diff --git a/docs/containers.conf.5.md b/docs/containers.conf.5.md index ec71a827e..39c5cf6ef 100644 --- a/docs/containers.conf.5.md +++ b/docs/containers.conf.5.md @@ -459,9 +459,8 @@ and "$graphroot/networks" as rootless. The firewall driver to be used by netavark. The default is empty which means netavark will pick one accordingly. Current supported -drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is -experimental at the moment and not recommend outside of testing). In the future we are -planning to add support for a "nftables" driver. +drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is +experimental at the moment and not recommend outside of testing). **dns_bind_port**=53 diff --git a/libimage/manifests/manifests.go b/libimage/manifests/manifests.go index 64f06350f..2213e7357 100644 --- a/libimage/manifests/manifests.go +++ b/libimage/manifests/manifests.go @@ -663,6 +663,9 @@ func (l *list) Add(ctx context.Context, sys *types.SystemContext, ref types.Imag if err != nil { return "", fmt.Errorf("adding instance with digest %q: %w", *instanceInfo.instanceDigest, err) } + if err := l.List.SetArtifactType(instanceInfo.instanceDigest, instanceInfo.ArtifactType); err != nil { + return "", fmt.Errorf("setting artifact manifest type for instance with digest %q: %w", *instanceInfo.instanceDigest, err) + } if err = l.List.SetURLs(*instanceInfo.instanceDigest, instanceInfo.URLs); err != nil { return "", fmt.Errorf("setting URLs for instance with digest %q: %w", *instanceInfo.instanceDigest, err) } diff --git a/libimage/manifests/manifests_test.go b/libimage/manifests/manifests_test.go index e29c90772..859d7c6c7 100644 --- a/libimage/manifests/manifests_test.go +++ b/libimage/manifests/manifests_test.go 
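Review bot: The new SetArtifactType call in Add runs for every instance, so an instance whose source manifest has no artifactType passes an empty string through; whether SetArtifactType treats that as a no-op or as an error is not visible in the hunk, so please confirm, or guard it with `if instanceInfo.ArtifactType != ""`. The call also hands over `instanceInfo.instanceDigest` as a pointer where the SetURLs line right below dereferences it, and it binds a fresh `err` with `:=` where the neighbouring calls reuse the outer `err` with `=`; if the pointer is what SetArtifactType expects by design, then `if err = l.List.SetArtifactType(...)` would at least keep the error handling uniform with the lines around it. Add's body starts and ends outside the hunk.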
@@ -816,3 +816,24 @@ func TestInstanceByImageAndFiles(t *testing.T) {
 assert.NoError(t, err)
 assert.ElementsMatch(t, []string{}, noFiles)
 }
+
+ // TestAddIndexOfArtifacts ensures that we don't fail to preserve artifactType
+ // fields in artifact manifests when added from one list to another.
+ func TestAddIndexOfArtifacts(t *testing.T) {
+ ctx := context.Background()
+
+ absPath, err := filepath.Abs(filepath.Join("..", "..", "pkg", "manifests", "testdata", "artifacts", "index"))
+ require.NoError(t, err)
+ rawPath := "oci:" + absPath
+ ref, err := alltransports.ParseImageName(rawPath)
+ require.NoErrorf(t, err, "ParseImageName(%q)", rawPath)
+
+ cookedList := Create()
+ _, err = cookedList.Add(ctx, sys, ref, true)
+ assert.NoError(t, err, "list.Add()")
+
+ cooked := cookedList.OCIv1()
+ for _, instance := range cooked.Manifests {
+ assert.NotEmpty(t, instance.ArtifactType, "lost the artifactType field")
+ }
+}
diff --git a/libnetwork/cni/network.go b/libnetwork/cni/network.go
index 94d13f7a0..7e001fab0 100644
--- a/libnetwork/cni/network.go
+++ b/libnetwork/cni/network.go
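Review bot: The final loop in TestAddIndexOfArtifacts asserts nothing when cooked.Manifests is empty, so a regression in which Add drops instances, or a testdata path that resolves to an empty index, passes silently; add `require.NotEmpty(t, cooked.Manifests)` before the loop. The `assert.NoError` after `cookedList.Add` should be `require.NoError`, since OCIv1() is meaningless once Add has failed. The fixtures added by this commit carry known values (`application/vnd.reproducer+bar` and `application/vnd.reproducer+foo`), so collecting the ArtifactType fields and checking them with `assert.ElementsMatch` would pin the behaviour more tightly than NotEmpty. `sys` is not declared in the hunk and is presumably a package-level SystemContext shared with the other tests.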
@@ -82,9 +82,23 @@ type InitConfig struct {
 // NewCNINetworkInterface creates the ContainerNetwork interface for the CNI backend.
 // Note: The networks are not loaded from disk until a method is called.
 func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
+ var netns *rootlessnetns.Netns
+ var err error
+ // Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
+ // IsRootless() also returns true if we are root in a userns which is not what we care about and
+ // causes issues as this slower more complicated rootless-netns logic should not be used as root.
+ val, ok := os.LookupEnv(unshare.UsernsEnvName)
+ useRootlessNetns := ok && val == "done"
+ if useRootlessNetns {
+ netns, err = rootlessnetns.New(conf.RunDir, rootlessnetns.CNI, conf.Config)
+ if err != nil {
+ return nil, err
+ }
+ }
+
 // root needs to use a globally unique lock because there is only one host netns
 lockPath := defaultRootLockPath
- if unshare.IsRootless() {
+ if useRootlessNetns {
 lockPath = filepath.Join(conf.CNIConfigDir, "cni.lock")
 }
 
@@ -112,14 +126,6 @@ func NewCNINetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 defaultSubnetPools = config.DefaultSubnetPools
 }
 
- var netns *rootlessnetns.Netns
- if unshare.IsRootless() {
- netns, err = rootlessnetns.New(conf.RunDir, rootlessnetns.CNI, conf.Config)
- if err != nil {
- return nil, err
- }
- }
-
 cni := libcni.NewCNIConfig(conf.Config.Network.CNIPluginDirs.Values, &cniExec{})
 n := &cniNetwork{
 cniConfigDir: conf.CNIConfigDir,
diff --git a/libnetwork/netavark/network.go b/libnetwork/netavark/network.go
index d79fdff43..6ec4a9d15 100644
--- a/libnetwork/netavark/network.go
+++ b/libnetwork/netavark/network.go
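Review bot: The re-exec detection `val, ok := os.LookupEnv(unshare.UsernsEnvName)` / `useRootlessNetns := ok && val == "done"` and its three-line rationale comment are now duplicated verbatim in NewCNINetworkInterface here and in NewNetworkInterface in libnetwork/netavark/network.go (the next hunk), and the `"done"` sentinel is a protocol value owned by the unshare package rather than by either backend; a single helper in the shared rootlessnetns package, e.g. `func IsRootlessNetns() bool` (name constructed), would keep the two backends from drifting and should use a named constant for the value if unshare exports one. Because this check, not the process's real privilege, selects both the rootless netns setup and the per-config-dir lock instead of the global one, a root invocation that merely inherits the variable from a parent process would take the rootless path the comment says must not be used as root; stating next to the check that the variable is only expected to be set by this process's own re-exec, and that the stricter `== "done"` test (versus the presence-only check removed on the netavark side) is deliberate, would make that assumption explicit. NewCNINetworkInterface continues past the end of the first hunk and past the end of the second.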
@@ -96,9 +96,23 @@ type InitConfig struct {
 // NewNetworkInterface creates the ContainerNetwork interface for the netavark backend.
 // Note: The networks are not loaded from disk until a method is called.
 func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
+ var netns *rootlessnetns.Netns
+ var err error
+ // Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
+ // IsRootless() also returns true if we are root in a userns which is not what we care about and
+ // causes issues as this slower more complicated rootless-netns logic should not be used as root.
+ val, ok := os.LookupEnv(unshare.UsernsEnvName)
+ useRootlessNetns := ok && val == "done"
+ if useRootlessNetns {
+ netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
+ if err != nil {
+ return nil, err
+ }
+ }
+
 // root needs to use a globally unique lock because there is only one host netns
 lockPath := defaultRootLockPath
- if unshare.IsRootless() {
+ if useRootlessNetns {
 lockPath = filepath.Join(conf.NetworkConfigDir, "netavark.lock")
 }
 
@@ -134,18 +148,6 @@ func NewNetworkInterface(conf *InitConfig) (types.ContainerNetwork, error) {
 defaultSubnetPools = config.DefaultSubnetPools
 }
 
- var netns *rootlessnetns.Netns
- // Do not use unshare.IsRootless() here. We only care if we are running re-exec in the userns,
- // IsRootless() also returns true if we are root in a userns which is not what we care about and
- // causes issues as this slower more complicated rootless-netns logic should not be used as root.
- _, useRootlessNetns := os.LookupEnv(unshare.UsernsEnvName)
- if useRootlessNetns {
- netns, err = rootlessnetns.New(conf.NetworkRunDir, rootlessnetns.Netavark, conf.Config)
- if err != nil {
- return nil, err
- }
- }
-
 n := &netavarkNetwork{
 networkConfigDir: conf.NetworkConfigDir,
 networkRunDir: conf.NetworkRunDir,
diff --git a/pkg/config/config_windows.go b/pkg/config/config_windows.go index fbe1bb3f1..b2cd751a1 100644 --- a/pkg/config/config_windows.go +++ b/pkg/config/config_windows.go @@ -5,7 +5,7 @@ import "os" const ( // _configPath is the path to the containers/containers.conf // inside a given config directory. - _configPath = "containers\\containers.conf" + _configPath = "\\containers\\containers.conf" // DefaultContainersConfig holds the default containers config path DefaultContainersConfig = "" diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf index 7d79df07a..c00efecbb 100644 --- a/pkg/config/containers.conf +++ b/pkg/config/containers.conf @@ -350,9 +350,9 @@ default_sysctls = [ # The firewall driver to be used by netavark. # The default is empty which means netavark will pick one accordingly. Current supported -# drivers are "iptables", "none" (no firewall rules will be created) and "firewalld" (firewalld is -# experimental at the moment and not recommend outside of testing). In the future we are -# planning to add support for a "nftables" driver. +# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is +# experimental at the moment and not recommend outside of testing). +# #firewall_driver = "" @@ -890,10 +890,10 @@ default_sysctls = [ [podmansh] # Shell to spawn in container. Default: /bin/sh. #shell = "/bin/sh" -# +# # Name of the container the podmansh user should join. #container = "podmansh" -# +# # Default timeout in seconds for podmansh logins. # Favored over the deprecated "podmansh_timeout" field. #timeout = 30 diff --git a/pkg/manifests/testdata/artifacts/index/blobs/sha256/11a1bc9fb43d6791f7f881a0375f88e83b10ea1c040a8d6d986cf799bb56e981 b/pkg/manifests/testdata/artifacts/index/blobs/sha256/11a1bc9fb43d6791f7f881a0375f88e83b10ea1c040a8d6d986cf799bb56e981 new file mode 100644 index 000000000..3afcb2357 --- /dev/null 
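Review bot: Prefixing `_configPath` with a separator only changes anything if the constant is concatenated onto a directory string rather than joined with filepath.Join, and that use site lies outside the hunk; if plain concatenation is what happens, the more robust fix is to keep the constant relative and compose the path with `filepath.Join(dir, _configPath)` at the caller, which tolerates both a trailing and a missing separator on the directory. If the leading separator is intentional, the comment above the constant should say why, e.g. `// _configPath is appended verbatim to a config directory, hence the leading separator.` The containers.conf hunks on this line are comment-text and trailing-whitespace changes only.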
+++ b/pkg/manifests/testdata/artifacts/index/blobs/sha256/11a1bc9fb43d6791f7f881a0375f88e83b10ea1c040a8d6d986cf799bb56e981
@@ -0,0 +1,15 @@
+{
+ "layers": [
+ {
+ "digest": "sha256:541b3e9daa09b20bf85fa273e5cbd3e80185aa4ec298e765db87742b70138a53",
+ "mediaType": "application/octet-stream",
+ "size": 1000,
+ "annotations": {
+ "org.opencontainers.image.ref.name": "one-thousand"
+ }
+ }
+ ],
+ "mediaType": "application/vnd.oci.image.manifest.v1+json",
+ "artifactType": "application/vnd.reproducer+foo",
+ "schemaVersion": 2
+}
diff --git a/pkg/manifests/testdata/artifacts/index/blobs/sha256/25cb16f769a2248cde5556529b88e3cdff322dbe5c71e40cfb24030221e88b06 b/pkg/manifests/testdata/artifacts/index/blobs/sha256/25cb16f769a2248cde5556529b88e3cdff322dbe5c71e40cfb24030221e88b06
new file mode 100644
index 000000000..81f411c4a
--- /dev/null
+++ b/pkg/manifests/testdata/artifacts/index/blobs/sha256/25cb16f769a2248cde5556529b88e3cdff322dbe5c71e40cfb24030221e88b06
@@ -0,0 +1,15 @@
+{
+ "layers": [
+ {
+ "digest": "sha256:e6304a473c65ecd0ccffbd2f5925a8f51c44b11f59b66cfcc055e4bb911b8fa0",
+ "mediaType": "application/octet-stream",
+ "size": 500,
+ "annotations": {
+ "org.opencontainers.image.ref.name": "five-hundred"
+ }
+ }
+ ],
+ "mediaType": "application/vnd.oci.image.manifest.v1+json",
+ "artifactType": "application/vnd.reproducer+bar",
+ "schemaVersion": 2
+}
diff --git a/pkg/manifests/testdata/artifacts/index/blobs/sha256/541b3e9daa09b20bf85fa273e5cbd3e80185aa4ec298e765db87742b70138a53 b/pkg/manifests/testdata/artifacts/index/blobs/sha256/541b3e9daa09b20bf85fa273e5cbd3e80185aa4ec298e765db87742b70138a53
new file mode 100644
index 000000000..012b32793
Binary files /dev/null and b/pkg/manifests/testdata/artifacts/index/blobs/sha256/541b3e9daa09b20bf85fa273e5cbd3e80185aa4ec298e765db87742b70138a53 differ
diff --git a/pkg/manifests/testdata/artifacts/index/blobs/sha256/74c31168f466d846e0e0cf46fc8c14e0c516500558166654fce7555682b1cba6 b/pkg/manifests/testdata/artifacts/index/blobs/sha256/74c31168f466d846e0e0cf46fc8c14e0c516500558166654fce7555682b1cba6
new file mode 100644
index 000000000..0ea7e13bb
--- /dev/null
+++ b/pkg/manifests/testdata/artifacts/index/blobs/sha256/74c31168f466d846e0e0cf46fc8c14e0c516500558166654fce7555682b1cba6
@@ -0,0 +1,26 @@
+{
+ "schemaVersion": 2,
+ "mediaType": "application/vnd.oci.image.index.v1+json",
+ "manifests": [
+ {
+ "mediaType": "application/vnd.oci.image.manifest.v1+json",
+ "digest": "sha256:25cb16f769a2248cde5556529b88e3cdff322dbe5c71e40cfb24030221e88b06",
+ "size": 417,
+ "platform": {
+ "architecture": "s390x",
+ "os": "linux"
+ },
+ "artifactType": "application/vnd.reproducer+bar"
+ },
+ {
+ "mediaType": "application/vnd.oci.image.manifest.v1+json",
+ "digest": "sha256:11a1bc9fb43d6791f7f881a0375f88e83b10ea1c040a8d6d986cf799bb56e981",
+ "size": 418,
+ "platform": {
+ "architecture": "ppc64le",
+ "os": "linux"
+ },
+ "artifactType": "application/vnd.reproducer+foo"
+ }
+ ]
+}
diff --git a/pkg/manifests/testdata/artifacts/index/blobs/sha256/e6304a473c65ecd0ccffbd2f5925a8f51c44b11f59b66cfcc055e4bb911b8fa0 b/pkg/manifests/testdata/artifacts/index/blobs/sha256/e6304a473c65ecd0ccffbd2f5925a8f51c44b11f59b66cfcc055e4bb911b8fa0
new file mode 100644
index 000000000..a74751b6e
Binary files /dev/null and b/pkg/manifests/testdata/artifacts/index/blobs/sha256/e6304a473c65ecd0ccffbd2f5925a8f51c44b11f59b66cfcc055e4bb911b8fa0 differ
diff --git a/pkg/manifests/testdata/artifacts/index/index.json b/pkg/manifests/testdata/artifacts/index/index.json
new file mode 100644
index 000000000..3843b4fbf
--- /dev/null
+++ b/pkg/manifests/testdata/artifacts/index/index.json
@@ -0,0 +1,11 @@
+{
+ "schemaVersion": 2,
+ "mediaType": "application/vnd.oci.image.index.v1+json",
+ "manifests": [
+ {
+ "mediaType": "application/vnd.oci.image.index.v1+json",
+ "digest": "sha256:74c31168f466d846e0e0cf46fc8c14e0c516500558166654fce7555682b1cba6",
+ "size": 760
+ }
+ ]
+}
diff --git a/pkg/manifests/testdata/artifacts/index/oci-layout b/pkg/manifests/testdata/artifacts/index/oci-layout
new file mode 100644
index 000000000..10ff2f3ce
--- /dev/null
+++ b/pkg/manifests/testdata/artifacts/index/oci-layout
@@ -0,0 +1,3 @@
+{
+ "imageLayoutVersion": "1.0.0"
+}