diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml
index d51877b..7f0fa8a 100644
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -12,7 +12,7 @@
         default: "graphdriver"
 
 env:
-  GO_VERSION: "1.21.8"
+  GO_VERSION: "1.21.9"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.25
   ITG_CLI_MATRIX_SIZE: 6
diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml
index c5a944b..61251a7 100644
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -19,7 +19,7 @@
         default: false
 
 env:
-  GO_VERSION: "1.21.8"
+  GO_VERSION: "1.21.9"
   GOTESTLIST_VERSION: v0.3.1
   TESTSTAT_VERSION: v0.1.25
   WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml
index 97ea1e1..d0abde3 100644
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -13,7 +13,7 @@
   pull_request:
 
 env:
-  GO_VERSION: "1.21.8"
+  GO_VERSION: "1.21.9"
   DESTDIR: ./build
 
 jobs:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c9f6c18..664159e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,7 +13,7 @@
   pull_request:
 
 env:
-  GO_VERSION: "1.21.8"
+  GO_VERSION: "1.21.9"
   GIT_PAGER: "cat"
   PAGER: "cat"
 
diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml
index fb21f9b..b393170 100644
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@@ -11,7 +11,7 @@
       - name: Missing `area/` label
         if: contains(join(github.event.pull_request.labels.*.name, ','), 'impact/') && !contains(join(github.event.pull_request.labels.*.name, ','), 'area/')
         run: |
-          echo "Every PR with an \`impact/*\` label should also have an \`area/*\` label"
+          echo "::error::Every PR with an 'impact/*' label should also have an 'area/*' label"
           exit 1
       - name: OK
         run: exit 0
@@ -32,15 +32,31 @@
           desc=$(echo "$block" |  awk NF)
 
           if [ -z "$desc" ]; then
-            echo "Changelog section is empty. Please provide a description for the changelog."
+            echo "::error::Changelog section is empty. Please provide a description for the changelog."
             exit 1
           fi
 
           len=$(echo -n "$desc" | wc -c)
           if [[ $len -le 6 ]]; then
-            echo "Description looks too short: $desc"
+            echo "::error::Description looks too short: $desc"
             exit 1
           fi
 
           echo "This PR will be included in the release notes with the following note:"
           echo "$desc"
+
+  check-pr-branch:
+    runs-on: ubuntu-20.04
+    env:
+      PR_TITLE: ${{ github.event.pull_request.title }}
+    steps:
+      # Backports or PR that target a release branch directly should mention the target branch in the title, for example:
+      # [X.Y backport] Some change that needs backporting to X.Y
+      # [X.Y] Change directly targeting the X.Y branch
+      - name: Get branch from PR title
+        id: title_branch
+        run: echo "$PR_TITLE" | sed -n 's/^\[\([0-9]*\.[0-9]*\)[^]]*\].*/branch=\1/p' >> $GITHUB_OUTPUT
+
+      - name: Check release branch
+        if: github.event.pull_request.base.ref != steps.title_branch.outputs.branch && !(github.event.pull_request.base.ref == 'master' && steps.title_branch.outputs.branch == '')
+        run: echo "::error::PR title suggests targetting the ${{ steps.title_branch.outputs.branch }} branch, but is opened against ${{ github.event.pull_request.base.ref }}" && exit 1
diff --git a/Dockerfile b/Dockerfile
index 251977e..97a0ac9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.7
 
-ARG GO_VERSION=1.21.8
+ARG GO_VERSION=1.21.9
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
 ARG XX_VERSION=1.4.0
@@ -8,7 +8,7 @@
 ARG VPNKIT_VERSION=0.5.0
 
 ARG DOCKERCLI_REPOSITORY="https://github.com/docker/cli.git"
-ARG DOCKERCLI_VERSION=v26.0.0
+ARG DOCKERCLI_VERSION=v26.1.0
 # cli version used for integration-cli tests
 ARG DOCKERCLI_INTEGRATION_REPOSITORY="https://github.com/docker/cli.git"
 ARG DOCKERCLI_INTEGRATION_VERSION=v17.06.2-ce
@@ -196,7 +196,7 @@
 # When updating the binary version you may also need to update the vendor
 # version to pick up bug fixes or new APIs, however, usually the Go packages
 # are built from a commit from the master branch.
-ARG CONTAINERD_VERSION=v1.7.13
+ARG CONTAINERD_VERSION=v1.7.15
 RUN git fetch -q --depth 1 origin "${CONTAINERD_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS containerd-build
diff --git a/Dockerfile.simple b/Dockerfile.simple
index 09cd021..e863291 100644
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,7 +5,7 @@
 
 # This represents the bare minimum required to build and test Docker.
 
-ARG GO_VERSION=1.21.8
+ARG GO_VERSION=1.21.9
 
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
diff --git a/Dockerfile.windows b/Dockerfile.windows
index 2365333..69e0837 100644
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,10 +161,10 @@
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
-ARG GO_VERSION=1.21.8
+ARG GO_VERSION=1.21.9
 ARG GOTESTSUM_VERSION=v1.8.2
 ARG GOWINRES_VERSION=v0.3.1
-ARG CONTAINERD_VERSION=v1.7.13
+ARG CONTAINERD_VERSION=v1.7.15
 
 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
diff --git a/Makefile b/Makefile
index c1e7599..84ece22 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,3 @@
-.PHONY: all binary dynbinary build cross help install manpages run shell test test-docker-py test-integration test-unit validate validate-% win
-
 DOCKER ?= docker
 BUILDX ?= $(DOCKER) buildx
 
@@ -157,18 +155,23 @@
 
 default: binary
 
+.PHONY: all
 all: build ## validate all checks, build linux binaries, run all tests,\ncross build non-linux binaries, and generate archives
 	$(DOCKER_RUN_DOCKER) bash -c 'hack/validate/default && hack/make.sh'
 
+.PHONY: binary
 binary: bundles ## build statically linked linux binaries
 	$(BAKE_CMD) binary
 
+.PHONY: dynbinary
 dynbinary: bundles ## build dynamically linked linux binaries
 	$(BAKE_CMD) dynbinary
 
+.PHONY: cross
 cross: bundles ## cross build the binaries
 	$(BAKE_CMD) binary-cross
 
+.PHONY: bundles
 bundles:
 	mkdir bundles
 
@@ -179,12 +182,15 @@
 clean-cache: ## remove the docker volumes that are used for caching in the dev-container
 	docker volume rm -f docker-dev-cache docker-mod-cache
 
+.PHONY: help
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9_-]+:.*?## / {gsub("\\\\n",sprintf("\n%22c",""), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
 
+.PHONY: install
 install: ## install the linux binaries
 	KEEPBUNDLE=1 hack/make.sh install-binary
 
+.PHONY: run
 run: build ## run the docker daemon in a container
 	$(DOCKER_RUN_DOCKER) sh -c "KEEPBUNDLE=1 hack/make.sh install-binary run"
  
@@ -197,17 +203,22 @@
 build: bundles
 	$(BUILD_CMD) $(BUILD_OPTS) $(shell_target) --load -t "$(DOCKER_IMAGE)" .
 
+.PHONY: shell
 shell: build  ## start a shell inside the build env
 	$(DOCKER_RUN_DOCKER) bash
 
+.PHONY: test
 test: build test-unit ## run the unit, integration and docker-py tests
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration test-docker-py
 
+.PHONY: test-docker-py
 test-docker-py: build ## run the docker-py tests
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-docker-py
 
+.PHONY: test-integration-cli
 test-integration-cli: test-integration ## (DEPRECATED) use test-integration
 
+.PHONY: test-integration
 ifneq ($(and $(TEST_SKIP_INTEGRATION),$(TEST_SKIP_INTEGRATION_CLI)),)
 test-integration:
 	@echo Both integrations suites skipped per environment variables
@@ -216,23 +227,29 @@
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration
 endif
 
+.PHONY: test-integration-flaky
 test-integration-flaky: build ## run the stress test for all new integration tests
 	$(DOCKER_RUN_DOCKER) hack/make.sh dynbinary test-integration-flaky
 
+.PHONY: test-unit
 test-unit: build ## run the unit tests
 	$(DOCKER_RUN_DOCKER) hack/test/unit
 
+.PHONY: validate
 validate: build ## validate DCO, Seccomp profile generation, gofmt,\n./pkg/ isolation, golint, tests, tomls, go vet and vendor
 	$(DOCKER_RUN_DOCKER) hack/validate/all
 
+.PHONY: validate-generate-files
 validate-generate-files:
 	$(BUILD_CMD) --target "validate" \
 		--output "type=cacheonly" \
 		--file "./hack/dockerfiles/generate-files.Dockerfile" .
 
+.PHONY: validate-%
 validate-%: build ## validate specific check
 	$(DOCKER_RUN_DOCKER) hack/validate/$*
 
+.PHONY: win
 win: bundles ## cross build the binary for windows
 	$(BAKE_CMD) --set *.platform=windows/amd64 binary
 
diff --git a/api/server/router/container/container_routes.go b/api/server/router/container/container_routes.go
index bf132f1..3872028 100644
--- a/api/server/router/container/container_routes.go
+++ b/api/server/router/container/container_routes.go
@@ -456,15 +456,27 @@
 	if hostConfig == nil {
 		hostConfig = &container.HostConfig{}
 	}
-	if hostConfig.NetworkMode == "" {
-		hostConfig.NetworkMode = "default"
-	}
 	if networkingConfig == nil {
 		networkingConfig = &network.NetworkingConfig{}
 	}
 	if networkingConfig.EndpointsConfig == nil {
 		networkingConfig.EndpointsConfig = make(map[string]*network.EndpointSettings)
 	}
+	// The NetworkMode "default" is used as a way to express a container should
+	// be attached to the OS-dependant default network, in an OS-independent
+	// way. Doing this conversion as soon as possible ensures we have less
+	// NetworkMode to handle down the path (including in the
+	// backward-compatibility layer we have just below).
+	//
+	// Note that this is not the only place where this conversion has to be
+	// done (as there are various other places where containers get created).
+	if hostConfig.NetworkMode == "" || hostConfig.NetworkMode.IsDefault() {
+		hostConfig.NetworkMode = runconfig.DefaultDaemonNetworkMode()
+		if nw, ok := networkingConfig.EndpointsConfig[network.NetworkDefault]; ok {
+			networkingConfig.EndpointsConfig[hostConfig.NetworkMode.NetworkName()] = nw
+			delete(networkingConfig.EndpointsConfig, network.NetworkDefault)
+		}
+	}
 
 	version := httputils.VersionFromContext(ctx)
 
@@ -646,7 +658,7 @@
 			}
 			return "", nil
 		}
-		if !hostConfig.NetworkMode.IsDefault() && !hostConfig.NetworkMode.IsBridge() && !hostConfig.NetworkMode.IsUserDefined() {
+		if !hostConfig.NetworkMode.IsBridge() && !hostConfig.NetworkMode.IsUserDefined() {
 			return "", runconfig.ErrConflictContainerNetworkAndMac
 		}
 
@@ -675,7 +687,7 @@
 		return "", nil
 	}
 	var warning string
-	if hostConfig.NetworkMode.IsDefault() || hostConfig.NetworkMode.IsBridge() || hostConfig.NetworkMode.IsUserDefined() {
+	if hostConfig.NetworkMode.IsBridge() || hostConfig.NetworkMode.IsUserDefined() {
 		nwName := hostConfig.NetworkMode.NetworkName()
 		// If there's no endpoint config, create a place to store the configured address.
 		if len(networkingConfig.EndpointsConfig) == 0 {
diff --git a/api/types/client.go b/api/types/client.go
index 882201f..3c75f73 100644
--- a/api/types/client.go
+++ b/api/types/client.go
@@ -2,6 +2,7 @@
 
 import (
 	"bufio"
+	"context"
 	"io"
 	"net"
 
@@ -176,7 +177,7 @@
 // This function returns the registry authentication
 // header value in base 64 format, or an error
 // if the privilege request fails.
-type RequestPrivilegeFunc func() (string, error)
+type RequestPrivilegeFunc func(context.Context) (string, error)
 
 // ImageSearchOptions holds parameters to search images with.
 type ImageSearchOptions struct {
@@ -289,7 +290,7 @@
 	RegistryAuth          string // RegistryAuth is the base64 encoded credentials for the registry
 	RemoteRef             string // RemoteRef is the plugin name on the registry
 	PrivilegeFunc         RequestPrivilegeFunc
-	AcceptPermissionsFunc func(PluginPrivileges) (bool, error)
+	AcceptPermissionsFunc func(context.Context, PluginPrivileges) (bool, error)
 	Args                  []string
 }
 
diff --git a/api/types/image/opts.go b/api/types/image/opts.go
index c6b1f35..616452c 100644
--- a/api/types/image/opts.go
+++ b/api/types/image/opts.go
@@ -1,6 +1,10 @@
 package image
 
-import "github.com/docker/docker/api/types/filters"
+import (
+	"context"
+
+	"github.com/docker/docker/api/types/filters"
+)
 
 // ImportOptions holds information to import images from the client host.
 type ImportOptions struct {
@@ -27,7 +31,7 @@
 	// privilege request fails.
 	//
 	// Also see [github.com/docker/docker/api/types.RequestPrivilegeFunc].
-	PrivilegeFunc func() (string, error)
+	PrivilegeFunc func(context.Context) (string, error)
 	Platform      string
 }
 
diff --git a/builder/dockerfile/dispatchers_unix.go b/builder/dockerfile/dispatchers_unix.go
index ba8e1d9..d69e184 100644
--- a/builder/dockerfile/dispatchers_unix.go
+++ b/builder/dockerfile/dispatchers_unix.go
@@ -22,7 +22,7 @@
 	if !filepath.IsAbs(requested) {
 		return filepath.Join(string(os.PathSeparator), current, requested), nil
 	}
-	return requested, nil
+	return filepath.Clean(requested), nil
 }
 
 // resolveCmdLine takes a command line arg set and optionally prepends a platform-specific
diff --git a/builder/dockerfile/internals.go b/builder/dockerfile/internals.go
index b6b0b8f..feca83e 100644
--- a/builder/dockerfile/internals.go
+++ b/builder/dockerfile/internals.go
@@ -15,11 +15,13 @@
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/builder"
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/chrootarchive"
 	"github.com/docker/docker/pkg/stringid"
+	"github.com/docker/docker/runconfig"
 	"github.com/docker/go-connections/nat"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -377,12 +379,21 @@
 		Ulimits:      options.Ulimits,
 	}
 
+	// We need to make sure no empty string or "default" NetworkMode is
+	// provided to the daemon as it doesn't support them.
+	//
+	// This is in line with what the ContainerCreate API endpoint does.
+	networkMode := options.NetworkMode
+	if networkMode == "" || networkMode == network.NetworkDefault {
+		networkMode = runconfig.DefaultDaemonNetworkMode().NetworkName()
+	}
+
 	hc := &container.HostConfig{
 		SecurityOpt: options.SecurityOpt,
 		Isolation:   options.Isolation,
 		ShmSize:     options.ShmSize,
 		Resources:   resources,
-		NetworkMode: container.NetworkMode(options.NetworkMode),
+		NetworkMode: container.NetworkMode(networkMode),
 		// Set a log config to override any default value set on the daemon
 		LogConfig:  defaultLogConfig,
 		ExtraHosts: options.ExtraHosts,
diff --git a/client/image_pull.go b/client/image_pull.go
index 6438cf6..1634c4c 100644
--- a/client/image_pull.go
+++ b/client/image_pull.go
@@ -36,7 +36,7 @@
 
 	resp, err := cli.tryImageCreate(ctx, query, options.RegistryAuth)
 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
-		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return nil, privilegeErr
 		}
diff --git a/client/image_pull_test.go b/client/image_pull_test.go
index d5a6b26..b190a10 100644
--- a/client/image_pull_test.go
+++ b/client/image_pull_test.go
@@ -49,7 +49,7 @@
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "", fmt.Errorf("Error requesting privilege")
 	}
 	_, err := client.ImagePull(context.Background(), "myimage", image.PullOptions{
@@ -64,7 +64,7 @@
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "a-auth-header", nil
 	}
 	_, err := client.ImagePull(context.Background(), "myimage", image.PullOptions{
@@ -105,7 +105,7 @@
 			}, nil
 		}),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "IAmValid", nil
 	}
 	resp, err := client.ImagePull(context.Background(), "myimage", image.PullOptions{
diff --git a/client/image_push.go b/client/image_push.go
index e6a6b11..2b80f2e 100644
--- a/client/image_push.go
+++ b/client/image_push.go
@@ -38,7 +38,7 @@
 
 	resp, err := cli.tryImagePush(ctx, name, query, options.RegistryAuth)
 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
-		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return nil, privilegeErr
 		}
diff --git a/client/image_push_test.go b/client/image_push_test.go
index b79ce49..cd49bfb 100644
--- a/client/image_push_test.go
+++ b/client/image_push_test.go
@@ -54,7 +54,7 @@
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "", fmt.Errorf("Error requesting privilege")
 	}
 	_, err := client.ImagePush(context.Background(), "myimage", image.PushOptions{
@@ -69,7 +69,7 @@
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "a-auth-header", nil
 	}
 	_, err := client.ImagePush(context.Background(), "myimage", image.PushOptions{
@@ -106,7 +106,7 @@
 			}, nil
 		}),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "IAmValid", nil
 	}
 	resp, err := client.ImagePush(context.Background(), "myimage:tag", image.PushOptions{
diff --git a/client/image_search.go b/client/image_search.go
index 8971b13..3c6fea4 100644
--- a/client/image_search.go
+++ b/client/image_search.go
@@ -34,7 +34,7 @@
 	resp, err := cli.tryImageSearch(ctx, query, options.RegistryAuth)
 	defer ensureReaderClosed(resp)
 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
-		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			return results, privilegeErr
 		}
diff --git a/client/image_search_test.go b/client/image_search_test.go
index aa66f27..bd3b579 100644
--- a/client/image_search_test.go
+++ b/client/image_search_test.go
@@ -38,7 +38,7 @@
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "", fmt.Errorf("Error requesting privilege")
 	}
 	_, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{
@@ -53,7 +53,7 @@
 	client := &Client{
 		client: newMockClient(errorMock(http.StatusUnauthorized, "Unauthorized error")),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "a-auth-header", nil
 	}
 	_, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{
@@ -98,7 +98,7 @@
 			}, nil
 		}),
 	}
-	privilegeFunc := func() (string, error) {
+	privilegeFunc := func(_ context.Context) (string, error) {
 		return "IAmValid", nil
 	}
 	results, err := client.ImageSearch(context.Background(), "some-image", types.ImageSearchOptions{
diff --git a/client/plugin_install.go b/client/plugin_install.go
index 6918461..a0d8c35 100644
--- a/client/plugin_install.go
+++ b/client/plugin_install.go
@@ -84,7 +84,7 @@
 	resp, err := cli.tryPluginPrivileges(ctx, query, options.RegistryAuth)
 	if errdefs.IsUnauthorized(err) && options.PrivilegeFunc != nil {
 		// todo: do inspect before to check existing name before checking privileges
-		newAuthHeader, privilegeErr := options.PrivilegeFunc()
+		newAuthHeader, privilegeErr := options.PrivilegeFunc(ctx)
 		if privilegeErr != nil {
 			ensureReaderClosed(resp)
 			return nil, privilegeErr
@@ -105,7 +105,7 @@
 	ensureReaderClosed(resp)
 
 	if !options.AcceptAllPermissions && options.AcceptPermissionsFunc != nil && len(privileges) > 0 {
-		accept, err := options.AcceptPermissionsFunc(privileges)
+		accept, err := options.AcceptPermissionsFunc(ctx, privileges)
 		if err != nil {
 			return nil, err
 		}
diff --git a/container/container.go b/container/container.go
index 0183003..9809124 100644
--- a/container/container.go
+++ b/container/container.go
@@ -299,8 +299,8 @@
 		return nil
 	}
 
-	container.Config.WorkingDir = filepath.Clean(container.Config.WorkingDir)
-	pth, err := container.GetResourcePath(container.Config.WorkingDir)
+	workdir := filepath.Clean(container.Config.WorkingDir)
+	pth, err := container.GetResourcePath(workdir)
 	if err != nil {
 		return err
 	}
diff --git a/contrib/download-frozen-image-v2.sh b/contrib/download-frozen-image-v2.sh
index 13534cc..86f26e4 100755
--- a/contrib/download-frozen-image-v2.sh
+++ b/contrib/download-frozen-image-v2.sh
@@ -11,7 +11,7 @@
 # scope, but may not accept contributions beyond that.
 #
 # For users who have a similar need but require more flexibility/functionality,
-# refer the the discussion on GitHub, which mentions various alternatives that
+# refer to the discussion on GitHub, which mentions various alternatives that
 # are more suitable for other uses: https://github.com/moby/moby/issues/40857
 
 # hello-world                      latest              ef872312fe1b        3 months ago        910 B
diff --git a/daemon/cluster/convert/container.go b/daemon/cluster/convert/container.go
index 7700177..b6b610e 100644
--- a/daemon/cluster/convert/container.go
+++ b/daemon/cluster/convert/container.go
@@ -120,8 +120,9 @@
 
 		if m.VolumeOptions != nil {
 			mount.VolumeOptions = &mounttypes.VolumeOptions{
-				NoCopy: m.VolumeOptions.NoCopy,
-				Labels: m.VolumeOptions.Labels,
+				NoCopy:  m.VolumeOptions.NoCopy,
+				Labels:  m.VolumeOptions.Labels,
+				Subpath: m.VolumeOptions.Subpath,
 			}
 			if m.VolumeOptions.DriverConfig != nil {
 				mount.VolumeOptions.DriverConfig = &mounttypes.Driver{
@@ -406,8 +407,9 @@
 
 		if m.VolumeOptions != nil {
 			mount.VolumeOptions = &swarmapi.Mount_VolumeOptions{
-				NoCopy: m.VolumeOptions.NoCopy,
-				Labels: m.VolumeOptions.Labels,
+				NoCopy:  m.VolumeOptions.NoCopy,
+				Labels:  m.VolumeOptions.Labels,
+				Subpath: m.VolumeOptions.Subpath,
 			}
 			if m.VolumeOptions.DriverConfig != nil {
 				mount.VolumeOptions.DriverConfig = &swarmapi.Driver{
diff --git a/daemon/cluster/convert/service_test.go b/daemon/cluster/convert/service_test.go
index 12907f3..6f05882 100644
--- a/daemon/cluster/convert/service_test.go
+++ b/daemon/cluster/convert/service_test.go
@@ -4,11 +4,13 @@
 	"testing"
 
 	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
 	swarmtypes "github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/swarm/runtime"
 	google_protobuf3 "github.com/gogo/protobuf/types"
 	swarmapi "github.com/moby/swarmkit/v2/api"
 	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestServiceConvertFromGRPCRuntimeContainer(t *testing.T) {
@@ -611,3 +613,32 @@
 		})
 	}
 }
+
+func TestServiceConvertToGRPCVolumeSubpath(t *testing.T) {
+	s := swarmtypes.ServiceSpec{
+		TaskTemplate: swarmtypes.TaskSpec{
+			ContainerSpec: &swarmtypes.ContainerSpec{
+				Mounts: []mount.Mount{
+					{
+						Source:   "/foo/bar",
+						Target:   "/baz",
+						Type:     mount.TypeVolume,
+						ReadOnly: false,
+						VolumeOptions: &mount.VolumeOptions{
+							Subpath: "sub",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	g, err := ServiceSpecToGRPC(s)
+	assert.NilError(t, err)
+
+	v, ok := g.Task.Runtime.(*swarmapi.TaskSpec_Container)
+	assert.Assert(t, ok)
+
+	assert.Check(t, is.Len(v.Container.Mounts, 1))
+	assert.Check(t, is.Equal(v.Container.Mounts[0].VolumeOptions.Subpath, "sub"))
+}
diff --git a/daemon/cluster/executor/container/adapter.go b/daemon/cluster/executor/container/adapter.go
index 7360031..262c614 100644
--- a/daemon/cluster/executor/container/adapter.go
+++ b/daemon/cluster/executor/container/adapter.go
@@ -17,12 +17,14 @@
 	"github.com/docker/docker/api/types/backend"
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/registry"
 	containerpkg "github.com/docker/docker/container"
 	"github.com/docker/docker/daemon"
 	"github.com/docker/docker/daemon/cluster/convert"
 	executorpkg "github.com/docker/docker/daemon/cluster/executor"
 	"github.com/docker/docker/libnetwork"
+	"github.com/docker/docker/runconfig"
 	volumeopts "github.com/docker/docker/volume/service/opts"
 	gogotypes "github.com/gogo/protobuf/types"
 	"github.com/moby/swarmkit/v2/agent/exec"
@@ -290,14 +292,34 @@
 }
 
 func (c *containerAdapter) create(ctx context.Context) error {
+	hostConfig := c.container.hostConfig(c.dependencies.Volumes())
+	netConfig := c.container.createNetworkingConfig(c.backend)
+
+	// We need to make sure no empty string or "default" NetworkMode is
+	// provided to the daemon as it doesn't support them.
+	//
+	// This is in line with what the ContainerCreate API endpoint does, but
+	// unlike that endpoint we can't do that in the ServiceCreate endpoint as
+	// the cluster leader and the current node might not be running on the same
+	// OS. Since the normalized value isn't the same on Windows and Linux, we
+	// need to make this normalization happen once we're sure we won't make a
+	// cross-OS API call.
+	if hostConfig.NetworkMode == "" || hostConfig.NetworkMode.IsDefault() {
+		hostConfig.NetworkMode = runconfig.DefaultDaemonNetworkMode()
+		if v, ok := netConfig.EndpointsConfig[network.NetworkDefault]; ok {
+			delete(netConfig.EndpointsConfig, network.NetworkDefault)
+			netConfig.EndpointsConfig[runconfig.DefaultDaemonNetworkMode().NetworkName()] = v
+		}
+	}
+
 	var cr containertypes.CreateResponse
 	var err error
 	if cr, err = c.backend.CreateManagedContainer(ctx, backend.ContainerCreateConfig{
 		Name:       c.container.name(),
 		Config:     c.container.config(),
-		HostConfig: c.container.hostConfig(c.dependencies.Volumes()),
+		HostConfig: hostConfig,
 		// Use the first network in container create
-		NetworkingConfig: c.container.createNetworkingConfig(c.backend),
+		NetworkingConfig: netConfig,
 	}); err != nil {
 		return err
 	}
diff --git a/daemon/cluster/executor/container/container.go b/daemon/cluster/executor/container/container.go
index 8aeb9d3..0257030 100644
--- a/daemon/cluster/executor/container/container.go
+++ b/daemon/cluster/executor/container/container.go
@@ -338,7 +338,8 @@
 
 	if m.VolumeOptions != nil {
 		mount.VolumeOptions = &enginemount.VolumeOptions{
-			NoCopy: m.VolumeOptions.NoCopy,
+			NoCopy:  m.VolumeOptions.NoCopy,
+			Subpath: m.VolumeOptions.Subpath,
 		}
 		if m.VolumeOptions.Labels != nil {
 			mount.VolumeOptions.Labels = make(map[string]string, len(m.VolumeOptions.Labels))
diff --git a/daemon/config/config_linux.go b/daemon/config/config_linux.go
index 986677a..d22874f 100644
--- a/daemon/config/config_linux.go
+++ b/daemon/config/config_linux.go
@@ -196,6 +196,10 @@
 		return errors.Wrap(err, "invalid fixed-cidr-v6")
 	}
 
+	if _, ok := conf.Features["windows-dns-proxy"]; ok {
+		return errors.New("feature option 'windows-dns-proxy' is only available on Windows")
+	}
+
 	return verifyDefaultCgroupNsMode(conf.CgroupNamespaceMode)
 }
 
diff --git a/daemon/container.go b/daemon/container.go
index c86ecf8..f8df74e 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -364,6 +364,6 @@
 	if !system.IsAbs(wd) {
 		return fmt.Errorf("the working directory '%s' is invalid, it needs to be an absolute path", config.WorkingDir)
 	}
-	config.WorkingDir = wd
+	config.WorkingDir = filepath.Clean(wd)
 	return nil
 }
diff --git a/daemon/container_operations.go b/daemon/container_operations.go
index 78b1c98..86da02f 100644
--- a/daemon/container_operations.go
+++ b/daemon/container_operations.go
@@ -54,7 +54,8 @@
 		sboxOptions = append(sboxOptions, libnetwork.OptionUseExternalKey())
 	}
 
-	if err := setupPathsAndSandboxOptions(container, cfg, &sboxOptions); err != nil {
+	// Add platform-specific Sandbox options.
+	if err := buildSandboxPlatformOptions(container, cfg, &sboxOptions); err != nil {
 		return nil, err
 	}
 
@@ -420,9 +421,6 @@
 	}
 
 	networkName := mode.NetworkName()
-	if mode.IsDefault() {
-		networkName = daemon.netController.Config().DefaultNetwork
-	}
 
 	if mode.IsUserDefined() {
 		var err error
@@ -461,15 +459,6 @@
 		}
 	}
 
-	// Convert any settings added by client in default name to
-	// engine's default network name key
-	if mode.IsDefault() {
-		if nConf, ok := container.NetworkSettings.Networks[mode.NetworkName()]; ok {
-			container.NetworkSettings.Networks[networkName] = nConf
-			delete(container.NetworkSettings.Networks, mode.NetworkName())
-		}
-	}
-
 	if !mode.IsUserDefined() {
 		return
 	}
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index fbc7594..4dedc1b 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -417,7 +417,7 @@
 	return false
 }
 
-func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Config, sboxOptions *[]libnetwork.SandboxOption) error {
+func buildSandboxPlatformOptions(container *container.Container, cfg *config.Config, sboxOptions *[]libnetwork.SandboxOption) error {
 	var err error
 	var originResolvConfPath string
 
@@ -481,6 +481,7 @@
 		return err
 	}
 	*sboxOptions = append(*sboxOptions, libnetwork.OptionResolvConfPath(container.ResolvConfPath))
+
 	return nil
 }
 
diff --git a/daemon/container_operations_windows.go b/daemon/container_operations_windows.go
index d52898a..0e7b511 100644
--- a/daemon/container_operations_windows.go
+++ b/daemon/container_operations_windows.go
@@ -163,7 +163,13 @@
 	return true
 }
 
-func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Config, sboxOptions *[]libnetwork.SandboxOption) error {
+func buildSandboxPlatformOptions(container *container.Container, cfg *config.Config, sboxOptions *[]libnetwork.SandboxOption) error {
+	// By default, the Windows internal resolver does not forward requests to
+	// external resolvers - but forwarding can be enabled using feature flag
+	// "windows-dns-proxy":true.
+	if doproxy, exists := cfg.Features["windows-dns-proxy"]; !exists || !doproxy {
+		*sboxOptions = append(*sboxOptions, libnetwork.OptionDNSNoProxy())
+	}
 	return nil
 }
 
diff --git a/daemon/containerd/image_list.go b/daemon/containerd/image_list.go
index 80b2409..641d4e4 100644
--- a/daemon/containerd/image_list.go
+++ b/daemon/containerd/image_list.go
@@ -301,6 +301,13 @@
 		return nil
 	})
 	if err != nil {
+		if errors.Is(err, errNotManifestOrIndex) {
+			log.G(ctx).WithFields(log.Fields{
+				"error": err,
+				"image": img.Name,
+			}).Warn("unexpected image target (neither a manifest nor index)")
+			return nil, nil, nil
+		}
 		return nil, nil, err
 	}
 
diff --git a/daemon/containerd/image_list_test.go b/daemon/containerd/image_list_test.go
index bd98873..46427b9 100644
--- a/daemon/containerd/image_list_test.go
+++ b/daemon/containerd/image_list_test.go
@@ -101,6 +101,9 @@
 	emptyIndex, err := specialimage.EmptyIndex(blobsDir)
 	assert.NilError(t, err)
 
+	configTarget, err := specialimage.ConfigTarget(blobsDir)
+	assert.NilError(t, err)
+
 	cs := &blobsDirContentStore{blobs: filepath.Join(blobsDir, "blobs/sha256")}
 
 	for _, tc := range []struct {
@@ -150,6 +153,16 @@
 				assert.Check(t, is.Len(all, 2))
 			},
 		},
+		{
+			// Make sure an invalid image target doesn't break the whole operation
+			name:   "one good image, second has config as a target",
+			images: imagesFromIndex(multilayer, configTarget),
+			check: func(t *testing.T, all []*imagetypes.Summary) {
+				assert.Check(t, is.Len(all, 1))
+
+				assert.Check(t, is.Equal(all[0].ID, multilayer.Manifests[0].Digest.String()))
+			},
+		},
 	} {
 		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
diff --git a/daemon/containerd/image_manifest.go b/daemon/containerd/image_manifest.go
index f4fe77e..482031e 100644
--- a/daemon/containerd/image_manifest.go
+++ b/daemon/containerd/image_manifest.go
@@ -45,7 +45,7 @@
 		return i.walkPresentChildren(ctx, desc, handleManifest)
 	}
 
-	return errNotManifestOrIndex
+	return errors.Wrapf(errNotManifestOrIndex, "error walking manifest for %s", img.Name)
 }
 
 type ImageManifest struct {
diff --git a/daemon/daemon.go b/daemon/daemon.go
index d832062..e7ca77d 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -32,6 +32,7 @@
 	"github.com/docker/docker/api/types/backend"
 	containertypes "github.com/docker/docker/api/types/container"
 	imagetypes "github.com/docker/docker/api/types/image"
+	networktypes "github.com/docker/docker/api/types/network"
 	registrytypes "github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/volume"
@@ -373,6 +374,21 @@
 						Type: local.Name,
 					}
 				}
+
+				// Normalize the "default" network mode into the network mode
+				// it aliases ("bridge on Linux and "nat" on Windows). This is
+				// also done by the container router, for new containers. But
+				// we need to do it here too to handle containers that were
+				// created prior to v26.0.
+				//
+				// TODO(aker): remove this migration code once the next LTM version of MCR is released.
+				if c.HostConfig.NetworkMode.IsDefault() {
+					c.HostConfig.NetworkMode = runconfig.DefaultDaemonNetworkMode()
+					if nw, ok := c.NetworkSettings.Networks[networktypes.NetworkDefault]; ok {
+						c.NetworkSettings.Networks[c.HostConfig.NetworkMode.NetworkName()] = nw
+						delete(c.NetworkSettings.Networks, networktypes.NetworkDefault)
+					}
+				}
 			}
 
 			if err := daemon.checkpointAndSave(c); err != nil {
diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index 120f514..cda787b 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -104,8 +104,8 @@
 		memory.DisableOOMKiller = config.OomKillDisable
 	}
 
-	if config.KernelMemory != 0 {
-		memory.Kernel = &config.KernelMemory
+	if config.KernelMemory != 0 { //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
+		memory.Kernel = &config.KernelMemory //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
 	}
 
 	if config.KernelMemoryTCP != 0 {
diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
index 1617f8b..f621cea 100644
--- a/daemon/images/image_history.go
+++ b/daemon/images/image_history.go
@@ -43,9 +43,14 @@
 			layerCounter++
 		}
 
+		var created int64
+		if h.Created != nil {
+			created = h.Created.Unix()
+		}
+
 		history = append([]*image.HistoryResponseItem{{
 			ID:        "<missing>",
-			Created:   h.Created.Unix(),
+			Created:   created,
 			CreatedBy: h.CreatedBy,
 			Comment:   h.Comment,
 			Size:      layerSize,
diff --git a/daemon/inspect.go b/daemon/inspect.go
index 62c7896..c4324f1 100644
--- a/daemon/inspect.go
+++ b/daemon/inspect.go
@@ -130,12 +130,8 @@
 	// unconditionally, to keep backward compatibility with clients that use
 	// unversioned API endpoints.
 	if container.Config != nil && container.Config.MacAddress == "" { //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.44.
-		if nwm := hostConfig.NetworkMode; nwm.IsDefault() || nwm.IsBridge() || nwm.IsUserDefined() {
-			name := nwm.NetworkName()
-			if nwm.IsDefault() {
-				name = daemon.netController.Config().DefaultNetwork
-			}
-			if epConf, ok := container.NetworkSettings.Networks[name]; ok {
+		if nwm := hostConfig.NetworkMode; nwm.IsBridge() || nwm.IsUserDefined() {
+			if epConf, ok := container.NetworkSettings.Networks[nwm.NetworkName()]; ok {
 				container.Config.MacAddress = epConf.DesiredMacAddress //nolint:staticcheck // ignore SA1019: field is deprecated, but still used on API < v1.44.
 			}
 		}
diff --git a/daemon/nvidia_linux.go b/daemon/nvidia_linux.go
index 9f1c914..7243b52 100644
--- a/daemon/nvidia_linux.go
+++ b/daemon/nvidia_linux.go
@@ -83,7 +83,13 @@
 	if s.Hooks == nil {
 		s.Hooks = &specs.Hooks{}
 	}
-	s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{
+
+	// This implementation uses prestart hooks, which are deprecated.
+	// CreateRuntime is the closest equivalent, and executed in the same
+	// locations as prestart-hooks, but depending on what these hooks do,
+	// possibly one of the other hooks could be used instead (such as
+	// CreateContainer or StartContainer).
+	s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ //nolint:staticcheck // FIXME(thaJeztah); replace prestart hook with a non-deprecated one.
 		Path: path,
 		Args: []string{
 			nvidiaHook,
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 37ad941..75aecfa 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -73,7 +73,7 @@
 					s.Hooks = &specs.Hooks{}
 				}
 				shortNetCtlrID := stringid.TruncateID(daemon.netController.ID())
-				s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{
+				s.Hooks.Prestart = append(s.Hooks.Prestart, specs.Hook{ //nolint:staticcheck // FIXME(thaJeztah); replace prestart hook with a non-deprecated one.
 					Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),
 					Args: []string{"libnetwork-setkey", "-exec-root=" + daemonCfg.GetExecRoot(), c.ID, shortNetCtlrID},
 				})
diff --git a/daemon/update_linux.go b/daemon/update_linux.go
index 3105402..8f3bde9 100644
--- a/daemon/update_linux.go
+++ b/daemon/update_linux.go
@@ -59,8 +59,8 @@
 	if resources.MemoryReservation != 0 {
 		memory.Reservation = &resources.MemoryReservation
 	}
-	if resources.KernelMemory != 0 {
-		memory.Kernel = &resources.KernelMemory
+	if resources.KernelMemory != 0 { //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
+		memory.Kernel = &resources.KernelMemory //nolint:staticcheck // ignore SA1019: memory.Kernel is deprecated: kernel-memory limits are not supported in cgroups v2, and were obsoleted in [kernel v5.4]. This field should no longer be used, as it may be ignored by runtimes.
 	}
 	if resources.MemorySwap > 0 {
 		memory.Swap = &resources.MemorySwap
diff --git a/docs/api/v1.25.yaml b/docs/api/v1.25.yaml
index a396d8b..1a8008a 100644
--- a/docs/api/v1.25.yaml
+++ b/docs/api/v1.25.yaml
@@ -3909,7 +3909,7 @@
           default: false
         - name: "stream"
           in: "query"
-          description: "Stream attached streams from the the time the request was made onwards"
+          description: "Stream attached streams from the time the request was made onwards"
           type: "boolean"
           default: false
         - name: "stdin"
diff --git a/docs/api/v1.26.yaml b/docs/api/v1.26.yaml
index 4b1d03e..b0a0ba7 100644
--- a/docs/api/v1.26.yaml
+++ b/docs/api/v1.26.yaml
@@ -3913,7 +3913,7 @@
           default: false
         - name: "stream"
           in: "query"
-          description: "Stream attached streams from the the time the request was made onwards"
+          description: "Stream attached streams from the time the request was made onwards"
           type: "boolean"
           default: false
         - name: "stdin"
diff --git a/docs/api/v1.27.yaml b/docs/api/v1.27.yaml
index 802b121..738ace5 100644
--- a/docs/api/v1.27.yaml
+++ b/docs/api/v1.27.yaml
@@ -3980,7 +3980,7 @@
           default: false
         - name: "stream"
           in: "query"
-          description: "Stream attached streams from the the time the request was made onwards"
+          description: "Stream attached streams from the time the request was made onwards"
           type: "boolean"
           default: false
         - name: "stdin"
diff --git a/docs/api/v1.32.yaml b/docs/api/v1.32.yaml
index 75f76e5..7cbe63c 100644
--- a/docs/api/v1.32.yaml
+++ b/docs/api/v1.32.yaml
@@ -3795,7 +3795,7 @@
           - "process"
       InitBinary:
         description: |
-          Name and, optional, path of the the `docker-init` binary.
+          Name and, optional, path of the `docker-init` binary.
 
           If the path is omitted, the daemon searches the host's `$PATH` for the
           binary and uses the first result.
@@ -4013,7 +4013,7 @@
           - "https://registry-3.docker.io/"
       Secure:
         description: |
-          Indicates if the the registry is part of the list of insecure
+          Indicates if the registry is part of the list of insecure
           registries.
 
           If `false`, the registry is insecure. Insecure registries accept
diff --git a/docs/api/v1.33.yaml b/docs/api/v1.33.yaml
index 0a5fe19..1c611c3 100644
--- a/docs/api/v1.33.yaml
+++ b/docs/api/v1.33.yaml
@@ -3799,7 +3799,7 @@
           - "process"
       InitBinary:
         description: |
-          Name and, optional, path of the the `docker-init` binary.
+          Name and, optional, path of the `docker-init` binary.
 
           If the path is omitted, the daemon searches the host's `$PATH` for the
           binary and uses the first result.
@@ -4017,7 +4017,7 @@
           - "https://registry-3.docker.io/"
       Secure:
         description: |
-          Indicates if the the registry is part of the list of insecure
+          Indicates if the registry is part of the list of insecure
           registries.
 
           If `false`, the registry is insecure. Insecure registries accept
diff --git a/docs/api/v1.34.yaml b/docs/api/v1.34.yaml
index 71d0fed..97e7454 100644
--- a/docs/api/v1.34.yaml
+++ b/docs/api/v1.34.yaml
@@ -3827,7 +3827,7 @@
           - "process"
       InitBinary:
         description: |
-          Name and, optional, path of the the `docker-init` binary.
+          Name and, optional, path of the `docker-init` binary.
 
           If the path is omitted, the daemon searches the host's `$PATH` for the
           binary and uses the first result.
@@ -4045,7 +4045,7 @@
           - "https://registry-3.docker.io/"
       Secure:
         description: |
-          Indicates if the the registry is part of the list of insecure
+          Indicates if the registry is part of the list of insecure
           registries.
 
           If `false`, the registry is insecure. Insecure registries accept
diff --git a/docs/api/v1.35.yaml b/docs/api/v1.35.yaml
index 6d06746..cc58e9f 100644
--- a/docs/api/v1.35.yaml
+++ b/docs/api/v1.35.yaml
@@ -3830,7 +3830,7 @@
           - "process"
       InitBinary:
         description: |
-          Name and, optional, path of the the `docker-init` binary.
+          Name and, optional, path of the `docker-init` binary.
 
           If the path is omitted, the daemon searches the host's `$PATH` for the
           binary and uses the first result.
@@ -4048,7 +4048,7 @@
           - "https://registry-3.docker.io/"
       Secure:
         description: |
-          Indicates if the the registry is part of the list of insecure
+          Indicates if the registry is part of the list of insecure
           registries.
 
           If `false`, the registry is insecure. Insecure registries accept
diff --git a/docs/api/v1.36.yaml b/docs/api/v1.36.yaml
index bcf04ff..3bb81f0 100644
--- a/docs/api/v1.36.yaml
+++ b/docs/api/v1.36.yaml
@@ -3843,7 +3843,7 @@
           - "process"
       InitBinary:
         description: |
-          Name and, optional, path of the the `docker-init` binary.
+          Name and, optional, path of the `docker-init` binary.
 
           If the path is omitted, the daemon searches the host's `$PATH` for the
           binary and uses the first result.
@@ -4061,7 +4061,7 @@
           - "https://registry-3.docker.io/"
       Secure:
         description: |
-          Indicates if the the registry is part of the list of insecure
+          Indicates if the registry is part of the list of insecure
           registries.
 
           If `false`, the registry is insecure. Insecure registries accept
diff --git a/docs/api/v1.37.yaml b/docs/api/v1.37.yaml
index 0ef019f..64e12f0 100644
--- a/docs/api/v1.37.yaml
+++ b/docs/api/v1.37.yaml
@@ -3863,7 +3863,7 @@
           - "process"
       InitBinary:
         description: |
-          Name and, optional, path of the the `docker-init` binary.
+          Name and, optional, path of the `docker-init` binary.
 
           If the path is omitted, the daemon searches the host's `$PATH` for the
           binary and uses the first result.
@@ -4081,7 +4081,7 @@
           - "https://registry-3.docker.io/"
       Secure:
         description: |
-          Indicates if the the registry is part of the list of insecure
+          Indicates if the registry is part of the list of insecure
           registries.
 
           If `false`, the registry is insecure. Insecure registries accept
diff --git a/hack/dockerfile/install/containerd.installer b/hack/dockerfile/install/containerd.installer
index 3275d8f..64e92eb 100755
--- a/hack/dockerfile/install/containerd.installer
+++ b/hack/dockerfile/install/containerd.installer
@@ -15,7 +15,7 @@
 # the binary version you may also need to update the vendor version to pick up
 # bug fixes or new APIs, however, usually the Go packages are built from a
 # commit from the master branch.
-: "${CONTAINERD_VERSION:=v1.7.13}"
+: "${CONTAINERD_VERSION:=v1.7.15}"
 
 install_containerd() (
 	echo "Install containerd version $CONTAINERD_VERSION"
diff --git a/hack/dockerfiles/generate-files.Dockerfile b/hack/dockerfiles/generate-files.Dockerfile
index a68b40e..db0c13f 100644
--- a/hack/dockerfiles/generate-files.Dockerfile
+++ b/hack/dockerfiles/generate-files.Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.21.8
+ARG GO_VERSION=1.21.9
 ARG BASE_DEBIAN_DISTRO="bookworm"
 ARG PROTOC_VERSION=3.11.4
 
diff --git a/image/tarexport/save.go b/image/tarexport/save.go
index 41c3f09..103c8b3 100644
--- a/image/tarexport/save.go
+++ b/image/tarexport/save.go
@@ -223,8 +223,6 @@
 			})
 		}
 
-		imgPlat := imageDescr.image.Platform()
-
 		m := ocispec.Manifest{
 			Versioned: specs.Versioned{
 				SchemaVersion: 2,
@@ -234,7 +232,6 @@
 				MediaType: ocispec.MediaTypeImageConfig,
 				Digest:    digest.Digest(imageDescr.image.ID()),
 				Size:      int64(len(imageDescr.image.RawJSON())),
-				Platform:  &imgPlat,
 			},
 			Layers: foreign,
 		}
diff --git a/integration-cli/docker_api_network_test.go b/integration-cli/docker_api_network_test.go
index 17d0205..155e13c 100644
--- a/integration-cli/docker_api_network_test.go
+++ b/integration-cli/docker_api_network_test.go
@@ -267,6 +267,8 @@
 }
 
 func createNetwork(c *testing.T, config types.NetworkCreateRequest, expectedStatusCode int) string {
+	c.Helper()
+
 	resp, body, err := request.Post(testutil.GetContext(c), "/networks/create", request.JSONBody(config))
 	assert.NilError(c, err)
 	defer resp.Body.Close()
diff --git a/integration-cli/docker_cli_build_test.go b/integration-cli/docker_cli_build_test.go
index 858d496..05f9e4b 100644
--- a/integration-cli/docker_cli_build_test.go
+++ b/integration-cli/docker_cli_build_test.go
@@ -4296,7 +4296,7 @@
 	imgName := "bldvarstest"
 
 	wdVar := "WDIR"
-	wdVal := "/tmp/"
+	wdVal := "/tmp"
 	addVar := "AFILE"
 	addVal := "addFile"
 	copyVar := "CFILE"
diff --git a/integration/build/build_test.go b/integration/build/build_test.go
index 826f4d5..8d3da03 100644
--- a/integration/build/build_test.go
+++ b/integration/build/build_test.go
@@ -689,6 +689,72 @@
 	assert.Check(t, is.ErrorType(err, errdefs.IsInvalidParameter))
 }
 
+// TestBuildWorkdirNoCacheMiss is a regression test for https://github.com/moby/moby/issues/47627
+func TestBuildWorkdirNoCacheMiss(t *testing.T) {
+	ctx := setupTest(t)
+
+	for _, tc := range []struct {
+		name       string
+		dockerfile string
+	}{
+		{name: "trailing slash", dockerfile: "FROM busybox\nWORKDIR /foo/"},
+		{name: "no trailing slash", dockerfile: "FROM busybox\nWORKDIR /foo"},
+	} {
+		dockerfile := tc.dockerfile
+		t.Run(tc.name, func(t *testing.T) {
+			source := fakecontext.New(t, "", fakecontext.WithDockerfile(dockerfile))
+			defer source.Close()
+
+			apiClient := testEnv.APIClient()
+
+			buildAndGetID := func() string {
+				resp, err := apiClient.ImageBuild(ctx, source.AsTarReader(t), types.ImageBuildOptions{
+					Version: types.BuilderV1,
+				})
+				assert.NilError(t, err)
+				defer resp.Body.Close()
+
+				id := readBuildImageIDs(t, resp.Body)
+				assert.Check(t, id != "")
+				return id
+			}
+
+			firstId := buildAndGetID()
+			secondId := buildAndGetID()
+
+			assert.Check(t, is.Equal(firstId, secondId), "expected cache to be used")
+		})
+	}
+}
+
+func readBuildImageIDs(t *testing.T, rd io.Reader) string {
+	t.Helper()
+	decoder := json.NewDecoder(rd)
+	for {
+		var jm jsonmessage.JSONMessage
+		if err := decoder.Decode(&jm); err != nil {
+			if err == io.EOF {
+				break
+			}
+			assert.NilError(t, err)
+		}
+
+		if jm.Aux == nil {
+			continue
+		}
+
+		var auxId struct {
+			ID string `json:"ID"`
+		}
+
+		if json.Unmarshal(*jm.Aux, &auxId); auxId.ID != "" {
+			return auxId.ID
+		}
+	}
+
+	return ""
+}
+
 func writeTarRecord(t *testing.T, w *tar.Writer, fn, contents string) {
 	err := w.WriteHeader(&tar.Header{
 		Name:     fn,
diff --git a/integration/container/run_linux_test.go b/integration/container/run_linux_test.go
index 810ede1..8675447 100644
--- a/integration/container/run_linux_test.go
+++ b/integration/container/run_linux_test.go
@@ -326,3 +326,33 @@
 
 	assert.Check(t, is.Contains(b.String(), "inet 10.42.1.3/16"))
 }
+
+func TestWorkingDirNormalization(t *testing.T) {
+	ctx := setupTest(t)
+	apiClient := testEnv.APIClient()
+
+	for _, tc := range []struct {
+		name    string
+		workdir string
+	}{
+		{name: "trailing slash", workdir: "/tmp/"},
+		{name: "no trailing slash", workdir: "/tmp"},
+	} {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			cID := container.Run(ctx, t, apiClient,
+				container.WithImage("busybox"),
+				container.WithWorkingDir(tc.workdir),
+			)
+
+			defer container.Remove(ctx, t, apiClient, cID, containertypes.RemoveOptions{Force: true})
+
+			inspect := container.Inspect(ctx, t, apiClient, cID)
+
+			assert.Check(t, is.Equal(inspect.Config.WorkingDir, "/tmp"))
+		})
+
+	}
+}
diff --git a/integration/internal/network/dns.go b/integration/internal/network/dns.go
new file mode 100644
index 0000000..ab87b2b
--- /dev/null
+++ b/integration/internal/network/dns.go
@@ -0,0 +1,66 @@
+package network
+
+import (
+	"net"
+	"os"
+	"testing"
+
+	"github.com/miekg/dns"
+	"gotest.tools/v3/assert"
+)
+
+const DNSRespAddr = "10.11.12.13"
+
+// WriteTempResolvConf writes a resolv.conf that only contains a single
+// nameserver line, with address addr.
+// It returns the name of the temp file. The temp file will be deleted
+// automatically by a t.Cleanup().
+func WriteTempResolvConf(t *testing.T, addr string) string {
+	t.Helper()
+	// Not using t.TempDir() here because in rootless mode, while the temporary
+	// directory gets mode 0777, it's a subdir of an 0700 directory owned by root.
+	// So, it's not accessible by the daemon.
+	f, err := os.CreateTemp("", "resolv.conf")
+	assert.NilError(t, err)
+	t.Cleanup(func() { os.Remove(f.Name()) })
+	err = f.Chmod(0644)
+	assert.NilError(t, err)
+	f.Write([]byte("nameserver " + addr + "\n"))
+	return f.Name()
+}
+
+// StartDaftDNS starts and returns a really, really daft DNS server that only
+// responds to type-A requests, and always with address dnsRespAddr.
+// The DNS server will be stopped automatically by a t.Cleanup().
+func StartDaftDNS(t *testing.T, addr string) {
+	serveDNS := func(w dns.ResponseWriter, query *dns.Msg) {
+		if query.Question[0].Qtype == dns.TypeA {
+			resp := &dns.Msg{}
+			resp.SetReply(query)
+			answer := &dns.A{
+				Hdr: dns.RR_Header{
+					Name:   query.Question[0].Name,
+					Rrtype: dns.TypeA,
+					Class:  dns.ClassINET,
+					Ttl:    600,
+				},
+			}
+			answer.A = net.ParseIP(DNSRespAddr)
+			resp.Answer = append(resp.Answer, answer)
+			_ = w.WriteMsg(resp)
+		}
+	}
+
+	conn, err := net.ListenUDP("udp", &net.UDPAddr{
+		IP:   net.ParseIP(addr),
+		Port: 53,
+	})
+	assert.NilError(t, err)
+
+	server := &dns.Server{Handler: dns.HandlerFunc(serveDNS), PacketConn: conn}
+	go func() {
+		_ = server.ActivateAndServe()
+	}()
+
+	t.Cleanup(func() { server.Shutdown() })
+}
diff --git a/integration/network/ipvlan/ipvlan_test.go b/integration/network/ipvlan/ipvlan_test.go
index 37e3dd0..14c5ea87 100644
--- a/integration/network/ipvlan/ipvlan_test.go
+++ b/integration/network/ipvlan/ipvlan_test.go
@@ -4,12 +4,12 @@
 
 import (
 	"context"
-	"os"
-	"os/exec"
+	"fmt"
 	"strings"
-	"sync"
 	"testing"
 
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
 	dclient "github.com/docker/docker/client"
 	"github.com/docker/docker/integration/internal/container"
 	net "github.com/docker/docker/integration/internal/network"
@@ -17,13 +17,14 @@
 	"github.com/docker/docker/testutil"
 	"github.com/docker/docker/testutil/daemon"
 	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/skip"
 )
 
 func TestDockerNetworkIpvlanPersistance(t *testing.T) {
 	// verify the driver automatically provisions the 802.1q link (di-dummy0.70)
 	skip.If(t, testEnv.IsRemoteDaemon)
-	skip.If(t, !ipvlanKernelSupport(t), "Kernel doesn't support ipvlan")
+	skip.If(t, testEnv.IsRootless, "rootless mode has different view of network")
 
 	ctx := testutil.StartSpan(baseContext, t)
 
@@ -52,7 +53,7 @@
 
 func TestDockerNetworkIpvlan(t *testing.T) {
 	skip.If(t, testEnv.IsRemoteDaemon)
-	skip.If(t, !ipvlanKernelSupport(t), "Kernel doesn't support ipvlan")
+	skip.If(t, testEnv.IsRootless, "rootless mode has different view of network")
 
 	ctx := testutil.StartSpan(baseContext, t)
 
@@ -79,14 +80,23 @@
 			name: "L3InternalMode",
 			test: testIpvlanL3InternalMode,
 		}, {
-			name: "L2MultiSubnet",
-			test: testIpvlanL2MultiSubnet,
+			name: "L2MultiSubnetWithParent",
+			test: testIpvlanL2MultiSubnetWithParent,
+		}, {
+			name: "L2MultiSubnetNoParent",
+			test: testIpvlanL2MultiSubnetNoParent,
 		}, {
 			name: "L3MultiSubnet",
 			test: testIpvlanL3MultiSubnet,
 		}, {
-			name: "Addressing",
-			test: testIpvlanAddressing,
+			name: "L2Addressing",
+			test: testIpvlanL2Addressing,
+		}, {
+			name: "L3Addressing",
+			test: testIpvlanL3Addressing,
+		}, {
+			name: "NoIPv6",
+			test: testIpvlanNoIPv6,
 		},
 	} {
 
@@ -225,10 +235,21 @@
 	assert.NilError(t, err)
 }
 
-func testIpvlanL2MultiSubnet(t *testing.T, ctx context.Context, client dclient.APIClient) {
+func testIpvlanL2MultiSubnetWithParent(t *testing.T, ctx context.Context, client dclient.APIClient) {
+	const parentIfName = "di-dummy0"
+	n.CreateMasterDummy(ctx, t, parentIfName)
+	defer n.DeleteInterface(ctx, t, parentIfName)
+	testIpvlanL2MultiSubnet(t, ctx, client, parentIfName)
+}
+
+func testIpvlanL2MultiSubnetNoParent(t *testing.T, ctx context.Context, client dclient.APIClient) {
+	testIpvlanL2MultiSubnet(t, ctx, client, "")
+}
+
+func testIpvlanL2MultiSubnet(t *testing.T, ctx context.Context, client dclient.APIClient, parent string) {
 	netName := "dualstackl2"
 	net.CreateNoError(ctx, t, client, netName,
-		net.WithIPvlan("", ""),
+		net.WithIPvlan(parent, ""),
 		net.WithIPv6(),
 		net.WithIPAM("172.28.200.0/24", ""),
 		net.WithIPAM("172.28.202.0/24", "172.28.202.254"),
@@ -250,11 +271,22 @@
 	)
 	c1, err := client.ContainerInspect(ctx, id1)
 	assert.NilError(t, err)
+	if parent == "" {
+		// Inspect the v4 gateway to ensure no default GW was assigned
+		assert.Check(t, is.Equal(c1.NetworkSettings.Networks[netName].Gateway, ""))
+		// Inspect the v6 gateway to ensure no default GW was assigned
+		assert.Check(t, is.Equal(c1.NetworkSettings.Networks[netName].IPv6Gateway, ""))
+	} else {
+		// Inspect the v4 gateway to ensure the proper default GW was assigned
+		assert.Check(t, is.Equal(c1.NetworkSettings.Networks[netName].Gateway, "172.28.200.1"))
+		// Inspect the v6 gateway to ensure the proper default GW was assigned
+		assert.Check(t, is.Equal(c1.NetworkSettings.Networks[netName].IPv6Gateway, "2001:db8:abc8::1"))
+	}
 
-	// verify ipv4 connectivity to the explicit --ipv address second to first
+	// verify ipv4 connectivity to the explicit --ip address second to first
 	_, err = container.Exec(ctx, client, id2, []string{"ping", "-c", "1", c1.NetworkSettings.Networks[netName].IPAddress})
 	assert.NilError(t, err)
-	// verify ipv6 connectivity to the explicit --ipv6 address second to first
+	// verify ipv6 connectivity to the explicit --ip6 address second to first
 	_, err = container.Exec(ctx, client, id2, []string{"ping6", "-c", "1", c1.NetworkSettings.Networks[netName].GlobalIPv6Address})
 	assert.NilError(t, err)
 
@@ -271,22 +303,24 @@
 	)
 	c3, err := client.ContainerInspect(ctx, id3)
 	assert.NilError(t, err)
+	if parent == "" {
+		// Inspect the v4 gateway to ensure no default GW was assigned
+		assert.Check(t, is.Equal(c3.NetworkSettings.Networks[netName].Gateway, ""))
+		// Inspect the v6 gateway to ensure no default GW was assigned
+		assert.Check(t, is.Equal(c3.NetworkSettings.Networks[netName].IPv6Gateway, ""))
+	} else {
+		// Inspect the v4 gateway to ensure the proper explicitly assigned default GW was assigned
+		assert.Check(t, is.Equal(c3.NetworkSettings.Networks[netName].Gateway, "172.28.202.254"))
+		// Inspect the v6 gateway to ensure the proper explicitly assigned default GW was assigned
+		assert.Check(t, is.Equal(c3.NetworkSettings.Networks[netName].IPv6Gateway, "2001:db8:abc6::254"))
+	}
 
-	// verify ipv4 connectivity to the explicit --ipv address from third to fourth
+	// verify ipv4 connectivity to the explicit --ip address from third to fourth
 	_, err = container.Exec(ctx, client, id4, []string{"ping", "-c", "1", c3.NetworkSettings.Networks[netName].IPAddress})
 	assert.NilError(t, err)
-	// verify ipv6 connectivity to the explicit --ipv6 address from third to fourth
+	// verify ipv6 connectivity to the explicit --ip6 address from third to fourth
 	_, err = container.Exec(ctx, client, id4, []string{"ping6", "-c", "1", c3.NetworkSettings.Networks[netName].GlobalIPv6Address})
 	assert.NilError(t, err)
-
-	// Inspect the v4 gateway to ensure the proper default GW was assigned
-	assert.Equal(t, c1.NetworkSettings.Networks[netName].Gateway, "172.28.200.1")
-	// Inspect the v6 gateway to ensure the proper default GW was assigned
-	assert.Equal(t, c1.NetworkSettings.Networks[netName].IPv6Gateway, "2001:db8:abc8::1")
-	// Inspect the v4 gateway to ensure the proper explicitly assigned default GW was assigned
-	assert.Equal(t, c3.NetworkSettings.Networks[netName].Gateway, "172.28.202.254")
-	// Inspect the v6 gateway to ensure the proper explicitly assigned default GW was assigned
-	assert.Equal(t, c3.NetworkSettings.Networks[netName].IPv6Gateway, "2001:db8:abc6::254")
 }
 
 func testIpvlanL3MultiSubnet(t *testing.T, ctx context.Context, client dclient.APIClient) {
@@ -353,70 +387,162 @@
 	assert.Equal(t, c3.NetworkSettings.Networks[netName].IPv6Gateway, "")
 }
 
-func testIpvlanAddressing(t *testing.T, ctx context.Context, client dclient.APIClient) {
-	// Verify ipvlan l2 mode sets the proper default gateway routes via netlink
-	// for either an explicitly set route by the user or inferred via default IPAM
+// Verify ipvlan l2 mode sets the proper default gateway routes via netlink
+// for either an explicitly set route by the user or inferred via default IPAM
+func testIpvlanL2Addressing(t *testing.T, ctx context.Context, client dclient.APIClient) {
+	const parentIfName = "di-dummy0"
+	n.CreateMasterDummy(ctx, t, parentIfName)
+	defer n.DeleteInterface(ctx, t, parentIfName)
+
 	netNameL2 := "dualstackl2"
 	net.CreateNoError(ctx, t, client, netNameL2,
-		net.WithIPvlan("", "l2"),
+		net.WithIPvlan(parentIfName, "l2"),
 		net.WithIPv6(),
 		net.WithIPAM("172.28.140.0/24", "172.28.140.254"),
 		net.WithIPAM("2001:db8:abcb::/64", ""),
 	)
 	assert.Check(t, n.IsNetworkAvailable(ctx, client, netNameL2))
 
-	id1 := container.Run(ctx, t, client,
+	id := container.Run(ctx, t, client,
 		container.WithNetworkMode(netNameL2),
 	)
 	// Validate ipvlan l2 mode defaults gateway sets the default IPAM next-hop inferred from the subnet
-	result, err := container.Exec(ctx, client, id1, []string{"ip", "route"})
+	result, err := container.Exec(ctx, client, id, []string{"ip", "route"})
 	assert.NilError(t, err)
-	assert.Check(t, strings.Contains(result.Combined(), "default via 172.28.140.254 dev eth0"))
+	assert.Check(t, is.Contains(result.Combined(), "default via 172.28.140.254 dev eth0"))
 	// Validate ipvlan l2 mode sets the v6 gateway to the user specified default gateway/next-hop
-	result, err = container.Exec(ctx, client, id1, []string{"ip", "-6", "route"})
+	result, err = container.Exec(ctx, client, id, []string{"ip", "-6", "route"})
 	assert.NilError(t, err)
-	assert.Check(t, strings.Contains(result.Combined(), "default via 2001:db8:abcb::1 dev eth0"))
+	assert.Check(t, is.Contains(result.Combined(), "default via 2001:db8:abcb::1 dev eth0"))
+}
 
-	// Validate ipvlan l3 mode sets the v4 gateway to dev eth0 and disregards any explicit or inferred next-hops
+// Validate ipvlan l3 mode sets the v4 gateway to dev eth0 and disregards any explicit or inferred next-hops
+func testIpvlanL3Addressing(t *testing.T, ctx context.Context, client dclient.APIClient) {
+	const parentIfName = "di-dummy0"
+	n.CreateMasterDummy(ctx, t, parentIfName)
+	defer n.DeleteInterface(ctx, t, parentIfName)
+
 	netNameL3 := "dualstackl3"
 	net.CreateNoError(ctx, t, client, netNameL3,
-		net.WithIPvlan("", "l3"),
+		net.WithIPvlan(parentIfName, "l3"),
 		net.WithIPv6(),
 		net.WithIPAM("172.28.160.0/24", "172.28.160.254"),
 		net.WithIPAM("2001:db8:abcd::/64", "2001:db8:abcd::254"),
 	)
 	assert.Check(t, n.IsNetworkAvailable(ctx, client, netNameL3))
 
-	id2 := container.Run(ctx, t, client,
+	id := container.Run(ctx, t, client,
 		container.WithNetworkMode(netNameL3),
 	)
 	// Validate ipvlan l3 mode sets the v4 gateway to dev eth0 and disregards any explicit or inferred next-hops
-	result, err = container.Exec(ctx, client, id2, []string{"ip", "route"})
+	result, err := container.Exec(ctx, client, id, []string{"ip", "route"})
 	assert.NilError(t, err)
-	assert.Check(t, strings.Contains(result.Combined(), "default dev eth0"))
+	assert.Check(t, is.Contains(result.Combined(), "default dev eth0"))
 	// Validate ipvlan l3 mode sets the v6 gateway to dev eth0 and disregards any explicit or inferred next-hops
-	result, err = container.Exec(ctx, client, id2, []string{"ip", "-6", "route"})
+	result, err = container.Exec(ctx, client, id, []string{"ip", "-6", "route"})
 	assert.NilError(t, err)
-	assert.Check(t, strings.Contains(result.Combined(), "default dev eth0"))
+	assert.Check(t, is.Contains(result.Combined(), "default dev eth0"))
 }
 
-var (
-	once            sync.Once
-	ipvlanSupported bool
-)
+// Check that an ipvlan interface with '--ipv6=false' doesn't get kernel-assigned
+// IPv6 addresses, but the loopback interface does still have an IPv6 address ('::1').
+func testIpvlanNoIPv6(t *testing.T, ctx context.Context, client dclient.APIClient) {
+	const netName = "ipvlannet"
+	net.CreateNoError(ctx, t, client, netName, net.WithIPvlan("", "l3"))
+	assert.Check(t, n.IsNetworkAvailable(ctx, client, netName))
 
-// figure out if ipvlan is supported by the kernel
-func ipvlanKernelSupport(t *testing.T) bool {
-	once.Do(func() {
-		// this may have the side effect of enabling the ipvlan module
-		exec.Command("modprobe", "ipvlan").Run()
-		_, err := os.Stat("/sys/module/ipvlan")
-		if err == nil {
-			ipvlanSupported = true
-		} else if !os.IsNotExist(err) {
-			t.Logf("WARNING: ipvlanKernelSupport: stat failed: %v\n", err)
+	id := container.Run(ctx, t, client, container.WithNetworkMode(netName))
+
+	loRes := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "lo"})
+	assert.Check(t, is.Contains(loRes.Combined(), " inet "))
+	assert.Check(t, is.Contains(loRes.Combined(), " inet6 "))
+
+	eth0Res := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "eth0"})
+	assert.Check(t, is.Contains(eth0Res.Combined(), " inet "))
+	assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "),
+		"result.Combined(): %s", eth0Res.Combined())
+
+	sysctlRes := container.ExecT(ctx, t, client, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"})
+	assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1"))
+}
+
+// TestIPVlanDNS checks whether DNS is forwarded, for combinations of l2/l3 mode,
+// with/without a parent interface, and with '--internal'. Note that, there's no
+// attempt here to give the ipvlan network external connectivity - when this test
+// supplies a parent interface, it's a dummy. External DNS lookups only work
+// because the daemon is configured to see a host resolver on a loopback
+// interface, so the external DNS lookup happens in the host's namespace. The
+// test is checking that an automatically configured dummy interface causes the
+// network to behave as if it was '--internal'. Regression test for
+// https://github.com/moby/moby/issues/47662
+func TestIPVlanDNS(t *testing.T) {
+	skip.If(t, testEnv.IsRootless, "rootless mode has different view of network")
+	ctx := testutil.StartSpan(baseContext, t)
+
+	net.StartDaftDNS(t, "127.0.0.1")
+
+	tmpFileName := net.WriteTempResolvConf(t, "127.0.0.1")
+	d := daemon.New(t, daemon.WithEnvVars("DOCKER_TEST_RESOLV_CONF_PATH="+tmpFileName))
+	d.StartWithBusybox(ctx, t)
+	t.Cleanup(func() { d.Stop(t) })
+	c := d.NewClientT(t)
+
+	const parentIfName = "di-dummy0"
+	n.CreateMasterDummy(ctx, t, parentIfName)
+	defer n.DeleteInterface(ctx, t, parentIfName)
+
+	const netName = "ipvlan-dns-net"
+
+	testcases := []struct {
+		name     string
+		parent   string
+		internal bool
+		expDNS   bool
+	}{
+		{
+			name:   "with parent",
+			parent: parentIfName,
+			// External DNS should be used (even though the network has no external connectivity).
+			expDNS: true,
+		},
+		{
+			name: "no parent",
+			// External DNS should not be used, equivalent to '--internal'.
+		},
+		{
+			name:     "with parent, internal",
+			parent:   parentIfName,
+			internal: true,
+			// External DNS should not be used.
+		},
+	}
+
+	for _, mode := range []string{"l2", "l3"} {
+		for _, tc := range testcases {
+			name := fmt.Sprintf("Mode=%v/HasParent=%v/Internal=%v", mode, tc.parent != "", tc.internal)
+			t.Run(name, func(t *testing.T) {
+				ctx := testutil.StartSpan(ctx, t)
+				createOpts := []func(*types.NetworkCreate){
+					net.WithIPvlan(tc.parent, mode),
+				}
+				if tc.internal {
+					createOpts = append(createOpts, net.WithInternal())
+				}
+				net.CreateNoError(ctx, t, c, netName, createOpts...)
+				defer c.NetworkRemove(ctx, netName)
+
+				ctrId := container.Run(ctx, t, c, container.WithNetworkMode(netName))
+				defer c.ContainerRemove(ctx, ctrId, containertypes.RemoveOptions{Force: true})
+				res, err := container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
+				assert.NilError(t, err)
+				if tc.expDNS {
+					assert.Check(t, is.Equal(res.ExitCode, 0))
+					assert.Check(t, is.Contains(res.Stdout(), net.DNSRespAddr))
+				} else {
+					assert.Check(t, is.Equal(res.ExitCode, 1))
+					assert.Check(t, is.Contains(res.Stdout(), "SERVFAIL"))
+				}
+			})
 		}
-	})
-
-	return ipvlanSupported
+	}
 }
diff --git a/integration/network/macvlan/macvlan_test.go b/integration/network/macvlan/macvlan_test.go
index 5b0a174..f07119d 100644
--- a/integration/network/macvlan/macvlan_test.go
+++ b/integration/network/macvlan/macvlan_test.go
@@ -7,6 +7,8 @@
 	"strings"
 	"testing"
 
+	"github.com/docker/docker/api/types"
+	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/integration/internal/container"
 	net "github.com/docker/docker/integration/internal/network"
@@ -14,6 +16,7 @@
 	"github.com/docker/docker/testutil"
 	"github.com/docker/docker/testutil/daemon"
 	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/skip"
 )
 
@@ -66,11 +69,17 @@
 			name: "InternalMode",
 			test: testMacvlanInternalMode,
 		}, {
-			name: "MultiSubnet",
-			test: testMacvlanMultiSubnet,
+			name: "MultiSubnetWithParent",
+			test: testMacvlanMultiSubnetWithParent,
+		}, {
+			name: "MultiSubnetNoParent",
+			test: testMacvlanMultiSubnetNoParent,
 		}, {
 			name: "Addressing",
 			test: testMacvlanAddressing,
+		}, {
+			name: "NoIPv6",
+			test: testMacvlanNoIPv6,
 		},
 	} {
 		tc := tc
@@ -173,10 +182,21 @@
 	assert.Check(t, err == nil)
 }
 
-func testMacvlanMultiSubnet(t *testing.T, ctx context.Context, client client.APIClient) {
+func testMacvlanMultiSubnetWithParent(t *testing.T, ctx context.Context, client client.APIClient) {
+	const parentIfName = "dm-dummy0"
+	n.CreateMasterDummy(ctx, t, parentIfName)
+	defer n.DeleteInterface(ctx, t, parentIfName)
+	testMacvlanMultiSubnet(t, ctx, client, parentIfName)
+}
+
+func testMacvlanMultiSubnetNoParent(t *testing.T, ctx context.Context, client client.APIClient) {
+	testMacvlanMultiSubnet(t, ctx, client, "")
+}
+
+func testMacvlanMultiSubnet(t *testing.T, ctx context.Context, client client.APIClient, parent string) {
 	netName := "dualstackbridge"
 	net.CreateNoError(ctx, t, client, netName,
-		net.WithMacvlan(""),
+		net.WithMacvlan(parent),
 		net.WithIPv6(),
 		net.WithIPAM("172.28.100.0/24", ""),
 		net.WithIPAM("172.28.102.0/24", "172.28.102.254"),
@@ -199,11 +219,22 @@
 	)
 	c1, err := client.ContainerInspect(ctx, id1)
 	assert.NilError(t, err)
+	if parent == "" {
+		// Inspect the v4 gateway to ensure no default GW was assigned
+		assert.Check(t, is.Equal(c1.NetworkSettings.Networks["dualstackbridge"].Gateway, ""))
+		// Inspect the v6 gateway to ensure no default GW was assigned
+		assert.Check(t, is.Equal(c1.NetworkSettings.Networks["dualstackbridge"].IPv6Gateway, ""))
+	} else {
+		// Inspect the v4 gateway to ensure the proper default GW was assigned
+		assert.Check(t, is.Equal(c1.NetworkSettings.Networks["dualstackbridge"].Gateway, "172.28.100.1"))
+		// Inspect the v6 gateway to ensure the proper default GW was assigned
+		assert.Check(t, is.Equal(c1.NetworkSettings.Networks["dualstackbridge"].IPv6Gateway, "2001:db8:abc2::1"))
+	}
 
-	// verify ipv4 connectivity to the explicit --ipv address second to first
+	// verify ipv4 connectivity to the explicit --ip address second to first
 	_, err = container.Exec(ctx, client, id2, []string{"ping", "-c", "1", c1.NetworkSettings.Networks["dualstackbridge"].IPAddress})
 	assert.NilError(t, err)
-	// verify ipv6 connectivity to the explicit --ipv6 address second to first
+	// verify ipv6 connectivity to the explicit --ip6 address second to first
 	_, err = container.Exec(ctx, client, id2, []string{"ping6", "-c", "1", c1.NetworkSettings.Networks["dualstackbridge"].GlobalIPv6Address})
 	assert.NilError(t, err)
 
@@ -220,29 +251,35 @@
 	)
 	c3, err := client.ContainerInspect(ctx, id3)
 	assert.NilError(t, err)
+	if parent == "" {
+		// Inspect the v4 gateway to ensure no default GW was assigned
+		assert.Check(t, is.Equal(c3.NetworkSettings.Networks["dualstackbridge"].Gateway, ""))
+		// Inspect the v6 gateway to ensure no default GW was assigned
+		assert.Check(t, is.Equal(c3.NetworkSettings.Networks["dualstackbridge"].IPv6Gateway, ""))
+	} else {
+		// Inspect the v4 gateway to ensure the proper explicitly assigned default GW was assigned
+		assert.Check(t, is.Equal(c3.NetworkSettings.Networks["dualstackbridge"].Gateway, "172.28.102.254"))
+		// Inspect the v6 gateway to ensure the proper explicitly assigned default GW was assigned
+		assert.Check(t, is.Equal(c3.NetworkSettings.Networks["dualstackbridge"].IPv6Gateway, "2001:db8:abc4::254"))
+	}
 
-	// verify ipv4 connectivity to the explicit --ipv address from third to fourth
+	// verify ipv4 connectivity to the explicit --ip address from third to fourth
 	_, err = container.Exec(ctx, client, id4, []string{"ping", "-c", "1", c3.NetworkSettings.Networks["dualstackbridge"].IPAddress})
 	assert.NilError(t, err)
-	// verify ipv6 connectivity to the explicit --ipv6 address from third to fourth
+	// verify ipv6 connectivity to the explicit --ip6 address from third to fourth
 	_, err = container.Exec(ctx, client, id4, []string{"ping6", "-c", "1", c3.NetworkSettings.Networks["dualstackbridge"].GlobalIPv6Address})
 	assert.NilError(t, err)
-
-	// Inspect the v4 gateway to ensure the proper default GW was assigned
-	assert.Equal(t, c1.NetworkSettings.Networks["dualstackbridge"].Gateway, "172.28.100.1")
-	// Inspect the v6 gateway to ensure the proper default GW was assigned
-	assert.Equal(t, c1.NetworkSettings.Networks["dualstackbridge"].IPv6Gateway, "2001:db8:abc2::1")
-	// Inspect the v4 gateway to ensure the proper explicitly assigned default GW was assigned
-	assert.Equal(t, c3.NetworkSettings.Networks["dualstackbridge"].Gateway, "172.28.102.254")
-	// Inspect the v6 gateway to ensure the proper explicitly assigned default GW was assigned
-	assert.Equal(t, c3.NetworkSettings.Networks["dualstackbridge"].IPv6Gateway, "2001:db8:abc4::254")
 }
 
 func testMacvlanAddressing(t *testing.T, ctx context.Context, client client.APIClient) {
+	const parentIfName = "dm-dummy0"
+	n.CreateMasterDummy(ctx, t, parentIfName)
+	defer n.DeleteInterface(ctx, t, parentIfName)
+
 	// Ensure the default gateways, next-hops and default dev devices are properly set
 	netName := "dualstackbridge"
 	net.CreateNoError(ctx, t, client, netName,
-		net.WithMacvlan(""),
+		net.WithMacvlan(parentIfName),
 		net.WithIPv6(),
 		net.WithOption("macvlan_mode", "bridge"),
 		net.WithIPAM("172.28.130.0/24", ""),
@@ -263,3 +300,107 @@
 	assert.NilError(t, err)
 	assert.Check(t, strings.Contains(result.Combined(), "default via 2001:db8:abca::254 dev eth0"))
 }
+
+// Check that a macvlan interface with '--ipv6=false' doesn't get kernel-assigned
+// IPv6 addresses, but the loopback interface does still have an IPv6 address ('::1').
+func testMacvlanNoIPv6(t *testing.T, ctx context.Context, client client.APIClient) {
+	const netName = "macvlannet"
+
+	net.CreateNoError(ctx, t, client, netName,
+		net.WithMacvlan(""),
+		net.WithOption("macvlan_mode", "bridge"),
+	)
+	assert.Check(t, n.IsNetworkAvailable(ctx, client, netName))
+
+	id := container.Run(ctx, t, client, container.WithNetworkMode(netName))
+
+	loRes := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "lo"})
+	assert.Check(t, is.Contains(loRes.Combined(), " inet "))
+	assert.Check(t, is.Contains(loRes.Combined(), " inet6 "))
+
+	eth0Res := container.ExecT(ctx, t, client, id, []string{"ip", "a", "show", "dev", "eth0"})
+	assert.Check(t, is.Contains(eth0Res.Combined(), " inet "))
+	assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "),
+		"result.Combined(): %s", eth0Res.Combined())
+
+	sysctlRes := container.ExecT(ctx, t, client, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"})
+	assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1"))
+}
+
+// TestMACVlanDNS checks whether DNS is forwarded, with/without a parent
+// interface, and with '--internal'. Note that there's no attempt here to give
+// the macvlan network external connectivity - when this test supplies a parent
+// interface, it's a dummy. External DNS lookups only work because the daemon is
+// configured to see a host resolver on a loopback interface, so the external DNS
+// lookup happens in the host's namespace. The test is checking that an
+// automatically configured dummy interface causes the network to behave as if it
+// was '--internal'.
+func TestMACVlanDNS(t *testing.T) {
+	skip.If(t, testEnv.IsRootless, "rootless mode has different view of network")
+
+	ctx := testutil.StartSpan(baseContext, t)
+
+	net.StartDaftDNS(t, "127.0.0.1")
+
+	tmpFileName := net.WriteTempResolvConf(t, "127.0.0.1")
+	d := daemon.New(t, daemon.WithEnvVars("DOCKER_TEST_RESOLV_CONF_PATH="+tmpFileName))
+	d.StartWithBusybox(ctx, t)
+	t.Cleanup(func() { d.Stop(t) })
+	c := d.NewClientT(t)
+
+	const parentIfName = "dm-dummy0"
+	n.CreateMasterDummy(ctx, t, parentIfName)
+	defer n.DeleteInterface(ctx, t, parentIfName)
+
+	const netName = "macvlan-dns-net"
+
+	testcases := []struct {
+		name     string
+		parent   string
+		internal bool
+		expDNS   bool
+	}{
+		{
+			name:   "with parent",
+			parent: parentIfName,
+			// External DNS should be used (even though the network has no external connectivity).
+			expDNS: true,
+		},
+		{
+			name: "no parent",
+			// External DNS should not be used, equivalent to '--internal'.
+		},
+		{
+			name:     "with parent, internal",
+			parent:   parentIfName,
+			internal: true,
+			expDNS:   false,
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := testutil.StartSpan(ctx, t)
+			createOpts := []func(*types.NetworkCreate){
+				net.WithMacvlan(tc.parent),
+			}
+			if tc.internal {
+				createOpts = append(createOpts, net.WithInternal())
+			}
+			net.CreateNoError(ctx, t, c, netName, createOpts...)
+			defer c.NetworkRemove(ctx, netName)
+
+			ctrId := container.Run(ctx, t, c, container.WithNetworkMode(netName))
+			defer c.ContainerRemove(ctx, ctrId, containertypes.RemoveOptions{Force: true})
+			res, err := container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
+			assert.NilError(t, err)
+			if tc.expDNS {
+				assert.Check(t, is.Equal(res.ExitCode, 0))
+				assert.Check(t, is.Contains(res.Stdout(), net.DNSRespAddr))
+			} else {
+				assert.Check(t, is.Equal(res.ExitCode, 1))
+				assert.Check(t, is.Contains(res.Stdout(), "SERVFAIL"))
+			}
+		})
+	}
+}
diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go
index b5eb0fd..cb2abfa 100644
--- a/integration/networking/bridge_test.go
+++ b/integration/networking/bridge_test.go
@@ -4,6 +4,7 @@
 	"context"
 	"fmt"
 	"regexp"
+	"strings"
 	"testing"
 	"time"
 
@@ -468,7 +469,6 @@
 	skip.If(t, testEnv.DaemonInfo.OSType == "windows")
 
 	ctx := setupTest(t)
-	d := daemon.New(t)
 
 	type testStep struct {
 		stepName    string
@@ -486,13 +486,13 @@
 				{
 					stepName:    "Set up initial UL prefix",
 					fixedCIDRV6: "fd1c:f1a0:5d8d:aaaa::/64",
-					expAddrs:    []string{"fd1c:f1a0:5d8d:aaaa::1/64", "fe80::1/64"},
+					expAddrs:    []string{"fd1c:f1a0:5d8d:aaaa::1/64", "fe80::"},
 				},
 				{
 					// Modify that prefix, the default bridge's address must be deleted and re-added.
 					stepName:    "Modify UL prefix - address change",
 					fixedCIDRV6: "fd1c:f1a0:5d8d:bbbb::/64",
-					expAddrs:    []string{"fd1c:f1a0:5d8d:bbbb::1/64", "fe80::1/64"},
+					expAddrs:    []string{"fd1c:f1a0:5d8d:bbbb::1/64", "fe80::"},
 				},
 				{
 					// Modify the prefix length, the default bridge's address should not change.
@@ -500,7 +500,7 @@
 					fixedCIDRV6: "fd1c:f1a0:5d8d:bbbb::/80",
 					// The prefix length displayed by 'ip a' is not updated - it's informational, and
 					// can't be changed without unnecessarily deleting and re-adding the address.
-					expAddrs: []string{"fd1c:f1a0:5d8d:bbbb::1/64", "fe80::1/64"},
+					expAddrs: []string{"fd1c:f1a0:5d8d:bbbb::1/64", "fe80::"},
 				},
 			},
 		},
@@ -510,14 +510,14 @@
 				{
 					stepName:    "Standard LL subnet prefix",
 					fixedCIDRV6: "fe80::/64",
-					expAddrs:    []string{"fe80::1/64"},
+					expAddrs:    []string{"fe80::"},
 				},
 				{
 					// Modify that prefix, the default bridge's address must be deleted and re-added.
 					// The bridge must still have an address in the required (standard) LL subnet.
 					stepName:    "Nonstandard LL prefix - address change",
 					fixedCIDRV6: "fe80:1234::/32",
-					expAddrs:    []string{"fe80:1234::1/32", "fe80::1/64"},
+					expAddrs:    []string{"fe80:1234::1/32", "fe80::"},
 				},
 				{
 					// Modify the prefix length, the addresses should not change.
@@ -525,32 +525,48 @@
 					fixedCIDRV6: "fe80:1234::/64",
 					// The prefix length displayed by 'ip a' is not updated - it's informational, and
 					// can't be changed without unnecessarily deleting and re-adding the address.
-					expAddrs: []string{"fe80:1234::1/", "fe80::1/64"},
+					expAddrs: []string{"fe80:1234::1/", "fe80::"},
 				},
 			},
 		},
 	}
 
-	for _, tc := range testcases {
-		t.Run(tc.name, func(t *testing.T) {
-			for _, step := range tc.steps {
-				// Check that the daemon starts - regression test for:
-				//   https://github.com/moby/moby/issues/46829
-				d.Start(t, "--experimental", "--ipv6", "--ip6tables", "--fixed-cidr-v6="+step.fixedCIDRV6)
-				d.Stop(t)
+	for _, preserveKernelLL := range []bool{false, true} {
+		var dopts []daemon.Option
+		if preserveKernelLL {
+			dopts = append(dopts, daemon.WithEnvVars("DOCKER_BRIDGE_PRESERVE_KERNEL_LL=1"))
+		}
+		d := daemon.New(t, dopts...)
+		c := d.NewClientT(t)
 
-				// Check that the expected addresses have been applied to the bridge. (Skip in
-				// rootless mode, because the bridge is in a different network namespace.)
-				if !testEnv.IsRootless() {
-					res := testutil.RunCommand(ctx, "ip", "-6", "addr", "show", "docker0")
-					assert.Equal(t, res.ExitCode, 0, step.stepName)
-					stdout := res.Stdout()
-					for _, expAddr := range step.expAddrs {
-						assert.Check(t, is.Contains(stdout, expAddr))
+		for _, tc := range testcases {
+			for _, step := range tc.steps {
+				tcName := fmt.Sprintf("kernel_ll_%v/%s/%s", preserveKernelLL, tc.name, step.stepName)
+				t.Run(tcName, func(t *testing.T) {
+					ctx := testutil.StartSpan(ctx, t)
+					// Check that the daemon starts - regression test for:
+					//   https://github.com/moby/moby/issues/46829
+					d.StartWithBusybox(ctx, t, "--experimental", "--ipv6", "--ip6tables", "--fixed-cidr-v6="+step.fixedCIDRV6)
+
+					// Start a container, so that the bridge is set "up" and gets a kernel_ll address.
+					cID := container.Run(ctx, t, c)
+					defer c.ContainerRemove(ctx, cID, containertypes.RemoveOptions{Force: true})
+
+					d.Stop(t)
+
+					// Check that the expected addresses have been applied to the bridge. (Skip in
+					// rootless mode, because the bridge is in a different network namespace.)
+					if !testEnv.IsRootless() {
+						res := testutil.RunCommand(ctx, "ip", "-6", "addr", "show", "docker0")
+						assert.Equal(t, res.ExitCode, 0, step.stepName)
+						stdout := res.Stdout()
+						for _, expAddr := range step.expAddrs {
+							assert.Check(t, is.Contains(stdout, expAddr))
+						}
 					}
-				}
+				})
 			}
-		})
+		}
 	}
 }
 
@@ -611,8 +627,8 @@
 	assert.Check(t, is.Contains(res.Stderr(), "Network is unreachable"))
 }
 
-// Check that the container's interface has no IPv6 address when IPv6 is
-// disabled in a container via sysctl.
+// Check that the container's interfaces have no IPv6 address when IPv6 is
+// disabled in a container via sysctl (including 'lo').
 func TestDisableIPv6Addrs(t *testing.T) {
 	skip.If(t, testEnv.DaemonInfo.OSType == "windows")
 
@@ -676,6 +692,40 @@
 	}
 }
 
+// Check that an interface to an '--ipv6=false' network has no IPv6
+// address - either IPAM assigned, or kernel-assigned LL, but the loopback
+// interface does still have an IPv6 address ('::1').
+func TestNonIPv6Network(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType == "windows")
+
+	ctx := setupTest(t)
+	d := daemon.New(t)
+	d.StartWithBusybox(ctx, t)
+	defer d.Stop(t)
+
+	c := d.NewClientT(t)
+	defer c.Close()
+
+	const netName = "testnet"
+	network.CreateNoError(ctx, t, c, netName)
+	defer network.RemoveNoError(ctx, t, c, netName)
+
+	id := container.Run(ctx, t, c, container.WithNetworkMode(netName))
+	defer c.ContainerRemove(ctx, id, containertypes.RemoveOptions{Force: true})
+
+	loRes := container.ExecT(ctx, t, c, id, []string{"ip", "a", "show", "dev", "lo"})
+	assert.Check(t, is.Contains(loRes.Combined(), " inet "))
+	assert.Check(t, is.Contains(loRes.Combined(), " inet6 "))
+
+	eth0Res := container.ExecT(ctx, t, c, id, []string{"ip", "a", "show", "dev", "eth0"})
+	assert.Check(t, is.Contains(eth0Res.Combined(), " inet "))
+	assert.Check(t, !strings.Contains(eth0Res.Combined(), " inet6 "),
+		"result.Combined(): %s", eth0Res.Combined())
+
+	sysctlRes := container.ExecT(ctx, t, c, id, []string{"sysctl", "-n", "net.ipv6.conf.eth0.disable_ipv6"})
+	assert.Check(t, is.Equal(strings.TrimSpace(sysctlRes.Combined()), "1"))
+}
+
 // Test that it's possible to set a sysctl on an interface in the container.
 // Regression test for https://github.com/moby/moby/issues/47619
 func TestSetInterfaceSysctl(t *testing.T) {
@@ -703,3 +753,78 @@
 	stdout := runRes.Stdout.String()
 	assert.Check(t, is.Contains(stdout, scName))
 }
+
+// With a read-only "/proc/sys/net" filesystem (simulated using env var
+// DOCKER_TEST_RO_DISABLE_IPV6), check that if IPv6 can't be disabled on a
+// container interface, container creation fails - unless the error is ignored by
+// setting env var DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE=1.
+// Regression test for https://github.com/moby/moby/issues/47751
+func TestReadOnlySlashProc(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType == "windows")
+
+	ctx := setupTest(t)
+
+	testcases := []struct {
+		name      string
+		daemonEnv []string
+		expErr    string
+	}{
+		{
+			name: "Normality",
+		},
+		{
+			name: "Read only no workaround",
+			daemonEnv: []string{
+				"DOCKER_TEST_RO_DISABLE_IPV6=1",
+			},
+			expErr: "failed to disable IPv6 on container's interface eth0, set env var DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE=1 to ignore this error",
+		},
+		{
+			name: "Read only with workaround",
+			daemonEnv: []string{
+				"DOCKER_TEST_RO_DISABLE_IPV6=1",
+				"DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE=1",
+			},
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctx := testutil.StartSpan(ctx, t)
+
+			d := daemon.New(t, daemon.WithEnvVars(tc.daemonEnv...))
+			d.StartWithBusybox(ctx, t)
+			defer d.Stop(t)
+			c := d.NewClientT(t)
+
+			const net4Name = "testnet4"
+			network.CreateNoError(ctx, t, c, net4Name)
+			defer network.RemoveNoError(ctx, t, c, net4Name)
+			id4 := container.Create(ctx, t, c,
+				container.WithNetworkMode(net4Name),
+				container.WithCmd("ls"),
+			)
+			defer c.ContainerRemove(ctx, id4, containertypes.RemoveOptions{Force: true})
+			err := c.ContainerStart(ctx, id4, containertypes.StartOptions{})
+			if tc.expErr == "" {
+				assert.Check(t, err)
+			} else {
+				assert.Check(t, is.ErrorContains(err, tc.expErr))
+			}
+
+			// It should always be possible to create a container on an IPv6 network (IPv6
+			// doesn't need to be disabled on the interface).
+			const net6Name = "testnet6"
+			network.CreateNoError(ctx, t, c, net6Name,
+				network.WithIPv6(),
+				network.WithIPAM("fd5c:15e3:0b62:5395::/64", "fd5c:15e3:0b62:5395::1"),
+			)
+			defer network.RemoveNoError(ctx, t, c, net6Name)
+			id6 := container.Run(ctx, t, c,
+				container.WithNetworkMode(net6Name),
+				container.WithCmd("ls"),
+			)
+			defer c.ContainerRemove(ctx, id6, containertypes.RemoveOptions{Force: true})
+		})
+	}
+}
diff --git a/integration/networking/resolvconf_test.go b/integration/networking/resolvconf_test.go
index f776d7b..ad89954 100644
--- a/integration/networking/resolvconf_test.go
+++ b/integration/networking/resolvconf_test.go
@@ -1,38 +1,20 @@
 package networking
 
 import (
-	"net"
-	"os"
+	"context"
 	"strings"
 	"testing"
+	"time"
 
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/integration/internal/container"
 	"github.com/docker/docker/integration/internal/network"
 	"github.com/docker/docker/testutil/daemon"
-	"github.com/miekg/dns"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/skip"
 )
 
-// writeTempResolvConf writes a resolv.conf that only contains a single
-// nameserver line, with address addr.
-// It returns the name of the temp file.
-func writeTempResolvConf(t *testing.T, addr string) string {
-	t.Helper()
-	// Not using t.TempDir() here because in rootless mode, while the temporary
-	// directory gets mode 0777, it's a subdir of an 0700 directory owned by root.
-	// So, it's not accessible by the daemon.
-	f, err := os.CreateTemp("", "resolv.conf")
-	assert.NilError(t, err)
-	t.Cleanup(func() { os.Remove(f.Name()) })
-	err = f.Chmod(0644)
-	assert.NilError(t, err)
-	f.Write([]byte("nameserver " + addr + "\n"))
-	return f.Name()
-}
-
 // Regression test for https://github.com/moby/moby/issues/46968
 func TestResolvConfLocalhostIPv6(t *testing.T) {
 	// No "/etc/resolv.conf" on Windows.
@@ -40,7 +22,7 @@
 
 	ctx := setupTest(t)
 
-	tmpFileName := writeTempResolvConf(t, "127.0.0.53")
+	tmpFileName := network.WriteTempResolvConf(t, "127.0.0.53")
 
 	d := daemon.New(t, daemon.WithEnvVars("DOCKER_TEST_RESOLV_CONF_PATH="+tmpFileName))
 	d.StartWithBusybox(ctx, t, "--experimental", "--ip6tables")
@@ -81,43 +63,6 @@
 `))
 }
 
-const dnsRespAddr = "10.11.12.13"
-
-// startDaftDNS starts and returns a really, really daft DNS server that only
-// responds to type-A requests, and always with address dnsRespAddr.
-func startDaftDNS(t *testing.T, addr string) *dns.Server {
-	serveDNS := func(w dns.ResponseWriter, query *dns.Msg) {
-		if query.Question[0].Qtype == dns.TypeA {
-			resp := &dns.Msg{}
-			resp.SetReply(query)
-			answer := &dns.A{
-				Hdr: dns.RR_Header{
-					Name:   query.Question[0].Name,
-					Rrtype: dns.TypeA,
-					Class:  dns.ClassINET,
-					Ttl:    600,
-				},
-			}
-			answer.A = net.ParseIP(dnsRespAddr)
-			resp.Answer = append(resp.Answer, answer)
-			_ = w.WriteMsg(resp)
-		}
-	}
-
-	conn, err := net.ListenUDP("udp", &net.UDPAddr{
-		IP:   net.ParseIP(addr),
-		Port: 53,
-	})
-	assert.NilError(t, err)
-
-	server := &dns.Server{Handler: dns.HandlerFunc(serveDNS), PacketConn: conn}
-	go func() {
-		_ = server.ActivateAndServe()
-	}()
-
-	return server
-}
-
 // Check that when a container is connected to an internal network, DNS
 // requests sent to daemon's internal DNS resolver are not forwarded to
 // an upstream resolver listening on a localhost address.
@@ -128,11 +73,10 @@
 	ctx := setupTest(t)
 
 	// Start a DNS server on the loopback interface.
-	server := startDaftDNS(t, "127.0.0.1")
-	defer server.Shutdown()
+	network.StartDaftDNS(t, "127.0.0.1")
 
 	// Set up a temp resolv.conf pointing at that DNS server, and a daemon using it.
-	tmpFileName := writeTempResolvConf(t, "127.0.0.1")
+	tmpFileName := network.WriteTempResolvConf(t, "127.0.0.1")
 	d := daemon.New(t, daemon.WithEnvVars("DOCKER_TEST_RESOLV_CONF_PATH="+tmpFileName))
 	d.StartWithBusybox(ctx, t, "--experimental", "--ip6tables")
 	defer d.Stop(t)
@@ -160,7 +104,7 @@
 	res, err := container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
 	assert.NilError(t, err)
 	assert.Check(t, is.Equal(res.ExitCode, 0))
-	assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
+	assert.Check(t, is.Contains(res.Stdout(), network.DNSRespAddr))
 
 	// Connect the container to the internal network as well.
 	// External DNS should still be used.
@@ -169,7 +113,7 @@
 	res, err = container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
 	assert.NilError(t, err)
 	assert.Check(t, is.Equal(res.ExitCode, 0))
-	assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
+	assert.Check(t, is.Contains(res.Stdout(), network.DNSRespAddr))
 
 	// Disconnect from the external network.
 	// Expect no access to the external DNS.
@@ -187,5 +131,29 @@
 	res, err = container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
 	assert.NilError(t, err)
 	assert.Check(t, is.Equal(res.ExitCode, 0))
-	assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
+	assert.Check(t, is.Contains(res.Stdout(), network.DNSRespAddr))
+}
+
+// TestNslookupWindows checks that nslookup gets results from external DNS.
+// Regression test for https://github.com/moby/moby/issues/46792
+func TestNslookupWindows(t *testing.T) {
+	skip.If(t, testEnv.DaemonInfo.OSType != "windows")
+
+	ctx := setupTest(t)
+	c := testEnv.APIClient()
+
+	attachCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+	res := container.RunAttach(attachCtx, t, c,
+		container.WithCmd("nslookup", "docker.com"),
+	)
+	defer c.ContainerRemove(ctx, res.ContainerID, containertypes.RemoveOptions{Force: true})
+
+	assert.Check(t, is.Equal(res.ExitCode, 0))
+	// Current default is to not-forward requests to external servers, which
+	// can only be changed in daemon.json using feature flag "windows-dns-proxy".
+	// So, expect the lookup to fail...
+	assert.Check(t, is.Contains(res.Stderr.String(), "Server failed"))
+	// When the default behaviour is changed, nslookup should succeed...
+	//assert.Check(t, is.Contains(res.Stdout.String(), "Addresses:"))
 }
diff --git a/internal/testutils/specialimage/configtarget.go b/internal/testutils/specialimage/configtarget.go
new file mode 100644
index 0000000..944e9d5
--- /dev/null
+++ b/internal/testutils/specialimage/configtarget.go
@@ -0,0 +1,33 @@
+package specialimage
+
+import (
+	"github.com/containerd/containerd/platforms"
+	"github.com/distribution/reference"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+// ConfigTarget creates an image index with an image config being used as an
+// image target instead of a manifest or index.
+func ConfigTarget(dir string) (*ocispec.Index, error) {
+	const imageRef = "config:latest"
+
+	ref, err := reference.ParseNormalizedNamed(imageRef)
+	if err != nil {
+		return nil, err
+	}
+
+	desc, err := writeJsonBlob(dir, ocispec.MediaTypeImageConfig, ocispec.Image{
+		Platform: platforms.MustParse("linux/amd64"),
+		Config: ocispec.ImageConfig{
+			Env: []string{"FOO=BAR"},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	desc.Annotations = map[string]string{
+		"io.containerd.image.name": ref.String(),
+	}
+
+	return ociImage(dir, ref, desc)
+}
diff --git a/internal/testutils/specialimage/multilayer.go b/internal/testutils/specialimage/multilayer.go
index b7352d0..6875051 100644
--- a/internal/testutils/specialimage/multilayer.go
+++ b/internal/testutils/specialimage/multilayer.go
@@ -102,19 +102,24 @@
 		}
 	}
 
-	idx := ocispec.Index{
-		Versioned: specs.Versioned{SchemaVersion: 2},
-		MediaType: ocispec.MediaTypeImageIndex,
-		Manifests: []ocispec.Descriptor{manifestDesc},
-	}
-	if err := writeJson(idx, filepath.Join(dir, "index.json")); err != nil {
-		return nil, err
-	}
 	if err := writeJson(legacyManifests, filepath.Join(dir, "manifest.json")); err != nil {
 		return nil, err
 	}
 
-	err = os.WriteFile(filepath.Join(dir, "oci-layout"), []byte(`{"imageLayoutVersion": "1.0.0"}`), 0o644)
+	return ociImage(dir, ref, manifestDesc)
+}
+
+func ociImage(dir string, ref reference.Named, target ocispec.Descriptor) (*ocispec.Index, error) {
+	idx := ocispec.Index{
+		Versioned: specs.Versioned{SchemaVersion: 2},
+		MediaType: ocispec.MediaTypeImageIndex,
+		Manifests: []ocispec.Descriptor{target},
+	}
+	if err := writeJson(idx, filepath.Join(dir, "index.json")); err != nil {
+		return nil, err
+	}
+
+	err := os.WriteFile(filepath.Join(dir, "oci-layout"), []byte(`{"imageLayoutVersion": "1.0.0"}`), 0o644)
 	if err != nil {
 		return nil, err
 	}
diff --git a/libnetwork/cnmallocator/drivers_ipam.go b/libnetwork/cnmallocator/drivers_ipam.go
index 455d64b..8d0608c 100644
--- a/libnetwork/cnmallocator/drivers_ipam.go
+++ b/libnetwork/cnmallocator/drivers_ipam.go
@@ -7,8 +7,7 @@
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/libnetwork/ipamapi"
-	builtinIpam "github.com/docker/docker/libnetwork/ipams/builtin"
-	nullIpam "github.com/docker/docker/libnetwork/ipams/null"
+	"github.com/docker/docker/libnetwork/ipams"
 	"github.com/docker/docker/libnetwork/ipamutils"
 	"github.com/moby/swarmkit/v2/manager/allocator/networkallocator"
 )
@@ -33,20 +32,13 @@
 		str.WriteString(strconv.Itoa(int(netConfig.SubnetSize)))
 
 	}
-	if err := ipamutils.ConfigGlobalScopeDefaultNetworks(addressPool); err != nil {
-		return err
-	}
-	if addressPool != nil {
+
+	if len(addressPool) > 0 {
 		log.G(context.TODO()).Infof("Swarm initialized global default address pool to: " + str.String())
 	}
 
-	for _, fn := range [](func(ipamapi.Registerer) error){
-		builtinIpam.Register,
-		nullIpam.Register,
-	} {
-		if err := fn(r); err != nil {
-			return err
-		}
+	if err := ipams.Register(r, nil, nil, addressPool); err != nil {
+		return err
 	}
 
 	return nil
diff --git a/libnetwork/cnmallocator/networkallocator.go b/libnetwork/cnmallocator/networkallocator.go
index a3cf41e..30da92d 100644
--- a/libnetwork/cnmallocator/networkallocator.go
+++ b/libnetwork/cnmallocator/networkallocator.go
@@ -11,6 +11,7 @@
 	"github.com/docker/docker/libnetwork/drivers/remote"
 	"github.com/docker/docker/libnetwork/drvregistry"
 	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
 	remoteipam "github.com/docker/docker/libnetwork/ipams/remote"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/scope"
@@ -803,7 +804,7 @@
 
 // Resolve the IPAM driver
 func (na *cnmNetworkAllocator) resolveIPAM(n *api.Network) (ipamapi.Ipam, string, map[string]string, error) {
-	dName := ipamapi.DefaultIPAM
+	dName := defaultipam.DriverName
 	if n.Spec.IPAM != nil && n.Spec.IPAM.Driver != nil && n.Spec.IPAM.Driver.Name != "" {
 		dName = n.Spec.IPAM.Driver.Name
 	}
@@ -884,13 +885,18 @@
 	}
 
 	for i, ic := range ipamConfigs {
-		poolID, poolIP, meta, err := ipam.RequestPool(asName, ic.Subnet, ic.Range, dOptions, false)
+		alloc, err := ipam.RequestPool(ipamapi.PoolRequest{
+			AddressSpace: asName,
+			Pool:         ic.Subnet,
+			SubPool:      ic.Range,
+			Options:      dOptions,
+		})
 		if err != nil {
 			// Rollback by releasing all the resources allocated so far.
 			releasePools(ipam, ipamConfigs[:i], pools)
 			return nil, err
 		}
-		pools[poolIP.String()] = poolID
+		pools[alloc.Pool.String()] = alloc.PoolID
 
 		// The IPAM contract allows the IPAM driver to autonomously
 		// provide a network gateway in response to the pool request.
@@ -902,7 +908,7 @@
 			gwIP *net.IPNet
 			ip   net.IP
 		)
-		if gws, ok := meta[netlabel.Gateway]; ok {
+		if gws, ok := alloc.Meta[netlabel.Gateway]; ok {
 			if ip, gwIP, err = net.ParseCIDR(gws); err != nil {
 				return nil, fmt.Errorf("failed to parse gateway address (%v) returned by ipam driver: %v", gws, err)
 			}
@@ -917,7 +923,7 @@
 		defer delete(dOptions, ipamapi.RequestAddressType)
 
 		if ic.Gateway != "" || gwIP == nil {
-			gwIP, _, err = ipam.RequestAddress(poolID, net.ParseIP(ic.Gateway), dOptions)
+			gwIP, _, err = ipam.RequestAddress(alloc.PoolID, net.ParseIP(ic.Gateway), dOptions)
 			if err != nil {
 				// Rollback by releasing all the resources allocated so far.
 				releasePools(ipam, ipamConfigs[:i], pools)
@@ -926,7 +932,7 @@
 		}
 
 		if ic.Subnet == "" {
-			ic.Subnet = poolIP.String()
+			ic.Subnet = alloc.Pool.String()
 		}
 
 		if ic.Gateway == "" {
diff --git a/libnetwork/cnmallocator/networkallocator_test.go b/libnetwork/cnmallocator/networkallocator_test.go
index b4a5783..30165f3 100644
--- a/libnetwork/cnmallocator/networkallocator_test.go
+++ b/libnetwork/cnmallocator/networkallocator_test.go
@@ -3,9 +3,10 @@
 import (
 	"fmt"
 	"net"
+	"net/netip"
 	"testing"
 
-	"github.com/docker/docker/libnetwork/types"
+	"github.com/docker/docker/libnetwork/ipamapi"
 	"github.com/moby/swarmkit/v2/api"
 	"github.com/moby/swarmkit/v2/manager/allocator/networkallocator"
 	"gotest.tools/v3/assert"
@@ -728,11 +729,14 @@
 	return "defaultAS", "defaultAS", nil
 }
 
-func (a *mockIpam) RequestPool(addressSpace, pool, subPool string, options map[string]string, v6 bool) (string, *net.IPNet, map[string]string, error) {
-	a.actualIpamOptions = options
+func (a *mockIpam) RequestPool(req ipamapi.PoolRequest) (ipamapi.AllocatedPool, error) {
+	a.actualIpamOptions = req.Options
 
-	poolCidr, _ := types.ParseCIDR(pool)
-	return fmt.Sprintf("%s/%s", "defaultAS", pool), poolCidr, nil, nil
+	poolCidr := netip.MustParsePrefix(req.Pool)
+	return ipamapi.AllocatedPool{
+		PoolID: fmt.Sprintf("defaultAS/%s", req.Pool),
+		Pool:   poolCidr,
+	}, nil
 }
 
 func (a *mockIpam) ReleasePool(poolID string) error {
diff --git a/libnetwork/cnmallocator/provider.go b/libnetwork/cnmallocator/provider.go
index 331505d..78120a8 100644
--- a/libnetwork/cnmallocator/provider.go
+++ b/libnetwork/cnmallocator/provider.go
@@ -6,6 +6,7 @@
 	"github.com/docker/docker/libnetwork/driverapi"
 	"github.com/docker/docker/libnetwork/drivers/overlay/overlayutils"
 	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
 	"github.com/docker/docker/pkg/plugingetter"
 	"github.com/moby/swarmkit/v2/api"
 	"github.com/moby/swarmkit/v2/manager/allocator/networkallocator"
@@ -35,7 +36,7 @@
 	if driver.Name == "" {
 		return status.Errorf(codes.InvalidArgument, "driver name: if driver is specified name is required")
 	}
-	if strings.ToLower(driver.Name) == ipamapi.DefaultIPAM {
+	if strings.ToLower(driver.Name) == defaultipam.DriverName {
 		return nil
 	}
 	return p.validatePluginDriver(driver, ipamapi.PluginEndpointType)
diff --git a/libnetwork/controller.go b/libnetwork/controller.go
index 9a34a87..dcb5524 100644
--- a/libnetwork/controller.go
+++ b/libnetwork/controller.go
@@ -63,6 +63,7 @@
 	remotedriver "github.com/docker/docker/libnetwork/drivers/remote"
 	"github.com/docker/docker/libnetwork/drvregistry"
 	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/osl"
 	"github.com/docker/docker/libnetwork/scope"
@@ -132,7 +133,7 @@
 		return nil, err
 	}
 
-	if err := initIPAMDrivers(&c.ipamRegistry, c.cfg.PluginGetter, c.cfg.DefaultAddressPool); err != nil {
+	if err := ipams.Register(&c.ipamRegistry, c.cfg.PluginGetter, c.cfg.DefaultAddressPool, nil); err != nil {
 		return nil, err
 	}
 
diff --git a/libnetwork/drivers/bridge/interface_linux.go b/libnetwork/drivers/bridge/interface_linux.go
index 2a9c375..a78c02ca 100644
--- a/libnetwork/drivers/bridge/interface_linux.go
+++ b/libnetwork/drivers/bridge/interface_linux.go
@@ -5,6 +5,7 @@
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/errdefs"
@@ -73,18 +74,20 @@
 func getRequiredIPv6Addrs(config *networkConfiguration) (requiredAddrs map[netip.Addr]netip.Prefix, err error) {
 	requiredAddrs = make(map[netip.Addr]netip.Prefix)
 
-	// Always give the bridge 'fe80::1' - every interface is required to have an
-	// address in 'fe80::/64'. Linux may assign an address, but we'll replace it with
-	// 'fe80::1'. Then, if the configured prefix is 'fe80::/64', the IPAM pool
-	// assigned address will not be a second address in the LL subnet.
-	ra, ok := netiputil.ToPrefix(bridgeIPv6)
-	if !ok {
-		err = fmt.Errorf("Failed to convert Link-Local IPv6 address to netip.Prefix")
-		return nil, err
+	if os.Getenv("DOCKER_BRIDGE_PRESERVE_KERNEL_LL") != "1" {
+		// Always give the bridge 'fe80::1' - every interface is required to have an
+		// address in 'fe80::/64'. Linux may assign an address, but we'll replace it with
+		// 'fe80::1'. Then, if the configured prefix is 'fe80::/64', the IPAM pool
+		// assigned address will not be a second address in the LL subnet.
+		ra, ok := netiputil.ToPrefix(bridgeIPv6)
+		if !ok {
+			err = fmt.Errorf("Failed to convert Link-Local IPv6 address to netip.Prefix")
+			return nil, err
+		}
+		requiredAddrs[ra.Addr()] = ra
 	}
-	requiredAddrs[ra.Addr()] = ra
 
-	ra, ok = netiputil.ToPrefix(config.AddressIPv6)
+	ra, ok := netiputil.ToPrefix(config.AddressIPv6)
 	if !ok {
 		err = fmt.Errorf("failed to convert bridge IPv6 address '%s' to netip.Prefix", config.AddressIPv6.String())
 		return nil, err
@@ -116,6 +119,14 @@
 		if !ok {
 			return errdefs.System(fmt.Errorf("Failed to convert IPv6 address '%s' to netip.Addr", config.AddressIPv6))
 		}
+		// Optionally, avoid deleting the kernel-assigned link local address.
+		// (Don't delete fe80::1 either - if it was previously assigned to the bridge, and the
+		// kernel_ll address was deleted, the bridge won't get a new kernel_ll address.)
+		if os.Getenv("DOCKER_BRIDGE_PRESERVE_KERNEL_LL") == "1" {
+			if p, _ := ea.Prefix(64); p == linkLocalPrefix {
+				continue
+			}
+		}
 		// Ignore the prefix length when comparing addresses, it's informational
 		// (RFC-5942 section 4), and removing/re-adding an address that's still valid
 		// would disrupt traffic on live-restore.
diff --git a/libnetwork/drivers/bridge/setup_ipv6_linux.go b/libnetwork/drivers/bridge/setup_ipv6_linux.go
index 779306f..2cb0da7 100644
--- a/libnetwork/drivers/bridge/setup_ipv6_linux.go
+++ b/libnetwork/drivers/bridge/setup_ipv6_linux.go
@@ -4,6 +4,7 @@
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 	"os"
 
 	"github.com/containerd/log"
@@ -13,6 +14,9 @@
 // bridgeIPv6 is the default, link-local IPv6 address for the bridge (fe80::1/64)
 var bridgeIPv6 = &net.IPNet{IP: net.ParseIP("fe80::1"), Mask: net.CIDRMask(64, 128)}
 
+// Standard link local prefix
+var linkLocalPrefix = netip.MustParsePrefix("fe80::/64")
+
 const (
 	ipv6ForwardConfPerm    = 0o644
 	ipv6ForwardConfDefault = "/proc/sys/net/ipv6/conf/default/forwarding"
diff --git a/libnetwork/drivers/ipvlan/ipvlan_joinleave.go b/libnetwork/drivers/ipvlan/ipvlan_joinleave.go
index f00e279..59e27bb 100644
--- a/libnetwork/drivers/ipvlan/ipvlan_joinleave.go
+++ b/libnetwork/drivers/ipvlan/ipvlan_joinleave.go
@@ -122,6 +122,10 @@
 			log.G(context.TODO()).Debugf("Ipvlan Endpoint Joined with IPv6_Addr: %s IpVlan_Mode: %s, Parent: %s",
 				ep.addrv6.IP.String(), n.config.IpvlanMode, n.config.Parent)
 		}
+		// If n.config.Internal was set locally by the driver because there's no parent
+		// interface, libnetwork doesn't know the network is internal. So, stop it from
+		// adding a gateway endpoint.
+		jinfo.DisableGatewayService()
 	}
 	iNames := jinfo.InterfaceName()
 	err = iNames.SetNames(vethName, containerVethPrefix)
diff --git a/libnetwork/drivers/ipvlan/ipvlan_network.go b/libnetwork/drivers/ipvlan/ipvlan_network.go
index 11bde5a..0ef0d12 100644
--- a/libnetwork/drivers/ipvlan/ipvlan_network.go
+++ b/libnetwork/drivers/ipvlan/ipvlan_network.go
@@ -41,6 +41,7 @@
 	// if parent interface not specified, create a dummy type link to use named dummy+net_id
 	if config.Parent == "" {
 		config.Parent = getDummyName(stringid.TruncateID(config.ID))
+		config.Internal = true
 	}
 	foundExisting, err := d.createNetwork(config)
 	if err != nil {
diff --git a/libnetwork/drivers/macvlan/macvlan_joinleave.go b/libnetwork/drivers/macvlan/macvlan_joinleave.go
index ed32ddc..95a35bb 100644
--- a/libnetwork/drivers/macvlan/macvlan_joinleave.go
+++ b/libnetwork/drivers/macvlan/macvlan_joinleave.go
@@ -83,6 +83,10 @@
 			log.G(context.TODO()).Debugf("Macvlan Endpoint Joined with IPv6_Addr: %s MacVlan_Mode: %s, Parent: %s",
 				ep.addrv6.IP.String(), n.config.MacvlanMode, n.config.Parent)
 		}
+		// If n.config.Internal was set locally by the driver because there's no parent
+		// interface, libnetwork doesn't know the network is internal. So, stop it from
+		// adding a gateway endpoint.
+		jinfo.DisableGatewayService()
 	}
 	iNames := jinfo.InterfaceName()
 	err = iNames.SetNames(vethName, containerVethPrefix)
diff --git a/libnetwork/drivers/macvlan/macvlan_network.go b/libnetwork/drivers/macvlan/macvlan_network.go
index 77aa323..75313dd 100644
--- a/libnetwork/drivers/macvlan/macvlan_network.go
+++ b/libnetwork/drivers/macvlan/macvlan_network.go
@@ -31,6 +31,7 @@
 	// if parent interface not specified, create a dummy type link to use named dummy+net_id
 	if config.Parent == "" {
 		config.Parent = getDummyName(stringid.TruncateID(config.ID))
+		config.Internal = true
 	}
 	foundExisting, err := d.createNetwork(config)
 	if err != nil {
diff --git a/libnetwork/drivers/overlay/joinleave.go b/libnetwork/drivers/overlay/joinleave.go
index bcfa3ca..3f56918 100644
--- a/libnetwork/drivers/overlay/joinleave.go
+++ b/libnetwork/drivers/overlay/joinleave.go
@@ -67,7 +67,7 @@
 
 	veth, err := nlh.LinkByName(overlayIfName)
 	if err != nil {
-		return fmt.Errorf("cound not find link by name %s: %v", overlayIfName, err)
+		return fmt.Errorf("could not find link by name %s: %v", overlayIfName, err)
 	}
 	err = nlh.LinkSetMTU(veth, mtu)
 	if err != nil {
diff --git a/libnetwork/drivers_ipam.go b/libnetwork/drivers_ipam.go
deleted file mode 100644
index 1c46890..0000000
--- a/libnetwork/drivers_ipam.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package libnetwork
-
-import (
-	"github.com/docker/docker/libnetwork/ipamapi"
-	builtinIpam "github.com/docker/docker/libnetwork/ipams/builtin"
-	nullIpam "github.com/docker/docker/libnetwork/ipams/null"
-	remoteIpam "github.com/docker/docker/libnetwork/ipams/remote"
-	"github.com/docker/docker/libnetwork/ipamutils"
-	"github.com/docker/docker/pkg/plugingetter"
-)
-
-func initIPAMDrivers(r ipamapi.Registerer, pg plugingetter.PluginGetter, addressPool []*ipamutils.NetworkToSplit) error {
-	// TODO: pass address pools as arguments to builtinIpam.Init instead of
-	// indirectly through global mutable state. Swarmkit references that
-	// function so changing its signature breaks the build.
-	if err := builtinIpam.SetDefaultIPAddressPool(addressPool); err != nil {
-		return err
-	}
-
-	for _, fn := range [](func(ipamapi.Registerer) error){
-		builtinIpam.Register,
-		nullIpam.Register,
-	} {
-		if err := fn(r); err != nil {
-			return err
-		}
-	}
-
-	return remoteIpam.Register(r, pg)
-}
diff --git a/libnetwork/drvregistry/ipams_test.go b/libnetwork/drvregistry/ipams_test.go
index 6c0ec37..eb8ac49 100644
--- a/libnetwork/drvregistry/ipams_test.go
+++ b/libnetwork/drvregistry/ipams_test.go
@@ -6,9 +6,7 @@
 	"testing"
 
 	"github.com/docker/docker/libnetwork/ipamapi"
-	builtinIpam "github.com/docker/docker/libnetwork/ipams/builtin"
-	nullIpam "github.com/docker/docker/libnetwork/ipams/null"
-	remoteIpam "github.com/docker/docker/libnetwork/ipams/remote"
+	"github.com/docker/docker/libnetwork/ipams"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 )
@@ -16,9 +14,7 @@
 func getNewIPAMs(t *testing.T) *IPAMs {
 	r := &IPAMs{}
 
-	assert.Assert(t, builtinIpam.Register(r))
-	assert.Assert(t, remoteIpam.Register(r, nil))
-	assert.Assert(t, nullIpam.Register(r))
+	assert.Assert(t, ipams.Register(r, nil, nil, nil))
 
 	return r
 }
diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go
index 9c1b7ee..836313c 100644
--- a/libnetwork/endpoint.go
+++ b/libnetwork/endpoint.go
@@ -11,6 +11,7 @@
 	"sync"
 
 	"github.com/containerd/log"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/internal/sliceutil"
 	"github.com/docker/docker/libnetwork/datastore"
 	"github.com/docker/docker/libnetwork/ipamapi"
@@ -543,6 +544,10 @@
 		return err
 	}
 
+	if err = addEpToResolver(context.TODO(), n.Name(), ep.Name(), &sb.config, ep.iface, n.Resolvers()); err != nil {
+		return errdefs.System(err)
+	}
+
 	if err = n.getController().updateToStore(ep); err != nil {
 		return err
 	}
@@ -569,12 +574,12 @@
 		return sb.setupDefaultGW()
 	}
 
-	currentExtEp := sb.getGatewayEndpoint()
 	// Enable upstream forwarding if the sandbox gained external connectivity.
 	if sb.resolver != nil {
-		sb.resolver.SetForwardingPolicy(currentExtEp != nil)
+		sb.resolver.SetForwardingPolicy(sb.hasExternalAccess())
 	}
 
+	currentExtEp := sb.getGatewayEndpoint()
 	moveExtConn := currentExtEp != extEp
 	if moveExtConn {
 		if extEp != nil {
@@ -745,6 +750,10 @@
 		log.G(context.TODO()).Warnf("Failed to clean up service info on container %s disconnect: %v", ep.name, err)
 	}
 
+	if err := deleteEpFromResolver(ep.Name(), ep.iface, n.Resolvers()); err != nil {
+		log.G(context.TODO()).Warnf("Failed to clean up resolver info on container %s disconnect: %v", ep.name, err)
+	}
+
 	if err := sb.clearNetworkResources(ep); err != nil {
 		log.G(context.TODO()).Warnf("Failed to clean up network resources on container %s disconnect: %v", ep.name, err)
 	}
@@ -767,13 +776,13 @@
 		return sb.setupDefaultGW()
 	}
 
-	// New endpoint providing external connectivity for the sandbox
-	extEp = sb.getGatewayEndpoint()
 	// Disable upstream forwarding if the sandbox lost external connectivity.
 	if sb.resolver != nil {
-		sb.resolver.SetForwardingPolicy(extEp != nil)
+		sb.resolver.SetForwardingPolicy(sb.hasExternalAccess())
 	}
 
+	// New endpoint providing external connectivity for the sandbox
+	extEp = sb.getGatewayEndpoint()
 	if moveExtConn && extEp != nil {
 		log.G(context.TODO()).Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
 		extN, err := extEp.getNetworkFromStore()
diff --git a/libnetwork/endpoint_info.go b/libnetwork/endpoint_info.go
index 3938b41..31b421d 100644
--- a/libnetwork/endpoint_info.go
+++ b/libnetwork/endpoint_info.go
@@ -382,6 +382,31 @@
 	return nil
 }
 
+// hasGatewayOrDefaultRoute returns true if ep has a gateway, or a route to '0.0.0.0'/'::'.
+func (ep *Endpoint) hasGatewayOrDefaultRoute() bool {
+	ep.mu.Lock()
+	defer ep.mu.Unlock()
+
+	if ep.joinInfo != nil {
+		if len(ep.joinInfo.gw) > 0 {
+			return true
+		}
+		for _, route := range ep.joinInfo.StaticRoutes {
+			if route.Destination.IP.IsUnspecified() && net.IP(route.Destination.Mask).IsUnspecified() {
+				return true
+			}
+		}
+	}
+	if ep.iface != nil {
+		for _, route := range ep.iface.routes {
+			if route.IP.IsUnspecified() && net.IP(route.Mask).IsUnspecified() {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func (ep *Endpoint) retrieveFromStore() (*Endpoint, error) {
 	n, err := ep.getNetworkFromStore()
 	if err != nil {
diff --git a/libnetwork/endpoint_unix_test.go b/libnetwork/endpoint_unix_test.go
index 30a1f68..f421851 100644
--- a/libnetwork/endpoint_unix_test.go
+++ b/libnetwork/endpoint_unix_test.go
@@ -7,7 +7,7 @@
 	"testing"
 
 	"github.com/docker/docker/internal/testutils/netnsutils"
-	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
 	"github.com/docker/docker/libnetwork/osl"
 )
 
@@ -24,7 +24,7 @@
 fe90::2	somehost.example.com somehost
 `
 
-	opts := []NetworkOption{NetworkOptionEnableIPv6(true), NetworkOptionIpam(ipamapi.DefaultIPAM, "",
+	opts := []NetworkOption{NetworkOptionEnableIPv6(true), NetworkOptionIpam(defaultipam.DriverName, "",
 		[]*IpamConf{{PreferredPool: "192.168.222.0/24", Gateway: "192.168.222.1"}},
 		[]*IpamConf{{PreferredPool: "fe90::/64", Gateway: "fe90::1"}},
 		nil)}
diff --git a/libnetwork/internal/netiputil/netiputil.go b/libnetwork/internal/netiputil/netiputil.go
index 76cb592..7c90756 100644
--- a/libnetwork/internal/netiputil/netiputil.go
+++ b/libnetwork/internal/netiputil/netiputil.go
@@ -51,3 +51,11 @@
 	end = start + (1 << uint64(subnet.Addr().BitLen()-subnet.Bits())) - 1
 	return start, end
 }
+
+// AddrPortFromNet converts a net.Addr into a netip.AddrPort.
+func AddrPortFromNet(addr net.Addr) netip.AddrPort {
+	if a, ok := addr.(interface{ AddrPort() netip.AddrPort }); ok {
+		return a.AddrPort()
+	}
+	return netip.AddrPort{}
+}
diff --git a/libnetwork/ipam/allocator.go b/libnetwork/ipam/allocator.go
deleted file mode 100644
index 79376c4..0000000
--- a/libnetwork/ipam/allocator.go
+++ /dev/null
@@ -1,410 +0,0 @@
-package ipam
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-
-	"github.com/containerd/log"
-	"github.com/docker/docker/libnetwork/bitmap"
-	"github.com/docker/docker/libnetwork/internal/netiputil"
-	"github.com/docker/docker/libnetwork/ipamapi"
-	"github.com/docker/docker/libnetwork/ipbits"
-	"github.com/docker/docker/libnetwork/types"
-)
-
-const (
-	localAddressSpace  = "LocalDefault"
-	globalAddressSpace = "GlobalDefault"
-)
-
-// Allocator provides per address space ipv4/ipv6 book keeping
-type Allocator struct {
-	// The address spaces
-	local, global *addrSpace
-}
-
-// NewAllocator returns an instance of libnetwork ipam
-func NewAllocator(lcAs, glAs []*net.IPNet) (*Allocator, error) {
-	var (
-		a   Allocator
-		err error
-	)
-	a.local, err = newAddrSpace(lcAs)
-	if err != nil {
-		return nil, fmt.Errorf("could not construct local address space: %w", err)
-	}
-	a.global, err = newAddrSpace(glAs)
-	if err != nil {
-		return nil, fmt.Errorf("could not construct global address space: %w", err)
-	}
-	return &a, nil
-}
-
-func newAddrSpace(predefined []*net.IPNet) (*addrSpace, error) {
-	pdf := make([]netip.Prefix, len(predefined))
-	for i, n := range predefined {
-		var ok bool
-		pdf[i], ok = netiputil.ToPrefix(n)
-		if !ok {
-			return nil, fmt.Errorf("network at index %d (%v) is not in canonical form", i, n)
-		}
-	}
-	return &addrSpace{
-		subnets:    map[netip.Prefix]*PoolData{},
-		predefined: pdf,
-	}, nil
-}
-
-// GetDefaultAddressSpaces returns the local and global default address spaces
-func (a *Allocator) GetDefaultAddressSpaces() (string, string, error) {
-	return localAddressSpace, globalAddressSpace, nil
-}
-
-// RequestPool returns an address pool along with its unique id.
-// addressSpace must be a valid address space name and must not be the empty string.
-// If requestedPool is the empty string then the default predefined pool for addressSpace will be used, otherwise pool must be a valid IP address and length in CIDR notation.
-// If requestedSubPool is not empty, it must be a valid IP address and length in CIDR notation which is a sub-range of requestedPool.
-// requestedSubPool must be empty if requestedPool is empty.
-func (a *Allocator) RequestPool(addressSpace, requestedPool, requestedSubPool string, _ map[string]string, v6 bool) (poolID string, pool *net.IPNet, meta map[string]string, err error) {
-	log.G(context.TODO()).Debugf("RequestPool(%s, %s, %s, _, %t)", addressSpace, requestedPool, requestedSubPool, v6)
-
-	parseErr := func(err error) error {
-		return types.InternalErrorf("failed to parse pool request for address space %q pool %q subpool %q: %v", addressSpace, requestedPool, requestedSubPool, err)
-	}
-
-	if addressSpace == "" {
-		return "", nil, nil, parseErr(ipamapi.ErrInvalidAddressSpace)
-	}
-	aSpace, err := a.getAddrSpace(addressSpace)
-	if err != nil {
-		return "", nil, nil, err
-	}
-	if requestedPool == "" && requestedSubPool != "" {
-		return "", nil, nil, parseErr(ipamapi.ErrInvalidSubPool)
-	}
-
-	k := PoolID{AddressSpace: addressSpace}
-	if requestedPool == "" {
-		k.Subnet, err = aSpace.allocatePredefinedPool(v6)
-		if err != nil {
-			return "", nil, nil, err
-		}
-		return k.String(), netiputil.ToIPNet(k.Subnet), nil, nil
-	}
-
-	if k.Subnet, err = netip.ParsePrefix(requestedPool); err != nil {
-		return "", nil, nil, parseErr(ipamapi.ErrInvalidPool)
-	}
-
-	if requestedSubPool != "" {
-		k.ChildSubnet, err = netip.ParsePrefix(requestedSubPool)
-		if err != nil {
-			return "", nil, nil, parseErr(ipamapi.ErrInvalidSubPool)
-		}
-	}
-
-	k.Subnet, k.ChildSubnet = k.Subnet.Masked(), k.ChildSubnet.Masked()
-	// Prior to https://github.com/moby/moby/pull/44968, libnetwork would happily accept a ChildSubnet with a bigger
-	// mask than its parent subnet. In such case, it was producing IP addresses based on the parent subnet, and the
-	// child subnet was not allocated from the address pool. Following condition take care of restoring this behavior
-	// for networks created before upgrading to v24.0.
-	if k.ChildSubnet.IsValid() && k.ChildSubnet.Bits() < k.Subnet.Bits() {
-		k.ChildSubnet = k.Subnet
-	}
-
-	err = aSpace.allocateSubnet(k.Subnet, k.ChildSubnet)
-	if err != nil {
-		return "", nil, nil, err
-	}
-
-	return k.String(), netiputil.ToIPNet(k.Subnet), nil, nil
-}
-
-// ReleasePool releases the address pool identified by the passed id
-func (a *Allocator) ReleasePool(poolID string) error {
-	log.G(context.TODO()).Debugf("ReleasePool(%s)", poolID)
-	k, err := PoolIDFromString(poolID)
-	if err != nil {
-		return types.InvalidParameterErrorf("invalid pool id: %s", poolID)
-	}
-
-	aSpace, err := a.getAddrSpace(k.AddressSpace)
-	if err != nil {
-		return err
-	}
-
-	return aSpace.releaseSubnet(k.Subnet, k.ChildSubnet)
-}
-
-// Given the address space, returns the local or global PoolConfig based on whether the
-// address space is local or global. AddressSpace locality is registered with IPAM out of band.
-func (a *Allocator) getAddrSpace(as string) (*addrSpace, error) {
-	switch as {
-	case localAddressSpace:
-		return a.local, nil
-	case globalAddressSpace:
-		return a.global, nil
-	}
-	return nil, types.InvalidParameterErrorf("cannot find address space %s", as)
-}
-
-func newPoolData(pool netip.Prefix) *PoolData {
-	ones, bits := pool.Bits(), pool.Addr().BitLen()
-	numAddresses := uint64(1 << uint(bits-ones))
-
-	// Allow /64 subnet
-	if pool.Addr().Is6() && numAddresses == 0 {
-		numAddresses--
-	}
-
-	// Generate the new address masks.
-	h := bitmap.New(numAddresses)
-
-	// Pre-reserve the network address on IPv4 networks large
-	// enough to have one (i.e., anything bigger than a /31.
-	if !(pool.Addr().Is4() && numAddresses <= 2) {
-		h.Set(0)
-	}
-
-	// Pre-reserve the broadcast address on IPv4 networks large
-	// enough to have one (i.e., anything bigger than a /31).
-	if pool.Addr().Is4() && numAddresses > 2 {
-		h.Set(numAddresses - 1)
-	}
-
-	return &PoolData{addrs: h, children: map[netip.Prefix]struct{}{}}
-}
-
-// getPredefineds returns the predefined subnets for the address space.
-//
-// It should not be called concurrently with any other method on the addrSpace.
-func (aSpace *addrSpace) getPredefineds() []netip.Prefix {
-	i := aSpace.predefinedStartIndex
-	// defensive in case the list changed since last update
-	if i >= len(aSpace.predefined) {
-		i = 0
-	}
-	return append(aSpace.predefined[i:], aSpace.predefined[:i]...)
-}
-
-// updatePredefinedStartIndex rotates the predefined subnet list by amt.
-//
-// It should not be called concurrently with any other method on the addrSpace.
-func (aSpace *addrSpace) updatePredefinedStartIndex(amt int) {
-	i := aSpace.predefinedStartIndex + amt
-	if i < 0 || i >= len(aSpace.predefined) {
-		i = 0
-	}
-	aSpace.predefinedStartIndex = i
-}
-
-func (aSpace *addrSpace) allocatePredefinedPool(ipV6 bool) (netip.Prefix, error) {
-	aSpace.Lock()
-	defer aSpace.Unlock()
-
-	for i, nw := range aSpace.getPredefineds() {
-		if ipV6 != nw.Addr().Is6() {
-			continue
-		}
-		// Checks whether pool has already been allocated
-		if _, ok := aSpace.subnets[nw]; ok {
-			continue
-		}
-		// Shouldn't be necessary, but check prevents IP collisions should
-		// predefined pools overlap for any reason.
-		if !aSpace.overlaps(nw) {
-			aSpace.updatePredefinedStartIndex(i + 1)
-			err := aSpace.allocateSubnetL(nw, netip.Prefix{})
-			if err != nil {
-				return netip.Prefix{}, err
-			}
-			return nw, nil
-		}
-	}
-
-	v := 4
-	if ipV6 {
-		v = 6
-	}
-	return netip.Prefix{}, types.NotFoundErrorf("could not find an available, non-overlapping IPv%d address pool among the defaults to assign to the network", v)
-}
-
-// RequestAddress returns an address from the specified pool ID
-func (a *Allocator) RequestAddress(poolID string, prefAddress net.IP, opts map[string]string) (*net.IPNet, map[string]string, error) {
-	log.G(context.TODO()).Debugf("RequestAddress(%s, %v, %v)", poolID, prefAddress, opts)
-	k, err := PoolIDFromString(poolID)
-	if err != nil {
-		return nil, nil, types.InvalidParameterErrorf("invalid pool id: %s", poolID)
-	}
-
-	aSpace, err := a.getAddrSpace(k.AddressSpace)
-	if err != nil {
-		return nil, nil, err
-	}
-	var pref netip.Addr
-	if prefAddress != nil {
-		var ok bool
-		pref, ok = netip.AddrFromSlice(prefAddress)
-		if !ok {
-			return nil, nil, types.InvalidParameterErrorf("invalid preferred address: %v", prefAddress)
-		}
-	}
-	p, err := aSpace.requestAddress(k.Subnet, k.ChildSubnet, pref.Unmap(), opts)
-	if err != nil {
-		return nil, nil, err
-	}
-	return &net.IPNet{
-		IP:   p.AsSlice(),
-		Mask: net.CIDRMask(k.Subnet.Bits(), k.Subnet.Addr().BitLen()),
-	}, nil, nil
-}
-
-func (aSpace *addrSpace) requestAddress(nw, sub netip.Prefix, prefAddress netip.Addr, opts map[string]string) (netip.Addr, error) {
-	aSpace.Lock()
-	defer aSpace.Unlock()
-
-	p, ok := aSpace.subnets[nw]
-	if !ok {
-		return netip.Addr{}, types.NotFoundErrorf("cannot find address pool for poolID:%v/%v", nw, sub)
-	}
-
-	if prefAddress != (netip.Addr{}) && !nw.Contains(prefAddress) {
-		return netip.Addr{}, ipamapi.ErrIPOutOfRange
-	}
-
-	if sub != (netip.Prefix{}) {
-		if _, ok := p.children[sub]; !ok {
-			return netip.Addr{}, types.NotFoundErrorf("cannot find address pool for poolID:%v/%v", nw, sub)
-		}
-	}
-
-	// In order to request for a serial ip address allocation, callers can pass in the option to request
-	// IP allocation serially or first available IP in the subnet
-	serial := opts[ipamapi.AllocSerialPrefix] == "true"
-	ip, err := getAddress(nw, p.addrs, prefAddress, sub, serial)
-	if err != nil {
-		return netip.Addr{}, err
-	}
-
-	return ip, nil
-}
-
-// ReleaseAddress releases the address from the specified pool ID
-func (a *Allocator) ReleaseAddress(poolID string, address net.IP) error {
-	log.G(context.TODO()).Debugf("ReleaseAddress(%s, %v)", poolID, address)
-	k, err := PoolIDFromString(poolID)
-	if err != nil {
-		return types.InvalidParameterErrorf("invalid pool id: %s", poolID)
-	}
-
-	aSpace, err := a.getAddrSpace(k.AddressSpace)
-	if err != nil {
-		return err
-	}
-
-	addr, ok := netip.AddrFromSlice(address)
-	if !ok {
-		return types.InvalidParameterErrorf("invalid address: %v", address)
-	}
-
-	return aSpace.releaseAddress(k.Subnet, k.ChildSubnet, addr.Unmap())
-}
-
-func (aSpace *addrSpace) releaseAddress(nw, sub netip.Prefix, address netip.Addr) error {
-	aSpace.Lock()
-	defer aSpace.Unlock()
-
-	p, ok := aSpace.subnets[nw]
-	if !ok {
-		return types.NotFoundErrorf("cannot find address pool for %v/%v", nw, sub)
-	}
-	if sub != (netip.Prefix{}) {
-		if _, ok := p.children[sub]; !ok {
-			return types.NotFoundErrorf("cannot find address pool for poolID:%v/%v", nw, sub)
-		}
-	}
-
-	if !address.IsValid() {
-		return types.InvalidParameterErrorf("invalid address")
-	}
-
-	if !nw.Contains(address) {
-		return ipamapi.ErrIPOutOfRange
-	}
-
-	defer log.G(context.TODO()).Debugf("Released address Address:%v Sequence:%s", address, p.addrs)
-
-	return p.addrs.Unset(netiputil.HostID(address, uint(nw.Bits())))
-}
-
-func getAddress(base netip.Prefix, bitmask *bitmap.Bitmap, prefAddress netip.Addr, ipr netip.Prefix, serial bool) (netip.Addr, error) {
-	var (
-		ordinal uint64
-		err     error
-	)
-
-	log.G(context.TODO()).Debugf("Request address PoolID:%v %s Serial:%v PrefAddress:%v ", base, bitmask, serial, prefAddress)
-
-	if bitmask.Unselected() == 0 {
-		return netip.Addr{}, ipamapi.ErrNoAvailableIPs
-	}
-	if ipr == (netip.Prefix{}) && prefAddress == (netip.Addr{}) {
-		ordinal, err = bitmask.SetAny(serial)
-	} else if prefAddress != (netip.Addr{}) {
-		ordinal = netiputil.HostID(prefAddress, uint(base.Bits()))
-		err = bitmask.Set(ordinal)
-	} else {
-		start, end := netiputil.SubnetRange(base, ipr)
-		ordinal, err = bitmask.SetAnyInRange(start, end, serial)
-	}
-
-	switch err {
-	case nil:
-		// Convert IP ordinal for this subnet into IP address
-		return ipbits.Add(base.Addr(), ordinal, 0), nil
-	case bitmap.ErrBitAllocated:
-		return netip.Addr{}, ipamapi.ErrIPAlreadyAllocated
-	case bitmap.ErrNoBitAvailable:
-		return netip.Addr{}, ipamapi.ErrNoAvailableIPs
-	default:
-		return netip.Addr{}, err
-	}
-}
-
-// DumpDatabase dumps the internal info
-func (a *Allocator) DumpDatabase() string {
-	aspaces := map[string]*addrSpace{
-		localAddressSpace:  a.local,
-		globalAddressSpace: a.global,
-	}
-
-	var b strings.Builder
-	for _, as := range []string{localAddressSpace, globalAddressSpace} {
-		fmt.Fprintf(&b, "\n### %s\n", as)
-		b.WriteString(aspaces[as].DumpDatabase())
-	}
-	return b.String()
-}
-
-func (aSpace *addrSpace) DumpDatabase() string {
-	aSpace.Lock()
-	defer aSpace.Unlock()
-
-	var b strings.Builder
-	for k, config := range aSpace.subnets {
-		fmt.Fprintf(&b, "%v: %v\n", k, config)
-		fmt.Fprintf(&b, "  Bitmap: %v\n", config.addrs)
-		for k := range config.children {
-			fmt.Fprintf(&b, "  - Subpool: %v\n", k)
-		}
-	}
-	return b.String()
-}
-
-// IsBuiltIn returns true for builtin drivers
-func (a *Allocator) IsBuiltIn() bool {
-	return true
-}
diff --git a/libnetwork/ipam/structures.go b/libnetwork/ipam/structures.go
deleted file mode 100644
index c96495d..0000000
--- a/libnetwork/ipam/structures.go
+++ /dev/null
@@ -1,169 +0,0 @@
-package ipam
-
-import (
-	"fmt"
-	"net/netip"
-	"strings"
-	"sync"
-
-	"github.com/docker/docker/libnetwork/bitmap"
-	"github.com/docker/docker/libnetwork/ipamapi"
-	"github.com/docker/docker/libnetwork/types"
-)
-
-// PoolID is the pointer to the configured pools in each address space
-type PoolID struct {
-	AddressSpace string
-	SubnetKey
-}
-
-// PoolData contains the configured pool data
-type PoolData struct {
-	addrs    *bitmap.Bitmap
-	children map[netip.Prefix]struct{}
-
-	// Whether to implicitly release the pool once it no longer has any children.
-	autoRelease bool
-}
-
-// SubnetKey is the composite key to an address pool within an address space.
-type SubnetKey struct {
-	Subnet, ChildSubnet netip.Prefix
-}
-
-// addrSpace contains the pool configurations for the address space
-type addrSpace struct {
-	// Master subnet pools, indexed by the value's stringified PoolData.Pool field.
-	subnets map[netip.Prefix]*PoolData
-
-	// Predefined pool for the address space
-	predefined           []netip.Prefix
-	predefinedStartIndex int
-
-	sync.Mutex
-}
-
-// PoolIDFromString creates a new PoolID and populates the SubnetKey object
-// reading it from the given string.
-func PoolIDFromString(str string) (pID PoolID, err error) {
-	if str == "" {
-		return pID, types.InvalidParameterErrorf("invalid string form for subnetkey: %s", str)
-	}
-
-	p := strings.Split(str, "/")
-	if len(p) != 3 && len(p) != 5 {
-		return pID, types.InvalidParameterErrorf("invalid string form for subnetkey: %s", str)
-	}
-	pID.AddressSpace = p[0]
-	pID.Subnet, err = netip.ParsePrefix(p[1] + "/" + p[2])
-	if err != nil {
-		return pID, types.InvalidParameterErrorf("invalid string form for subnetkey: %s", str)
-	}
-	if len(p) == 5 {
-		pID.ChildSubnet, err = netip.ParsePrefix(p[3] + "/" + p[4])
-		if err != nil {
-			return pID, types.InvalidParameterErrorf("invalid string form for subnetkey: %s", str)
-		}
-	}
-
-	return pID, nil
-}
-
-// String returns the string form of the SubnetKey object
-func (s *PoolID) String() string {
-	if s.ChildSubnet == (netip.Prefix{}) {
-		return s.AddressSpace + "/" + s.Subnet.String()
-	} else {
-		return s.AddressSpace + "/" + s.Subnet.String() + "/" + s.ChildSubnet.String()
-	}
-}
-
-// String returns the string form of the PoolData object
-func (p *PoolData) String() string {
-	return fmt.Sprintf("PoolData[Children: %d]", len(p.children))
-}
-
-// allocateSubnet adds the subnet k to the address space.
-func (aSpace *addrSpace) allocateSubnet(nw, sub netip.Prefix) error {
-	aSpace.Lock()
-	defer aSpace.Unlock()
-
-	// Check if already allocated
-	if pool, ok := aSpace.subnets[nw]; ok {
-		var childExists bool
-		if sub != (netip.Prefix{}) {
-			_, childExists = pool.children[sub]
-		}
-		if sub == (netip.Prefix{}) || childExists {
-			// This means the same pool is already allocated. allocateSubnet is called when there
-			// is request for a pool/subpool. It should ensure there is no overlap with existing pools
-			return ipamapi.ErrPoolOverlap
-		}
-	}
-
-	return aSpace.allocateSubnetL(nw, sub)
-}
-
-func (aSpace *addrSpace) allocateSubnetL(nw, sub netip.Prefix) error {
-	// If master pool, check for overlap
-	if sub == (netip.Prefix{}) {
-		if aSpace.overlaps(nw) {
-			return ipamapi.ErrPoolOverlap
-		}
-		// This is a new master pool, add it along with corresponding bitmask
-		aSpace.subnets[nw] = newPoolData(nw)
-		return nil
-	}
-
-	// This is a new non-master pool (subPool)
-	if nw.Addr().BitLen() != sub.Addr().BitLen() {
-		return fmt.Errorf("pool and subpool are of incompatible address families")
-	}
-
-	// Look for parent pool
-	pp, ok := aSpace.subnets[nw]
-	if !ok {
-		// Parent pool does not exist, add it along with corresponding bitmask
-		pp = newPoolData(nw)
-		pp.autoRelease = true
-		aSpace.subnets[nw] = pp
-	}
-	pp.children[sub] = struct{}{}
-	return nil
-}
-
-func (aSpace *addrSpace) releaseSubnet(nw, sub netip.Prefix) error {
-	aSpace.Lock()
-	defer aSpace.Unlock()
-
-	p, ok := aSpace.subnets[nw]
-	if !ok {
-		return ipamapi.ErrBadPool
-	}
-
-	if sub != (netip.Prefix{}) {
-		if _, ok := p.children[sub]; !ok {
-			return ipamapi.ErrBadPool
-		}
-		delete(p.children, sub)
-	} else {
-		p.autoRelease = true
-	}
-
-	if len(p.children) == 0 && p.autoRelease {
-		delete(aSpace.subnets, nw)
-	}
-
-	return nil
-}
-
-// overlaps reports whether nw contains any IP addresses in common with any of
-// the existing subnets in this address space.
-func (aSpace *addrSpace) overlaps(nw netip.Prefix) bool {
-	for pool := range aSpace.subnets {
-		if pool.Overlaps(nw) {
-			return true
-		}
-	}
-	return false
-}
diff --git a/libnetwork/ipamapi/contract.go b/libnetwork/ipamapi/contract.go
index 86f3414..5b88327 100644
--- a/libnetwork/ipamapi/contract.go
+++ b/libnetwork/ipamapi/contract.go
@@ -3,16 +3,13 @@
 
 import (
 	"net"
+	"net/netip"
 
 	"github.com/docker/docker/libnetwork/types"
 )
 
 // IPAM plugin types
 const (
-	// DefaultIPAM is the name of the built-in default ipam driver
-	DefaultIPAM = "default"
-	// NullIPAM is the name of the built-in null ipam driver
-	NullIPAM = "null"
 	// PluginEndpointType represents the Endpoint Type used by Plugin system
 	PluginEndpointType = "IpamDriver"
 	// RequestAddressType represents the Address Type used when requesting an address
@@ -45,13 +42,9 @@
 type Ipam interface {
 	// GetDefaultAddressSpaces returns the default local and global address spaces for this ipam
 	GetDefaultAddressSpaces() (string, string, error)
-	// RequestPool returns an address pool along with its unique id. Address space is a mandatory field
-	// which denotes a set of non-overlapping pools. requestedPool describes the pool of addresses in CIDR notation.
-	// requestedSubPool indicates a smaller range of addresses from the pool, for now it is specified in CIDR notation.
-	// Both requestedPool and requestedSubPool are non-mandatory fields. When they are not specified, Ipam driver may choose to
-	// return a self chosen pool for this request. In such case the v6 flag needs to be set appropriately so
-	// that the driver would return the expected ip version pool.
-	RequestPool(addressSpace, requestedPool, requestedSubPool string, options map[string]string, v6 bool) (poolID string, pool *net.IPNet, meta map[string]string, err error)
+	// RequestPool allocate an address pool either statically or dynamically
+	// based on req.
+	RequestPool(req PoolRequest) (AllocatedPool, error)
 	// ReleasePool releases the address pool identified by the passed id
 	ReleasePool(poolID string) error
 	// RequestAddress request an address from the specified pool ID. Input options or required IP can be passed.
@@ -63,6 +56,41 @@
 	IsBuiltIn() bool
 }
 
+type PoolRequest struct {
+	// AddressSpace is a mandatory field which denotes which block of pools
+	// should be used to make the allocation. This value is opaque, and only
+	// the IPAM driver can interpret it. Each driver might support a different
+	// set of AddressSpace.
+	AddressSpace string
+	// Pool is a prefix in CIDR notation. It's non-mandatory. When specified
+	// the Pool will be statically allocated. The Pool is used for dynamic
+	// address allocation -- except when SubPool is specified.
+	Pool string
+	// SubPool is a subnet from Pool, in CIDR notation too. It's non-mandatory.
+	// When specified, it represents the subnet where addresses will be
+	// dynamically allocated. It can't be specified if Pool isn't specified.
+	SubPool string
+	// Options is a map of opaque k/v passed to the driver. It's non-mandatory.
+	// Drivers are free to ignore it.
+	Options map[string]string
+	// V6 indicates which address family should be used to dynamically allocate
+	// a prefix (ie. when Pool isn't specified).
+	V6 bool
+}
+
+type AllocatedPool struct {
+	// PoolID represents the ID of the allocated pool. Its value is opaque and
+	// shouldn't be interpreted by anything but the IPAM driver that generated
+	// it.
+	PoolID string
+	// Pool is the allocated prefix.
+	Pool netip.Prefix
+	// Meta represents a list of extra IP addresses automatically reserved
+	// during the pool allocation. These are generally keyed by well-known
+	// strings defined in the netlabel package.
+	Meta map[string]string
+}
+
 // Capability represents the requirements and capabilities of the IPAM driver
 type Capability struct {
 	// Whether on address request, libnetwork must
diff --git a/libnetwork/ipams/builtin/builtin.go b/libnetwork/ipams/builtin/builtin.go
deleted file mode 100644
index 66b28a7..0000000
--- a/libnetwork/ipams/builtin/builtin.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package builtin
-
-import (
-	"net"
-
-	"github.com/docker/docker/libnetwork/ipam"
-	"github.com/docker/docker/libnetwork/ipamapi"
-	"github.com/docker/docker/libnetwork/ipamutils"
-)
-
-// defaultAddressPool Stores user configured subnet list
-var defaultAddressPool []*net.IPNet
-
-// registerBuiltin registers the built-in ipam driver with libnetwork.
-func registerBuiltin(ic ipamapi.Registerer) error {
-	var localAddressPool []*net.IPNet
-	if len(defaultAddressPool) > 0 {
-		localAddressPool = append([]*net.IPNet(nil), defaultAddressPool...)
-	} else {
-		localAddressPool = ipamutils.GetLocalScopeDefaultNetworks()
-	}
-
-	a, err := ipam.NewAllocator(localAddressPool, ipamutils.GetGlobalScopeDefaultNetworks())
-	if err != nil {
-		return err
-	}
-
-	cps := &ipamapi.Capability{RequiresRequestReplay: true}
-
-	return ic.RegisterIpamDriverWithCapabilities(ipamapi.DefaultIPAM, a, cps)
-}
-
-// SetDefaultIPAddressPool stores default address pool.
-func SetDefaultIPAddressPool(addressPool []*ipamutils.NetworkToSplit) error {
-	nets, err := ipamutils.SplitNetworks(addressPool)
-	if err != nil {
-		return err
-	}
-	defaultAddressPool = nets
-	return nil
-}
diff --git a/libnetwork/ipams/builtin/builtin_unix.go b/libnetwork/ipams/builtin/builtin_unix.go
deleted file mode 100644
index c063cb4..0000000
--- a/libnetwork/ipams/builtin/builtin_unix.go
+++ /dev/null
@@ -1,12 +0,0 @@
-//go:build linux || freebsd || darwin
-
-package builtin
-
-import (
-	"github.com/docker/docker/libnetwork/ipamapi"
-)
-
-// Register registers the built-in ipam service with libnetwork.
-func Register(r ipamapi.Registerer) error {
-	return registerBuiltin(r)
-}
diff --git a/libnetwork/ipams/builtin/builtin_windows.go b/libnetwork/ipams/builtin/builtin_windows.go
deleted file mode 100644
index cb364a8..0000000
--- a/libnetwork/ipams/builtin/builtin_windows.go
+++ /dev/null
@@ -1,17 +0,0 @@
-//go:build windows
-
-package builtin
-
-import (
-	"github.com/docker/docker/libnetwork/ipamapi"
-	"github.com/docker/docker/libnetwork/ipams/windowsipam"
-)
-
-// Register registers the built-in ipam services with libnetwork.
-func Register(r ipamapi.Registerer) error {
-	if err := registerBuiltin(r); err != nil {
-		return err
-	}
-
-	return windowsipam.Register(windowsipam.DefaultIPAM, r)
-}
diff --git a/libnetwork/ipams/defaultipam/address_space.go b/libnetwork/ipams/defaultipam/address_space.go
new file mode 100644
index 0000000..84d6f8b
--- /dev/null
+++ b/libnetwork/ipams/defaultipam/address_space.go
@@ -0,0 +1,228 @@
+package defaultipam
+
+import (
+	"context"
+	"fmt"
+	"net/netip"
+	"sync"
+
+	"github.com/containerd/log"
+	"github.com/docker/docker/libnetwork/internal/netiputil"
+	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/types"
+)
+
+// addrSpace contains the pool configurations for the address space
+type addrSpace struct {
+	// Master subnet pools, indexed by the value's stringified PoolData.Pool field.
+	subnets map[netip.Prefix]*PoolData
+
+	// Predefined pool for the address space
+	predefined           []netip.Prefix
+	predefinedStartIndex int
+
+	mu sync.Mutex
+}
+
+func newAddrSpace(predefined []netip.Prefix) (*addrSpace, error) {
+	return &addrSpace{
+		subnets:    map[netip.Prefix]*PoolData{},
+		predefined: predefined,
+	}, nil
+}
+
+// allocateSubnet adds the subnet k to the address space.
+func (aSpace *addrSpace) allocateSubnet(nw, sub netip.Prefix) error {
+	aSpace.mu.Lock()
+	defer aSpace.mu.Unlock()
+
+	// Check if already allocated
+	if pool, ok := aSpace.subnets[nw]; ok {
+		var childExists bool
+		if sub != (netip.Prefix{}) {
+			_, childExists = pool.children[sub]
+		}
+		if sub == (netip.Prefix{}) || childExists {
+			// This means the same pool is already allocated. allocateSubnet is called when there
+			// is request for a pool/subpool. It should ensure there is no overlap with existing pools
+			return ipamapi.ErrPoolOverlap
+		}
+	}
+
+	return aSpace.allocateSubnetL(nw, sub)
+}
+
+func (aSpace *addrSpace) allocateSubnetL(nw, sub netip.Prefix) error {
+	// If master pool, check for overlap
+	if sub == (netip.Prefix{}) {
+		if aSpace.overlaps(nw) {
+			return ipamapi.ErrPoolOverlap
+		}
+		// This is a new master pool, add it along with corresponding bitmask
+		aSpace.subnets[nw] = newPoolData(nw)
+		return nil
+	}
+
+	// This is a new non-master pool (subPool)
+	if nw.Addr().BitLen() != sub.Addr().BitLen() {
+		return fmt.Errorf("pool and subpool are of incompatible address families")
+	}
+
+	// Look for parent pool
+	pp, ok := aSpace.subnets[nw]
+	if !ok {
+		// Parent pool does not exist, add it along with corresponding bitmask
+		pp = newPoolData(nw)
+		pp.autoRelease = true
+		aSpace.subnets[nw] = pp
+	}
+	pp.children[sub] = struct{}{}
+	return nil
+}
+
+// overlaps reports whether nw contains any IP addresses in common with any of
+// the existing subnets in this address space.
+func (aSpace *addrSpace) overlaps(nw netip.Prefix) bool {
+	for pool := range aSpace.subnets {
+		if pool.Overlaps(nw) {
+			return true
+		}
+	}
+	return false
+}
+
+// getPredefineds returns the predefined subnets for the address space.
+//
+// It should not be called concurrently with any other method on the addrSpace.
+func (aSpace *addrSpace) getPredefineds() []netip.Prefix {
+	i := aSpace.predefinedStartIndex
+	// defensive in case the list changed since last update
+	if i >= len(aSpace.predefined) {
+		i = 0
+	}
+	return append(aSpace.predefined[i:], aSpace.predefined[:i]...)
+}
+
+// updatePredefinedStartIndex rotates the predefined subnet list by amt.
+//
+// It should not be called concurrently with any other method on the addrSpace.
+func (aSpace *addrSpace) updatePredefinedStartIndex(amt int) {
+	i := aSpace.predefinedStartIndex + amt
+	if i < 0 || i >= len(aSpace.predefined) {
+		i = 0
+	}
+	aSpace.predefinedStartIndex = i
+}
+
+func (aSpace *addrSpace) allocatePredefinedPool(ipV6 bool) (netip.Prefix, error) {
+	aSpace.mu.Lock()
+	defer aSpace.mu.Unlock()
+
+	for i, nw := range aSpace.getPredefineds() {
+		if ipV6 != nw.Addr().Is6() {
+			continue
+		}
+		// Checks whether pool has already been allocated
+		if _, ok := aSpace.subnets[nw]; ok {
+			continue
+		}
+		// Shouldn't be necessary, but check prevents IP collisions should
+		// predefined pools overlap for any reason.
+		if !aSpace.overlaps(nw) {
+			aSpace.updatePredefinedStartIndex(i + 1)
+			err := aSpace.allocateSubnetL(nw, netip.Prefix{})
+			if err != nil {
+				return netip.Prefix{}, err
+			}
+			return nw, nil
+		}
+	}
+
+	v := 4
+	if ipV6 {
+		v = 6
+	}
+	return netip.Prefix{}, types.NotFoundErrorf("could not find an available, non-overlapping IPv%d address pool among the defaults to assign to the network", v)
+}
+
+func (aSpace *addrSpace) releaseSubnet(nw, sub netip.Prefix) error {
+	aSpace.mu.Lock()
+	defer aSpace.mu.Unlock()
+
+	p, ok := aSpace.subnets[nw]
+	if !ok {
+		return ipamapi.ErrBadPool
+	}
+
+	if sub != (netip.Prefix{}) {
+		if _, ok := p.children[sub]; !ok {
+			return ipamapi.ErrBadPool
+		}
+		delete(p.children, sub)
+	} else {
+		p.autoRelease = true
+	}
+
+	if len(p.children) == 0 && p.autoRelease {
+		delete(aSpace.subnets, nw)
+	}
+
+	return nil
+}
+
+func (aSpace *addrSpace) requestAddress(nw, sub netip.Prefix, prefAddress netip.Addr, opts map[string]string) (netip.Addr, error) {
+	aSpace.mu.Lock()
+	defer aSpace.mu.Unlock()
+
+	p, ok := aSpace.subnets[nw]
+	if !ok {
+		return netip.Addr{}, types.NotFoundErrorf("cannot find address pool for poolID:%v/%v", nw, sub)
+	}
+
+	if prefAddress != (netip.Addr{}) && !nw.Contains(prefAddress) {
+		return netip.Addr{}, ipamapi.ErrIPOutOfRange
+	}
+
+	if sub != (netip.Prefix{}) {
+		if _, ok := p.children[sub]; !ok {
+			return netip.Addr{}, types.NotFoundErrorf("cannot find address pool for poolID:%v/%v", nw, sub)
+		}
+	}
+
+	// In order to request for a serial ip address allocation, callers can pass in the option to request
+	// IP allocation serially or first available IP in the subnet
+	serial := opts[ipamapi.AllocSerialPrefix] == "true"
+	ip, err := getAddress(nw, p.addrs, prefAddress, sub, serial)
+	if err != nil {
+		return netip.Addr{}, err
+	}
+
+	return ip, nil
+}
+
+func (aSpace *addrSpace) releaseAddress(nw, sub netip.Prefix, address netip.Addr) error {
+	aSpace.mu.Lock()
+	defer aSpace.mu.Unlock()
+
+	p, ok := aSpace.subnets[nw]
+	if !ok {
+		return types.NotFoundErrorf("cannot find address pool for %v/%v", nw, sub)
+	}
+	if sub != (netip.Prefix{}) {
+		if _, ok := p.children[sub]; !ok {
+			return types.NotFoundErrorf("cannot find address pool for poolID:%v/%v", nw, sub)
+		}
+	}
+
+	if !address.IsValid() {
+		return types.InvalidParameterErrorf("invalid address")
+	}
+
+	if !nw.Contains(address) {
+		return ipamapi.ErrIPOutOfRange
+	}
+
+	defer log.G(context.TODO()).Debugf("Released address Address:%v Sequence:%s", address, p.addrs)
+
+	return p.addrs.Unset(netiputil.HostID(address, uint(nw.Bits())))
+}
diff --git a/libnetwork/ipams/defaultipam/allocator.go b/libnetwork/ipams/defaultipam/allocator.go
new file mode 100644
index 0000000..65e6ebf
--- /dev/null
+++ b/libnetwork/ipams/defaultipam/allocator.go
@@ -0,0 +1,332 @@
+package defaultipam
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+
+	"github.com/containerd/log"
+	"github.com/docker/docker/libnetwork/bitmap"
+	"github.com/docker/docker/libnetwork/internal/netiputil"
+	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipamutils"
+	"github.com/docker/docker/libnetwork/ipbits"
+	"github.com/docker/docker/libnetwork/types"
+)
+
+const (
+	// DriverName is the name of the built-in default IPAM driver.
+	DriverName = "default"
+
+	localAddressSpace  = "LocalDefault"
+	globalAddressSpace = "GlobalDefault"
+)
+
+// Register registers the default ipam driver with libnetwork. It takes
+// two optional address pools respectively containing the list of user-defined
+// address pools for 'local' and 'global' address spaces.
+func Register(ic ipamapi.Registerer, lAddrPools, gAddrPools []*ipamutils.NetworkToSplit) error {
+	localAddressPools := ipamutils.GetLocalScopeDefaultNetworks()
+	if len(lAddrPools) > 0 {
+		var err error
+		localAddressPools, err = ipamutils.SplitNetworks(lAddrPools)
+		if err != nil {
+			return err
+		}
+	}
+
+	globalAddressPools := ipamutils.GetGlobalScopeDefaultNetworks()
+	if len(gAddrPools) > 0 {
+		var err error
+		globalAddressPools, err = ipamutils.SplitNetworks(gAddrPools)
+		if err != nil {
+			return err
+		}
+	}
+
+	a, err := NewAllocator(localAddressPools, globalAddressPools)
+	if err != nil {
+		return err
+	}
+
+	cps := &ipamapi.Capability{RequiresRequestReplay: true}
+
+	return ic.RegisterIpamDriverWithCapabilities(DriverName, a, cps)
+}
+
+// Allocator provides per address space ipv4/ipv6 book keeping
+type Allocator struct {
+	// The address spaces
+	local4, local6, global4, global6 *addrSpace
+}
+
+// NewAllocator returns an instance of libnetwork ipam
+func NewAllocator(lcAs, glAs []*net.IPNet) (*Allocator, error) {
+	var (
+		a                          Allocator
+		err                        error
+		lcAs4, lcAs6, glAs4, glAs6 []netip.Prefix
+	)
+
+	lcAs4, lcAs6, err = splitByIPFamily(lcAs)
+	if err != nil {
+		return nil, fmt.Errorf("could not construct local address space: %w", err)
+	}
+
+	glAs4, glAs6, err = splitByIPFamily(glAs)
+	if err != nil {
+		return nil, fmt.Errorf("could not construct global address space: %w", err)
+	}
+
+	a.local4, err = newAddrSpace(lcAs4)
+	if err != nil {
+		return nil, fmt.Errorf("could not construct local v4 address space: %w", err)
+	}
+	a.local6, err = newAddrSpace(lcAs6)
+	if err != nil {
+		return nil, fmt.Errorf("could not construct local v6 address space: %w", err)
+	}
+	a.global4, err = newAddrSpace(glAs4)
+	if err != nil {
+		return nil, fmt.Errorf("could not construct global v4 address space: %w", err)
+	}
+	a.global6, err = newAddrSpace(glAs6)
+	if err != nil {
+		return nil, fmt.Errorf("could not construct global v6 address space: %w", err)
+	}
+	return &a, nil
+}
+
+func splitByIPFamily(s []*net.IPNet) ([]netip.Prefix, []netip.Prefix, error) {
+	var v4, v6 []netip.Prefix
+
+	for i, n := range s {
+		p, ok := netiputil.ToPrefix(n)
+		if !ok {
+			return []netip.Prefix{}, []netip.Prefix{}, fmt.Errorf("network at index %d (%v) is not in canonical form", i, n)
+		}
+
+		if p.Addr().Is4() {
+			v4 = append(v4, p)
+		} else {
+			v6 = append(v6, p)
+		}
+	}
+
+	return v4, v6, nil
+}
+
+// GetDefaultAddressSpaces returns the local and global default address spaces
+func (a *Allocator) GetDefaultAddressSpaces() (string, string, error) {
+	return localAddressSpace, globalAddressSpace, nil
+}
+
+// RequestPool returns an address pool along with its unique id.
+// addressSpace must be a valid address space name and must not be the empty string.
+// If requestedPool is the empty string then the default predefined pool for addressSpace will be used, otherwise pool must be a valid IP address and length in CIDR notation.
+// If requestedSubPool is not empty, it must be a valid IP address and length in CIDR notation which is a sub-range of requestedPool.
+// requestedSubPool must be empty if requestedPool is empty.
+func (a *Allocator) RequestPool(req ipamapi.PoolRequest) (ipamapi.AllocatedPool, error) {
+	log.G(context.TODO()).Debugf("RequestPool: %+v", req)
+
+	parseErr := func(err error) error {
+		return types.InternalErrorf("failed to parse pool request for address space %q pool %q subpool %q: %v", req.AddressSpace, req.Pool, req.SubPool, err)
+	}
+
+	if req.AddressSpace == "" {
+		return ipamapi.AllocatedPool{}, parseErr(ipamapi.ErrInvalidAddressSpace)
+	}
+	aSpace, err := a.getAddrSpace(req.AddressSpace, req.V6)
+	if err != nil {
+		return ipamapi.AllocatedPool{}, err
+	}
+	if req.Pool == "" && req.SubPool != "" {
+		return ipamapi.AllocatedPool{}, parseErr(ipamapi.ErrInvalidSubPool)
+	}
+
+	k := PoolID{AddressSpace: req.AddressSpace}
+	if req.Pool == "" {
+		if k.Subnet, err = aSpace.allocatePredefinedPool(req.V6); err != nil {
+			return ipamapi.AllocatedPool{}, err
+		}
+		return ipamapi.AllocatedPool{PoolID: k.String(), Pool: k.Subnet}, nil
+	}
+
+	if k.Subnet, err = netip.ParsePrefix(req.Pool); err != nil {
+		return ipamapi.AllocatedPool{}, parseErr(ipamapi.ErrInvalidPool)
+	}
+
+	if req.SubPool != "" {
+		if k.ChildSubnet, err = netip.ParsePrefix(req.SubPool); err != nil {
+			return ipamapi.AllocatedPool{}, types.InternalErrorf("invalid pool request: %v", ipamapi.ErrInvalidSubPool)
+		}
+	}
+
+	k.Subnet, k.ChildSubnet = k.Subnet.Masked(), k.ChildSubnet.Masked()
+	// Prior to https://github.com/moby/moby/pull/44968, libnetwork would happily accept a ChildSubnet with a bigger
+	// mask than its parent subnet. In such case, it was producing IP addresses based on the parent subnet, and the
+	// child subnet was not allocated from the address pool. Following condition take care of restoring this behavior
+	// for networks created before upgrading to v24.0.
+	if k.ChildSubnet.IsValid() && k.ChildSubnet.Bits() < k.Subnet.Bits() {
+		k.ChildSubnet = k.Subnet
+	}
+
+	err = aSpace.allocateSubnet(k.Subnet, k.ChildSubnet)
+	if err != nil {
+		return ipamapi.AllocatedPool{}, types.ForbiddenErrorf("invalid pool request: %v", err)
+	}
+
+	return ipamapi.AllocatedPool{PoolID: k.String(), Pool: k.Subnet}, nil
+}
+
+// ReleasePool releases the address pool identified by the passed id
+func (a *Allocator) ReleasePool(poolID string) error {
+	log.G(context.TODO()).Debugf("ReleasePool(%s)", poolID)
+	k, err := PoolIDFromString(poolID)
+	if err != nil {
+		return types.InvalidParameterErrorf("invalid pool id: %s", poolID)
+	}
+
+	aSpace, err := a.getAddrSpace(k.AddressSpace, k.Is6())
+	if err != nil {
+		return err
+	}
+
+	return aSpace.releaseSubnet(k.Subnet, k.ChildSubnet)
+}
+
+// Given the address space, returns the local or global PoolConfig based on whether the
+// address space is local or global. AddressSpace locality is registered with IPAM out of band.
+func (a *Allocator) getAddrSpace(as string, v6 bool) (*addrSpace, error) {
+	switch as {
+	case localAddressSpace:
+		if v6 {
+			return a.local6, nil
+		}
+		return a.local4, nil
+	case globalAddressSpace:
+		if v6 {
+			return a.global6, nil
+		}
+		return a.global4, nil
+	}
+	return nil, types.InvalidParameterErrorf("cannot find address space %s", as)
+}
+
+func newPoolData(pool netip.Prefix) *PoolData {
+	ones, bits := pool.Bits(), pool.Addr().BitLen()
+	numAddresses := uint64(1 << uint(bits-ones))
+
+	// Allow /64 subnet
+	if pool.Addr().Is6() && numAddresses == 0 {
+		numAddresses--
+	}
+
+	// Generate the new address masks.
+	h := bitmap.New(numAddresses)
+
+	// Pre-reserve the network address on IPv4 networks large
+	// enough to have one (i.e., anything bigger than a /31.
+	if !(pool.Addr().Is4() && numAddresses <= 2) {
+		h.Set(0)
+	}
+
+	// Pre-reserve the broadcast address on IPv4 networks large
+	// enough to have one (i.e., anything bigger than a /31).
+	if pool.Addr().Is4() && numAddresses > 2 {
+		h.Set(numAddresses - 1)
+	}
+
+	return &PoolData{addrs: h, children: map[netip.Prefix]struct{}{}}
+}
+
+// RequestAddress returns an address from the specified pool ID
+func (a *Allocator) RequestAddress(poolID string, prefAddress net.IP, opts map[string]string) (*net.IPNet, map[string]string, error) {
+	log.G(context.TODO()).Debugf("RequestAddress(%s, %v, %v)", poolID, prefAddress, opts)
+	k, err := PoolIDFromString(poolID)
+	if err != nil {
+		return nil, nil, types.InvalidParameterErrorf("invalid pool id: %s", poolID)
+	}
+
+	aSpace, err := a.getAddrSpace(k.AddressSpace, k.Is6())
+	if err != nil {
+		return nil, nil, err
+	}
+	var pref netip.Addr
+	if prefAddress != nil {
+		var ok bool
+		pref, ok = netip.AddrFromSlice(prefAddress)
+		if !ok {
+			return nil, nil, types.InvalidParameterErrorf("invalid preferred address: %v", prefAddress)
+		}
+	}
+	p, err := aSpace.requestAddress(k.Subnet, k.ChildSubnet, pref.Unmap(), opts)
+	if err != nil {
+		return nil, nil, err
+	}
+	return &net.IPNet{
+		IP:   p.AsSlice(),
+		Mask: net.CIDRMask(k.Subnet.Bits(), k.Subnet.Addr().BitLen()),
+	}, nil, nil
+}
+
+// ReleaseAddress releases the address from the specified pool ID
+func (a *Allocator) ReleaseAddress(poolID string, address net.IP) error {
+	log.G(context.TODO()).Debugf("ReleaseAddress(%s, %v)", poolID, address)
+	k, err := PoolIDFromString(poolID)
+	if err != nil {
+		return types.InvalidParameterErrorf("invalid pool id: %s", poolID)
+	}
+
+	aSpace, err := a.getAddrSpace(k.AddressSpace, k.Is6())
+	if err != nil {
+		return err
+	}
+
+	addr, ok := netip.AddrFromSlice(address)
+	if !ok {
+		return types.InvalidParameterErrorf("invalid address: %v", address)
+	}
+
+	return aSpace.releaseAddress(k.Subnet, k.ChildSubnet, addr.Unmap())
+}
+
+func getAddress(base netip.Prefix, bitmask *bitmap.Bitmap, prefAddress netip.Addr, ipr netip.Prefix, serial bool) (netip.Addr, error) {
+	var (
+		ordinal uint64
+		err     error
+	)
+
+	log.G(context.TODO()).Debugf("Request address PoolID:%v %s Serial:%v PrefAddress:%v ", base, bitmask, serial, prefAddress)
+
+	if bitmask.Unselected() == 0 {
+		return netip.Addr{}, ipamapi.ErrNoAvailableIPs
+	}
+	if ipr == (netip.Prefix{}) && prefAddress == (netip.Addr{}) {
+		ordinal, err = bitmask.SetAny(serial)
+	} else if prefAddress != (netip.Addr{}) {
+		ordinal = netiputil.HostID(prefAddress, uint(base.Bits()))
+		err = bitmask.Set(ordinal)
+	} else {
+		start, end := netiputil.SubnetRange(base, ipr)
+		ordinal, err = bitmask.SetAnyInRange(start, end, serial)
+	}
+
+	switch err {
+	case nil:
+		// Convert IP ordinal for this subnet into IP address
+		return ipbits.Add(base.Addr(), ordinal, 0), nil
+	case bitmap.ErrBitAllocated:
+		return netip.Addr{}, ipamapi.ErrIPAlreadyAllocated
+	case bitmap.ErrNoBitAvailable:
+		return netip.Addr{}, ipamapi.ErrNoAvailableIPs
+	default:
+		return netip.Addr{}, err
+	}
+}
+
+// IsBuiltIn returns true for builtin drivers
+func (a *Allocator) IsBuiltIn() bool {
+	return true
+}
diff --git a/libnetwork/ipam/allocator_test.go b/libnetwork/ipams/defaultipam/allocator_test.go
similarity index 73%
rename from libnetwork/ipam/allocator_test.go
rename to libnetwork/ipams/defaultipam/allocator_test.go
index 5339f79..29e4cc7 100644
--- a/libnetwork/ipam/allocator_test.go
+++ b/libnetwork/ipams/defaultipam/allocator_test.go
@@ -1,4 +1,4 @@
-package ipam
+package defaultipam
 
 import (
 	"context"
@@ -14,6 +14,7 @@
 	"time"
 
 	"github.com/docker/docker/libnetwork/bitmap"
+	"github.com/docker/docker/libnetwork/internal/netiputil"
 	"github.com/docker/docker/libnetwork/ipamapi"
 	"github.com/docker/docker/libnetwork/ipamutils"
 	"github.com/docker/docker/libnetwork/types"
@@ -58,55 +59,55 @@
 		t.Fatal(err)
 	}
 
-	pid0, _, _, err := a.RequestPool(localAddressSpace, "10.0.0.0/8", "", nil, false)
+	alloc1, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8"})
 	if err != nil {
 		t.Fatal("Unexpected failure in adding subnet")
 	}
 
-	pid1, _, _, err := a.RequestPool(globalAddressSpace, "10.0.0.0/8", "", nil, false)
+	alloc2, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: globalAddressSpace, Pool: "10.0.0.0/8"})
 	if err != nil {
 		t.Fatalf("Unexpected failure in adding overlapping subnets to different address spaces: %v", err)
 	}
 
-	if pid0 == pid1 {
+	if alloc1.PoolID == alloc2.PoolID {
 		t.Fatal("returned same pool id for same subnets in different namespaces")
 	}
 
-	_, _, _, err = a.RequestPool(globalAddressSpace, "10.0.0.0/8", "", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: globalAddressSpace, Pool: "10.0.0.0/8"})
 	if err == nil {
 		t.Fatalf("Expected failure requesting existing subnet")
 	}
 
-	_, _, _, err = a.RequestPool(globalAddressSpace, "10.128.0.0/9", "", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: globalAddressSpace, Pool: "10.128.0.0/9"})
 	if err == nil {
 		t.Fatal("Expected failure on adding overlapping base subnet")
 	}
 
-	_, _, _, err = a.RequestPool(globalAddressSpace, "10.0.0.0/8", "10.128.0.0/9", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: globalAddressSpace, Pool: "10.0.0.0/8", SubPool: "10.128.0.0/9"})
 	if err != nil {
 		t.Fatalf("Unexpected failure on adding sub pool: %v", err)
 	}
-	_, _, _, err = a.RequestPool(globalAddressSpace, "10.0.0.0/8", "10.128.0.0/9", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: globalAddressSpace, Pool: "10.0.0.0/8", SubPool: "10.128.0.0/9"})
 	if err == nil {
 		t.Fatalf("Expected failure on adding overlapping sub pool")
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "10.20.2.0/24", "", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.20.2.0/24"})
 	if err == nil {
 		t.Fatal("Failed to detect overlapping subnets")
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "10.128.0.0/9", "", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.128.0.0/9"})
 	if err == nil {
 		t.Fatal("Failed to detect overlapping subnets")
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "1003:1:2:3:4:5:6::/112", "", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "1003:1:2:3:4:5:6::/112"})
 	if err != nil {
 		t.Fatalf("Failed to add v6 subnet: %s", err.Error())
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "1003:1:2:3::/64", "", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "1003:1:2:3::/64"})
 	if err == nil {
 		t.Fatal("Failed to detect overlapping v6 subnet")
 	}
@@ -118,13 +119,13 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	pid0, _, _, err := a.RequestPool(localAddressSpace, "10.0.0.0/8", "", nil, false)
+	alloc1, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8"})
 	assert.NilError(t, err)
 
-	err = a.ReleasePool(pid0)
+	err = a.ReleasePool(alloc1.PoolID)
 	assert.NilError(t, err)
 
-	err = a.ReleasePool(pid0)
+	err = a.ReleasePool(alloc1.PoolID)
 	assert.Check(t, is.ErrorContains(err, ""))
 }
 
@@ -132,21 +133,21 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	_, err = a.getAddrSpace(localAddressSpace)
+	_, err = a.getAddrSpace(localAddressSpace, false)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	pid0, _, _, err := a.RequestPool(localAddressSpace, "10.0.0.0/8", "", nil, false)
+	alloc1, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8"})
 	if err != nil {
 		t.Fatalf("Unexpected failure in adding pool: %v", err)
 	}
-	k0, err := PoolIDFromString(pid0)
+	k0, err := PoolIDFromString(alloc1.PoolID)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	aSpace, err := a.getAddrSpace(localAddressSpace)
+	aSpace, err := a.getAddrSpace(localAddressSpace, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -155,20 +156,20 @@
 		t.Errorf("Unexpected autoRelease value for %s: %v", k0, got)
 	}
 
-	pid1, _, _, err := a.RequestPool(localAddressSpace, "10.0.0.0/8", "10.0.0.0/16", nil, false)
+	alloc2, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8", SubPool: "10.0.0.0/16"})
 	if err != nil {
 		t.Fatalf("Unexpected failure in adding sub pool: %v", err)
 	}
-	k1, err := PoolIDFromString(pid1)
+	k1, err := PoolIDFromString(alloc2.PoolID)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	if pid0 == pid1 {
-		t.Fatalf("Incorrect poolIDs returned %s, %s", pid0, pid1)
+	if alloc1.PoolID == alloc2.PoolID {
+		t.Fatalf("Incorrect poolIDs returned %s, %s", alloc1.PoolID, alloc2.PoolID)
 	}
 
-	aSpace, err = a.getAddrSpace(localAddressSpace)
+	aSpace, err = a.getAddrSpace(localAddressSpace, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -177,12 +178,12 @@
 		t.Errorf("Unexpected autoRelease value for %s: %v", k1, got)
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "10.0.0.0/8", "10.0.0.0/16", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8", SubPool: "10.0.0.0/16"})
 	if err == nil {
 		t.Fatalf("Expected failure in adding sub pool: %v", err)
 	}
 
-	aSpace, err = a.getAddrSpace(localAddressSpace)
+	aSpace, err = a.getAddrSpace(localAddressSpace, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -191,11 +192,11 @@
 		t.Errorf("Unexpected autoRelease value for %s: %v", k0, got)
 	}
 
-	if err := a.ReleasePool(pid1); err != nil {
+	if err := a.ReleasePool(alloc2.PoolID); err != nil {
 		t.Fatal(err)
 	}
 
-	aSpace, err = a.getAddrSpace(localAddressSpace)
+	aSpace, err = a.getAddrSpace(localAddressSpace, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -203,7 +204,7 @@
 	if got := aSpace.subnets[k0.Subnet].autoRelease; got != false {
 		t.Errorf("Unexpected autoRelease value for %s: %v", k0, got)
 	}
-	if err := a.ReleasePool(pid0); err != nil {
+	if err := a.ReleasePool(alloc1.PoolID); err != nil {
 		t.Error(err)
 	}
 
@@ -211,15 +212,15 @@
 		t.Error("Pool should have been deleted when released")
 	}
 
-	pid00, _, _, err := a.RequestPool(localAddressSpace, "10.0.0.0/8", "", nil, false)
+	alloc10, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8"})
 	if err != nil {
 		t.Errorf("Unexpected failure in adding pool: %v", err)
 	}
-	if pid00 != pid0 {
-		t.Errorf("main pool should still exist. Got poolID %q, want %q", pid00, pid0)
+	if alloc10.PoolID != alloc1.PoolID {
+		t.Errorf("main pool should still exist. Got poolID %q, want %q", alloc10.PoolID, alloc1.PoolID)
 	}
 
-	aSpace, err = a.getAddrSpace(localAddressSpace)
+	aSpace, err = a.getAddrSpace(localAddressSpace, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -228,11 +229,11 @@
 		t.Errorf("Unexpected autoRelease value for %s: %v", k0, got)
 	}
 
-	if err := a.ReleasePool(pid00); err != nil {
+	if err := a.ReleasePool(alloc10.PoolID); err != nil {
 		t.Error(err)
 	}
 
-	aSpace, err = a.getAddrSpace(localAddressSpace)
+	aSpace, err = a.getAddrSpace(localAddressSpace, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -241,12 +242,12 @@
 		t.Errorf("Base pool %s is still present: %v", k0, bp)
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "10.0.0.0/8", "", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8"})
 	if err != nil {
 		t.Errorf("Unexpected failure in adding pool: %v", err)
 	}
 
-	aSpace, err = a.getAddrSpace(localAddressSpace)
+	aSpace, err = a.getAddrSpace(localAddressSpace, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -260,25 +261,25 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	pid, nw, _, err := a.RequestPool(localAddressSpace, "", "", nil, false)
+	alloc1, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace})
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	pid2, nw2, _, err := a.RequestPool(localAddressSpace, "", "", nil, false)
+	alloc2, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace})
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	if types.CompareIPNet(nw, nw2) {
-		t.Fatalf("Unexpected default network returned: %s = %s", nw2, nw)
+	if alloc1.Pool == alloc2.Pool {
+		t.Fatalf("Unexpected default network returned: %s = %s", alloc2.Pool, alloc1.Pool)
 	}
 
-	if err := a.ReleasePool(pid); err != nil {
+	if err := a.ReleasePool(alloc1.PoolID); err != nil {
 		t.Fatal(err)
 	}
 
-	if err := a.ReleasePool(pid2); err != nil {
+	if err := a.ReleasePool(alloc2.PoolID); err != nil {
 		t.Fatal(err)
 	}
 }
@@ -287,32 +288,29 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	input := []struct {
-		addrSpace string
-		subnet    string
-		v6        bool
-	}{
-		{localAddressSpace, "192.168.0.0/16", false},
-		{localAddressSpace, "172.17.0.0/16", false},
-		{localAddressSpace, "10.0.0.0/8", false},
-		{localAddressSpace, "2001:db8:1:2:3:4:ffff::/112", false},
-		{globalAddressSpace, "172.17.0.0/16", false},
-		{globalAddressSpace, "10.0.0.0/8", false},
-		{globalAddressSpace, "2001:db8:1:2:3:4:5::/112", true},
-		{globalAddressSpace, "2001:db8:1:2:3:4:ffff::/112", true},
+	reqs := []ipamapi.PoolRequest{
+		{AddressSpace: localAddressSpace, Pool: "192.168.0.0/16"},
+		{AddressSpace: localAddressSpace, Pool: "172.17.0.0/16"},
+		{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8"},
+		{AddressSpace: localAddressSpace, Pool: "2001:db8:1:2:3:4:ffff::/112", V6: true},
+		{AddressSpace: globalAddressSpace, Pool: "172.17.0.0/16"},
+		{AddressSpace: globalAddressSpace, Pool: "10.0.0.0/8"},
+		{AddressSpace: globalAddressSpace, Pool: "2001:db8:1:2:3:4:5::/112", V6: true},
+		{AddressSpace: globalAddressSpace, Pool: "2001:db8:1:2:3:4:ffff::/112", V6: true},
 	}
+	allocs := make([]ipamapi.AllocatedPool, 0, len(reqs))
 
-	poolIDs := make([]string, len(input))
-
-	for ind, i := range input {
-		if poolIDs[ind], _, _, err = a.RequestPool(i.addrSpace, i.subnet, "", nil, i.v6); err != nil {
+	for _, req := range reqs {
+		alloc, err := a.RequestPool(req)
+		if err != nil {
 			t.Fatalf("Failed to apply input. Can't proceed: %s", err.Error())
 		}
+		allocs = append(allocs, alloc)
 	}
 
-	for ind, id := range poolIDs {
-		if err := a.ReleasePool(id); err != nil {
-			t.Fatalf("Failed to release poolID %s (%d)", id, ind)
+	for idx, alloc := range allocs {
+		if err := a.ReleasePool(alloc.PoolID); err != nil {
+			t.Fatalf("Failed to release poolID %s (%d)", alloc.PoolID, idx)
 		}
 	}
 }
@@ -321,18 +319,18 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	pid, _, _, err := a.RequestPool(localAddressSpace, "192.168.100.0/24", "", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "192.168.100.0/24"})
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	ip := net.ParseIP("192.168.100.250")
-	_, _, err = a.RequestAddress(pid, ip, nil)
+	_, _, err = a.RequestAddress(alloc.PoolID, ip, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	_, _, err = a.RequestAddress(pid, ip, nil)
+	_, _, err = a.RequestAddress(alloc.PoolID, ip, nil)
 	if err == nil {
 		t.Fatal(err)
 	}
@@ -343,15 +341,14 @@
 	assert.NilError(t, err)
 
 	// First get all pools until they are exhausted to
-	pList := []string{}
-	pool, _, _, err := a.RequestPool(localAddressSpace, "", "", nil, false)
+	allocs := []ipamapi.AllocatedPool{}
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace})
 	for err == nil {
-		pList = append(pList, pool)
-		pool, _, _, err = a.RequestPool(localAddressSpace, "", "", nil, false)
+		allocs = append(allocs, alloc)
+		alloc, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace})
 	}
-	nPools := len(pList)
-	for _, pool := range pList {
-		if err := a.ReleasePool(pool); err != nil {
+	for _, alloc := range allocs {
+		if err := a.ReleasePool(alloc.PoolID); err != nil {
 			t.Fatal(err)
 		}
 	}
@@ -360,16 +357,16 @@
 	// Verify that we don't see any repeat networks even though
 	// we have freed them.
 	seen := map[string]bool{}
-	for i := 0; i < nPools; i++ {
-		pool, nw, _, err := a.RequestPool(localAddressSpace, "", "", nil, false)
+	for range allocs {
+		alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace})
 		if err != nil {
 			t.Fatal(err)
 		}
-		if _, ok := seen[nw.String()]; ok {
-			t.Fatalf("Network %s was reused before exhausing the pool list", nw.String())
+		if _, ok := seen[alloc.Pool.String()]; ok {
+			t.Fatalf("Network %s was reused before exhausing the pool list", alloc.Pool.String())
 		}
-		seen[nw.String()] = true
-		if err := a.ReleasePool(pool); err != nil {
+		seen[alloc.Pool.String()] = true
+		if err := a.ReleasePool(alloc.PoolID); err != nil {
 			t.Fatal(err)
 		}
 	}
@@ -380,12 +377,12 @@
 	assert.NilError(t, err)
 
 	// Requesting a subpool of same size of the master pool should not cause any problem on ip allocation
-	pid, _, _, err := a.RequestPool(localAddressSpace, "172.18.0.0/16", "172.18.0.0/16", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "172.18.0.0/16", SubPool: "172.18.0.0/16"})
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	_, _, err = a.RequestAddress(pid, nil, nil)
+	_, _, err = a.RequestAddress(alloc.PoolID, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -395,7 +392,7 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	poolID, _, _, err := a.RequestPool(localAddressSpace, "172.28.0.0/16", "172.28.30.0/24", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "172.28.0.0/16", SubPool: "172.28.30.0/24"})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -404,7 +401,7 @@
 	expected := &net.IPNet{IP: net.IP{172, 28, 30, 255}, Mask: net.IPMask{255, 255, 0, 0}}
 	for err == nil {
 		var c *net.IPNet
-		if c, _, err = a.RequestAddress(poolID, nil, nil); err == nil {
+		if c, _, err = a.RequestAddress(alloc.PoolID, nil, nil); err == nil {
 			ip = c
 		}
 	}
@@ -415,28 +412,28 @@
 		t.Fatalf("Unexpected last IP from subpool. Expected: %s. Got: %v.", expected, ip)
 	}
 	rp := &net.IPNet{IP: net.IP{172, 28, 30, 97}, Mask: net.IPMask{255, 255, 0, 0}}
-	if err = a.ReleaseAddress(poolID, rp.IP); err != nil {
+	if err = a.ReleaseAddress(alloc.PoolID, rp.IP); err != nil {
 		t.Fatal(err)
 	}
-	if ip, _, err = a.RequestAddress(poolID, nil, nil); err != nil {
+	if ip, _, err = a.RequestAddress(alloc.PoolID, nil, nil); err != nil {
 		t.Fatal(err)
 	}
 	if !types.CompareIPNet(rp, ip) {
 		t.Fatalf("Unexpected IP from subpool. Expected: %s. Got: %v.", rp, ip)
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "10.0.0.0/8", "10.0.0.0/16", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8", SubPool: "10.0.0.0/16"})
 	if err != nil {
 		t.Fatal(err)
 	}
-	poolID, _, _, err = a.RequestPool(localAddressSpace, "10.0.0.0/16", "10.0.0.0/24", nil, false)
+	alloc, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/16", SubPool: "10.0.0.0/24"})
 	if err != nil {
 		t.Fatal(err)
 	}
 	expected = &net.IPNet{IP: net.IP{10, 0, 0, 255}, Mask: net.IPMask{255, 255, 0, 0}}
 	for err == nil {
 		var c *net.IPNet
-		if c, _, err = a.RequestAddress(poolID, nil, nil); err == nil {
+		if c, _, err = a.RequestAddress(alloc.PoolID, nil, nil); err == nil {
 			ip = c
 		}
 	}
@@ -447,10 +444,10 @@
 		t.Fatalf("Unexpected last IP from subpool. Expected: %s. Got: %v.", expected, ip)
 	}
 	rp = &net.IPNet{IP: net.IP{10, 0, 0, 79}, Mask: net.IPMask{255, 255, 0, 0}}
-	if err = a.ReleaseAddress(poolID, rp.IP); err != nil {
+	if err = a.ReleaseAddress(alloc.PoolID, rp.IP); err != nil {
 		t.Fatal(err)
 	}
-	if ip, _, err = a.RequestAddress(poolID, nil, nil); err != nil {
+	if ip, _, err = a.RequestAddress(alloc.PoolID, nil, nil); err != nil {
 		t.Fatal(err)
 	}
 	if !types.CompareIPNet(rp, ip) {
@@ -462,10 +459,10 @@
 	dueExp, _ := types.ParseCIDR("10.2.2.2/16")
 	treExp, _ := types.ParseCIDR("10.2.2.1/16")
 
-	if poolID, _, _, err = a.RequestPool(localAddressSpace, "10.2.0.0/16", "10.2.2.0/24", nil, false); err != nil {
+	if alloc, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.2.0.0/16", SubPool: "10.2.2.0/24"}); err != nil {
 		t.Fatal(err)
 	}
-	tre, _, err := a.RequestAddress(poolID, treExp.IP, nil)
+	tre, _, err := a.RequestAddress(alloc.PoolID, treExp.IP, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -473,7 +470,7 @@
 		t.Fatalf("Unexpected address: want %v, got %v", treExp, tre)
 	}
 
-	uno, _, err := a.RequestAddress(poolID, nil, nil)
+	uno, _, err := a.RequestAddress(alloc.PoolID, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -481,7 +478,7 @@
 		t.Fatalf("Unexpected address: %v", uno)
 	}
 
-	due, _, err := a.RequestAddress(poolID, nil, nil)
+	due, _, err := a.RequestAddress(alloc.PoolID, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -489,10 +486,10 @@
 		t.Fatalf("Unexpected address: %v", due)
 	}
 
-	if err = a.ReleaseAddress(poolID, uno.IP); err != nil {
+	if err = a.ReleaseAddress(alloc.PoolID, uno.IP); err != nil {
 		t.Fatal(err)
 	}
-	uno, _, err = a.RequestAddress(poolID, nil, nil)
+	uno, _, err = a.RequestAddress(alloc.PoolID, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -500,10 +497,10 @@
 		t.Fatalf("Unexpected address: %v", uno)
 	}
 
-	if err = a.ReleaseAddress(poolID, tre.IP); err != nil {
+	if err = a.ReleaseAddress(alloc.PoolID, tre.IP); err != nil {
 		t.Fatal(err)
 	}
-	tre, _, err = a.RequestAddress(poolID, nil, nil)
+	tre, _, err = a.RequestAddress(alloc.PoolID, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -519,7 +516,7 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	poolID, _, _, err := a.RequestPool(localAddressSpace, "172.28.0.0/16", "172.28.30.0/24", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "172.28.0.0/16", SubPool: "172.28.30.0/24"})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -528,7 +525,7 @@
 	expected := &net.IPNet{IP: net.IP{172, 28, 30, 255}, Mask: net.IPMask{255, 255, 0, 0}}
 	for err == nil {
 		var c *net.IPNet
-		if c, _, err = a.RequestAddress(poolID, nil, opts); err == nil {
+		if c, _, err = a.RequestAddress(alloc.PoolID, nil, opts); err == nil {
 			ip = c
 		}
 	}
@@ -539,28 +536,28 @@
 		t.Fatalf("Unexpected last IP from subpool. Expected: %s. Got: %v.", expected, ip)
 	}
 	rp := &net.IPNet{IP: net.IP{172, 28, 30, 97}, Mask: net.IPMask{255, 255, 0, 0}}
-	if err = a.ReleaseAddress(poolID, rp.IP); err != nil {
+	if err = a.ReleaseAddress(alloc.PoolID, rp.IP); err != nil {
 		t.Fatal(err)
 	}
-	if ip, _, err = a.RequestAddress(poolID, nil, opts); err != nil {
+	if ip, _, err = a.RequestAddress(alloc.PoolID, nil, opts); err != nil {
 		t.Fatal(err)
 	}
 	if !types.CompareIPNet(rp, ip) {
 		t.Fatalf("Unexpected IP from subpool. Expected: %s. Got: %v.", rp, ip)
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "10.0.0.0/8", "10.0.0.0/16", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/8", SubPool: "10.0.0.0/16"})
 	if err != nil {
 		t.Fatal(err)
 	}
-	poolID, _, _, err = a.RequestPool(localAddressSpace, "10.0.0.0/16", "10.0.0.0/24", nil, false)
+	alloc, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.0.0.0/16", SubPool: "10.0.0.0/24"})
 	if err != nil {
 		t.Fatal(err)
 	}
 	expected = &net.IPNet{IP: net.IP{10, 0, 0, 255}, Mask: net.IPMask{255, 255, 0, 0}}
 	for err == nil {
 		var c *net.IPNet
-		if c, _, err = a.RequestAddress(poolID, nil, opts); err == nil {
+		if c, _, err = a.RequestAddress(alloc.PoolID, nil, opts); err == nil {
 			ip = c
 		}
 	}
@@ -571,10 +568,10 @@
 		t.Fatalf("Unexpected last IP from subpool. Expected: %s. Got: %v.", expected, ip)
 	}
 	rp = &net.IPNet{IP: net.IP{10, 0, 0, 79}, Mask: net.IPMask{255, 255, 0, 0}}
-	if err = a.ReleaseAddress(poolID, rp.IP); err != nil {
+	if err = a.ReleaseAddress(alloc.PoolID, rp.IP); err != nil {
 		t.Fatal(err)
 	}
-	if ip, _, err = a.RequestAddress(poolID, nil, opts); err != nil {
+	if ip, _, err = a.RequestAddress(alloc.PoolID, nil, opts); err != nil {
 		t.Fatal(err)
 	}
 	if !types.CompareIPNet(rp, ip) {
@@ -587,10 +584,10 @@
 	treExp, _ := types.ParseCIDR("10.2.2.1/16")
 	quaExp, _ := types.ParseCIDR("10.2.2.3/16")
 	fivExp, _ := types.ParseCIDR("10.2.2.4/16")
-	if poolID, _, _, err = a.RequestPool(localAddressSpace, "10.2.0.0/16", "10.2.2.0/24", nil, false); err != nil {
+	if alloc, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "10.2.0.0/16", SubPool: "10.2.2.0/24"}); err != nil {
 		t.Fatal(err)
 	}
-	tre, _, err := a.RequestAddress(poolID, treExp.IP, opts)
+	tre, _, err := a.RequestAddress(alloc.PoolID, treExp.IP, opts)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -598,7 +595,7 @@
 		t.Fatalf("Unexpected address: want %v, got %v", treExp, tre)
 	}
 
-	uno, _, err := a.RequestAddress(poolID, nil, opts)
+	uno, _, err := a.RequestAddress(alloc.PoolID, nil, opts)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -606,7 +603,7 @@
 		t.Fatalf("Unexpected address: %v", uno)
 	}
 
-	due, _, err := a.RequestAddress(poolID, nil, opts)
+	due, _, err := a.RequestAddress(alloc.PoolID, nil, opts)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -614,10 +611,10 @@
 		t.Fatalf("Unexpected address: %v", due)
 	}
 
-	if err = a.ReleaseAddress(poolID, uno.IP); err != nil {
+	if err = a.ReleaseAddress(alloc.PoolID, uno.IP); err != nil {
 		t.Fatal(err)
 	}
-	uno, _, err = a.RequestAddress(poolID, nil, opts)
+	uno, _, err = a.RequestAddress(alloc.PoolID, nil, opts)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -625,10 +622,10 @@
 		t.Fatalf("Unexpected address: %v", uno)
 	}
 
-	if err = a.ReleaseAddress(poolID, tre.IP); err != nil {
+	if err = a.ReleaseAddress(alloc.PoolID, tre.IP); err != nil {
 		t.Fatal(err)
 	}
-	tre, _, err = a.RequestAddress(poolID, nil, opts)
+	tre, _, err = a.RequestAddress(alloc.PoolID, nil, opts)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -659,22 +656,22 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	_, _, _, err = a.RequestPool("", pool, "", nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{Pool: pool})
 	if err == nil {
 		t.Fatal("Failed to detect wrong request: empty address space")
 	}
 
-	_, _, _, err = a.RequestPool("", pool, subPool, nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{Pool: pool, SubPool: subPool})
 	if err == nil {
 		t.Fatal("Failed to detect wrong request: empty address space")
 	}
 
-	_, _, _, err = a.RequestPool(localAddressSpace, "", subPool, nil, false)
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, SubPool: subPool})
 	if err == nil {
 		t.Fatal("Failed to detect wrong request: subPool specified and no pool")
 	}
 
-	pid, _, _, err := a.RequestPool(localAddressSpace, pool, subPool, nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: pool, SubPool: subPool})
 	if err != nil {
 		t.Fatalf("Unexpected failure: %v", err)
 	}
@@ -685,13 +682,13 @@
 	}
 
 	ip := net.ParseIP("172.17.0.23")
-	_, _, err = a.RequestAddress(pid, ip, nil)
+	_, _, err = a.RequestAddress(alloc.PoolID, ip, nil)
 	if err == nil {
 		t.Fatal("Failed to detect wrong request: requested IP from different subnet")
 	}
 
 	ip = net.ParseIP("192.168.0.50")
-	_, _, err = a.RequestAddress(pid, ip, nil)
+	_, _, err = a.RequestAddress(alloc.PoolID, ip, nil)
 	if err != nil {
 		t.Fatalf("Unexpected failure: %v", err)
 	}
@@ -701,14 +698,14 @@
 		t.Fatal("Failed to detect wrong request: no pool id specified")
 	}
 
-	err = a.ReleaseAddress(pid, nil)
+	err = a.ReleaseAddress(alloc.PoolID, nil)
 	if err == nil {
 		t.Fatal("Failed to detect wrong request: no pool id specified")
 	}
 
-	err = a.ReleaseAddress(pid, ip)
+	err = a.ReleaseAddress(alloc.PoolID, ip)
 	if err != nil {
-		t.Fatalf("Unexpected failure: %v: %s, %s", err, pid, ip)
+		t.Fatalf("Unexpected failure: %v: %s, %s", err, alloc.PoolID, ip)
 	}
 }
 
@@ -807,12 +804,12 @@
 
 		// Set up some existing allocations.  This should always succeed.
 		for _, env := range tc.environment {
-			_, _, _, err = a.RequestPool(localAddressSpace, env, "", nil, false)
+			_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: env})
 			assert.NilError(t, err)
 		}
 
 		// Make the test allocation.
-		_, _, _, err = a.RequestPool(localAddressSpace, tc.subnet, "", nil, false)
+		_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: tc.subnet})
 		if tc.ok {
 			assert.NilError(t, err)
 		} else {
@@ -848,7 +845,7 @@
 	// IPv4 /31 blocks.  See RFC 3021.
 	//
 
-	pool, _, _, err := allocator.RequestPool(localAddressSpace, subnet, "", nil, false)
+	alloc, err := allocator.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: subnet})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -856,7 +853,7 @@
 	// Outside-the-range
 
 	for _, outside := range outsideTheRangeAddresses {
-		_, _, errx := allocator.RequestAddress(pool, net.ParseIP(outside.address), nil)
+		_, _, errx := allocator.RequestAddress(alloc.PoolID, net.ParseIP(outside.address), nil)
 		if errx != ipamapi.ErrIPOutOfRange {
 			t.Fatalf("Address %s failed to throw expected error: %s", outside.address, errx.Error())
 		}
@@ -865,7 +862,7 @@
 	// Should get just these two IPs followed by exhaustion on the next request
 
 	for _, expected := range expectedAddresses {
-		got, _, errx := allocator.RequestAddress(pool, nil, nil)
+		got, _, errx := allocator.RequestAddress(alloc.PoolID, nil, nil)
 		if errx != nil {
 			t.Fatalf("Failed to obtain the address: %s", errx.Error())
 		}
@@ -876,7 +873,7 @@
 		}
 	}
 
-	_, _, err = allocator.RequestAddress(pool, nil, nil)
+	_, _, err = allocator.RequestAddress(alloc.PoolID, nil, nil)
 	if err != ipamapi.ErrNoAvailableIPs {
 		t.Fatal("Did not get expected error when pool is exhausted.")
 	}
@@ -888,14 +885,14 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	pid, _, _, err := a.RequestPool(localAddressSpace, subnet, "", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: subnet})
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	// Allocate all addresses
 	for err != ipamapi.ErrNoAvailableIPs {
-		_, _, err = a.RequestAddress(pid, nil, nil)
+		_, _, err = a.RequestAddress(alloc.PoolID, nil, nil)
 	}
 
 	toRelease := []struct {
@@ -928,13 +925,13 @@
 	// One by one, release the address and request again. We should get the same IP
 	for i, inp := range toRelease {
 		ip0 := net.ParseIP(inp.address)
-		a.ReleaseAddress(pid, ip0)
-		bm := a.local.subnets[netip.MustParsePrefix(subnet)].addrs
+		a.ReleaseAddress(alloc.PoolID, ip0)
+		bm := a.local4.subnets[netip.MustParsePrefix(subnet)].addrs
 		if bm.Unselected() != 1 {
 			t.Fatalf("Failed to update free address count after release. Expected %d, Found: %d", i+1, bm.Unselected())
 		}
 
-		nw, _, err := a.RequestAddress(pid, nil, nil)
+		nw, _, err := a.RequestAddress(alloc.PoolID, nil, nil)
 		if err != nil {
 			t.Fatalf("Failed to obtain the address: %s", err.Error())
 		}
@@ -988,7 +985,7 @@
 	a, err := NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), ipamutils.GetGlobalScopeDefaultNetworks())
 	assert.NilError(t, err)
 
-	pid, _, _, err := a.RequestPool(localAddressSpace, subnet, "", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: subnet})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -996,7 +993,7 @@
 	i := 0
 	start := time.Now()
 	for ; i < numReq; i++ {
-		nw, _, err = a.RequestAddress(pid, nil, nil)
+		nw, _, err = a.RequestAddress(alloc.PoolID, nil, nil)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -1011,9 +1008,9 @@
 }
 
 func benchmarkRequest(b *testing.B, a *Allocator, subnet string) {
-	pid, _, _, err := a.RequestPool(localAddressSpace, subnet, "", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: subnet})
 	for err != ipamapi.ErrNoAvailableIPs {
-		_, _, err = a.RequestAddress(pid, nil, nil)
+		_, _, err = a.RequestAddress(alloc.PoolID, nil, nil)
 	}
 }
 
@@ -1046,7 +1043,7 @@
 		t.Fatal(err)
 	}
 
-	pid, _, _, err := a.RequestPool(localAddressSpace, pool, subPool, nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: pool, SubPool: subPool})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1055,7 +1052,7 @@
 	indices := make(map[int]*net.IPNet, num)
 	allocated := make(map[string]bool, num)
 	for i := 0; i < num; i++ {
-		ip, _, err := a.RequestAddress(pid, nil, nil)
+		ip, _, err := a.RequestAddress(alloc.PoolID, nil, nil)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -1078,7 +1075,7 @@
 	for i := 0; i < num/2; i++ {
 		idx := pattern[i]
 		ip := indices[idx]
-		err := a.ReleaseAddress(pid, ip.IP)
+		err := a.ReleaseAddress(alloc.PoolID, ip.IP)
 		if err != nil {
 			t.Fatalf("Unexpected failure on deallocation of %s: %v.\nSeed: %d.", ip, err, seed)
 		}
@@ -1088,7 +1085,7 @@
 
 	// Request a quarter of addresses
 	for i := 0; i < num/2; i++ {
-		ip, _, err := a.RequestAddress(pid, nil, nil)
+		ip, _, err := a.RequestAddress(alloc.PoolID, nil, nil)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -1148,7 +1145,8 @@
 		defer done.Done()
 	}
 
-	_, pools[instance], _, err = allocator.RequestPool(localAddressSpace, "", "", nil, false)
+	alloc, err := allocator.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace})
+	pools[instance] = netiputil.ToIPNet(alloc.Pool)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1183,7 +1181,7 @@
 	}
 	var l sync.Mutex
 
-	poolID, _, _, err := a.RequestPool(localAddressSpace, "198.168.0.0/23", "", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: "198.168.0.0/23"})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1203,7 +1201,7 @@
 				break outer
 			default:
 			}
-			if c, _, err = a.RequestAddress(poolID, nil, opts); err == nil {
+			if c, _, err = a.RequestAddress(alloc.PoolID, nil, opts); err == nil {
 				break
 			}
 			// No addresses available. Spin until one is.
@@ -1236,7 +1234,7 @@
 				l.Lock()
 				ips = append(ips, IP{ip, -1})
 				l.Unlock()
-				return a.ReleaseAddress(poolID, ip.IP)
+				return a.ReleaseAddress(alloc.PoolID, ip.IP)
 			})
 		}
 	}
diff --git a/libnetwork/ipam/parallel_test.go b/libnetwork/ipams/defaultipam/parallel_test.go
similarity index 95%
rename from libnetwork/ipam/parallel_test.go
rename to libnetwork/ipams/defaultipam/parallel_test.go
index d34a859..1312e30 100644
--- a/libnetwork/ipam/parallel_test.go
+++ b/libnetwork/ipams/defaultipam/parallel_test.go
@@ -1,4 +1,4 @@
-package ipam
+package defaultipam
 
 import (
 	"context"
@@ -45,7 +45,7 @@
 	// total ips 2^(32-mask) - 2 (network and broadcast)
 	totalIps := 1<<uint(32-mask) - 2
 
-	pid, _, _, err := a.RequestPool(localAddressSpace, network, "", nil, false)
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace, Pool: network})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -55,7 +55,7 @@
 		opts:   options,
 		ipList: make([]*net.IPNet, 0, totalIps),
 		ipMap:  make(map[string]bool),
-		pid:    pid,
+		pid:    alloc.PoolID,
 		maxIP:  totalIps,
 	}
 }
@@ -93,21 +93,21 @@
 
 	for i := 0; i < 120; i++ {
 		group.Go(func() error {
-			name, _, _, err := a.RequestPool("GlobalDefault", "", "", nil, false)
+			alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: "GlobalDefault"})
 			if err != nil {
 				t.Log(err) // log so we can see the error in real time rather than at the end when we actually call "Wait".
 				return fmt.Errorf("request error %v", err)
 			}
 			idx := atomic.AddInt32(&operationIndex, 1)
-			ch <- &op{idx, true, name}
+			ch <- &op{idx, true, alloc.PoolID}
 			time.Sleep(time.Duration(rand.Intn(100)) * time.Millisecond)
 			idx = atomic.AddInt32(&operationIndex, 1)
-			err = a.ReleasePool(name)
+			err = a.ReleasePool(alloc.PoolID)
 			if err != nil {
 				t.Log(err) // log so we can see the error in real time rather than at the end when we actually call "Wait".
 				return fmt.Errorf("release error %v", err)
 			}
-			ch <- &op{idx, false, name}
+			ch <- &op{idx, false, alloc.PoolID}
 			return nil
 		})
 	}
diff --git a/libnetwork/ipams/defaultipam/structures.go b/libnetwork/ipams/defaultipam/structures.go
new file mode 100644
index 0000000..37deed6
--- /dev/null
+++ b/libnetwork/ipams/defaultipam/structures.go
@@ -0,0 +1,74 @@
+package defaultipam
+
+import (
+	"fmt"
+	"net/netip"
+	"strings"
+
+	"github.com/docker/docker/libnetwork/bitmap"
+	"github.com/docker/docker/libnetwork/types"
+)
+
+// PoolID is the pointer to the configured pools in each address space
+type PoolID struct {
+	AddressSpace string
+	SubnetKey
+}
+
+// PoolData contains the configured pool data
+type PoolData struct {
+	addrs    *bitmap.Bitmap
+	children map[netip.Prefix]struct{}
+
+	// Whether to implicitly release the pool once it no longer has any children.
+	autoRelease bool
+}
+
+// SubnetKey is the composite key to an address pool within an address space.
+type SubnetKey struct {
+	Subnet, ChildSubnet netip.Prefix
+}
+
+func (k SubnetKey) Is6() bool {
+	return k.Subnet.Addr().Is6()
+}
+
+// PoolIDFromString creates a new PoolID and populates the SubnetKey object
+// reading it from the given string.
+func PoolIDFromString(str string) (pID PoolID, err error) {
+	if str == "" {
+		return pID, types.InvalidParameterErrorf("invalid string form for subnetkey: %s", str)
+	}
+
+	p := strings.Split(str, "/")
+	if len(p) != 3 && len(p) != 5 {
+		return pID, types.InvalidParameterErrorf("invalid string form for subnetkey: %s", str)
+	}
+	pID.AddressSpace = p[0]
+	pID.Subnet, err = netip.ParsePrefix(p[1] + "/" + p[2])
+	if err != nil {
+		return pID, types.InvalidParameterErrorf("invalid string form for subnetkey: %s", str)
+	}
+	if len(p) == 5 {
+		pID.ChildSubnet, err = netip.ParsePrefix(p[3] + "/" + p[4])
+		if err != nil {
+			return pID, types.InvalidParameterErrorf("invalid string form for subnetkey: %s", str)
+		}
+	}
+
+	return pID, nil
+}
+
+// String returns the string form of the SubnetKey object
+func (s *PoolID) String() string {
+	if s.ChildSubnet == (netip.Prefix{}) {
+		return s.AddressSpace + "/" + s.Subnet.String()
+	} else {
+		return s.AddressSpace + "/" + s.Subnet.String() + "/" + s.ChildSubnet.String()
+	}
+}
+
+// String returns the string form of the PoolData object
+func (p *PoolData) String() string {
+	return fmt.Sprintf("PoolData[Children: %d]", len(p.children))
+}
diff --git a/libnetwork/ipams/drivers.go b/libnetwork/ipams/drivers.go
new file mode 100644
index 0000000..f9232ad
--- /dev/null
+++ b/libnetwork/ipams/drivers.go
@@ -0,0 +1,31 @@
+package ipams
+
+import (
+	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
+	"github.com/docker/docker/libnetwork/ipams/null"
+	remoteIpam "github.com/docker/docker/libnetwork/ipams/remote"
+	"github.com/docker/docker/libnetwork/ipams/windowsipam"
+	"github.com/docker/docker/libnetwork/ipamutils"
+	"github.com/docker/docker/pkg/plugingetter"
+)
+
+// Register registers all the builtin drivers (ie. default, windowsipam, null
+// and remote). If 'pg' is nil, the remote driver won't be registered.
+func Register(r ipamapi.Registerer, pg plugingetter.PluginGetter, lAddrPools, gAddrPools []*ipamutils.NetworkToSplit) error {
+	if err := defaultipam.Register(r, lAddrPools, gAddrPools); err != nil {
+		return err
+	}
+	if err := windowsipam.Register(r); err != nil {
+		return err
+	}
+	if err := null.Register(r); err != nil {
+		return err
+	}
+	if pg != nil {
+		if err := remoteIpam.Register(r, pg); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/libnetwork/ipams/null/null.go b/libnetwork/ipams/null/null.go
index 9e59684..7be5763 100644
--- a/libnetwork/ipams/null/null.go
+++ b/libnetwork/ipams/null/null.go
@@ -4,18 +4,22 @@
 
 import (
 	"net"
+	"net/netip"
 
 	"github.com/docker/docker/libnetwork/ipamapi"
 	"github.com/docker/docker/libnetwork/types"
 )
 
 const (
+	// DriverName is the name of the built-in null ipam driver
+	DriverName = "null"
+
 	defaultAddressSpace = "null"
 	defaultPoolCIDR     = "0.0.0.0/0"
 	defaultPoolID       = defaultAddressSpace + "/" + defaultPoolCIDR
 )
 
-var defaultPool, _ = types.ParseCIDR(defaultPoolCIDR)
+var defaultPool = netip.MustParsePrefix(defaultPoolCIDR)
 
 type allocator struct{}
 
@@ -23,20 +27,23 @@
 	return defaultAddressSpace, defaultAddressSpace, nil
 }
 
-func (a *allocator) RequestPool(addressSpace, requestedPool, requestedSubPool string, _ map[string]string, v6 bool) (string, *net.IPNet, map[string]string, error) {
-	if addressSpace != defaultAddressSpace {
-		return "", nil, nil, types.InvalidParameterErrorf("unknown address space: %s", addressSpace)
+func (a *allocator) RequestPool(req ipamapi.PoolRequest) (ipamapi.AllocatedPool, error) {
+	if req.AddressSpace != defaultAddressSpace {
+		return ipamapi.AllocatedPool{}, types.InvalidParameterErrorf("unknown address space: %s", req.AddressSpace)
 	}
-	if requestedPool != "" {
-		return "", nil, nil, types.InvalidParameterErrorf("null ipam driver does not handle specific address pool requests")
+	if req.Pool != "" {
+		return ipamapi.AllocatedPool{}, types.InvalidParameterErrorf("null ipam driver does not handle specific address pool requests")
 	}
-	if requestedSubPool != "" {
-		return "", nil, nil, types.InvalidParameterErrorf("null ipam driver does not handle specific address subpool requests")
+	if req.SubPool != "" {
+		return ipamapi.AllocatedPool{}, types.InvalidParameterErrorf("null ipam driver does not handle specific address subpool requests")
 	}
-	if v6 {
-		return "", nil, nil, types.InvalidParameterErrorf("null ipam driver does not handle IPv6 address pool requests")
+	if req.V6 {
+		return ipamapi.AllocatedPool{}, types.InvalidParameterErrorf("null ipam driver does not handle IPv6 address pool requests")
 	}
-	return defaultPoolID, defaultPool, nil, nil
+	return ipamapi.AllocatedPool{
+		PoolID: defaultPoolID,
+		Pool:   defaultPool,
+	}, nil
 }
 
 func (a *allocator) ReleasePool(poolID string) error {
@@ -63,5 +70,5 @@
 
 // Register registers the null ipam driver with r.
 func Register(r ipamapi.Registerer) error {
-	return r.RegisterIpamDriver(ipamapi.NullIPAM, &allocator{})
+	return r.RegisterIpamDriver(DriverName, &allocator{})
 }
diff --git a/libnetwork/ipams/null/null_test.go b/libnetwork/ipams/null/null_test.go
index c055b28..4c76966 100644
--- a/libnetwork/ipams/null/null_test.go
+++ b/libnetwork/ipams/null/null_test.go
@@ -3,42 +3,30 @@
 import (
 	"testing"
 
-	"github.com/docker/docker/libnetwork/types"
+	"github.com/docker/docker/libnetwork/ipamapi"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestPoolRequest(t *testing.T) {
 	a := allocator{}
 
-	pid, pool, _, err := a.RequestPool(defaultAddressSpace, "", "", nil, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !types.CompareIPNet(defaultPool, pool) {
-		t.Fatalf("Unexpected pool returned. Expected %v. Got: %v", defaultPool, pool)
-	}
-	if pid != defaultPoolID {
-		t.Fatalf("Unexpected pool id returned. Expected: %s. Got: %s", defaultPoolID, pid)
-	}
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: defaultAddressSpace})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(alloc.PoolID, defaultPoolID))
+	assert.Check(t, is.Equal(alloc.Pool, defaultPool))
 
-	_, _, _, err = a.RequestPool("default", "", "", nil, false)
-	if err == nil {
-		t.Fatal("Unexpected success")
-	}
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: "default"})
+	assert.ErrorContains(t, err, "unknown address space: default")
 
-	_, _, _, err = a.RequestPool(defaultAddressSpace, "192.168.0.0/16", "", nil, false)
-	if err == nil {
-		t.Fatal("Unexpected success")
-	}
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: defaultAddressSpace, Pool: "192.168.0.0/16"})
+	assert.ErrorContains(t, err, "null ipam driver does not handle specific address pool requests")
 
-	_, _, _, err = a.RequestPool(defaultAddressSpace, "", "192.168.0.0/24", nil, false)
-	if err == nil {
-		t.Fatal("Unexpected success")
-	}
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: defaultAddressSpace, SubPool: "192.168.0.0/24"})
+	assert.ErrorContains(t, err, "null ipam driver does not handle specific address subpool requests")
 
-	_, _, _, err = a.RequestPool(defaultAddressSpace, "", "", nil, true)
-	if err == nil {
-		t.Fatal("Unexpected success")
-	}
+	_, err = a.RequestPool(ipamapi.PoolRequest{AddressSpace: defaultAddressSpace, V6: true})
+	assert.ErrorContains(t, err, "null ipam driver does not handle IPv6 address pool requests")
 }
 
 func TestOtherRequests(t *testing.T) {
diff --git a/libnetwork/ipams/remote/remote.go b/libnetwork/ipams/remote/remote.go
index 0eef543..4ddadc9 100644
--- a/libnetwork/ipams/remote/remote.go
+++ b/libnetwork/ipams/remote/remote.go
@@ -4,6 +4,7 @@
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/libnetwork/ipamapi"
@@ -116,14 +117,25 @@
 }
 
 // RequestPool requests an address pool in the specified address space
-func (a *allocator) RequestPool(addressSpace, requestedPool, requestedSubPool string, options map[string]string, v6 bool) (string, *net.IPNet, map[string]string, error) {
-	req := &api.RequestPoolRequest{AddressSpace: addressSpace, Pool: requestedPool, SubPool: requestedSubPool, Options: options, V6: v6}
-	res := &api.RequestPoolResponse{}
-	if err := a.call("RequestPool", req, res); err != nil {
-		return "", nil, nil, err
+func (a *allocator) RequestPool(req ipamapi.PoolRequest) (ipamapi.AllocatedPool, error) {
+	remoteReq := &api.RequestPoolRequest{
+		AddressSpace: req.AddressSpace,
+		Pool:         req.Pool,
+		SubPool:      req.SubPool,
+		Options:      req.Options,
+		V6:           req.V6,
 	}
-	retPool, err := types.ParseCIDR(res.Pool)
-	return res.PoolID, retPool, res.Data, err
+	res := &api.RequestPoolResponse{}
+	if err := a.call("RequestPool", remoteReq, res); err != nil {
+		return ipamapi.AllocatedPool{}, err
+	}
+
+	retPool, err := netip.ParsePrefix(res.Pool)
+	return ipamapi.AllocatedPool{
+		PoolID: res.PoolID,
+		Pool:   retPool,
+		Meta:   res.Data,
+	}, err
 }
 
 // ReleasePool removes an address pool from the specified address space
diff --git a/libnetwork/ipams/remote/remote_test.go b/libnetwork/ipams/remote/remote_test.go
index af4943a..f438c32 100644
--- a/libnetwork/ipams/remote/remote_test.go
+++ b/libnetwork/ipams/remote/remote_test.go
@@ -14,6 +14,8 @@
 
 	"github.com/docker/docker/libnetwork/ipamapi"
 	"github.com/docker/docker/pkg/plugins"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 func decodeToMap(r *http.Request) (res map[string]interface{}, err error) {
@@ -248,72 +250,51 @@
 	d := newAllocator(plugin, client)
 
 	l, g, err := d.(*allocator).GetDefaultAddressSpaces()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if l != "white" || g != "blue" {
-		t.Fatalf("Unexpected default local/global address spaces: %s, %s", l, g)
-	}
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(l, "white"))
+	assert.Check(t, is.Equal(g, "blue"))
 
 	// Request any pool
-	poolID, pool, _, err := d.RequestPool("white", "", "", nil, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if poolID != "white/172.18.0.0/16" {
-		t.Fatalf("Unexpected pool id: %s", poolID)
-	}
-	if pool == nil || pool.String() != "172.18.0.0/16" {
-		t.Fatalf("Unexpected pool: %s", pool)
-	}
+	alloc, err := d.RequestPool(ipamapi.PoolRequest{
+		AddressSpace: "white",
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(alloc.PoolID, "white/172.18.0.0/16"))
+	assert.Check(t, is.Equal(alloc.Pool.String(), "172.18.0.0/16"))
 
 	// Request specific pool
-	poolID2, pool2, ops, err := d.RequestPool("white", "172.20.0.0/16", "", nil, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if poolID2 != "white/172.20.0.0/16" {
-		t.Fatalf("Unexpected pool id: %s", poolID2)
-	}
-	if pool2 == nil || pool2.String() != "172.20.0.0/16" {
-		t.Fatalf("Unexpected pool: %s", pool2)
-	}
-	if dns, ok := ops["DNS"]; !ok || dns != "8.8.8.8" {
-		t.Fatal("Missing options")
-	}
+	alloc, err = d.RequestPool(ipamapi.PoolRequest{
+		AddressSpace: "white",
+		Pool:         "172.20.0.0/16",
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(alloc.PoolID, "white/172.20.0.0/16"))
+	assert.Check(t, is.Equal(alloc.Pool.String(), "172.20.0.0/16"))
+	assert.Check(t, is.Equal(alloc.Meta["DNS"], "8.8.8.8"))
 
 	// Request specific pool and subpool
-	poolID3, pool3, _, err := d.RequestPool("white", "172.20.0.0/16", "172.20.3.0/24" /*nil*/, map[string]string{"culo": "yes"}, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if poolID3 != "white/172.20.0.0/16/172.20.3.0/24" {
-		t.Fatalf("Unexpected pool id: %s", poolID3)
-	}
-	if pool3 == nil || pool3.String() != "172.20.0.0/16" {
-		t.Fatalf("Unexpected pool: %s", pool3)
-	}
+	alloc, err = d.RequestPool(ipamapi.PoolRequest{
+		AddressSpace: "white",
+		Pool:         "172.20.0.0/16",
+		SubPool:      "172.20.3.0/24",
+		Options:      map[string]string{"culo": "yes"},
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(alloc.PoolID, "white/172.20.0.0/16/172.20.3.0/24"))
+	assert.Check(t, is.Equal(alloc.Pool.String(), "172.20.0.0/16"))
 
 	// Request any address
-	addr, _, err := d.RequestAddress(poolID2, nil, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if addr == nil || addr.String() != "172.20.0.34/16" {
-		t.Fatalf("Unexpected address: %s", addr)
-	}
+	addr, _, err := d.RequestAddress("white/172.20.0.0/16", nil, nil)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(addr.String(), "172.20.0.34/16"))
 
 	// Request specific address
-	addr2, _, err := d.RequestAddress(poolID2, net.ParseIP("172.20.1.45"), nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if addr2 == nil || addr2.String() != "172.20.1.45/16" {
-		t.Fatalf("Unexpected address: %s", addr2)
-	}
+	addr2, _, err := d.RequestAddress("white/172.20.0.0/16", net.ParseIP("172.20.1.45"), nil)
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(addr2.String(), "172.20.1.45/16"))
 
 	// Release address
-	err = d.ReleaseAddress(poolID, net.ParseIP("172.18.1.45"))
+	err = d.ReleaseAddress("white/172.20.0.0/16", net.ParseIP("172.18.1.45"))
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/libnetwork/ipams/windowsipam/windowsipam.go b/libnetwork/ipams/windowsipam/windowsipam.go
index d8f37e0..5e4ad22 100644
--- a/libnetwork/ipams/windowsipam/windowsipam.go
+++ b/libnetwork/ipams/windowsipam/windowsipam.go
@@ -1,8 +1,12 @@
+//go:build windows
+
 package windowsipam
 
 import (
 	"context"
+	"fmt"
 	"net"
+	"net/netip"
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/libnetwork/ipamapi"
@@ -17,13 +21,13 @@
 // DefaultIPAM defines the default ipam-driver for local-scoped windows networks
 const DefaultIPAM = "windows"
 
-var defaultPool, _ = types.ParseCIDR("0.0.0.0/0")
+var defaultPool = netip.MustParsePrefix("0.0.0.0/0")
 
 type allocator struct{}
 
 // Register registers the built-in ipam service with libnetwork
-func Register(ipamName string, r ipamapi.Registerer) error {
-	return r.RegisterIpamDriver(ipamName, &allocator{})
+func Register(r ipamapi.Registerer) error {
+	return r.RegisterIpamDriver(DefaultIPAM, &allocator{})
 }
 
 func (a *allocator) GetDefaultAddressSpaces() (string, string, error) {
@@ -32,25 +36,24 @@
 
 // RequestPool returns an address pool along with its unique id. This is a null ipam driver. It allocates the
 // subnet user asked and does not validate anything. Doesn't support subpool allocation
-func (a *allocator) RequestPool(addressSpace, requestedPool, requestedSubPool string, options map[string]string, v6 bool) (string, *net.IPNet, map[string]string, error) {
-	log.G(context.TODO()).Debugf("RequestPool(%s, %s, %s, %v, %t)", addressSpace, requestedPool, requestedSubPool, options, v6)
-	if requestedSubPool != "" || v6 {
-		return "", nil, nil, types.InternalErrorf("This request is not supported by null ipam driver")
+func (a *allocator) RequestPool(req ipamapi.PoolRequest) (ipamapi.AllocatedPool, error) {
+	log.G(context.TODO()).Debugf("RequestPool: %+v", req)
+	if req.SubPool != "" || req.V6 {
+		return ipamapi.AllocatedPool{}, types.InternalErrorf("this request is not supported by the 'windows' ipam driver")
 	}
 
-	var ipNet *net.IPNet
-	var err error
-
-	if requestedPool != "" {
-		_, ipNet, err = net.ParseCIDR(requestedPool)
-		if err != nil {
-			return "", nil, nil, err
+	pool := defaultPool
+	if req.Pool != "" {
+		var err error
+		if pool, err = netip.ParsePrefix(req.Pool); err != nil {
+			return ipamapi.AllocatedPool{}, fmt.Errorf("invalid IPAM request: %w", err)
 		}
-	} else {
-		ipNet = defaultPool
 	}
 
-	return ipNet.String(), ipNet, nil, nil
+	return ipamapi.AllocatedPool{
+		PoolID: pool.String(),
+		Pool:   pool,
+	}, nil
 }
 
 // ReleasePool releases the address pool - always succeeds
diff --git a/libnetwork/ipams/windowsipam/windowsipam_other.go b/libnetwork/ipams/windowsipam/windowsipam_other.go
new file mode 100644
index 0000000..045fa52
--- /dev/null
+++ b/libnetwork/ipams/windowsipam/windowsipam_other.go
@@ -0,0 +1,10 @@
+//go:build !windows
+
+package windowsipam
+
+import "github.com/docker/docker/libnetwork/ipamapi"
+
+// Register is a no-op -- windowsipam is only supported on Windows.
+func Register(ipamapi.Registerer) error {
+	return nil
+}
diff --git a/libnetwork/ipams/windowsipam/windowsipam_test.go b/libnetwork/ipams/windowsipam/windowsipam_test.go
index f09cdbd..f9abb7f 100644
--- a/libnetwork/ipams/windowsipam/windowsipam_test.go
+++ b/libnetwork/ipams/windowsipam/windowsipam_test.go
@@ -1,3 +1,5 @@
+//go:build windows
+
 package windowsipam
 
 import (
@@ -7,41 +9,42 @@
 	"github.com/docker/docker/libnetwork/ipamapi"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/types"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 )
 
 func TestWindowsIPAM(t *testing.T) {
 	a := &allocator{}
+
+	alloc, err := a.RequestPool(ipamapi.PoolRequest{AddressSpace: localAddressSpace})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(alloc.PoolID, defaultPool.String()))
+	assert.Check(t, is.Equal(alloc.Pool, defaultPool))
+
+	alloc, err = a.RequestPool(ipamapi.PoolRequest{
+		AddressSpace: localAddressSpace,
+		Pool:         "192.168.0.0/16",
+	})
+	assert.NilError(t, err)
+	assert.Check(t, is.Equal(alloc.PoolID, "192.168.0.0/16"))
+	assert.Check(t, is.Equal(alloc.Pool.String(), "192.168.0.0/16"))
+
+	_, err = a.RequestPool(ipamapi.PoolRequest{
+		AddressSpace: localAddressSpace,
+		Pool:         "192.168.0.0/16",
+		SubPool:      "192.168.0.0/16",
+	})
+	assert.ErrorContains(t, err, "this request is not supported by the 'windows' ipam driver")
+
+	_, err = a.RequestPool(ipamapi.PoolRequest{
+		AddressSpace: localAddressSpace,
+		V6:           true,
+	})
+	assert.ErrorContains(t, err, "this request is not supported by the 'windows' ipam driver")
+
 	requestPool, _ := types.ParseCIDR("192.168.0.0/16")
 	requestAddress := net.ParseIP("192.168.1.1")
 
-	pid, pool, _, err := a.RequestPool(localAddressSpace, "", "", nil, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !types.CompareIPNet(defaultPool, pool) ||
-		pid != pool.String() {
-		t.Fatalf("Unexpected data returned. Expected %v : %s. Got: %v : %s", defaultPool, pid, pool, pool.String())
-	}
-
-	pid, pool, _, err = a.RequestPool(localAddressSpace, requestPool.String(), "", nil, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !types.CompareIPNet(requestPool, pool) ||
-		pid != requestPool.String() {
-		t.Fatalf("Unexpected data returned. Expected %v : %s. Got: %v : %s", requestPool, requestPool.String(), pool, pool.String())
-	}
-
-	_, _, _, err = a.RequestPool(localAddressSpace, requestPool.String(), requestPool.String(), nil, false)
-	if err == nil {
-		t.Fatal("Unexpected success for subpool request")
-	}
-
-	_, _, _, err = a.RequestPool(localAddressSpace, requestPool.String(), "", nil, true)
-	if err == nil {
-		t.Fatal("Unexpected success for v6 request")
-	}
-
 	err = a.ReleasePool(requestPool.String())
 	if err != nil {
 		t.Fatal(err)
diff --git a/libnetwork/ipamutils/utils.go b/libnetwork/ipamutils/utils.go
index 107f807..ed3a5b2 100644
--- a/libnetwork/ipamutils/utils.go
+++ b/libnetwork/ipamutils/utils.go
@@ -4,7 +4,6 @@
 import (
 	"fmt"
 	"net"
-	"sync"
 )
 
 var (
@@ -14,7 +13,6 @@
 	// predefinedGlobalScopeDefaultNetworks contains a list of 64K IPv4 private networks with host size 8
 	// (10.x.x.x/24) which do not overlap with the networks in `PredefinedLocalScopeDefaultNetworks`
 	predefinedGlobalScopeDefaultNetworks []*net.IPNet
-	mutex                                sync.Mutex
 	localScopeDefaultNetworks            = []*NetworkToSplit{
 		{"172.17.0.0/16", 16},
 		{"172.18.0.0/16", 16},
@@ -48,26 +46,8 @@
 	}
 }
 
-// ConfigGlobalScopeDefaultNetworks configures global default pool.
-// Ideally this will be called from SwarmKit as part of swarm init
-func ConfigGlobalScopeDefaultNetworks(defaultAddressPool []*NetworkToSplit) error {
-	if defaultAddressPool == nil {
-		return nil
-	}
-	mutex.Lock()
-	defer mutex.Unlock()
-	defaultNetworks, err := SplitNetworks(defaultAddressPool)
-	if err != nil {
-		return err
-	}
-	predefinedGlobalScopeDefaultNetworks = defaultNetworks
-	return nil
-}
-
 // GetGlobalScopeDefaultNetworks returns a copy of the global-sopce network list.
 func GetGlobalScopeDefaultNetworks() []*net.IPNet {
-	mutex.Lock()
-	defer mutex.Unlock()
 	return append([]*net.IPNet(nil), predefinedGlobalScopeDefaultNetworks...)
 }
 
diff --git a/libnetwork/ipamutils/utils_test.go b/libnetwork/ipamutils/utils_test.go
index 6c0334f..94221b4 100644
--- a/libnetwork/ipamutils/utils_test.go
+++ b/libnetwork/ipamutils/utils_test.go
@@ -32,17 +32,6 @@
 	return pl
 }
 
-func initGlobalScopeNetworks() []*net.IPNet {
-	pl := make([]*net.IPNet, 0, 256*256)
-	mask := []byte{255, 255, 255, 0}
-	for i := 0; i < 256; i++ {
-		for j := 0; j < 256; j++ {
-			pl = append(pl, &net.IPNet{IP: []byte{30, byte(i), byte(j), 0}, Mask: mask})
-		}
-	}
-	return pl
-}
-
 func TestDefaultNetwork(t *testing.T) {
 	for _, nw := range GetGlobalScopeDefaultNetworks() {
 		if ones, bits := nw.Mask.Size(); bits != 32 || ones != 24 {
@@ -83,21 +72,3 @@
 
 	assert.Check(t, is.Len(m, 0))
 }
-
-func TestConfigGlobalScopeDefaultNetworks(t *testing.T) {
-	err := ConfigGlobalScopeDefaultNetworks([]*NetworkToSplit{{"30.0.0.0/8", 24}})
-	assert.NilError(t, err)
-
-	originalGlobalScopeNetworks := initGlobalScopeNetworks()
-	m := make(map[string]bool)
-	for _, v := range originalGlobalScopeNetworks {
-		m[v.String()] = true
-	}
-	for _, nw := range GetGlobalScopeDefaultNetworks() {
-		_, ok := m[nw.String()]
-		assert.Check(t, ok)
-		delete(m, nw.String())
-	}
-
-	assert.Check(t, is.Len(m, 0))
-}
diff --git a/libnetwork/libnetwork_internal_test.go b/libnetwork/libnetwork_internal_test.go
index 96084c6..a53c898 100644
--- a/libnetwork/libnetwork_internal_test.go
+++ b/libnetwork/libnetwork_internal_test.go
@@ -12,7 +12,7 @@
 
 	"github.com/docker/docker/internal/testutils/netnsutils"
 	"github.com/docker/docker/libnetwork/driverapi"
-	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/netutils"
 	"github.com/docker/docker/libnetwork/scope"
@@ -320,7 +320,7 @@
 	}
 	defer c.Stop()
 
-	n := &Network{ipamType: ipamapi.DefaultIPAM, networkType: "bridge", ctrlr: c}
+	n := &Network{ipamType: defaultipam.DriverName, networkType: "bridge", ctrlr: c}
 
 	input := []struct {
 		masterPool   string
@@ -581,7 +581,7 @@
 
 	// Test whether ipam state release is invoked  on network create failure from net driver
 	// by checking whether subsequent network creation requesting same gateway IP succeeds
-	ipamOpt := NetworkOptionIpam(ipamapi.DefaultIPAM, "", []*IpamConf{{PreferredPool: "10.34.0.0/16", Gateway: "10.34.255.254"}}, nil, nil)
+	ipamOpt := NetworkOptionIpam(defaultipam.DriverName, "", []*IpamConf{{PreferredPool: "10.34.0.0/16", Gateway: "10.34.255.254"}}, nil, nil)
 	if _, err := c.NewNetwork(badDriverName, "badnet1", "", ipamOpt); err == nil {
 		t.Fatalf("bad network driver should have failed network creation")
 	}
@@ -611,7 +611,7 @@
 	}
 
 	// Now create good bridge network with different gateway
-	ipamOpt2 := NetworkOptionIpam(ipamapi.DefaultIPAM, "", []*IpamConf{{PreferredPool: "10.35.0.0/16", Gateway: "10.35.255.253"}}, nil, nil)
+	ipamOpt2 := NetworkOptionIpam(defaultipam.DriverName, "", []*IpamConf{{PreferredPool: "10.35.0.0/16", Gateway: "10.35.255.253"}}, nil, nil)
 	gnw, err = c.NewNetwork("bridge", "goodnet2", "", ipamOpt2)
 	if err != nil {
 		t.Fatal(err)
diff --git a/libnetwork/libnetwork_linux_test.go b/libnetwork/libnetwork_linux_test.go
index 7128e0f..d7df1fc 100644
--- a/libnetwork/libnetwork_linux_test.go
+++ b/libnetwork/libnetwork_linux_test.go
@@ -22,7 +22,8 @@
 	"github.com/docker/docker/libnetwork/config"
 	"github.com/docker/docker/libnetwork/datastore"
 	"github.com/docker/docker/libnetwork/driverapi"
-	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
+	"github.com/docker/docker/libnetwork/ipams/null"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/options"
 	"github.com/docker/docker/libnetwork/osl"
@@ -68,7 +69,7 @@
 func createTestNetwork(c *libnetwork.Controller, networkType, networkName string, netOption options.Generic, ipamV4Configs, ipamV6Configs []*libnetwork.IpamConf) (*libnetwork.Network, error) {
 	return c.NewNetwork(networkType, networkName, "",
 		libnetwork.NetworkOptionGeneric(netOption),
-		libnetwork.NetworkOptionIpam(ipamapi.DefaultIPAM, "", ipamV4Configs, ipamV6Configs, nil))
+		libnetwork.NetworkOptionIpam(defaultipam.DriverName, "", ipamV4Configs, ipamV6Configs, nil))
 }
 
 func getEmptyGenericOption() map[string]interface{} {
@@ -1421,7 +1422,7 @@
 	network, err := controller.NewNetwork(bridgeNetType, "testipv6mac", "",
 		libnetwork.NetworkOptionGeneric(netOption),
 		libnetwork.NetworkOptionEnableIPv6(true),
-		libnetwork.NetworkOptionIpam(ipamapi.DefaultIPAM, "", ipamV4ConfList, ipamV6ConfList, nil),
+		libnetwork.NetworkOptionIpam(defaultipam.DriverName, "", ipamV4ConfList, ipamV6ConfList, nil),
 		libnetwork.NetworkOptionDeferIPv6Alloc(true))
 	if err != nil {
 		t.Fatal(err)
@@ -1495,7 +1496,7 @@
 	n1, err := controller.NewNetwork(bridgeNetType, "testnetwork1", "",
 		libnetwork.NetworkOptionGeneric(netOption),
 		libnetwork.NetworkOptionEnableIPv6(true),
-		libnetwork.NetworkOptionIpam(ipamapi.DefaultIPAM, "", nil, ipamV6ConfList, nil),
+		libnetwork.NetworkOptionIpam(defaultipam.DriverName, "", nil, ipamV6ConfList, nil),
 		libnetwork.NetworkOptionDeferIPv6Alloc(true))
 	if err != nil {
 		t.Fatal(err)
@@ -2118,7 +2119,7 @@
 	defer netnsutils.SetupTestOSContext(t)()
 	controller := newController(t)
 
-	_, err := controller.NewNetwork(bridgeNetType, "testnetworkinternal", "", libnetwork.NetworkOptionIpam(ipamapi.NullIPAM, "", nil, nil, nil))
+	_, err := controller.NewNetwork(bridgeNetType, "testnetworkinternal", "", libnetwork.NetworkOptionIpam(null.DriverName, "", nil, nil, nil))
 	if err == nil || err.Error() != "ipv4 pool is empty" {
 		t.Fatal("bridge network should complain empty pool")
 	}
diff --git a/libnetwork/netutils/utils.go b/libnetwork/netutils/utils.go
index 4896d10..8022c94 100644
--- a/libnetwork/netutils/utils.go
+++ b/libnetwork/netutils/utils.go
@@ -14,7 +14,6 @@
 	"sync"
 
 	"github.com/containerd/log"
-	"github.com/docker/docker/libnetwork/types"
 )
 
 var (
@@ -45,26 +44,6 @@
 	return netX.Contains(netY.IP) || netY.Contains(netX.IP)
 }
 
-// NetworkRange calculates the first and last IP addresses in an IPNet
-func NetworkRange(network *net.IPNet) (net.IP, net.IP) {
-	if network == nil {
-		return nil, nil
-	}
-
-	firstIP := network.IP.Mask(network.Mask)
-	lastIP := types.GetIPCopy(firstIP)
-	for i := 0; i < len(firstIP); i++ {
-		lastIP[i] = firstIP[i] | ^network.Mask[i]
-	}
-
-	if network.IP.To4() != nil {
-		firstIP = firstIP.To4()
-		lastIP = lastIP.To4()
-	}
-
-	return firstIP, lastIP
-}
-
 func genMAC(ip net.IP) net.HardwareAddr {
 	hw := make(net.HardwareAddr, 6)
 	// The first byte of the MAC address has to comply with these rules:
diff --git a/libnetwork/netutils/utils_linux_test.go b/libnetwork/netutils/utils_linux_test.go
index 18c2a49..762c82f 100644
--- a/libnetwork/netutils/utils_linux_test.go
+++ b/libnetwork/netutils/utils_linux_test.go
@@ -125,68 +125,6 @@
 	AssertNoOverlap("172.16.1.1/25", "172.16.2.1/24", t)
 }
 
-func TestNetworkRange(t *testing.T) {
-	// Simple class C test
-	_, network, _ := net.ParseCIDR("192.168.0.1/24")
-	first, last := NetworkRange(network)
-	if !first.Equal(net.ParseIP("192.168.0.0")) {
-		t.Error(first.String())
-	}
-	if !last.Equal(net.ParseIP("192.168.0.255")) {
-		t.Error(last.String())
-	}
-
-	// Class A test
-	_, network, _ = net.ParseCIDR("10.0.0.1/8")
-	first, last = NetworkRange(network)
-	if !first.Equal(net.ParseIP("10.0.0.0")) {
-		t.Error(first.String())
-	}
-	if !last.Equal(net.ParseIP("10.255.255.255")) {
-		t.Error(last.String())
-	}
-
-	// Class A, random IP address
-	_, network, _ = net.ParseCIDR("10.1.2.3/8")
-	first, last = NetworkRange(network)
-	if !first.Equal(net.ParseIP("10.0.0.0")) {
-		t.Error(first.String())
-	}
-	if !last.Equal(net.ParseIP("10.255.255.255")) {
-		t.Error(last.String())
-	}
-
-	// 32bit mask
-	_, network, _ = net.ParseCIDR("10.1.2.3/32")
-	first, last = NetworkRange(network)
-	if !first.Equal(net.ParseIP("10.1.2.3")) {
-		t.Error(first.String())
-	}
-	if !last.Equal(net.ParseIP("10.1.2.3")) {
-		t.Error(last.String())
-	}
-
-	// 31bit mask
-	_, network, _ = net.ParseCIDR("10.1.2.3/31")
-	first, last = NetworkRange(network)
-	if !first.Equal(net.ParseIP("10.1.2.2")) {
-		t.Error(first.String())
-	}
-	if !last.Equal(net.ParseIP("10.1.2.3")) {
-		t.Error(last.String())
-	}
-
-	// 26bit mask
-	_, network, _ = net.ParseCIDR("10.1.2.3/26")
-	first, last = NetworkRange(network)
-	if !first.Equal(net.ParseIP("10.1.2.0")) {
-		t.Error(first.String())
-	}
-	if !last.Equal(net.ParseIP("10.1.2.63")) {
-		t.Error(last.String())
-	}
-}
-
 // Test veth name generation "veth"+rand (e.g.veth0f60e2c)
 func TestGenerateRandomName(t *testing.T) {
 	const vethPrefix = "veth"
diff --git a/libnetwork/network.go b/libnetwork/network.go
index 311f0e8..7340ad1 100644
--- a/libnetwork/network.go
+++ b/libnetwork/network.go
@@ -17,8 +17,10 @@
 	"github.com/docker/docker/libnetwork/datastore"
 	"github.com/docker/docker/libnetwork/driverapi"
 	"github.com/docker/docker/libnetwork/etchosts"
+	"github.com/docker/docker/libnetwork/internal/netiputil"
 	"github.com/docker/docker/libnetwork/internal/setmatrix"
 	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/netutils"
 	"github.com/docker/docker/libnetwork/networkdb"
@@ -192,7 +194,6 @@
 	dbExists         bool
 	persist          bool
 	drvOnce          *sync.Once
-	resolverOnce     sync.Once //nolint:nolintlint,unused // only used on windows
 	resolver         []*Resolver
 	internal         bool
 	attachable       bool
@@ -204,6 +205,7 @@
 	configFrom       string
 	loadBalancerIP   net.IP
 	loadBalancerMode string
+	platformNetwork  //nolint:nolintlint,unused // only populated on windows
 	mu               sync.Mutex
 }
 
@@ -244,6 +246,13 @@
 	return n.networkType
 }
 
+func (n *Network) Resolvers() []*Resolver {
+	n.mu.Lock()
+	defer n.mu.Unlock()
+
+	return n.resolver
+}
+
 func (n *Network) Key() []string {
 	n.mu.Lock()
 	defer n.mu.Unlock()
@@ -635,7 +644,7 @@
 	if v, ok := netMap["ipamType"]; ok {
 		n.ipamType = v.(string)
 	} else {
-		n.ipamType = ipamapi.DefaultIPAM
+		n.ipamType = defaultipam.DriverName
 	}
 	if v, ok := netMap["addrSpace"]; ok {
 		n.addrSpace = v.(string)
@@ -777,7 +786,7 @@
 	return func(n *Network) {
 		if ipamDriver != "" {
 			n.ipamType = ipamDriver
-			if ipamDriver == ipamapi.DefaultIPAM {
+			if ipamDriver == defaultipam.DriverName {
 				n.ipamType = defaultIpamForNetworkType(n.Type())
 			}
 		}
@@ -1508,7 +1517,7 @@
 	return err
 }
 
-func (n *Network) requestPoolHelper(ipam ipamapi.Ipam, addressSpace, requestedPool, requestedSubPool string, options map[string]string, v6 bool) (poolID string, pool *net.IPNet, meta map[string]string, err error) {
+func (n *Network) requestPoolHelper(ipam ipamapi.Ipam, addressSpace, requestedPool, requestedSubPool string, options map[string]string, v6 bool) (string, *net.IPNet, map[string]string, error) {
 	var tmpPoolLeases []string
 	defer func() {
 		// Prevent repeated lock/unlock in the loop.
@@ -1516,13 +1525,19 @@
 		// Release all pools we held on to.
 		for _, pID := range tmpPoolLeases {
 			if err := ipam.ReleasePool(pID); err != nil {
-				log.G(context.TODO()).Warnf("Failed to release overlapping pool %s while returning from pool request helper for network %s", pool, nwName)
+				log.G(context.TODO()).Warnf("Failed to release overlapping pool while returning from pool request helper for network %s", nwName)
 			}
 		}
 	}()
 
 	for {
-		poolID, pool, meta, err = ipam.RequestPool(addressSpace, requestedPool, requestedSubPool, options, v6)
+		alloc, err := ipam.RequestPool(ipamapi.PoolRequest{
+			AddressSpace: addressSpace,
+			Pool:         requestedPool,
+			SubPool:      requestedSubPool,
+			Options:      options,
+			V6:           v6,
+		})
 		if err != nil {
 			return "", nil, nil, err
 		}
@@ -1544,13 +1559,13 @@
 		// instead would likely have avoided that as well, so we can only guess.
 		//
 		// [1]: https://github.com/moby/libnetwork/commit/5ca79d6b87873264516323a7b76f0af7d0298492#diff-bdcd879439d041827d334846f9aba01de6e3683ed8fdd01e63917dae6df23846
-		if requestedPool != "" || n.Scope() == scope.Global || pool.String() == "0.0.0.0/0" {
-			return poolID, pool, meta, nil
+		if requestedPool != "" || n.Scope() == scope.Global || alloc.Pool.String() == "0.0.0.0/0" {
+			return alloc.PoolID, netiputil.ToIPNet(alloc.Pool), alloc.Meta, nil
 		}
 
 		// Check for overlap and if none found, we have found the right pool.
-		if _, err := netutils.FindAvailableNetwork([]*net.IPNet{pool}); err == nil {
-			return poolID, pool, meta, nil
+		if _, err := netutils.FindAvailableNetwork([]*net.IPNet{netiputil.ToIPNet(alloc.Pool)}); err == nil {
+			return alloc.PoolID, netiputil.ToIPNet(alloc.Pool), alloc.Meta, nil
 		}
 
 		// Pool obtained in this iteration is overlapping. Hold onto the pool
@@ -1558,7 +1573,7 @@
 		// the same pool over again. But make sure we still do a deferred release
 		// when we have either obtained a non-overlapping pool or ran out of
 		// pre-defined pools.
-		tmpPoolLeases = append(tmpPoolLeases, poolID)
+		tmpPoolLeases = append(tmpPoolLeases, alloc.PoolID)
 	}
 }
 
@@ -2097,10 +2112,6 @@
 	return srv, ip
 }
 
-func (n *Network) ExecFunc(f func()) error {
-	return types.NotImplementedErrorf("ExecFunc not supported by network")
-}
-
 func (n *Network) NdotsSet() bool {
 	return false
 }
diff --git a/libnetwork/network_unix.go b/libnetwork/network_unix.go
index 282b6b4..5f274a8 100644
--- a/libnetwork/network_unix.go
+++ b/libnetwork/network_unix.go
@@ -2,13 +2,33 @@
 
 package libnetwork
 
-import "github.com/docker/docker/libnetwork/ipamapi"
+import (
+	"context"
+
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
+)
+
+type platformNetwork struct{} //nolint:nolintlint,unused // only populated on windows
 
 // Stub implementations for DNS related functions
 
 func (n *Network) startResolver() {
 }
 
+func addEpToResolver(
+	ctx context.Context,
+	netName, epName string,
+	config *containerConfig,
+	epIface *EndpointInterface,
+	resolvers []*Resolver,
+) error {
+	return nil
+}
+
+func deleteEpFromResolver(epName string, epIface *EndpointInterface, resolvers []*Resolver) error {
+	return nil
+}
+
 func defaultIpamForNetworkType(networkType string) string {
-	return ipamapi.DefaultIPAM
+	return defaultipam.DriverName
 }
diff --git a/libnetwork/network_windows.go b/libnetwork/network_windows.go
index ae8ddef..6ddfe83 100644
--- a/libnetwork/network_windows.go
+++ b/libnetwork/network_windows.go
@@ -4,16 +4,27 @@
 
 import (
 	"context"
+	"fmt"
+	"net"
+	"net/netip"
 	"runtime"
+	"strings"
+	"sync"
 	"time"
 
 	"github.com/Microsoft/hcsshim"
 	"github.com/containerd/log"
 	"github.com/docker/docker/libnetwork/drivers/windows"
-	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
 	"github.com/docker/docker/libnetwork/ipams/windowsipam"
+	"github.com/pkg/errors"
 )
 
+type platformNetwork struct {
+	resolverOnce   sync.Once
+	dnsCompartment uint32
+}
+
 func executeInCompartment(compartmentID uint32, x func()) {
 	runtime.LockOSThread()
 
@@ -28,6 +39,11 @@
 	x()
 }
 
+func (n *Network) ExecFunc(f func()) error {
+	executeInCompartment(n.dnsCompartment, f)
+	return nil
+}
+
 func (n *Network) startResolver() {
 	if n.networkType == "ics" {
 		return
@@ -48,9 +64,10 @@
 		for _, subnet := range hnsresponse.Subnets {
 			if subnet.GatewayAddress != "" {
 				for i := 0; i < 3; i++ {
-					resolver := NewResolver(subnet.GatewayAddress, false, n)
+					resolver := NewResolver(subnet.GatewayAddress, true, n)
 					log.G(context.TODO()).Debugf("Binding a resolver on network %s gateway %s", n.Name(), subnet.GatewayAddress)
-					executeInCompartment(hnsresponse.DNSServerCompartment, resolver.SetupFunc(53))
+					n.dnsCompartment = hnsresponse.DNSServerCompartment
+					n.ExecFunc(resolver.SetupFunc(53))
 
 					if err = resolver.Start(); err != nil {
 						log.G(context.TODO()).Errorf("Resolver Setup/Start failed for container %s, %q", n.Name(), err)
@@ -66,9 +83,169 @@
 	})
 }
 
+// addEpToResolver configures the internal DNS resolver for an endpoint.
+//
+// Windows resolvers don't consistently fall back to a secondary server if they
+// get a SERVFAIL from our resolver. So, our resolver needs to forward the query
+// upstream.
+//
+// To retrieve the list of DNS Servers to use for requests originating from an
+// endpoint, this method finds the HNSEndpoint represented by the endpoint. If
+// HNSEndpoint's list of DNS servers includes the HNSEndpoint's gateway address,
+// it's the Resolver running at that address. Other DNS servers in the
+// list have either come from config ('--dns') or have been set up by HNS as
+// external resolvers, these are the external servers the Resolver should
+// use for DNS requests from that endpoint.
+func addEpToResolver(
+	ctx context.Context,
+	netName, epName string,
+	config *containerConfig,
+	epIface *EndpointInterface,
+	resolvers []*Resolver,
+) error {
+	if config.dnsNoProxy {
+		return nil
+	}
+	hnsEndpoints, err := hcsshim.HNSListEndpointRequest()
+	if err != nil {
+		return nil
+	}
+	return addEpToResolverImpl(ctx, netName, epName, epIface, resolvers, hnsEndpoints)
+}
+
+func addEpToResolverImpl(
+	ctx context.Context,
+	netName, epName string,
+	epIface *EndpointInterface,
+	resolvers []*Resolver,
+	hnsEndpoints []hcsshim.HNSEndpoint,
+) error {
+	// Find the HNSEndpoint represented by ep, matching on endpoint address.
+	hnsEp := findHNSEp(epIface.addr, epIface.addrv6, hnsEndpoints)
+	if hnsEp == nil || !hnsEp.EnableInternalDNS {
+		return nil
+	}
+
+	// Find the resolver for that HNSEndpoint, matching on gateway address.
+	resolver := findResolver(resolvers, hnsEp.GatewayAddress, hnsEp.GatewayAddressV6)
+	if resolver == nil {
+		log.G(ctx).WithFields(log.Fields{
+			"network":  netName,
+			"endpoint": epName,
+		}).Debug("No internal DNS resolver to configure")
+		return nil
+	}
+
+	// Get the list of DNS servers HNS has set up for this Endpoint.
+	var dnsList []extDNSEntry
+	dnsServers := strings.Split(hnsEp.DNSServerList, ",")
+
+	// Create an extDNSEntry for each DNS server, apart from 'resolver' itself.
+	var foundSelf bool
+	hnsGw4, _ := netip.ParseAddr(hnsEp.GatewayAddress)
+	hnsGw6, _ := netip.ParseAddr(hnsEp.GatewayAddressV6)
+	for _, dnsServer := range dnsServers {
+		dnsAddr, _ := netip.ParseAddr(dnsServer)
+		if dnsAddr.IsValid() && (dnsAddr == hnsGw4 || dnsAddr == hnsGw6) {
+			foundSelf = true
+		} else {
+			dnsList = append(dnsList, extDNSEntry{IPStr: dnsServer})
+		}
+	}
+	if !foundSelf {
+		log.G(ctx).WithFields(log.Fields{
+			"network":  netName,
+			"endpoint": epName,
+		}).Debug("Endpoint is not configured to use internal DNS resolver")
+		return nil
+	}
+
+	// If the internal resolver is configured as one of this endpoint's DNS servers,
+	// tell it which ext servers to use for requests from this endpoint's addresses.
+	log.G(ctx).Infof("External DNS servers for '%s': %v", epName, dnsList)
+	if srcAddr, ok := netip.AddrFromSlice(hnsEp.IPAddress); ok {
+		if err := resolver.SetExtServersForSrc(srcAddr.Unmap(), dnsList); err != nil {
+			return errors.Wrapf(err, "failed to set external DNS servers for %s address %s",
+				epName, hnsEp.IPAddress)
+		}
+	}
+	if srcAddr, ok := netip.AddrFromSlice(hnsEp.IPv6Address); ok {
+		if err := resolver.SetExtServersForSrc(srcAddr, dnsList); err != nil {
+			return errors.Wrapf(err, "failed to set external DNS servers for %s address %s",
+				epName, hnsEp.IPv6Address)
+		}
+	}
+	return nil
+}
+
+func deleteEpFromResolver(epName string, epIface *EndpointInterface, resolvers []*Resolver) error {
+	hnsEndpoints, err := hcsshim.HNSListEndpointRequest()
+	if err != nil {
+		return nil
+	}
+	return deleteEpFromResolverImpl(epName, epIface, resolvers, hnsEndpoints)
+}
+
+func deleteEpFromResolverImpl(
+	epName string,
+	epIface *EndpointInterface,
+	resolvers []*Resolver,
+	hnsEndpoints []hcsshim.HNSEndpoint,
+) error {
+	// Find the HNSEndpoint represented by ep, matching on endpoint address.
+	hnsEp := findHNSEp(epIface.addr, epIface.addrv6, hnsEndpoints)
+	if hnsEp == nil {
+		return fmt.Errorf("no HNS endpoint for %s", epName)
+	}
+
+	// Find the resolver for that HNSEndpoint, matching on gateway address.
+	resolver := findResolver(resolvers, hnsEp.GatewayAddress, hnsEp.GatewayAddressV6)
+	if resolver == nil {
+		return nil
+	}
+
+	// Delete external DNS servers for the endpoint's IP addresses.
+	if srcAddr, ok := netip.AddrFromSlice(hnsEp.IPAddress); ok {
+		if err := resolver.SetExtServersForSrc(srcAddr.Unmap(), nil); err != nil {
+			return errors.Wrapf(err, "failed to delete external DNS servers for %s address %s",
+				epName, hnsEp.IPv6Address)
+		}
+	}
+	if srcAddr, ok := netip.AddrFromSlice(hnsEp.IPv6Address); ok {
+		if err := resolver.SetExtServersForSrc(srcAddr, nil); err != nil {
+			return errors.Wrapf(err, "failed to delete external DNS servers for %s address %s",
+				epName, hnsEp.IPv6Address)
+		}
+	}
+
+	return nil
+}
+
+func findHNSEp(ip4, ip6 *net.IPNet, hnsEndpoints []hcsshim.HNSEndpoint) *hcsshim.HNSEndpoint {
+	for _, hnsEp := range hnsEndpoints {
+		if (hnsEp.IPAddress != nil && hnsEp.IPAddress.Equal(ip4.IP)) ||
+			(hnsEp.IPv6Address != nil && hnsEp.IPv6Address.Equal(ip6.IP)) {
+			return &hnsEp
+		}
+	}
+	return nil
+}
+
+func findResolver(resolvers []*Resolver, gw4, gw6 string) *Resolver {
+	gw4addr, _ := netip.ParseAddr(gw4)
+	gw6addr, _ := netip.ParseAddr(gw6)
+	for _, resolver := range resolvers {
+		ns := resolver.NameServer()
+		if ns.IsValid() && (ns == gw4addr || ns == gw6addr) {
+			return resolver
+		}
+	}
+	return nil
+}
+
 func defaultIpamForNetworkType(networkType string) string {
 	if windows.IsBuiltinLocalDriver(networkType) {
 		return windowsipam.DefaultIPAM
 	}
-	return ipamapi.DefaultIPAM
+	return defaultipam.DriverName
 }
diff --git a/libnetwork/network_windows_test.go b/libnetwork/network_windows_test.go
new file mode 100644
index 0000000..10c443b
--- /dev/null
+++ b/libnetwork/network_windows_test.go
@@ -0,0 +1,201 @@
+package libnetwork
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
+)
+
+func TestAddEpToResolver(t *testing.T) {
+	const (
+		ep1v4      = "192.0.2.11"
+		ep2v4      = "192.0.2.12"
+		epFiveDNS  = "192.0.2.13"
+		epNoIntDNS = "192.0.2.14"
+		ep1v6      = "2001:db8:aaaa::2"
+		gw1v4      = "192.0.2.1"
+		gw2v4      = "192.0.2.2"
+		gw1v6      = "2001:db8:aaaa::1"
+		dns1v4     = "198.51.100.1"
+		dns2v4     = "198.51.100.2"
+		dns3v4     = "198.51.100.3"
+	)
+	hnsEndpoints := map[string]hcsshim.HNSEndpoint{
+		ep1v4: {
+			IPAddress:         net.ParseIP(ep1v4),
+			GatewayAddress:    gw1v4,
+			DNSServerList:     gw1v4 + "," + dns1v4,
+			EnableInternalDNS: true,
+		},
+		ep2v4: {
+			IPAddress:         net.ParseIP(ep2v4),
+			GatewayAddress:    gw1v4,
+			DNSServerList:     gw1v4 + "," + dns2v4,
+			EnableInternalDNS: true,
+		},
+		epFiveDNS: {
+			IPAddress:         net.ParseIP(epFiveDNS),
+			GatewayAddress:    gw1v4,
+			DNSServerList:     gw1v4 + "," + dns1v4 + "," + dns2v4 + "," + dns3v4 + ",198.51.100.4",
+			EnableInternalDNS: true,
+		},
+		epNoIntDNS: {
+			IPAddress:      net.ParseIP(epNoIntDNS),
+			GatewayAddress: gw1v4,
+			DNSServerList:  gw1v4 + "," + dns1v4,
+			//EnableInternalDNS: false,
+		},
+		ep1v6: {
+			IPv6Address:       net.ParseIP(ep1v6),
+			GatewayAddressV6:  gw1v6,
+			DNSServerList:     gw1v6 + "," + dns1v4,
+			EnableInternalDNS: true,
+		},
+	}
+
+	makeIPNet := func(addr, netmask string) *net.IPNet {
+		t.Helper()
+		ip, ipnet, err := net.ParseCIDR(addr + "/" + netmask)
+		assert.NilError(t, err)
+		return &net.IPNet{IP: ip, Mask: ipnet.Mask}
+	}
+
+	testcases := []struct {
+		name           string
+		epToAdd        *EndpointInterface
+		hnsEndpoints   []hcsshim.HNSEndpoint
+		resolverLAs    []string
+		expIPToExtDNS  map[netip.Addr][maxExtDNS]extDNSEntry
+		expResolverIdx int
+	}{
+		{
+			name: "ipv4",
+			epToAdd: &EndpointInterface{
+				addr: makeIPNet(ep1v4, "32"),
+			},
+			hnsEndpoints: []hcsshim.HNSEndpoint{
+				hnsEndpoints[ep1v4],
+			},
+			resolverLAs: []string{gw1v4},
+			expIPToExtDNS: map[netip.Addr][maxExtDNS]extDNSEntry{
+				netip.MustParseAddr(ep1v4): {{IPStr: dns1v4}},
+			},
+		},
+		{
+			name: "limit of three dns servers",
+			epToAdd: &EndpointInterface{
+				addr: makeIPNet(epFiveDNS, "32"),
+			},
+			hnsEndpoints: []hcsshim.HNSEndpoint{
+				hnsEndpoints[epFiveDNS],
+			},
+			resolverLAs: []string{gw1v4},
+			// Expect the internal resolver to keep the first three ext-servers.
+			expIPToExtDNS: map[netip.Addr][maxExtDNS]extDNSEntry{
+				netip.MustParseAddr(epFiveDNS): {
+					{IPStr: dns1v4},
+					{IPStr: dns2v4},
+					{IPStr: dns3v4},
+				},
+			},
+		},
+		{
+			name: "disabled internal resolver",
+			epToAdd: &EndpointInterface{
+				addr: makeIPNet(epNoIntDNS, "32"),
+			},
+			hnsEndpoints: []hcsshim.HNSEndpoint{
+				hnsEndpoints[epNoIntDNS],
+				hnsEndpoints[ep2v4],
+			},
+			resolverLAs: []string{gw1v4},
+		},
+		{
+			name: "missing internal resolver",
+			epToAdd: &EndpointInterface{
+				addr: makeIPNet(ep1v4, "32"),
+			},
+			hnsEndpoints: []hcsshim.HNSEndpoint{
+				hnsEndpoints[ep1v4],
+			},
+			// The only resolver is for the gateway on a different network.
+			resolverLAs: []string{gw2v4},
+		},
+		{
+			name: "multiple resolvers and endpoints",
+			epToAdd: &EndpointInterface{
+				addr: makeIPNet(ep2v4, "32"),
+			},
+			hnsEndpoints: []hcsshim.HNSEndpoint{
+				hnsEndpoints[ep1v4],
+				hnsEndpoints[ep2v4],
+			},
+			// Put the internal resolver for this network second in the list.
+			expResolverIdx: 1,
+			resolverLAs:    []string{gw2v4, gw1v4},
+			expIPToExtDNS: map[netip.Addr][maxExtDNS]extDNSEntry{
+				netip.MustParseAddr(ep2v4): {{IPStr: dns2v4}},
+			},
+		},
+		{
+			name: "ipv6",
+			epToAdd: &EndpointInterface{
+				addrv6: makeIPNet(ep1v6, "80"),
+			},
+			hnsEndpoints: []hcsshim.HNSEndpoint{
+				hnsEndpoints[ep1v6],
+			},
+			resolverLAs: []string{gw1v6},
+			expIPToExtDNS: map[netip.Addr][maxExtDNS]extDNSEntry{
+				netip.MustParseAddr(ep1v6): {{IPStr: dns1v4}},
+			},
+		},
+	}
+
+	eMapCmpOpts := []cmp.Option{
+		cmpopts.EquateEmpty(),
+		cmpopts.EquateComparable(netip.Addr{}),
+		cmpopts.IgnoreUnexported(extDNSEntry{}),
+	}
+	emptyEMap := map[netip.Addr][maxExtDNS]extDNSEntry{}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Set up resolvers with the required listen-addresses.
+			var resolvers []*Resolver
+			for _, la := range tc.resolverLAs {
+				resolvers = append(resolvers, NewResolver(la, true, nil))
+			}
+
+			// Add the endpoint and check expected results.
+			err := addEpToResolverImpl(context.TODO(),
+				"netname", "epname", tc.epToAdd, resolvers, tc.hnsEndpoints)
+			assert.Check(t, err)
+			for i, resolver := range resolvers {
+				if i == tc.expResolverIdx {
+					assert.Check(t, is.DeepEqual(resolver.ipToExtDNS.eMap, tc.expIPToExtDNS,
+						eMapCmpOpts...), fmt.Sprintf("resolveridx=%d", i))
+				} else {
+					assert.Check(t, is.DeepEqual(resolver.ipToExtDNS.eMap, emptyEMap,
+						eMapCmpOpts...), fmt.Sprintf("resolveridx=%d", i))
+				}
+			}
+
+			// Delete the endpoint, check nothing got left behind.
+			err = deleteEpFromResolverImpl("epname", tc.epToAdd, resolvers, tc.hnsEndpoints)
+			assert.Check(t, err)
+			for i, resolver := range resolvers {
+				assert.Check(t, is.DeepEqual(resolver.ipToExtDNS.eMap, emptyEMap,
+					eMapCmpOpts...), fmt.Sprintf("resolveridx=%d", i))
+			}
+		})
+	}
+}
diff --git a/libnetwork/osl/interface_linux.go b/libnetwork/osl/interface_linux.go
index e87efba..3491aac 100644
--- a/libnetwork/osl/interface_linux.go
+++ b/libnetwork/osl/interface_linux.go
@@ -363,17 +363,24 @@
 }
 
 func setInterfaceIPv6(nlh *netlink.Handle, iface netlink.Link, i *Interface) error {
-	if i.AddressIPv6() == nil {
+	addr := i.AddressIPv6()
+	// IPv6 must be enabled on the interface if and only if the network is
+	// IPv6-enabled. For an interface on an IPv4-only network, if IPv6 isn't
+	// disabled, the interface will be put into IPv6 multicast groups making
+	// it unexpectedly susceptible to NDP cache poisoning, route injection, etc.
+	// (At present, there will always be a pre-configured IPv6 address if the
+	// network is IPv6-enabled.)
+	if err := setIPv6(i.ns.path, i.DstName(), addr != nil); err != nil {
+		return fmt.Errorf("failed to configure ipv6: %v", err)
+	}
+	if addr == nil {
 		return nil
 	}
-	if err := checkRouteConflict(nlh, i.AddressIPv6(), netlink.FAMILY_V6); err != nil {
+	if err := checkRouteConflict(nlh, addr, netlink.FAMILY_V6); err != nil {
 		return err
 	}
-	if err := setIPv6(i.ns.path, i.DstName(), true); err != nil {
-		return fmt.Errorf("failed to enable ipv6: %v", err)
-	}
-	ipAddr := &netlink.Addr{IPNet: i.AddressIPv6(), Label: "", Flags: syscall.IFA_F_NODAD}
-	return nlh.AddrAdd(iface, ipAddr)
+	nlAddr := &netlink.Addr{IPNet: addr, Label: "", Flags: syscall.IFA_F_NODAD}
+	return nlh.AddrAdd(iface, nlAddr)
 }
 
 func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *Interface) error {
diff --git a/libnetwork/osl/namespace_linux.go b/libnetwork/osl/namespace_linux.go
index 8a41f6a..70dbc9d 100644
--- a/libnetwork/osl/namespace_linux.go
+++ b/libnetwork/osl/namespace_linux.go
@@ -646,17 +646,47 @@
 			value = '0'
 		}
 
-		if _, err := os.Stat(path); err != nil {
+		if curVal, err := os.ReadFile(path); err != nil {
 			if os.IsNotExist(err) {
-				log.G(context.TODO()).WithError(err).Warn("Cannot configure IPv6 forwarding on container interface. Has IPv6 been disabled in this node's kernel?")
+				if enable {
+					log.G(context.TODO()).WithError(err).Warn("Cannot enable IPv6 on container interface. Has IPv6 been disabled in this node's kernel?")
+				} else {
+					log.G(context.TODO()).WithError(err).Debug("Not disabling IPv6 on container interface. Has IPv6 been disabled in this node's kernel?")
+				}
 				return
 			}
 			errCh <- err
 			return
+		} else if len(curVal) > 0 && curVal[0] == value {
+			// Nothing to do, the setting is already correct.
+			return
 		}
 
-		if err = os.WriteFile(path, []byte{value, '\n'}, 0o644); err != nil {
-			errCh <- fmt.Errorf("failed to %s IPv6 forwarding for container's interface %s: %w", action, iface, err)
+		if err = os.WriteFile(path, []byte{value, '\n'}, 0o644); err != nil || os.Getenv("DOCKER_TEST_RO_DISABLE_IPV6") != "" {
+			logger := log.G(context.TODO()).WithFields(log.Fields{
+				"error":     err,
+				"interface": iface,
+			})
+			if enable {
+				// The user asked for IPv6 on the interface, and we can't give it to them.
+				// But, in line with the IsNotExist case above, just log.
+				logger.Warn("Cannot enable IPv6 on container interface, continuing.")
+			} else if os.Getenv("DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE") == "1" {
+				// TODO(robmry) - remove this escape hatch for https://github.com/moby/moby/issues/47751
+				//   If the "/proc" file exists but isn't writable, we can't disable IPv6, which is
+				//   https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9 ... so,
+				//   the user is required to override the error (or configure IPv6, or disable IPv6
+				//   by default in the OS, or make the "/proc" file writable). Once it's possible
+				//   to enable IPv6 without having to configure IPAM etc, the env var should be
+				//   removed. Then the user will have to explicitly enable IPv6 if it can't be
+				//   disabled on the interface.
+				logger.Info("Cannot disable IPv6 on container interface but DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE=1, continuing.")
+			} else {
+				logger.Error("Cannot disable IPv6 on container interface. Set env var DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE=1 to ignore.")
+				errCh <- fmt.Errorf(
+					"failed to %s IPv6 on container's interface %s, set env var DOCKER_ALLOW_IPV6_ON_IPV4_INTERFACE=1 to ignore this error",
+					action, iface)
+			}
 			return
 		}
 	}()
diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go
index 5a7afac..3ce1c4b 100644
--- a/libnetwork/resolver.go
+++ b/libnetwork/resolver.go
@@ -6,6 +6,7 @@
 	"fmt"
 	"math/rand"
 	"net"
+	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
@@ -13,6 +14,7 @@
 	"time"
 
 	"github.com/containerd/log"
+	"github.com/docker/docker/libnetwork/internal/netiputil"
 	"github.com/docker/docker/libnetwork/types"
 	"github.com/miekg/dns"
 	"go.opentelemetry.io/otel"
@@ -65,17 +67,25 @@
 	HostLoopback bool
 }
 
+func (e extDNSEntry) String() string {
+	if e.HostLoopback {
+		return "host(" + e.IPStr + ")"
+	}
+	return e.IPStr
+}
+
 // Resolver is the embedded DNS server in Docker. It operates by listening on
 // the container's loopback interface for DNS queries.
 type Resolver struct {
 	backend       DNSBackend
-	extDNSList    [maxExtDNS]extDNSEntry
+	extDNSList    [maxExtDNS]extDNSEntry // Ext servers to use when there's no entry in ipToExtDNS.
+	ipToExtDNS    addrToExtDNSMap        // DNS query source IP -> ext servers.
 	server        *dns.Server
 	conn          *net.UDPConn
 	tcpServer     *dns.Server
 	tcpListen     *net.TCPListener
 	err           error
-	listenAddress string
+	listenAddress netip.Addr
 	proxyDNS      atomic.Bool
 	startCh       chan struct{}
 	logger        *log.Entry
@@ -87,18 +97,45 @@
 // NewResolver creates a new instance of the Resolver
 func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver {
 	r := &Resolver{
-		backend:       backend,
-		listenAddress: address,
-		err:           fmt.Errorf("setup not done yet"),
-		startCh:       make(chan struct{}, 1),
-		fwdSem:        semaphore.NewWeighted(maxConcurrent),
-		logInverval:   rate.Sometimes{Interval: logInterval},
+		backend:     backend,
+		err:         fmt.Errorf("setup not done yet"),
+		startCh:     make(chan struct{}, 1),
+		fwdSem:      semaphore.NewWeighted(maxConcurrent),
+		logInverval: rate.Sometimes{Interval: logInterval},
 	}
+	r.listenAddress, _ = netip.ParseAddr(address)
 	r.proxyDNS.Store(proxyDNS)
 
 	return r
 }
 
+type addrToExtDNSMap struct {
+	mu   sync.Mutex
+	eMap map[netip.Addr][maxExtDNS]extDNSEntry
+}
+
+func (am *addrToExtDNSMap) get(addr netip.Addr) ([maxExtDNS]extDNSEntry, bool) {
+	am.mu.Lock()
+	defer am.mu.Unlock()
+	entries, ok := am.eMap[addr]
+	return entries, ok
+}
+
+func (am *addrToExtDNSMap) set(addr netip.Addr, entries []extDNSEntry) {
+	var e [maxExtDNS]extDNSEntry
+	copy(e[:], entries)
+	am.mu.Lock()
+	defer am.mu.Unlock()
+	if len(entries) > 0 {
+		if am.eMap == nil {
+			am.eMap = map[netip.Addr][maxExtDNS]extDNSEntry{}
+		}
+		am.eMap[addr] = e
+	} else {
+		delete(am.eMap, addr)
+	}
+}
+
 func (r *Resolver) log(ctx context.Context) *log.Entry {
 	if r.logger == nil {
 		return log.G(ctx)
@@ -108,25 +145,23 @@
 
 // SetupFunc returns the setup function that should be run in the container's
 // network namespace.
-func (r *Resolver) SetupFunc(port int) func() {
+func (r *Resolver) SetupFunc(port uint16) func() {
 	return func() {
 		var err error
 
 		// DNS operates primarily on UDP
-		r.conn, err = net.ListenUDP("udp", &net.UDPAddr{
-			IP:   net.ParseIP(r.listenAddress),
-			Port: port,
-		})
+		r.conn, err = net.ListenUDP("udp", net.UDPAddrFromAddrPort(
+			netip.AddrPortFrom(r.listenAddress, port)),
+		)
 		if err != nil {
 			r.err = fmt.Errorf("error in opening name server socket %v", err)
 			return
 		}
 
 		// Listen on a TCP as well
-		r.tcpListen, err = net.ListenTCP("tcp", &net.TCPAddr{
-			IP:   net.ParseIP(r.listenAddress),
-			Port: port,
-		})
+		r.tcpListen, err = net.ListenTCP("tcp", net.TCPAddrFromAddrPort(
+			netip.AddrPortFrom(r.listenAddress, port)),
+		)
 		if err != nil {
 			r.err = fmt.Errorf("error in opening name TCP server socket %v", err)
 			return
@@ -186,7 +221,8 @@
 }
 
 // SetExtServers configures the external nameservers the resolver should use
-// when forwarding queries.
+// when forwarding queries, unless SetExtServersForSrc has configured servers
+// for the DNS client making the request.
 func (r *Resolver) SetExtServers(extDNS []extDNSEntry) {
 	l := len(extDNS)
 	if l > maxExtDNS {
@@ -203,8 +239,17 @@
 	r.proxyDNS.Store(policy)
 }
 
+// SetExtServersForSrc configures the external nameservers the resolver should
+// use when forwarding queries from srcAddr. If set, these servers will be used
+// in preference to servers set by SetExtServers. Supplying a nil or empty extDNS
+// deletes nameservers for srcAddr.
+func (r *Resolver) SetExtServersForSrc(srcAddr netip.Addr, extDNS []extDNSEntry) error {
+	r.ipToExtDNS.set(srcAddr, extDNS)
+	return nil
+}
+
 // NameServer returns the IP of the DNS resolver for the containers.
-func (r *Resolver) NameServer() string {
+func (r *Resolver) NameServer() netip.Addr {
 	return r.listenAddress
 }
 
@@ -439,7 +484,7 @@
 			!strings.Contains(strings.TrimSuffix(queryName, "."), ".") {
 			resp = createRespMsg(query)
 		} else {
-			resp = r.forwardExtDNS(ctx, w.LocalAddr().Network(), query)
+			resp = r.forwardExtDNS(ctx, w.LocalAddr().Network(), w.RemoteAddr(), query)
 		}
 	}
 
@@ -481,11 +526,11 @@
 	return extConn, nil
 }
 
-func (r *Resolver) forwardExtDNS(ctx context.Context, proto string, query *dns.Msg) *dns.Msg {
+func (r *Resolver) forwardExtDNS(ctx context.Context, proto string, remoteAddr net.Addr, query *dns.Msg) *dns.Msg {
 	ctx, span := otel.Tracer("").Start(ctx, "resolver.forwardExtDNS")
 	defer span.End()
 
-	for _, extDNS := range r.extDNSList {
+	for _, extDNS := range r.extDNS(netiputil.AddrPortFromNet(remoteAddr)) {
 		if extDNS.IPStr == "" {
 			break
 		}
@@ -548,6 +593,13 @@
 	return nil
 }
 
+func (r *Resolver) extDNS(remoteAddr netip.AddrPort) []extDNSEntry {
+	if res, ok := r.ipToExtDNS.get(remoteAddr.Addr()); ok {
+		return res[:]
+	}
+	return r.extDNSList[:]
+}
+
 func (r *Resolver) exchange(ctx context.Context, proto string, extDNS extDNSEntry, query *dns.Msg) *dns.Msg {
 	ctx, span := otel.Tracer("").Start(ctx, "resolver.exchange", trace.WithAttributes(
 		attribute.String("libnet.resolver.upstream.proto", proto),
diff --git a/libnetwork/sandbox.go b/libnetwork/sandbox.go
index b7c242e..e1138da 100644
--- a/libnetwork/sandbox.go
+++ b/libnetwork/sandbox.go
@@ -92,6 +92,7 @@
 }
 
 type containerConfig struct {
+	containerConfigOS //nolint:nolintlint,unused // only populated on windows
 	hostsPathConfig
 	resolvConfPathConfig
 	generic           map[string]interface{}
@@ -507,6 +508,21 @@
 	return nil, ipv6Miss
 }
 
+// hasExternalAccess returns true if any of sb's Endpoints appear to have external
+// network access.
+func (sb *Sandbox) hasExternalAccess() bool {
+	for _, ep := range sb.Endpoints() {
+		nw := ep.getNetwork()
+		if nw.Internal() || nw.Type() == "null" || nw.Type() == "host" {
+			continue
+		}
+		if ep.hasGatewayOrDefaultRoute() {
+			return true
+		}
+	}
+	return false
+}
+
 // EnableService makes a managed container's service available by adding the
 // endpoint to the service load balancer and service discovery.
 func (sb *Sandbox) EnableService() (err error) {
diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go
index 2dea55a..f335a63 100644
--- a/libnetwork/sandbox_dns_unix.go
+++ b/libnetwork/sandbox_dns_unix.go
@@ -4,6 +4,7 @@
 
 import (
 	"context"
+	"fmt"
 	"io/fs"
 	"net/netip"
 	"os"
@@ -48,7 +49,7 @@
 		// have a gateway. So, if the Sandbox is only connected to an 'internal' network,
 		// it will not forward DNS requests to external resolvers. The resolver's
 		// proxyDNS setting is then updated as network Endpoints are added/removed.
-		sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb)
+		sb.resolver = NewResolver(resolverIPSandbox, sb.hasExternalAccess(), sb)
 		defer func() {
 			if err != nil {
 				sb.resolver = nil
@@ -343,9 +344,9 @@
 		}
 	}
 
-	intNS, err := netip.ParseAddr(sb.resolver.NameServer())
-	if err != nil {
-		return err
+	intNS := sb.resolver.NameServer()
+	if !intNS.IsValid() {
+		return fmt.Errorf("no listen-address for internal resolver")
 	}
 
 	// Work out whether ndots has been set from host config or overrides.
diff --git a/libnetwork/sandbox_linux.go b/libnetwork/sandbox_linux.go
index 7db5edf..c34e96c 100644
--- a/libnetwork/sandbox_linux.go
+++ b/libnetwork/sandbox_linux.go
@@ -12,6 +12,9 @@
 	"github.com/docker/docker/libnetwork/types"
 )
 
+// Linux-specific container configuration flags.
+type containerConfigOS struct{} //nolint:nolintlint,unused // only populated on windows
+
 func releaseOSSboxResources(ns *osl.Namespace, ep *Endpoint) {
 	for _, i := range ns.Interfaces() {
 		// Only remove the interfaces owned by this endpoint from the sandbox.
diff --git a/libnetwork/sandbox_options_windows.go b/libnetwork/sandbox_options_windows.go
new file mode 100644
index 0000000..8022e40
--- /dev/null
+++ b/libnetwork/sandbox_options_windows.go
@@ -0,0 +1,7 @@
+package libnetwork
+
+func OptionDNSNoProxy() SandboxOption {
+	return func(sb *Sandbox) {
+		sb.config.dnsNoProxy = true
+	}
+}
diff --git a/libnetwork/sandbox_unix_test.go b/libnetwork/sandbox_unix_test.go
index f0eb45d..1dd5ba2 100644
--- a/libnetwork/sandbox_unix_test.go
+++ b/libnetwork/sandbox_unix_test.go
@@ -9,7 +9,7 @@
 	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/internal/testutils/netnsutils"
 	"github.com/docker/docker/libnetwork/config"
-	"github.com/docker/docker/libnetwork/ipamapi"
+	"github.com/docker/docker/libnetwork/ipams/defaultipam"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/options"
 	"github.com/docker/docker/libnetwork/osl"
@@ -114,7 +114,7 @@
 	defer netnsutils.SetupTestOSContext(t)()
 
 	opts := [][]NetworkOption{
-		{NetworkOptionEnableIPv6(true), NetworkOptionIpam(ipamapi.DefaultIPAM, "", nil, []*IpamConf{{PreferredPool: "fe90::/64"}}, nil)},
+		{NetworkOptionEnableIPv6(true), NetworkOptionIpam(defaultipam.DriverName, "", nil, []*IpamConf{{PreferredPool: "fe90::/64"}}, nil)},
 		{NetworkOptionInternalNetwork()},
 		{},
 	}
@@ -200,7 +200,7 @@
 	opts := [][]NetworkOption{
 		{},
 		{},
-		{NetworkOptionEnableIPv6(true), NetworkOptionIpam(ipamapi.DefaultIPAM, "", nil, []*IpamConf{{PreferredPool: "fe90::/64"}}, nil)},
+		{NetworkOptionEnableIPv6(true), NetworkOptionIpam(defaultipam.DriverName, "", nil, []*IpamConf{{PreferredPool: "fe90::/64"}}, nil)},
 		{NetworkOptionInternalNetwork()},
 	}
 
diff --git a/libnetwork/sandbox_unsupported.go b/libnetwork/sandbox_windows.go
similarity index 87%
rename from libnetwork/sandbox_unsupported.go
rename to libnetwork/sandbox_windows.go
index b8c47bf..d9d9ce7 100644
--- a/libnetwork/sandbox_unsupported.go
+++ b/libnetwork/sandbox_windows.go
@@ -1,9 +1,12 @@
-//go:build !linux
-
 package libnetwork
 
 import "github.com/docker/docker/libnetwork/osl"
 
+// Windows-specific container configuration flags.
+type containerConfigOS struct {
+	dnsNoProxy bool
+}
+
 func releaseOSSboxResources(*osl.Namespace, *Endpoint) {}
 
 func (sb *Sandbox) updateGateway(*Endpoint) error {
diff --git a/pkg/system/stat_illumos.go b/pkg/system/stat_illumos.go
new file mode 100644
index 0000000..851374e
--- /dev/null
+++ b/pkg/system/stat_illumos.go
@@ -0,0 +1,15 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
+func fromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return &StatT{
+		size: s.Size,
+		mode: uint32(s.Mode),
+		uid:  s.Uid,
+		gid:  s.Gid,
+		rdev: uint64(s.Rdev),
+		mtim: s.Mtim,
+	}, nil
+}
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
index cf8c34c..8dbc1b6 100644
--- a/profiles/apparmor/template.go
+++ b/profiles/apparmor/template.go
@@ -25,6 +25,10 @@
   umount,
   # Host (privileged) processes may send signals to container processes.
   signal (receive) peer=unconfined,
+  # runc may send signals to container processes (for "docker stop").
+  signal (receive) peer=runc,
+  # crun may send signals to container processes (for "docker stop" when used with crun OCI runtime).
+  signal (receive) peer=crun,
   # dockerd may send signals to container processes (for "docker kill").
   signal (receive) peer={{.DaemonProfile}},
   # Container processes may send signals amongst themselves.
diff --git a/vendor.mod b/vendor.mod
index 6b1729f..3ed1b69 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -14,7 +14,7 @@
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1
 	github.com/Graylog2/go-gelf v0.0.0-20191017102106-1550ee647df0
-	github.com/Microsoft/go-winio v0.6.1
+	github.com/Microsoft/go-winio v0.6.2
 	github.com/Microsoft/hcsshim v0.11.4
 	github.com/RackSec/srslog v0.0.0-20180709174129-a4725f04ec91
 	github.com/aws/aws-sdk-go-v2 v1.24.1
@@ -25,7 +25,7 @@
 	github.com/aws/smithy-go v1.19.0
 	github.com/cloudflare/cfssl v1.6.4
 	github.com/containerd/cgroups/v3 v3.0.3
-	github.com/containerd/containerd v1.7.14
+	github.com/containerd/containerd v1.7.16
 	github.com/containerd/continuity v0.4.3
 	github.com/containerd/fifo v1.1.0
 	github.com/containerd/log v0.1.0
@@ -66,7 +66,7 @@
 	github.com/moby/locker v1.0.1
 	github.com/moby/patternmatcher v0.6.0
 	github.com/moby/pubsub v1.0.0
-	github.com/moby/swarmkit/v2 v2.0.0-20240227173239-911c97650f2e
+	github.com/moby/swarmkit/v2 v2.0.0-20240412154004-f3ffc0881d0e
 	github.com/moby/sys/mount v0.3.3
 	github.com/moby/sys/mountinfo v0.7.1
 	github.com/moby/sys/sequential v0.5.0
@@ -78,7 +78,7 @@
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc5
 	github.com/opencontainers/runc v1.1.12
-	github.com/opencontainers/runtime-spec v1.1.0
+	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/opencontainers/selinux v1.11.0
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
@@ -99,8 +99,8 @@
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0
 	go.opentelemetry.io/otel/sdk v1.21.0
 	go.opentelemetry.io/otel/trace v1.21.0
-	golang.org/x/mod v0.13.0
-	golang.org/x/net v0.18.0
+	golang.org/x/mod v0.17.0
+	golang.org/x/net v0.23.0
 	golang.org/x/sync v0.5.0
 	golang.org/x/sys v0.18.0
 	golang.org/x/text v0.14.0
@@ -110,7 +110,7 @@
 	google.golang.org/protobuf v1.33.0
 	gotest.tools/v3 v3.5.1
 	resenje.org/singleflight v0.4.1
-	tags.cncf.io/container-device-interface v0.6.2
+	tags.cncf.io/container-device-interface v0.7.2
 )
 
 require (
@@ -136,7 +136,7 @@
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/cilium/ebpf v0.11.0 // indirect
+	github.com/cilium/ebpf v0.12.3 // indirect
 	github.com/container-storage-interface/spec v1.5.0 // indirect
 	github.com/containerd/cgroups v1.1.0 // indirect
 	github.com/containerd/console v1.0.4 // indirect
@@ -216,10 +216,10 @@
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.21.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
 	golang.org/x/oauth2 v0.11.0 // indirect
-	golang.org/x/tools v0.14.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
 	google.golang.org/api v0.128.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b // indirect
@@ -228,5 +228,5 @@
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.90.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
-	tags.cncf.io/container-device-interface/specs-go v0.6.0 // indirect
+	tags.cncf.io/container-device-interface/specs-go v0.7.0 // indirect
 )
diff --git a/vendor.sum b/vendor.sum
index b4a2307..233aad6 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -38,8 +38,8 @@
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Graylog2/go-gelf v0.0.0-20191017102106-1550ee647df0 h1:cOjLyhBhe91glgZZNbQUg9BJC57l6BiSKov0Ivv7k0U=
 github.com/Graylog2/go-gelf v0.0.0-20191017102106-1550ee647df0/go.mod h1:fBaQWrftOD5CrVCUfoYGHs4X4VViTuGOXA8WloCjTY0=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.11.4 h1:68vKo2VN8DE9AdN4tnkWnmdhqdbpUFM8OF3Airm7fz8=
 github.com/Microsoft/hcsshim v0.11.4/go.mod h1:smjE4dvqPX9Zldna+t5FG3rnoHhaB7QYxPRqGcpAD9w=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
@@ -124,8 +124,8 @@
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.11.0 h1:V8gS/bTCCjX9uUnkUFUpPsksM8n1lXBAvHcpiFk1X2Y=
-github.com/cilium/ebpf v0.11.0/go.mod h1:WE7CZAnqOL2RouJ4f1uyNhqr2P4CCvXFIqdRDUgWsVs=
+github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4=
+github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -156,8 +156,8 @@
 github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
 github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
-github.com/containerd/containerd v1.7.14 h1:H/XLzbnGuenZEGK+v0RkwTdv2u1QFAruMe5N0GNPJwA=
-github.com/containerd/containerd v1.7.14/go.mod h1:YMC9Qt5yzNqXx/fO4j/5yYVIHXSRrlB3H7sxkUTvspg=
+github.com/containerd/containerd v1.7.16 h1:7Zsfe8Fkj4Wi2My6DXGQ87hiqIrmOXolm72ZEkFU5Mg=
+github.com/containerd/containerd v1.7.16/go.mod h1:NL49g7A/Fui7ccmxV6zkBWwqMgmMxFWzujYCc+JLt7k=
 github.com/containerd/continuity v0.4.3 h1:6HVkalIp+2u1ZLH1J/pYX2oBVXlJZvh1X1A7bEZ9Su8=
 github.com/containerd/continuity v0.4.3/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ=
 github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=
@@ -490,8 +490,8 @@
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
 github.com/moby/pubsub v1.0.0 h1:jkp/imWsmJz2f6LyFsk7EkVeN2HxR/HTTOY8kHrsxfA=
 github.com/moby/pubsub v1.0.0/go.mod h1:bXSO+3h5MNXXCaEG+6/NlAIk7MMZbySZlnB+cUQhKKc=
-github.com/moby/swarmkit/v2 v2.0.0-20240227173239-911c97650f2e h1:4FRRm/5kOaCc+ssRBPmmcQM7b0KHdOgqKob93VnvHPs=
-github.com/moby/swarmkit/v2 v2.0.0-20240227173239-911c97650f2e/go.mod h1:kNy225f/gWAnF8wPftteMc5nbAHhrH+HUfvyjmhFjeQ=
+github.com/moby/swarmkit/v2 v2.0.0-20240412154004-f3ffc0881d0e h1:ZCx3cYIxF6OdZkiSbesvyJyJetMmICNvMGVHFop+Mec=
+github.com/moby/swarmkit/v2 v2.0.0-20240412154004-f3ffc0881d0e/go.mod h1:kNy225f/gWAnF8wPftteMc5nbAHhrH+HUfvyjmhFjeQ=
 github.com/moby/sys/mount v0.3.3 h1:fX1SVkXFJ47XWDoeFW4Sq7PdQJnV2QIDZAqjNqgEjUs=
 github.com/moby/sys/mount v0.3.3/go.mod h1:PBaEorSNTLG5t/+4EgukEQVlAvVEc6ZjTySwKdqp5K0=
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
@@ -542,8 +542,8 @@
 github.com/opencontainers/runc v1.1.12 h1:BOIssBaW1La0/qbNZHXOOa71dZfZEQOzW7dqQf3phss=
 github.com/opencontainers/runc v1.1.12/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
-github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
+github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
 github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
@@ -800,8 +800,8 @@
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -829,8 +829,8 @@
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
-golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -862,8 +862,8 @@
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -942,8 +942,8 @@
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
@@ -990,8 +990,8 @@
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
-golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
-golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1106,7 +1106,7 @@
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
-tags.cncf.io/container-device-interface v0.6.2 h1:dThE6dtp/93ZDGhqaED2Pu374SOeUkBfuvkLuiTdwzg=
-tags.cncf.io/container-device-interface v0.6.2/go.mod h1:Shusyhjs1A5Na/kqPVLL0KqnHQHuunol9LFeUNkuGVE=
-tags.cncf.io/container-device-interface/specs-go v0.6.0 h1:V+tJJN6dqu8Vym6p+Ru+K5mJ49WL6Aoc5SJFSY0RLsQ=
-tags.cncf.io/container-device-interface/specs-go v0.6.0/go.mod h1:hMAwAbMZyBLdmYqWgYcKH0F/yctNpV3P35f+/088A80=
+tags.cncf.io/container-device-interface v0.7.2 h1:MLqGnWfOr1wB7m08ieI4YJ3IoLKKozEnnNYBtacDPQU=
+tags.cncf.io/container-device-interface v0.7.2/go.mod h1:Xb1PvXv2BhfNb3tla4r9JL129ck1Lxv9KuU6eVOfKto=
+tags.cncf.io/container-device-interface/specs-go v0.7.0 h1:w/maMGVeLP6TIQJVYT5pbqTi8SCw/iHZ+n4ignuGHqg=
+tags.cncf.io/container-device-interface/specs-go v0.7.0/go.mod h1:hMAwAbMZyBLdmYqWgYcKH0F/yctNpV3P35f+/088A80=
diff --git a/vendor/github.com/Microsoft/go-winio/.golangci.yml b/vendor/github.com/Microsoft/go-winio/.golangci.yml
index 7b503d2..faedfe9 100644
--- a/vendor/github.com/Microsoft/go-winio/.golangci.yml
+++ b/vendor/github.com/Microsoft/go-winio/.golangci.yml
@@ -1,7 +1,3 @@
-run:
-  skip-dirs:
-    - pkg/etw/sample
-
 linters:
   enable:
     # style
@@ -20,9 +16,13 @@
     - gofmt # files are gofmt'ed
     - gosec # security
     - nilerr # returns nil even with non-nil error
+    - thelper #  test helpers without t.Helper()
     - unparam # unused function params
 
 issues:
+  exclude-dirs:
+    - pkg/etw/sample
+
   exclude-rules:
     # err is very often shadowed in nested scopes
     - linters:
@@ -69,9 +69,7 @@
       # struct order is often for Win32 compat
       # also, ignore pointer bytes/GC issues for now until performance becomes an issue
       - fieldalignment
-    check-shadowing: true
   nolintlint:
-    allow-leading-space: false
     require-explanation: true
     require-specific: true
   revive:
diff --git a/vendor/github.com/Microsoft/go-winio/backup.go b/vendor/github.com/Microsoft/go-winio/backup.go
index 09621c8..b54341d 100644
--- a/vendor/github.com/Microsoft/go-winio/backup.go
+++ b/vendor/github.com/Microsoft/go-winio/backup.go
@@ -10,14 +10,14 @@
 	"io"
 	"os"
 	"runtime"
-	"syscall"
 	"unicode/utf16"
 
+	"github.com/Microsoft/go-winio/internal/fs"
 	"golang.org/x/sys/windows"
 )
 
-//sys backupRead(h syscall.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) = BackupRead
-//sys backupWrite(h syscall.Handle, b []byte, bytesWritten *uint32, abort bool, processSecurity bool, context *uintptr) (err error) = BackupWrite
+//sys backupRead(h windows.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) = BackupRead
+//sys backupWrite(h windows.Handle, b []byte, bytesWritten *uint32, abort bool, processSecurity bool, context *uintptr) (err error) = BackupWrite
 
 const (
 	BackupData = uint32(iota + 1)
@@ -104,7 +104,7 @@
 		if err := binary.Read(r.r, binary.LittleEndian, name); err != nil {
 			return nil, err
 		}
-		hdr.Name = syscall.UTF16ToString(name)
+		hdr.Name = windows.UTF16ToString(name)
 	}
 	if wsi.StreamID == BackupSparseBlock {
 		if err := binary.Read(r.r, binary.LittleEndian, &hdr.Offset); err != nil {
@@ -205,7 +205,7 @@
 // Read reads a backup stream from the file by calling the Win32 API BackupRead().
 func (r *BackupFileReader) Read(b []byte) (int, error) {
 	var bytesRead uint32
-	err := backupRead(syscall.Handle(r.f.Fd()), b, &bytesRead, false, r.includeSecurity, &r.ctx)
+	err := backupRead(windows.Handle(r.f.Fd()), b, &bytesRead, false, r.includeSecurity, &r.ctx)
 	if err != nil {
 		return 0, &os.PathError{Op: "BackupRead", Path: r.f.Name(), Err: err}
 	}
@@ -220,7 +220,7 @@
 // the underlying file.
 func (r *BackupFileReader) Close() error {
 	if r.ctx != 0 {
-		_ = backupRead(syscall.Handle(r.f.Fd()), nil, nil, true, false, &r.ctx)
+		_ = backupRead(windows.Handle(r.f.Fd()), nil, nil, true, false, &r.ctx)
 		runtime.KeepAlive(r.f)
 		r.ctx = 0
 	}
@@ -244,7 +244,7 @@
 // Write restores a portion of the file using the provided backup stream.
 func (w *BackupFileWriter) Write(b []byte) (int, error) {
 	var bytesWritten uint32
-	err := backupWrite(syscall.Handle(w.f.Fd()), b, &bytesWritten, false, w.includeSecurity, &w.ctx)
+	err := backupWrite(windows.Handle(w.f.Fd()), b, &bytesWritten, false, w.includeSecurity, &w.ctx)
 	if err != nil {
 		return 0, &os.PathError{Op: "BackupWrite", Path: w.f.Name(), Err: err}
 	}
@@ -259,7 +259,7 @@
 // close the underlying file.
 func (w *BackupFileWriter) Close() error {
 	if w.ctx != 0 {
-		_ = backupWrite(syscall.Handle(w.f.Fd()), nil, nil, true, false, &w.ctx)
+		_ = backupWrite(windows.Handle(w.f.Fd()), nil, nil, true, false, &w.ctx)
 		runtime.KeepAlive(w.f)
 		w.ctx = 0
 	}
@@ -271,17 +271,14 @@
 //
 // If the file opened was a directory, it cannot be used with Readdir().
 func OpenForBackup(path string, access uint32, share uint32, createmode uint32) (*os.File, error) {
-	winPath, err := syscall.UTF16FromString(path)
-	if err != nil {
-		return nil, err
-	}
-	h, err := syscall.CreateFile(&winPath[0],
-		access,
-		share,
+	h, err := fs.CreateFile(path,
+		fs.AccessMask(access),
+		fs.FileShareMode(share),
 		nil,
-		createmode,
-		syscall.FILE_FLAG_BACKUP_SEMANTICS|syscall.FILE_FLAG_OPEN_REPARSE_POINT,
-		0)
+		fs.FileCreationDisposition(createmode),
+		fs.FILE_FLAG_BACKUP_SEMANTICS|fs.FILE_FLAG_OPEN_REPARSE_POINT,
+		0,
+	)
 	if err != nil {
 		err = &os.PathError{Op: "open", Path: path, Err: err}
 		return nil, err
diff --git a/vendor/github.com/Microsoft/go-winio/backuptar/tar.go b/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
index 6b3b0cd..7f852bb 100644
--- a/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
+++ b/vendor/github.com/Microsoft/go-winio/backuptar/tar.go
@@ -11,7 +11,6 @@
 	"path/filepath"
 	"strconv"
 	"strings"
-	"syscall"
 	"time"
 
 	"github.com/Microsoft/go-winio"
@@ -106,7 +105,7 @@
 	hdr.PAXRecords[hdrFileAttributes] = fmt.Sprintf("%d", fileInfo.FileAttributes)
 	hdr.PAXRecords[hdrCreationTime] = formatPAXTime(time.Unix(0, fileInfo.CreationTime.Nanoseconds()))
 
-	if (fileInfo.FileAttributes & syscall.FILE_ATTRIBUTE_DIRECTORY) != 0 {
+	if (fileInfo.FileAttributes & windows.FILE_ATTRIBUTE_DIRECTORY) != 0 {
 		hdr.Mode |= cISDIR
 		hdr.Size = 0
 		hdr.Typeflag = tar.TypeDir
@@ -378,7 +377,7 @@
 // WriteTarFileFromBackupStream.
 func FileInfoFromHeader(hdr *tar.Header) (name string, size int64, fileInfo *winio.FileBasicInfo, err error) {
 	name = hdr.Name
-	if hdr.Typeflag == tar.TypeReg || hdr.Typeflag == tar.TypeRegA {
+	if hdr.Typeflag == tar.TypeReg {
 		size = hdr.Size
 	}
 	fileInfo = &winio.FileBasicInfo{
@@ -396,7 +395,7 @@
 		fileInfo.FileAttributes = uint32(attr)
 	} else {
 		if hdr.Typeflag == tar.TypeDir {
-			fileInfo.FileAttributes |= syscall.FILE_ATTRIBUTE_DIRECTORY
+			fileInfo.FileAttributes |= windows.FILE_ATTRIBUTE_DIRECTORY
 		}
 	}
 	if creationTimeStr, ok := hdr.PAXRecords[hdrCreationTime]; ok {
@@ -469,7 +468,7 @@
 		}
 	}
 
-	if hdr.Typeflag == tar.TypeReg || hdr.Typeflag == tar.TypeRegA {
+	if hdr.Typeflag == tar.TypeReg {
 		bhdr := winio.BackupHeader{
 			Id:   winio.BackupData,
 			Size: hdr.Size,
diff --git a/vendor/github.com/Microsoft/go-winio/file.go b/vendor/github.com/Microsoft/go-winio/file.go
index 175a99d..fe82a18 100644
--- a/vendor/github.com/Microsoft/go-winio/file.go
+++ b/vendor/github.com/Microsoft/go-winio/file.go
@@ -15,26 +15,11 @@
 	"golang.org/x/sys/windows"
 )
 
-//sys cancelIoEx(file syscall.Handle, o *syscall.Overlapped) (err error) = CancelIoEx
-//sys createIoCompletionPort(file syscall.Handle, port syscall.Handle, key uintptr, threadCount uint32) (newport syscall.Handle, err error) = CreateIoCompletionPort
-//sys getQueuedCompletionStatus(port syscall.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) = GetQueuedCompletionStatus
-//sys setFileCompletionNotificationModes(h syscall.Handle, flags uint8) (err error) = SetFileCompletionNotificationModes
-//sys wsaGetOverlappedResult(h syscall.Handle, o *syscall.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) = ws2_32.WSAGetOverlappedResult
-
-type atomicBool int32
-
-func (b *atomicBool) isSet() bool { return atomic.LoadInt32((*int32)(b)) != 0 }
-func (b *atomicBool) setFalse()   { atomic.StoreInt32((*int32)(b), 0) }
-func (b *atomicBool) setTrue()    { atomic.StoreInt32((*int32)(b), 1) }
-
-//revive:disable-next-line:predeclared Keep "new" to maintain consistency with "atomic" pkg
-func (b *atomicBool) swap(new bool) bool {
-	var newInt int32
-	if new {
-		newInt = 1
-	}
-	return atomic.SwapInt32((*int32)(b), newInt) == 1
-}
+//sys cancelIoEx(file windows.Handle, o *windows.Overlapped) (err error) = CancelIoEx
+//sys createIoCompletionPort(file windows.Handle, port windows.Handle, key uintptr, threadCount uint32) (newport windows.Handle, err error) = CreateIoCompletionPort
+//sys getQueuedCompletionStatus(port windows.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) = GetQueuedCompletionStatus
+//sys setFileCompletionNotificationModes(h windows.Handle, flags uint8) (err error) = SetFileCompletionNotificationModes
+//sys wsaGetOverlappedResult(h windows.Handle, o *windows.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) = ws2_32.WSAGetOverlappedResult
 
 var (
 	ErrFileClosed = errors.New("file has already been closed")
@@ -50,7 +35,7 @@
 type timeoutChan chan struct{}
 
 var ioInitOnce sync.Once
-var ioCompletionPort syscall.Handle
+var ioCompletionPort windows.Handle
 
 // ioResult contains the result of an asynchronous IO operation.
 type ioResult struct {
@@ -60,12 +45,12 @@
 
 // ioOperation represents an outstanding asynchronous Win32 IO.
 type ioOperation struct {
-	o  syscall.Overlapped
+	o  windows.Overlapped
 	ch chan ioResult
 }
 
 func initIO() {
-	h, err := createIoCompletionPort(syscall.InvalidHandle, 0, 0, 0xffffffff)
+	h, err := createIoCompletionPort(windows.InvalidHandle, 0, 0, 0xffffffff)
 	if err != nil {
 		panic(err)
 	}
@@ -76,10 +61,10 @@
 // win32File implements Reader, Writer, and Closer on a Win32 handle without blocking in a syscall.
 // It takes ownership of this handle and will close it if it is garbage collected.
 type win32File struct {
-	handle        syscall.Handle
+	handle        windows.Handle
 	wg            sync.WaitGroup
 	wgLock        sync.RWMutex
-	closing       atomicBool
+	closing       atomic.Bool
 	socket        bool
 	readDeadline  deadlineHandler
 	writeDeadline deadlineHandler
@@ -90,11 +75,11 @@
 	channel     timeoutChan
 	channelLock sync.RWMutex
 	timer       *time.Timer
-	timedout    atomicBool
+	timedout    atomic.Bool
 }
 
 // makeWin32File makes a new win32File from an existing file handle.
-func makeWin32File(h syscall.Handle) (*win32File, error) {
+func makeWin32File(h windows.Handle) (*win32File, error) {
 	f := &win32File{handle: h}
 	ioInitOnce.Do(initIO)
 	_, err := createIoCompletionPort(h, ioCompletionPort, 0, 0xffffffff)
@@ -110,7 +95,12 @@
 	return f, nil
 }
 
+// Deprecated: use NewOpenFile instead.
 func MakeOpenFile(h syscall.Handle) (io.ReadWriteCloser, error) {
+	return NewOpenFile(windows.Handle(h))
+}
+
+func NewOpenFile(h windows.Handle) (io.ReadWriteCloser, error) {
 	// If we return the result of makeWin32File directly, it can result in an
 	// interface-wrapped nil, rather than a nil interface value.
 	f, err := makeWin32File(h)
@@ -124,13 +114,13 @@
 func (f *win32File) closeHandle() {
 	f.wgLock.Lock()
 	// Atomically set that we are closing, releasing the resources only once.
-	if !f.closing.swap(true) {
+	if !f.closing.Swap(true) {
 		f.wgLock.Unlock()
 		// cancel all IO and wait for it to complete
 		_ = cancelIoEx(f.handle, nil)
 		f.wg.Wait()
 		// at this point, no new IO can start
-		syscall.Close(f.handle)
+		windows.Close(f.handle)
 		f.handle = 0
 	} else {
 		f.wgLock.Unlock()
@@ -145,14 +135,14 @@
 
 // IsClosed checks if the file has been closed.
 func (f *win32File) IsClosed() bool {
-	return f.closing.isSet()
+	return f.closing.Load()
 }
 
 // prepareIO prepares for a new IO operation.
 // The caller must call f.wg.Done() when the IO is finished, prior to Close() returning.
 func (f *win32File) prepareIO() (*ioOperation, error) {
 	f.wgLock.RLock()
-	if f.closing.isSet() {
+	if f.closing.Load() {
 		f.wgLock.RUnlock()
 		return nil, ErrFileClosed
 	}
@@ -164,12 +154,12 @@
 }
 
 // ioCompletionProcessor processes completed async IOs forever.
-func ioCompletionProcessor(h syscall.Handle) {
+func ioCompletionProcessor(h windows.Handle) {
 	for {
 		var bytes uint32
 		var key uintptr
 		var op *ioOperation
-		err := getQueuedCompletionStatus(h, &bytes, &key, &op, syscall.INFINITE)
+		err := getQueuedCompletionStatus(h, &bytes, &key, &op, windows.INFINITE)
 		if op == nil {
 			panic(err)
 		}
@@ -182,11 +172,11 @@
 // asyncIO processes the return value from ReadFile or WriteFile, blocking until
 // the operation has actually completed.
 func (f *win32File) asyncIO(c *ioOperation, d *deadlineHandler, bytes uint32, err error) (int, error) {
-	if err != syscall.ERROR_IO_PENDING { //nolint:errorlint // err is Errno
+	if err != windows.ERROR_IO_PENDING { //nolint:errorlint // err is Errno
 		return int(bytes), err
 	}
 
-	if f.closing.isSet() {
+	if f.closing.Load() {
 		_ = cancelIoEx(f.handle, &c.o)
 	}
 
@@ -201,8 +191,8 @@
 	select {
 	case r = <-c.ch:
 		err = r.err
-		if err == syscall.ERROR_OPERATION_ABORTED { //nolint:errorlint // err is Errno
-			if f.closing.isSet() {
+		if err == windows.ERROR_OPERATION_ABORTED { //nolint:errorlint // err is Errno
+			if f.closing.Load() {
 				err = ErrFileClosed
 			}
 		} else if err != nil && f.socket {
@@ -214,7 +204,7 @@
 		_ = cancelIoEx(f.handle, &c.o)
 		r = <-c.ch
 		err = r.err
-		if err == syscall.ERROR_OPERATION_ABORTED { //nolint:errorlint // err is Errno
+		if err == windows.ERROR_OPERATION_ABORTED { //nolint:errorlint // err is Errno
 			err = ErrTimeout
 		}
 	}
@@ -235,23 +225,22 @@
 	}
 	defer f.wg.Done()
 
-	if f.readDeadline.timedout.isSet() {
+	if f.readDeadline.timedout.Load() {
 		return 0, ErrTimeout
 	}
 
 	var bytes uint32
-	err = syscall.ReadFile(f.handle, b, &bytes, &c.o)
+	err = windows.ReadFile(f.handle, b, &bytes, &c.o)
 	n, err := f.asyncIO(c, &f.readDeadline, bytes, err)
 	runtime.KeepAlive(b)
 
 	// Handle EOF conditions.
 	if err == nil && n == 0 && len(b) != 0 {
 		return 0, io.EOF
-	} else if err == syscall.ERROR_BROKEN_PIPE { //nolint:errorlint // err is Errno
+	} else if err == windows.ERROR_BROKEN_PIPE { //nolint:errorlint // err is Errno
 		return 0, io.EOF
-	} else {
-		return n, err
 	}
+	return n, err
 }
 
 // Write writes to a file handle.
@@ -262,12 +251,12 @@
 	}
 	defer f.wg.Done()
 
-	if f.writeDeadline.timedout.isSet() {
+	if f.writeDeadline.timedout.Load() {
 		return 0, ErrTimeout
 	}
 
 	var bytes uint32
-	err = syscall.WriteFile(f.handle, b, &bytes, &c.o)
+	err = windows.WriteFile(f.handle, b, &bytes, &c.o)
 	n, err := f.asyncIO(c, &f.writeDeadline, bytes, err)
 	runtime.KeepAlive(b)
 	return n, err
@@ -282,7 +271,7 @@
 }
 
 func (f *win32File) Flush() error {
-	return syscall.FlushFileBuffers(f.handle)
+	return windows.FlushFileBuffers(f.handle)
 }
 
 func (f *win32File) Fd() uintptr {
@@ -299,7 +288,7 @@
 		}
 		d.timer = nil
 	}
-	d.timedout.setFalse()
+	d.timedout.Store(false)
 
 	select {
 	case <-d.channel:
@@ -314,7 +303,7 @@
 	}
 
 	timeoutIO := func() {
-		d.timedout.setTrue()
+		d.timedout.Store(true)
 		close(d.channel)
 	}
 
diff --git a/vendor/github.com/Microsoft/go-winio/fileinfo.go b/vendor/github.com/Microsoft/go-winio/fileinfo.go
index 702950e..c860eb9 100644
--- a/vendor/github.com/Microsoft/go-winio/fileinfo.go
+++ b/vendor/github.com/Microsoft/go-winio/fileinfo.go
@@ -18,9 +18,18 @@
 	_                                                       uint32 // padding
 }
 
+// alignedFileBasicInfo is a FileBasicInfo, but aligned to uint64 by containing
+// uint64 rather than windows.Filetime. Filetime contains two uint32s. uint64
+// alignment is necessary to pass this as FILE_BASIC_INFO.
+type alignedFileBasicInfo struct {
+	CreationTime, LastAccessTime, LastWriteTime, ChangeTime uint64
+	FileAttributes                                          uint32
+	_                                                       uint32 // padding
+}
+
 // GetFileBasicInfo retrieves times and attributes for a file.
 func GetFileBasicInfo(f *os.File) (*FileBasicInfo, error) {
-	bi := &FileBasicInfo{}
+	bi := &alignedFileBasicInfo{}
 	if err := windows.GetFileInformationByHandleEx(
 		windows.Handle(f.Fd()),
 		windows.FileBasicInfo,
@@ -30,16 +39,21 @@
 		return nil, &os.PathError{Op: "GetFileInformationByHandleEx", Path: f.Name(), Err: err}
 	}
 	runtime.KeepAlive(f)
-	return bi, nil
+	// Reinterpret the alignedFileBasicInfo as a FileBasicInfo so it matches the
+	// public API of this module. The data may be unnecessarily aligned.
+	return (*FileBasicInfo)(unsafe.Pointer(bi)), nil
 }
 
 // SetFileBasicInfo sets times and attributes for a file.
 func SetFileBasicInfo(f *os.File, bi *FileBasicInfo) error {
+	// Create an alignedFileBasicInfo based on a FileBasicInfo. The copy is
+	// suitable to pass to GetFileInformationByHandleEx.
+	biAligned := *(*alignedFileBasicInfo)(unsafe.Pointer(bi))
 	if err := windows.SetFileInformationByHandle(
 		windows.Handle(f.Fd()),
 		windows.FileBasicInfo,
-		(*byte)(unsafe.Pointer(bi)),
-		uint32(unsafe.Sizeof(*bi)),
+		(*byte)(unsafe.Pointer(&biAligned)),
+		uint32(unsafe.Sizeof(biAligned)),
 	); err != nil {
 		return &os.PathError{Op: "SetFileInformationByHandle", Path: f.Name(), Err: err}
 	}
diff --git a/vendor/github.com/Microsoft/go-winio/hvsock.go b/vendor/github.com/Microsoft/go-winio/hvsock.go
index c881916..c4fdd9d 100644
--- a/vendor/github.com/Microsoft/go-winio/hvsock.go
+++ b/vendor/github.com/Microsoft/go-winio/hvsock.go
@@ -10,7 +10,6 @@
 	"io"
 	"net"
 	"os"
-	"syscall"
 	"time"
 	"unsafe"
 
@@ -181,13 +180,13 @@
 var _ net.Conn = &HvsockConn{}
 
 func newHVSocket() (*win32File, error) {
-	fd, err := syscall.Socket(afHVSock, syscall.SOCK_STREAM, 1)
+	fd, err := windows.Socket(afHVSock, windows.SOCK_STREAM, 1)
 	if err != nil {
 		return nil, os.NewSyscallError("socket", err)
 	}
 	f, err := makeWin32File(fd)
 	if err != nil {
-		syscall.Close(fd)
+		windows.Close(fd)
 		return nil, err
 	}
 	f.socket = true
@@ -197,16 +196,24 @@
 // ListenHvsock listens for connections on the specified hvsock address.
 func ListenHvsock(addr *HvsockAddr) (_ *HvsockListener, err error) {
 	l := &HvsockListener{addr: *addr}
-	sock, err := newHVSocket()
+
+	var sock *win32File
+	sock, err = newHVSocket()
 	if err != nil {
 		return nil, l.opErr("listen", err)
 	}
+	defer func() {
+		if err != nil {
+			_ = sock.Close()
+		}
+	}()
+
 	sa := addr.raw()
-	err = socket.Bind(windows.Handle(sock.handle), &sa)
+	err = socket.Bind(sock.handle, &sa)
 	if err != nil {
 		return nil, l.opErr("listen", os.NewSyscallError("socket", err))
 	}
-	err = syscall.Listen(sock.handle, 16)
+	err = windows.Listen(sock.handle, 16)
 	if err != nil {
 		return nil, l.opErr("listen", os.NewSyscallError("listen", err))
 	}
@@ -246,7 +253,7 @@
 	var addrbuf [addrlen * 2]byte
 
 	var bytes uint32
-	err = syscall.AcceptEx(l.sock.handle, sock.handle, &addrbuf[0], 0 /* rxdatalen */, addrlen, addrlen, &bytes, &c.o)
+	err = windows.AcceptEx(l.sock.handle, sock.handle, &addrbuf[0], 0 /* rxdatalen */, addrlen, addrlen, &bytes, &c.o)
 	if _, err = l.sock.asyncIO(c, nil, bytes, err); err != nil {
 		return nil, l.opErr("accept", os.NewSyscallError("acceptex", err))
 	}
@@ -263,7 +270,7 @@
 	conn.remote.fromRaw((*rawHvsockAddr)(unsafe.Pointer(&addrbuf[addrlen])))
 
 	// initialize the accepted socket and update its properties with those of the listening socket
-	if err = windows.Setsockopt(windows.Handle(sock.handle),
+	if err = windows.Setsockopt(sock.handle,
 		windows.SOL_SOCKET, windows.SO_UPDATE_ACCEPT_CONTEXT,
 		(*byte)(unsafe.Pointer(&l.sock.handle)), int32(unsafe.Sizeof(l.sock.handle))); err != nil {
 		return nil, conn.opErr("accept", os.NewSyscallError("setsockopt", err))
@@ -334,7 +341,7 @@
 	}()
 
 	sa := addr.raw()
-	err = socket.Bind(windows.Handle(sock.handle), &sa)
+	err = socket.Bind(sock.handle, &sa)
 	if err != nil {
 		return nil, conn.opErr(op, os.NewSyscallError("bind", err))
 	}
@@ -347,7 +354,7 @@
 	var bytes uint32
 	for i := uint(0); i <= d.Retries; i++ {
 		err = socket.ConnectEx(
-			windows.Handle(sock.handle),
+			sock.handle,
 			&sa,
 			nil, // sendBuf
 			0,   // sendDataLen
@@ -367,7 +374,7 @@
 
 	// update the connection properties, so shutdown can be used
 	if err = windows.Setsockopt(
-		windows.Handle(sock.handle),
+		sock.handle,
 		windows.SOL_SOCKET,
 		windows.SO_UPDATE_CONNECT_CONTEXT,
 		nil, // optvalue
@@ -378,7 +385,7 @@
 
 	// get the local name
 	var sal rawHvsockAddr
-	err = socket.GetSockName(windows.Handle(sock.handle), &sal)
+	err = socket.GetSockName(sock.handle, &sal)
 	if err != nil {
 		return nil, conn.opErr(op, os.NewSyscallError("getsockname", err))
 	}
@@ -421,7 +428,7 @@
 	return ctx.Err()
 }
 
-// assumes error is a plain, unwrapped syscall.Errno provided by direct syscall.
+// assumes error is a plain, unwrapped windows.Errno provided by direct syscall.
 func canRedial(err error) bool {
 	//nolint:errorlint // guaranteed to be an Errno
 	switch err {
@@ -447,9 +454,9 @@
 		return 0, conn.opErr("read", err)
 	}
 	defer conn.sock.wg.Done()
-	buf := syscall.WSABuf{Buf: &b[0], Len: uint32(len(b))}
+	buf := windows.WSABuf{Buf: &b[0], Len: uint32(len(b))}
 	var flags, bytes uint32
-	err = syscall.WSARecv(conn.sock.handle, &buf, 1, &bytes, &flags, &c.o, nil)
+	err = windows.WSARecv(conn.sock.handle, &buf, 1, &bytes, &flags, &c.o, nil)
 	n, err := conn.sock.asyncIO(c, &conn.sock.readDeadline, bytes, err)
 	if err != nil {
 		var eno windows.Errno
@@ -482,9 +489,9 @@
 		return 0, conn.opErr("write", err)
 	}
 	defer conn.sock.wg.Done()
-	buf := syscall.WSABuf{Buf: &b[0], Len: uint32(len(b))}
+	buf := windows.WSABuf{Buf: &b[0], Len: uint32(len(b))}
 	var bytes uint32
-	err = syscall.WSASend(conn.sock.handle, &buf, 1, &bytes, 0, &c.o, nil)
+	err = windows.WSASend(conn.sock.handle, &buf, 1, &bytes, 0, &c.o, nil)
 	n, err := conn.sock.asyncIO(c, &conn.sock.writeDeadline, bytes, err)
 	if err != nil {
 		var eno windows.Errno
@@ -511,7 +518,7 @@
 		return socket.ErrSocketClosed
 	}
 
-	err := syscall.Shutdown(conn.sock.handle, how)
+	err := windows.Shutdown(conn.sock.handle, how)
 	if err != nil {
 		// If the connection was closed, shutdowns fail with "not connected"
 		if errors.Is(err, windows.WSAENOTCONN) ||
@@ -525,7 +532,7 @@
 
 // CloseRead shuts down the read end of the socket, preventing future read operations.
 func (conn *HvsockConn) CloseRead() error {
-	err := conn.shutdown(syscall.SHUT_RD)
+	err := conn.shutdown(windows.SHUT_RD)
 	if err != nil {
 		return conn.opErr("closeread", err)
 	}
@@ -535,7 +542,7 @@
 // CloseWrite shuts down the write end of the socket, preventing future write operations and
 // notifying the other endpoint that no more data will be written.
 func (conn *HvsockConn) CloseWrite() error {
-	err := conn.shutdown(syscall.SHUT_WR)
+	err := conn.shutdown(windows.SHUT_WR)
 	if err != nil {
 		return conn.opErr("closewrite", err)
 	}
diff --git a/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go b/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go
index 509b3ec..0cd9621 100644
--- a/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/fs.go
@@ -11,12 +11,14 @@
 //go:generate go run github.com/Microsoft/go-winio/tools/mkwinsyscall -output zsyscall_windows.go fs.go
 
 // https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew
-//sys CreateFile(name string, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) [failretval==windows.InvalidHandle] = CreateFileW
+//sys CreateFile(name string, access AccessMask, mode FileShareMode, sa *windows.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) [failretval==windows.InvalidHandle] = CreateFileW
 
 const NullHandle windows.Handle = 0
 
 // AccessMask defines standard, specific, and generic rights.
 //
+// Used with CreateFile and NtCreateFile (and co.).
+//
 //	Bitmask:
 //	 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
 //	 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
@@ -47,6 +49,12 @@
 	// https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew#parameters
 	FILE_ANY_ACCESS AccessMask = 0
 
+	GENERIC_READ           AccessMask = 0x8000_0000
+	GENERIC_WRITE          AccessMask = 0x4000_0000
+	GENERIC_EXECUTE        AccessMask = 0x2000_0000
+	GENERIC_ALL            AccessMask = 0x1000_0000
+	ACCESS_SYSTEM_SECURITY AccessMask = 0x0100_0000
+
 	// Specific Object Access
 	// from ntioapi.h
 
@@ -124,14 +132,32 @@
 	TRUNCATE_EXISTING FileCreationDisposition = 0x05
 )
 
+// Create disposition values for NtCreate*
+type NTFileCreationDisposition uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	// From ntioapi.h
+
+	FILE_SUPERSEDE           NTFileCreationDisposition = 0x00
+	FILE_OPEN                NTFileCreationDisposition = 0x01
+	FILE_CREATE              NTFileCreationDisposition = 0x02
+	FILE_OPEN_IF             NTFileCreationDisposition = 0x03
+	FILE_OVERWRITE           NTFileCreationDisposition = 0x04
+	FILE_OVERWRITE_IF        NTFileCreationDisposition = 0x05
+	FILE_MAXIMUM_DISPOSITION NTFileCreationDisposition = 0x05
+)
+
 // CreateFile and co. take flags or attributes together as one parameter.
 // Define alias until we can use generics to allow both
-
+//
 // https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants
 type FileFlagOrAttribute uint32
 
 //nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
-const ( // from winnt.h
+const (
+	// from winnt.h
+
 	FILE_FLAG_WRITE_THROUGH       FileFlagOrAttribute = 0x8000_0000
 	FILE_FLAG_OVERLAPPED          FileFlagOrAttribute = 0x4000_0000
 	FILE_FLAG_NO_BUFFERING        FileFlagOrAttribute = 0x2000_0000
@@ -145,17 +171,51 @@
 	FILE_FLAG_FIRST_PIPE_INSTANCE FileFlagOrAttribute = 0x0008_0000
 )
 
+// NtCreate* functions take a dedicated CreateOptions parameter.
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/Winternl/nf-winternl-ntcreatefile
+//
+// https://learn.microsoft.com/en-us/windows/win32/devnotes/nt-create-named-pipe-file
+type NTCreateOptions uint32
+
+//nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
+const (
+	// From ntioapi.h
+
+	FILE_DIRECTORY_FILE            NTCreateOptions = 0x0000_0001
+	FILE_WRITE_THROUGH             NTCreateOptions = 0x0000_0002
+	FILE_SEQUENTIAL_ONLY           NTCreateOptions = 0x0000_0004
+	FILE_NO_INTERMEDIATE_BUFFERING NTCreateOptions = 0x0000_0008
+
+	FILE_SYNCHRONOUS_IO_ALERT    NTCreateOptions = 0x0000_0010
+	FILE_SYNCHRONOUS_IO_NONALERT NTCreateOptions = 0x0000_0020
+	FILE_NON_DIRECTORY_FILE      NTCreateOptions = 0x0000_0040
+	FILE_CREATE_TREE_CONNECTION  NTCreateOptions = 0x0000_0080
+
+	FILE_COMPLETE_IF_OPLOCKED NTCreateOptions = 0x0000_0100
+	FILE_NO_EA_KNOWLEDGE      NTCreateOptions = 0x0000_0200
+	FILE_DISABLE_TUNNELING    NTCreateOptions = 0x0000_0400
+	FILE_RANDOM_ACCESS        NTCreateOptions = 0x0000_0800
+
+	FILE_DELETE_ON_CLOSE        NTCreateOptions = 0x0000_1000
+	FILE_OPEN_BY_FILE_ID        NTCreateOptions = 0x0000_2000
+	FILE_OPEN_FOR_BACKUP_INTENT NTCreateOptions = 0x0000_4000
+	FILE_NO_COMPRESSION         NTCreateOptions = 0x0000_8000
+)
+
 type FileSQSFlag = FileFlagOrAttribute
 
 //nolint:revive // SNAKE_CASE is not idiomatic in Go, but aligned with Win32 API.
-const ( // from winbase.h
+const (
+	// from winbase.h
+
 	SECURITY_ANONYMOUS      FileSQSFlag = FileSQSFlag(SecurityAnonymous << 16)
 	SECURITY_IDENTIFICATION FileSQSFlag = FileSQSFlag(SecurityIdentification << 16)
 	SECURITY_IMPERSONATION  FileSQSFlag = FileSQSFlag(SecurityImpersonation << 16)
 	SECURITY_DELEGATION     FileSQSFlag = FileSQSFlag(SecurityDelegation << 16)
 
-	SECURITY_SQOS_PRESENT     FileSQSFlag = 0x00100000
-	SECURITY_VALID_SQOS_FLAGS FileSQSFlag = 0x001F0000
+	SECURITY_SQOS_PRESENT     FileSQSFlag = 0x0010_0000
+	SECURITY_VALID_SQOS_FLAGS FileSQSFlag = 0x001F_0000
 )
 
 // GetFinalPathNameByHandle flags
diff --git a/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go b/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go
index e2f7bb2..a94e234 100644
--- a/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go
@@ -33,9 +33,6 @@
 	case errnoERROR_IO_PENDING:
 		return errERROR_IO_PENDING
 	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
 	return e
 }
 
@@ -45,7 +42,7 @@
 	procCreateFileW = modkernel32.NewProc("CreateFileW")
 )
 
-func CreateFile(name string, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) {
+func CreateFile(name string, access AccessMask, mode FileShareMode, sa *windows.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) {
 	var _p0 *uint16
 	_p0, err = syscall.UTF16PtrFromString(name)
 	if err != nil {
@@ -54,8 +51,8 @@
 	return _CreateFile(_p0, access, mode, sa, createmode, attrs, templatefile)
 }
 
-func _CreateFile(name *uint16, access AccessMask, mode FileShareMode, sa *syscall.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) {
-	r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0)
+func _CreateFile(name *uint16, access AccessMask, mode FileShareMode, sa *windows.SecurityAttributes, createmode FileCreationDisposition, attrs FileFlagOrAttribute, templatefile windows.Handle) (handle windows.Handle, err error) {
+	r0, _, e1 := syscall.SyscallN(procCreateFileW.Addr(), uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile))
 	handle = windows.Handle(r0)
 	if handle == windows.InvalidHandle {
 		err = errnoErr(e1)
diff --git a/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go b/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go
index aeb7b72..88580d9 100644
--- a/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/socket/socket.go
@@ -156,9 +156,7 @@
 	bytesSent *uint32,
 	overlapped *windows.Overlapped,
 ) (err error) {
-	// todo: after upgrading to 1.18, switch from syscall.Syscall9 to syscall.SyscallN
-	r1, _, e1 := syscall.Syscall9(connectExFunc.addr,
-		7,
+	r1, _, e1 := syscall.SyscallN(connectExFunc.addr,
 		uintptr(s),
 		uintptr(name),
 		uintptr(namelen),
@@ -166,8 +164,8 @@
 		uintptr(sendDataLen),
 		uintptr(unsafe.Pointer(bytesSent)),
 		uintptr(unsafe.Pointer(overlapped)),
-		0,
-		0)
+	)
+
 	if r1 == 0 {
 		if e1 != 0 {
 			err = error(e1)
diff --git a/vendor/github.com/Microsoft/go-winio/internal/socket/zsyscall_windows.go b/vendor/github.com/Microsoft/go-winio/internal/socket/zsyscall_windows.go
index 6d2e1a9..e150412 100644
--- a/vendor/github.com/Microsoft/go-winio/internal/socket/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/socket/zsyscall_windows.go
@@ -33,9 +33,6 @@
 	case errnoERROR_IO_PENDING:
 		return errERROR_IO_PENDING
 	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
 	return e
 }
 
@@ -48,7 +45,7 @@
 )
 
 func bind(s windows.Handle, name unsafe.Pointer, namelen int32) (err error) {
-	r1, _, e1 := syscall.Syscall(procbind.Addr(), 3, uintptr(s), uintptr(name), uintptr(namelen))
+	r1, _, e1 := syscall.SyscallN(procbind.Addr(), uintptr(s), uintptr(name), uintptr(namelen))
 	if r1 == socketError {
 		err = errnoErr(e1)
 	}
@@ -56,7 +53,7 @@
 }
 
 func getpeername(s windows.Handle, name unsafe.Pointer, namelen *int32) (err error) {
-	r1, _, e1 := syscall.Syscall(procgetpeername.Addr(), 3, uintptr(s), uintptr(name), uintptr(unsafe.Pointer(namelen)))
+	r1, _, e1 := syscall.SyscallN(procgetpeername.Addr(), uintptr(s), uintptr(name), uintptr(unsafe.Pointer(namelen)))
 	if r1 == socketError {
 		err = errnoErr(e1)
 	}
@@ -64,7 +61,7 @@
 }
 
 func getsockname(s windows.Handle, name unsafe.Pointer, namelen *int32) (err error) {
-	r1, _, e1 := syscall.Syscall(procgetsockname.Addr(), 3, uintptr(s), uintptr(name), uintptr(unsafe.Pointer(namelen)))
+	r1, _, e1 := syscall.SyscallN(procgetsockname.Addr(), uintptr(s), uintptr(name), uintptr(unsafe.Pointer(namelen)))
 	if r1 == socketError {
 		err = errnoErr(e1)
 	}
diff --git a/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go b/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go
index 7ad5057..42ebc01 100644
--- a/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go
+++ b/vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go
@@ -62,7 +62,7 @@
 // ResizeTo grows the buffer to at least c and returns the new capacity, freeing the
 // previous buffer back into pool.
 func (b *WString) ResizeTo(c uint32) uint32 {
-	// allready sufficient (or n is 0)
+	// already sufficient (or n is 0)
 	if c <= b.Cap() {
 		return b.Cap()
 	}
diff --git a/vendor/github.com/Microsoft/go-winio/pipe.go b/vendor/github.com/Microsoft/go-winio/pipe.go
index 25cc811..a2da663 100644
--- a/vendor/github.com/Microsoft/go-winio/pipe.go
+++ b/vendor/github.com/Microsoft/go-winio/pipe.go
@@ -11,7 +11,6 @@
 	"net"
 	"os"
 	"runtime"
-	"syscall"
 	"time"
 	"unsafe"
 
@@ -20,20 +19,44 @@
 	"github.com/Microsoft/go-winio/internal/fs"
 )
 
-//sys connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) = ConnectNamedPipe
-//sys createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error)  [failretval==syscall.InvalidHandle] = CreateNamedPipeW
-//sys getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) = GetNamedPipeInfo
-//sys getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) = GetNamedPipeHandleStateW
-//sys localAlloc(uFlags uint32, length uint32) (ptr uintptr) = LocalAlloc
-//sys ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntStatus) = ntdll.NtCreateNamedPipeFile
+//sys connectNamedPipe(pipe windows.Handle, o *windows.Overlapped) (err error) = ConnectNamedPipe
+//sys createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *windows.SecurityAttributes) (handle windows.Handle, err error)  [failretval==windows.InvalidHandle] = CreateNamedPipeW
+//sys disconnectNamedPipe(pipe windows.Handle) (err error) = DisconnectNamedPipe
+//sys getNamedPipeInfo(pipe windows.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) = GetNamedPipeInfo
+//sys getNamedPipeHandleState(pipe windows.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) = GetNamedPipeHandleStateW
+//sys ntCreateNamedPipeFile(pipe *windows.Handle, access ntAccessMask, oa *objectAttributes, iosb *ioStatusBlock, share ntFileShareMode, disposition ntFileCreationDisposition, options ntFileOptions, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntStatus) = ntdll.NtCreateNamedPipeFile
 //sys rtlNtStatusToDosError(status ntStatus) (winerr error) = ntdll.RtlNtStatusToDosErrorNoTeb
 //sys rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntStatus) = ntdll.RtlDosPathNameToNtPathName_U
 //sys rtlDefaultNpAcl(dacl *uintptr) (status ntStatus) = ntdll.RtlDefaultNpAcl
 
+type PipeConn interface {
+	net.Conn
+	Disconnect() error
+	Flush() error
+}
+
+// type aliases for mkwinsyscall code
+type (
+	ntAccessMask              = fs.AccessMask
+	ntFileShareMode           = fs.FileShareMode
+	ntFileCreationDisposition = fs.NTFileCreationDisposition
+	ntFileOptions             = fs.NTCreateOptions
+)
+
 type ioStatusBlock struct {
 	Status, Information uintptr
 }
 
+//	typedef struct _OBJECT_ATTRIBUTES {
+//	  ULONG           Length;
+//	  HANDLE          RootDirectory;
+//	  PUNICODE_STRING ObjectName;
+//	  ULONG           Attributes;
+//	  PVOID           SecurityDescriptor;
+//	  PVOID           SecurityQualityOfService;
+//	} OBJECT_ATTRIBUTES;
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/ntdef/ns-ntdef-_object_attributes
 type objectAttributes struct {
 	Length             uintptr
 	RootDirectory      uintptr
@@ -49,6 +72,17 @@
 	Buffer        uintptr
 }
 
+//	typedef struct _SECURITY_DESCRIPTOR {
+//	  BYTE                        Revision;
+//	  BYTE                        Sbz1;
+//	  SECURITY_DESCRIPTOR_CONTROL Control;
+//	  PSID                        Owner;
+//	  PSID                        Group;
+//	  PACL                        Sacl;
+//	  PACL                        Dacl;
+//	} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;
+//
+// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-security_descriptor
 type securityDescriptor struct {
 	Revision byte
 	Sbz1     byte
@@ -80,6 +114,8 @@
 	path string
 }
 
+var _ PipeConn = (*win32Pipe)(nil)
+
 type win32MessageBytePipe struct {
 	win32Pipe
 	writeClosed bool
@@ -103,6 +139,10 @@
 	return f.SetWriteDeadline(t)
 }
 
+func (f *win32Pipe) Disconnect() error {
+	return disconnectNamedPipe(f.win32File.handle)
+}
+
 // CloseWrite closes the write side of a message pipe in byte mode.
 func (f *win32MessageBytePipe) CloseWrite() error {
 	if f.writeClosed {
@@ -146,7 +186,7 @@
 		// zero-byte message, ensure that all future Read() calls
 		// also return EOF.
 		f.readEOF = true
-	} else if err == syscall.ERROR_MORE_DATA { //nolint:errorlint // err is Errno
+	} else if err == windows.ERROR_MORE_DATA { //nolint:errorlint // err is Errno
 		// ERROR_MORE_DATA indicates that the pipe's read mode is message mode
 		// and the message still has more bytes. Treat this as a success, since
 		// this package presents all named pipes as byte streams.
@@ -164,21 +204,20 @@
 }
 
 // tryDialPipe attempts to dial the pipe at `path` until `ctx` cancellation or timeout.
-func tryDialPipe(ctx context.Context, path *string, access fs.AccessMask) (syscall.Handle, error) {
+func tryDialPipe(ctx context.Context, path *string, access fs.AccessMask, impLevel PipeImpLevel) (windows.Handle, error) {
 	for {
 		select {
 		case <-ctx.Done():
-			return syscall.Handle(0), ctx.Err()
+			return windows.Handle(0), ctx.Err()
 		default:
-			wh, err := fs.CreateFile(*path,
+			h, err := fs.CreateFile(*path,
 				access,
 				0,   // mode
 				nil, // security attributes
 				fs.OPEN_EXISTING,
-				fs.FILE_FLAG_OVERLAPPED|fs.SECURITY_SQOS_PRESENT|fs.SECURITY_ANONYMOUS,
+				fs.FILE_FLAG_OVERLAPPED|fs.SECURITY_SQOS_PRESENT|fs.FileSQSFlag(impLevel),
 				0, // template file handle
 			)
-			h := syscall.Handle(wh)
 			if err == nil {
 				return h, nil
 			}
@@ -214,15 +253,33 @@
 // DialPipeContext attempts to connect to a named pipe by `path` until `ctx`
 // cancellation or timeout.
 func DialPipeContext(ctx context.Context, path string) (net.Conn, error) {
-	return DialPipeAccess(ctx, path, syscall.GENERIC_READ|syscall.GENERIC_WRITE)
+	return DialPipeAccess(ctx, path, uint32(fs.GENERIC_READ|fs.GENERIC_WRITE))
 }
 
+// PipeImpLevel is an enumeration of impersonation levels that may be set
+// when calling DialPipeAccessImpersonation.
+type PipeImpLevel uint32
+
+const (
+	PipeImpLevelAnonymous      = PipeImpLevel(fs.SECURITY_ANONYMOUS)
+	PipeImpLevelIdentification = PipeImpLevel(fs.SECURITY_IDENTIFICATION)
+	PipeImpLevelImpersonation  = PipeImpLevel(fs.SECURITY_IMPERSONATION)
+	PipeImpLevelDelegation     = PipeImpLevel(fs.SECURITY_DELEGATION)
+)
+
 // DialPipeAccess attempts to connect to a named pipe by `path` with `access` until `ctx`
 // cancellation or timeout.
 func DialPipeAccess(ctx context.Context, path string, access uint32) (net.Conn, error) {
+	return DialPipeAccessImpLevel(ctx, path, access, PipeImpLevelAnonymous)
+}
+
+// DialPipeAccessImpLevel attempts to connect to a named pipe by `path` with
+// `access` at `impLevel` until `ctx` cancellation or timeout. The other
+// DialPipe* implementations use PipeImpLevelAnonymous.
+func DialPipeAccessImpLevel(ctx context.Context, path string, access uint32, impLevel PipeImpLevel) (net.Conn, error) {
 	var err error
-	var h syscall.Handle
-	h, err = tryDialPipe(ctx, &path, fs.AccessMask(access))
+	var h windows.Handle
+	h, err = tryDialPipe(ctx, &path, fs.AccessMask(access), impLevel)
 	if err != nil {
 		return nil, err
 	}
@@ -235,7 +292,7 @@
 
 	f, err := makeWin32File(h)
 	if err != nil {
-		syscall.Close(h)
+		windows.Close(h)
 		return nil, err
 	}
 
@@ -255,7 +312,7 @@
 }
 
 type win32PipeListener struct {
-	firstHandle syscall.Handle
+	firstHandle windows.Handle
 	path        string
 	config      PipeConfig
 	acceptCh    chan (chan acceptResponse)
@@ -263,8 +320,8 @@
 	doneCh      chan int
 }
 
-func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (syscall.Handle, error) {
-	path16, err := syscall.UTF16FromString(path)
+func makeServerPipeHandle(path string, sd []byte, c *PipeConfig, first bool) (windows.Handle, error) {
+	path16, err := windows.UTF16FromString(path)
 	if err != nil {
 		return 0, &os.PathError{Op: "open", Path: path, Err: err}
 	}
@@ -280,16 +337,20 @@
 	).Err(); err != nil {
 		return 0, &os.PathError{Op: "open", Path: path, Err: err}
 	}
-	defer localFree(ntPath.Buffer)
+	defer windows.LocalFree(windows.Handle(ntPath.Buffer)) //nolint:errcheck
 	oa.ObjectName = &ntPath
 	oa.Attributes = windows.OBJ_CASE_INSENSITIVE
 
 	// The security descriptor is only needed for the first pipe.
 	if first {
 		if sd != nil {
+			//todo: does `sdb` need to be allocated on the heap, or can go allocate it?
 			l := uint32(len(sd))
-			sdb := localAlloc(0, l)
-			defer localFree(sdb)
+			sdb, err := windows.LocalAlloc(0, l)
+			if err != nil {
+				return 0, fmt.Errorf("LocalAlloc for security descriptor with of length %d: %w", l, err)
+			}
+			defer windows.LocalFree(windows.Handle(sdb)) //nolint:errcheck
 			copy((*[0xffff]byte)(unsafe.Pointer(sdb))[:], sd)
 			oa.SecurityDescriptor = (*securityDescriptor)(unsafe.Pointer(sdb))
 		} else {
@@ -298,7 +359,7 @@
 			if err := rtlDefaultNpAcl(&dacl).Err(); err != nil {
 				return 0, fmt.Errorf("getting default named pipe ACL: %w", err)
 			}
-			defer localFree(dacl)
+			defer windows.LocalFree(windows.Handle(dacl)) //nolint:errcheck
 
 			sdb := &securityDescriptor{
 				Revision: 1,
@@ -314,27 +375,27 @@
 		typ |= windows.FILE_PIPE_MESSAGE_TYPE
 	}
 
-	disposition := uint32(windows.FILE_OPEN)
-	access := uint32(syscall.GENERIC_READ | syscall.GENERIC_WRITE | syscall.SYNCHRONIZE)
+	disposition := fs.FILE_OPEN
+	access := fs.GENERIC_READ | fs.GENERIC_WRITE | fs.SYNCHRONIZE
 	if first {
-		disposition = windows.FILE_CREATE
+		disposition = fs.FILE_CREATE
 		// By not asking for read or write access, the named pipe file system
 		// will put this pipe into an initially disconnected state, blocking
 		// client connections until the next call with first == false.
-		access = syscall.SYNCHRONIZE
+		access = fs.SYNCHRONIZE
 	}
 
 	timeout := int64(-50 * 10000) // 50ms
 
 	var (
-		h    syscall.Handle
+		h    windows.Handle
 		iosb ioStatusBlock
 	)
 	err = ntCreateNamedPipeFile(&h,
 		access,
 		&oa,
 		&iosb,
-		syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE,
+		fs.FILE_SHARE_READ|fs.FILE_SHARE_WRITE,
 		disposition,
 		0,
 		typ,
@@ -359,7 +420,7 @@
 	}
 	f, err := makeWin32File(h)
 	if err != nil {
-		syscall.Close(h)
+		windows.Close(h)
 		return nil, err
 	}
 	return f, nil
@@ -418,7 +479,7 @@
 			closed = err == ErrPipeListenerClosed //nolint:errorlint // err is Errno
 		}
 	}
-	syscall.Close(l.firstHandle)
+	windows.Close(l.firstHandle)
 	l.firstHandle = 0
 	// Notify Close() and Accept() callers that the handle has been closed.
 	close(l.doneCh)
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/bind_filter.go b/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/bind_filter.go
index 7ac377a..7c7f145 100644
--- a/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/bind_filter.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/bind_filter.go
@@ -11,7 +11,6 @@
 	"os"
 	"path/filepath"
 	"strings"
-	"syscall"
 	"unsafe"
 
 	"golang.org/x/sys/windows"
@@ -244,7 +243,7 @@
 		}
 		buf = make([]uint16, n)
 	}
-	finalPath := syscall.UTF16ToString(buf)
+	finalPath := windows.UTF16ToString(buf)
 	// We got VOLUME_NAME_DOS, we need to strip away some leading slashes.
 	// Leave unchanged if we ended up requesting VOLUME_NAME_GUID
 	if len(finalPath) > 4 && finalPath[:4] == `\\?\` && flags == 0x0 {
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/zsyscall_windows.go b/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/zsyscall_windows.go
index 45c45c9..1da9b3f 100644
--- a/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/bindfilter/zsyscall_windows.go
@@ -33,9 +33,6 @@
 	case errnoERROR_IO_PENDING:
 		return errERROR_IO_PENDING
 	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
 	return e
 }
 
@@ -52,7 +49,7 @@
 	if hr != nil {
 		return
 	}
-	r0, _, _ := syscall.Syscall6(procBfGetMappings.Addr(), 6, uintptr(flags), uintptr(jobHandle), uintptr(unsafe.Pointer(virtRootPath)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(bufferSize)), uintptr(unsafe.Pointer(outBuffer)))
+	r0, _, _ := syscall.SyscallN(procBfGetMappings.Addr(), uintptr(flags), uintptr(jobHandle), uintptr(unsafe.Pointer(virtRootPath)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(bufferSize)), uintptr(unsafe.Pointer(outBuffer)))
 	if int32(r0) < 0 {
 		if r0&0x1fff0000 == 0x00070000 {
 			r0 &= 0xffff
@@ -76,7 +73,7 @@
 	if hr != nil {
 		return
 	}
-	r0, _, _ := syscall.Syscall(procBfRemoveMapping.Addr(), 2, uintptr(jobHandle), uintptr(unsafe.Pointer(virtRootPath)), 0)
+	r0, _, _ := syscall.SyscallN(procBfRemoveMapping.Addr(), uintptr(jobHandle), uintptr(unsafe.Pointer(virtRootPath)))
 	if int32(r0) < 0 {
 		if r0&0x1fff0000 == 0x00070000 {
 			r0 &= 0xffff
@@ -105,7 +102,7 @@
 	if hr != nil {
 		return
 	}
-	r0, _, _ := syscall.Syscall6(procBfSetupFilter.Addr(), 6, uintptr(jobHandle), uintptr(flags), uintptr(unsafe.Pointer(virtRootPath)), uintptr(unsafe.Pointer(virtTargetPath)), uintptr(unsafe.Pointer(virtExceptions)), uintptr(virtExceptionPathCount))
+	r0, _, _ := syscall.SyscallN(procBfSetupFilter.Addr(), uintptr(jobHandle), uintptr(flags), uintptr(unsafe.Pointer(virtRootPath)), uintptr(unsafe.Pointer(virtTargetPath)), uintptr(unsafe.Pointer(virtExceptions)), uintptr(virtExceptionPathCount))
 	if int32(r0) < 0 {
 		if r0&0x1fff0000 == 0x00070000 {
 			r0 &= 0xffff
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdata.go b/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdata.go
index a635475..f971cc7 100644
--- a/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdata.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdata.go
@@ -6,7 +6,8 @@
 import (
 	"bytes"
 	"encoding/binary"
-	"syscall"
+
+	"golang.org/x/sys/windows"
 )
 
 // eventData maintains a buffer which builds up the data for an ETW event. It
@@ -69,6 +70,6 @@
 }
 
 // writeFiletime appends a FILETIME to the buffer.
-func (ed *eventData) writeFiletime(value syscall.Filetime) {
+func (ed *eventData) writeFiletime(value windows.Filetime) {
 	_ = binary.Write(&ed.buffer, binary.LittleEndian, value)
 }
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdescriptor.go b/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdescriptor.go
index ef29ca3..aac68d7 100644
--- a/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdescriptor.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdescriptor.go
@@ -1,7 +1,7 @@
-//go:build windows
-
 package etw
 
+import "fmt"
+
 // Channel represents the ETW logging channel that is used. It can be used by
 // event consumers to give an event special treatment.
 type Channel uint8
@@ -19,7 +19,11 @@
 // will always be collected.
 type Level uint8
 
+var _ fmt.Stringer = Level(0)
+
 // Predefined ETW log levels from winmeta.xml in the Windows SDK.
+//
+//go:generate go run golang.org/x/tools/cmd/stringer -type=Level -trimprefix=Level
 const (
 	LevelAlways Level = iota
 	LevelCritical
@@ -32,7 +36,11 @@
 // Opcode represents the operation that the event indicates is being performed.
 type Opcode uint8
 
+var _ fmt.Stringer = Opcode(0)
+
 // Predefined ETW opcodes from winmeta.xml in the Windows SDK.
+//
+//go:generate go run golang.org/x/tools/cmd/stringer -type=Opcode -trimprefix=Opcode
 const (
 	// OpcodeInfo indicates an informational event.
 	OpcodeInfo Opcode = iota
@@ -46,7 +54,7 @@
 	OpcodeDCStop
 )
 
-// EventDescriptor represents various metadata for an ETW event.
+// eventDescriptor represents various metadata for an ETW event.
 type eventDescriptor struct {
 	id      uint16
 	version uint8
@@ -57,7 +65,7 @@
 	keyword uint64
 }
 
-// NewEventDescriptor returns an EventDescriptor initialized for use with
+// newEventDescriptor returns an EventDescriptor initialized for use with
 // TraceLogging.
 func newEventDescriptor() *eventDescriptor {
 	// Standard TraceLogging events default to the TraceLogging channel, and
@@ -68,7 +76,7 @@
 	}
 }
 
-// Identity returns the identity of the event. If the identity is not 0, it
+// identity returns the identity of the event. If the identity is not 0, it
 // should uniquely identify the other event metadata (contained in
 // EventDescriptor, and field metadata). Only the lower 24 bits of this value
 // are relevant.
@@ -78,7 +86,7 @@
 	return (uint32(ed.version) << 16) | uint32(ed.id)
 }
 
-// SetIdentity sets the identity of the event. If the identity is not 0, it
+// setIdentity sets the identity of the event. If the identity is not 0, it
 // should uniquely identify the other event metadata (contained in
 // EventDescriptor, and field metadata). Only the lower 24 bits of this value
 // are relevant.
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/etw/fieldopt.go b/vendor/github.com/Microsoft/go-winio/pkg/etw/fieldopt.go
index b769c89..57114d8 100644
--- a/vendor/github.com/Microsoft/go-winio/pkg/etw/fieldopt.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/etw/fieldopt.go
@@ -7,9 +7,10 @@
 	"fmt"
 	"math"
 	"reflect"
-	"syscall"
 	"time"
 	"unsafe"
+
+	"golang.org/x/sys/windows"
 )
 
 // FieldOpt defines the option function type that can be passed to
@@ -56,6 +57,14 @@
 	}
 }
 
+// JSONStringField adds a JSON-encoded string field to the event.
+func JSONStringField(name string, value string) FieldOpt {
+	return func(em *eventMetadata, ed *eventData) {
+		em.writeField(name, inTypeANSIString, outTypeJSON, 0)
+		ed.writeString(value)
+	}
+}
+
 // StringArray adds an array of string to the event.
 func StringArray(name string, values []string) FieldOpt {
 	return func(em *eventMetadata, ed *eventData) {
@@ -389,7 +398,7 @@
 func Time(name string, value time.Time) FieldOpt {
 	return func(em *eventMetadata, ed *eventData) {
 		em.writeField(name, inTypeFileTime, outTypeDateTimeUTC, 0)
-		ed.writeFiletime(syscall.NsecToFiletime(value.UTC().UnixNano()))
+		ed.writeFiletime(windows.NsecToFiletime(value.UTC().UnixNano()))
 	}
 }
 
@@ -498,7 +507,7 @@
 		case reflect.Float32:
 			return SmartField(name, float32(rv.Float()))
 		case reflect.Float64:
-			return SmartField(name, float64(rv.Float())) //nolint:unconvert // make look consistent
+			return SmartField(name, float64(rv.Float()))
 		case reflect.String:
 			return SmartField(name, rv.String())
 		case reflect.Struct:
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/etw/level_string.go b/vendor/github.com/Microsoft/go-winio/pkg/etw/level_string.go
new file mode 100644
index 0000000..c606878
--- /dev/null
+++ b/vendor/github.com/Microsoft/go-winio/pkg/etw/level_string.go
@@ -0,0 +1,28 @@
+// Code generated by "stringer -type=Level -trimprefix=Level"; DO NOT EDIT.
+
+package etw
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[LevelAlways-0]
+	_ = x[LevelCritical-1]
+	_ = x[LevelError-2]
+	_ = x[LevelWarning-3]
+	_ = x[LevelInfo-4]
+	_ = x[LevelVerbose-5]
+}
+
+const _Level_name = "AlwaysCriticalErrorWarningInfoVerbose"
+
+var _Level_index = [...]uint8{0, 6, 14, 19, 26, 30, 37}
+
+func (i Level) String() string {
+	if i >= Level(len(_Level_index)-1) {
+		return "Level(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _Level_name[_Level_index[i]:_Level_index[i+1]]
+}
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/etw/opcode_string.go b/vendor/github.com/Microsoft/go-winio/pkg/etw/opcode_string.go
new file mode 100644
index 0000000..8d90a43
--- /dev/null
+++ b/vendor/github.com/Microsoft/go-winio/pkg/etw/opcode_string.go
@@ -0,0 +1,27 @@
+// Code generated by "stringer -type=Opcode -trimprefix=Opcode"; DO NOT EDIT.
+
+package etw
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[OpcodeInfo-0]
+	_ = x[OpcodeStart-1]
+	_ = x[OpcodeStop-2]
+	_ = x[OpcodeDCStart-3]
+	_ = x[OpcodeDCStop-4]
+}
+
+const _Opcode_name = "InfoStartStopDCStartDCStop"
+
+var _Opcode_index = [...]uint8{0, 4, 9, 13, 20, 26}
+
+func (i Opcode) String() string {
+	if i >= Opcode(len(_Opcode_index)-1) {
+		return "Opcode(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _Opcode_name[_Opcode_index[i]:_Opcode_index[i+1]]
+}
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/etw/zsyscall_windows.go b/vendor/github.com/Microsoft/go-winio/pkg/etw/zsyscall_windows.go
index c78a6ed..752fe6f 100644
--- a/vendor/github.com/Microsoft/go-winio/pkg/etw/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/etw/zsyscall_windows.go
@@ -33,9 +33,6 @@
 	case errnoERROR_IO_PENDING:
 		return errERROR_IO_PENDING
 	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
 	return e
 }
 
@@ -49,7 +46,7 @@
 )
 
 func eventRegister(providerId *windows.GUID, callback uintptr, callbackContext uintptr, providerHandle *providerHandle) (win32err error) {
-	r0, _, _ := syscall.Syscall6(procEventRegister.Addr(), 4, uintptr(unsafe.Pointer(providerId)), uintptr(callback), uintptr(callbackContext), uintptr(unsafe.Pointer(providerHandle)), 0, 0)
+	r0, _, _ := syscall.SyscallN(procEventRegister.Addr(), uintptr(unsafe.Pointer(providerId)), uintptr(callback), uintptr(callbackContext), uintptr(unsafe.Pointer(providerHandle)))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -57,7 +54,7 @@
 }
 
 func eventSetInformation_64(providerHandle providerHandle, class eventInfoClass, information uintptr, length uint32) (win32err error) {
-	r0, _, _ := syscall.Syscall6(procEventSetInformation.Addr(), 4, uintptr(providerHandle), uintptr(class), uintptr(information), uintptr(length), 0, 0)
+	r0, _, _ := syscall.SyscallN(procEventSetInformation.Addr(), uintptr(providerHandle), uintptr(class), uintptr(information), uintptr(length))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -65,7 +62,7 @@
 }
 
 func eventSetInformation_32(providerHandle_low uint32, providerHandle_high uint32, class eventInfoClass, information uintptr, length uint32) (win32err error) {
-	r0, _, _ := syscall.Syscall6(procEventSetInformation.Addr(), 5, uintptr(providerHandle_low), uintptr(providerHandle_high), uintptr(class), uintptr(information), uintptr(length), 0)
+	r0, _, _ := syscall.SyscallN(procEventSetInformation.Addr(), uintptr(providerHandle_low), uintptr(providerHandle_high), uintptr(class), uintptr(information), uintptr(length))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -73,7 +70,7 @@
 }
 
 func eventUnregister_64(providerHandle providerHandle) (win32err error) {
-	r0, _, _ := syscall.Syscall(procEventUnregister.Addr(), 1, uintptr(providerHandle), 0, 0)
+	r0, _, _ := syscall.SyscallN(procEventUnregister.Addr(), uintptr(providerHandle))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -81,7 +78,7 @@
 }
 
 func eventUnregister_32(providerHandle_low uint32, providerHandle_high uint32) (win32err error) {
-	r0, _, _ := syscall.Syscall(procEventUnregister.Addr(), 2, uintptr(providerHandle_low), uintptr(providerHandle_high), 0)
+	r0, _, _ := syscall.SyscallN(procEventUnregister.Addr(), uintptr(providerHandle_low), uintptr(providerHandle_high))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -89,7 +86,7 @@
 }
 
 func eventWriteTransfer_64(providerHandle providerHandle, descriptor *eventDescriptor, activityID *windows.GUID, relatedActivityID *windows.GUID, dataDescriptorCount uint32, dataDescriptors *eventDataDescriptor) (win32err error) {
-	r0, _, _ := syscall.Syscall6(procEventWriteTransfer.Addr(), 6, uintptr(providerHandle), uintptr(unsafe.Pointer(descriptor)), uintptr(unsafe.Pointer(activityID)), uintptr(unsafe.Pointer(relatedActivityID)), uintptr(dataDescriptorCount), uintptr(unsafe.Pointer(dataDescriptors)))
+	r0, _, _ := syscall.SyscallN(procEventWriteTransfer.Addr(), uintptr(providerHandle), uintptr(unsafe.Pointer(descriptor)), uintptr(unsafe.Pointer(activityID)), uintptr(unsafe.Pointer(relatedActivityID)), uintptr(dataDescriptorCount), uintptr(unsafe.Pointer(dataDescriptors)))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -97,7 +94,7 @@
 }
 
 func eventWriteTransfer_32(providerHandle_low uint32, providerHandle_high uint32, descriptor *eventDescriptor, activityID *windows.GUID, relatedActivityID *windows.GUID, dataDescriptorCount uint32, dataDescriptors *eventDataDescriptor) (win32err error) {
-	r0, _, _ := syscall.Syscall9(procEventWriteTransfer.Addr(), 7, uintptr(providerHandle_low), uintptr(providerHandle_high), uintptr(unsafe.Pointer(descriptor)), uintptr(unsafe.Pointer(activityID)), uintptr(unsafe.Pointer(relatedActivityID)), uintptr(dataDescriptorCount), uintptr(unsafe.Pointer(dataDescriptors)), 0, 0)
+	r0, _, _ := syscall.SyscallN(procEventWriteTransfer.Addr(), uintptr(providerHandle_low), uintptr(providerHandle_high), uintptr(unsafe.Pointer(descriptor)), uintptr(unsafe.Pointer(activityID)), uintptr(unsafe.Pointer(relatedActivityID)), uintptr(dataDescriptorCount), uintptr(unsafe.Pointer(dataDescriptors)))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
diff --git a/vendor/github.com/Microsoft/go-winio/pkg/fs/resolve.go b/vendor/github.com/Microsoft/go-winio/pkg/fs/resolve.go
index b876c4c..fd64f48 100644
--- a/vendor/github.com/Microsoft/go-winio/pkg/fs/resolve.go
+++ b/vendor/github.com/Microsoft/go-winio/pkg/fs/resolve.go
@@ -20,28 +20,9 @@
 // It is intended to address short-comings of [filepath.EvalSymlinks], which does not work
 // well on Windows.
 func ResolvePath(path string) (string, error) {
-	// We are not able to use builtin Go functionality for opening a directory path:
-	//   - os.Open on a directory returns a os.File where Fd() is a search handle from FindFirstFile.
-	//   - syscall.Open does not provide a way to specify FILE_FLAG_BACKUP_SEMANTICS, which is needed to
-	//     open a directory.
-	//
-	// We could use os.Open if the path is a file, but it's easier to just use the same code for both.
-	// Therefore, we call windows.CreateFile directly.
-	h, err := fs.CreateFile(
-		path,
-		fs.FILE_ANY_ACCESS, // access
-		fs.FILE_SHARE_READ|fs.FILE_SHARE_WRITE|fs.FILE_SHARE_DELETE,
-		nil, // security attributes
-		fs.OPEN_EXISTING,
-		fs.FILE_FLAG_BACKUP_SEMANTICS, // Needed to open a directory handle.
-		fs.NullHandle,                 // template file
-	)
+	h, err := openMetadata(path)
 	if err != nil {
-		return "", &os.PathError{
-			Op:   "CreateFile",
-			Path: path,
-			Err:  err,
-		}
+		return "", err
 	}
 	defer windows.CloseHandle(h) //nolint:errcheck
 
@@ -126,3 +107,33 @@
 	}
 	return rPath, err
 }
+
+// openMetadata takes a path, opens it with only meta-data access, and returns the resulting handle.
+// It works for both file and directory paths.
+func openMetadata(path string) (windows.Handle, error) {
+	// We are not able to use builtin Go functionality for opening a directory path:
+	//   - os.Open on a directory returns a os.File where Fd() is a search handle from FindFirstFile.
+	//   - syscall.Open does not provide a way to specify FILE_FLAG_BACKUP_SEMANTICS, which is needed to
+	//     open a directory.
+	//
+	// We could use os.Open if the path is a file, but it's easier to just use the same code for both.
+	// Therefore, we call windows.CreateFile directly.
+	h, err := fs.CreateFile(
+		path,
+		fs.FILE_ANY_ACCESS,
+		fs.FILE_SHARE_READ|fs.FILE_SHARE_WRITE|fs.FILE_SHARE_DELETE,
+		nil, // security attributes
+		fs.OPEN_EXISTING,
+		fs.FILE_FLAG_BACKUP_SEMANTICS, // Needed to open a directory handle.
+		fs.NullHandle,
+	)
+
+	if err != nil {
+		return 0, &os.PathError{
+			Op:   "CreateFile",
+			Path: path,
+			Err:  err,
+		}
+	}
+	return h, nil
+}
diff --git a/vendor/github.com/Microsoft/go-winio/privilege.go b/vendor/github.com/Microsoft/go-winio/privilege.go
index 0ff9dac..d9b90b6 100644
--- a/vendor/github.com/Microsoft/go-winio/privilege.go
+++ b/vendor/github.com/Microsoft/go-winio/privilege.go
@@ -9,7 +9,6 @@
 	"fmt"
 	"runtime"
 	"sync"
-	"syscall"
 	"unicode/utf16"
 
 	"golang.org/x/sys/windows"
@@ -18,8 +17,8 @@
 //sys adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) [true] = advapi32.AdjustTokenPrivileges
 //sys impersonateSelf(level uint32) (err error) = advapi32.ImpersonateSelf
 //sys revertToSelf() (err error) = advapi32.RevertToSelf
-//sys openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) = advapi32.OpenThreadToken
-//sys getCurrentThread() (h syscall.Handle) = GetCurrentThread
+//sys openThreadToken(thread windows.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) = advapi32.OpenThreadToken
+//sys getCurrentThread() (h windows.Handle) = GetCurrentThread
 //sys lookupPrivilegeValue(systemName string, name string, luid *uint64) (err error) = advapi32.LookupPrivilegeValueW
 //sys lookupPrivilegeName(systemName string, luid *uint64, buffer *uint16, size *uint32) (err error) = advapi32.LookupPrivilegeNameW
 //sys lookupPrivilegeDisplayName(systemName string, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) = advapi32.LookupPrivilegeDisplayNameW
@@ -29,7 +28,7 @@
 	SE_PRIVILEGE_ENABLED = windows.SE_PRIVILEGE_ENABLED
 
 	//revive:disable-next-line:var-naming ALL_CAPS
-	ERROR_NOT_ALL_ASSIGNED syscall.Errno = windows.ERROR_NOT_ALL_ASSIGNED
+	ERROR_NOT_ALL_ASSIGNED windows.Errno = windows.ERROR_NOT_ALL_ASSIGNED
 
 	SeBackupPrivilege   = "SeBackupPrivilege"
 	SeRestorePrivilege  = "SeRestorePrivilege"
@@ -177,7 +176,7 @@
 	}
 
 	var token windows.Token
-	err = openThreadToken(getCurrentThread(), syscall.TOKEN_ADJUST_PRIVILEGES|syscall.TOKEN_QUERY, false, &token)
+	err = openThreadToken(getCurrentThread(), windows.TOKEN_ADJUST_PRIVILEGES|windows.TOKEN_QUERY, false, &token)
 	if err != nil {
 		rerr := revertToSelf()
 		if rerr != nil {
diff --git a/vendor/github.com/Microsoft/go-winio/sd.go b/vendor/github.com/Microsoft/go-winio/sd.go
index 5550ef6..c3685e9 100644
--- a/vendor/github.com/Microsoft/go-winio/sd.go
+++ b/vendor/github.com/Microsoft/go-winio/sd.go
@@ -5,7 +5,7 @@
 
 import (
 	"errors"
-	"syscall"
+	"fmt"
 	"unsafe"
 
 	"golang.org/x/sys/windows"
@@ -15,10 +15,6 @@
 //sys lookupAccountSid(systemName *uint16, sid *byte, name *uint16, nameSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) = advapi32.LookupAccountSidW
 //sys convertSidToStringSid(sid *byte, str **uint16) (err error) = advapi32.ConvertSidToStringSidW
 //sys convertStringSidToSid(str *uint16, sid **byte) (err error) = advapi32.ConvertStringSidToSidW
-//sys convertStringSecurityDescriptorToSecurityDescriptor(str string, revision uint32, sd *uintptr, size *uint32) (err error) = advapi32.ConvertStringSecurityDescriptorToSecurityDescriptorW
-//sys convertSecurityDescriptorToStringSecurityDescriptor(sd *byte, revision uint32, secInfo uint32, sddl **uint16, sddlSize *uint32) (err error) = advapi32.ConvertSecurityDescriptorToStringSecurityDescriptorW
-//sys localFree(mem uintptr) = LocalFree
-//sys getSecurityDescriptorLength(sd uintptr) (len uint32) = advapi32.GetSecurityDescriptorLength
 
 type AccountLookupError struct {
 	Name string
@@ -64,7 +60,7 @@
 
 	var sidSize, sidNameUse, refDomainSize uint32
 	err = lookupAccountName(nil, name, nil, &sidSize, nil, &refDomainSize, &sidNameUse)
-	if err != nil && err != syscall.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno
+	if err != nil && err != windows.ERROR_INSUFFICIENT_BUFFER { //nolint:errorlint // err is Errno
 		return "", &AccountLookupError{name, err}
 	}
 	sidBuffer := make([]byte, sidSize)
@@ -78,8 +74,8 @@
 	if err != nil {
 		return "", &AccountLookupError{name, err}
 	}
-	sid = syscall.UTF16ToString((*[0xffff]uint16)(unsafe.Pointer(strBuffer))[:])
-	localFree(uintptr(unsafe.Pointer(strBuffer)))
+	sid = windows.UTF16ToString((*[0xffff]uint16)(unsafe.Pointer(strBuffer))[:])
+	_, _ = windows.LocalFree(windows.Handle(unsafe.Pointer(strBuffer)))
 	return sid, nil
 }
 
@@ -100,7 +96,7 @@
 	if err = convertStringSidToSid(sidBuffer, &sidPtr); err != nil {
 		return "", &AccountLookupError{sid, err}
 	}
-	defer localFree(uintptr(unsafe.Pointer(sidPtr)))
+	defer windows.LocalFree(windows.Handle(unsafe.Pointer(sidPtr))) //nolint:errcheck
 
 	var nameSize, refDomainSize, sidNameUse uint32
 	err = lookupAccountSid(nil, sidPtr, nil, &nameSize, nil, &refDomainSize, &sidNameUse)
@@ -120,25 +116,18 @@
 }
 
 func SddlToSecurityDescriptor(sddl string) ([]byte, error) {
-	var sdBuffer uintptr
-	err := convertStringSecurityDescriptorToSecurityDescriptor(sddl, 1, &sdBuffer, nil)
+	sd, err := windows.SecurityDescriptorFromString(sddl)
 	if err != nil {
-		return nil, &SddlConversionError{sddl, err}
+		return nil, &SddlConversionError{Sddl: sddl, Err: err}
 	}
-	defer localFree(sdBuffer)
-	sd := make([]byte, getSecurityDescriptorLength(sdBuffer))
-	copy(sd, (*[0xffff]byte)(unsafe.Pointer(sdBuffer))[:len(sd)])
-	return sd, nil
+	b := unsafe.Slice((*byte)(unsafe.Pointer(sd)), sd.Length())
+	return b, nil
 }
 
 func SecurityDescriptorToSddl(sd []byte) (string, error) {
-	var sddl *uint16
-	// The returned string length seems to include an arbitrary number of terminating NULs.
-	// Don't use it.
-	err := convertSecurityDescriptorToStringSecurityDescriptor(&sd[0], 1, 0xff, &sddl, nil)
-	if err != nil {
-		return "", err
+	if l := int(unsafe.Sizeof(windows.SECURITY_DESCRIPTOR{})); len(sd) < l {
+		return "", fmt.Errorf("SecurityDescriptor (%d) smaller than expected (%d): %w", len(sd), l, windows.ERROR_INCORRECT_SIZE)
 	}
-	defer localFree(uintptr(unsafe.Pointer(sddl)))
-	return syscall.UTF16ToString((*[0xffff]uint16)(unsafe.Pointer(sddl))[:]), nil
+	s := (*windows.SECURITY_DESCRIPTOR)(unsafe.Pointer(&sd[0]))
+	return s.String(), nil
 }
diff --git a/vendor/github.com/Microsoft/go-winio/tools.go b/vendor/github.com/Microsoft/go-winio/tools.go
deleted file mode 100644
index 2aa0458..0000000
--- a/vendor/github.com/Microsoft/go-winio/tools.go
+++ /dev/null
@@ -1,5 +0,0 @@
-//go:build tools
-
-package winio
-
-import _ "golang.org/x/tools/cmd/stringer"
diff --git a/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go b/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go
index d0e917d..95c0407 100644
--- a/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go
@@ -33,9 +33,6 @@
 	case errnoERROR_IO_PENDING:
 		return errERROR_IO_PENDING
 	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
 	return e
 }
 
@@ -50,7 +47,7 @@
 )
 
 func attachVirtualDisk(handle syscall.Handle, securityDescriptor *uintptr, attachVirtualDiskFlag uint32, providerSpecificFlags uint32, parameters *AttachVirtualDiskParameters, overlapped *syscall.Overlapped) (win32err error) {
-	r0, _, _ := syscall.Syscall6(procAttachVirtualDisk.Addr(), 6, uintptr(handle), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(attachVirtualDiskFlag), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(overlapped)))
+	r0, _, _ := syscall.SyscallN(procAttachVirtualDisk.Addr(), uintptr(handle), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(attachVirtualDiskFlag), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(overlapped)))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -67,7 +64,7 @@
 }
 
 func _createVirtualDisk(virtualStorageType *VirtualStorageType, path *uint16, virtualDiskAccessMask uint32, securityDescriptor *uintptr, createVirtualDiskFlags uint32, providerSpecificFlags uint32, parameters *CreateVirtualDiskParameters, overlapped *syscall.Overlapped, handle *syscall.Handle) (win32err error) {
-	r0, _, _ := syscall.Syscall9(procCreateVirtualDisk.Addr(), 9, uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(createVirtualDiskFlags), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(overlapped)), uintptr(unsafe.Pointer(handle)))
+	r0, _, _ := syscall.SyscallN(procCreateVirtualDisk.Addr(), uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(createVirtualDiskFlags), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(overlapped)), uintptr(unsafe.Pointer(handle)))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -75,7 +72,7 @@
 }
 
 func detachVirtualDisk(handle syscall.Handle, detachVirtualDiskFlags uint32, providerSpecificFlags uint32) (win32err error) {
-	r0, _, _ := syscall.Syscall(procDetachVirtualDisk.Addr(), 3, uintptr(handle), uintptr(detachVirtualDiskFlags), uintptr(providerSpecificFlags))
+	r0, _, _ := syscall.SyscallN(procDetachVirtualDisk.Addr(), uintptr(handle), uintptr(detachVirtualDiskFlags), uintptr(providerSpecificFlags))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -83,7 +80,7 @@
 }
 
 func getVirtualDiskPhysicalPath(handle syscall.Handle, diskPathSizeInBytes *uint32, buffer *uint16) (win32err error) {
-	r0, _, _ := syscall.Syscall(procGetVirtualDiskPhysicalPath.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(diskPathSizeInBytes)), uintptr(unsafe.Pointer(buffer)))
+	r0, _, _ := syscall.SyscallN(procGetVirtualDiskPhysicalPath.Addr(), uintptr(handle), uintptr(unsafe.Pointer(diskPathSizeInBytes)), uintptr(unsafe.Pointer(buffer)))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
@@ -100,7 +97,7 @@
 }
 
 func _openVirtualDisk(virtualStorageType *VirtualStorageType, path *uint16, virtualDiskAccessMask uint32, openVirtualDiskFlags uint32, parameters *openVirtualDiskParameters, handle *syscall.Handle) (win32err error) {
-	r0, _, _ := syscall.Syscall6(procOpenVirtualDisk.Addr(), 6, uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(openVirtualDiskFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(handle)))
+	r0, _, _ := syscall.SyscallN(procOpenVirtualDisk.Addr(), uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(openVirtualDiskFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(handle)))
 	if r0 != 0 {
 		win32err = syscall.Errno(r0)
 	}
diff --git a/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go b/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
index 469b16f..89b66ed 100644
--- a/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
+++ b/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go
@@ -33,9 +33,6 @@
 	case errnoERROR_IO_PENDING:
 		return errERROR_IO_PENDING
 	}
-	// TODO: add more here, after collecting data on the common
-	// error values see on Windows. (perhaps when running
-	// all.bat?)
 	return e
 }
 
@@ -45,38 +42,34 @@
 	modntdll    = windows.NewLazySystemDLL("ntdll.dll")
 	modws2_32   = windows.NewLazySystemDLL("ws2_32.dll")
 
-	procAdjustTokenPrivileges                                = modadvapi32.NewProc("AdjustTokenPrivileges")
-	procConvertSecurityDescriptorToStringSecurityDescriptorW = modadvapi32.NewProc("ConvertSecurityDescriptorToStringSecurityDescriptorW")
-	procConvertSidToStringSidW                               = modadvapi32.NewProc("ConvertSidToStringSidW")
-	procConvertStringSecurityDescriptorToSecurityDescriptorW = modadvapi32.NewProc("ConvertStringSecurityDescriptorToSecurityDescriptorW")
-	procConvertStringSidToSidW                               = modadvapi32.NewProc("ConvertStringSidToSidW")
-	procGetSecurityDescriptorLength                          = modadvapi32.NewProc("GetSecurityDescriptorLength")
-	procImpersonateSelf                                      = modadvapi32.NewProc("ImpersonateSelf")
-	procLookupAccountNameW                                   = modadvapi32.NewProc("LookupAccountNameW")
-	procLookupAccountSidW                                    = modadvapi32.NewProc("LookupAccountSidW")
-	procLookupPrivilegeDisplayNameW                          = modadvapi32.NewProc("LookupPrivilegeDisplayNameW")
-	procLookupPrivilegeNameW                                 = modadvapi32.NewProc("LookupPrivilegeNameW")
-	procLookupPrivilegeValueW                                = modadvapi32.NewProc("LookupPrivilegeValueW")
-	procOpenThreadToken                                      = modadvapi32.NewProc("OpenThreadToken")
-	procRevertToSelf                                         = modadvapi32.NewProc("RevertToSelf")
-	procBackupRead                                           = modkernel32.NewProc("BackupRead")
-	procBackupWrite                                          = modkernel32.NewProc("BackupWrite")
-	procCancelIoEx                                           = modkernel32.NewProc("CancelIoEx")
-	procConnectNamedPipe                                     = modkernel32.NewProc("ConnectNamedPipe")
-	procCreateIoCompletionPort                               = modkernel32.NewProc("CreateIoCompletionPort")
-	procCreateNamedPipeW                                     = modkernel32.NewProc("CreateNamedPipeW")
-	procGetCurrentThread                                     = modkernel32.NewProc("GetCurrentThread")
-	procGetNamedPipeHandleStateW                             = modkernel32.NewProc("GetNamedPipeHandleStateW")
-	procGetNamedPipeInfo                                     = modkernel32.NewProc("GetNamedPipeInfo")
-	procGetQueuedCompletionStatus                            = modkernel32.NewProc("GetQueuedCompletionStatus")
-	procLocalAlloc                                           = modkernel32.NewProc("LocalAlloc")
-	procLocalFree                                            = modkernel32.NewProc("LocalFree")
-	procSetFileCompletionNotificationModes                   = modkernel32.NewProc("SetFileCompletionNotificationModes")
-	procNtCreateNamedPipeFile                                = modntdll.NewProc("NtCreateNamedPipeFile")
-	procRtlDefaultNpAcl                                      = modntdll.NewProc("RtlDefaultNpAcl")
-	procRtlDosPathNameToNtPathName_U                         = modntdll.NewProc("RtlDosPathNameToNtPathName_U")
-	procRtlNtStatusToDosErrorNoTeb                           = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
-	procWSAGetOverlappedResult                               = modws2_32.NewProc("WSAGetOverlappedResult")
+	procAdjustTokenPrivileges              = modadvapi32.NewProc("AdjustTokenPrivileges")
+	procConvertSidToStringSidW             = modadvapi32.NewProc("ConvertSidToStringSidW")
+	procConvertStringSidToSidW             = modadvapi32.NewProc("ConvertStringSidToSidW")
+	procImpersonateSelf                    = modadvapi32.NewProc("ImpersonateSelf")
+	procLookupAccountNameW                 = modadvapi32.NewProc("LookupAccountNameW")
+	procLookupAccountSidW                  = modadvapi32.NewProc("LookupAccountSidW")
+	procLookupPrivilegeDisplayNameW        = modadvapi32.NewProc("LookupPrivilegeDisplayNameW")
+	procLookupPrivilegeNameW               = modadvapi32.NewProc("LookupPrivilegeNameW")
+	procLookupPrivilegeValueW              = modadvapi32.NewProc("LookupPrivilegeValueW")
+	procOpenThreadToken                    = modadvapi32.NewProc("OpenThreadToken")
+	procRevertToSelf                       = modadvapi32.NewProc("RevertToSelf")
+	procBackupRead                         = modkernel32.NewProc("BackupRead")
+	procBackupWrite                        = modkernel32.NewProc("BackupWrite")
+	procCancelIoEx                         = modkernel32.NewProc("CancelIoEx")
+	procConnectNamedPipe                   = modkernel32.NewProc("ConnectNamedPipe")
+	procCreateIoCompletionPort             = modkernel32.NewProc("CreateIoCompletionPort")
+	procCreateNamedPipeW                   = modkernel32.NewProc("CreateNamedPipeW")
+	procDisconnectNamedPipe                = modkernel32.NewProc("DisconnectNamedPipe")
+	procGetCurrentThread                   = modkernel32.NewProc("GetCurrentThread")
+	procGetNamedPipeHandleStateW           = modkernel32.NewProc("GetNamedPipeHandleStateW")
+	procGetNamedPipeInfo                   = modkernel32.NewProc("GetNamedPipeInfo")
+	procGetQueuedCompletionStatus          = modkernel32.NewProc("GetQueuedCompletionStatus")
+	procSetFileCompletionNotificationModes = modkernel32.NewProc("SetFileCompletionNotificationModes")
+	procNtCreateNamedPipeFile              = modntdll.NewProc("NtCreateNamedPipeFile")
+	procRtlDefaultNpAcl                    = modntdll.NewProc("RtlDefaultNpAcl")
+	procRtlDosPathNameToNtPathName_U       = modntdll.NewProc("RtlDosPathNameToNtPathName_U")
+	procRtlNtStatusToDosErrorNoTeb         = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
+	procWSAGetOverlappedResult             = modws2_32.NewProc("WSAGetOverlappedResult")
 )
 
 func adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) {
@@ -84,7 +77,7 @@
 	if releaseAll {
 		_p0 = 1
 	}
-	r0, _, e1 := syscall.Syscall6(procAdjustTokenPrivileges.Addr(), 6, uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize)))
+	r0, _, e1 := syscall.SyscallN(procAdjustTokenPrivileges.Addr(), uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize)))
 	success = r0 != 0
 	if true {
 		err = errnoErr(e1)
@@ -92,33 +85,8 @@
 	return
 }
 
-func convertSecurityDescriptorToStringSecurityDescriptor(sd *byte, revision uint32, secInfo uint32, sddl **uint16, sddlSize *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procConvertSecurityDescriptorToStringSecurityDescriptorW.Addr(), 5, uintptr(unsafe.Pointer(sd)), uintptr(revision), uintptr(secInfo), uintptr(unsafe.Pointer(sddl)), uintptr(unsafe.Pointer(sddlSize)), 0)
-	if r1 == 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
 func convertSidToStringSid(sid *byte, str **uint16) (err error) {
-	r1, _, e1 := syscall.Syscall(procConvertSidToStringSidW.Addr(), 2, uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(str)), 0)
-	if r1 == 0 {
-		err = errnoErr(e1)
-	}
-	return
-}
-
-func convertStringSecurityDescriptorToSecurityDescriptor(str string, revision uint32, sd *uintptr, size *uint32) (err error) {
-	var _p0 *uint16
-	_p0, err = syscall.UTF16PtrFromString(str)
-	if err != nil {
-		return
-	}
-	return _convertStringSecurityDescriptorToSecurityDescriptor(_p0, revision, sd, size)
-}
-
-func _convertStringSecurityDescriptorToSecurityDescriptor(str *uint16, revision uint32, sd *uintptr, size *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procConvertStringSecurityDescriptorToSecurityDescriptorW.Addr(), 4, uintptr(unsafe.Pointer(str)), uintptr(revision), uintptr(unsafe.Pointer(sd)), uintptr(unsafe.Pointer(size)), 0, 0)
+	r1, _, e1 := syscall.SyscallN(procConvertSidToStringSidW.Addr(), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(str)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
@@ -126,21 +94,15 @@
 }
 
 func convertStringSidToSid(str *uint16, sid **byte) (err error) {
-	r1, _, e1 := syscall.Syscall(procConvertStringSidToSidW.Addr(), 2, uintptr(unsafe.Pointer(str)), uintptr(unsafe.Pointer(sid)), 0)
+	r1, _, e1 := syscall.SyscallN(procConvertStringSidToSidW.Addr(), uintptr(unsafe.Pointer(str)), uintptr(unsafe.Pointer(sid)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func getSecurityDescriptorLength(sd uintptr) (len uint32) {
-	r0, _, _ := syscall.Syscall(procGetSecurityDescriptorLength.Addr(), 1, uintptr(sd), 0, 0)
-	len = uint32(r0)
-	return
-}
-
 func impersonateSelf(level uint32) (err error) {
-	r1, _, e1 := syscall.Syscall(procImpersonateSelf.Addr(), 1, uintptr(level), 0, 0)
+	r1, _, e1 := syscall.SyscallN(procImpersonateSelf.Addr(), uintptr(level))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
@@ -157,7 +119,7 @@
 }
 
 func _lookupAccountName(systemName *uint16, accountName *uint16, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall9(procLookupAccountNameW.Addr(), 7, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(accountName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(sidSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)), 0, 0)
+	r1, _, e1 := syscall.SyscallN(procLookupAccountNameW.Addr(), uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(accountName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(sidSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
@@ -165,7 +127,7 @@
 }
 
 func lookupAccountSid(systemName *uint16, sid *byte, name *uint16, nameSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall9(procLookupAccountSidW.Addr(), 7, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(nameSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)), 0, 0)
+	r1, _, e1 := syscall.SyscallN(procLookupAccountSidW.Addr(), uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(nameSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
@@ -182,7 +144,7 @@
 }
 
 func _lookupPrivilegeDisplayName(systemName *uint16, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procLookupPrivilegeDisplayNameW.Addr(), 5, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), uintptr(unsafe.Pointer(languageId)), 0)
+	r1, _, e1 := syscall.SyscallN(procLookupPrivilegeDisplayNameW.Addr(), uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), uintptr(unsafe.Pointer(languageId)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
@@ -199,7 +161,7 @@
 }
 
 func _lookupPrivilegeName(systemName *uint16, luid *uint64, buffer *uint16, size *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procLookupPrivilegeNameW.Addr(), 4, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(luid)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), 0, 0)
+	r1, _, e1 := syscall.SyscallN(procLookupPrivilegeNameW.Addr(), uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(luid)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
@@ -221,19 +183,19 @@
 }
 
 func _lookupPrivilegeValue(systemName *uint16, name *uint16, luid *uint64) (err error) {
-	r1, _, e1 := syscall.Syscall(procLookupPrivilegeValueW.Addr(), 3, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(luid)))
+	r1, _, e1 := syscall.SyscallN(procLookupPrivilegeValueW.Addr(), uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(luid)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) {
+func openThreadToken(thread windows.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) {
 	var _p0 uint32
 	if openAsSelf {
 		_p0 = 1
 	}
-	r1, _, e1 := syscall.Syscall6(procOpenThreadToken.Addr(), 4, uintptr(thread), uintptr(accessMask), uintptr(_p0), uintptr(unsafe.Pointer(token)), 0, 0)
+	r1, _, e1 := syscall.SyscallN(procOpenThreadToken.Addr(), uintptr(thread), uintptr(accessMask), uintptr(_p0), uintptr(unsafe.Pointer(token)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
@@ -241,14 +203,14 @@
 }
 
 func revertToSelf() (err error) {
-	r1, _, e1 := syscall.Syscall(procRevertToSelf.Addr(), 0, 0, 0, 0)
+	r1, _, e1 := syscall.SyscallN(procRevertToSelf.Addr())
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func backupRead(h syscall.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) {
+func backupRead(h windows.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) {
 	var _p0 *byte
 	if len(b) > 0 {
 		_p0 = &b[0]
@@ -261,14 +223,14 @@
 	if processSecurity {
 		_p2 = 1
 	}
-	r1, _, e1 := syscall.Syscall9(procBackupRead.Addr(), 7, uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesRead)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)), 0, 0)
+	r1, _, e1 := syscall.SyscallN(procBackupRead.Addr(), uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesRead)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func backupWrite(h syscall.Handle, b []byte, bytesWritten *uint32, abort bool, processSecurity bool, context *uintptr) (err error) {
+func backupWrite(h windows.Handle, b []byte, bytesWritten *uint32, abort bool, processSecurity bool, context *uintptr) (err error) {
 	var _p0 *byte
 	if len(b) > 0 {
 		_p0 = &b[0]
@@ -281,39 +243,39 @@
 	if processSecurity {
 		_p2 = 1
 	}
-	r1, _, e1 := syscall.Syscall9(procBackupWrite.Addr(), 7, uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesWritten)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)), 0, 0)
+	r1, _, e1 := syscall.SyscallN(procBackupWrite.Addr(), uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesWritten)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func cancelIoEx(file syscall.Handle, o *syscall.Overlapped) (err error) {
-	r1, _, e1 := syscall.Syscall(procCancelIoEx.Addr(), 2, uintptr(file), uintptr(unsafe.Pointer(o)), 0)
+func cancelIoEx(file windows.Handle, o *windows.Overlapped) (err error) {
+	r1, _, e1 := syscall.SyscallN(procCancelIoEx.Addr(), uintptr(file), uintptr(unsafe.Pointer(o)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) {
-	r1, _, e1 := syscall.Syscall(procConnectNamedPipe.Addr(), 2, uintptr(pipe), uintptr(unsafe.Pointer(o)), 0)
+func connectNamedPipe(pipe windows.Handle, o *windows.Overlapped) (err error) {
+	r1, _, e1 := syscall.SyscallN(procConnectNamedPipe.Addr(), uintptr(pipe), uintptr(unsafe.Pointer(o)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func createIoCompletionPort(file syscall.Handle, port syscall.Handle, key uintptr, threadCount uint32) (newport syscall.Handle, err error) {
-	r0, _, e1 := syscall.Syscall6(procCreateIoCompletionPort.Addr(), 4, uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount), 0, 0)
-	newport = syscall.Handle(r0)
+func createIoCompletionPort(file windows.Handle, port windows.Handle, key uintptr, threadCount uint32) (newport windows.Handle, err error) {
+	r0, _, e1 := syscall.SyscallN(procCreateIoCompletionPort.Addr(), uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount))
+	newport = windows.Handle(r0)
 	if newport == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) {
+func createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *windows.SecurityAttributes) (handle windows.Handle, err error) {
 	var _p0 *uint16
 	_p0, err = syscall.UTF16PtrFromString(name)
 	if err != nil {
@@ -322,96 +284,93 @@
 	return _createNamedPipe(_p0, flags, pipeMode, maxInstances, outSize, inSize, defaultTimeout, sa)
 }
 
-func _createNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) {
-	r0, _, e1 := syscall.Syscall9(procCreateNamedPipeW.Addr(), 8, uintptr(unsafe.Pointer(name)), uintptr(flags), uintptr(pipeMode), uintptr(maxInstances), uintptr(outSize), uintptr(inSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0)
-	handle = syscall.Handle(r0)
-	if handle == syscall.InvalidHandle {
+func _createNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *windows.SecurityAttributes) (handle windows.Handle, err error) {
+	r0, _, e1 := syscall.SyscallN(procCreateNamedPipeW.Addr(), uintptr(unsafe.Pointer(name)), uintptr(flags), uintptr(pipeMode), uintptr(maxInstances), uintptr(outSize), uintptr(inSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)))
+	handle = windows.Handle(r0)
+	if handle == windows.InvalidHandle {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func getCurrentThread() (h syscall.Handle) {
-	r0, _, _ := syscall.Syscall(procGetCurrentThread.Addr(), 0, 0, 0, 0)
-	h = syscall.Handle(r0)
-	return
-}
-
-func getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) {
-	r1, _, e1 := syscall.Syscall9(procGetNamedPipeHandleStateW.Addr(), 7, uintptr(pipe), uintptr(unsafe.Pointer(state)), uintptr(unsafe.Pointer(curInstances)), uintptr(unsafe.Pointer(maxCollectionCount)), uintptr(unsafe.Pointer(collectDataTimeout)), uintptr(unsafe.Pointer(userName)), uintptr(maxUserNameSize), 0, 0)
+func disconnectNamedPipe(pipe windows.Handle) (err error) {
+	r1, _, e1 := syscall.SyscallN(procDisconnectNamedPipe.Addr(), uintptr(pipe))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procGetNamedPipeInfo.Addr(), 5, uintptr(pipe), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(outSize)), uintptr(unsafe.Pointer(inSize)), uintptr(unsafe.Pointer(maxInstances)), 0)
+func getCurrentThread() (h windows.Handle) {
+	r0, _, _ := syscall.SyscallN(procGetCurrentThread.Addr())
+	h = windows.Handle(r0)
+	return
+}
+
+func getNamedPipeHandleState(pipe windows.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) {
+	r1, _, e1 := syscall.SyscallN(procGetNamedPipeHandleStateW.Addr(), uintptr(pipe), uintptr(unsafe.Pointer(state)), uintptr(unsafe.Pointer(curInstances)), uintptr(unsafe.Pointer(maxCollectionCount)), uintptr(unsafe.Pointer(collectDataTimeout)), uintptr(unsafe.Pointer(userName)), uintptr(maxUserNameSize))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func getQueuedCompletionStatus(port syscall.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) {
-	r1, _, e1 := syscall.Syscall6(procGetQueuedCompletionStatus.Addr(), 5, uintptr(port), uintptr(unsafe.Pointer(bytes)), uintptr(unsafe.Pointer(key)), uintptr(unsafe.Pointer(o)), uintptr(timeout), 0)
+func getNamedPipeInfo(pipe windows.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) {
+	r1, _, e1 := syscall.SyscallN(procGetNamedPipeInfo.Addr(), uintptr(pipe), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(outSize)), uintptr(unsafe.Pointer(inSize)), uintptr(unsafe.Pointer(maxInstances)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func localAlloc(uFlags uint32, length uint32) (ptr uintptr) {
-	r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(uFlags), uintptr(length), 0)
-	ptr = uintptr(r0)
-	return
-}
-
-func localFree(mem uintptr) {
-	syscall.Syscall(procLocalFree.Addr(), 1, uintptr(mem), 0, 0)
-	return
-}
-
-func setFileCompletionNotificationModes(h syscall.Handle, flags uint8) (err error) {
-	r1, _, e1 := syscall.Syscall(procSetFileCompletionNotificationModes.Addr(), 2, uintptr(h), uintptr(flags), 0)
+func getQueuedCompletionStatus(port windows.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) {
+	r1, _, e1 := syscall.SyscallN(procGetQueuedCompletionStatus.Addr(), uintptr(port), uintptr(unsafe.Pointer(bytes)), uintptr(unsafe.Pointer(key)), uintptr(unsafe.Pointer(o)), uintptr(timeout))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 
-func ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntStatus) {
-	r0, _, _ := syscall.Syscall15(procNtCreateNamedPipeFile.Addr(), 14, uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)), 0)
+func setFileCompletionNotificationModes(h windows.Handle, flags uint8) (err error) {
+	r1, _, e1 := syscall.SyscallN(procSetFileCompletionNotificationModes.Addr(), uintptr(h), uintptr(flags))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func ntCreateNamedPipeFile(pipe *windows.Handle, access ntAccessMask, oa *objectAttributes, iosb *ioStatusBlock, share ntFileShareMode, disposition ntFileCreationDisposition, options ntFileOptions, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntStatus) {
+	r0, _, _ := syscall.SyscallN(procNtCreateNamedPipeFile.Addr(), uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)))
 	status = ntStatus(r0)
 	return
 }
 
 func rtlDefaultNpAcl(dacl *uintptr) (status ntStatus) {
-	r0, _, _ := syscall.Syscall(procRtlDefaultNpAcl.Addr(), 1, uintptr(unsafe.Pointer(dacl)), 0, 0)
+	r0, _, _ := syscall.SyscallN(procRtlDefaultNpAcl.Addr(), uintptr(unsafe.Pointer(dacl)))
 	status = ntStatus(r0)
 	return
 }
 
 func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntStatus) {
-	r0, _, _ := syscall.Syscall6(procRtlDosPathNameToNtPathName_U.Addr(), 4, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved), 0, 0)
+	r0, _, _ := syscall.SyscallN(procRtlDosPathNameToNtPathName_U.Addr(), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved))
 	status = ntStatus(r0)
 	return
 }
 
 func rtlNtStatusToDosError(status ntStatus) (winerr error) {
-	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0)
+	r0, _, _ := syscall.SyscallN(procRtlNtStatusToDosErrorNoTeb.Addr(), uintptr(status))
 	if r0 != 0 {
 		winerr = syscall.Errno(r0)
 	}
 	return
 }
 
-func wsaGetOverlappedResult(h syscall.Handle, o *syscall.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) {
+func wsaGetOverlappedResult(h windows.Handle, o *windows.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) {
 	var _p0 uint32
 	if wait {
 		_p0 = 1
 	}
-	r1, _, e1 := syscall.Syscall6(procWSAGetOverlappedResult.Addr(), 5, uintptr(h), uintptr(unsafe.Pointer(o)), uintptr(unsafe.Pointer(bytes)), uintptr(_p0), uintptr(unsafe.Pointer(flags)), 0)
+	r1, _, e1 := syscall.SyscallN(procWSAGetOverlappedResult.Addr(), uintptr(h), uintptr(unsafe.Pointer(o)), uintptr(unsafe.Pointer(bytes)), uintptr(_p0), uintptr(unsafe.Pointer(flags)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
diff --git a/vendor/github.com/cilium/ebpf/.clang-format b/vendor/github.com/cilium/ebpf/.clang-format
index 3f74dc0..0ff4257 100644
--- a/vendor/github.com/cilium/ebpf/.clang-format
+++ b/vendor/github.com/cilium/ebpf/.clang-format
@@ -4,6 +4,9 @@
 AlignAfterOpenBracket: DontAlign
 AlignConsecutiveAssignments: true
 AlignEscapedNewlines: DontAlign
+# mkdocs annotations in source code are written as trailing comments
+# and alignment pushes these really far away from the content.
+AlignTrailingComments: false
 AlwaysBreakBeforeMultilineStrings: true
 AlwaysBreakTemplateDeclarations: false
 AllowAllParametersOfDeclarationOnNextLine: false
@@ -16,4 +19,7 @@
 ColumnLimit:     1000
 # Go compiler comments need to stay unindented.
 CommentPragmas: '^go:.*'
+# linux/bpf.h needs to be included before bpf/bpf_helpers.h for types like __u64
+# and sorting makes this impossible.
+SortIncludes: false
 ...
diff --git a/vendor/github.com/cilium/ebpf/.golangci.yaml b/vendor/github.com/cilium/ebpf/.golangci.yaml
index 06743df..65f91b9 100644
--- a/vendor/github.com/cilium/ebpf/.golangci.yaml
+++ b/vendor/github.com/cilium/ebpf/.golangci.yaml
@@ -1,15 +1,7 @@
 ---
-issues:
-  exclude-rules:
-    # syscall param structs will have unused fields in Go code.
-    - path: syscall.*.go
-      linters:
-        - structcheck
-
 linters:
   disable-all: true
   enable:
-    - errcheck
     - goimports
     - gosimple
     - govet
@@ -19,8 +11,3 @@
     - typecheck
     - unused
     - gofmt
-
-    # Could be enabled later:
-    # - gocyclo
-    # - maligned
-    # - gosec
diff --git a/vendor/github.com/cilium/ebpf/Makefile b/vendor/github.com/cilium/ebpf/Makefile
index abcd6c1..0fa8cdc 100644
--- a/vendor/github.com/cilium/ebpf/Makefile
+++ b/vendor/github.com/cilium/ebpf/Makefile
@@ -1,9 +1,9 @@
 # The development version of clang is distributed as the 'clang' binary,
 # while stable/released versions have a version number attached.
 # Pin the default clang to a stable version.
-CLANG ?= clang-14
-STRIP ?= llvm-strip-14
-OBJCOPY ?= llvm-objcopy-14
+CLANG ?= clang-17
+STRIP ?= llvm-strip-17
+OBJCOPY ?= llvm-objcopy-17
 CFLAGS := -O2 -g -Wall -Werror $(CFLAGS)
 
 CI_KERNEL_URL ?= https://github.com/cilium/ci-kernels/raw/master/
@@ -21,12 +21,9 @@
 IMAGE := $(shell cat ${REPODIR}/testdata/docker/IMAGE)
 VERSION := $(shell cat ${REPODIR}/testdata/docker/VERSION)
 
-
-# clang <8 doesn't tag relocs properly (STT_NOTYPE)
-# clang 9 is the first version emitting BTF
 TARGETS := \
-	testdata/loader-clang-7 \
-	testdata/loader-clang-9 \
+	testdata/loader-clang-11 \
+	testdata/loader-clang-14 \
 	testdata/loader-$(CLANG) \
 	testdata/manyprogs \
 	testdata/btf_map_init \
@@ -36,6 +33,7 @@
 	testdata/invalid_btf_map_init \
 	testdata/strings \
 	testdata/freplace \
+	testdata/fentry_fexit \
 	testdata/iproute2_map_compat \
 	testdata/map_spin_lock \
 	testdata/subprog_reloc \
@@ -45,6 +43,7 @@
 	testdata/kfunc \
 	testdata/invalid-kfunc \
 	testdata/kfunc-kmod \
+	testdata/constants \
 	btf/testdata/relocs \
 	btf/testdata/relocs_read \
 	btf/testdata/relocs_read_tgt \
@@ -56,22 +55,26 @@
 
 # Build all ELF binaries using a containerized LLVM toolchain.
 container-all:
-	+${CONTAINER_ENGINE} run --rm -ti ${CONTAINER_RUN_ARGS} \
+	+${CONTAINER_ENGINE} run --rm -t ${CONTAINER_RUN_ARGS} \
 		-v "${REPODIR}":/ebpf -w /ebpf --env MAKEFLAGS \
-		--env CFLAGS="-fdebug-prefix-map=/ebpf=." \
 		--env HOME="/tmp" \
+		--env BPF2GO_CC="$(CLANG)" \
+		--env BPF2GO_FLAGS="-fdebug-prefix-map=/ebpf=. $(CFLAGS)" \
 		"${IMAGE}:${VERSION}" \
 		make all
 
 # (debug) Drop the user into a shell inside the container as root.
+# Set BPF2GO_ envs to make 'make generate' just work.
 container-shell:
 	${CONTAINER_ENGINE} run --rm -ti \
 		-v "${REPODIR}":/ebpf -w /ebpf \
+		--env BPF2GO_CC="$(CLANG)" \
+		--env BPF2GO_FLAGS="-fdebug-prefix-map=/ebpf=. $(CFLAGS)" \
 		"${IMAGE}:${VERSION}"
 
 clean:
-	-$(RM) testdata/*.elf
-	-$(RM) btf/testdata/*.elf
+	find "$(CURDIR)" -name "*.elf" -delete
+	find "$(CURDIR)" -name "*.o" -delete
 
 format:
 	find . -type f -name "*.c" | xargs clang-format -i
@@ -80,9 +83,6 @@
 	ln -srf testdata/loader-$(CLANG)-el.elf testdata/loader-el.elf
 	ln -srf testdata/loader-$(CLANG)-eb.elf testdata/loader-eb.elf
 
-# $BPF_CLANG is used in go:generate invocations.
-generate: export BPF_CLANG := $(CLANG)
-generate: export BPF_CFLAGS := $(CFLAGS)
 generate:
 	go generate ./...
 
@@ -103,13 +103,12 @@
 	$(STRIP) -g $@
 
 .PHONY: generate-btf
-generate-btf: KERNEL_VERSION?=5.19
+generate-btf: KERNEL_VERSION?=6.1.29
 generate-btf:
 	$(eval TMP := $(shell mktemp -d))
-	curl -fL "$(CI_KERNEL_URL)/linux-$(KERNEL_VERSION).bz" -o "$(TMP)/bzImage"
-	/lib/modules/$(uname -r)/build/scripts/extract-vmlinux "$(TMP)/bzImage" > "$(TMP)/vmlinux"
+	curl -fL "$(CI_KERNEL_URL)/linux-$(KERNEL_VERSION)-amd64.tgz" -o "$(TMP)/linux.tgz"
+	tar xvf "$(TMP)/linux.tgz" -C "$(TMP)" --strip-components=2 ./boot/vmlinuz ./lib/modules
+	/lib/modules/$(shell uname -r)/build/scripts/extract-vmlinux "$(TMP)/vmlinuz" > "$(TMP)/vmlinux"
 	$(OBJCOPY) --dump-section .BTF=/dev/stdout "$(TMP)/vmlinux" /dev/null | gzip > "btf/testdata/vmlinux.btf.gz"
-	curl -fL "$(CI_KERNEL_URL)/linux-$(KERNEL_VERSION)-selftests-bpf.tgz" -o "$(TMP)/selftests.tgz"
-	tar -xf "$(TMP)/selftests.tgz" --to-stdout tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.ko | \
-		$(OBJCOPY) --dump-section .BTF="btf/testdata/btf_testmod.btf" - /dev/null
+	find "$(TMP)/modules" -type f -name bpf_testmod.ko -exec $(OBJCOPY) --dump-section .BTF="btf/testdata/btf_testmod.btf" {} /dev/null \;
 	$(RM) -r "$(TMP)"
diff --git a/vendor/github.com/cilium/ebpf/README.md b/vendor/github.com/cilium/ebpf/README.md
index eff08d8..81235a6 100644
--- a/vendor/github.com/cilium/ebpf/README.md
+++ b/vendor/github.com/cilium/ebpf/README.md
@@ -2,7 +2,7 @@
 
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/cilium/ebpf)](https://pkg.go.dev/github.com/cilium/ebpf)
 
-![HoneyGopher](.github/images/cilium-ebpf.png)
+![HoneyGopher](docs/ebpf/ebpf-go.png)
 
 ebpf-go is a pure Go library that provides utilities for loading, compiling, and
 debugging eBPF programs. It has minimal external dependencies and is intended to
diff --git a/vendor/github.com/cilium/ebpf/asm/alu.go b/vendor/github.com/cilium/ebpf/asm/alu.go
index 3f60245..282233d 100644
--- a/vendor/github.com/cilium/ebpf/asm/alu.go
+++ b/vendor/github.com/cilium/ebpf/asm/alu.go
@@ -1,26 +1,26 @@
 package asm
 
-//go:generate stringer -output alu_string.go -type=Source,Endianness,ALUOp
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -output alu_string.go -type=Source,Endianness,ALUOp
 
 // Source of ALU / ALU64 / Branch operations
 //
-//	msb      lsb
-//	+----+-+---+
-//	|op  |S|cls|
-//	+----+-+---+
-type Source uint8
+//	msb              lsb
+//	+------------+-+---+
+//	|     op     |S|cls|
+//	+------------+-+---+
+type Source uint16
 
-const sourceMask OpCode = 0x08
+const sourceMask OpCode = 0x0008
 
 // Source bitmask
 const (
 	// InvalidSource is returned by getters when invoked
 	// on non ALU / branch OpCodes.
-	InvalidSource Source = 0xff
+	InvalidSource Source = 0xffff
 	// ImmSource src is from constant
-	ImmSource Source = 0x00
+	ImmSource Source = 0x0000
 	// RegSource src is from register
-	RegSource Source = 0x08
+	RegSource Source = 0x0008
 )
 
 // The Endianness of a byte swap instruction.
@@ -39,46 +39,56 @@
 
 // ALUOp are ALU / ALU64 operations
 //
-//	msb      lsb
-//	+----+-+---+
-//	|OP  |s|cls|
-//	+----+-+---+
-type ALUOp uint8
+//	msb              lsb
+//	+-------+----+-+---+
+//	|  EXT  | OP |s|cls|
+//	+-------+----+-+---+
+type ALUOp uint16
 
-const aluMask OpCode = 0xf0
+const aluMask OpCode = 0x3ff0
 
 const (
 	// InvalidALUOp is returned by getters when invoked
 	// on non ALU OpCodes
-	InvalidALUOp ALUOp = 0xff
+	InvalidALUOp ALUOp = 0xffff
 	// Add - addition
-	Add ALUOp = 0x00
+	Add ALUOp = 0x0000
 	// Sub - subtraction
-	Sub ALUOp = 0x10
+	Sub ALUOp = 0x0010
 	// Mul - multiplication
-	Mul ALUOp = 0x20
+	Mul ALUOp = 0x0020
 	// Div - division
-	Div ALUOp = 0x30
+	Div ALUOp = 0x0030
+	// SDiv - signed division
+	SDiv ALUOp = Div + 0x0100
 	// Or - bitwise or
-	Or ALUOp = 0x40
+	Or ALUOp = 0x0040
 	// And - bitwise and
-	And ALUOp = 0x50
+	And ALUOp = 0x0050
 	// LSh - bitwise shift left
-	LSh ALUOp = 0x60
+	LSh ALUOp = 0x0060
 	// RSh - bitwise shift right
-	RSh ALUOp = 0x70
+	RSh ALUOp = 0x0070
 	// Neg - sign/unsign signing bit
-	Neg ALUOp = 0x80
+	Neg ALUOp = 0x0080
 	// Mod - modulo
-	Mod ALUOp = 0x90
+	Mod ALUOp = 0x0090
+	// SMod - signed modulo
+	SMod ALUOp = Mod + 0x0100
 	// Xor - bitwise xor
-	Xor ALUOp = 0xa0
+	Xor ALUOp = 0x00a0
 	// Mov - move value from one place to another
-	Mov ALUOp = 0xb0
-	// ArSh - arithmatic shift
-	ArSh ALUOp = 0xc0
+	Mov ALUOp = 0x00b0
+	// MovSX8 - move lower 8 bits, sign extended upper bits of target
+	MovSX8 ALUOp = Mov + 0x0100
+	// MovSX16 - move lower 16 bits, sign extended upper bits of target
+	MovSX16 ALUOp = Mov + 0x0200
+	// MovSX32 - move lower 32 bits, sign extended upper bits of target
+	MovSX32 ALUOp = Mov + 0x0300
+	// ArSh - arithmetic shift
+	ArSh ALUOp = 0x00c0
 	// Swap - endian conversions
-	Swap ALUOp = 0xd0
+	Swap ALUOp = 0x00d0
 )
 
 // HostTo converts from host to another endianness.
@@ -102,6 +112,27 @@
 	}
 }
 
+// BSwap unconditionally reverses the order of bytes in a register.
+func BSwap(dst Register, size Size) Instruction {
+	var imm int64
+	switch size {
+	case Half:
+		imm = 16
+	case Word:
+		imm = 32
+	case DWord:
+		imm = 64
+	default:
+		return Instruction{OpCode: InvalidOpCode}
+	}
+
+	return Instruction{
+		OpCode:   OpCode(ALU64Class).SetALUOp(Swap),
+		Dst:      dst,
+		Constant: imm,
+	}
+}
+
 // Op returns the OpCode for an ALU operation with a given source.
 func (op ALUOp) Op(source Source) OpCode {
 	return OpCode(ALU64Class).SetALUOp(op).SetSource(source)
diff --git a/vendor/github.com/cilium/ebpf/asm/alu_string.go b/vendor/github.com/cilium/ebpf/asm/alu_string.go
index 72d3fe6..35b406b 100644
--- a/vendor/github.com/cilium/ebpf/asm/alu_string.go
+++ b/vendor/github.com/cilium/ebpf/asm/alu_string.go
@@ -8,7 +8,7 @@
 	// An "invalid array index" compiler error signifies that the constant values have changed.
 	// Re-run the stringer command to generate them again.
 	var x [1]struct{}
-	_ = x[InvalidSource-255]
+	_ = x[InvalidSource-65535]
 	_ = x[ImmSource-0]
 	_ = x[RegSource-8]
 }
@@ -25,7 +25,7 @@
 		return _Source_name_0
 	case i == 8:
 		return _Source_name_1
-	case i == 255:
+	case i == 65535:
 		return _Source_name_2
 	default:
 		return "Source(" + strconv.FormatInt(int64(i), 10) + ")"
@@ -62,41 +62,51 @@
 	// An "invalid array index" compiler error signifies that the constant values have changed.
 	// Re-run the stringer command to generate them again.
 	var x [1]struct{}
-	_ = x[InvalidALUOp-255]
+	_ = x[InvalidALUOp-65535]
 	_ = x[Add-0]
 	_ = x[Sub-16]
 	_ = x[Mul-32]
 	_ = x[Div-48]
+	_ = x[SDiv-304]
 	_ = x[Or-64]
 	_ = x[And-80]
 	_ = x[LSh-96]
 	_ = x[RSh-112]
 	_ = x[Neg-128]
 	_ = x[Mod-144]
+	_ = x[SMod-400]
 	_ = x[Xor-160]
 	_ = x[Mov-176]
+	_ = x[MovSX8-432]
+	_ = x[MovSX16-688]
+	_ = x[MovSX32-944]
 	_ = x[ArSh-192]
 	_ = x[Swap-208]
 }
 
-const _ALUOp_name = "AddSubMulDivOrAndLShRShNegModXorMovArShSwapInvalidALUOp"
+const _ALUOp_name = "AddSubMulDivOrAndLShRShNegModXorMovArShSwapSDivSModMovSX8MovSX16MovSX32InvalidALUOp"
 
 var _ALUOp_map = map[ALUOp]string{
-	0:   _ALUOp_name[0:3],
-	16:  _ALUOp_name[3:6],
-	32:  _ALUOp_name[6:9],
-	48:  _ALUOp_name[9:12],
-	64:  _ALUOp_name[12:14],
-	80:  _ALUOp_name[14:17],
-	96:  _ALUOp_name[17:20],
-	112: _ALUOp_name[20:23],
-	128: _ALUOp_name[23:26],
-	144: _ALUOp_name[26:29],
-	160: _ALUOp_name[29:32],
-	176: _ALUOp_name[32:35],
-	192: _ALUOp_name[35:39],
-	208: _ALUOp_name[39:43],
-	255: _ALUOp_name[43:55],
+	0:     _ALUOp_name[0:3],
+	16:    _ALUOp_name[3:6],
+	32:    _ALUOp_name[6:9],
+	48:    _ALUOp_name[9:12],
+	64:    _ALUOp_name[12:14],
+	80:    _ALUOp_name[14:17],
+	96:    _ALUOp_name[17:20],
+	112:   _ALUOp_name[20:23],
+	128:   _ALUOp_name[23:26],
+	144:   _ALUOp_name[26:29],
+	160:   _ALUOp_name[29:32],
+	176:   _ALUOp_name[32:35],
+	192:   _ALUOp_name[35:39],
+	208:   _ALUOp_name[39:43],
+	304:   _ALUOp_name[43:47],
+	400:   _ALUOp_name[47:51],
+	432:   _ALUOp_name[51:57],
+	688:   _ALUOp_name[57:64],
+	944:   _ALUOp_name[64:71],
+	65535: _ALUOp_name[71:83],
 }
 
 func (i ALUOp) String() string {
diff --git a/vendor/github.com/cilium/ebpf/asm/func.go b/vendor/github.com/cilium/ebpf/asm/func.go
index 18f6a75..84a40b2 100644
--- a/vendor/github.com/cilium/ebpf/asm/func.go
+++ b/vendor/github.com/cilium/ebpf/asm/func.go
@@ -1,6 +1,6 @@
 package asm
 
-//go:generate stringer -output func_string.go -type=BuiltinFunc
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -output func_string.go -type=BuiltinFunc
 
 // BuiltinFunc is a built-in eBPF function.
 type BuiltinFunc int32
diff --git a/vendor/github.com/cilium/ebpf/asm/instruction.go b/vendor/github.com/cilium/ebpf/asm/instruction.go
index ef01eaa..67cd39d 100644
--- a/vendor/github.com/cilium/ebpf/asm/instruction.go
+++ b/vendor/github.com/cilium/ebpf/asm/instruction.go
@@ -60,6 +60,34 @@
 	}
 
 	ins.Offset = int16(bo.Uint16(data[2:4]))
+
+	if ins.OpCode.Class().IsALU() {
+		switch ins.OpCode.ALUOp() {
+		case Div:
+			if ins.Offset == 1 {
+				ins.OpCode = ins.OpCode.SetALUOp(SDiv)
+				ins.Offset = 0
+			}
+		case Mod:
+			if ins.Offset == 1 {
+				ins.OpCode = ins.OpCode.SetALUOp(SMod)
+				ins.Offset = 0
+			}
+		case Mov:
+			switch ins.Offset {
+			case 8:
+				ins.OpCode = ins.OpCode.SetALUOp(MovSX8)
+				ins.Offset = 0
+			case 16:
+				ins.OpCode = ins.OpCode.SetALUOp(MovSX16)
+				ins.Offset = 0
+			case 32:
+				ins.OpCode = ins.OpCode.SetALUOp(MovSX32)
+				ins.Offset = 0
+			}
+		}
+	}
+
 	// Convert to int32 before widening to int64
 	// to ensure the signed bit is carried over.
 	ins.Constant = int64(int32(bo.Uint32(data[4:8])))
@@ -106,8 +134,38 @@
 		return 0, fmt.Errorf("can't marshal registers: %s", err)
 	}
 
+	if ins.OpCode.Class().IsALU() {
+		newOffset := int16(0)
+		switch ins.OpCode.ALUOp() {
+		case SDiv:
+			ins.OpCode = ins.OpCode.SetALUOp(Div)
+			newOffset = 1
+		case SMod:
+			ins.OpCode = ins.OpCode.SetALUOp(Mod)
+			newOffset = 1
+		case MovSX8:
+			ins.OpCode = ins.OpCode.SetALUOp(Mov)
+			newOffset = 8
+		case MovSX16:
+			ins.OpCode = ins.OpCode.SetALUOp(Mov)
+			newOffset = 16
+		case MovSX32:
+			ins.OpCode = ins.OpCode.SetALUOp(Mov)
+			newOffset = 32
+		}
+		if newOffset != 0 && ins.Offset != 0 {
+			return 0, fmt.Errorf("extended ALU opcodes should have an .Offset of 0: %s", ins)
+		}
+		ins.Offset = newOffset
+	}
+
+	op, err := ins.OpCode.bpfOpCode()
+	if err != nil {
+		return 0, err
+	}
+
 	data := make([]byte, InstructionSize)
-	data[0] = byte(ins.OpCode)
+	data[0] = op
 	data[1] = byte(regs)
 	bo.PutUint16(data[2:4], uint16(ins.Offset))
 	bo.PutUint32(data[4:8], uint32(cons))
@@ -298,9 +356,9 @@
 		goto ref
 	}
 
-	fmt.Fprintf(f, "%v ", op)
 	switch cls := op.Class(); {
 	case cls.isLoadOrStore():
+		fmt.Fprintf(f, "%v ", op)
 		switch op.Mode() {
 		case ImmMode:
 			fmt.Fprintf(f, "dst: %s imm: %d", ins.Dst, ins.Constant)
@@ -308,21 +366,30 @@
 			fmt.Fprintf(f, "imm: %d", ins.Constant)
 		case IndMode:
 			fmt.Fprintf(f, "dst: %s src: %s imm: %d", ins.Dst, ins.Src, ins.Constant)
-		case MemMode:
+		case MemMode, MemSXMode:
 			fmt.Fprintf(f, "dst: %s src: %s off: %d imm: %d", ins.Dst, ins.Src, ins.Offset, ins.Constant)
 		case XAddMode:
 			fmt.Fprintf(f, "dst: %s src: %s", ins.Dst, ins.Src)
 		}
 
 	case cls.IsALU():
-		fmt.Fprintf(f, "dst: %s ", ins.Dst)
-		if op.ALUOp() == Swap || op.Source() == ImmSource {
+		fmt.Fprintf(f, "%v", op)
+		if op == Swap.Op(ImmSource) {
+			fmt.Fprintf(f, "%d", ins.Constant)
+		}
+
+		fmt.Fprintf(f, " dst: %s ", ins.Dst)
+		switch {
+		case op.ALUOp() == Swap:
+			break
+		case op.Source() == ImmSource:
 			fmt.Fprintf(f, "imm: %d", ins.Constant)
-		} else {
+		default:
 			fmt.Fprintf(f, "src: %s", ins.Src)
 		}
 
 	case cls.IsJump():
+		fmt.Fprintf(f, "%v ", op)
 		switch jop := op.JumpOp(); jop {
 		case Call:
 			switch ins.Src {
@@ -336,6 +403,13 @@
 				fmt.Fprint(f, BuiltinFunc(ins.Constant))
 			}
 
+		case Ja:
+			if ins.OpCode.Class() == Jump32Class {
+				fmt.Fprintf(f, "imm: %d", ins.Constant)
+			} else {
+				fmt.Fprintf(f, "off: %d", ins.Offset)
+			}
+
 		default:
 			fmt.Fprintf(f, "dst: %s off: %d ", ins.Dst, ins.Offset)
 			if op.Source() == ImmSource {
@@ -344,6 +418,8 @@
 				fmt.Fprintf(f, "src: %s", ins.Src)
 			}
 		}
+	default:
+		fmt.Fprintf(f, "%v ", op)
 	}
 
 ref:
@@ -772,7 +848,8 @@
 		}
 
 		switch {
-		case ins.IsFunctionReference() && ins.Constant == -1:
+		case ins.IsFunctionReference() && ins.Constant == -1,
+			ins.OpCode == Ja.opCode(Jump32Class, ImmSource) && ins.Constant == -1:
 			symOffset, ok := symbolOffsets[ins.Reference()]
 			if !ok {
 				return fmt.Errorf("%s at insn %d: symbol %q: %w", ins.OpCode, i, ins.Reference(), ErrUnsatisfiedProgramReference)
diff --git a/vendor/github.com/cilium/ebpf/asm/jump.go b/vendor/github.com/cilium/ebpf/asm/jump.go
index 2c8a3db..2738d73 100644
--- a/vendor/github.com/cilium/ebpf/asm/jump.go
+++ b/vendor/github.com/cilium/ebpf/asm/jump.go
@@ -1,6 +1,6 @@
 package asm
 
-//go:generate stringer -output jump_string.go -type=JumpOp
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -output jump_string.go -type=JumpOp
 
 // JumpOp affect control flow.
 //
@@ -10,7 +10,7 @@
 //	+----+-+---+
 type JumpOp uint8
 
-const jumpMask OpCode = aluMask
+const jumpMask OpCode = 0xf0
 
 const (
 	// InvalidJumpOp is returned by getters when invoked
@@ -103,13 +103,21 @@
 }
 
 func (op JumpOp) opCode(class Class, source Source) OpCode {
-	if op == Exit || op == Call || op == Ja {
+	if op == Exit || op == Call {
 		return InvalidOpCode
 	}
 
 	return OpCode(class).SetJumpOp(op).SetSource(source)
 }
 
+// LongJump returns a jump always instruction with a range of [-2^31, 2^31 - 1].
+func LongJump(label string) Instruction {
+	return Instruction{
+		OpCode:   Ja.opCode(Jump32Class, ImmSource),
+		Constant: -1,
+	}.WithReference(label)
+}
+
 // Label adjusts PC to the address of the label.
 func (op JumpOp) Label(label string) Instruction {
 	if op == Call {
diff --git a/vendor/github.com/cilium/ebpf/asm/load_store.go b/vendor/github.com/cilium/ebpf/asm/load_store.go
index f109497..cdb5c5c 100644
--- a/vendor/github.com/cilium/ebpf/asm/load_store.go
+++ b/vendor/github.com/cilium/ebpf/asm/load_store.go
@@ -1,6 +1,6 @@
 package asm
 
-//go:generate stringer -output load_store_string.go -type=Mode,Size
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -output load_store_string.go -type=Mode,Size
 
 // Mode for load and store operations
 //
@@ -24,6 +24,8 @@
 	IndMode Mode = 0x40
 	// MemMode - load from memory
 	MemMode Mode = 0x60
+	// MemSXMode - load from memory, sign extension
+	MemSXMode Mode = 0x80
 	// XAddMode - add atomically across processors.
 	XAddMode Mode = 0xc0
 )
@@ -73,6 +75,11 @@
 	return OpCode(LdXClass).SetMode(MemMode).SetSize(size)
 }
 
+// LoadMemSXOp returns the OpCode to load a value of given size from memory sign extended.
+func LoadMemSXOp(size Size) OpCode {
+	return OpCode(LdXClass).SetMode(MemSXMode).SetSize(size)
+}
+
 // LoadMem emits `dst = *(size *)(src + offset)`.
 func LoadMem(dst, src Register, offset int16, size Size) Instruction {
 	return Instruction{
@@ -83,6 +90,20 @@
 	}
 }
 
+// LoadMemSX emits `dst = *(size *)(src + offset)` but sign extends dst.
+func LoadMemSX(dst, src Register, offset int16, size Size) Instruction {
+	if size == DWord {
+		return Instruction{OpCode: InvalidOpCode}
+	}
+
+	return Instruction{
+		OpCode: LoadMemSXOp(size),
+		Dst:    dst,
+		Src:    src,
+		Offset: offset,
+	}
+}
+
 // LoadImmOp returns the OpCode to load an immediate of given size.
 //
 // As of kernel 4.20, only DWord size is accepted.
diff --git a/vendor/github.com/cilium/ebpf/asm/load_store_string.go b/vendor/github.com/cilium/ebpf/asm/load_store_string.go
index 76d29a0..c480803 100644
--- a/vendor/github.com/cilium/ebpf/asm/load_store_string.go
+++ b/vendor/github.com/cilium/ebpf/asm/load_store_string.go
@@ -13,6 +13,7 @@
 	_ = x[AbsMode-32]
 	_ = x[IndMode-64]
 	_ = x[MemMode-96]
+	_ = x[MemSXMode-128]
 	_ = x[XAddMode-192]
 }
 
@@ -21,8 +22,9 @@
 	_Mode_name_1 = "AbsMode"
 	_Mode_name_2 = "IndMode"
 	_Mode_name_3 = "MemMode"
-	_Mode_name_4 = "XAddMode"
-	_Mode_name_5 = "InvalidMode"
+	_Mode_name_4 = "MemSXMode"
+	_Mode_name_5 = "XAddMode"
+	_Mode_name_6 = "InvalidMode"
 )
 
 func (i Mode) String() string {
@@ -35,10 +37,12 @@
 		return _Mode_name_2
 	case i == 96:
 		return _Mode_name_3
-	case i == 192:
+	case i == 128:
 		return _Mode_name_4
-	case i == 255:
+	case i == 192:
 		return _Mode_name_5
+	case i == 255:
+		return _Mode_name_6
 	default:
 		return "Mode(" + strconv.FormatInt(int64(i), 10) + ")"
 	}
diff --git a/vendor/github.com/cilium/ebpf/asm/opcode.go b/vendor/github.com/cilium/ebpf/asm/opcode.go
index 9e3c30b..1dfd0b1 100644
--- a/vendor/github.com/cilium/ebpf/asm/opcode.go
+++ b/vendor/github.com/cilium/ebpf/asm/opcode.go
@@ -5,7 +5,7 @@
 	"strings"
 )
 
-//go:generate stringer -output opcode_string.go -type=Class
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -output opcode_string.go -type=Class
 
 // Class of operations
 //
@@ -66,18 +66,43 @@
 	return cls.IsJump() || cls.IsALU()
 }
 
-// OpCode is a packed eBPF opcode.
+// OpCode represents a single operation.
+// It is not a 1:1 mapping to real eBPF opcodes.
 //
-// Its encoding is defined by a Class value:
+// The encoding varies based on a 3-bit Class:
 //
-//	msb      lsb
-//	+----+-+---+
-//	| ???? |CLS|
-//	+----+-+---+
-type OpCode uint8
+//	7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
+//	           ???           | CLS
+//
+// For ALUClass and ALUCLass32:
+//
+//	7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
+//	           OPC         |S| CLS
+//
+// For LdClass, LdXclass, StClass and StXClass:
+//
+//	7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
+//	        0      | MDE |SIZ| CLS
+//
+// For JumpClass, Jump32Class:
+//
+//	7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
+//	        0      |  OPC  |S| CLS
+type OpCode uint16
 
 // InvalidOpCode is returned by setters on OpCode
-const InvalidOpCode OpCode = 0xff
+const InvalidOpCode OpCode = 0xffff
+
+// bpfOpCode returns the actual BPF opcode.
+func (op OpCode) bpfOpCode() (byte, error) {
+	const opCodeMask = 0xff
+
+	if !valid(op, opCodeMask) {
+		return 0, fmt.Errorf("invalid opcode %x", op)
+	}
+
+	return byte(op & opCodeMask), nil
+}
 
 // rawInstructions returns the number of BPF instructions required
 // to encode this opcode.
@@ -147,7 +172,7 @@
 	jumpOp := JumpOp(op & jumpMask)
 
 	// Some JumpOps are only supported by JumpClass, not Jump32Class.
-	if op.Class() == Jump32Class && (jumpOp == Exit || jumpOp == Call || jumpOp == Ja) {
+	if op.Class() == Jump32Class && (jumpOp == Exit || jumpOp == Call) {
 		return InvalidJumpOp
 	}
 
@@ -234,17 +259,24 @@
 		}
 
 	case class.IsALU():
+		if op.ALUOp() == Swap && op.Class() == ALU64Class {
+			// B to make BSwap, uncontitional byte swap
+			f.WriteString("B")
+		}
+
 		f.WriteString(op.ALUOp().String())
 
 		if op.ALUOp() == Swap {
-			// Width for Endian is controlled by Constant
-			f.WriteString(op.Endianness().String())
+			if op.Class() == ALUClass {
+				// Width for Endian is controlled by Constant
+				f.WriteString(op.Endianness().String())
+			}
 		} else {
+			f.WriteString(strings.TrimSuffix(op.Source().String(), "Source"))
+
 			if class == ALUClass {
 				f.WriteString("32")
 			}
-
-			f.WriteString(strings.TrimSuffix(op.Source().String(), "Source"))
 		}
 
 	case class.IsJump():
@@ -254,7 +286,7 @@
 			f.WriteString("32")
 		}
 
-		if jop := op.JumpOp(); jop != Exit && jop != Call {
+		if jop := op.JumpOp(); jop != Exit && jop != Call && jop != Ja {
 			f.WriteString(strings.TrimSuffix(op.Source().String(), "Source"))
 		}
 
diff --git a/vendor/github.com/cilium/ebpf/btf/btf.go b/vendor/github.com/cilium/ebpf/btf/btf.go
index 86eb7d6..80f64d7 100644
--- a/vendor/github.com/cilium/ebpf/btf/btf.go
+++ b/vendor/github.com/cilium/ebpf/btf/btf.go
@@ -14,7 +14,6 @@
 
 	"github.com/cilium/ebpf/internal"
 	"github.com/cilium/ebpf/internal/sys"
-	"github.com/cilium/ebpf/internal/unix"
 )
 
 const btfMagic = 0xeB9F
@@ -47,51 +46,13 @@
 	// Includes all struct flavors and types with the same name.
 	namedTypes map[essentialName][]Type
 
-	// String table from ELF, may be nil.
+	// String table from ELF.
 	strings *stringTable
 
 	// Byte order of the ELF we decoded the spec from, may be nil.
 	byteOrder binary.ByteOrder
 }
 
-var btfHeaderLen = binary.Size(&btfHeader{})
-
-type btfHeader struct {
-	Magic   uint16
-	Version uint8
-	Flags   uint8
-	HdrLen  uint32
-
-	TypeOff   uint32
-	TypeLen   uint32
-	StringOff uint32
-	StringLen uint32
-}
-
-// typeStart returns the offset from the beginning of the .BTF section
-// to the start of its type entries.
-func (h *btfHeader) typeStart() int64 {
-	return int64(h.HdrLen + h.TypeOff)
-}
-
-// stringStart returns the offset from the beginning of the .BTF section
-// to the start of its string table.
-func (h *btfHeader) stringStart() int64 {
-	return int64(h.HdrLen + h.StringOff)
-}
-
-// newSpec creates a Spec containing only Void.
-func newSpec() *Spec {
-	return &Spec{
-		[]Type{(*Void)(nil)},
-		map[Type]TypeID{(*Void)(nil): 0},
-		0,
-		make(map[essentialName][]Type),
-		nil,
-		nil,
-	}
-}
-
 // LoadSpec opens file and calls LoadSpecFromReader on it.
 func LoadSpec(file string) (*Spec, error) {
 	fh, err := os.Open(file)
@@ -240,10 +201,6 @@
 			return nil, fmt.Errorf("can't use split BTF as base")
 		}
 
-		if base.strings == nil {
-			return nil, fmt.Errorf("parse split BTF: base must be loaded from an ELF")
-		}
-
 		baseStrings = base.strings
 
 		firstTypeID, err = base.nextTypeID()
@@ -252,12 +209,7 @@
 		}
 	}
 
-	rawTypes, rawStrings, err := parseBTF(btf, bo, baseStrings)
-	if err != nil {
-		return nil, err
-	}
-
-	types, err := inflateRawTypes(rawTypes, rawStrings, base)
+	types, rawStrings, err := parseBTF(btf, bo, baseStrings, base)
 	if err != nil {
 		return nil, err
 	}
@@ -365,12 +317,12 @@
 	}
 	defer file.Close()
 
-	spec, err := loadSpecFromELF(file)
+	spec, err := LoadSpecFromReader(file)
 	return spec, true, err
 }
 
 // findVMLinux scans multiple well-known paths for vmlinux kernel images.
-func findVMLinux() (*internal.SafeELFFile, error) {
+func findVMLinux() (*os.File, error) {
 	release, err := internal.KernelRelease()
 	if err != nil {
 		return nil, err
@@ -389,7 +341,7 @@
 	}
 
 	for _, loc := range locations {
-		file, err := internal.OpenSafeELFFile(fmt.Sprintf(loc, release))
+		file, err := os.Open(fmt.Sprintf(loc, release))
 		if errors.Is(err, os.ErrNotExist) {
 			continue
 		}
@@ -399,37 +351,6 @@
 	return nil, fmt.Errorf("no BTF found for kernel version %s: %w", release, internal.ErrNotSupported)
 }
 
-// parseBTFHeader parses the header of the .BTF section.
-func parseBTFHeader(r io.Reader, bo binary.ByteOrder) (*btfHeader, error) {
-	var header btfHeader
-	if err := binary.Read(r, bo, &header); err != nil {
-		return nil, fmt.Errorf("can't read header: %v", err)
-	}
-
-	if header.Magic != btfMagic {
-		return nil, fmt.Errorf("incorrect magic value %v", header.Magic)
-	}
-
-	if header.Version != 1 {
-		return nil, fmt.Errorf("unexpected version %v", header.Version)
-	}
-
-	if header.Flags != 0 {
-		return nil, fmt.Errorf("unsupported flags %v", header.Flags)
-	}
-
-	remainder := int64(header.HdrLen) - int64(binary.Size(&header))
-	if remainder < 0 {
-		return nil, errors.New("header length shorter than btfHeader size")
-	}
-
-	if _, err := io.CopyN(internal.DiscardZeroes{}, r, remainder); err != nil {
-		return nil, fmt.Errorf("header padding: %v", err)
-	}
-
-	return &header, nil
-}
-
 func guessRawBTFByteOrder(r io.ReaderAt) binary.ByteOrder {
 	buf := new(bufio.Reader)
 	for _, bo := range []binary.ByteOrder{
@@ -447,7 +368,7 @@
 
 // parseBTF reads a .BTF section into memory and parses it into a list of
 // raw types and a string table.
-func parseBTF(btf io.ReaderAt, bo binary.ByteOrder, baseStrings *stringTable) ([]rawType, *stringTable, error) {
+func parseBTF(btf io.ReaderAt, bo binary.ByteOrder, baseStrings *stringTable, base *Spec) ([]Type, *stringTable, error) {
 	buf := internal.NewBufferedSectionReader(btf, 0, math.MaxInt64)
 	header, err := parseBTFHeader(buf, bo)
 	if err != nil {
@@ -461,12 +382,12 @@
 	}
 
 	buf.Reset(io.NewSectionReader(btf, header.typeStart(), int64(header.TypeLen)))
-	rawTypes, err := readTypes(buf, bo, header.TypeLen)
+	types, err := readAndInflateTypes(buf, bo, header.TypeLen, rawStrings, base)
 	if err != nil {
-		return nil, nil, fmt.Errorf("can't read types: %w", err)
+		return nil, nil, err
 	}
 
-	return rawTypes, rawStrings, nil
+	return types, rawStrings, nil
 }
 
 type symbol struct {
@@ -773,97 +694,3 @@
 	iter.index++
 	return true
 }
-
-// haveBTF attempts to load a BTF blob containing an Int. It should pass on any
-// kernel that supports BPF_BTF_LOAD.
-var haveBTF = internal.NewFeatureTest("BTF", "4.18", func() error {
-	// 0-length anonymous integer
-	err := probeBTF(&Int{})
-	if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) {
-		return internal.ErrNotSupported
-	}
-	return err
-})
-
-// haveMapBTF attempts to load a minimal BTF blob containing a Var. It is
-// used as a proxy for .bss, .data and .rodata map support, which generally
-// come with a Var and Datasec. These were introduced in Linux 5.2.
-var haveMapBTF = internal.NewFeatureTest("Map BTF (Var/Datasec)", "5.2", func() error {
-	if err := haveBTF(); err != nil {
-		return err
-	}
-
-	v := &Var{
-		Name: "a",
-		Type: &Pointer{(*Void)(nil)},
-	}
-
-	err := probeBTF(v)
-	if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) {
-		// Treat both EINVAL and EPERM as not supported: creating the map may still
-		// succeed without Btf* attrs.
-		return internal.ErrNotSupported
-	}
-	return err
-})
-
-// haveProgBTF attempts to load a BTF blob containing a Func and FuncProto. It
-// is used as a proxy for ext_info (func_info) support, which depends on
-// Func(Proto) by definition.
-var haveProgBTF = internal.NewFeatureTest("Program BTF (func/line_info)", "5.0", func() error {
-	if err := haveBTF(); err != nil {
-		return err
-	}
-
-	fn := &Func{
-		Name: "a",
-		Type: &FuncProto{Return: (*Void)(nil)},
-	}
-
-	err := probeBTF(fn)
-	if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) {
-		return internal.ErrNotSupported
-	}
-	return err
-})
-
-var haveFuncLinkage = internal.NewFeatureTest("BTF func linkage", "5.6", func() error {
-	if err := haveProgBTF(); err != nil {
-		return err
-	}
-
-	fn := &Func{
-		Name:    "a",
-		Type:    &FuncProto{Return: (*Void)(nil)},
-		Linkage: GlobalFunc,
-	}
-
-	err := probeBTF(fn)
-	if errors.Is(err, unix.EINVAL) {
-		return internal.ErrNotSupported
-	}
-	return err
-})
-
-func probeBTF(typ Type) error {
-	b, err := NewBuilder([]Type{typ})
-	if err != nil {
-		return err
-	}
-
-	buf, err := b.Marshal(nil, nil)
-	if err != nil {
-		return err
-	}
-
-	fd, err := sys.BtfLoad(&sys.BtfLoadAttr{
-		Btf:     sys.NewSlicePointer(buf),
-		BtfSize: uint32(len(buf)),
-	})
-
-	if err == nil {
-		fd.Close()
-	}
-
-	return err
-}
diff --git a/vendor/github.com/cilium/ebpf/btf/btf_types.go b/vendor/github.com/cilium/ebpf/btf/btf_types.go
index a253b7c..f0e327a 100644
--- a/vendor/github.com/cilium/ebpf/btf/btf_types.go
+++ b/vendor/github.com/cilium/ebpf/btf/btf_types.go
@@ -2,12 +2,15 @@
 
 import (
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 	"unsafe"
+
+	"github.com/cilium/ebpf/internal"
 )
 
-//go:generate stringer -linecomment -output=btf_types_string.go -type=FuncLinkage,VarLinkage,btfKind
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -linecomment -output=btf_types_string.go -type=FuncLinkage,VarLinkage,btfKind
 
 // btfKind describes a Type.
 type btfKind uint8
@@ -69,6 +72,63 @@
 	btfTypeKindFlagMask  = 1
 )
 
+var btfHeaderLen = binary.Size(&btfHeader{})
+
+type btfHeader struct {
+	Magic   uint16
+	Version uint8
+	Flags   uint8
+	HdrLen  uint32
+
+	TypeOff   uint32
+	TypeLen   uint32
+	StringOff uint32
+	StringLen uint32
+}
+
+// typeStart returns the offset from the beginning of the .BTF section
+// to the start of its type entries.
+func (h *btfHeader) typeStart() int64 {
+	return int64(h.HdrLen + h.TypeOff)
+}
+
+// stringStart returns the offset from the beginning of the .BTF section
+// to the start of its string table.
+func (h *btfHeader) stringStart() int64 {
+	return int64(h.HdrLen + h.StringOff)
+}
+
+// parseBTFHeader parses the header of the .BTF section.
+func parseBTFHeader(r io.Reader, bo binary.ByteOrder) (*btfHeader, error) {
+	var header btfHeader
+	if err := binary.Read(r, bo, &header); err != nil {
+		return nil, fmt.Errorf("can't read header: %v", err)
+	}
+
+	if header.Magic != btfMagic {
+		return nil, fmt.Errorf("incorrect magic value %v", header.Magic)
+	}
+
+	if header.Version != 1 {
+		return nil, fmt.Errorf("unexpected version %v", header.Version)
+	}
+
+	if header.Flags != 0 {
+		return nil, fmt.Errorf("unsupported flags %v", header.Flags)
+	}
+
+	remainder := int64(header.HdrLen) - int64(binary.Size(&header))
+	if remainder < 0 {
+		return nil, errors.New("header length shorter than btfHeader size")
+	}
+
+	if _, err := io.CopyN(internal.DiscardZeroes{}, r, remainder); err != nil {
+		return nil, fmt.Errorf("header padding: %v", err)
+	}
+
+	return &header, nil
+}
+
 var btfTypeLen = binary.Size(btfType{})
 
 // btfType is equivalent to struct btf_type in Documentation/bpf/btf.rst.
@@ -93,6 +153,19 @@
 	SizeType uint32
 }
 
+var btfTypeSize = int(unsafe.Sizeof(btfType{}))
+
+func unmarshalBtfType(bt *btfType, b []byte, bo binary.ByteOrder) (int, error) {
+	if len(b) < btfTypeSize {
+		return 0, fmt.Errorf("not enough bytes to unmarshal btfType")
+	}
+
+	bt.NameOff = bo.Uint32(b[0:])
+	bt.Info = bo.Uint32(b[4:])
+	bt.SizeType = bo.Uint32(b[8:])
+	return btfTypeSize, nil
+}
+
 func mask(len uint32) uint32 {
 	return (1 << len) - 1
 }
@@ -240,6 +313,17 @@
 	btfIntBitsShift     = 0
 )
 
+var btfIntLen = int(unsafe.Sizeof(btfInt{}))
+
+func unmarshalBtfInt(bi *btfInt, b []byte, bo binary.ByteOrder) (int, error) {
+	if len(b) < btfIntLen {
+		return 0, fmt.Errorf("not enough bytes to unmarshal btfInt")
+	}
+
+	bi.Raw = bo.Uint32(b[0:])
+	return btfIntLen, nil
+}
+
 func (bi btfInt) Encoding() IntEncoding {
 	return IntEncoding(readBits(bi.Raw, btfIntEncodingLen, btfIntEncodingShift))
 }
@@ -270,102 +354,166 @@
 	Nelems    uint32
 }
 
+var btfArrayLen = int(unsafe.Sizeof(btfArray{}))
+
+func unmarshalBtfArray(ba *btfArray, b []byte, bo binary.ByteOrder) (int, error) {
+	if len(b) < btfArrayLen {
+		return 0, fmt.Errorf("not enough bytes to unmarshal btfArray")
+	}
+
+	ba.Type = TypeID(bo.Uint32(b[0:]))
+	ba.IndexType = TypeID(bo.Uint32(b[4:]))
+	ba.Nelems = bo.Uint32(b[8:])
+	return btfArrayLen, nil
+}
+
 type btfMember struct {
 	NameOff uint32
 	Type    TypeID
 	Offset  uint32
 }
 
+var btfMemberLen = int(unsafe.Sizeof(btfMember{}))
+
+func unmarshalBtfMembers(members []btfMember, b []byte, bo binary.ByteOrder) (int, error) {
+	off := 0
+	for i := range members {
+		if off+btfMemberLen > len(b) {
+			return 0, fmt.Errorf("not enough bytes to unmarshal btfMember %d", i)
+		}
+
+		members[i].NameOff = bo.Uint32(b[off+0:])
+		members[i].Type = TypeID(bo.Uint32(b[off+4:]))
+		members[i].Offset = bo.Uint32(b[off+8:])
+
+		off += btfMemberLen
+	}
+
+	return off, nil
+}
+
 type btfVarSecinfo struct {
 	Type   TypeID
 	Offset uint32
 	Size   uint32
 }
 
+var btfVarSecinfoLen = int(unsafe.Sizeof(btfVarSecinfo{}))
+
+func unmarshalBtfVarSecInfos(secinfos []btfVarSecinfo, b []byte, bo binary.ByteOrder) (int, error) {
+	off := 0
+	for i := range secinfos {
+		if off+btfVarSecinfoLen > len(b) {
+			return 0, fmt.Errorf("not enough bytes to unmarshal btfVarSecinfo %d", i)
+		}
+
+		secinfos[i].Type = TypeID(bo.Uint32(b[off+0:]))
+		secinfos[i].Offset = bo.Uint32(b[off+4:])
+		secinfos[i].Size = bo.Uint32(b[off+8:])
+
+		off += btfVarSecinfoLen
+	}
+
+	return off, nil
+}
+
 type btfVariable struct {
 	Linkage uint32
 }
 
+var btfVariableLen = int(unsafe.Sizeof(btfVariable{}))
+
+func unmarshalBtfVariable(bv *btfVariable, b []byte, bo binary.ByteOrder) (int, error) {
+	if len(b) < btfVariableLen {
+		return 0, fmt.Errorf("not enough bytes to unmarshal btfVariable")
+	}
+
+	bv.Linkage = bo.Uint32(b[0:])
+	return btfVariableLen, nil
+}
+
 type btfEnum struct {
 	NameOff uint32
 	Val     uint32
 }
 
+var btfEnumLen = int(unsafe.Sizeof(btfEnum{}))
+
+func unmarshalBtfEnums(enums []btfEnum, b []byte, bo binary.ByteOrder) (int, error) {
+	off := 0
+	for i := range enums {
+		if off+btfEnumLen > len(b) {
+			return 0, fmt.Errorf("not enough bytes to unmarshal btfEnum %d", i)
+		}
+
+		enums[i].NameOff = bo.Uint32(b[off+0:])
+		enums[i].Val = bo.Uint32(b[off+4:])
+
+		off += btfEnumLen
+	}
+
+	return off, nil
+}
+
 type btfEnum64 struct {
 	NameOff uint32
 	ValLo32 uint32
 	ValHi32 uint32
 }
 
+var btfEnum64Len = int(unsafe.Sizeof(btfEnum64{}))
+
+func unmarshalBtfEnums64(enums []btfEnum64, b []byte, bo binary.ByteOrder) (int, error) {
+	off := 0
+	for i := range enums {
+		if off+btfEnum64Len > len(b) {
+			return 0, fmt.Errorf("not enough bytes to unmarshal btfEnum64 %d", i)
+		}
+
+		enums[i].NameOff = bo.Uint32(b[off+0:])
+		enums[i].ValLo32 = bo.Uint32(b[off+4:])
+		enums[i].ValHi32 = bo.Uint32(b[off+8:])
+
+		off += btfEnum64Len
+	}
+
+	return off, nil
+}
+
 type btfParam struct {
 	NameOff uint32
 	Type    TypeID
 }
 
+var btfParamLen = int(unsafe.Sizeof(btfParam{}))
+
+func unmarshalBtfParams(params []btfParam, b []byte, bo binary.ByteOrder) (int, error) {
+	off := 0
+	for i := range params {
+		if off+btfParamLen > len(b) {
+			return 0, fmt.Errorf("not enough bytes to unmarshal btfParam %d", i)
+		}
+
+		params[i].NameOff = bo.Uint32(b[off+0:])
+		params[i].Type = TypeID(bo.Uint32(b[off+4:]))
+
+		off += btfParamLen
+	}
+
+	return off, nil
+}
+
 type btfDeclTag struct {
 	ComponentIdx uint32
 }
 
-func readTypes(r io.Reader, bo binary.ByteOrder, typeLen uint32) ([]rawType, error) {
-	var header btfType
-	// because of the interleaving between types and struct members it is difficult to
-	// precompute the numbers of raw types this will parse
-	// this "guess" is a good first estimation
-	sizeOfbtfType := uintptr(btfTypeLen)
-	tyMaxCount := uintptr(typeLen) / sizeOfbtfType / 2
-	types := make([]rawType, 0, tyMaxCount)
+var btfDeclTagLen = int(unsafe.Sizeof(btfDeclTag{}))
 
-	for id := TypeID(1); ; id++ {
-		if err := binary.Read(r, bo, &header); err == io.EOF {
-			return types, nil
-		} else if err != nil {
-			return nil, fmt.Errorf("can't read type info for id %v: %v", id, err)
-		}
-
-		var data interface{}
-		switch header.Kind() {
-		case kindInt:
-			data = new(btfInt)
-		case kindPointer:
-		case kindArray:
-			data = new(btfArray)
-		case kindStruct:
-			fallthrough
-		case kindUnion:
-			data = make([]btfMember, header.Vlen())
-		case kindEnum:
-			data = make([]btfEnum, header.Vlen())
-		case kindForward:
-		case kindTypedef:
-		case kindVolatile:
-		case kindConst:
-		case kindRestrict:
-		case kindFunc:
-		case kindFuncProto:
-			data = make([]btfParam, header.Vlen())
-		case kindVar:
-			data = new(btfVariable)
-		case kindDatasec:
-			data = make([]btfVarSecinfo, header.Vlen())
-		case kindFloat:
-		case kindDeclTag:
-			data = new(btfDeclTag)
-		case kindTypeTag:
-		case kindEnum64:
-			data = make([]btfEnum64, header.Vlen())
-		default:
-			return nil, fmt.Errorf("type id %v: unknown kind: %v", id, header.Kind())
-		}
-
-		if data == nil {
-			types = append(types, rawType{header, nil})
-			continue
-		}
-
-		if err := binary.Read(r, bo, data); err != nil {
-			return nil, fmt.Errorf("type id %d: kind %v: can't read %T: %v", id, header.Kind(), data, err)
-		}
-
-		types = append(types, rawType{header, data})
+func unmarshalBtfDeclTag(bdt *btfDeclTag, b []byte, bo binary.ByteOrder) (int, error) {
+	if len(b) < btfDeclTagLen {
+		return 0, fmt.Errorf("not enough bytes to unmarshal btfDeclTag")
 	}
+
+	bdt.ComponentIdx = bo.Uint32(b[0:])
+	return btfDeclTagLen, nil
 }
diff --git a/vendor/github.com/cilium/ebpf/btf/core.go b/vendor/github.com/cilium/ebpf/btf/core.go
index a5c40d3..ded7d43 100644
--- a/vendor/github.com/cilium/ebpf/btf/core.go
+++ b/vendor/github.com/cilium/ebpf/btf/core.go
@@ -18,8 +18,8 @@
 // COREFixup is the result of computing a CO-RE relocation for a target.
 type COREFixup struct {
 	kind   coreKind
-	local  uint32
-	target uint32
+	local  uint64
+	target uint64
 	// True if there is no valid fixup. The instruction is replaced with an
 	// invalid dummy.
 	poison bool
@@ -196,12 +196,12 @@
 
 			result[i] = COREFixup{
 				kind:  relo.kind,
-				local: uint32(relo.id),
+				local: uint64(relo.id),
 				// NB: Using relo.id as the target here is incorrect, since
 				// it doesn't match the BTF we generate on the fly. This isn't
 				// too bad for now since there are no uses of the local type ID
 				// in the kernel, yet.
-				target: uint32(relo.id),
+				target: uint64(relo.id),
 			}
 			continue
 		}
@@ -311,10 +311,10 @@
 // coreCalculateFixup calculates the fixup for a single local type, target type
 // and relocation.
 func coreCalculateFixup(relo *CORERelocation, target Type, targetID TypeID, bo binary.ByteOrder) (COREFixup, error) {
-	fixup := func(local, target uint32) (COREFixup, error) {
+	fixup := func(local, target uint64) (COREFixup, error) {
 		return COREFixup{kind: relo.kind, local: local, target: target}, nil
 	}
-	fixupWithoutValidation := func(local, target uint32) (COREFixup, error) {
+	fixupWithoutValidation := func(local, target uint64) (COREFixup, error) {
 		return COREFixup{kind: relo.kind, local: local, target: target, skipLocalValidation: true}, nil
 	}
 	poison := func() (COREFixup, error) {
@@ -346,7 +346,7 @@
 			return fixup(1, 1)
 
 		case reloTypeIDTarget:
-			return fixup(uint32(relo.id), uint32(targetID))
+			return fixup(uint64(relo.id), uint64(targetID))
 
 		case reloTypeSize:
 			localSize, err := Sizeof(local)
@@ -359,7 +359,7 @@
 				return zero, err
 			}
 
-			return fixup(uint32(localSize), uint32(targetSize))
+			return fixup(uint64(localSize), uint64(targetSize))
 		}
 
 	case reloEnumvalValue, reloEnumvalExists:
@@ -376,7 +376,7 @@
 			return fixup(1, 1)
 
 		case reloEnumvalValue:
-			return fixup(uint32(localValue.Value), uint32(targetValue.Value))
+			return fixup(localValue.Value, targetValue.Value)
 		}
 
 	case reloFieldByteOffset, reloFieldByteSize, reloFieldExists, reloFieldLShiftU64, reloFieldRShiftU64, reloFieldSigned:
@@ -405,7 +405,7 @@
 			return fixup(1, 1)
 
 		case reloFieldByteOffset:
-			return maybeSkipValidation(fixup(localField.offset, targetField.offset))
+			return maybeSkipValidation(fixup(uint64(localField.offset), uint64(targetField.offset)))
 
 		case reloFieldByteSize:
 			localSize, err := Sizeof(localField.Type)
@@ -417,24 +417,24 @@
 			if err != nil {
 				return zero, err
 			}
-			return maybeSkipValidation(fixup(uint32(localSize), uint32(targetSize)))
+			return maybeSkipValidation(fixup(uint64(localSize), uint64(targetSize)))
 
 		case reloFieldLShiftU64:
-			var target uint32
+			var target uint64
 			if bo == binary.LittleEndian {
 				targetSize, err := targetField.sizeBits()
 				if err != nil {
 					return zero, err
 				}
 
-				target = uint32(64 - targetField.bitfieldOffset - targetSize)
+				target = uint64(64 - targetField.bitfieldOffset - targetSize)
 			} else {
 				loadWidth, err := Sizeof(targetField.Type)
 				if err != nil {
 					return zero, err
 				}
 
-				target = uint32(64 - Bits(loadWidth*8) + targetField.bitfieldOffset)
+				target = uint64(64 - Bits(loadWidth*8) + targetField.bitfieldOffset)
 			}
 			return fixupWithoutValidation(0, target)
 
@@ -444,7 +444,7 @@
 				return zero, err
 			}
 
-			return fixupWithoutValidation(0, uint32(64-targetSize))
+			return fixupWithoutValidation(0, uint64(64-targetSize))
 
 		case reloFieldSigned:
 			switch local := UnderlyingType(localField.Type).(type) {
@@ -454,7 +454,7 @@
 					return zero, fmt.Errorf("target isn't *Enum but %T", targetField.Type)
 				}
 
-				return fixup(boolToUint32(local.Signed), boolToUint32(target.Signed))
+				return fixup(boolToUint64(local.Signed), boolToUint64(target.Signed))
 			case *Int:
 				target, ok := as[*Int](targetField.Type)
 				if !ok {
@@ -462,8 +462,8 @@
 				}
 
 				return fixup(
-					uint32(local.Encoding&Signed),
-					uint32(target.Encoding&Signed),
+					uint64(local.Encoding&Signed),
+					uint64(target.Encoding&Signed),
 				)
 			default:
 				return zero, fmt.Errorf("type %T: %w", local, errNoSignedness)
@@ -474,7 +474,7 @@
 	return zero, ErrNotSupported
 }
 
-func boolToUint32(val bool) uint32 {
+func boolToUint64(val bool) uint64 {
 	if val {
 		return 1
 	}
@@ -799,7 +799,7 @@
 		if visited[target] {
 			continue
 		}
-		if len(visited) >= maxTypeDepth {
+		if len(visited) >= maxResolveDepth {
 			// This check is different than libbpf, which restricts the entire
 			// path to BPF_CORE_SPEC_MAX_LEN items.
 			return Member{}, false, fmt.Errorf("type is nested too deep")
@@ -895,7 +895,7 @@
 	)
 
 	for ; l != nil && t != nil; l, t = localTs.Shift(), targetTs.Shift() {
-		if depth >= maxTypeDepth {
+		if depth >= maxResolveDepth {
 			return errors.New("types are nested too deep")
 		}
 
diff --git a/vendor/github.com/cilium/ebpf/btf/ext_info.go b/vendor/github.com/cilium/ebpf/btf/ext_info.go
index b764fb7..d85f45a 100644
--- a/vendor/github.com/cilium/ebpf/btf/ext_info.go
+++ b/vendor/github.com/cilium/ebpf/btf/ext_info.go
@@ -16,9 +16,9 @@
 // ExtInfos contains ELF section metadata.
 type ExtInfos struct {
 	// The slices are sorted by offset in ascending order.
-	funcInfos       map[string][]funcInfo
-	lineInfos       map[string][]lineInfo
-	relocationInfos map[string][]coreRelocationInfo
+	funcInfos       map[string]FuncInfos
+	lineInfos       map[string]LineInfos
+	relocationInfos map[string]CORERelocationInfos
 }
 
 // loadExtInfosFromELF parses ext infos from the .BTF.ext section in an ELF.
@@ -34,11 +34,11 @@
 		return nil, fmt.Errorf("compressed ext_info is not supported")
 	}
 
-	return loadExtInfos(section.ReaderAt, file.ByteOrder, spec, spec.strings)
+	return loadExtInfos(section.ReaderAt, file.ByteOrder, spec)
 }
 
 // loadExtInfos parses bare ext infos.
-func loadExtInfos(r io.ReaderAt, bo binary.ByteOrder, spec *Spec, strings *stringTable) (*ExtInfos, error) {
+func loadExtInfos(r io.ReaderAt, bo binary.ByteOrder, spec *Spec) (*ExtInfos, error) {
 	// Open unbuffered section reader. binary.Read() calls io.ReadFull on
 	// the header structs, resulting in one syscall per header.
 	headerRd := io.NewSectionReader(r, 0, math.MaxInt64)
@@ -53,12 +53,12 @@
 	}
 
 	buf := internal.NewBufferedSectionReader(r, extHeader.funcInfoStart(), int64(extHeader.FuncInfoLen))
-	btfFuncInfos, err := parseFuncInfos(buf, bo, strings)
+	btfFuncInfos, err := parseFuncInfos(buf, bo, spec.strings)
 	if err != nil {
 		return nil, fmt.Errorf("parsing BTF function info: %w", err)
 	}
 
-	funcInfos := make(map[string][]funcInfo, len(btfFuncInfos))
+	funcInfos := make(map[string]FuncInfos, len(btfFuncInfos))
 	for section, bfis := range btfFuncInfos {
 		funcInfos[section], err = newFuncInfos(bfis, spec)
 		if err != nil {
@@ -67,14 +67,14 @@
 	}
 
 	buf = internal.NewBufferedSectionReader(r, extHeader.lineInfoStart(), int64(extHeader.LineInfoLen))
-	btfLineInfos, err := parseLineInfos(buf, bo, strings)
+	btfLineInfos, err := parseLineInfos(buf, bo, spec.strings)
 	if err != nil {
 		return nil, fmt.Errorf("parsing BTF line info: %w", err)
 	}
 
-	lineInfos := make(map[string][]lineInfo, len(btfLineInfos))
+	lineInfos := make(map[string]LineInfos, len(btfLineInfos))
 	for section, blis := range btfLineInfos {
-		lineInfos[section], err = newLineInfos(blis, strings)
+		lineInfos[section], err = newLineInfos(blis, spec.strings)
 		if err != nil {
 			return nil, fmt.Errorf("section %s: line infos: %w", section, err)
 		}
@@ -86,14 +86,14 @@
 
 	var btfCORERelos map[string][]bpfCORERelo
 	buf = internal.NewBufferedSectionReader(r, extHeader.coreReloStart(coreHeader), int64(coreHeader.COREReloLen))
-	btfCORERelos, err = parseCORERelos(buf, bo, strings)
+	btfCORERelos, err = parseCORERelos(buf, bo, spec.strings)
 	if err != nil {
 		return nil, fmt.Errorf("parsing CO-RE relocation info: %w", err)
 	}
 
-	coreRelos := make(map[string][]coreRelocationInfo, len(btfCORERelos))
+	coreRelos := make(map[string]CORERelocationInfos, len(btfCORERelos))
 	for section, brs := range btfCORERelos {
-		coreRelos[section], err = newRelocationInfos(brs, spec, strings)
+		coreRelos[section], err = newRelocationInfos(brs, spec, spec.strings)
 		if err != nil {
 			return nil, fmt.Errorf("section %s: CO-RE relocations: %w", section, err)
 		}
@@ -111,21 +111,31 @@
 	lineInfos := ei.lineInfos[section]
 	reloInfos := ei.relocationInfos[section]
 
+	AssignMetadataToInstructions(insns, funcInfos, lineInfos, reloInfos)
+}
+
+// Assign per-instruction metadata to the instructions in insns.
+func AssignMetadataToInstructions(
+	insns asm.Instructions,
+	funcInfos FuncInfos,
+	lineInfos LineInfos,
+	reloInfos CORERelocationInfos,
+) {
 	iter := insns.Iterate()
 	for iter.Next() {
-		if len(funcInfos) > 0 && funcInfos[0].offset == iter.Offset {
-			*iter.Ins = WithFuncMetadata(*iter.Ins, funcInfos[0].fn)
-			funcInfos = funcInfos[1:]
+		if len(funcInfos.infos) > 0 && funcInfos.infos[0].offset == iter.Offset {
+			*iter.Ins = WithFuncMetadata(*iter.Ins, funcInfos.infos[0].fn)
+			funcInfos.infos = funcInfos.infos[1:]
 		}
 
-		if len(lineInfos) > 0 && lineInfos[0].offset == iter.Offset {
-			*iter.Ins = iter.Ins.WithSource(lineInfos[0].line)
-			lineInfos = lineInfos[1:]
+		if len(lineInfos.infos) > 0 && lineInfos.infos[0].offset == iter.Offset {
+			*iter.Ins = iter.Ins.WithSource(lineInfos.infos[0].line)
+			lineInfos.infos = lineInfos.infos[1:]
 		}
 
-		if len(reloInfos) > 0 && reloInfos[0].offset == iter.Offset {
-			iter.Ins.Metadata.Set(coreRelocationMeta{}, reloInfos[0].relo)
-			reloInfos = reloInfos[1:]
+		if len(reloInfos.infos) > 0 && reloInfos.infos[0].offset == iter.Offset {
+			iter.Ins.Metadata.Set(coreRelocationMeta{}, reloInfos.infos[0].relo)
+			reloInfos.infos = reloInfos.infos[1:]
 		}
 	}
 }
@@ -323,6 +333,11 @@
 	return recordSize, nil
 }
 
+// FuncInfos contains a sorted list of func infos.
+type FuncInfos struct {
+	infos []funcInfo
+}
+
 // The size of a FuncInfo in BTF wire format.
 var FuncInfoSize = uint32(binary.Size(bpfFuncInfo{}))
 
@@ -359,21 +374,39 @@
 	}, nil
 }
 
-func newFuncInfos(bfis []bpfFuncInfo, spec *Spec) ([]funcInfo, error) {
-	fis := make([]funcInfo, 0, len(bfis))
+func newFuncInfos(bfis []bpfFuncInfo, spec *Spec) (FuncInfos, error) {
+	fis := FuncInfos{
+		infos: make([]funcInfo, 0, len(bfis)),
+	}
 	for _, bfi := range bfis {
 		fi, err := newFuncInfo(bfi, spec)
 		if err != nil {
-			return nil, fmt.Errorf("offset %d: %w", bfi.InsnOff, err)
+			return FuncInfos{}, fmt.Errorf("offset %d: %w", bfi.InsnOff, err)
 		}
-		fis = append(fis, *fi)
+		fis.infos = append(fis.infos, *fi)
 	}
-	sort.Slice(fis, func(i, j int) bool {
-		return fis[i].offset <= fis[j].offset
+	sort.Slice(fis.infos, func(i, j int) bool {
+		return fis.infos[i].offset <= fis.infos[j].offset
 	})
 	return fis, nil
 }
 
+// LoadFuncInfos parses BTF func info in kernel wire format.
+func LoadFuncInfos(reader io.Reader, bo binary.ByteOrder, recordNum uint32, spec *Spec) (FuncInfos, error) {
+	fis, err := parseFuncInfoRecords(
+		reader,
+		bo,
+		FuncInfoSize,
+		recordNum,
+		false,
+	)
+	if err != nil {
+		return FuncInfos{}, fmt.Errorf("parsing BTF func info: %w", err)
+	}
+
+	return newFuncInfos(fis, spec)
+}
+
 // marshal into the BTF wire format.
 func (fi *funcInfo) marshal(w *bytes.Buffer, b *Builder) error {
 	id, err := b.Add(fi.fn)
@@ -409,7 +442,7 @@
 			return nil, err
 		}
 
-		records, err := parseFuncInfoRecords(r, bo, recordSize, infoHeader.NumInfo)
+		records, err := parseFuncInfoRecords(r, bo, recordSize, infoHeader.NumInfo, true)
 		if err != nil {
 			return nil, fmt.Errorf("section %v: %w", secName, err)
 		}
@@ -421,7 +454,7 @@
 // parseFuncInfoRecords parses a stream of func_infos into a funcInfos.
 // These records appear after a btf_ext_info_sec header in the func_info
 // sub-section of .BTF.ext.
-func parseFuncInfoRecords(r io.Reader, bo binary.ByteOrder, recordSize uint32, recordNum uint32) ([]bpfFuncInfo, error) {
+func parseFuncInfoRecords(r io.Reader, bo binary.ByteOrder, recordSize uint32, recordNum uint32, offsetInBytes bool) ([]bpfFuncInfo, error) {
 	var out []bpfFuncInfo
 	var fi bpfFuncInfo
 
@@ -435,13 +468,15 @@
 			return nil, fmt.Errorf("can't read function info: %v", err)
 		}
 
-		if fi.InsnOff%asm.InstructionSize != 0 {
-			return nil, fmt.Errorf("offset %v is not aligned with instruction size", fi.InsnOff)
-		}
+		if offsetInBytes {
+			if fi.InsnOff%asm.InstructionSize != 0 {
+				return nil, fmt.Errorf("offset %v is not aligned with instruction size", fi.InsnOff)
+			}
 
-		// ELF tracks offset in bytes, the kernel expects raw BPF instructions.
-		// Convert as early as possible.
-		fi.InsnOff /= asm.InstructionSize
+			// ELF tracks offset in bytes, the kernel expects raw BPF instructions.
+			// Convert as early as possible.
+			fi.InsnOff /= asm.InstructionSize
+		}
 
 		out = append(out, fi)
 	}
@@ -480,6 +515,11 @@
 	return li.line
 }
 
+// LineInfos contains a sorted list of line infos.
+type LineInfos struct {
+	infos []lineInfo
+}
+
 type lineInfo struct {
 	line   *Line
 	offset asm.RawInstructionOffset
@@ -500,21 +540,37 @@
 	LineCol     uint32
 }
 
-func newLineInfo(li bpfLineInfo, strings *stringTable) (*lineInfo, error) {
+// LoadLineInfos parses BTF line info in kernel wire format.
+func LoadLineInfos(reader io.Reader, bo binary.ByteOrder, recordNum uint32, spec *Spec) (LineInfos, error) {
+	lis, err := parseLineInfoRecords(
+		reader,
+		bo,
+		LineInfoSize,
+		recordNum,
+		false,
+	)
+	if err != nil {
+		return LineInfos{}, fmt.Errorf("parsing BTF line info: %w", err)
+	}
+
+	return newLineInfos(lis, spec.strings)
+}
+
+func newLineInfo(li bpfLineInfo, strings *stringTable) (lineInfo, error) {
 	line, err := strings.Lookup(li.LineOff)
 	if err != nil {
-		return nil, fmt.Errorf("lookup of line: %w", err)
+		return lineInfo{}, fmt.Errorf("lookup of line: %w", err)
 	}
 
 	fileName, err := strings.Lookup(li.FileNameOff)
 	if err != nil {
-		return nil, fmt.Errorf("lookup of filename: %w", err)
+		return lineInfo{}, fmt.Errorf("lookup of filename: %w", err)
 	}
 
 	lineNumber := li.LineCol >> bpfLineShift
 	lineColumn := li.LineCol & bpfColumnMax
 
-	return &lineInfo{
+	return lineInfo{
 		&Line{
 			fileName,
 			line,
@@ -525,17 +581,19 @@
 	}, nil
 }
 
-func newLineInfos(blis []bpfLineInfo, strings *stringTable) ([]lineInfo, error) {
-	lis := make([]lineInfo, 0, len(blis))
+func newLineInfos(blis []bpfLineInfo, strings *stringTable) (LineInfos, error) {
+	lis := LineInfos{
+		infos: make([]lineInfo, 0, len(blis)),
+	}
 	for _, bli := range blis {
 		li, err := newLineInfo(bli, strings)
 		if err != nil {
-			return nil, fmt.Errorf("offset %d: %w", bli.InsnOff, err)
+			return LineInfos{}, fmt.Errorf("offset %d: %w", bli.InsnOff, err)
 		}
-		lis = append(lis, *li)
+		lis.infos = append(lis.infos, li)
 	}
-	sort.Slice(lis, func(i, j int) bool {
-		return lis[i].offset <= lis[j].offset
+	sort.Slice(lis.infos, func(i, j int) bool {
+		return lis.infos[i].offset <= lis.infos[j].offset
 	})
 	return lis, nil
 }
@@ -595,7 +653,7 @@
 			return nil, err
 		}
 
-		records, err := parseLineInfoRecords(r, bo, recordSize, infoHeader.NumInfo)
+		records, err := parseLineInfoRecords(r, bo, recordSize, infoHeader.NumInfo, true)
 		if err != nil {
 			return nil, fmt.Errorf("section %v: %w", secName, err)
 		}
@@ -607,8 +665,7 @@
 // parseLineInfoRecords parses a stream of line_infos into a lineInfos.
 // These records appear after a btf_ext_info_sec header in the line_info
 // sub-section of .BTF.ext.
-func parseLineInfoRecords(r io.Reader, bo binary.ByteOrder, recordSize uint32, recordNum uint32) ([]bpfLineInfo, error) {
-	var out []bpfLineInfo
+func parseLineInfoRecords(r io.Reader, bo binary.ByteOrder, recordSize uint32, recordNum uint32, offsetInBytes bool) ([]bpfLineInfo, error) {
 	var li bpfLineInfo
 
 	if exp, got := uint32(binary.Size(li)), recordSize; exp != got {
@@ -616,18 +673,21 @@
 		return nil, fmt.Errorf("expected LineInfo record size %d, but BTF blob contains %d", exp, got)
 	}
 
+	out := make([]bpfLineInfo, 0, recordNum)
 	for i := uint32(0); i < recordNum; i++ {
 		if err := binary.Read(r, bo, &li); err != nil {
 			return nil, fmt.Errorf("can't read line info: %v", err)
 		}
 
-		if li.InsnOff%asm.InstructionSize != 0 {
-			return nil, fmt.Errorf("offset %v is not aligned with instruction size", li.InsnOff)
-		}
+		if offsetInBytes {
+			if li.InsnOff%asm.InstructionSize != 0 {
+				return nil, fmt.Errorf("offset %v is not aligned with instruction size", li.InsnOff)
+			}
 
-		// ELF tracks offset in bytes, the kernel expects raw BPF instructions.
-		// Convert as early as possible.
-		li.InsnOff /= asm.InstructionSize
+			// ELF tracks offset in bytes, the kernel expects raw BPF instructions.
+			// Convert as early as possible.
+			li.InsnOff /= asm.InstructionSize
+		}
 
 		out = append(out, li)
 	}
@@ -661,6 +721,11 @@
 	return relo
 }
 
+// CORERelocationInfos contains a sorted list of co:re relocation infos.
+type CORERelocationInfos struct {
+	infos []coreRelocationInfo
+}
+
 type coreRelocationInfo struct {
 	relo   *CORERelocation
 	offset asm.RawInstructionOffset
@@ -693,17 +758,19 @@
 	}, nil
 }
 
-func newRelocationInfos(brs []bpfCORERelo, spec *Spec, strings *stringTable) ([]coreRelocationInfo, error) {
-	rs := make([]coreRelocationInfo, 0, len(brs))
+func newRelocationInfos(brs []bpfCORERelo, spec *Spec, strings *stringTable) (CORERelocationInfos, error) {
+	rs := CORERelocationInfos{
+		infos: make([]coreRelocationInfo, 0, len(brs)),
+	}
 	for _, br := range brs {
 		relo, err := newRelocationInfo(br, spec, strings)
 		if err != nil {
-			return nil, fmt.Errorf("offset %d: %w", br.InsnOff, err)
+			return CORERelocationInfos{}, fmt.Errorf("offset %d: %w", br.InsnOff, err)
 		}
-		rs = append(rs, *relo)
+		rs.infos = append(rs.infos, *relo)
 	}
-	sort.Slice(rs, func(i, j int) bool {
-		return rs[i].offset < rs[j].offset
+	sort.Slice(rs.infos, func(i, j int) bool {
+		return rs.infos[i].offset < rs.infos[j].offset
 	})
 	return rs, nil
 }
diff --git a/vendor/github.com/cilium/ebpf/btf/feature.go b/vendor/github.com/cilium/ebpf/btf/feature.go
new file mode 100644
index 0000000..6feb08d
--- /dev/null
+++ b/vendor/github.com/cilium/ebpf/btf/feature.go
@@ -0,0 +1,123 @@
+package btf
+
+import (
+	"errors"
+	"math"
+
+	"github.com/cilium/ebpf/internal"
+	"github.com/cilium/ebpf/internal/sys"
+	"github.com/cilium/ebpf/internal/unix"
+)
+
+// haveBTF attempts to load a BTF blob containing an Int. It should pass on any
+// kernel that supports BPF_BTF_LOAD.
+var haveBTF = internal.NewFeatureTest("BTF", "4.18", func() error {
+	// 0-length anonymous integer
+	err := probeBTF(&Int{})
+	if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) {
+		return internal.ErrNotSupported
+	}
+	return err
+})
+
+// haveMapBTF attempts to load a minimal BTF blob containing a Var. It is
+// used as a proxy for .bss, .data and .rodata map support, which generally
+// come with a Var and Datasec. These were introduced in Linux 5.2.
+var haveMapBTF = internal.NewFeatureTest("Map BTF (Var/Datasec)", "5.2", func() error {
+	if err := haveBTF(); err != nil {
+		return err
+	}
+
+	v := &Var{
+		Name: "a",
+		Type: &Pointer{(*Void)(nil)},
+	}
+
+	err := probeBTF(v)
+	if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) {
+		// Treat both EINVAL and EPERM as not supported: creating the map may still
+		// succeed without Btf* attrs.
+		return internal.ErrNotSupported
+	}
+	return err
+})
+
+// haveProgBTF attempts to load a BTF blob containing a Func and FuncProto. It
+// is used as a proxy for ext_info (func_info) support, which depends on
+// Func(Proto) by definition.
+var haveProgBTF = internal.NewFeatureTest("Program BTF (func/line_info)", "5.0", func() error {
+	if err := haveBTF(); err != nil {
+		return err
+	}
+
+	fn := &Func{
+		Name: "a",
+		Type: &FuncProto{Return: (*Void)(nil)},
+	}
+
+	err := probeBTF(fn)
+	if errors.Is(err, unix.EINVAL) || errors.Is(err, unix.EPERM) {
+		return internal.ErrNotSupported
+	}
+	return err
+})
+
+var haveFuncLinkage = internal.NewFeatureTest("BTF func linkage", "5.6", func() error {
+	if err := haveProgBTF(); err != nil {
+		return err
+	}
+
+	fn := &Func{
+		Name:    "a",
+		Type:    &FuncProto{Return: (*Void)(nil)},
+		Linkage: GlobalFunc,
+	}
+
+	err := probeBTF(fn)
+	if errors.Is(err, unix.EINVAL) {
+		return internal.ErrNotSupported
+	}
+	return err
+})
+
+var haveEnum64 = internal.NewFeatureTest("ENUM64", "6.0", func() error {
+	if err := haveBTF(); err != nil {
+		return err
+	}
+
+	enum := &Enum{
+		Size: 8,
+		Values: []EnumValue{
+			{"TEST", math.MaxUint32 + 1},
+		},
+	}
+
+	err := probeBTF(enum)
+	if errors.Is(err, unix.EINVAL) {
+		return internal.ErrNotSupported
+	}
+	return err
+})
+
+func probeBTF(typ Type) error {
+	b, err := NewBuilder([]Type{typ})
+	if err != nil {
+		return err
+	}
+
+	buf, err := b.Marshal(nil, nil)
+	if err != nil {
+		return err
+	}
+
+	fd, err := sys.BtfLoad(&sys.BtfLoadAttr{
+		Btf:     sys.NewSlicePointer(buf),
+		BtfSize: uint32(len(buf)),
+	})
+
+	if err == nil {
+		fd.Close()
+	}
+
+	return err
+}
diff --git a/vendor/github.com/cilium/ebpf/btf/format.go b/vendor/github.com/cilium/ebpf/btf/format.go
index e852202..5e581b4 100644
--- a/vendor/github.com/cilium/ebpf/btf/format.go
+++ b/vendor/github.com/cilium/ebpf/btf/format.go
@@ -77,7 +77,13 @@
 	gf.w.WriteString("; const ( ")
 	for _, ev := range e.Values {
 		id := gf.enumIdentifier(name, ev.Name)
-		fmt.Fprintf(&gf.w, "%s %s = %d; ", id, name, ev.Value)
+		var value any
+		if e.Signed {
+			value = int64(ev.Value)
+		} else {
+			value = ev.Value
+		}
+		fmt.Fprintf(&gf.w, "%s %s = %d; ", id, name, value)
 	}
 	gf.w.WriteString(")")
 
@@ -112,7 +118,7 @@
 //	uint32
 func (gf *GoFormatter) writeTypeLit(typ Type, depth int) error {
 	depth++
-	if depth > maxTypeDepth {
+	if depth > maxResolveDepth {
 		return errNestedTooDeep
 	}
 
@@ -259,7 +265,7 @@
 		}
 
 		depth++
-		if depth > maxTypeDepth {
+		if depth > maxResolveDepth {
 			return errNestedTooDeep
 		}
 
@@ -332,7 +338,7 @@
 
 func skipQualifiers(typ Type) Type {
 	result := typ
-	for depth := 0; depth <= maxTypeDepth; depth++ {
+	for depth := 0; depth <= maxResolveDepth; depth++ {
 		switch v := (result).(type) {
 		case qualifier:
 			result = v.qualify()
diff --git a/vendor/github.com/cilium/ebpf/btf/marshal.go b/vendor/github.com/cilium/ebpf/btf/marshal.go
index bfe53b4..0d093c6 100644
--- a/vendor/github.com/cilium/ebpf/btf/marshal.go
+++ b/vendor/github.com/cilium/ebpf/btf/marshal.go
@@ -18,6 +18,8 @@
 	Order binary.ByteOrder
 	// Remove function linkage information for compatibility with <5.6 kernels.
 	StripFuncLinkage bool
+	// Replace Enum64 with a placeholder for compatibility with <6.0 kernels.
+	ReplaceEnum64 bool
 }
 
 // KernelMarshalOptions will generate BTF suitable for the current kernel.
@@ -25,6 +27,7 @@
 	return &MarshalOptions{
 		Order:            internal.NativeEndian,
 		StripFuncLinkage: haveFuncLinkage() != nil,
+		ReplaceEnum64:    haveEnum64() != nil,
 	}
 }
 
@@ -328,21 +331,13 @@
 		raw.data, err = e.convertMembers(&raw.btfType, v.Members)
 
 	case *Union:
-		raw.SetKind(kindUnion)
-		raw.SetSize(v.Size)
-		raw.data, err = e.convertMembers(&raw.btfType, v.Members)
+		err = e.deflateUnion(&raw, v)
 
 	case *Enum:
-		raw.SetSize(v.size())
-		raw.SetVlen(len(v.Values))
-		raw.SetSigned(v.Signed)
-
-		if v.has64BitValues() {
-			raw.SetKind(kindEnum64)
-			raw.data, err = e.deflateEnum64Values(v.Values)
+		if v.Size == 8 {
+			err = e.deflateEnum64(&raw, v)
 		} else {
-			raw.SetKind(kindEnum)
-			raw.data, err = e.deflateEnumValues(v.Values)
+			err = e.deflateEnum(&raw, v)
 		}
 
 	case *Fwd:
@@ -415,6 +410,13 @@
 	return raw.Marshal(e.buf, e.Order)
 }
 
+func (e *encoder) deflateUnion(raw *rawType, union *Union) (err error) {
+	raw.SetKind(kindUnion)
+	raw.SetSize(union.Size)
+	raw.data, err = e.convertMembers(&raw.btfType, union.Members)
+	return
+}
+
 func (e *encoder) convertMembers(header *btfType, members []Member) ([]btfMember, error) {
 	bms := make([]btfMember, 0, len(members))
 	isBitfield := false
@@ -443,16 +445,32 @@
 	return bms, nil
 }
 
-func (e *encoder) deflateEnumValues(values []EnumValue) ([]btfEnum, error) {
-	bes := make([]btfEnum, 0, len(values))
-	for _, value := range values {
+func (e *encoder) deflateEnum(raw *rawType, enum *Enum) (err error) {
+	raw.SetKind(kindEnum)
+	raw.SetSize(enum.Size)
+	raw.SetVlen(len(enum.Values))
+	// Signedness appeared together with ENUM64 support.
+	raw.SetSigned(enum.Signed && !e.ReplaceEnum64)
+	raw.data, err = e.deflateEnumValues(enum)
+	return
+}
+
+func (e *encoder) deflateEnumValues(enum *Enum) ([]btfEnum, error) {
+	bes := make([]btfEnum, 0, len(enum.Values))
+	for _, value := range enum.Values {
 		nameOff, err := e.strings.Add(value.Name)
 		if err != nil {
 			return nil, err
 		}
 
-		if value.Value > math.MaxUint32 {
-			return nil, fmt.Errorf("value of enum %q exceeds 32 bits", value.Name)
+		if enum.Signed {
+			if signedValue := int64(value.Value); signedValue < math.MinInt32 || signedValue > math.MaxInt32 {
+				return nil, fmt.Errorf("value %d of enum %q exceeds 32 bits", signedValue, value.Name)
+			}
+		} else {
+			if value.Value > math.MaxUint32 {
+				return nil, fmt.Errorf("value %d of enum %q exceeds 32 bits", value.Value, value.Name)
+			}
 		}
 
 		bes = append(bes, btfEnum{
@@ -464,6 +482,41 @@
 	return bes, nil
 }
 
+func (e *encoder) deflateEnum64(raw *rawType, enum *Enum) (err error) {
+	if e.ReplaceEnum64 {
+		// Replace the ENUM64 with a union of fields with the correct size.
+		// This matches libbpf behaviour on purpose.
+		placeholder := &Int{
+			"enum64_placeholder",
+			enum.Size,
+			Unsigned,
+		}
+		if enum.Signed {
+			placeholder.Encoding = Signed
+		}
+		if err := e.allocateID(placeholder); err != nil {
+			return fmt.Errorf("add enum64 placeholder: %w", err)
+		}
+
+		members := make([]Member, 0, len(enum.Values))
+		for _, v := range enum.Values {
+			members = append(members, Member{
+				Name: v.Name,
+				Type: placeholder,
+			})
+		}
+
+		return e.deflateUnion(raw, &Union{enum.Name, enum.Size, members})
+	}
+
+	raw.SetKind(kindEnum64)
+	raw.SetSize(enum.Size)
+	raw.SetVlen(len(enum.Values))
+	raw.SetSigned(enum.Signed)
+	raw.data, err = e.deflateEnum64Values(enum.Values)
+	return
+}
+
 func (e *encoder) deflateEnum64Values(values []EnumValue) ([]btfEnum64, error) {
 	bes := make([]btfEnum64, 0, len(values))
 	for _, value := range values {
diff --git a/vendor/github.com/cilium/ebpf/btf/strings.go b/vendor/github.com/cilium/ebpf/btf/strings.go
index bc6aff2..114d250 100644
--- a/vendor/github.com/cilium/ebpf/btf/strings.go
+++ b/vendor/github.com/cilium/ebpf/btf/strings.go
@@ -9,11 +9,13 @@
 	"strings"
 
 	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
 )
 
 type stringTable struct {
 	base    *stringTable
 	offsets []uint32
+	prevIdx int
 	strings []string
 }
 
@@ -60,7 +62,7 @@
 		return nil, errors.New("first item in string table is non-empty")
 	}
 
-	return &stringTable{base, offsets, strings}, nil
+	return &stringTable{base, offsets, 0, strings}, nil
 }
 
 func splitNull(data []byte, atEOF bool) (advance int, token []byte, err error) {
@@ -83,53 +85,36 @@
 }
 
 func (st *stringTable) lookup(offset uint32) (string, error) {
-	i := search(st.offsets, offset)
-	if i == len(st.offsets) || st.offsets[i] != offset {
+	// Fast path: zero offset is the empty string, looked up frequently.
+	if offset == 0 && st.base == nil {
+		return "", nil
+	}
+
+	// Accesses tend to be globally increasing, so check if the next string is
+	// the one we want. This skips the binary search in about 50% of cases.
+	if st.prevIdx+1 < len(st.offsets) && st.offsets[st.prevIdx+1] == offset {
+		st.prevIdx++
+		return st.strings[st.prevIdx], nil
+	}
+
+	i, found := slices.BinarySearch(st.offsets, offset)
+	if !found {
 		return "", fmt.Errorf("offset %d isn't start of a string", offset)
 	}
 
+	// Set the new increment index, but only if its greater than the current.
+	if i > st.prevIdx+1 {
+		st.prevIdx = i
+	}
+
 	return st.strings[i], nil
 }
 
-func (st *stringTable) Marshal(w io.Writer) error {
-	for _, str := range st.strings {
-		_, err := io.WriteString(w, str)
-		if err != nil {
-			return err
-		}
-		_, err = w.Write([]byte{0})
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 // Num returns the number of strings in the table.
 func (st *stringTable) Num() int {
 	return len(st.strings)
 }
 
-// search is a copy of sort.Search specialised for uint32.
-//
-// Licensed under https://go.dev/LICENSE
-func search(ints []uint32, needle uint32) int {
-	// Define f(-1) == false and f(n) == true.
-	// Invariant: f(i-1) == false, f(j) == true.
-	i, j := 0, len(ints)
-	for i < j {
-		h := int(uint(i+j) >> 1) // avoid overflow when computing h
-		// i ≤ h < j
-		if !(ints[h] >= needle) {
-			i = h + 1 // preserves f(i-1) == false
-		} else {
-			j = h // preserves f(j) == true
-		}
-	}
-	// i == j, f(i-1) == false, and f(j) (= f(i)) == true  =>  answer is i.
-	return i
-}
-
 // stringTableBuilder builds BTF string tables.
 type stringTableBuilder struct {
 	length  uint32
diff --git a/vendor/github.com/cilium/ebpf/btf/types.go b/vendor/github.com/cilium/ebpf/btf/types.go
index 68d4a17..8bd7fc7 100644
--- a/vendor/github.com/cilium/ebpf/btf/types.go
+++ b/vendor/github.com/cilium/ebpf/btf/types.go
@@ -1,19 +1,22 @@
 package btf
 
 import (
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"math"
-	"reflect"
 	"strings"
 
 	"github.com/cilium/ebpf/asm"
 	"github.com/cilium/ebpf/internal"
 	"github.com/cilium/ebpf/internal/sys"
+	"golang.org/x/exp/slices"
 )
 
-const maxTypeDepth = 32
+// Mirrors MAX_RESOLVE_DEPTH in libbpf.
+// https://github.com/libbpf/libbpf/blob/e26b84dc330c9644c07428c271ab491b0f01f4e1/src/btf.c#L761
+const maxResolveDepth = 32
 
 // TypeID identifies a type in a BTF section.
 type TypeID = sys.TypeID
@@ -116,7 +119,7 @@
 }
 
 func (i *Int) Format(fs fmt.State, verb rune) {
-	formatType(fs, verb, i, i.Encoding, "size=", i.Size*8)
+	formatType(fs, verb, i, i.Encoding, "size=", i.Size)
 }
 
 func (i *Int) TypeName() string { return i.Name }
@@ -278,21 +281,6 @@
 	return &cpy
 }
 
-// has64BitValues returns true if the Enum contains a value larger than 32 bits.
-// Kernels before 6.0 have enum values that overrun u32 replaced with zeroes.
-//
-// 64-bit enums have their Enum.Size attributes correctly set to 8, but if we
-// use the size attribute as a heuristic during BTF marshaling, we'll emit
-// ENUM64s to kernels that don't support them.
-func (e *Enum) has64BitValues() bool {
-	for _, v := range e.Values {
-		if v.Value > math.MaxUint32 {
-			return true
-		}
-	}
-	return false
-}
-
 // FwdKind is the type of forward declaration.
 type FwdKind int
 
@@ -605,7 +593,7 @@
 		elem int64
 	)
 
-	for i := 0; i < maxTypeDepth; i++ {
+	for i := 0; i < maxResolveDepth; i++ {
 		switch v := typ.(type) {
 		case *Array:
 			if n > 0 && int64(v.Nelems) > math.MaxInt64/n {
@@ -740,17 +728,22 @@
 
 type typeDeque = internal.Deque[*Type]
 
-// inflateRawTypes takes a list of raw btf types linked via type IDs, and turns
-// it into a graph of Types connected via pointers.
+// readAndInflateTypes reads the raw btf type info and turns it into a graph
+// of Types connected via pointers.
 //
-// If base is provided, then the raw types are considered to be of a split BTF
+// If base is provided, then the types are considered to be of a split BTF
 // (e.g., a kernel module).
 //
 // Returns a slice of types indexed by TypeID. Since BTF ignores compilation
 // units, multiple types may share the same name. A Type may form a cyclic graph
 // by pointing at itself.
-func inflateRawTypes(rawTypes []rawType, rawStrings *stringTable, base *Spec) ([]Type, error) {
-	types := make([]Type, 0, len(rawTypes)+1) // +1 for Void added to base types
+func readAndInflateTypes(r io.Reader, bo binary.ByteOrder, typeLen uint32, rawStrings *stringTable, base *Spec) ([]Type, error) {
+	// because of the interleaving between types and struct members it is difficult to
+	// precompute the numbers of raw types this will parse
+	// this "guess" is a good first estimation
+	sizeOfbtfType := uintptr(btfTypeLen)
+	tyMaxCount := uintptr(typeLen) / sizeOfbtfType / 2
+	types := make([]Type, 0, tyMaxCount)
 
 	// Void is defined to always be type ID 0, and is thus omitted from BTF.
 	types = append(types, (*Void)(nil))
@@ -773,11 +766,11 @@
 	}
 
 	var fixups []fixupDef
-	fixup := func(id TypeID, typ *Type) bool {
+	fixup := func(id TypeID, typ *Type) {
 		if id < firstTypeID {
 			if baseType, err := base.TypeByID(id); err == nil {
 				*typ = baseType
-				return true
+				return
 			}
 		}
 
@@ -785,31 +778,10 @@
 		if idx < len(types) {
 			// We've already inflated this type, fix it up immediately.
 			*typ = types[idx]
-			return true
+			return
 		}
 
 		fixups = append(fixups, fixupDef{id, typ})
-		return false
-	}
-
-	type assertion struct {
-		id   TypeID
-		typ  *Type
-		want reflect.Type
-	}
-
-	var assertions []assertion
-	fixupAndAssert := func(id TypeID, typ *Type, want reflect.Type) error {
-		if !fixup(id, typ) {
-			assertions = append(assertions, assertion{id, typ, want})
-			return nil
-		}
-
-		// The type has already been fixed up, check the type immediately.
-		if reflect.TypeOf(*typ) != want {
-			return fmt.Errorf("type ID %d: expected %s, got %T", id, want, *typ)
-		}
-		return nil
 	}
 
 	type bitfieldFixupDef struct {
@@ -876,62 +848,128 @@
 		return members, nil
 	}
 
+	var (
+		buf       = make([]byte, 1024)
+		header    btfType
+		bInt      btfInt
+		bArr      btfArray
+		bMembers  []btfMember
+		bEnums    []btfEnum
+		bParams   []btfParam
+		bVariable btfVariable
+		bSecInfos []btfVarSecinfo
+		bDeclTag  btfDeclTag
+		bEnums64  []btfEnum64
+	)
+
 	var declTags []*declTag
-	for _, raw := range rawTypes {
+	for {
 		var (
 			id  = firstTypeID + TypeID(len(types))
 			typ Type
 		)
 
+		if _, err := io.ReadFull(r, buf[:btfTypeLen]); err == io.EOF {
+			break
+		} else if err != nil {
+			return nil, fmt.Errorf("can't read type info for id %v: %v", id, err)
+		}
+
+		if _, err := unmarshalBtfType(&header, buf[:btfTypeLen], bo); err != nil {
+			return nil, fmt.Errorf("can't unmarshal type info for id %v: %v", id, err)
+		}
+
 		if id < firstTypeID {
 			return nil, fmt.Errorf("no more type IDs")
 		}
 
-		name, err := rawStrings.Lookup(raw.NameOff)
+		name, err := rawStrings.Lookup(header.NameOff)
 		if err != nil {
 			return nil, fmt.Errorf("get name for type id %d: %w", id, err)
 		}
 
-		switch raw.Kind() {
+		switch header.Kind() {
 		case kindInt:
-			size := raw.Size()
-			bi := raw.data.(*btfInt)
-			if bi.Offset() > 0 || bi.Bits().Bytes() != size {
-				legacyBitfields[id] = [2]Bits{bi.Offset(), bi.Bits()}
+			size := header.Size()
+			buf = buf[:btfIntLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfInt, id: %d: %w", id, err)
 			}
-			typ = &Int{name, raw.Size(), bi.Encoding()}
+			if _, err := unmarshalBtfInt(&bInt, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't unmarshal btfInt, id: %d: %w", id, err)
+			}
+			if bInt.Offset() > 0 || bInt.Bits().Bytes() != size {
+				legacyBitfields[id] = [2]Bits{bInt.Offset(), bInt.Bits()}
+			}
+			typ = &Int{name, header.Size(), bInt.Encoding()}
 
 		case kindPointer:
 			ptr := &Pointer{nil}
-			fixup(raw.Type(), &ptr.Target)
+			fixup(header.Type(), &ptr.Target)
 			typ = ptr
 
 		case kindArray:
-			btfArr := raw.data.(*btfArray)
-			arr := &Array{nil, nil, btfArr.Nelems}
-			fixup(btfArr.IndexType, &arr.Index)
-			fixup(btfArr.Type, &arr.Type)
+			buf = buf[:btfArrayLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfArray, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfArray(&bArr, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't unmarshal btfArray, id: %d: %w", id, err)
+			}
+
+			arr := &Array{nil, nil, bArr.Nelems}
+			fixup(bArr.IndexType, &arr.Index)
+			fixup(bArr.Type, &arr.Type)
 			typ = arr
 
 		case kindStruct:
-			members, err := convertMembers(raw.data.([]btfMember), raw.Bitfield())
+			vlen := header.Vlen()
+			bMembers = slices.Grow(bMembers[:0], vlen)[:vlen]
+			buf = slices.Grow(buf[:0], vlen*btfMemberLen)[:vlen*btfMemberLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfMembers, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfMembers(bMembers, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't unmarshal btfMembers, id: %d: %w", id, err)
+			}
+
+			members, err := convertMembers(bMembers, header.Bitfield())
 			if err != nil {
 				return nil, fmt.Errorf("struct %s (id %d): %w", name, id, err)
 			}
-			typ = &Struct{name, raw.Size(), members}
+			typ = &Struct{name, header.Size(), members}
 
 		case kindUnion:
-			members, err := convertMembers(raw.data.([]btfMember), raw.Bitfield())
+			vlen := header.Vlen()
+			bMembers = slices.Grow(bMembers[:0], vlen)[:vlen]
+			buf = slices.Grow(buf[:0], vlen*btfMemberLen)[:vlen*btfMemberLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfMembers, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfMembers(bMembers, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't unmarshal btfMembers, id: %d: %w", id, err)
+			}
+
+			members, err := convertMembers(bMembers, header.Bitfield())
 			if err != nil {
 				return nil, fmt.Errorf("union %s (id %d): %w", name, id, err)
 			}
-			typ = &Union{name, raw.Size(), members}
+			typ = &Union{name, header.Size(), members}
 
 		case kindEnum:
-			rawvals := raw.data.([]btfEnum)
-			vals := make([]EnumValue, 0, len(rawvals))
-			signed := raw.Signed()
-			for i, btfVal := range rawvals {
+			vlen := header.Vlen()
+			bEnums = slices.Grow(bEnums[:0], vlen)[:vlen]
+			buf = slices.Grow(buf[:0], vlen*btfEnumLen)[:vlen*btfEnumLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfEnums, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfEnums(bEnums, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't unmarshal btfEnums, id: %d: %w", id, err)
+			}
+
+			vals := make([]EnumValue, 0, vlen)
+			signed := header.Signed()
+			for i, btfVal := range bEnums {
 				name, err := rawStrings.Lookup(btfVal.NameOff)
 				if err != nil {
 					return nil, fmt.Errorf("get name for enum value %d: %s", i, err)
@@ -943,42 +981,49 @@
 				}
 				vals = append(vals, EnumValue{name, value})
 			}
-			typ = &Enum{name, raw.Size(), signed, vals}
+			typ = &Enum{name, header.Size(), signed, vals}
 
 		case kindForward:
-			typ = &Fwd{name, raw.FwdKind()}
+			typ = &Fwd{name, header.FwdKind()}
 
 		case kindTypedef:
 			typedef := &Typedef{name, nil}
-			fixup(raw.Type(), &typedef.Type)
+			fixup(header.Type(), &typedef.Type)
 			typ = typedef
 
 		case kindVolatile:
 			volatile := &Volatile{nil}
-			fixup(raw.Type(), &volatile.Type)
+			fixup(header.Type(), &volatile.Type)
 			typ = volatile
 
 		case kindConst:
 			cnst := &Const{nil}
-			fixup(raw.Type(), &cnst.Type)
+			fixup(header.Type(), &cnst.Type)
 			typ = cnst
 
 		case kindRestrict:
 			restrict := &Restrict{nil}
-			fixup(raw.Type(), &restrict.Type)
+			fixup(header.Type(), &restrict.Type)
 			typ = restrict
 
 		case kindFunc:
-			fn := &Func{name, nil, raw.Linkage()}
-			if err := fixupAndAssert(raw.Type(), &fn.Type, reflect.TypeOf((*FuncProto)(nil))); err != nil {
-				return nil, err
-			}
+			fn := &Func{name, nil, header.Linkage()}
+			fixup(header.Type(), &fn.Type)
 			typ = fn
 
 		case kindFuncProto:
-			rawparams := raw.data.([]btfParam)
-			params := make([]FuncParam, 0, len(rawparams))
-			for i, param := range rawparams {
+			vlen := header.Vlen()
+			bParams = slices.Grow(bParams[:0], vlen)[:vlen]
+			buf = slices.Grow(buf[:0], vlen*btfParamLen)[:vlen*btfParamLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfParams, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfParams(bParams, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't unmarshal btfParams, id: %d: %w", id, err)
+			}
+
+			params := make([]FuncParam, 0, vlen)
+			for i, param := range bParams {
 				name, err := rawStrings.Lookup(param.NameOff)
 				if err != nil {
 					return nil, fmt.Errorf("get name for func proto parameter %d: %s", i, err)
@@ -988,57 +1033,90 @@
 				})
 			}
 			for i := range params {
-				fixup(rawparams[i].Type, &params[i].Type)
+				fixup(bParams[i].Type, &params[i].Type)
 			}
 
 			fp := &FuncProto{nil, params}
-			fixup(raw.Type(), &fp.Return)
+			fixup(header.Type(), &fp.Return)
 			typ = fp
 
 		case kindVar:
-			variable := raw.data.(*btfVariable)
-			v := &Var{name, nil, VarLinkage(variable.Linkage)}
-			fixup(raw.Type(), &v.Type)
+			buf = buf[:btfVariableLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfVariable, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfVariable(&bVariable, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't read btfVariable, id: %d: %w", id, err)
+			}
+
+			v := &Var{name, nil, VarLinkage(bVariable.Linkage)}
+			fixup(header.Type(), &v.Type)
 			typ = v
 
 		case kindDatasec:
-			btfVars := raw.data.([]btfVarSecinfo)
-			vars := make([]VarSecinfo, 0, len(btfVars))
-			for _, btfVar := range btfVars {
+			vlen := header.Vlen()
+			bSecInfos = slices.Grow(bSecInfos[:0], vlen)[:vlen]
+			buf = slices.Grow(buf[:0], vlen*btfVarSecinfoLen)[:vlen*btfVarSecinfoLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfVarSecInfos, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfVarSecInfos(bSecInfos, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't unmarshal btfVarSecInfos, id: %d: %w", id, err)
+			}
+
+			vars := make([]VarSecinfo, 0, vlen)
+			for _, btfVar := range bSecInfos {
 				vars = append(vars, VarSecinfo{
 					Offset: btfVar.Offset,
 					Size:   btfVar.Size,
 				})
 			}
 			for i := range vars {
-				fixup(btfVars[i].Type, &vars[i].Type)
+				fixup(bSecInfos[i].Type, &vars[i].Type)
 			}
-			typ = &Datasec{name, raw.Size(), vars}
+			typ = &Datasec{name, header.Size(), vars}
 
 		case kindFloat:
-			typ = &Float{name, raw.Size()}
+			typ = &Float{name, header.Size()}
 
 		case kindDeclTag:
-			btfIndex := raw.data.(*btfDeclTag).ComponentIdx
+			buf = buf[:btfDeclTagLen]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfDeclTag, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfDeclTag(&bDeclTag, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't read btfDeclTag, id: %d: %w", id, err)
+			}
+
+			btfIndex := bDeclTag.ComponentIdx
 			if uint64(btfIndex) > math.MaxInt {
 				return nil, fmt.Errorf("type id %d: index exceeds int", id)
 			}
 
 			dt := &declTag{nil, name, int(int32(btfIndex))}
-			fixup(raw.Type(), &dt.Type)
+			fixup(header.Type(), &dt.Type)
 			typ = dt
 
 			declTags = append(declTags, dt)
 
 		case kindTypeTag:
 			tt := &typeTag{nil, name}
-			fixup(raw.Type(), &tt.Type)
+			fixup(header.Type(), &tt.Type)
 			typ = tt
 
 		case kindEnum64:
-			rawvals := raw.data.([]btfEnum64)
-			vals := make([]EnumValue, 0, len(rawvals))
-			for i, btfVal := range rawvals {
+			vlen := header.Vlen()
+			bEnums64 = slices.Grow(bEnums64[:0], vlen)[:vlen]
+			buf = slices.Grow(buf[:0], vlen*btfEnum64Len)[:vlen*btfEnum64Len]
+			if _, err := io.ReadFull(r, buf); err != nil {
+				return nil, fmt.Errorf("can't read btfEnum64s, id: %d: %w", id, err)
+			}
+			if _, err := unmarshalBtfEnums64(bEnums64, buf, bo); err != nil {
+				return nil, fmt.Errorf("can't unmarshal btfEnum64s, id: %d: %w", id, err)
+			}
+
+			vals := make([]EnumValue, 0, vlen)
+			for i, btfVal := range bEnums64 {
 				name, err := rawStrings.Lookup(btfVal.NameOff)
 				if err != nil {
 					return nil, fmt.Errorf("get name for enum64 value %d: %s", i, err)
@@ -1046,10 +1124,10 @@
 				value := (uint64(btfVal.ValHi32) << 32) | uint64(btfVal.ValLo32)
 				vals = append(vals, EnumValue{name, value})
 			}
-			typ = &Enum{name, raw.Size(), raw.Signed(), vals}
+			typ = &Enum{name, header.Size(), header.Signed(), vals}
 
 		default:
-			return nil, fmt.Errorf("type id %d: unknown kind: %v", id, raw.Kind())
+			return nil, fmt.Errorf("type id %d: unknown kind: %v", id, header.Kind())
 		}
 
 		types = append(types, typ)
@@ -1081,12 +1159,6 @@
 		}
 	}
 
-	for _, assertion := range assertions {
-		if reflect.TypeOf(*assertion.typ) != assertion.want {
-			return nil, fmt.Errorf("type ID %d: expected %s, got %T", assertion.id, assertion.want, *assertion.typ)
-		}
-	}
-
 	for _, dt := range declTags {
 		switch t := dt.Type.(type) {
 		case *Var, *Typedef:
@@ -1100,7 +1172,12 @@
 			}
 
 		case *Func:
-			if dt.Index >= len(t.Type.(*FuncProto).Params) {
+			fp, ok := t.Type.(*FuncProto)
+			if !ok {
+				return nil, fmt.Errorf("type %s: %s is not a FuncProto", dt, t.Type)
+			}
+
+			if dt.Index >= len(fp.Params) {
 				return nil, fmt.Errorf("type %s: index %d exceeds params of %s", dt, dt.Index, t)
 			}
 
@@ -1136,7 +1213,7 @@
 // UnderlyingType skips qualifiers and Typedefs.
 func UnderlyingType(typ Type) Type {
 	result := typ
-	for depth := 0; depth <= maxTypeDepth; depth++ {
+	for depth := 0; depth <= maxResolveDepth; depth++ {
 		switch v := (result).(type) {
 		case qualifier:
 			result = v.qualify()
@@ -1155,7 +1232,7 @@
 // Returns the zero value and false if there is no T or if the type is nested
 // too deeply.
 func as[T Type](typ Type) (T, bool) {
-	for depth := 0; depth <= maxTypeDepth; depth++ {
+	for depth := 0; depth <= maxResolveDepth; depth++ {
 		switch v := (typ).(type) {
 		case T:
 			return v, true
diff --git a/vendor/github.com/cilium/ebpf/collection.go b/vendor/github.com/cilium/ebpf/collection.go
index fb720be..a553222 100644
--- a/vendor/github.com/cilium/ebpf/collection.go
+++ b/vendor/github.com/cilium/ebpf/collection.go
@@ -11,6 +11,7 @@
 	"github.com/cilium/ebpf/btf"
 	"github.com/cilium/ebpf/internal"
 	"github.com/cilium/ebpf/internal/kconfig"
+	"github.com/cilium/ebpf/internal/sysenc"
 )
 
 // CollectionOptions control loading a collection into the kernel.
@@ -175,12 +176,12 @@
 				return fmt.Errorf("section %s: offset %d(+%d) for variable %s is out of bounds", name, v.Offset, v.Size, vname)
 			}
 
-			b, err := marshalBytes(replacement, int(v.Size))
+			b, err := sysenc.Marshal(replacement, int(v.Size))
 			if err != nil {
 				return fmt.Errorf("marshaling constant replacement %s: %w", vname, err)
 			}
 
-			copy(cpy[v.Offset:v.Offset+v.Size], b)
+			b.CopyTo(cpy[v.Offset : v.Offset+v.Size])
 
 			replaced[vname] = true
 		}
@@ -308,7 +309,7 @@
 	}
 
 	// Populate the requested maps. Has a chance of lazy-loading other dependent maps.
-	if err := loader.populateMaps(); err != nil {
+	if err := loader.populateDeferredMaps(); err != nil {
 		return err
 	}
 
@@ -388,7 +389,7 @@
 
 	// Maps can contain Program and Map stubs, so populate them after
 	// all Maps and Programs have been successfully loaded.
-	if err := loader.populateMaps(); err != nil {
+	if err := loader.populateDeferredMaps(); err != nil {
 		return nil, err
 	}
 
@@ -470,6 +471,15 @@
 		return nil, fmt.Errorf("map %s: %w", mapName, err)
 	}
 
+	// Finalize 'scalar' maps that don't refer to any other eBPF resources
+	// potentially pending creation. This is needed for frozen maps like .rodata
+	// that need to be finalized before invoking the verifier.
+	if !mapSpec.Type.canStoreMapOrProgram() {
+		if err := m.finalize(mapSpec); err != nil {
+			return nil, fmt.Errorf("finalizing map %s: %w", mapName, err)
+		}
+	}
+
 	cl.maps[mapName] = m
 	return m, nil
 }
@@ -527,44 +537,50 @@
 	return prog, nil
 }
 
-func (cl *collectionLoader) populateMaps() error {
+// populateDeferredMaps iterates maps holding programs or other maps and loads
+// any dependencies. Populates all maps in cl and freezes them if specified.
+func (cl *collectionLoader) populateDeferredMaps() error {
 	for mapName, m := range cl.maps {
 		mapSpec, ok := cl.coll.Maps[mapName]
 		if !ok {
 			return fmt.Errorf("missing map spec %s", mapName)
 		}
 
+		// Scalar maps without Map or Program references are finalized during
+		// creation. Don't finalize them again.
+		if !mapSpec.Type.canStoreMapOrProgram() {
+			continue
+		}
+
+		mapSpec = mapSpec.Copy()
+
 		// MapSpecs that refer to inner maps or programs within the same
 		// CollectionSpec do so using strings. These strings are used as the key
 		// to look up the respective object in the Maps or Programs fields.
 		// Resolve those references to actual Map or Program resources that
 		// have been loaded into the kernel.
-		if mapSpec.Type.canStoreMap() || mapSpec.Type.canStoreProgram() {
-			mapSpec = mapSpec.Copy()
+		for i, kv := range mapSpec.Contents {
+			objName, ok := kv.Value.(string)
+			if !ok {
+				continue
+			}
 
-			for i, kv := range mapSpec.Contents {
-				objName, ok := kv.Value.(string)
-				if !ok {
-					continue
+			switch t := mapSpec.Type; {
+			case t.canStoreProgram():
+				// loadProgram is idempotent and could return an existing Program.
+				prog, err := cl.loadProgram(objName)
+				if err != nil {
+					return fmt.Errorf("loading program %s, for map %s: %w", objName, mapName, err)
 				}
+				mapSpec.Contents[i] = MapKV{kv.Key, prog}
 
-				switch t := mapSpec.Type; {
-				case t.canStoreProgram():
-					// loadProgram is idempotent and could return an existing Program.
-					prog, err := cl.loadProgram(objName)
-					if err != nil {
-						return fmt.Errorf("loading program %s, for map %s: %w", objName, mapName, err)
-					}
-					mapSpec.Contents[i] = MapKV{kv.Key, prog}
-
-				case t.canStoreMap():
-					// loadMap is idempotent and could return an existing Map.
-					innerMap, err := cl.loadMap(objName)
-					if err != nil {
-						return fmt.Errorf("loading inner map %s, for map %s: %w", objName, mapName, err)
-					}
-					mapSpec.Contents[i] = MapKV{kv.Key, innerMap}
+			case t.canStoreMap():
+				// loadMap is idempotent and could return an existing Map.
+				innerMap, err := cl.loadMap(objName)
+				if err != nil {
+					return fmt.Errorf("loading inner map %s, for map %s: %w", objName, mapName, err)
 				}
+				mapSpec.Contents[i] = MapKV{kv.Key, innerMap}
 			}
 		}
 
@@ -610,17 +626,20 @@
 			internal.NativeEndian.PutUint32(data[vsi.Offset:], kv.Kernel())
 
 		case "LINUX_HAS_SYSCALL_WRAPPER":
-			if integer, ok := v.Type.(*btf.Int); !ok || integer.Size != 4 {
-				return fmt.Errorf("variable %s must be a 32 bits integer, got %s", n, v.Type)
+			integer, ok := v.Type.(*btf.Int)
+			if !ok {
+				return fmt.Errorf("variable %s must be an integer, got %s", n, v.Type)
 			}
-			var value uint32 = 1
+			var value uint64 = 1
 			if err := haveSyscallWrapper(); errors.Is(err, ErrNotSupported) {
 				value = 0
 			} else if err != nil {
 				return fmt.Errorf("unable to derive a value for LINUX_HAS_SYSCALL_WRAPPER: %w", err)
 			}
 
-			internal.NativeEndian.PutUint32(data[vsi.Offset:], value)
+			if err := kconfig.PutInteger(data[vsi.Offset:], integer, value); err != nil {
+				return fmt.Errorf("set LINUX_HAS_SYSCALL_WRAPPER: %w", err)
+			}
 
 		default: // Catch CONFIG_*.
 			configs[n] = configInfo{
@@ -679,6 +698,71 @@
 	return NewCollection(spec)
 }
 
+// Assign the contents of a Collection to a struct.
+//
+// This function bridges functionality between bpf2go generated
+// code and any functionality better implemented in Collection.
+//
+// 'to' must be a pointer to a struct. A field of the
+// struct is updated with values from Programs or Maps if it
+// has an `ebpf` tag and its type is *Program or *Map.
+// The tag's value specifies the name of the program or map as
+// found in the CollectionSpec.
+//
+//	struct {
+//	    Foo     *ebpf.Program `ebpf:"xdp_foo"`
+//	    Bar     *ebpf.Map     `ebpf:"bar_map"`
+//	    Ignored int
+//	}
+//
+// Returns an error if any of the eBPF objects can't be found, or
+// if the same Map or Program is assigned multiple times.
+//
+// Ownership and Close()ing responsibility is transferred to `to`
+// for any successful assigns. On error `to` is left in an undefined state.
+func (coll *Collection) Assign(to interface{}) error {
+	assignedMaps := make(map[string]bool)
+	assignedProgs := make(map[string]bool)
+
+	// Assign() only transfers already-loaded Maps and Programs. No extra
+	// loading is done.
+	getValue := func(typ reflect.Type, name string) (interface{}, error) {
+		switch typ {
+
+		case reflect.TypeOf((*Program)(nil)):
+			if p := coll.Programs[name]; p != nil {
+				assignedProgs[name] = true
+				return p, nil
+			}
+			return nil, fmt.Errorf("missing program %q", name)
+
+		case reflect.TypeOf((*Map)(nil)):
+			if m := coll.Maps[name]; m != nil {
+				assignedMaps[name] = true
+				return m, nil
+			}
+			return nil, fmt.Errorf("missing map %q", name)
+
+		default:
+			return nil, fmt.Errorf("unsupported type %s", typ)
+		}
+	}
+
+	if err := assignValues(to, getValue); err != nil {
+		return err
+	}
+
+	// Finalize ownership transfer
+	for p := range assignedProgs {
+		delete(coll.Programs, p)
+	}
+	for m := range assignedMaps {
+		delete(coll.Maps, m)
+	}
+
+	return nil
+}
+
 // Close frees all maps and programs associated with the collection.
 //
 // The collection mustn't be used afterwards.
diff --git a/vendor/github.com/cilium/ebpf/elf_reader.go b/vendor/github.com/cilium/ebpf/elf_reader.go
index 8d92672..5a85cbc 100644
--- a/vendor/github.com/cilium/ebpf/elf_reader.go
+++ b/vendor/github.com/cilium/ebpf/elf_reader.go
@@ -81,6 +81,8 @@
 
 	// Collect all the sections we're interested in. This includes relocations
 	// which we parse later.
+	//
+	// Keep the documentation at docs/ebpf/loading/elf-sections.md up-to-date.
 	for i, sec := range f.Sections {
 		idx := elf.SectionIndex(i)
 
@@ -371,7 +373,7 @@
 	r := bufio.NewReader(section.Open())
 
 	// Decode the section's instruction stream.
-	var insns asm.Instructions
+	insns := make(asm.Instructions, 0, section.Size/asm.InstructionSize)
 	if err := insns.Unmarshal(r, ec.ByteOrder); err != nil {
 		return nil, fmt.Errorf("decoding instructions for section %s: %w", section.Name, err)
 	}
@@ -465,10 +467,14 @@
 
 	switch target.kind {
 	case mapSection, btfMapSection:
-		if bind != elf.STB_GLOBAL {
+		if bind == elf.STB_LOCAL {
 			return fmt.Errorf("possible erroneous static qualifier on map definition: found reference to %q", name)
 		}
 
+		if bind != elf.STB_GLOBAL {
+			return fmt.Errorf("map %q: unsupported relocation %s", name, bind)
+		}
+
 		if typ != elf.STT_OBJECT && typ != elf.STT_NOTYPE {
 			// STT_NOTYPE is generated on clang < 8 which doesn't tag
 			// relocations appropriately.
@@ -694,10 +700,6 @@
 				spec.Extra = bytes.NewReader(extra)
 			}
 
-			if err := spec.clampPerfEventArraySize(); err != nil {
-				return fmt.Errorf("map %s: %w", mapName, err)
-			}
-
 			ec.maps[mapName] = &spec
 		}
 	}
@@ -752,7 +754,7 @@
 			}
 
 			// Each Var representing a BTF map definition contains a Struct.
-			mapStruct, ok := v.Type.(*btf.Struct)
+			mapStruct, ok := btf.UnderlyingType(v.Type).(*btf.Struct)
 			if !ok {
 				return fmt.Errorf("expected struct, got %s", v.Type)
 			}
@@ -762,10 +764,6 @@
 				return fmt.Errorf("map %v: %w", name, err)
 			}
 
-			if err := mapSpec.clampPerfEventArraySize(); err != nil {
-				return fmt.Errorf("map %v: %w", name, err)
-			}
-
 			ec.maps[name] = mapSpec
 		}
 
@@ -785,7 +783,7 @@
 
 // mapSpecFromBTF produces a MapSpec based on a btf.Struct def representing
 // a BTF map definition. The name and spec arguments will be copied to the
-// resulting MapSpec, and inner must be true on any resursive invocations.
+// resulting MapSpec, and inner must be true on any recursive invocations.
 func mapSpecFromBTF(es *elfSection, vs *btf.VarSecinfo, def *btf.Struct, spec *btf.Spec, name string, inner bool) (*MapSpec, error) {
 	var (
 		key, value         btf.Type
@@ -1150,7 +1148,7 @@
 		KeySize:    uint32(4),
 		ValueSize:  ds.Size,
 		MaxEntries: 1,
-		Flags:      unix.BPF_F_RDONLY_PROG | unix.BPF_F_MMAPABLE,
+		Flags:      unix.BPF_F_RDONLY_PROG,
 		Freeze:     true,
 		Key:        &btf.Int{Size: 4},
 		Value:      ds,
@@ -1268,6 +1266,7 @@
 		{"seccomp", SocketFilter, AttachNone, 0},
 		{"kprobe.multi", Kprobe, AttachTraceKprobeMulti, 0},
 		{"kretprobe.multi", Kprobe, AttachTraceKprobeMulti, 0},
+		// Document all prefixes in docs/ebpf/concepts/elf-sections.md.
 	}
 
 	for _, t := range types {
diff --git a/vendor/github.com/cilium/ebpf/info.go b/vendor/github.com/cilium/ebpf/info.go
index a02e8a4..79b11c9 100644
--- a/vendor/github.com/cilium/ebpf/info.go
+++ b/vendor/github.com/cilium/ebpf/info.go
@@ -101,6 +101,11 @@
 
 	maps  []MapID
 	insns []byte
+
+	lineInfos    []byte
+	numLineInfos uint32
+	funcInfos    []byte
+	numFuncInfos uint32
 }
 
 func newProgramInfoFromFd(fd *sys.FD) (*ProgramInfo, error) {
@@ -128,10 +133,13 @@
 	// Start with a clean struct for the second call, otherwise we may get EFAULT.
 	var info2 sys.ProgInfo
 
+	makeSecondCall := false
+
 	if info.NrMapIds > 0 {
 		pi.maps = make([]MapID, info.NrMapIds)
 		info2.NrMapIds = info.NrMapIds
 		info2.MapIds = sys.NewPointer(unsafe.Pointer(&pi.maps[0]))
+		makeSecondCall = true
 	} else if haveProgramInfoMapIDs() == nil {
 		// This program really has no associated maps.
 		pi.maps = make([]MapID, 0)
@@ -150,9 +158,28 @@
 		pi.insns = make([]byte, info.XlatedProgLen)
 		info2.XlatedProgLen = info.XlatedProgLen
 		info2.XlatedProgInsns = sys.NewSlicePointer(pi.insns)
+		makeSecondCall = true
 	}
 
-	if info.NrMapIds > 0 || info.XlatedProgLen > 0 {
+	if info.NrLineInfo > 0 {
+		pi.lineInfos = make([]byte, btf.LineInfoSize*info.NrLineInfo)
+		info2.LineInfo = sys.NewSlicePointer(pi.lineInfos)
+		info2.LineInfoRecSize = btf.LineInfoSize
+		info2.NrLineInfo = info.NrLineInfo
+		pi.numLineInfos = info.NrLineInfo
+		makeSecondCall = true
+	}
+
+	if info.NrFuncInfo > 0 {
+		pi.funcInfos = make([]byte, btf.FuncInfoSize*info.NrFuncInfo)
+		info2.FuncInfo = sys.NewSlicePointer(pi.funcInfos)
+		info2.FuncInfoRecSize = btf.FuncInfoSize
+		info2.NrFuncInfo = info.NrFuncInfo
+		pi.numFuncInfos = info.NrFuncInfo
+		makeSecondCall = true
+	}
+
+	if makeSecondCall {
 		if err := sys.ObjInfo(fd, &info2); err != nil {
 			return nil, err
 		}
@@ -245,7 +272,13 @@
 //
 // The first instruction is marked as a symbol using the Program's name.
 //
-// Available from 4.13. Requires CAP_BPF or equivalent.
+// If available, the instructions will be annotated with metadata from the
+// BTF. This includes line information and function information. Reading
+// this metadata requires CAP_SYS_ADMIN or equivalent. If capability is
+// unavailable, the instructions will be returned without metadata.
+//
+// Available from 4.13. Requires CAP_BPF or equivalent for plain instructions.
+// Requires CAP_SYS_ADMIN for instructions with metadata.
 func (pi *ProgramInfo) Instructions() (asm.Instructions, error) {
 	// If the calling process is not BPF-capable or if the kernel doesn't
 	// support getting xlated instructions, the field will be zero.
@@ -259,8 +292,55 @@
 		return nil, fmt.Errorf("unmarshaling instructions: %w", err)
 	}
 
-	// Tag the first instruction with the name of the program, if available.
-	insns[0] = insns[0].WithSymbol(pi.Name)
+	if pi.btf != 0 {
+		btfh, err := btf.NewHandleFromID(pi.btf)
+		if err != nil {
+			// Getting a BTF handle requires CAP_SYS_ADMIN, if not available we get an -EPERM.
+			// Ignore it and fall back to instructions without metadata.
+			if !errors.Is(err, unix.EPERM) {
+				return nil, fmt.Errorf("unable to get BTF handle: %w", err)
+			}
+		}
+
+		// If we have a BTF handle, we can use it to assign metadata to the instructions.
+		if btfh != nil {
+			defer btfh.Close()
+
+			spec, err := btfh.Spec(nil)
+			if err != nil {
+				return nil, fmt.Errorf("unable to get BTF spec: %w", err)
+			}
+
+			lineInfos, err := btf.LoadLineInfos(
+				bytes.NewReader(pi.lineInfos),
+				internal.NativeEndian,
+				pi.numLineInfos,
+				spec,
+			)
+			if err != nil {
+				return nil, fmt.Errorf("parse line info: %w", err)
+			}
+
+			funcInfos, err := btf.LoadFuncInfos(
+				bytes.NewReader(pi.funcInfos),
+				internal.NativeEndian,
+				pi.numFuncInfos,
+				spec,
+			)
+			if err != nil {
+				return nil, fmt.Errorf("parse func info: %w", err)
+			}
+
+			btf.AssignMetadataToInstructions(insns, funcInfos, lineInfos, btf.CORERelocationInfos{})
+		}
+	}
+
+	fn := btf.FuncMetadata(&insns[0])
+	name := pi.Name
+	if fn != nil {
+		name = fn.Name
+	}
+	insns[0] = insns[0].WithSymbol(name)
 
 	return insns, nil
 }
diff --git a/vendor/github.com/cilium/ebpf/internal/endian_be.go b/vendor/github.com/cilium/ebpf/internal/endian_be.go
index 96a2ac0..39f49ba 100644
--- a/vendor/github.com/cilium/ebpf/internal/endian_be.go
+++ b/vendor/github.com/cilium/ebpf/internal/endian_be.go
@@ -6,7 +6,7 @@
 
 // NativeEndian is set to either binary.BigEndian or binary.LittleEndian,
 // depending on the host's endianness.
-var NativeEndian binary.ByteOrder = binary.BigEndian
+var NativeEndian = binary.BigEndian
 
 // ClangEndian is set to either "el" or "eb" depending on the host's endianness.
 const ClangEndian = "eb"
diff --git a/vendor/github.com/cilium/ebpf/internal/endian_le.go b/vendor/github.com/cilium/ebpf/internal/endian_le.go
index fde4c55..9488e30 100644
--- a/vendor/github.com/cilium/ebpf/internal/endian_le.go
+++ b/vendor/github.com/cilium/ebpf/internal/endian_le.go
@@ -6,7 +6,7 @@
 
 // NativeEndian is set to either binary.BigEndian or binary.LittleEndian,
 // depending on the host's endianness.
-var NativeEndian binary.ByteOrder = binary.LittleEndian
+var NativeEndian = binary.LittleEndian
 
 // ClangEndian is set to either "el" or "eb" depending on the host's endianness.
 const ClangEndian = "el"
diff --git a/vendor/github.com/cilium/ebpf/internal/kconfig/kconfig.go b/vendor/github.com/cilium/ebpf/internal/kconfig/kconfig.go
index d95e7eb..fa53085 100644
--- a/vendor/github.com/cilium/ebpf/internal/kconfig/kconfig.go
+++ b/vendor/github.com/cilium/ebpf/internal/kconfig/kconfig.go
@@ -250,7 +250,20 @@
 		return fmt.Errorf("cannot parse value: %w", err)
 	}
 
-	switch size {
+	return PutInteger(data, integer, n)
+}
+
+// PutInteger writes n into data.
+//
+// integer determines how much is written into data and what the valid values
+// are.
+func PutInteger(data []byte, integer *btf.Int, n uint64) error {
+	// This function should match set_kcfg_value_num in libbpf.
+	if integer.Encoding == btf.Bool && n > 1 {
+		return fmt.Errorf("invalid boolean value: %d", n)
+	}
+
+	switch integer.Size {
 	case 1:
 		data[0] = byte(n)
 	case 2:
@@ -260,7 +273,7 @@
 	case 8:
 		internal.NativeEndian.PutUint64(data, uint64(n))
 	default:
-		return fmt.Errorf("size (%d) is not valid, expected: 1, 2, 4 or 8", size)
+		return fmt.Errorf("size (%d) is not valid, expected: 1, 2, 4 or 8", integer.Size)
 	}
 
 	return nil
diff --git a/vendor/github.com/cilium/ebpf/internal/sys/syscall.go b/vendor/github.com/cilium/ebpf/internal/sys/syscall.go
index 4fae04d..088e82e 100644
--- a/vendor/github.com/cilium/ebpf/internal/sys/syscall.go
+++ b/vendor/github.com/cilium/ebpf/internal/sys/syscall.go
@@ -11,7 +11,7 @@
 // ENOTSUPP is a Linux internal error code that has leaked into UAPI.
 //
 // It is not the same as ENOTSUP or EOPNOTSUPP.
-var ENOTSUPP = syscall.Errno(524)
+const ENOTSUPP = syscall.Errno(524)
 
 // BPF wraps SYS_BPF.
 //
@@ -123,7 +123,7 @@
 // MapFlags control map behaviour.
 type MapFlags uint32
 
-//go:generate stringer -type MapFlags
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -type MapFlags
 
 const (
 	BPF_F_NO_PREALLOC MapFlags = 1 << iota
diff --git a/vendor/github.com/cilium/ebpf/internal/sys/types.go b/vendor/github.com/cilium/ebpf/internal/sys/types.go
index 2af7759..51698e0 100644
--- a/vendor/github.com/cilium/ebpf/internal/sys/types.go
+++ b/vendor/github.com/cilium/ebpf/internal/sys/types.go
@@ -59,7 +59,13 @@
 	BPF_SK_REUSEPORT_SELECT_OR_MIGRATE AttachType = 40
 	BPF_PERF_EVENT                     AttachType = 41
 	BPF_TRACE_KPROBE_MULTI             AttachType = 42
-	__MAX_BPF_ATTACH_TYPE              AttachType = 43
+	BPF_LSM_CGROUP                     AttachType = 43
+	BPF_STRUCT_OPS                     AttachType = 44
+	BPF_NETFILTER                      AttachType = 45
+	BPF_TCX_INGRESS                    AttachType = 46
+	BPF_TCX_EGRESS                     AttachType = 47
+	BPF_TRACE_UPROBE_MULTI             AttachType = 48
+	__MAX_BPF_ATTACH_TYPE              AttachType = 49
 )
 
 type Cmd uint32
@@ -311,7 +317,15 @@
 	BPF_FUNC_dynptr_read                    FunctionId = 201
 	BPF_FUNC_dynptr_write                   FunctionId = 202
 	BPF_FUNC_dynptr_data                    FunctionId = 203
-	__BPF_FUNC_MAX_ID                       FunctionId = 204
+	BPF_FUNC_tcp_raw_gen_syncookie_ipv4     FunctionId = 204
+	BPF_FUNC_tcp_raw_gen_syncookie_ipv6     FunctionId = 205
+	BPF_FUNC_tcp_raw_check_syncookie_ipv4   FunctionId = 206
+	BPF_FUNC_tcp_raw_check_syncookie_ipv6   FunctionId = 207
+	BPF_FUNC_ktime_get_tai_ns               FunctionId = 208
+	BPF_FUNC_user_ringbuf_drain             FunctionId = 209
+	BPF_FUNC_cgrp_storage_get               FunctionId = 210
+	BPF_FUNC_cgrp_storage_delete            FunctionId = 211
+	__BPF_FUNC_MAX_ID                       FunctionId = 212
 )
 
 type HdrStartOff uint32
@@ -334,43 +348,49 @@
 	BPF_LINK_TYPE_PERF_EVENT     LinkType = 7
 	BPF_LINK_TYPE_KPROBE_MULTI   LinkType = 8
 	BPF_LINK_TYPE_STRUCT_OPS     LinkType = 9
-	MAX_BPF_LINK_TYPE            LinkType = 10
+	BPF_LINK_TYPE_NETFILTER      LinkType = 10
+	BPF_LINK_TYPE_TCX            LinkType = 11
+	BPF_LINK_TYPE_UPROBE_MULTI   LinkType = 12
+	MAX_BPF_LINK_TYPE            LinkType = 13
 )
 
 type MapType uint32
 
 const (
-	BPF_MAP_TYPE_UNSPEC                MapType = 0
-	BPF_MAP_TYPE_HASH                  MapType = 1
-	BPF_MAP_TYPE_ARRAY                 MapType = 2
-	BPF_MAP_TYPE_PROG_ARRAY            MapType = 3
-	BPF_MAP_TYPE_PERF_EVENT_ARRAY      MapType = 4
-	BPF_MAP_TYPE_PERCPU_HASH           MapType = 5
-	BPF_MAP_TYPE_PERCPU_ARRAY          MapType = 6
-	BPF_MAP_TYPE_STACK_TRACE           MapType = 7
-	BPF_MAP_TYPE_CGROUP_ARRAY          MapType = 8
-	BPF_MAP_TYPE_LRU_HASH              MapType = 9
-	BPF_MAP_TYPE_LRU_PERCPU_HASH       MapType = 10
-	BPF_MAP_TYPE_LPM_TRIE              MapType = 11
-	BPF_MAP_TYPE_ARRAY_OF_MAPS         MapType = 12
-	BPF_MAP_TYPE_HASH_OF_MAPS          MapType = 13
-	BPF_MAP_TYPE_DEVMAP                MapType = 14
-	BPF_MAP_TYPE_SOCKMAP               MapType = 15
-	BPF_MAP_TYPE_CPUMAP                MapType = 16
-	BPF_MAP_TYPE_XSKMAP                MapType = 17
-	BPF_MAP_TYPE_SOCKHASH              MapType = 18
-	BPF_MAP_TYPE_CGROUP_STORAGE        MapType = 19
-	BPF_MAP_TYPE_REUSEPORT_SOCKARRAY   MapType = 20
-	BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE MapType = 21
-	BPF_MAP_TYPE_QUEUE                 MapType = 22
-	BPF_MAP_TYPE_STACK                 MapType = 23
-	BPF_MAP_TYPE_SK_STORAGE            MapType = 24
-	BPF_MAP_TYPE_DEVMAP_HASH           MapType = 25
-	BPF_MAP_TYPE_STRUCT_OPS            MapType = 26
-	BPF_MAP_TYPE_RINGBUF               MapType = 27
-	BPF_MAP_TYPE_INODE_STORAGE         MapType = 28
-	BPF_MAP_TYPE_TASK_STORAGE          MapType = 29
-	BPF_MAP_TYPE_BLOOM_FILTER          MapType = 30
+	BPF_MAP_TYPE_UNSPEC                    MapType = 0
+	BPF_MAP_TYPE_HASH                      MapType = 1
+	BPF_MAP_TYPE_ARRAY                     MapType = 2
+	BPF_MAP_TYPE_PROG_ARRAY                MapType = 3
+	BPF_MAP_TYPE_PERF_EVENT_ARRAY          MapType = 4
+	BPF_MAP_TYPE_PERCPU_HASH               MapType = 5
+	BPF_MAP_TYPE_PERCPU_ARRAY              MapType = 6
+	BPF_MAP_TYPE_STACK_TRACE               MapType = 7
+	BPF_MAP_TYPE_CGROUP_ARRAY              MapType = 8
+	BPF_MAP_TYPE_LRU_HASH                  MapType = 9
+	BPF_MAP_TYPE_LRU_PERCPU_HASH           MapType = 10
+	BPF_MAP_TYPE_LPM_TRIE                  MapType = 11
+	BPF_MAP_TYPE_ARRAY_OF_MAPS             MapType = 12
+	BPF_MAP_TYPE_HASH_OF_MAPS              MapType = 13
+	BPF_MAP_TYPE_DEVMAP                    MapType = 14
+	BPF_MAP_TYPE_SOCKMAP                   MapType = 15
+	BPF_MAP_TYPE_CPUMAP                    MapType = 16
+	BPF_MAP_TYPE_XSKMAP                    MapType = 17
+	BPF_MAP_TYPE_SOCKHASH                  MapType = 18
+	BPF_MAP_TYPE_CGROUP_STORAGE_DEPRECATED MapType = 19
+	BPF_MAP_TYPE_CGROUP_STORAGE            MapType = 19
+	BPF_MAP_TYPE_REUSEPORT_SOCKARRAY       MapType = 20
+	BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE     MapType = 21
+	BPF_MAP_TYPE_QUEUE                     MapType = 22
+	BPF_MAP_TYPE_STACK                     MapType = 23
+	BPF_MAP_TYPE_SK_STORAGE                MapType = 24
+	BPF_MAP_TYPE_DEVMAP_HASH               MapType = 25
+	BPF_MAP_TYPE_STRUCT_OPS                MapType = 26
+	BPF_MAP_TYPE_RINGBUF                   MapType = 27
+	BPF_MAP_TYPE_INODE_STORAGE             MapType = 28
+	BPF_MAP_TYPE_TASK_STORAGE              MapType = 29
+	BPF_MAP_TYPE_BLOOM_FILTER              MapType = 30
+	BPF_MAP_TYPE_USER_RINGBUF              MapType = 31
+	BPF_MAP_TYPE_CGRP_STORAGE              MapType = 32
 )
 
 type ProgType uint32
@@ -408,15 +428,17 @@
 	BPF_PROG_TYPE_LSM                     ProgType = 29
 	BPF_PROG_TYPE_SK_LOOKUP               ProgType = 30
 	BPF_PROG_TYPE_SYSCALL                 ProgType = 31
+	BPF_PROG_TYPE_NETFILTER               ProgType = 32
 )
 
 type RetCode uint32
 
 const (
-	BPF_OK          RetCode = 0
-	BPF_DROP        RetCode = 2
-	BPF_REDIRECT    RetCode = 7
-	BPF_LWT_REROUTE RetCode = 128
+	BPF_OK                      RetCode = 0
+	BPF_DROP                    RetCode = 2
+	BPF_REDIRECT                RetCode = 7
+	BPF_LWT_REROUTE             RetCode = 128
+	BPF_FLOW_DISSECTOR_CONTINUE RetCode = 129
 )
 
 type SkAction uint32
@@ -476,7 +498,7 @@
 	Id     LinkID
 	ProgId uint32
 	_      [4]byte
-	Extra  [16]uint8
+	Extra  [32]uint8
 }
 
 type MapInfo struct {
@@ -521,10 +543,10 @@
 	JitedFuncLens        uint64
 	BtfId                BTFID
 	FuncInfoRecSize      uint32
-	FuncInfo             uint64
+	FuncInfo             Pointer
 	NrFuncInfo           uint32
 	NrLineInfo           uint32
-	LineInfo             uint64
+	LineInfo             Pointer
 	JitedLineInfo        uint64
 	NrJitedLineInfo      uint32
 	LineInfoRecSize      uint32
@@ -535,6 +557,8 @@
 	RunCnt               uint64
 	RecursionMisses      uint64
 	VerifiedInsns        uint32
+	AttachBtfObjId       BTFID
+	AttachBtfId          TypeID
 	_                    [4]byte
 }
 
@@ -583,12 +607,12 @@
 }
 
 type BtfLoadAttr struct {
-	Btf         Pointer
-	BtfLogBuf   Pointer
-	BtfSize     uint32
-	BtfLogSize  uint32
-	BtfLogLevel uint32
-	_           [4]byte
+	Btf            Pointer
+	BtfLogBuf      Pointer
+	BtfSize        uint32
+	BtfLogSize     uint32
+	BtfLogLevel    uint32
+	BtfLogTrueSize uint32
 }
 
 func BtfLoad(attr *BtfLoadAttr) (*FD, error) {
@@ -628,7 +652,7 @@
 	AttachType  AttachType
 	Flags       uint32
 	TargetBtfId TypeID
-	_           [28]byte
+	_           [44]byte
 }
 
 func LinkCreate(attr *LinkCreateAttr) (*FD, error) {
@@ -646,7 +670,7 @@
 	Flags       uint32
 	IterInfo    Pointer
 	IterInfoLen uint32
-	_           [20]byte
+	_           [36]byte
 }
 
 func LinkCreateIter(attr *LinkCreateIterAttr) (*FD, error) {
@@ -667,6 +691,7 @@
 	Syms             Pointer
 	Addrs            Pointer
 	Cookies          Pointer
+	_                [16]byte
 }
 
 func LinkCreateKprobeMulti(attr *LinkCreateKprobeMultiAttr) (*FD, error) {
@@ -683,7 +708,7 @@
 	AttachType AttachType
 	Flags      uint32
 	BpfCookie  uint64
-	_          [24]byte
+	_          [40]byte
 }
 
 func LinkCreatePerfEvent(attr *LinkCreatePerfEventAttr) (*FD, error) {
@@ -702,7 +727,7 @@
 	TargetBtfId BTFID
 	_           [4]byte
 	Cookie      uint64
-	_           [16]byte
+	_           [32]byte
 }
 
 func LinkCreateTracing(attr *LinkCreateTracingAttr) (*FD, error) {
@@ -909,6 +934,8 @@
 	Pathname  Pointer
 	BpfFd     uint32
 	FileFlags uint32
+	PathFd    int32
+	_         [4]byte
 }
 
 func ObjGet(attr *ObjGetAttr) (*FD, error) {
@@ -934,6 +961,8 @@
 	Pathname  Pointer
 	BpfFd     uint32
 	FileFlags uint32
+	PathFd    int32
+	_         [4]byte
 }
 
 func ObjPin(attr *ObjPinAttr) error {
@@ -942,11 +971,13 @@
 }
 
 type ProgAttachAttr struct {
-	TargetFd     uint32
-	AttachBpfFd  uint32
-	AttachType   uint32
-	AttachFlags  uint32
-	ReplaceBpfFd uint32
+	TargetFd         uint32
+	AttachBpfFd      uint32
+	AttachType       uint32
+	AttachFlags      uint32
+	ReplaceBpfFd     uint32
+	RelativeFd       uint32
+	ExpectedRevision uint64
 }
 
 func ProgAttach(attr *ProgAttachAttr) error {
@@ -1022,7 +1053,7 @@
 	FdArray            Pointer
 	CoreRelos          Pointer
 	CoreReloRecSize    uint32
-	_                  [4]byte
+	LogTrueSize        uint32
 }
 
 func ProgLoad(attr *ProgLoadAttr) (*FD, error) {
@@ -1034,13 +1065,17 @@
 }
 
 type ProgQueryAttr struct {
-	TargetFd    uint32
-	AttachType  AttachType
-	QueryFlags  uint32
-	AttachFlags uint32
-	ProgIds     Pointer
-	ProgCount   uint32
-	_           [4]byte
+	TargetFd        uint32
+	AttachType      AttachType
+	QueryFlags      uint32
+	AttachFlags     uint32
+	ProgIds         Pointer
+	ProgCount       uint32
+	_               [4]byte
+	ProgAttachFlags Pointer
+	LinkIds         Pointer
+	LinkAttachFlags Pointer
+	Revision        uint64
 }
 
 func ProgQuery(attr *ProgQueryAttr) error {
diff --git a/vendor/github.com/cilium/ebpf/internal/sysenc/buffer.go b/vendor/github.com/cilium/ebpf/internal/sysenc/buffer.go
new file mode 100644
index 0000000..c6959d9
--- /dev/null
+++ b/vendor/github.com/cilium/ebpf/internal/sysenc/buffer.go
@@ -0,0 +1,77 @@
+package sysenc
+
+import (
+	"unsafe"
+
+	"github.com/cilium/ebpf/internal/sys"
+)
+
+type Buffer struct {
+	ptr unsafe.Pointer
+	// Size of the buffer. syscallPointerOnly if created from UnsafeBuffer or when using
+	// zero-copy unmarshaling.
+	size int
+}
+
+const syscallPointerOnly = -1
+
+func newBuffer(buf []byte) Buffer {
+	if len(buf) == 0 {
+		return Buffer{}
+	}
+	return Buffer{unsafe.Pointer(&buf[0]), len(buf)}
+}
+
+// UnsafeBuffer constructs a Buffer for zero-copy unmarshaling.
+//
+// [Pointer] is the only valid method to call on such a Buffer.
+// Use [SyscallBuffer] instead if possible.
+func UnsafeBuffer(ptr unsafe.Pointer) Buffer {
+	return Buffer{ptr, syscallPointerOnly}
+}
+
+// SyscallOutput prepares a Buffer for a syscall to write into.
+//
+// The buffer may point at the underlying memory of dst, in which case [Unmarshal]
+// becomes a no-op.
+//
+// The contents of the buffer are undefined and may be non-zero.
+func SyscallOutput(dst any, size int) Buffer {
+	if dstBuf := unsafeBackingMemory(dst); len(dstBuf) == size {
+		buf := newBuffer(dstBuf)
+		buf.size = syscallPointerOnly
+		return buf
+	}
+
+	return newBuffer(make([]byte, size))
+}
+
+// CopyTo copies the buffer into dst.
+//
+// Returns the number of copied bytes.
+func (b Buffer) CopyTo(dst []byte) int {
+	return copy(dst, b.unsafeBytes())
+}
+
+// Pointer returns the location where a syscall should write.
+func (b Buffer) Pointer() sys.Pointer {
+	// NB: This deliberately ignores b.length to support zero-copy
+	// marshaling / unmarshaling using unsafe.Pointer.
+	return sys.NewPointer(b.ptr)
+}
+
+// Unmarshal the buffer into the provided value.
+func (b Buffer) Unmarshal(data any) error {
+	if b.size == syscallPointerOnly {
+		return nil
+	}
+
+	return Unmarshal(data, b.unsafeBytes())
+}
+
+func (b Buffer) unsafeBytes() []byte {
+	if b.size == syscallPointerOnly {
+		return nil
+	}
+	return unsafe.Slice((*byte)(b.ptr), b.size)
+}
diff --git a/vendor/github.com/cilium/ebpf/internal/sysenc/doc.go b/vendor/github.com/cilium/ebpf/internal/sysenc/doc.go
new file mode 100644
index 0000000..676ad98
--- /dev/null
+++ b/vendor/github.com/cilium/ebpf/internal/sysenc/doc.go
@@ -0,0 +1,3 @@
+// Package sysenc provides efficient conversion of Go values to system
+// call interfaces.
+package sysenc
diff --git a/vendor/github.com/cilium/ebpf/internal/sysenc/layout.go b/vendor/github.com/cilium/ebpf/internal/sysenc/layout.go
new file mode 100644
index 0000000..52d111e
--- /dev/null
+++ b/vendor/github.com/cilium/ebpf/internal/sysenc/layout.go
@@ -0,0 +1,41 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found at https://go.dev/LICENSE.
+
+package sysenc
+
+import (
+	"reflect"
+	"sync"
+)
+
+var hasUnexportedFieldsCache sync.Map // map[reflect.Type]bool
+
+func hasUnexportedFields(typ reflect.Type) bool {
+	switch typ.Kind() {
+	case reflect.Slice, reflect.Array, reflect.Pointer:
+		return hasUnexportedFields(typ.Elem())
+
+	case reflect.Struct:
+		if unexported, ok := hasUnexportedFieldsCache.Load(typ); ok {
+			return unexported.(bool)
+		}
+
+		unexported := false
+		for i, n := 0, typ.NumField(); i < n; i++ {
+			field := typ.Field(i)
+			// Package binary allows _ fields but always writes zeroes into them.
+			if (!field.IsExported() && field.Name != "_") || hasUnexportedFields(field.Type) {
+				unexported = true
+				break
+			}
+		}
+
+		hasUnexportedFieldsCache.Store(typ, unexported)
+		return unexported
+
+	default:
+		// NB: It's not clear what this means for Chan and so on.
+		return false
+	}
+}
diff --git a/vendor/github.com/cilium/ebpf/internal/sysenc/marshal.go b/vendor/github.com/cilium/ebpf/internal/sysenc/marshal.go
new file mode 100644
index 0000000..5233945
--- /dev/null
+++ b/vendor/github.com/cilium/ebpf/internal/sysenc/marshal.go
@@ -0,0 +1,178 @@
+package sysenc
+
+import (
+	"bytes"
+	"encoding"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"reflect"
+	"sync"
+	"unsafe"
+
+	"github.com/cilium/ebpf/internal"
+
+	"golang.org/x/exp/slices"
+)
+
+// Marshal turns data into a byte slice using the system's native endianness.
+//
+// If possible, avoids allocations by directly using the backing memory
+// of data. This means that the variable must not be modified for the lifetime
+// of the returned [Buffer].
+//
+// Returns an error if the data can't be turned into a byte slice according to
+// the behaviour of [binary.Write].
+func Marshal(data any, size int) (Buffer, error) {
+	if data == nil {
+		return Buffer{}, errors.New("can't marshal a nil value")
+	}
+
+	var buf []byte
+	var err error
+	switch value := data.(type) {
+	case encoding.BinaryMarshaler:
+		buf, err = value.MarshalBinary()
+	case string:
+		buf = unsafe.Slice(unsafe.StringData(value), len(value))
+	case []byte:
+		buf = value
+	case int16:
+		buf = internal.NativeEndian.AppendUint16(make([]byte, 0, 2), uint16(value))
+	case uint16:
+		buf = internal.NativeEndian.AppendUint16(make([]byte, 0, 2), value)
+	case int32:
+		buf = internal.NativeEndian.AppendUint32(make([]byte, 0, 4), uint32(value))
+	case uint32:
+		buf = internal.NativeEndian.AppendUint32(make([]byte, 0, 4), value)
+	case int64:
+		buf = internal.NativeEndian.AppendUint64(make([]byte, 0, 8), uint64(value))
+	case uint64:
+		buf = internal.NativeEndian.AppendUint64(make([]byte, 0, 8), value)
+	default:
+		if buf := unsafeBackingMemory(data); len(buf) == size {
+			return newBuffer(buf), nil
+		}
+
+		wr := internal.NewBuffer(make([]byte, 0, size))
+		defer internal.PutBuffer(wr)
+
+		err = binary.Write(wr, internal.NativeEndian, value)
+		buf = wr.Bytes()
+	}
+	if err != nil {
+		return Buffer{}, err
+	}
+
+	if len(buf) != size {
+		return Buffer{}, fmt.Errorf("%T doesn't marshal to %d bytes", data, size)
+	}
+
+	return newBuffer(buf), nil
+}
+
+var bytesReaderPool = sync.Pool{
+	New: func() interface{} {
+		return new(bytes.Reader)
+	},
+}
+
+// Unmarshal a byte slice in the system's native endianness into data.
+//
+// Returns an error if buf can't be unmarshalled according to the behaviour
+// of [binary.Read].
+func Unmarshal(data interface{}, buf []byte) error {
+	switch value := data.(type) {
+	case encoding.BinaryUnmarshaler:
+		return value.UnmarshalBinary(buf)
+
+	case *string:
+		*value = string(buf)
+		return nil
+
+	case *[]byte:
+		// Backwards compat: unmarshaling into a slice replaces the whole slice.
+		*value = slices.Clone(buf)
+		return nil
+
+	default:
+		if dataBuf := unsafeBackingMemory(data); len(dataBuf) == len(buf) {
+			copy(dataBuf, buf)
+			return nil
+		}
+
+		rd := bytesReaderPool.Get().(*bytes.Reader)
+		defer bytesReaderPool.Put(rd)
+
+		rd.Reset(buf)
+
+		if err := binary.Read(rd, internal.NativeEndian, value); err != nil {
+			return err
+		}
+
+		if rd.Len() != 0 {
+			return fmt.Errorf("unmarshaling %T doesn't consume all data", data)
+		}
+
+		return nil
+	}
+}
+
+// unsafeBackingMemory returns the backing memory of data if it can be used
+// instead of calling into package binary.
+//
+// Returns nil if the value is not a pointer or a slice, or if it contains
+// padding or unexported fields.
+func unsafeBackingMemory(data any) []byte {
+	if data == nil {
+		return nil
+	}
+
+	value := reflect.ValueOf(data)
+	var valueSize int
+	switch value.Kind() {
+	case reflect.Pointer:
+		if value.IsNil() {
+			return nil
+		}
+
+		if elemType := value.Type().Elem(); elemType.Kind() != reflect.Slice {
+			valueSize = int(elemType.Size())
+			break
+		}
+
+		// We're dealing with a pointer to a slice. Dereference and
+		// handle it like a regular slice.
+		value = value.Elem()
+		fallthrough
+
+	case reflect.Slice:
+		valueSize = int(value.Type().Elem().Size()) * value.Len()
+
+	default:
+		// Prevent Value.UnsafePointer from panicking.
+		return nil
+	}
+
+	// Some nil pointer types currently crash binary.Size. Call it after our own
+	// code so that the panic isn't reachable.
+	// See https://github.com/golang/go/issues/60892
+	if size := binary.Size(data); size == -1 || size != valueSize {
+		// The type contains padding or unsupported types.
+		return nil
+	}
+
+	if hasUnexportedFields(reflect.TypeOf(data)) {
+		return nil
+	}
+
+	// Reinterpret the pointer as a byte slice. This violates the unsafe.Pointer
+	// rules because it's very unlikely that the source data has "an equivalent
+	// memory layout". However, we can make it safe-ish because of the
+	// following reasons:
+	//  - There is no alignment mismatch since we cast to a type with an
+	//    alignment of 1.
+	//  - There are no pointers in the source type so we don't upset the GC.
+	//  - The length is verified at runtime.
+	return unsafe.Slice((*byte)(value.UnsafePointer()), valueSize)
+}
diff --git a/vendor/github.com/cilium/ebpf/internal/tracefs/kprobe.go b/vendor/github.com/cilium/ebpf/internal/tracefs/kprobe.go
index 4059a09..1b45a9a 100644
--- a/vendor/github.com/cilium/ebpf/internal/tracefs/kprobe.go
+++ b/vendor/github.com/cilium/ebpf/internal/tracefs/kprobe.go
@@ -20,7 +20,7 @@
 	ErrInvalidMaxActive = errors.New("can only set maxactive on kretprobes")
 )
 
-//go:generate stringer -type=ProbeType -linecomment
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -type=ProbeType -linecomment
 
 type ProbeType uint8
 
diff --git a/vendor/github.com/cilium/ebpf/internal/unix/types_linux.go b/vendor/github.com/cilium/ebpf/internal/unix/types_linux.go
index 7c97059..51ed7d0 100644
--- a/vendor/github.com/cilium/ebpf/internal/unix/types_linux.go
+++ b/vendor/github.com/cilium/ebpf/internal/unix/types_linux.go
@@ -85,6 +85,8 @@
 	BPF_FS_MAGIC              = linux.BPF_FS_MAGIC
 	TRACEFS_MAGIC             = linux.TRACEFS_MAGIC
 	DEBUGFS_MAGIC             = linux.DEBUGFS_MAGIC
+	BPF_RB_NO_WAKEUP          = linux.BPF_RB_NO_WAKEUP
+	BPF_RB_FORCE_WAKEUP       = linux.BPF_RB_FORCE_WAKEUP
 )
 
 type Statfs_t = linux.Statfs_t
diff --git a/vendor/github.com/cilium/ebpf/internal/unix/types_other.go b/vendor/github.com/cilium/ebpf/internal/unix/types_other.go
index 5e86b50..1760e9e 100644
--- a/vendor/github.com/cilium/ebpf/internal/unix/types_other.go
+++ b/vendor/github.com/cilium/ebpf/internal/unix/types_other.go
@@ -89,6 +89,8 @@
 	BPF_FS_MAGIC
 	TRACEFS_MAGIC
 	DEBUGFS_MAGIC
+	BPF_RB_NO_WAKEUP
+	BPF_RB_FORCE_WAKEUP
 )
 
 type Statfs_t struct {
diff --git a/vendor/github.com/cilium/ebpf/internal/vdso.go b/vendor/github.com/cilium/ebpf/internal/vdso.go
index 10e639b..c444a41 100644
--- a/vendor/github.com/cilium/ebpf/internal/vdso.go
+++ b/vendor/github.com/cilium/ebpf/internal/vdso.go
@@ -8,6 +8,7 @@
 	"io"
 	"math"
 	"os"
+	"unsafe"
 
 	"github.com/cilium/ebpf/internal/unix"
 )
@@ -19,6 +20,8 @@
 // vdsoVersion returns the LINUX_VERSION_CODE embedded in the vDSO library
 // linked into the current process image.
 func vdsoVersion() (uint32, error) {
+	const uintptrIs32bits = unsafe.Sizeof((uintptr)(0)) == 4
+
 	// Read data from the auxiliary vector, which is normally passed directly
 	// to the process. Go does not expose that data, so we must read it from procfs.
 	// https://man7.org/linux/man-pages/man3/getauxval.3.html
@@ -31,7 +34,7 @@
 	}
 	defer av.Close()
 
-	vdsoAddr, err := vdsoMemoryAddress(av)
+	vdsoAddr, err := vdsoMemoryAddress(av, NativeEndian, uintptrIs32bits)
 	if err != nil {
 		return 0, fmt.Errorf("finding vDSO memory address: %w", err)
 	}
@@ -52,9 +55,34 @@
 	return c, nil
 }
 
+type auxvPair32 struct {
+	Tag, Value uint32
+}
+
+type auxvPair64 struct {
+	Tag, Value uint64
+}
+
+func readAuxvPair(r io.Reader, order binary.ByteOrder, uintptrIs32bits bool) (tag, value uint64, _ error) {
+	if uintptrIs32bits {
+		var aux auxvPair32
+		if err := binary.Read(r, order, &aux); err != nil {
+			return 0, 0, fmt.Errorf("reading auxv entry: %w", err)
+		}
+		return uint64(aux.Tag), uint64(aux.Value), nil
+	}
+
+	var aux auxvPair64
+	if err := binary.Read(r, order, &aux); err != nil {
+		return 0, 0, fmt.Errorf("reading auxv entry: %w", err)
+	}
+	return aux.Tag, aux.Value, nil
+}
+
 // vdsoMemoryAddress returns the memory address of the vDSO library
 // linked into the current process image. r is an io.Reader into an auxv blob.
-func vdsoMemoryAddress(r io.Reader) (uint64, error) {
+func vdsoMemoryAddress(r io.Reader, order binary.ByteOrder, uintptrIs32bits bool) (uintptr, error) {
+	// See https://elixir.bootlin.com/linux/v6.5.5/source/include/uapi/linux/auxvec.h
 	const (
 		_AT_NULL         = 0  // End of vector
 		_AT_SYSINFO_EHDR = 33 // Offset to vDSO blob in process image
@@ -62,16 +90,16 @@
 
 	// Loop through all tag/value pairs in auxv until we find `AT_SYSINFO_EHDR`,
 	// the address of a page containing the virtual Dynamic Shared Object (vDSO).
-	aux := struct{ Tag, Val uint64 }{}
 	for {
-		if err := binary.Read(r, NativeEndian, &aux); err != nil {
-			return 0, fmt.Errorf("reading auxv entry: %w", err)
+		tag, value, err := readAuxvPair(r, order, uintptrIs32bits)
+		if err != nil {
+			return 0, err
 		}
 
-		switch aux.Tag {
+		switch tag {
 		case _AT_SYSINFO_EHDR:
-			if aux.Val != 0 {
-				return aux.Val, nil
+			if value != 0 {
+				return uintptr(value), nil
 			}
 			return 0, fmt.Errorf("invalid vDSO address in auxv")
 		// _AT_NULL is always the last tag/val pair in the aux vector
diff --git a/vendor/github.com/cilium/ebpf/link/iter.go b/vendor/github.com/cilium/ebpf/link/iter.go
index d2b32ef..0a39fae 100644
--- a/vendor/github.com/cilium/ebpf/link/iter.go
+++ b/vendor/github.com/cilium/ebpf/link/iter.go
@@ -25,10 +25,6 @@
 
 // AttachIter attaches a BPF seq_file iterator.
 func AttachIter(opts IterOptions) (*Iter, error) {
-	if err := haveBPFLink(); err != nil {
-		return nil, err
-	}
-
 	progFd := opts.Program.FD()
 	if progFd < 0 {
 		return nil, fmt.Errorf("invalid program: %s", sys.ErrClosedFd)
@@ -52,6 +48,9 @@
 
 	fd, err := sys.LinkCreateIter(&attr)
 	if err != nil {
+		if haveFeatErr := haveBPFLink(); haveFeatErr != nil {
+			return nil, haveFeatErr
+		}
 		return nil, fmt.Errorf("can't link iterator: %w", err)
 	}
 
diff --git a/vendor/github.com/cilium/ebpf/link/kprobe_multi.go b/vendor/github.com/cilium/ebpf/link/kprobe_multi.go
index 697c6d7..4d364d8 100644
--- a/vendor/github.com/cilium/ebpf/link/kprobe_multi.go
+++ b/vendor/github.com/cilium/ebpf/link/kprobe_multi.go
@@ -82,10 +82,6 @@
 		return nil, fmt.Errorf("Cookies must be exactly Symbols or Addresses in length: %w", errInvalidInput)
 	}
 
-	if err := haveBPFLinkKprobeMulti(); err != nil {
-		return nil, err
-	}
-
 	attr := &sys.LinkCreateKprobeMultiAttr{
 		ProgFd:           uint32(prog.FD()),
 		AttachType:       sys.BPF_TRACE_KPROBE_MULTI,
@@ -113,7 +109,11 @@
 	if errors.Is(err, unix.EINVAL) {
 		return nil, fmt.Errorf("%w (missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?)", err)
 	}
+
 	if err != nil {
+		if haveFeatErr := haveBPFLinkKprobeMulti(); haveFeatErr != nil {
+			return nil, haveFeatErr
+		}
 		return nil, err
 	}
 
diff --git a/vendor/github.com/cilium/ebpf/link/program.go b/vendor/github.com/cilium/ebpf/link/program.go
index ea31817..053735a 100644
--- a/vendor/github.com/cilium/ebpf/link/program.go
+++ b/vendor/github.com/cilium/ebpf/link/program.go
@@ -25,10 +25,6 @@
 // You should use one of the higher level abstractions available in this
 // package if possible.
 func RawAttachProgram(opts RawAttachProgramOptions) error {
-	if err := haveProgAttach(); err != nil {
-		return err
-	}
-
 	var replaceFd uint32
 	if opts.Replace != nil {
 		replaceFd = uint32(opts.Replace.FD())
@@ -43,8 +39,12 @@
 	}
 
 	if err := sys.ProgAttach(&attr); err != nil {
+		if haveFeatErr := haveProgAttach(); haveFeatErr != nil {
+			return haveFeatErr
+		}
 		return fmt.Errorf("can't attach program: %w", err)
 	}
+
 	return nil
 }
 
@@ -59,16 +59,15 @@
 // You should use one of the higher level abstractions available in this
 // package if possible.
 func RawDetachProgram(opts RawDetachProgramOptions) error {
-	if err := haveProgAttach(); err != nil {
-		return err
-	}
-
 	attr := sys.ProgDetachAttr{
 		TargetFd:    uint32(opts.Target),
 		AttachBpfFd: uint32(opts.Program.FD()),
 		AttachType:  uint32(opts.Attach),
 	}
 	if err := sys.ProgDetach(&attr); err != nil {
+		if haveFeatErr := haveProgAttach(); haveFeatErr != nil {
+			return haveFeatErr
+		}
 		return fmt.Errorf("can't detach program: %w", err)
 	}
 
diff --git a/vendor/github.com/cilium/ebpf/link/syscalls.go b/vendor/github.com/cilium/ebpf/link/syscalls.go
index c9c998c..012970e 100644
--- a/vendor/github.com/cilium/ebpf/link/syscalls.go
+++ b/vendor/github.com/cilium/ebpf/link/syscalls.go
@@ -60,9 +60,11 @@
 			asm.Return(),
 		},
 	})
+
 	if err != nil {
 		return internal.ErrNotSupported
 	}
+
 	defer prog.Close()
 
 	// We know that we have BPF_PROG_ATTACH since we can load CGroupSKB programs.
@@ -113,11 +115,12 @@
 	}
 
 	err := sys.ProgQuery(&attr)
-	if errors.Is(err, unix.EINVAL) {
-		return internal.ErrNotSupported
-	}
+
 	if errors.Is(err, unix.EBADF) {
 		return nil
 	}
-	return err
+	if err != nil {
+		return ErrNotSupported
+	}
+	return errors.New("syscall succeeded unexpectedly")
 })
diff --git a/vendor/github.com/cilium/ebpf/link/uprobe.go b/vendor/github.com/cilium/ebpf/link/uprobe.go
index 272bac4..83977e0 100644
--- a/vendor/github.com/cilium/ebpf/link/uprobe.go
+++ b/vendor/github.com/cilium/ebpf/link/uprobe.go
@@ -18,9 +18,12 @@
 	uprobeRefCtrOffsetShift = 32
 	haveRefCtrOffsetPMU     = internal.NewFeatureTest("RefCtrOffsetPMU", "4.20", func() error {
 		_, err := os.Stat(uprobeRefCtrOffsetPMUPath)
-		if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
 			return internal.ErrNotSupported
 		}
+		if err != nil {
+			return err
+		}
 		return nil
 	})
 
diff --git a/vendor/github.com/cilium/ebpf/linker.go b/vendor/github.com/cilium/ebpf/linker.go
index e0dbfcf..cf5b02d 100644
--- a/vendor/github.com/cilium/ebpf/linker.go
+++ b/vendor/github.com/cilium/ebpf/linker.go
@@ -7,6 +7,8 @@
 	"io"
 	"math"
 
+	"golang.org/x/exp/slices"
+
 	"github.com/cilium/ebpf/asm"
 	"github.com/cilium/ebpf/btf"
 	"github.com/cilium/ebpf/internal"
@@ -40,10 +42,12 @@
 	return fda
 }
 
-func (hs handles) close() {
-	for _, h := range hs {
-		h.Close()
+func (hs *handles) Close() error {
+	var errs []error
+	for _, h := range *hs {
+		errs = append(errs, h.Close())
 	}
+	return errors.Join(errs...)
 }
 
 // splitSymbols splits insns into subsections delimited by Symbol Instructions.
@@ -55,21 +59,33 @@
 		return nil, errors.New("insns is empty")
 	}
 
-	if insns[0].Symbol() == "" {
+	currentSym := insns[0].Symbol()
+	if currentSym == "" {
 		return nil, errors.New("insns must start with a Symbol")
 	}
 
-	var name string
+	start := 0
 	progs := make(map[string]asm.Instructions)
-	for _, ins := range insns {
-		if sym := ins.Symbol(); sym != "" {
-			if progs[sym] != nil {
-				return nil, fmt.Errorf("insns contains duplicate Symbol %s", sym)
-			}
-			name = sym
+	for i, ins := range insns[1:] {
+		i := i + 1
+
+		sym := ins.Symbol()
+		if sym == "" {
+			continue
 		}
 
-		progs[name] = append(progs[name], ins)
+		// New symbol, flush the old one out.
+		progs[currentSym] = slices.Clone(insns[start:i])
+
+		if progs[sym] != nil {
+			return nil, fmt.Errorf("insns contains duplicate Symbol %s", sym)
+		}
+		currentSym = sym
+		start = i
+	}
+
+	if tail := insns[start:]; len(tail) > 0 {
+		progs[currentSym] = slices.Clone(tail)
 	}
 
 	return progs, nil
@@ -231,7 +247,13 @@
 // fixupKfuncs loops over all instructions in search for kfunc calls.
 // If at least one is found, the current kernels BTF and module BTFis are searched to set Instruction.Constant
 // and Instruction.Offset to the correct values.
-func fixupKfuncs(insns asm.Instructions) (handles, error) {
+func fixupKfuncs(insns asm.Instructions) (_ handles, err error) {
+	closeOnError := func(c io.Closer) {
+		if err != nil {
+			c.Close()
+		}
+	}
+
 	iter := insns.Iterate()
 	for iter.Next() {
 		ins := iter.Ins
@@ -250,6 +272,8 @@
 	}
 
 	fdArray := make(handles, 0)
+	defer closeOnError(&fdArray)
+
 	for {
 		ins := iter.Ins
 
@@ -276,6 +300,11 @@
 			return nil, err
 		}
 
+		idx, err := fdArray.add(module)
+		if err != nil {
+			return nil, err
+		}
+
 		if err := btf.CheckTypeCompatibility(kfm.Type, target.(*btf.Func).Type); err != nil {
 			return nil, &incompatibleKfuncError{kfm.Name, err}
 		}
@@ -285,11 +314,6 @@
 			return nil, err
 		}
 
-		idx, err := fdArray.add(module)
-		if err != nil {
-			return nil, err
-		}
-
 		ins.Constant = int64(id)
 		ins.Offset = int16(idx)
 
diff --git a/vendor/github.com/cilium/ebpf/map.go b/vendor/github.com/cilium/ebpf/map.go
index a11664c..ce945ac 100644
--- a/vendor/github.com/cilium/ebpf/map.go
+++ b/vendor/github.com/cilium/ebpf/map.go
@@ -9,12 +9,14 @@
 	"os"
 	"path/filepath"
 	"reflect"
+	"strings"
 	"time"
 	"unsafe"
 
 	"github.com/cilium/ebpf/btf"
 	"github.com/cilium/ebpf/internal"
 	"github.com/cilium/ebpf/internal/sys"
+	"github.com/cilium/ebpf/internal/sysenc"
 	"github.com/cilium/ebpf/internal/unix"
 )
 
@@ -102,26 +104,55 @@
 	return &cpy
 }
 
-func (ms *MapSpec) clampPerfEventArraySize() error {
-	if ms.Type != PerfEventArray {
-		return nil
+// fixupMagicFields fills fields of MapSpec which are usually
+// left empty in ELF or which depend on runtime information.
+//
+// The method doesn't modify Spec, instead returning a copy.
+// The copy is only performed if fixups are necessary, so callers mustn't mutate
+// the returned spec.
+func (spec *MapSpec) fixupMagicFields() (*MapSpec, error) {
+	switch spec.Type {
+	case ArrayOfMaps, HashOfMaps:
+		if spec.ValueSize != 0 && spec.ValueSize != 4 {
+			return nil, errors.New("ValueSize must be zero or four for map of map")
+		}
+
+		spec = spec.Copy()
+		spec.ValueSize = 4
+
+	case PerfEventArray:
+		if spec.KeySize != 0 && spec.KeySize != 4 {
+			return nil, errors.New("KeySize must be zero or four for perf event array")
+		}
+
+		if spec.ValueSize != 0 && spec.ValueSize != 4 {
+			return nil, errors.New("ValueSize must be zero or four for perf event array")
+		}
+
+		spec = spec.Copy()
+		spec.KeySize = 4
+		spec.ValueSize = 4
+
+		n, err := internal.PossibleCPUs()
+		if err != nil {
+			return nil, fmt.Errorf("fixup perf event array: %w", err)
+		}
+
+		if n := uint32(n); spec.MaxEntries == 0 || spec.MaxEntries > n {
+			// MaxEntries should be zero most of the time, but there is code
+			// out there which hardcodes large constants. Clamp the number
+			// of entries to the number of CPUs at most. Allow creating maps with
+			// less than n items since some kernel selftests relied on this
+			// behaviour in the past.
+			spec.MaxEntries = n
+		}
 	}
 
-	n, err := internal.PossibleCPUs()
-	if err != nil {
-		return fmt.Errorf("perf event array: %w", err)
-	}
-
-	if n := uint32(n); ms.MaxEntries > n {
-		ms.MaxEntries = n
-	}
-
-	return nil
+	return spec, nil
 }
 
 // dataSection returns the contents and BTF Datasec descriptor of the spec.
 func (ms *MapSpec) dataSection() ([]byte, *btf.Datasec, error) {
-
 	if ms.Value == nil {
 		return nil, nil, errMapNoBTFValue
 	}
@@ -155,27 +186,37 @@
 //
 // Returns an error wrapping [ErrMapIncompatible] otherwise.
 func (ms *MapSpec) Compatible(m *Map) error {
-	switch {
-	case m.typ != ms.Type:
-		return fmt.Errorf("expected type %v, got %v: %w", ms.Type, m.typ, ErrMapIncompatible)
-
-	case m.keySize != ms.KeySize:
-		return fmt.Errorf("expected key size %v, got %v: %w", ms.KeySize, m.keySize, ErrMapIncompatible)
-
-	case m.valueSize != ms.ValueSize:
-		return fmt.Errorf("expected value size %v, got %v: %w", ms.ValueSize, m.valueSize, ErrMapIncompatible)
-
-	case !(ms.Type == PerfEventArray && ms.MaxEntries == 0) &&
-		m.maxEntries != ms.MaxEntries:
-		return fmt.Errorf("expected max entries %v, got %v: %w", ms.MaxEntries, m.maxEntries, ErrMapIncompatible)
-
-	// BPF_F_RDONLY_PROG is set unconditionally for devmaps. Explicitly allow
-	// this mismatch.
-	case !((ms.Type == DevMap || ms.Type == DevMapHash) && m.flags^ms.Flags == unix.BPF_F_RDONLY_PROG) &&
-		m.flags != ms.Flags:
-		return fmt.Errorf("expected flags %v, got %v: %w", ms.Flags, m.flags, ErrMapIncompatible)
+	ms, err := ms.fixupMagicFields()
+	if err != nil {
+		return err
 	}
-	return nil
+
+	diffs := []string{}
+	if m.typ != ms.Type {
+		diffs = append(diffs, fmt.Sprintf("Type: %s changed to %s", m.typ, ms.Type))
+	}
+	if m.keySize != ms.KeySize {
+		diffs = append(diffs, fmt.Sprintf("KeySize: %d changed to %d", m.keySize, ms.KeySize))
+	}
+	if m.valueSize != ms.ValueSize {
+		diffs = append(diffs, fmt.Sprintf("ValueSize: %d changed to %d", m.valueSize, ms.ValueSize))
+	}
+	if m.maxEntries != ms.MaxEntries {
+		diffs = append(diffs, fmt.Sprintf("MaxEntries: %d changed to %d", m.maxEntries, ms.MaxEntries))
+	}
+
+	// BPF_F_RDONLY_PROG is set unconditionally for devmaps. Explicitly allow this
+	// mismatch.
+	if !((ms.Type == DevMap || ms.Type == DevMapHash) && m.flags^ms.Flags == unix.BPF_F_RDONLY_PROG) &&
+		m.flags != ms.Flags {
+		diffs = append(diffs, fmt.Sprintf("Flags: %d changed to %d", m.flags, ms.Flags))
+	}
+
+	if len(diffs) == 0 {
+		return nil
+	}
+
+	return fmt.Errorf("%s: %w", strings.Join(diffs, ", "), ErrMapIncompatible)
 }
 
 // Map represents a Map file descriptor.
@@ -350,60 +391,9 @@
 		}
 	}
 
-	switch spec.Type {
-	case ArrayOfMaps, HashOfMaps:
-		if err := haveNestedMaps(); err != nil {
-			return nil, err
-		}
-
-		if spec.ValueSize != 0 && spec.ValueSize != 4 {
-			return nil, errors.New("ValueSize must be zero or four for map of map")
-		}
-
-		spec = spec.Copy()
-		spec.ValueSize = 4
-
-	case PerfEventArray:
-		if spec.KeySize != 0 && spec.KeySize != 4 {
-			return nil, errors.New("KeySize must be zero or four for perf event array")
-		}
-
-		if spec.ValueSize != 0 && spec.ValueSize != 4 {
-			return nil, errors.New("ValueSize must be zero or four for perf event array")
-		}
-
-		spec = spec.Copy()
-		spec.KeySize = 4
-		spec.ValueSize = 4
-
-		if spec.MaxEntries == 0 {
-			n, err := internal.PossibleCPUs()
-			if err != nil {
-				return nil, fmt.Errorf("perf event array: %w", err)
-			}
-			spec.MaxEntries = uint32(n)
-		}
-	}
-
-	if spec.Flags&(unix.BPF_F_RDONLY_PROG|unix.BPF_F_WRONLY_PROG) > 0 || spec.Freeze {
-		if err := haveMapMutabilityModifiers(); err != nil {
-			return nil, fmt.Errorf("map create: %w", err)
-		}
-	}
-	if spec.Flags&unix.BPF_F_MMAPABLE > 0 {
-		if err := haveMmapableMaps(); err != nil {
-			return nil, fmt.Errorf("map create: %w", err)
-		}
-	}
-	if spec.Flags&unix.BPF_F_INNER_MAP > 0 {
-		if err := haveInnerMaps(); err != nil {
-			return nil, fmt.Errorf("map create: %w", err)
-		}
-	}
-	if spec.Flags&unix.BPF_F_NO_PREALLOC > 0 {
-		if err := haveNoPreallocMaps(); err != nil {
-			return nil, fmt.Errorf("map create: %w", err)
-		}
+	spec, err = spec.fixupMagicFields()
+	if err != nil {
+		return nil, err
 	}
 
 	attr := sys.MapCreateAttr{
@@ -440,38 +430,72 @@
 	}
 
 	fd, err := sys.MapCreate(&attr)
+
 	// Some map types don't support BTF k/v in earlier kernel versions.
 	// Remove BTF metadata and retry map creation.
 	if (errors.Is(err, sys.ENOTSUPP) || errors.Is(err, unix.EINVAL)) && attr.BtfFd != 0 {
 		attr.BtfFd, attr.BtfKeyTypeId, attr.BtfValueTypeId = 0, 0, 0
 		fd, err = sys.MapCreate(&attr)
 	}
-
 	if err != nil {
-		if errors.Is(err, unix.EPERM) {
-			return nil, fmt.Errorf("map create: %w (MEMLOCK may be too low, consider rlimit.RemoveMemlock)", err)
-		}
-		if errors.Is(err, unix.EINVAL) && attr.MaxEntries == 0 {
-			return nil, fmt.Errorf("map create: %w (MaxEntries may be incorrectly set to zero)", err)
-		}
-		if errors.Is(err, unix.EINVAL) && spec.Type == UnspecifiedMap {
-			return nil, fmt.Errorf("map create: cannot use type %s", UnspecifiedMap)
-		}
-		if attr.BtfFd == 0 {
-			return nil, fmt.Errorf("map create: %w (without BTF k/v)", err)
-		}
-		return nil, fmt.Errorf("map create: %w", err)
+		return nil, handleMapCreateError(attr, spec, err)
 	}
-	defer closeOnError(fd)
 
+	defer closeOnError(fd)
 	m, err := newMap(fd, spec.Name, spec.Type, spec.KeySize, spec.ValueSize, spec.MaxEntries, spec.Flags)
 	if err != nil {
 		return nil, fmt.Errorf("map create: %w", err)
 	}
-
 	return m, nil
 }
 
+func handleMapCreateError(attr sys.MapCreateAttr, spec *MapSpec, err error) error {
+	if errors.Is(err, unix.EPERM) {
+		return fmt.Errorf("map create: %w (MEMLOCK may be too low, consider rlimit.RemoveMemlock)", err)
+	}
+	if errors.Is(err, unix.EINVAL) && spec.MaxEntries == 0 {
+		return fmt.Errorf("map create: %w (MaxEntries may be incorrectly set to zero)", err)
+	}
+	if errors.Is(err, unix.EINVAL) && spec.Type == UnspecifiedMap {
+		return fmt.Errorf("map create: cannot use type %s", UnspecifiedMap)
+	}
+	if errors.Is(err, unix.EINVAL) && spec.Flags&unix.BPF_F_NO_PREALLOC > 0 {
+		return fmt.Errorf("map create: %w (noPrealloc flag may be incompatible with map type %s)", err, spec.Type)
+	}
+
+	switch spec.Type {
+	case ArrayOfMaps, HashOfMaps:
+		if haveFeatErr := haveNestedMaps(); haveFeatErr != nil {
+			return fmt.Errorf("map create: %w", haveFeatErr)
+		}
+	}
+	if spec.Flags&(unix.BPF_F_RDONLY_PROG|unix.BPF_F_WRONLY_PROG) > 0 || spec.Freeze {
+		if haveFeatErr := haveMapMutabilityModifiers(); haveFeatErr != nil {
+			return fmt.Errorf("map create: %w", haveFeatErr)
+		}
+	}
+	if spec.Flags&unix.BPF_F_MMAPABLE > 0 {
+		if haveFeatErr := haveMmapableMaps(); haveFeatErr != nil {
+			return fmt.Errorf("map create: %w", haveFeatErr)
+		}
+	}
+	if spec.Flags&unix.BPF_F_INNER_MAP > 0 {
+		if haveFeatErr := haveInnerMaps(); haveFeatErr != nil {
+			return fmt.Errorf("map create: %w", haveFeatErr)
+		}
+	}
+	if spec.Flags&unix.BPF_F_NO_PREALLOC > 0 {
+		if haveFeatErr := haveNoPreallocMaps(); haveFeatErr != nil {
+			return fmt.Errorf("map create: %w", haveFeatErr)
+		}
+	}
+	if attr.BtfFd == 0 {
+		return fmt.Errorf("map create: %w (without BTF k/v)", err)
+	}
+
+	return fmt.Errorf("map create: %w", err)
+}
+
 // newMap allocates and returns a new Map structure.
 // Sets the fullValueSize on per-CPU maps.
 func newMap(fd *sys.FD, name string, typ MapType, keySize, valueSize, maxEntries, flags uint32) (*Map, error) {
@@ -568,8 +592,8 @@
 		return m.lookupPerCPU(key, valueOut, flags)
 	}
 
-	valuePtr, valueBytes := makeBuffer(valueOut, m.fullValueSize)
-	if err := m.lookup(key, valuePtr, flags); err != nil {
+	valueBytes := makeMapSyscallOutput(valueOut, m.fullValueSize)
+	if err := m.lookup(key, valueBytes.Pointer(), flags); err != nil {
 		return err
 	}
 
@@ -595,8 +619,8 @@
 		return m.lookupAndDeletePerCPU(key, valueOut, flags)
 	}
 
-	valuePtr, valueBytes := makeBuffer(valueOut, m.fullValueSize)
-	if err := m.lookupAndDelete(key, valuePtr, flags); err != nil {
+	valueBytes := makeMapSyscallOutput(valueOut, m.fullValueSize)
+	if err := m.lookupAndDelete(key, valueBytes.Pointer(), flags); err != nil {
 		return err
 	}
 	return m.unmarshalValue(valueOut, valueBytes)
@@ -764,13 +788,13 @@
 //
 // Returns ErrKeyNotExist if there is no next key.
 func (m *Map) NextKey(key, nextKeyOut interface{}) error {
-	nextKeyPtr, nextKeyBytes := makeBuffer(nextKeyOut, int(m.keySize))
+	nextKeyBytes := makeMapSyscallOutput(nextKeyOut, int(m.keySize))
 
-	if err := m.nextKey(key, nextKeyPtr); err != nil {
+	if err := m.nextKey(key, nextKeyBytes.Pointer()); err != nil {
 		return err
 	}
 
-	if err := m.unmarshalKey(nextKeyOut, nextKeyBytes); err != nil {
+	if err := nextKeyBytes.Unmarshal(nextKeyOut); err != nil {
 		return fmt.Errorf("can't unmarshal next key: %w", err)
 	}
 	return nil
@@ -941,14 +965,14 @@
 	keyPtr := sys.NewSlicePointer(keyBuf)
 	valueBuf := make([]byte, count*int(m.fullValueSize))
 	valuePtr := sys.NewSlicePointer(valueBuf)
-	nextPtr, nextBuf := makeBuffer(nextKeyOut, int(m.keySize))
+	nextBuf := makeMapSyscallOutput(nextKeyOut, int(m.keySize))
 
 	attr := sys.MapLookupBatchAttr{
 		MapFd:    m.fd.Uint(),
 		Keys:     keyPtr,
 		Values:   valuePtr,
 		Count:    uint32(count),
-		OutBatch: nextPtr,
+		OutBatch: nextBuf.Pointer(),
 	}
 
 	if opts != nil {
@@ -958,7 +982,7 @@
 
 	var err error
 	if startKey != nil {
-		attr.InBatch, err = marshalPtr(startKey, int(m.keySize))
+		attr.InBatch, err = marshalMapSyscallInput(startKey, int(m.keySize))
 		if err != nil {
 			return 0, err
 		}
@@ -970,15 +994,15 @@
 		return 0, sysErr
 	}
 
-	err = m.unmarshalKey(nextKeyOut, nextBuf)
+	err = nextBuf.Unmarshal(nextKeyOut)
 	if err != nil {
 		return 0, err
 	}
-	err = unmarshalBytes(keysOut, keyBuf)
+	err = sysenc.Unmarshal(keysOut, keyBuf)
 	if err != nil {
 		return 0, err
 	}
-	err = unmarshalBytes(valuesOut, valueBuf)
+	err = sysenc.Unmarshal(valuesOut, valueBuf)
 	if err != nil {
 		return 0, err
 	}
@@ -991,9 +1015,6 @@
 // "keys" and "values" must be of type slice, a pointer
 // to a slice or buffer will not work.
 func (m *Map) BatchUpdate(keys, values interface{}, opts *BatchOptions) (int, error) {
-	if err := haveBatchAPI(); err != nil {
-		return 0, err
-	}
 	if m.typ.hasPerCPUValue() {
 		return 0, ErrNotSupported
 	}
@@ -1013,11 +1034,11 @@
 	if count != valuesValue.Len() {
 		return 0, fmt.Errorf("keys and values must be the same length")
 	}
-	keyPtr, err := marshalPtr(keys, count*int(m.keySize))
+	keyPtr, err := marshalMapSyscallInput(keys, count*int(m.keySize))
 	if err != nil {
 		return 0, err
 	}
-	valuePtr, err = marshalPtr(values, count*int(m.valueSize))
+	valuePtr, err = marshalMapSyscallInput(values, count*int(m.valueSize))
 	if err != nil {
 		return 0, err
 	}
@@ -1035,6 +1056,9 @@
 
 	err = sys.MapUpdateBatch(&attr)
 	if err != nil {
+		if haveFeatErr := haveBatchAPI(); haveFeatErr != nil {
+			return 0, haveFeatErr
+		}
 		return int(attr.Count), fmt.Errorf("batch update: %w", wrapMapError(err))
 	}
 
@@ -1044,9 +1068,6 @@
 // BatchDelete batch deletes entries in the map by keys.
 // "keys" must be of type slice, a pointer to a slice or buffer will not work.
 func (m *Map) BatchDelete(keys interface{}, opts *BatchOptions) (int, error) {
-	if err := haveBatchAPI(); err != nil {
-		return 0, err
-	}
 	if m.typ.hasPerCPUValue() {
 		return 0, ErrNotSupported
 	}
@@ -1055,7 +1076,7 @@
 		return 0, fmt.Errorf("keys must be a slice")
 	}
 	count := keysValue.Len()
-	keyPtr, err := marshalPtr(keys, count*int(m.keySize))
+	keyPtr, err := marshalMapSyscallInput(keys, count*int(m.keySize))
 	if err != nil {
 		return 0, fmt.Errorf("cannot marshal keys: %v", err)
 	}
@@ -1072,6 +1093,9 @@
 	}
 
 	if err = sys.MapDeleteBatch(&attr); err != nil {
+		if haveFeatErr := haveBatchAPI(); haveFeatErr != nil {
+			return 0, haveFeatErr
+		}
 		return int(attr.Count), fmt.Errorf("batch delete: %w", wrapMapError(err))
 	}
 
@@ -1176,15 +1200,14 @@
 //
 // It makes no changes to kernel-side restrictions.
 func (m *Map) Freeze() error {
-	if err := haveMapMutabilityModifiers(); err != nil {
-		return fmt.Errorf("can't freeze map: %w", err)
-	}
-
 	attr := sys.MapFreezeAttr{
 		MapFd: m.fd.Uint(),
 	}
 
 	if err := sys.MapFreeze(&attr); err != nil {
+		if haveFeatErr := haveMapMutabilityModifiers(); haveFeatErr != nil {
+			return fmt.Errorf("can't freeze map: %w", haveFeatErr)
+		}
 		return fmt.Errorf("can't freeze map: %w", err)
 	}
 	return nil
@@ -1217,16 +1240,7 @@
 		return sys.Pointer{}, errors.New("can't use nil as key of map")
 	}
 
-	return marshalPtr(data, int(m.keySize))
-}
-
-func (m *Map) unmarshalKey(data interface{}, buf []byte) error {
-	if buf == nil {
-		// This is from a makeBuffer call, nothing do do here.
-		return nil
-	}
-
-	return unmarshalBytes(data, buf)
+	return marshalMapSyscallInput(data, int(m.keySize))
 }
 
 func (m *Map) marshalValue(data interface{}) (sys.Pointer, error) {
@@ -1249,7 +1263,7 @@
 		buf, err = marshalProgram(value, int(m.valueSize))
 
 	default:
-		return marshalPtr(data, int(m.valueSize))
+		return marshalMapSyscallInput(data, int(m.valueSize))
 	}
 
 	if err != nil {
@@ -1259,16 +1273,7 @@
 	return sys.NewSlicePointer(buf), nil
 }
 
-func (m *Map) unmarshalValue(value interface{}, buf []byte) error {
-	if buf == nil {
-		// This is from a makeBuffer call, nothing do do here.
-		return nil
-	}
-
-	if m.typ.hasPerCPUValue() {
-		return unmarshalPerCPUValue(value, int(m.valueSize), buf)
-	}
-
+func (m *Map) unmarshalValue(value any, buf sysenc.Buffer) error {
 	switch value := value.(type) {
 	case **Map:
 		if !m.typ.canStoreMap() {
@@ -1315,7 +1320,7 @@
 		return errors.New("require pointer to *Program")
 	}
 
-	return unmarshalBytes(value, buf)
+	return buf.Unmarshal(value)
 }
 
 // LoadPinnedMap loads a Map from a BPF file.
@@ -1337,12 +1342,11 @@
 }
 
 // unmarshalMap creates a map from a map ID encoded in host endianness.
-func unmarshalMap(buf []byte) (*Map, error) {
-	if len(buf) != 4 {
-		return nil, errors.New("map id requires 4 byte value")
+func unmarshalMap(buf sysenc.Buffer) (*Map, error) {
+	var id uint32
+	if err := buf.Unmarshal(&id); err != nil {
+		return nil, err
 	}
-
-	id := internal.NativeEndian.Uint32(buf)
 	return NewMapFromID(MapID(id))
 }
 
@@ -1414,11 +1418,7 @@
 			return false
 		}
 
-		// The user can get access to nextKey since unmarshalBytes
-		// does not copy when unmarshaling into a []byte.
-		// Make a copy to prevent accidental corruption of
-		// iterator state.
-		copy(mi.curKey, nextKey)
+		mi.curKey = nextKey
 
 		mi.count++
 		mi.err = mi.target.Lookup(nextKey, valueOut)
@@ -1438,7 +1438,12 @@
 			return false
 		}
 
-		mi.err = mi.target.unmarshalKey(keyOut, nextKey)
+		if ptr, ok := keyOut.(unsafe.Pointer); ok {
+			copy(unsafe.Slice((*byte)(ptr), len(nextKey)), nextKey)
+		} else {
+			mi.err = sysenc.Unmarshal(keyOut, nextKey)
+		}
+
 		return mi.err == nil
 	}
 
diff --git a/vendor/github.com/cilium/ebpf/marshalers.go b/vendor/github.com/cilium/ebpf/marshalers.go
index a568bff..e89a12f 100644
--- a/vendor/github.com/cilium/ebpf/marshalers.go
+++ b/vendor/github.com/cilium/ebpf/marshalers.go
@@ -1,166 +1,53 @@
 package ebpf
 
 import (
-	"bytes"
 	"encoding"
-	"encoding/binary"
 	"errors"
 	"fmt"
 	"reflect"
-	"runtime"
-	"sync"
 	"unsafe"
 
 	"github.com/cilium/ebpf/internal"
 	"github.com/cilium/ebpf/internal/sys"
+	"github.com/cilium/ebpf/internal/sysenc"
 )
 
-// marshalPtr converts an arbitrary value into a pointer suitable
+// marshalMapSyscallInput converts an arbitrary value into a pointer suitable
 // to be passed to the kernel.
 //
 // As an optimization, it returns the original value if it is an
 // unsafe.Pointer.
-func marshalPtr(data interface{}, length int) (sys.Pointer, error) {
+func marshalMapSyscallInput(data any, length int) (sys.Pointer, error) {
 	if ptr, ok := data.(unsafe.Pointer); ok {
 		return sys.NewPointer(ptr), nil
 	}
 
-	buf, err := marshalBytes(data, length)
+	buf, err := sysenc.Marshal(data, length)
 	if err != nil {
 		return sys.Pointer{}, err
 	}
 
-	return sys.NewSlicePointer(buf), nil
+	return buf.Pointer(), nil
 }
 
-// marshalBytes converts an arbitrary value into a byte buffer.
-//
-// Prefer using Map.marshalKey and Map.marshalValue if possible, since
-// those have special cases that allow more types to be encoded.
-//
-// Returns an error if the given value isn't representable in exactly
-// length bytes.
-func marshalBytes(data interface{}, length int) (buf []byte, err error) {
-	if data == nil {
-		return nil, errors.New("can't marshal a nil value")
-	}
-
-	switch value := data.(type) {
-	case encoding.BinaryMarshaler:
-		buf, err = value.MarshalBinary()
-	case string:
-		buf = []byte(value)
-	case []byte:
-		buf = value
-	case unsafe.Pointer:
-		err = errors.New("can't marshal from unsafe.Pointer")
-	case Map, *Map, Program, *Program:
-		err = fmt.Errorf("can't marshal %T", value)
-	default:
-		wr := internal.NewBuffer(make([]byte, 0, length))
-		defer internal.PutBuffer(wr)
-
-		err = binary.Write(wr, internal.NativeEndian, value)
-		if err != nil {
-			err = fmt.Errorf("encoding %T: %v", value, err)
-		}
-		buf = wr.Bytes()
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	if len(buf) != length {
-		return nil, fmt.Errorf("%T doesn't marshal to %d bytes", data, length)
-	}
-	return buf, nil
-}
-
-func makeBuffer(dst interface{}, length int) (sys.Pointer, []byte) {
+func makeMapSyscallOutput(dst any, length int) sysenc.Buffer {
 	if ptr, ok := dst.(unsafe.Pointer); ok {
-		return sys.NewPointer(ptr), nil
+		return sysenc.UnsafeBuffer(ptr)
 	}
 
-	buf := make([]byte, length)
-	return sys.NewSlicePointer(buf), buf
-}
-
-var bytesReaderPool = sync.Pool{
-	New: func() interface{} {
-		return new(bytes.Reader)
-	},
-}
-
-// unmarshalBytes converts a byte buffer into an arbitrary value.
-//
-// Prefer using Map.unmarshalKey and Map.unmarshalValue if possible, since
-// those have special cases that allow more types to be encoded.
-//
-// The common int32 and int64 types are directly handled to avoid
-// unnecessary heap allocations as happening in the default case.
-func unmarshalBytes(data interface{}, buf []byte) error {
-	switch value := data.(type) {
-	case unsafe.Pointer:
-		dst := unsafe.Slice((*byte)(value), len(buf))
-		copy(dst, buf)
-		runtime.KeepAlive(value)
-		return nil
-	case Map, *Map, Program, *Program:
-		return fmt.Errorf("can't unmarshal into %T", value)
-	case encoding.BinaryUnmarshaler:
-		return value.UnmarshalBinary(buf)
-	case *string:
-		*value = string(buf)
-		return nil
-	case *[]byte:
-		*value = buf
-		return nil
-	case *int32:
-		if len(buf) < 4 {
-			return errors.New("int32 requires 4 bytes")
-		}
-		*value = int32(internal.NativeEndian.Uint32(buf))
-		return nil
-	case *uint32:
-		if len(buf) < 4 {
-			return errors.New("uint32 requires 4 bytes")
-		}
-		*value = internal.NativeEndian.Uint32(buf)
-		return nil
-	case *int64:
-		if len(buf) < 8 {
-			return errors.New("int64 requires 8 bytes")
-		}
-		*value = int64(internal.NativeEndian.Uint64(buf))
-		return nil
-	case *uint64:
-		if len(buf) < 8 {
-			return errors.New("uint64 requires 8 bytes")
-		}
-		*value = internal.NativeEndian.Uint64(buf)
-		return nil
-	case string:
-		return errors.New("require pointer to string")
-	case []byte:
-		return errors.New("require pointer to []byte")
-	default:
-		rd := bytesReaderPool.Get().(*bytes.Reader)
-		rd.Reset(buf)
-		defer bytesReaderPool.Put(rd)
-		if err := binary.Read(rd, internal.NativeEndian, value); err != nil {
-			return fmt.Errorf("decoding %T: %v", value, err)
-		}
-		return nil
+	_, ok := dst.(encoding.BinaryUnmarshaler)
+	if ok {
+		return sysenc.SyscallOutput(nil, length)
 	}
+
+	return sysenc.SyscallOutput(dst, length)
 }
 
 // marshalPerCPUValue encodes a slice containing one value per
 // possible CPU into a buffer of bytes.
 //
 // Values are initialized to zero if the slice has less elements than CPUs.
-//
-// slice must have a type like []elementType.
-func marshalPerCPUValue(slice interface{}, elemLength int) (sys.Pointer, error) {
+func marshalPerCPUValue(slice any, elemLength int) (sys.Pointer, error) {
 	sliceType := reflect.TypeOf(slice)
 	if sliceType.Kind() != reflect.Slice {
 		return sys.Pointer{}, errors.New("per-CPU value requires slice")
@@ -182,13 +69,13 @@
 
 	for i := 0; i < sliceLen; i++ {
 		elem := sliceValue.Index(i).Interface()
-		elemBytes, err := marshalBytes(elem, elemLength)
+		elemBytes, err := sysenc.Marshal(elem, elemLength)
 		if err != nil {
 			return sys.Pointer{}, err
 		}
 
 		offset := i * alignedElemLength
-		copy(buf[offset:offset+elemLength], elemBytes)
+		elemBytes.CopyTo(buf[offset : offset+elemLength])
 	}
 
 	return sys.NewSlicePointer(buf), nil
@@ -197,8 +84,8 @@
 // unmarshalPerCPUValue decodes a buffer into a slice containing one value per
 // possible CPU.
 //
-// valueOut must have a type like *[]elementType
-func unmarshalPerCPUValue(slicePtr interface{}, elemLength int, buf []byte) error {
+// slicePtr must be a pointer to a slice.
+func unmarshalPerCPUValue(slicePtr any, elemLength int, buf []byte) error {
 	slicePtrType := reflect.TypeOf(slicePtr)
 	if slicePtrType.Kind() != reflect.Ptr || slicePtrType.Elem().Kind() != reflect.Slice {
 		return fmt.Errorf("per-cpu value requires pointer to slice")
@@ -218,12 +105,9 @@
 		sliceElemType = sliceElemType.Elem()
 	}
 
-	step := len(buf) / possibleCPUs
-	if step < elemLength {
-		return fmt.Errorf("per-cpu element length is larger than available data")
-	}
+	stride := internal.Align(elemLength, 8)
 	for i := 0; i < possibleCPUs; i++ {
-		var elem interface{}
+		var elem any
 		if sliceElemIsPointer {
 			newElem := reflect.New(sliceElemType)
 			slice.Index(i).Set(newElem)
@@ -232,16 +116,12 @@
 			elem = slice.Index(i).Addr().Interface()
 		}
 
-		// Make a copy, since unmarshal can hold on to itemBytes
-		elemBytes := make([]byte, elemLength)
-		copy(elemBytes, buf[:elemLength])
-
-		err := unmarshalBytes(elem, elemBytes)
+		err := sysenc.Unmarshal(elem, buf[:elemLength])
 		if err != nil {
 			return fmt.Errorf("cpu %d: %w", i, err)
 		}
 
-		buf = buf[step:]
+		buf = buf[stride:]
 	}
 
 	reflect.ValueOf(slicePtr).Elem().Set(slice)
diff --git a/vendor/github.com/cilium/ebpf/netlify.toml b/vendor/github.com/cilium/ebpf/netlify.toml
new file mode 100644
index 0000000..67c83f3
--- /dev/null
+++ b/vendor/github.com/cilium/ebpf/netlify.toml
@@ -0,0 +1,4 @@
+[build]
+  base = "docs/"
+  publish = "site/"
+  command = "mkdocs build"
diff --git a/vendor/github.com/cilium/ebpf/prog.go b/vendor/github.com/cilium/ebpf/prog.go
index 70aaef5..6d46a04 100644
--- a/vendor/github.com/cilium/ebpf/prog.go
+++ b/vendor/github.com/cilium/ebpf/prog.go
@@ -16,6 +16,7 @@
 	"github.com/cilium/ebpf/btf"
 	"github.com/cilium/ebpf/internal"
 	"github.com/cilium/ebpf/internal/sys"
+	"github.com/cilium/ebpf/internal/sysenc"
 	"github.com/cilium/ebpf/internal/unix"
 )
 
@@ -277,7 +278,7 @@
 	if err != nil {
 		return nil, fmt.Errorf("fixing up kfuncs: %w", err)
 	}
-	defer handles.close()
+	defer handles.Close()
 
 	if len(handles) > 0 {
 		fdArray := handles.fdArray()
@@ -763,14 +764,14 @@
 	return attr.Retval, total, nil
 }
 
-func unmarshalProgram(buf []byte) (*Program, error) {
-	if len(buf) != 4 {
-		return nil, errors.New("program id requires 4 byte value")
+func unmarshalProgram(buf sysenc.Buffer) (*Program, error) {
+	var id uint32
+	if err := buf.Unmarshal(&id); err != nil {
+		return nil, err
 	}
 
 	// Looking up an entry in a nested map or prog array returns an id,
 	// not an fd.
-	id := internal.NativeEndian.Uint32(buf)
 	return NewProgramFromID(ProgramID(id))
 }
 
@@ -921,7 +922,12 @@
 	}
 
 	id, err := spec.TypeID(target)
-	return module, id, err
+	if err != nil {
+		module.Close()
+		return nil, 0, err
+	}
+
+	return module, id, nil
 }
 
 // findTargetInKernel attempts to find a named type in the current kernel.
@@ -999,7 +1005,9 @@
 
 	var typeName string
 	switch (match{progType, attachType}) {
-	case match{Extension, AttachNone}:
+	case match{Extension, AttachNone},
+		match{Tracing, AttachTraceFEntry},
+		match{Tracing, AttachTraceFExit}:
 		typeName = name
 	default:
 		return 0, errUnrecognizedAttachType
diff --git a/vendor/github.com/cilium/ebpf/run-tests.sh b/vendor/github.com/cilium/ebpf/run-tests.sh
index 1d1490a..629a069 100644
--- a/vendor/github.com/cilium/ebpf/run-tests.sh
+++ b/vendor/github.com/cilium/ebpf/run-tests.sh
@@ -14,6 +14,21 @@
 script="$(realpath "$0")"
 readonly script
 
+quote_env() {
+  for var in "$@"; do
+    if [ -v "$var" ]; then
+      printf "%s=%q " "$var" "${!var}"
+    fi
+  done
+}
+
+declare -a preserved_env=(
+  PATH
+  CI_MAX_KERNEL_VERSION
+  TEST_SEED
+  KERNEL_VERSION
+)
+
 # This script is a bit like a Matryoshka doll since it keeps re-executing itself
 # in various different contexts:
 #
@@ -51,11 +66,11 @@
   fi
 
   for ((i = 0; i < 3; i++)); do
-    if ! $sudo virtme-run --kimg "${input}/bzImage" --memory 768M --pwd \
+    if ! $sudo virtme-run --kimg "${input}/boot/vmlinuz" --memory 768M --pwd \
       --rwdir="${testdir}=${testdir}" \
       --rodir=/run/input="${input}" \
       --rwdir=/run/output="${output}" \
-      --script-sh "PATH=\"$PATH\" CI_MAX_KERNEL_VERSION="${CI_MAX_KERNEL_VERSION:-}" \"$script\" --exec-test $cmd" \
+      --script-sh "$(quote_env "${preserved_env[@]}") \"$script\" --exec-test $cmd" \
       --kopt possible_cpus=2; then # need at least two CPUs for some tests
       exit 23
     fi
@@ -85,8 +100,8 @@
     export KERNEL_SELFTESTS="/run/input/bpf"
   fi
 
-  if [[ -f "/run/input/bpf/bpf_testmod/bpf_testmod.ko" ]]; then
-    insmod "/run/input/bpf/bpf_testmod/bpf_testmod.ko"
+  if [[ -d "/run/input/lib/modules" ]]; then
+    find /run/input/lib/modules -type f -name bpf_testmod.ko -exec insmod {} \;
   fi
 
   dmesg --clear
@@ -114,6 +129,9 @@
     return $ret
 }
 
+machine="$(uname -m)"
+readonly machine
+
 if [[ -f "${1}" ]]; then
   readonly kernel="${1}"
   cp "${1}" "${input}/bzImage"
@@ -121,16 +139,24 @@
 # LINUX_VERSION_CODE test compares this to discovered value.
   export KERNEL_VERSION="${1}"
 
-  readonly kernel="linux-${1}.bz"
-  readonly selftests="linux-${1}-selftests-bpf.tgz"
+  if [ "${machine}" = "x86_64" ]; then
+    readonly kernel="linux-${1}-amd64.tgz"
+    readonly selftests="linux-${1}-amd64-selftests-bpf.tgz"
+  elif [ "${machine}" = "aarch64" ]; then
+    readonly kernel="linux-${1}-arm64.tgz"
+    readonly selftests=""
+  else
+    echo "Arch ${machine} is not supported"
+    exit 1
+  fi
 
   fetch "${kernel}"
-  cp "${tmp_dir}/${kernel}" "${input}/bzImage"
+  tar xf "${tmp_dir}/${kernel}" -C "${input}"
 
-  if fetch "${selftests}"; then
+  if [ -n "${selftests}" ] && fetch "${selftests}"; then
     echo "Decompressing selftests"
     mkdir "${input}/bpf"
-    tar --strip-components=4 -xf "${tmp_dir}/${selftests}" -C "${input}/bpf"
+    tar --strip-components=5 -xf "${tmp_dir}/${selftests}" -C "${input}/bpf"
   else
     echo "No selftests found, disabling"
   fi
diff --git a/vendor/github.com/cilium/ebpf/syscalls.go b/vendor/github.com/cilium/ebpf/syscalls.go
index fd21dea..cdf1fcf 100644
--- a/vendor/github.com/cilium/ebpf/syscalls.go
+++ b/vendor/github.com/cilium/ebpf/syscalls.go
@@ -119,6 +119,7 @@
 		MaxEntries: 1,
 		MapFlags:   unix.BPF_F_INNER_MAP,
 	})
+
 	if err != nil {
 		return internal.ErrNotSupported
 	}
@@ -135,6 +136,7 @@
 		MaxEntries: 1,
 		MapFlags:   unix.BPF_F_NO_PREALLOC,
 	})
+
 	if err != nil {
 		return internal.ErrNotSupported
 	}
@@ -223,8 +225,8 @@
 
 	keys := []uint32{1, 2}
 	values := []uint32{3, 4}
-	kp, _ := marshalPtr(keys, 8)
-	vp, _ := marshalPtr(values, 8)
+	kp, _ := marshalMapSyscallInput(keys, 8)
+	vp, _ := marshalMapSyscallInput(values, 8)
 
 	err = sys.MapUpdateBatch(&sys.MapUpdateBatchAttr{
 		MapFd:  fd.Uint(),
@@ -265,11 +267,8 @@
 	}
 
 	fd, err := progLoad(insns, SocketFilter, "MIT")
-	if errors.Is(err, unix.EINVAL) {
-		return internal.ErrNotSupported
-	}
 	if err != nil {
-		return err
+		return internal.ErrNotSupported
 	}
 	_ = fd.Close()
 	return nil
diff --git a/vendor/github.com/cilium/ebpf/types.go b/vendor/github.com/cilium/ebpf/types.go
index 35927e2..e921551 100644
--- a/vendor/github.com/cilium/ebpf/types.go
+++ b/vendor/github.com/cilium/ebpf/types.go
@@ -5,7 +5,7 @@
 	"github.com/cilium/ebpf/internal/unix"
 )
 
-//go:generate stringer -output types_string.go -type=MapType,ProgramType,PinType
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -output types_string.go -type=MapType,ProgramType,PinType
 
 // MapType indicates the type map structure
 // that will be initialized in the kernel.
@@ -44,7 +44,7 @@
 	// if an skb is from a socket belonging to a specific cgroup
 	CGroupArray
 	// LRUHash - This allows you to create a small hash structure that will purge the
-	// least recently used items rather than thow an error when you run out of memory
+	// least recently used items rather than throw an error when you run out of memory
 	LRUHash
 	// LRUCPUHash - This is NOT like PerCPUHash, this structure is shared among the CPUs,
 	// it has more to do with including the CPU id with the LRU calculation so that if a
@@ -102,6 +102,12 @@
 	return mt == PerCPUHash || mt == PerCPUArray || mt == LRUCPUHash || mt == PerCPUCGroupStorage
 }
 
+// canStoreMapOrProgram returns true if the Map stores references to another Map
+// or Program.
+func (mt MapType) canStoreMapOrProgram() bool {
+	return mt.canStoreMap() || mt.canStoreProgram()
+}
+
 // canStoreMap returns true if the map type accepts a map fd
 // for update and returns a map id for lookup.
 func (mt MapType) canStoreMap() bool {
@@ -158,7 +164,7 @@
 // Will cause invalid argument (EINVAL) at program load time if set incorrectly.
 type AttachType uint32
 
-//go:generate stringer -type AttachType -trimprefix Attach
+//go:generate go run golang.org/x/tools/cmd/stringer@latest -type AttachType -trimprefix Attach
 
 // AttachNone is an alias for AttachCGroupInetIngress for readability reasons.
 const AttachNone AttachType = 0
@@ -213,7 +219,7 @@
 type AttachFlags uint32
 
 // PinType determines whether a map is pinned into a BPFFS.
-type PinType int
+type PinType uint32
 
 // Valid pin types.
 //
diff --git a/vendor/github.com/cilium/ebpf/types_string.go b/vendor/github.com/cilium/ebpf/types_string.go
index 5679f22..e20c37a 100644
--- a/vendor/github.com/cilium/ebpf/types_string.go
+++ b/vendor/github.com/cilium/ebpf/types_string.go
@@ -111,7 +111,7 @@
 var _PinType_index = [...]uint8{0, 7, 16}
 
 func (i PinType) String() string {
-	if i < 0 || i >= PinType(len(_PinType_index)-1) {
+	if i >= PinType(len(_PinType_index)-1) {
 		return "PinType(" + strconv.FormatInt(int64(i), 10) + ")"
 	}
 	return _PinType_name[_PinType_index[i]:_PinType_index[i+1]]
diff --git a/vendor/github.com/containerd/containerd/RELEASES.md b/vendor/github.com/containerd/containerd/RELEASES.md
index 26855b2..f2968c4 100644
--- a/vendor/github.com/containerd/containerd/RELEASES.md
+++ b/vendor/github.com/containerd/containerd/RELEASES.md
@@ -394,6 +394,9 @@
 |`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `auths`                      | containerd v1.3     | containerd v2.0            | Use [`ImagePullSecrets`](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). See also [#8228](https://github.com/containerd/containerd/issues/8228). |
 |`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `configs`                    | containerd v1.5     | containerd v2.0            | Use [`config_path`](./docs/hosts.md)            |
 |`[plugins."io.containerd.grpc.v1.cri".registry]`                      | `mirrors`                    | containerd v1.5     | containerd v2.0            | Use [`config_path`](./docs/hosts.md)            |
+|`[plugins."io.containerd.tracing.processor.v1.otlp"]`                 | `endpoint`, `protocol`, `insecure` | containerd v1.6.29 | containerd v2.0       | Use [OTLP environment variables](https://opentelemetry.io/docs/specs/otel/protocol/exporter/), e.g. OTEL_EXPORTER_OTLP_TRACES_ENDPOINT, OTEL_EXPORTER_OTLP_PROTOCOL, OTEL_SDK_DISABLED    |
+|`[plugins."io.containerd.internal.v1.tracing"]`                       | `service_name`, `sampling_ratio`   | containerd v1.6.29 | containerd v2.0       | Instead use [OTel environment variables](https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/), e.g. OTEL_SERVICE_NAME, OTEL_TRACES_SAMPLER*  |
+
 
 > **Note**
 >
diff --git a/vendor/github.com/containerd/containerd/Vagrantfile b/vendor/github.com/containerd/containerd/Vagrantfile
index 9631d97..e153035 100644
--- a/vendor/github.com/containerd/containerd/Vagrantfile
+++ b/vendor/github.com/containerd/containerd/Vagrantfile
@@ -102,7 +102,7 @@
   config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
     sh.upload_path = "/tmp/vagrant-install-golang"
     sh.env = {
-        'GO_VERSION': ENV['GO_VERSION'] || "1.21.8",
+        'GO_VERSION': ENV['GO_VERSION'] || "1.21.9",
     }
     sh.inline = <<~SHELL
         #!/usr/bin/env bash
diff --git a/vendor/github.com/containerd/containerd/images/archive/exporter.go b/vendor/github.com/containerd/containerd/images/archive/exporter.go
index 1f17a3c..8513e9a 100644
--- a/vendor/github.com/containerd/containerd/images/archive/exporter.go
+++ b/vendor/github.com/containerd/containerd/images/archive/exporter.go
@@ -471,6 +471,7 @@
 		Versioned: ocispecs.Versioned{
 			SchemaVersion: 2,
 		},
+		MediaType: ocispec.MediaTypeImageIndex,
 		Manifests: manifests,
 	}
 
diff --git a/vendor/github.com/containerd/containerd/pkg/deprecation/deprecation.go b/vendor/github.com/containerd/containerd/pkg/deprecation/deprecation.go
index 3d87b01..06fda06 100644
--- a/vendor/github.com/containerd/containerd/pkg/deprecation/deprecation.go
+++ b/vendor/github.com/containerd/containerd/pkg/deprecation/deprecation.go
@@ -53,6 +53,10 @@
 	RuntimeRuncV1 Warning = Prefix + "runtime-runc-v1"
 	// CRICRIUPath is a warning for the use of the `CriuPath` property
 	CRICRIUPath Warning = Prefix + "cri-criu-path"
+	// OTLPTracingConfig is a warning for the use of the `otlp` property
+	TracingOTLPConfig Warning = Prefix + "tracing-processor-config"
+	// TracingServiceConfig is a warning for the use of the `tracing` property
+	TracingServiceConfig Warning = Prefix + "tracing-service-config"
 )
 
 var messages = map[Warning]string{
@@ -82,6 +86,10 @@
 	RuntimeRuncV1:   "The `io.containerd.runc.v1` runtime is deprecated since containerd v1.4 and removed in containerd v2.0. Use the `io.containerd.runc.v2` runtime instead.",
 	CRICRIUPath: "The `CriuPath` property of `[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.*.options]` is deprecated since containerd v1.7 and will be removed in containerd v2.0. " +
 		"Use a criu binary in $PATH instead.",
+	TracingOTLPConfig: "The `otlp` property of `[plugins.\"io.containerd.tracing.processor.v1\".otlp]` is deprecated since containerd v1.6 and will be removed in containerd v2.0." +
+		"Use OTLP environment variables instead: https://opentelemetry.io/docs/specs/otel/protocol/exporter/",
+	TracingServiceConfig: "The `tracing` property of `[plugins.\"io.containerd.internal.v1\".tracing]` is deprecated since containerd v1.6 and will be removed in containerd v2.0." +
+		"Use OTEL environment variables instead: https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/",
 }
 
 // Valid checks whether a given Warning is valid
diff --git a/vendor/github.com/containerd/containerd/plugin/plugin.go b/vendor/github.com/containerd/containerd/plugin/plugin.go
index f1be877..7c854fd 100644
--- a/vendor/github.com/containerd/containerd/plugin/plugin.go
+++ b/vendor/github.com/containerd/containerd/plugin/plugin.go
@@ -104,6 +104,10 @@
 	DeprecationsPlugin = "deprecations"
 )
 
+const (
+	SnapshotterRootDir = "root"
+)
+
 // Registration contains information for registering a plugin
 type Registration struct {
 	// Type of the plugin
diff --git a/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go b/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
index 9b3663c..ebd69c1 100644
--- a/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/authorizer.go
@@ -148,9 +148,11 @@
 	defer a.mu.Unlock()
 	for _, c := range auth.ParseAuthHeader(last.Header) {
 		if c.Scheme == auth.BearerAuth {
-			if err := invalidAuthorization(c, responses); err != nil {
+			if retry, err := invalidAuthorization(ctx, c, responses); err != nil {
 				delete(a.handlers, host)
 				return err
+			} else if retry {
+				delete(a.handlers, host)
 			}
 
 			// reuse existing handler
@@ -328,18 +330,24 @@
 	return resp.Token, resp.RefreshToken, nil
 }
 
-func invalidAuthorization(c auth.Challenge, responses []*http.Response) error {
+func invalidAuthorization(ctx context.Context, c auth.Challenge, responses []*http.Response) (retry bool, _ error) {
 	errStr := c.Parameters["error"]
 	if errStr == "" {
-		return nil
+		return retry, nil
 	}
 
 	n := len(responses)
 	if n == 1 || (n > 1 && !sameRequest(responses[n-2].Request, responses[n-1].Request)) {
-		return nil
+		limitedErr := errStr
+		errLenghLimit := 64
+		if len(limitedErr) > errLenghLimit {
+			limitedErr = limitedErr[:errLenghLimit] + "..."
+		}
+		log.G(ctx).WithField("error", limitedErr).Debug("authorization error using bearer token, retrying")
+		return true, nil
 	}
 
-	return fmt.Errorf("server message: %s: %w", errStr, ErrInvalidAuthorization)
+	return retry, fmt.Errorf("server message: %s: %w", errStr, ErrInvalidAuthorization)
 }
 
 func sameRequest(r1, r2 *http.Request) bool {
diff --git a/vendor/github.com/containerd/containerd/remotes/docker/resolver.go b/vendor/github.com/containerd/containerd/remotes/docker/resolver.go
index cca4ca6..ce1f646 100644
--- a/vendor/github.com/containerd/containerd/remotes/docker/resolver.go
+++ b/vendor/github.com/containerd/containerd/remotes/docker/resolver.go
@@ -704,9 +704,71 @@
 	return ip.IsLoopback()
 }
 
+// NewHTTPFallback returns http.RoundTripper which allows fallback from https to
+// http for registry endpoints with configurations for both http and TLS,
+// such as defaulted localhost endpoints.
+func NewHTTPFallback(transport http.RoundTripper) http.RoundTripper {
+	return &httpFallback{
+		super: transport,
+	}
+}
+
+type httpFallback struct {
+	super http.RoundTripper
+	host  string
+}
+
+func (f *httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {
+	// only fall back if the same host had previously fell back
+	if f.host != r.URL.Host {
+		resp, err := f.super.RoundTrip(r)
+		if !isTLSError(err) {
+			return resp, err
+		}
+	}
+
+	plainHTTPUrl := *r.URL
+	plainHTTPUrl.Scheme = "http"
+
+	plainHTTPRequest := *r
+	plainHTTPRequest.URL = &plainHTTPUrl
+
+	if f.host != r.URL.Host {
+		f.host = r.URL.Host
+
+		// update body on the second attempt
+		if r.Body != nil && r.GetBody != nil {
+			body, err := r.GetBody()
+			if err != nil {
+				return nil, err
+			}
+			plainHTTPRequest.Body = body
+		}
+	}
+
+	return f.super.RoundTrip(&plainHTTPRequest)
+}
+
+func isTLSError(err error) bool {
+	if err == nil {
+		return false
+	}
+	var tlsErr tls.RecordHeaderError
+	if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {
+		return true
+	}
+	if strings.Contains(err.Error(), "TLS handshake timeout") {
+		return true
+	}
+
+	return false
+}
+
 // HTTPFallback is an http.RoundTripper which allows fallback from https to http
 // for registry endpoints with configurations for both http and TLS, such as
 // defaulted localhost endpoints.
+//
+// Deprecated: Use NewHTTPFallback instead.
 type HTTPFallback struct {
 	http.RoundTripper
 }
@@ -722,6 +784,14 @@
 		plainHTTPRequest := *r
 		plainHTTPRequest.URL = &plainHTTPUrl
 
+		if r.Body != nil && r.GetBody != nil {
+			body, err := r.GetBody()
+			if err != nil {
+				return nil, err
+			}
+			plainHTTPRequest.Body = body
+		}
+
 		return f.RoundTripper.RoundTrip(&plainHTTPRequest)
 	}
 
diff --git a/vendor/github.com/containerd/containerd/services/server/config/config.go b/vendor/github.com/containerd/containerd/services/server/config/config.go
index 9a6f39d..9b4b046 100644
--- a/vendor/github.com/containerd/containerd/services/server/config/config.go
+++ b/vendor/github.com/containerd/containerd/services/server/config/config.go
@@ -164,8 +164,10 @@
 
 // ProxyPlugin provides a proxy plugin configuration
 type ProxyPlugin struct {
-	Type    string `toml:"type"`
-	Address string `toml:"address"`
+	Type     string            `toml:"type"`
+	Address  string            `toml:"address"`
+	Platform string            `toml:"platform"`
+	Exports  map[string]string `toml:"exports"`
 }
 
 // Decode unmarshals a plugin specific configuration by plugin id
@@ -251,13 +253,18 @@
 }
 
 // resolveImports resolves import strings list to absolute paths list:
-// - If path contains *, glob pattern matching applied
 // - Non abs path is relative to parent config file directory
+// - If path contains *, glob pattern matching applied
 // - Abs paths returned as is
 func resolveImports(parent string, imports []string) ([]string, error) {
 	var out []string
 
 	for _, path := range imports {
+		path := filepath.Clean(path)
+		if !filepath.IsAbs(path) {
+			path = filepath.Join(filepath.Dir(parent), path)
+		}
+
 		if strings.Contains(path, "*") {
 			matches, err := filepath.Glob(path)
 			if err != nil {
@@ -266,11 +273,6 @@
 
 			out = append(out, matches...)
 		} else {
-			path = filepath.Clean(path)
-			if !filepath.IsAbs(path) {
-				path = filepath.Join(filepath.Dir(parent), path)
-			}
-
 			out = append(out, path)
 		}
 	}
diff --git a/vendor/github.com/containerd/containerd/version/version.go b/vendor/github.com/containerd/containerd/version/version.go
index a5dac0e..8a9eb5d 100644
--- a/vendor/github.com/containerd/containerd/version/version.go
+++ b/vendor/github.com/containerd/containerd/version/version.go
@@ -23,7 +23,7 @@
 	Package = "github.com/containerd/containerd"
 
 	// Version holds the complete version number. Filled in at linking time.
-	Version = "1.7.14+unknown"
+	Version = "1.7.16+unknown"
 
 	// Revision is filled with the VCS (e.g. git) revision being used to build
 	// the program at linking time.
diff --git a/vendor/github.com/moby/swarmkit/v2/api/api.pb.txt b/vendor/github.com/moby/swarmkit/v2/api/api.pb.txt
index 80c9eee..aa53182 100644
--- a/vendor/github.com/moby/swarmkit/v2/api/api.pb.txt
+++ b/vendor/github.com/moby/swarmkit/v2/api/api.pb.txt
@@ -2729,6 +2729,16 @@
         type_name: ".docker.swarmkit.v1.Driver"
         json_name: "driverConfig"
       }
+      field {
+        name: "subpath"
+        number: 4
+        label: LABEL_OPTIONAL
+        type: TYPE_STRING
+        options {
+          65004: "Subpath"
+        }
+        json_name: "subpath"
+      }
       nested_type {
         name: "LabelsEntry"
         field {
diff --git a/vendor/github.com/moby/swarmkit/v2/api/types.pb.go b/vendor/github.com/moby/swarmkit/v2/api/types.pb.go
index 61a544a..8fe2107 100644
--- a/vendor/github.com/moby/swarmkit/v2/api/types.pb.go
+++ b/vendor/github.com/moby/swarmkit/v2/api/types.pb.go
@@ -1756,6 +1756,8 @@
 	//
 	// If this is empty, no volume will be created if the volume is missing.
 	DriverConfig *Driver `protobuf:"bytes,3,opt,name=driver_config,json=driverConfig,proto3" json:"driver_config,omitempty"`
+	// subpath inside the volume to mount.
+	Subpath string `protobuf:"bytes,4,opt,name=subpath,proto3" json:"subpath,omitempty"`
 }
 
 func (m *Mount_VolumeOptions) Reset()      { *m = Mount_VolumeOptions{} }
@@ -5159,418 +5161,419 @@
 }
 
 var fileDescriptor_0b5eafd0404ded3d = []byte{
-	// 6575 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x7b, 0x5d, 0x6c, 0x24, 0x47,
-	0x7a, 0x18, 0xe7, 0x97, 0x33, 0xdf, 0x0c, 0xc9, 0xde, 0x22, 0x45, 0x71, 0x47, 0x2b, 0x92, 0x6a,
-	0x69, 0x4f, 0xab, 0x95, 0x8e, 0xbb, 0x5a, 0xe9, 0x94, 0x95, 0x74, 0x3a, 0xed, 0xfc, 0x71, 0x39,
-	0x5a, 0x72, 0x66, 0x50, 0x33, 0xdc, 0x3d, 0x1d, 0x90, 0xeb, 0x34, 0xbb, 0x8b, 0xc3, 0xd6, 0xf6,
-	0x74, 0x77, 0xba, 0x7b, 0xc8, 0x65, 0x2e, 0x41, 0xf4, 0x94, 0x0b, 0x08, 0x04, 0x49, 0x10, 0xe0,
-	0x72, 0x41, 0x42, 0x24, 0x48, 0x2e, 0x40, 0x80, 0x7b, 0xc8, 0x43, 0x1e, 0x02, 0x1b, 0x7e, 0x90,
-	0x01, 0xc3, 0x38, 0x3f, 0xf9, 0xce, 0x67, 0xd8, 0x87, 0xb3, 0x41, 0xfb, 0x78, 0x2f, 0x7e, 0x31,
-	0xec, 0x17, 0xc3, 0x7e, 0xf0, 0x83, 0x51, 0x7f, 0xdd, 0x3d, 0xdc, 0x21, 0xb9, 0x7b, 0x3a, 0xbf,
-	0x90, 0x5d, 0xdf, 0x5f, 0x55, 0x7d, 0x55, 0xf5, 0xd5, 0xf7, 0x7d, 0xf5, 0x0d, 0xdc, 0x1c, 0x58,
-	0xe1, 0xde, 0x68, 0x67, 0xcd, 0x70, 0x87, 0xb7, 0x4c, 0xd7, 0x78, 0x4c, 0xfc, 0x5b, 0xc1, 0x81,
-	0xee, 0x0f, 0x1f, 0x5b, 0xe1, 0x2d, 0xdd, 0xb3, 0x6e, 0x85, 0x87, 0x1e, 0x09, 0xd6, 0x3c, 0xdf,
-	0x0d, 0x5d, 0x84, 0x38, 0xc1, 0x9a, 0x24, 0x58, 0xdb, 0x7f, 0xbb, 0xb2, 0x32, 0x70, 0xdd, 0x81,
-	0x4d, 0x6e, 0x31, 0x8a, 0x9d, 0xd1, 0xee, 0xad, 0xd0, 0x1a, 0x92, 0x20, 0xd4, 0x87, 0x1e, 0x67,
-	0xaa, 0x2c, 0x9f, 0x25, 0x30, 0x47, 0xbe, 0x1e, 0x5a, 0xae, 0x73, 0x1e, 0xfe, 0xc0, 0xd7, 0x3d,
-	0x8f, 0xf8, 0xa2, 0xd3, 0xca, 0xc2, 0xc0, 0x1d, 0xb8, 0xec, 0xf3, 0x16, 0xfd, 0xe2, 0x50, 0x75,
-	0x05, 0xa6, 0x1f, 0x12, 0x3f, 0xb0, 0x5c, 0x07, 0x2d, 0x40, 0xce, 0x72, 0x4c, 0xf2, 0x64, 0x29,
-	0xb5, 0x9a, 0xba, 0x91, 0xc5, 0xbc, 0xa1, 0xde, 0x06, 0x68, 0xd1, 0x8f, 0xa6, 0x13, 0xfa, 0x87,
-	0x48, 0x81, 0xcc, 0x63, 0x72, 0xc8, 0x28, 0x8a, 0x98, 0x7e, 0x52, 0xc8, 0xbe, 0x6e, 0x2f, 0xa5,
-	0x39, 0x64, 0x5f, 0xb7, 0xd5, 0x5f, 0xa4, 0xa0, 0x54, 0x75, 0x1c, 0x37, 0x64, 0xa3, 0x0b, 0x10,
-	0x82, 0xac, 0xa3, 0x0f, 0x89, 0x60, 0x62, 0xdf, 0xa8, 0x0e, 0x79, 0x5b, 0xdf, 0x21, 0x76, 0xb0,
-	0x94, 0x5e, 0xcd, 0xdc, 0x28, 0xdd, 0x79, 0x73, 0xed, 0x69, 0x95, 0xac, 0x25, 0x84, 0xac, 0x6d,
-	0x32, 0x6a, 0x36, 0x08, 0x2c, 0x58, 0xd1, 0x37, 0x60, 0xda, 0x72, 0x4c, 0xcb, 0x20, 0xc1, 0x52,
-	0x96, 0x49, 0x59, 0x9e, 0x24, 0x25, 0x1e, 0x7d, 0x2d, 0xfb, 0xa3, 0x93, 0x95, 0x29, 0x2c, 0x99,
-	0x2a, 0xef, 0x43, 0x29, 0x21, 0x76, 0xc2, 0xdc, 0x16, 0x20, 0xb7, 0xaf, 0xdb, 0x23, 0x22, 0x66,
-	0xc7, 0x1b, 0x1f, 0xa4, 0xef, 0xa6, 0xd4, 0x7b, 0xb0, 0xd0, 0xd6, 0x87, 0xc4, 0xbc, 0x4f, 0x1c,
-	0xe2, 0x5b, 0x06, 0x26, 0x81, 0x3b, 0xf2, 0x0d, 0x42, 0xe7, 0xfa, 0xd8, 0x72, 0x4c, 0x39, 0x57,
-	0xfa, 0x3d, 0x59, 0x8a, 0x5a, 0x87, 0x17, 0x1b, 0x56, 0x60, 0xf8, 0x24, 0x24, 0xcf, 0x2d, 0x24,
-	0x23, 0x85, 0x9c, 0xa4, 0x60, 0xee, 0x2c, 0xf7, 0xb7, 0x60, 0x9e, 0xaa, 0xd8, 0xd4, 0x7c, 0x01,
-	0xd1, 0x02, 0x8f, 0x18, 0x4c, 0x58, 0xe9, 0xce, 0x8d, 0x49, 0x1a, 0x9a, 0x34, 0x93, 0x8d, 0x29,
-	0x7c, 0x85, 0x89, 0x91, 0x80, 0x9e, 0x47, 0x0c, 0x64, 0xc0, 0xa2, 0x29, 0x06, 0x7d, 0x46, 0x7c,
-	0x9a, 0x89, 0x9f, 0xb8, 0x8c, 0xe7, 0x4c, 0x73, 0x63, 0x0a, 0x2f, 0x48, 0x61, 0xc9, 0x4e, 0x6a,
-	0x00, 0x05, 0x29, 0x5b, 0xfd, 0x7e, 0x0a, 0x8a, 0x12, 0x19, 0xa0, 0x37, 0xa0, 0xe8, 0xe8, 0x8e,
-	0xab, 0x19, 0xde, 0x28, 0x60, 0x13, 0xca, 0xd4, 0xca, 0xa7, 0x27, 0x2b, 0x85, 0xb6, 0xee, 0xb8,
-	0xf5, 0xee, 0x76, 0x80, 0x0b, 0x14, 0x5d, 0xf7, 0x46, 0x01, 0x7a, 0x05, 0xca, 0x43, 0x32, 0x74,
-	0xfd, 0x43, 0x6d, 0xe7, 0x30, 0x24, 0x81, 0x50, 0x5b, 0x89, 0xc3, 0x6a, 0x14, 0x84, 0x3e, 0x82,
-	0xe9, 0x01, 0x1f, 0xd2, 0x52, 0x86, 0x6d, 0x9f, 0x57, 0x27, 0x8d, 0xfe, 0xcc, 0xa8, 0xb1, 0xe4,
-	0x51, 0xbf, 0x97, 0x86, 0x85, 0x08, 0x4a, 0xfe, 0xf9, 0xc8, 0xf2, 0xc9, 0x90, 0x38, 0x61, 0x80,
-	0xbe, 0x06, 0x79, 0xdb, 0x1a, 0x5a, 0x61, 0x20, 0x74, 0xfe, 0xf2, 0x24, 0xb1, 0xd1, 0xa4, 0xb0,
-	0x20, 0x46, 0x55, 0x28, 0xfb, 0x24, 0x20, 0xfe, 0x3e, 0xdf, 0xf1, 0x42, 0xa3, 0x97, 0x30, 0x8f,
-	0xb1, 0xa0, 0x0f, 0x00, 0x82, 0x03, 0xdd, 0x13, 0x53, 0xce, 0x30, 0x01, 0x2f, 0xad, 0x71, 0xbb,
-	0xb0, 0x26, 0xed, 0xc2, 0x5a, 0xcb, 0x09, 0xdf, 0x7b, 0xf7, 0x21, 0xdd, 0x3f, 0xb8, 0x48, 0xc9,
-	0xb9, 0x36, 0x36, 0xe0, 0x8a, 0x50, 0x18, 0x85, 0x79, 0x96, 0x43, 0x02, 0x7a, 0xac, 0x2e, 0x15,
-	0xa1, 0x70, 0xae, 0x5e, 0xc4, 0xa4, 0xae, 0x43, 0xa1, 0x6b, 0xeb, 0xe1, 0xae, 0xeb, 0x0f, 0x91,
-	0x0a, 0x65, 0xdd, 0x37, 0xf6, 0xac, 0x90, 0x18, 0xe1, 0xc8, 0x97, 0x36, 0x60, 0x0c, 0x86, 0x16,
-	0x21, 0xed, 0xf2, 0xe9, 0x16, 0x6b, 0xf9, 0xd3, 0x93, 0x95, 0x74, 0xa7, 0x87, 0xd3, 0x6e, 0xa0,
-	0x7e, 0x08, 0x57, 0xba, 0xf6, 0x68, 0x60, 0x39, 0x0d, 0x12, 0x18, 0xbe, 0xe5, 0xd1, 0x39, 0xd2,
-	0xb3, 0x41, 0x2d, 0xa9, 0x3c, 0x1b, 0xf4, 0x3b, 0x32, 0x30, 0xe9, 0xd8, 0xc0, 0xa8, 0xdf, 0x4d,
-	0xc3, 0x95, 0xa6, 0x33, 0xb0, 0x1c, 0x92, 0xe4, 0xbe, 0x0e, 0xb3, 0x84, 0x01, 0xb5, 0x7d, 0x6e,
-	0xf4, 0x84, 0x9c, 0x19, 0x0e, 0x95, 0x96, 0xb0, 0x75, 0xc6, 0x3a, 0xbd, 0x3d, 0x69, 0x11, 0x9e,
-	0x92, 0x3e, 0xd1, 0x46, 0x35, 0x61, 0xda, 0x63, 0x93, 0x08, 0xc4, 0x26, 0xbb, 0x3e, 0x49, 0xd6,
-	0x53, 0xf3, 0x94, 0xa6, 0x4a, 0xf0, 0x7e, 0x19, 0x53, 0xf5, 0x9f, 0x32, 0x30, 0xd7, 0x76, 0xcd,
-	0x31, 0x3d, 0x54, 0xa0, 0xb0, 0xe7, 0x06, 0x61, 0xc2, 0x2c, 0x47, 0x6d, 0x74, 0x17, 0x0a, 0x9e,
-	0x58, 0x3e, 0xb1, 0x07, 0xaf, 0x4d, 0x1e, 0x32, 0xa7, 0xc1, 0x11, 0x35, 0xfa, 0x10, 0x8a, 0xf2,
-	0xe0, 0xca, 0xdd, 0x77, 0xc9, 0xf6, 0x8d, 0xe9, 0xd1, 0x47, 0x90, 0xe7, 0x8b, 0x20, 0x36, 0xdd,
-	0xf5, 0x67, 0xd2, 0x39, 0x16, 0x4c, 0xe8, 0x3e, 0x14, 0x42, 0x3b, 0xd0, 0x2c, 0x67, 0xd7, 0x5d,
-	0xca, 0x31, 0x01, 0x2b, 0x13, 0x4d, 0x9d, 0x6b, 0x92, 0xfe, 0x66, 0xaf, 0xe5, 0xec, 0xba, 0xb5,
-	0xd2, 0xe9, 0xc9, 0xca, 0xb4, 0x68, 0xe0, 0xe9, 0xd0, 0x0e, 0xe8, 0x07, 0xba, 0x06, 0xd9, 0x5d,
-	0xcb, 0x0b, 0x96, 0xf2, 0xab, 0xa9, 0x1b, 0x85, 0x5a, 0xe1, 0xf4, 0x64, 0x25, 0xbb, 0xde, 0xea,
-	0xf6, 0x30, 0x83, 0xd2, 0x6e, 0x8c, 0xc0, 0xe2, 0xdd, 0x4c, 0xb3, 0xf5, 0x3c, 0xb7, 0x9b, 0x7a,
-	0xaf, 0x15, 0x77, 0x23, 0x1a, 0x78, 0xda, 0x08, 0x2c, 0xfa, 0xa1, 0xfe, 0xc7, 0x14, 0x94, 0x12,
-	0x83, 0x41, 0x2f, 0x03, 0x84, 0xfe, 0x28, 0x08, 0x35, 0xdf, 0x75, 0x43, 0xb6, 0x26, 0x65, 0x5c,
-	0x64, 0x10, 0xec, 0xba, 0x21, 0x5a, 0x83, 0x79, 0x83, 0xf8, 0xa1, 0x66, 0x05, 0xc1, 0x88, 0xf8,
-	0x5a, 0x30, 0xda, 0xf9, 0x8c, 0x18, 0x21, 0x5b, 0x9f, 0x32, 0xbe, 0x42, 0x51, 0x2d, 0x86, 0xe9,
-	0x71, 0x04, 0x7a, 0x07, 0x16, 0x93, 0xf4, 0xde, 0x68, 0xc7, 0xb6, 0x0c, 0x8d, 0xee, 0x99, 0x0c,
-	0x63, 0x99, 0x8f, 0x59, 0xba, 0x0c, 0xf7, 0x80, 0x1c, 0xaa, 0x3f, 0x15, 0x63, 0x12, 0x83, 0x45,
-	0x2b, 0x50, 0xe2, 0xfb, 0x4f, 0x4b, 0x6c, 0x14, 0xe0, 0x20, 0x7a, 0x67, 0xa0, 0x57, 0x61, 0xda,
-	0x71, 0x4d, 0xa2, 0x59, 0xa6, 0x38, 0xbe, 0x70, 0x7a, 0xb2, 0x92, 0xa7, 0x22, 0x5a, 0x0d, 0x9c,
-	0xa7, 0xa8, 0x96, 0x89, 0x6e, 0xc1, 0xc2, 0x50, 0x7f, 0xa2, 0xed, 0xbb, 0xf6, 0x68, 0x48, 0x02,
-	0xcd, 0x23, 0xbe, 0x46, 0x31, 0x6c, 0x20, 0x19, 0x7c, 0x65, 0xa8, 0x3f, 0x79, 0xc8, 0x51, 0x5d,
-	0xe2, 0x53, 0x56, 0xb4, 0x05, 0xf3, 0xba, 0x61, 0x90, 0x20, 0xb0, 0x76, 0x6c, 0xa2, 0x85, 0xae,
-	0xe7, 0xda, 0xee, 0xe0, 0x50, 0x6c, 0x8b, 0x89, 0x7b, 0xb1, 0x2f, 0x68, 0x30, 0x8a, 0x19, 0x25,
-	0x4c, 0xfd, 0x59, 0x0a, 0x14, 0xac, 0xef, 0x86, 0x5b, 0x64, 0xb8, 0x43, 0xfc, 0x5e, 0xa8, 0x87,
-	0xa3, 0x00, 0x2d, 0x42, 0xde, 0x26, 0xba, 0x49, 0x7c, 0x36, 0xab, 0x02, 0x16, 0x2d, 0xb4, 0x4d,
-	0x8d, 0xb0, 0x6e, 0xec, 0xe9, 0x3b, 0x96, 0x6d, 0x85, 0x87, 0x6c, 0x5a, 0xb3, 0x93, 0xcf, 0xff,
-	0x59, 0x99, 0x6b, 0x38, 0xc1, 0x88, 0xc7, 0xc4, 0xa0, 0x25, 0x98, 0x1e, 0x92, 0x20, 0xd0, 0x07,
-	0x7c, 0xda, 0x45, 0x2c, 0x9b, 0xea, 0x87, 0x50, 0x4e, 0xf2, 0xa1, 0x12, 0x4c, 0x6f, 0xb7, 0x1f,
-	0xb4, 0x3b, 0x8f, 0xda, 0xca, 0x14, 0x9a, 0x83, 0xd2, 0x76, 0x1b, 0x37, 0xab, 0xf5, 0x8d, 0x6a,
-	0x6d, 0xb3, 0xa9, 0xa4, 0xd0, 0x0c, 0x14, 0xe3, 0x66, 0x5a, 0xfd, 0x7f, 0x29, 0x00, 0xaa, 0x32,
-	0x31, 0xa9, 0x0f, 0x20, 0x17, 0x84, 0x7a, 0xc8, 0x57, 0x6a, 0xf6, 0xce, 0x6b, 0xe7, 0xed, 0x4c,
-	0x31, 0x5e, 0xfa, 0x8f, 0x60, 0xce, 0x92, 0x1c, 0x61, 0x7a, 0x6c, 0x84, 0xd4, 0xba, 0xea, 0xa6,
-	0xe9, 0x8b, 0x81, 0xb3, 0x6f, 0xf5, 0x43, 0xc8, 0x31, 0xee, 0xf1, 0xe1, 0x16, 0x20, 0xdb, 0xa0,
-	0x5f, 0x29, 0x54, 0x84, 0x1c, 0x6e, 0x56, 0x1b, 0x9f, 0x2a, 0x69, 0xa4, 0x40, 0xb9, 0xd1, 0xea,
-	0xd5, 0x3b, 0xed, 0x76, 0xb3, 0xde, 0x6f, 0x36, 0x94, 0x8c, 0x7a, 0x1d, 0x72, 0xad, 0x21, 0x95,
-	0x7c, 0x8d, 0xda, 0x8b, 0x5d, 0xe2, 0x13, 0xc7, 0x90, 0xbb, 0x2b, 0x06, 0xa8, 0x7f, 0x31, 0x0b,
-	0xb9, 0x2d, 0x77, 0xe4, 0x84, 0xe8, 0x4e, 0xc2, 0xe6, 0xcf, 0x4e, 0x76, 0xf2, 0x18, 0xe1, 0x5a,
-	0xff, 0xd0, 0x23, 0xe2, 0x4e, 0x58, 0x84, 0x3c, 0xb7, 0x2c, 0x62, 0x3a, 0xa2, 0x45, 0xe1, 0xa1,
-	0xee, 0x0f, 0x48, 0x28, 0xe6, 0x23, 0x5a, 0xe8, 0x06, 0x75, 0x3a, 0x74, 0xd3, 0x75, 0x6c, 0xbe,
-	0xd3, 0x0a, 0xdc, 0xb3, 0xc0, 0x44, 0x37, 0x3b, 0x8e, 0x7d, 0x88, 0x23, 0x2c, 0xba, 0x0f, 0x25,
-	0xc3, 0x75, 0x02, 0x2b, 0x08, 0x89, 0x63, 0x1c, 0x2e, 0x15, 0xd8, 0xa0, 0xae, 0x9f, 0x3f, 0xa8,
-	0x7a, 0x4c, 0x8c, 0x93, 0x9c, 0x68, 0x03, 0xca, 0x3b, 0x96, 0x63, 0x6a, 0xae, 0xc7, 0x2f, 0xfc,
-	0xdc, 0xf9, 0x76, 0x8f, 0x4b, 0xaa, 0x59, 0x8e, 0xd9, 0xe1, 0xc4, 0xb8, 0xb4, 0x13, 0x37, 0x50,
-	0x1b, 0x66, 0xf9, 0xf1, 0x8a, 0x64, 0xe5, 0x99, 0xac, 0xd7, 0xcf, 0x97, 0xc5, 0xcf, 0x9c, 0x94,
-	0x36, 0xb3, 0x9f, 0x6c, 0xa2, 0x07, 0x30, 0x13, 0x0e, 0xbd, 0xdd, 0x20, 0x12, 0x37, 0xcd, 0xc4,
-	0x7d, 0xe5, 0x02, 0xcd, 0x53, 0x72, 0x29, 0xad, 0x1c, 0x26, 0x5a, 0x95, 0xff, 0x96, 0x83, 0x52,
-	0x62, 0xe4, 0xa8, 0x07, 0x25, 0xcf, 0x77, 0x3d, 0x7d, 0xc0, 0x9c, 0x16, 0xb1, 0xa8, 0x6f, 0x3f,
-	0xd3, 0xac, 0xd7, 0xba, 0x31, 0x23, 0x4e, 0x4a, 0x41, 0xef, 0x42, 0xd9, 0x71, 0x1d, 0x9f, 0x18,
-	0x23, 0x3f, 0xb0, 0xf6, 0xf9, 0xa2, 0x17, 0x6a, 0xca, 0xe9, 0xc9, 0x4a, 0xb9, 0xed, 0x3a, 0x58,
-	0xc2, 0xf1, 0x18, 0x15, 0xba, 0x07, 0x8a, 0xe1, 0x13, 0x3d, 0x24, 0x43, 0xda, 0x93, 0xe7, 0x5a,
-	0x0e, 0xdf, 0x16, 0x85, 0xda, 0xc2, 0xe9, 0xc9, 0x8a, 0x52, 0x67, 0xb8, 0xad, 0x08, 0x87, 0x9f,
-	0xa2, 0x46, 0x9b, 0xb0, 0x20, 0x37, 0xc6, 0x58, 0xff, 0x7c, 0x0b, 0x2d, 0x9d, 0x9e, 0xac, 0x2c,
-	0xc8, 0x2d, 0x34, 0x36, 0x8e, 0x89, 0x5c, 0x08, 0xc3, 0xa2, 0x84, 0xef, 0xba, 0xbe, 0x41, 0x62,
-	0x79, 0x39, 0x26, 0xaf, 0x72, 0x7a, 0xb2, 0xb2, 0x28, 0xe5, 0xad, 0xbb, 0xcc, 0xf1, 0x94, 0x12,
-	0xcf, 0xe1, 0x54, 0x8f, 0xd3, 0x50, 0x4a, 0xa8, 0x0d, 0xdd, 0x84, 0x02, 0xee, 0xe2, 0xd6, 0xc3,
-	0x6a, 0xbf, 0xa9, 0x4c, 0x55, 0xae, 0x1d, 0x1d, 0xaf, 0x2e, 0xb1, 0x19, 0x26, 0x55, 0xdb, 0xf5,
-	0xad, 0x7d, 0x7a, 0xba, 0x6f, 0xc0, 0xb4, 0x24, 0x4d, 0x55, 0x5e, 0x3a, 0x3a, 0x5e, 0x7d, 0xf1,
-	0x2c, 0x69, 0x82, 0x12, 0xf7, 0x36, 0xaa, 0xb8, 0xd9, 0x50, 0xd2, 0x93, 0x29, 0x71, 0x6f, 0x4f,
-	0xf7, 0x89, 0x89, 0xbe, 0x02, 0x79, 0x41, 0x98, 0xa9, 0x54, 0x8e, 0x8e, 0x57, 0x17, 0xcf, 0x12,
-	0xc6, 0x74, 0xb8, 0xb7, 0x59, 0x7d, 0xd8, 0x54, 0xb2, 0x93, 0xe9, 0x70, 0xcf, 0xd6, 0xf7, 0x09,
-	0x7a, 0x0d, 0x72, 0x9c, 0x2c, 0x57, 0xb9, 0x7a, 0x74, 0xbc, 0xfa, 0xc2, 0x53, 0xe2, 0x28, 0x55,
-	0x65, 0xe9, 0xdf, 0xfe, 0xaf, 0xe5, 0xa9, 0xdf, 0xfc, 0xc1, 0xb2, 0x72, 0x16, 0x5d, 0xf9, 0xfb,
-	0x14, 0xcc, 0x8c, 0x1d, 0x06, 0xa4, 0x42, 0xde, 0x71, 0x0d, 0xd7, 0xe3, 0xfe, 0x55, 0x41, 0x5e,
-	0x6a, 0x75, 0xd7, 0x3b, 0xc4, 0x02, 0x83, 0x1e, 0x9c, 0xf1, 0x10, 0xdf, 0x79, 0xc6, 0x93, 0x36,
-	0xd1, 0x47, 0xfc, 0x18, 0x66, 0x4c, 0xdf, 0xda, 0x27, 0xbe, 0x66, 0xb8, 0xce, 0xae, 0x35, 0x10,
-	0xbe, 0x53, 0x65, 0x62, 0x30, 0xc5, 0x08, 0x71, 0x99, 0x33, 0xd4, 0x19, 0xfd, 0x97, 0xf0, 0x0e,
-	0x2b, 0x1e, 0x94, 0x93, 0x67, 0x97, 0xfa, 0x21, 0x81, 0xf5, 0x2f, 0x88, 0x08, 0x21, 0x58, 0x8c,
-	0x85, 0x8b, 0x14, 0xc2, 0xa3, 0x84, 0xd7, 0x21, 0x3b, 0xa4, 0x97, 0x37, 0x95, 0x33, 0x53, 0x9b,
-	0xa7, 0x4e, 0xea, 0xcf, 0x4f, 0x56, 0x4a, 0x6e, 0xb0, 0xb6, 0x6e, 0xd9, 0x64, 0xcb, 0x35, 0x09,
-	0x66, 0x04, 0xf4, 0x3e, 0x91, 0xc6, 0x43, 0xdc, 0x78, 0xa2, 0xa9, 0xfe, 0x56, 0x0a, 0xb2, 0xd4,
-	0x50, 0xa3, 0x97, 0x20, 0x5b, 0x6b, 0xb5, 0x1b, 0xca, 0x54, 0xe5, 0xca, 0xd1, 0xf1, 0xea, 0x0c,
-	0xd3, 0x16, 0x45, 0xd0, 0x03, 0x8f, 0x56, 0x20, 0xff, 0xb0, 0xb3, 0xb9, 0xbd, 0x45, 0x77, 0xde,
-	0xfc, 0xd1, 0xf1, 0xea, 0x5c, 0x84, 0xe6, 0xfa, 0x44, 0x2f, 0x43, 0xae, 0xbf, 0xd5, 0x5d, 0xef,
-	0x29, 0xe9, 0x0a, 0x3a, 0x3a, 0x5e, 0x9d, 0x8d, 0xf0, 0x6c, 0x3a, 0xe8, 0x15, 0xc8, 0xb5, 0xbb,
-	0xad, 0x6e, 0x53, 0xc9, 0x54, 0x16, 0x8f, 0x8e, 0x57, 0x51, 0x84, 0x66, 0xc1, 0x6e, 0xd7, 0xf2,
-	0x08, 0x7a, 0x05, 0xa6, 0xeb, 0x9b, 0xdb, 0xbd, 0x7e, 0x13, 0x2b, 0xd9, 0xca, 0xc2, 0xd1, 0xf1,
-	0xaa, 0x12, 0x11, 0xd5, 0xed, 0x51, 0x10, 0x12, 0xbf, 0x72, 0x45, 0x6c, 0x9b, 0x62, 0x84, 0x51,
-	0x7f, 0x92, 0x82, 0x52, 0xc2, 0xa4, 0xd3, 0x9d, 0xdf, 0x68, 0xae, 0x57, 0xb7, 0x37, 0xfb, 0xca,
-	0x54, 0x62, 0xe7, 0x27, 0x48, 0x1a, 0x64, 0x57, 0x1f, 0xd9, 0xf4, 0x8a, 0x81, 0x7a, 0xa7, 0xdd,
-	0x6b, 0xf5, 0xfa, 0xcd, 0x76, 0x5f, 0x49, 0x55, 0x96, 0x8e, 0x8e, 0x57, 0x17, 0xce, 0x12, 0xaf,
-	0x8f, 0x6c, 0x9b, 0xee, 0xfd, 0x7a, 0xb5, 0xbe, 0xc1, 0x0e, 0x53, 0xbc, 0xf7, 0x13, 0x54, 0x75,
-	0xdd, 0xd8, 0x23, 0x26, 0x7a, 0x0b, 0x8a, 0x8d, 0xe6, 0x66, 0xf3, 0x7e, 0x95, 0x5d, 0xac, 0x95,
-	0x97, 0x8f, 0x8e, 0x57, 0xaf, 0x3e, 0xdd, 0xbb, 0x4d, 0x06, 0x7a, 0x48, 0xcc, 0x33, 0x67, 0x20,
-	0x41, 0xa2, 0xfe, 0x4d, 0x1a, 0x66, 0x30, 0x09, 0x42, 0xdd, 0x0f, 0xbb, 0xae, 0x6d, 0x19, 0x87,
-	0xa8, 0x0b, 0x45, 0xc3, 0x75, 0x4c, 0x2b, 0x61, 0xa2, 0xef, 0x9c, 0xe3, 0xca, 0xc7, 0x5c, 0xb2,
-	0x55, 0x97, 0x9c, 0x38, 0x16, 0x82, 0x6e, 0x41, 0xce, 0x24, 0xb6, 0x7e, 0x28, 0x62, 0x8a, 0xab,
-	0x4f, 0xc5, 0x94, 0x0d, 0x91, 0xce, 0xc2, 0x9c, 0x8e, 0x45, 0xf0, 0xfa, 0x13, 0x4d, 0x0f, 0x43,
-	0x32, 0xf4, 0x42, 0xbe, 0x8d, 0xb2, 0xb8, 0x34, 0xd4, 0x9f, 0x54, 0x05, 0x08, 0xbd, 0x0d, 0xf9,
-	0x03, 0xcb, 0x31, 0xdd, 0x03, 0xe1, 0x1c, 0x5e, 0x20, 0x54, 0x10, 0xaa, 0x47, 0xd4, 0x1b, 0x3c,
-	0x33, 0x4c, 0xba, 0x13, 0xdb, 0x9d, 0x76, 0x53, 0xee, 0x44, 0x81, 0xef, 0x38, 0x6d, 0xd7, 0xa1,
-	0x06, 0x06, 0x3a, 0x6d, 0x6d, 0xbd, 0xda, 0xda, 0xdc, 0xc6, 0x74, 0x37, 0xb2, 0x9d, 0x12, 0x91,
-	0xac, 0xeb, 0x96, 0x4d, 0x83, 0xd8, 0xab, 0x90, 0xa9, 0xb6, 0x3f, 0x55, 0xd2, 0x15, 0xe5, 0xe8,
-	0x78, 0xb5, 0x1c, 0xa1, 0xab, 0xce, 0x61, 0xac, 0xf7, 0xb3, 0xfd, 0xaa, 0xbf, 0x9f, 0x81, 0xf2,
-	0xb6, 0x67, 0xea, 0x21, 0xe1, 0x07, 0x19, 0xad, 0x42, 0xc9, 0xd3, 0x7d, 0xdd, 0xb6, 0x89, 0x6d,
-	0x05, 0x43, 0x91, 0x88, 0x4b, 0x82, 0xd0, 0xfb, 0xcf, 0xaa, 0xc6, 0x5a, 0x81, 0x1e, 0xce, 0xef,
-	0xff, 0xd9, 0x4a, 0x4a, 0x2a, 0x74, 0x1b, 0x66, 0x77, 0xf9, 0x68, 0x35, 0xdd, 0x60, 0x0b, 0x9b,
-	0x61, 0x0b, 0xbb, 0x36, 0x69, 0x61, 0x93, 0xc3, 0x5a, 0x13, 0x93, 0xac, 0x32, 0x2e, 0x3c, 0xb3,
-	0x9b, 0x6c, 0xa2, 0x77, 0x60, 0x7a, 0xe8, 0x3a, 0x56, 0xe8, 0xfa, 0x97, 0xaf, 0x82, 0xa4, 0x44,
-	0x37, 0x81, 0x3a, 0xfe, 0x9a, 0x1c, 0x0f, 0x43, 0xb3, 0x4b, 0x2e, 0x8d, 0xe7, 0x86, 0xfa, 0x13,
-	0xd1, 0x21, 0xa6, 0x60, 0x54, 0x83, 0x9c, 0xeb, 0x53, 0x57, 0x3d, 0xcf, 0x86, 0xfb, 0xd6, 0xa5,
-	0xc3, 0xe5, 0x8d, 0x0e, 0xe5, 0xc1, 0x9c, 0x55, 0x7d, 0x0f, 0x66, 0xc6, 0x26, 0x41, 0x3d, 0xd4,
-	0x6e, 0x75, 0xbb, 0xd7, 0x54, 0xa6, 0x50, 0x19, 0x0a, 0xf5, 0x4e, 0xbb, 0xdf, 0x6a, 0x6f, 0x53,
-	0x17, 0xbb, 0x0c, 0x05, 0xdc, 0xd9, 0xdc, 0xac, 0x55, 0xeb, 0x0f, 0x94, 0xb4, 0xba, 0x06, 0xa5,
-	0x84, 0x34, 0x34, 0x0b, 0xd0, 0xeb, 0x77, 0xba, 0xda, 0x7a, 0x0b, 0xf7, 0xfa, 0xdc, 0x41, 0xef,
-	0xf5, 0xab, 0xb8, 0x2f, 0x00, 0x29, 0xf5, 0xaf, 0xd2, 0x72, 0x45, 0x85, 0x4f, 0x5e, 0x1b, 0xf7,
-	0xc9, 0x2f, 0x18, 0xbc, 0xf0, 0xca, 0xe3, 0x46, 0xe4, 0x9b, 0xbf, 0x0f, 0xc0, 0x36, 0x0e, 0x31,
-	0x35, 0x3d, 0x14, 0x0b, 0x5f, 0x79, 0x4a, 0xc9, 0x7d, 0x99, 0x2f, 0xc6, 0x45, 0x41, 0x5d, 0x0d,
-	0xd1, 0x47, 0x50, 0x36, 0xdc, 0xa1, 0x67, 0x13, 0xc1, 0x9c, 0xb9, 0x94, 0xb9, 0x14, 0xd1, 0x57,
-	0xc3, 0x64, 0x54, 0x90, 0x1d, 0x8f, 0x5b, 0xfe, 0x4d, 0x4a, 0x6a, 0x66, 0x42, 0x20, 0x50, 0x86,
-	0xc2, 0x76, 0xb7, 0x51, 0xed, 0xb7, 0xda, 0xf7, 0x95, 0x14, 0x02, 0xc8, 0x33, 0x55, 0x37, 0x94,
-	0x34, 0x0d, 0x60, 0xea, 0x9d, 0xad, 0xee, 0x66, 0x93, 0x59, 0x2c, 0xb4, 0x00, 0x8a, 0x54, 0xb6,
-	0xc6, 0x14, 0xd9, 0x6c, 0x28, 0x59, 0x34, 0x0f, 0x73, 0x11, 0x54, 0x70, 0xe6, 0xd0, 0x22, 0xa0,
-	0x08, 0x18, 0x8b, 0xc8, 0xab, 0xff, 0x0a, 0xe6, 0xea, 0xae, 0x13, 0xea, 0x96, 0x13, 0x05, 0x77,
-	0x77, 0xe8, 0xa4, 0x05, 0x88, 0xc6, 0xa6, 0xec, 0x22, 0xac, 0xcd, 0x9d, 0x9e, 0xac, 0x94, 0x22,
-	0xd2, 0x56, 0x83, 0x39, 0xe3, 0xa2, 0x61, 0xd2, 0xf3, 0xeb, 0x89, 0x30, 0x36, 0x57, 0x9b, 0x3e,
-	0x3d, 0x59, 0xc9, 0x74, 0x5b, 0x0d, 0x4c, 0x61, 0xe8, 0x25, 0x28, 0x92, 0x27, 0x56, 0xa8, 0x19,
-	0x32, 0x6a, 0xcd, 0xe1, 0x02, 0x05, 0xd4, 0x5d, 0x93, 0xa8, 0x35, 0x80, 0xae, 0xeb, 0x87, 0xa2,
-	0xe7, 0x77, 0x21, 0xe7, 0xb9, 0x3e, 0xcb, 0xfc, 0x9d, 0x9b, 0x8f, 0xa6, 0xe4, 0x7c, 0xa3, 0x62,
-	0x4e, 0xac, 0xfe, 0x97, 0x0c, 0x40, 0x5f, 0x0f, 0x1e, 0x0b, 0x21, 0x77, 0xa1, 0x18, 0xe5, 0xfe,
-	0x45, 0x0a, 0xf1, 0xc2, 0xd5, 0x8e, 0x88, 0xd1, 0x3b, 0x72, 0xb3, 0xf1, 0xb0, 0x75, 0x62, 0xf2,
-	0x45, 0x76, 0x34, 0x29, 0xf2, 0x1b, 0x8f, 0x4d, 0xa9, 0x1f, 0x41, 0x7c, 0x5f, 0xac, 0x3c, 0xfd,
-	0x44, 0x75, 0x76, 0x2d, 0x70, 0xa5, 0x89, 0x78, 0x65, 0x62, 0xd2, 0xf4, 0xcc, 0x8a, 0x6c, 0x4c,
-	0xe1, 0x98, 0x0f, 0x7d, 0x0c, 0x25, 0x3a, 0x6f, 0x2d, 0x60, 0x38, 0x11, 0xaa, 0x9c, 0xab, 0x2a,
-	0x2e, 0x01, 0x83, 0x17, 0x6b, 0xf9, 0x65, 0x00, 0xdd, 0xf3, 0x6c, 0x8b, 0x98, 0xda, 0xce, 0x21,
-	0x8b, 0x4d, 0x8a, 0xb8, 0x28, 0x20, 0xb5, 0x43, 0x7a, 0x5c, 0x24, 0x5a, 0x0f, 0x59, 0x7c, 0x76,
-	0x89, 0x02, 0x05, 0x75, 0x35, 0xac, 0x29, 0x30, 0xeb, 0x8f, 0x1c, 0xaa, 0x50, 0x31, 0x3a, 0xf5,
-	0xff, 0xa6, 0xe1, 0xc5, 0x36, 0x09, 0x0f, 0x5c, 0xff, 0x71, 0x35, 0x0c, 0x75, 0x63, 0x6f, 0x48,
-	0x1c, 0xb1, 0x7c, 0x89, 0x58, 0x32, 0x35, 0x16, 0x4b, 0x2e, 0xc1, 0xb4, 0x6e, 0x5b, 0x7a, 0x40,
-	0xb8, 0x77, 0x58, 0xc4, 0xb2, 0x49, 0x23, 0x5e, 0x1a, 0x3f, 0x93, 0x20, 0x20, 0x3c, 0x1f, 0x48,
-	0x07, 0x2e, 0x01, 0xe8, 0x3b, 0xb0, 0x28, 0xfc, 0x40, 0x3d, 0xea, 0x8a, 0x86, 0x60, 0xf2, 0x79,
-	0xa3, 0x39, 0x31, 0xa0, 0x9f, 0x3c, 0x38, 0xe1, 0x28, 0xc6, 0xe0, 0x8e, 0x17, 0x0a, 0xb7, 0x73,
-	0xc1, 0x9c, 0x80, 0xaa, 0xdc, 0x87, 0xab, 0xe7, 0xb2, 0x3c, 0x57, 0xbe, 0xf1, 0xa7, 0x69, 0x80,
-	0x56, 0xb7, 0xba, 0x25, 0x94, 0xd4, 0x80, 0xfc, 0xae, 0x3e, 0xb4, 0xec, 0xc3, 0x8b, 0x2c, 0x60,
-	0x4c, 0xbf, 0x56, 0xe5, 0xea, 0x58, 0x67, 0x3c, 0x58, 0xf0, 0xb2, 0x70, 0x7e, 0xb4, 0xe3, 0x90,
-	0x30, 0x0a, 0xe7, 0x59, 0x8b, 0x0e, 0xc3, 0xd7, 0x9d, 0x68, 0xeb, 0xf2, 0x06, 0x5d, 0x00, 0xea,
-	0xf2, 0x1c, 0xe8, 0x87, 0xd2, 0x6c, 0x89, 0x26, 0xda, 0x60, 0x6f, 0x0b, 0xc4, 0xdf, 0x27, 0xe6,
-	0x52, 0x8e, 0x29, 0xf5, 0xb2, 0xf1, 0x60, 0x41, 0xce, 0x75, 0x17, 0x71, 0x57, 0x3e, 0x64, 0x2e,
-	0x53, 0x8c, 0x7a, 0x2e, 0x1d, 0xdd, 0x86, 0x99, 0xb1, 0x79, 0x3e, 0x95, 0x47, 0x69, 0x75, 0x1f,
-	0xbe, 0xab, 0x64, 0xc5, 0xd7, 0x7b, 0x4a, 0x5e, 0xfd, 0xdd, 0x0c, 0x37, 0x34, 0x42, 0xab, 0x93,
-	0xdf, 0xd4, 0x0a, 0x6c, 0x77, 0x1b, 0xae, 0x2d, 0x0c, 0xc0, 0xeb, 0x17, 0xdb, 0x1f, 0x1a, 0x4e,
-	0x33, 0x72, 0x1c, 0x31, 0xa2, 0x15, 0x28, 0xf1, 0x5d, 0xac, 0xd1, 0x03, 0xc7, 0xd4, 0x3a, 0x83,
-	0x81, 0x83, 0x28, 0x27, 0xba, 0x0e, 0xb3, 0x2c, 0x9b, 0x18, 0xec, 0x11, 0x93, 0xd3, 0x64, 0x19,
-	0xcd, 0x4c, 0x04, 0x65, 0x64, 0x5b, 0x50, 0x16, 0x00, 0x8d, 0x05, 0x0c, 0x39, 0x36, 0xa0, 0x9b,
-	0x97, 0x0d, 0x88, 0xb3, 0xb0, 0x38, 0xa2, 0xe4, 0xc5, 0x0d, 0xf5, 0x9f, 0x41, 0x41, 0x0e, 0x16,
-	0x2d, 0x41, 0xa6, 0x5f, 0xef, 0x2a, 0x53, 0x95, 0xb9, 0xa3, 0xe3, 0xd5, 0x92, 0x04, 0xf7, 0xeb,
-	0x5d, 0x8a, 0xd9, 0x6e, 0x74, 0x95, 0xd4, 0x38, 0x66, 0xbb, 0xd1, 0x45, 0x15, 0xc8, 0xf6, 0xea,
-	0xfd, 0xae, 0xf4, 0xcf, 0x24, 0x8a, 0xc2, 0x2a, 0x59, 0xea, 0x9f, 0xa9, 0xbb, 0x50, 0x4a, 0xf4,
-	0x8e, 0x5e, 0x85, 0xe9, 0x56, 0xfb, 0x3e, 0x6e, 0xf6, 0x7a, 0xca, 0x14, 0x8f, 0x20, 0x12, 0xd8,
-	0x96, 0x33, 0xa0, 0x6b, 0x87, 0x5e, 0x86, 0xec, 0x46, 0x87, 0xde, 0xfb, 0x3c, 0x44, 0x49, 0x50,
-	0x6c, 0xb8, 0x41, 0x58, 0x99, 0x17, 0x8e, 0x5f, 0x52, 0xb0, 0xfa, 0x5f, 0x53, 0x90, 0xe7, 0x07,
-	0x6d, 0xe2, 0x22, 0x56, 0xe3, 0xb8, 0x89, 0x47, 0x96, 0xaf, 0x9f, 0x1f, 0x05, 0xae, 0x89, 0xa0,
-	0x8d, 0x6f, 0x4d, 0xc9, 0x57, 0xf9, 0x00, 0xca, 0x49, 0xc4, 0x73, 0x6d, 0xcc, 0xef, 0x40, 0x89,
-	0xee, 0x7d, 0x19, 0x0d, 0xde, 0x81, 0x3c, 0x37, 0x16, 0xd1, 0x3d, 0x74, 0x7e, 0x48, 0x2a, 0x28,
-	0xd1, 0x5d, 0x98, 0xe6, 0x61, 0xac, 0x7c, 0xf1, 0x58, 0xbe, 0xf8, 0x84, 0x61, 0x49, 0xae, 0x7e,
-	0x0c, 0xd9, 0x2e, 0x21, 0x7e, 0x32, 0xad, 0x9c, 0x3a, 0x37, 0xad, 0x2c, 0xd3, 0x92, 0xe9, 0x44,
-	0x5a, 0xb2, 0x0f, 0xe5, 0x47, 0xc4, 0x1a, 0xec, 0x85, 0xc4, 0x64, 0x82, 0xde, 0x82, 0xac, 0x47,
-	0xa2, 0xc1, 0x2f, 0x4d, 0xdc, 0x7c, 0x84, 0xf8, 0x98, 0x51, 0x51, 0x1b, 0x73, 0xc0, 0xb8, 0xc5,
-	0x63, 0xa1, 0x68, 0xa9, 0x7f, 0x90, 0x86, 0xd9, 0x56, 0x10, 0x8c, 0x74, 0xc7, 0x90, 0x5e, 0xdd,
-	0x37, 0xc6, 0xbd, 0xba, 0x89, 0xaf, 0xaa, 0xe3, 0x2c, 0xe3, 0xd9, 0x56, 0x71, 0xb3, 0xa6, 0xa3,
-	0x9b, 0x55, 0xfd, 0xcb, 0x94, 0x4c, 0xa9, 0x5e, 0x4f, 0x98, 0x02, 0x1e, 0x23, 0x26, 0x25, 0x91,
-	0x6d, 0xe7, 0xb1, 0xe3, 0x1e, 0x38, 0x34, 0xc0, 0xc5, 0xcd, 0x76, 0xf3, 0x91, 0x92, 0xe2, 0xdb,
-	0x73, 0x8c, 0x08, 0x13, 0x87, 0x1c, 0x50, 0x49, 0xdd, 0x66, 0xbb, 0x41, 0xbd, 0xb0, 0xf4, 0x04,
-	0x49, 0x5d, 0xe2, 0x98, 0x96, 0x33, 0x40, 0xaf, 0x42, 0xbe, 0xd5, 0xeb, 0x6d, 0xb3, 0x10, 0xf2,
-	0xc5, 0xa3, 0xe3, 0xd5, 0xf9, 0x31, 0x2a, 0xf6, 0x48, 0x60, 0x52, 0x22, 0x1a, 0x02, 0x51, 0xff,
-	0x6c, 0x02, 0x11, 0xf5, 0xad, 0x39, 0x11, 0xee, 0xf4, 0xab, 0xfd, 0xa6, 0x92, 0x9b, 0x40, 0x84,
-	0x5d, 0xfa, 0x57, 0x1c, 0xb7, 0x3f, 0x49, 0x83, 0x52, 0x35, 0x0c, 0xe2, 0x85, 0x14, 0x2f, 0xa2,
-	0xce, 0x3e, 0x14, 0x3c, 0xfa, 0x65, 0x11, 0xe9, 0x41, 0xdd, 0x9d, 0x58, 0x17, 0x70, 0x86, 0x6f,
-	0x0d, 0xbb, 0x36, 0xa9, 0x9a, 0x43, 0x2b, 0x08, 0x2c, 0xd7, 0xe1, 0x30, 0x1c, 0x49, 0xaa, 0xfc,
-	0x75, 0x0a, 0xe6, 0x27, 0x50, 0xa0, 0xdb, 0x90, 0xf5, 0x5d, 0x5b, 0xae, 0xe1, 0xb5, 0xf3, 0xb2,
-	0xe5, 0x94, 0x15, 0x33, 0x4a, 0xb4, 0x0c, 0xa0, 0x8f, 0x42, 0x57, 0x67, 0xfd, 0xf3, 0x1c, 0x23,
-	0x4e, 0x40, 0xd0, 0x23, 0xc8, 0x07, 0xc4, 0xf0, 0x89, 0xf4, 0xb3, 0x3f, 0xfe, 0x55, 0x47, 0xbf,
-	0xd6, 0x63, 0x62, 0xb0, 0x10, 0x57, 0x59, 0x83, 0x3c, 0x87, 0xd0, 0x6d, 0x6f, 0xea, 0xa1, 0x2e,
-	0x5e, 0x88, 0xd8, 0x37, 0xdd, 0x4d, 0xba, 0x3d, 0x90, 0xbb, 0x49, 0xb7, 0x07, 0xea, 0xef, 0xa4,
-	0x01, 0x9a, 0x4f, 0x42, 0xe2, 0x3b, 0xba, 0x5d, 0xaf, 0xa2, 0x66, 0xe2, 0x66, 0xe0, 0xb3, 0x7d,
-	0x63, 0xe2, 0xeb, 0x5a, 0xc4, 0xb1, 0x56, 0xaf, 0x4e, 0xb8, 0x1b, 0xae, 0x42, 0x66, 0xe4, 0x8b,
-	0x52, 0x0f, 0xee, 0x23, 0x6f, 0xe3, 0x4d, 0x4c, 0x61, 0xa8, 0x99, 0x4c, 0xf7, 0x9c, 0x5b, 0xd0,
-	0x91, 0xe8, 0x60, 0xa2, 0xe9, 0xa2, 0x27, 0xdf, 0xd0, 0x35, 0x83, 0x88, 0x5b, 0xa5, 0xcc, 0x4f,
-	0x7e, 0xbd, 0x5a, 0x27, 0x7e, 0x88, 0xf3, 0x86, 0x4e, 0xff, 0x7f, 0x29, 0xfb, 0xf6, 0x16, 0x40,
-	0x3c, 0x35, 0xb4, 0x0c, 0xb9, 0xfa, 0x7a, 0xaf, 0xb7, 0xa9, 0x4c, 0x71, 0x03, 0x1e, 0xa3, 0x18,
-	0x58, 0xfd, 0x8d, 0x34, 0x14, 0xea, 0x55, 0x71, 0xe5, 0xd6, 0x41, 0x61, 0x56, 0x89, 0xbd, 0xab,
-	0x91, 0x27, 0x9e, 0xe5, 0x1f, 0x0a, 0xc3, 0x72, 0x41, 0xc0, 0x3b, 0x4b, 0x59, 0xe8, 0xa8, 0x9b,
-	0x8c, 0x01, 0x61, 0x28, 0x13, 0xa1, 0x04, 0xcd, 0xd0, 0xa5, 0x8d, 0x5f, 0xbe, 0x58, 0x59, 0x3c,
-	0x74, 0x89, 0xdb, 0x01, 0x2e, 0x49, 0x21, 0x75, 0x3d, 0x40, 0xef, 0xc3, 0x5c, 0x60, 0x0d, 0x1c,
-	0xcb, 0x19, 0x68, 0x52, 0x79, 0xec, 0x91, 0xaf, 0x76, 0xe5, 0xf4, 0x64, 0x65, 0xa6, 0xc7, 0x51,
-	0x42, 0x87, 0x33, 0x82, 0xb2, 0xce, 0x54, 0x89, 0xde, 0x83, 0xd9, 0x04, 0x2b, 0xd5, 0x22, 0x57,
-	0x3b, 0x4b, 0x9c, 0x47, 0x9c, 0x0f, 0xc8, 0x21, 0x2e, 0x47, 0x8c, 0x0f, 0x08, 0xcb, 0xcd, 0xb0,
-	0x34, 0xb3, 0xe6, 0xb3, 0x33, 0xcd, 0x6e, 0xf7, 0x2c, 0x2e, 0x31, 0x18, 0x3f, 0xe6, 0xea, 0x43,
-	0x98, 0xef, 0xf8, 0xc6, 0x1e, 0x09, 0x42, 0xae, 0x0a, 0xa1, 0xc5, 0x8f, 0xe1, 0x5a, 0xa8, 0x07,
-	0x8f, 0xb5, 0x3d, 0x2b, 0x08, 0x5d, 0xff, 0x50, 0xf3, 0x49, 0x48, 0x1c, 0x8a, 0xd7, 0x58, 0x19,
-	0x84, 0xc8, 0x38, 0x5e, 0xa5, 0x34, 0x1b, 0x9c, 0x04, 0x4b, 0x8a, 0x4d, 0x4a, 0xa0, 0xb6, 0xa0,
-	0x4c, 0x43, 0x18, 0x91, 0x54, 0xa3, 0xb3, 0x07, 0xdb, 0x1d, 0x68, 0xcf, 0x7c, 0x4d, 0x15, 0x6d,
-	0x77, 0xc0, 0x3f, 0xd5, 0x6f, 0x82, 0xd2, 0xb0, 0x02, 0x4f, 0x0f, 0x8d, 0x3d, 0x99, 0x4a, 0x45,
-	0x0d, 0x50, 0xf6, 0x88, 0xee, 0x87, 0x3b, 0x44, 0x0f, 0x35, 0x8f, 0xf8, 0x96, 0x6b, 0x5e, 0xbe,
-	0xca, 0x73, 0x11, 0x4b, 0x97, 0x71, 0xa8, 0x7f, 0x9b, 0x02, 0xc0, 0xfa, 0xae, 0xf4, 0xd6, 0xde,
-	0x84, 0x2b, 0x81, 0xa3, 0x7b, 0xc1, 0x9e, 0x1b, 0x6a, 0x96, 0x13, 0x12, 0x7f, 0x5f, 0xb7, 0x45,
-	0x72, 0x47, 0x91, 0x88, 0x96, 0x80, 0xa3, 0xb7, 0x00, 0x3d, 0x26, 0xc4, 0xd3, 0x5c, 0xdb, 0xd4,
-	0x24, 0x92, 0x97, 0x47, 0x64, 0xb1, 0x42, 0x31, 0x1d, 0xdb, 0xec, 0x49, 0x38, 0xaa, 0xc1, 0x32,
-	0x9d, 0x3e, 0x71, 0x42, 0xdf, 0x22, 0x81, 0xb6, 0xeb, 0xfa, 0x5a, 0x60, 0xbb, 0x07, 0xda, 0xae,
-	0x6b, 0xdb, 0xee, 0x01, 0xf1, 0x65, 0xde, 0xac, 0x62, 0xbb, 0x83, 0x26, 0x27, 0x5a, 0x77, 0xfd,
-	0x9e, 0xed, 0x1e, 0xac, 0x4b, 0x0a, 0xea, 0xd2, 0xc5, 0x73, 0x0e, 0x2d, 0xe3, 0xb1, 0x74, 0xe9,
-	0x22, 0x68, 0xdf, 0x32, 0x1e, 0xa3, 0x57, 0x61, 0x86, 0xd8, 0x84, 0xa5, 0x4f, 0x38, 0x55, 0x8e,
-	0x51, 0x95, 0x25, 0x90, 0x12, 0xa9, 0xf7, 0x40, 0x69, 0x3a, 0x86, 0x7f, 0xe8, 0x25, 0xd6, 0xfc,
-	0x2d, 0x40, 0xd4, 0x48, 0x6a, 0xb6, 0x6b, 0x3c, 0xd6, 0x86, 0xba, 0xa3, 0x0f, 0xe8, 0xb8, 0xf8,
-	0xc3, 0xab, 0x42, 0x31, 0x9b, 0xae, 0xf1, 0x78, 0x4b, 0xc0, 0xd5, 0xf7, 0x01, 0x7a, 0x9e, 0x4f,
-	0x74, 0xb3, 0x43, 0xbd, 0x09, 0xaa, 0x3a, 0xd6, 0xd2, 0x4c, 0xf1, 0xea, 0xef, 0xfa, 0xe2, 0xa8,
-	0x2b, 0x1c, 0xd1, 0x88, 0xe0, 0xea, 0x3f, 0x85, 0xf9, 0xae, 0xad, 0x1b, 0xac, 0x0e, 0xa7, 0x1b,
-	0xbd, 0x24, 0xa2, 0xbb, 0x90, 0xe7, 0xa4, 0x62, 0x25, 0x27, 0x1e, 0xb7, 0xb8, 0xcf, 0x8d, 0x29,
-	0x2c, 0xe8, 0x6b, 0x65, 0x80, 0x58, 0x8e, 0xfa, 0xc7, 0x29, 0x28, 0x46, 0xf2, 0xd1, 0x2a, 0x7f,
-	0x07, 0x0c, 0x7d, 0xdd, 0x72, 0x44, 0xc4, 0x5f, 0xc4, 0x49, 0x10, 0x6a, 0x41, 0xc9, 0x8b, 0xb8,
-	0x2f, 0xf4, 0xe7, 0x26, 0x8c, 0x1a, 0x27, 0x79, 0xd1, 0x07, 0x50, 0x94, 0x65, 0x16, 0xd2, 0xc2,
-	0x5e, 0x5c, 0x95, 0x11, 0x93, 0xcb, 0x44, 0xaa, 0x4f, 0x3c, 0xdb, 0xa2, 0x36, 0x27, 0x1b, 0x25,
-	0x52, 0xb1, 0x00, 0xa9, 0xdf, 0x00, 0xf8, 0xc4, 0xb5, 0x9c, 0xbe, 0xfb, 0x98, 0x38, 0xec, 0x71,
-	0x9c, 0x86, 0x94, 0x44, 0x2a, 0x5a, 0xb4, 0x58, 0xa6, 0x80, 0xaf, 0x52, 0xf4, 0x46, 0xcc, 0x9b,
-	0xea, 0x6f, 0xa7, 0x21, 0x8f, 0x5d, 0x37, 0xac, 0x57, 0xd1, 0x2a, 0xe4, 0x85, 0x29, 0x61, 0x57,
-	0x54, 0xad, 0x78, 0x7a, 0xb2, 0x92, 0xe3, 0x36, 0x24, 0x67, 0x30, 0xe3, 0x91, 0x30, 0xf2, 0xe9,
-	0xf3, 0x8c, 0x3c, 0xba, 0x0d, 0x65, 0x41, 0xa4, 0xed, 0xe9, 0xc1, 0x1e, 0x8f, 0xef, 0x6a, 0xb3,
-	0xa7, 0x27, 0x2b, 0xc0, 0x29, 0x37, 0xf4, 0x60, 0x0f, 0x03, 0xa7, 0xa6, 0xdf, 0xa8, 0x09, 0xa5,
-	0xcf, 0x5c, 0xcb, 0xd1, 0x42, 0x36, 0x09, 0x91, 0x8b, 0x9c, 0xb8, 0xd4, 0xf1, 0x54, 0x45, 0x99,
-	0x0d, 0x7c, 0x16, 0x4f, 0xbe, 0x09, 0x33, 0xbe, 0xeb, 0x86, 0xdc, 0xb2, 0x59, 0xae, 0x23, 0xd2,
-	0x1c, 0xab, 0x13, 0xb3, 0xdf, 0xae, 0x1b, 0x62, 0x41, 0x87, 0xcb, 0x7e, 0xa2, 0x85, 0x6e, 0xc3,
-	0x82, 0xad, 0x07, 0xa1, 0xc6, 0x4c, 0xa2, 0x19, 0x4b, 0xcb, 0x33, 0xe5, 0x23, 0x8a, 0x63, 0x0f,
-	0x78, 0xa6, 0xe4, 0x50, 0xff, 0x28, 0x05, 0x25, 0x3a, 0x19, 0x6b, 0xd7, 0x32, 0xa8, 0x1f, 0xf8,
-	0xfc, 0xee, 0xc9, 0x55, 0xc8, 0x18, 0x81, 0x2f, 0x94, 0xca, 0xee, 0xe7, 0x7a, 0x0f, 0x63, 0x0a,
-	0x43, 0xf7, 0x20, 0x2f, 0xd2, 0x2d, 0xdc, 0x33, 0x51, 0x2f, 0xf7, 0x58, 0x85, 0x6e, 0x04, 0x1f,
-	0xdb, 0xee, 0xf1, 0xe8, 0xf8, 0x3d, 0x81, 0x93, 0x20, 0xb4, 0x08, 0x69, 0x83, 0xab, 0x4b, 0xd4,
-	0x71, 0xd5, 0xdb, 0x38, 0x6d, 0x38, 0xea, 0x4f, 0x52, 0x30, 0x13, 0xdb, 0x04, 0xba, 0x03, 0xae,
-	0x41, 0x31, 0x18, 0xed, 0x04, 0x87, 0x41, 0x48, 0x86, 0xf2, 0xe1, 0x3f, 0x02, 0xa0, 0x16, 0x14,
-	0x75, 0x7b, 0xe0, 0xfa, 0x56, 0xb8, 0x37, 0x14, 0x81, 0xec, 0x64, 0x6f, 0x22, 0x29, 0x73, 0xad,
-	0x2a, 0x59, 0x70, 0xcc, 0x2d, 0x5d, 0x03, 0x5e, 0xf3, 0xc2, 0x5c, 0x83, 0x57, 0xa0, 0x6c, 0xeb,
-	0x43, 0x96, 0x7f, 0x0a, 0xad, 0x21, 0x91, 0x87, 0x41, 0xc0, 0xfa, 0xd6, 0x90, 0xa8, 0x2a, 0x14,
-	0x23, 0x61, 0x68, 0x0e, 0x4a, 0xd5, 0x66, 0x4f, 0x7b, 0xfb, 0xce, 0x5d, 0xed, 0x7e, 0x7d, 0x4b,
-	0x99, 0x12, 0xee, 0xeb, 0xff, 0x4f, 0xc1, 0x8c, 0xb0, 0x58, 0x22, 0x24, 0x78, 0x15, 0xa6, 0x7d,
-	0x7d, 0x37, 0x94, 0x41, 0x4b, 0x96, 0xef, 0x6a, 0x7a, 0x09, 0xd0, 0xa0, 0x85, 0xa2, 0x26, 0x07,
-	0x2d, 0x89, 0x52, 0x94, 0xcc, 0x85, 0xa5, 0x28, 0xd9, 0x5f, 0x4b, 0x29, 0x8a, 0xfa, 0xaf, 0x01,
-	0xd6, 0x2d, 0x9b, 0xf4, 0x79, 0xaa, 0x6a, 0x52, 0x08, 0x4a, 0xdd, 0xbc, 0xa8, 0xa2, 0x87, 0xbb,
-	0x79, 0xad, 0x06, 0xa6, 0x30, 0x8a, 0x1a, 0x58, 0xa6, 0x38, 0x8c, 0x0c, 0x75, 0x9f, 0xa2, 0x06,
-	0x96, 0x19, 0xbd, 0x0c, 0x66, 0x2f, 0x79, 0x19, 0x54, 0xe7, 0x60, 0x06, 0xf3, 0x1c, 0x1b, 0x1f,
-	0x83, 0x7a, 0x9c, 0x82, 0x39, 0xe1, 0xef, 0x46, 0x26, 0xfb, 0x0d, 0x28, 0x72, 0xd7, 0x37, 0x0e,
-	0x02, 0x59, 0x3d, 0x06, 0xa7, 0x6b, 0x35, 0x70, 0x81, 0xa3, 0x5b, 0x26, 0x5a, 0x81, 0x92, 0x20,
-	0x4d, 0x14, 0x01, 0x02, 0x07, 0xb1, 0x2a, 0xa5, 0x77, 0x21, 0xbb, 0x6b, 0xd9, 0x44, 0xec, 0xfc,
-	0x89, 0x16, 0x21, 0xd6, 0xc8, 0xc6, 0x14, 0x66, 0xd4, 0xb5, 0x82, 0x4c, 0xee, 0xa9, 0x7f, 0x9a,
-	0x62, 0x29, 0x66, 0x1a, 0xaa, 0x26, 0xc7, 0xc7, 0xa3, 0xd6, 0x33, 0xe3, 0xe3, 0x74, 0x74, 0x7c,
-	0x1c, 0xcd, 0xc7, 0x27, 0x48, 0x93, 0xe3, 0xe3, 0xa0, 0x5f, 0x7d, 0x7c, 0xe8, 0x23, 0x98, 0x16,
-	0xa9, 0x4a, 0x61, 0xea, 0x5e, 0x99, 0xb8, 0x33, 0x92, 0x9a, 0xde, 0x98, 0xc2, 0x92, 0x27, 0x31,
-	0xbd, 0x4d, 0x58, 0xac, 0xd9, 0xba, 0xf1, 0xd8, 0xb6, 0x82, 0x90, 0x98, 0x49, 0x0b, 0x74, 0x07,
-	0xf2, 0x63, 0x7e, 0xee, 0x45, 0x49, 0x54, 0x41, 0xa9, 0xfe, 0x9f, 0x34, 0x94, 0x37, 0x88, 0x6e,
-	0x87, 0x7b, 0x71, 0xa6, 0x2a, 0x24, 0x41, 0x28, 0xee, 0x47, 0xf6, 0x8d, 0xbe, 0x06, 0x85, 0xc8,
-	0x0d, 0xba, 0xf4, 0x39, 0x30, 0x22, 0x45, 0xef, 0xc0, 0x34, 0x1d, 0xbb, 0x3b, 0x92, 0xf1, 0xd5,
-	0x45, 0x2f, 0x4d, 0x82, 0x92, 0x5e, 0x5a, 0x3e, 0x61, 0x7e, 0x0f, 0xd3, 0x53, 0x0e, 0xcb, 0x26,
-	0xfa, 0x3a, 0x94, 0xd9, 0x43, 0x89, 0x74, 0xf3, 0x72, 0x97, 0xc9, 0x2c, 0xf1, 0xb7, 0x4e, 0x46,
-	0x8d, 0xee, 0xc1, 0x2c, 0xe7, 0x8e, 0x66, 0x92, 0xbf, 0x8c, 0x7f, 0x86, 0x31, 0x48, 0x47, 0x4f,
-	0xfd, 0x61, 0x1a, 0x16, 0xb6, 0xf4, 0xc3, 0x1d, 0x22, 0x0c, 0x19, 0x31, 0x31, 0x31, 0x5c, 0xdf,
-	0x44, 0xdd, 0xa4, 0x01, 0xbc, 0xe0, 0xf1, 0x75, 0x12, 0xf3, 0x64, 0x3b, 0x28, 0xa3, 0xc6, 0x74,
-	0x22, 0x6a, 0x5c, 0x80, 0x9c, 0xe3, 0x3a, 0x06, 0x11, 0xd6, 0x91, 0x37, 0xd4, 0xef, 0xa5, 0x92,
-	0xd6, 0xaf, 0x12, 0x3d, 0x8c, 0xb2, 0xb4, 0x59, 0xdb, 0x0d, 0xa3, 0xee, 0xd0, 0x3d, 0xa8, 0xf4,
-	0x9a, 0x75, 0xdc, 0xec, 0xd7, 0x3a, 0xdf, 0xd4, 0x7a, 0xd5, 0xcd, 0x5e, 0xf5, 0xce, 0x6d, 0xad,
-	0xdb, 0xd9, 0xfc, 0xf4, 0xed, 0x77, 0x6e, 0x7f, 0x4d, 0x49, 0x55, 0x56, 0x8f, 0x8e, 0x57, 0xaf,
-	0xb5, 0xab, 0xf5, 0x4d, 0x7e, 0x66, 0x77, 0xdc, 0x27, 0x3d, 0xdd, 0x0e, 0xf4, 0x3b, 0xb7, 0xbb,
-	0xae, 0x7d, 0x48, 0x69, 0xd0, 0x9b, 0x80, 0xd6, 0x9b, 0xb8, 0xdd, 0xec, 0x6b, 0xd2, 0xc4, 0xd6,
-	0x6b, 0x75, 0x25, 0xcd, 0x63, 0xb1, 0x75, 0xe2, 0x3b, 0x24, 0xac, 0x36, 0x7b, 0x6f, 0xdf, 0xb9,
-	0x5b, 0xaf, 0xd5, 0xa9, 0x95, 0x28, 0x27, 0xef, 0xdb, 0xa4, 0x1b, 0x91, 0x3a, 0xd7, 0x8d, 0x88,
-	0xbd, 0x91, 0xf4, 0x39, 0xde, 0xc8, 0x3a, 0x2c, 0x18, 0xbe, 0x1b, 0x04, 0x1a, 0x0d, 0x70, 0x88,
-	0x79, 0x26, 0x84, 0x7a, 0xe1, 0xf4, 0x64, 0xe5, 0x4a, 0x9d, 0xe2, 0x7b, 0x0c, 0x2d, 0xc4, 0x5f,
-	0x31, 0x12, 0x20, 0xd6, 0x93, 0xfa, 0xc3, 0x69, 0xea, 0x2b, 0x5a, 0xfb, 0x96, 0x4d, 0x06, 0x24,
-	0x40, 0x0f, 0x61, 0xce, 0xf0, 0x89, 0x49, 0x23, 0x17, 0xdd, 0x4e, 0x56, 0xe0, 0x7f, 0x75, 0xa2,
-	0xdb, 0x16, 0x31, 0xae, 0xd5, 0x23, 0xae, 0x9e, 0x47, 0x0c, 0x3c, 0x6b, 0x8c, 0xb5, 0xd1, 0x67,
-	0x30, 0x17, 0x10, 0xdb, 0x72, 0x46, 0x4f, 0x34, 0xc3, 0x75, 0x42, 0xf2, 0x44, 0x3e, 0x08, 0x5e,
-	0x26, 0xb7, 0xd7, 0xdc, 0xa4, 0x5c, 0x75, 0xce, 0x54, 0x43, 0xa7, 0x27, 0x2b, 0xb3, 0xe3, 0x30,
-	0x3c, 0x2b, 0x24, 0x8b, 0x36, 0x6a, 0xc0, 0x74, 0x40, 0x0c, 0xc3, 0x1d, 0x7a, 0xe2, 0xbc, 0xdd,
-	0xbc, 0xac, 0x0f, 0x4e, 0xdd, 0xf1, 0xc2, 0x00, 0x4b, 0x56, 0x74, 0x1f, 0x0a, 0xba, 0xe7, 0xe9,
-	0xfe, 0x30, 0x7a, 0x20, 0x7e, 0xf3, 0x12, 0x31, 0x55, 0xcf, 0xab, 0x52, 0x72, 0x26, 0x27, 0x62,
-	0x46, 0x37, 0xe1, 0x8a, 0xe3, 0x6a, 0x0e, 0x39, 0xd0, 0xbc, 0x88, 0x96, 0x17, 0x46, 0xe1, 0x39,
-	0xc7, 0x6d, 0x93, 0x83, 0x58, 0x44, 0x65, 0x0f, 0x66, 0xc7, 0x15, 0x89, 0x16, 0x84, 0x95, 0x65,
-	0xc6, 0x3a, 0xb2, 0xa2, 0xd7, 0xa0, 0xe0, 0x93, 0x81, 0x15, 0x84, 0x3e, 0xdf, 0x21, 0x14, 0x13,
-	0x41, 0xd0, 0x12, 0xe4, 0x13, 0x15, 0x39, 0x14, 0x27, 0xda, 0xd4, 0x7c, 0xf2, 0x82, 0xc2, 0xca,
-	0xbf, 0x84, 0x33, 0x6a, 0xa4, 0x16, 0xc7, 0xb4, 0x02, 0x7d, 0x47, 0x74, 0x56, 0xc0, 0xb2, 0x49,
-	0x8f, 0xe1, 0x28, 0x88, 0xbc, 0x67, 0xf6, 0x4d, 0x61, 0xcc, 0xcd, 0x13, 0xe5, 0x95, 0xcc, 0x91,
-	0x93, 0x45, 0xee, 0xd9, 0x44, 0x91, 0xfb, 0x02, 0xe4, 0x6c, 0xb2, 0x4f, 0x6c, 0xee, 0x60, 0x61,
-	0xde, 0xa8, 0xfc, 0x30, 0x05, 0xa5, 0x84, 0xd6, 0xd1, 0x27, 0xe2, 0x16, 0xe6, 0x56, 0xe3, 0xbd,
-	0x67, 0x5f, 0x2f, 0xf9, 0x3d, 0x5e, 0xc2, 0xe3, 0xf9, 0x2e, 0x53, 0x1a, 0xb7, 0x1b, 0xb2, 0xa9,
-	0xbe, 0x17, 0x75, 0xca, 0x72, 0xe5, 0xa5, 0x44, 0x09, 0x0c, 0x9a, 0x05, 0xd8, 0x6e, 0xd7, 0x3b,
-	0xed, 0xf5, 0x56, 0xbb, 0xd9, 0xe0, 0xaf, 0xbf, 0xf5, 0xed, 0x5e, 0xbf, 0xb3, 0xa5, 0xa4, 0x2b,
-	0xdf, 0x4d, 0x41, 0x39, 0xb9, 0xb8, 0x68, 0x73, 0x6c, 0xb8, 0x77, 0x9f, 0x63, 0x5f, 0x44, 0x8d,
-	0x84, 0x67, 0xf1, 0x46, 0x2c, 0xfd, 0xe9, 0x71, 0x95, 0xa1, 0xd0, 0x68, 0xf5, 0xaa, 0xb5, 0x4d,
-	0x3a, 0x2a, 0x66, 0xe6, 0x3e, 0x71, 0x77, 0x84, 0xef, 0xb6, 0x0e, 0x33, 0x9f, 0xb9, 0x3b, 0x9a,
-	0x15, 0x12, 0x3f, 0x2e, 0x4a, 0x2c, 0xdd, 0x79, 0x69, 0xd2, 0x78, 0xc4, 0x6f, 0x04, 0x84, 0x77,
-	0x5c, 0xfe, 0xcc, 0xdd, 0x69, 0x49, 0x36, 0x54, 0x85, 0x59, 0xe6, 0xf4, 0x93, 0x27, 0xc4, 0x18,
-	0x31, 0x41, 0x97, 0x3f, 0xd6, 0xcf, 0x50, 0x8e, 0xa6, 0x64, 0x50, 0x7f, 0x90, 0x03, 0x85, 0x57,
-	0x38, 0x55, 0x59, 0x29, 0x33, 0x9b, 0xc8, 0x3d, 0xc8, 0x05, 0x86, 0x1b, 0x55, 0xc0, 0x4e, 0x3c,
-	0x86, 0x67, 0x99, 0xd6, 0x7a, 0x94, 0x03, 0x73, 0x46, 0xb4, 0x0e, 0xd3, 0xc1, 0x9e, 0xee, 0x5b,
-	0xce, 0x40, 0x78, 0xd4, 0x6f, 0x3d, 0x9b, 0x0c, 0xce, 0x83, 0x25, 0x33, 0xda, 0x80, 0xdc, 0x0e,
-	0x0d, 0xe3, 0x85, 0x41, 0xb8, 0xfd, 0x4c, 0x52, 0x6a, 0x94, 0x83, 0x43, 0x37, 0xa6, 0x30, 0x17,
-	0x40, 0x25, 0xb1, 0x3a, 0x4a, 0x61, 0x13, 0x9e, 0x4d, 0x12, 0xab, 0x5c, 0x8a, 0x25, 0x31, 0x01,
-	0x95, 0x19, 0x28, 0x25, 0x7a, 0xa8, 0xdc, 0x87, 0x52, 0x82, 0x0c, 0xbd, 0x08, 0xd3, 0xbb, 0x81,
-	0x96, 0xf8, 0xcd, 0x48, 0x7e, 0x37, 0x60, 0xe5, 0x67, 0x2b, 0x50, 0x62, 0xfc, 0xda, 0xae, 0xad,
-	0x0f, 0xe4, 0x4b, 0x2d, 0x30, 0xd0, 0x3a, 0x85, 0xa8, 0x06, 0xe4, 0x98, 0x0e, 0xd1, 0x4d, 0x28,
-	0xf5, 0x5a, 0xed, 0xfb, 0x9b, 0x4d, 0xad, 0xdd, 0x69, 0xd0, 0xcb, 0x90, 0x15, 0x1a, 0x72, 0xf9,
-	0x8c, 0xa2, 0x67, 0x39, 0x03, 0x9b, 0xb0, 0xe2, 0xf5, 0x1b, 0x00, 0x5b, 0xdb, 0x9b, 0xfd, 0x16,
-	0x27, 0x15, 0x45, 0x5e, 0x09, 0xd2, 0xad, 0x91, 0x1d, 0x5a, 0x94, 0x52, 0x04, 0x12, 0xff, 0x3b,
-	0x05, 0xd3, 0x42, 0xcb, 0x68, 0x25, 0xba, 0x6d, 0x5f, 0x38, 0x3a, 0x5e, 0xbd, 0x22, 0xb8, 0x38,
-	0x92, 0x95, 0x22, 0xdd, 0x60, 0xe5, 0xdf, 0x0d, 0xad, 0xd3, 0xde, 0xfc, 0x54, 0x49, 0x8d, 0x0d,
-	0x43, 0x2c, 0x94, 0xa8, 0x0d, 0x45, 0x37, 0x01, 0x3a, 0xed, 0xa6, 0xf6, 0x08, 0xb7, 0xfa, 0x4d,
-	0x2c, 0xab, 0xc8, 0xc6, 0x48, 0x3b, 0x0e, 0x79, 0xe4, 0xd3, 0x1d, 0x8f, 0x5e, 0x86, 0x4c, 0x75,
-	0x73, 0x53, 0xc9, 0xf0, 0xca, 0xa6, 0x31, 0xa2, 0xaa, 0x6d, 0xf3, 0x71, 0xd6, 0x66, 0xa0, 0xc4,
-	0x6b, 0xeb, 0x99, 0x2a, 0xd5, 0xbb, 0x50, 0x16, 0x84, 0x3c, 0x2d, 0xfd, 0x74, 0x0e, 0x76, 0x31,
-	0xca, 0x85, 0xcb, 0x17, 0x5b, 0xd6, 0x52, 0xff, 0x67, 0x06, 0xe6, 0x39, 0xab, 0x78, 0x15, 0x8b,
-	0xe3, 0xa7, 0xcb, 0x1f, 0x7d, 0xea, 0xe3, 0x05, 0x0e, 0x5f, 0x3d, 0x7f, 0xd3, 0x8c, 0x09, 0x1f,
-	0x7f, 0x7c, 0x31, 0x61, 0x4e, 0x3e, 0x4d, 0xca, 0x2b, 0x94, 0x67, 0x54, 0x3e, 0x7c, 0x56, 0x71,
-	0xa2, 0x25, 0x0c, 0x3e, 0xcf, 0x61, 0xcb, 0x57, 0xd1, 0xc4, 0x2d, 0x20, 0xcb, 0x2a, 0x72, 0x63,
-	0x65, 0x15, 0x95, 0x2a, 0xcc, 0x4f, 0x10, 0xf0, 0x5c, 0x69, 0xec, 0x6f, 0xcb, 0xc7, 0xa2, 0x79,
-	0x98, 0x13, 0x4f, 0x3c, 0x5a, 0x77, 0xbb, 0xb6, 0xd9, 0xea, 0x6d, 0x28, 0x53, 0x68, 0x06, 0x8a,
-	0xa2, 0xc1, 0x2c, 0x70, 0x05, 0x16, 0x25, 0x0d, 0xdd, 0x94, 0xda, 0x76, 0x5b, 0x92, 0xa6, 0xd1,
-	0x0b, 0x70, 0x45, 0xe2, 0x62, 0x70, 0x46, 0xfd, 0xbd, 0x34, 0x00, 0x9f, 0x38, 0xfb, 0x21, 0xc8,
-	0x75, 0x98, 0x35, 0x74, 0x4f, 0x37, 0xac, 0xf0, 0x70, 0xac, 0x30, 0x74, 0x46, 0x42, 0x79, 0x71,
-	0xe8, 0x37, 0xa3, 0x32, 0xf4, 0xd8, 0x35, 0x39, 0xf7, 0xe7, 0x53, 0xb1, 0x78, 0xf1, 0x39, 0xa6,
-	0x4d, 0x51, 0x90, 0x2e, 0x95, 0xf9, 0x06, 0x14, 0x85, 0xe4, 0x28, 0xfa, 0x64, 0xe1, 0x96, 0x10,
-	0xd2, 0xc0, 0x05, 0x8e, 0x6e, 0x99, 0xe7, 0xff, 0x7a, 0x24, 0xf3, 0xab, 0xfc, 0x7a, 0xa4, 0x72,
-	0x0f, 0xd0, 0xd3, 0xc3, 0x7b, 0xae, 0xb5, 0x7a, 0x04, 0x33, 0x75, 0xa1, 0x26, 0xcc, 0xaa, 0x13,
-	0xae, 0xc3, 0xac, 0xcf, 0x7f, 0x2f, 0x68, 0x8e, 0x6b, 0x53, 0x42, 0xb9, 0x36, 0x57, 0xa0, 0xc4,
-	0x52, 0xe2, 0x63, 0x3f, 0x60, 0x04, 0x06, 0x62, 0x04, 0xea, 0x1f, 0x66, 0xa3, 0xab, 0x22, 0xa0,
-	0xce, 0x2b, 0xcb, 0x4a, 0x2e, 0x42, 0x3a, 0x3a, 0x41, 0x2c, 0x09, 0xd3, 0x6a, 0xe0, 0xb4, 0x65,
-	0x8e, 0x6b, 0x30, 0x7d, 0xa1, 0x06, 0xe3, 0x47, 0xdf, 0xcc, 0x33, 0x3f, 0xfa, 0x7e, 0xfb, 0xa9,
-	0xa5, 0xe7, 0x0a, 0xff, 0x27, 0x17, 0x98, 0xf5, 0x68, 0xd0, 0xcf, 0xb0, 0x01, 0xf4, 0xa7, 0xcf,
-	0x6c, 0xee, 0xfc, 0x07, 0xc2, 0xa7, 0x3a, 0x78, 0x96, 0x03, 0xdb, 0x8c, 0x2c, 0x1c, 0x73, 0x49,
-	0x78, 0x34, 0xf7, 0xda, 0xb3, 0x5c, 0x4b, 0x18, 0xf4, 0xf8, 0xae, 0xfe, 0x80, 0x39, 0xcd, 0x3e,
-	0x09, 0x03, 0xf1, 0x03, 0xb1, 0xd5, 0xf3, 0x45, 0x88, 0xac, 0x87, 0x64, 0xf8, 0xf2, 0x9b, 0xed,
-	0xd7, 0x61, 0x5b, 0xbe, 0x15, 0xed, 0xaa, 0xa8, 0x10, 0xe8, 0xdc, 0x5d, 0xf5, 0x9c, 0xbf, 0xb2,
-	0x51, 0xff, 0x5d, 0x0a, 0xe6, 0xa3, 0xe3, 0x16, 0xff, 0x66, 0x16, 0x7d, 0x00, 0x45, 0xb6, 0xf9,
-	0x03, 0x8b, 0xbd, 0xa9, 0x5f, 0x7e, 0x54, 0x63, 0x72, 0x96, 0x1a, 0x67, 0x99, 0x72, 0x9f, 0x98,
-	0xc2, 0xe0, 0x5c, 0xc2, 0x1b, 0x91, 0xab, 0xff, 0x3e, 0x05, 0x05, 0x09, 0x47, 0xeb, 0x50, 0x08,
-	0xc8, 0x80, 0xfd, 0x86, 0x57, 0x8c, 0xe1, 0xe6, 0x45, 0x72, 0xd6, 0x7a, 0x82, 0x58, 0x54, 0x06,
-	0x49, 0xde, 0xca, 0x87, 0x30, 0x33, 0x86, 0x7a, 0x2e, 0xed, 0xff, 0x3c, 0x3a, 0xd4, 0xd4, 0x68,
-	0x88, 0x1f, 0x85, 0x45, 0x5e, 0x57, 0xea, 0x32, 0x5f, 0x29, 0x66, 0xba, 0xc4, 0xeb, 0x4a, 0x3f,
-	0x87, 0xa4, 0x49, 0x5e, 0x17, 0xea, 0x8e, 0x1f, 0x17, 0x6e, 0x2a, 0x6e, 0x3d, 0x93, 0xbc, 0xc9,
-	0x27, 0xe7, 0x1f, 0xcb, 0x8f, 0xab, 0xfc, 0x5d, 0x0a, 0x20, 0xe1, 0x4c, 0x6f, 0x8c, 0xc5, 0x1c,
-	0xef, 0x3e, 0xe7, 0x88, 0xd7, 0x12, 0xf1, 0xc6, 0x7f, 0x4f, 0x41, 0x56, 0x06, 0x1a, 0x71, 0xf5,
-	0xd6, 0x22, 0xa0, 0x84, 0xb7, 0x28, 0x5d, 0xb0, 0x14, 0x7a, 0x09, 0x5e, 0x4c, 0xc2, 0xa9, 0x23,
-	0xd7, 0xc4, 0xdc, 0x95, 0x4b, 0xd3, 0x3b, 0x3a, 0x76, 0x1b, 0xc7, 0x70, 0x19, 0x74, 0x0d, 0x96,
-	0x12, 0x38, 0x21, 0x43, 0x88, 0xcd, 0x52, 0xb1, 0x09, 0x2c, 0xff, 0x14, 0xc8, 0xdc, 0x19, 0xaf,
-	0xed, 0xe6, 0xd7, 0xa1, 0x2c, 0x7f, 0x7b, 0xcb, 0x54, 0x57, 0x80, 0x6c, 0xbf, 0xda, 0x7b, 0xa0,
-	0x4c, 0xd1, 0x28, 0x8d, 0x27, 0x73, 0x44, 0xc4, 0x46, 0xe3, 0xb7, 0xfb, 0x4a, 0x9a, 0x7e, 0x8b,
-	0x9f, 0x61, 0x64, 0x6e, 0xfe, 0xe7, 0x2c, 0x14, 0xa3, 0xea, 0x51, 0x74, 0x15, 0x32, 0xed, 0xe6,
-	0x23, 0x99, 0x19, 0x8a, 0xe0, 0x6d, 0x72, 0x80, 0x5e, 0x89, 0xeb, 0x4e, 0xee, 0x71, 0xa7, 0x32,
-	0x42, 0xcb, 0x9a, 0x93, 0xd7, 0xa0, 0x50, 0xed, 0xf5, 0x5a, 0xf7, 0x69, 0x8c, 0xf8, 0x45, 0x8a,
-	0xfb, 0xbb, 0x11, 0x11, 0x37, 0xdc, 0xc4, 0x64, 0x54, 0xf5, 0x7a, 0xb3, 0xdb, 0x6f, 0x36, 0x94,
-	0xcf, 0xd3, 0x67, 0xa9, 0x58, 0x1d, 0x05, 0xfb, 0xa5, 0x50, 0xb1, 0x8b, 0x9b, 0xdd, 0x2a, 0xa6,
-	0x1d, 0x7e, 0x91, 0xe6, 0xe5, 0x30, 0x71, 0x8f, 0x3e, 0xf1, 0xb8, 0x7b, 0xbd, 0x2c, 0x7f, 0x94,
-	0xf8, 0x79, 0x86, 0xff, 0x64, 0x24, 0x2e, 0x85, 0x25, 0xba, 0x79, 0x48, 0x7b, 0x63, 0x35, 0xc8,
-	0x4c, 0x4c, 0xe6, 0x4c, 0x6f, 0xbd, 0x50, 0xf7, 0x43, 0x2a, 0x45, 0x85, 0x69, 0xbc, 0xdd, 0x6e,
-	0x53, 0xa2, 0xcf, 0xb3, 0x67, 0x66, 0x87, 0x47, 0x8e, 0x43, 0x69, 0xae, 0x43, 0x41, 0x96, 0x28,
-	0x2b, 0x5f, 0x64, 0xcf, 0x0c, 0xa8, 0x2e, 0xeb, 0xab, 0x59, 0x87, 0x1b, 0xdb, 0x7d, 0xf6, 0x9b,
-	0xc9, 0xcf, 0x73, 0x67, 0x3b, 0xdc, 0x1b, 0x85, 0xa6, 0x7b, 0xe0, 0xa0, 0xd5, 0xa8, 0xf2, 0xe6,
-	0x8b, 0x1c, 0x4f, 0x8d, 0x45, 0x34, 0xa2, 0xec, 0xe6, 0x35, 0x28, 0xe0, 0xe6, 0x27, 0xfc, 0xe7,
-	0x95, 0x9f, 0xe7, 0xcf, 0xc8, 0xc1, 0xe4, 0x33, 0x62, 0xd0, 0xde, 0x56, 0x21, 0x8f, 0x9b, 0x5b,
-	0x9d, 0x87, 0x4d, 0xe5, 0x7f, 0xe4, 0xcf, 0xc8, 0xc1, 0x64, 0xe8, 0xb2, 0x9f, 0x52, 0x15, 0x3a,
-	0xb8, 0xbb, 0x51, 0x65, 0x8b, 0x72, 0x56, 0x4e, 0xc7, 0xf7, 0xf6, 0x74, 0x87, 0x98, 0xf1, 0x6f,
-	0x62, 0x22, 0xd4, 0xcd, 0x6f, 0x43, 0x41, 0x3e, 0x45, 0xa1, 0x65, 0xc8, 0x3f, 0xea, 0xe0, 0x07,
-	0x4d, 0xac, 0x4c, 0x71, 0x2d, 0x4b, 0xcc, 0x23, 0xfe, 0x88, 0xb8, 0x0a, 0xd3, 0x5b, 0xd5, 0x76,
-	0xf5, 0x3e, 0x3d, 0x13, 0x7c, 0x18, 0x92, 0x40, 0xbc, 0xa7, 0x54, 0x14, 0xd1, 0x41, 0x24, 0xb3,
-	0xf6, 0xda, 0x8f, 0x7e, 0xb1, 0x3c, 0xf5, 0xb3, 0x5f, 0x2c, 0x4f, 0x7d, 0x7e, 0xba, 0x9c, 0xfa,
-	0xd1, 0xe9, 0x72, 0xea, 0xc7, 0xa7, 0xcb, 0xa9, 0x3f, 0x3f, 0x5d, 0x4e, 0xfd, 0x87, 0x5f, 0x2e,
-	0x4f, 0xfd, 0xf8, 0x97, 0xcb, 0x53, 0x3f, 0xfb, 0xe5, 0xf2, 0xd4, 0x4e, 0x9e, 0x45, 0xd7, 0xef,
-	0xfc, 0x43, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf3, 0x73, 0xce, 0x0b, 0x8a, 0x45, 0x00, 0x00,
+	// 6589 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x7b, 0x5d, 0x6c, 0x24, 0xc7,
+	0x99, 0x18, 0xe7, 0x97, 0x33, 0xdf, 0x0c, 0xc9, 0xde, 0x22, 0x45, 0x71, 0x47, 0x2b, 0x92, 0x6a,
+	0x69, 0xad, 0xd5, 0x4a, 0xe6, 0xae, 0x56, 0xb2, 0xb2, 0x92, 0x2c, 0x6b, 0xe7, 0x8f, 0xcb, 0xd1,
+	0x92, 0x33, 0x83, 0x9a, 0xe1, 0xae, 0x65, 0x20, 0xee, 0x34, 0xbb, 0x8b, 0xc3, 0xd6, 0xf6, 0x74,
+	0x77, 0xba, 0x7b, 0xc8, 0x65, 0x9c, 0x20, 0x7a, 0x8a, 0x03, 0x02, 0x81, 0x13, 0x04, 0x70, 0x1c,
+	0x24, 0x44, 0x82, 0xd8, 0x01, 0x02, 0xf8, 0x21, 0x0f, 0x79, 0x08, 0x12, 0xdc, 0x83, 0x0e, 0x38,
+	0x1c, 0x7c, 0x4f, 0x67, 0x9f, 0x0f, 0x77, 0x86, 0xef, 0xc0, 0x3b, 0xd3, 0xcf, 0x87, 0xbb, 0x97,
+	0xc3, 0xdd, 0xe3, 0xa1, 0xfe, 0xba, 0x7b, 0xb8, 0x43, 0x72, 0xd7, 0xf2, 0xbd, 0x90, 0x5d, 0xdf,
+	0x5f, 0x55, 0x7d, 0x55, 0xf5, 0xd5, 0xf7, 0x7d, 0xf5, 0x0d, 0xdc, 0x1c, 0x58, 0xe1, 0xde, 0x68,
+	0x67, 0xcd, 0x70, 0x87, 0xb7, 0x4c, 0xd7, 0x78, 0x4c, 0xfc, 0x5b, 0xc1, 0x81, 0xee, 0x0f, 0x1f,
+	0x5b, 0xe1, 0x2d, 0xdd, 0xb3, 0x6e, 0x85, 0x87, 0x1e, 0x09, 0xd6, 0x3c, 0xdf, 0x0d, 0x5d, 0x84,
+	0x38, 0xc1, 0x9a, 0x24, 0x58, 0xdb, 0x7f, 0xbb, 0xb2, 0x32, 0x70, 0xdd, 0x81, 0x4d, 0x6e, 0x31,
+	0x8a, 0x9d, 0xd1, 0xee, 0xad, 0xd0, 0x1a, 0x92, 0x20, 0xd4, 0x87, 0x1e, 0x67, 0xaa, 0x2c, 0x9f,
+	0x25, 0x30, 0x47, 0xbe, 0x1e, 0x5a, 0xae, 0x73, 0x1e, 0xfe, 0xc0, 0xd7, 0x3d, 0x8f, 0xf8, 0xa2,
+	0xd3, 0xca, 0xc2, 0xc0, 0x1d, 0xb8, 0xec, 0xf3, 0x16, 0xfd, 0xe2, 0x50, 0x75, 0x05, 0xa6, 0x1f,
+	0x12, 0x3f, 0xb0, 0x5c, 0x07, 0x2d, 0x40, 0xce, 0x72, 0x4c, 0xf2, 0x64, 0x29, 0xb5, 0x9a, 0xba,
+	0x91, 0xc5, 0xbc, 0xa1, 0xde, 0x06, 0x68, 0xd1, 0x8f, 0xa6, 0x13, 0xfa, 0x87, 0x48, 0x81, 0xcc,
+	0x63, 0x72, 0xc8, 0x28, 0x8a, 0x98, 0x7e, 0x52, 0xc8, 0xbe, 0x6e, 0x2f, 0xa5, 0x39, 0x64, 0x5f,
+	0xb7, 0xd5, 0x5f, 0xa5, 0xa0, 0x54, 0x75, 0x1c, 0x37, 0x64, 0xa3, 0x0b, 0x10, 0x82, 0xac, 0xa3,
+	0x0f, 0x89, 0x60, 0x62, 0xdf, 0xa8, 0x0e, 0x79, 0x5b, 0xdf, 0x21, 0x76, 0xb0, 0x94, 0x5e, 0xcd,
+	0xdc, 0x28, 0xdd, 0x79, 0x73, 0xed, 0x69, 0x95, 0xac, 0x25, 0x84, 0xac, 0x6d, 0x32, 0x6a, 0x36,
+	0x08, 0x2c, 0x58, 0xd1, 0x37, 0x60, 0xda, 0x72, 0x4c, 0xcb, 0x20, 0xc1, 0x52, 0x96, 0x49, 0x59,
+	0x9e, 0x24, 0x25, 0x1e, 0x7d, 0x2d, 0xfb, 0x93, 0x93, 0x95, 0x29, 0x2c, 0x99, 0x2a, 0xef, 0x43,
+	0x29, 0x21, 0x76, 0xc2, 0xdc, 0x16, 0x20, 0xb7, 0xaf, 0xdb, 0x23, 0x22, 0x66, 0xc7, 0x1b, 0x1f,
+	0xa4, 0xef, 0xa6, 0xd4, 0x7b, 0xb0, 0xd0, 0xd6, 0x87, 0xc4, 0xbc, 0x4f, 0x1c, 0xe2, 0x5b, 0x06,
+	0x26, 0x81, 0x3b, 0xf2, 0x0d, 0x42, 0xe7, 0xfa, 0xd8, 0x72, 0x4c, 0x39, 0x57, 0xfa, 0x3d, 0x59,
+	0x8a, 0x5a, 0x87, 0x17, 0x1b, 0x56, 0x60, 0xf8, 0x24, 0x24, 0xcf, 0x2d, 0x24, 0x23, 0x85, 0x9c,
+	0xa4, 0x60, 0xee, 0x2c, 0xf7, 0xb7, 0x60, 0x9e, 0xaa, 0xd8, 0xd4, 0x7c, 0x01, 0xd1, 0x02, 0x8f,
+	0x18, 0x4c, 0x58, 0xe9, 0xce, 0x8d, 0x49, 0x1a, 0x9a, 0x34, 0x93, 0x8d, 0x29, 0x7c, 0x85, 0x89,
+	0x91, 0x80, 0x9e, 0x47, 0x0c, 0x64, 0xc0, 0xa2, 0x29, 0x06, 0x7d, 0x46, 0x7c, 0x9a, 0x89, 0x9f,
+	0xb8, 0x8c, 0xe7, 0x4c, 0x73, 0x63, 0x0a, 0x2f, 0x48, 0x61, 0xc9, 0x4e, 0x6a, 0x00, 0x05, 0x29,
+	0x5b, 0xfd, 0x41, 0x0a, 0x8a, 0x12, 0x19, 0xa0, 0x37, 0xa0, 0xe8, 0xe8, 0x8e, 0xab, 0x19, 0xde,
+	0x28, 0x60, 0x13, 0xca, 0xd4, 0xca, 0xa7, 0x27, 0x2b, 0x85, 0xb6, 0xee, 0xb8, 0xf5, 0xee, 0x76,
+	0x80, 0x0b, 0x14, 0x5d, 0xf7, 0x46, 0x01, 0x7a, 0x05, 0xca, 0x43, 0x32, 0x74, 0xfd, 0x43, 0x6d,
+	0xe7, 0x30, 0x24, 0x81, 0x50, 0x5b, 0x89, 0xc3, 0x6a, 0x14, 0x84, 0x3e, 0x82, 0xe9, 0x01, 0x1f,
+	0xd2, 0x52, 0x86, 0x6d, 0x9f, 0x57, 0x27, 0x8d, 0xfe, 0xcc, 0xa8, 0xb1, 0xe4, 0x51, 0xbf, 0x9f,
+	0x86, 0x85, 0x08, 0x4a, 0xfe, 0xf9, 0xc8, 0xf2, 0xc9, 0x90, 0x38, 0x61, 0x80, 0xbe, 0x06, 0x79,
+	0xdb, 0x1a, 0x5a, 0x61, 0x20, 0x74, 0xfe, 0xf2, 0x24, 0xb1, 0xd1, 0xa4, 0xb0, 0x20, 0x46, 0x55,
+	0x28, 0xfb, 0x24, 0x20, 0xfe, 0x3e, 0xdf, 0xf1, 0x42, 0xa3, 0x97, 0x30, 0x8f, 0xb1, 0xa0, 0x0f,
+	0x00, 0x82, 0x03, 0xdd, 0x13, 0x53, 0xce, 0x30, 0x01, 0x2f, 0xad, 0x71, 0xbb, 0xb0, 0x26, 0xed,
+	0xc2, 0x5a, 0xcb, 0x09, 0xdf, 0x7b, 0xf7, 0x21, 0xdd, 0x3f, 0xb8, 0x48, 0xc9, 0xb9, 0x36, 0x36,
+	0xe0, 0x8a, 0x50, 0x18, 0x85, 0x79, 0x96, 0x43, 0x02, 0x7a, 0xac, 0x2e, 0x15, 0xa1, 0x70, 0xae,
+	0x5e, 0xc4, 0xa4, 0xae, 0x43, 0xa1, 0x6b, 0xeb, 0xe1, 0xae, 0xeb, 0x0f, 0x91, 0x0a, 0x65, 0xdd,
+	0x37, 0xf6, 0xac, 0x90, 0x18, 0xe1, 0xc8, 0x97, 0x36, 0x60, 0x0c, 0x86, 0x16, 0x21, 0xed, 0xf2,
+	0xe9, 0x16, 0x6b, 0xf9, 0xd3, 0x93, 0x95, 0x74, 0xa7, 0x87, 0xd3, 0x6e, 0xa0, 0x7e, 0x08, 0x57,
+	0xba, 0xf6, 0x68, 0x60, 0x39, 0x0d, 0x12, 0x18, 0xbe, 0xe5, 0xd1, 0x39, 0xd2, 0xb3, 0x41, 0x2d,
+	0xa9, 0x3c, 0x1b, 0xf4, 0x3b, 0x32, 0x30, 0xe9, 0xd8, 0xc0, 0xa8, 0xdf, 0x4d, 0xc3, 0x95, 0xa6,
+	0x33, 0xb0, 0x1c, 0x92, 0xe4, 0xbe, 0x0e, 0xb3, 0x84, 0x01, 0xb5, 0x7d, 0x6e, 0xf4, 0x84, 0x9c,
+	0x19, 0x0e, 0x95, 0x96, 0xb0, 0x75, 0xc6, 0x3a, 0xbd, 0x3d, 0x69, 0x11, 0x9e, 0x92, 0x3e, 0xd1,
+	0x46, 0x35, 0x61, 0xda, 0x63, 0x93, 0x08, 0xc4, 0x26, 0xbb, 0x3e, 0x49, 0xd6, 0x53, 0xf3, 0x94,
+	0xa6, 0x4a, 0xf0, 0x7e, 0x19, 0x53, 0xf5, 0x1f, 0x33, 0x30, 0xd7, 0x76, 0xcd, 0x31, 0x3d, 0x54,
+	0xa0, 0xb0, 0xe7, 0x06, 0x61, 0xc2, 0x2c, 0x47, 0x6d, 0x74, 0x17, 0x0a, 0x9e, 0x58, 0x3e, 0xb1,
+	0x07, 0xaf, 0x4d, 0x1e, 0x32, 0xa7, 0xc1, 0x11, 0x35, 0xfa, 0x10, 0x8a, 0xf2, 0xe0, 0xca, 0xdd,
+	0x77, 0xc9, 0xf6, 0x8d, 0xe9, 0xd1, 0x47, 0x90, 0xe7, 0x8b, 0x20, 0x36, 0xdd, 0xf5, 0x67, 0xd2,
+	0x39, 0x16, 0x4c, 0xe8, 0x3e, 0x14, 0x42, 0x3b, 0xd0, 0x2c, 0x67, 0xd7, 0x5d, 0xca, 0x31, 0x01,
+	0x2b, 0x13, 0x4d, 0x9d, 0x6b, 0x92, 0xfe, 0x66, 0xaf, 0xe5, 0xec, 0xba, 0xb5, 0xd2, 0xe9, 0xc9,
+	0xca, 0xb4, 0x68, 0xe0, 0xe9, 0xd0, 0x0e, 0xe8, 0x07, 0xba, 0x06, 0xd9, 0x5d, 0xcb, 0x0b, 0x96,
+	0xf2, 0xab, 0xa9, 0x1b, 0x85, 0x5a, 0xe1, 0xf4, 0x64, 0x25, 0xbb, 0xde, 0xea, 0xf6, 0x30, 0x83,
+	0xd2, 0x6e, 0x8c, 0xc0, 0xe2, 0xdd, 0x4c, 0xb3, 0xf5, 0x3c, 0xb7, 0x9b, 0x7a, 0xaf, 0x15, 0x77,
+	0x23, 0x1a, 0x78, 0xda, 0x08, 0x2c, 0xfa, 0xa1, 0xfe, 0x87, 0x14, 0x94, 0x12, 0x83, 0x41, 0x2f,
+	0x03, 0x84, 0xfe, 0x28, 0x08, 0x35, 0xdf, 0x75, 0x43, 0xb6, 0x26, 0x65, 0x5c, 0x64, 0x10, 0xec,
+	0xba, 0x21, 0x5a, 0x83, 0x79, 0x83, 0xf8, 0xa1, 0x66, 0x05, 0xc1, 0x88, 0xf8, 0x5a, 0x30, 0xda,
+	0xf9, 0x8c, 0x18, 0x21, 0x5b, 0x9f, 0x32, 0xbe, 0x42, 0x51, 0x2d, 0x86, 0xe9, 0x71, 0x04, 0x7a,
+	0x07, 0x16, 0x93, 0xf4, 0xde, 0x68, 0xc7, 0xb6, 0x0c, 0x8d, 0xee, 0x99, 0x0c, 0x63, 0x99, 0x8f,
+	0x59, 0xba, 0x0c, 0xf7, 0x80, 0x1c, 0xaa, 0x3f, 0x17, 0x63, 0x12, 0x83, 0x45, 0x2b, 0x50, 0xe2,
+	0xfb, 0x4f, 0x4b, 0x6c, 0x14, 0xe0, 0x20, 0x7a, 0x67, 0xa0, 0x57, 0x61, 0xda, 0x71, 0x4d, 0xa2,
+	0x59, 0xa6, 0x38, 0xbe, 0x70, 0x7a, 0xb2, 0x92, 0xa7, 0x22, 0x5a, 0x0d, 0x9c, 0xa7, 0xa8, 0x96,
+	0x89, 0x6e, 0xc1, 0xc2, 0x50, 0x7f, 0xa2, 0xed, 0xbb, 0xf6, 0x68, 0x48, 0x02, 0xcd, 0x23, 0xbe,
+	0x46, 0x31, 0x6c, 0x20, 0x19, 0x7c, 0x65, 0xa8, 0x3f, 0x79, 0xc8, 0x51, 0x5d, 0xe2, 0x53, 0x56,
+	0xb4, 0x05, 0xf3, 0xba, 0x61, 0x90, 0x20, 0xb0, 0x76, 0x6c, 0xa2, 0x85, 0xae, 0xe7, 0xda, 0xee,
+	0xe0, 0x50, 0x6c, 0x8b, 0x89, 0x7b, 0xb1, 0x2f, 0x68, 0x30, 0x8a, 0x19, 0x25, 0x4c, 0xfd, 0x45,
+	0x0a, 0x14, 0xac, 0xef, 0x86, 0x5b, 0x64, 0xb8, 0x43, 0xfc, 0x5e, 0xa8, 0x87, 0xa3, 0x00, 0x2d,
+	0x42, 0xde, 0x26, 0xba, 0x49, 0x7c, 0x36, 0xab, 0x02, 0x16, 0x2d, 0xb4, 0x4d, 0x8d, 0xb0, 0x6e,
+	0xec, 0xe9, 0x3b, 0x96, 0x6d, 0x85, 0x87, 0x6c, 0x5a, 0xb3, 0x93, 0xcf, 0xff, 0x59, 0x99, 0x6b,
+	0x38, 0xc1, 0x88, 0xc7, 0xc4, 0xa0, 0x25, 0x98, 0x1e, 0x92, 0x20, 0xd0, 0x07, 0x7c, 0xda, 0x45,
+	0x2c, 0x9b, 0xea, 0x87, 0x50, 0x4e, 0xf2, 0xa1, 0x12, 0x4c, 0x6f, 0xb7, 0x1f, 0xb4, 0x3b, 0x8f,
+	0xda, 0xca, 0x14, 0x9a, 0x83, 0xd2, 0x76, 0x1b, 0x37, 0xab, 0xf5, 0x8d, 0x6a, 0x6d, 0xb3, 0xa9,
+	0xa4, 0xd0, 0x0c, 0x14, 0xe3, 0x66, 0x5a, 0xfd, 0x3f, 0x29, 0x00, 0xaa, 0x32, 0x31, 0xa9, 0x0f,
+	0x20, 0x17, 0x84, 0x7a, 0xc8, 0x57, 0x6a, 0xf6, 0xce, 0x6b, 0xe7, 0xed, 0x4c, 0x31, 0x5e, 0xfa,
+	0x8f, 0x60, 0xce, 0x92, 0x1c, 0x61, 0x7a, 0x6c, 0x84, 0xd4, 0xba, 0xea, 0xa6, 0xe9, 0x8b, 0x81,
+	0xb3, 0x6f, 0xf5, 0x43, 0xc8, 0x31, 0xee, 0xf1, 0xe1, 0x16, 0x20, 0xdb, 0xa0, 0x5f, 0x29, 0x54,
+	0x84, 0x1c, 0x6e, 0x56, 0x1b, 0x9f, 0x2a, 0x69, 0xa4, 0x40, 0xb9, 0xd1, 0xea, 0xd5, 0x3b, 0xed,
+	0x76, 0xb3, 0xde, 0x6f, 0x36, 0x94, 0x8c, 0x7a, 0x1d, 0x72, 0xad, 0x21, 0x95, 0x7c, 0x8d, 0xda,
+	0x8b, 0x5d, 0xe2, 0x13, 0xc7, 0x90, 0xbb, 0x2b, 0x06, 0xa8, 0xdf, 0x9b, 0x83, 0xdc, 0x96, 0x3b,
+	0x72, 0x42, 0x74, 0x27, 0x61, 0xf3, 0x67, 0x27, 0x3b, 0x79, 0x8c, 0x70, 0xad, 0x7f, 0xe8, 0x11,
+	0x71, 0x27, 0x2c, 0x42, 0x9e, 0x5b, 0x16, 0x31, 0x1d, 0xd1, 0xa2, 0xf0, 0x50, 0xf7, 0x07, 0x24,
+	0x14, 0xf3, 0x11, 0x2d, 0x74, 0x83, 0x3a, 0x1d, 0xba, 0xe9, 0x3a, 0x36, 0xdf, 0x69, 0x05, 0xee,
+	0x59, 0x60, 0xa2, 0x9b, 0x1d, 0xc7, 0x3e, 0xc4, 0x11, 0x16, 0xdd, 0x87, 0x92, 0xe1, 0x3a, 0x81,
+	0x15, 0x84, 0xc4, 0x31, 0x0e, 0x97, 0x0a, 0x6c, 0x50, 0xd7, 0xcf, 0x1f, 0x54, 0x3d, 0x26, 0xc6,
+	0x49, 0x4e, 0xb4, 0x01, 0xe5, 0x1d, 0xcb, 0x31, 0x35, 0xd7, 0xe3, 0x17, 0x7e, 0xee, 0x7c, 0xbb,
+	0xc7, 0x25, 0xd5, 0x2c, 0xc7, 0xec, 0x70, 0x62, 0x5c, 0xda, 0x89, 0x1b, 0xa8, 0x0d, 0xb3, 0xfc,
+	0x78, 0x45, 0xb2, 0xf2, 0x4c, 0xd6, 0xeb, 0xe7, 0xcb, 0xe2, 0x67, 0x4e, 0x4a, 0x9b, 0xd9, 0x4f,
+	0x36, 0xd1, 0x03, 0x98, 0x09, 0x87, 0xde, 0x6e, 0x10, 0x89, 0x9b, 0x66, 0xe2, 0xbe, 0x72, 0x81,
+	0xe6, 0x29, 0xb9, 0x94, 0x56, 0x0e, 0x13, 0xad, 0xca, 0x7f, 0xcd, 0x41, 0x29, 0x31, 0x72, 0xd4,
+	0x83, 0x92, 0xe7, 0xbb, 0x9e, 0x3e, 0x60, 0x4e, 0x8b, 0x58, 0xd4, 0xb7, 0x9f, 0x69, 0xd6, 0x6b,
+	0xdd, 0x98, 0x11, 0x27, 0xa5, 0xa0, 0x77, 0xa1, 0xec, 0xb8, 0x8e, 0x4f, 0x8c, 0x91, 0x1f, 0x58,
+	0xfb, 0x7c, 0xd1, 0x0b, 0x35, 0xe5, 0xf4, 0x64, 0xa5, 0xdc, 0x76, 0x1d, 0x2c, 0xe1, 0x78, 0x8c,
+	0x0a, 0xdd, 0x03, 0xc5, 0xf0, 0x89, 0x1e, 0x92, 0x21, 0xed, 0xc9, 0x73, 0x2d, 0x87, 0x6f, 0x8b,
+	0x42, 0x6d, 0xe1, 0xf4, 0x64, 0x45, 0xa9, 0x33, 0xdc, 0x56, 0x84, 0xc3, 0x4f, 0x51, 0xa3, 0x4d,
+	0x58, 0x90, 0x1b, 0x63, 0xac, 0x7f, 0xbe, 0x85, 0x96, 0x4e, 0x4f, 0x56, 0x16, 0xe4, 0x16, 0x1a,
+	0x1b, 0xc7, 0x44, 0x2e, 0x84, 0x61, 0x51, 0xc2, 0x77, 0x5d, 0xdf, 0x20, 0xb1, 0xbc, 0x1c, 0x93,
+	0x57, 0x39, 0x3d, 0x59, 0x59, 0x94, 0xf2, 0xd6, 0x5d, 0xe6, 0x78, 0x4a, 0x89, 0xe7, 0x70, 0xaa,
+	0xc7, 0x69, 0x28, 0x25, 0xd4, 0x86, 0x6e, 0x42, 0x01, 0x77, 0x71, 0xeb, 0x61, 0xb5, 0xdf, 0x54,
+	0xa6, 0x2a, 0xd7, 0x8e, 0x8e, 0x57, 0x97, 0xd8, 0x0c, 0x93, 0xaa, 0xed, 0xfa, 0xd6, 0x3e, 0x3d,
+	0xdd, 0x37, 0x60, 0x5a, 0x92, 0xa6, 0x2a, 0x2f, 0x1d, 0x1d, 0xaf, 0xbe, 0x78, 0x96, 0x34, 0x41,
+	0x89, 0x7b, 0x1b, 0x55, 0xdc, 0x6c, 0x28, 0xe9, 0xc9, 0x94, 0xb8, 0xb7, 0xa7, 0xfb, 0xc4, 0x44,
+	0x5f, 0x81, 0xbc, 0x20, 0xcc, 0x54, 0x2a, 0x47, 0xc7, 0xab, 0x8b, 0x67, 0x09, 0x63, 0x3a, 0xdc,
+	0xdb, 0xac, 0x3e, 0x6c, 0x2a, 0xd9, 0xc9, 0x74, 0xb8, 0x67, 0xeb, 0xfb, 0x04, 0xbd, 0x06, 0x39,
+	0x4e, 0x96, 0xab, 0x5c, 0x3d, 0x3a, 0x5e, 0x7d, 0xe1, 0x29, 0x71, 0x94, 0xaa, 0xb2, 0xf4, 0x6f,
+	0x7f, 0xb8, 0x3c, 0xf5, 0xff, 0x7f, 0xb4, 0xac, 0x9c, 0x45, 0x57, 0x7e, 0x98, 0x86, 0x99, 0xb1,
+	0xc3, 0x80, 0x54, 0xc8, 0x3b, 0xae, 0xe1, 0x7a, 0xdc, 0xbf, 0x2a, 0xc8, 0x4b, 0xad, 0xee, 0x7a,
+	0x87, 0x58, 0x60, 0xd0, 0x83, 0x33, 0x1e, 0xe2, 0x3b, 0xcf, 0x78, 0xd2, 0x26, 0xfa, 0x88, 0x1f,
+	0xc3, 0x8c, 0xe9, 0x5b, 0xfb, 0xc4, 0xd7, 0x0c, 0xd7, 0xd9, 0xb5, 0x06, 0xc2, 0x77, 0xaa, 0x4c,
+	0x0c, 0xa6, 0x18, 0x21, 0x2e, 0x73, 0x86, 0x3a, 0xa3, 0x47, 0xd7, 0x61, 0x3a, 0x18, 0xed, 0x78,
+	0x7a, 0xb8, 0xc7, 0x36, 0x5e, 0x91, 0xfb, 0x1c, 0x3d, 0x0e, 0xc2, 0x12, 0xf7, 0x25, 0x9c, 0xc8,
+	0x8a, 0x07, 0xe5, 0xe4, 0x11, 0xa7, 0xee, 0x4a, 0x60, 0xfd, 0x0b, 0x22, 0x22, 0x0d, 0x16, 0x8a,
+	0xe1, 0x22, 0x85, 0xf0, 0x60, 0xe2, 0x75, 0xc8, 0x0e, 0xe9, 0x1d, 0x4f, 0xe5, 0xcc, 0xd4, 0xe6,
+	0xa9, 0x2f, 0xfb, 0xcb, 0x93, 0x95, 0x92, 0x1b, 0xac, 0xad, 0x5b, 0x36, 0xd9, 0x72, 0x4d, 0x82,
+	0x19, 0x01, 0xbd, 0x76, 0xa4, 0x8d, 0x11, 0x17, 0xa3, 0x68, 0xaa, 0xbf, 0x93, 0x82, 0x2c, 0xb5,
+	0xe7, 0xe8, 0x25, 0xc8, 0xd6, 0x5a, 0xed, 0x86, 0x32, 0x55, 0xb9, 0x72, 0x74, 0xbc, 0x3a, 0xc3,
+	0x94, 0x4a, 0x11, 0xd4, 0x2e, 0xa0, 0x15, 0xc8, 0x3f, 0xec, 0x6c, 0x6e, 0x6f, 0xd1, 0x0d, 0x3a,
+	0x7f, 0x74, 0xbc, 0x3a, 0x17, 0xa1, 0xb9, 0xda, 0xd1, 0xcb, 0x90, 0xeb, 0x6f, 0x75, 0xd7, 0x7b,
+	0x4a, 0xba, 0x82, 0x8e, 0x8e, 0x57, 0x67, 0x23, 0x3c, 0x9b, 0x0e, 0x7a, 0x05, 0x72, 0xed, 0x6e,
+	0xab, 0xdb, 0x54, 0x32, 0x95, 0xc5, 0xa3, 0xe3, 0x55, 0x14, 0xa1, 0x59, 0x4c, 0xdc, 0xb5, 0x3c,
+	0x82, 0x5e, 0x81, 0xe9, 0xfa, 0xe6, 0x76, 0xaf, 0xdf, 0xc4, 0x4a, 0xb6, 0xb2, 0x70, 0x74, 0xbc,
+	0xaa, 0x44, 0x44, 0x75, 0x7b, 0x14, 0x84, 0xc4, 0xaf, 0x5c, 0x11, 0xbb, 0xab, 0x18, 0x61, 0xd4,
+	0x9f, 0xa5, 0xa0, 0x94, 0xb0, 0xfc, 0xf4, 0x80, 0x34, 0x9a, 0xeb, 0xd5, 0xed, 0xcd, 0xbe, 0x32,
+	0x95, 0x38, 0x20, 0x09, 0x92, 0x06, 0xd9, 0xd5, 0x47, 0x36, 0xbd, 0x89, 0xa0, 0xde, 0x69, 0xf7,
+	0x5a, 0xbd, 0x7e, 0xb3, 0xdd, 0x57, 0x52, 0x95, 0xa5, 0xa3, 0xe3, 0xd5, 0x85, 0xb3, 0xc4, 0xeb,
+	0x23, 0xdb, 0xa6, 0x47, 0xa4, 0x5e, 0xad, 0x6f, 0xb0, 0x33, 0x17, 0x1f, 0x91, 0x04, 0x55, 0x5d,
+	0x37, 0xf6, 0x88, 0x89, 0xde, 0x82, 0x62, 0xa3, 0xb9, 0xd9, 0xbc, 0x5f, 0x65, 0xf7, 0x6f, 0xe5,
+	0xe5, 0xa3, 0xe3, 0xd5, 0xab, 0x4f, 0xf7, 0x6e, 0x93, 0x81, 0x1e, 0x12, 0xf3, 0xcc, 0x51, 0x49,
+	0x90, 0xa8, 0x7f, 0x9b, 0x86, 0x19, 0x4c, 0x82, 0x50, 0xf7, 0xc3, 0xae, 0x6b, 0x5b, 0xc6, 0x21,
+	0xea, 0x42, 0xd1, 0x70, 0x1d, 0xd3, 0x4a, 0x58, 0xf2, 0x3b, 0xe7, 0x78, 0xfc, 0x31, 0x97, 0x6c,
+	0xd5, 0x25, 0x27, 0x8e, 0x85, 0xa0, 0x5b, 0x90, 0x33, 0x89, 0xad, 0x1f, 0x8a, 0xd0, 0xe3, 0xea,
+	0x53, 0xa1, 0x67, 0x43, 0x64, 0xbd, 0x30, 0xa7, 0x63, 0x81, 0xbe, 0xfe, 0x44, 0xd3, 0xc3, 0x90,
+	0x0c, 0xbd, 0x90, 0x6f, 0xa3, 0x2c, 0x2e, 0x0d, 0xf5, 0x27, 0x55, 0x01, 0x42, 0x6f, 0x43, 0xfe,
+	0xc0, 0x72, 0x4c, 0xf7, 0x40, 0xf8, 0x90, 0x17, 0x08, 0x15, 0x84, 0xea, 0x11, 0x75, 0x1a, 0xcf,
+	0x0c, 0x93, 0xee, 0xc4, 0x76, 0xa7, 0xdd, 0x94, 0x3b, 0x51, 0xe0, 0x3b, 0x4e, 0xdb, 0x75, 0xa8,
+	0x1d, 0x82, 0x4e, 0x5b, 0x5b, 0xaf, 0xb6, 0x36, 0xb7, 0x31, 0xdd, 0x8d, 0x6c, 0xa7, 0x44, 0x24,
+	0xeb, 0xba, 0x65, 0xd3, 0x58, 0xf7, 0x2a, 0x64, 0xaa, 0xed, 0x4f, 0x95, 0x74, 0x45, 0x39, 0x3a,
+	0x5e, 0x2d, 0x47, 0xe8, 0xaa, 0x73, 0x18, 0xeb, 0xfd, 0x6c, 0xbf, 0xea, 0x1f, 0x66, 0xa0, 0xbc,
+	0xed, 0x99, 0x7a, 0x48, 0xc4, 0x79, 0x5f, 0x85, 0x92, 0xa7, 0xfb, 0xba, 0x6d, 0x13, 0xdb, 0x0a,
+	0x86, 0x22, 0x5f, 0x97, 0x04, 0xa1, 0xf7, 0x9f, 0x55, 0x8d, 0xb5, 0x02, 0x3d, 0x9c, 0x3f, 0xf8,
+	0x8b, 0x95, 0x94, 0x54, 0xe8, 0x36, 0xcc, 0xee, 0xf2, 0xd1, 0x6a, 0xba, 0xc1, 0x16, 0x36, 0xc3,
+	0x16, 0x76, 0x6d, 0xd2, 0xc2, 0x26, 0x87, 0xb5, 0x26, 0x26, 0x59, 0x65, 0x5c, 0x78, 0x66, 0x37,
+	0xd9, 0x44, 0xef, 0xc0, 0xf4, 0xd0, 0x75, 0xac, 0xd0, 0xf5, 0x2f, 0x5f, 0x05, 0x49, 0x89, 0x6e,
+	0x02, 0x8d, 0x0f, 0x34, 0x39, 0x1e, 0x86, 0x66, 0x77, 0x61, 0x1a, 0xcf, 0x0d, 0xf5, 0x27, 0xa2,
+	0x43, 0x4c, 0xc1, 0xa8, 0x06, 0x39, 0xd7, 0xa7, 0x1e, 0x7d, 0x9e, 0x0d, 0xf7, 0xad, 0x4b, 0x87,
+	0xcb, 0x1b, 0x1d, 0xca, 0x83, 0x39, 0xab, 0xfa, 0x1e, 0xcc, 0x8c, 0x4d, 0x82, 0x3a, 0xb2, 0xdd,
+	0xea, 0x76, 0xaf, 0xa9, 0x4c, 0xa1, 0x32, 0x14, 0xea, 0x9d, 0x76, 0xbf, 0xd5, 0xde, 0xa6, 0x9e,
+	0x78, 0x19, 0x0a, 0xb8, 0xb3, 0xb9, 0x59, 0xab, 0xd6, 0x1f, 0x28, 0x69, 0x75, 0x0d, 0x4a, 0x09,
+	0x69, 0x68, 0x16, 0xa0, 0xd7, 0xef, 0x74, 0xb5, 0xf5, 0x16, 0xee, 0xf5, 0xb9, 0x1f, 0xdf, 0xeb,
+	0x57, 0x71, 0x5f, 0x00, 0x52, 0xea, 0x5f, 0xa7, 0xe5, 0x8a, 0x0a, 0xd7, 0xbd, 0x36, 0xee, 0xba,
+	0x5f, 0x30, 0x78, 0xe1, 0xbc, 0xc7, 0x8d, 0xc8, 0x85, 0x7f, 0x1f, 0x80, 0x6d, 0x1c, 0x62, 0x6a,
+	0x7a, 0x28, 0x16, 0xbe, 0xf2, 0x94, 0x92, 0xfb, 0x32, 0xad, 0x8c, 0x8b, 0x82, 0xba, 0x1a, 0xa2,
+	0x8f, 0xa0, 0x6c, 0xb8, 0x43, 0xcf, 0x26, 0x82, 0x39, 0x73, 0x29, 0x73, 0x29, 0xa2, 0xaf, 0x86,
+	0xc9, 0xe0, 0x21, 0x3b, 0x1e, 0xde, 0xfc, 0x9b, 0x94, 0xd4, 0xcc, 0x84, 0x78, 0xa1, 0x0c, 0x85,
+	0xed, 0x6e, 0xa3, 0xda, 0x6f, 0xb5, 0xef, 0x2b, 0x29, 0x04, 0x90, 0x67, 0xaa, 0x6e, 0x28, 0x69,
+	0x1a, 0xe7, 0xd4, 0x3b, 0x5b, 0xdd, 0xcd, 0x26, 0xb3, 0x58, 0x68, 0x01, 0x14, 0xa9, 0x6c, 0x8d,
+	0x29, 0xb2, 0xd9, 0x50, 0xb2, 0x68, 0x1e, 0xe6, 0x22, 0xa8, 0xe0, 0xcc, 0xa1, 0x45, 0x40, 0x11,
+	0x30, 0x16, 0x91, 0x57, 0xff, 0x15, 0xcc, 0xd5, 0x5d, 0x27, 0xd4, 0x2d, 0x27, 0x8a, 0x01, 0xef,
+	0xd0, 0x49, 0x0b, 0x10, 0x0d, 0x61, 0xd9, 0x45, 0x58, 0x9b, 0x3b, 0x3d, 0x59, 0x29, 0x45, 0xa4,
+	0xad, 0x06, 0xf3, 0xd9, 0x45, 0xc3, 0xa4, 0xe7, 0xd7, 0x13, 0xd1, 0x6e, 0xae, 0x36, 0x7d, 0x7a,
+	0xb2, 0x92, 0xe9, 0xb6, 0x1a, 0x98, 0xc2, 0xd0, 0x4b, 0x50, 0x24, 0x4f, 0xac, 0x50, 0x33, 0x64,
+	0x70, 0x9b, 0xc3, 0x05, 0x0a, 0xa8, 0xbb, 0x26, 0x51, 0x6b, 0x00, 0x5d, 0xd7, 0x0f, 0x45, 0xcf,
+	0xef, 0x42, 0xce, 0x73, 0x7d, 0x96, 0x20, 0x3c, 0x37, 0x6d, 0x4d, 0xc9, 0xf9, 0x46, 0xc5, 0x9c,
+	0x58, 0xfd, 0xcf, 0x19, 0x80, 0xbe, 0x1e, 0x3c, 0x16, 0x42, 0xee, 0x42, 0x31, 0x7a, 0x22, 0x10,
+	0x99, 0xc6, 0x0b, 0x57, 0x3b, 0x22, 0x46, 0xef, 0xc8, 0xcd, 0xc6, 0xa3, 0xdb, 0x89, 0x39, 0x1a,
+	0xd9, 0xd1, 0xa4, 0x00, 0x71, 0x3c, 0x84, 0xa5, 0x7e, 0x04, 0xf1, 0x7d, 0xb1, 0xf2, 0xf4, 0x13,
+	0xd5, 0xd9, 0xb5, 0xc0, 0x95, 0x26, 0xc2, 0x9a, 0x89, 0xb9, 0xd5, 0x33, 0x2b, 0xb2, 0x31, 0x85,
+	0x63, 0x3e, 0xf4, 0x31, 0x94, 0xe8, 0xbc, 0xb5, 0x80, 0xe1, 0x44, 0x44, 0x73, 0xae, 0xaa, 0xb8,
+	0x04, 0x0c, 0x5e, 0xac, 0xe5, 0x97, 0x01, 0x74, 0xcf, 0xb3, 0x2d, 0x62, 0x6a, 0x3b, 0x87, 0x2c,
+	0x84, 0x29, 0xe2, 0xa2, 0x80, 0xd4, 0x0e, 0xe9, 0x71, 0x91, 0x68, 0x3d, 0x64, 0x61, 0xdc, 0x25,
+	0x0a, 0x14, 0xd4, 0xd5, 0xb0, 0xa6, 0xc0, 0xac, 0x3f, 0x72, 0xa8, 0x42, 0xc5, 0xe8, 0xd4, 0xff,
+	0x9d, 0x86, 0x17, 0xdb, 0x24, 0x3c, 0x70, 0xfd, 0xc7, 0xd5, 0x30, 0xd4, 0x8d, 0xbd, 0x21, 0x71,
+	0xc4, 0xf2, 0x25, 0x42, 0xce, 0xd4, 0x58, 0xc8, 0xb9, 0x04, 0xd3, 0xba, 0x6d, 0xe9, 0x01, 0xe1,
+	0x4e, 0x64, 0x11, 0xcb, 0x26, 0x0d, 0x8c, 0x69, 0x98, 0x4d, 0x82, 0x80, 0xf0, 0xb4, 0x21, 0x1d,
+	0xb8, 0x04, 0xa0, 0xef, 0xc0, 0xa2, 0x70, 0x17, 0xf5, 0xa8, 0x2b, 0x1a, 0xa9, 0xc9, 0x57, 0x90,
+	0xe6, 0xc4, 0xb8, 0x7f, 0xf2, 0xe0, 0x84, 0x3f, 0x19, 0x83, 0x3b, 0x5e, 0x28, 0xbc, 0xd3, 0x05,
+	0x73, 0x02, 0xaa, 0x72, 0x1f, 0xae, 0x9e, 0xcb, 0xf2, 0x5c, 0x69, 0xc9, 0x9f, 0xa7, 0x01, 0x5a,
+	0xdd, 0xea, 0x96, 0x50, 0x52, 0x03, 0xf2, 0xbb, 0xfa, 0xd0, 0xb2, 0x0f, 0x2f, 0xb2, 0x80, 0x31,
+	0xfd, 0x5a, 0x95, 0xab, 0x63, 0x9d, 0xf1, 0x60, 0xc1, 0xcb, 0xa2, 0xfe, 0xd1, 0x8e, 0x43, 0xc2,
+	0x28, 0xea, 0x67, 0x2d, 0x3a, 0x0c, 0x5f, 0x77, 0xa2, 0xad, 0xcb, 0x1b, 0x74, 0x01, 0xa8, 0xcb,
+	0x73, 0xa0, 0x1f, 0x4a, 0xb3, 0x25, 0x9a, 0x68, 0x83, 0x3d, 0x41, 0x10, 0x7f, 0x9f, 0x98, 0x4b,
+	0x39, 0xa6, 0xd4, 0xcb, 0xc6, 0x83, 0x05, 0x39, 0xd7, 0x5d, 0xc4, 0x5d, 0xf9, 0x90, 0xb9, 0x4c,
+	0x31, 0xea, 0xb9, 0x74, 0x74, 0x1b, 0x66, 0xc6, 0xe6, 0xf9, 0x54, 0xba, 0xa5, 0xd5, 0x7d, 0xf8,
+	0xae, 0x92, 0x15, 0x5f, 0xef, 0x29, 0x79, 0xf5, 0xf7, 0x33, 0xdc, 0xd0, 0x08, 0xad, 0x4e, 0x7e,
+	0x7a, 0x2b, 0xb0, 0xdd, 0x6d, 0xb8, 0xb6, 0x30, 0x00, 0xaf, 0x5f, 0x6c, 0x7f, 0x68, 0xd4, 0xcd,
+	0xc8, 0x71, 0xc4, 0x88, 0x56, 0xa0, 0xc4, 0x77, 0xb1, 0x46, 0x0f, 0x1c, 0x53, 0xeb, 0x0c, 0x06,
+	0x0e, 0xa2, 0x9c, 0xe8, 0x3a, 0xcc, 0xb2, 0xa4, 0x63, 0xb0, 0x47, 0x4c, 0x4e, 0x93, 0x65, 0x34,
+	0x33, 0x11, 0x94, 0x91, 0x6d, 0x41, 0x59, 0x00, 0x34, 0x16, 0x30, 0xe4, 0xd8, 0x80, 0x6e, 0x5e,
+	0x36, 0x20, 0xce, 0xc2, 0xe2, 0x88, 0x92, 0x17, 0x37, 0xd4, 0x7f, 0x06, 0x05, 0x39, 0x58, 0xb4,
+	0x04, 0x99, 0x7e, 0xbd, 0xab, 0x4c, 0x55, 0xe6, 0x8e, 0x8e, 0x57, 0x4b, 0x12, 0xdc, 0xaf, 0x77,
+	0x29, 0x66, 0xbb, 0xd1, 0x55, 0x52, 0xe3, 0x98, 0xed, 0x46, 0x17, 0x55, 0x20, 0xdb, 0xab, 0xf7,
+	0xbb, 0xd2, 0x3f, 0x93, 0x28, 0x0a, 0xab, 0x64, 0xa9, 0x7f, 0xa6, 0xee, 0x42, 0x29, 0xd1, 0x3b,
+	0x7a, 0x15, 0xa6, 0x5b, 0xed, 0xfb, 0xb8, 0xd9, 0xeb, 0x29, 0x53, 0x3c, 0x82, 0x48, 0x60, 0x5b,
+	0xce, 0x80, 0xae, 0x1d, 0x7a, 0x19, 0xb2, 0x1b, 0x1d, 0x7a, 0xef, 0xf3, 0x10, 0x25, 0x41, 0xb1,
+	0xe1, 0x06, 0x61, 0x65, 0x5e, 0x38, 0x7e, 0x49, 0xc1, 0xea, 0x7f, 0x49, 0x41, 0x9e, 0x1f, 0xb4,
+	0x89, 0x8b, 0x58, 0x8d, 0xe3, 0x26, 0x1e, 0x80, 0xbe, 0x7e, 0x7e, 0xb0, 0xb8, 0x26, 0x82, 0x36,
+	0xbe, 0x35, 0x25, 0x5f, 0xe5, 0x03, 0x28, 0x27, 0x11, 0xcf, 0xb5, 0x31, 0xbf, 0x03, 0x25, 0xba,
+	0xf7, 0x65, 0x34, 0x78, 0x07, 0xf2, 0xdc, 0x58, 0x44, 0xf7, 0xd0, 0xf9, 0x91, 0xab, 0xa0, 0x44,
+	0x77, 0x61, 0x9a, 0x47, 0xbb, 0xf2, 0x61, 0x64, 0xf9, 0xe2, 0x13, 0x86, 0x25, 0xb9, 0xfa, 0x31,
+	0x64, 0xbb, 0x84, 0xf8, 0xc9, 0xec, 0x73, 0xea, 0xdc, 0xec, 0xb3, 0xcc, 0x5e, 0xa6, 0x13, 0xd9,
+	0xcb, 0x3e, 0x94, 0x1f, 0x11, 0x6b, 0xb0, 0x17, 0x12, 0x93, 0x09, 0x7a, 0x0b, 0xb2, 0x1e, 0x89,
+	0x06, 0xbf, 0x34, 0x71, 0xf3, 0x11, 0xe2, 0x63, 0x46, 0x45, 0x6d, 0xcc, 0x01, 0xe3, 0x16, 0x6f,
+	0x8a, 0xa2, 0xa5, 0xfe, 0x51, 0x1a, 0x66, 0x5b, 0x41, 0x30, 0xd2, 0x1d, 0x43, 0x7a, 0x75, 0xdf,
+	0x18, 0xf7, 0xea, 0x26, 0x3e, 0xbe, 0x8e, 0xb3, 0x8c, 0x27, 0x65, 0xc5, 0xcd, 0x9a, 0x8e, 0x6e,
+	0x56, 0xf5, 0xaf, 0x52, 0x32, 0xf3, 0x7a, 0x3d, 0x61, 0x0a, 0x78, 0x8c, 0x98, 0x94, 0x44, 0xb6,
+	0x9d, 0xc7, 0x8e, 0x7b, 0xe0, 0xd0, 0x00, 0x17, 0x37, 0xdb, 0xcd, 0x47, 0x4a, 0x8a, 0x6f, 0xcf,
+	0x31, 0x22, 0x4c, 0x1c, 0x72, 0x40, 0x25, 0x75, 0x9b, 0xed, 0x06, 0xf5, 0xc2, 0xd2, 0x13, 0x24,
+	0x75, 0x89, 0x63, 0x5a, 0xce, 0x00, 0xbd, 0x0a, 0xf9, 0x56, 0xaf, 0xb7, 0xcd, 0x42, 0xc8, 0x17,
+	0x8f, 0x8e, 0x57, 0xe7, 0xc7, 0xa8, 0xd8, 0x5b, 0x82, 0x49, 0x89, 0x68, 0x08, 0x44, 0xfd, 0xb3,
+	0x09, 0x44, 0xd4, 0xb7, 0xe6, 0x44, 0xb8, 0xd3, 0xaf, 0xf6, 0x9b, 0x4a, 0x6e, 0x02, 0x11, 0x76,
+	0xe9, 0x5f, 0x71, 0xdc, 0xfe, 0x2c, 0x0d, 0x4a, 0xd5, 0x30, 0x88, 0x17, 0x52, 0xbc, 0x88, 0x3a,
+	0xfb, 0x50, 0xf0, 0xe8, 0x97, 0x45, 0xa4, 0x07, 0x75, 0x77, 0x62, 0xf9, 0xc0, 0x19, 0xbe, 0x35,
+	0xec, 0xda, 0xa4, 0x6a, 0x0e, 0xad, 0x20, 0xb0, 0x5c, 0x87, 0xc3, 0x70, 0x24, 0xa9, 0xf2, 0x37,
+	0x29, 0x98, 0x9f, 0x40, 0x81, 0x6e, 0x43, 0xd6, 0x77, 0x6d, 0xb9, 0x86, 0xd7, 0xce, 0x4b, 0xaa,
+	0x53, 0x56, 0xcc, 0x28, 0xd1, 0x32, 0x80, 0x3e, 0x0a, 0x5d, 0x9d, 0xf5, 0xcf, 0x53, 0x91, 0x38,
+	0x01, 0x41, 0x8f, 0x20, 0x1f, 0x10, 0xc3, 0x27, 0xd2, 0xcf, 0xfe, 0xf8, 0x37, 0x1d, 0xfd, 0x5a,
+	0x8f, 0x89, 0xc1, 0x42, 0x5c, 0x65, 0x0d, 0xf2, 0x1c, 0x42, 0xb7, 0xbd, 0xa9, 0x87, 0xba, 0x78,
+	0x48, 0x62, 0xdf, 0x74, 0x37, 0xe9, 0xf6, 0x40, 0xee, 0x26, 0xdd, 0x1e, 0xa8, 0xbf, 0x97, 0x06,
+	0x68, 0x3e, 0x09, 0x89, 0xef, 0xe8, 0x76, 0xbd, 0x8a, 0x9a, 0x89, 0x9b, 0x81, 0xcf, 0xf6, 0x8d,
+	0x89, 0x8f, 0x70, 0x11, 0xc7, 0x5a, 0xbd, 0x3a, 0xe1, 0x6e, 0xb8, 0x0a, 0x99, 0x91, 0x2f, 0x2a,
+	0x42, 0xb8, 0x8f, 0xbc, 0x8d, 0x37, 0x31, 0x85, 0xa1, 0x66, 0x32, 0xdd, 0x73, 0x6e, 0xdd, 0x47,
+	0xa2, 0x83, 0x89, 0xa6, 0x8b, 0x9e, 0x7c, 0x43, 0xd7, 0x0c, 0x22, 0x6e, 0x95, 0x32, 0x3f, 0xf9,
+	0xf5, 0x6a, 0x9d, 0xf8, 0x21, 0xce, 0x1b, 0x3a, 0xfd, 0xff, 0xa5, 0xec, 0xdb, 0x5b, 0x00, 0xf1,
+	0xd4, 0xd0, 0x32, 0xe4, 0xea, 0xeb, 0xbd, 0xde, 0xa6, 0x32, 0xc5, 0x0d, 0x78, 0x8c, 0x62, 0x60,
+	0xf5, 0xff, 0xa5, 0xa1, 0x50, 0xaf, 0x8a, 0x2b, 0xb7, 0x0e, 0x0a, 0xb3, 0x4a, 0xec, 0xf9, 0x8d,
+	0x3c, 0xf1, 0x2c, 0xff, 0x50, 0x18, 0x96, 0x0b, 0x02, 0xde, 0x59, 0xca, 0x42, 0x47, 0xdd, 0x64,
+	0x0c, 0x08, 0x43, 0x99, 0x08, 0x25, 0x68, 0x86, 0x2e, 0x6d, 0xfc, 0xf2, 0xc5, 0xca, 0xe2, 0xa1,
+	0x4b, 0xdc, 0x0e, 0x70, 0x49, 0x0a, 0xa9, 0xeb, 0x01, 0x7a, 0x1f, 0xe6, 0x02, 0x6b, 0xe0, 0x58,
+	0xce, 0x40, 0x93, 0xca, 0x63, 0x6f, 0x81, 0xb5, 0x2b, 0xa7, 0x27, 0x2b, 0x33, 0x3d, 0x8e, 0x12,
+	0x3a, 0x9c, 0x11, 0x94, 0x75, 0xa6, 0x4a, 0xf4, 0x1e, 0xcc, 0x26, 0x58, 0xa9, 0x16, 0xb9, 0xda,
+	0x59, 0x7e, 0x3d, 0xe2, 0x7c, 0x40, 0x0e, 0x71, 0x39, 0x62, 0x7c, 0x40, 0x58, 0x6e, 0x86, 0x65,
+	0xa3, 0x35, 0x9f, 0x9d, 0x69, 0x76, 0xbb, 0x67, 0x71, 0x89, 0xc1, 0xf8, 0x31, 0x57, 0x1f, 0xc2,
+	0x7c, 0xc7, 0x37, 0xf6, 0x48, 0x10, 0x72, 0x55, 0x08, 0x2d, 0x7e, 0x0c, 0xd7, 0x42, 0x3d, 0x78,
+	0xac, 0xed, 0x59, 0x41, 0xe8, 0xfa, 0x87, 0x9a, 0x4f, 0x42, 0xe2, 0x50, 0xbc, 0xc6, 0xaa, 0x25,
+	0x44, 0xc6, 0xf1, 0x2a, 0xa5, 0xd9, 0xe0, 0x24, 0x58, 0x52, 0x6c, 0x52, 0x02, 0xb5, 0x05, 0x65,
+	0x1a, 0xc2, 0x88, 0xa4, 0x1a, 0x9d, 0x3d, 0xd8, 0xee, 0x40, 0x7b, 0xe6, 0x6b, 0xaa, 0x68, 0xbb,
+	0x03, 0xfe, 0xa9, 0x7e, 0x13, 0x94, 0x86, 0x15, 0x78, 0x7a, 0x68, 0xec, 0x45, 0x19, 0xd7, 0x06,
+	0x28, 0x7b, 0x44, 0xf7, 0xc3, 0x1d, 0xa2, 0x87, 0x9a, 0x47, 0x7c, 0xcb, 0x35, 0x2f, 0x5f, 0xe5,
+	0xb9, 0x88, 0xa5, 0xcb, 0x38, 0xd4, 0xbf, 0x4b, 0x01, 0x60, 0x7d, 0x57, 0x7a, 0x6b, 0x6f, 0xc2,
+	0x95, 0xc0, 0xd1, 0xbd, 0x60, 0xcf, 0x0d, 0x35, 0xcb, 0x09, 0x89, 0xbf, 0xaf, 0xdb, 0x22, 0xb9,
+	0xa3, 0x48, 0x44, 0x4b, 0xc0, 0xd1, 0x5b, 0x80, 0x1e, 0x13, 0xe2, 0x69, 0xae, 0x6d, 0x6a, 0x12,
+	0xc9, 0xab, 0x28, 0xb2, 0x58, 0xa1, 0x98, 0x8e, 0x6d, 0xf6, 0x24, 0x1c, 0xd5, 0x60, 0x99, 0x4e,
+	0x9f, 0x38, 0xa1, 0x6f, 0x91, 0x40, 0xdb, 0x75, 0x7d, 0x2d, 0xb0, 0xdd, 0x03, 0x6d, 0xd7, 0xb5,
+	0x6d, 0xf7, 0x80, 0xf8, 0x32, 0x6f, 0x56, 0xb1, 0xdd, 0x41, 0x93, 0x13, 0xad, 0xbb, 0x7e, 0xcf,
+	0x76, 0x0f, 0xd6, 0x25, 0x05, 0x75, 0xe9, 0xe2, 0x39, 0x87, 0x96, 0xf1, 0x58, 0xba, 0x74, 0x11,
+	0xb4, 0x6f, 0x19, 0x8f, 0xd1, 0xab, 0x30, 0x43, 0x6c, 0xc2, 0xd2, 0x27, 0x9c, 0x2a, 0xc7, 0xa8,
+	0xca, 0x12, 0x48, 0x89, 0xd4, 0x7b, 0xa0, 0x34, 0x1d, 0xc3, 0x3f, 0xf4, 0x12, 0x6b, 0xfe, 0x16,
+	0x20, 0x6a, 0x24, 0x35, 0xdb, 0x35, 0x1e, 0x6b, 0x43, 0xdd, 0xd1, 0x07, 0x74, 0x5c, 0xfc, 0x7d,
+	0x56, 0xa1, 0x98, 0x4d, 0xd7, 0x78, 0xbc, 0x25, 0xe0, 0xea, 0xfb, 0x00, 0x3d, 0xcf, 0x27, 0xba,
+	0xd9, 0xa1, 0xde, 0x04, 0x55, 0x1d, 0x6b, 0x69, 0xa6, 0x28, 0x0e, 0x70, 0x7d, 0x71, 0xd4, 0x15,
+	0x8e, 0x68, 0x44, 0x70, 0xf5, 0x9f, 0xc2, 0x7c, 0xd7, 0xd6, 0x0d, 0x56, 0xae, 0xd3, 0x8d, 0x1e,
+	0x1c, 0xd1, 0x5d, 0xc8, 0x73, 0x52, 0xb1, 0x92, 0x13, 0x8f, 0x5b, 0xdc, 0xe7, 0xc6, 0x14, 0x16,
+	0xf4, 0xb5, 0x32, 0x40, 0x2c, 0x47, 0xfd, 0xd3, 0x14, 0x14, 0x23, 0xf9, 0x68, 0x95, 0x3f, 0x17,
+	0x86, 0xbe, 0x6e, 0x39, 0x22, 0xe2, 0x2f, 0xe2, 0x24, 0x08, 0xb5, 0xa0, 0xe4, 0x45, 0xdc, 0x17,
+	0xfa, 0x73, 0x13, 0x46, 0x8d, 0x93, 0xbc, 0xe8, 0x03, 0x28, 0xca, 0x6a, 0x0c, 0x69, 0x61, 0x2f,
+	0x2e, 0xde, 0x88, 0xc9, 0x65, 0x22, 0xd5, 0x27, 0x9e, 0x6d, 0x51, 0x9b, 0x93, 0x8d, 0x12, 0xa9,
+	0x58, 0x80, 0xd4, 0x6f, 0x00, 0x7c, 0xe2, 0x5a, 0x4e, 0xdf, 0x7d, 0x4c, 0x1c, 0xf6, 0x86, 0x4e,
+	0x43, 0x4a, 0x22, 0x15, 0x2d, 0x5a, 0x2c, 0x53, 0xc0, 0x57, 0x29, 0x7a, 0x4a, 0xe6, 0x4d, 0xf5,
+	0x77, 0xd3, 0x90, 0xc7, 0xae, 0x1b, 0xd6, 0xab, 0x68, 0x15, 0xf2, 0xc2, 0x94, 0xb0, 0x2b, 0xaa,
+	0x56, 0x3c, 0x3d, 0x59, 0xc9, 0x71, 0x1b, 0x92, 0x33, 0x98, 0xf1, 0x48, 0x18, 0xf9, 0xf4, 0x79,
+	0x46, 0x1e, 0xdd, 0x86, 0xb2, 0x20, 0xd2, 0xf6, 0xf4, 0x60, 0x8f, 0xc7, 0x77, 0xb5, 0xd9, 0xd3,
+	0x93, 0x15, 0xe0, 0x94, 0x1b, 0x7a, 0xb0, 0x87, 0x81, 0x53, 0xd3, 0x6f, 0xd4, 0x84, 0xd2, 0x67,
+	0xae, 0xe5, 0x68, 0x21, 0x9b, 0x84, 0xc8, 0x45, 0x4e, 0x5c, 0xea, 0x78, 0xaa, 0xa2, 0x1a, 0x07,
+	0x3e, 0x8b, 0x27, 0xdf, 0x84, 0x19, 0xdf, 0x75, 0x43, 0x6e, 0xd9, 0x2c, 0xd7, 0x11, 0x69, 0x8e,
+	0xd5, 0x89, 0xd9, 0x6f, 0xd7, 0x0d, 0xb1, 0xa0, 0xc3, 0x65, 0x3f, 0xd1, 0x42, 0xb7, 0x61, 0xc1,
+	0xd6, 0x83, 0x50, 0x63, 0x26, 0xd1, 0x8c, 0xa5, 0xe5, 0x99, 0xf2, 0x11, 0xc5, 0xb1, 0x77, 0x3e,
+	0x53, 0x72, 0xa8, 0x7f, 0x92, 0x82, 0x12, 0x9d, 0x8c, 0xb5, 0x6b, 0x19, 0xd4, 0x0f, 0x7c, 0x7e,
+	0xf7, 0xe4, 0x2a, 0x64, 0x8c, 0xc0, 0x17, 0x4a, 0x65, 0xf7, 0x73, 0xbd, 0x87, 0x31, 0x85, 0xa1,
+	0x7b, 0x90, 0x17, 0xe9, 0x16, 0xee, 0x99, 0xa8, 0x97, 0x7b, 0xac, 0x42, 0x37, 0x82, 0x8f, 0x6d,
+	0xf7, 0x78, 0x74, 0xfc, 0x9e, 0xc0, 0x49, 0x10, 0x5a, 0x84, 0xb4, 0xc1, 0xd5, 0x25, 0xca, 0xbd,
+	0xea, 0x6d, 0x9c, 0x36, 0x1c, 0xf5, 0x67, 0x29, 0x98, 0x89, 0x6d, 0x02, 0xdd, 0x01, 0xd7, 0xa0,
+	0x18, 0x8c, 0x76, 0x82, 0xc3, 0x20, 0x24, 0x43, 0x59, 0x1f, 0x10, 0x01, 0x50, 0x0b, 0x8a, 0xba,
+	0x3d, 0x70, 0x7d, 0x2b, 0xdc, 0x1b, 0x8a, 0x40, 0x76, 0xb2, 0x37, 0x91, 0x94, 0xb9, 0x56, 0x95,
+	0x2c, 0x38, 0xe6, 0x96, 0xae, 0x01, 0x2f, 0x8d, 0x61, 0xae, 0xc1, 0x2b, 0x50, 0xb6, 0xf5, 0x21,
+	0xcb, 0x3f, 0x85, 0xd6, 0x90, 0xc8, 0xc3, 0x20, 0x60, 0x7d, 0x6b, 0x48, 0x54, 0x15, 0x8a, 0x91,
+	0x30, 0x34, 0x07, 0xa5, 0x6a, 0xb3, 0xa7, 0xbd, 0x7d, 0xe7, 0xae, 0x76, 0xbf, 0xbe, 0xa5, 0x4c,
+	0x09, 0xf7, 0xf5, 0xff, 0xa6, 0x60, 0x46, 0x58, 0x2c, 0x11, 0x12, 0xbc, 0x0a, 0xd3, 0xbe, 0xbe,
+	0x1b, 0xca, 0xa0, 0x25, 0xcb, 0x77, 0x35, 0xbd, 0x04, 0x68, 0xd0, 0x42, 0x51, 0x93, 0x83, 0x96,
+	0x44, 0xc5, 0x4a, 0xe6, 0xc2, 0x8a, 0x95, 0xec, 0x6f, 0xa5, 0x62, 0x45, 0xfd, 0xd7, 0x00, 0xeb,
+	0x96, 0x4d, 0xfa, 0x3c, 0x55, 0x35, 0x29, 0x04, 0xa5, 0x6e, 0x5e, 0x54, 0xf8, 0xc3, 0xdd, 0xbc,
+	0x56, 0x03, 0x53, 0x18, 0x45, 0x0d, 0x2c, 0x53, 0x1c, 0x46, 0x86, 0xba, 0x4f, 0x51, 0x03, 0xcb,
+	0x8c, 0x5e, 0x06, 0xb3, 0x97, 0xbc, 0x0c, 0xaa, 0x73, 0x30, 0x83, 0x79, 0x8e, 0x8d, 0x8f, 0x41,
+	0x3d, 0x4e, 0xc1, 0x9c, 0xf0, 0x77, 0x23, 0x93, 0xfd, 0x06, 0x14, 0xb9, 0xeb, 0x1b, 0x07, 0x81,
+	0xac, 0x6c, 0x83, 0xd3, 0xb5, 0x1a, 0xb8, 0xc0, 0xd1, 0x2d, 0x13, 0xad, 0x40, 0x49, 0x90, 0x26,
+	0x6a, 0x05, 0x81, 0x83, 0x58, 0x31, 0xd3, 0xbb, 0x90, 0xdd, 0xb5, 0x6c, 0x22, 0x76, 0xfe, 0x44,
+	0x8b, 0x10, 0x6b, 0x64, 0x63, 0x0a, 0x33, 0xea, 0x5a, 0x41, 0x26, 0xf7, 0xd4, 0x3f, 0x4f, 0xb1,
+	0x14, 0x33, 0x0d, 0x55, 0x93, 0xe3, 0xe3, 0x51, 0xeb, 0x99, 0xf1, 0x71, 0x3a, 0x3a, 0x3e, 0x8e,
+	0xe6, 0xe3, 0x13, 0xa4, 0xc9, 0xf1, 0x71, 0xd0, 0x6f, 0x3e, 0x3e, 0xf4, 0x11, 0x4c, 0x8b, 0x54,
+	0xa5, 0x30, 0x75, 0xaf, 0x4c, 0xdc, 0x19, 0x49, 0x4d, 0x6f, 0x4c, 0x61, 0xc9, 0x93, 0x98, 0xde,
+	0x26, 0x2c, 0xd6, 0x6c, 0xdd, 0x78, 0x6c, 0x5b, 0x41, 0x48, 0xcc, 0xa4, 0x05, 0xba, 0x03, 0xf9,
+	0x31, 0x3f, 0xf7, 0xa2, 0x24, 0xaa, 0xa0, 0x54, 0xff, 0x57, 0x1a, 0xca, 0x1b, 0x44, 0xb7, 0xc3,
+	0xbd, 0x38, 0x53, 0x15, 0x92, 0x20, 0x14, 0xf7, 0x23, 0xfb, 0x46, 0x5f, 0x83, 0x42, 0xe4, 0x06,
+	0x5d, 0xfa, 0x1c, 0x18, 0x91, 0xa2, 0x77, 0x60, 0x9a, 0x8e, 0xdd, 0x1d, 0xc9, 0xf8, 0xea, 0xa2,
+	0x97, 0x26, 0x41, 0x49, 0x2f, 0x2d, 0x9f, 0x30, 0xbf, 0x87, 0xe9, 0x29, 0x87, 0x65, 0x13, 0x7d,
+	0x1d, 0xca, 0xec, 0xa1, 0x44, 0xba, 0x79, 0xb9, 0xcb, 0x64, 0x96, 0xf8, 0x5b, 0x27, 0xa3, 0x46,
+	0xf7, 0x60, 0x96, 0x73, 0x47, 0x33, 0xc9, 0x5f, 0xc6, 0x3f, 0xc3, 0x18, 0xa4, 0xa3, 0xa7, 0xfe,
+	0x38, 0x0d, 0x0b, 0x5b, 0xfa, 0xe1, 0x0e, 0x11, 0x86, 0x8c, 0x98, 0x98, 0x18, 0xae, 0x6f, 0xa2,
+	0x6e, 0xd2, 0x00, 0x5e, 0xf0, 0xf8, 0x3a, 0x89, 0x79, 0xb2, 0x1d, 0x94, 0x51, 0x63, 0x3a, 0x11,
+	0x35, 0x2e, 0x40, 0xce, 0x71, 0x1d, 0x83, 0x08, 0xeb, 0xc8, 0x1b, 0xea, 0xf7, 0x53, 0x49, 0xeb,
+	0x57, 0x89, 0x1e, 0x46, 0x59, 0xda, 0xac, 0xed, 0x86, 0x51, 0x77, 0xe8, 0x1e, 0x54, 0x7a, 0xcd,
+	0x3a, 0x6e, 0xf6, 0x6b, 0x9d, 0x6f, 0x6a, 0xbd, 0xea, 0x66, 0xaf, 0x7a, 0xe7, 0xb6, 0xd6, 0xed,
+	0x6c, 0x7e, 0xfa, 0xf6, 0x3b, 0xb7, 0xbf, 0xa6, 0xa4, 0x2a, 0xab, 0x47, 0xc7, 0xab, 0xd7, 0xda,
+	0xd5, 0xfa, 0x26, 0x3f, 0xb3, 0x3b, 0xee, 0x93, 0x9e, 0x6e, 0x07, 0xfa, 0x9d, 0xdb, 0x5d, 0xd7,
+	0x3e, 0xa4, 0x34, 0xe8, 0x4d, 0x40, 0xeb, 0x4d, 0xdc, 0x6e, 0xf6, 0x35, 0x69, 0x62, 0xeb, 0xb5,
+	0xba, 0x92, 0xe6, 0xb1, 0xd8, 0x3a, 0xf1, 0x1d, 0x12, 0x56, 0x9b, 0xbd, 0xb7, 0xef, 0xdc, 0xad,
+	0xd7, 0xea, 0xd4, 0x4a, 0x94, 0x93, 0xf7, 0x6d, 0xd2, 0x8d, 0x48, 0x9d, 0xeb, 0x46, 0xc4, 0xde,
+	0x48, 0xfa, 0x1c, 0x6f, 0x64, 0x1d, 0x16, 0x0c, 0xdf, 0x0d, 0x02, 0x8d, 0x06, 0x38, 0xc4, 0x3c,
+	0x13, 0x42, 0xbd, 0x70, 0x7a, 0xb2, 0x72, 0xa5, 0x4e, 0xf1, 0x3d, 0x86, 0x16, 0xe2, 0xaf, 0x18,
+	0x09, 0x10, 0xeb, 0x49, 0xfd, 0xf1, 0x34, 0xf5, 0x15, 0xad, 0x7d, 0xcb, 0x26, 0x03, 0x12, 0xa0,
+	0x87, 0x30, 0x67, 0xf8, 0xc4, 0xa4, 0x91, 0x8b, 0x6e, 0x27, 0x0b, 0xf5, 0xbf, 0x3a, 0xd1, 0x6d,
+	0x8b, 0x18, 0xd7, 0xea, 0x11, 0x57, 0xcf, 0x23, 0x06, 0x9e, 0x35, 0xc6, 0xda, 0xe8, 0x33, 0x98,
+	0x0b, 0x88, 0x6d, 0x39, 0xa3, 0x27, 0x9a, 0xe1, 0x3a, 0x21, 0x79, 0x22, 0x1f, 0x04, 0x2f, 0x93,
+	0xdb, 0x6b, 0x6e, 0x52, 0xae, 0x3a, 0x67, 0xaa, 0xa1, 0xd3, 0x93, 0x95, 0xd9, 0x71, 0x18, 0x9e,
+	0x15, 0x92, 0x45, 0x1b, 0x35, 0x60, 0x3a, 0x20, 0x86, 0xe1, 0x0e, 0x3d, 0x71, 0xde, 0x6e, 0x5e,
+	0xd6, 0x07, 0xa7, 0xee, 0x78, 0x61, 0x80, 0x25, 0x2b, 0xba, 0x0f, 0x05, 0xdd, 0xf3, 0x74, 0x7f,
+	0x18, 0x3d, 0x10, 0xbf, 0x79, 0x89, 0x98, 0xaa, 0xe7, 0x55, 0x29, 0x39, 0x93, 0x13, 0x31, 0xa3,
+	0x9b, 0x70, 0xc5, 0x71, 0x35, 0x87, 0x1c, 0x68, 0x5e, 0x44, 0xcb, 0xeb, 0xa7, 0xf0, 0x9c, 0xe3,
+	0xb6, 0xc9, 0x41, 0x2c, 0xa2, 0xb2, 0x07, 0xb3, 0xe3, 0x8a, 0x44, 0x0b, 0xc2, 0xca, 0x32, 0x63,
+	0x1d, 0x59, 0xd1, 0x6b, 0x50, 0xf0, 0xc9, 0xc0, 0x0a, 0x42, 0x9f, 0xef, 0x10, 0x8a, 0x89, 0x20,
+	0x68, 0x09, 0xf2, 0x89, 0xc2, 0x1d, 0x8a, 0x13, 0x6d, 0x6a, 0x3e, 0x79, 0xdd, 0x61, 0xe5, 0x5f,
+	0xc2, 0x19, 0x35, 0x52, 0x8b, 0x63, 0x5a, 0x81, 0xbe, 0x23, 0x3a, 0x2b, 0x60, 0xd9, 0xa4, 0xc7,
+	0x70, 0x14, 0x44, 0xde, 0x33, 0xfb, 0xa6, 0x30, 0xe6, 0xe6, 0x89, 0x2a, 0x4c, 0xe6, 0xc8, 0xc9,
+	0x5a, 0xf8, 0x6c, 0xa2, 0x16, 0x7e, 0x01, 0x72, 0x36, 0xd9, 0x27, 0x36, 0x77, 0xb0, 0x30, 0x6f,
+	0x54, 0x7e, 0x9c, 0x82, 0x52, 0x42, 0xeb, 0xe8, 0x13, 0x71, 0x0b, 0x73, 0xab, 0xf1, 0xde, 0xb3,
+	0xaf, 0x97, 0xfc, 0x1e, 0x2f, 0xe1, 0xf1, 0x7c, 0x97, 0x29, 0x8d, 0xdb, 0x0d, 0xd9, 0x54, 0xdf,
+	0x8b, 0x3a, 0x65, 0xb9, 0xf2, 0x52, 0xa2, 0x04, 0x06, 0xcd, 0x02, 0x6c, 0xb7, 0xeb, 0x9d, 0xf6,
+	0x7a, 0xab, 0xdd, 0x6c, 0xf0, 0xd7, 0xdf, 0xfa, 0x76, 0xaf, 0xdf, 0xd9, 0x52, 0xd2, 0x95, 0xef,
+	0xa6, 0xa0, 0x9c, 0x5c, 0x5c, 0xb4, 0x39, 0x36, 0xdc, 0xbb, 0xcf, 0xb1, 0x2f, 0xa2, 0x46, 0xc2,
+	0xb3, 0x78, 0x23, 0x96, 0xfe, 0xf4, 0xb8, 0xca, 0x50, 0x68, 0xb4, 0x7a, 0xd5, 0xda, 0x26, 0x1d,
+	0x15, 0x33, 0x73, 0x9f, 0xb8, 0x3b, 0xc2, 0x77, 0x5b, 0x87, 0x99, 0xcf, 0xdc, 0x1d, 0xcd, 0x0a,
+	0x89, 0x1f, 0xd7, 0x2e, 0x96, 0xee, 0xbc, 0x34, 0x69, 0x3c, 0xe2, 0xa7, 0x04, 0xc2, 0x3b, 0x2e,
+	0x7f, 0xe6, 0xee, 0xb4, 0x24, 0x1b, 0xaa, 0xc2, 0x2c, 0x73, 0xfa, 0xc9, 0x13, 0x62, 0x8c, 0x98,
+	0xa0, 0xcb, 0x1f, 0xeb, 0x67, 0x28, 0x47, 0x53, 0x32, 0xa8, 0x3f, 0xca, 0x81, 0xc2, 0x2b, 0x9c,
+	0xaa, 0xac, 0xe2, 0x99, 0x4d, 0xe4, 0x1e, 0xe4, 0x02, 0xc3, 0x8d, 0x0a, 0x65, 0x27, 0x1e, 0xc3,
+	0xb3, 0x4c, 0x6b, 0x3d, 0xca, 0x81, 0x39, 0x23, 0x5a, 0x87, 0xe9, 0x60, 0x4f, 0xf7, 0x2d, 0x67,
+	0x20, 0x3c, 0xea, 0xb7, 0x9e, 0x4d, 0x06, 0xe7, 0xc1, 0x92, 0x19, 0x6d, 0x40, 0x6e, 0x87, 0x86,
+	0xf1, 0xc2, 0x20, 0xdc, 0x7e, 0x26, 0x29, 0x35, 0xca, 0xc1, 0xa1, 0x1b, 0x53, 0x98, 0x0b, 0xa0,
+	0x92, 0x58, 0xb9, 0xa5, 0xb0, 0x09, 0xcf, 0x26, 0x89, 0x55, 0x2e, 0xc5, 0x92, 0x98, 0x80, 0xca,
+	0x0c, 0x94, 0x12, 0x3d, 0x54, 0xee, 0x43, 0x29, 0x41, 0x86, 0x5e, 0x84, 0xe9, 0xdd, 0x40, 0x4b,
+	0xfc, 0xb4, 0x24, 0xbf, 0x1b, 0xb0, 0xf2, 0xb3, 0x15, 0x28, 0x31, 0x7e, 0x6d, 0xd7, 0xd6, 0x07,
+	0xf2, 0xa5, 0x16, 0x18, 0x68, 0x9d, 0x42, 0x54, 0x03, 0x72, 0x4c, 0x87, 0xe8, 0x26, 0x94, 0x7a,
+	0xad, 0xf6, 0xfd, 0xcd, 0xa6, 0xd6, 0xee, 0x34, 0xe8, 0x65, 0xc8, 0xea, 0x11, 0xb9, 0x7c, 0x46,
+	0xd1, 0xb3, 0x9c, 0x81, 0x4d, 0x58, 0x8d, 0xfb, 0x0d, 0x80, 0xad, 0xed, 0xcd, 0x7e, 0x8b, 0x93,
+	0x8a, 0x22, 0xaf, 0x04, 0xe9, 0xd6, 0xc8, 0x0e, 0x2d, 0x4a, 0x29, 0x02, 0x89, 0xff, 0x99, 0x82,
+	0x69, 0xa1, 0x65, 0xb4, 0x12, 0xdd, 0xb6, 0x2f, 0x1c, 0x1d, 0xaf, 0x5e, 0x11, 0x5c, 0x1c, 0xc9,
+	0x4a, 0x91, 0x6e, 0xb0, 0x2a, 0xf1, 0x86, 0xd6, 0x69, 0x6f, 0x7e, 0xaa, 0xa4, 0xc6, 0x86, 0x21,
+	0x16, 0x4a, 0x94, 0x90, 0xa2, 0x9b, 0x00, 0x9d, 0x76, 0x53, 0x7b, 0x84, 0x5b, 0xfd, 0x26, 0x96,
+	0x55, 0x64, 0x63, 0xa4, 0x1d, 0x87, 0x3c, 0xf2, 0xe9, 0x8e, 0x47, 0x2f, 0x43, 0xa6, 0xba, 0xb9,
+	0xa9, 0x64, 0x78, 0x65, 0xd3, 0x18, 0x51, 0xd5, 0xb6, 0xf9, 0x38, 0x6b, 0x33, 0x50, 0xe2, 0x25,
+	0xf8, 0x4c, 0x95, 0xea, 0x5d, 0x28, 0x0b, 0x42, 0x9e, 0x96, 0x7e, 0x3a, 0x07, 0xbb, 0x18, 0xe5,
+	0xc2, 0xe5, 0x8b, 0x2d, 0x6b, 0xa9, 0xff, 0x23, 0x03, 0xf3, 0x9c, 0x55, 0xbc, 0x8a, 0xc5, 0xf1,
+	0xd3, 0xe5, 0x8f, 0x3e, 0xf5, 0xf1, 0x02, 0x87, 0xaf, 0x9e, 0xbf, 0x69, 0xc6, 0x84, 0x8f, 0x3f,
+	0xbe, 0x98, 0x30, 0x27, 0x9f, 0x26, 0xe5, 0x15, 0xca, 0x33, 0x2a, 0x1f, 0x3e, 0xab, 0x38, 0xd1,
+	0x12, 0x06, 0x9f, 0xe7, 0xb0, 0xe5, 0xab, 0x68, 0xe2, 0x16, 0x90, 0x65, 0x15, 0xb9, 0xb1, 0xb2,
+	0x8a, 0x4a, 0x15, 0xe6, 0x27, 0x08, 0x78, 0xae, 0x34, 0xf6, 0xb7, 0xe5, 0x63, 0xd1, 0x3c, 0xcc,
+	0x89, 0x27, 0x1e, 0xad, 0xbb, 0x5d, 0xdb, 0x6c, 0xf5, 0x36, 0x94, 0x29, 0x34, 0x03, 0x45, 0xd1,
+	0x60, 0x16, 0xb8, 0x02, 0x8b, 0x92, 0x86, 0x6e, 0x4a, 0x6d, 0xbb, 0x2d, 0x49, 0xd3, 0xe8, 0x05,
+	0xb8, 0x22, 0x71, 0x31, 0x38, 0xa3, 0xfe, 0x41, 0x1a, 0x80, 0x4f, 0x9c, 0xfd, 0x5e, 0xe4, 0x3a,
+	0xcc, 0x1a, 0xba, 0xa7, 0x1b, 0x56, 0x78, 0x38, 0x56, 0x18, 0x3a, 0x23, 0xa1, 0xbc, 0x38, 0xf4,
+	0x9b, 0x51, 0xb5, 0x7a, 0xec, 0x9a, 0x9c, 0xfb, 0x2b, 0xab, 0x58, 0xbc, 0xf8, 0x1c, 0xd3, 0xa6,
+	0xa8, 0x5b, 0x97, 0xca, 0x7c, 0x03, 0x8a, 0x42, 0x72, 0x14, 0x7d, 0xb2, 0x70, 0x4b, 0x08, 0x69,
+	0xe0, 0x02, 0x47, 0xb7, 0xcc, 0xf3, 0x7f, 0x64, 0x92, 0xf9, 0x4d, 0x7e, 0x64, 0x52, 0xb9, 0x07,
+	0xe8, 0xe9, 0xe1, 0x3d, 0xd7, 0x5a, 0x3d, 0x82, 0x99, 0xba, 0x50, 0x13, 0x66, 0xd5, 0x09, 0xd7,
+	0x61, 0xd6, 0xe7, 0x3f, 0x2b, 0x34, 0xc7, 0xb5, 0x29, 0xa1, 0x5c, 0x9b, 0x2b, 0x50, 0x62, 0x29,
+	0xf1, 0xb1, 0xdf, 0x39, 0x02, 0x03, 0x31, 0x02, 0xf5, 0x8f, 0xb3, 0xd1, 0x55, 0x11, 0x50, 0xe7,
+	0x95, 0x65, 0x25, 0x17, 0x21, 0x1d, 0x9d, 0x20, 0x96, 0x84, 0x69, 0x35, 0x70, 0xda, 0x32, 0xc7,
+	0x35, 0x98, 0xbe, 0x50, 0x83, 0xf1, 0xa3, 0x6f, 0xe6, 0x99, 0x1f, 0x7d, 0xbf, 0xfd, 0xd4, 0xd2,
+	0x73, 0x85, 0xff, 0x93, 0x0b, 0xcc, 0x7a, 0x34, 0xe8, 0x67, 0xd8, 0x00, 0xfa, 0xd3, 0x67, 0x36,
+	0x77, 0xfe, 0x03, 0xe1, 0x53, 0x1d, 0x3c, 0xcb, 0x81, 0x6d, 0x46, 0x16, 0x8e, 0xb9, 0x24, 0x3c,
+	0x9a, 0x7b, 0xed, 0x59, 0xae, 0x25, 0x0c, 0x7a, 0x7c, 0x57, 0x7f, 0xc0, 0x9c, 0x66, 0x9f, 0x84,
+	0x81, 0xf8, 0x1d, 0xd9, 0xea, 0xf9, 0x22, 0x44, 0xd6, 0x43, 0x32, 0x7c, 0xf9, 0xcd, 0xf6, 0xdb,
+	0xb0, 0x2d, 0xdf, 0x8a, 0x76, 0x55, 0x54, 0x08, 0x74, 0xee, 0xae, 0x7a, 0xce, 0x1f, 0xe3, 0xa8,
+	0xff, 0x2e, 0x05, 0xf3, 0xd1, 0x71, 0x8b, 0x7f, 0x5a, 0x8b, 0x3e, 0x80, 0x22, 0xdb, 0xfc, 0x81,
+	0xc5, 0xde, 0xd4, 0x2f, 0x3f, 0xaa, 0x31, 0x39, 0x4b, 0x8d, 0xb3, 0x4c, 0xb9, 0x4f, 0x4c, 0x61,
+	0x70, 0x2e, 0xe1, 0x8d, 0xc8, 0xd5, 0xef, 0xa5, 0xa0, 0x20, 0xe1, 0x68, 0x1d, 0x0a, 0x01, 0x19,
+	0xb0, 0x9f, 0xfa, 0x8a, 0x31, 0xdc, 0xbc, 0x48, 0xce, 0x5a, 0x4f, 0x10, 0x8b, 0xca, 0x20, 0xc9,
+	0x5b, 0xf9, 0x10, 0x66, 0xc6, 0x50, 0xcf, 0xa5, 0xfd, 0x5f, 0x46, 0x87, 0x9a, 0x1a, 0x0d, 0xf1,
+	0xdb, 0xb1, 0xc8, 0xeb, 0x4a, 0x5d, 0xe6, 0x2b, 0xc5, 0x4c, 0x97, 0x78, 0x5d, 0xe9, 0xe7, 0x90,
+	0x34, 0xc9, 0xeb, 0x42, 0xdd, 0xf1, 0xe3, 0xc2, 0x4d, 0xc5, 0xad, 0x67, 0x92, 0x37, 0xf9, 0xe4,
+	0xfc, 0x63, 0xf9, 0x71, 0x95, 0xbf, 0x4f, 0x01, 0x24, 0x9c, 0xe9, 0x8d, 0xb1, 0x98, 0xe3, 0xdd,
+	0xe7, 0x1c, 0xf1, 0x5a, 0x22, 0xde, 0xf8, 0x6f, 0x29, 0xc8, 0xca, 0x40, 0x23, 0xae, 0xde, 0x5a,
+	0x04, 0x94, 0xf0, 0x16, 0xa5, 0x0b, 0x96, 0x42, 0x2f, 0xc1, 0x8b, 0x49, 0x38, 0x75, 0xe4, 0x9a,
+	0x98, 0xbb, 0x72, 0x69, 0x7a, 0x47, 0xc7, 0x6e, 0xe3, 0x18, 0x2e, 0x83, 0xae, 0xc1, 0x52, 0x02,
+	0x27, 0x64, 0x08, 0xb1, 0x59, 0x2a, 0x36, 0x81, 0xe5, 0x9f, 0x02, 0x99, 0x3b, 0xe3, 0xb5, 0xdd,
+	0xfc, 0x3a, 0x94, 0xe5, 0x4f, 0x74, 0x99, 0xea, 0x0a, 0x90, 0xed, 0x57, 0x7b, 0x0f, 0x94, 0x29,
+	0x1a, 0xa5, 0xf1, 0x64, 0x8e, 0x88, 0xd8, 0x68, 0xfc, 0x76, 0x5f, 0x49, 0xd3, 0x6f, 0xf1, 0x33,
+	0x8c, 0xcc, 0xcd, 0xff, 0x94, 0x85, 0x62, 0x54, 0x3d, 0x8a, 0xae, 0x42, 0xa6, 0xdd, 0x7c, 0x24,
+	0x33, 0x43, 0x11, 0xbc, 0x4d, 0x0e, 0xd0, 0x2b, 0x71, 0xdd, 0xc9, 0x3d, 0xee, 0x54, 0x46, 0x68,
+	0x59, 0x73, 0xf2, 0x1a, 0x14, 0xaa, 0xbd, 0x5e, 0xeb, 0x3e, 0x8d, 0x11, 0xbf, 0x48, 0x71, 0x7f,
+	0x37, 0x22, 0xe2, 0x86, 0x9b, 0x98, 0x8c, 0xaa, 0x5e, 0x6f, 0x76, 0xfb, 0xcd, 0x86, 0xf2, 0x79,
+	0xfa, 0x2c, 0x15, 0xab, 0xa3, 0x60, 0x3f, 0x28, 0x2a, 0x76, 0x71, 0xb3, 0x5b, 0xc5, 0xb4, 0xc3,
+	0x2f, 0xd2, 0xbc, 0x1c, 0x26, 0xee, 0xd1, 0x27, 0x1e, 0x77, 0xaf, 0x97, 0xe5, 0x6f, 0x17, 0x3f,
+	0xcf, 0xf0, 0x9f, 0x8c, 0xc4, 0xa5, 0xb0, 0x44, 0x37, 0x0f, 0x69, 0x6f, 0xac, 0x06, 0x99, 0x89,
+	0xc9, 0x9c, 0xe9, 0xad, 0x17, 0xea, 0x7e, 0x48, 0xa5, 0xa8, 0x30, 0x8d, 0xb7, 0xdb, 0x6d, 0x4a,
+	0xf4, 0x79, 0xf6, 0xcc, 0xec, 0xf0, 0xc8, 0x71, 0x28, 0xcd, 0x75, 0x28, 0xc8, 0x12, 0x65, 0xe5,
+	0x8b, 0xec, 0x99, 0x01, 0xd5, 0x65, 0x7d, 0x35, 0xeb, 0x70, 0x63, 0xbb, 0xcf, 0x7e, 0x5a, 0xf9,
+	0x79, 0xee, 0x6c, 0x87, 0x7b, 0xa3, 0xd0, 0x74, 0x0f, 0x1c, 0xb4, 0x1a, 0x55, 0xde, 0x7c, 0x91,
+	0xe3, 0xa9, 0xb1, 0x88, 0x46, 0x94, 0xdd, 0xbc, 0x06, 0x05, 0xdc, 0xfc, 0x84, 0xff, 0x0a, 0xf3,
+	0xf3, 0xfc, 0x19, 0x39, 0x98, 0x7c, 0x46, 0x0c, 0xda, 0xdb, 0x2a, 0xe4, 0x71, 0x73, 0xab, 0xf3,
+	0xb0, 0xa9, 0xfc, 0xf7, 0xfc, 0x19, 0x39, 0x98, 0x0c, 0x5d, 0xf6, 0x8b, 0xab, 0x42, 0x07, 0x77,
+	0x37, 0xaa, 0x6c, 0x51, 0xce, 0xca, 0xe9, 0xf8, 0xde, 0x9e, 0xee, 0x10, 0x33, 0xfe, 0x4d, 0x4c,
+	0x84, 0xba, 0xf9, 0x6d, 0x28, 0xc8, 0xa7, 0x28, 0xb4, 0x0c, 0xf9, 0x47, 0x1d, 0xfc, 0xa0, 0x89,
+	0x95, 0x29, 0xae, 0x65, 0x89, 0x79, 0xc4, 0x1f, 0x11, 0x57, 0x61, 0x7a, 0xab, 0xda, 0xae, 0xde,
+	0xa7, 0x67, 0x82, 0x0f, 0x43, 0x12, 0x88, 0xf7, 0x94, 0x8a, 0x22, 0x3a, 0x88, 0x64, 0xd6, 0x5e,
+	0xfb, 0xc9, 0xaf, 0x96, 0xa7, 0x7e, 0xf1, 0xab, 0xe5, 0xa9, 0xcf, 0x4f, 0x97, 0x53, 0x3f, 0x39,
+	0x5d, 0x4e, 0xfd, 0xf4, 0x74, 0x39, 0xf5, 0x97, 0xa7, 0xcb, 0xa9, 0x7f, 0xff, 0xeb, 0xe5, 0xa9,
+	0x9f, 0xfe, 0x7a, 0x79, 0xea, 0x17, 0xbf, 0x5e, 0x9e, 0xda, 0xc9, 0xb3, 0xe8, 0xfa, 0x9d, 0x7f,
+	0x08, 0x00, 0x00, 0xff, 0xff, 0x17, 0xf6, 0x52, 0x33, 0xb1, 0x45, 0x00, 0x00,
 }
 
 func (m *Version) Copy() *Version {
@@ -8400,6 +8403,13 @@
 	_ = i
 	var l int
 	_ = l
+	if len(m.Subpath) > 0 {
+		i -= len(m.Subpath)
+		copy(dAtA[i:], m.Subpath)
+		i = encodeVarintTypes(dAtA, i, uint64(len(m.Subpath)))
+		i--
+		dAtA[i] = 0x22
+	}
 	if m.DriverConfig != nil {
 		{
 			size, err := m.DriverConfig.MarshalToSizedBuffer(dAtA[:i])
@@ -12084,6 +12094,10 @@
 		l = m.DriverConfig.Size()
 		n += 1 + l + sovTypes(uint64(l))
 	}
+	l = len(m.Subpath)
+	if l > 0 {
+		n += 1 + l + sovTypes(uint64(l))
+	}
 	return n
 }
 
@@ -13810,6 +13824,7 @@
 		`NoCopy:` + fmt.Sprintf("%v", this.NoCopy) + `,`,
 		`Labels:` + mapStringForLabels + `,`,
 		`DriverConfig:` + strings.Replace(this.DriverConfig.String(), "Driver", "Driver", 1) + `,`,
+		`Subpath:` + fmt.Sprintf("%v", this.Subpath) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -17944,6 +17959,38 @@
 				return err
 			}
 			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Subpath", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowTypes
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthTypes
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthTypes
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Subpath = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipTypes(dAtA[iNdEx:])
diff --git a/vendor/github.com/moby/swarmkit/v2/api/types.proto b/vendor/github.com/moby/swarmkit/v2/api/types.proto
index 49cf6a9..5ad4a5f 100644
--- a/vendor/github.com/moby/swarmkit/v2/api/types.proto
+++ b/vendor/github.com/moby/swarmkit/v2/api/types.proto
@@ -311,6 +311,9 @@
 		//
 		// If this is empty, no volume will be created if the volume is missing.
 		Driver driver_config = 3;
+
+		// subpath inside the volume to mount.
+		string subpath = 4 [(gogoproto.customname) = "Subpath"];
 	}
 
 	message TmpfsOptions {
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 4e7717d..d1236ba 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -187,6 +187,10 @@
 type Hooks struct {
 	// Prestart is Deprecated. Prestart is a list of hooks to be run before the container process is executed.
 	// It is called in the Runtime Namespace
+	//
+	// Deprecated: use [Hooks.CreateRuntime], [Hooks.CreateContainer], and
+	// [Hooks.StartContainer] instead, which allow more granular hook control
+	// during the create and start phase.
 	Prestart []Hook `json:"prestart,omitempty"`
 	// CreateRuntime is a list of hooks to be run after the container has been created but before pivot_root or any equivalent operation has been called
 	// It is called in the Runtime Namespace
@@ -371,6 +375,12 @@
 	// Total memory limit (memory + swap).
 	Swap *int64 `json:"swap,omitempty"`
 	// Kernel memory limit (in bytes).
+	//
+	// Deprecated: kernel-memory limits are not supported in cgroups v2, and
+	// were obsoleted in [kernel v5.4]. This field should no longer be used,
+	// as it may be ignored by runtimes.
+	//
+	// [kernel v5.4]: https://github.com/torvalds/linux/commit/0158115f702b0ba208ab0
 	Kernel *int64 `json:"kernel,omitempty"`
 	// Kernel memory limit for tcp (in bytes)
 	KernelTCP *int64 `json:"kernelTCP,omitempty"`
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
index 230e88f..949f532 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go
@@ -24,6 +24,12 @@
 	// Annotations contains implementation-specific annotation strings,
 	// such as the implementation version, and third-party extensions.
 	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// PotentiallyUnsafeConfigAnnotations the list of the potential unsafe annotations
+	// that may appear in `config.json`.
+	//
+	// A value that ends with "." is interpreted as a prefix of annotations.
+	PotentiallyUnsafeConfigAnnotations []string `json:"potentiallyUnsafeConfigAnnotations,omitempty"`
 }
 
 // Linux is specific to Linux.
@@ -36,11 +42,12 @@
 	// Nil value means "unknown", not "no support for any capability".
 	Capabilities []string `json:"capabilities,omitempty"`
 
-	Cgroup   *Cgroup   `json:"cgroup,omitempty"`
-	Seccomp  *Seccomp  `json:"seccomp,omitempty"`
-	Apparmor *Apparmor `json:"apparmor,omitempty"`
-	Selinux  *Selinux  `json:"selinux,omitempty"`
-	IntelRdt *IntelRdt `json:"intelRdt,omitempty"`
+	Cgroup          *Cgroup          `json:"cgroup,omitempty"`
+	Seccomp         *Seccomp         `json:"seccomp,omitempty"`
+	Apparmor        *Apparmor        `json:"apparmor,omitempty"`
+	Selinux         *Selinux         `json:"selinux,omitempty"`
+	IntelRdt        *IntelRdt        `json:"intelRdt,omitempty"`
+	MountExtensions *MountExtensions `json:"mountExtensions,omitempty"`
 }
 
 // Cgroup represents the "cgroup" field.
@@ -123,3 +130,16 @@
 	// Nil value means "unknown", not "false".
 	Enabled *bool `json:"enabled,omitempty"`
 }
+
+// MountExtensions represents the "mountExtensions" field.
+type MountExtensions struct {
+	// IDMap represents the status of idmap mounts support.
+	IDMap *IDMap `json:"idmap,omitempty"`
+}
+
+type IDMap struct {
+	// Enabled represents whether idmap mounts supports is compiled in.
+	// Unrelated to whether the host supports it or not.
+	// Nil value means "unknown", not "false".
+	Enabled *bool `json:"enabled,omitempty"`
+}
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
index b3fca34..503971e 100644
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/version.go
@@ -6,7 +6,7 @@
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 1
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 1
+	VersionMinor = 2
 	// VersionPatch is for backwards-compatible bug fixes
 	VersionPatch = 0
 
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/bits_compat.go b/vendor/golang.org/x/crypto/internal/poly1305/bits_compat.go
deleted file mode 100644
index d33c889..0000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/bits_compat.go
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.13
-
-package poly1305
-
-// Generic fallbacks for the math/bits intrinsics, copied from
-// src/math/bits/bits.go. They were added in Go 1.12, but Add64 and Sum64 had
-// variable time fallbacks until Go 1.13.
-
-func bitsAdd64(x, y, carry uint64) (sum, carryOut uint64) {
-	sum = x + y + carry
-	carryOut = ((x & y) | ((x | y) &^ sum)) >> 63
-	return
-}
-
-func bitsSub64(x, y, borrow uint64) (diff, borrowOut uint64) {
-	diff = x - y - borrow
-	borrowOut = ((^x & y) | (^(x ^ y) & diff)) >> 63
-	return
-}
-
-func bitsMul64(x, y uint64) (hi, lo uint64) {
-	const mask32 = 1<<32 - 1
-	x0 := x & mask32
-	x1 := x >> 32
-	y0 := y & mask32
-	y1 := y >> 32
-	w0 := x0 * y0
-	t := x1*y0 + w0>>32
-	w1 := t & mask32
-	w2 := t >> 32
-	w1 += x0 * y1
-	hi = x1*y1 + w2 + w1>>32
-	lo = x * y
-	return
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go b/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
deleted file mode 100644
index 495c1fa..0000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/bits_go1.13.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.13
-
-package poly1305
-
-import "math/bits"
-
-func bitsAdd64(x, y, carry uint64) (sum, carryOut uint64) {
-	return bits.Add64(x, y, carry)
-}
-
-func bitsSub64(x, y, borrow uint64) (diff, borrowOut uint64) {
-	return bits.Sub64(x, y, borrow)
-}
-
-func bitsMul64(x, y uint64) (hi, lo uint64) {
-	return bits.Mul64(x, y)
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go b/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go
index e041da5..ec2202b 100644
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go
+++ b/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go
@@ -7,7 +7,10 @@
 
 package poly1305
 
-import "encoding/binary"
+import (
+	"encoding/binary"
+	"math/bits"
+)
 
 // Poly1305 [RFC 7539] is a relatively simple algorithm: the authentication tag
 // for a 64 bytes message is approximately
@@ -114,13 +117,13 @@
 }
 
 func mul64(a, b uint64) uint128 {
-	hi, lo := bitsMul64(a, b)
+	hi, lo := bits.Mul64(a, b)
 	return uint128{lo, hi}
 }
 
 func add128(a, b uint128) uint128 {
-	lo, c := bitsAdd64(a.lo, b.lo, 0)
-	hi, c := bitsAdd64(a.hi, b.hi, c)
+	lo, c := bits.Add64(a.lo, b.lo, 0)
+	hi, c := bits.Add64(a.hi, b.hi, c)
 	if c != 0 {
 		panic("poly1305: unexpected overflow")
 	}
@@ -155,8 +158,8 @@
 		// hide leading zeroes. For full chunks, that's 1 << 128, so we can just
 		// add 1 to the most significant (2¹²⁸) limb, h2.
 		if len(msg) >= TagSize {
-			h0, c = bitsAdd64(h0, binary.LittleEndian.Uint64(msg[0:8]), 0)
-			h1, c = bitsAdd64(h1, binary.LittleEndian.Uint64(msg[8:16]), c)
+			h0, c = bits.Add64(h0, binary.LittleEndian.Uint64(msg[0:8]), 0)
+			h1, c = bits.Add64(h1, binary.LittleEndian.Uint64(msg[8:16]), c)
 			h2 += c + 1
 
 			msg = msg[TagSize:]
@@ -165,8 +168,8 @@
 			copy(buf[:], msg)
 			buf[len(msg)] = 1
 
-			h0, c = bitsAdd64(h0, binary.LittleEndian.Uint64(buf[0:8]), 0)
-			h1, c = bitsAdd64(h1, binary.LittleEndian.Uint64(buf[8:16]), c)
+			h0, c = bits.Add64(h0, binary.LittleEndian.Uint64(buf[0:8]), 0)
+			h1, c = bits.Add64(h1, binary.LittleEndian.Uint64(buf[8:16]), c)
 			h2 += c
 
 			msg = nil
@@ -219,9 +222,9 @@
 		m3 := h2r1
 
 		t0 := m0.lo
-		t1, c := bitsAdd64(m1.lo, m0.hi, 0)
-		t2, c := bitsAdd64(m2.lo, m1.hi, c)
-		t3, _ := bitsAdd64(m3.lo, m2.hi, c)
+		t1, c := bits.Add64(m1.lo, m0.hi, 0)
+		t2, c := bits.Add64(m2.lo, m1.hi, c)
+		t3, _ := bits.Add64(m3.lo, m2.hi, c)
 
 		// Now we have the result as 4 64-bit limbs, and we need to reduce it
 		// modulo 2¹³⁰ - 5. The special shape of this Crandall prime lets us do
@@ -243,14 +246,14 @@
 
 		// To add c * 5 to h, we first add cc = c * 4, and then add (cc >> 2) = c.
 
-		h0, c = bitsAdd64(h0, cc.lo, 0)
-		h1, c = bitsAdd64(h1, cc.hi, c)
+		h0, c = bits.Add64(h0, cc.lo, 0)
+		h1, c = bits.Add64(h1, cc.hi, c)
 		h2 += c
 
 		cc = shiftRightBy2(cc)
 
-		h0, c = bitsAdd64(h0, cc.lo, 0)
-		h1, c = bitsAdd64(h1, cc.hi, c)
+		h0, c = bits.Add64(h0, cc.lo, 0)
+		h1, c = bits.Add64(h1, cc.hi, c)
 		h2 += c
 
 		// h2 is at most 3 + 1 + 1 = 5, making the whole of h at most
@@ -287,9 +290,9 @@
 	// in constant time, we compute t = h - (2¹³⁰ - 5), and select h as the
 	// result if the subtraction underflows, and t otherwise.
 
-	hMinusP0, b := bitsSub64(h0, p0, 0)
-	hMinusP1, b := bitsSub64(h1, p1, b)
-	_, b = bitsSub64(h2, p2, b)
+	hMinusP0, b := bits.Sub64(h0, p0, 0)
+	hMinusP1, b := bits.Sub64(h1, p1, b)
+	_, b = bits.Sub64(h2, p2, b)
 
 	// h = h if h < p else h - p
 	h0 = select64(b, h0, hMinusP0)
@@ -301,8 +304,8 @@
 	//
 	// by just doing a wide addition with the 128 low bits of h and discarding
 	// the overflow.
-	h0, c := bitsAdd64(h0, s[0], 0)
-	h1, _ = bitsAdd64(h1, s[1], c)
+	h0, c := bits.Add64(h0, s[0], 0)
+	h1, _ = bits.Add64(h1, s[1], c)
 
 	binary.LittleEndian.PutUint64(out[0:8], h0)
 	binary.LittleEndian.PutUint64(out[8:16], h1)
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64le.s b/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64le.s
index d2ca5de..b3c1699 100644
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64le.s
+++ b/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64le.s
@@ -19,15 +19,14 @@
 
 #define POLY1305_MUL(h0, h1, h2, r0, r1, t0, t1, t2, t3, t4, t5) \
 	MULLD  r0, h0, t0;  \
-	MULLD  r0, h1, t4;  \
 	MULHDU r0, h0, t1;  \
+	MULLD  r0, h1, t4;  \
 	MULHDU r0, h1, t5;  \
 	ADDC   t4, t1, t1;  \
 	MULLD  r0, h2, t2;  \
-	ADDZE  t5;          \
 	MULHDU r1, h0, t4;  \
 	MULLD  r1, h0, h0;  \
-	ADD    t5, t2, t2;  \
+	ADDE   t5, t2, t2;  \
 	ADDC   h0, t1, t1;  \
 	MULLD  h2, r1, t3;  \
 	ADDZE  t4, h0;      \
@@ -37,13 +36,11 @@
 	ADDE   t5, t3, t3;  \
 	ADDC   h0, t2, t2;  \
 	MOVD   $-4, t4;     \
-	MOVD   t0, h0;      \
-	MOVD   t1, h1;      \
 	ADDZE  t3;          \
-	ANDCC  $3, t2, h2;  \
-	AND    t2, t4, t0;  \
+	RLDICL $0, t2, $62, h2; \
+	AND    t2, t4, h0;  \
 	ADDC   t0, h0, h0;  \
-	ADDE   t3, h1, h1;  \
+	ADDE   t3, t1, h1;  \
 	SLD    $62, t3, t4; \
 	SRD    $2, t2;      \
 	ADDZE  h2;          \
@@ -75,6 +72,7 @@
 loop:
 	POLY1305_ADD(R4, R8, R9, R10, R20, R21, R22)
 
+	PCALIGN $16
 multiply:
 	POLY1305_MUL(R8, R9, R10, R11, R12, R16, R17, R18, R14, R20, R21)
 	ADD $-16, R5
diff --git a/vendor/golang.org/x/crypto/ocsp/ocsp.go b/vendor/golang.org/x/crypto/ocsp/ocsp.go
index 4269ed1..bf22595 100644
--- a/vendor/golang.org/x/crypto/ocsp/ocsp.go
+++ b/vendor/golang.org/x/crypto/ocsp/ocsp.go
@@ -279,21 +279,22 @@
 
 // This is the exposed reflection of the internal OCSP structures.
 
-// The status values that can be expressed in OCSP.  See RFC 6960.
+// The status values that can be expressed in OCSP. See RFC 6960.
+// These are used for the Response.Status field.
 const (
 	// Good means that the certificate is valid.
-	Good = iota
+	Good = 0
 	// Revoked means that the certificate has been deliberately revoked.
-	Revoked
+	Revoked = 1
 	// Unknown means that the OCSP responder doesn't know about the certificate.
-	Unknown
+	Unknown = 2
 	// ServerFailed is unused and was never used (see
 	// https://go-review.googlesource.com/#/c/18944). ParseResponse will
 	// return a ResponseError when an error response is parsed.
-	ServerFailed
+	ServerFailed = 3
 )
 
-// The enumerated reasons for revoking a certificate.  See RFC 5280.
+// The enumerated reasons for revoking a certificate. See RFC 5280.
 const (
 	Unspecified          = 0
 	KeyCompromise        = 1
diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
index c1f6b90..43557ab 100644
--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
@@ -1510,13 +1510,12 @@
 }
 
 func (fr *Framer) maxHeaderStringLen() int {
-	v := fr.maxHeaderListSize()
-	if uint32(int(v)) == v {
-		return int(v)
+	v := int(fr.maxHeaderListSize())
+	if v < 0 {
+		// If maxHeaderListSize overflows an int, use no limit (0).
+		return 0
 	}
-	// They had a crazy big number for MaxHeaderBytes anyway,
-	// so give them unlimited header lengths:
-	return 0
+	return v
 }
 
 // readMetaFrame returns 0 or more CONTINUATION frames from fr and
@@ -1565,6 +1564,7 @@
 		if size > remainSize {
 			hdec.SetEmitEnabled(false)
 			mh.Truncated = true
+			remainSize = 0
 			return
 		}
 		remainSize -= size
@@ -1577,6 +1577,36 @@
 	var hc headersOrContinuation = hf
 	for {
 		frag := hc.HeaderBlockFragment()
+
+		// Avoid parsing large amounts of headers that we will then discard.
+		// If the sender exceeds the max header list size by too much,
+		// skip parsing the fragment and close the connection.
+		//
+		// "Too much" is either any CONTINUATION frame after we've already
+		// exceeded the max header list size (in which case remainSize is 0),
+		// or a frame whose encoded size is more than twice the remaining
+		// header list bytes we're willing to accept.
+		if int64(len(frag)) > int64(2*remainSize) {
+			if VerboseLogs {
+				log.Printf("http2: header list too large")
+			}
+			// It would be nice to send a RST_STREAM before sending the GOAWAY,
+			// but the structure of the server's frame writer makes this difficult.
+			return nil, ConnectionError(ErrCodeProtocol)
+		}
+
+		// Also close the connection after any CONTINUATION frame following an
+		// invalid header, since we stop tracking the size of the headers after
+		// an invalid one.
+		if invalid != nil {
+			if VerboseLogs {
+				log.Printf("http2: invalid header: %v", invalid)
+			}
+			// It would be nice to send a RST_STREAM before sending the GOAWAY,
+			// but the structure of the server's frame writer makes this difficult.
+			return nil, ConnectionError(ErrCodeProtocol)
+		}
+
 		if _, err := hdec.Write(frag); err != nil {
 			return nil, ConnectionError(ErrCodeCompression)
 		}
diff --git a/vendor/golang.org/x/net/http2/pipe.go b/vendor/golang.org/x/net/http2/pipe.go
index 684d984..3b9f06b 100644
--- a/vendor/golang.org/x/net/http2/pipe.go
+++ b/vendor/golang.org/x/net/http2/pipe.go
@@ -77,7 +77,10 @@
 	}
 }
 
-var errClosedPipeWrite = errors.New("write on closed buffer")
+var (
+	errClosedPipeWrite        = errors.New("write on closed buffer")
+	errUninitializedPipeWrite = errors.New("write on uninitialized buffer")
+)
 
 // Write copies bytes from p into the buffer and wakes a reader.
 // It is an error to write more data than the buffer can hold.
@@ -91,6 +94,12 @@
 	if p.err != nil || p.breakErr != nil {
 		return 0, errClosedPipeWrite
 	}
+	// pipe.setBuffer is never invoked, leaving the buffer uninitialized.
+	// We shouldn't try to write to an uninitialized pipe,
+	// but returning an error is better than panicking.
+	if p.b == nil {
+		return 0, errUninitializedPipeWrite
+	}
 	return p.b.Write(d)
 }
 
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index ae94c64..ce2e8b4 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -124,6 +124,7 @@
 	// IdleTimeout specifies how long until idle clients should be
 	// closed with a GOAWAY frame. PING frames are not considered
 	// activity for the purposes of IdleTimeout.
+	// If zero or negative, there is no timeout.
 	IdleTimeout time.Duration
 
 	// MaxUploadBufferPerConnection is the size of the initial flow
@@ -434,7 +435,7 @@
 	// passes the connection off to us with the deadline already set.
 	// Write deadlines are set per stream in serverConn.newStream.
 	// Disarm the net.Conn write deadline here.
-	if sc.hs.WriteTimeout != 0 {
+	if sc.hs.WriteTimeout > 0 {
 		sc.conn.SetWriteDeadline(time.Time{})
 	}
 
@@ -924,7 +925,7 @@
 	sc.setConnState(http.StateActive)
 	sc.setConnState(http.StateIdle)
 
-	if sc.srv.IdleTimeout != 0 {
+	if sc.srv.IdleTimeout > 0 {
 		sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer)
 		defer sc.idleTimer.Stop()
 	}
@@ -1637,7 +1638,7 @@
 	delete(sc.streams, st.id)
 	if len(sc.streams) == 0 {
 		sc.setConnState(http.StateIdle)
-		if sc.srv.IdleTimeout != 0 {
+		if sc.srv.IdleTimeout > 0 {
 			sc.idleTimer.Reset(sc.srv.IdleTimeout)
 		}
 		if h1ServerKeepAlivesDisabled(sc.hs) {
@@ -2017,7 +2018,7 @@
 	// similar to how the http1 server works. Here it's
 	// technically more like the http1 Server's ReadHeaderTimeout
 	// (in Go 1.8), though. That's a more sane option anyway.
-	if sc.hs.ReadTimeout != 0 {
+	if sc.hs.ReadTimeout > 0 {
 		sc.conn.SetReadDeadline(time.Time{})
 		st.readDeadline = time.AfterFunc(sc.hs.ReadTimeout, st.onReadTimeout)
 	}
@@ -2038,7 +2039,7 @@
 
 	// Disable any read deadline set by the net/http package
 	// prior to the upgrade.
-	if sc.hs.ReadTimeout != 0 {
+	if sc.hs.ReadTimeout > 0 {
 		sc.conn.SetReadDeadline(time.Time{})
 	}
 
@@ -2116,7 +2117,7 @@
 	st.flow.conn = &sc.flow // link to conn-level counter
 	st.flow.add(sc.initialStreamSendWindowSize)
 	st.inflow.init(sc.srv.initialStreamRecvWindowSize())
-	if sc.hs.WriteTimeout != 0 {
+	if sc.hs.WriteTimeout > 0 {
 		st.writeDeadline = time.AfterFunc(sc.hs.WriteTimeout, st.onWriteTimeout)
 	}
 
diff --git a/vendor/golang.org/x/net/http2/testsync.go b/vendor/golang.org/x/net/http2/testsync.go
new file mode 100644
index 0000000..61075bd
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/testsync.go
@@ -0,0 +1,331 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+package http2
+
+import (
+	"context"
+	"sync"
+	"time"
+)
+
+// testSyncHooks coordinates goroutines in tests.
+//
+// For example, a call to ClientConn.RoundTrip involves several goroutines, including:
+//   - the goroutine running RoundTrip;
+//   - the clientStream.doRequest goroutine, which writes the request; and
+//   - the clientStream.readLoop goroutine, which reads the response.
+//
+// Using testSyncHooks, a test can start a RoundTrip and identify when all these goroutines
+// are blocked waiting for some condition such as reading the Request.Body or waiting for
+// flow control to become available.
+//
+// The testSyncHooks also manage timers and synthetic time in tests.
+// This permits us to, for example, start a request and cause it to time out waiting for
+// response headers without resorting to time.Sleep calls.
+type testSyncHooks struct {
+	// active/inactive act as a mutex and condition variable.
+	//
+	//  - neither chan contains a value: testSyncHooks is locked.
+	//  - active contains a value: unlocked, and at least one goroutine is not blocked
+	//  - inactive contains a value: unlocked, and all goroutines are blocked
+	active   chan struct{}
+	inactive chan struct{}
+
+	// goroutine counts
+	total    int                     // total goroutines
+	condwait map[*sync.Cond]int      // blocked in sync.Cond.Wait
+	blocked  []*testBlockedGoroutine // otherwise blocked
+
+	// fake time
+	now    time.Time
+	timers []*fakeTimer
+
+	// Transport testing: Report various events.
+	newclientconn func(*ClientConn)
+	newstream     func(*clientStream)
+}
+
+// testBlockedGoroutine is a blocked goroutine.
+type testBlockedGoroutine struct {
+	f  func() bool   // blocked until f returns true
+	ch chan struct{} // closed when unblocked
+}
+
+func newTestSyncHooks() *testSyncHooks {
+	h := &testSyncHooks{
+		active:   make(chan struct{}, 1),
+		inactive: make(chan struct{}, 1),
+		condwait: map[*sync.Cond]int{},
+	}
+	h.inactive <- struct{}{}
+	h.now = time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
+	return h
+}
+
+// lock acquires the testSyncHooks mutex.
+func (h *testSyncHooks) lock() {
+	select {
+	case <-h.active:
+	case <-h.inactive:
+	}
+}
+
+// waitInactive waits for all goroutines to become inactive.
+func (h *testSyncHooks) waitInactive() {
+	for {
+		<-h.inactive
+		if !h.unlock() {
+			break
+		}
+	}
+}
+
+// unlock releases the testSyncHooks mutex.
+// It reports whether any goroutines are active.
+func (h *testSyncHooks) unlock() (active bool) {
+	// Look for a blocked goroutine which can be unblocked.
+	blocked := h.blocked[:0]
+	unblocked := false
+	for _, b := range h.blocked {
+		if !unblocked && b.f() {
+			unblocked = true
+			close(b.ch)
+		} else {
+			blocked = append(blocked, b)
+		}
+	}
+	h.blocked = blocked
+
+	// Count goroutines blocked on condition variables.
+	condwait := 0
+	for _, count := range h.condwait {
+		condwait += count
+	}
+
+	if h.total > condwait+len(blocked) {
+		h.active <- struct{}{}
+		return true
+	} else {
+		h.inactive <- struct{}{}
+		return false
+	}
+}
+
+// goRun starts a new goroutine.
+func (h *testSyncHooks) goRun(f func()) {
+	h.lock()
+	h.total++
+	h.unlock()
+	go func() {
+		defer func() {
+			h.lock()
+			h.total--
+			h.unlock()
+		}()
+		f()
+	}()
+}
+
+// blockUntil indicates that a goroutine is blocked waiting for some condition to become true.
+// It waits until f returns true before proceeding.
+//
+// Example usage:
+//
+//	h.blockUntil(func() bool {
+//		// Is the context done yet?
+//		select {
+//		case <-ctx.Done():
+//		default:
+//			return false
+//		}
+//		return true
+//	})
+//	// Wait for the context to become done.
+//	<-ctx.Done()
+//
+// The function f passed to blockUntil must be non-blocking and idempotent.
+func (h *testSyncHooks) blockUntil(f func() bool) {
+	if f() {
+		return
+	}
+	ch := make(chan struct{})
+	h.lock()
+	h.blocked = append(h.blocked, &testBlockedGoroutine{
+		f:  f,
+		ch: ch,
+	})
+	h.unlock()
+	<-ch
+}
+
+// broadcast is sync.Cond.Broadcast.
+func (h *testSyncHooks) condBroadcast(cond *sync.Cond) {
+	h.lock()
+	delete(h.condwait, cond)
+	h.unlock()
+	cond.Broadcast()
+}
+
+// broadcast is sync.Cond.Wait.
+func (h *testSyncHooks) condWait(cond *sync.Cond) {
+	h.lock()
+	h.condwait[cond]++
+	h.unlock()
+}
+
+// newTimer creates a new fake timer.
+func (h *testSyncHooks) newTimer(d time.Duration) timer {
+	h.lock()
+	defer h.unlock()
+	t := &fakeTimer{
+		hooks: h,
+		when:  h.now.Add(d),
+		c:     make(chan time.Time),
+	}
+	h.timers = append(h.timers, t)
+	return t
+}
+
+// afterFunc creates a new fake AfterFunc timer.
+func (h *testSyncHooks) afterFunc(d time.Duration, f func()) timer {
+	h.lock()
+	defer h.unlock()
+	t := &fakeTimer{
+		hooks: h,
+		when:  h.now.Add(d),
+		f:     f,
+	}
+	h.timers = append(h.timers, t)
+	return t
+}
+
+func (h *testSyncHooks) contextWithTimeout(ctx context.Context, d time.Duration) (context.Context, context.CancelFunc) {
+	ctx, cancel := context.WithCancel(ctx)
+	t := h.afterFunc(d, cancel)
+	return ctx, func() {
+		t.Stop()
+		cancel()
+	}
+}
+
+func (h *testSyncHooks) timeUntilEvent() time.Duration {
+	h.lock()
+	defer h.unlock()
+	var next time.Time
+	for _, t := range h.timers {
+		if next.IsZero() || t.when.Before(next) {
+			next = t.when
+		}
+	}
+	if d := next.Sub(h.now); d > 0 {
+		return d
+	}
+	return 0
+}
+
+// advance advances time and causes synthetic timers to fire.
+func (h *testSyncHooks) advance(d time.Duration) {
+	h.lock()
+	defer h.unlock()
+	h.now = h.now.Add(d)
+	timers := h.timers[:0]
+	for _, t := range h.timers {
+		t := t // remove after go.mod depends on go1.22
+		t.mu.Lock()
+		switch {
+		case t.when.After(h.now):
+			timers = append(timers, t)
+		case t.when.IsZero():
+			// stopped timer
+		default:
+			t.when = time.Time{}
+			if t.c != nil {
+				close(t.c)
+			}
+			if t.f != nil {
+				h.total++
+				go func() {
+					defer func() {
+						h.lock()
+						h.total--
+						h.unlock()
+					}()
+					t.f()
+				}()
+			}
+		}
+		t.mu.Unlock()
+	}
+	h.timers = timers
+}
+
+// A timer wraps a time.Timer, or a synthetic equivalent in tests.
+// Unlike time.Timer, timer is single-use: The timer channel is closed when the timer expires.
+type timer interface {
+	C() <-chan time.Time
+	Stop() bool
+	Reset(d time.Duration) bool
+}
+
+// timeTimer implements timer using real time.
+type timeTimer struct {
+	t *time.Timer
+	c chan time.Time
+}
+
+// newTimeTimer creates a new timer using real time.
+func newTimeTimer(d time.Duration) timer {
+	ch := make(chan time.Time)
+	t := time.AfterFunc(d, func() {
+		close(ch)
+	})
+	return &timeTimer{t, ch}
+}
+
+// newTimeAfterFunc creates an AfterFunc timer using real time.
+func newTimeAfterFunc(d time.Duration, f func()) timer {
+	return &timeTimer{
+		t: time.AfterFunc(d, f),
+	}
+}
+
+func (t timeTimer) C() <-chan time.Time        { return t.c }
+func (t timeTimer) Stop() bool                 { return t.t.Stop() }
+func (t timeTimer) Reset(d time.Duration) bool { return t.t.Reset(d) }
+
+// fakeTimer implements timer using fake time.
+type fakeTimer struct {
+	hooks *testSyncHooks
+
+	mu   sync.Mutex
+	when time.Time      // when the timer will fire
+	c    chan time.Time // closed when the timer fires; mutually exclusive with f
+	f    func()         // called when the timer fires; mutually exclusive with c
+}
+
+func (t *fakeTimer) C() <-chan time.Time { return t.c }
+
+func (t *fakeTimer) Stop() bool {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	stopped := t.when.IsZero()
+	t.when = time.Time{}
+	return stopped
+}
+
+func (t *fakeTimer) Reset(d time.Duration) bool {
+	if t.c != nil || t.f == nil {
+		panic("fakeTimer only supports Reset on AfterFunc timers")
+	}
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	t.hooks.lock()
+	defer t.hooks.unlock()
+	active := !t.when.IsZero()
+	t.when = t.hooks.now.Add(d)
+	if !active {
+		t.hooks.timers = append(t.hooks.timers, t)
+	}
+	return active
+}
diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
index df578b8..ce375c8 100644
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@@ -147,6 +147,12 @@
 	// waiting for their turn.
 	StrictMaxConcurrentStreams bool
 
+	// IdleConnTimeout is the maximum amount of time an idle
+	// (keep-alive) connection will remain idle before closing
+	// itself.
+	// Zero means no limit.
+	IdleConnTimeout time.Duration
+
 	// ReadIdleTimeout is the timeout after which a health check using ping
 	// frame will be carried out if no frame is received on the connection.
 	// Note that a ping response will is considered a received frame, so if
@@ -178,6 +184,8 @@
 
 	connPoolOnce  sync.Once
 	connPoolOrDef ClientConnPool // non-nil version of ConnPool
+
+	syncHooks *testSyncHooks
 }
 
 func (t *Transport) maxHeaderListSize() uint32 {
@@ -302,7 +310,7 @@
 	readerErr  error         // set before readerDone is closed
 
 	idleTimeout time.Duration // or 0 for never
-	idleTimer   *time.Timer
+	idleTimer   timer
 
 	mu              sync.Mutex // guards following
 	cond            *sync.Cond // hold mu; broadcast on flow/closed changes
@@ -344,6 +352,60 @@
 	werr error        // first write error that has occurred
 	hbuf bytes.Buffer // HPACK encoder writes into this
 	henc *hpack.Encoder
+
+	syncHooks *testSyncHooks // can be nil
+}
+
+// Hook points used for testing.
+// Outside of tests, cc.syncHooks is nil and these all have minimal implementations.
+// Inside tests, see the testSyncHooks function docs.
+
+// goRun starts a new goroutine.
+func (cc *ClientConn) goRun(f func()) {
+	if cc.syncHooks != nil {
+		cc.syncHooks.goRun(f)
+		return
+	}
+	go f()
+}
+
+// condBroadcast is cc.cond.Broadcast.
+func (cc *ClientConn) condBroadcast() {
+	if cc.syncHooks != nil {
+		cc.syncHooks.condBroadcast(cc.cond)
+	}
+	cc.cond.Broadcast()
+}
+
+// condWait is cc.cond.Wait.
+func (cc *ClientConn) condWait() {
+	if cc.syncHooks != nil {
+		cc.syncHooks.condWait(cc.cond)
+	}
+	cc.cond.Wait()
+}
+
+// newTimer creates a new time.Timer, or a synthetic timer in tests.
+func (cc *ClientConn) newTimer(d time.Duration) timer {
+	if cc.syncHooks != nil {
+		return cc.syncHooks.newTimer(d)
+	}
+	return newTimeTimer(d)
+}
+
+// afterFunc creates a new time.AfterFunc timer, or a synthetic timer in tests.
+func (cc *ClientConn) afterFunc(d time.Duration, f func()) timer {
+	if cc.syncHooks != nil {
+		return cc.syncHooks.afterFunc(d, f)
+	}
+	return newTimeAfterFunc(d, f)
+}
+
+func (cc *ClientConn) contextWithTimeout(ctx context.Context, d time.Duration) (context.Context, context.CancelFunc) {
+	if cc.syncHooks != nil {
+		return cc.syncHooks.contextWithTimeout(ctx, d)
+	}
+	return context.WithTimeout(ctx, d)
 }
 
 // clientStream is the state for a single HTTP/2 stream. One of these
@@ -425,7 +487,7 @@
 	// TODO(dneil): Clean up tests where cs.cc.cond is nil.
 	if cs.cc.cond != nil {
 		// Wake up writeRequestBody if it is waiting on flow control.
-		cs.cc.cond.Broadcast()
+		cs.cc.condBroadcast()
 	}
 }
 
@@ -435,7 +497,7 @@
 	defer cc.mu.Unlock()
 	if cs.reqBody != nil && cs.reqBodyClosed == nil {
 		cs.closeReqBodyLocked()
-		cc.cond.Broadcast()
+		cc.condBroadcast()
 	}
 }
 
@@ -445,10 +507,10 @@
 	}
 	cs.reqBodyClosed = make(chan struct{})
 	reqBodyClosed := cs.reqBodyClosed
-	go func() {
+	cs.cc.goRun(func() {
 		cs.reqBody.Close()
 		close(reqBodyClosed)
-	}()
+	})
 }
 
 type stickyErrWriter struct {
@@ -537,15 +599,6 @@
 	return net.JoinHostPort(host, port)
 }
 
-var retryBackoffHook func(time.Duration) *time.Timer
-
-func backoffNewTimer(d time.Duration) *time.Timer {
-	if retryBackoffHook != nil {
-		return retryBackoffHook(d)
-	}
-	return time.NewTimer(d)
-}
-
 // RoundTripOpt is like RoundTrip, but takes options.
 func (t *Transport) RoundTripOpt(req *http.Request, opt RoundTripOpt) (*http.Response, error) {
 	if !(req.URL.Scheme == "https" || (req.URL.Scheme == "http" && t.AllowHTTP)) {
@@ -573,13 +626,27 @@
 				backoff := float64(uint(1) << (uint(retry) - 1))
 				backoff += backoff * (0.1 * mathrand.Float64())
 				d := time.Second * time.Duration(backoff)
-				timer := backoffNewTimer(d)
+				var tm timer
+				if t.syncHooks != nil {
+					tm = t.syncHooks.newTimer(d)
+					t.syncHooks.blockUntil(func() bool {
+						select {
+						case <-tm.C():
+						case <-req.Context().Done():
+						default:
+							return false
+						}
+						return true
+					})
+				} else {
+					tm = newTimeTimer(d)
+				}
 				select {
-				case <-timer.C:
+				case <-tm.C():
 					t.vlogf("RoundTrip retrying after failure: %v", roundTripErr)
 					continue
 				case <-req.Context().Done():
-					timer.Stop()
+					tm.Stop()
 					err = req.Context().Err()
 				}
 			}
@@ -658,6 +725,9 @@
 }
 
 func (t *Transport) dialClientConn(ctx context.Context, addr string, singleUse bool) (*ClientConn, error) {
+	if t.syncHooks != nil {
+		return t.newClientConn(nil, singleUse, t.syncHooks)
+	}
 	host, _, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, err
@@ -666,7 +736,7 @@
 	if err != nil {
 		return nil, err
 	}
-	return t.newClientConn(tconn, singleUse)
+	return t.newClientConn(tconn, singleUse, nil)
 }
 
 func (t *Transport) newTLSConfig(host string) *tls.Config {
@@ -732,10 +802,10 @@
 }
 
 func (t *Transport) NewClientConn(c net.Conn) (*ClientConn, error) {
-	return t.newClientConn(c, t.disableKeepAlives())
+	return t.newClientConn(c, t.disableKeepAlives(), nil)
 }
 
-func (t *Transport) newClientConn(c net.Conn, singleUse bool) (*ClientConn, error) {
+func (t *Transport) newClientConn(c net.Conn, singleUse bool, hooks *testSyncHooks) (*ClientConn, error) {
 	cc := &ClientConn{
 		t:                     t,
 		tconn:                 c,
@@ -750,10 +820,15 @@
 		wantSettingsAck:       true,
 		pings:                 make(map[[8]byte]chan struct{}),
 		reqHeaderMu:           make(chan struct{}, 1),
+		syncHooks:             hooks,
+	}
+	if hooks != nil {
+		hooks.newclientconn(cc)
+		c = cc.tconn
 	}
 	if d := t.idleConnTimeout(); d != 0 {
 		cc.idleTimeout = d
-		cc.idleTimer = time.AfterFunc(d, cc.onIdleTimeout)
+		cc.idleTimer = cc.afterFunc(d, cc.onIdleTimeout)
 	}
 	if VerboseLogs {
 		t.vlogf("http2: Transport creating client conn %p to %v", cc, c.RemoteAddr())
@@ -818,7 +893,7 @@
 		return nil, cc.werr
 	}
 
-	go cc.readLoop()
+	cc.goRun(cc.readLoop)
 	return cc, nil
 }
 
@@ -826,7 +901,7 @@
 	pingTimeout := cc.t.pingTimeout()
 	// We don't need to periodically ping in the health check, because the readLoop of ClientConn will
 	// trigger the healthCheck again if there is no frame received.
-	ctx, cancel := context.WithTimeout(context.Background(), pingTimeout)
+	ctx, cancel := cc.contextWithTimeout(context.Background(), pingTimeout)
 	defer cancel()
 	cc.vlogf("http2: Transport sending health check")
 	err := cc.Ping(ctx)
@@ -1056,7 +1131,7 @@
 	// Wait for all in-flight streams to complete or connection to close
 	done := make(chan struct{})
 	cancelled := false // guarded by cc.mu
-	go func() {
+	cc.goRun(func() {
 		cc.mu.Lock()
 		defer cc.mu.Unlock()
 		for {
@@ -1068,9 +1143,9 @@
 			if cancelled {
 				break
 			}
-			cc.cond.Wait()
+			cc.condWait()
 		}
-	}()
+	})
 	shutdownEnterWaitStateHook()
 	select {
 	case <-done:
@@ -1080,7 +1155,7 @@
 		cc.mu.Lock()
 		// Free the goroutine above
 		cancelled = true
-		cc.cond.Broadcast()
+		cc.condBroadcast()
 		cc.mu.Unlock()
 		return ctx.Err()
 	}
@@ -1118,7 +1193,7 @@
 	for _, cs := range cc.streams {
 		cs.abortStreamLocked(err)
 	}
-	cc.cond.Broadcast()
+	cc.condBroadcast()
 	cc.mu.Unlock()
 	cc.closeConn()
 }
@@ -1215,6 +1290,10 @@
 }
 
 func (cc *ClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
+	return cc.roundTrip(req, nil)
+}
+
+func (cc *ClientConn) roundTrip(req *http.Request, streamf func(*clientStream)) (*http.Response, error) {
 	ctx := req.Context()
 	cs := &clientStream{
 		cc:                   cc,
@@ -1229,9 +1308,23 @@
 		respHeaderRecv:       make(chan struct{}),
 		donec:                make(chan struct{}),
 	}
-	go cs.doRequest(req)
+	cc.goRun(func() {
+		cs.doRequest(req)
+	})
 
 	waitDone := func() error {
+		if cc.syncHooks != nil {
+			cc.syncHooks.blockUntil(func() bool {
+				select {
+				case <-cs.donec:
+				case <-ctx.Done():
+				case <-cs.reqCancel:
+				default:
+					return false
+				}
+				return true
+			})
+		}
 		select {
 		case <-cs.donec:
 			return nil
@@ -1292,7 +1385,24 @@
 		return err
 	}
 
+	if streamf != nil {
+		streamf(cs)
+	}
+
 	for {
+		if cc.syncHooks != nil {
+			cc.syncHooks.blockUntil(func() bool {
+				select {
+				case <-cs.respHeaderRecv:
+				case <-cs.abort:
+				case <-ctx.Done():
+				case <-cs.reqCancel:
+				default:
+					return false
+				}
+				return true
+			})
+		}
 		select {
 		case <-cs.respHeaderRecv:
 			return handleResponseHeaders()
@@ -1348,6 +1458,21 @@
 	if cc.reqHeaderMu == nil {
 		panic("RoundTrip on uninitialized ClientConn") // for tests
 	}
+	var newStreamHook func(*clientStream)
+	if cc.syncHooks != nil {
+		newStreamHook = cc.syncHooks.newstream
+		cc.syncHooks.blockUntil(func() bool {
+			select {
+			case cc.reqHeaderMu <- struct{}{}:
+				<-cc.reqHeaderMu
+			case <-cs.reqCancel:
+			case <-ctx.Done():
+			default:
+				return false
+			}
+			return true
+		})
+	}
 	select {
 	case cc.reqHeaderMu <- struct{}{}:
 	case <-cs.reqCancel:
@@ -1372,6 +1497,10 @@
 	}
 	cc.mu.Unlock()
 
+	if newStreamHook != nil {
+		newStreamHook(cs)
+	}
+
 	// TODO(bradfitz): this is a copy of the logic in net/http. Unify somewhere?
 	if !cc.t.disableCompression() &&
 		req.Header.Get("Accept-Encoding") == "" &&
@@ -1452,15 +1581,30 @@
 	var respHeaderTimer <-chan time.Time
 	var respHeaderRecv chan struct{}
 	if d := cc.responseHeaderTimeout(); d != 0 {
-		timer := time.NewTimer(d)
+		timer := cc.newTimer(d)
 		defer timer.Stop()
-		respHeaderTimer = timer.C
+		respHeaderTimer = timer.C()
 		respHeaderRecv = cs.respHeaderRecv
 	}
 	// Wait until the peer half-closes its end of the stream,
 	// or until the request is aborted (via context, error, or otherwise),
 	// whichever comes first.
 	for {
+		if cc.syncHooks != nil {
+			cc.syncHooks.blockUntil(func() bool {
+				select {
+				case <-cs.peerClosed:
+				case <-respHeaderTimer:
+				case <-respHeaderRecv:
+				case <-cs.abort:
+				case <-ctx.Done():
+				case <-cs.reqCancel:
+				default:
+					return false
+				}
+				return true
+			})
+		}
 		select {
 		case <-cs.peerClosed:
 			return nil
@@ -1609,7 +1753,7 @@
 			return nil
 		}
 		cc.pendingRequests++
-		cc.cond.Wait()
+		cc.condWait()
 		cc.pendingRequests--
 		select {
 		case <-cs.abort:
@@ -1871,10 +2015,26 @@
 			cs.flow.take(take)
 			return take, nil
 		}
-		cc.cond.Wait()
+		cc.condWait()
 	}
 }
 
+func validateHeaders(hdrs http.Header) string {
+	for k, vv := range hdrs {
+		if !httpguts.ValidHeaderFieldName(k) {
+			return fmt.Sprintf("name %q", k)
+		}
+		for _, v := range vv {
+			if !httpguts.ValidHeaderFieldValue(v) {
+				// Don't include the value in the error,
+				// because it may be sensitive.
+				return fmt.Sprintf("value for header %q", k)
+			}
+		}
+	}
+	return ""
+}
+
 var errNilRequestURL = errors.New("http2: Request.URI is nil")
 
 // requires cc.wmu be held.
@@ -1912,19 +2072,14 @@
 		}
 	}
 
-	// Check for any invalid headers and return an error before we
+	// Check for any invalid headers+trailers and return an error before we
 	// potentially pollute our hpack state. (We want to be able to
 	// continue to reuse the hpack encoder for future requests)
-	for k, vv := range req.Header {
-		if !httpguts.ValidHeaderFieldName(k) {
-			return nil, fmt.Errorf("invalid HTTP header name %q", k)
-		}
-		for _, v := range vv {
-			if !httpguts.ValidHeaderFieldValue(v) {
-				// Don't include the value in the error, because it may be sensitive.
-				return nil, fmt.Errorf("invalid HTTP header value for header %q", k)
-			}
-		}
+	if err := validateHeaders(req.Header); err != "" {
+		return nil, fmt.Errorf("invalid HTTP header %s", err)
+	}
+	if err := validateHeaders(req.Trailer); err != "" {
+		return nil, fmt.Errorf("invalid HTTP trailer %s", err)
 	}
 
 	enumerateHeaders := func(f func(name, value string)) {
@@ -2143,7 +2298,7 @@
 	}
 	// Wake up writeRequestBody via clientStream.awaitFlowControl and
 	// wake up RoundTrip if there is a pending request.
-	cc.cond.Broadcast()
+	cc.condBroadcast()
 
 	closeOnIdle := cc.singleUse || cc.doNotReuse || cc.t.disableKeepAlives() || cc.goAway != nil
 	if closeOnIdle && cc.streamsReserved == 0 && len(cc.streams) == 0 {
@@ -2231,7 +2386,7 @@
 			cs.abortStreamLocked(err)
 		}
 	}
-	cc.cond.Broadcast()
+	cc.condBroadcast()
 	cc.mu.Unlock()
 }
 
@@ -2266,10 +2421,9 @@
 	cc := rl.cc
 	gotSettings := false
 	readIdleTimeout := cc.t.ReadIdleTimeout
-	var t *time.Timer
+	var t timer
 	if readIdleTimeout != 0 {
-		t = time.AfterFunc(readIdleTimeout, cc.healthCheck)
-		defer t.Stop()
+		t = cc.afterFunc(readIdleTimeout, cc.healthCheck)
 	}
 	for {
 		f, err := cc.fr.ReadFrame()
@@ -2684,7 +2838,7 @@
 		})
 		return nil
 	}
-	if !cs.firstByte {
+	if !cs.pastHeaders {
 		cc.logf("protocol error: received DATA before a HEADERS frame")
 		rl.endStreamError(cs, StreamError{
 			StreamID: f.StreamID,
@@ -2867,7 +3021,7 @@
 			for _, cs := range cc.streams {
 				cs.flow.add(delta)
 			}
-			cc.cond.Broadcast()
+			cc.condBroadcast()
 
 			cc.initialWindowSize = s.Val
 		case SettingHeaderTableSize:
@@ -2911,9 +3065,18 @@
 		fl = &cs.flow
 	}
 	if !fl.add(int32(f.Increment)) {
+		// For stream, the sender sends RST_STREAM with an error code of FLOW_CONTROL_ERROR
+		if cs != nil {
+			rl.endStreamError(cs, StreamError{
+				StreamID: f.StreamID,
+				Code:     ErrCodeFlowControl,
+			})
+			return nil
+		}
+
 		return ConnectionError(ErrCodeFlowControl)
 	}
-	cc.cond.Broadcast()
+	cc.condBroadcast()
 	return nil
 }
 
@@ -2955,24 +3118,38 @@
 		}
 		cc.mu.Unlock()
 	}
-	errc := make(chan error, 1)
-	go func() {
+	var pingError error
+	errc := make(chan struct{})
+	cc.goRun(func() {
 		cc.wmu.Lock()
 		defer cc.wmu.Unlock()
-		if err := cc.fr.WritePing(false, p); err != nil {
-			errc <- err
+		if pingError = cc.fr.WritePing(false, p); pingError != nil {
+			close(errc)
 			return
 		}
-		if err := cc.bw.Flush(); err != nil {
-			errc <- err
+		if pingError = cc.bw.Flush(); pingError != nil {
+			close(errc)
 			return
 		}
-	}()
+	})
+	if cc.syncHooks != nil {
+		cc.syncHooks.blockUntil(func() bool {
+			select {
+			case <-c:
+			case <-errc:
+			case <-ctx.Done():
+			case <-cc.readerDone:
+			default:
+				return false
+			}
+			return true
+		})
+	}
 	select {
 	case <-c:
 		return nil
-	case err := <-errc:
-		return err
+	case <-errc:
+		return pingError
 	case <-ctx.Done():
 		return ctx.Err()
 	case <-cc.readerDone:
@@ -3141,9 +3318,17 @@
 }
 
 func (t *Transport) idleConnTimeout() time.Duration {
+	// to keep things backwards compatible, we use non-zero values of
+	// IdleConnTimeout, followed by using the IdleConnTimeout on the underlying
+	// http1 transport, followed by 0
+	if t.IdleConnTimeout != 0 {
+		return t.IdleConnTimeout
+	}
+
 	if t.t1 != nil {
 		return t.t1.IdleConnTimeout
 	}
+
 	return 0
 }
 
diff --git a/vendor/golang.org/x/net/websocket/client.go b/vendor/golang.org/x/net/websocket/client.go
index 69a4ac7..1e64157 100644
--- a/vendor/golang.org/x/net/websocket/client.go
+++ b/vendor/golang.org/x/net/websocket/client.go
@@ -6,10 +6,12 @@
 
 import (
 	"bufio"
+	"context"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
+	"time"
 )
 
 // DialError is an error that occurs while dialling a websocket server.
@@ -79,28 +81,59 @@
 
 // DialConfig opens a new client connection to a WebSocket with a config.
 func DialConfig(config *Config) (ws *Conn, err error) {
-	var client net.Conn
+	return config.DialContext(context.Background())
+}
+
+// DialContext opens a new client connection to a WebSocket, with context support for timeouts/cancellation.
+func (config *Config) DialContext(ctx context.Context) (*Conn, error) {
 	if config.Location == nil {
 		return nil, &DialError{config, ErrBadWebSocketLocation}
 	}
 	if config.Origin == nil {
 		return nil, &DialError{config, ErrBadWebSocketOrigin}
 	}
+
 	dialer := config.Dialer
 	if dialer == nil {
 		dialer = &net.Dialer{}
 	}
-	client, err = dialWithDialer(dialer, config)
-	if err != nil {
-		goto Error
-	}
-	ws, err = NewClient(config, client)
-	if err != nil {
-		client.Close()
-		goto Error
-	}
-	return
 
-Error:
-	return nil, &DialError{config, err}
+	client, err := dialWithDialer(ctx, dialer, config)
+	if err != nil {
+		return nil, &DialError{config, err}
+	}
+
+	// Cleanup the connection if we fail to create the websocket successfully
+	success := false
+	defer func() {
+		if !success {
+			_ = client.Close()
+		}
+	}()
+
+	var ws *Conn
+	var wsErr error
+	doneConnecting := make(chan struct{})
+	go func() {
+		defer close(doneConnecting)
+		ws, err = NewClient(config, client)
+		if err != nil {
+			wsErr = &DialError{config, err}
+		}
+	}()
+
+	// The websocket.NewClient() function can block indefinitely, make sure that we
+	// respect the deadlines specified by the context.
+	select {
+	case <-ctx.Done():
+		// Force the pending operations to fail, terminating the pending connection attempt
+		_ = client.SetDeadline(time.Now())
+		<-doneConnecting // Wait for the goroutine that tries to establish the connection to finish
+		return nil, &DialError{config, ctx.Err()}
+	case <-doneConnecting:
+		if wsErr == nil {
+			success = true // Disarm the deferred connection cleanup
+		}
+		return ws, wsErr
+	}
 }
diff --git a/vendor/golang.org/x/net/websocket/dial.go b/vendor/golang.org/x/net/websocket/dial.go
index 2dab943..8a2d83c 100644
--- a/vendor/golang.org/x/net/websocket/dial.go
+++ b/vendor/golang.org/x/net/websocket/dial.go
@@ -5,18 +5,23 @@
 package websocket
 
 import (
+	"context"
 	"crypto/tls"
 	"net"
 )
 
-func dialWithDialer(dialer *net.Dialer, config *Config) (conn net.Conn, err error) {
+func dialWithDialer(ctx context.Context, dialer *net.Dialer, config *Config) (conn net.Conn, err error) {
 	switch config.Location.Scheme {
 	case "ws":
-		conn, err = dialer.Dial("tcp", parseAuthority(config.Location))
+		conn, err = dialer.DialContext(ctx, "tcp", parseAuthority(config.Location))
 
 	case "wss":
-		conn, err = tls.DialWithDialer(dialer, "tcp", parseAuthority(config.Location), config.TlsConfig)
+		tlsDialer := &tls.Dialer{
+			NetDialer: dialer,
+			Config:    config.TlsConfig,
+		}
 
+		conn, err = tlsDialer.DialContext(ctx, "tcp", parseAuthority(config.Location))
 	default:
 		err = ErrBadScheme
 	}
diff --git a/vendor/golang.org/x/sys/execabs/execabs.go b/vendor/golang.org/x/sys/execabs/execabs.go
deleted file mode 100644
index 3bf40fd..0000000
--- a/vendor/golang.org/x/sys/execabs/execabs.go
+++ /dev/null
@@ -1,102 +0,0 @@
-// Copyright 2020 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package execabs is a drop-in replacement for os/exec
-// that requires PATH lookups to find absolute paths.
-// That is, execabs.Command("cmd") runs the same PATH lookup
-// as exec.Command("cmd"), but if the result is a path
-// which is relative, the Run and Start methods will report
-// an error instead of running the executable.
-//
-// See https://blog.golang.org/path-security for more information
-// about when it may be necessary or appropriate to use this package.
-package execabs
-
-import (
-	"context"
-	"fmt"
-	"os/exec"
-	"path/filepath"
-	"reflect"
-	"unsafe"
-)
-
-// ErrNotFound is the error resulting if a path search failed to find an executable file.
-// It is an alias for exec.ErrNotFound.
-var ErrNotFound = exec.ErrNotFound
-
-// Cmd represents an external command being prepared or run.
-// It is an alias for exec.Cmd.
-type Cmd = exec.Cmd
-
-// Error is returned by LookPath when it fails to classify a file as an executable.
-// It is an alias for exec.Error.
-type Error = exec.Error
-
-// An ExitError reports an unsuccessful exit by a command.
-// It is an alias for exec.ExitError.
-type ExitError = exec.ExitError
-
-func relError(file, path string) error {
-	return fmt.Errorf("%s resolves to executable in current directory (.%c%s)", file, filepath.Separator, path)
-}
-
-// LookPath searches for an executable named file in the directories
-// named by the PATH environment variable. If file contains a slash,
-// it is tried directly and the PATH is not consulted. The result will be
-// an absolute path.
-//
-// LookPath differs from exec.LookPath in its handling of PATH lookups,
-// which are used for file names without slashes. If exec.LookPath's
-// PATH lookup would have returned an executable from the current directory,
-// LookPath instead returns an error.
-func LookPath(file string) (string, error) {
-	path, err := exec.LookPath(file)
-	if err != nil && !isGo119ErrDot(err) {
-		return "", err
-	}
-	if filepath.Base(file) == file && !filepath.IsAbs(path) {
-		return "", relError(file, path)
-	}
-	return path, nil
-}
-
-func fixCmd(name string, cmd *exec.Cmd) {
-	if filepath.Base(name) == name && !filepath.IsAbs(cmd.Path) && !isGo119ErrFieldSet(cmd) {
-		// exec.Command was called with a bare binary name and
-		// exec.LookPath returned a path which is not absolute.
-		// Set cmd.lookPathErr and clear cmd.Path so that it
-		// cannot be run.
-		lookPathErr := (*error)(unsafe.Pointer(reflect.ValueOf(cmd).Elem().FieldByName("lookPathErr").Addr().Pointer()))
-		if *lookPathErr == nil {
-			*lookPathErr = relError(name, cmd.Path)
-		}
-		cmd.Path = ""
-	}
-}
-
-// CommandContext is like Command but includes a context.
-//
-// The provided context is used to kill the process (by calling os.Process.Kill)
-// if the context becomes done before the command completes on its own.
-func CommandContext(ctx context.Context, name string, arg ...string) *exec.Cmd {
-	cmd := exec.CommandContext(ctx, name, arg...)
-	fixCmd(name, cmd)
-	return cmd
-
-}
-
-// Command returns the Cmd struct to execute the named program with the given arguments.
-// See exec.Command for most details.
-//
-// Command differs from exec.Command in its handling of PATH lookups,
-// which are used when the program name contains no slashes.
-// If exec.Command would have returned an exec.Cmd configured to run an
-// executable from the current directory, Command instead
-// returns an exec.Cmd that will return an error from Start or Run.
-func Command(name string, arg ...string) *exec.Cmd {
-	cmd := exec.Command(name, arg...)
-	fixCmd(name, cmd)
-	return cmd
-}
diff --git a/vendor/golang.org/x/sys/execabs/execabs_go118.go b/vendor/golang.org/x/sys/execabs/execabs_go118.go
deleted file mode 100644
index 5627d70..0000000
--- a/vendor/golang.org/x/sys/execabs/execabs_go118.go
+++ /dev/null
@@ -1,17 +0,0 @@
-// Copyright 2022 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.19
-
-package execabs
-
-import "os/exec"
-
-func isGo119ErrDot(err error) bool {
-	return false
-}
-
-func isGo119ErrFieldSet(cmd *exec.Cmd) bool {
-	return false
-}
diff --git a/vendor/golang.org/x/sys/execabs/execabs_go119.go b/vendor/golang.org/x/sys/execabs/execabs_go119.go
deleted file mode 100644
index d60ab1b..0000000
--- a/vendor/golang.org/x/sys/execabs/execabs_go119.go
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2022 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.19
-
-package execabs
-
-import (
-	"errors"
-	"os/exec"
-)
-
-func isGo119ErrDot(err error) bool {
-	return errors.Is(err, exec.ErrDot)
-}
-
-func isGo119ErrFieldSet(cmd *exec.Cmd) bool {
-	return cmd.Err != nil
-}
diff --git a/vendor/golang.org/x/tools/cmd/stringer/stringer.go b/vendor/golang.org/x/tools/cmd/stringer/stringer.go
deleted file mode 100644
index 2b19c93..0000000
--- a/vendor/golang.org/x/tools/cmd/stringer/stringer.go
+++ /dev/null
@@ -1,660 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Stringer is a tool to automate the creation of methods that satisfy the fmt.Stringer
-// interface. Given the name of a (signed or unsigned) integer type T that has constants
-// defined, stringer will create a new self-contained Go source file implementing
-//
-//	func (t T) String() string
-//
-// The file is created in the same package and directory as the package that defines T.
-// It has helpful defaults designed for use with go generate.
-//
-// Stringer works best with constants that are consecutive values such as created using iota,
-// but creates good code regardless. In the future it might also provide custom support for
-// constant sets that are bit patterns.
-//
-// For example, given this snippet,
-//
-//	package painkiller
-//
-//	type Pill int
-//
-//	const (
-//		Placebo Pill = iota
-//		Aspirin
-//		Ibuprofen
-//		Paracetamol
-//		Acetaminophen = Paracetamol
-//	)
-//
-// running this command
-//
-//	stringer -type=Pill
-//
-// in the same directory will create the file pill_string.go, in package painkiller,
-// containing a definition of
-//
-//	func (Pill) String() string
-//
-// That method will translate the value of a Pill constant to the string representation
-// of the respective constant name, so that the call fmt.Print(painkiller.Aspirin) will
-// print the string "Aspirin".
-//
-// Typically this process would be run using go generate, like this:
-//
-//	//go:generate stringer -type=Pill
-//
-// If multiple constants have the same value, the lexically first matching name will
-// be used (in the example, Acetaminophen will print as "Paracetamol").
-//
-// With no arguments, it processes the package in the current directory.
-// Otherwise, the arguments must name a single directory holding a Go package
-// or a set of Go source files that represent a single Go package.
-//
-// The -type flag accepts a comma-separated list of types so a single run can
-// generate methods for multiple types. The default output file is t_string.go,
-// where t is the lower-cased name of the first type listed. It can be overridden
-// with the -output flag.
-//
-// The -linecomment flag tells stringer to generate the text of any line comment, trimmed
-// of leading spaces, instead of the constant name. For instance, if the constants above had a
-// Pill prefix, one could write
-//
-//	PillAspirin // Aspirin
-//
-// to suppress it in the output.
-package main // import "golang.org/x/tools/cmd/stringer"
-
-import (
-	"bytes"
-	"flag"
-	"fmt"
-	"go/ast"
-	"go/constant"
-	"go/format"
-	"go/token"
-	"go/types"
-	"log"
-	"os"
-	"path/filepath"
-	"sort"
-	"strings"
-
-	"golang.org/x/tools/go/packages"
-)
-
-var (
-	typeNames   = flag.String("type", "", "comma-separated list of type names; must be set")
-	output      = flag.String("output", "", "output file name; default srcdir/<type>_string.go")
-	trimprefix  = flag.String("trimprefix", "", "trim the `prefix` from the generated constant names")
-	linecomment = flag.Bool("linecomment", false, "use line comment text as printed text when present")
-	buildTags   = flag.String("tags", "", "comma-separated list of build tags to apply")
-)
-
-// Usage is a replacement usage function for the flags package.
-func Usage() {
-	fmt.Fprintf(os.Stderr, "Usage of stringer:\n")
-	fmt.Fprintf(os.Stderr, "\tstringer [flags] -type T [directory]\n")
-	fmt.Fprintf(os.Stderr, "\tstringer [flags] -type T files... # Must be a single package\n")
-	fmt.Fprintf(os.Stderr, "For more information, see:\n")
-	fmt.Fprintf(os.Stderr, "\thttps://pkg.go.dev/golang.org/x/tools/cmd/stringer\n")
-	fmt.Fprintf(os.Stderr, "Flags:\n")
-	flag.PrintDefaults()
-}
-
-func main() {
-	log.SetFlags(0)
-	log.SetPrefix("stringer: ")
-	flag.Usage = Usage
-	flag.Parse()
-	if len(*typeNames) == 0 {
-		flag.Usage()
-		os.Exit(2)
-	}
-	types := strings.Split(*typeNames, ",")
-	var tags []string
-	if len(*buildTags) > 0 {
-		tags = strings.Split(*buildTags, ",")
-	}
-
-	// We accept either one directory or a list of files. Which do we have?
-	args := flag.Args()
-	if len(args) == 0 {
-		// Default: process whole package in current directory.
-		args = []string{"."}
-	}
-
-	// Parse the package once.
-	var dir string
-	g := Generator{
-		trimPrefix:  *trimprefix,
-		lineComment: *linecomment,
-	}
-	// TODO(suzmue): accept other patterns for packages (directories, list of files, import paths, etc).
-	if len(args) == 1 && isDirectory(args[0]) {
-		dir = args[0]
-	} else {
-		if len(tags) != 0 {
-			log.Fatal("-tags option applies only to directories, not when files are specified")
-		}
-		dir = filepath.Dir(args[0])
-	}
-
-	g.parsePackage(args, tags)
-
-	// Print the header and package clause.
-	g.Printf("// Code generated by \"stringer %s\"; DO NOT EDIT.\n", strings.Join(os.Args[1:], " "))
-	g.Printf("\n")
-	g.Printf("package %s", g.pkg.name)
-	g.Printf("\n")
-	g.Printf("import \"strconv\"\n") // Used by all methods.
-
-	// Run generate for each type.
-	for _, typeName := range types {
-		g.generate(typeName)
-	}
-
-	// Format the output.
-	src := g.format()
-
-	// Write to file.
-	outputName := *output
-	if outputName == "" {
-		baseName := fmt.Sprintf("%s_string.go", types[0])
-		outputName = filepath.Join(dir, strings.ToLower(baseName))
-	}
-	err := os.WriteFile(outputName, src, 0644)
-	if err != nil {
-		log.Fatalf("writing output: %s", err)
-	}
-}
-
-// isDirectory reports whether the named file is a directory.
-func isDirectory(name string) bool {
-	info, err := os.Stat(name)
-	if err != nil {
-		log.Fatal(err)
-	}
-	return info.IsDir()
-}
-
-// Generator holds the state of the analysis. Primarily used to buffer
-// the output for format.Source.
-type Generator struct {
-	buf bytes.Buffer // Accumulated output.
-	pkg *Package     // Package we are scanning.
-
-	trimPrefix  string
-	lineComment bool
-
-	logf func(format string, args ...interface{}) // test logging hook; nil when not testing
-}
-
-func (g *Generator) Printf(format string, args ...interface{}) {
-	fmt.Fprintf(&g.buf, format, args...)
-}
-
-// File holds a single parsed file and associated data.
-type File struct {
-	pkg  *Package  // Package to which this file belongs.
-	file *ast.File // Parsed AST.
-	// These fields are reset for each type being generated.
-	typeName string  // Name of the constant type.
-	values   []Value // Accumulator for constant values of that type.
-
-	trimPrefix  string
-	lineComment bool
-}
-
-type Package struct {
-	name  string
-	defs  map[*ast.Ident]types.Object
-	files []*File
-}
-
-// parsePackage analyzes the single package constructed from the patterns and tags.
-// parsePackage exits if there is an error.
-func (g *Generator) parsePackage(patterns []string, tags []string) {
-	cfg := &packages.Config{
-		Mode: packages.NeedName | packages.NeedTypes | packages.NeedTypesInfo | packages.NeedSyntax,
-		// TODO: Need to think about constants in test files. Maybe write type_string_test.go
-		// in a separate pass? For later.
-		Tests:      false,
-		BuildFlags: []string{fmt.Sprintf("-tags=%s", strings.Join(tags, " "))},
-		Logf:       g.logf,
-	}
-	pkgs, err := packages.Load(cfg, patterns...)
-	if err != nil {
-		log.Fatal(err)
-	}
-	if len(pkgs) != 1 {
-		log.Fatalf("error: %d packages matching %v", len(pkgs), strings.Join(patterns, " "))
-	}
-	g.addPackage(pkgs[0])
-}
-
-// addPackage adds a type checked Package and its syntax files to the generator.
-func (g *Generator) addPackage(pkg *packages.Package) {
-	g.pkg = &Package{
-		name:  pkg.Name,
-		defs:  pkg.TypesInfo.Defs,
-		files: make([]*File, len(pkg.Syntax)),
-	}
-
-	for i, file := range pkg.Syntax {
-		g.pkg.files[i] = &File{
-			file:        file,
-			pkg:         g.pkg,
-			trimPrefix:  g.trimPrefix,
-			lineComment: g.lineComment,
-		}
-	}
-}
-
-// generate produces the String method for the named type.
-func (g *Generator) generate(typeName string) {
-	values := make([]Value, 0, 100)
-	for _, file := range g.pkg.files {
-		// Set the state for this run of the walker.
-		file.typeName = typeName
-		file.values = nil
-		if file.file != nil {
-			ast.Inspect(file.file, file.genDecl)
-			values = append(values, file.values...)
-		}
-	}
-
-	if len(values) == 0 {
-		log.Fatalf("no values defined for type %s", typeName)
-	}
-	// Generate code that will fail if the constants change value.
-	g.Printf("func _() {\n")
-	g.Printf("\t// An \"invalid array index\" compiler error signifies that the constant values have changed.\n")
-	g.Printf("\t// Re-run the stringer command to generate them again.\n")
-	g.Printf("\tvar x [1]struct{}\n")
-	for _, v := range values {
-		g.Printf("\t_ = x[%s - %s]\n", v.originalName, v.str)
-	}
-	g.Printf("}\n")
-	runs := splitIntoRuns(values)
-	// The decision of which pattern to use depends on the number of
-	// runs in the numbers. If there's only one, it's easy. For more than
-	// one, there's a tradeoff between complexity and size of the data
-	// and code vs. the simplicity of a map. A map takes more space,
-	// but so does the code. The decision here (crossover at 10) is
-	// arbitrary, but considers that for large numbers of runs the cost
-	// of the linear scan in the switch might become important, and
-	// rather than use yet another algorithm such as binary search,
-	// we punt and use a map. In any case, the likelihood of a map
-	// being necessary for any realistic example other than bitmasks
-	// is very low. And bitmasks probably deserve their own analysis,
-	// to be done some other day.
-	switch {
-	case len(runs) == 1:
-		g.buildOneRun(runs, typeName)
-	case len(runs) <= 10:
-		g.buildMultipleRuns(runs, typeName)
-	default:
-		g.buildMap(runs, typeName)
-	}
-}
-
-// splitIntoRuns breaks the values into runs of contiguous sequences.
-// For example, given 1,2,3,5,6,7 it returns {1,2,3},{5,6,7}.
-// The input slice is known to be non-empty.
-func splitIntoRuns(values []Value) [][]Value {
-	// We use stable sort so the lexically first name is chosen for equal elements.
-	sort.Stable(byValue(values))
-	// Remove duplicates. Stable sort has put the one we want to print first,
-	// so use that one. The String method won't care about which named constant
-	// was the argument, so the first name for the given value is the only one to keep.
-	// We need to do this because identical values would cause the switch or map
-	// to fail to compile.
-	j := 1
-	for i := 1; i < len(values); i++ {
-		if values[i].value != values[i-1].value {
-			values[j] = values[i]
-			j++
-		}
-	}
-	values = values[:j]
-	runs := make([][]Value, 0, 10)
-	for len(values) > 0 {
-		// One contiguous sequence per outer loop.
-		i := 1
-		for i < len(values) && values[i].value == values[i-1].value+1 {
-			i++
-		}
-		runs = append(runs, values[:i])
-		values = values[i:]
-	}
-	return runs
-}
-
-// format returns the gofmt-ed contents of the Generator's buffer.
-func (g *Generator) format() []byte {
-	src, err := format.Source(g.buf.Bytes())
-	if err != nil {
-		// Should never happen, but can arise when developing this code.
-		// The user can compile the output to see the error.
-		log.Printf("warning: internal error: invalid Go generated: %s", err)
-		log.Printf("warning: compile the package to analyze the error")
-		return g.buf.Bytes()
-	}
-	return src
-}
-
-// Value represents a declared constant.
-type Value struct {
-	originalName string // The name of the constant.
-	name         string // The name with trimmed prefix.
-	// The value is stored as a bit pattern alone. The boolean tells us
-	// whether to interpret it as an int64 or a uint64; the only place
-	// this matters is when sorting.
-	// Much of the time the str field is all we need; it is printed
-	// by Value.String.
-	value  uint64 // Will be converted to int64 when needed.
-	signed bool   // Whether the constant is a signed type.
-	str    string // The string representation given by the "go/constant" package.
-}
-
-func (v *Value) String() string {
-	return v.str
-}
-
-// byValue lets us sort the constants into increasing order.
-// We take care in the Less method to sort in signed or unsigned order,
-// as appropriate.
-type byValue []Value
-
-func (b byValue) Len() int      { return len(b) }
-func (b byValue) Swap(i, j int) { b[i], b[j] = b[j], b[i] }
-func (b byValue) Less(i, j int) bool {
-	if b[i].signed {
-		return int64(b[i].value) < int64(b[j].value)
-	}
-	return b[i].value < b[j].value
-}
-
-// genDecl processes one declaration clause.
-func (f *File) genDecl(node ast.Node) bool {
-	decl, ok := node.(*ast.GenDecl)
-	if !ok || decl.Tok != token.CONST {
-		// We only care about const declarations.
-		return true
-	}
-	// The name of the type of the constants we are declaring.
-	// Can change if this is a multi-element declaration.
-	typ := ""
-	// Loop over the elements of the declaration. Each element is a ValueSpec:
-	// a list of names possibly followed by a type, possibly followed by values.
-	// If the type and value are both missing, we carry down the type (and value,
-	// but the "go/types" package takes care of that).
-	for _, spec := range decl.Specs {
-		vspec := spec.(*ast.ValueSpec) // Guaranteed to succeed as this is CONST.
-		if vspec.Type == nil && len(vspec.Values) > 0 {
-			// "X = 1". With no type but a value. If the constant is untyped,
-			// skip this vspec and reset the remembered type.
-			typ = ""
-
-			// If this is a simple type conversion, remember the type.
-			// We don't mind if this is actually a call; a qualified call won't
-			// be matched (that will be SelectorExpr, not Ident), and only unusual
-			// situations will result in a function call that appears to be
-			// a type conversion.
-			ce, ok := vspec.Values[0].(*ast.CallExpr)
-			if !ok {
-				continue
-			}
-			id, ok := ce.Fun.(*ast.Ident)
-			if !ok {
-				continue
-			}
-			typ = id.Name
-		}
-		if vspec.Type != nil {
-			// "X T". We have a type. Remember it.
-			ident, ok := vspec.Type.(*ast.Ident)
-			if !ok {
-				continue
-			}
-			typ = ident.Name
-		}
-		if typ != f.typeName {
-			// This is not the type we're looking for.
-			continue
-		}
-		// We now have a list of names (from one line of source code) all being
-		// declared with the desired type.
-		// Grab their names and actual values and store them in f.values.
-		for _, name := range vspec.Names {
-			if name.Name == "_" {
-				continue
-			}
-			// This dance lets the type checker find the values for us. It's a
-			// bit tricky: look up the object declared by the name, find its
-			// types.Const, and extract its value.
-			obj, ok := f.pkg.defs[name]
-			if !ok {
-				log.Fatalf("no value for constant %s", name)
-			}
-			info := obj.Type().Underlying().(*types.Basic).Info()
-			if info&types.IsInteger == 0 {
-				log.Fatalf("can't handle non-integer constant type %s", typ)
-			}
-			value := obj.(*types.Const).Val() // Guaranteed to succeed as this is CONST.
-			if value.Kind() != constant.Int {
-				log.Fatalf("can't happen: constant is not an integer %s", name)
-			}
-			i64, isInt := constant.Int64Val(value)
-			u64, isUint := constant.Uint64Val(value)
-			if !isInt && !isUint {
-				log.Fatalf("internal error: value of %s is not an integer: %s", name, value.String())
-			}
-			if !isInt {
-				u64 = uint64(i64)
-			}
-			v := Value{
-				originalName: name.Name,
-				value:        u64,
-				signed:       info&types.IsUnsigned == 0,
-				str:          value.String(),
-			}
-			if c := vspec.Comment; f.lineComment && c != nil && len(c.List) == 1 {
-				v.name = strings.TrimSpace(c.Text())
-			} else {
-				v.name = strings.TrimPrefix(v.originalName, f.trimPrefix)
-			}
-			f.values = append(f.values, v)
-		}
-	}
-	return false
-}
-
-// Helpers
-
-// usize returns the number of bits of the smallest unsigned integer
-// type that will hold n. Used to create the smallest possible slice of
-// integers to use as indexes into the concatenated strings.
-func usize(n int) int {
-	switch {
-	case n < 1<<8:
-		return 8
-	case n < 1<<16:
-		return 16
-	default:
-		// 2^32 is enough constants for anyone.
-		return 32
-	}
-}
-
-// declareIndexAndNameVars declares the index slices and concatenated names
-// strings representing the runs of values.
-func (g *Generator) declareIndexAndNameVars(runs [][]Value, typeName string) {
-	var indexes, names []string
-	for i, run := range runs {
-		index, name := g.createIndexAndNameDecl(run, typeName, fmt.Sprintf("_%d", i))
-		if len(run) != 1 {
-			indexes = append(indexes, index)
-		}
-		names = append(names, name)
-	}
-	g.Printf("const (\n")
-	for _, name := range names {
-		g.Printf("\t%s\n", name)
-	}
-	g.Printf(")\n\n")
-
-	if len(indexes) > 0 {
-		g.Printf("var (")
-		for _, index := range indexes {
-			g.Printf("\t%s\n", index)
-		}
-		g.Printf(")\n\n")
-	}
-}
-
-// declareIndexAndNameVar is the single-run version of declareIndexAndNameVars
-func (g *Generator) declareIndexAndNameVar(run []Value, typeName string) {
-	index, name := g.createIndexAndNameDecl(run, typeName, "")
-	g.Printf("const %s\n", name)
-	g.Printf("var %s\n", index)
-}
-
-// createIndexAndNameDecl returns the pair of declarations for the run. The caller will add "const" and "var".
-func (g *Generator) createIndexAndNameDecl(run []Value, typeName string, suffix string) (string, string) {
-	b := new(bytes.Buffer)
-	indexes := make([]int, len(run))
-	for i := range run {
-		b.WriteString(run[i].name)
-		indexes[i] = b.Len()
-	}
-	nameConst := fmt.Sprintf("_%s_name%s = %q", typeName, suffix, b.String())
-	nameLen := b.Len()
-	b.Reset()
-	fmt.Fprintf(b, "_%s_index%s = [...]uint%d{0, ", typeName, suffix, usize(nameLen))
-	for i, v := range indexes {
-		if i > 0 {
-			fmt.Fprintf(b, ", ")
-		}
-		fmt.Fprintf(b, "%d", v)
-	}
-	fmt.Fprintf(b, "}")
-	return b.String(), nameConst
-}
-
-// declareNameVars declares the concatenated names string representing all the values in the runs.
-func (g *Generator) declareNameVars(runs [][]Value, typeName string, suffix string) {
-	g.Printf("const _%s_name%s = \"", typeName, suffix)
-	for _, run := range runs {
-		for i := range run {
-			g.Printf("%s", run[i].name)
-		}
-	}
-	g.Printf("\"\n")
-}
-
-// buildOneRun generates the variables and String method for a single run of contiguous values.
-func (g *Generator) buildOneRun(runs [][]Value, typeName string) {
-	values := runs[0]
-	g.Printf("\n")
-	g.declareIndexAndNameVar(values, typeName)
-	// The generated code is simple enough to write as a Printf format.
-	lessThanZero := ""
-	if values[0].signed {
-		lessThanZero = "i < 0 || "
-	}
-	if values[0].value == 0 { // Signed or unsigned, 0 is still 0.
-		g.Printf(stringOneRun, typeName, usize(len(values)), lessThanZero)
-	} else {
-		g.Printf(stringOneRunWithOffset, typeName, values[0].String(), usize(len(values)), lessThanZero)
-	}
-}
-
-// Arguments to format are:
-//
-//	[1]: type name
-//	[2]: size of index element (8 for uint8 etc.)
-//	[3]: less than zero check (for signed types)
-const stringOneRun = `func (i %[1]s) String() string {
-	if %[3]si >= %[1]s(len(_%[1]s_index)-1) {
-		return "%[1]s(" + strconv.FormatInt(int64(i), 10) + ")"
-	}
-	return _%[1]s_name[_%[1]s_index[i]:_%[1]s_index[i+1]]
-}
-`
-
-// Arguments to format are:
-//	[1]: type name
-//	[2]: lowest defined value for type, as a string
-//	[3]: size of index element (8 for uint8 etc.)
-//	[4]: less than zero check (for signed types)
-/*
- */
-const stringOneRunWithOffset = `func (i %[1]s) String() string {
-	i -= %[2]s
-	if %[4]si >= %[1]s(len(_%[1]s_index)-1) {
-		return "%[1]s(" + strconv.FormatInt(int64(i + %[2]s), 10) + ")"
-	}
-	return _%[1]s_name[_%[1]s_index[i] : _%[1]s_index[i+1]]
-}
-`
-
-// buildMultipleRuns generates the variables and String method for multiple runs of contiguous values.
-// For this pattern, a single Printf format won't do.
-func (g *Generator) buildMultipleRuns(runs [][]Value, typeName string) {
-	g.Printf("\n")
-	g.declareIndexAndNameVars(runs, typeName)
-	g.Printf("func (i %s) String() string {\n", typeName)
-	g.Printf("\tswitch {\n")
-	for i, values := range runs {
-		if len(values) == 1 {
-			g.Printf("\tcase i == %s:\n", &values[0])
-			g.Printf("\t\treturn _%s_name_%d\n", typeName, i)
-			continue
-		}
-		if values[0].value == 0 && !values[0].signed {
-			// For an unsigned lower bound of 0, "0 <= i" would be redundant.
-			g.Printf("\tcase i <= %s:\n", &values[len(values)-1])
-		} else {
-			g.Printf("\tcase %s <= i && i <= %s:\n", &values[0], &values[len(values)-1])
-		}
-		if values[0].value != 0 {
-			g.Printf("\t\ti -= %s\n", &values[0])
-		}
-		g.Printf("\t\treturn _%s_name_%d[_%s_index_%d[i]:_%s_index_%d[i+1]]\n",
-			typeName, i, typeName, i, typeName, i)
-	}
-	g.Printf("\tdefault:\n")
-	g.Printf("\t\treturn \"%s(\" + strconv.FormatInt(int64(i), 10) + \")\"\n", typeName)
-	g.Printf("\t}\n")
-	g.Printf("}\n")
-}
-
-// buildMap handles the case where the space is so sparse a map is a reasonable fallback.
-// It's a rare situation but has simple code.
-func (g *Generator) buildMap(runs [][]Value, typeName string) {
-	g.Printf("\n")
-	g.declareNameVars(runs, typeName, "")
-	g.Printf("\nvar _%s_map = map[%s]string{\n", typeName, typeName)
-	n := 0
-	for _, values := range runs {
-		for _, value := range values {
-			g.Printf("\t%s: _%s_name[%d:%d],\n", &value, typeName, n, n+len(value.name))
-			n += len(value.name)
-		}
-	}
-	g.Printf("}\n\n")
-	g.Printf(stringMap, typeName)
-}
-
-// Argument to format is the type name.
-const stringMap = `func (i %[1]s) String() string {
-	if str, ok := _%[1]s_map[i]; ok {
-		return str
-	}
-	return "%[1]s(" + strconv.FormatInt(int64(i), 10) + ")"
-}
-`
diff --git a/vendor/golang.org/x/tools/go/internal/packagesdriver/sizes.go b/vendor/golang.org/x/tools/go/internal/packagesdriver/sizes.go
index 0454cdd..333676b 100644
--- a/vendor/golang.org/x/tools/go/internal/packagesdriver/sizes.go
+++ b/vendor/golang.org/x/tools/go/internal/packagesdriver/sizes.go
@@ -13,16 +13,17 @@
 	"golang.org/x/tools/internal/gocommand"
 )
 
-var debug = false
-
 func GetSizesForArgsGolist(ctx context.Context, inv gocommand.Invocation, gocmdRunner *gocommand.Runner) (string, string, error) {
 	inv.Verb = "list"
 	inv.Args = []string{"-f", "{{context.GOARCH}} {{context.Compiler}}", "--", "unsafe"}
 	stdout, stderr, friendlyErr, rawErr := gocmdRunner.RunRaw(ctx, inv)
 	var goarch, compiler string
 	if rawErr != nil {
-		if rawErrMsg := rawErr.Error(); strings.Contains(rawErrMsg, "cannot find main module") || strings.Contains(rawErrMsg, "go.mod file not found") {
-			// User's running outside of a module. All bets are off. Get GOARCH and guess compiler is gc.
+		rawErrMsg := rawErr.Error()
+		if strings.Contains(rawErrMsg, "cannot find main module") ||
+			strings.Contains(rawErrMsg, "go.mod file not found") {
+			// User's running outside of a module.
+			// All bets are off. Get GOARCH and guess compiler is gc.
 			// TODO(matloob): Is this a problem in practice?
 			inv.Verb = "env"
 			inv.Args = []string{"GOARCH"}
@@ -32,8 +33,12 @@
 			}
 			goarch = strings.TrimSpace(envout.String())
 			compiler = "gc"
-		} else {
+		} else if friendlyErr != nil {
 			return "", "", friendlyErr
+		} else {
+			// This should be unreachable, but be defensive
+			// in case RunRaw's error results are inconsistent.
+			return "", "", rawErr
 		}
 	} else {
 		fields := strings.Fields(stdout.String())
diff --git a/vendor/golang.org/x/tools/go/packages/external.go b/vendor/golang.org/x/tools/go/packages/external.go
index 7242a0a..7db1d12 100644
--- a/vendor/golang.org/x/tools/go/packages/external.go
+++ b/vendor/golang.org/x/tools/go/packages/external.go
@@ -12,8 +12,8 @@
 	"bytes"
 	"encoding/json"
 	"fmt"
-	exec "golang.org/x/sys/execabs"
 	"os"
+	"os/exec"
 	"strings"
 )
 
diff --git a/vendor/golang.org/x/tools/go/packages/golist.go b/vendor/golang.org/x/tools/go/packages/golist.go
index 1f1eade..cd375fb 100644
--- a/vendor/golang.org/x/tools/go/packages/golist.go
+++ b/vendor/golang.org/x/tools/go/packages/golist.go
@@ -11,6 +11,7 @@
 	"fmt"
 	"log"
 	"os"
+	"os/exec"
 	"path"
 	"path/filepath"
 	"reflect"
@@ -20,7 +21,6 @@
 	"sync"
 	"unicode"
 
-	exec "golang.org/x/sys/execabs"
 	"golang.org/x/tools/go/internal/packagesdriver"
 	"golang.org/x/tools/internal/gocommand"
 	"golang.org/x/tools/internal/packagesinternal"
@@ -208,62 +208,6 @@
 		}
 	}
 
-	// Only use go/packages' overlay processing if we're using a Go version
-	// below 1.16. Otherwise, go list handles it.
-	if goVersion, err := state.getGoVersion(); err == nil && goVersion < 16 {
-		modifiedPkgs, needPkgs, err := state.processGolistOverlay(response)
-		if err != nil {
-			return nil, err
-		}
-
-		var containsCandidates []string
-		if len(containFiles) > 0 {
-			containsCandidates = append(containsCandidates, modifiedPkgs...)
-			containsCandidates = append(containsCandidates, needPkgs...)
-		}
-		if err := state.addNeededOverlayPackages(response, needPkgs); err != nil {
-			return nil, err
-		}
-		// Check candidate packages for containFiles.
-		if len(containFiles) > 0 {
-			for _, id := range containsCandidates {
-				pkg, ok := response.seenPackages[id]
-				if !ok {
-					response.addPackage(&Package{
-						ID: id,
-						Errors: []Error{{
-							Kind: ListError,
-							Msg:  fmt.Sprintf("package %s expected but not seen", id),
-						}},
-					})
-					continue
-				}
-				for _, f := range containFiles {
-					for _, g := range pkg.GoFiles {
-						if sameFile(f, g) {
-							response.addRoot(id)
-						}
-					}
-				}
-			}
-		}
-		// Add root for any package that matches a pattern. This applies only to
-		// packages that are modified by overlays, since they are not added as
-		// roots automatically.
-		for _, pattern := range restPatterns {
-			match := matchPattern(pattern)
-			for _, pkgID := range modifiedPkgs {
-				pkg, ok := response.seenPackages[pkgID]
-				if !ok {
-					continue
-				}
-				if match(pkg.PkgPath) {
-					response.addRoot(pkg.ID)
-				}
-			}
-		}
-	}
-
 	sizeswg.Wait()
 	if sizeserr != nil {
 		return nil, sizeserr
@@ -271,24 +215,6 @@
 	return response.dr, nil
 }
 
-func (state *golistState) addNeededOverlayPackages(response *responseDeduper, pkgs []string) error {
-	if len(pkgs) == 0 {
-		return nil
-	}
-	dr, err := state.createDriverResponse(pkgs...)
-	if err != nil {
-		return err
-	}
-	for _, pkg := range dr.Packages {
-		response.addPackage(pkg)
-	}
-	_, needPkgs, err := state.processGolistOverlay(response)
-	if err != nil {
-		return err
-	}
-	return state.addNeededOverlayPackages(response, needPkgs)
-}
-
 func (state *golistState) runContainsQueries(response *responseDeduper, queries []string) error {
 	for _, query := range queries {
 		// TODO(matloob): Do only one query per directory.
diff --git a/vendor/golang.org/x/tools/go/packages/golist_overlay.go b/vendor/golang.org/x/tools/go/packages/golist_overlay.go
index 9576b47..d823c47 100644
--- a/vendor/golang.org/x/tools/go/packages/golist_overlay.go
+++ b/vendor/golang.org/x/tools/go/packages/golist_overlay.go
@@ -6,314 +6,11 @@
 
 import (
 	"encoding/json"
-	"fmt"
-	"go/parser"
-	"go/token"
-	"os"
 	"path/filepath"
-	"regexp"
-	"sort"
-	"strconv"
-	"strings"
 
 	"golang.org/x/tools/internal/gocommand"
 )
 
-// processGolistOverlay provides rudimentary support for adding
-// files that don't exist on disk to an overlay. The results can be
-// sometimes incorrect.
-// TODO(matloob): Handle unsupported cases, including the following:
-// - determining the correct package to add given a new import path
-func (state *golistState) processGolistOverlay(response *responseDeduper) (modifiedPkgs, needPkgs []string, err error) {
-	havePkgs := make(map[string]string) // importPath -> non-test package ID
-	needPkgsSet := make(map[string]bool)
-	modifiedPkgsSet := make(map[string]bool)
-
-	pkgOfDir := make(map[string][]*Package)
-	for _, pkg := range response.dr.Packages {
-		// This is an approximation of import path to id. This can be
-		// wrong for tests, vendored packages, and a number of other cases.
-		havePkgs[pkg.PkgPath] = pkg.ID
-		dir, err := commonDir(pkg.GoFiles)
-		if err != nil {
-			return nil, nil, err
-		}
-		if dir != "" {
-			pkgOfDir[dir] = append(pkgOfDir[dir], pkg)
-		}
-	}
-
-	// If no new imports are added, it is safe to avoid loading any needPkgs.
-	// Otherwise, it's hard to tell which package is actually being loaded
-	// (due to vendoring) and whether any modified package will show up
-	// in the transitive set of dependencies (because new imports are added,
-	// potentially modifying the transitive set of dependencies).
-	var overlayAddsImports bool
-
-	// If both a package and its test package are created by the overlay, we
-	// need the real package first. Process all non-test files before test
-	// files, and make the whole process deterministic while we're at it.
-	var overlayFiles []string
-	for opath := range state.cfg.Overlay {
-		overlayFiles = append(overlayFiles, opath)
-	}
-	sort.Slice(overlayFiles, func(i, j int) bool {
-		iTest := strings.HasSuffix(overlayFiles[i], "_test.go")
-		jTest := strings.HasSuffix(overlayFiles[j], "_test.go")
-		if iTest != jTest {
-			return !iTest // non-tests are before tests.
-		}
-		return overlayFiles[i] < overlayFiles[j]
-	})
-	for _, opath := range overlayFiles {
-		contents := state.cfg.Overlay[opath]
-		base := filepath.Base(opath)
-		dir := filepath.Dir(opath)
-		var pkg *Package           // if opath belongs to both a package and its test variant, this will be the test variant
-		var testVariantOf *Package // if opath is a test file, this is the package it is testing
-		var fileExists bool
-		isTestFile := strings.HasSuffix(opath, "_test.go")
-		pkgName, ok := extractPackageName(opath, contents)
-		if !ok {
-			// Don't bother adding a file that doesn't even have a parsable package statement
-			// to the overlay.
-			continue
-		}
-		// If all the overlay files belong to a different package, change the
-		// package name to that package.
-		maybeFixPackageName(pkgName, isTestFile, pkgOfDir[dir])
-	nextPackage:
-		for _, p := range response.dr.Packages {
-			if pkgName != p.Name && p.ID != "command-line-arguments" {
-				continue
-			}
-			for _, f := range p.GoFiles {
-				if !sameFile(filepath.Dir(f), dir) {
-					continue
-				}
-				// Make sure to capture information on the package's test variant, if needed.
-				if isTestFile && !hasTestFiles(p) {
-					// TODO(matloob): Are there packages other than the 'production' variant
-					// of a package that this can match? This shouldn't match the test main package
-					// because the file is generated in another directory.
-					testVariantOf = p
-					continue nextPackage
-				} else if !isTestFile && hasTestFiles(p) {
-					// We're examining a test variant, but the overlaid file is
-					// a non-test file. Because the overlay implementation
-					// (currently) only adds a file to one package, skip this
-					// package, so that we can add the file to the production
-					// variant of the package. (https://golang.org/issue/36857
-					// tracks handling overlays on both the production and test
-					// variant of a package).
-					continue nextPackage
-				}
-				if pkg != nil && p != pkg && pkg.PkgPath == p.PkgPath {
-					// We have already seen the production version of the
-					// for which p is a test variant.
-					if hasTestFiles(p) {
-						testVariantOf = pkg
-					}
-				}
-				pkg = p
-				if filepath.Base(f) == base {
-					fileExists = true
-				}
-			}
-		}
-		// The overlay could have included an entirely new package or an
-		// ad-hoc package. An ad-hoc package is one that we have manually
-		// constructed from inadequate `go list` results for a file= query.
-		// It will have the ID command-line-arguments.
-		if pkg == nil || pkg.ID == "command-line-arguments" {
-			// Try to find the module or gopath dir the file is contained in.
-			// Then for modules, add the module opath to the beginning.
-			pkgPath, ok, err := state.getPkgPath(dir)
-			if err != nil {
-				return nil, nil, err
-			}
-			if !ok {
-				break
-			}
-			var forTest string // only set for x tests
-			isXTest := strings.HasSuffix(pkgName, "_test")
-			if isXTest {
-				forTest = pkgPath
-				pkgPath += "_test"
-			}
-			id := pkgPath
-			if isTestFile {
-				if isXTest {
-					id = fmt.Sprintf("%s [%s.test]", pkgPath, forTest)
-				} else {
-					id = fmt.Sprintf("%s [%s.test]", pkgPath, pkgPath)
-				}
-			}
-			if pkg != nil {
-				// TODO(rstambler): We should change the package's path and ID
-				// here. The only issue is that this messes with the roots.
-			} else {
-				// Try to reclaim a package with the same ID, if it exists in the response.
-				for _, p := range response.dr.Packages {
-					if reclaimPackage(p, id, opath, contents) {
-						pkg = p
-						break
-					}
-				}
-				// Otherwise, create a new package.
-				if pkg == nil {
-					pkg = &Package{
-						PkgPath: pkgPath,
-						ID:      id,
-						Name:    pkgName,
-						Imports: make(map[string]*Package),
-					}
-					response.addPackage(pkg)
-					havePkgs[pkg.PkgPath] = id
-					// Add the production package's sources for a test variant.
-					if isTestFile && !isXTest && testVariantOf != nil {
-						pkg.GoFiles = append(pkg.GoFiles, testVariantOf.GoFiles...)
-						pkg.CompiledGoFiles = append(pkg.CompiledGoFiles, testVariantOf.CompiledGoFiles...)
-						// Add the package under test and its imports to the test variant.
-						pkg.forTest = testVariantOf.PkgPath
-						for k, v := range testVariantOf.Imports {
-							pkg.Imports[k] = &Package{ID: v.ID}
-						}
-					}
-					if isXTest {
-						pkg.forTest = forTest
-					}
-				}
-			}
-		}
-		if !fileExists {
-			pkg.GoFiles = append(pkg.GoFiles, opath)
-			// TODO(matloob): Adding the file to CompiledGoFiles can exhibit the wrong behavior
-			// if the file will be ignored due to its build tags.
-			pkg.CompiledGoFiles = append(pkg.CompiledGoFiles, opath)
-			modifiedPkgsSet[pkg.ID] = true
-		}
-		imports, err := extractImports(opath, contents)
-		if err != nil {
-			// Let the parser or type checker report errors later.
-			continue
-		}
-		for _, imp := range imports {
-			// TODO(rstambler): If the package is an x test and the import has
-			// a test variant, make sure to replace it.
-			if _, found := pkg.Imports[imp]; found {
-				continue
-			}
-			overlayAddsImports = true
-			id, ok := havePkgs[imp]
-			if !ok {
-				var err error
-				id, err = state.resolveImport(dir, imp)
-				if err != nil {
-					return nil, nil, err
-				}
-			}
-			pkg.Imports[imp] = &Package{ID: id}
-			// Add dependencies to the non-test variant version of this package as well.
-			if testVariantOf != nil {
-				testVariantOf.Imports[imp] = &Package{ID: id}
-			}
-		}
-	}
-
-	// toPkgPath guesses the package path given the id.
-	toPkgPath := func(sourceDir, id string) (string, error) {
-		if i := strings.IndexByte(id, ' '); i >= 0 {
-			return state.resolveImport(sourceDir, id[:i])
-		}
-		return state.resolveImport(sourceDir, id)
-	}
-
-	// Now that new packages have been created, do another pass to determine
-	// the new set of missing packages.
-	for _, pkg := range response.dr.Packages {
-		for _, imp := range pkg.Imports {
-			if len(pkg.GoFiles) == 0 {
-				return nil, nil, fmt.Errorf("cannot resolve imports for package %q with no Go files", pkg.PkgPath)
-			}
-			pkgPath, err := toPkgPath(filepath.Dir(pkg.GoFiles[0]), imp.ID)
-			if err != nil {
-				return nil, nil, err
-			}
-			if _, ok := havePkgs[pkgPath]; !ok {
-				needPkgsSet[pkgPath] = true
-			}
-		}
-	}
-
-	if overlayAddsImports {
-		needPkgs = make([]string, 0, len(needPkgsSet))
-		for pkg := range needPkgsSet {
-			needPkgs = append(needPkgs, pkg)
-		}
-	}
-	modifiedPkgs = make([]string, 0, len(modifiedPkgsSet))
-	for pkg := range modifiedPkgsSet {
-		modifiedPkgs = append(modifiedPkgs, pkg)
-	}
-	return modifiedPkgs, needPkgs, err
-}
-
-// resolveImport finds the ID of a package given its import path.
-// In particular, it will find the right vendored copy when in GOPATH mode.
-func (state *golistState) resolveImport(sourceDir, importPath string) (string, error) {
-	env, err := state.getEnv()
-	if err != nil {
-		return "", err
-	}
-	if env["GOMOD"] != "" {
-		return importPath, nil
-	}
-
-	searchDir := sourceDir
-	for {
-		vendorDir := filepath.Join(searchDir, "vendor")
-		exists, ok := state.vendorDirs[vendorDir]
-		if !ok {
-			info, err := os.Stat(vendorDir)
-			exists = err == nil && info.IsDir()
-			state.vendorDirs[vendorDir] = exists
-		}
-
-		if exists {
-			vendoredPath := filepath.Join(vendorDir, importPath)
-			if info, err := os.Stat(vendoredPath); err == nil && info.IsDir() {
-				// We should probably check for .go files here, but shame on anyone who fools us.
-				path, ok, err := state.getPkgPath(vendoredPath)
-				if err != nil {
-					return "", err
-				}
-				if ok {
-					return path, nil
-				}
-			}
-		}
-
-		// We know we've hit the top of the filesystem when we Dir / and get /,
-		// or C:\ and get C:\, etc.
-		next := filepath.Dir(searchDir)
-		if next == searchDir {
-			break
-		}
-		searchDir = next
-	}
-	return importPath, nil
-}
-
-func hasTestFiles(p *Package) bool {
-	for _, f := range p.GoFiles {
-		if strings.HasSuffix(f, "_test.go") {
-			return true
-		}
-	}
-	return false
-}
-
 // determineRootDirs returns a mapping from absolute directories that could
 // contain code to their corresponding import path prefixes.
 func (state *golistState) determineRootDirs() (map[string]string, error) {
@@ -384,192 +81,3 @@
 	}
 	return m, nil
 }
-
-func extractImports(filename string, contents []byte) ([]string, error) {
-	f, err := parser.ParseFile(token.NewFileSet(), filename, contents, parser.ImportsOnly) // TODO(matloob): reuse fileset?
-	if err != nil {
-		return nil, err
-	}
-	var res []string
-	for _, imp := range f.Imports {
-		quotedPath := imp.Path.Value
-		path, err := strconv.Unquote(quotedPath)
-		if err != nil {
-			return nil, err
-		}
-		res = append(res, path)
-	}
-	return res, nil
-}
-
-// reclaimPackage attempts to reuse a package that failed to load in an overlay.
-//
-// If the package has errors and has no Name, GoFiles, or Imports,
-// then it's possible that it doesn't yet exist on disk.
-func reclaimPackage(pkg *Package, id string, filename string, contents []byte) bool {
-	// TODO(rstambler): Check the message of the actual error?
-	// It differs between $GOPATH and module mode.
-	if pkg.ID != id {
-		return false
-	}
-	if len(pkg.Errors) != 1 {
-		return false
-	}
-	if pkg.Name != "" || pkg.ExportFile != "" {
-		return false
-	}
-	if len(pkg.GoFiles) > 0 || len(pkg.CompiledGoFiles) > 0 || len(pkg.OtherFiles) > 0 {
-		return false
-	}
-	if len(pkg.Imports) > 0 {
-		return false
-	}
-	pkgName, ok := extractPackageName(filename, contents)
-	if !ok {
-		return false
-	}
-	pkg.Name = pkgName
-	pkg.Errors = nil
-	return true
-}
-
-func extractPackageName(filename string, contents []byte) (string, bool) {
-	// TODO(rstambler): Check the message of the actual error?
-	// It differs between $GOPATH and module mode.
-	f, err := parser.ParseFile(token.NewFileSet(), filename, contents, parser.PackageClauseOnly) // TODO(matloob): reuse fileset?
-	if err != nil {
-		return "", false
-	}
-	return f.Name.Name, true
-}
-
-// commonDir returns the directory that all files are in, "" if files is empty,
-// or an error if they aren't in the same directory.
-func commonDir(files []string) (string, error) {
-	seen := make(map[string]bool)
-	for _, f := range files {
-		seen[filepath.Dir(f)] = true
-	}
-	if len(seen) > 1 {
-		return "", fmt.Errorf("files (%v) are in more than one directory: %v", files, seen)
-	}
-	for k := range seen {
-		// seen has only one element; return it.
-		return k, nil
-	}
-	return "", nil // no files
-}
-
-// It is possible that the files in the disk directory dir have a different package
-// name from newName, which is deduced from the overlays. If they all have a different
-// package name, and they all have the same package name, then that name becomes
-// the package name.
-// It returns true if it changes the package name, false otherwise.
-func maybeFixPackageName(newName string, isTestFile bool, pkgsOfDir []*Package) {
-	names := make(map[string]int)
-	for _, p := range pkgsOfDir {
-		names[p.Name]++
-	}
-	if len(names) != 1 {
-		// some files are in different packages
-		return
-	}
-	var oldName string
-	for k := range names {
-		oldName = k
-	}
-	if newName == oldName {
-		return
-	}
-	// We might have a case where all of the package names in the directory are
-	// the same, but the overlay file is for an x test, which belongs to its
-	// own package. If the x test does not yet exist on disk, we may not yet
-	// have its package name on disk, but we should not rename the packages.
-	//
-	// We use a heuristic to determine if this file belongs to an x test:
-	// The test file should have a package name whose package name has a _test
-	// suffix or looks like "newName_test".
-	maybeXTest := strings.HasPrefix(oldName+"_test", newName) || strings.HasSuffix(newName, "_test")
-	if isTestFile && maybeXTest {
-		return
-	}
-	for _, p := range pkgsOfDir {
-		p.Name = newName
-	}
-}
-
-// This function is copy-pasted from
-// https://github.com/golang/go/blob/9706f510a5e2754595d716bd64be8375997311fb/src/cmd/go/internal/search/search.go#L360.
-// It should be deleted when we remove support for overlays from go/packages.
-//
-// NOTE: This does not handle any ./... or ./ style queries, as this function
-// doesn't know the working directory.
-//
-// matchPattern(pattern)(name) reports whether
-// name matches pattern. Pattern is a limited glob
-// pattern in which '...' means 'any string' and there
-// is no other special syntax.
-// Unfortunately, there are two special cases. Quoting "go help packages":
-//
-// First, /... at the end of the pattern can match an empty string,
-// so that net/... matches both net and packages in its subdirectories, like net/http.
-// Second, any slash-separated pattern element containing a wildcard never
-// participates in a match of the "vendor" element in the path of a vendored
-// package, so that ./... does not match packages in subdirectories of
-// ./vendor or ./mycode/vendor, but ./vendor/... and ./mycode/vendor/... do.
-// Note, however, that a directory named vendor that itself contains code
-// is not a vendored package: cmd/vendor would be a command named vendor,
-// and the pattern cmd/... matches it.
-func matchPattern(pattern string) func(name string) bool {
-	// Convert pattern to regular expression.
-	// The strategy for the trailing /... is to nest it in an explicit ? expression.
-	// The strategy for the vendor exclusion is to change the unmatchable
-	// vendor strings to a disallowed code point (vendorChar) and to use
-	// "(anything but that codepoint)*" as the implementation of the ... wildcard.
-	// This is a bit complicated but the obvious alternative,
-	// namely a hand-written search like in most shell glob matchers,
-	// is too easy to make accidentally exponential.
-	// Using package regexp guarantees linear-time matching.
-
-	const vendorChar = "\x00"
-
-	if strings.Contains(pattern, vendorChar) {
-		return func(name string) bool { return false }
-	}
-
-	re := regexp.QuoteMeta(pattern)
-	re = replaceVendor(re, vendorChar)
-	switch {
-	case strings.HasSuffix(re, `/`+vendorChar+`/\.\.\.`):
-		re = strings.TrimSuffix(re, `/`+vendorChar+`/\.\.\.`) + `(/vendor|/` + vendorChar + `/\.\.\.)`
-	case re == vendorChar+`/\.\.\.`:
-		re = `(/vendor|/` + vendorChar + `/\.\.\.)`
-	case strings.HasSuffix(re, `/\.\.\.`):
-		re = strings.TrimSuffix(re, `/\.\.\.`) + `(/\.\.\.)?`
-	}
-	re = strings.ReplaceAll(re, `\.\.\.`, `[^`+vendorChar+`]*`)
-
-	reg := regexp.MustCompile(`^` + re + `$`)
-
-	return func(name string) bool {
-		if strings.Contains(name, vendorChar) {
-			return false
-		}
-		return reg.MatchString(replaceVendor(name, vendorChar))
-	}
-}
-
-// replaceVendor returns the result of replacing
-// non-trailing vendor path elements in x with repl.
-func replaceVendor(x, repl string) string {
-	if !strings.Contains(x, "vendor") {
-		return x
-	}
-	elem := strings.Split(x, "/")
-	for i := 0; i < len(elem)-1; i++ {
-		if elem[i] == "vendor" {
-			elem[i] = repl
-		}
-	}
-	return strings.Join(elem, "/")
-}
diff --git a/vendor/golang.org/x/tools/go/packages/packages.go b/vendor/golang.org/x/tools/go/packages/packages.go
index ece0e7c..bd79efc 100644
--- a/vendor/golang.org/x/tools/go/packages/packages.go
+++ b/vendor/golang.org/x/tools/go/packages/packages.go
@@ -29,6 +29,7 @@
 	"golang.org/x/tools/internal/packagesinternal"
 	"golang.org/x/tools/internal/typeparams"
 	"golang.org/x/tools/internal/typesinternal"
+	"golang.org/x/tools/internal/versions"
 )
 
 // A LoadMode controls the amount of detail to return when loading.
@@ -258,31 +259,52 @@
 // proceeding with further analysis. The PrintErrors function is
 // provided for convenient display of all errors.
 func Load(cfg *Config, patterns ...string) ([]*Package, error) {
-	l := newLoader(cfg)
-	response, err := defaultDriver(&l.Config, patterns...)
+	ld := newLoader(cfg)
+	response, external, err := defaultDriver(&ld.Config, patterns...)
 	if err != nil {
 		return nil, err
 	}
-	l.sizes = types.SizesFor(response.Compiler, response.Arch)
-	return l.refine(response)
+
+	ld.sizes = types.SizesFor(response.Compiler, response.Arch)
+	if ld.sizes == nil && ld.Config.Mode&(NeedTypes|NeedTypesSizes|NeedTypesInfo) != 0 {
+		// Type size information is needed but unavailable.
+		if external {
+			// An external driver may fail to populate the Compiler/GOARCH fields,
+			// especially since they are relatively new (see #63700).
+			// Provide a sensible fallback in this case.
+			ld.sizes = types.SizesFor("gc", runtime.GOARCH)
+			if ld.sizes == nil { // gccgo-only arch
+				ld.sizes = types.SizesFor("gc", "amd64")
+			}
+		} else {
+			// Go list should never fail to deliver accurate size information.
+			// Reject the whole Load since the error is the same for every package.
+			return nil, fmt.Errorf("can't determine type sizes for compiler %q on GOARCH %q",
+				response.Compiler, response.Arch)
+		}
+	}
+
+	return ld.refine(response)
 }
 
 // defaultDriver is a driver that implements go/packages' fallback behavior.
 // It will try to request to an external driver, if one exists. If there's
 // no external driver, or the driver returns a response with NotHandled set,
 // defaultDriver will fall back to the go list driver.
-func defaultDriver(cfg *Config, patterns ...string) (*driverResponse, error) {
-	driver := findExternalDriver(cfg)
-	if driver == nil {
-		driver = goListDriver
+// The boolean result indicates that an external driver handled the request.
+func defaultDriver(cfg *Config, patterns ...string) (*driverResponse, bool, error) {
+	if driver := findExternalDriver(cfg); driver != nil {
+		response, err := driver(cfg, patterns...)
+		if err != nil {
+			return nil, false, err
+		} else if !response.NotHandled {
+			return response, true, nil
+		}
+		// (fall through)
 	}
-	response, err := driver(cfg, patterns...)
-	if err != nil {
-		return response, err
-	} else if response.NotHandled {
-		return goListDriver(cfg, patterns...)
-	}
-	return response, nil
+
+	response, err := goListDriver(cfg, patterns...)
+	return response, false, err
 }
 
 // A Package describes a loaded Go package.
@@ -411,12 +433,6 @@
 	packagesinternal.GetDepsErrors = func(p interface{}) []*packagesinternal.PackageError {
 		return p.(*Package).depsErrors
 	}
-	packagesinternal.GetGoCmdRunner = func(config interface{}) *gocommand.Runner {
-		return config.(*Config).gocmdRunner
-	}
-	packagesinternal.SetGoCmdRunner = func(config interface{}, runner *gocommand.Runner) {
-		config.(*Config).gocmdRunner = runner
-	}
 	packagesinternal.SetModFile = func(config interface{}, value string) {
 		config.(*Config).modFile = value
 	}
@@ -553,7 +569,7 @@
 type loader struct {
 	pkgs map[string]*loaderPackage
 	Config
-	sizes        types.Sizes
+	sizes        types.Sizes // non-nil if needed by mode
 	parseCache   map[string]*parseValue
 	parseCacheMu sync.Mutex
 	exportMu     sync.Mutex // enforces mutual exclusion of exportdata operations
@@ -678,39 +694,38 @@
 		}
 	}
 
-	// Materialize the import graph.
+	if ld.Mode&NeedImports != 0 {
+		// Materialize the import graph.
 
-	const (
-		white = 0 // new
-		grey  = 1 // in progress
-		black = 2 // complete
-	)
+		const (
+			white = 0 // new
+			grey  = 1 // in progress
+			black = 2 // complete
+		)
 
-	// visit traverses the import graph, depth-first,
-	// and materializes the graph as Packages.Imports.
-	//
-	// Valid imports are saved in the Packages.Import map.
-	// Invalid imports (cycles and missing nodes) are saved in the importErrors map.
-	// Thus, even in the presence of both kinds of errors, the Import graph remains a DAG.
-	//
-	// visit returns whether the package needs src or has a transitive
-	// dependency on a package that does. These are the only packages
-	// for which we load source code.
-	var stack []*loaderPackage
-	var visit func(lpkg *loaderPackage) bool
-	var srcPkgs []*loaderPackage
-	visit = func(lpkg *loaderPackage) bool {
-		switch lpkg.color {
-		case black:
-			return lpkg.needsrc
-		case grey:
-			panic("internal error: grey node")
-		}
-		lpkg.color = grey
-		stack = append(stack, lpkg) // push
-		stubs := lpkg.Imports       // the structure form has only stubs with the ID in the Imports
-		// If NeedImports isn't set, the imports fields will all be zeroed out.
-		if ld.Mode&NeedImports != 0 {
+		// visit traverses the import graph, depth-first,
+		// and materializes the graph as Packages.Imports.
+		//
+		// Valid imports are saved in the Packages.Import map.
+		// Invalid imports (cycles and missing nodes) are saved in the importErrors map.
+		// Thus, even in the presence of both kinds of errors,
+		// the Import graph remains a DAG.
+		//
+		// visit returns whether the package needs src or has a transitive
+		// dependency on a package that does. These are the only packages
+		// for which we load source code.
+		var stack []*loaderPackage
+		var visit func(lpkg *loaderPackage) bool
+		visit = func(lpkg *loaderPackage) bool {
+			switch lpkg.color {
+			case black:
+				return lpkg.needsrc
+			case grey:
+				panic("internal error: grey node")
+			}
+			lpkg.color = grey
+			stack = append(stack, lpkg) // push
+			stubs := lpkg.Imports       // the structure form has only stubs with the ID in the Imports
 			lpkg.Imports = make(map[string]*Package, len(stubs))
 			for importPath, ipkg := range stubs {
 				var importErr error
@@ -734,40 +749,39 @@
 				}
 				lpkg.Imports[importPath] = imp.Package
 			}
-		}
-		if lpkg.needsrc {
-			srcPkgs = append(srcPkgs, lpkg)
-		}
-		if ld.Mode&NeedTypesSizes != 0 {
-			lpkg.TypesSizes = ld.sizes
-		}
-		stack = stack[:len(stack)-1] // pop
-		lpkg.color = black
 
-		return lpkg.needsrc
-	}
+			// Complete type information is required for the
+			// immediate dependencies of each source package.
+			if lpkg.needsrc && ld.Mode&NeedTypes != 0 {
+				for _, ipkg := range lpkg.Imports {
+					ld.pkgs[ipkg.ID].needtypes = true
+				}
+			}
 
-	if ld.Mode&NeedImports == 0 {
-		// We do this to drop the stub import packages that we are not even going to try to resolve.
-		for _, lpkg := range initial {
-			lpkg.Imports = nil
+			// NeedTypeSizes causes TypeSizes to be set even
+			// on packages for which types aren't needed.
+			if ld.Mode&NeedTypesSizes != 0 {
+				lpkg.TypesSizes = ld.sizes
+			}
+			stack = stack[:len(stack)-1] // pop
+			lpkg.color = black
+
+			return lpkg.needsrc
 		}
-	} else {
+
 		// For each initial package, create its import DAG.
 		for _, lpkg := range initial {
 			visit(lpkg)
 		}
-	}
-	if ld.Mode&NeedImports != 0 && ld.Mode&NeedTypes != 0 {
-		for _, lpkg := range srcPkgs {
-			// Complete type information is required for the
-			// immediate dependencies of each source package.
-			for _, ipkg := range lpkg.Imports {
-				imp := ld.pkgs[ipkg.ID]
-				imp.needtypes = true
-			}
+
+	} else {
+		// !NeedImports: drop the stub (ID-only) import packages
+		// that we are not even going to try to resolve.
+		for _, lpkg := range initial {
+			lpkg.Imports = nil
 		}
 	}
+
 	// Load type data and syntax if needed, starting at
 	// the initial packages (roots of the import DAG).
 	if ld.Mode&NeedTypes != 0 || ld.Mode&NeedSyntax != 0 {
@@ -1005,6 +1019,7 @@
 		Selections: make(map[*ast.SelectorExpr]*types.Selection),
 	}
 	typeparams.InitInstanceInfo(lpkg.TypesInfo)
+	versions.InitFileVersions(lpkg.TypesInfo)
 	lpkg.TypesSizes = ld.sizes
 
 	importer := importerFunc(func(path string) (*types.Package, error) {
@@ -1042,7 +1057,7 @@
 		IgnoreFuncBodies: ld.Mode&NeedDeps == 0 && !lpkg.initial,
 
 		Error: appendError,
-		Sizes: ld.sizes,
+		Sizes: ld.sizes, // may be nil
 	}
 	if lpkg.Module != nil && lpkg.Module.GoVersion != "" {
 		typesinternal.SetGoVersion(tc, "go"+lpkg.Module.GoVersion)
diff --git a/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go b/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
index fa5834b..e742ecc 100644
--- a/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
+++ b/vendor/golang.org/x/tools/go/types/objectpath/objectpath.go
@@ -26,13 +26,10 @@
 import (
 	"fmt"
 	"go/types"
-	"sort"
 	"strconv"
 	"strings"
-	_ "unsafe"
 
 	"golang.org/x/tools/internal/typeparams"
-	"golang.org/x/tools/internal/typesinternal"
 )
 
 // A Path is an opaque name that identifies a types.Object
@@ -123,20 +120,7 @@
 // An Encoder amortizes the cost of encoding the paths of multiple objects.
 // The zero value of an Encoder is ready to use.
 type Encoder struct {
-	scopeMemo         map[*types.Scope][]types.Object // memoization of scopeObjects
-	namedMethodsMemo  map[*types.Named][]*types.Func  // memoization of namedMethods()
-	skipMethodSorting bool
-}
-
-// Expose back doors so that gopls can avoid method sorting, which can dominate
-// analysis on certain repositories.
-//
-// TODO(golang/go#61443): remove this.
-func init() {
-	typesinternal.SkipEncoderMethodSorting = func(enc interface{}) {
-		enc.(*Encoder).skipMethodSorting = true
-	}
-	typesinternal.ObjectpathObject = object
+	scopeMemo map[*types.Scope][]types.Object // memoization of scopeObjects
 }
 
 // For returns the path to an object relative to its package,
@@ -328,31 +312,18 @@
 		// Inspect declared methods of defined types.
 		if T, ok := o.Type().(*types.Named); ok {
 			path = append(path, opType)
-			if !enc.skipMethodSorting {
-				// Note that method index here is always with respect
-				// to canonical ordering of methods, regardless of how
-				// they appear in the underlying type.
-				for i, m := range enc.namedMethods(T) {
-					path2 := appendOpArg(path, opMethod, i)
-					if m == obj {
-						return Path(path2), nil // found declared method
-					}
-					if r := find(obj, m.Type(), append(path2, opType), nil); r != nil {
-						return Path(r), nil
-					}
+			// The method index here is always with respect
+			// to the underlying go/types data structures,
+			// which ultimately derives from source order
+			// and must be preserved by export data.
+			for i := 0; i < T.NumMethods(); i++ {
+				m := T.Method(i)
+				path2 := appendOpArg(path, opMethod, i)
+				if m == obj {
+					return Path(path2), nil // found declared method
 				}
-			} else {
-				// This branch must match the logic in the branch above, using go/types
-				// APIs without sorting.
-				for i := 0; i < T.NumMethods(); i++ {
-					m := T.Method(i)
-					path2 := appendOpArg(path, opMethod, i)
-					if m == obj {
-						return Path(path2), nil // found declared method
-					}
-					if r := find(obj, m.Type(), append(path2, opType), nil); r != nil {
-						return Path(r), nil
-					}
+				if r := find(obj, m.Type(), append(path2, opType), nil); r != nil {
+					return Path(r), nil
 				}
 			}
 		}
@@ -448,22 +419,13 @@
 	path = append(path, name...)
 	path = append(path, opType)
 
-	if !enc.skipMethodSorting {
-		for i, m := range enc.namedMethods(named) {
-			if m == meth {
-				path = appendOpArg(path, opMethod, i)
-				return Path(path), true
-			}
-		}
-	} else {
-		// This branch must match the logic of the branch above, using go/types
-		// APIs without sorting.
-		for i := 0; i < named.NumMethods(); i++ {
-			m := named.Method(i)
-			if m == meth {
-				path = appendOpArg(path, opMethod, i)
-				return Path(path), true
-			}
+	// Method indices are w.r.t. the go/types data structures,
+	// ultimately deriving from source order,
+	// which is preserved by export data.
+	for i := 0; i < named.NumMethods(); i++ {
+		if named.Method(i) == meth {
+			path = appendOpArg(path, opMethod, i)
+			return Path(path), true
 		}
 	}
 
@@ -576,12 +538,7 @@
 
 // Object returns the object denoted by path p within the package pkg.
 func Object(pkg *types.Package, p Path) (types.Object, error) {
-	return object(pkg, string(p), false)
-}
-
-// Note: the skipMethodSorting parameter must match the value of
-// Encoder.skipMethodSorting used during encoding.
-func object(pkg *types.Package, pathstr string, skipMethodSorting bool) (types.Object, error) {
+	pathstr := string(p)
 	if pathstr == "" {
 		return nil, fmt.Errorf("empty path")
 	}
@@ -747,12 +704,7 @@
 				if index >= t.NumMethods() {
 					return nil, fmt.Errorf("method index %d out of range [0-%d)", index, t.NumMethods())
 				}
-				if skipMethodSorting {
-					obj = t.Method(index)
-				} else {
-					methods := namedMethods(t) // (unmemoized)
-					obj = methods[index]       // Id-ordered
-				}
+				obj = t.Method(index)
 
 			default:
 				return nil, fmt.Errorf("cannot apply %q to %s (got %T, want interface or named)", code, t, t)
@@ -779,33 +731,6 @@
 	return obj, nil // success
 }
 
-// namedMethods returns the methods of a Named type in ascending Id order.
-func namedMethods(named *types.Named) []*types.Func {
-	methods := make([]*types.Func, named.NumMethods())
-	for i := range methods {
-		methods[i] = named.Method(i)
-	}
-	sort.Slice(methods, func(i, j int) bool {
-		return methods[i].Id() < methods[j].Id()
-	})
-	return methods
-}
-
-// namedMethods is a memoization of the namedMethods function. Callers must not modify the result.
-func (enc *Encoder) namedMethods(named *types.Named) []*types.Func {
-	m := enc.namedMethodsMemo
-	if m == nil {
-		m = make(map[*types.Named][]*types.Func)
-		enc.namedMethodsMemo = m
-	}
-	methods, ok := m[named]
-	if !ok {
-		methods = namedMethods(named) // allocates and sorts
-		m[named] = methods
-	}
-	return methods
-}
-
 // scopeObjects is a memoization of scope objects.
 // Callers must not modify the result.
 func (enc *Encoder) scopeObjects(scope *types.Scope) []types.Object {
diff --git a/vendor/golang.org/x/tools/internal/gocommand/invoke.go b/vendor/golang.org/x/tools/internal/gocommand/invoke.go
index 53cf66d..5531252 100644
--- a/vendor/golang.org/x/tools/internal/gocommand/invoke.go
+++ b/vendor/golang.org/x/tools/internal/gocommand/invoke.go
@@ -13,6 +13,7 @@
 	"io"
 	"log"
 	"os"
+	"os/exec"
 	"reflect"
 	"regexp"
 	"runtime"
@@ -21,8 +22,6 @@
 	"sync"
 	"time"
 
-	exec "golang.org/x/sys/execabs"
-
 	"golang.org/x/tools/internal/event"
 	"golang.org/x/tools/internal/event/keys"
 	"golang.org/x/tools/internal/event/label"
@@ -85,6 +84,7 @@
 
 // RunRaw runs the invocation, serializing requests only if they fight over
 // go.mod changes.
+// Postcondition: both error results have same nilness.
 func (runner *Runner) RunRaw(ctx context.Context, inv Invocation) (*bytes.Buffer, *bytes.Buffer, error, error) {
 	ctx, done := event.Start(ctx, "gocommand.Runner.RunRaw", invLabels(inv)...)
 	defer done()
@@ -95,23 +95,24 @@
 	stdout, stderr, friendlyErr, err := runner.runConcurrent(ctx, inv)
 
 	// If we encounter a load concurrency error, we need to retry serially.
-	if friendlyErr == nil || !modConcurrencyError.MatchString(friendlyErr.Error()) {
-		return stdout, stderr, friendlyErr, err
-	}
-	event.Error(ctx, "Load concurrency error, will retry serially", err)
+	if friendlyErr != nil && modConcurrencyError.MatchString(friendlyErr.Error()) {
+		event.Error(ctx, "Load concurrency error, will retry serially", err)
 
-	// Run serially by calling runPiped.
-	stdout.Reset()
-	stderr.Reset()
-	friendlyErr, err = runner.runPiped(ctx, inv, stdout, stderr)
+		// Run serially by calling runPiped.
+		stdout.Reset()
+		stderr.Reset()
+		friendlyErr, err = runner.runPiped(ctx, inv, stdout, stderr)
+	}
+
 	return stdout, stderr, friendlyErr, err
 }
 
+// Postcondition: both error results have same nilness.
 func (runner *Runner) runConcurrent(ctx context.Context, inv Invocation) (*bytes.Buffer, *bytes.Buffer, error, error) {
 	// Wait for 1 worker to become available.
 	select {
 	case <-ctx.Done():
-		return nil, nil, nil, ctx.Err()
+		return nil, nil, ctx.Err(), ctx.Err()
 	case runner.inFlight <- struct{}{}:
 		defer func() { <-runner.inFlight }()
 	}
@@ -121,6 +122,7 @@
 	return stdout, stderr, friendlyErr, err
 }
 
+// Postcondition: both error results have same nilness.
 func (runner *Runner) runPiped(ctx context.Context, inv Invocation, stdout, stderr io.Writer) (error, error) {
 	// Make sure the runner is always initialized.
 	runner.initialize()
@@ -129,7 +131,7 @@
 	// runPiped commands.
 	select {
 	case <-ctx.Done():
-		return nil, ctx.Err()
+		return ctx.Err(), ctx.Err()
 	case runner.serialized <- struct{}{}:
 		defer func() { <-runner.serialized }()
 	}
@@ -139,7 +141,7 @@
 	for i := 0; i < maxInFlight; i++ {
 		select {
 		case <-ctx.Done():
-			return nil, ctx.Err()
+			return ctx.Err(), ctx.Err()
 		case runner.inFlight <- struct{}{}:
 			// Make sure we always "return" any workers we took.
 			defer func() { <-runner.inFlight }()
@@ -172,6 +174,7 @@
 	Logf       func(format string, args ...interface{})
 }
 
+// Postcondition: both error results have same nilness.
 func (i *Invocation) runWithFriendlyError(ctx context.Context, stdout, stderr io.Writer) (friendlyError error, rawError error) {
 	rawError = i.run(ctx, stdout, stderr)
 	if rawError != nil {
diff --git a/vendor/golang.org/x/tools/internal/packagesinternal/packages.go b/vendor/golang.org/x/tools/internal/packagesinternal/packages.go
index d9950b1..44719de 100644
--- a/vendor/golang.org/x/tools/internal/packagesinternal/packages.go
+++ b/vendor/golang.org/x/tools/internal/packagesinternal/packages.go
@@ -5,10 +5,6 @@
 // Package packagesinternal exposes internal-only fields from go/packages.
 package packagesinternal
 
-import (
-	"golang.org/x/tools/internal/gocommand"
-)
-
 var GetForTest = func(p interface{}) string { return "" }
 var GetDepsErrors = func(p interface{}) []*PackageError { return nil }
 
@@ -18,10 +14,6 @@
 	Err         string   // the error itself
 }
 
-var GetGoCmdRunner = func(config interface{}) *gocommand.Runner { return nil }
-
-var SetGoCmdRunner = func(config interface{}, runner *gocommand.Runner) {}
-
 var TypecheckCgo int
 var DepsErrors int // must be set as a LoadMode to call GetDepsErrors
 var ForTest int    // must be set as a LoadMode to call GetForTest
diff --git a/vendor/golang.org/x/tools/internal/typesinternal/objectpath.go b/vendor/golang.org/x/tools/internal/typesinternal/objectpath.go
deleted file mode 100644
index 5e96e89..0000000
--- a/vendor/golang.org/x/tools/internal/typesinternal/objectpath.go
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package typesinternal
-
-import "go/types"
-
-// This file contains back doors that allow gopls to avoid method sorting when
-// using the objectpath package.
-//
-// This is performance-critical in certain repositories, but changing the
-// behavior of the objectpath package is still being discussed in
-// golang/go#61443. If we decide to remove the sorting in objectpath we can
-// simply delete these back doors. Otherwise, we should add a new API to
-// objectpath that allows controlling the sorting.
-
-// SkipEncoderMethodSorting marks enc (which must be an *objectpath.Encoder) as
-// not requiring sorted methods.
-var SkipEncoderMethodSorting func(enc interface{})
-
-// ObjectpathObject is like objectpath.Object, but allows suppressing method
-// sorting.
-var ObjectpathObject func(pkg *types.Package, p string, skipMethodSorting bool) (types.Object, error)
diff --git a/vendor/golang.org/x/tools/internal/versions/gover.go b/vendor/golang.org/x/tools/internal/versions/gover.go
new file mode 100644
index 0000000..bbabcd2
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/gover.go
@@ -0,0 +1,172 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This is a fork of internal/gover for use by x/tools until
+// go1.21 and earlier are no longer supported by x/tools.
+
+package versions
+
+import "strings"
+
+// A gover is a parsed Go gover: major[.Minor[.Patch]][kind[pre]]
+// The numbers are the original decimal strings to avoid integer overflows
+// and since there is very little actual math. (Probably overflow doesn't matter in practice,
+// but at the time this code was written, there was an existing test that used
+// go1.99999999999, which does not fit in an int on 32-bit platforms.
+// The "big decimal" representation avoids the problem entirely.)
+type gover struct {
+	major string // decimal
+	minor string // decimal or ""
+	patch string // decimal or ""
+	kind  string // "", "alpha", "beta", "rc"
+	pre   string // decimal or ""
+}
+
+// compare returns -1, 0, or +1 depending on whether
+// x < y, x == y, or x > y, interpreted as toolchain versions.
+// The versions x and y must not begin with a "go" prefix: just "1.21" not "go1.21".
+// Malformed versions compare less than well-formed versions and equal to each other.
+// The language version "1.21" compares less than the release candidate and eventual releases "1.21rc1" and "1.21.0".
+func compare(x, y string) int {
+	vx := parse(x)
+	vy := parse(y)
+
+	if c := cmpInt(vx.major, vy.major); c != 0 {
+		return c
+	}
+	if c := cmpInt(vx.minor, vy.minor); c != 0 {
+		return c
+	}
+	if c := cmpInt(vx.patch, vy.patch); c != 0 {
+		return c
+	}
+	if c := strings.Compare(vx.kind, vy.kind); c != 0 { // "" < alpha < beta < rc
+		return c
+	}
+	if c := cmpInt(vx.pre, vy.pre); c != 0 {
+		return c
+	}
+	return 0
+}
+
+// lang returns the Go language version. For example, lang("1.2.3") == "1.2".
+func lang(x string) string {
+	v := parse(x)
+	if v.minor == "" || v.major == "1" && v.minor == "0" {
+		return v.major
+	}
+	return v.major + "." + v.minor
+}
+
+// isValid reports whether the version x is valid.
+func isValid(x string) bool {
+	return parse(x) != gover{}
+}
+
+// parse parses the Go version string x into a version.
+// It returns the zero version if x is malformed.
+func parse(x string) gover {
+	var v gover
+
+	// Parse major version.
+	var ok bool
+	v.major, x, ok = cutInt(x)
+	if !ok {
+		return gover{}
+	}
+	if x == "" {
+		// Interpret "1" as "1.0.0".
+		v.minor = "0"
+		v.patch = "0"
+		return v
+	}
+
+	// Parse . before minor version.
+	if x[0] != '.' {
+		return gover{}
+	}
+
+	// Parse minor version.
+	v.minor, x, ok = cutInt(x[1:])
+	if !ok {
+		return gover{}
+	}
+	if x == "" {
+		// Patch missing is same as "0" for older versions.
+		// Starting in Go 1.21, patch missing is different from explicit .0.
+		if cmpInt(v.minor, "21") < 0 {
+			v.patch = "0"
+		}
+		return v
+	}
+
+	// Parse patch if present.
+	if x[0] == '.' {
+		v.patch, x, ok = cutInt(x[1:])
+		if !ok || x != "" {
+			// Note that we are disallowing prereleases (alpha, beta, rc) for patch releases here (x != "").
+			// Allowing them would be a bit confusing because we already have:
+			//	1.21 < 1.21rc1
+			// But a prerelease of a patch would have the opposite effect:
+			//	1.21.3rc1 < 1.21.3
+			// We've never needed them before, so let's not start now.
+			return gover{}
+		}
+		return v
+	}
+
+	// Parse prerelease.
+	i := 0
+	for i < len(x) && (x[i] < '0' || '9' < x[i]) {
+		if x[i] < 'a' || 'z' < x[i] {
+			return gover{}
+		}
+		i++
+	}
+	if i == 0 {
+		return gover{}
+	}
+	v.kind, x = x[:i], x[i:]
+	if x == "" {
+		return v
+	}
+	v.pre, x, ok = cutInt(x)
+	if !ok || x != "" {
+		return gover{}
+	}
+
+	return v
+}
+
+// cutInt scans the leading decimal number at the start of x to an integer
+// and returns that value and the rest of the string.
+func cutInt(x string) (n, rest string, ok bool) {
+	i := 0
+	for i < len(x) && '0' <= x[i] && x[i] <= '9' {
+		i++
+	}
+	if i == 0 || x[0] == '0' && i != 1 { // no digits or unnecessary leading zero
+		return "", "", false
+	}
+	return x[:i], x[i:], true
+}
+
+// cmpInt returns cmp.Compare(x, y) interpreting x and y as decimal numbers.
+// (Copied from golang.org/x/mod/semver's compareInt.)
+func cmpInt(x, y string) int {
+	if x == y {
+		return 0
+	}
+	if len(x) < len(y) {
+		return -1
+	}
+	if len(x) > len(y) {
+		return +1
+	}
+	if x < y {
+		return -1
+	} else {
+		return +1
+	}
+}
diff --git a/vendor/golang.org/x/tools/internal/versions/types.go b/vendor/golang.org/x/tools/internal/versions/types.go
new file mode 100644
index 0000000..562eef2
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/types.go
@@ -0,0 +1,19 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package versions
+
+import (
+	"go/types"
+)
+
+// GoVersion returns the Go version of the type package.
+// It returns zero if no version can be determined.
+func GoVersion(pkg *types.Package) string {
+	// TODO(taking): x/tools can call GoVersion() [from 1.21] after 1.25.
+	if pkg, ok := any(pkg).(interface{ GoVersion() string }); ok {
+		return pkg.GoVersion()
+	}
+	return ""
+}
diff --git a/vendor/golang.org/x/tools/internal/versions/types_go121.go b/vendor/golang.org/x/tools/internal/versions/types_go121.go
new file mode 100644
index 0000000..a7b7920
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/types_go121.go
@@ -0,0 +1,20 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.22
+// +build !go1.22
+
+package versions
+
+import (
+	"go/ast"
+	"go/types"
+)
+
+// FileVersions always reports the a file's Go version as the
+// zero version at this Go version.
+func FileVersions(info *types.Info, file *ast.File) string { return "" }
+
+// InitFileVersions is a noop at this Go version.
+func InitFileVersions(*types.Info) {}
diff --git a/vendor/golang.org/x/tools/internal/versions/types_go122.go b/vendor/golang.org/x/tools/internal/versions/types_go122.go
new file mode 100644
index 0000000..7b9ba89
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/types_go122.go
@@ -0,0 +1,24 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.22
+// +build go1.22
+
+package versions
+
+import (
+	"go/ast"
+	"go/types"
+)
+
+// FileVersions maps a file to the file's semantic Go version.
+// The reported version is the zero version if a version cannot be determined.
+func FileVersions(info *types.Info, file *ast.File) string {
+	return info.FileVersions[file]
+}
+
+// InitFileVersions initializes info to record Go versions for Go files.
+func InitFileVersions(info *types.Info) {
+	info.FileVersions = make(map[*ast.File]string)
+}
diff --git a/vendor/golang.org/x/tools/internal/versions/versions_go121.go b/vendor/golang.org/x/tools/internal/versions/versions_go121.go
new file mode 100644
index 0000000..cf4a7d0
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/versions_go121.go
@@ -0,0 +1,49 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !go1.22
+// +build !go1.22
+
+package versions
+
+// Lang returns the Go language version for version x.
+// If x is not a valid version, Lang returns the empty string.
+// For example:
+//
+//	Lang("go1.21rc2") = "go1.21"
+//	Lang("go1.21.2") = "go1.21"
+//	Lang("go1.21") = "go1.21"
+//	Lang("go1") = "go1"
+//	Lang("bad") = ""
+//	Lang("1.21") = ""
+func Lang(x string) string {
+	v := lang(stripGo(x))
+	if v == "" {
+		return ""
+	}
+	return x[:2+len(v)] // "go"+v without allocation
+}
+
+// Compare returns -1, 0, or +1 depending on whether
+// x < y, x == y, or x > y, interpreted as Go versions.
+// The versions x and y must begin with a "go" prefix: "go1.21" not "1.21".
+// Invalid versions, including the empty string, compare less than
+// valid versions and equal to each other.
+// The language version "go1.21" compares less than the
+// release candidate and eventual releases "go1.21rc1" and "go1.21.0".
+// Custom toolchain suffixes are ignored during comparison:
+// "go1.21.0" and "go1.21.0-bigcorp" are equal.
+func Compare(x, y string) int { return compare(stripGo(x), stripGo(y)) }
+
+// IsValid reports whether the version x is valid.
+func IsValid(x string) bool { return isValid(stripGo(x)) }
+
+// stripGo converts from a "go1.21" version to a "1.21" version.
+// If v does not start with "go", stripGo returns the empty string (a known invalid version).
+func stripGo(v string) string {
+	if len(v) < 2 || v[:2] != "go" {
+		return ""
+	}
+	return v[2:]
+}
diff --git a/vendor/golang.org/x/tools/internal/versions/versions_go122.go b/vendor/golang.org/x/tools/internal/versions/versions_go122.go
new file mode 100644
index 0000000..c1c1814
--- /dev/null
+++ b/vendor/golang.org/x/tools/internal/versions/versions_go122.go
@@ -0,0 +1,38 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.22
+// +build go1.22
+
+package versions
+
+import (
+	"go/version"
+)
+
+// Lang returns the Go language version for version x.
+// If x is not a valid version, Lang returns the empty string.
+// For example:
+//
+//	Lang("go1.21rc2") = "go1.21"
+//	Lang("go1.21.2") = "go1.21"
+//	Lang("go1.21") = "go1.21"
+//	Lang("go1") = "go1"
+//	Lang("bad") = ""
+//	Lang("1.21") = ""
+func Lang(x string) string { return version.Lang(x) }
+
+// Compare returns -1, 0, or +1 depending on whether
+// x < y, x == y, or x > y, interpreted as Go versions.
+// The versions x and y must begin with a "go" prefix: "go1.21" not "1.21".
+// Invalid versions, including the empty string, compare less than
+// valid versions and equal to each other.
+// The language version "go1.21" compares less than the
+// release candidate and eventual releases "go1.21rc1" and "go1.21.0".
+// Custom toolchain suffixes are ignored during comparison:
+// "go1.21.0" and "go1.21.0-bigcorp" are equal.
+func Compare(x, y string) int { return version.Compare(x, y) }
+
+// IsValid reports whether the version x is valid.
+func IsValid(x string) bool { return version.IsValid(x) }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 50e7d49..af7bdd9 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -38,8 +38,8 @@
 # github.com/Graylog2/go-gelf v0.0.0-20191017102106-1550ee647df0
 ## explicit
 github.com/Graylog2/go-gelf/gelf
-# github.com/Microsoft/go-winio v0.6.1
-## explicit; go 1.17
+# github.com/Microsoft/go-winio v0.6.2
+## explicit; go 1.21
 github.com/Microsoft/go-winio
 github.com/Microsoft/go-winio/backuptar
 github.com/Microsoft/go-winio/internal/fs
@@ -216,14 +216,15 @@
 # github.com/cespare/xxhash/v2 v2.2.0
 ## explicit; go 1.11
 github.com/cespare/xxhash/v2
-# github.com/cilium/ebpf v0.11.0
-## explicit; go 1.19
+# github.com/cilium/ebpf v0.12.3
+## explicit; go 1.20
 github.com/cilium/ebpf
 github.com/cilium/ebpf/asm
 github.com/cilium/ebpf/btf
 github.com/cilium/ebpf/internal
 github.com/cilium/ebpf/internal/kconfig
 github.com/cilium/ebpf/internal/sys
+github.com/cilium/ebpf/internal/sysenc
 github.com/cilium/ebpf/internal/tracefs
 github.com/cilium/ebpf/internal/unix
 github.com/cilium/ebpf/link
@@ -260,7 +261,7 @@
 # github.com/containerd/console v1.0.4
 ## explicit; go 1.13
 github.com/containerd/console
-# github.com/containerd/containerd v1.7.14
+# github.com/containerd/containerd v1.7.16
 ## explicit; go 1.21
 github.com/containerd/containerd
 github.com/containerd/containerd/api/events
@@ -880,7 +881,7 @@
 # github.com/moby/pubsub v1.0.0
 ## explicit; go 1.19
 github.com/moby/pubsub
-# github.com/moby/swarmkit/v2 v2.0.0-20240227173239-911c97650f2e
+# github.com/moby/swarmkit/v2 v2.0.0-20240412154004-f3ffc0881d0e
 ## explicit; go 1.18
 github.com/moby/swarmkit/v2/agent
 github.com/moby/swarmkit/v2/agent/configs
@@ -993,7 +994,7 @@
 github.com/opencontainers/runc/libcontainer/user
 github.com/opencontainers/runc/libcontainer/userns
 github.com/opencontainers/runc/libcontainer/utils
-# github.com/opencontainers/runtime-spec v1.1.0
+# github.com/opencontainers/runtime-spec v1.2.0
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
 github.com/opencontainers/runtime-spec/specs-go/features
@@ -1295,7 +1296,7 @@
 go.uber.org/zap/internal/color
 go.uber.org/zap/internal/exit
 go.uber.org/zap/zapcore
-# golang.org/x/crypto v0.17.0
+# golang.org/x/crypto v0.21.0
 ## explicit; go 1.18
 golang.org/x/crypto/blowfish
 golang.org/x/crypto/chacha20
@@ -1322,12 +1323,12 @@
 golang.org/x/exp/constraints
 golang.org/x/exp/maps
 golang.org/x/exp/slices
-# golang.org/x/mod v0.13.0
+# golang.org/x/mod v0.17.0
 ## explicit; go 1.18
 golang.org/x/mod/internal/lazyregexp
 golang.org/x/mod/module
 golang.org/x/mod/semver
-# golang.org/x/net v0.18.0
+# golang.org/x/net v0.23.0
 ## explicit; go 1.18
 golang.org/x/net/bpf
 golang.org/x/net/context
@@ -1360,7 +1361,6 @@
 # golang.org/x/sys v0.18.0
 ## explicit; go 1.18
 golang.org/x/sys/cpu
-golang.org/x/sys/execabs
 golang.org/x/sys/unix
 golang.org/x/sys/windows
 golang.org/x/sys/windows/registry
@@ -1383,9 +1383,8 @@
 # golang.org/x/time v0.3.0
 ## explicit
 golang.org/x/time/rate
-# golang.org/x/tools v0.14.0
+# golang.org/x/tools v0.16.0
 ## explicit; go 1.18
-golang.org/x/tools/cmd/stringer
 golang.org/x/tools/go/gcexportdata
 golang.org/x/tools/go/internal/packagesdriver
 golang.org/x/tools/go/packages
@@ -1402,6 +1401,7 @@
 golang.org/x/tools/internal/tokeninternal
 golang.org/x/tools/internal/typeparams
 golang.org/x/tools/internal/typesinternal
+golang.org/x/tools/internal/versions
 # google.golang.org/api v0.128.0
 ## explicit; go 1.19
 google.golang.org/api/googleapi
@@ -1600,13 +1600,12 @@
 # sigs.k8s.io/yaml v1.3.0
 ## explicit; go 1.12
 sigs.k8s.io/yaml
-# tags.cncf.io/container-device-interface v0.6.2
-## explicit; go 1.19
-tags.cncf.io/container-device-interface/internal/multierror
+# tags.cncf.io/container-device-interface v0.7.2
+## explicit; go 1.20
 tags.cncf.io/container-device-interface/internal/validation
 tags.cncf.io/container-device-interface/internal/validation/k8s
 tags.cncf.io/container-device-interface/pkg/cdi
 tags.cncf.io/container-device-interface/pkg/parser
-# tags.cncf.io/container-device-interface/specs-go v0.6.0
+# tags.cncf.io/container-device-interface/specs-go v0.7.0
 ## explicit; go 1.19
 tags.cncf.io/container-device-interface/specs-go
diff --git a/vendor/tags.cncf.io/container-device-interface/internal/multierror/multierror.go b/vendor/tags.cncf.io/container-device-interface/internal/multierror/multierror.go
deleted file mode 100644
index 07aca4a..0000000
--- a/vendor/tags.cncf.io/container-device-interface/internal/multierror/multierror.go
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
-   Copyright © 2022 The CDI Authors
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
-*/
-
-package multierror
-
-import (
-	"strings"
-)
-
-// New combines several errors into a single error. Parameters that are nil are
-// ignored. If no errors are passed in or all parameters are nil, then the
-// result is also nil.
-func New(errors ...error) error {
-	// Filter out nil entries.
-	numErrors := 0
-	for _, err := range errors {
-		if err != nil {
-			errors[numErrors] = err
-			numErrors++
-		}
-	}
-	if numErrors == 0 {
-		return nil
-	}
-	return multiError(errors[0:numErrors])
-}
-
-// multiError is the underlying implementation used by New.
-//
-// Beware that a null multiError is not the same as a nil error.
-type multiError []error
-
-// multiError returns all individual error strings concatenated with "\n"
-func (e multiError) Error() string {
-	var builder strings.Builder
-	for i, err := range e {
-		if i > 0 {
-			_, _ = builder.WriteString("\n")
-		}
-		_, _ = builder.WriteString(err.Error())
-	}
-	return builder.String()
-}
-
-// Append returns a new multi error all errors concatenated. Errors that are
-// multi errors get flattened, nil is ignored.
-func Append(err error, errors ...error) error {
-	var result multiError
-	if m, ok := err.(multiError); ok {
-		result = m
-	} else if err != nil {
-		result = append(result, err)
-	}
-
-	for _, e := range errors {
-		if e == nil {
-			continue
-		}
-		if m, ok := e.(multiError); ok {
-			result = append(result, m...)
-		} else {
-			result = append(result, e)
-		}
-	}
-	if len(result) == 0 {
-		return nil
-	}
-	return result
-}
diff --git a/vendor/tags.cncf.io/container-device-interface/internal/validation/k8s/objectmeta.go b/vendor/tags.cncf.io/container-device-interface/internal/validation/k8s/objectmeta.go
index 5cf63da..fb86c67 100644
--- a/vendor/tags.cncf.io/container-device-interface/internal/validation/k8s/objectmeta.go
+++ b/vendor/tags.cncf.io/container-device-interface/internal/validation/k8s/objectmeta.go
@@ -20,10 +20,9 @@
 package k8s
 
 import (
+	"errors"
 	"fmt"
 	"strings"
-
-	"tags.cncf.io/container-device-interface/internal/multierror"
 )
 
 // TotalAnnotationSizeLimitB defines the maximum size of all annotations in characters.
@@ -31,17 +30,17 @@
 
 // ValidateAnnotations validates that a set of annotations are correctly defined.
 func ValidateAnnotations(annotations map[string]string, path string) error {
-	errors := multierror.New()
+	errs := []error{}
 	for k := range annotations {
 		// The rule is QualifiedName except that case doesn't matter, so convert to lowercase before checking.
 		for _, msg := range IsQualifiedName(strings.ToLower(k)) {
-			errors = multierror.Append(errors, fmt.Errorf("%v.%v is invalid: %v", path, k, msg))
+			errs = append(errs, fmt.Errorf("%v.%v is invalid: %v", path, k, msg))
 		}
 	}
 	if err := ValidateAnnotationsSize(annotations); err != nil {
-		errors = multierror.Append(errors, fmt.Errorf("%v is too long: %v", path, err))
+		errs = append(errs, fmt.Errorf("%v is too long: %v", path, err))
 	}
-	return errors
+	return errors.Join(errs...)
 }
 
 // ValidateAnnotationsSize validates that a set of annotations is not too large.
diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go
index c807b55..c2f7fe3 100644
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/cache.go
@@ -28,12 +28,11 @@
 
 	"github.com/fsnotify/fsnotify"
 	oci "github.com/opencontainers/runtime-spec/specs-go"
-	"tags.cncf.io/container-device-interface/internal/multierror"
 	cdi "tags.cncf.io/container-device-interface/specs-go"
 )
 
 // Option is an option to change some aspect of default CDI behavior.
-type Option func(*Cache) error
+type Option func(*Cache)
 
 // Cache stores CDI Specs loaded from Spec directories.
 type Cache struct {
@@ -54,16 +53,27 @@
 // is detected. This option can be used to disable this behavior when a
 // manually refreshed mode is preferable.
 func WithAutoRefresh(autoRefresh bool) Option {
-	return func(c *Cache) error {
+	return func(c *Cache) {
 		c.autoRefresh = autoRefresh
-		return nil
 	}
 }
 
 // NewCache creates a new CDI Cache. The cache is populated from a set
 // of CDI Spec directories. These can be specified using a WithSpecDirs
 // option. The default set of directories is exposed in DefaultSpecDirs.
+//
+// Note:
+//
+//	The error returned by this function is always nil and it is only
+//	returned to maintain API compatibility with consumers.
 func NewCache(options ...Option) (*Cache, error) {
+	return newCache(options...), nil
+}
+
+// newCache creates a CDI cache with the supplied options.
+// This function allows testing without handling the nil error returned by the
+// NewCache function.
+func newCache(options ...Option) *Cache {
 	c := &Cache{
 		autoRefresh: true,
 		watch:       &watch{},
@@ -73,7 +83,8 @@
 	c.Lock()
 	defer c.Unlock()
 
-	return c, c.configure(options...)
+	c.configure(options...)
+	return c
 }
 
 // Configure applies options to the Cache. Updates and refreshes the
@@ -86,18 +97,16 @@
 	c.Lock()
 	defer c.Unlock()
 
-	return c.configure(options...)
+	c.configure(options...)
+
+	return nil
 }
 
 // Configure the Cache. Start/stop CDI Spec directory watch, refresh
 // the Cache if necessary.
-func (c *Cache) configure(options ...Option) error {
-	var err error
-
+func (c *Cache) configure(options ...Option) {
 	for _, o := range options {
-		if err = o(c); err != nil {
-			return fmt.Errorf("failed to apply cache options: %w", err)
-		}
+		o(c)
 	}
 
 	c.dirErrors = make(map[string]error)
@@ -108,8 +117,6 @@
 		c.watch.start(&c.Mutex, c.refresh, c.dirErrors)
 	}
 	c.refresh()
-
-	return nil
 }
 
 // Refresh rescans the CDI Spec directories and refreshes the Cache.
@@ -125,11 +132,11 @@
 	}
 
 	// collect and return cached errors, much like refresh() does it
-	var result error
-	for _, errors := range c.errors {
-		result = multierror.Append(result, errors...)
+	errs := []error{}
+	for _, specErrs := range c.errors {
+		errs = append(errs, errors.Join(specErrs...))
 	}
-	return result
+	return errors.Join(errs...)
 }
 
 // Refresh the Cache by rescanning CDI Spec directories and files.
@@ -139,12 +146,10 @@
 		devices    = map[string]*Device{}
 		conflicts  = map[string]struct{}{}
 		specErrors = map[string][]error{}
-		result     []error
 	)
 
 	// collect errors per spec file path and once globally
 	collectError := func(err error, paths ...string) {
-		result = append(result, err)
 		for _, path := range paths {
 			specErrors[path] = append(specErrors[path], err)
 		}
@@ -197,7 +202,11 @@
 	c.devices = devices
 	c.errors = specErrors
 
-	return multierror.New(result...)
+	errs := []error{}
+	for _, specErrs := range specErrors {
+		errs = append(errs, errors.Join(specErrs...))
+	}
+	return errors.Join(errs...)
 }
 
 // RefreshIfRequired triggers a refresh if necessary.
diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go
index 688ddf7..e5b50db 100644
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/container-edits.go
@@ -144,6 +144,20 @@
 		}
 	}
 
+	if e.IntelRdt != nil {
+		// The specgen is missing functionality to set all parameters so we
+		// just piggy-back on it to initialize all structs and the copy over.
+		specgen.SetLinuxIntelRdtClosID(e.IntelRdt.ClosID)
+		spec.Linux.IntelRdt = e.IntelRdt.ToOCI()
+	}
+
+	for _, additionalGID := range e.AdditionalGIDs {
+		if additionalGID == 0 {
+			continue
+		}
+		specgen.AddProcessAdditionalGid(additionalGID)
+	}
+
 	return nil
 }
 
@@ -171,6 +185,11 @@
 			return err
 		}
 	}
+	if e.IntelRdt != nil {
+		if err := ValidateIntelRdt(e.IntelRdt); err != nil {
+			return err
+		}
+	}
 
 	return nil
 }
@@ -192,6 +211,10 @@
 	e.DeviceNodes = append(e.DeviceNodes, o.DeviceNodes...)
 	e.Hooks = append(e.Hooks, o.Hooks...)
 	e.Mounts = append(e.Mounts, o.Mounts...)
+	if o.IntelRdt != nil {
+		e.IntelRdt = o.IntelRdt
+	}
+	e.AdditionalGIDs = append(e.AdditionalGIDs, o.AdditionalGIDs...)
 
 	return e
 }
@@ -202,7 +225,25 @@
 	if e == nil {
 		return false
 	}
-	return len(e.Env)+len(e.DeviceNodes)+len(e.Hooks)+len(e.Mounts) == 0
+	if len(e.Env) > 0 {
+		return false
+	}
+	if len(e.DeviceNodes) > 0 {
+		return false
+	}
+	if len(e.Hooks) > 0 {
+		return false
+	}
+	if len(e.Mounts) > 0 {
+		return false
+	}
+	if len(e.AdditionalGIDs) > 0 {
+		return false
+	}
+	if e.IntelRdt != nil {
+		return false
+	}
+	return true
 }
 
 // ValidateEnv validates the given environment variables.
@@ -280,6 +321,15 @@
 	return nil
 }
 
+// ValidateIntelRdt validates the IntelRdt configuration.
+func ValidateIntelRdt(i *specs.IntelRdt) error {
+	// ClosID must be a valid Linux filename
+	if len(i.ClosID) >= 4096 || i.ClosID == "." || i.ClosID == ".." || strings.ContainsAny(i.ClosID, "/\n") {
+		return errors.New("invalid ClosID")
+	}
+	return nil
+}
+
 // Ensure OCI Spec hooks are not nil so we can add hooks.
 func ensureOCIHooks(spec *oci.Spec) {
 	if spec.Hooks == nil {
diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/default-cache.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/default-cache.go
new file mode 100644
index 0000000..7886ee5
--- /dev/null
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/default-cache.go
@@ -0,0 +1,70 @@
+/*
+   Copyright © 2024 The CDI Authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package cdi
+
+import (
+	"sync"
+
+	oci "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+var (
+	defaultCache   *Cache
+	getDefaultOnce sync.Once
+)
+
+func getOrCreateDefaultCache(options ...Option) (*Cache, bool) {
+	var created bool
+	getDefaultOnce.Do(func() {
+		defaultCache = newCache(options...)
+		created = true
+	})
+	return defaultCache, created
+}
+
+// GetDefaultCache returns the default CDI cache instance.
+func GetDefaultCache() *Cache {
+	cache, _ := getOrCreateDefaultCache()
+	return cache
+}
+
+// Configure applies options to the default CDI cache. Updates and refreshes
+// the default cache if options are not empty.
+func Configure(options ...Option) error {
+	cache, created := getOrCreateDefaultCache(options...)
+	if len(options) == 0 || created {
+		return nil
+	}
+	return cache.Configure(options...)
+}
+
+// Refresh explicitly refreshes the default CDI cache instance.
+func Refresh() error {
+	return GetDefaultCache().Refresh()
+}
+
+// InjectDevices injects the given qualified devices to the given OCI Spec.
+// using the default CDI cache instance to resolve devices.
+func InjectDevices(ociSpec *oci.Spec, devices ...string) ([]string, error) {
+	return GetDefaultCache().InjectDevices(ociSpec, devices...)
+}
+
+// GetErrors returns all errors encountered during the last refresh of
+// the default CDI cache instance.
+func GetErrors() map[string][]error {
+	return GetDefaultCache().GetErrors()
+}
diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/doc.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/doc.go
index 1897ef1..0ea0714 100644
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/doc.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/doc.go
@@ -29,8 +29,22 @@
 // the vast majority of CDI consumers need. The API should be usable both
 // by OCI runtime clients and runtime implementations.
 //
+// # Default CDI Cache
+//
+// There is a default CDI cache instance which is always implicitly
+// available and instantiated the first time it is referenced directly
+// or indirectly. The most frequently used cache functions are available
+// as identically named package level functions which operate on the
+// default cache instance. Moreover, the registry also operates on the
+// same default cache. We plan to deprecate the registry and eventually
+// remove it in a future release.
+//
 // # CDI Registry
 //
+// Note: the Registry and its related interfaces are deprecated and will
+// be removed in a future version. Please use the default cache and its
+// related package-level function instead.
+//
 // The primary interface to interact with CDI devices is the Registry. It
 // is essentially a cache of all Specs and devices discovered in standard
 // CDI directories on the host. The registry has two main functionality,
diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/registry.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/registry.go
index 7f12c77..3113a05 100644
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/registry.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/registry.go
@@ -29,6 +29,11 @@
 //
 // The most commonly used Registry functions are for refreshing the
 // registry and injecting CDI devices into an OCI Spec.
+//
+// Deprecated: Registry is deprecated and will be removed in a future
+// version. Please update your code to use the corresponding package-
+// level functions Configure(), Refresh(), InjectDevices(), GetErrors(),
+// and GetDefaultCache().
 type Registry interface {
 	RegistryResolver
 	RegistryRefresher
@@ -54,6 +59,10 @@
 //
 // GetSpecDirErrors returns any errors related to the configured
 // Spec directories.
+//
+// Deprecated: RegistryRefresher is deprecated and will be removed
+// in a future version. Please use the default cache and its related
+// package-level functions instead.
 type RegistryRefresher interface {
 	Configure(...Option) error
 	Refresh() error
@@ -68,6 +77,10 @@
 // InjectDevices takes an OCI Spec and injects into it a set of
 // CDI devices given by qualified name. It returns the names of
 // any unresolved devices and an error if injection fails.
+//
+// Deprecated: RegistryRefresher is deprecated and will be removed
+// in a future version. Please use the default cache and its related
+// package-level functions instead.
 type RegistryResolver interface {
 	InjectDevices(spec *oci.Spec, device ...string) (unresolved []string, err error)
 }
@@ -79,6 +92,12 @@
 //
 // ListDevices returns a slice with the names of qualified device
 // known. The returned slice is sorted.
+//
+// Deprecated: RegistryDeviceDB is deprecated and will be removed
+// in a future version. Please use the default cache and its related
+// package-level functions instead.
+// and will be removed in a future version. Please use the default
+// cache and its related package-level functions instead.
 type RegistryDeviceDB interface {
 	GetDevice(device string) *Device
 	ListDevices() []string
@@ -99,6 +118,10 @@
 //
 // WriteSpec writes the Spec with the given content and name to the
 // last Spec directory.
+//
+// Deprecated: RegistrySpecDB is deprecated and will be removed
+// in a future version. Please use the default cache and its related
+// package-level functions instead.
 type RegistrySpecDB interface {
 	ListVendors() []string
 	ListClasses() []string
@@ -121,30 +144,35 @@
 
 // GetRegistry returns the CDI registry. If any options are given, those
 // are applied to the registry.
+//
+// Deprecated: GetRegistry is deprecated and will be removed in a future
+// version. Please use the default cache and its related package-level
+// functions instead.
 func GetRegistry(options ...Option) Registry {
-	var new bool
 	initOnce.Do(func() {
-		reg, _ = getRegistry(options...)
-		new = true
+		reg = &registry{GetDefaultCache()}
 	})
-	if !new && len(options) > 0 {
-		reg.Configure(options...)
-		reg.Refresh()
+	if len(options) > 0 {
+		// We don't care about errors here
+		_ = reg.Configure(options...)
 	}
 	return reg
 }
 
 // DeviceDB returns the registry interface for querying devices.
+//
+// Deprecated: DeviceDB is deprecated and will be removed in a future
+// version. Please use the default cache and its related package-level
+// functions instead.
 func (r *registry) DeviceDB() RegistryDeviceDB {
 	return r
 }
 
 // SpecDB returns the registry interface for querying Specs.
+//
+// Deprecated: SpecDB is deprecated and will be removed in a future
+// version. Please use the default cache and its related package-level
+// functions instead.
 func (r *registry) SpecDB() RegistrySpecDB {
 	return r
 }
-
-func getRegistry(options ...Option) (*registry, error) {
-	c, err := NewCache(options...)
-	return &registry{c}, err
-}
diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec-dirs.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec-dirs.go
index f339349..09005d6 100644
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec-dirs.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec-dirs.go
@@ -44,13 +44,12 @@
 
 // WithSpecDirs returns an option to override the CDI Spec directories.
 func WithSpecDirs(dirs ...string) Option {
-	return func(c *Cache) error {
+	return func(c *Cache) {
 		specDirs := make([]string, len(dirs))
 		for i, dir := range dirs {
 			specDirs[i] = filepath.Clean(dir)
 		}
 		c.specDirs = specDirs
-		return nil
 	}
 }
 
diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go
index 8bd63cc..1a0a662 100644
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/spec.go
@@ -19,7 +19,6 @@
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -62,7 +61,7 @@
 // assigned the given priority. If reading or parsing the Spec
 // data fails ReadSpec returns a nil Spec and an error.
 func ReadSpec(path string, priority int) (*Spec, error) {
-	data, err := ioutil.ReadFile(path)
+	data, err := os.ReadFile(path)
 	switch {
 	case os.IsNotExist(err):
 		return nil, err
diff --git a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/version.go b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/version.go
index a617812..e226694 100644
--- a/vendor/tags.cncf.io/container-device-interface/pkg/cdi/version.go
+++ b/vendor/tags.cncf.io/container-device-interface/pkg/cdi/version.go
@@ -39,6 +39,7 @@
 	v040 version = "v0.4.0"
 	v050 version = "v0.5.0"
 	v060 version = "v0.6.0"
+	v070 version = "v0.7.0"
 
 	// vEarliest is the earliest supported version of the CDI specification
 	vEarliest version = v030
@@ -54,6 +55,7 @@
 	v040: requiresV040,
 	v050: requiresV050,
 	v060: requiresV060,
+	v070: requiresV070,
 }
 
 // MinimumRequiredVersion determines the minimum spec version for the input spec.
@@ -118,6 +120,29 @@
 	return minVersion
 }
 
+// requiresV070 returns true if the spec uses v0.7.0 features
+func requiresV070(spec *cdi.Spec) bool {
+	if spec.ContainerEdits.IntelRdt != nil {
+		return true
+	}
+	// The v0.7.0 spec allows additional GIDs to be specified at a spec level.
+	if len(spec.ContainerEdits.AdditionalGIDs) > 0 {
+		return true
+	}
+
+	for _, d := range spec.Devices {
+		if d.ContainerEdits.IntelRdt != nil {
+			return true
+		}
+		// The v0.7.0 spec allows additional GIDs to be specified at a device level.
+		if len(d.ContainerEdits.AdditionalGIDs) > 0 {
+			return true
+		}
+	}
+
+	return false
+}
+
 // requiresV060 returns true if the spec uses v0.6.0 features
 func requiresV060(spec *cdi.Spec) bool {
 	// The v0.6.0 spec allows annotations to be specified at a spec level
diff --git a/vendor/tags.cncf.io/container-device-interface/specs-go/config.go b/vendor/tags.cncf.io/container-device-interface/specs-go/config.go
index 4043b85..a311ffa 100644
--- a/vendor/tags.cncf.io/container-device-interface/specs-go/config.go
+++ b/vendor/tags.cncf.io/container-device-interface/specs-go/config.go
@@ -3,7 +3,7 @@
 import "os"
 
 // CurrentVersion is the current version of the Spec.
-const CurrentVersion = "0.6.0"
+const CurrentVersion = "0.7.0"
 
 // Spec is the base configuration for CDI
 type Spec struct {
@@ -25,10 +25,12 @@
 
 // ContainerEdits are edits a container runtime must make to the OCI spec to expose the device.
 type ContainerEdits struct {
-	Env         []string      `json:"env,omitempty"`
-	DeviceNodes []*DeviceNode `json:"deviceNodes,omitempty"`
-	Hooks       []*Hook       `json:"hooks,omitempty"`
-	Mounts      []*Mount      `json:"mounts,omitempty"`
+	Env            []string      `json:"env,omitempty"`
+	DeviceNodes    []*DeviceNode `json:"deviceNodes,omitempty"`
+	Hooks          []*Hook       `json:"hooks,omitempty"`
+	Mounts         []*Mount      `json:"mounts,omitempty"`
+	IntelRdt       *IntelRdt     `json:"intelRdt,omitempty"`
+	AdditionalGIDs []uint32      `json:"additionalGids,omitempty"`
 }
 
 // DeviceNode represents a device node that needs to be added to the OCI spec.
@@ -60,3 +62,12 @@
 	Env      []string `json:"env,omitempty"`
 	Timeout  *int     `json:"timeout,omitempty"`
 }
+
+// IntelRdt describes the Linux IntelRdt parameters to set in the OCI spec.
+type IntelRdt struct {
+	ClosID        string `json:"closID,omitempty"`
+	L3CacheSchema string `json:"l3CacheSchema,omitempty"`
+	MemBwSchema   string `json:"memBwSchema,omitempty"`
+	EnableCMT     bool   `json:"enableCMT,omitempty"`
+	EnableMBM     bool   `json:"enableMBM,omitempty"`
+}
diff --git a/vendor/tags.cncf.io/container-device-interface/specs-go/oci.go b/vendor/tags.cncf.io/container-device-interface/specs-go/oci.go
index 229ad52..1b4d576 100644
--- a/vendor/tags.cncf.io/container-device-interface/specs-go/oci.go
+++ b/vendor/tags.cncf.io/container-device-interface/specs-go/oci.go
@@ -36,3 +36,14 @@
 		GID:      d.GID,
 	}
 }
+
+// ToOCI returns the opencontainers runtime Spec LinuxIntelRdt for this IntelRdt config.
+func (i *IntelRdt) ToOCI() *spec.LinuxIntelRdt {
+	return &spec.LinuxIntelRdt{
+		ClosID:        i.ClosID,
+		L3CacheSchema: i.L3CacheSchema,
+		MemBwSchema:   i.MemBwSchema,
+		EnableCMT:     i.EnableCMT,
+		EnableMBM:     i.EnableMBM,
+	}
+}