemd/system/netplan-wpa@.service')))
+++        self.assertFalse(os.path.islink(os.path.join(
+++            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa@wl0.service')))
+++
+++        # pretend another old systemd service file exists for wl1
+++        os.symlink(os.path.join(self.workdir.name, 'lib/systemd/system/netplan-wpa@.service'),
+++                   os.path.join(self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa@wl1.service'))
+++
+++        # run generate again, to verify the historical netplan-wpa@.service links and wl0 links are gone
+++        self.generate('''network:
+++  version: 2
+++  wifis:
+++    wl1:
+++      access-points:
+++        "Other Home":
+++          password: "s0s3kr1t"
+++      dhcp4: yes''')
+++
+++        # verify new files/links exist, while old have been removed
+++        self.assertTrue(os.path.isfile(os.path.join(
+++            self.workdir.name, 'run/systemd/system/netplan-wpa-wl1.service')))
+++        self.assertTrue(os.path.islink(os.path.join(
+++            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa-wl1.service')))
+++        # old files/links
+++        self.assertTrue(os.path.isfile(os.path.join(
+++            self.workdir.name, 'lib/systemd/system/netplan-wpa@.service')))
+++        self.assertFalse(os.path.islink(os.path.join(
+++            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa@wl1.service')))
+++        self.assertFalse(os.path.islink(os.path.join(
+++            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa@wl0.service')))
+++        self.assertFalse(os.path.isfile(os.path.join(
+++            self.workdir.name, 'run/systemd/system/netplan-wpa-wl0.service')))
+++        self.assertFalse(os.path.islink(os.path.join(
+++            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa-wl0.service')))
+++
++     def test_wifi_route(self):
++         self.generate('''network:
++   version: 2
++diff --git a/tests/integration/base.py b/tests/integration/base.py
++index ed7100e..16fd2ee 100644
++--- a/tests/integration/base.py
+++++ b/tests/integration/base.py
++@@ -93,7 +93,7 @@ class IntegrationTestsBase(unittest.TestCase):
++             pass
++
++     def tearDown(self):
++-        subprocess.call(['systemctl', 'stop', 'NetworkManager', 'systemd-networkd', 'netplan-wpa@*',
+++        subprocess.call(['systemctl', 'stop', 'NetworkManager', 'systemd-networkd', 'netplan-wpa-*',
++                                               'systemd-networkd.socket'])
++         # NM has KillMode=process and leaks dhclient processes
++         subprocess.call(['systemctl', 'kill', 'NetworkManager'])
 diff --git a/debian/patches/series b/debian/patches/series
 index e69de29..817f04c 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -0,0 +1 @@
++0001-Fix-LP-1874377-Not-connect-to-WiFi-after-netplan-app.patch
 diff --git a/debian/rules b/debian/rules
 index 2d33f6a..f64d5f7 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -1,4 +1,7 @@
  #!/usr/bin/make -f
  %:
--	dh $@
++	dh $@ --fail-missing
++
++override_dh_auto_install:
++	dh_auto_install -- LIBDIR=/usr/lib/${DEB_HOST_MULTIARCH}/
 diff --git a/debian/tests/control b/debian/tests/control
 index 6202b41..727e3da 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -5,6 +5,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine
  Features: test-name=ethernets
@@ -15,6 +18,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine
  Features: test-name=bridges
@@ -25,6 +31,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine
  Features: test-name=bonds
@@ -35,6 +44,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine
  Features: test-name=routing
@@ -45,6 +57,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine
  Features: test-name=vlans
@@ -55,6 +70,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine, flaky
  Features: test-name=wifi
@@ -65,6 +83,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine
  Features: test-name=tunnels
@@ -75,6 +96,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine
  Features: test-name=scenarios
@@ -85,6 +109,9 @@ Depends: @,
    network-manager,
    hostapd,
    dnsmasq-base,
++  libnm0,
++  python3-gi,
++  gir1.2-nm-1.0,
  Restrictions: allow-stderr, needs-root, isolation-machine
  Features: test-name=regressions
 diff --git a/doc/netplan.md b/doc/netplan.md
 index 1cf8ded..c4b0ba3 100644
 --- a/doc/netplan.md
 +++ b/doc/netplan.md
@@ -30,7 +30,7 @@ either of those directories shadows a file with the same name in
  The top-level node in a netplan configuration file is a ``network:`` mapping
  that contains ``version: 2`` (the YAML currently being used by curtin, MaaS,
  etc. is version 1), and then device definitions grouped by their type, such as
--``ethernets:``, ``wifis:``, or ``bridges:``. These are the types that our
++``ethernets:``, ``modems:``, ``wifis:``, or ``bridges:``. These are the types that our
  renderer can understand and are supported by our backends.
  Each type block contains device definitions as a map where the keys (called
@@ -52,7 +52,7 @@ and the ID field has a different interpretation for each:
  Physical devices
--:   (Examples: ethernet, wifi) These can dynamically come and go between
++:   (Examples: ethernet, modem, wifi) These can dynamically come and go between
      reboots and even during runtime (hotplugging). In the generic case, they
      can be selected by ``match:`` rules on desired properties, such as name/name
      pattern, MAC address, driver, or device paths. In general these will match
@@ -133,6 +133,10 @@ Virtual devices
  :    Enable wake on LAN. Off by default.
++``emit-lldp`` (bool)
++
++:    (networkd backend only) Whether to emit LLDP packets. Off by default.
++
  ## Common properties for all device types
@@ -143,6 +147,11 @@ Virtual devices
      in ``networks:``, for a device type (in e. g. ``ethernets:``) or
      for a particular device definition. Default is ``networkd``.
++    The ``renderer`` property has one additional acceptable value for vlan objects
++    (i. e. defined in ``vlans:``): ``sriov``. If a vlan is defined with the ``sriov``
++    renderer for an SR-IOV Virtual Function interface, this causes netplan to set
++    up a hardware VLAN filter for it. There can be only one defined per VF.
++
  ``dhcp4`` (bool)
  :   Enable DHCP for IPv4. Off by default.
@@ -198,7 +207,7 @@ Virtual devices
  :   (networkd backend only) Designate the connection as "critical to the
      system", meaning that special care will be taken by systemd-networkd to
--    not release the IP from DHCP when the daemon is restarted.
++    not release the assigned IP when the daemon is restarted.
  ``dhcp-identifier`` (scalar)
@@ -235,6 +244,12 @@ Virtual devices
      Example: ``addresses: [192.168.14.2/24, "2001:1::1/64"]``
++``ipv6-address-generation`` (scalar)
++
++:   Configure method for creating the address for use with RFC4862 IPv6
++    Stateless Address Autoconfiguration. Possible values are ``eui64``
++    or ``stable-privacy``.
++
  ``gateway4``, ``gateway6`` (scalar)
  :   Set default gateway for IPv4/6, for manual address configuration. This
@@ -540,10 +555,77 @@ interfaces, as well as individual wifi networks, by means of the ``auth`` block.
       :    Password to use to decrypt the private key specified in
            ``client-key`` if it is encrypted.
++     ``phase2-auth`` (scalar)
++     :    Phase 2 authentication mechanism.
++
  ## Properties for device type ``ethernets:``
--Ethernet device definitions do not support any specific properties beyond the
--common ones described above.
++Ethernet device definitions, beyond common ones described above, also support
++some additional properties that can be used for SR-IOV devices.
++
++``link`` (scalar)
++
++:    (SR-IOV devices only) The ``link`` property declares the device as a
++     Virtual Function of the selected Physical Function device, as identified
++     by the given netplan id.
++
++Example:
++
++    ethernets:
++      enp1: {...}
++      enp1s16f1:
++        link: enp1
++
++``virtual-function-count`` (scalar)
++
++:    (SR-IOV devices only) In certain special cases VFs might need to be
++     configured outside of netplan. For such configurations ``virtual-function-count``
++     can be optionally used to set an explicit number of Virtual Functions for
++     the given Physical Function. If unset, the default is to create only as many
++     VFs as are defined in the netplan configuration. This should be used for special
++     cases only.
++
++## Properties for device type ``modems:``
++GSM/CDMA modem configuration is only supported for the ``NetworkManager`` backend. ``systemd-networkd`` does
++not support modems.
++
++``apn`` (scalar)
++:    Set the carrier APN (Access Point Name). This can be omitted if ``auto-config`` is enabled.
++
++``auto-config`` (bool)
++:    Specify whether to try and autoconfigure the modem by doing a lookup of the carrier
++     against the Mobile Broadband Provider database. This may not work for all carriers.
++
++``device-id`` (scalar)
++:    Specify the device ID (as given by the WWAN management service) of the modem to match.
++     This can be found using ``mmcli``.
++
++``network-id`` (scalar)
++:    Specify the Network ID (GSM LAI format). If this is specified, the device will not roam networks.
++
++``number`` (scalar)
++:    The number to dial to establish the connection to the mobile broadband network. (Deprecated for GSM)
++
++``password`` (scalar)
++:    Specify the password used to authenticate with the carrier network. This can be omitted
++     if ``auto-config`` is enabled.
++
++``pin`` (scalar)
++:    Specify the SIM PIN to allow it to operate if a PIN is set.
++
++``sim-id`` (scalar)
++:    Specify the SIM unique identifier (as given by the WWAN management service) which this
++     connection applies to. If given, the connection will apply to any device also allowed by
++     ``device-id`` which contains a SIM card matching the given identifier.
++
++``sim-operator-id`` (scalar)
++:    Specify the MCC/MNC string (such as "310260" or "21601") which identifies the carrier that
++     this connection should apply to. If given, the connection will apply to any device also
++     allowed by ``device-id`` and ``sim-id`` which contains a SIM card provisioned by the given operator.
++
++``username`` (scalar)
++:    Specify the username used to authentiate with the carrier network. This can be omitted if
++     ``auto-config`` is enabled.
  ## Properties for device type ``wifis:``
  Note that ``systemd-networkd`` does not natively support wifi, so you need
@@ -575,6 +657,28 @@ wpasupplicant installed if you let the ``networkd`` renderer handle wifi.
            and ``adhoc`` (peer to peer networks without a central access point).
            ``ap`` is only supported with NetworkManager.
++     ``bssid`` (scalar)
++     :    If specified, directs the device to only associate with the given
++          access point.
++
++     ``band`` (scalar)
++     :    Possible bands are ``5GHz`` (for 5GHz 802.11a) and ``2.4GHz``
++          (for 2.4GHz 802.11), do not restrict the 802.11 frequency band of the
++          network if unset (the default).
++
++     ``channel`` (scalar)
++     :    Wireless channel to use for the Wi-Fi connection. Because channel
++          numbers overlap between bands, this property takes effect only if
++          the ``band`` property is also set.
++
++``wakeonwlan`` (sequence of scalars)
++
++:    This enables WakeOnWLan on supported devices. Not all drivers support all
++     options. May be any combination of ``any``, ``disconnect``, ``magic_pkt``,
++     ``gtk_rekey_failure``, ``eap_identity_req``, ``four_way_handshake``,
++     ``rfkill_release`` or ``tcp`` (NetworkManager only). Or the exclusive
++     ``default`` flag (the default).
++
  ## Properties for device type ``bridges:``
  ``interfaces`` (sequence of scalars)
@@ -898,6 +1002,34 @@ Example:
          addresses: ...
++## Backend-specific configuration parameters
++
++In addition to the other fields available to configure interfaces, some
++backends may require to record some of their own parameters in netplan,
++especially if the netplan definitions are generated automatically by the
++consumer of that backend. Currently, this is only used with ``NetworkManager``.
++
++``networkmanager`` (mapping)
++
++:    Keeps the NetworkManager-specific configuration parameters used by the
++     daemon to recognize connections.
++
++     ``name`` (scalar)
++     :    Set the display name for the connection.
++
++     ``uuid`` (scalar)
++     :    Defines the UUID (unique identifier) for this connection, as
++          generated by NetworkManager itself.
++
++     ``stable-id`` (scalar)
++     :    Defines the stable ID (a different form of a connection name) used
++          by NetworkManager in case the name of the connection might otherwise
++          change, such as when sharing connections between users.
++
++     ``device`` (scalar)
++     :    Defines the interface name for which this connection applies.
++
++
  ## Examples
  Configure an ethernet device with networkd, identified by its name, and enable
  DHCP:
 diff --git a/examples/dhcp_wired8021x.yaml b/examples/dhcp_wired8021x.yaml
 new file mode 100644
 index 0000000..9f401dd
 --- /dev/null
 +++ b/examples/dhcp_wired8021x.yaml
@@ -0,0 +1,11 @@
++network:
++  version: 2
++  renderer: networkd
++  ethernets:
++    enp3s0:
++      dhcp4: true
++      auth:
++        key-management: 802.1x
++        method: ttls
++        identity: fluffy@cisco.com
++        password: hash:83...11
 diff --git a/examples/direct_connect_gateway_ipv6.yaml b/examples/direct_connect_gateway_ipv6.yaml
 new file mode 100644
 index 0000000..3f821d3
 --- /dev/null
 +++ b/examples/direct_connect_gateway_ipv6.yaml
@@ -0,0 +1,11 @@
++network:
++  version: 2
++  renderer: networkd
++  ethernets:
++    addresses: [ "2001:cafe:face:beef::dead:dead/64" ]
++    routes:
++      - to: "2001:cafe:face::1/128"
++        scope: link
++      - to: "::/0"
++        via: "2001:cafe:face::1"
++        on-link: true
 diff --git a/examples/modem.yaml b/examples/modem.yaml
 new file mode 100644
 index 0000000..043d74a
 --- /dev/null
 +++ b/examples/modem.yaml
@@ -0,0 +1,15 @@
++network:
++  version: 2
++  renderer: NetworkManager
++  modems:
++    cdc-wdm1:
++      mtu: 1600
++      apn: ISP.CINGULAR
++      username: ISP@CINGULARGPRS.COM
++      password: CINGULAR1
++      number: "*99#"
++      network-id: 24005
++      device-id: da812de91eec16620b06cd0ca5cbc7ea25245222
++      pin: 2345
++      sim-id: 89148000000060671234
++      sim-operator-id: 310260
 diff --git a/netplan/cli/commands/apply.py b/netplan/cli/commands/apply.py
 index 3e7019d..0ec95f5 100644
 --- a/netplan/cli/commands/apply.py
 +++ b/netplan/cli/commands/apply.py
@@ -1,7 +1,8 @@
  #!/usr/bin/python3
+ #
--# Copyright (C) 2018 Canonical, Ltd.
++# Copyright (C) 2018-2020 Canonical, Ltd.
  # Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
++# Author: Łukasz 'sil2100' Zemczak <lukasz.zemczak@canonical.com>
+ #
  # This program is free software; you can redistribute it and/or modify
  # it under the terms of the GNU General Public License as published by
@@ -26,6 +27,7 @@ import shutil
  import netplan.cli.utils as utils
  from netplan.configmanager import ConfigManager, ConfigurationError
++from netplan.cli.sriov import apply_sriov_config
  import netifaces
@@ -74,7 +76,14 @@ class NetplanApply(utils.NetplanCommand):
          old_files_networkd = bool(glob.glob('/run/systemd/network/*netplan-*'))
          old_files_nm = bool(glob.glob('/run/NetworkManager/system-connections/netplan-*'))
--        if run_generate and subprocess.call([utils.get_generator_path()]) != 0:
++        generator_call = []
++        generate_out = None
++        if 'NETPLAN_PROFILE' in os.environ:
++            generator_call.extend(['valgrind', '--leak-check=full'])
++            generate_out = subprocess.STDOUT
++
++        generator_call.append(utils.get_generator_path())
++        if run_generate and subprocess.call(generator_call, stderr=generate_out) != 0:
              if exit_on_error:
                  sys.exit(os.EX_CONFIG)
              else:
@@ -118,11 +127,22 @@ class NetplanApply(utils.NetplanCommand):
          else:
              logging.debug('no netplan generated NM configuration exists')
++        # Refresh devices now; restarting a backend might have made something appear.
++        devices = netifaces.interfaces()
++
          # evaluate config for extra steps we need to take (like renaming)
          # for now, only applies to non-virtual (real) devices.
          config_manager.parse()
          changes = NetplanApply.process_link_changes(devices, config_manager)
++        # apply any SR-IOV related changes, if applicable
++        try:
++            apply_sriov_config(devices, config_manager)
++        except (ConfigurationError, RuntimeError) as e:
++            logging.error(str(e))
++            if exit_on_error:
++                sys.exit(1)
++
          # if the interface is up, we can still apply some .link file changes
          devices = netifaces.interfaces()
          for device in devices:
@@ -216,28 +236,9 @@ class NetplanApply(utils.NetplanCommand):
                  # do not rename members of virtual devices. MAC addresses
                  # may be the same for all interface members.
                  continue
--            # try to get the device's driver for matching.
--            devdir = os.path.join('/sys/class/net', interface)
--            try:
--                with open(os.path.join(devdir, 'operstate')) as f:
--                    state = f.read().strip()
--                    if state != 'down':
--                        logging.debug('device %s operstate is %s, not changing', interface, state)
--                        continue
--            except IOError as e:
--                logging.error('Cannot determine operstate of %s: %s', interface, str(e))
--                continue
--            try:
--                driver = os.path.realpath(os.path.join(devdir, 'device', 'driver'))
--                driver_name = os.path.basename(driver)
--            except IOError as e:
--                logging.debug('Cannot replug %s: cannot read link %s/device: %s', interface, devdir, str(e))
--                driver_name = None
--                pass
--
--            link = netifaces.ifaddresses(interface)[netifaces.AF_LINK][0]
--            macaddress = link.get('addr')
++            driver_name = utils.get_interface_driver_name(interface, only_down=True)
++            macaddress = utils.get_interface_macaddress(interface)
              if driver_name in matches['by-driver']:
                  new_name = matches['by-driver'][driver_name]
                  logging.debug(new_name)
 diff --git a/netplan/cli/sriov.py b/netplan/cli/sriov.py
 new file mode 100644
 index 0000000..8feacf1
 --- /dev/null
 +++ b/netplan/cli/sriov.py
@@ -0,0 +1,320 @@
++#!/usr/bin/python3
++#
++# Copyright (C) 2020 Canonical, Ltd.
++# Author: Łukasz 'sil2100' Zemczak <lukasz.zemczak@canonical.com>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; version 3.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++import logging
++import os
++import subprocess
++
++from collections import defaultdict
++
++import netplan.cli.utils as utils
++from netplan.configmanager import ConfigurationError
++
++import netifaces
++
++
++def _get_target_interface(interfaces, config_manager, pf_link, pfs):
++    if pf_link not in pfs:
++        # handle the match: syntax, get the actual device name
++        pf_match = config_manager.ethernets[pf_link].get('match')
++        if pf_match:
++            by_name = pf_match.get('name')
++            by_mac = pf_match.get('macaddress')
++            by_driver = pf_match.get('driver')
++
++            for interface in interfaces:
++                if ((by_name and not utils.is_interface_matching_name(interface, by_name)) or
++                        (by_mac and not utils.is_interface_matching_macaddress(interface, by_mac)) or
++                        (by_driver and not utils.is_interface_matching_driver_name(interface, by_driver))):
++                    continue
++                # we have a matching PF
++                # store the matching interface in the dictionary of
++                # active PFs, but error out if we matched more than one
++                if pf_link in pfs:
++                    raise ConfigurationError('matched more than one interface for a PF device: %s' % pf_link)
++                pfs[pf_link] = interface
++        else:
++            # no match field, assume entry name is interface name
++            if pf_link in interfaces:
++                pfs[pf_link] = pf_link
++
++    return pfs.get(pf_link, None)
++
++
++def get_vf_count_and_functions(interfaces, config_manager,
++                               vf_counts, vfs, pfs):
++    """
++    Go through the list of netplan ethernet devices and identify which are
++    PFs and VFs, matching the former with actual networking interfaces.
++    Count how many VFs each PF will need.
++    """
++    explicit_counts = {}
++    for ethernet, settings in config_manager.ethernets.items():
++        if not settings:
++            continue
++        if ethernet == 'renderer':
++            continue
++
++        # we now also support explicitly stating how many VFs should be
++        # allocated for a PF
++        explicit_num = settings.get('virtual-function-count')
++        if explicit_num:
++            pf = _get_target_interface(interfaces, config_manager, ethernet, pfs)
++            if pf:
++                explicit_counts[pf] = explicit_num
++            continue
++
++        pf_link = settings.get('link')
++        if pf_link and pf_link in config_manager.ethernets:
++            _get_target_interface(interfaces, config_manager, pf_link, pfs)
++
++            if pf_link in pfs:
++                vf_counts[pfs[pf_link]] += 1
++            else:
++                logging.warning('could not match physical interface for the defined PF: %s' % pf_link)
++                # continue looking for other VFs
++                continue
++
++            # we can't yet perform matching on VFs as those are only
++            # created later - but store, for convenience, all the valid
++            # VFs that we encounter so far
++            vfs[ethernet] = None
++
++    # sanity check: since we can explicitly state the VF count, make sure
++    # that this number isn't smaller than the actual number of VFs declared
++    # the explicit number also overrides the number of actual VFs
++    for pf, count in explicit_counts.items():
++        if pf in vf_counts and vf_counts[pf] > count:
++            raise ConfigurationError(
++                'more VFs allocated than the explicit size declared: %s > %s' % (vf_counts[pf], count))
++        vf_counts[pf] = count
++
++
++def set_numvfs_for_pf(pf, vf_count):
++    """
++    Allocate the required number of VFs for the selected PF.
++    """
++    if vf_count > 256:
++        raise ConfigurationError(
++            'cannot allocate more VFs for PF %s than the SR-IOV maximum: %s > 256' % (pf, vf_count))
++
++    devdir = os.path.join('/sys/class/net', pf, 'device')
++    numvfs_path = os.path.join(devdir, 'sriov_numvfs')
++    totalvfs_path = os.path.join(devdir, 'sriov_totalvfs')
++    try:
++        with open(totalvfs_path) as f:
++            vf_max = int(f.read().strip())
++    except IOError as e:
++        raise RuntimeError('failed parsing sriov_totalvfs for %s: %s' % (pf, str(e)))
++    except ValueError:
++        raise RuntimeError('invalid sriov_totalvfs value for %s' % pf)
++
++    if vf_count > vf_max:
++        raise ConfigurationError(
++            'cannot allocate more VFs for PF %s than supported: %s > %s (sriov_totalvfs)' % (pf, vf_count, vf_max))
++
++    try:
++        with open(numvfs_path, 'w') as f:
++            f.write(str(vf_count))
++    except IOError as e:
++        bail = True
++        if e.errno == 16:  # device or resource busy
++            logging.warning('device or resource busy while setting sriov_numvfs for %s, trying workaround' % pf)
++            try:
++                # doing this in two open/close sequences so that
++                # it's as close to writing via shell as possible
++                with open(numvfs_path, 'w') as f:
++                    f.write('0')
++                with open(numvfs_path, 'w') as f:
++                    f.write(str(vf_count))
++            except IOError as e_inner:
++                e = e_inner
++            else:
++                bail = False
++        if bail:
++            raise RuntimeError('failed setting sriov_numvfs to %s for %s: %s' % (vf_count, pf, str(e)))
++
++    return True
++
++
++def perform_hardware_specific_quirks(pf):
++    """
++    Perform any hardware-specific quirks for the given SR-IOV device to make
++    sure all the VF-count changes are applied.
++    """
++    devdir = os.path.join('/sys/class/net', pf, 'device')
++    try:
++        with open(os.path.join(devdir, 'vendor')) as f:
++            device_id = f.read().strip()[2:]
++        with open(os.path.join(devdir, 'device')) as f:
++            vendor_id = f.read().strip()[2:]
++    except IOError as e:
++        raise RuntimeError('could not determine vendor and device ID of %s: %s' % (pf, str(e)))
++
++    combined_id = ':'.join([vendor_id, device_id])
++    quirk_devices = ()  # TODO: add entries to the list
++    if combined_id in quirk_devices:
++        # some devices need special handling, so this is the place
++
++        # Currently this part is empty, but has been added as a preemptive
++        # measure, as apparently a lot of SR-IOV cards have issues with
++        # dynamically allocating VFs. Some cards seem to require a full
++        # kernel module reload cycle after changing the sriov_numvfs value
++        # for the changes to come into effect.
++        # Any identified card/vendor can then be special-cased here, if
++        # needed.
++        pass
++
++
++def apply_vlan_filter_for_vf(pf, vf, vlan_name, vlan_id, prefix='/'):
++    """
++    Apply the hardware VLAN filtering for the selected VF.
++    """
++
++    # this is more complicated, because to do this, we actually need to have
++    # the vf index - just knowing the vf interface name is not enough
++    vf_index = None
++    # the prefix argument is here only for unit testing purposes
++    vf_devdir = os.path.join(prefix, 'sys/class/net', vf, 'device')
++    vf_dev_id = os.path.basename(os.readlink(vf_devdir))
++    pf_devdir = os.path.join(prefix, 'sys/class/net', pf, 'device')
++    for f in os.listdir(pf_devdir):
++        if 'virtfn' in f:
++            dev_path = os.path.join(pf_devdir, f)
++            dev_id = os.path.basename(os.readlink(dev_path))
++            if dev_id == vf_dev_id:
++                vf_index = f[6:]
++                break
++
++    if not vf_index:
++        raise RuntimeError(
++            'could not determine the VF index for %s while configuring vlan %s' % (vf, vlan_name))
++
++    # now, create the VLAN filter
++    # TODO: would be best if we did this directl via python, without calling
++    #  the iproute tooling
++    try:
++        subprocess.check_call(['ip', 'link', 'set',
++                               'dev', pf,
++                               'vf', vf_index,
++                               'vlan', str(vlan_id)],
++                              stdout=subprocess.DEVNULL,
++                              stderr=subprocess.DEVNULL)
++    except subprocess.CalledProcessError:
++        raise RuntimeError(
++            'failed setting SR-IOV VLAN filter for vlan %s (ip link set command failed)' % vlan_name)
++
++
++def apply_sriov_config(interfaces, config_manager):
++    """
++    Go through all interfaces, identify which ones are SR-IOV VFs, create
++    them and perform all other necessary setup.
++    """
++
++    # for sr-iov devices, we identify VFs by them having a link: field
++    # pointing to an PF. So let's browse through all ethernet devices,
++    # find all that are VFs and count how many of those are linked to
++    # particular PFs, as we need to then set the numvfs for each.
++    vf_counts = defaultdict(int)
++    # we also store all matches between VF/PF netplan entry names and
++    # interface that they're currently matching to
++    vfs = {}
++    pfs = {}
++
++    get_vf_count_and_functions(
++        interfaces, config_manager, vf_counts, vfs, pfs)
++
++    # setup the required number of VFs per PF
++    # at the same time store which PFs got changed in case the NICs
++    # require some special quirks for the VF number to change
++    vf_count_changed = []
++    if vf_counts:
++        for pf, vf_count in vf_counts.items():
++            if not set_numvfs_for_pf(pf, vf_count):
++                continue
++
++            vf_count_changed.append(pf)
++
++    if vf_count_changed:
++        # some cards need special treatment when we want to change the
++        # number of enabled VFs
++        for pf in vf_count_changed:
++            perform_hardware_specific_quirks(pf)
++
++        # also, since the VF number changed, the interfaces list also
++        # changed, so we need to refresh it
++        interfaces = netifaces.interfaces()
++
++    # now in theory we should have all the new VFs set up and existing;
++    # this is needed because we will have to now match the defined VF
++    # entries to existing interfaces, otherwise we won't be able to set
++    # filtered VLANs for those.
++    # XXX: does matching those even make sense?
++    for vf in vfs:
++        settings = config_manager.ethernets.get(vf)
++        match = settings.get('match')
++        if match:
++            # right now we only match by name, as I don't think matching per
++            # driver and/or macaddress makes sense
++            by_name = match.get('name')
++            # by_mac = match.get('macaddress')
++            # by_driver = match.get('driver')
++            # TODO: print warning if other matches are provided
++
++            for interface in interfaces:
++                if by_name and not utils.is_interface_matching_name(interface, by_name):
++                    continue
++                if vf in vfs and vfs[vf]:
++                    raise ConfigurationError('matched more than one interface for a VF device: %s' % vf)
++                vfs[vf] = interface
++        else:
++            if vf in interfaces:
++                vfs[vf] = vf
++
++    filtered_vlans_set = set()
++    for vlan, settings in config_manager.vlans.items():
++        # there is a special sriov vlan renderer that one can use to mark
++        # a selected vlan to be done in hardware (VLAN filtering)
++        if settings.get('renderer') == 'sriov':
++            # this only works for SR-IOV VF interfaces
++            link = settings.get('link')
++            vlan_id = settings.get('id')
++            if not vlan_id:
++                raise ConfigurationError(
++                    'no id property defined for SR-IOV vlan %s' % vlan)
++
++            vf = vfs.get(link)
++            if not vf:
++                # it is possible this is not an error, for instance when
++                # the configuration has been defined 'for the future'
++                # XXX: but maybe we should error out here as well?
++                logging.warning(
++                    'SR-IOV vlan defined for %s but link %s is either not a VF or has no matches' % (vlan, link))
++                continue
++
++            # get the parent pf interface
++            # first we fetch the related vf netplan entry
++            vf_parent_entry = config_manager.ethernets.get(link).get('link')
++            # and finally, get the matched pf interface
++            pf = pfs.get(vf_parent_entry)
++
++            if vf in filtered_vlans_set:
++                raise ConfigurationError(
++                    'interface %s for netplan device %s (%s) already has an SR-IOV vlan defined' % (vf, link, vlan))
++
++            apply_vlan_filter_for_vf(pf, vf, vlan, vlan_id)
++            filtered_vlans_set.add(vf)
 diff --git a/netplan/cli/utils.py b/netplan/cli/utils.py
 index 0d1b53f..5f54b1a 100644
 --- a/netplan/cli/utils.py
 +++ b/netplan/cli/utils.py
@@ -1,7 +1,8 @@
  #!/usr/bin/python3
+ #
--# Copyright (C) 2018 Canonical, Ltd.
++# Copyright (C) 2018-2020 Canonical, Ltd.
  # Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
++# Author: Łukasz 'sil2100' Zemczak <lukasz.zemczak@canonical.com>
+ #
  # This program is free software; you can redistribute it and/or modify
  # it under the terms of the GNU General Public License as published by
@@ -17,8 +18,11 @@
  import sys
  import os
++import logging
++import fnmatch
  import argparse
  import subprocess
++import netifaces
  NM_SERVICE_NAME = 'NetworkManager.service'
  NM_SNAP_SERVICE_NAME = 'snap.network-manager.networkmanager.service'
@@ -82,6 +86,51 @@ def systemctl_networkd(action, sync=False, extra_services=[]):  # pragma: nocove
      subprocess.check_call(command)
++def get_interface_driver_name(interface, only_down=False):  # pragma: nocover (covered in autopkgtest)
++    devdir = os.path.join('/sys/class/net', interface)
++    if only_down:
++        try:
++            with open(os.path.join(devdir, 'operstate')) as f:
++                state = f.read().strip()
++                if state != 'down':
++                    logging.debug('device %s operstate is %s, not changing', interface, state)
++                    return None
++        except IOError as e:
++            logging.error('Cannot determine operstate of %s: %s', interface, str(e))
++            return None
++
++    try:
++        driver = os.path.realpath(os.path.join(devdir, 'device', 'driver'))
++        driver_name = os.path.basename(driver)
++    except IOError as e:
++        logging.debug('Cannot replug %s: cannot read link %s/device: %s', interface, devdir, str(e))
++        return None
++
++    return driver_name
++
++
++def get_interface_macaddress(interface):  # pragma: nocover (covered in autopkgtest)
++    link = netifaces.ifaddresses(interface)[netifaces.AF_LINK][0]
++
++    return link.get('addr')
++
++
++def is_interface_matching_name(interface, match_driver):
++    return fnmatch.fnmatchcase(interface, match_driver)
++
++
++def is_interface_matching_driver_name(interface, match_driver):
++    driver_name = get_interface_driver_name(interface)
++
++    return match_driver == driver_name
++
++
++def is_interface_matching_macaddress(interface, match_mac):
++    macaddress = get_interface_macaddress(interface)
++
++    return match_mac == macaddress
++
++
  class NetplanCommand(argparse.Namespace):
      def __init__(self, command_id, description, leaf=True, testing=False):
 diff --git a/src/generate.c b/src/generate.c
 index 2106994..c020d8f 100644
 --- a/src/generate.c
 +++ b/src/generate.c
@@ -53,9 +53,9 @@ reload_udevd(void)
  static void
  nd_iterator_list(gpointer value, gpointer user_data)
+ {
--    if (write_networkd_conf((net_definition*) value, (const char*) user_data))
++    if (write_networkd_conf((NetplanNetDefinition*) value, (const char*) user_data))
          any_networkd = TRUE;
--    write_nm_conf((net_definition*) value, (const char*) user_data);
++    write_nm_conf((NetplanNetDefinition*) value, (const char*) user_data);
+ }
@@ -91,7 +91,7 @@ find_interface(gchar* interface)
      g_hash_table_iter_init (&iter, netdefs);
      while (g_hash_table_iter_next (&iter, &key, &value)) {
--        net_definition *nd = (net_definition *) value;
++        NetplanNetDefinition *nd = (NetplanNetDefinition *) value;
          if (!g_strcmp0(nd->set_name, interface))
              g_ptr_array_add (found, (gpointer) nd);
          else if (!g_strcmp0(nd->id, interface))
@@ -104,7 +104,7 @@ find_interface(gchar* interface)
          // LCOV_EXCL_START
          g_hash_table_iter_init (&iter, netdefs);
          while (g_hash_table_iter_next (&iter, &key, &value)) {
--            net_definition *nd = (net_definition *) value;
++            NetplanNetDefinition *nd = (NetplanNetDefinition *) value;
              if (!g_strcmp0(nd->match.driver, driver))
                  g_ptr_array_add (found, (gpointer) nd);
+         }
@@ -118,10 +118,10 @@ find_interface(gchar* interface)
          goto exit_find;
+     }
      else {
--         net_definition *nd = (net_definition *)g_ptr_array_index (found, 0);
++         const NetplanNetDefinition *nd = (NetplanNetDefinition *)g_ptr_array_index (found, 0);
           g_printf("id=%s, backend=%s, set_name=%s, match_name=%s, match_mac=%s, match_driver=%s\n",
               nd->id,
--             netdef_backend_to_name[nd->backend],
++             netplan_backend_to_name[nd->backend],
               nd->set_name,
               nd->match.original_name,
               nd->match.mac,
@@ -141,7 +141,7 @@ process_input_file(const char* f)
      GError* error = NULL;
      g_debug("Processing input file %s..", f);
--    if (!parse_yaml(f, &error)) {
++    if (!netplan_parse_yaml(f, &error)) {
          g_fprintf(stderr, "%s\n", error->message);
          exit(1);
+     }
@@ -237,7 +237,8 @@ int main(int argc, char** argv)
              process_input_file(g_hash_table_lookup(configs, i->data));
+     }
--    if (!finish_parse(&error)) {
++    netdefs = netplan_finish_parse(&error);
++    if (error) {
          g_fprintf(stderr, "%s\n", error->message);
          exit(1);
+     }
@@ -266,7 +267,7 @@ int main(int argc, char** argv)
      /* Disable /usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf
       * (which restricts NM to wifi and wwan) if global renderer is NM */
--    if (get_global_backend() == BACKEND_NM)
++    if (netplan_get_global_backend() == NETPLAN_BACKEND_NM)
          g_string_free_to_file(g_string_new(NULL), rootdir, "/run/NetworkManager/conf.d/10-globally-managed-devices.conf", NULL);
      if (called_as_generator) {
 diff --git a/src/netplan-wpa@.service b/src/netplan-wpa@.service
 deleted file mode 100644
 index d2670d9..0000000
 --- a/src/netplan-wpa@.service
 +++ /dev/null
@@ -1,11 +0,0 @@
--[Unit]
--Description=WPA supplicant for netplan %I
--DefaultDependencies=no
--Requires=sys-subsystem-net-devices-%i.device
--After=sys-subsystem-net-devices-%i.device
--Before=network.target
--Wants=network.target
--
--[Service]
--Type=simple
--ExecStart=/sbin/wpa_supplicant -c /run/netplan/wpa-%I.conf -i%I
 diff --git a/src/networkd.c b/src/networkd.c
 index b6d276f..e2bb111 100644
 --- a/src/networkd.c
 +++ b/src/networkd.c
@@ -16,7 +16,9 @@
   */
  #include <stdlib.h>
++#include <string.h>
  #include <unistd.h>
++#include <ctype.h>
  #include <errno.h>
  #include <sys/stat.h>
@@ -27,12 +29,39 @@
  #include "parse.h"
  #include "util.h"
++/**
++ * Append WiFi frequencies to wpa_supplicant's freq_list=
++ */
++static void
++wifi_append_freq(gpointer key, gpointer value, gpointer user_data)
++{
++    GString* s = user_data;
++    g_string_append_printf(s, "%d ", GPOINTER_TO_INT(value));
++}
++
++/**
++ * append wowlan_triggers= string for wpa_supplicant.conf
++ */
++static void
++append_wifi_wowlan_flags(NetplanWifiWowlanFlag flag, GString* str) {
++    if (flag & NETPLAN_WIFI_WOWLAN_TYPES[0].flag || flag >= NETPLAN_WIFI_WOWLAN_TCP) {
++        g_fprintf(stderr, "ERROR: unsupported wowlan_triggers mask: 0x%x\n", flag);
++        exit(1);
++    }
++    for (unsigned i = 0; NETPLAN_WIFI_WOWLAN_TYPES[i].name != NULL; ++i) {
++        if (flag & NETPLAN_WIFI_WOWLAN_TYPES[i].flag) {
++            g_string_append_printf(str, "%s ", NETPLAN_WIFI_WOWLAN_TYPES[i].name);
++        }
++    }
++    /* replace trailing space with newline */
++    str = g_string_overwrite(str, str->len-1, "\n");
++}
  /**
   * Append [Match] section of @def to @s.
   */
  static void
--append_match_section(net_definition* def, GString* s, gboolean match_rename)
++append_match_section(const NetplanNetDefinition* def, GString* s, gboolean match_rename)
+ {
      /* Note: an empty [Match] section is interpreted as matching all devices,
       * which is what we want for the simple case that you only have one device
@@ -48,7 +77,7 @@ append_match_section(net_definition* def, GString* s, gboolean match_rename)
      if (!match_rename && def->match.original_name)
          g_string_append_printf(s, "OriginalName=%s\n", def->match.original_name);
      if (match_rename) {
--        if (def->type >= ND_VIRTUAL)
++        if (def->type >= NETPLAN_DEF_TYPE_VIRTUAL)
              g_string_append_printf(s, "Name=%s\n", def->id);
          else if (def->set_name)
              g_string_append_printf(s, "Name=%s\n", def->set_name);
@@ -76,7 +105,7 @@ append_match_section(net_definition* def, GString* s, gboolean match_rename)
+ }
  static void
--write_bridge_params(GString* s, net_definition* def)
++write_bridge_params(GString* s, const NetplanNetDefinition* def)
+ {
      GString *params = NULL;
@@ -102,14 +131,14 @@ write_bridge_params(GString* s, net_definition* def)
+ }
  static void
--write_tunnel_params(GString* s, net_definition* def)
++write_tunnel_params(GString* s, const NetplanNetDefinition* def)
+ {
      GString *params = NULL;
      params = g_string_sized_new(200);
      g_string_printf(params, "Independent=true\n");
--    if (def->tunnel.mode == TUNNEL_MODE_IPIP6 || def->tunnel.mode == TUNNEL_MODE_IP6IP6)
++    if (def->tunnel.mode == NETPLAN_TUNNEL_MODE_IPIP6 || def->tunnel.mode == NETPLAN_TUNNEL_MODE_IP6IP6)
          g_string_append_printf(params, "Mode=%s\n", tunnel_mode_to_string(def->tunnel.mode));
      g_string_append_printf(params, "Local=%s\n", def->tunnel.local_ip);
      g_string_append_printf(params, "Remote=%s\n", def->tunnel.remote_ip);
@@ -123,13 +152,15 @@ write_tunnel_params(GString* s, net_definition* def)
+ }
  static void
--write_link_file(net_definition* def, const char* rootdir, const char* path)
++write_link_file(const NetplanNetDefinition* def, const char* rootdir, const char* path)
+ {
      GString* s = NULL;
      mode_t orig_umask;
--    /* Don't write .link files for virtual devices; they use .netdev instead */
--    if (def->type >= ND_VIRTUAL)
++    /* Don't write .link files for virtual devices; they use .netdev instead.
++     * Don't write .link files for MODEM devices, as they aren't supported by networkd.
++     */
++    if (def->type >= NETPLAN_DEF_TYPE_VIRTUAL || def->type == NETPLAN_DEF_TYPE_MODEM)
          return;
      /* do we need to write a .link file? */
@@ -170,7 +201,7 @@ interval_has_suffix(const char* param) {
  static void
--write_bond_parameters(net_definition* def, GString* s)
++write_bond_parameters(const NetplanNetDefinition* def, GString* s)
+ {
      GString* params = NULL;
@@ -249,12 +280,17 @@ write_bond_parameters(net_definition* def, GString* s)
+ }
  static void
--write_netdev_file(net_definition* def, const char* rootdir, const char* path)
++write_netdev_file(const NetplanNetDefinition* def, const char* rootdir, const char* path)
+ {
      GString* s = NULL;
      mode_t orig_umask;
--    g_assert(def->type >= ND_VIRTUAL);
++    g_assert(def->type >= NETPLAN_DEF_TYPE_VIRTUAL);
++
++    if (def->type == NETPLAN_DEF_TYPE_VLAN && def->sriov_vlan_filter) {
++        g_debug("%s is defined as a hardware SR-IOV filtered VLAN, postponing creation", def->id);
++        return;
++    }
      /* build file contents */
      s = g_string_sized_new(200);
@@ -266,37 +302,37 @@ write_netdev_file(net_definition* def, const char* rootdir, const char* path)
          g_string_append_printf(s, "MTUBytes=%u\n", def->mtubytes);
      switch (def->type) {
--        case ND_BRIDGE:
++        case NETPLAN_DEF_TYPE_BRIDGE:
              g_string_append(s, "Kind=bridge\n");
              write_bridge_params(s, def);
              break;
--        case ND_BOND:
++        case NETPLAN_DEF_TYPE_BOND:
              g_string_append(s, "Kind=bond\n");
              write_bond_parameters(def, s);
              break;
--        case ND_VLAN:
++        case NETPLAN_DEF_TYPE_VLAN:
              g_string_append_printf(s, "Kind=vlan\n\n[VLAN]\nId=%u\n", def->vlan_id);
              break;
--        case ND_TUNNEL:
++        case NETPLAN_DEF_TYPE_TUNNEL:
              switch(def->tunnel.mode) {
--                case TUNNEL_MODE_GRE:
--                case TUNNEL_MODE_GRETAP:
--                case TUNNEL_MODE_IPIP:
--                case TUNNEL_MODE_IP6GRE:
--                case TUNNEL_MODE_IP6GRETAP:
--                case TUNNEL_MODE_SIT:
--                case TUNNEL_MODE_VTI:
--                case TUNNEL_MODE_VTI6:
++                case NETPLAN_TUNNEL_MODE_GRE:
++                case NETPLAN_TUNNEL_MODE_GRETAP:
++                case NETPLAN_TUNNEL_MODE_IPIP:
++                case NETPLAN_TUNNEL_MODE_IP6GRE:
++                case NETPLAN_TUNNEL_MODE_IP6GRETAP:
++                case NETPLAN_TUNNEL_MODE_SIT:
++                case NETPLAN_TUNNEL_MODE_VTI:
++                case NETPLAN_TUNNEL_MODE_VTI6:
                      g_string_append_printf(s,
                                            "Kind=%s\n",
                                            tunnel_mode_to_string(def->tunnel.mode));
                      break;
--                case TUNNEL_MODE_IP6IP6:
--                case TUNNEL_MODE_IPIP6:
++                case NETPLAN_TUNNEL_MODE_IP6IP6:
++                case NETPLAN_TUNNEL_MODE_IPIP6:
                      g_string_append(s, "Kind=ip6tnl\n");
                      break;
@@ -323,7 +359,7 @@ write_netdev_file(net_definition* def, const char* rootdir, const char* path)
+ }
  static void
--write_route(ip_route* r, GString* s)
++write_route(NetplanIPRoute* r, GString* s)
+ {
      g_string_append_printf(s, "\n[Route]\n");
@@ -340,14 +376,14 @@ write_route(ip_route* r, GString* s)
          g_string_append_printf(s, "Type=%s\n", r->type);
      if (r->onlink)
          g_string_append_printf(s, "GatewayOnlink=true\n");
--    if (r->metric != METRIC_UNSPEC)
++    if (r->metric != NETPLAN_METRIC_UNSPEC)
          g_string_append_printf(s, "Metric=%d\n", r->metric);
--    if (r->table != ROUTE_TABLE_UNSPEC)
++    if (r->table != NETPLAN_ROUTE_TABLE_UNSPEC)
          g_string_append_printf(s, "Table=%d\n", r->table);
+ }
  static void
--write_ip_rule(ip_rule* r, GString* s)
++write_ip_rule(NetplanIPRule* r, GString* s)
+ {
      g_string_append_printf(s, "\n[RoutingPolicyRule]\n");
@@ -356,13 +392,13 @@ write_ip_rule(ip_rule* r, GString* s)
      if (r->to)
          g_string_append_printf(s, "To=%s\n", r->to);
--    if (r->table != ROUTE_TABLE_UNSPEC)
++    if (r->table != NETPLAN_ROUTE_TABLE_UNSPEC)
          g_string_append_printf(s, "Table=%d\n", r->table);
--    if (r->priority != IP_RULE_PRIO_UNSPEC)
++    if (r->priority != NETPLAN_IP_RULE_PRIO_UNSPEC)
          g_string_append_printf(s, "Priority=%d\n", r->priority);
--    if (r->fwmark != IP_RULE_FW_MARK_UNSPEC)
++    if (r->fwmark != NETPLAN_IP_RULE_FW_MARK_UNSPEC)
          g_string_append_printf(s, "FirewallMark=%d\n", r->fwmark);
--    if (r->tos != IP_RULE_TOS_UNSPEC)
++    if (r->tos != NETPLAN_IP_RULE_TOS_UNSPEC)
          g_string_append_printf(s, "TypeOfService=%d\n", r->tos);
+ }
@@ -371,7 +407,7 @@ write_ip_rule(ip_rule* r, GString* s)
      "dhcp4_overrides and dhcp6_overrides\n"
  static void
--combine_dhcp_overrides(net_definition* def, dhcp_overrides* combined_dhcp_overrides)
++combine_dhcp_overrides(const NetplanNetDefinition* def, NetplanDHCPOverrides* combined_dhcp_overrides)
+ {
      /* if only one of dhcp4 or dhcp6 is enabled, those overrides are used */
      if (def->dhcp4 && !def->dhcp6) {
@@ -424,13 +460,18 @@ combine_dhcp_overrides(net_definition* def, dhcp_overrides* combined_dhcp_overri
+ }
  static void
--write_network_file(net_definition* def, const char* rootdir, const char* path)
++write_network_file(const NetplanNetDefinition* def, const char* rootdir, const char* path)
+ {
      GString* network = NULL;
      GString* link = NULL;
      GString* s = NULL;
      mode_t orig_umask;
++    if (def->type == NETPLAN_DEF_TYPE_VLAN && def->sriov_vlan_filter) {
++        g_debug("%s is defined as a hardware SR-IOV filtered VLAN, postponing creation", def->id);
++        return;
++    }
++
      /* Prepare the [Link] section of the .network file. */
      link = g_string_sized_new(200);
@@ -441,13 +482,20 @@ write_network_file(net_definition* def, const char* rootdir, const char* path)
          if (def->optional) {
              g_string_append(link, "RequiredForOnline=no\n");
+         }
--        for (unsigned i = 0; optional_address_options[i].name != NULL; ++i) {
--            if (def->optional_addresses & optional_address_options[i].flag) {
--            g_string_append_printf(link, "OptionalAddresses=%s\n", optional_address_options[i].name);
++        for (unsigned i = 0; NETPLAN_OPTIONAL_ADDRESS_TYPES[i].name != NULL; ++i) {
++            if (def->optional_addresses & NETPLAN_OPTIONAL_ADDRESS_TYPES[i].flag) {
++            g_string_append_printf(link, "OptionalAddresses=%s\n", NETPLAN_OPTIONAL_ADDRESS_TYPES[i].name);
+             }
+         }
+     }
++    if (def->mtubytes) {
++        g_string_append_printf(link, "MTUBytes=%d\n", def->mtubytes);
++    }
++
++    if (def->emit_lldp) {
++        g_string_append(network, "EmitLLDP=true\n");
++    }
      if (def->dhcp4 && def->dhcp6)
          g_string_append(network, "DHCP=yes\n");
@@ -476,9 +524,18 @@ write_network_file(net_definition* def, const char* rootdir, const char* path)
      if (def->ip6_addresses)
          for (unsigned i = 0; i < def->ip6_addresses->len; ++i)
              g_string_append_printf(network, "Address=%s\n", g_array_index(def->ip6_addresses, char*, i));
--    if (def->accept_ra == ACCEPT_RA_ENABLED)
++    if (def->ip6_addr_gen_mode) {
++        /* TODO: Figure out how we can configure ipv6-address-generation for networkd.
++         *       IPv6Token= seems to be the corresponding option, but it doesn't do
++         *       exactly what we need and has quite some restrictions, c.f.:
++         *       https://github.com/systemd/systemd/issues/4625
++         *       https://github.com/systemd/systemd/pull/14415 */
++        g_fprintf(stderr, "ERROR: %s: ipv6-address-generation is not supported by networkd\n", def->id);
++        exit(1);
++    }
++    if (def->accept_ra == NETPLAN_RA_MODE_ENABLED)
          g_string_append_printf(network, "IPv6AcceptRA=yes\n");
--    else if (def->accept_ra == ACCEPT_RA_DISABLED)
++    else if (def->accept_ra == NETPLAN_RA_MODE_DISABLED)
          g_string_append_printf(network, "IPv6AcceptRA=no\n");
      if (def->ip6_privacy)
          g_string_append(network, "IPv6PrivacyExtensions=yes\n");
@@ -503,7 +560,7 @@ write_network_file(net_definition* def, const char* rootdir, const char* path)
          g_string_append_printf(network, "IPv6MTUBytes=%d\n", def->ipv6_mtubytes);
+     }
--    if (def->type >= ND_VIRTUAL)
++    if (def->type >= NETPLAN_DEF_TYPE_VIRTUAL)
          g_string_append(network, "ConfigureWithoutCarrier=yes\n");
      if (def->bridge) {
@@ -526,41 +583,44 @@ write_network_file(net_definition* def, const char* rootdir, const char* path)
      if (def->has_vlans) {
          /* iterate over all netdefs to find VLANs attached to us */
          GList *l = netdefs_ordered;
--        net_definition* nd;
++        const NetplanNetDefinition* nd;
          for (; l != NULL; l = l->next) {
              nd = l->data;
--            if (nd->vlan_link == def)
++            if (nd->vlan_link == def && !nd->sriov_vlan_filter)
                  g_string_append_printf(network, "VLAN=%s\n", nd->id);
+         }
+     }
      if (def->routes != NULL) {
          for (unsigned i = 0; i < def->routes->len; ++i) {
--            ip_route* cur_route = g_array_index (def->routes, ip_route*, i);
++            NetplanIPRoute* cur_route = g_array_index (def->routes, NetplanIPRoute*, i);
              write_route(cur_route, network);
+         }
+     }
      if (def->ip_rules != NULL) {
          for (unsigned i = 0; i < def->ip_rules->len; ++i) {
--            ip_rule* cur_rule = g_array_index (def->ip_rules, ip_rule*, i);
++            NetplanIPRule* cur_rule = g_array_index (def->ip_rules, NetplanIPRule*, i);
              write_ip_rule(cur_rule, network);
+         }
+     }
--    if (def->dhcp4 || def->dhcp6) {
++    if (def->dhcp4 || def->dhcp6 || def->critical) {
          /* NetworkManager compatible route metrics */
          g_string_append(network, "\n[DHCP]\n");
++    }
++
++    if (def->critical)
++        g_string_append_printf(network, "CriticalConnection=true\n");
++    if (def->dhcp4 || def->dhcp6) {
          if (g_strcmp0(def->dhcp_identifier, "duid") != 0)
              g_string_append_printf(network, "ClientIdentifier=%s\n", def->dhcp_identifier);
--        if (def->critical)
--            g_string_append_printf(network, "CriticalConnection=true\n");
--        dhcp_overrides combined_dhcp_overrides;
++        NetplanDHCPOverrides combined_dhcp_overrides;
          combine_dhcp_overrides(def, &combined_dhcp_overrides);
--        if (combined_dhcp_overrides.metric == METRIC_UNSPEC) {
--            g_string_append_printf(network, "RouteMetric=%i\n", (def->type == ND_WIFI ? 600 : 100));
++        if (combined_dhcp_overrides.metric == NETPLAN_METRIC_UNSPEC) {
++            g_string_append_printf(network, "RouteMetric=%i\n", (def->type == NETPLAN_DEF_TYPE_WIFI ? 600 : 100));
          } else {
              g_string_append_printf(network, "RouteMetric=%u\n",
                                     combined_dhcp_overrides.metric);
@@ -613,7 +673,7 @@ write_network_file(net_definition* def, const char* rootdir, const char* path)
+ }
  static void
--write_rules_file(net_definition* def, const char* rootdir)
++write_rules_file(const NetplanNetDefinition* def, const char* rootdir)
+ {
      GString* s = NULL;
      g_autofree char* path = g_strjoin(NULL, "run/udev/rules.d/99-netplan-", def->id, ".rules", NULL);
@@ -622,7 +682,7 @@ write_rules_file(net_definition* def, const char* rootdir)
      /* do we need to write a .rules file?
       * It's only required for reliably setting the name of a physical device
       * until systemd issue #9006 is resolved. */
--    if (def->type >= ND_VIRTUAL)
++    if (def->type >= NETPLAN_DEF_TYPE_VIRTUAL)
          return;
      /* Matching by name does not work.
@@ -657,39 +717,39 @@ write_rules_file(net_definition* def, const char* rootdir)
+ }
  static void
--append_wpa_auth_conf(GString* s, const authentication_settings* auth)
++append_wpa_auth_conf(GString* s, const NetplanAuthenticationSettings* auth, const char* id)
+ {
      switch (auth->key_management) {
--        case KEY_MANAGEMENT_NONE:
++        case NETPLAN_AUTH_KEY_MANAGEMENT_NONE:
              g_string_append(s, "  key_mgmt=NONE\n");
              break;
--        case KEY_MANAGEMENT_WPA_PSK:
++        case NETPLAN_AUTH_KEY_MANAGEMENT_WPA_PSK:
              g_string_append(s, "  key_mgmt=WPA-PSK\n");
              break;
--        case KEY_MANAGEMENT_WPA_EAP:
++        case NETPLAN_AUTH_KEY_MANAGEMENT_WPA_EAP:
              g_string_append(s, "  key_mgmt=WPA-EAP\n");
              break;
--        case KEY_MANAGEMENT_8021X:
++        case NETPLAN_AUTH_KEY_MANAGEMENT_8021X:
              g_string_append(s, "  key_mgmt=IEEE8021X\n");
              break;
+     }
      switch (auth->eap_method) {
--        case EAP_NONE:
++        case NETPLAN_AUTH_EAP_NONE:
              break;
--        case EAP_TLS:
++        case NETPLAN_AUTH_EAP_TLS:
              g_string_append(s, "  eap=TLS\n");
              break;
--        case EAP_PEAP:
++        case NETPLAN_AUTH_EAP_PEAP:
              g_string_append(s, "  eap=PEAP\n");
              break;
--        case EAP_TTLS:
++        case NETPLAN_AUTH_EAP_TTLS:
              g_string_append(s, "  eap=TTLS\n");
              break;
+     }
@@ -701,8 +761,25 @@ append_wpa_auth_conf(GString* s, const authentication_settings* auth)
          g_string_append_printf(s, "  anonymous_identity=\"%s\"\n", auth->anonymous_identity);
+     }
      if (auth->password) {
--        if (auth->key_management == KEY_MANAGEMENT_WPA_PSK) {
--            g_string_append_printf(s, "  psk=\"%s\"\n", auth->password);
++        if (auth->key_management == NETPLAN_AUTH_KEY_MANAGEMENT_WPA_PSK) {
++            size_t len = strlen(auth->password);
++            if (len == 64) {
++                /* must be a hex-digit key representation */
++                for (unsigned i = 0; i < 64; ++i)
++                    if (!isxdigit(auth->password[i])) {
++                        g_fprintf(stderr, "ERROR: %s: PSK length of 64 is only supported for hex-digit representation\n", id);
++                        exit(1);
++                    }
++                /* this is required to be unquoted */
++                g_string_append_printf(s, "  psk=%s\n", auth->password);
++            } else if (len < 8 || len > 63) {
++                /* per wpa_supplicant spec, passphrase needs to be between 8
++                   and 63 characters */
++                g_fprintf(stderr, "ERROR: %s: ASCII passphrase must be between 8 and 63 characters (inclusive)\n", id);
++                exit(1);
++            } else {
++                g_string_append_printf(s, "  psk=\"%s\"\n", auth->password);
++            }
          } else {
              if (strncmp(auth->password, "hash:", 5) == 0) {
                  g_string_append_printf(s, "  password=%s\n", auth->password);
@@ -723,10 +800,50 @@ append_wpa_auth_conf(GString* s, const authentication_settings* auth)
      if (auth->client_key_password) {
          g_string_append_printf(s, "  private_key_passwd=\"%s\"\n", auth->client_key_password);
+     }
++    if (auth->phase2_auth) {
++        g_string_append_printf(s, "  phase2=\"auth=%s\"\n", auth->phase2_auth);
++    }
++
+ }
++/* netplan-feature: generated-supplicant */
  static void
--write_wpa_conf(net_definition* def, const char* rootdir)
++write_wpa_unit(const NetplanNetDefinition* def, const char* rootdir)
++{
++    g_autoptr(GError) err = NULL;
++    g_autofree gchar *stdouth = NULL;
++    g_autofree gchar *stderrh = NULL;
++    gint exit_status = 0;
++
++    gchar *argv[] = {"bin" "/" "systemd-escape", def->id, NULL};
++    g_spawn_sync("/", argv, NULL, 0, NULL, NULL, &stdouth, &stderrh, &exit_status, &err);
++    g_spawn_check_exit_status(exit_status, &err);
++    if (err != NULL) {
++        // LCOV_EXCL_START
++        g_fprintf(stderr, "failed to ask systemd to escape %s; exit %d\nstdout: '%s'\nstderr: '%s'", def->id, exit_status, stdouth, stderrh);
++        exit(1);
++        // LCOV_EXCL_STOP
++    }
++    g_strstrip(stdouth);
++
++    GString* s = g_string_new("[Unit]\n");
++    g_autofree char* path = g_strjoin(NULL, "/run/systemd/system/netplan-wpa-", stdouth, ".service", NULL);
++    g_string_append_printf(s, "Description=WPA supplicant for netplan %s\n", stdouth);
++    g_string_append(s, "DefaultDependencies=no\n");
++    g_string_append_printf(s, "Requires=sys-subsystem-net-devices-%s.device\n", stdouth);
++    g_string_append_printf(s, "After=sys-subsystem-net-devices-%s.device\n", stdouth);
++    g_string_append(s, "Before=network.target\nWants=network.target\n\n");
++    g_string_append(s, "[Service]\nType=simple\n");
++    g_string_append_printf(s, "ExecStart=/sbin/wpa_supplicant -c /run/netplan/wpa-%s.conf -i%s", stdouth, stdouth);
++
++    if (def->type != NETPLAN_DEF_TYPE_WIFI) {
++        g_string_append(s, " -Dwired\n");
++    }
++    g_string_free_to_file(s, rootdir, path, NULL);
++}
++
++static void
++write_wpa_conf(const NetplanNetDefinition* def, const char* rootdir)
+ {
      GHashTableIter iter;
      GString* s = g_string_new("ctrl_interface=/run/wpa_supplicant\n\n");
@@ -734,26 +851,58 @@ write_wpa_conf(net_definition* def, const char* rootdir)
      mode_t orig_umask;
      g_debug("%s: Creating wpa_supplicant configuration file %s", def->id, path);
--    if (def->type == ND_WIFI) {
--        wifi_access_point* ap;
++    if (def->type == NETPLAN_DEF_TYPE_WIFI) {
++        if (def->wowlan && def->wowlan > NETPLAN_WIFI_WOWLAN_DEFAULT) {
++            g_string_append(s, "wowlan_triggers=");
++            append_wifi_wowlan_flags(def->wowlan, s);
++        }
++        NetplanWifiAccessPoint* ap;
          g_hash_table_iter_init(&iter, def->access_points);
          while (g_hash_table_iter_next(&iter, NULL, (gpointer) &ap)) {
              g_string_append_printf(s, "network={\n  ssid=\"%s\"\n", ap->ssid);
++            if (ap->bssid) {
++                g_string_append_printf(s, "  bssid=%s\n", ap->bssid);
++            }
++            if (ap->band == NETPLAN_WIFI_BAND_24) {
++                // initialize 2.4GHz frequency hashtable
++                if(!wifi_frequency_24)
++                    wifi_get_freq24(1);
++                if (ap->channel) {
++                    g_string_append_printf(s, "  freq_list=%d\n", wifi_get_freq24(ap->channel));
++                } else {
++                    g_string_append_printf(s, "  freq_list=");
++                    g_hash_table_foreach(wifi_frequency_24, wifi_append_freq, s);
++                    // overwrite last whitespace with newline
++                    s = g_string_overwrite(s, s->len-1, "\n");
++                }
++            } else if (ap->band == NETPLAN_WIFI_BAND_5) {
++                // initialize 5GHz frequency hashtable
++                if(!wifi_frequency_5)
++                    wifi_get_freq5(7);
++                if (ap->channel) {
++                    g_string_append_printf(s, "  freq_list=%d\n", wifi_get_freq5(ap->channel));
++                } else {
++                    g_string_append_printf(s, "  freq_list=");
++                    g_hash_table_foreach(wifi_frequency_5, wifi_append_freq, s);
++                    // overwrite last whitespace with newline
++                    s = g_string_overwrite(s, s->len-1, "\n");
++                }
++            }
              switch (ap->mode) {
--                case WIFI_MODE_INFRASTRUCTURE:
++                case NETPLAN_WIFI_MODE_INFRASTRUCTURE:
                      /* default in wpasupplicant */
                      break;
--                case WIFI_MODE_ADHOC:
++                case NETPLAN_WIFI_MODE_ADHOC:
                      g_string_append(s, "  mode=1\n");
                      break;
--                case WIFI_MODE_AP:
++                case NETPLAN_WIFI_MODE_AP:
                      g_fprintf(stderr, "ERROR: %s: networkd does not support wifi in access point mode\n", def->id);
                      exit(1);
+             }
              /* wifi auth trumps netdef auth */
              if (ap->has_auth) {
--                append_wpa_auth_conf(s, &ap->auth);
++                append_wpa_auth_conf(s, &ap->auth, ap->ssid);
+             }
              else {
                  g_string_append(s, "  key_mgmt=NONE\n");
@@ -764,7 +913,7 @@ write_wpa_conf(net_definition* def, const char* rootdir)
      else {
          /* wired 802.1x auth or similar */
          g_string_append(s, "network={\n");
--        append_wpa_auth_conf(s, &def->auth);
++        append_wpa_auth_conf(s, &def->auth, def->id);
          g_string_append(s, "}\n");
+     }
@@ -782,7 +931,7 @@ write_wpa_conf(net_definition* def, const char* rootdir)
   * Returns: TRUE if @def applies to networkd, FALSE otherwise.
   */
  gboolean
--write_networkd_conf(net_definition* def, const char* rootdir)
++write_networkd_conf(const NetplanNetDefinition* def, const char* rootdir)
+ {
      g_autofree char* path_base = g_strjoin(NULL, "run/systemd/network/10-netplan-", def->id, NULL);
@@ -791,23 +940,34 @@ write_networkd_conf(net_definition* def, const char* rootdir)
      write_link_file(def, rootdir, path_base);
      write_rules_file(def, rootdir);
--    if (def->backend != BACKEND_NETWORKD) {
++    if (def->backend != NETPLAN_BACKEND_NETWORKD) {
          g_debug("networkd: definition %s is not for us (backend %i)", def->id, def->backend);
          return FALSE;
+     }
--    if (def->type == ND_WIFI || def->has_auth) {
--        g_autofree char* link = g_strjoin(NULL, rootdir ?: "", "/run/systemd/system/systemd-networkd.service.wants/netplan-wpa@", def->id, ".service", NULL);
--        if (def->type == ND_WIFI && def->has_match) {
++    if (def->type == NETPLAN_DEF_TYPE_MODEM) {
++        g_fprintf(stderr, "ERROR: %s: networkd backend does not support GSM/CDMA modem configuration\n", def->id);
++        exit(1);
++    }
++
++    if (def->type == NETPLAN_DEF_TYPE_WIFI || def->has_auth) {
++        g_autofree char* link = g_strjoin(NULL, rootdir ?: "", "/run/systemd/system/systemd-networkd.service.wants/netplan-wpa-", def->id, ".service", NULL);
++        g_autofree char* slink = g_strjoin(NULL, "/run/systemd/system/netplan-wpa-", def->id, ".service", NULL);
++        if (def->type == NETPLAN_DEF_TYPE_WIFI && def->has_match) {
              g_fprintf(stderr, "ERROR: %s: networkd backend does not support wifi with match:, only by interface name\n", def->id);
              exit(1);
+         }
++        g_debug("Creating wpa_supplicant config");
          write_wpa_conf(def, rootdir);
++        g_debug("Creating wpa_supplicant unit %s", slink);
++        write_wpa_unit(def, rootdir);
++
          g_debug("Creating wpa_supplicant service enablement link %s", link);
          safe_mkdir_p_dir(link);
--        if (symlink("/lib/systemd/system/netplan-wpa@.service", link) < 0 && errno != EEXIST) {
++
++        if (symlink(slink, link) < 0 && errno != EEXIST) {
              // LCOV_EXCL_START
              g_fprintf(stderr, "failed to create enablement symlink: %m\n");
              exit(1);
@@ -816,7 +976,7 @@ write_networkd_conf(net_definition* def, const char* rootdir)
+     }
--    if (def->type >= ND_VIRTUAL)
++    if (def->type >= NETPLAN_DEF_TYPE_VIRTUAL)
          write_netdev_file(def, rootdir, path_base);
      write_network_file(def, rootdir, path_base);
      return TRUE;
@@ -830,7 +990,7 @@ cleanup_networkd_conf(const char* rootdir)
+ {
      unlink_glob(rootdir, "/run/systemd/network/10-netplan-*");
      unlink_glob(rootdir, "/run/netplan/wpa-*.conf");
--    unlink_glob(rootdir, "/run/systemd/system/systemd-networkd.service.wants/netplan-wpa@*.service");
++    unlink_glob(rootdir, "/run/systemd/system/netplan-wpa-*.service");
      unlink_glob(rootdir, "/run/udev/rules.d/99-netplan-*");
+ }
 diff --git a/src/networkd.h b/src/networkd.h
 index 6660f9c..5629a04 100644
 --- a/src/networkd.h
 +++ b/src/networkd.h
@@ -19,6 +19,6 @@
  #include "parse.h"
--gboolean write_networkd_conf(net_definition* def, const char* rootdir);
++gboolean write_networkd_conf(const NetplanNetDefinition* def, const char* rootdir);
  void cleanup_networkd_conf(const char* rootdir);
  void enable_networkd(const char* generator_dir);
 diff --git a/src/nm.c b/src/nm.c
 index 804037f..2cd1d52 100644
 --- a/src/nm.c
 +++ b/src/nm.c
@@ -36,20 +36,20 @@ GString* udev_rules;
   * Append NM device specifier of @def to @s.
   */
  static void
--g_string_append_netdef_match(GString* s, const net_definition* def)
++g_string_append_netdef_match(GString* s, const NetplanNetDefinition* def)
+ {
      g_assert(!def->match.driver || def->set_name);
      if (def->match.mac) {
          g_string_append_printf(s, "mac:%s", def->match.mac);
--    } else if (def->match.original_name || def->set_name || def->type >= ND_VIRTUAL) {
++    } else if (def->match.original_name || def->set_name || def->type >= NETPLAN_DEF_TYPE_VIRTUAL) {
          /* we always have the renamed name here */
          g_string_append_printf(s, "interface-name:%s",
--                (def->type >= ND_VIRTUAL) ? def->id
++                (def->type >= NETPLAN_DEF_TYPE_VIRTUAL) ? def->id
                                            : (def->set_name ?: def->match.original_name));
      } else {
          /* no matches → match all devices of that type */
          switch (def->type) {
--            case ND_ETHERNET:
++            case NETPLAN_DEF_TYPE_ETHERNET:
                  g_string_append(s, "type:ethernet");
                  break;
              /* This cannot be reached with just NM and networkd backends, as
@@ -57,7 +57,7 @@ g_string_append_netdef_match(GString* s, const net_definition* def)
               * wifi device from NM. This would become relevant with another
               * wifi-supporting backend, but until then this just spoils 100%
               * code coverage.
--            case ND_WIFI:
++            case NETPLAN_DEF_TYPE_WIFI:
                  g_string_append(s, "type:wifi");
                  break;
              */
@@ -71,23 +71,46 @@ g_string_append_netdef_match(GString* s, const net_definition* def)
+ }
  /**
++ * Infer if this is a modem netdef of type GSM.
++ * This is done by checking for certain modem_params, which are only
++ * applicable to GSM connections.
++ */
++static const gboolean
++modem_is_gsm(const NetplanNetDefinition* def)
++{
++    if (def->type == NETPLAN_DEF_TYPE_MODEM && (def->modem_params.apn ||
++        def->modem_params.auto_config || def->modem_params.device_id ||
++        def->modem_params.network_id || def->modem_params.pin ||
++        def->modem_params.sim_id || def->modem_params.sim_operator_id))
++        return TRUE;
++
++    return FALSE;
++}
++
++/**
   * Return NM "type=" string.
   */
  static const char*
--type_str(netdef_type type)
++type_str(const NetplanNetDefinition* def)
+ {
++    const NetplanDefType type = def->type;
      switch (type) {
--        case ND_ETHERNET:
++        case NETPLAN_DEF_TYPE_ETHERNET:
              return "ethernet";
--        case ND_WIFI:
++        case NETPLAN_DEF_TYPE_MODEM:
++            if (modem_is_gsm(def))
++                return "gsm";
++            else
++                return "cdma";
++        case NETPLAN_DEF_TYPE_WIFI:
              return "wifi";
--        case ND_BRIDGE:
++        case NETPLAN_DEF_TYPE_BRIDGE:
              return "bridge";
--        case ND_BOND:
++        case NETPLAN_DEF_TYPE_BOND:
              return "bond";
--        case ND_VLAN:
++        case NETPLAN_DEF_TYPE_VLAN:
              return "vlan";
--        case ND_TUNNEL:
++        case NETPLAN_DEF_TYPE_TUNNEL:
              return "ip-tunnel";
          // LCOV_EXCL_START
          default:
@@ -100,14 +123,14 @@ type_str(netdef_type type)
   * Return NM wifi "mode=" string.
   */
  static const char*
--wifi_mode_str(wifi_mode mode)
++wifi_mode_str(const NetplanWifiMode mode)
+ {
      switch (mode) {
--        case WIFI_MODE_INFRASTRUCTURE:
++        case NETPLAN_WIFI_MODE_INFRASTRUCTURE:
              return "infrastructure";
--        case WIFI_MODE_ADHOC:
++        case NETPLAN_WIFI_MODE_ADHOC:
              return "adhoc";
--        case WIFI_MODE_AP:
++        case NETPLAN_WIFI_MODE_AP:
              return "ap";
          // LCOV_EXCL_START
          default:
@@ -116,8 +139,44 @@ wifi_mode_str(wifi_mode mode)
+     }
+ }
++/**
++ * Return NM wifi "band=" string.
++ */
++static const char*
++wifi_band_str(const NetplanWifiBand band)
++{
++    switch (band) {
++        case NETPLAN_WIFI_BAND_5:
++            return "a";
++        case NETPLAN_WIFI_BAND_24:
++            return "bg";
++        // LCOV_EXCL_START
++        default:
++            g_assert_not_reached();
++        // LCOV_EXCL_STOP
++    }
++}
++
++/**
++ * Return NM addr-gen-mode string.
++ */
++static const char*
++addr_gen_mode_str(const NetplanAddrGenMode mode)
++{
++    switch (mode) {
++        case NETPLAN_ADDRGEN_EUI64:
++            return "0";
++        case NETPLAN_ADDRGEN_STABLEPRIVACY:
++            return "1";
++        // LCOV_EXCL_START
++        default:
++            g_assert_not_reached();
++        // LCOV_EXCL_STOP
++    }
++}
++
  static void
--write_search_domains(const net_definition* def, GString *s)
++write_search_domains(const NetplanNetDefinition* def, GString *s)
+ {
      if (def->search_domains) {
          g_string_append(s, "dns-search=");
@@ -128,11 +187,11 @@ write_search_domains(const net_definition* def, GString *s)
+ }
  static void
--write_routes(const net_definition* def, GString *s, int family)
++write_routes(const NetplanNetDefinition* def, GString *s, int family)
+ {
      if (def->routes != NULL) {
          for (unsigned i = 0, j = 1; i < def->routes->len; ++i) {
--            ip_route *cur_route = g_array_index(def->routes, ip_route*, i);
++            const NetplanIPRoute *cur_route = g_array_index(def->routes, NetplanIPRoute*, i);
              if (cur_route->family != family)
                  continue;
@@ -147,7 +206,7 @@ write_routes(const net_definition* def, GString *s, int family)
                  exit(1);
+             }
--            if (cur_route->table != ROUTE_TABLE_UNSPEC) {
++            if (cur_route->table != NETPLAN_ROUTE_TABLE_UNSPEC) {
                  g_fprintf(stderr, "ERROR: %s: NetworkManager does not support non-default routing tables\n", def->id);
                  exit(1);
+             }
@@ -164,7 +223,7 @@ write_routes(const net_definition* def, GString *s, int family)
              g_string_append_printf(s, "route%d=%s,%s",
                                     j, cur_route->to, cur_route->via);
--            if (cur_route->metric != METRIC_UNSPEC)
++            if (cur_route->metric != NETPLAN_METRIC_UNSPEC)
                  g_string_append_printf(s, ",%d", cur_route->metric);
              g_string_append(s, "\n");
              j++;
@@ -173,7 +232,7 @@ write_routes(const net_definition* def, GString *s, int family)
+ }
  static void
--write_bond_parameters(const net_definition* def, GString *s)
++write_bond_parameters(const NetplanNetDefinition* def, GString *s)
+ {
      GString* params = NULL;
@@ -237,7 +296,7 @@ write_bond_parameters(const net_definition* def, GString *s)
+ }
  static void
--write_bridge_params(const net_definition* def, GString *s)
++write_bridge_params(const NetplanNetDefinition* def, GString *s)
+ {
      GString* params = NULL;
@@ -263,7 +322,7 @@ write_bridge_params(const net_definition* def, GString *s)
+ }
  static void
--write_tunnel_params(const net_definition* def, GString *s)
++write_tunnel_params(const NetplanNetDefinition* def, GString *s)
+ {
      g_string_append(s, "\n[ip-tunnel]\n");
@@ -278,23 +337,23 @@ write_tunnel_params(const net_definition* def, GString *s)
+ }
  static void
--write_dot1x_auth_parameters(const authentication_settings* auth, GString *s)
++write_dot1x_auth_parameters(const NetplanAuthenticationSettings* auth, GString *s)
+ {
--    if (auth->eap_method == EAP_NONE) {
++    if (auth->eap_method == NETPLAN_AUTH_EAP_NONE) {
          return;
+     }
      g_string_append_printf(s, "\n[802-1x]\n");
      switch (auth->eap_method) {
--        case EAP_NONE: break; // LCOV_EXCL_LINE
--        case EAP_TLS:
++        case NETPLAN_AUTH_EAP_NONE: break; // LCOV_EXCL_LINE
++        case NETPLAN_AUTH_EAP_TLS:
              g_string_append(s, "eap=tls\n");
              break;
--        case EAP_PEAP:
++        case NETPLAN_AUTH_EAP_PEAP:
              g_string_append(s, "eap=peap\n");
              break;
--        case EAP_TTLS:
++        case NETPLAN_AUTH_EAP_TTLS:
              g_string_append(s, "eap=ttls\n");
              break;
+     }
@@ -305,7 +364,7 @@ write_dot1x_auth_parameters(const authentication_settings* auth, GString *s)
      if (auth->anonymous_identity) {
          g_string_append_printf(s, "anonymous-identity=%s\n", auth->anonymous_identity);
+     }
--    if (auth->password && auth->key_management != KEY_MANAGEMENT_WPA_PSK) {
++    if (auth->password && auth->key_management != NETPLAN_AUTH_KEY_MANAGEMENT_WPA_PSK) {
          g_string_append_printf(s, "password=%s\n", auth->password);
+     }
      if (auth->ca_certificate) {
@@ -320,29 +379,33 @@ write_dot1x_auth_parameters(const authentication_settings* auth, GString *s)
      if (auth->client_key_password) {
          g_string_append_printf(s, "private-key-password=%s\n", auth->client_key_password);
+     }
++    if (auth->phase2_auth) {
++        g_string_append_printf(s, "phase2-auth=%s\n", auth->phase2_auth);
++    }
++
+ }
  static void
--write_wifi_auth_parameters(const authentication_settings* auth, GString *s)
++write_wifi_auth_parameters(const NetplanAuthenticationSettings* auth, GString *s)
+ {
--    if (auth->key_management == KEY_MANAGEMENT_NONE) {
++    if (auth->key_management == NETPLAN_AUTH_KEY_MANAGEMENT_NONE) {
          return;
+     }
      g_string_append(s, "\n[wifi-security]\n");
      switch (auth->key_management) {
--        case KEY_MANAGEMENT_NONE: break; // LCOV_EXCL_LINE
--        case KEY_MANAGEMENT_WPA_PSK:
++        case NETPLAN_AUTH_KEY_MANAGEMENT_NONE: break; // LCOV_EXCL_LINE
++        case NETPLAN_AUTH_KEY_MANAGEMENT_WPA_PSK:
              g_string_append(s, "key-mgmt=wpa-psk\n");
              if (auth->password) {
                  g_string_append_printf(s, "psk=%s\n", auth->password);
+             }
              break;
--        case KEY_MANAGEMENT_WPA_EAP:
++        case NETPLAN_AUTH_KEY_MANAGEMENT_WPA_EAP:
              g_string_append(s, "key-mgmt=wpa-eap\n");
              break;
--        case KEY_MANAGEMENT_8021X:
++        case NETPLAN_AUTH_KEY_MANAGEMENT_8021X:
              g_string_append(s, "key-mgmt=ieee8021x\n");
              break;
+     }
@@ -351,7 +414,7 @@ write_wifi_auth_parameters(const authentication_settings* auth, GString *s)
+ }
  static void
--maybe_generate_uuid(net_definition* def)
++maybe_generate_uuid(NetplanNetDefinition* def)
+ {
      if (uuid_is_null(def->uuid))
          uuid_generate(def->uuid);
@@ -359,32 +422,37 @@ maybe_generate_uuid(net_definition* def)
  /**
   * Generate NetworkManager configuration in @rootdir/run/NetworkManager/ for a
-- * particular net_definition and wifi_access_point, as NM requires a separate
++ * particular NetplanNetDefinition and NetplanWifiAccessPoint, as NM requires a separate
   * connection file for each SSID.
-- * @def: The net_definition for which to create a connection
++ * @def: The NetplanNetDefinition for which to create a connection
   * @rootdir: If not %NULL, generate configuration in this root directory
   *           (useful for testing).
   * @ap: The access point for which to create a connection. Must be %NULL for
   *      non-wifi types.
   */
  static void
--write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_access_point* ap)
++write_nm_conf_access_point(NetplanNetDefinition* def, const char* rootdir, const NetplanWifiAccessPoint* ap)
+ {
      GString *s = NULL;
      g_autofree char* conf_path = NULL;
      mode_t orig_umask;
      char uuidstr[37];
--    if (def->type == ND_WIFI)
++    if (def->type == NETPLAN_DEF_TYPE_WIFI)
          g_assert(ap);
      else
          g_assert(ap == NULL);
++    if (def->type == NETPLAN_DEF_TYPE_VLAN && def->sriov_vlan_filter) {
++        g_debug("%s is defined as a hardware SR-IOV filtered VLAN, postponing creation", def->id);
++        return;
++    }
++
      s = g_string_new(NULL);
      g_string_append_printf(s, "[connection]\nid=netplan-%s", def->id);
      if (ap)
          g_string_append_printf(s, "-%s", ap->ssid);
--    g_string_append_printf(s, "\ntype=%s\n", type_str(def->type));
++    g_string_append_printf(s, "\ntype=%s\n", type_str(def));
      /* VLAN devices refer to us as their parent; if our ID is not a name but we
       * have matches, parent= must be the connection UUID, so put it into the
@@ -395,7 +463,7 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
          g_string_append_printf(s, "uuid=%s\n", uuidstr);
+     }
--    if (def->type < ND_VIRTUAL) {
++    if (def->type < NETPLAN_DEF_TYPE_VIRTUAL) {
          /* physical (existing) devices use matching; driver matching is not
           * supported, MAC matching is done below (different keyfile section),
           * so only match names here */
@@ -416,9 +484,43 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
          /* virtual (created) devices set a name */
          g_string_append_printf(s, "interface-name=%s\n", def->id);
--        if (def->type == ND_BRIDGE)
++        if (def->type == NETPLAN_DEF_TYPE_BRIDGE)
              write_bridge_params(def, s);
+     }
++    if (def->type == NETPLAN_DEF_TYPE_MODEM) {
++        if (modem_is_gsm(def))
++            g_string_append_printf(s, "\n[gsm]\n");
++        else
++            g_string_append_printf(s, "\n[cdma]\n");
++
++        /* Use NetworkManager's auto configuration feature if no APN, username, or password is specified */
++        if (def->modem_params.auto_config || (!def->modem_params.apn &&
++                !def->modem_params.username && !def->modem_params.password)) {
++            g_string_append_printf(s, "auto-config=true\n");
++        } else {
++            if (def->modem_params.apn)
++                g_string_append_printf(s, "apn=%s\n", def->modem_params.apn);
++            if (def->modem_params.password)
++                g_string_append_printf(s, "password=%s\n", def->modem_params.password);
++            if (def->modem_params.username)
++                g_string_append_printf(s, "username=%s\n", def->modem_params.username);
++        }
++
++        if (def->modem_params.device_id)
++            g_string_append_printf(s, "device-id=%s\n", def->modem_params.device_id);
++        if (def->mtubytes)
++            g_string_append_printf(s, "mtu=%u\n", def->mtubytes);
++        if (def->modem_params.network_id)
++            g_string_append_printf(s, "network-id=%s\n", def->modem_params.network_id);
++        if (def->modem_params.number)
++            g_string_append_printf(s, "number=%s\n", def->modem_params.number);
++        if (def->modem_params.pin)
++            g_string_append_printf(s, "pin=%s\n", def->modem_params.pin);
++        if (def->modem_params.sim_id)
++            g_string_append_printf(s, "sim-id=%s\n", def->modem_params.sim_id);
++        if (def->modem_params.sim_operator_id)
++            g_string_append_printf(s, "sim-operator-id=%s\n", def->modem_params.sim_operator_id);
++    }
      if (def->bridge) {
          g_string_append_printf(s, "slave-type=bridge\nmaster=%s\n", def->bridge);
@@ -437,7 +539,7 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
          exit(1);
+     }
--    if (def->type < ND_VIRTUAL) {
++    if (def->type < NETPLAN_DEF_TYPE_VIRTUAL) {
          GString *link_str = NULL;
          link_str = g_string_new(NULL);
@@ -453,11 +555,16 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
          if (def->mtubytes) {
              g_string_append_printf(link_str, "mtu=%d\n", def->mtubytes);
+         }
++        if (def->wowlan && def->wowlan > NETPLAN_WIFI_WOWLAN_DEFAULT)
++            g_string_append_printf(link_str, "wake-on-wlan=%u\n", def->wowlan);
          if (link_str->len > 0) {
              switch (def->type) {
--                case ND_WIFI:
++                case NETPLAN_DEF_TYPE_WIFI:
                      g_string_append_printf(s, "\n[802-11-wireless]\n%s", link_str->str);  break;
++                case NETPLAN_DEF_TYPE_MODEM:
++                    /* Avoid adding an [ethernet] section into the [gsm/cdma] description. */
++                    break;
                  default:
                      g_string_append_printf(s, "\n[802-3-ethernet]\n%s", link_str->str);  break;
+             }
@@ -483,7 +590,7 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
          g_string_free(link_str, TRUE);
+     }
--    if (def->type == ND_VLAN) {
++    if (def->type == NETPLAN_DEF_TYPE_VLAN) {
          g_assert(def->vlan_id < G_MAXUINT);
          g_assert(def->vlan_link != NULL);
          g_string_append_printf(s, "\n[vlan]\nid=%u\nparent=", def->vlan_id);
@@ -499,22 +606,22 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
+         }
+     }
--    if (def->type == ND_BOND)
++    if (def->type == NETPLAN_DEF_TYPE_BOND)
          write_bond_parameters(def, s);
--    if (def->type == ND_TUNNEL)
++    if (def->type == NETPLAN_DEF_TYPE_TUNNEL)
          write_tunnel_params(def, s);
      g_string_append(s, "\n[ipv4]\n");
--    if (ap && ap->mode == WIFI_MODE_AP)
++    if (ap && ap->mode == NETPLAN_WIFI_MODE_AP)
          g_string_append(s, "method=shared\n");
      else if (def->dhcp4)
          g_string_append(s, "method=auto\n");
      else if (def->ip4_addresses)
          /* This requires adding at least one address (done below) */
          g_string_append(s, "method=manual\n");
--    else if (def->type == ND_TUNNEL)
++    else if (def->type == NETPLAN_DEF_TYPE_TUNNEL)
          /* sit tunnels will not start in link-local apparently */
          g_string_append(s, "method=disabled\n");
      else
@@ -544,15 +651,18 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
          g_string_append(s, "never-default=true\n");
+     }
--    if (def->dhcp4 && def->dhcp4_overrides.metric != METRIC_UNSPEC)
++    if (def->dhcp4 && def->dhcp4_overrides.metric != NETPLAN_METRIC_UNSPEC)
          g_string_append_printf(s, "route-metric=%u\n", def->dhcp4_overrides.metric);
--    if (def->dhcp6 || def->ip6_addresses || def->gateway6 || def->ip6_nameservers) {
++    if (def->dhcp6 || def->ip6_addresses || def->gateway6 || def->ip6_nameservers || def->ip6_addr_gen_mode) {
          g_string_append(s, "\n[ipv6]\n");
          g_string_append(s, def->dhcp6 ? "method=auto\n" : "method=manual\n");
          if (def->ip6_addresses)
              for (unsigned i = 0; i < def->ip6_addresses->len; ++i)
                  g_string_append_printf(s, "address%i=%s\n", i+1, g_array_index(def->ip6_addresses, char*, i));
++        if (def->ip6_addr_gen_mode) {
++            g_string_append_printf(s, "addr-gen-mode=%s\n", addr_gen_mode_str(def->ip6_addr_gen_mode));
++        }
          if (def->ip6_privacy)
              g_string_append(s, "ip6-privacy=2\n");
          if (def->gateway6)
@@ -575,7 +685,7 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
              g_string_append(s, "never-default=true\n");
+         }
--        if (def->dhcp6_overrides.metric != METRIC_UNSPEC)
++        if (def->dhcp6_overrides.metric != NETPLAN_METRIC_UNSPEC)
              g_string_append_printf(s, "route-metric=%u\n", def->dhcp6_overrides.metric);
+     }
      else {
@@ -587,6 +697,21 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
          conf_path = g_strjoin(NULL, "run/NetworkManager/system-connections/netplan-", def->id, "-", escaped_ssid, ".nmconnection", NULL);
          g_string_append_printf(s, "\n[wifi]\nssid=%s\nmode=%s\n", ap->ssid, wifi_mode_str(ap->mode));
++        if (ap->bssid) {
++            g_string_append_printf(s, "bssid=%s\n", ap->bssid);
++        }
++        if (ap->band == NETPLAN_WIFI_BAND_5 || ap->band == NETPLAN_WIFI_BAND_24) {
++            g_string_append_printf(s, "band=%s\n", wifi_band_str(ap->band));
++            /* Channel is only unambiguous, if band is set. */
++            if (ap->channel) {
++                /* Validate WiFi channel */
++                if (ap->band == NETPLAN_WIFI_BAND_5)
++                    wifi_get_freq5(ap->channel);
++                else
++                    wifi_get_freq24(ap->channel);
++                g_string_append_printf(s, "channel=%u\n", ap->channel);
++            }
++        }
          if (ap->has_auth) {
              write_wifi_auth_parameters(&ap->auth, s);
+         }
@@ -605,14 +730,14 @@ write_nm_conf_access_point(net_definition* def, const char* rootdir, const wifi_
  /**
   * Generate NetworkManager configuration in @rootdir/run/NetworkManager/ for a
-- * particular net_definition.
++ * particular NetplanNetDefinition.
   * @rootdir: If not %NULL, generate configuration in this root directory
   *           (useful for testing).
   */
  void
--write_nm_conf(net_definition* def, const char* rootdir)
++write_nm_conf(NetplanNetDefinition* def, const char* rootdir)
+ {
--    if (def->backend != BACKEND_NM) {
++    if (def->backend != NETPLAN_BACKEND_NM) {
          g_debug("NetworkManager: definition %s is not for us (backend %i)", def->id, def->backend);
          return;
+     }
@@ -623,10 +748,10 @@ write_nm_conf(net_definition* def, const char* rootdir)
+     }
      /* for wifi we need to create a separate connection file for every SSID */
--    if (def->type == ND_WIFI) {
++    if (def->type == NETPLAN_DEF_TYPE_WIFI) {
          GHashTableIter iter;
          gpointer key;
--        wifi_access_point* ap;
++        const NetplanWifiAccessPoint* ap;
          g_assert(def->access_points);
          g_hash_table_iter_init(&iter, def->access_points);
          while (g_hash_table_iter_next(&iter, &key, (gpointer) &ap))
@@ -640,9 +765,9 @@ write_nm_conf(net_definition* def, const char* rootdir)
  static void
  nd_append_non_nm_ids(gpointer data, gpointer str)
+ {
--    net_definition* nd = data;
++    const NetplanNetDefinition* nd = data;
--    if (nd->backend != BACKEND_NM) {
++    if (nd->backend != NETPLAN_BACKEND_NM) {
          if (nd->match.driver) {
              /* NM cannot match on drivers, so ignore these via udev rules */
              if (!udev_rules)
 diff --git a/src/nm.h b/src/nm.h
 index f25c506..9f8f9ca 100644
 --- a/src/nm.h
 +++ b/src/nm.h
@@ -19,6 +19,6 @@
  #include "parse.h"
--void write_nm_conf(net_definition* def, const char* rootdir);
++void write_nm_conf(NetplanNetDefinition* def, const char* rootdir);
  void write_nm_conf_finish(const char* rootdir);
  void cleanup_nm_conf(const char* rootdir);
 diff --git a/src/parse.c b/src/parse.c
 index c72813f..c1dc175 100644
 --- a/src/parse.c
 +++ b/src/parse.c
@@ -30,27 +30,28 @@
  #include "error.h"
  #include "validation.h"
--/* convenience macro to put the offset of a net_definition field into "void* data" */
--#define netdef_offset(field) GUINT_TO_POINTER(offsetof(net_definition, field))
--#define route_offset(field) GUINT_TO_POINTER(offsetof(ip_route, field))
--#define ip_rule_offset(field) GUINT_TO_POINTER(offsetof(ip_rule, field))
--#define auth_offset(field) GUINT_TO_POINTER(offsetof(authentication_settings, field))
++/* convenience macro to put the offset of a NetplanNetDefinition field into "void* data" */
++#define netdef_offset(field) GUINT_TO_POINTER(offsetof(NetplanNetDefinition, field))
++#define route_offset(field) GUINT_TO_POINTER(offsetof(NetplanIPRoute, field))
++#define ip_rule_offset(field) GUINT_TO_POINTER(offsetof(NetplanIPRule, field))
++#define auth_offset(field) GUINT_TO_POINTER(offsetof(NetplanAuthenticationSettings, field))
++#define access_point_offset(field) GUINT_TO_POINTER(offsetof(NetplanWifiAccessPoint, field))
--/* net_definition that is currently being processed */
--net_definition* cur_netdef;
++/* NetplanNetDefinition that is currently being processed */
++static NetplanNetDefinition* cur_netdef;
--/* wifi AP that is currently being processed */
--wifi_access_point* cur_access_point;
++/* NetplanWifiAccessPoint that is currently being processed */
++static NetplanWifiAccessPoint* cur_access_point;
  /* authentication options that are currently being processed */
--authentication_settings* cur_auth;
++static NetplanAuthenticationSettings* cur_auth;
--ip_route* cur_route;
--ip_rule* cur_ip_rule;
++static NetplanIPRoute* cur_route;
++static NetplanIPRule* cur_ip_rule;
--netdef_backend backend_global, backend_cur_type;
++static NetplanBackend backend_global, backend_cur_type;
--/* Global ID → net_definition* map for all parsed config files */
++/* Global ID → NetplanNetDefinition* map for all parsed config files */
  GHashTable* netdefs;
  /* Contains the same objects as 'netdefs' but ordered by dependency */
@@ -59,7 +60,7 @@ GList* netdefs_ordered;
  /* Set of IDs in currently parsed YAML file, for being able to detect
   * "duplicate ID within one file" vs. allowing a drop-in to override/amend an
   * existing definition */
--GHashTable* ids_in_file;
++static GHashTable* ids_in_file;
  /**
   * Load YAML file name into a yaml_document_t.
@@ -87,6 +88,7 @@ load_yaml(const char* yaml, yaml_document_t* doc, GError** error)
          ret = parser_error(&parser, yaml, error);
+     }
++    yaml_parser_delete(&parser);
      fclose(fyaml);
      return ret;
+ }
@@ -136,13 +138,13 @@ scalar(const yaml_node_t* node)
  static void
  add_missing_node(const yaml_node_t* node)
+ {
--    missing_node* missing;
++    NetplanMissingNode* missing;
      /* Let's capture the current netdef we were playing with along with the
       * actual yaml_node_t that errors (that is an identifier not previously
       * seen by the compiler). We can use it later to write an sensible error
       * message and point the user in the right direction. */
--    missing = g_new0(missing_node, 1);
++    missing = g_new0(NetplanMissingNode, 1);
      missing->netdef_id = cur_netdef->id;
      missing->node = node;
@@ -247,24 +249,88 @@ process_mapping(yaml_document_t* doc, yaml_node_t* node, const mapping_entry_han
      return TRUE;
+ }
++/*************************************************************
++ * Generic helper functions to extract data from scalar nodes.
++ *************************************************************/
++
  /**
-- * Generic handler for setting a cur_netdef string field from a scalar node
-- * @data: offset into net_definition where the const char* field to write is
++ * Handler for setting a guint field from a scalar node, inside a given struct
++ * @entryptr: pointer to the begining of the to-be-modified data structure
++ * @data: offset into entryptr struct where the guint field to write is located
++ */
++static gboolean
++handle_generic_guint(yaml_document_t* doc, yaml_node_t* node, const void* entryptr, const void* data, GError** error)
++{
++    g_assert(entryptr);
++    guint offset = GPOINTER_TO_UINT(data);
++    guint64 v;
++    gchar* endptr;
++
++    v = g_ascii_strtoull(scalar(node), &endptr, 10);
++    if (*endptr != '\0' || v > G_MAXUINT)
++        return yaml_error(node, error, "invalid unsigned int value '%s'", scalar(node));
++
++    *((guint*) ((void*) entryptr + offset)) = (guint) v;
++    return TRUE;
++}
++
++/**
++ * Handler for setting a string field from a scalar node, inside a given struct
++ * @entryptr: pointer to the beginning of the to-be-modified data structure
++ * @data: offset into entryptr struct where the const char* field to write is
   *        located
   */
  static gboolean
--handle_netdef_str(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
++handle_generic_str(yaml_document_t* doc, yaml_node_t* node, void* entryptr, const void* data, GError** error)
+ {
++    g_assert(entryptr);
      guint offset = GPOINTER_TO_UINT(data);
--    char** dest = (char**) ((void*) cur_netdef + offset);
++    char** dest = (char**) ((void*) entryptr + offset);
      g_free(*dest);
      *dest = g_strdup(scalar(node));
      return TRUE;
+ }
++/*
++ * Handler for setting a MAC address field from a scalar node, inside a given struct
++ * @entryptr: pointer to the beginning of the to-be-modified data structure
++ * @data: offset into entryptr struct where the const char* field to write is
++ *        located
++ */
++static gboolean
++handle_generic_mac(yaml_document_t* doc, yaml_node_t* node, void* entryptr, const void* data, GError** error)
++{
++    g_assert(entryptr);
++    static regex_t re;
++    static gboolean re_inited = FALSE;
++
++    g_assert(node->type == YAML_SCALAR_NODE);
++
++    if (!re_inited) {
++        g_assert(regcomp(&re, "^[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]$", REG_EXTENDED|REG_NOSUB) == 0);
++        re_inited = TRUE;
++    }
++
++    if (regexec(&re, scalar(node), 0, NULL, 0) != 0)
++        return yaml_error(node, error, "Invalid MAC address '%s', must be XX:XX:XX:XX:XX:XX", scalar(node));
++
++    return handle_generic_str(doc, node, entryptr, data, error);
++}
++
++/**
++ * Generic handler for setting a cur_netdef string field from a scalar node
++ * @data: offset into NetplanNetDefinition where the const char* field to write is
++ *        located
++ */
++static gboolean
++handle_netdef_str(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
++{
++    return handle_generic_str(doc, node, cur_netdef, data, error);
++}
++
  /**
   * Generic handler for setting a cur_netdef ID/iface name field from a scalar node
-- * @data: offset into net_definition where the const char* field to write is
++ * @data: offset into NetplanNetDefinition where the const char* field to write is
   *        located
   */
  static gboolean
@@ -278,20 +344,20 @@ handle_netdef_id(yaml_document_t* doc, yaml_node_t* node, const void* data, GErr
  /**
   * Generic handler for setting a cur_netdef ID/iface name field referring to an
   * existing ID from a scalar node
-- * @data: offset into net_definition where the net_definition* field to write is
++ * @data: offset into NetplanNetDefinition where the NetplanNetDefinition* field to write is
   *        located
   */
  static gboolean
  handle_netdef_id_ref(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
+ {
      guint offset = GPOINTER_TO_UINT(data);
--    net_definition* ref = NULL;
++    NetplanNetDefinition* ref = NULL;
      ref = g_hash_table_lookup(netdefs, scalar(node));
      if (!ref) {
          add_missing_node(node);
      } else {
--        *((net_definition**) ((void*) cur_netdef + offset)) = ref;
++        *((NetplanNetDefinition**) ((void*) cur_netdef + offset)) = ref;
+     }
      return TRUE;
+ }
@@ -299,31 +365,18 @@ handle_netdef_id_ref(yaml_document_t* doc, yaml_node_t* node, const void* data,
  /**
   * Generic handler for setting a cur_netdef MAC address field from a scalar node
-- * @data: offset into net_definition where the const char* field to write is
++ * @data: offset into NetplanNetDefinition where the const char* field to write is
   *        located
   */
  static gboolean
  handle_netdef_mac(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
+ {
--    static regex_t re;
--    static gboolean re_inited = FALSE;
--
--    g_assert(node->type == YAML_SCALAR_NODE);
--
--    if (!re_inited) {
--        g_assert(regcomp(&re, "^[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]:[[:xdigit:]][[:xdigit:]]$", REG_EXTENDED|REG_NOSUB) == 0);
--        re_inited = TRUE;
--    }
--
--    if (regexec(&re, scalar(node), 0, NULL, 0) != 0)
--        return yaml_error(node, error, "Invalid MAC address '%s', must be XX:XX:XX:XX:XX:XX", scalar(node));
--
--    return handle_netdef_str(doc, node, data, error);
++    return handle_generic_mac(doc, node, cur_netdef, data, error);
+ }
  /**
   * Generic handler for setting a cur_netdef gboolean field from a scalar node
-- * @data: offset into net_definition where the gboolean field to write is located
++ * @data: offset into NetplanNetDefinition where the gboolean field to write is located
   */
  static gboolean
  handle_netdef_bool(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
@@ -350,21 +403,12 @@ handle_netdef_bool(yaml_document_t* doc, yaml_node_t* node, const void* data, GE
  /**
   * Generic handler for setting a cur_netdef guint field from a scalar node
-- * @data: offset into net_definition where the guint field to write is located
++ * @data: offset into NetplanNetDefinition where the guint field to write is located
   */
  static gboolean
  handle_netdef_guint(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
+ {
--    guint offset = GPOINTER_TO_UINT(data);
--    guint64 v;
--    gchar* endptr;
--
--    v = g_ascii_strtoull(scalar(node), &endptr, 10);
--    if (*endptr != '\0' || v > G_MAXUINT)
--        return yaml_error(node, error, "invalid unsigned int value '%s'", scalar(node));
--
--    *((guint*) ((void*) cur_netdef + offset)) = (guint) v;
--    return TRUE;
++    return handle_generic_guint(doc, node, cur_netdef, data, error);
+ }
  static gboolean
@@ -427,12 +471,25 @@ handle_netdef_ip6(yaml_document_t* doc, yaml_node_t* node, const void* data, GEr
      return TRUE;
+ }
++static gboolean
++handle_netdef_addrgen(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** error)
++{
++    g_assert(cur_netdef);
++    if (strcmp(scalar(node), "eui64") == 0)
++        cur_netdef->ip6_addr_gen_mode = NETPLAN_ADDRGEN_EUI64;
++    else if (strcmp(scalar(node), "stable-privacy") == 0)
++        cur_netdef->ip6_addr_gen_mode = NETPLAN_ADDRGEN_STABLEPRIVACY;
++    else
++        return yaml_error(node, error, "unknown ipv6-address-generation '%s'", scalar(node));
++    return TRUE;
++}
++
  /****************************************************
   * Grammar and handlers for network config "match" entry
   ****************************************************/
--const mapping_entry_handler match_handlers[] = {
++static const mapping_entry_handler match_handlers[] = {
      {"driver", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(match.driver)},
      {"macaddress", YAML_SCALAR_NODE, handle_netdef_mac, NULL, netdef_offset(match.mac)},
      {"name", YAML_SCALAR_NODE, handle_netdef_id, NULL, netdef_offset(match.original_name)},
@@ -459,13 +516,13 @@ handle_auth_key_management(yaml_document_t* doc, yaml_node_t* node, const void*
+ {
      g_assert(cur_auth);
      if (strcmp(scalar(node), "none") == 0)
--        cur_auth->key_management = KEY_MANAGEMENT_NONE;
++        cur_auth->key_management = NETPLAN_AUTH_KEY_MANAGEMENT_NONE;
      else if (strcmp(scalar(node), "psk") == 0)
--        cur_auth->key_management = KEY_MANAGEMENT_WPA_PSK;
++        cur_auth->key_management = NETPLAN_AUTH_KEY_MANAGEMENT_WPA_PSK;
      else if (strcmp(scalar(node), "eap") == 0)
--        cur_auth->key_management = KEY_MANAGEMENT_WPA_EAP;
++        cur_auth->key_management = NETPLAN_AUTH_KEY_MANAGEMENT_WPA_EAP;
      else if (strcmp(scalar(node), "802.1x") == 0)
--        cur_auth->key_management = KEY_MANAGEMENT_8021X;
++        cur_auth->key_management = NETPLAN_AUTH_KEY_MANAGEMENT_8021X;
      else
          return yaml_error(node, error, "unknown key management type '%s'", scalar(node));
      return TRUE;
@@ -476,17 +533,17 @@ handle_auth_method(yaml_document_t* doc, yaml_node_t* node, const void* _, GErro
+ {
      g_assert(cur_auth);
      if (strcmp(scalar(node), "tls") == 0)
--        cur_auth->eap_method = EAP_TLS;
++        cur_auth->eap_method = NETPLAN_AUTH_EAP_TLS;
      else if (strcmp(scalar(node), "peap") == 0)
--        cur_auth->eap_method = EAP_PEAP;
++        cur_auth->eap_method = NETPLAN_AUTH_EAP_PEAP;
      else if (strcmp(scalar(node), "ttls") == 0)
--        cur_auth->eap_method = EAP_TTLS;
++        cur_auth->eap_method = NETPLAN_AUTH_EAP_TTLS;
      else
          return yaml_error(node, error, "unknown EAP method '%s'", scalar(node));
      return TRUE;
+ }
--const mapping_entry_handler auth_handlers[] = {
++static const mapping_entry_handler auth_handlers[] = {
      {"key-management", YAML_SCALAR_NODE, handle_auth_key_management},
      {"method", YAML_SCALAR_NODE, handle_auth_method},
      {"identity", YAML_SCALAR_NODE, handle_auth_str, NULL, auth_offset(identity)},
@@ -496,6 +553,7 @@ const mapping_entry_handler auth_handlers[] = {
      {"client-certificate", YAML_SCALAR_NODE, handle_auth_str, NULL, auth_offset(client_certificate)},
      {"client-key", YAML_SCALAR_NODE, handle_auth_str, NULL, auth_offset(client_key)},
      {"client-key-password", YAML_SCALAR_NODE, handle_auth_str, NULL, auth_offset(client_key_password)},
++    {"phase2-auth", YAML_SCALAR_NODE, handle_auth_str, NULL, auth_offset(phase2_auth)},
      {NULL}
  };
@@ -503,15 +561,27 @@ const mapping_entry_handler auth_handlers[] = {
   * Grammar and handlers for network device definition
   ****************************************************/
--static netdef_backend
--get_default_backend_for_type(netdef_type type)
++static NetplanBackend
++get_default_backend_for_type(NetplanDefType type)
+ {
--    if (backend_global != BACKEND_NONE)
++    if (backend_global != NETPLAN_BACKEND_NONE)
          return backend_global;
      /* networkd can handle all device types at the moment, so nothing
       * type-specific */
--    return BACKEND_NETWORKD;
++    return NETPLAN_BACKEND_NETWORKD;
++}
++
++static gboolean
++handle_access_point_guint(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
++{
++    return handle_generic_guint(doc, node, cur_access_point, data, error);
++}
++
++static gboolean
++handle_access_point_mac(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
++{
++    return handle_generic_mac(doc, node, cur_access_point, data, error);
+ }
  static gboolean
@@ -520,7 +590,7 @@ handle_access_point_password(yaml_document_t* doc, yaml_node_t* node, const void
      g_assert(cur_access_point);
      /* shortcut for WPA-PSK */
      cur_access_point->has_auth = TRUE;
--    cur_access_point->auth.key_management = KEY_MANAGEMENT_WPA_PSK;
++    cur_access_point->auth.key_management = NETPLAN_AUTH_KEY_MANAGEMENT_WPA_PSK;
      g_free(cur_access_point->auth.password);
      cur_access_point->auth.password = g_strdup(scalar(node));
      return TRUE;
@@ -546,17 +616,33 @@ handle_access_point_mode(yaml_document_t* doc, yaml_node_t* node, const void* _,
+ {
      g_assert(cur_access_point);
      if (strcmp(scalar(node), "infrastructure") == 0)
--        cur_access_point->mode = WIFI_MODE_INFRASTRUCTURE;
++        cur_access_point->mode = NETPLAN_WIFI_MODE_INFRASTRUCTURE;
      else if (strcmp(scalar(node), "adhoc") == 0)
--        cur_access_point->mode = WIFI_MODE_ADHOC;
++        cur_access_point->mode = NETPLAN_WIFI_MODE_ADHOC;
      else if (strcmp(scalar(node), "ap") == 0)
--        cur_access_point->mode = WIFI_MODE_AP;
++        cur_access_point->mode = NETPLAN_WIFI_MODE_AP;
      else
          return yaml_error(node, error, "unknown wifi mode '%s'", scalar(node));
      return TRUE;
+ }
--const mapping_entry_handler wifi_access_point_handlers[] = {
++static gboolean
++handle_access_point_band(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** error)
++{
++    g_assert(cur_access_point);
++    if (strcmp(scalar(node), "5GHz") == 0 || strcmp(scalar(node), "5G") == 0)
++        cur_access_point->band = NETPLAN_WIFI_BAND_5;
++    else if (strcmp(scalar(node), "2.4GHz") == 0 || strcmp(scalar(node), "2.4G") == 0)
++        cur_access_point->band = NETPLAN_WIFI_BAND_24;
++    else
++        return yaml_error(node, error, "unknown wifi band '%s'", scalar(node));
++    return TRUE;
++}
++
++static const mapping_entry_handler wifi_access_point_handlers[] = {
++    {"band", YAML_SCALAR_NODE, handle_access_point_band},
++    {"bssid", YAML_SCALAR_NODE, handle_access_point_mac, NULL, access_point_offset(bssid)},
++    {"channel", YAML_SCALAR_NODE, handle_access_point_guint, NULL, access_point_offset(channel)},
      {"mode", YAML_SCALAR_NODE, handle_access_point_mode},
      {"password", YAML_SCALAR_NODE, handle_access_point_password},
      {"auth", YAML_MAPPING_NODE, handle_access_point_auth},
@@ -567,12 +653,12 @@ const mapping_entry_handler wifi_access_point_handlers[] = {
   * Parse scalar node's string into a netdef_backend.
   */
  static gboolean
--parse_renderer(yaml_node_t* node, netdef_backend* backend, GError** error)
++parse_renderer(yaml_node_t* node, NetplanBackend* backend, GError** error)
+ {
      if (strcmp(scalar(node), "networkd") == 0)
--        *backend = BACKEND_NETWORKD;
++        *backend = NETPLAN_BACKEND_NETWORKD;
      else if (strcmp(scalar(node), "NetworkManager") == 0)
--        *backend = BACKEND_NM;
++        *backend = NETPLAN_BACKEND_NM;
      else
          return yaml_error(node, error, "unknown renderer '%s'", scalar(node));
      return TRUE;
@@ -581,6 +667,13 @@ parse_renderer(yaml_node_t* node, netdef_backend* backend, GError** error)
  static gboolean
  handle_netdef_renderer(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** error)
+ {
++    if (cur_netdef->type == NETPLAN_DEF_TYPE_VLAN) {
++        if (strcmp(scalar(node), "sriov") == 0) {
++            cur_netdef->sriov_vlan_filter = TRUE;
++            return TRUE;
++        }
++    }
++
      return parse_renderer(node, &cur_netdef->backend, error);
+ }
@@ -591,12 +684,12 @@ handle_accept_ra(yaml_document_t* doc, yaml_node_t* node, const void* data, GErr
          g_ascii_strcasecmp(scalar(node), "on") == 0 ||
          g_ascii_strcasecmp(scalar(node), "yes") == 0 ||
          g_ascii_strcasecmp(scalar(node), "y") == 0)
--        cur_netdef->accept_ra = ACCEPT_RA_ENABLED;
++        cur_netdef->accept_ra = NETPLAN_RA_MODE_ENABLED;
      else if (g_ascii_strcasecmp(scalar(node), "false") == 0 ||
          g_ascii_strcasecmp(scalar(node), "off") == 0 ||
          g_ascii_strcasecmp(scalar(node), "no") == 0 ||
          g_ascii_strcasecmp(scalar(node), "n") == 0)
--        cur_netdef->accept_ra = ACCEPT_RA_DISABLED;
++        cur_netdef->accept_ra = NETPLAN_RA_MODE_DISABLED;
      else
          return yaml_error(node, error, "invalid boolean value '%s'", scalar(node));
@@ -610,6 +703,42 @@ handle_match(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** er
      return process_mapping(doc, node, match_handlers, error);
+ }
++struct NetplanWifiWowlanType NETPLAN_WIFI_WOWLAN_TYPES[] = {
++    {"default",            NETPLAN_WIFI_WOWLAN_DEFAULT},
++    {"any",                NETPLAN_WIFI_WOWLAN_ANY},
++    {"disconnect",         NETPLAN_WIFI_WOWLAN_DISCONNECT},
++    {"magic_pkt",          NETPLAN_WIFI_WOWLAN_MAGIC},
++    {"gtk_rekey_failure",  NETPLAN_WIFI_WOWLAN_GTK_REKEY_FAILURE},
++    {"eap_identity_req",   NETPLAN_WIFI_WOWLAN_EAP_IDENTITY_REQ},
++    {"four_way_handshake", NETPLAN_WIFI_WOWLAN_4WAY_HANDSHAKE},
++    {"rfkill_release",     NETPLAN_WIFI_WOWLAN_RFKILL_RELEASE},
++    {"tcp",                NETPLAN_WIFI_WOWLAN_TCP},
++    {NULL},
++};
++
++static gboolean
++handle_wowlan(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** error)
++{
++    for (yaml_node_item_t *i = node->data.sequence.items.start; i < node->data.sequence.items.top; i++) {
++        yaml_node_t *entry = yaml_document_get_node(doc, *i);
++        assert_type(entry, YAML_SCALAR_NODE);
++        int found = FALSE;
++
++        for (unsigned i = 0; NETPLAN_WIFI_WOWLAN_TYPES[i].name != NULL; ++i) {
++            if (g_ascii_strcasecmp(scalar(entry), NETPLAN_WIFI_WOWLAN_TYPES[i].name) == 0) {
++                cur_netdef->wowlan |= NETPLAN_WIFI_WOWLAN_TYPES[i].flag;
++                found = TRUE;
++                break;
++            }
++        }
++        if (!found)
++            return yaml_error(node, error, "invalid value for wakeonwlan: '%s'", scalar(entry));
++    }
++    if (cur_netdef->wowlan > NETPLAN_WIFI_WOWLAN_DEFAULT && cur_netdef->wowlan & NETPLAN_WIFI_WOWLAN_TYPES[0].flag)
++        return yaml_error(node, error, "'default' is an exclusive flag for wakeonwlan");
++    return TRUE;
++}
++
  static gboolean
  handle_auth(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** error)
+ {
@@ -702,7 +831,7 @@ handle_wifi_access_points(yaml_document_t* doc, yaml_node_t* node, const void* d
          assert_type(value, YAML_MAPPING_NODE);
          g_assert(cur_access_point == NULL);
--        cur_access_point = g_new0(wifi_access_point, 1);
++        cur_access_point = g_new0(NetplanWifiAccessPoint, 1);
          cur_access_point->ssid = g_strdup(scalar(key));
          g_debug("%s: adding wifi AP '%s'", cur_netdef->id, cur_access_point->ssid);
@@ -739,7 +868,7 @@ handle_bridge_interfaces(yaml_document_t* doc, yaml_node_t* node, const void* da
      /* all entries must refer to already defined IDs */
      for (yaml_node_item_t *i = node->data.sequence.items.start; i < node->data.sequence.items.top; i++) {
          yaml_node_t *entry = yaml_document_get_node(doc, *i);
--        net_definition *component;
++        NetplanNetDefinition *component;
          assert_type(entry, YAML_SCALAR_NODE);
          component = g_hash_table_lookup(netdefs, scalar(entry));
@@ -761,7 +890,7 @@ handle_bridge_interfaces(yaml_document_t* doc, yaml_node_t* node, const void* da
  /**
   * Handler for bond "mode" types.
-- * @data: offset into net_definition where the const char* field to write is
++ * @data: offset into NetplanNetDefinition where the const char* field to write is
   *        located
   */
  static gboolean
@@ -789,7 +918,7 @@ handle_bond_interfaces(yaml_document_t* doc, yaml_node_t* node, const void* data
      /* all entries must refer to already defined IDs */
      for (yaml_node_item_t *i = node->data.sequence.items.start; i < node->data.sequence.items.top; i++) {
          yaml_node_t *entry = yaml_document_get_node(doc, *i);
--        net_definition *component;
++        NetplanNetDefinition *component;
          assert_type(entry, YAML_SCALAR_NODE);
          component = g_hash_table_lookup(netdefs, scalar(entry));
@@ -880,12 +1009,12 @@ handle_link_local(yaml_document_t* doc, yaml_node_t* node, const void* _, GError
      return TRUE;
+ }
--struct optional_address_option optional_address_options[] = {
--    {"ipv4-ll", OPTIONAL_IPV4_LL},
--    {"ipv6-ra", OPTIONAL_IPV6_RA},
--    {"dhcp4",   OPTIONAL_DHCP4},
--    {"dhcp6",   OPTIONAL_DHCP6},
--    {"static",  OPTIONAL_STATIC},
++struct NetplanOptionalAddressType NETPLAN_OPTIONAL_ADDRESS_TYPES[] = {
++    {"ipv4-ll", NETPLAN_OPTIONAL_IPV4_LL},
++    {"ipv6-ra", NETPLAN_OPTIONAL_IPV6_RA},
++    {"dhcp4",   NETPLAN_OPTIONAL_DHCP4},
++    {"dhcp6",   NETPLAN_OPTIONAL_DHCP6},
++    {"static",  NETPLAN_OPTIONAL_STATIC},
      {NULL},
  };
@@ -897,9 +1026,9 @@ handle_optional_addresses(yaml_document_t* doc, yaml_node_t* node, const void* _
          assert_type(entry, YAML_SCALAR_NODE);
          int found = FALSE;
--        for (unsigned i = 0; optional_address_options[i].name != NULL; ++i) {
--            if (g_ascii_strcasecmp(scalar(entry), optional_address_options[i].name) == 0) {
--                cur_netdef->optional_addresses |= optional_address_options[i].flag;
++        for (unsigned i = 0; NETPLAN_OPTIONAL_ADDRESS_TYPES[i].name != NULL; ++i) {
++            if (g_ascii_strcasecmp(scalar(entry), NETPLAN_OPTIONAL_ADDRESS_TYPES[i].name) == 0) {
++                cur_netdef->optional_addresses |= NETPLAN_OPTIONAL_ADDRESS_TYPES[i].flag;
                  found = TRUE;
                  break;
+             }
@@ -1131,7 +1260,7 @@ handle_bridge_path_cost(yaml_document_t* doc, yaml_node_t* node, const void* dat
          yaml_node_t* key, *value;
          guint v;
          gchar* endptr;
--        net_definition *component;
++        NetplanNetDefinition *component;
          guint* ref_ptr;
          key = yaml_document_get_node(doc, entry->key);
@@ -1167,7 +1296,7 @@ handle_bridge_port_priority(yaml_document_t* doc, yaml_node_t* node, const void*
          yaml_node_t* key, *value;
          guint v;
          gchar* endptr;
--        net_definition *component;
++        NetplanNetDefinition *component;
          guint* ref_ptr;
          key = yaml_document_get_node(doc, entry->key);
@@ -1197,7 +1326,7 @@ handle_bridge_port_priority(yaml_document_t* doc, yaml_node_t* node, const void*
      return TRUE;
+ }
--const mapping_entry_handler bridge_params_handlers[] = {
++static const mapping_entry_handler bridge_params_handlers[] = {
      {"ageing-time", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(bridge_params.ageing_time)},
      {"forward-delay", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(bridge_params.forward_delay)},
      {"hello-time", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(bridge_params.hello_time)},
@@ -1221,7 +1350,7 @@ handle_bridge(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** e
   * Grammar and handlers for network config "routes" entry
   ****************************************************/
--const mapping_entry_handler routes_handlers[] = {
++static const mapping_entry_handler routes_handlers[] = {
      {"from", YAML_SCALAR_NODE, handle_routes_ip, NULL, route_offset(from)},
      {"on-link", YAML_SCALAR_NODE, handle_routes_bool, NULL, route_offset(onlink)},
      {"scope", YAML_SCALAR_NODE, handle_routes_scope},
@@ -1239,15 +1368,15 @@ handle_routes(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** e
      for (yaml_node_item_t *i = node->data.sequence.items.start; i < node->data.sequence.items.top; i++) {
          yaml_node_t *entry = yaml_document_get_node(doc, *i);
--        cur_route = g_new0(ip_route, 1);
++        cur_route = g_new0(NetplanIPRoute, 1);
          cur_route->type = g_strdup("unicast");
          cur_route->scope = g_strdup("global");
          cur_route->family = G_MAXUINT; /* 0 is a valid family ID */
--        cur_route->metric = METRIC_UNSPEC; /* 0 is a valid metric */
++        cur_route->metric = NETPLAN_METRIC_UNSPEC; /* 0 is a valid metric */
          if (process_mapping(doc, entry, routes_handlers, error)) {
              if (!cur_netdef->routes) {
--                cur_netdef->routes = g_array_new(FALSE, FALSE, sizeof(ip_route*));
++                cur_netdef->routes = g_array_new(FALSE, FALSE, sizeof(NetplanIPRoute*));
+             }
              g_array_append_val(cur_netdef->routes, cur_route);
@@ -1272,7 +1401,7 @@ handle_routes(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** e
      return TRUE;
+ }
--const mapping_entry_handler ip_rules_handlers[] = {
++static const mapping_entry_handler ip_rules_handlers[] = {
      {"from", YAML_SCALAR_NODE, handle_ip_rule_ip, NULL, ip_rule_offset(from)},
      {"mark", YAML_SCALAR_NODE, handle_ip_rule_fwmark},
      {"priority", YAML_SCALAR_NODE, handle_ip_rule_prio},
@@ -1288,16 +1417,16 @@ handle_ip_rules(yaml_document_t* doc, yaml_node_t* node, const void* _, GError**
      for (yaml_node_item_t *i = node->data.sequence.items.start; i < node->data.sequence.items.top; i++) {
          yaml_node_t *entry = yaml_document_get_node(doc, *i);
--        cur_ip_rule = g_new0(ip_rule, 1);
++        cur_ip_rule = g_new0(NetplanIPRule, 1);
          cur_ip_rule->family = G_MAXUINT; /* 0 is a valid family ID */
--        cur_ip_rule->priority = IP_RULE_PRIO_UNSPEC;
--        cur_ip_rule->table = ROUTE_TABLE_UNSPEC;
--        cur_ip_rule->tos = IP_RULE_TOS_UNSPEC;
--        cur_ip_rule->fwmark = IP_RULE_FW_MARK_UNSPEC;
++        cur_ip_rule->priority = NETPLAN_IP_RULE_PRIO_UNSPEC;
++        cur_ip_rule->table = NETPLAN_ROUTE_TABLE_UNSPEC;
++        cur_ip_rule->tos = NETPLAN_IP_RULE_TOS_UNSPEC;
++        cur_ip_rule->fwmark = NETPLAN_IP_RULE_FW_MARK_UNSPEC;
          if (process_mapping(doc, entry, ip_rules_handlers, error)) {
              if (!cur_netdef->ip_rules) {
--                cur_netdef->ip_rules = g_array_new(FALSE, FALSE, sizeof(ip_rule*));
++                cur_netdef->ip_rules = g_array_new(FALSE, FALSE, sizeof(NetplanIPRule*));
+             }
              g_array_append_val(cur_netdef->ip_rules, cur_ip_rule);
@@ -1346,7 +1475,7 @@ handle_arp_ip_targets(yaml_document_t* doc, yaml_node_t* node, const void* _, GE
  static gboolean
  handle_bond_primary_slave(yaml_document_t* doc, yaml_node_t* node, const void* data, GError** error)
+ {
--    net_definition *component;
++    NetplanNetDefinition *component;
      char** ref_ptr;
      component = g_hash_table_lookup(netdefs, scalar(node));
@@ -1365,7 +1494,7 @@ handle_bond_primary_slave(yaml_document_t* doc, yaml_node_t* node, const void* d
      return TRUE;
+ }
--const mapping_entry_handler bond_params_handlers[] = {
++static const mapping_entry_handler bond_params_handlers[] = {
      {"mode", YAML_SCALAR_NODE, handle_bond_mode, NULL, netdef_offset(bond_params.mode)},
      {"lacp-rate", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(bond_params.lacp_rate)},
      {"mii-monitor-interval", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(bond_params.monitor_interval)},
@@ -1418,9 +1547,9 @@ handle_dhcp_identifier(yaml_document_t* doc, yaml_node_t* node, const void* data
   ****************************************************/
  const char*
--tunnel_mode_to_string(tunnel_mode mode)
++tunnel_mode_to_string(NetplanTunnelMode mode)
+ {
--    return tunnel_mode_table[mode];
++    return netplan_tunnel_mode_table[mode];
+ }
  static gboolean
@@ -1450,11 +1579,11 @@ static gboolean
  handle_tunnel_mode(yaml_document_t* doc, yaml_node_t* node, const void* _, GError** error)
+ {
      const char *key = scalar(node);
--    tunnel_mode i;
++    NetplanTunnelMode i;
      // Skip over unknown (0) tunnel mode.
--    for (i = 1; i < _TUNNEL_MODE_MAX; ++i) {
--        if (g_strcmp0(tunnel_mode_table[i], key) == 0) {
++    for (i = 1; i < NETPLAN_TUNNEL_MODE_MAX_; ++i) {
++        if (g_strcmp0(netplan_tunnel_mode_table[i], key) == 0) {
              cur_netdef->tunnel.mode = i;
              return TRUE;
+         }
@@ -1485,7 +1614,7 @@ handle_tunnel_key(yaml_document_t* doc, yaml_node_t* node, const void* data, GEr
      return TRUE;
+ }
--const mapping_entry_handler tunnel_keys_handlers[] = {
++static const mapping_entry_handler tunnel_keys_handlers[] = {
      {"input", YAML_SCALAR_NODE, handle_tunnel_key, NULL, netdef_offset(tunnel.input_key)},
      {"output", YAML_SCALAR_NODE, handle_tunnel_key, NULL, netdef_offset(tunnel.output_key)},
      {NULL}
@@ -1519,7 +1648,15 @@ handle_tunnel_key_mapping(yaml_document_t* doc, yaml_node_t* node, const void* _
   * Grammar and handlers for network devices
   ****************************************************/
--const mapping_entry_handler nameservers_handlers[] = {
++static const mapping_entry_handler nm_backend_settings_handlers[] = {
++    {"name", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(backend_settings.nm.name)},
++    {"uuid", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(backend_settings.nm.uuid)},
++    {"stable-id", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(backend_settings.nm.stable_id)},
++    {"device", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(backend_settings.nm.device)},
++    {NULL}
++};
++
++static const mapping_entry_handler nameservers_handlers[] = {
      {"search", YAML_SEQUENCE_NODE, handle_nameservers_search},
      {"addresses", YAML_SEQUENCE_NODE, handle_nameservers_addresses},
      {NULL}
@@ -1537,12 +1674,12 @@ const mapping_entry_handler nameservers_handlers[] = {
      {"use-ntp", YAML_SCALAR_NODE, handle_netdef_bool, NULL, netdef_offset(overrides.use_ntp)},              \
      {"use-routes", YAML_SCALAR_NODE, handle_netdef_bool, NULL, netdef_offset(overrides.use_routes)}
--const mapping_entry_handler dhcp4_overrides_handlers[] = {
++static const mapping_entry_handler dhcp4_overrides_handlers[] = {
      COMMON_DHCP_OVERRIDES_HANDLERS(dhcp4_overrides),
      {NULL},
  };
--const mapping_entry_handler dhcp6_overrides_handlers[] = {
++static const mapping_entry_handler dhcp6_overrides_handlers[] = {
      COMMON_DHCP_OVERRIDES_HANDLERS(dhcp6_overrides),
      {NULL},
  };
@@ -1559,6 +1696,7 @@ const mapping_entry_handler dhcp6_overrides_handlers[] = {
      {"dhcp6-overrides", YAML_MAPPING_NODE, NULL, dhcp6_overrides_handlers},                   \
      {"gateway4", YAML_SCALAR_NODE, handle_gateway4},                                          \
      {"gateway6", YAML_SCALAR_NODE, handle_gateway6},                                          \
++    {"ipv6-address-generation", YAML_SCALAR_NODE, handle_netdef_addrgen},                               \
      {"ipv6-mtu", YAML_SCALAR_NODE, handle_netdef_guint, NULL, netdef_offset(ipv6_mtubytes)},  \
      {"ipv6-privacy", YAML_SCALAR_NODE, handle_netdef_bool, NULL, netdef_offset(ip6_privacy)}, \
      {"link-local", YAML_SEQUENCE_NODE, handle_link_local},                                    \
@@ -1571,50 +1709,77 @@ const mapping_entry_handler dhcp6_overrides_handlers[] = {
      {"routes", YAML_SEQUENCE_NODE, handle_routes},                                            \
      {"routing-policy", YAML_SEQUENCE_NODE, handle_ip_rules}
++#define COMMON_BACKEND_HANDLERS							\
++    {"networkmanager", YAML_MAPPING_NODE, NULL, nm_backend_settings_handlers}
++
  /* Handlers for physical links */
  #define PHYSICAL_LINK_HANDLERS                                                           \
      {"match", YAML_MAPPING_NODE, handle_match},                                          \
      {"set-name", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(set_name)},    \
--    {"wakeonlan", YAML_SCALAR_NODE, handle_netdef_bool, NULL, netdef_offset(wake_on_lan)}
++    {"wakeonlan", YAML_SCALAR_NODE, handle_netdef_bool, NULL, netdef_offset(wake_on_lan)}, \
++    {"wakeonwlan", YAML_SEQUENCE_NODE, handle_wowlan, NULL, netdef_offset(wowlan)},       \
++    {"emit-lldp", YAML_SCALAR_NODE, handle_netdef_bool, NULL, netdef_offset(emit_lldp)}
--const mapping_entry_handler ethernet_def_handlers[] = {
++static const mapping_entry_handler ethernet_def_handlers[] = {
      COMMON_LINK_HANDLERS,
++    COMMON_BACKEND_HANDLERS,
      PHYSICAL_LINK_HANDLERS,
      {"auth", YAML_MAPPING_NODE, handle_auth},
++    {"link", YAML_SCALAR_NODE, handle_netdef_id_ref, NULL, netdef_offset(sriov_link)},
++    {"virtual-function-count", YAML_SCALAR_NODE, handle_netdef_guint, NULL, netdef_offset(sriov_explicit_vf_count)},
      {NULL}
  };
--const mapping_entry_handler wifi_def_handlers[] = {
++static const mapping_entry_handler wifi_def_handlers[] = {
      COMMON_LINK_HANDLERS,
++    COMMON_BACKEND_HANDLERS,
      PHYSICAL_LINK_HANDLERS,
      {"access-points", YAML_MAPPING_NODE, handle_wifi_access_points},
      {"auth", YAML_MAPPING_NODE, handle_auth},
      {NULL}
  };
--const mapping_entry_handler bridge_def_handlers[] = {
++static const mapping_entry_handler bridge_def_handlers[] = {
      COMMON_LINK_HANDLERS,
++    COMMON_BACKEND_HANDLERS,
      {"interfaces", YAML_SEQUENCE_NODE, handle_bridge_interfaces, NULL, NULL},
      {"parameters", YAML_MAPPING_NODE, handle_bridge},
      {NULL}
  };
--const mapping_entry_handler bond_def_handlers[] = {
++static const mapping_entry_handler bond_def_handlers[] = {
      COMMON_LINK_HANDLERS,
++    COMMON_BACKEND_HANDLERS,
      {"interfaces", YAML_SEQUENCE_NODE, handle_bond_interfaces, NULL, NULL},
      {"parameters", YAML_MAPPING_NODE, handle_bonding},
      {NULL}
  };
--const mapping_entry_handler vlan_def_handlers[] = {
++static const mapping_entry_handler vlan_def_handlers[] = {
      COMMON_LINK_HANDLERS,
++    COMMON_BACKEND_HANDLERS,
      {"id", YAML_SCALAR_NODE, handle_netdef_guint, NULL, netdef_offset(vlan_id)},
      {"link", YAML_SCALAR_NODE, handle_netdef_id_ref, NULL, netdef_offset(vlan_link)},
      {NULL}
  };
--const mapping_entry_handler tunnel_def_handlers[] = {
++static const mapping_entry_handler modem_def_handlers[] = {
++    COMMON_LINK_HANDLERS,
++    {"apn", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.apn)},
++    {"auto-config", YAML_SCALAR_NODE, handle_netdef_bool, NULL, netdef_offset(modem_params.auto_config)},
++    {"device-id", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.device_id)},
++    {"network-id", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.network_id)},
++    {"number", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.number)},
++    {"password", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.password)},
++    {"pin", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.pin)},
++    {"sim-id", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.sim_id)},
++    {"sim-operator-id", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.sim_operator_id)},
++    {"username", YAML_SCALAR_NODE, handle_netdef_str, NULL, netdef_offset(modem_params.username)},
++};
++
++static const mapping_entry_handler tunnel_def_handlers[] = {
      COMMON_LINK_HANDLERS,
++    COMMON_BACKEND_HANDLERS,
      {"mode", YAML_SCALAR_NODE, handle_tunnel_mode},
      {"local", YAML_SCALAR_NODE, handle_tunnel_addr, NULL, netdef_offset(tunnel.local_ip)},
      {"remote", YAML_SCALAR_NODE, handle_tunnel_addr, NULL, netdef_offset(tunnel.remote_ip)},
@@ -1650,7 +1815,7 @@ handle_network_renderer(yaml_document_t* doc, yaml_node_t* node, const void* _,
+ }
  static void
--initialize_dhcp_overrides(dhcp_overrides* overrides)
++initialize_dhcp_overrides(NetplanDHCPOverrides* overrides)
+ {
      overrides->use_dns = TRUE;
      overrides->use_domains = NULL;
@@ -1660,7 +1825,7 @@ initialize_dhcp_overrides(dhcp_overrides* overrides)
      overrides->use_mtu = TRUE;
      overrides->use_routes = TRUE;
      overrides->hostname = NULL;
--    overrides->metric = METRIC_UNSPEC;
++    overrides->metric = NETPLAN_METRIC_UNSPEC;
+ }
  /**
@@ -1705,19 +1870,20 @@ handle_network_type(yaml_document_t* doc, yaml_node_t* node, const void* data, G
                  return yaml_error(key, error, "Updated definition '%s' changes device type", scalar(key));
          } else {
              /* create new network definition */
--            cur_netdef = g_new0(net_definition, 1);
++            cur_netdef = g_new0(NetplanNetDefinition, 1);
              cur_netdef->type = GPOINTER_TO_UINT(data);
--            cur_netdef->backend = backend_cur_type ?: BACKEND_NONE;
++            cur_netdef->backend = backend_cur_type ?: NETPLAN_BACKEND_NONE;
              cur_netdef->id = g_strdup(scalar(key));
              /* Set some default values */
              cur_netdef->vlan_id = G_MAXUINT; /* 0 is a valid ID */
--            cur_netdef->tunnel.mode = TUNNEL_MODE_UNKNOWN;
++            cur_netdef->tunnel.mode = NETPLAN_TUNNEL_MODE_UNKNOWN;
              cur_netdef->dhcp_identifier = g_strdup("duid"); /* keep networkd's default */
              /* systemd-networkd defaults to IPv6 LL enabled; keep that default */
              cur_netdef->linklocal.ipv6 = TRUE;
              g_hash_table_insert(netdefs, cur_netdef->id, cur_netdef);
              netdefs_ordered = g_list_append(netdefs_ordered, cur_netdef);
++            cur_netdef->sriov_vlan_filter = FALSE;
              /* DHCP override defaults */
              initialize_dhcp_overrides(&cur_netdef->dhcp4_overrides);
@@ -1732,12 +1898,13 @@ handle_network_type(yaml_document_t* doc, yaml_node_t* node, const void* data, G
          /* and fill it with definitions */
          switch (cur_netdef->type) {
--            case ND_BOND: handlers = bond_def_handlers; break;
--            case ND_BRIDGE: handlers = bridge_def_handlers; break;
--            case ND_ETHERNET: handlers = ethernet_def_handlers; break;
--            case ND_TUNNEL: handlers = tunnel_def_handlers; break;
--            case ND_VLAN: handlers = vlan_def_handlers; break;
--            case ND_WIFI: handlers = wifi_def_handlers; break;
++            case NETPLAN_DEF_TYPE_BOND: handlers = bond_def_handlers; break;
++            case NETPLAN_DEF_TYPE_BRIDGE: handlers = bridge_def_handlers; break;
++            case NETPLAN_DEF_TYPE_ETHERNET: handlers = ethernet_def_handlers; break;
++            case NETPLAN_DEF_TYPE_MODEM: handlers = modem_def_handlers; break;
++            case NETPLAN_DEF_TYPE_TUNNEL: handlers = tunnel_def_handlers; break;
++            case NETPLAN_DEF_TYPE_VLAN: handlers = vlan_def_handlers; break;
++            case NETPLAN_DEF_TYPE_WIFI: handlers = wifi_def_handlers; break;
              default: g_assert_not_reached(); // LCOV_EXCL_LINE
+         }
          if (!process_mapping(doc, value, handlers, error))
@@ -1749,22 +1916,23 @@ handle_network_type(yaml_document_t* doc, yaml_node_t* node, const void* data, G
          /* convenience shortcut: physical device without match: means match
           * name on ID */
--        if (cur_netdef->type < ND_VIRTUAL && !cur_netdef->has_match)
++        if (cur_netdef->type < NETPLAN_DEF_TYPE_VIRTUAL && !cur_netdef->has_match)
              cur_netdef->match.original_name = cur_netdef->id;
+     }
--    backend_cur_type = BACKEND_NONE;
++    backend_cur_type = NETPLAN_BACKEND_NONE;
      return TRUE;
+ }
--const mapping_entry_handler network_handlers[] = {
--    {"bonds", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(ND_BOND)},
--    {"bridges", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(ND_BRIDGE)},
--    {"ethernets", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(ND_ETHERNET)},
++static const mapping_entry_handler network_handlers[] = {
++    {"bonds", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_BOND)},
++    {"bridges", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_BRIDGE)},
++    {"ethernets", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_ETHERNET)},
      {"renderer", YAML_SCALAR_NODE, handle_network_renderer},
--    {"tunnels", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(ND_TUNNEL)},
++    {"tunnels", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_TUNNEL)},
      {"version", YAML_SCALAR_NODE, handle_network_version},
--    {"vlans", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(ND_VLAN)},
--    {"wifis", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(ND_WIFI)},
++    {"vlans", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_VLAN)},
++    {"wifis", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_WIFI)},
++    {"modems", YAML_MAPPING_NODE, handle_network_type, NULL, GUINT_TO_POINTER(NETPLAN_DEF_TYPE_MODEM)},
      {NULL}
  };
@@ -1772,7 +1940,7 @@ const mapping_entry_handler network_handlers[] = {
   * Grammar and handlers for root node
   ****************************************************/
--const mapping_entry_handler root_handlers[] = {
++static const mapping_entry_handler root_handlers[] = {
      {"network", YAML_MAPPING_NODE, NULL, network_handlers},
      {NULL}
  };
@@ -1809,7 +1977,7 @@ process_document(yaml_document_t* doc, GError** error)
      if (g_hash_table_size(missing_id) > 0) {
          GHashTableIter iter;
          gpointer key, value;
--        missing_node *missing;
++        NetplanMissingNode *missing;
          g_clear_error(error);
@@ -1817,7 +1985,7 @@ process_document(yaml_document_t* doc, GError** error)
           * approximate early failure and give the user a meaningful error. */
          g_hash_table_iter_init (&iter, missing_id);
          g_hash_table_iter_next (&iter, &key, &value);
--        missing = (missing_node*) value;
++        missing = (NetplanMissingNode*) value;
          return yaml_error(missing->node, error, "%s: interface '%s' is not defined",
                            missing->netdef_id,
@@ -1833,7 +2001,7 @@ process_document(yaml_document_t* doc, GError** error)
   * Parse given YAML file and create/update global "netdefs" list.
   */
  gboolean
--parse_yaml(const char* filename, GError** error)
++netplan_parse_yaml(const char* filename, GError** error)
+ {
      yaml_document_t doc;
      gboolean ret;
@@ -1841,13 +2009,13 @@ parse_yaml(const char* filename, GError** error)
      if (!load_yaml(filename, &doc, error))
          return FALSE;
++    if (!netdefs)
++        netdefs = g_hash_table_new(g_str_hash, g_str_equal);
++
      /* empty file? */
      if (yaml_document_get_root_node(&doc) == NULL)
          return TRUE;
--    if (!netdefs)
--        netdefs = g_hash_table_new(g_str_hash, g_str_equal);
--
      g_assert(ids_in_file == NULL);
      ids_in_file = g_hash_table_new(g_str_hash, NULL);
@@ -1864,10 +2032,10 @@ static void
  finish_iterator(gpointer key, gpointer value, gpointer user_data)
+ {
      GError **error = (GError **)user_data;
--    net_definition* nd = value;
++    NetplanNetDefinition* nd = value;
      /* Take more steps to make sure we always have a backend set for netdefs */
--    if (nd->backend == BACKEND_NONE) {
++    if (nd->backend == NETPLAN_BACKEND_NONE) {
          nd->backend = get_default_backend_for_type(nd->type);
          g_debug("%s: setting default backend to %i", nd->id, nd->backend);
+     }
@@ -1880,23 +2048,25 @@ finish_iterator(gpointer key, gpointer value, gpointer user_data)
  /**
   * Post-processing after parsing all config files
   */
--gboolean
--finish_parse(GError** error)
++GHashTable *
++netplan_finish_parse(GError** error)
+ {
--    if (netdefs)
++    if (netdefs) {
++        g_debug("We have some netdefs, pass them through a final round of validation");
          g_hash_table_foreach(netdefs, finish_iterator, error);
++    }
      if (error && *error)
--        return FALSE;
++        return NULL;
--    return TRUE;
++    return netdefs;
+ }
  /**
   * Return current global backend.
   */
--netdef_backend
--get_global_backend()
++NetplanBackend
++netplan_get_global_backend()
+ {
      return backend_global;
+ }
 diff --git a/src/parse.h b/src/parse.h
 index 381d450..b84ff4c 100644
 --- a/src/parse.h
 +++ b/src/parse.h
@@ -39,114 +39,140 @@ int missing_ids_found;
   ****************************************************/
  typedef enum {
--    ND_NONE,
++    NETPLAN_DEF_TYPE_NONE,
      /* physical devices */
--    ND_ETHERNET,
--    ND_WIFI,
++    NETPLAN_DEF_TYPE_ETHERNET,
++    NETPLAN_DEF_TYPE_WIFI,
++    NETPLAN_DEF_TYPE_MODEM,
      /* virtual devices */
--    ND_VIRTUAL,
--    ND_BRIDGE = ND_VIRTUAL,
--    ND_BOND,
--    ND_VLAN,
--    ND_TUNNEL,
--} netdef_type;
++    NETPLAN_DEF_TYPE_VIRTUAL,
++    NETPLAN_DEF_TYPE_BRIDGE = NETPLAN_DEF_TYPE_VIRTUAL,
++    NETPLAN_DEF_TYPE_BOND,
++    NETPLAN_DEF_TYPE_VLAN,
++    NETPLAN_DEF_TYPE_TUNNEL,
++} NetplanDefType;
  typedef enum {
--    BACKEND_NONE,
--    BACKEND_NETWORKD,
--    BACKEND_NM,
--    _BACKEND_MAX,
--} netdef_backend;
--
--static const char* const netdef_backend_to_name[_BACKEND_MAX] = {
--        [BACKEND_NONE] = "none",
--        [BACKEND_NETWORKD] = "networkd",
--        [BACKEND_NM] = "NetworkManager",
++    NETPLAN_BACKEND_NONE,
++    NETPLAN_BACKEND_NETWORKD,
++    NETPLAN_BACKEND_NM,
++    NETPLAN_BACKEND_MAX_,
++} NetplanBackend;
++
++static const char* const netplan_backend_to_name[NETPLAN_BACKEND_MAX_] = {
++        [NETPLAN_BACKEND_NONE] = "none",
++        [NETPLAN_BACKEND_NETWORKD] = "networkd",
++        [NETPLAN_BACKEND_NM] = "NetworkManager",
  };
  typedef enum {
--    ACCEPT_RA_KERNEL,
--    ACCEPT_RA_ENABLED,
--    ACCEPT_RA_DISABLED,
--} ra_mode;
++    NETPLAN_RA_MODE_KERNEL,
++    NETPLAN_RA_MODE_ENABLED,
++    NETPLAN_RA_MODE_DISABLED,
++} NetplanRAMode;
  typedef enum {
--    OPTIONAL_IPV4_LL = 1<<0,
--    OPTIONAL_IPV6_RA = 1<<1,
--    OPTIONAL_DHCP4   = 1<<2,
--    OPTIONAL_DHCP6   = 1<<3,
--    OPTIONAL_STATIC  = 1<<4,
--} optional_addr;
++    NETPLAN_OPTIONAL_IPV4_LL = 1<<0,
++    NETPLAN_OPTIONAL_IPV6_RA = 1<<1,
++    NETPLAN_OPTIONAL_DHCP4   = 1<<2,
++    NETPLAN_OPTIONAL_DHCP6   = 1<<3,
++    NETPLAN_OPTIONAL_STATIC  = 1<<4,
++} NetplanOptionalAddressFlag;
++
++typedef enum {
++    NETPLAN_ADDRGEN_DEFAULT,
++    NETPLAN_ADDRGEN_EUI64,
++    NETPLAN_ADDRGEN_STABLEPRIVACY,
++} NetplanAddrGenMode;
++
++struct NetplanOptionalAddressType {
++    char* name;
++    NetplanOptionalAddressFlag flag;
++};
++
++extern struct NetplanOptionalAddressType NETPLAN_OPTIONAL_ADDRESS_TYPES[];
  /* Tunnel mode enum; sync with NetworkManager's DBUS API */
  /* TODO: figure out whether networkd's GRETAP and NM's ISATAP
   *       are the same thing.
   */
  typedef enum {
--    TUNNEL_MODE_UNKNOWN     = 0,
--    TUNNEL_MODE_IPIP        = 1,
--    TUNNEL_MODE_GRE         = 2,
--    TUNNEL_MODE_SIT         = 3,
--    TUNNEL_MODE_ISATAP      = 4,  // NM only.
--    TUNNEL_MODE_VTI         = 5,
--    TUNNEL_MODE_IP6IP6      = 6,
--    TUNNEL_MODE_IPIP6       = 7,
--    TUNNEL_MODE_IP6GRE      = 8,
--    TUNNEL_MODE_VTI6        = 9,
++    NETPLAN_TUNNEL_MODE_UNKNOWN     = 0,
++    NETPLAN_TUNNEL_MODE_IPIP        = 1,
++    NETPLAN_TUNNEL_MODE_GRE         = 2,
++    NETPLAN_TUNNEL_MODE_SIT         = 3,
++    NETPLAN_TUNNEL_MODE_ISATAP      = 4,  // NM only.
++    NETPLAN_TUNNEL_MODE_VTI         = 5,
++    NETPLAN_TUNNEL_MODE_IP6IP6      = 6,
++    NETPLAN_TUNNEL_MODE_IPIP6       = 7,
++    NETPLAN_TUNNEL_MODE_IP6GRE      = 8,
++    NETPLAN_TUNNEL_MODE_VTI6        = 9,
      /* systemd-only, apparently? */
--    TUNNEL_MODE_GRETAP      = 101,
--    TUNNEL_MODE_IP6GRETAP   = 102,
++    NETPLAN_TUNNEL_MODE_GRETAP      = 101,
++    NETPLAN_TUNNEL_MODE_IP6GRETAP   = 102,
--    _TUNNEL_MODE_MAX,
--} tunnel_mode;
++    NETPLAN_TUNNEL_MODE_MAX_,
++} NetplanTunnelMode;
  static const char* const
--tunnel_mode_table[_TUNNEL_MODE_MAX] = {
--    [TUNNEL_MODE_UNKNOWN] = "unknown",
--    [TUNNEL_MODE_IPIP] = "ipip",
--    [TUNNEL_MODE_GRE] = "gre",
--    [TUNNEL_MODE_SIT] = "sit",
--    [TUNNEL_MODE_ISATAP] = "isatap",
--    [TUNNEL_MODE_VTI] = "vti",
--    [TUNNEL_MODE_IP6IP6] = "ip6ip6",
--    [TUNNEL_MODE_IPIP6] = "ipip6",
--    [TUNNEL_MODE_IP6GRE] = "ip6gre",
--    [TUNNEL_MODE_VTI6] = "vti6",
--
--    [TUNNEL_MODE_GRETAP] = "gretap",
--    [TUNNEL_MODE_IP6GRETAP] = "ip6gretap",
++netplan_tunnel_mode_table[NETPLAN_TUNNEL_MODE_MAX_] = {
++    [NETPLAN_TUNNEL_MODE_UNKNOWN] = "unknown",
++    [NETPLAN_TUNNEL_MODE_IPIP] = "ipip",
++    [NETPLAN_TUNNEL_MODE_GRE] = "gre",
++    [NETPLAN_TUNNEL_MODE_SIT] = "sit",
++    [NETPLAN_TUNNEL_MODE_ISATAP] = "isatap",
++    [NETPLAN_TUNNEL_MODE_VTI] = "vti",
++    [NETPLAN_TUNNEL_MODE_IP6IP6] = "ip6ip6",
++    [NETPLAN_TUNNEL_MODE_IPIP6] = "ipip6",
++    [NETPLAN_TUNNEL_MODE_IP6GRE] = "ip6gre",
++    [NETPLAN_TUNNEL_MODE_VTI6] = "vti6",
++
++    [NETPLAN_TUNNEL_MODE_GRETAP] = "gretap",
++    [NETPLAN_TUNNEL_MODE_IP6GRETAP] = "ip6gretap",
  };
--struct optional_address_option {
++typedef enum {
++    NETPLAN_WIFI_WOWLAN_DEFAULT           = 1<<0,
++    NETPLAN_WIFI_WOWLAN_ANY               = 1<<1,
++    NETPLAN_WIFI_WOWLAN_DISCONNECT        = 1<<2,
++    NETPLAN_WIFI_WOWLAN_MAGIC             = 1<<3,
++    NETPLAN_WIFI_WOWLAN_GTK_REKEY_FAILURE = 1<<4,
++    NETPLAN_WIFI_WOWLAN_EAP_IDENTITY_REQ  = 1<<5,
++    NETPLAN_WIFI_WOWLAN_4WAY_HANDSHAKE    = 1<<6,
++    NETPLAN_WIFI_WOWLAN_RFKILL_RELEASE    = 1<<7,
++    NETPLAN_WIFI_WOWLAN_TCP               = 1<<8,
++} NetplanWifiWowlanFlag;
++
++struct NetplanWifiWowlanType {
      char* name;
--    optional_addr flag;
++    NetplanWifiWowlanFlag flag;
  };
--extern struct optional_address_option optional_address_options[];
++extern struct NetplanWifiWowlanType NETPLAN_WIFI_WOWLAN_TYPES[];
  typedef enum {
--    KEY_MANAGEMENT_NONE,
--    KEY_MANAGEMENT_WPA_PSK,
--    KEY_MANAGEMENT_WPA_EAP,
--    KEY_MANAGEMENT_8021X,
--} auth_key_management_type;
++    NETPLAN_AUTH_KEY_MANAGEMENT_NONE,
++    NETPLAN_AUTH_KEY_MANAGEMENT_WPA_PSK,
++    NETPLAN_AUTH_KEY_MANAGEMENT_WPA_EAP,
++    NETPLAN_AUTH_KEY_MANAGEMENT_8021X,
++} NetplanAuthKeyManagementType;
  typedef enum {
--    EAP_NONE,
--    EAP_TLS,
--    EAP_PEAP,
--    EAP_TTLS,
--} auth_eap_method;
++    NETPLAN_AUTH_EAP_NONE,
++    NETPLAN_AUTH_EAP_TLS,
++    NETPLAN_AUTH_EAP_PEAP,
++    NETPLAN_AUTH_EAP_TTLS,
++} NetplanAuthEAPMethod;
  typedef struct missing_node {
      char* netdef_id;
      const yaml_node_t* node;
--} missing_node;
++} NetplanMissingNode;
  typedef struct authentication_settings {
--    auth_key_management_type key_management;
--    auth_eap_method eap_method;
++    NetplanAuthKeyManagementType key_management;
++    NetplanAuthEAPMethod eap_method;
      char* identity;
      char* anonymous_identity;
      char* password;
@@ -154,7 +180,8 @@ typedef struct authentication_settings {
      char* client_certificate;
      char* client_key;
      char* client_key_password;
--} authentication_settings;
++    char* phase2_auth;  /* netplan-feature: auth-phase2 */
++} NetplanAuthenticationSettings;
  /* Fields below are valid for dhcp4 and dhcp6 unless otherwise noted. */
  typedef struct dhcp_overrides {
@@ -167,33 +194,39 @@ typedef struct dhcp_overrides {
      char* use_domains; /* netplan-feature: dhcp-use-domains */
      char* hostname;
      guint metric;
--} dhcp_overrides;
++} NetplanDHCPOverrides;
  /**
   * Represent a configuration stanza
   */
--typedef struct net_definition {
--    netdef_type type;
--    netdef_backend backend;
++
++struct net_definition;
++
++typedef struct net_definition NetplanNetDefinition;
++
++struct net_definition {
++    NetplanDefType type;
++    NetplanBackend backend;
      char* id;
      /* only necessary for NetworkManager connection UUIDs in some cases */
      uuid_t uuid;
      /* status options */
      gboolean optional;
--    optional_addr optional_addresses;
++    NetplanOptionalAddressFlag optional_addresses;
      gboolean critical;
      /* addresses */
      gboolean dhcp4;
      gboolean dhcp6;
      char* dhcp_identifier;
--    dhcp_overrides dhcp4_overrides;
--    dhcp_overrides dhcp6_overrides;
--    ra_mode accept_ra;
++    NetplanDHCPOverrides dhcp4_overrides;
++    NetplanDHCPOverrides dhcp6_overrides;
++    NetplanRAMode accept_ra;
      GArray* ip4_addresses;
      GArray* ip6_addresses;
      gboolean ip6_privacy;
++    guint ip6_addr_gen_mode;
      char* gateway4;
      char* gateway6;
      GArray* ip4_nameservers;
@@ -212,7 +245,7 @@ typedef struct net_definition {
      /* vlan */
      guint vlan_id;
--    struct net_definition* vlan_link;
++    NetplanNetDefinition* vlan_link;
      gboolean has_vlans;
      /* Configured custom MAC address */
@@ -233,9 +266,12 @@ typedef struct net_definition {
      } match;
      gboolean has_match;
      gboolean wake_on_lan;
++    NetplanWifiWowlanFlag wowlan;
++    gboolean emit_lldp;
++
--    /* these properties are only valid for ND_WIFI */
--    GHashTable* access_points; /* SSID → wifi_access_point* */
++    /* these properties are only valid for NETPLAN_DEF_TYPE_WIFI */
++    GHashTable* access_points; /* SSID → NetplanWifiAccessPoint* */
      struct {
          char* mode;
@@ -262,6 +298,19 @@ typedef struct net_definition {
      } bond_params;
      struct {
++        char* apn;
++        gboolean auto_config;
++        char* device_id;
++        char* network_id;
++        char* number;
++        char* password;
++        char* pin;
++        char* sim_id;
++        char* sim_operator_id;
++        char* username;
++    } modem_params;
++
++    struct {
          char* ageing_time;
          guint priority;
          guint port_priority;
@@ -274,36 +323,62 @@ typedef struct net_definition {
      gboolean custom_bridging;
      struct {
--        tunnel_mode mode;
++        NetplanTunnelMode mode;
          char *local_ip;
          char *remote_ip;
          char *input_key;
          char *output_key;
      } tunnel;
--    authentication_settings auth;
++    NetplanAuthenticationSettings auth;
      gboolean has_auth;
--} net_definition;
++
++    /* these properties are only valid for SR-IOV NICs */
++    struct net_definition* sriov_link;
++    gboolean sriov_vlan_filter;
++    guint sriov_explicit_vf_count;
++
++    union {
++        struct NetplanNMSettings {
++            char *name;
++            char *uuid;
++            char *stable_id;
++            char *device;
++        } nm;
++        struct NetplanNetworkdSettings {
++            char *unit;
++        } networkd;
++    } backend_settings;
++};
++
++typedef enum {
++    NETPLAN_WIFI_MODE_INFRASTRUCTURE,
++    NETPLAN_WIFI_MODE_ADHOC,
++    NETPLAN_WIFI_MODE_AP
++} NetplanWifiMode;
  typedef enum {
--    WIFI_MODE_INFRASTRUCTURE,
--    WIFI_MODE_ADHOC,
--    WIFI_MODE_AP
--} wifi_mode;
++    NETPLAN_WIFI_BAND_DEFAULT,
++    NETPLAN_WIFI_BAND_5,
++    NETPLAN_WIFI_BAND_24
++} NetplanWifiBand;
  typedef struct {
--    wifi_mode mode;
++    NetplanWifiMode mode;
      char* ssid;
++    NetplanWifiBand band;
++    char* bssid;
++    guint channel;
--    authentication_settings auth;
++    NetplanAuthenticationSettings auth;
      gboolean has_auth;
--} wifi_access_point;
++} NetplanWifiAccessPoint;
--#define METRIC_UNSPEC G_MAXUINT
--#define ROUTE_TABLE_UNSPEC 0
--#define IP_RULE_PRIO_UNSPEC G_MAXUINT
--#define IP_RULE_FW_MARK_UNSPEC 0
--#define IP_RULE_TOS_UNSPEC G_MAXUINT
++#define NETPLAN_METRIC_UNSPEC G_MAXUINT
++#define NETPLAN_ROUTE_TABLE_UNSPEC 0
++#define NETPLAN_IP_RULE_PRIO_UNSPEC G_MAXUINT
++#define NETPLAN_IP_RULE_FW_MARK_UNSPEC 0
++#define NETPLAN_IP_RULE_TOS_UNSPEC G_MAXUINT
  typedef struct {
      guint family;
@@ -320,7 +395,7 @@ typedef struct {
      /* valid metrics are valid positive integers.
       * invalid metrics are represented by METRIC_UNSPEC */
      guint metric;
--} ip_route;
++} NetplanIPRoute;
  typedef struct {
      guint family;
@@ -335,7 +410,7 @@ typedef struct {
      guint fwmark;
      /* type-of-service: between 0 and 255 */
      guint tos;
--} ip_rule;
++} NetplanIPRule;
  /* Written/updated by parse_yaml(): char* id →  net_definition */
  extern GHashTable* netdefs;
@@ -345,7 +420,7 @@ extern GList* netdefs_ordered;
   * Functions
   ****************************************************/
--gboolean parse_yaml(const char* filename, GError** error);
--gboolean finish_parse(GError** error);
--netdef_backend get_global_backend();
--const char* tunnel_mode_to_string(tunnel_mode mode);
++gboolean netplan_parse_yaml(const char* filename, GError** error);
++GHashTable* netplan_finish_parse(GError** error);
++NetplanBackend netplan_get_global_backend();
++const char* tunnel_mode_to_string(NetplanTunnelMode mode);
 diff --git a/src/util.c b/src/util.c
 index e3441d5..4b71ef1 100644
 --- a/src/util.c
 +++ b/src/util.c
@@ -86,3 +86,65 @@ unlink_glob(const char* rootdir, const char* _glob)
      for (size_t i = 0; i < gl.gl_pathc; ++i)
          unlink(gl.gl_pathv[i]);
+ }
++
++/**
++ * Get the frequency of a given 2.4GHz WiFi channel
++ */
++int
++wifi_get_freq24(int channel)
++{
++    if (channel < 1 || channel > 14) {
++        g_fprintf(stderr, "ERROR: invalid 2.4GHz WiFi channel: %d\n", channel);
++        exit(1);
++    }
++
++    if (!wifi_frequency_24) {
++        wifi_frequency_24 = g_hash_table_new(g_direct_hash, g_direct_equal);
++        /* Initialize 2.4GHz frequencies, as of:
++         * https://en.wikipedia.org/wiki/List_of_WLAN_channels#2.4_GHz_(802.11b/g/n/ax) */
++        for (unsigned i = 0; i < 13; i++) {
++            g_hash_table_insert(wifi_frequency_24, GINT_TO_POINTER(i+1),
++                                GINT_TO_POINTER(2412+i*5));
++        }
++        g_hash_table_insert(wifi_frequency_24, GINT_TO_POINTER(14),
++                            GINT_TO_POINTER(2484));
++    }
++    return GPOINTER_TO_INT(g_hash_table_lookup(wifi_frequency_24,
++                           GINT_TO_POINTER(channel)));
++}
++
++/**
++ * Get the frequency of a given 5GHz WiFi channel
++ */
++int
++wifi_get_freq5(int channel)
++{
++    int channels[] = { 7, 8, 9, 11, 12, 16, 32, 34, 36, 38, 40, 42, 44, 46, 48,
++                       50, 52, 54, 56, 58, 60, 62, 64, 68, 96, 100, 102, 104,
++                       106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126,
++                       128, 132, 134, 136, 138, 140, 142, 144, 149, 151, 153,
++                       155, 157, 159, 161, 165, 169, 173 };
++    gboolean found = FALSE;
++    for (unsigned i = 0; i < sizeof(channels) / sizeof(int); i++) {
++        if (channel == channels[i]) {
++            found = TRUE;
++            break;
++        }
++    }
++    if (!found) {
++        g_fprintf(stderr, "ERROR: invalid 5GHz WiFi channel: %d\n", channel);
++        exit(1);
++    }
++    if (!wifi_frequency_5) {
++        wifi_frequency_5 = g_hash_table_new(g_direct_hash, g_direct_equal);
++        /* Initialize 5GHz frequencies, as of:
++         * https://en.wikipedia.org/wiki/List_of_WLAN_channels#5.0_GHz_(802.11j)_WLAN
++         * Skipping channels 183-196. They are valid only in Japan with registration needed */
++        for (unsigned i = 0; i < sizeof(channels) / sizeof(int); i++) {
++            g_hash_table_insert(wifi_frequency_5, GINT_TO_POINTER(channels[i]),
++                                GINT_TO_POINTER(5000+channels[i]*5));
++        }
++    }
++    return GPOINTER_TO_INT(g_hash_table_lookup(wifi_frequency_5,
++                           GINT_TO_POINTER(channel)));
++}
 diff --git a/src/util.h b/src/util.h
 index 4e85a98..4ed1a60 100644
 --- a/src/util.h
 +++ b/src/util.h
@@ -17,6 +17,12 @@
  #pragma once
++GHashTable* wifi_frequency_24;
++GHashTable* wifi_frequency_5;
++
  void safe_mkdir_p_dir(const char* file_path);
  void g_string_free_to_file(GString* s, const char* rootdir, const char* path, const char* suffix);
  void unlink_glob(const char* rootdir, const char* _glob);
++
++int wifi_get_freq24(int channel);
++int wifi_get_freq5(int channel);
 diff --git a/src/validation.c b/src/validation.c
 index 7731be4..ad08988 100644
 --- a/src/validation.c
 +++ b/src/validation.c
@@ -19,6 +19,7 @@
  #include <glib/gstdio.h>
  #include <gio/gio.h>
  #include <arpa/inet.h>
++#include <regex.h>
  #include <yaml.h>
@@ -60,9 +61,9 @@ is_ip6_address(const char* address)
   * Validation for grammar and backend rules.
   ************************************************/
  static gboolean
--validate_tunnel_grammar(net_definition* nd, yaml_node_t* node, GError** error)
++validate_tunnel_grammar(NetplanNetDefinition* nd, yaml_node_t* node, GError** error)
+ {
--    if (nd->tunnel.mode == TUNNEL_MODE_UNKNOWN)
++    if (nd->tunnel.mode == NETPLAN_TUNNEL_MODE_UNKNOWN)
          return yaml_error(node, error, "%s: missing 'mode' property for tunnel", nd->id);
      /* Validate local/remote IPs */
@@ -72,11 +73,11 @@ validate_tunnel_grammar(net_definition* nd, yaml_node_t* node, GError** error)
          return yaml_error(node, error, "%s: missing 'remote' property for tunnel", nd->id);
      switch(nd->tunnel.mode) {
--        case TUNNEL_MODE_IPIP6:
--        case TUNNEL_MODE_IP6IP6:
--        case TUNNEL_MODE_IP6GRE:
--        case TUNNEL_MODE_IP6GRETAP:
--        case TUNNEL_MODE_VTI6:
++        case NETPLAN_TUNNEL_MODE_IPIP6:
++        case NETPLAN_TUNNEL_MODE_IP6IP6:
++        case NETPLAN_TUNNEL_MODE_IP6GRE:
++        case NETPLAN_TUNNEL_MODE_IP6GRETAP:
++        case NETPLAN_TUNNEL_MODE_VTI6:
              if (!is_ip6_address(nd->tunnel.local_ip))
                  return yaml_error(node, error, "%s: 'local' must be a valid IPv6 address for this tunnel type", nd->id);
              if (!is_ip6_address(nd->tunnel.remote_ip))
@@ -95,21 +96,21 @@ validate_tunnel_grammar(net_definition* nd, yaml_node_t* node, GError** error)
+ }
  static gboolean
--validate_tunnel_backend_rules(net_definition* nd, yaml_node_t* node, GError** error)
++validate_tunnel_backend_rules(NetplanNetDefinition* nd, yaml_node_t* node, GError** error)
+ {
      /* Backend-specific validation rules for tunnels */
      switch (nd->backend) {
--        case BACKEND_NETWORKD:
++        case NETPLAN_BACKEND_NETWORKD:
              switch (nd->tunnel.mode) {
--                case TUNNEL_MODE_VTI:
--                case TUNNEL_MODE_VTI6:
++                case NETPLAN_TUNNEL_MODE_VTI:
++                case NETPLAN_TUNNEL_MODE_VTI6:
                      break;
                  /* TODO: Remove this exception and fix ISATAP handling with the
                   *       networkd backend.
                   *       systemd-networkd has grown ISATAP support in 918049a.
                   */
--                case TUNNEL_MODE_ISATAP:
++                case NETPLAN_TUNNEL_MODE_ISATAP:
                      return yaml_error(node, error,
                                      "%s: %s tunnel mode is not supported by networkd",
                                      nd->id,
@@ -125,14 +126,14 @@ validate_tunnel_backend_rules(net_definition* nd, yaml_node_t* node, GError** er
+             }
              break;
--        case BACKEND_NM:
++        case NETPLAN_BACKEND_NM:
              switch (nd->tunnel.mode) {
--                case TUNNEL_MODE_GRE:
--                case TUNNEL_MODE_IP6GRE:
++                case NETPLAN_TUNNEL_MODE_GRE:
++                case NETPLAN_TUNNEL_MODE_IP6GRE:
                      break;
--                case TUNNEL_MODE_GRETAP:
--                case TUNNEL_MODE_IP6GRETAP:
++                case NETPLAN_TUNNEL_MODE_GRETAP:
++                case NETPLAN_TUNNEL_MODE_IP6GRETAP:
                      return yaml_error(node, error,
                                      "%s: %s tunnel mode is not supported by NetworkManager",
                                      nd->id,
@@ -158,12 +159,12 @@ validate_tunnel_backend_rules(net_definition* nd, yaml_node_t* node, GError** er
+ }
  gboolean
--validate_netdef_grammar(net_definition* nd, yaml_node_t* node, GError** error)
++validate_netdef_grammar(NetplanNetDefinition* nd, yaml_node_t* node, GError** error)
+ {
      int missing_id_count = g_hash_table_size(missing_id);
      gboolean valid = FALSE;
--    g_assert(nd->type != ND_NONE);
++    g_assert(nd->type != NETPLAN_DEF_TYPE_NONE);
      /* Skip all validation if we're missing some definition IDs (devices).
       * The ones we have yet to see may be necessary for validation to succeed,
@@ -175,10 +176,10 @@ validate_netdef_grammar(net_definition* nd, yaml_node_t* node, GError** error)
      if (nd->set_name && !nd->has_match)
          return yaml_error(node, error, "%s: 'set-name:' requires 'match:' properties", nd->id);
--    if (nd->type == ND_WIFI && nd->access_points == NULL)
++    if (nd->type == NETPLAN_DEF_TYPE_WIFI && nd->access_points == NULL)
          return yaml_error(node, error, "%s: No access points defined", nd->id);
--    if (nd->type == ND_VLAN) {
++    if (nd->type == NETPLAN_DEF_TYPE_VLAN) {
          if (!nd->vlan_link)
              return yaml_error(node, error, "%s: missing 'link' property", nd->id);
          nd->vlan_link->has_vlans = TRUE;
@@ -188,7 +189,7 @@ validate_netdef_grammar(net_definition* nd, yaml_node_t* node, GError** error)
              return yaml_error(node, error, "%s: invalid id '%u' (allowed values are 0 to 4094)", nd->id, nd->vlan_id);
+     }
--    if (nd->type == ND_TUNNEL) {
++    if (nd->type == NETPLAN_DEF_TYPE_TUNNEL) {
          valid = validate_tunnel_grammar(nd, node, error);
          if (!valid)
              goto netdef_grammar_error;
@@ -201,15 +202,15 @@ netdef_grammar_error:
+ }
  gboolean
--validate_backend_rules(net_definition* nd, GError** error)
++validate_backend_rules(NetplanNetDefinition* nd, GError** error)
+ {
      gboolean valid = FALSE;
      /* Set a dummy, NULL yaml_node_t for error reporting */
      yaml_node_t* node = NULL;
--    g_assert(nd->type != ND_NONE);
++    g_assert(nd->type != NETPLAN_DEF_TYPE_NONE);
--    if (nd->type == ND_TUNNEL) {
++    if (nd->type == NETPLAN_DEF_TYPE_TUNNEL) {
          valid = validate_tunnel_backend_rules(nd, node, error);
          if (!valid)
              goto backend_rules_error;
 diff --git a/src/validation.h b/src/validation.h
 index a30305f..0383a33 100644
 --- a/src/validation.h
 +++ b/src/validation.h
@@ -24,7 +24,7 @@ gboolean is_ip4_address(const char* address);
  gboolean is_ip6_address(const char* address);
  gboolean
--validate_netdef_grammar(net_definition* nd, yaml_node_t* node, GError** error);
++validate_netdef_grammar(NetplanNetDefinition* nd, yaml_node_t* node, GError** error);
  gboolean
--validate_backend_rules(net_definition* nd, GError** error);
++validate_backend_rules(NetplanNetDefinition* nd, GError** error);
 diff --git a/tests/cli.py b/tests/cli.py
 index 6eb2a85..21c8a3b 100755
 --- a/tests/cli.py
 +++ b/tests/cli.py
@@ -33,6 +33,11 @@ if shutil.which('python3-coverage'):
  # Make sure we can import our development netplan.
  os.environ.update({'PYTHONPATH': '.'})
++os.environ.update({'LD_LIBRARY_PATH': '.:{}'.format(os.environ.get('LD_LIBRARY_PATH'))})
++
++
++def _load_yaml(text):
++    return yaml.load(text, Loader=yaml.SafeLoader)
  class TestArgs(unittest.TestCase):
@@ -63,7 +68,9 @@ class TestGenerate(unittest.TestCase):
          self.workdir = tempfile.TemporaryDirectory()
      def test_no_config(self):
--        out = subprocess.check_output(exe_cli + ['generate', '--root-dir', self.workdir.name])
++        p = subprocess.Popen(exe_cli + ['generate', '--root-dir', self.workdir.name], stdout=subprocess.PIPE,
++                             stderr=subprocess.PIPE)
++        (out, err) = p.communicate()
          self.assertEqual(out, b'')
          self.assertEqual(os.listdir(self.workdir.name), [])
@@ -145,6 +152,7 @@ class TestGenerate(unittest.TestCase):
  class TestIfupdownMigrate(unittest.TestCase):
++
      def setUp(self):
          self.workdir = tempfile.TemporaryDirectory()
          self.ifaces_path = os.path.join(self.workdir.name, 'etc/network/interfaces')
@@ -203,20 +211,20 @@ source-directory /etc/network/interfaces.d''')[0]
      def test_dhcp4(self):
          out = self.do_test('auto en1\niface en1 inet dhcp')[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True}}}}, out.decode())
      def test_dhcp6(self):
          out = self.do_test('auto en1\niface en1 inet6 dhcp')[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp6': True}}}}, out.decode())
      def test_dhcp4_and_6(self):
          out = self.do_test('auto lo\niface lo inet loopback\n\n'
                             'auto en1\niface en1 inet dhcp\niface en1 inet6 dhcp')[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True, 'dhcp6': True}}}}, out.decode())
@@ -224,7 +232,7 @@ source-directory /etc/network/interfaces.d''')[0]
          out = self.do_test('iface lo inet loopback\nauto lo\nsource-directory interfaces.d',
                             dropins={'interfaces.d/std': 'auto en1\niface en1 inet dhcp',
                                      'interfaces.d/std.bak': 'some_bogus dontreadme'})[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True}}}}, out.decode())
@@ -232,7 +240,7 @@ source-directory /etc/network/interfaces.d''')[0]
          out = self.do_test('iface lo inet loopback\nauto lo\nsource-directory /etc/network/defs/my',
                             dropins={'defs/my/std': 'auto en1\niface en1 inet dhcp',
                                      'defs/my/std.bak': 'some_bogus dontreadme'})[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True}}}}, out.decode())
@@ -240,7 +248,7 @@ source-directory /etc/network/interfaces.d''')[0]
          out = self.do_test('iface lo inet loopback\nauto lo\nsource interfaces.d/*.cfg',
                             dropins={'interfaces.d/std.cfg': 'auto en1\niface en1 inet dhcp',
                                      'interfaces.d/std.cfgold': 'some_bogus dontreadme'})[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True}}}}, out.decode())
@@ -248,21 +256,21 @@ source-directory /etc/network/interfaces.d''')[0]
          out = self.do_test('iface lo inet loopback\nauto lo\nsource /etc/network/*.cfg',
                             dropins={'std.cfg': 'auto en1\niface en1 inet dhcp',
                                      'std.cfgold': 'some_bogus dontreadme'})[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True}}}}, out.decode())
      def test_allow(self):
          out = self.do_test('allow-hotplug en1\niface en1 inet dhcp\n'
                             'allow-auto en2\niface en2 inet dhcp')[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True},
                            'en2': {'dhcp4': True}}}}, out.decode())
      def test_no_scripts(self):
          out = self.do_test('auto en1\niface en1 inet dhcp\nno-scripts en1')[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True}}}}, out.decode())
@@ -276,7 +284,7 @@ source-directory /etc/network/interfaces.d''')[0]
      def test_write_file_haveconfig(self):
          (out, err) = self.do_test('auto en1\niface en1 inet dhcp', dry_run=False)
          with open(self.converted_path) as f:
--            config = yaml.load(f)
++            config = _load_yaml(f)
          self.assertEqual(config, {'network': {
              'version': 2,
              'ethernets': {'en1': {'dhcp4': True}}}})
@@ -302,13 +310,13 @@ source-directory /etc/network/interfaces.d''')[0]
      def test_static_ipv4_prefix(self):
          out = self.do_test('auto en1\niface en1 inet static\naddress 1.2.3.4/8', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["1.2.3.4/8"]}}}}, out.decode())
      def test_static_ipv4_netmask(self):
          out = self.do_test('auto en1\niface en1 inet static\naddress 1.2.3.4\nnetmask 255.0.0.0', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["1.2.3.4/8"]}}}}, out.decode())
@@ -349,14 +357,14 @@ source-directory /etc/network/interfaces.d''')[0]
      def test_static_ipv6_prefix(self):
          out = self.do_test('auto en1\niface en1 inet6 static\naddress fc00:0123:4567:89ab:cdef::1234/64', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["fc00:123:4567:89ab:cdef::1234/64"]}}}}, out.decode())
      def test_static_ipv6_netmask(self):
          out = self.do_test('auto en1\niface en1 inet6 static\n'
                             'address fc00:0123:4567:89ab:cdef::1234\nnetmask 64', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["fc00:123:4567:89ab:cdef::1234/64"]}}}}, out.decode())
@@ -404,7 +412,7 @@ source-directory /etc/network/interfaces.d''')[0]
      def test_static_ipv6_accept_ra_0(self):
          out = self.do_test('auto en1\niface en1 inet6 static\n'
                             'address fc00:0123:4567:89ab:cdef::1234/64\naccept_ra 0', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["fc00:123:4567:89ab:cdef::1234/64"],
                                    'accept_ra': False}}}}, out.decode())
@@ -412,7 +420,7 @@ source-directory /etc/network/interfaces.d''')[0]
      def test_static_ipv6_accept_ra_1(self):
          out = self.do_test('auto en1\niface en1 inet6 static\n'
                             'address fc00:0123:4567:89ab:cdef::1234/64\naccept_ra 1', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["fc00:123:4567:89ab:cdef::1234/64"],
                                    'accept_ra': True}}}}, out.decode())
@@ -438,7 +446,7 @@ iface en1 inet static
  iface en1 inet6 static
    address fc00:0123:4567:89ab:cdef::1234/64
    gateway fc00:0123:4567:89ab::1""", dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1':
                            {'addresses': ["1.2.3.4/8", "fc00:123:4567:89ab:cdef::1234/64"],
@@ -455,7 +463,7 @@ iface en1 inet static
  iface en1 inet6 static
    address fc00:0123:4567:89ab:cdef::1234/64
    dns-nameservers fc00:0123:4567:89ab:1::1  fc00:0123:4567:89ab:2::1""", dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1':
                            {'addresses': ["1.2.3.4/8", "fc00:123:4567:89ab:cdef::1234/64"],
@@ -467,7 +475,7 @@ iface en1 inet6 static
      def test_static_dns2(self):
          out = self.do_test('auto en1\niface en1 inet static\naddress 1.2.3.4/8\ndns-search foo  foo.bar', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["1.2.3.4/8"],
                                    'nameservers': {
@@ -476,7 +484,7 @@ iface en1 inet6 static
      def test_static_mtu(self):
          out = self.do_test('auto en1\niface en1 inet static\naddress 1.2.3.4/8\nmtu 1280', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["1.2.3.4/8"],
                                    'mtu': 1280}}}}, out.decode())
@@ -494,7 +502,7 @@ iface en1 inet6 static
      def test_static_hwaddress(self):
          out = self.do_test('auto en1\niface en1 inet static\naddress 1.2.3.4/8\nhwaddress 52:54:00:6b:3c:59', dry_run=True)[0]
--        self.assertEqual(yaml.load(out), {'network': {
++        self.assertEqual(_load_yaml(out), {'network': {
              'version': 2,
              'ethernets': {'en1': {'addresses': ["1.2.3.4/8"],
                                    'macaddress': '52:54:00:6b:3c:59'}}}}, out.decode())
 diff --git a/tests/generator/base.py b/tests/generator/base.py
 index e5eb18a..2cdbcfd 100644
 --- a/tests/generator/base.py
 +++ b/tests/generator/base.py
@@ -29,6 +29,9 @@ import unittest
  exe_generate = os.path.join(os.path.dirname(os.path.dirname(
      os.path.dirname(os.path.abspath(__file__)))), 'generate')
++# make sure we point to libnetplan properly.
++os.environ.update({'LD_LIBRARY_PATH': '.:{}'.format(os.environ.get('LD_LIBRARY_PATH'))})
++
  # make sure we fail on criticals
  os.environ['G_DEBUG'] = 'fatal-criticals'
 diff --git a/tests/generator/test_auth.py b/tests/generator/test_auth.py
 index 89e9f30..f35f3f8 100644
 --- a/tests/generator/test_auth.py
 +++ b/tests/generator/test_auth.py
@@ -31,11 +31,17 @@ class TestNetworkd(TestBase):
      wl0:
        access-points:
          "Joe's Home":
--          password: "s3kr1t"
++          password: "s0s3kr1t"
          "Luke's Home":
            auth:
              key-management: psk
              password: "4lsos3kr1t"
++        "BobsHome":
++          password: "e03ce667c87bc81ca968d9120ca37f89eb09aec3c55b80386e5d772efd6b926e"
++        "BillsHome":
++          auth:
++            key-management: psk
++            password: "db3b0acf5653aeaddd5fe034fb9f07175b2864f847b005aaa2f09182d9411b04"
          workplace:
            auth:
              key-management: eap
@@ -102,6 +108,20 @@ network={
  ''', new_config)
              self.assertIn('''
  network={
++  ssid="BobsHome"
++  key_mgmt=WPA-PSK
++  psk=e03ce667c87bc81ca968d9120ca37f89eb09aec3c55b80386e5d772efd6b926e
++}
++''', new_config)
++            self.assertIn('''
++network={
++  ssid="BillsHome"
++  key_mgmt=WPA-PSK
++  psk=db3b0acf5653aeaddd5fe034fb9f07175b2864f847b005aaa2f09182d9411b04
++}
++''', new_config)
++            self.assertIn('''
++network={
    ssid="workplace2"
    key_mgmt=WPA-EAP
    eap=PEAP
@@ -153,12 +173,14 @@ network={
  network={
    ssid="Joe's Home"
    key_mgmt=WPA-PSK
--  psk="s3kr1t"
++  psk="s0s3kr1t"
+ }
  ''', new_config)
              self.assertEqual(stat.S_IMODE(os.fstat(f.fileno()).st_mode), 0o600)
++        self.assertTrue(os.path.isfile(os.path.join(
++            self.workdir.name, 'run/systemd/system/netplan-wpa-wl0.service')))
          self.assertTrue(os.path.islink(os.path.join(
--            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa@wl0.service')))
++            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa-wl0.service')))
      def test_auth_wired(self):
          self.generate('''network:
@@ -174,6 +196,7 @@ network={
          client-certificate: /etc/ssl/cust-crt.pem
          client-key: /etc/ssl/cust-key.pem
          client-key-password: "d3cryptPr1v4t3K3y"
++        phase2-auth: MSCHAPV2
        dhcp4: yes
        ''')
@@ -196,11 +219,14 @@ network={
    client_cert="/etc/ssl/cust-crt.pem"
    private_key="/etc/ssl/cust-key.pem"
    private_key_passwd="d3cryptPr1v4t3K3y"
++  phase2="auth=MSCHAPV2"
+ }
  ''')
              self.assertEqual(stat.S_IMODE(os.fstat(f.fileno()).st_mode), 0o600)
++        self.assertTrue(os.path.isfile(os.path.join(
++            self.workdir.name, 'run/systemd/system/netplan-wpa-eth0.service')))
          self.assertTrue(os.path.islink(os.path.join(
--            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa@eth0.service')))
++            self.workdir.name, 'run/systemd/system/systemd-networkd.service.wants/netplan-wpa-eth0.service')))
  class TestNetworkManager(TestBase):
@@ -213,7 +239,7 @@ class TestNetworkManager(TestBase):
      wl0:
        access-points:
          "Joe's Home":
--          password: "s3kr1t"
++          password: "s0s3kr1t"
          "Luke's Home":
            auth:
              key-management: psk
@@ -249,6 +275,7 @@ class TestNetworkManager(TestBase):
              client-certificate: /etc/ssl/cust-crt.pem
              client-key: /etc/ssl/cust-key.pem
              client-key-password: "d3cryptPr1v4t3K3y"
++            phase2-auth: MSCHAPV2
          opennet:
            auth:
              key-management: none
@@ -279,7 +306,7 @@ mode=infrastructure
  [wifi-security]
  key-mgmt=wpa-psk
--psk=s3kr1t
++psk=s0s3kr1t
  ''',
                          'wl0-Luke%27s%20Home': '''[connection]
  id=netplan-wl0-Luke's Home
@@ -413,6 +440,7 @@ ca-cert=/etc/ssl/cust-cacrt.pem
  client-cert=/etc/ssl/cust-crt.pem
  private-key=/etc/ssl/cust-key.pem
  private-key-password=d3cryptPr1v4t3K3y
++phase2-auth=MSCHAPV2
  ''',
                          'wl0-opennet': '''[connection]
  id=netplan-wl0-opennet
@@ -516,3 +544,36 @@ class TestConfigErrors(TestBase):
        auth:
          method: bogus''', expect_fail=True)
          self.assertIn("unknown EAP method 'bogus'", err)
++
++    def test_auth_networkd_wifi_psk_too_big(self):
++        err = self.generate('''network:
++  version: 2
++  wifis:
++    wl0:
++      access-points:
++        "Joe's Home":
++          password: "LoremipsumdolorsitametconsecteturadipiscingelitCrastemporvelitnunc"
++      dhcp4: yes''', expect_fail=True)
++        self.assertIn("ASCII passphrase must be between 8 and 63 characters (inclusive)", err)
++
++    def test_auth_networkd_wifi_psk_too_small(self):
++        err = self.generate('''network:
++  version: 2
++  wifis:
++    wl0:
++      access-points:
++        "Joe's Home":
++          password: "p4ss"
++      dhcp4: yes''', expect_fail=True)
++        self.assertIn("ASCII passphrase must be between 8 and 63 characters (inclusive)", err)
++
++    def test_auth_networkd_wifi_psk_64_non_hexdigit(self):
++        err = self.generate('''network:
++  version: 2
++  wifis:
++    wl0:
++      access-points:
++        "Joe's Home":
++          password: "LoremipsumdolorsitametconsecteturadipiscingelitCrastemporvelitnu"
++      dhcp4: yes''', expect_fail=True)
++        self.assertIn("PSK length of 64 is only supported for hex-digit representation", err)
 diff --git a/tests/generator/test_common.py b/tests/generator/test_common.py
 index 8fb91bd..abbc368 100644
 --- a/tests/generator/test_common.py
 +++ b/tests/generator/test_common.py
@@ -104,13 +104,26 @@ ConfigureWithoutCarrier=yes
              'bond0.network': '''[Match]
  Name=bond0
++[Link]
++MTUBytes=9000
++
  [Network]
  LinkLocalAddressing=ipv6
  ConfigureWithoutCarrier=yes
  VLAN=bond0.108
  ''',
              'eth1.link': '[Match]\nOriginalName=eth1\n\n[Link]\nWakeOnLan=off\nMTUBytes=9000\n',
--            'eth1.network': '[Match]\nName=eth1\n\n[Network]\nLinkLocalAddressing=no\nIPv6MTUBytes=2000\nBond=bond0\n'
++            'eth1.network': '''[Match]
++Name=eth1
++
++[Link]
++MTUBytes=9000
++
++[Network]
++LinkLocalAddressing=no
++IPv6MTUBytes=2000
++Bond=bond0
++'''
          })
          self.assert_networkd_udev(None)
@@ -283,7 +296,6 @@ UseMTU=true
    version: 2
    ethernets:
      engreen:
--      dhcp4: yes
        critical: yes
  ''')
@@ -291,13 +303,10 @@ UseMTU=true
  Name=engreen
  [Network]
--DHCP=ipv4
  LinkLocalAddressing=ipv6
  [DHCP]
  CriticalConnection=true
--RouteMetric=100
--UseMTU=true
  '''})
      def test_dhcp_identifier_mac(self):
@@ -715,6 +724,48 @@ method=auto
  method=auto
  '''})
++    def test_ip6_addr_gen_mode(self):
++        self.generate('''network:
++  version: 2
++  renderer: NetworkManager
++  ethernets:
++    engreen:
++      dhcp6: yes
++      ipv6-address-generation: stable-privacy
++    enblue:
++      dhcp6: yes
++      ipv6-address-generation: eui64''')
++        self.assert_nm({'engreen': '''[connection]
++id=netplan-engreen
++type=ethernet
++interface-name=engreen
++
++[ethernet]
++wake-on-lan=0
++
++[ipv4]
++method=link-local
++
++[ipv6]
++method=auto
++addr-gen-mode=1
++''',
++                        'enblue': '''[connection]
++id=netplan-enblue
++type=ethernet
++interface-name=enblue
++
++[ethernet]
++wake-on-lan=0
++
++[ipv4]
++method=link-local
++
++[ipv6]
++method=auto
++addr-gen-mode=0
++'''})
++
      def test_eth_manual_addresses(self):
          self.generate('''network:
    version: 2
 diff --git a/tests/generator/test_errors.py b/tests/generator/test_errors.py
 index 5f3def8..afe487b 100644
 --- a/tests/generator/test_errors.py
 +++ b/tests/generator/test_errors.py
@@ -210,6 +210,39 @@ class TestConfigErrors(TestBase):
            mode: bogus''', expect_fail=True)
          self.assertIn("unknown wifi mode 'bogus'", err)
++    def test_wifi_ap_unknown_band(self):
++        err = self.generate('''network:
++  version: 2
++  wifis:
++    wl0:
++      access-points:
++        workplace:
++          band: bogus''', expect_fail=True)
++        self.assertIn("unknown wifi band 'bogus'", err)
++
++    def test_wifi_ap_invalid_freq24(self):
++        err = self.generate('''network:
++  version: 2
++  renderer: NetworkManager
++  wifis:
++    wl0:
++      access-points:
++        workplace:
++          band: 2.4GHz
++          channel: 15''', expect_fail=True)
++        self.assertIn("ERROR: invalid 2.4GHz WiFi channel: 15", err)
++
++    def test_wifi_ap_invalid_freq5(self):
++        err = self.generate('''network:
++  version: 2
++  wifis:
++    wl0:
++      access-points:
++        workplace:
++          band: 5GHz
++          channel: 14''', expect_fail=True)
++        self.assertIn("ERROR: invalid 5GHz WiFi channel: 14", err)
++
      def test_invalid_ipv4_address(self):
          err = self.generate('''network:
    version: 2
@@ -288,6 +321,23 @@ class TestConfigErrors(TestBase):
          - 2001::1/''', expect_fail=True)
          self.assertIn("invalid prefix length in address '2001::1/'", err)
++    def test_invalid_addr_gen_mode(self):
++        err = self.generate('''network:
++  version: 2
++  renderer: NetworkManager
++  ethernets:
++    engreen:
++      ipv6-address-generation: 0''', expect_fail=True)
++        self.assertIn("unknown ipv6-address-generation '0'", err)
++
++    def test_addr_gen_mode_not_supported(self):
++        err = self.generate('''network:
++  version: 2
++  ethernets:
++    engreen:
++      ipv6-address-generation: eui64''', expect_fail=True)
++        self.assertIn("ERROR: engreen: ipv6-address-generation is not supported by networkd", err)
++
      def test_invalid_gateway4(self):
          for a in ['300.400.1.1', '1.2.3', '192.168.14.1/24']:
              err = self.generate('''network:
@@ -363,6 +413,14 @@ class TestConfigErrors(TestBase):
      ena: {id: 1, link: en1}''', expect_fail=True)
          self.assertIn("ena: interface 'en1' is not defined", err)
++    def test_vlan_unknown_renderer(self):
++        err = self.generate('''network:
++  version: 2
++  ethernets: {en1: {}}
++  vlans:
++    ena: {id: 1, link: en1, renderer: foo}''', expect_fail=True)
++        self.assertIn("unknown renderer 'foo'", err)
++
      def test_device_bad_route_to(self):
          self.generate('''network:
    version: 2
 diff --git a/tests/generator/test_ethernets.py b/tests/generator/test_ethernets.py
 index 22e6d1e..7a451f7 100644
 --- a/tests/generator/test_ethernets.py
 +++ b/tests/generator/test_ethernets.py
@@ -46,6 +46,22 @@ unmanaged-devices+=interface-name:eth0,''')
          # should not allow NM to manage everything
          self.assertFalse(os.path.exists(self.nm_enable_all_conf))
++    def test_eth_lldp(self):
++        self.generate('''network:
++  version: 2
++  ethernets:
++    eth0:
++      dhcp4: n
++      emit-lldp: true''')
++
++        self.assert_networkd({'eth0.network': '''[Match]
++Name=eth0
++
++[Network]
++EmitLLDP=true
++LinkLocalAddressing=ipv6
++'''})
++
      def test_eth_mtu(self):
          self.generate('''network: