diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml index b9b5768bf08..79748335547 100644 --- a/man/org.freedesktop.systemd1.xml +++ b/man/org.freedesktop.systemd1.xml @@ -2599,8 +2599,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { @org.freedesktop.DBus.Property.EmitsChangedSignal("false") readonly (bas) RestrictNetworkInterfaces = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) ControlGroupNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly as Environment = ['...', ...]; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(sb) EnvironmentFiles = [...]; @@ -2785,8 +2783,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b DynamicUser = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) DynamicUserNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b RemoveIPC = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(say) SetCredential = [...]; @@ -3174,8 +3170,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { - - @@ -3334,8 +3328,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { - - @@ -3758,8 +3750,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { - - @@ -3944,8 +3934,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { - - 
@@ -4499,8 +4487,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { @org.freedesktop.DBus.Property.EmitsChangedSignal("false") readonly (bas) RestrictNetworkInterfaces = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) ControlGroupNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly as Environment = ['...', ...]; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(sb) EnvironmentFiles = [...]; @@ -4685,8 +4671,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b DynamicUser = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) DynamicUserNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b RemoveIPC = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(say) SetCredential = [...]; @@ -5098,8 +5082,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - - @@ -5258,8 +5240,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - - @@ -5676,8 +5656,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - - @@ -5862,8 +5840,6 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - - @@ -6306,8 +6282,6 @@ node /org/freedesktop/systemd1/unit/home_2emount { @org.freedesktop.DBus.Property.EmitsChangedSignal("false") readonly (bas) RestrictNetworkInterfaces = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) ControlGroupNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly as Environment = ['...', ...]; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(sb) EnvironmentFiles = [...]; 
@@ -6492,8 +6466,6 @@ node /org/freedesktop/systemd1/unit/home_2emount { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b DynamicUser = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) DynamicUserNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b RemoveIPC = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(say) SetCredential = [...]; @@ -6833,8 +6805,6 @@ node /org/freedesktop/systemd1/unit/home_2emount { - - @@ -6993,8 +6963,6 @@ node /org/freedesktop/systemd1/unit/home_2emount { - - @@ -7329,8 +7297,6 @@ node /org/freedesktop/systemd1/unit/home_2emount { - - @@ -7515,8 +7481,6 @@ node /org/freedesktop/systemd1/unit/home_2emount { - - @@ -8086,8 +8050,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { @org.freedesktop.DBus.Property.EmitsChangedSignal("false") readonly (bas) RestrictNetworkInterfaces = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) ControlGroupNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly as Environment = ['...', ...]; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(sb) EnvironmentFiles = [...]; @@ -8272,8 +8234,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b DynamicUser = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) DynamicUserNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly b RemoveIPC = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly a(say) SetCredential = [...]; @@ -8599,8 +8559,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { - - @@ -8759,8 +8717,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { - - @@ -9081,8 +9037,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { - - 
@@ -9267,8 +9221,6 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { - - @@ -9696,8 +9648,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice { readonly a(iiqq) SocketBindDeny = [...]; @org.freedesktop.DBus.Property.EmitsChangedSignal("false") readonly (bas) RestrictNetworkInterfaces = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) ControlGroupNFTSet = [...]; }; interface org.freedesktop.DBus.Peer { ... }; interface org.freedesktop.DBus.Introspectable { ... }; @@ -9850,8 +9800,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice { - - @@ -10010,8 +9958,6 @@ node /org/freedesktop/systemd1/unit/system_2eslice { - - @@ -10192,8 +10138,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope { @org.freedesktop.DBus.Property.EmitsChangedSignal("false") readonly (bas) RestrictNetworkInterfaces = ...; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly a(iss) ControlGroupNFTSet = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly s KillMode = '...'; @org.freedesktop.DBus.Property.EmitsChangedSignal("const") readonly i KillSignal = ...; @@ -10363,8 +10307,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope { - - @@ -10551,8 +10493,6 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope { - - diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index c2c36d55e45..e92f615994f 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml 
@@ -3163,40 +3163,6 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX - - Firewall Integration - - - - DynamicUserNFTSet=family:table:set - This setting provides a method for integrating DynamicUser= - configuration into firewall rules with NFT sets. This option expects a whitespace separated list of - NFT set definitions. Each definition consists of a colon-separated tuple of NFT address family (one - of arp, bridge, inet, ip, - ip6, or netdev), table name and set name. The names of tables - and sets must conform to lexical restrictions of NFT table names. When the unit starts, the user ID - will be appended to the NFT sets and it will be removed when the unit is stopped. Failures to manage - the sets will be ignored. - - Example: - [Service] -DynamicUserNFTSet=inet:filter:u - Corresponding NFT rules: - table inet filter { - set u { - typeof meta skuid - } - chain service_output { - meta skuid != @u drop - accept - } -} - - - - - - System V Compatibility diff --git a/man/systemd.network.xml b/man/systemd.network.xml index d69e63e6b87..c2ce1b1d694 100644 --- a/man/systemd.network.xml +++ b/man/systemd.network.xml 
@@ -1109,71 +1109,6 @@ Table=1234 Defaults to no. - - - NetLabel=label - - - This setting provides a method for integrating dynamic network configuration into Linux - NetLabel subsystem rules, used by Linux security modules (LSMs) for network access control. The - option expects a whitespace separated list of NetLabel labels. The labels must conform to lexical - restrictions of LSM labels. When an interface is configured with IP addresses, the addresses and - subnetwork masks will be appended to the NetLabel Fallback Peer Labeling rules. They will be - removed when the interface is deconfigured. Failures to manage the labels will be ignored. - - Warning: Once labeling is enabled for network traffic, a lot of LSM access control points in - Linux networking stack go from dormant to active. It is easy for someone not familiar with the LSM - per-packet access controls to get into a situation where for example remote connectivity is - broken. Also note that additional configuration with netlabelctl8 - is needed. - - Example: - [Address] -NetLabel=system_u:object_r:localnet_peer_t:s0 - - With the example rules applying for interface eth0, when the interface is - configured with an IPv4 address of 10.0.0.0/8, systemd-networkd performs the - equivalent of netlabelctl operation - - netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0 - - and the reverse operation when the IPv4 address is deconfigured. - - - - - IPv4NFTSet=family:table:set - IPv6NFTSet=family:table:set - - These settings provide a method for integrating dynamic network configuration into firewall - rules with NFT sets. These options expect a whitespace separated list of NFT set definitions. Each - definition consists of a colon-separated tuple of NFT address family (one of - arp, bridge, inet, ip, - ip6, or netdev), table name and set name. The names of tables - and sets must conform to lexical restrictions of NFT table names. 
When an interface is configured - with IP addresses, the addresses and subnetwork masks will be appended to the NFT sets. They will - be removed when the interface is deconfigured. Failures to manage the sets will be ignored. - - Example: - [Address] -IPv4NFTSet=netdev:filter:eth_ipv4_address -IPv6NFTSet=netdev:filter:eth_ipv6_address - Corresponding NFT rules: - table netdev filter { - set eth_ipv4_address { - type ipv4_addr - flags interval - } - chain eth_ingress { - type filter hook ingress device "eth0" priority filter; policy drop; - ip daddr != @eth_ipv4_address drop - accept - } -} - - - @@ -2115,21 +2050,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address RFC 5227. Defaults to false. - - - NetLabel= - - As in [Address] section. - - - - - NFTSet= - - As in [Address] section. The type in NFT set definition must be - ipv4_addr. - - @@ -2243,20 +2163,11 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address UseNTP= UseHostname= UseDomains= - NetLabel= As in the [DHCPv4] section. - - NFTSet= - - As in [DHCPv4] section. The type in NFT set definition must be - ipv6_addr. - - - @@ -2353,21 +2264,6 @@ IPv6NFTSet=netdev:filter:eth_ipv6_address - - - NetLabel= - - As in [Address] section. - - - - - NFTSet= - - As in [DHCPv6] section. The type in NFT set definition must be - ipv6_addr. - - @@ -2625,20 +2521,6 @@ Token=prefixstable:2002:da8:1:: specified. Defaults to true. - - - NetLabel= - - As in [Address] section. - - - - NFTSet= - - As in [DHCPv6] section. The type in NFT set definition must be - ipv6_addr. - - diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml index 23b2d0f3908..1397b886c5c 100644 --- a/man/systemd.resource-control.xml +++ b/man/systemd.resource-control.xml 
@@ -1173,35 +1173,6 @@ DeviceAllow=/dev/loop-control - - ControlGroupNFTSet=family:table:set - - This setting provides a method for integrating dynamic cgroup IDs into firewall rules with - NFT sets. This option expects a whitespace separated list of NFT set definitions. Each definition - consists of a colon-separated tuple of NFT address family (one of arp, - bridge, inet, ip, ip6, - or netdev), table name and set name. The names of tables and sets must conform - to lexical restrictions of NFT table names. When a control group for a unit is realized, the cgroup - ID will be appended to the NFT sets and it will be be removed when the control group is - removed. Failures to manage the sets will be ignored. - - Example: - [Unit] -ControlGroupNFTSet=inet:filter:my_service - - Corresponding NFT rules: - table inet filter { - set my_service { - type cgroupsv2 - } - chain x { - socket cgroupv2 level 2 @my_service accept - drop - } -} - - - diff --git a/src/basic/in-addr-util.c b/src/basic/in-addr-util.c index 53b310d391e..6f8ffaf2596 100644 --- a/src/basic/in-addr-util.c +++ b/src/basic/in-addr-util.c 
@@ -585,45 +585,6 @@ struct in_addr* in4_addr_prefixlen_to_netmask(struct in_addr *addr, unsigned cha
 return addr;
 }
-struct in6_addr* in6_addr_prefixlen_to_netmask(struct in6_addr *addr, unsigned char prefixlen) {
- assert(addr);
- assert(prefixlen <= 128);
-
- for (unsigned int i = 0; i < 16; i++) {
- uint8_t mask;
-
- if (prefixlen >= 8) {
- mask = 0xFF;
- prefixlen -= 8;
- } else if (prefixlen > 0) {
- mask = 0xFF << (8 - prefixlen);
- prefixlen = 0;
- } else {
- assert(prefixlen == 0);
- mask = 0;
- }
-
- addr->s6_addr[i] = mask;
- }
-
- return addr;
-}
-int in_addr_prefixlen_to_netmask(int family, union in_addr_union *addr, unsigned char prefixlen) {
- assert(addr);
-
- switch (family) {
- case AF_INET:
- in4_addr_prefixlen_to_netmask(&addr->in, prefixlen);
- return 0;
- case AF_INET6:
- in6_addr_prefixlen_to_netmask(&addr->in6, prefixlen);
- return 0;
- default:
- return -EAFNOSUPPORT;
- }
-}
-
 int in4_addr_default_prefixlen(const struct in_addr *addr, unsigned char *prefixlen) {
 uint8_t msb_octet = *(uint8_t*) addr;
diff --git a/src/basic/in-addr-util.h b/src/basic/in-addr-util.h
index 1710069b64a..c1e7ef965da 100644
--- a/src/basic/in-addr-util.h
+++ b/src/basic/in-addr-util.h
@@ -137,8 +137,6 @@ int in_addr_from_string_auto(const char *s, int *ret_family, union in_addr_union
 unsigned char in4_addr_netmask_to_prefixlen(const struct in_addr *addr);
 struct in_addr* in4_addr_prefixlen_to_netmask(struct in_addr *addr, unsigned char prefixlen);
-struct in6_addr* in6_addr_prefixlen_to_netmask(struct in6_addr *addr, unsigned char prefixlen);
-int in_addr_prefixlen_to_netmask(int family, union in_addr_union *addr, unsigned char prefixlen);
 int in4_addr_default_prefixlen(const struct in_addr *addr, unsigned char *prefixlen);
 int in4_addr_default_subnet_mask(const struct in_addr *addr, struct in_addr *mask);
 int in4_addr_mask(struct in_addr *addr, unsigned char prefixlen);
diff --git a/src/basic/missing_network.h b/src/basic/missing_network.h
index 776c7c83757..6e71b26afd0 100644
--- a/src/basic/missing_network.h
+++ b/src/basic/missing_network.h
@@ -49,35 +49,3 @@
 #ifndef IEEE80211_MAX_SSID_LEN
 #define IEEE80211_MAX_SSID_LEN 32
 #endif
-
-/* Not exposed but defined in include/net/netlabel.h */
-#ifndef NETLBL_NLTYPE_UNLABELED_NAME
-#define NETLBL_NLTYPE_UNLABELED_NAME "NLBL_UNLBL"
-#endif
-
-/* Not exposed but defined in net/netlabel/netlabel_unlabeled.h */
-enum {
- NLBL_UNLABEL_C_UNSPEC,
- NLBL_UNLABEL_C_ACCEPT,
- NLBL_UNLABEL_C_LIST,
- NLBL_UNLABEL_C_STATICADD,
- NLBL_UNLABEL_C_STATICREMOVE,
- NLBL_UNLABEL_C_STATICLIST,
- NLBL_UNLABEL_C_STATICADDDEF,
- NLBL_UNLABEL_C_STATICREMOVEDEF,
- NLBL_UNLABEL_C_STATICLISTDEF,
- __NLBL_UNLABEL_C_MAX,
-};
-
-/* Not exposed but defined in net/netlabel/netlabel_unlabeled.h */
-enum {
- NLBL_UNLABEL_A_UNSPEC,
- NLBL_UNLABEL_A_ACPTFLG,
- NLBL_UNLABEL_A_IPV6ADDR,
- NLBL_UNLABEL_A_IPV6MASK,
- NLBL_UNLABEL_A_IPV4ADDR,
- NLBL_UNLABEL_A_IPV4MASK,
- NLBL_UNLABEL_A_IFACE,
- NLBL_UNLABEL_A_SECCTX,
- __NLBL_UNLABEL_A_MAX,
-};
diff --git a/src/basic/parse-util.c b/src/basic/parse-util.c
index 0c7c562d17e..35fbb5ec6ad 100644
--- a/src/basic/parse-util.c
+++ b/src/basic/parse-util.c
@@ -750,38 +750,3 @@ int parse_loadavg_fixed_point(const char *s, loadavg_t *ret) {
 return store_loadavg_fixed_point(i, f, ret);
 }
-
-static bool nft_first_char_bad(const char c) {
- if ((c >= 'a' && c <= 'z') ||
- (c >= 'A' && c <= 'Z'))
- return false;
- return true;
-}
-
-static bool nft_next_char_bad(const char c) {
- if ((c >= 'a' && c <= 'z') ||
- (c >= 'A' && c <= 'Z') ||
- (c >= '0' && c <= '9') ||
- c == '/' || c == '\\' || c == '_' || c == '.')
- return false;
- return true;
-}
-
-/* Limitations are described in https://www.netfilter.org/projects/nftables/manpage.html and
- * https://bugzilla.netfilter.org/show_bug.cgi?id=1175 */
-bool nft_identifier_bad(const char *id) {
- assert(id);
-
- size_t len;
- len = strlen(id);
- if (len == 0 || len > 31)
- return true;
-
- if (nft_first_char_bad(id[0]))
- return true;
-
- for (size_t i = 1; i < len; i++)
- if (nft_next_char_bad(id[i]))
- return true;
- return false;
-}
diff --git a/src/basic/parse-util.h b/src/basic/parse-util.h
index 8530ad1c497..f2222dcffb0 100644
--- a/src/basic/parse-util.h
+++ b/src/basic/parse-util.h
@@ -146,5 +146,3 @@ int parse_oom_score_adjust(const char *s, int *ret);
 * to a loadavg_t. */
 int store_loadavg_fixed_point(unsigned long i, unsigned long f, loadavg_t *ret);
 int parse_loadavg_fixed_point(const char *s, loadavg_t *ret);
-
-bool nft_identifier_bad(const char *id);
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index a3fb44fcb8a..25707fce642 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -19,7 +19,6 @@
 #include "devnum-util.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "firewall-util.h"
 #include "in-addr-prefix-util.h"
 #include "inotify-util.h"
 #include "io-util.h"
@@ -280,8 +279,6 @@ void cgroup_context_done(CGroupContext *c) {
 cpu_set_reset(&c->startup_cpuset_cpus);
 cpu_set_reset(&c->cpuset_mems);
 cpu_set_reset(&c->startup_cpuset_mems);
-
- c->nft_set_context = nft_set_context_free_many(c->nft_set_context, &c->n_nft_set_contexts);
 }
 static int unit_get_kernel_memory_limit(Unit *u, const char *file, uint64_t *ret) {
@@ -612,11 +609,6 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) {
 SET_FOREACH(iface, c->restrict_network_interfaces)
 fprintf(f, "%sRestrictNetworkInterfaces: %s\n", prefix, iface);
 }
-
- for (size_t i = 0; i < c->n_nft_set_contexts; i++)
- fprintf(f, "%sControlGroupNFTSet: %s:%s:%s\n", prefix,
- nfproto_to_string(c->nft_set_context[i].nfproto),
- c->nft_set_context[i].table, c->nft_set_context[i].set);
 }
 void cgroup_context_dump_socket_bind_item(const CGroupSocketBindItem *item, FILE *f) {
@@ -1226,46 +1218,6 @@ static void cgroup_apply_firewall(Unit *u) { (void) bpf_firewall_install(u); } -static void cgroup_apply_nft_set(Unit *u) { - int r; - CGroupContext *c; - - assert(u); - - assert_se(c = unit_get_cgroup_context(u)); - - for (size_t i = 0; i < c->n_nft_set_contexts; i++) { - NFTSetContext *s = &c->nft_set_context[i]; - r = nft_set_element_add_uint64(s, u->cgroup_id); - if (r < 0) - log_warning_errno(r, "Adding NFT family %s table %s set %s cgroup %" PRIu64 " failed, ignoring: %m", - nfproto_to_string(s->nfproto), - s->table, - s->set, - u->cgroup_id); - } -} - -static void cgroup_delete_nft_set(Unit *u) { - int r; - CGroupContext *c; - - assert(u); - - assert_se(c = unit_get_cgroup_context(u)); - - for (size_t i = 0; i < c->n_nft_set_contexts; i++) { - NFTSetContext *s = &c->nft_set_context[i]; - r = nft_set_element_del_uint64(s, u->cgroup_id); - if (r < 0) - log_warning_errno(r, "Deleting NFT family %s table %s set %s cgroup %" PRIu64 " failed, ignoring: %m", - nfproto_to_string(s->nfproto), - s->table, - s->set, - u->cgroup_id); - } -} - static void cgroup_apply_socket_bind(Unit *u) { assert(u); @@ -1698,8 +1650,6 @@ static void cgroup_context_apply( if (apply_mask & CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES) cgroup_apply_restrict_network_interfaces(u); - - cgroup_apply_nft_set(u); } static bool unit_get_needs_bpf_firewall(Unit *u) { @@ -2849,8 +2799,6 @@ void unit_prune_cgroup(Unit *u) { (void) lsm_bpf_cleanup(u); /* Remove cgroup from the global LSM BPF map */ #endif - cgroup_delete_nft_set(u); - is_root_slice = unit_has_name(u, SPECIAL_ROOT_SLICE); r = cg_trim_everywhere(u->manager->cgroup_supported, u->cgroup_path, !is_root_slice); diff --git a/src/core/cgroup.h b/src/core/cgroup.h index 6ac28d7ca71..4413eeaaa0a 100644 --- a/src/core/cgroup.h +++ b/src/core/cgroup.h @@ -6,7 +6,6 @@ #include "bpf-lsm.h" #include "cgroup-util.h" #include "cpu-set-util.h" -#include "firewall-util.h" #include "list.h" #include "time-util.h" 
@@ -195,9 +194,6 @@ struct CGroupContext {
 ManagedOOMMode moom_mem_pressure;
 uint32_t moom_mem_pressure_limit; /* Normalized to 2^32-1 == 100% */
 ManagedOOMPreference moom_preference;
-
- NFTSetContext *nft_set_context;
- size_t n_nft_set_contexts;
 };
 /* Used when querying IP accounting data */
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index 82072da9e43..607370d7bfe 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -15,7 +15,6 @@
 #include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "firewall-util.h"
 #include "in-addr-prefix-util.h"
 #include "ip-protocol-list.h"
 #include "limits-util.h"
@@ -444,36 +443,6 @@ static int property_get_restrict_network_interfaces(
 return sd_bus_message_close_container(reply);
 }
-static int property_get_cgroup_nft_set(
- sd_bus *bus,
- const char *path,
- const char *interface,
- const char *property,
- sd_bus_message *reply,
- void *userdata,
- sd_bus_error *error) {
- int r;
- CGroupContext *c = userdata;
-
- assert(bus);
- assert(reply);
- assert(c);
-
- r = sd_bus_message_open_container(reply, 'a', "(iss)");
- if (r < 0)
- return r;
-
- for (size_t i = 0; i < c->n_nft_set_contexts; i++) {
- NFTSetContext *s = &c->nft_set_context[i];
-
- r = sd_bus_message_append(reply, "(iss)", s->nfproto, s->table, s->set);
- if (r < 0)
- return r;
- }
-
- return sd_bus_message_close_container(reply);
-}
-
 const sd_bus_vtable bus_cgroup_vtable[] = {
 SD_BUS_VTABLE_START(0),
 SD_BUS_PROPERTY("Delegate", "b", bus_property_get_bool, offsetof(CGroupContext, delegate), 0),
@@ -531,7 +500,6 @@ const sd_bus_vtable bus_cgroup_vtable[] = {
 SD_BUS_PROPERTY("SocketBindAllow", "a(iiqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_allow), 0),
 SD_BUS_PROPERTY("SocketBindDeny", "a(iiqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_deny), 0),
 SD_BUS_PROPERTY("RestrictNetworkInterfaces", "(bas)", property_get_restrict_network_interfaces, 0, 0),
- SD_BUS_PROPERTY("ControlGroupNFTSet", "a(iss)", property_get_cgroup_nft_set, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_VTABLE_END
 };
@@ -2085,58 +2053,5 @@ int bus_cgroup_set_property(
 if (streq(name, "DisableControllers") || (u->transient && u->load_state == UNIT_STUB))
 return bus_cgroup_set_transient_property(u, c, name, message, flags, error);
- if (streq(name, "ControlGroupNFTSet")) {
- int nfproto;
- const char *table, *set;
- bool empty = true;
-
- r = sd_bus_message_enter_container(message, 'a', "(iss)");
- if (r < 0)
- return r;
-
- while ((r = sd_bus_message_read(message, "(iss)", &nfproto, &table, &set)) > 0) {
- const char *nfproto_name;
-
- nfproto_name = nfproto_to_string(nfproto);
- if (!nfproto_name)
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid protocol %d.", nfproto);
-
- if (nft_identifier_bad(table))
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT table name %s.", table);
-
- if (nft_identifier_bad(set))
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT set name %s.", set);
-
- if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
- r = nft_set_context_add(&c->nft_set_context, &c->n_nft_set_contexts, nfproto, table, set);
- if (r < 0)
- return r;
-
- unit_write_settingf(
- u, flags|UNIT_ESCAPE_SPECIFIERS, name,
- "%s=%s:%s:%s",
- name,
- nfproto_name,
- table,
- set);
- }
-
- empty = false;
- }
- if (r < 0)
- return r;
-
- r = sd_bus_message_exit_container(message);
- if (r < 0)
- return r;
-
- if (empty) {
- c->nft_set_context = nft_set_context_free_many(c->nft_set_context, &c->n_nft_set_contexts);
- unit_write_settingf(u, flags, name, "%s=", name);
- }
-
- return 1;
- }
-
 return 0;
 }
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 0b28d4f6032..1a9e5da6350 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -22,7 +22,6 @@
 #include "execute.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "firewall-util.h"
 #include "hexdecoct.h"
 #include "io-util.h"
 #include "ioprio-util.h"
@@ -1143,37 +1142,6 @@ static int bus_property_get_exec_dir_symlink(
 return sd_bus_message_close_container(reply);
 }
-static int property_get_dynamic_user_nft_set(
- sd_bus *bus,
- const char *path,
- const char *interface,
- const char *property,
- sd_bus_message *reply,
- void *userdata,
- sd_bus_error *error) {
-
- ExecContext *c = userdata;
- int r;
-
- assert(bus);
- assert(reply);
- assert(c);
-
- r = sd_bus_message_open_container(reply, 'a', "(iss)");
- if (r < 0)
- return r;
-
- for (size_t i = 0; i < c->n_dynamic_user_nft_set_contexts; i++) {
- NFTSetContext *s = &c->dynamic_user_nft_set_context[i];
-
- r = sd_bus_message_append(reply, "(iss)", s->nfproto, s->table, s->set);
- if (r < 0)
- return r;
- }
-
- return sd_bus_message_close_container(reply);
-}
-
 const sd_bus_vtable bus_exec_vtable[] = {
 SD_BUS_VTABLE_START(0),
 SD_BUS_PROPERTY("Environment", "as", NULL, offsetof(ExecContext, environment), SD_BUS_VTABLE_PROPERTY_CONST),
@@ -1268,7 +1236,6 @@ const sd_bus_vtable bus_exec_vtable[] = {
 SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("DynamicUser", "b", bus_property_get_bool, offsetof(ExecContext, dynamic_user), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_PROPERTY("DynamicUserNFTSet", "a(iss)", property_get_dynamic_user_nft_set, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("RemoveIPC", "b", bus_property_get_bool, offsetof(ExecContext, remove_ipc), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("SetCredential", "a(say)", property_get_set_credential, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("SetCredentialEncrypted", "a(say)", property_get_set_credential, 0, SD_BUS_VTABLE_PROPERTY_CONST),
@@ -3540,58 +3507,6 @@ int bus_exec_context_set_transient_property(
 return 1;
- } else if (streq(name, "DynamicUserNFTSet")) {
- int nfproto;
- const char *table, *set;
- bool empty = true;
-
- r = sd_bus_message_enter_container(message, 'a', "(iss)");
- if (r < 0)
- return r;
-
- while ((r = sd_bus_message_read(message, "(iss)", &nfproto, &table, &set)) > 0) {
- const char *nfproto_name;
-
- nfproto_name = nfproto_to_string(nfproto);
- if (!nfproto_name)
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid protocol %d.", nfproto);
-
- if (nft_identifier_bad(table))
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT table name %s.", table);
-
- if (nft_identifier_bad(set))
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT set name %s.", set);
-
- if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
- r = nft_set_context_add(&c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts, nfproto, table, set);
- if (r < 0)
- return r;
-
- unit_write_settingf(
- u, flags|UNIT_ESCAPE_SPECIFIERS, name,
- "%s=%s:%s:%s",
- name,
- nfproto_name,
- table,
- set);
- }
-
- empty = false;
- }
- if (r < 0)
- return r;
-
- r = sd_bus_message_exit_container(message);
- if (r < 0)
- return r;
-
- if (empty) {
- c->dynamic_user_nft_set_context = nft_set_context_free_many(c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts);
- unit_write_settingf(u, flags, name, "%s=", name);
- }
-
- return 1;
-
 } else if ((suffix = startswith(name, "Limit"))) {
 const char *soft = NULL;
 int ri;
diff --git a/src/core/execute.c b/src/core/execute.c
index f128a45f546..05fc00ca1ce 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4083,43 +4083,6 @@ static int add_shifted_fd(int *fds, size_t fds_size, size_t *n_fds, int fd, int
 return 1;
 }
-static void exec_op_dynamic_user_nft_set(bool add, const ExecContext *c, uid_t uid) {
- int r;
-
- assert(c);
-
- for (size_t i = 0; i < c->n_dynamic_user_nft_set_contexts; i++) {
- NFTSetContext *s = &c->dynamic_user_nft_set_context[i];
- if (add)
- r = nft_set_element_add_uint32(s, uid);
- else
- r = nft_set_element_del_uint32(s, uid);
- if (r < 0)
- log_warning_errno(r, "%s NFT family %s table %s set %s UID " UID_FMT " failed, ignoring: %m",
- add? "Adding" : "Deleting", nfproto_to_string(s->nfproto), s->table, s->set, uid);
- }
-}
-
-static void exec_add_dynamic_user_nft_set(const ExecContext *c, uid_t uid) {
- exec_op_dynamic_user_nft_set(true, c, uid);
-}
-
-void exec_delete_dynamic_user_nft_set(const ExecContext *c, DynamicUser *d) {
- int r;
- uid_t uid;
-
- if (!d)
- return;
-
- r = dynamic_user_current(d, &uid);
- if (r < 0) {
- log_warning_errno(r, "Can't get current dynamic user, ignoring: %m");
- return;
- }
-
- exec_op_dynamic_user_nft_set(false, c, uid);
-}
-
 static int exec_child(
 Unit *unit,
 const ExecCommand *command,
@@ -4321,8 +4284,6 @@ static int exec_child(
 if (dcreds->user)
 username = dcreds->user->name;
- exec_add_dynamic_user_nft_set(context, uid);
-
 } else {
 r = get_fixed_user(context, &username, &uid, &gid, &home, &shell);
 if (r < 0) {
@@ -5385,8 +5346,6 @@ void exec_context_done(ExecContext *c) {
 c->user = mfree(c->user);
 c->group = mfree(c->group);
- c->dynamic_user_nft_set_context = nft_set_context_free_many(c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts);
-
 c->supplementary_groups = strv_free(c->supplementary_groups);
 c->pam_name = mfree(c->pam_name);
@@ -6061,11 +6020,6 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
 fprintf(f, "%sGroup: %s\n", prefix, c->group);
 fprintf(f, "%sDynamicUser: %s\n", prefix, yes_no(c->dynamic_user));
- for (size_t i = 0; i < c->n_dynamic_user_nft_set_contexts; i++)
- fprintf(f, "%sDynamicUserNFTSet: %s:%s:%s\n", prefix,
- nfproto_to_string(c->dynamic_user_nft_set_context[i].nfproto),
- c->dynamic_user_nft_set_context[i].table,
- c->dynamic_user_nft_set_context[i].set);
 strv_dump(f, prefix, "SupplementaryGroups", c->supplementary_groups);
diff --git a/src/core/execute.h b/src/core/execute.h
index b3516c29fc0..904e7943f32 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -18,7 +18,6 @@ typedef struct Manager Manager;
 #include "cpu-set-util.h"
 #include "exec-util.h"
 #include "fdset.h"
-#include "firewall-util.h"
 #include "list.h"
 #include "missing_resource.h"
 #include "namespace.h"
@@ -314,9 +313,6 @@ struct ExecContext {
 bool mount_apivfs;
 bool dynamic_user;
- size_t n_dynamic_user_nft_set_contexts;
- NFTSetContext *dynamic_user_nft_set_context;
-
 bool remove_ipc;
 bool memory_deny_write_execute;
@@ -526,5 +522,3 @@ const char* exec_resource_type_to_string(ExecDirectoryType i) _const_;
 ExecDirectoryType exec_resource_type_from_string(const char *s) _pure_;
 bool exec_needs_mount_namespace(const ExecContext *context, const ExecParameters *params, const ExecRuntime *runtime);
-
-void exec_delete_dynamic_user_nft_set(const ExecContext *c, DynamicUser *d);
diff --git a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in
index facda69d0dd..7817c20c0ba 100644
--- a/src/core/load-fragment-gperf.gperf.in
+++ b/src/core/load-fragment-gperf.gperf.in
@@ -32,7 +32,6 @@
 {{type}}.PassEnvironment, config_parse_pass_environ, 0, offsetof({{type}}, exec_context.pass_environment)
 {{type}}.UnsetEnvironment, config_parse_unset_environ, 0, offsetof({{type}}, exec_context.unset_environment)
 {{type}}.DynamicUser, config_parse_bool, true, offsetof({{type}}, exec_context.dynamic_user)
-{{type}}.DynamicUserNFTSet, config_parse_dynamic_user_nft_set, 0, offsetof({{type}}, exec_context)
 {{type}}.RemoveIPC, config_parse_bool, 0, offsetof({{type}}, exec_context.remove_ipc)
 {{type}}.StandardInput, config_parse_exec_input, 0, offsetof({{type}}, exec_context)
 {{type}}.StandardOutput, config_parse_exec_output, 0, offsetof({{type}}, exec_context)
@@ -242,7 +241,6 @@
 {{type}}.SocketBindAllow, config_parse_cgroup_socket_bind, 0, offsetof({{type}}, cgroup_context.socket_bind_allow)
 {{type}}.SocketBindDeny, config_parse_cgroup_socket_bind, 0, offsetof({{type}}, cgroup_context.socket_bind_deny)
 {{type}}.RestrictNetworkInterfaces, config_parse_restrict_network_interfaces, 0, offsetof({{type}}, cgroup_context)
-{{type}}.ControlGroupNFTSet, config_parse_cgroup_nft_set, 0, offsetof({{type}}, cgroup_context)
 {%- endmacro -%}
 %{
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 8c136b14027..3ff6eae8fce 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -35,10 +35,8 @@
 #include "env-util.h"
 #include "errno-list.h"
 #include "escape.h"
-#include "execute.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "firewall-util.h"
 #include "fs-util.h"
 #include "hexdecoct.h"
 #include "io-util.h"
@@ -6522,105 +6520,3 @@ int config_parse_tty_size(
 return config_parse_unsigned(unit, filename, line, section, section_line, lvalue, ltype, rvalue, data, userdata);
 }
-
-static int config_parse_nft_set(
- const char *unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- NFTSetContext **c,
- size_t *n,
- Unit *u) {
- _cleanup_free_ char *family_str = NULL, *table = NULL, *set = NULL, *table_resolved = NULL, *set_resolved = NULL;
- int nfproto, r;
- assert(filename);
- assert(lvalue);
- assert(rvalue);
- assert(u);
-
- if (isempty(rvalue)) {
- /* Empty assignment resets the list */
- *c = nft_set_context_free_many(*c, n);
- return 0;
- }
-
- for (const char *p = rvalue;;) {
- r = extract_many_words(&p, ":", EXTRACT_CUNESCAPE, &family_str, &table, &set, NULL);
- if (r == -ENOMEM)
- return log_oom();
- if (r == 0)
- break;
- if (r != 3) {
- log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse NFT set, ignoring: %s", p);
- return 0;
- }
-
- nfproto = nfproto_from_string(family_str);
- if (nfproto < 0) {
- log_syntax(unit, LOG_WARNING, filename, line, 0, "Unknown NFT protocol family, ignoring: %s", family_str);
- return 0;
- }
-
- r = unit_path_printf(u, table, &table_resolved);
- if (r < 0) {
- log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in '%s', ignoring: %m", table);
- return 0;
- }
-
- if (nft_identifier_bad(table_resolved))
- return log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid table name %s, ignoring", table);
-
- r = unit_path_printf(u, set, &set_resolved);
- if (r < 0) {
- log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in '%s', ignoring: %m", set);
- return 0;
- }
-
- if (nft_identifier_bad(set_resolved))
- return log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid set name %s, ignoring", set);
-
- r = nft_set_context_add(c, n, nfproto, table_resolved, set_resolved);
- if (r < 0)
- return log_oom();
- }
-
- return 0;
-}
-
-int config_parse_cgroup_nft_set(
- const char *unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- void *data,
- void *userdata) {
- CGroupContext *c = data;
- Unit *u = userdata;
-
- return config_parse_nft_set(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &c->nft_set_context, &c->n_nft_set_contexts, u);
-}
-
-int config_parse_dynamic_user_nft_set(
- const char *unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- void *data,
- void *userdata) {
- ExecContext *c = data;
- Unit *u = userdata;
-
- return config_parse_nft_set(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts, u);
-}
diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h
index c250e468461..26b8de28f7a 100644
--- a/src/core/load-fragment.h
+++ b/src/core/load-fragment.h
@@ -150,8 +150,6 @@ CONFIG_PARSER_PROTOTYPE(config_parse_cgroup_socket_bind);
 CONFIG_PARSER_PROTOTYPE(config_parse_restrict_network_interfaces);
 CONFIG_PARSER_PROTOTYPE(config_parse_watchdog_sec);
 CONFIG_PARSER_PROTOTYPE(config_parse_tty_size);
-CONFIG_PARSER_PROTOTYPE(config_parse_cgroup_nft_set);
-CONFIG_PARSER_PROTOTYPE(config_parse_dynamic_user_nft_set);
 /* gperf prototypes */
 const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
diff --git a/src/core/service.c b/src/core/service.c
index f8d751e32fc..5f1a218bb5b 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1877,9 +1877,6 @@ static void service_enter_dead(Service *s, ServiceResult f, bool allow_restart)
 /* Get rid of the IPC bits of the user */
 unit_unref_uid_gid(UNIT(s), true);
- /* Delete DynamicUserNFTSet= */
- exec_delete_dynamic_user_nft_set(&s->exec_context, s->dynamic_creds.user);
-
 /* Release the user, and destroy it if we are the only remaining owner */
 dynamic_creds_destroy(&s->dynamic_creds);
diff --git a/src/libsystemd/sd-netlink/netlink-types-genl.c b/src/libsystemd/sd-netlink/netlink-types-genl.c
index 149b4479e3f..bdd5700c6e2 100644
--- a/src/libsystemd/sd-netlink/netlink-types-genl.c
+++ b/src/libsystemd/sd-netlink/netlink-types-genl.c
@@ -221,26 +221,15 @@ static const NLType genl_wireguard_types[] = { [WGDEVICE_A_PEERS] = { .type = NETLINK_TYPE_NESTED, .type_system = &genl_wireguard_peer_type_system }, }; -/***************** genl NetLabel type systems *****************/ -static const NLType genl_netlabel_types[] = { - [NLBL_UNLABEL_A_IPV4ADDR] = { .type = NETLINK_TYPE_IN_ADDR, .size = sizeof(struct in_addr) }, - [NLBL_UNLABEL_A_IPV4MASK] = { .type = NETLINK_TYPE_IN_ADDR, .size = sizeof(struct in_addr) }, - [NLBL_UNLABEL_A_IPV6ADDR] = { .type = NETLINK_TYPE_IN_ADDR, .size = sizeof(struct in6_addr) }, - [NLBL_UNLABEL_A_IPV6MASK] = { .type = NETLINK_TYPE_IN_ADDR, .size = sizeof(struct in6_addr) }, - [NLBL_UNLABEL_A_IFACE] = { .type = NETLINK_TYPE_STRING, .size = IFNAMSIZ-1 }, - [NLBL_UNLABEL_A_SECCTX] = { .type = NETLINK_TYPE_STRING }, -}; - /***************** genl families *****************/ static const NLTypeSystemUnionElement genl_type_systems[] = { - { .name = CTRL_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_ctrl), }, - { .name = BATADV_NL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_batadv), }, - { .name = FOU_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_fou), }, - { .name = L2TP_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_l2tp), }, - { .name = MACSEC_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_macsec), }, - { .name = NL80211_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_nl80211), }, - { .name = WG_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_wireguard), }, - { .name = NETLBL_NLTYPE_UNLABELED_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_netlabel), }, + { .name = CTRL_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_ctrl), }, + { .name = BATADV_NL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_batadv), }, + { .name = FOU_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_fou), }, + { .name = L2TP_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_l2tp), }, + { .name = MACSEC_GENL_NAME, .type_system = 
TYPE_SYSTEM_FROM_TYPE(genl_macsec), }, + { .name = NL80211_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_nl80211), }, + { .name = WG_GENL_NAME, .type_system = TYPE_SYSTEM_FROM_TYPE(genl_wireguard), }, }; /* This is the root type system union, so match_attribute is not necessary. */ diff --git a/src/libsystemd/sd-netlink/test-netlink.c b/src/libsystemd/sd-netlink/test-netlink.c index 97085b84a77..fbc3ef06094 100644 --- a/src/libsystemd/sd-netlink/test-netlink.c +++ b/src/libsystemd/sd-netlink/test-netlink.c @@ -657,8 +657,6 @@ static void test_genl(void) { (void) sd_genl_message_new(genl, MACSEC_GENL_NAME, 0, &m); m = sd_netlink_message_unref(m); (void) sd_genl_message_new(genl, NL80211_GENL_NAME, 0, &m); - m = sd_netlink_message_unref(m); - (void) sd_genl_message_new(genl, NETLBL_NLTYPE_UNLABELED_NAME, 0, &m); for (;;) { r = sd_event_run(event, 500 * USEC_PER_MSEC); diff --git a/src/network/meson.build b/src/network/meson.build index e4def6bc51e..2315b56a333 100644 --- a/src/network/meson.build +++ b/src/network/meson.build @@ -115,8 +115,6 @@ sources = files( 'networkd-ndisc.h', 'networkd-neighbor.c', 'networkd-neighbor.h', - 'networkd-netlabel.c', - 'networkd-netlabel.h', 'networkd-network-bus.c', 'networkd-network-bus.h', 'networkd-network.c', diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c index fb9273934ed..8e8d5f77816 100644 --- a/src/network/networkd-address.c +++ b/src/network/networkd-address.c @@ -12,7 +12,6 @@ #include "networkd-dhcp-server.h" #include "networkd-ipv4acd.h" #include "networkd-manager.h" -#include "networkd-netlabel.h" #include "networkd-network.h" #include "networkd-queue.h" #include "networkd-route-util.h" 
@@ -138,9 +137,6 @@ Address *address_free(Address *address) {
 config_section_free(address->section);
 free(address->label);
- set_free(address->netlabels);
- nft_set_context_free_many(address->ipv4_nft_set_context, &address->n_ipv4_nft_set_contexts);
- nft_set_context_free_many(address->ipv6_nft_set_context, &address->n_ipv6_nft_set_contexts);
 return mfree(address);
 }
@@ -452,91 +448,6 @@ static int address_set_masquerade(Address *address, bool add) { return 0; } -static void address_add_nft_set_context(const Address *address, const NFTSetContext *nft_set_context, size_t n_nft_set_contexts) { - int r; - - assert(address); - - for (size_t i = 0; i < n_nft_set_contexts; i++) { - r = nft_set_element_add_in_addr(&nft_set_context[i], address->family, - &address->in_addr, address->prefixlen); - if (r < 0) - log_warning_errno(r, "Adding NFT family %s table %s set %s for IP address %s failed, ignoring", - nfproto_to_string(nft_set_context[i].nfproto), - nft_set_context[i].table, - nft_set_context[i].set, - IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen)); - } -} - -static void address_del_nft_set_context(const Address *address, const NFTSetContext *nft_set_context, size_t n_nft_set_contexts) { - int r; - - assert(address); - - for (size_t i = 0; i < n_nft_set_contexts; i++) { - r = nft_set_element_del_in_addr(&nft_set_context[i], address->family, - &address->in_addr, address->prefixlen); - if (r < 0) - log_warning_errno(r, "Deleting NFT family %s table %s set %s for IP address %s failed, ignoring", - nfproto_to_string(nft_set_context[i].nfproto), - nft_set_context[i].table, - nft_set_context[i].set, - IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen)); } -} - -static void address_add_nft_set(const Address *address) { - assert(address); - assert(address->link); - - if (!address->link->network || !IN_SET(address->family, AF_INET, AF_INET6)) - return; - - switch (address->source) { - case NETWORK_CONFIG_SOURCE_DHCP4: - return address_add_nft_set_context(address, address->link->network->dhcp_nft_set_context, address->link->network->n_dhcp_nft_set_contexts); - case NETWORK_CONFIG_SOURCE_DHCP6: - return address_add_nft_set_context(address, address->link->network->dhcp6_nft_set_context, address->link->network->n_dhcp6_nft_set_contexts); - case NETWORK_CONFIG_SOURCE_DHCP_PD: - 
return address_add_nft_set_context(address, address->link->network->dhcp_pd_nft_set_context, address->link->network->n_dhcp_pd_nft_set_contexts); - case NETWORK_CONFIG_SOURCE_NDISC: - return address_add_nft_set_context(address, address->link->network->ndisc_nft_set_context, address->link->network->n_ndisc_nft_set_contexts); - case NETWORK_CONFIG_SOURCE_STATIC: - if (address->family == AF_INET) - return address_add_nft_set_context(address, address->ipv4_nft_set_context, address->n_ipv4_nft_set_contexts); - else - return address_add_nft_set_context(address, address->ipv6_nft_set_context, address->n_ipv6_nft_set_contexts); - default: - return; - } -} - -static void address_del_nft_set(const Address *address) { - assert(address); - assert(address->link); - - if (!address->link->network || !IN_SET(address->family, AF_INET, AF_INET6)) - return; - - switch (address->source) { - case NETWORK_CONFIG_SOURCE_DHCP4: - return address_del_nft_set_context(address, address->link->network->dhcp_nft_set_context, address->link->network->n_dhcp_nft_set_contexts); - case NETWORK_CONFIG_SOURCE_DHCP6: - return address_del_nft_set_context(address, address->link->network->dhcp6_nft_set_context, address->link->network->n_dhcp6_nft_set_contexts); - case NETWORK_CONFIG_SOURCE_DHCP_PD: - return address_del_nft_set_context(address, address->link->network->dhcp_pd_nft_set_context, address->link->network->n_dhcp_pd_nft_set_contexts); - case NETWORK_CONFIG_SOURCE_NDISC: - return address_del_nft_set_context(address, address->link->network->ndisc_nft_set_context, address->link->network->n_ndisc_nft_set_contexts); - case NETWORK_CONFIG_SOURCE_STATIC: - if (address->family == AF_INET) - return address_del_nft_set_context(address, address->ipv4_nft_set_context, address->n_ipv4_nft_set_contexts); - else - return address_del_nft_set_context(address, address->ipv6_nft_set_context, address->n_ipv6_nft_set_contexts); - default: - return; - } -} - static int address_add(Link *link, Address *address) { int r; 
@@ -581,10 +492,6 @@ static int address_update(Address *address) { if (r < 0) return log_link_warning_errno(link, r, "Could not enable IP masquerading: %m"); - address_add_netlabel(address); - - address_add_nft_set(address); - if (address_is_ready(address) && address->callback) { r = address->callback(address); if (r < 0) @@ -611,10 +518,6 @@ static int address_drop(Address *address) { if (r < 0) log_link_warning_errno(link, r, "Failed to disable IP masquerading, ignoring: %m"); - address_del_nft_set(address); - - address_del_netlabel(address); - if (address->state == 0) address_free(address); @@ -2034,41 +1937,6 @@ int config_parse_duplicate_address_detection( return 0; } -int config_parse_address_netlabel( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - - Network *network = userdata; - _cleanup_(address_free_or_set_invalidp) Address *n = NULL; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - assert(network); - - r = address_new_static(network, filename, section_line, &n); - if (r == -ENOMEM) - return log_oom(); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to allocate new address, ignoring assignment: %m"); - return 0; - } - - return config_parse_netlabel(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &n->netlabels, network); -} - static int address_section_verify(Address *address) { if (section_is_invalid(address->section)) return -EINVAL; 
@@ -2172,71 +2040,3 @@ int network_drop_invalid_addresses(Network *network) { return 0; } - -int config_parse_address_ipv4_nft_set_context( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - Network *network = userdata; - _cleanup_(address_free_or_set_invalidp) Address *n = NULL; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - assert(network); - - r = address_new_static(network, filename, section_line, &n); - if (r == -ENOMEM) - return log_oom(); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to allocate new address, ignoring assignment: %m"); - return 0; - } - - return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &n->ipv4_nft_set_context, &n->n_ipv4_nft_set_contexts); -} - -int config_parse_address_ipv6_nft_set_context( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - Network *network = userdata; - _cleanup_(address_free_or_set_invalidp) Address *n = NULL; - int r; - - assert(filename); - assert(section); - assert(lvalue); - assert(rvalue); - assert(data); - assert(network); - - r = address_new_static(network, filename, section_line, &n); - if (r == -ENOMEM) - return log_oom(); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to allocate new address, ignoring assignment: %m"); - return 0; - } - - return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &n->ipv6_nft_set_context, &n->n_ipv6_nft_set_contexts); -} diff --git a/src/network/networkd-address.h b/src/network/networkd-address.h index c7746f931c5..0237c1cb98c 100644 --- a/src/network/networkd-address.h 
+++ b/src/network/networkd-address.h @@ -8,7 +8,6 @@ #include "sd-ipv4acd.h" #include "conf-parser.h" -#include "firewall-util.h" #include "in-addr-util.h" #include "networkd-link.h" #include "networkd-util.h" @@ -62,12 +61,6 @@ struct Address { /* Called when address become ready */ address_ready_callback_t callback; - - /* NetLabel */ - Set *netlabels; - - NFTSetContext *ipv4_nft_set_context, *ipv6_nft_set_context; - size_t n_ipv4_nft_set_contexts, n_ipv6_nft_set_contexts; }; const char* format_lifetime(char *buf, size_t l, usec_t lifetime_usec) _warn_unused_result_; @@ -142,6 +135,3 @@ CONFIG_PARSER_PROTOTYPE(config_parse_address_flags); CONFIG_PARSER_PROTOTYPE(config_parse_address_scope); CONFIG_PARSER_PROTOTYPE(config_parse_address_route_metric); CONFIG_PARSER_PROTOTYPE(config_parse_duplicate_address_detection); -CONFIG_PARSER_PROTOTYPE(config_parse_address_netlabel); -CONFIG_PARSER_PROTOTYPE(config_parse_address_ipv4_nft_set_context); -CONFIG_PARSER_PROTOTYPE(config_parse_address_ipv6_nft_set_context); diff --git a/src/network/networkd-netlabel.c b/src/network/networkd-netlabel.c deleted file mode 100644 index 5df41ea470d..00000000000 --- a/src/network/networkd-netlabel.c +++ /dev/null 
@@ -1,191 +0,0 @@ -/* SPDX-License-Identifier: LGPL-2.1-or-later */ - -#include "netlink-util.h" -#include "networkd-address.h" -#include "networkd-link.h" -#include "networkd-manager.h" -#include "networkd-netlabel.h" -#include "networkd-network.h" - -static int netlabel_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { - int r; - - assert_se(rtnl); - assert_se(m); - assert_se(link); - - r = sd_netlink_message_get_errno(m); - if (r < 0) { - log_link_message_warning_errno(link, m, r, "NetLabel operation failed, ignoring"); - return 1; - } - - log_link_debug(link, "NetLabel operation successful"); - - return 1; -} - -static int netlabel_command(uint16_t command, const char *label, const Address *address) { - _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; - int r; - - assert(address); - assert(address->link); - assert(address->link->manager); - assert(address->link->manager->genl); - assert(address->link->network); - assert(IN_SET(address->family, AF_INET, AF_INET6)); - - r = sd_genl_message_new(address->link->manager->genl, NETLBL_NLTYPE_UNLABELED_NAME, command, &m); - if (r < 0) - return r; - - r = sd_netlink_message_append_string(m, NLBL_UNLABEL_A_IFACE, address->link->ifname); - if (r < 0) - return r; - - if (command == NLBL_UNLABEL_C_STATICADD) { - assert(label); - r = sd_netlink_message_append_string(m, NLBL_UNLABEL_A_SECCTX, label); - if (r < 0) - return r; - } - - union in_addr_union netmask; - - r = in_addr_prefixlen_to_netmask(address->family, &netmask, address->prefixlen); - if (r < 0) - return r; - - if (address->family == AF_INET) { - r = sd_netlink_message_append_in_addr(m, NLBL_UNLABEL_A_IPV4ADDR, &address->in_addr.in); - if (r < 0) - return r; - - r = sd_netlink_message_append_in_addr(m, NLBL_UNLABEL_A_IPV4MASK, &netmask.in); - } else if (address->family == AF_INET6) { - r = sd_netlink_message_append_in6_addr(m, NLBL_UNLABEL_A_IPV6ADDR, &address->in_addr.in6); - if (r < 0) - return r; - - r = 
sd_netlink_message_append_in6_addr(m, NLBL_UNLABEL_A_IPV6MASK, &netmask.in6); - } - if (r < 0) - return r; - - r = netlink_call_async(address->link->manager->genl, NULL, m, netlabel_handler, link_netlink_destroy_callback, - address->link); - if (r < 0) - return r; - - link_ref(address->link); - return 0; -} - -static void address_add_netlabel_set(const Address *address, Set *labels) { - const char *label; - int r; - - SET_FOREACH(label, labels) { - r = netlabel_command(NLBL_UNLABEL_C_STATICADD, label, address); - if (r < 0) - log_link_warning_errno(address->link, r, "Adding NetLabel %s for IP address %s failed, ignoring", - label, - IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen)); - else - log_link_debug(address->link, "Adding NetLabel %s for IP address %s", label, - IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen)); - } -} - -void address_add_netlabel(const Address *address) { - assert(address); - assert(address->link); - - if (!address->link->network || !IN_SET(address->family, AF_INET, AF_INET6)) - return; - - switch (address->source) { - case NETWORK_CONFIG_SOURCE_DHCP4: - return address_add_netlabel_set(address, address->link->network->dhcp_netlabels); - case NETWORK_CONFIG_SOURCE_DHCP6: - return address_add_netlabel_set(address, address->link->network->dhcp6_netlabels); - case NETWORK_CONFIG_SOURCE_DHCP_PD: - return address_add_netlabel_set(address, address->link->network->dhcp_pd_netlabels); - case NETWORK_CONFIG_SOURCE_NDISC: - return address_add_netlabel_set(address, address->link->network->ndisc_netlabels); - case NETWORK_CONFIG_SOURCE_STATIC: - return address_add_netlabel_set(address, address->netlabels); - default: - return; - } -} - -void address_del_netlabel(const Address *address) { - int r; - - assert(address); - assert(address->link); - - if (!address->link->network || !IN_SET(address->family, AF_INET, AF_INET6)) - return; - - r = netlabel_command(NLBL_UNLABEL_C_STATICREMOVE, NULL, 
address); - if (r < 0) - log_link_warning_errno(address->link, r, "Deleting NetLabels for IP address %s failed, ignoring", - IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen)); - else - log_link_debug(address->link, "Deleting NetLabels for IP address %s", - IN_ADDR_PREFIX_TO_STRING(address->family, &address->in_addr, address->prefixlen)); -} - -int config_parse_netlabel( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - void *data, - void *userdata) { - int r; - Set **set = data; - - assert(filename); - assert(lvalue); - assert(rvalue); - assert(set); - - if (isempty(rvalue)) { - *set = set_free(*set); - return 0; - } - - for (const char *p = rvalue;;) { - _cleanup_free_ char *w = NULL; - - r = extract_first_word(&p, &w, NULL, 0); - if (r == -ENOMEM) - return log_oom(); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, - "Failed to extract NetLabel label, ignoring: %s", rvalue); - return 0; - } - if (r == 0) - return 0; - - /* Label semantics depend on LSM but let's do basic checks */ - if (!string_is_safe(w)) { - log_syntax(unit, LOG_WARNING, filename, line, 0, - "Bad NetLabel label, ignoring: %s", w); - continue; - } - - r = set_ensure_consume(set, &string_hash_ops_free, TAKE_PTR(w)); - if (r < 0) - return log_oom(); - } -} diff --git a/src/network/networkd-netlabel.h b/src/network/networkd-netlabel.h deleted file mode 100644 index 92f614fc73a..00000000000 --- a/src/network/networkd-netlabel.h +++ /dev/null @@ -1,7 +0,0 @@ -/* SPDX-License-Identifier: LGPL-2.1-or-later */ -#pragma once - -void address_add_netlabel(const Address *address); -void address_del_netlabel(const Address *address); - -CONFIG_PARSER_PROTOTYPE(config_parse_netlabel); diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf index faa9aa61b47..ceaaa6a0f7c 100644 
--- a/src/network/networkd-network-gperf.gperf +++ b/src/network/networkd-network-gperf.gperf @@ -25,7 +25,6 @@ _Pragma("GCC diagnostic ignored \"-Wimplicit-fallthrough\"") #include "networkd-ipv6ll.h" #include "networkd-lldp-tx.h" #include "networkd-ndisc.h" -#include "networkd-netlabel.h" #include "networkd-network.h" #include "networkd-neighbor.h" #include "networkd-nexthop.h" @@ -157,9 +156,6 @@ Address.AutoJoin, config_parse_address_flags, Address.DuplicateAddressDetection, config_parse_duplicate_address_detection, 0, 0 Address.Scope, config_parse_address_scope, 0, 0 Address.RouteMetric, config_parse_address_route_metric, 0, 0 -Address.NetLabel, config_parse_address_netlabel, 0, 0 -Address.IPv4NFTSet, config_parse_address_ipv4_nft_set_context, 0, 0 -Address.IPv6NFTSet, config_parse_address_ipv6_nft_set_context, 0, 0 IPv6AddressLabel.Prefix, config_parse_address_label_prefix, 0, 0 IPv6AddressLabel.Label, config_parse_address_label, 0, 0 Neighbor.Address, config_parse_neighbor_address, 0, 0 @@ -247,8 +243,6 @@ DHCPv4.SendVendorOption, config_parse_dhcp_send_option, DHCPv4.RouteMTUBytes, config_parse_mtu, AF_INET, offsetof(Network, dhcp_route_mtu) DHCPv4.FallbackLeaseLifetimeSec, config_parse_dhcp_fallback_lease_lifetime, 0, 0 DHCPv4.Use6RD, config_parse_bool, 0, offsetof(Network, dhcp_use_6rd) -DHCPv4.NetLabel, config_parse_netlabel, 0, offsetof(Network, dhcp_netlabels) -DHCPv4.NFTSet, config_parse_dhcp_nft_set_context, 0, 0 DHCPv6.UseAddress, config_parse_bool, 0, offsetof(Network, dhcp6_use_address) DHCPv6.UseDelegatedPrefix, config_parse_bool, 0, offsetof(Network, dhcp6_use_pd_prefix) DHCPv6.UseDNS, config_parse_dhcp_use_dns, AF_INET6, 0 
@@ -266,8 +260,6 @@ DHCPv6.SendOption, config_parse_dhcp_send_option, DHCPv6.IAID, config_parse_iaid, AF_INET6, 0 DHCPv6.DUIDType, config_parse_duid_type, 0, offsetof(Network, dhcp6_duid) DHCPv6.DUIDRawData, config_parse_duid_rawdata, 0, offsetof(Network, dhcp6_duid) -DHCPv6.NetLabel, config_parse_netlabel, 0, offsetof(Network, dhcp6_netlabels) -DHCPv6.NFTSet, config_parse_dhcp6_nft_set_context, 0, 0 IPv6AcceptRA.UseGateway, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_gateway) IPv6AcceptRA.UseRoutePrefix, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_route_prefix) IPv6AcceptRA.UseAutonomousPrefix, config_parse_bool, 0, offsetof(Network, ipv6_accept_ra_use_autonomous_prefix) @@ -285,8 +277,6 @@ IPv6AcceptRA.PrefixDenyList, config_parse_in_addr_prefixes, IPv6AcceptRA.RouteAllowList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_allow_listed_route_prefix) IPv6AcceptRA.RouteDenyList, config_parse_in_addr_prefixes, AF_INET6, offsetof(Network, ndisc_deny_listed_route_prefix) IPv6AcceptRA.Token, config_parse_address_generation_type, 0, offsetof(Network, ndisc_tokens) -IPv6AcceptRA.NetLabel, config_parse_netlabel, 0, offsetof(Network, ndisc_netlabels) -IPv6AcceptRA.NFTSet, config_parse_ndisc_nft_set_context, 0, 0 DHCPServer.ServerAddress, config_parse_dhcp_server_address, 0, 0 DHCPServer.UplinkInterface, config_parse_uplink, 0, 0 DHCPServer.RelayTarget, config_parse_in_addr_non_null, AF_INET, offsetof(Network, dhcp_server_relay_target) 
@@ -353,8 +343,6 @@ DHCPPrefixDelegation.Assign, config_parse_bool, DHCPPrefixDelegation.ManageTemporaryAddress, config_parse_bool, 0, offsetof(Network, dhcp_pd_manage_temporary_address) DHCPPrefixDelegation.Token, config_parse_address_generation_type, 0, offsetof(Network, dhcp_pd_tokens) DHCPPrefixDelegation.RouteMetric, config_parse_uint32, 0, offsetof(Network, dhcp_pd_route_metric) -DHCPPrefixDelegation.NetLabel, config_parse_netlabel, 0, offsetof(Network, dhcp_pd_netlabels) -DHCPPrefixDelegation.NFTSet, config_parse_dhcp_pd_nft_set_context, 0, 0 IPv6SendRA.RouterLifetimeSec, config_parse_router_lifetime, 0, offsetof(Network, router_lifetime_usec) IPv6SendRA.Managed, config_parse_bool, 0, offsetof(Network, router_managed) IPv6SendRA.OtherInformation, config_parse_bool, 0, offsetof(Network, router_other_information) diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c index 494e87e1265..39ea4eddd08 100644 --- a/src/network/networkd-network.c +++ b/src/network/networkd-network.c @@ -688,10 +688,6 @@ static Network *network_free(Network *network) { free(network->dhcp6_mudurl); strv_free(network->dhcp6_user_class); strv_free(network->dhcp6_vendor_class); - set_free(network->dhcp_netlabels); - set_free(network->dhcp6_netlabels); - nft_set_context_free_many(network->dhcp_nft_set_context, &network->n_dhcp_nft_set_contexts); - nft_set_context_free_many(network->dhcp6_nft_set_context, &network->n_dhcp6_nft_set_contexts); strv_free(network->ntp); for (unsigned i = 0; i < network->n_dns; i++) 
@@ -758,10 +754,6 @@ static Network *network_free(Network *network) { ordered_hashmap_free(network->dhcp6_client_send_vendor_options); set_free(network->dhcp_pd_tokens); set_free(network->ndisc_tokens); - set_free(network->dhcp_pd_netlabels); - set_free(network->ndisc_netlabels); - nft_set_context_free_many(network->dhcp_pd_nft_set_context, &network->n_dhcp_pd_nft_set_contexts); - nft_set_context_free_many(network->ndisc_nft_set_context, &network->n_ndisc_nft_set_contexts); return mfree(network); } 
@@ -1306,90 +1298,6 @@ int config_parse_ignore_carrier_loss(
 return 0;
 }
-int config_parse_dhcp_nft_set_context(
- const char *unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- void *data,
- void *userdata) {
- Network *network = userdata;
-
- assert(filename);
- assert(lvalue);
- assert(rvalue);
- assert(network);
-
- return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &network->dhcp_nft_set_context, &network->n_dhcp_nft_set_contexts);
-}
-
-int config_parse_dhcp6_nft_set_context(
- const char *unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- void *data,
- void *userdata) {
- Network *network = userdata;
-
- assert(filename);
- assert(lvalue);
- assert(rvalue);
- assert(network);
-
- return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &network->dhcp6_nft_set_context, &network->n_dhcp6_nft_set_contexts);
-}
-
-int config_parse_dhcp_pd_nft_set_context(
- const char *unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- void *data,
- void *userdata) {
- Network *network = userdata;
-
- assert(filename);
- assert(lvalue);
- assert(rvalue);
- assert(network);
-
- return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &network->dhcp_pd_nft_set_context, &network->n_dhcp_pd_nft_set_contexts);
-}
-
-int config_parse_ndisc_nft_set_context(
- const char *unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- void *data,
- void *userdata) {
- Network *network = userdata;
-
- assert(filename);
- assert(lvalue);
- assert(rvalue);
- assert(network);
-
- return config_parse_nft_set_context(unit, filename, line, section, section_line, lvalue, ltype, rvalue, &network->ndisc_nft_set_context, &network->n_ndisc_nft_set_contexts);
-}
-
 DEFINE_CONFIG_PARSE_ENUM(config_parse_required_family_for_online, link_required_address_family, AddressFamily, "Failed to parse RequiredFamilyForOnline= setting");
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
index 6d0748aedcf..98e6159040e 100644
--- a/src/network/networkd-network.h
+++ b/src/network/networkd-network.h
@@ -10,7 +10,6 @@
 #include "bridge.h"
 #include "condition.h"
 #include "conf-parser.h"
-#include "firewall-util.h"
 #include "hashmap.h"
 #include "ipoib.h"
 #include "net-condition.h"
@@ -156,9 +155,6 @@ struct Network {
 Set *dhcp_request_options;
 OrderedHashmap *dhcp_client_send_options;
 OrderedHashmap *dhcp_client_send_vendor_options;
- Set *dhcp_netlabels;
- NFTSetContext *dhcp_nft_set_context;
- size_t n_dhcp_nft_set_contexts;
 /* DHCPv6 Client support */
 bool dhcp6_use_address;
@@ -183,9 +179,6 @@ struct Network {
 OrderedHashmap *dhcp6_client_send_options;
 OrderedHashmap *dhcp6_client_send_vendor_options;
 Set *dhcp6_request_options;
- Set *dhcp6_netlabels;
- NFTSetContext *dhcp6_nft_set_context;
- size_t n_dhcp6_nft_set_contexts;
 /* DHCP Server Support */
 bool dhcp_server;
@@ -242,9 +235,6 @@ struct Network {
 Set *dhcp_pd_tokens;
 int dhcp_pd_uplink_index;
 char *dhcp_pd_uplink_name;
- Set *dhcp_pd_netlabels;
- NFTSetContext *dhcp_pd_nft_set_context;
- size_t n_dhcp_pd_nft_set_contexts;
 /* Bridge Support */
 int use_bpdu;
@@ -329,9 +319,6 @@ struct Network {
 Set *ndisc_deny_listed_route_prefix;
 Set *ndisc_allow_listed_route_prefix;
 Set *ndisc_tokens;
- Set *ndisc_netlabels;
- NFTSetContext *ndisc_nft_set_context;
- size_t n_ndisc_nft_set_contexts;
 /* LLDP support */
 LLDPMode lldp_mode; /* LLDP reception */
@@ -397,10 +384,6 @@ CONFIG_PARSER_PROTOTYPE(config_parse_keep_configuration);
 CONFIG_PARSER_PROTOTYPE(config_parse_activation_policy);
 CONFIG_PARSER_PROTOTYPE(config_parse_link_group);
 CONFIG_PARSER_PROTOTYPE(config_parse_ignore_carrier_loss);
-CONFIG_PARSER_PROTOTYPE(config_parse_dhcp_nft_set_context);
-CONFIG_PARSER_PROTOTYPE(config_parse_dhcp6_nft_set_context);
-CONFIG_PARSER_PROTOTYPE(config_parse_dhcp_pd_nft_set_context);
-CONFIG_PARSER_PROTOTYPE(config_parse_ndisc_nft_set_context);
 const struct ConfigPerfItem* network_network_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index 1ffdcf384fc..a326ca30a9a 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -16,7 +16,6 @@
 #include "exec-util.h"
 #include "exit-status.h"
 #include "fileio.h"
-#include "firewall-util.h"
 #include "hexdecoct.h"
 #include "hostname-util.h"
 #include "in-addr-util.h"
@@ -435,91 +434,6 @@ static int bus_append_ip_address_access(sd_bus_message *m, int family, const uni return sd_bus_message_close_container(m); } -static int bus_append_nft_set(sd_bus_message *m, const char *field, const char *eq) { - int r; - - assert(m); - - if (isempty(eq)) { - r = sd_bus_message_append(m, "(sv)", field, "a(iss)", 0); - if (r < 0) - return bus_log_create_error(r); - - return 1; - } - - r = sd_bus_message_open_container(m, SD_BUS_TYPE_STRUCT, "sv"); - if (r < 0) - return bus_log_create_error(r); - - r = sd_bus_message_append_basic(m, SD_BUS_TYPE_STRING, field); - if (r < 0) - return bus_log_create_error(r); - - r = sd_bus_message_open_container(m, 'v', "a(iss)"); - if (r < 0) - return bus_log_create_error(r); - - r = sd_bus_message_open_container(m, 'a', "(iss)"); - if (r < 0) - return bus_log_create_error(r); - - for (;;) { - _cleanup_free_ char *word = NULL; - int family; - - r = extract_first_word(&eq, &word, ":", 0); - if (r == -ENOMEM) - return log_oom(); - if (r < 0) - return log_error_errno(r, "Failed to parse %s: %m", field); - if (isempty(word)) { - log_error("Failed to parse %s", field); - return 0; - } - - family = nfproto_from_string(word); - if (family < 0) - return log_error_errno(family, "Failed to parse %s: %m", field); - - r = extract_first_word(&eq, &word, ":", EXTRACT_CUNESCAPE|EXTRACT_UNESCAPE_SEPARATORS); - if (r == -ENOMEM) - return log_oom(); - if (r < 0) - return log_error_errno(r, "Failed to parse %s: %m", field); - if (isempty(word) || isempty(eq)) { - log_error("Failed to parse %s", field); - return 0; - } - - _cleanup_free_ char *unescaped = NULL; - ssize_t l; - - l = cunescape(eq, 0, &unescaped); - if (l < 0) - return log_error_errno(l, "Failed to unescape %s= value: %s", field, eq); - - r = sd_bus_message_append(m, "(iss)", family, word, eq); - - r = sd_bus_message_close_container(m); - if (r < 0) - return bus_log_create_error(r); - } - r = sd_bus_message_close_container(m); - if (r < 0) - return 
bus_log_create_error(r);
-
- r = sd_bus_message_close_container(m);
- if (r < 0)
- return bus_log_create_error(r);
-
- r = sd_bus_message_close_container(m);
- if (r < 0)
- return bus_log_create_error(r);
-
- return 1;
-}
-
 static int bus_append_cgroup_property(sd_bus_message *m, const char *field, const char *eq) {
 int r;
@@ -977,9 +891,6 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
 return 1;
 }
- if (streq(field, "ControlGroupNFTSet"))
- return bus_append_nft_set(m, field, eq);
-
 return 0;
 }
@@ -2137,9 +2048,6 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
 return 1;
 }
- if (STR_IN_SET(field, "DynamicUserNFTSet"))
- return bus_append_nft_set(m, field, eq);
-
 return 0;
 }
diff --git a/src/shared/firewall-util-nft.c b/src/shared/firewall-util-nft.c
index 331aaf3f0b4..2f98e791c21 100644
--- a/src/shared/firewall-util-nft.c
+++ b/src/shared/firewall-util-nft.c
@@ -14,13 +14,11 @@
 #include "sd-netlink.h"
 #include "alloc-util.h"
-#include "extract-word.h"
 #include "firewall-util.h"
 #include "firewall-util-private.h"
 #include "in-addr-util.h"
 #include "macro.h"
 #include "socket-util.h"
-#include "string-table.h"
 #include "time-util.h"
 #define NFT_SYSTEMD_DNAT_MAP_NAME "map_port_ipport"
@@ -850,12 +848,9 @@ static int nft_message_add_setelem_ip6range(
 #define NFT_MASQ_MSGS 3
-static int nft_set_element_op_in_addr(
- sd_netlink *nfnl,
- const char *table,
- const char *set,
+static int fw_nftables_add_masquerade_internal(
+ FirewallContext *ctx,
 bool add,
- int nfproto,
 int af,
 const union in_addr_union *source,
 unsigned int source_prefixlen) {
@@ -870,14 +865,14 @@ static int nft_set_element_op_in_addr(
 if (af == AF_INET6 && source_prefixlen < 8)
 return -EINVAL;
- r = sd_nfnl_message_batch_begin(nfnl, &transaction[0]);
+ r = sd_nfnl_message_batch_begin(ctx->nfnl, &transaction[0]);
 if (r < 0)
 return r;
 tsize = 1;
 if (add)
- r = sd_nfnl_nft_message_new_setelems_begin(nfnl, &transaction[tsize], nfproto, table, set);
+ r = sd_nfnl_nft_message_new_setelems_begin(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME);
 else
- r = sd_nfnl_nft_message_del_setelems_begin(nfnl, &transaction[tsize], nfproto, table, set);
+ r = sd_nfnl_nft_message_del_setelems_begin(ctx->nfnl, &transaction[tsize], af, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME);
 if (r < 0)
 goto out_unref;
@@ -890,12 +885,12 @@ static int nft_set_element_op_in_addr(
 ++tsize;
 assert(tsize < NFT_MASQ_MSGS);
- r = sd_nfnl_message_batch_end(nfnl, &transaction[tsize]);
+ r = sd_nfnl_message_batch_end(ctx->nfnl, &transaction[tsize]);
 if (r < 0)
 return r;
 ++tsize;
- r = nfnl_netlink_sendv(nfnl, transaction, tsize);
+ r = nfnl_netlink_sendv(ctx->nfnl, transaction, tsize);
 out_unref:
 while (tsize > 0)
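Review bot: In the second hunk the failure path after `sd_nfnl_message_batch_end()` is still `if (r < 0) return r;`, which bypasses the `out_unref` loop and leaks the batch-begin and setelems messages already stored in `transaction[]`; the revert re-inlines this path into fw_nftables_add_masquerade_internal() but does not fix it. Since `tsize` has not yet been incremented at that point, `if (r < 0) goto out_unref;` would release exactly the messages that were built. The same early return is visible in the removed `nft_set_element_op()` further down, so it is pre-existing rather than introduced by this commit. The first hunk also makes `af` double as the nft protocol-family argument of `sd_nfnl_nft_message_new_setelems_begin()`, matching the removed wrapper that passed `af, af`; a comment such as `/* af is passed as the nfproto too: NFPROTO_IPV4/IPV6 share the AF_INET/AF_INET6 values */` would make that reliance explicit. The function's locals and any asserts between the signature and the first hunk are outside the visible hunks.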
@@ -903,65 +898,6 @@ out_unref:
 return r < 0 ? r : 0;
 }
-static int nft_set_element_op_in_addr_open(
- bool add,
- const NFTSetContext *nft_set_context,
- int af,
- const union in_addr_union *address,
- unsigned int prefixlen) {
-
- _cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
- const char *table, *set;
- int r, nfproto;
-
- assert(nft_set_context);
- nfproto = nft_set_context->nfproto;
- table = nft_set_context->table;
- assert(table);
- set = nft_set_context->set;
- assert(set);
-
- r = sd_nfnl_socket_open(&nfnl);
- if (r < 0)
- return r;
-
- r = nft_set_element_op_in_addr(nfnl, table, set,
- add, nfproto, af, address, prefixlen);
-
- log_debug("%s NFT family %s table %s set %s IP address %s",
- add ? "Added" : "Deleted",
- nfproto_to_string(nfproto), table, set,
- IN_ADDR_PREFIX_TO_STRING(af, address, prefixlen));
-
- return r;
-}
-
-int nft_set_element_add_in_addr(
- const NFTSetContext *nft_set_context,
- int af,
- const union in_addr_union *address,
- unsigned int prefixlen) {
- return nft_set_element_op_in_addr_open(true, nft_set_context, af, address, prefixlen);
-}
-
-int nft_set_element_del_in_addr(
- const NFTSetContext *nft_set_context,
- int af,
- const union in_addr_union *address,
- unsigned int prefixlen) {
- return nft_set_element_op_in_addr_open(false, nft_set_context, af, address, prefixlen);
-}
-
-static int fw_nftables_add_masquerade_internal(
- FirewallContext *ctx,
- bool add,
- int af,
- const union in_addr_union *source,
- unsigned int source_prefixlen) {
- return nft_set_element_op_in_addr(ctx->nfnl, NFT_SYSTEMD_TABLE_NAME, NFT_SYSTEMD_MASQ_SET_NAME,
- add, af, af, source, source_prefixlen);
-}
-
 int fw_nftables_add_masquerade(
 FirewallContext *ctx,
 bool add,
@@ -1135,222 +1071,3 @@ int fw_nftables_add_local_dnat( /* table created anew; previous address already gone */ return fw_nftables_add_local_dnat_internal(ctx, add, af, protocol, local_port, remote, remote_port, NULL); } - -static const char *const nfproto_table[] = { - [NFPROTO_ARP] = "arp", - [NFPROTO_BRIDGE] = "bridge", - [NFPROTO_INET] = "inet", - [NFPROTO_IPV4] = "ip", - [NFPROTO_IPV6] = "ip6", - [NFPROTO_NETDEV] = "netdev", -}; - -DEFINE_STRING_TABLE_LOOKUP(nfproto, int); - -#define NFT_SET_MSGS 3 - -static int nft_set_element_op(bool add, const NFTSetContext *nft_set_context, void *element, size_t element_size) { - _cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL; - sd_netlink_message *transaction[NFT_SET_MSGS] = {}; - _cleanup_free_ uint32_t *serial = NULL; - size_t tsize; - int r, nfproto; - const char *table, *set; - - assert(nft_set_context); - nfproto = nft_set_context->nfproto; - table = nft_set_context->table; - assert(table); - set = nft_set_context->set; - assert(set); - assert(element); - - r = sd_nfnl_socket_open(&nfnl); - if (r < 0) - return r; - - r = sd_nfnl_message_batch_begin(nfnl, &transaction[0]); - if (r < 0) - return r; - tsize = 1; - - if (add) - r = sd_nfnl_nft_message_new_setelems_begin(nfnl, &transaction[tsize], nfproto, table, set); - else - r = sd_nfnl_nft_message_del_setelems_begin(nfnl, &transaction[tsize], nfproto, table, set); - if (r < 0) - goto out_unref; - - r = sd_nfnl_nft_message_add_setelem(transaction[tsize], 0, element, element_size, NULL, 0); - if (r < 0) - return r; - - r = sd_nfnl_nft_message_add_setelem_end(transaction[tsize]); - if (r < 0) - return r; - ++tsize; - assert(tsize < ELEMENTSOF(transaction)); - r = sd_nfnl_message_batch_end(nfnl, &transaction[tsize]); - if (r < 0) - return r; - - ++tsize; - r = sd_netlink_sendv(nfnl, transaction, tsize, &serial); - -out_unref: - while (tsize > 0) - sd_netlink_message_unref(transaction[--tsize]); - return r < 0 ? 
r : 0; -} - -int nft_set_element_add_uint32(const NFTSetContext *nft_set_context, uint32_t element) { - int r; - - assert(nft_set_context); - r = nft_set_element_op(true, nft_set_context, &element, sizeof(element)); - if (r == 0) - log_debug("Added NFT family %s table %s set %s element %d", - nfproto_to_string(nft_set_context->nfproto), nft_set_context->table, nft_set_context->set, element); - return r; -} - -int nft_set_element_del_uint32(const NFTSetContext *nft_set_context, uint32_t element) { - int r; - - assert(nft_set_context); - r = nft_set_element_op(false, nft_set_context, &element, sizeof(element)); - if (r == 0) - log_debug("Deleted NFT family %s table %s set %s element %d", - nfproto_to_string(nft_set_context->nfproto), nft_set_context->table, nft_set_context->set, element); - return r; -} - -int nft_set_element_add_uint64(const NFTSetContext *nft_set_context, uint64_t element) { - int r; - - assert(nft_set_context); - r = nft_set_element_op(true, nft_set_context, &element, sizeof(element)); - if (r == 0) - log_debug("Added NFT family %s table %s set %s element %"PRIu64, - nfproto_to_string(nft_set_context->nfproto), nft_set_context->table, nft_set_context->set, element); - return r; -} - -int nft_set_element_del_uint64(const NFTSetContext *nft_set_context, uint64_t element) { - int r; - - assert(nft_set_context); - r = nft_set_element_op(false, nft_set_context, &element, sizeof(element)); - if (r == 0) - log_debug("Deleted NFT family %s table %s set %s element %"PRIu64, - nfproto_to_string(nft_set_context->nfproto), nft_set_context->table, nft_set_context->set, element); - return r; -} - -NFTSetContext* nft_set_context_free_many(NFTSetContext *s, size_t *n) { - assert(n); - assert(s || *n == 0); - - for (size_t i = 0; i < *n; i++) { - free(s[i].table); - free(s[i].set); - } - - free(s); - *n = 0; - return NULL; -} - -int nft_set_context_add(NFTSetContext **s, size_t *n, int nfproto, const char *table, const char *set) { - _cleanup_free_ char *table_dup 
= NULL, *set_dup = NULL; - assert(s); - assert(n); - - table_dup = strdup(table); - if (!table_dup) - return -ENOMEM; - - set_dup = strdup(set); - if (!set_dup) - return -ENOMEM; - - NFTSetContext *c; - c = reallocarray(*s, *n + 1, sizeof(NFTSetContext)); - if (!c) - return -ENOMEM; - - *s = c; - - c[(*n) ++] = (NFTSetContext) { - .nfproto = nfproto, - .table = TAKE_PTR(table_dup), - .set = TAKE_PTR(set_dup), - }; - - return 0; -} - -int config_parse_nft_set_context( - const char *unit, - const char *filename, - unsigned line, - const char *section, - unsigned section_line, - const char *lvalue, - int ltype, - const char *rvalue, - NFTSetContext **nft_set_context, - size_t *n) { - _cleanup_free_ char *family_str = NULL, *table = NULL, *set = NULL; - int nfproto, r; - - assert(filename); - assert(lvalue); - assert(rvalue); - assert(nft_set_context); - - if (isempty(rvalue)) { - nft_set_context_free_many(*nft_set_context, n); - - return 0; - } - - for (const char *p = rvalue;;) { - r = extract_many_words(&p, ":" WHITESPACE, EXTRACT_CUNESCAPE, &family_str, &table, &set, NULL); - if (r == -ENOMEM) - return log_oom(); - if (r == 0) - return 0; - if (r != 3) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse IPvxNFT set, ignoring: %s", rvalue); - return 0; - } - - nfproto = nfproto_from_string(family_str); - if (nfproto < 0) { - log_syntax(unit, LOG_WARNING, filename, line, 0, "Unknown NFT protocol family, ignoring: %s", family_str); - return 0; - } - - if (nft_identifier_bad(table)) - return log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid table name %s, ignoring", table); - - if (nft_identifier_bad(set)) - return log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid set name %s, ignoring", set); - - NFTSetContext *c; - c = reallocarray(*nft_set_context, *n + 1, sizeof(NFTSetContext)); - if (!c) - return -ENOMEM; - - *nft_set_context = c; - - c[(*n) ++] = (NFTSetContext) { - .nfproto = nfproto, - .table = TAKE_PTR(table), - .set = 
TAKE_PTR(set),
- };
- }
-
- return 0;
-}
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h
index 3cea144ab94..7725a5e58df 100644
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
@@ -29,43 +29,3 @@ int fw_add_local_dnat(
 const union in_addr_union *remote,
 uint16_t remote_port,
 const union in_addr_union *previous_remote);
-
-struct NFTSetContext {
- int nfproto;
- char *table;
- char *set;
-};
-typedef struct NFTSetContext NFTSetContext;
-
-int nft_set_context_add(NFTSetContext **s, size_t *n, int nfproto, const char *table, const char *set);
-NFTSetContext* nft_set_context_free_many(NFTSetContext *s, size_t *n);
-int config_parse_nft_set_context(
- const char *unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- NFTSetContext **nft_set_context,
- size_t *n);
-
-const char *nfproto_to_string(int i) _const_;
-int nfproto_from_string(const char *s) _pure_;
-
-int nft_set_element_add_in_addr(
- const NFTSetContext *nft_set_context,
- int af,
- const union in_addr_union *address,
- unsigned int prefixlen);
-int nft_set_element_del_in_addr(
- const NFTSetContext *nft_set_context,
- int af,
- const union in_addr_union *address,
- unsigned int prefixlen);
-
-int nft_set_element_add_uint32(const NFTSetContext *nft_set_context, uint32_t element);
-int nft_set_element_del_uint32(const NFTSetContext *nft_set_context, uint32_t element);
-int nft_set_element_add_uint64(const NFTSetContext *nft_set_context, uint64_t element);
-int nft_set_element_del_uint64(const NFTSetContext *nft_set_context, uint64_t element);
diff --git a/src/test/meson.build b/src/test/meson.build
index 081d79feeed..cc590f4f3d9 100644
--- a/src/test/meson.build
+++ b/src/test/meson.build
@@ -672,9 +672,6 @@ tests += [
 [files('test-hmac.c')],
 [files('test-sha256.c')],
-
- [files('test-nft-set.c'),
- [], [], [], '', 'manual'],
 ]
 ############################################################
diff --git a/src/test/test-in-addr-util.c b/src/test/test-in-addr-util.c
index 623e9f831ed..f5dcad65d54 100644
--- a/src/test/test-in-addr-util.c
+++ b/src/test/test-in-addr-util.c
@@ -364,35 +364,4 @@ TEST(in_addr_to_string) {
 test_in_addr_to_string_one(AF_INET6, "fe80::");
 }
-TEST(in_addr_prefixlen_to_netmask) {
- union in_addr_union addr;
- static const char *const ipv4_netmasks[] = {
- "0.0.0.0", "128.0.0.0", "192.0.0.0", "224.0.0.0", "240.0.0.0",
- "248.0.0.0", "252.0.0.0", "254.0.0.0", "255.0.0.0",
- "255.128.0.0", "255.192.0.0", "255.224.0.0", "255.240.0.0",
- "255.248.0.0", "255.252.0.0", "255.254.0.0", "255.255.0.0",
- "255.255.128.0", "255.255.192.0", "255.255.224.0", "255.255.240.0",
- "255.255.248.0", "255.255.252.0", "255.255.254.0", "255.255.255.0",
- "255.255.255.128", "255.255.255.192", "255.255.255.224", "255.255.255.240",
- "255.255.255.248", "255.255.255.252", "255.255.255.254", "255.255.255.255",
- };
-
- for (unsigned char prefixlen = 0; prefixlen <= 32; prefixlen++) {
- _cleanup_free_ char *r = NULL;
-
- assert_se(in_addr_prefixlen_to_netmask(AF_INET, &addr, prefixlen) >= 0);
- assert_se(in_addr_to_string(AF_INET, &addr, &r) >= 0);
- printf("test_in_addr_prefixlen_to_netmask: %s == %s\n", ipv4_netmasks[prefixlen], r);
- assert_se(streq(ipv4_netmasks[prefixlen], r));
- }
-
- for (unsigned char prefixlen = 0; prefixlen <= 128; prefixlen++) {
- _cleanup_free_ char *r = NULL;
-
- assert_se(in_addr_prefixlen_to_netmask(AF_INET6, &addr, prefixlen) >= 0);
- assert_se(in_addr_to_string(AF_INET6, &addr, &r) >= 0);
- printf("test_in_addr_prefixlen_to_netmask: %s\n", r);
- }
-}
-
 DEFINE_TEST_MAIN(LOG_DEBUG);
diff --git a/src/test/test-nft-set.c b/src/test/test-nft-set.c
deleted file mode 100644
index df5322b4b21..00000000000
--- a/src/test/test-nft-set.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include
-#include
-
-#include "firewall-util.h"
-#include "in-addr-util.h"
-#include "log.h"
-#include "parse-util.h"
-#include "string-util.h"
-#include "tests.h"
-
-int main(int argc, char **argv) {
- int r;
-
- assert_se(argc == 7);
-
- test_setup_logging(LOG_DEBUG);
-
- if (getuid() != 0)
- return log_tests_skipped("not root");
-
- int nfproto;
- nfproto = nfproto_from_string(argv[2]);
- assert_se(nfproto > 0);
-
- const NFTSetContext nft_set_context = {
- .nfproto = nfproto,
- .table = argv[3],
- .set = argv[4],
- };
-
- if (streq(argv[5], "uint32")) {
- uint32_t element;
- r = safe_atou32(argv[6], &element);
- assert_se(r == 0);
-
- if (streq(argv[1], "add"))
- r = nft_set_element_add_uint32(&nft_set_context, element);
- else
- r = nft_set_element_del_uint32(&nft_set_context, element);
- assert_se(r == 0);
- } else if (streq(argv[5], "uint64")) {
- uint64_t element;
- r = safe_atou64(argv[6], &element);
- assert_se(r == 0);
-
- if (streq(argv[1], "add"))
- r = nft_set_element_add_uint64(&nft_set_context, element);
- else
- r = nft_set_element_del_uint64(&nft_set_context, element);
- assert_se(r == 0);
- } else {
- union in_addr_union addr;
- int af;
- unsigned char prefixlen;
-
- r = in_addr_prefix_from_string_auto(argv[6], &af, &addr, &prefixlen);
- assert_se(r == 0);
-
- if (streq(argv[1], "add"))
- r = nft_set_element_add_in_addr(&nft_set_context, af, &addr, prefixlen);
- else
- r = nft_set_element_del_in_addr(&nft_set_context, af, &addr, prefixlen);
- assert_se(r == 0);
- }
-
- return 0;
-}
diff --git a/test/fuzz/fuzz-network-parser/directives b/test/fuzz/fuzz-network-parser/directives
index 803f0d19695..276f3c93076 100644
--- a/test/fuzz/fuzz-network-parser/directives
+++ b/test/fuzz/fuzz-network-parser/directives
@@ -131,8 +131,6 @@ MUDURL=
 RouteMTUBytes=
 FallbackLeaseLifetimeSec=
 Use6RD=
-NetLabel=
-NFTSet=
 [DHCPv6]
 UseAddress=
 UseDelegatedPrefix=
@@ -154,8 +152,6 @@ RouteMetric=
 IAID=
 DUIDType=
 DUIDRawData=
-NetLabel=
-NFTSet=
 [DHCPv6PrefixDelegation]
 SubnetId=
 Announce=
@@ -163,7 +159,6 @@ Assign=
 ManageTemporaryAddress=
 Token=
 RouteMetric=
-NetLabel=
 [DHCPPrefixDelegation]
 UplinkInterface=
 SubnetId=
@@ -172,8 +167,6 @@ Assign=
 ManageTemporaryAddress=
 Token=
 RouteMetric=
-NetLabel=
-NFTSet=
 [Route]
 Destination=
 Protocol=
@@ -260,8 +253,6 @@ DHCPv6PrefixDelegation=
 DHCPPrefixDelegation=
 BatmanAdvanced=
 IPoIB=
-IPv4NFTSet=
-IPv6NFTSet=
 [IPv6Prefix]
 Prefix=
 OnLink=
@@ -352,8 +343,6 @@ EmitDomains=
 Managed=
 OtherInformation=
 UplinkInterface=
-NetLabel=
-NFTSet=
 [IPv6PrefixDelegation]
 RouterPreference=
 DNSLifetimeSec=
diff --git a/test/fuzz/fuzz-unit-file/directives.mount b/test/fuzz/fuzz-unit-file/directives.mount
index 16d2138a04c..0a44328e5c6 100644
--- a/test/fuzz/fuzz-unit-file/directives.mount
+++ b/test/fuzz/fuzz-unit-file/directives.mount
@@ -28,7 +28,6 @@ Capabilities=
 CapabilityBoundingSet=
 ConfigurationDirectory=
 ConfigurationDirectoryMode=
-ControlGroupNFTSet=
 CoredumpFilter=
 DefaultMemoryLow=
 DefaultMemoryMin=
@@ -38,7 +37,6 @@ DevicePolicy=
 DirectoryMode=
 DisableControllers=
 DynamicUser=
-DynamicUserNFTSet=
 Environment=
 EnvironmentFile=
 ExecPaths=
diff --git a/test/fuzz/fuzz-unit-file/directives.scope b/test/fuzz/fuzz-unit-file/directives.scope
index c4d579065a6..4552d0b403d 100644
--- a/test/fuzz/fuzz-unit-file/directives.scope
+++ b/test/fuzz/fuzz-unit-file/directives.scope
@@ -8,7 +8,6 @@ BlockIODeviceWeight=
 BlockIOReadBandwidth=
 BlockIOWeight=
 BlockIOWriteBandwidth=
-ControlGroupNFTSet=
 CPUAccounting=
 CPUQuota=
 CPUQuotaPeriodSec=
diff --git a/test/fuzz/fuzz-unit-file/directives.service b/test/fuzz/fuzz-unit-file/directives.service
index 511c2f6b4fb..3c33d947fe2 100644
--- a/test/fuzz/fuzz-unit-file/directives.service
+++ b/test/fuzz/fuzz-unit-file/directives.service
@@ -72,7 +72,6 @@ ConditionSecurity=
 ConditionUser=
 ConditionVirtualization=
 Conflicts=
-ControlGroupNFTSet=
 DefaultDependencies=
 Description=
 Documentation=
@@ -160,7 +159,6 @@ DeviceAllow=
 DevicePolicy=
 DisableControllers=
 DynamicUser=
-DynamicUserNFTSet=
 Environment=
 EnvironmentFile=
 ExecCondition=
diff --git a/test/fuzz/fuzz-unit-file/directives.slice b/test/fuzz/fuzz-unit-file/directives.slice
index 749f1795e3d..ab77070c5ea 100644
--- a/test/fuzz/fuzz-unit-file/directives.slice
+++ b/test/fuzz/fuzz-unit-file/directives.slice
@@ -8,7 +8,6 @@ BlockIODeviceWeight=
 BlockIOReadBandwidth=
 BlockIOWeight=
 BlockIOWriteBandwidth=
-ControlGroupNFTSet=
 CPUAccounting=
 CPUQuota=
 CPUQuotaPeriodSec=
diff --git a/test/fuzz/fuzz-unit-file/directives.socket b/test/fuzz/fuzz-unit-file/directives.socket
index b9ad5e5f84e..90358fc11aa 100644
--- a/test/fuzz/fuzz-unit-file/directives.socket
+++ b/test/fuzz/fuzz-unit-file/directives.socket
@@ -33,7 +33,6 @@ Capabilities=
 CapabilityBoundingSet=
 ConfigurationDirectory=
 ConfigurationDirectoryMode=
-ControlGroupNFTSet=
 CoredumpFilter=
 DefaultMemoryLow=
 DefaultMemoryMin=
@@ -44,7 +43,6 @@ DevicePolicy=
 DirectoryMode=
 DisableControllers=
 DynamicUser=
-DynamicUserNFTSet=
 Environment=
 EnvironmentFile=
 ExecPaths=
diff --git a/test/fuzz/fuzz-unit-file/directives.swap b/test/fuzz/fuzz-unit-file/directives.swap
index 4721edce4be..5d057fa6306 100644
--- a/test/fuzz/fuzz-unit-file/directives.swap
+++ b/test/fuzz/fuzz-unit-file/directives.swap
@@ -28,7 +28,6 @@ Capabilities=
 CapabilityBoundingSet=
 ConfigurationDirectory=
 ConfigurationDirectoryMode=
-ControlGroupNFTSet=
 CoredumpFilter=
 DefaultMemoryLow=
 DefaultMemoryMin=
@@ -37,7 +36,6 @@ DeviceAllow=
 DevicePolicy=
 DisableControllers=
 DynamicUser=
-DynamicUserNFTSet=
 Environment=
 EnvironmentFile=
 ExecPaths=