-* add minimal NAT logic to networkd and nspawn. The former should be a simple NAT=yes|no|ipv4|ipv6 and expose a network on all other interfaces as NAT. The latter should get a "--port=" switch or so, which forwards one host port onto the container
+* When RLIMIT_NPROC is set from a unit file it currently always is set
+ for root, not for the user set in User=, which makes it
+ useless. After fixing this, set RLIMIT_NPROC for
+ systemd-journal-xyz, and all other of our services that run under
+ their own user ids, and use User= (but only in a world where userns
+ is ubiquitous since otherwise we cannot invoke those daemons on the
+ host AND in a container anymore). Also, if LimitNPROC= is used
+ without User= we should warn and refuse operation.