diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index 26a5dbbd1e..066793c6e6 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -171,7 +171,10 @@
           <entry>WireGuard Secure Network Tunnel.</entry></row>
 
           <row><entry><varname>netdevsim</varname></entry>
-          <entry> A simulator. This simulated networking device is used for testing various networking APIs and at this time is particularly focused on testing hardware offloading related interfaces.</entry></row>
+          <entry>A simulator. This simulated networking device is used for testing various networking APIs and at this time is particularly focused on testing hardware offloading related interfaces.</entry></row>
+
+          <row><entry><varname>nlmon</varname></entry>
+          <entry>A Netlink monitor device. Use an nlmon device when you want to monitor system Netlink messages.</entry></row>
 
           <row><entry><varname>fou</varname></entry>
           <entry>Foo-over-UDP tunneling.</entry></row>
diff --git a/src/libsystemd/sd-netlink/netlink-types.c b/src/libsystemd/sd-netlink/netlink-types.c
index 7fd3efbd35..35ca843569 100644
--- a/src/libsystemd/sd-netlink/netlink-types.c
+++ b/src/libsystemd/sd-netlink/netlink-types.c
@@ -357,6 +357,7 @@ static const char* const nl_union_link_info_data_table[] = {
         [NL_UNION_LINK_INFO_DATA_NETDEVSIM] = "netdevsim",
         [NL_UNION_LINK_INFO_DATA_CAN] = "can",
         [NL_UNION_LINK_INFO_DATA_MACSEC] = "macsec",
+        [NL_UNION_LINK_INFO_DATA_NLMON] = "nlmon",
 };
 
 DEFINE_STRING_TABLE_LOOKUP(nl_union_link_info_data, NLUnionLinkInfoData);
diff --git a/src/libsystemd/sd-netlink/netlink-types.h b/src/libsystemd/sd-netlink/netlink-types.h
index 8585280463..fed43ae43c 100644
--- a/src/libsystemd/sd-netlink/netlink-types.h
+++ b/src/libsystemd/sd-netlink/netlink-types.h
@@ -82,6 +82,7 @@ typedef enum NLUnionLinkInfoData {
         NL_UNION_LINK_INFO_DATA_NETDEVSIM,
         NL_UNION_LINK_INFO_DATA_CAN,
         NL_UNION_LINK_INFO_DATA_MACSEC,
+        NL_UNION_LINK_INFO_DATA_NLMON,
         _NL_UNION_LINK_INFO_DATA_MAX,
         _NL_UNION_LINK_INFO_DATA_INVALID = -1
 } NLUnionLinkInfoData;
diff --git a/src/network/meson.build b/src/network/meson.build
index 0bcf7f4a81..feeb98cb07 100644
--- a/src/network/meson.build
+++ b/src/network/meson.build
@@ -13,6 +13,8 @@ sources = files('''
         netdev/macvlan.h
         netdev/netdev.c
         netdev/netdev.h
+        netdev/nlmon.c
+        netdev/nlmon.h
         netdev/tunnel.c
         netdev/tunnel.h
         netdev/tuntap.c
diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c
index 1c307a3125..5429237603 100644
--- a/src/network/netdev/netdev.c
+++ b/src/network/netdev/netdev.c
@@ -19,6 +19,7 @@
 #include "netdev/macvlan.h"
 #include "netdev/netdev.h"
 #include "netdev/netdevsim.h"
+#include "netdev/nlmon.h"
 #include "netdev/tunnel.h"
 #include "netdev/tuntap.h"
 #include "netdev/vcan.h"
@@ -70,6 +71,7 @@ const NetDevVTable * const netdev_vtable[_NETDEV_KIND_MAX] = {
         [NETDEV_KIND_ERSPAN] = &erspan_vtable,
         [NETDEV_KIND_L2TP] = &l2tptnl_vtable,
         [NETDEV_KIND_MACSEC] = &macsec_vtable,
+        [NETDEV_KIND_NLMON] = &nlmon_vtable,
 };
 
 static const char* const netdev_kind_table[_NETDEV_KIND_MAX] = {
@@ -104,6 +106,7 @@ static const char* const netdev_kind_table[_NETDEV_KIND_MAX] = {
         [NETDEV_KIND_ERSPAN] = "erspan",
         [NETDEV_KIND_L2TP] = "l2tp",
         [NETDEV_KIND_MACSEC] = "macsec",
+        [NETDEV_KIND_NLMON] = "nlmon",
 };
 
 DEFINE_STRING_TABLE_LOOKUP(netdev_kind, NetDevKind);
diff --git a/src/network/netdev/netdev.h b/src/network/netdev/netdev.h
index 8295ba1966..57fabbef40 100644
--- a/src/network/netdev/netdev.h
+++ b/src/network/netdev/netdev.h
@@ -49,6 +49,7 @@ typedef enum NetDevKind {
         NETDEV_KIND_ERSPAN,
         NETDEV_KIND_L2TP,
         NETDEV_KIND_MACSEC,
+        NETDEV_KIND_NLMON,
         _NETDEV_KIND_MAX,
         _NETDEV_KIND_TUNNEL, /* Used by config_parse_stacked_netdev() */
         _NETDEV_KIND_INVALID = -1
diff --git a/src/network/netdev/nlmon.c b/src/network/netdev/nlmon.c
new file mode 100644
index 0000000000..c58a6b51ca
--- /dev/null
+++ b/src/network/netdev/nlmon.c
@@ -0,0 +1,22 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include "netdev/nlmon.h"
+
+static int netdev_nlmon_verify(NetDev *netdev, const char *filename) {
+        assert(netdev);
+        assert(filename);
+
+        if (netdev->mac) {
+                log_netdev_warning(netdev, "%s: MACAddress= is not supported. Ignoring", filename);
+                netdev->mac = mfree(netdev->mac);
+        }
+
+        return 0;
+}
+
+const NetDevVTable nlmon_vtable = {
+        .object_size = sizeof(NLMon),
+        .sections = "Match\0NetDev\0",
+        .create_type = NETDEV_CREATE_INDEPENDENT,
+        .config_verify = netdev_nlmon_verify,
+};
diff --git a/src/network/netdev/nlmon.h b/src/network/netdev/nlmon.h
new file mode 100644
index 0000000000..590b62d863
--- /dev/null
+++ b/src/network/netdev/nlmon.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+#pragma once
+
+typedef struct NLMon NLMon;
+
+#include "netdev/netdev.h"
+
+struct NLMon {
+        NetDev meta;
+};
+
+DEFINE_NETDEV_CAST(NLMON, NLMon);
+
+extern const NetDevVTable nlmon_vtable;
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 924cc8ce6a..9486329b9a 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -132,7 +132,7 @@ bool link_ipv4ll_enabled(Link *link, AddressFamilyBoolean mask) {
         if (!link->network)
                 return false;
 
-        if (STRPTR_IN_SET(link->kind, "vrf", "wireguard", "ipip", "gre", "ip6gre", "ip6tnl", "sit", "vti", "vti6", "can", "vcan", "vxcan"))
+        if (STRPTR_IN_SET(link->kind, "vrf", "wireguard", "ipip", "gre", "ip6gre", "ip6tnl", "sit", "vti", "vti6", "can", "vcan", "vxcan", "nlmon"))
                 return false;
 
         /* L3 or L3S mode do not support ARP. */
@@ -142,6 +142,9 @@ bool link_ipv4ll_enabled(Link *link, AddressFamilyBoolean mask) {
         if (link->network->bond)
                 return false;
 
+        if (link->network->bond)
+                return false;
+
         return link->network->link_local & mask;
 }
 
@@ -157,7 +160,7 @@ static bool link_ipv6ll_enabled(Link *link) {
         if (!link->network)
                 return false;
 
-        if (STRPTR_IN_SET(link->kind, "vrf", "wireguard", "ipip", "gre", "sit", "vti", "can", "vcan", "vxcan"))
+        if (STRPTR_IN_SET(link->kind, "vrf", "wireguard", "ipip", "gre", "sit", "vti", "can", "vcan", "vxcan", "nlmon"))
                 return false;
 
         if (link->network->bond)