diff --git a/.gitignore b/.gitignore
index 2cb7624..57bb59a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-/chrony-4.2.tar.gz
-/chrony-4.2-tar-gz-asc.txt
-/clknetsim-824c48.tar.gz
+/chrony-4.3.tar.gz
+/chrony-4.3-tar-gz-asc.txt
+/clknetsim-f00531.tar.gz
diff --git a/chrony-nm-dispatcher-dhcp.patch b/chrony-nm-dispatcher-dhcp.patch
index d424737..dd9fc2a 100644
--- a/chrony-nm-dispatcher-dhcp.patch
+++ b/chrony-nm-dispatcher-dhcp.patch
@@ -1,146 +1,3 @@
-commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14
-Author: Miroslav Lichvar
-Date: Mon Feb 7 13:27:25 2022 +0100
-
- examples: support DHCPv6 NTP servers in NM dispatcher script
-
- Latest NetworkManager code provides NTP servers from the DHCPv6 NTP
- option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher
- scripts.
-
- Check for invalid characters (which can come from the FQDN suboption)
- and include the servers in the interface-specific sources file.
-
-diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
-index 6ea4c370..4454f037 100644
---- a/examples/chrony.nm-dispatcher.dhcp
-+++ b/examples/chrony.nm-dispatcher.dhcp
-@@ -1,8 +1,7 @@
- #!/bin/sh
- # This is a NetworkManager dispatcher script for chronyd to update
--# its NTP sources passed from DHCP options. Note that this script is
--# specific to NetworkManager-dispatcher due to use of the
--# DHCP4_NTP_SERVERS environment variable.
-+# its NTP sources with servers from DHCP options passed by NetworkManager
-+# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables.
- 
- export LC_ALL=C
- 
-@@ -10,17 +9,19 @@ interface=$1
- action=$2
- 
- chronyc=/usr/bin/chronyc
--default_server_options=iburst
-+server_options=iburst
- server_dir=/var/run/chrony-dhcp
- 
- dhcp_server_file=$server_dir/$interface.sources
--# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager.
--nm_dhcp_servers=$DHCP4_NTP_SERVERS
-+dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS"
- 
- add_servers_from_dhcp() {
- rm -f "$dhcp_server_file"
-- for server in $nm_dhcp_servers; do
-- echo "server $server $default_server_options" >> "$dhcp_server_file"
-+ for server in $dhcp_ntp_servers; do
-+ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
-+ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
-+
-+ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
- done
- $chronyc reload sources > /dev/null 2>&1 || :
- }
-@@ -34,10 +35,11 @@ clear_servers_from_dhcp() {
- 
- mkdir -p $server_dir
- 
--if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then
-- add_servers_from_dhcp
--elif [ "$action" = "down" ]; then
-- clear_servers_from_dhcp
--fi
-+case "$action" in
-+ up|dhcp4-change|dhcp6-change)
-+ add_servers_from_dhcp;;
-+ down)
-+ clear_servers_from_dhcp;;
-+esac
- 
- exit 0
-
-commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf
-Author: Miroslav Lichvar
-Date: Mon Feb 7 13:27:48 2022 +0100
-
- examples: handle more actions in NM dispatcher script
-
- Run the chronyc onoffline command also when the connectivity-change
- and dhcp6-change actions are reported by the NetworkManager dispatcher.
-
- The latter should not be necessary, but there currently doesn't seem to
- be any action for IPv6 becoming routable after duplicate address
- detection, so at least in networks using DHCPv6, IPv6 NTP servers should
- not be stuck in the offline state from a previously reported action.
-
-diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline
-index 34cfa0db..01e6fdb1 100644
---- a/examples/chrony.nm-dispatcher.onoffline
-+++ b/examples/chrony.nm-dispatcher.onoffline
-@@ -7,8 +7,18 @@ export LC_ALL=C
- 
- chronyc=/usr/bin/chronyc
- 
--# For NetworkManager consider only up/down events
--[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0
-+# For NetworkManager consider only selected events
-+if [ $# -ge 2 ]; then
-+ case "$2" in
-+ up|down|connectivity-change)
-+ ;;
-+ dhcp6-change)
-+ # No other action is reported for routable IPv6
-+ ;;
-+ *)
-+ exit 0;;
-+ esac
-+fi
- 
- # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off
- 
-commit fca8966adaaf8376536af86ba2afe02501463588
-Author: Miroslav Lichvar
-Date: Wed Mar 23 15:17:03 2022 +0100
-
- examples: replace grep command in NM dispatcher script
-
- Some grep implementations detect binary data and return success without
- matching whole line. This might be an issue for the DHCPv6 NTP FQDN
- check. The GNU grep in the C locale seems to check only for the NUL
- character, which cannot be passed in an environment variable, but other
- implementations might behave differently and there doesn't seem to be a
- portable way to force matching the whole line.
-
- Instead of the grep command, check for invalid characters by comparing
- the length of the input passed through "tr -d -c".
-
-diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp
-index 4454f037..547ce83f 100644
---- a/examples/chrony.nm-dispatcher.dhcp
-+++ b/examples/chrony.nm-dispatcher.dhcp
-@@ -19,7 +19,11 @@ add_servers_from_dhcp() {
- rm -f "$dhcp_server_file"
- for server in $dhcp_ntp_servers; do
- # Check for invalid characters (from the DHCPv6 NTP FQDN suboption)
-- printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue
-+ len1=$(printf '%s' "$server" | wc -c)
-+ len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c)
-+ if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then
-+ continue
-+ fi
- 
- printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file"
- done
 From: Robert Fairley
 Date: Wed, 17 Jun 2020 10:14:19 -0400
 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig
diff --git a/chrony-seccomp.patch b/chrony-seccomp.patch
deleted file mode 100644
index 523759c..0000000
--- a/chrony-seccomp.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d
-Author: Michael Hudson-Doyle
-Date: Wed Feb 9 09:06:13 2022 +0100
-
- sys_linux: allow rseq in seccomp filter
-
- Libc 2.35 will use rseq syscalls [1][2] by default and thereby
- break chrony in seccomp isolation.
-
- [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
- [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
-
- Tested-by: Christian Ehrhardt
- Reviewed-by: Christian Ehrhardt
- Signed-off-by: Michael Hudson-Doyle
- Signed-off-by: Christian Ehrhardt
-
-diff --git a/sys_linux.c b/sys_linux.c
-index 9cab2efa..cc3c9311 100644
---- a/sys_linux.c
-+++ b/sys_linux.c
-@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context)
- SCMP_SYS(getrlimit),
- SCMP_SYS(getuid),
- SCMP_SYS(getuid32),
-+#ifdef __NR_rseq
-+ SCMP_SYS(rseq),
-+#endif
- SCMP_SYS(rt_sigaction),
- SCMP_SYS(rt_sigreturn),
- SCMP_SYS(rt_sigprocmask),
diff --git a/chrony.spec b/chrony.spec
index 38b63c9..0314be1 100644
--- a/chrony.spec
+++ b/chrony.spec
@@ -1,5 +1,5 @@
 %global _hardened_build 1
-%global clknetsim_ver 824c48
+%global clknetsim_ver f00531
 
 %bcond_without debug
 %bcond_without nts
@@ -8,7 +8,7 @@
 %endif
 
 Name: chrony
-Version: 4.2
+Version: 4.3
 Release: 1%{?dist}
 Summary: An NTP client/server
 
@@ -23,10 +23,8 @@ Source4: chrony.sysusers
 Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
 %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
 
-# add IPv6 support and distribution-specific bits to DHCP dispatcher
+# add distribution-specific bits to DHCP dispatcher
 Patch1: chrony-nm-dispatcher-dhcp.patch
-# update seccomp filter for new glibc
-Patch2: chrony-seccomp.patch
 # revert some hardening options in service files
 Patch3: chrony-services.patch
 
@@ -60,7 +58,6 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
-%patch2 -p1 -b .seccomp
 %patch3 -p1 -b .services
 
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
diff --git a/sources b/sources
index d3ac382..f352bac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (chrony-4.2.tar.gz) = 7f946b27de605b3ebea62cf23916dfad77c99e8b2338ba239ede6b8216ce436b3d4d87770f371c8d8e006507c51d5c831b51f067957abd2935adfdec3f5aa67d
-SHA512 (chrony-4.2-tar-gz-asc.txt) = d8ae4b540ce3529a5a72e10c14765a33ca6fc41529b6fdc9928fb171f25bd6fb87f930b7783638892f42f4cbcfaab4cb1064c930bae1d5204a71babad72b6e10
-SHA512 (clknetsim-824c48.tar.gz) = df682f3105c8fbc8da558fa0f17011eb1125c8383179dbc81002a249ca95b7940b46f0dd7562ede44f5ba095be897e6e77d0c99ff2ad7d317217154e1265606f
+SHA512 (chrony-4.3.tar.gz) = 1394bac3ed684352fe89b7fef7da50e61f9f522abee807627ae1fc4c2dde891017bc8e5b13759fced028f3a1e875d5e4e5a4f85de65c63b5f83d0ca03bb4c5df
+SHA512 (chrony-4.3-tar-gz-asc.txt) = 300b06f253ac3727edb86a1b7c337f9529ee752bbb471b266217b6a8ac5183e827264177a3210d436425d746673bf11fbdc41da145673213e28165197c6c76b7
+SHA512 (clknetsim-f00531.tar.gz) = a44f543574519d1d5b5778f91b88fc73a976de511b97011c8ff3bc61a7ebff868fe9c6b46947ff4b58b29bd45520ffa68147934b1d289b1ffada4a329c048df5