diff --git a/clients/cloud-setup/nm-cloud-setup.service.in b/clients/cloud-setup/nm-cloud-setup.service.in
index 849f7ea..57f9e93 100644
--- a/clients/cloud-setup/nm-cloud-setup.service.in
+++ b/clients/cloud-setup/nm-cloud-setup.service.in
@@ -23,15 +23,15 @@ PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
-#ProtectHostname=yes
-#ProtectKernelLogs=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
-#RestrictSUIDSGID=yes
+RestrictSUIDSGID=yes
 SystemCallFilter=@system-service
 
 [Install]
diff --git a/docs/api/html/NetworkManager.conf.html b/docs/api/html/NetworkManager.conf.html
index a2e4481..05250d1 100644
--- a/docs/api/html/NetworkManager.conf.html
+++ b/docs/api/html/NetworkManager.conf.html
@@ -600,7 +600,7 @@ unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth
           are "<code class="literal">syslog</code>" and "<code class="literal">journal</code>".
           When NetworkManager is started with "<code class="literal">--debug</code>"
           in addition all messages will be printed to stderr.
-          If unspecified, the default is "<code class="literal">journal</code>".
+          If unspecified, the default is "<code class="literal">syslog</code>".
           </p></td>
 </tr>
 <tr>
diff --git a/man/NetworkManager.conf.5 b/man/NetworkManager.conf.5
index febc3be..b17ac36 100644
--- a/man/NetworkManager.conf.5
+++ b/man/NetworkManager.conf.5
@@ -626,7 +626,7 @@ INFO\&.
 .PP
 \fIbackend\fR
 .RS 4
-The logging backend\&. Supported values are "syslog" and "journal"\&. When NetworkManager is started with "\-\-debug" in addition all messages will be printed to stderr\&. If unspecified, the default is "journal"\&.
+The logging backend\&. Supported values are "syslog" and "journal"\&. When NetworkManager is started with "\-\-debug" in addition all messages will be printed to stderr\&. If unspecified, the default is "syslog"\&.
 .RE
 .PP
 \fIaudit\fR
diff --git a/src/initrd/nmi-cmdline-reader.c b/src/initrd/nmi-cmdline-reader.c
index 62891fa..7c9982b 100644
--- a/src/initrd/nmi-cmdline-reader.c
+++ b/src/initrd/nmi-cmdline-reader.c
@@ -1154,21 +1154,14 @@ nmi_cmdline_reader_parse(const char *sysfs_dir, const char *const *argv, char **
         NMConnection *  connection;
         NMSettingWired *s_wired;
         const char *    bootif = bootif_val;
-        char            prefix[4];
-
-        if (!nm_utils_hwaddr_valid(bootif, ETH_ALEN)) {
-            strncpy(prefix, bootif, 3);
-            prefix[3] = '\0';
-
-            if (NM_IN_STRSET(prefix, "01-", "01:", "00-", "00:")
-                && nm_utils_hwaddr_valid(&bootif[3], ETH_ALEN)) {
-                /*
-                 * BOOTIF MAC address can be prefixed with a hardware type identifier.
-                 * "01" stays for "wired", "00" is also accepted as it means "undefined".
-                 * No others are known.
-                 */
-                bootif += 3;
-            }
+
+        if (!nm_utils_hwaddr_valid(bootif, ETH_ALEN) && g_str_has_prefix(bootif, "01-")
+            && nm_utils_hwaddr_valid(&bootif[3], ETH_ALEN)) {
+            /*
+             * BOOTIF MAC address can be prefixed with a hardware type identifier.
+             * "01" stays for "wired", no other are known.
+             */
+            bootif += 3;
         }
 
         connection = reader_get_connection(reader, NULL, NM_SETTING_WIRED_SETTING_NAME, FALSE);
diff --git a/src/initrd/tests/test-cmdline-reader.c b/src/initrd/tests/test-cmdline-reader.c
index 0c30146..07faf96 100644
--- a/src/initrd/tests/test-cmdline-reader.c
+++ b/src/initrd/tests/test-cmdline-reader.c
@@ -1951,73 +1951,59 @@ test_bootif_no_ip(void)
 static void
 test_bootif_hwtype(void)
 {
-    const char *const *ARGV0  = NM_MAKE_STRV("ip=eth0:dhcp", "BOOTIF=01-00-53-AB-cd-02-03");
-    const char *const *ARGV1  = NM_MAKE_STRV("ip=eth0:dhcp", "BOOTIF=00-00-53-Ab-cD-02-03");
-    const char *const *ARGV[] = {ARGV0, ARGV1};
-    guint              i;
-
-    for (i = 0; i < G_N_ELEMENTS(ARGV); i++) {
-        gs_unref_hashtable GHashTable *connections = NULL;
-        NMConnection *                 connection;
-        NMSettingWired *               s_wired;
-        NMSettingIPConfig *            s_ip4;
-        NMSettingIPConfig *            s_ip6;
-        gs_free char *                 hostname = NULL;
+    gs_unref_hashtable GHashTable *connections = NULL;
+    const char *const *ARGV = NM_MAKE_STRV("ip=eth0:dhcp", "BOOTIF=01-00-53-AB-cd-02-03");
+    NMConnection *     connection;
+    NMSettingWired *   s_wired;
+    NMSettingIPConfig *s_ip4;
+    NMSettingIPConfig *s_ip6;
+    gs_free char *     hostname = NULL;
 
-        connections = nmi_cmdline_reader_parse(TEST_INITRD_DIR "/sysfs", ARGV[i], &hostname);
-        g_assert(connections);
-        g_assert_cmpint(g_hash_table_size(connections), ==, 2);
-        g_assert_cmpstr(hostname, ==, NULL);
+    connections = nmi_cmdline_reader_parse(TEST_INITRD_DIR "/sysfs", ARGV, &hostname);
+    g_assert(connections);
+    g_assert_cmpint(g_hash_table_size(connections), ==, 2);
+    g_assert_cmpstr(hostname, ==, NULL);
 
-        connection = g_hash_table_lookup(connections, "eth0");
-        g_assert(connection);
-        nmtst_assert_connection_verifies_without_normalization(connection);
-        g_assert_cmpstr(nm_connection_get_id(connection), ==, "eth0");
+    connection = g_hash_table_lookup(connections, "eth0");
+    g_assert(connection);
+    nmtst_assert_connection_verifies_without_normalization(connection);
+    g_assert_cmpstr(nm_connection_get_id(connection), ==, "eth0");
 
-        s_wired = nm_connection_get_setting_wired(connection);
-        g_assert(!nm_setting_wired_get_mac_address(s_wired));
-        g_assert(s_wired);
+    s_wired = nm_connection_get_setting_wired(connection);
+    g_assert(!nm_setting_wired_get_mac_address(s_wired));
+    g_assert(s_wired);
 
-        s_ip4 = nm_connection_get_setting_ip4_config(connection);
-        g_assert(s_ip4);
-        g_assert_cmpstr(nm_setting_ip_config_get_method(s_ip4),
-                        ==,
-                        NM_SETTING_IP4_CONFIG_METHOD_AUTO);
-        g_assert(!nm_setting_ip_config_get_ignore_auto_dns(s_ip4));
-        g_assert(!nm_setting_ip_config_get_may_fail(s_ip4));
+    s_ip4 = nm_connection_get_setting_ip4_config(connection);
+    g_assert(s_ip4);
+    g_assert_cmpstr(nm_setting_ip_config_get_method(s_ip4), ==, NM_SETTING_IP4_CONFIG_METHOD_AUTO);
+    g_assert(!nm_setting_ip_config_get_ignore_auto_dns(s_ip4));
+    g_assert(!nm_setting_ip_config_get_may_fail(s_ip4));
 
-        s_ip6 = nm_connection_get_setting_ip6_config(connection);
-        g_assert(s_ip6);
-        g_assert_cmpstr(nm_setting_ip_config_get_method(s_ip6),
-                        ==,
-                        NM_SETTING_IP6_CONFIG_METHOD_AUTO);
-        g_assert(!nm_setting_ip_config_get_ignore_auto_dns(s_ip6));
+    s_ip6 = nm_connection_get_setting_ip6_config(connection);
+    g_assert(s_ip6);
+    g_assert_cmpstr(nm_setting_ip_config_get_method(s_ip6), ==, NM_SETTING_IP6_CONFIG_METHOD_AUTO);
+    g_assert(!nm_setting_ip_config_get_ignore_auto_dns(s_ip6));
 
-        connection = g_hash_table_lookup(connections, "bootif_connection");
-        g_assert(connection);
-        nmtst_assert_connection_verifies_without_normalization(connection);
-        g_assert_cmpstr(nm_connection_get_id(connection), ==, "BOOTIF Connection");
+    connection = g_hash_table_lookup(connections, "bootif_connection");
+    g_assert(connection);
+    nmtst_assert_connection_verifies_without_normalization(connection);
+    g_assert_cmpstr(nm_connection_get_id(connection), ==, "BOOTIF Connection");
 
-        s_wired = nm_connection_get_setting_wired(connection);
-        g_assert_cmpstr(nm_setting_wired_get_mac_address(s_wired), ==, "00:53:AB:CD:02:03");
-        g_assert(s_wired);
+    s_wired = nm_connection_get_setting_wired(connection);
+    g_assert_cmpstr(nm_setting_wired_get_mac_address(s_wired), ==, "00:53:AB:CD:02:03");
+    g_assert(s_wired);
 
-        s_ip4 = nm_connection_get_setting_ip4_config(connection);
-        g_assert(s_ip4);
-        g_assert_cmpstr(nm_setting_ip_config_get_method(s_ip4),
-                        ==,
-                        NM_SETTING_IP4_CONFIG_METHOD_AUTO);
-        g_assert(!nm_setting_ip_config_get_ignore_auto_dns(s_ip4));
-        g_assert(nm_setting_ip_config_get_may_fail(s_ip4));
+    s_ip4 = nm_connection_get_setting_ip4_config(connection);
+    g_assert(s_ip4);
+    g_assert_cmpstr(nm_setting_ip_config_get_method(s_ip4), ==, NM_SETTING_IP4_CONFIG_METHOD_AUTO);
+    g_assert(!nm_setting_ip_config_get_ignore_auto_dns(s_ip4));
+    g_assert(nm_setting_ip_config_get_may_fail(s_ip4));
 
-        s_ip6 = nm_connection_get_setting_ip6_config(connection);
-        g_assert(s_ip6);
-        g_assert_cmpstr(nm_setting_ip_config_get_method(s_ip6),
-                        ==,
-                        NM_SETTING_IP6_CONFIG_METHOD_AUTO);
-        g_assert(!nm_setting_ip_config_get_ignore_auto_dns(s_ip6));
-        g_assert(nm_setting_ip_config_get_may_fail(s_ip6));
-    }
+    s_ip6 = nm_connection_get_setting_ip6_config(connection);
+    g_assert(s_ip6);
+    g_assert_cmpstr(nm_setting_ip_config_get_method(s_ip6), ==, NM_SETTING_IP6_CONFIG_METHOD_AUTO);
+    g_assert(!nm_setting_ip_config_get_ignore_auto_dns(s_ip6));
+    g_assert(nm_setting_ip_config_get_may_fail(s_ip6));
 }
 
 /* Check that nameservers are assigned to all existing