+* import: support verifiying raw images with gpg
+
+* core/cgroup: support net_cls modules, and support automatically allocating class ids, then add support for making firewall changes depending on it, to implement a per-service firewall
+
+* bus-proxy: reload policy when PID 1 reports a reload
+
+* the dbus1 connection user id is actually the euid, not the uid, and creds should return that
+
+* add minimal NAT logic to networkd and nspawn. The former should be a simple NAT=yes|no|ipv4|ipv6 and expose a network on all other interfaces as NAT. The latter should get a "--port=" switch or so, which forwards one host port onto the container
+
+* introduce systemd-nspawn-ephemeral@.service, and hook it into "machinectl start" with a new --ephemeral switch
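Review bot: "verifiying" in the first added entry is a typo for "verifying" and should be corrected before this lands. The dbus1 entry states a fact ("the dbus1 connection user id is actually the euid, not the uid") rather than a task; reword it as the action to take, for example "make creds return the euid for dbus1 connections", so it is clear what closes the item. The core/cgroup entry chains three pieces of work (net_cls support, automatic class id allocation, firewall changes) and would be easier to track as separate entries. In the NAT entry, `"--port=" switch or so` leaves the option name open; either settle on the name or say explicitly that it is a placeholder.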