ipam/dhcp: Add broadcast flag

Signed-off-by: Micah Hausler <hausler.m@gmail.com>
vendor: bump libcni
2021-02-05 16:38:32 +01:00 · 2021-02-03 14:38:29 +01:00 · 2021-01-27 17:18:02 +01:00 · 2021-01-27 16:07:17 +00:00 · 2021-01-25 01:13:27 +08:00 · 2021-01-20 17:47:25 +01:00
1456 changed files with 409819 additions and 35320 deletions
--- a/.github/actions/retest-action/Dockerfile
+++ b/.github/actions/retest-action/Dockerfile
@@ -0,0 +1,7 @@
+FROM alpine:3.10
+
+RUN apk add --no-cache curl jq
+
+COPY entrypoint.sh /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/retest-action/action.yml
+++ b/.github/actions/retest-action/action.yml
@@ -0,0 +1,11 @@
+name: 'Re-Test'
+description: 'Re-Runs the last workflow for a PR'
+inputs:
+  token:
+    description: 'GitHub API Token'
+    required: true
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  env:
+    GITHUB_TOKEN: ${{ inputs.token }}
--- a/.github/actions/retest-action/entrypoint.sh
+++ b/.github/actions/retest-action/entrypoint.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+set -ex
+
+if ! jq -e '.issue.pull_request' ${GITHUB_EVENT_PATH}; then
+    echo "Not a PR... Exiting."
+    exit 0
+fi
+
+if [ "$(jq -r '.comment.body' ${GITHUB_EVENT_PATH})" != "/retest" ]; then
+    echo "Nothing to do... Exiting."
+    exit 0
+fi
+
+PR_URL=$(jq -r '.issue.pull_request.url' ${GITHUB_EVENT_PATH})
+
+curl --request GET \
+    --url "${PR_URL}" \
+    --header "authorization: Bearer ${GITHUB_TOKEN}" \
+    --header "content-type: application/json" > pr.json
+
+ACTOR=$(jq -r '.user.login' pr.json)
+BRANCH=$(jq -r '.head.ref' pr.json)
+
+curl --request GET \
+    --url "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/runs?event=pull_request&actor=${ACTOR}&branch=${BRANCH}" \
+    --header "authorization: Bearer ${GITHUB_TOKEN}" \
+    --header "content-type: application/json" | jq '.workflow_runs | max_by(.run_number)' > run.json
+
+RERUN_URL=$(jq -r '.rerun_url' run.json)
+
+curl --request POST \
+    --url "${RERUN_URL}" \
+    --header "authorization: Bearer ${GITHUB_TOKEN}" \
+    --header "content-type: application/json"
+
+
+REACTION_URL="$(jq -r '.comment.url' ${GITHUB_EVENT_PATH})/reactions"
+
+curl --request POST \
+    --url "${REACTION_URL}" \
+    --header "authorization: Bearer ${GITHUB_TOKEN}" \
+    --header "accept: application/vnd.github.squirrel-girl-preview+json" \
+    --header "content-type: application/json" \
+    --data '{ "content" : "rocket" }'
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -0,0 +1,17 @@
+name: commands
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  retest:
+    if: github.repository == 'containernetworking/plugins'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Re-Test Action
+        uses: ./.github/actions/retest-action
+        with:
+          token: ${{ secrets.REPO_ACCESS_TOKEN }}
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,69 @@
+---
+name: test
+
+on: ["push", "pull_request"]
+
+env:
+  GO_VERSION: "1.15"
+  LINUX_ARCHES: "amd64 386 arm arm64 s390x mips64le ppc64le"
+
+jobs:
+  build:
+    name: Build all linux architectures
+    runs-on: ubuntu-latest
+    steps:
+      - name: setup go
+        uses: actions/setup-go@v1
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - uses: actions/checkout@v2
+
+      - name: Build on all supported architectures
+        run: |
+          set -e
+          for arch in ${LINUX_ARCHES}; do
+            echo "Building for arch $arch"
+            GOARCH=$arch ./build_linux.sh
+            rm bin/*
+          done
+
+  test-linux:
+    name: Run tests on Linux amd64
+    runs-on: ubuntu-latest
+    steps:
+      - name: setup go
+        uses: actions/setup-go@v1
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - uses: actions/checkout@v2
+
+      - name: Install test binaries
+        env:
+          GO111MODULE: off
+        run: |
+          go get github.com/containernetworking/cni/cnitool
+          go get github.com/mattn/goveralls
+          go get github.com/modocache/gover
+
+      - name: test
+        run: PATH=$PATH:$(go env GOPATH)/bin COVERALLS=1 ./test_linux.sh
+
+      - name: Send coverage to coveralls
+        env:
+          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PATH=$PATH:$(go env GOPATH)/bin
+          gover
+          goveralls -coverprofile=gover.coverprofile -service=github
+
+  test-win:
+    name: Build and run tests on Windows
+    runs-on: windows-latest
+    steps:
+      - name: setup go
+        uses: actions/setup-go@v1
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - uses: actions/checkout@v2
+      - name: test
+        run: bash ./test_windows.sh
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,30 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
 bin/
 gopath/
-*.sw[ponm]
+.vagrant
+.idea
+/release-*
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,29 +0,0 @@
-language: go
-sudo: required
-dist: trusty
-
-go:
-  - 1.5.3
-  - 1.6
-  - tip
-
-matrix:
-  allow_failures:
-    - go: tip
-
-env:
-  global:
-    - TOOLS_CMD=golang.org/x/tools/cmd
-    - PATH=$GOROOT/bin:$PATH
-    - GO15VENDOREXPERIMENT=1
-
-install:
- - go get ${TOOLS_CMD}/cover
- - go get github.com/modocache/gover
- - go get github.com/mattn/goveralls
-
-script:
- - ./test
-
-notifications:
-  email: false
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,11 +1,11 @@
 # How to Contribute

-cni is [Apache 2.0 licensed](LICENSE) and accepts contributions via GitHub
+CNI is [Apache 2.0 licensed](LICENSE) and accepts contributions via GitHub
 pull requests. This document outlines some of the conventions on development
 workflow, commit message formatting, contact points and other resources to make
 it easier to get your contribution accepted.

-For more information on the policy for accepting contributions, see [POLICY](POLICY.md)
+We gratefully welcome improvements to documentation as well as to code.

 # Certificate of Origin

@@ -16,9 +16,9 @@ contribution. See the [DCO](DCO) file for details.

 # Email and Chat

-The project uses the the cni-dev email list and #appc on Freenode for chat:
+The project uses the the cni-dev email list and IRC chat:
 - Email: [cni-dev](https://groups.google.com/forum/#!forum/cni-dev)
- IRC: #[appc](irc://irc.freenode.org:6667/#appc) IRC channel on freenode.org
+- IRC: #[containernetworking](irc://irc.freenode.org:6667/#containernetworking) channel on freenode.org

 Please avoid emailing maintainers found in the MAINTAINERS file directly. They
 are very busy and read the mailing lists.
@@ -26,21 +26,76 @@ are very busy and read the mailing lists.
 ## Getting Started

 - Fork the repository on GitHub
- Read the [README](README.md) for build and test instructions
- Play with the project, submit bugs, submit patches!
+- Play with the project, submit bugs, submit pull requests!

-## Contribution Flow

-This is a rough outline of what a contributor's workflow looks like:
+## Building

- Create a topic branch from where you want to base your work (usually master).
+Each plugin is compiled simply with `go build`.  Two scripts, `build_linux.sh` and `build_windows.sh`,
+are supplied which will build all the plugins for their respective OS.
+
+## Contribution workflow
+
+This is a rough outline of how to prepare a contribution:
+
+- Create a topic branch from where you want to base your work (usually branched from master).
 - Make commits of logical units.
 - Make sure your commit messages are in the proper format (see below).
 - Push your changes to a topic branch in your fork of the repository.
- Make sure the tests pass, and add any new tests as appropriate.
+- If you changed code:
+   - add automated tests to cover your changes, using the [Ginkgo](http://onsi.github.io/ginkgo/) & [Gomega](http://onsi.github.io/gomega/) style
+   - if the package did not previously have any test coverage, add it to the list
+   of `TESTABLE` packages in the `test.sh` script.
+   - run the full test script and ensure it passes
+- Make sure any new code files have a license header (this is now enforced by automated tests)
 - Submit a pull request to the original repository.

-Thanks for your contributions!
+## How to run the test suite
+We generally require test coverage of any new features or bug fixes.
+
+Here's how you can run the test suite on any system (even Mac or Windows) using
+ [Vagrant](https://www.vagrantup.com/) and a hypervisor of your choice:
+
+First, ensure that you have the [CNI repo](https://github.com/containernetworking/cni) and this repo (plugins) cloned side-by-side:
+```bash
+cd ~/workspace
+git clone https://github.com/containernetworking/cni
+git clone https://github.com/containernetworking/plugins
+```
+
+Next, boot the virtual machine and SSH in to run the tests:
+
+```bash
+cd ~/workspace/plugins
+vagrant up
+vagrant ssh
+# you're now in a shell in a virtual machine
+sudo su
+go get github.com/onsi/ginkgo/ginkgo
+go install github.com/containernetworking/cni/cnitool
+cd /go/src/github.com/containernetworking/plugins
+
+# to run the full test suite
+./test_linux.sh
+
+# to focus on a particular test suite
+cd plugins/main/loopback
+go test
+```
+
+# Acceptance policy
+
+These things will make a PR more likely to be accepted:
+
+ * a well-described requirement
+ * tests for new code
+ * tests for old code!
+ * new code and tests follow the conventions in old code and tests
+ * a good commit message (see below)
+
+In general, we will merge a PR once two maintainers have endorsed it.
+Trivial changes (e.g., corrections to spelling) may get waved through.
+For substantial changes, more people may become involved, and you might get asked to resubmit the PR or divide the changes into more than one PR.

 ### Format of the Commit Message

@@ -71,3 +126,17 @@ The first line is the subject and should be no longer than 70 characters, the
 second line is always blank, and other lines should be wrapped at 80 characters.
 This allows the message to be easier to read on GitHub as well as in various
 git tools.
+
+## 3rd party plugins
+So you've built a CNI plugin.  Where should it live?
+
+Short answer: We'd be happy to link to it from our [list of 3rd party plugins](README.md#3rd-party-plugins).
+But we'd rather you kept the code in your own repo.
+
+Long answer: An advantage of the CNI model is that independent plugins can be
+built, distributed and used without any code changes to this repository.  While
+some widely used plugins (and a few less-popular legacy ones) live in this repo,
+we're reluctant to add more.
+
+If you have a good reason why the CNI maintainers should take custody of your
+plugin, please open an issue or PR.
--- a/Documentation/bridge.md
+++ b/Documentation/bridge.md
@@ -1,37 +0,0 @@
-# bridge plugin
-
-## Overview
-
-With bridge plugin, all containers (on the same host) are plugged into a bridge (virtual switch) that resides in the host network namespace.
-The containers receive one end of the veth pair with the other end connected to the bridge.
-An IP address is only assigned to one end of the veth pair -- one residing in the container.
-The bridge itself can also be assigned an IP address, turning it into a gateway for the containers.
-Alternatively, the bridge can function purely in L2 mode and would need to be bridged to the host network interface (if other than container-to-container communication on the same host is desired).
-
-The network configuration specifies the name of the bridge to be used.
-If the bridge is missing, the plugin will create one on first use and, if gateway mode is used, assign it an IP that was returned by IPAM plugin via the gateway field.
-
-## Example configuration
-```
-{
-	"name": "mynet",
-	"type": "bridge",
-	"bridge": "mynet0",
-	"isGateway": true,
-	"ipMasq": true,
-	"ipam": {
-		"type": "host-local",
-		"subnet": "10.10.0.0/16"
-	}
-}
-```
-
-## Network configuration reference
-
-* `name` (string, required): the name of the network.
-* `type` (string, required): "bridge".
-* `bridge` (string, optional): name of the bridge to use/create. Defaults to "cni0".
-* `isGateway` (boolean, optional): assign an IP address to the bridge. Defaults to false.
-* `ipMasq` (boolean, optional): set up IP Masquerade on the host for traffic originating from this network and destined outside of it. Defaults to false.
-* `mtu` (integer, optional): explicitly set MTU to the specified value. Defaults to the value chosen by the kernel.
-* `ipam` (dictionary, required): IPAM configuration to be used for this network.
--- a/Documentation/dhcp.md
+++ b/Documentation/dhcp.md
@@ -1,35 +0,0 @@
-# dhcp plugin
-
-## Overview
-
-With dhcp plugin the containers can get an IP allocated by a DHCP server already running on your network.
-This can be especially useful with plugin types such as [macvlan](https://github.com/appc/cni/blob/master/Documentation/macvlan.md).
-Because a DHCP lease must be periodically renewed for the duration of container lifetime, a separate daemon is required to be running.
-The same plugin binary can also be run in the daemon mode.
-
-## Operation
-To use the dhcp IPAM plugin, first launch the dhcp daemon:
-
-```
-# Make sure the unix socket has been removed
-$ rm -f /run/cni/dhcp.sock
-$ ./dhcp daemon
-```
-
-Alternatively, you can use systemd socket activation protocol.
-Be sure that the .socket file uses /run/cni/dhcp.sock as the socket path.
-
-With the daemon running, containers using the dhcp plugin can be launched.
-
-## Example configuration
-
-```
-{
-	"ipam": {
-		"type": "dhcp",
-	}
-}
-
-## Network configuration reference
-
-* `type` (string, required): "dhcp"
--- a/Documentation/flannel.md
+++ b/Documentation/flannel.md
@@ -1,87 +0,0 @@
-# flannel plugin
-
-## Overview
-This plugin is designed to work in conjunction with [flannel](https://github.com/coreos/flannel), a network fabric for containers.
-When flannel daemon is started, it outputs a `/run/flannel/subnet.env` file that looks like this:
-```
-FLANNEL_NETWORK=10.1.0.0/16
-FLANNEL_SUBNET=10.1.17.1/24
-FLANNEL_MTU=1472
-FLANNEL_IPMASQ=true
-```
-
-This information reflects the attributes of flannel network on the host.
-The flannel CNI plugin uses this information to configure another CNI plugin, such as bridge plugin.
-
-## Operation
-Given the following network configuration file and the contents of `/run/flannel/subnet.env` above,
-```
-{
-	"name": "mynet",
-	"type": "flannel"
-}
-```
-the flannel plugin will generate another network configuration file:
-```
-{
-	"name": "mynet",
-	"type": "bridge",
-	"mtu": 1472,
-	"ipMasq": false,
-	"isGateway": true,
-	"ipam": {
-		"type": "host-local",
-		"subnet": "10.1.17.0/24"
-	}
-}
-```
-
-It will then invoke the bridge plugin, passing it the generated configuration.
-
-As can be seen from above, the flannel plugin, by default, will delegate to the bridge plugin.
-If additional configuration values need to be passed to the bridge plugin, it can be done so via the `delegate` field:
-```
-{
-	"name": "mynet",
-	"type": "flannel",
-	"delegate": {
-		"bridge": "mynet0",
-		"mtu": 1400
-	}
-}
-```
-
-This supplies a configuration parameter to the bridge plugin -- the created bridge will now be named `mynet0`.
-Notice that `mtu` has also been specified and this value will not be overwritten by flannel plugin.
-
-Additionally, the `delegate` field can be used to select a different kind of plugin altogether.
-To use `ipvlan` instead of `bridge`, the following configuration can be specified:
-
-```
-{
-	"name": "mynet",
-	"type": "flannel",
-	"delegate": {
-		"type": "ipvlan",
-		"master": "eth0"
-	}
-}
-```
-
-## Network configuration reference
-
-* `name` (string, required): the name of the network
-* `type` (string, required): "flannel"
-* `subnetFile` (string, optional): full path to the subnet file written out by flanneld. Defaults to /run/flannel/subnet.env
-* `delegate` (dictionary, optional): specifies configuration options for the delegated plugin.
-
-flannel plugin will always set the following fields in the delegated plugin configuration:
-
-* `name`: value of its "name" field.
-* `ipam`: "host-local" type will be used with "subnet" set to `$FLANNEL_SUBNET`.
-
-flannel plugin will set the following fields in the delegated plugin configuration if they are not present:
-* `ipMasq`: the inverse of `$FLANNEL_IPMASQ`
-* `mtu`: `$FLANNEL_MTU`
-
-Additionally, for the bridge plugin, `isGateway` will be set to `true`, if not present.
--- a/Documentation/host-local.md
+++ b/Documentation/host-local.md
@@ -1,41 +0,0 @@
-# host-local plugin
-
-## Overview
-
-host-local IPAM plugin allocates IPv4 addresses out of a specified address range.
-It stores the state locally on the host filesystem, therefore ensuring uniqueness of IP addresses on a single host.
-
-## Example configuration
-```
-{
-	"ipam": {
-		"type": "host-local",
-		"subnet": "10.10.0.0/16",
-		"rangeStart": "10.10.1.20",
-		"rangeEnd": "10.10.3.50",
-		"gateway": "10.10.0.254",
-		"routes": [
-			{ "dst": "0.0.0.0/0" },
-			{ "dst": "192.168.0.0/16", "gw": "10.10.5.1" }
-		]
-	}
-}
-```
-
-## Network configuration reference
-
-* `type` (string, required): "host-local".
-* `subnet` (string, required): CIDR block to allocate out of.
-* `rangeStart` (string, optional): IP inside of "subnet" from which to start allocating addresses. Defaults to ".2" IP inside of the "subnet" block.
-* `rangeEnd` (string, optional): IP inside of "subnet" with which to end allocating addresses. Defaults to ".254" IP inside of the "subnet" block.
-* `gateway` (string, optional): IP inside of "subnet" to designate as the gateway. Defaults to ".1" IP inside of the "subnet" block.
-* `routes` (string, optional): list of routes to add to the container namespace. Each route is a dictionary with "dst" and optional "gw" fields. If "gw" is omitted, value of "gateway" will be used.
-
-## Supported arguments
-The following [CNI_ARGS](https://github.com/appc/cni/blob/master/SPEC.md#parameters) are supported:
-
-* `ip`: request a specific IP address from the subnet. If it's not available, the plugin will exit with an error
-
-## Files
-
-Allocated IP addresses are stored as files in /var/lib/cni/networks/$NETWORK_NAME.
--- a/Documentation/ipvlan.md
+++ b/Documentation/ipvlan.md
@@ -1,40 +0,0 @@
-# ipvlan plugin
-
-## Overview
-
-ipvlan is a new [addition](https://lwn.net/Articles/620087/) to the Linux kernel.
-Like its cousin macvlan, it virtualizes the host interface.
-However unlike macvlan which generates a new MAC address for each interface, ipvlan devices all share the same MAC.
-The kernel driver inspects the IP address of each packet when making a decision about which virtual interface should process the packet.
-
-Because all ipvlan interfaces share the MAC address with the host interface, DHCP can only be used in conjunction with ClientID (currently not supported by DHCP plugin).
-
-## Example configuration
-
-```
-{
-	"name": "mynet",
-	"type": "ipvlan",
-	"master": "eth0",
-	"ipam": {
-		"type": "host-local",
-		"subnet": "10.1.2.0/24",
-	}
-}
-```
-
-## Network configuration reference
-
-* `name` (string, required): the name of the network.
-* `type` (string, required): "ipvlan".
-* `master` (string, required): name of the host interface to enslave.
-* `mode` (string, optional): one of "l2", "l3". Defaults to "l2".
-* `mtu` (integer, optional): explicitly set MTU to the specified value. Defaults to the value chosen by the kernel.
-* `ipam` (dictionary, required): IPAM configuration to be used for this network.
-
-## Notes
-
-* `ipvlan` does not allow virtual interfaces to communicate with the master interface.
-Therefore the container will not be able to reach the host via `ipvlan` interface.
-Be sure to also have container join a network that provides connectivity to the host (e.g. `ptp`).
-* A single master interface can not be enslaved by both `macvlan` and `ipvlan`.
--- a/Documentation/macvlan.md
+++ b/Documentation/macvlan.md
@@ -1,34 +0,0 @@
-# macvlan plugin
-
-## Overview
-
-[macvlan](http://backreference.org/2014/03/20/some-notes-on-macvlanmacvtap/) functions like a switch that is already connected to the host interface.
-A host interface gets "enslaved" with the virtual interfaces sharing the physical device but having distinct MAC addresses.
-Since each macvlan interface has its own MAC address, it makes it easy to use with existing DHCP servers already present on the network.
-
-## Example configuration
-
-```
-{
-	"name": "mynet",
-	"type": "macvlan",
-	"master": "eth0",
-	"ipam": {
-		"type": "dhcp"
-	}
-}
-```
-
-## Network configuration reference
-
-* `name` (string, required): the name of the network
-* `type` (string, required): "macvlan"
-* `master` (string, required): name of the host interface to enslave
-* `mode` (string, optional): one of "bridge", "private", "vepa", "passthrough". Defaults to "bridge".
-* `mtu` (integer, optional): explicitly set MTU to the specified value. Defaults to the value chosen by the kernel.
-* `ipam` (dictionary, required): IPAM configuration to be used for this network.
-
-## Notes
-
-* If are testing on a laptop, please remember that most wireless cards do not support being enslaved by macvlan.
-* A single master interface can not be enslaved by both `macvlan` and `ipvlan`.
--- a/Documentation/ptp.md
+++ b/Documentation/ptp.md
@@ -1,30 +0,0 @@
-# ptp plugin
-
-## Overview
-The ptp plugin creates a point-to-point link between a container and the host by using a veth device.
-One end of the veth pair is placed inside a container and the other end resides on the host.
-The host-local IPAM plugin can be used to allocate an IP address to the container.
-The traffic of the container interface will be routed through the interface of the host.
-
-## Example network configuration
-```
-{
-	"name": "mynet",
-	"type": "ptp",
-	"ipam": {
-		"type": "host-local",
-		"subnet": "10.1.1.0/24"
-	},
-	"dns": {
-		"nameservers": [ "10.1.1.1", "8.8.8.8" ]
-	}
-}
-
-## Network configuration reference
-
-* `name` (string, required): the name of the network
-* `type` (string, required): "ptp"
-* `ipMasq` (boolean, optional): set up IP Masquerade on the host for traffic originating from this network and destined outside of it. Defaults to false.
-* `mtu` (integer, optional): explicitly set MTU to the specified value. Defaults to value chosen by the kernel.
-* `ipam` (dictionary, required): IPAM configuration to be used for this network.
-* `dns` (dictionary, optional): DNS information to return as described in the [Result](/SPEC.md#result).
--- a/Documentation/tuning.md
+++ b/Documentation/tuning.md
@@ -1,36 +0,0 @@
-# tuning plugin
-
-## Overview
-
-This plugin can change some system controls (sysctls) in the network namespace.
-It does not create any network interfaces and therefore does not bring connectivity by itself.
-It is only useful when used in addition to other plugins.
-
-## Operation
-The following network configuration file
-```
-{
-  "name": "mytuning",
-  "type": "tuning",
-  "sysctl": {
-          "net.core.somaxconn": "500"
-  }
-}
-```
-will set /proc/sys/net/core/somaxconn to 500.
-Other sysctls can be modified as long as they belong to the network namespace (`/proc/sys/net/*`).
-
-A successful result would simply be:
-```
-{
-  "cniVersion": "0.1.0"
-}
-```
-
-## Network sysctls documentation
-
-Some network sysctls are documented in the Linux sources:
-
- [Documentation/sysctl/net.txt](https://www.kernel.org/doc/Documentation/sysctl/net.txt)
- [Documentation/networking/ip-sysctl.txt](https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)
- [Documentation/networking/](https://www.kernel.org/doc/Documentation/networking/)
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -1,184 +0,0 @@
-{
-	"ImportPath": "github.com/appc/cni",
-	"GoVersion": "go1.6",
-	"Packages": [
-		"./..."
-	],
-	"Deps": [
-		{
-			"ImportPath": "github.com/coreos/go-iptables/iptables",
-			"Comment": "v0.1.0",
-			"Rev": "fbb73372b87f6e89951c2b6b31470c2c9d5cfae3"
-		},
-		{
-			"ImportPath": "github.com/coreos/go-systemd/activation",
-			"Comment": "v2-53-g2688e91",
-			"Rev": "2688e91251d9d8e404e86dd8f096e23b2f086958"
-		},
-		{
-			"ImportPath": "github.com/d2g/dhcp4",
-			"Rev": "f0e4d29ff0231dce36e250b2ed9ff08412584bca"
-		},
-		{
-			"ImportPath": "github.com/d2g/dhcp4client",
-			"Rev": "bed07e1bc5b85f69c6f0fd73393aa35ec68ed892"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/config",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/codelocation",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/containernode",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/failer",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/leafnodes",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/remote",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/spec",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/specrunner",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/suite",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/testingtproxy",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/internal/writer",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/reporters",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/reporters/stenographer",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/ginkgo/types",
-			"Comment": "v1.2.0-29-g7f8ab55",
-			"Rev": "7f8ab55aaf3b86885aa55b762e803744d1674700"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/format",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/gbytes",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/gexec",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/internal/assertion",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/internal/asyncassertion",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/internal/oraclematcher",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/internal/testingtsupport",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/matchers",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/matchers/support/goraph/bipartitegraph",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/matchers/support/goraph/edge",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/matchers/support/goraph/node",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/matchers/support/goraph/util",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/onsi/gomega/types",
-			"Comment": "v1.0-71-g2152b45",
-			"Rev": "2152b45fa28a361beba9aab0885972323a444e28"
-		},
-		{
-			"ImportPath": "github.com/vishvananda/netlink",
-			"Rev": "ecf47fd5739b3d2c3daf7c89c4b9715a2605c21b"
-		},
-		{
-			"ImportPath": "github.com/vishvananda/netlink/nl",
-			"Rev": "ecf47fd5739b3d2c3daf7c89c4b9715a2605c21b"
-		},
-		{
-			"ImportPath": "golang.org/x/sys/unix",
-			"Rev": "e11762ca30adc5b39fdbfd8c4250dabeb8e456d3"
-		}
-	]
-}
--- a/Godeps/Readme
+++ b/Godeps/Readme
@@ -1,5 +0,0 @@
-This directory tree is generated automatically by godep.
-
-Please do not edit.
-
-See https://github.com/tools/godep for more information.
--- a/1
+++ b/1
@@ -199,4 +199,3 @@
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
-
--- a/3
+++ b/3
@@ -1,3 +0,0 @@
-Michael Bridgen <michael@weave.works> (@squaremo)
-Stefan Junker <stefan.junker@coreos.com> (@steveeJ)
-Zach Gershman <zachgersh@gmail.com> (@zachgersh)
--- a/OWNERS.md
+++ b/OWNERS.md
@@ -0,0 +1,10 @@
+# Owners
+This is the official list of the CNI network plugins owners:
+- Bruce Ma <brucema19901024@gmail.com> (@mars1024)
+- Bryan Boreham <bryan@weave.works> (@bboreham)
+- Casey Callendrello <cdc@redhat.com> (@squeed)
+- Dan Williams <dcbw@redhat.com> (@dcbw)
+- Gabe Rosenhouse <grosenhouse@pivotal.io> (@rosenhouse)
+- Matt Dupre <matt@tigera.io> (@matthewdupre)
+- Michael Cambria <mcambria@redhat.com> (@mccv1r0)
+- Piotr Skarmuk <piotr.skarmuk@gmail.com> (@jellonek)
--- a/README.md
+++ b/README.md
@@ -1,146 +1,42 @@
-[![Build Status](https://travis-ci.org/appc/cni.svg?branch=master)](https://travis-ci.org/appc/cni)
-[![Coverage Status](https://coveralls.io/repos/github/appc/cni/badge.svg?branch=master)](https://coveralls.io/github/appc/cni?branch=master)
+[![Build Status](https://travis-ci.org/containernetworking/plugins.svg?branch=master)](https://travis-ci.org/containernetworking/plugins)

-# CNI - the Container Network Interface
+# plugins
+Some CNI network plugins, maintained by the containernetworking team. For more information, see the [CNI website](https://www.cni.dev).

-## What is CNI?
+Read [CONTRIBUTING](CONTRIBUTING.md) for build and test instructions.

-CNI, the _Container Network Interface_, is a proposed standard for configuring network interfaces for Linux application containers.
-The standard consists of a simple specification for how executable plugins can be used to configure network namespaces; this repository also contains a go library implementing that specification.
+## Plugins supplied:
+### Main: interface-creating
+* `bridge`: Creates a bridge, adds the host and the container to it.
+* `ipvlan`: Adds an [ipvlan](https://www.kernel.org/doc/Documentation/networking/ipvlan.txt) interface in the container.
+* `loopback`: Set the state of loopback interface to up.
+* `macvlan`: Creates a new MAC address, forwards all traffic to that to the container.
+* `ptp`: Creates a veth pair.
+* `vlan`: Allocates a vlan device.
+* `host-device`: Move an already-existing device into a container.
+#### Windows: windows specific
+* `win-bridge`: Creates a bridge, adds the host and the container to it.
+* `win-overlay`: Creates an overlay interface to the container.
+### IPAM: IP address allocation
+* `dhcp`: Runs a daemon on the host to make DHCP requests on behalf of the container
+* `host-local`: Maintains a local database of allocated IPs
+* `static`:  Allocate a static IPv4/IPv6 addresses to container and it's useful in debugging purpose.

-The specification itself is contained in [SPEC.md](SPEC.md).
+### Meta: other plugins
+* `flannel`: Generates an interface corresponding to a flannel config file
+* `tuning`: Tweaks sysctl parameters of an existing interface
+* `portmap`: An iptables-based portmapping plugin. Maps ports from the host's address space to the container.
+* `bandwidth`: Allows bandwidth-limiting through use of traffic control tbf (ingress/egress).
+* `sbr`: A plugin that configures source based routing for an interface (from which it is chained).
+* `firewall`: A firewall plugin which uses iptables or firewalld to add rules to allow traffic to/from the container.

-## Why develop CNI?
-
-Application containers on Linux are a rapidly evolving area, and within this space networking is a particularly unsolved problem, as it is highly environment-specific.
-We believe that every container runtime will seek to solve the same problem of making the network layer pluggable.
-
-To avoid duplication, we think it is prudent to define a common interface between the network plugins and container execution.
-Hence we are proposing this specification, along with an initial set of plugins that can be used by different container runtime systems.
-
-## Who is using CNI?
-
- [rkt - container engine](https://coreos.com/blog/rkt-cni-networking.html)
- [Kurma - container runtime](http://kurma.io/)
- [Kubernetes - a system to simplify container operations](http://kubernetes.io/docs/admin/network-plugins/)
- [Cloud Foundry - a platform for cloud applications](https://github.com/cloudfoundry-incubator/guardian-cni-adapter)
- [Weave - a multi-host Docker network](https://github.com/weaveworks/weave)
- [Project Calico - a layer 3 virtual network](https://github.com/projectcalico/calico-cni)
-
-## Contributing to CNI
-
-We welcome contributions, including [bug reports](https://github.com/appc/cni/issues), and code and documentation improvements.
-If you intend to contribute to code or documentation, please read [CONTRIBUTING.md](CONTRIBUTING.md). Also see the [contact section](#contact) in this README.
-
-## How do I use CNI?
-
-### Requirements
-CNI requires Go 1.5+ to build.
-
-Go 1.5 users will need to set GO15VENDOREXPERIMENT=1 to get vendored
-dependencies. This flag is set by default in 1.6.
-
-### Included Plugins
-This repository includes a number of common plugins in the `plugins/` directory.
-Please see the [Documentation/](Documentation/) directory for documentation about particular plugins.
-
-### Running the plugins
-The scripts/ directory contains two scripts, `priv-net-run.sh` and `docker-run.sh`, that can be used to exercise the plugins.
-
-**note - priv-net-run.sh depends on `jq`**
-
-Start out by creating a netconf file to describe a network:
-
-```bash
-$ mkdir -p /etc/cni/net.d
-$ cat >/etc/cni/net.d/10-mynet.conf <<EOF
-{
-	"name": "mynet",
-	"type": "bridge",
-	"bridge": "cni0",
-	"isGateway": true,
-	"ipMasq": true,
-	"ipam": {
-		"type": "host-local",
-		"subnet": "10.22.0.0/16",
-		"routes": [
-			{ "dst": "0.0.0.0/0" }
-		]
-	}
-}
-EOF
-$ cat >/etc/cni/net.d/99-loopback.conf <<EOF
-{
-	"type": "loopback"
-}
-EOF
-```
-
-The directory `/etc/cni/net.d` is the default location in which the scripts will look for net configurations.
-
-Next, build the plugins:
-
-```bash
-$ ./build
-```
-
-Finally, execute a command (`ifconfig` in this example) in a private network namespace that has joined the `mynet` network:
-
-```bash
-$ CNI_PATH=`pwd`/bin
-$ cd scripts
-$ sudo CNI_PATH=$CNI_PATH ./priv-net-run.sh ifconfig
-eth0      Link encap:Ethernet  HWaddr f2:c2:6f:54:b8:2b  
-          inet addr:10.22.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
-          inet6 addr: fe80::f0c2:6fff:fe54:b82b/64 Scope:Link
-          UP BROADCAST MULTICAST  MTU:1500  Metric:1
-          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
-          TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
-          collisions:0 txqueuelen:0 
-          RX bytes:90 (90.0 B)  TX bytes:0 (0.0 B)
-
-lo        Link encap:Local Loopback  
-          inet addr:127.0.0.1  Mask:255.0.0.0
-          inet6 addr: ::1/128 Scope:Host
-          UP LOOPBACK RUNNING  MTU:65536  Metric:1
-          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
-          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
-          collisions:0 txqueuelen:0 
-          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
-```
-
-The environment variable `CNI_PATH` tells the scripts and library where to look for plugin executables.
-
-## Running a Docker container with network namespace set up by CNI plugins
-
-Use the instructions in the previous section to define a netconf and build the plugins.
-Next, docker-run.sh script wraps `docker run`, to execute the plugins prior to entering the container:
-
-```bash
-$ CNI_PATH=`pwd`/bin
-$ cd scripts
-$ sudo CNI_PATH=$CNI_PATH ./docker-run.sh --rm busybox:latest ifconfig
-eth0      Link encap:Ethernet  HWaddr fa:60:70:aa:07:d1  
-          inet addr:10.22.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
-          inet6 addr: fe80::f860:70ff:feaa:7d1/64 Scope:Link
-          UP BROADCAST MULTICAST  MTU:1500  Metric:1
-          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
-          TX packets:0 errors:0 dropped:1 overruns:0 carrier:0
-          collisions:0 txqueuelen:0 
-          RX bytes:90 (90.0 B)  TX bytes:0 (0.0 B)
-
-lo        Link encap:Local Loopback  
-          inet addr:127.0.0.1  Mask:255.0.0.0
-          inet6 addr: ::1/128 Scope:Host
-          UP LOOPBACK RUNNING  MTU:65536  Metric:1
-          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
-          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
-          collisions:0 txqueuelen:0 
-          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
-```
+### Sample
+The sample plugin provides an example for building your own plugin.

 ## Contact

-For any questions about CNI, please reach out on the mailing list or IRC:
+For any questions about CNI, please reach out via:
 - Email: [cni-dev](https://groups.google.com/forum/#!forum/cni-dev)
- IRC: #[appc](irc://irc.freenode.org:6667/#appc) IRC channel on freenode.org
+- Slack: #cni on the [CNCF slack](https://slack.cncf.io/).
+
+If you have a _security_ issue to report, please do so privately to the email addresses listed in the [OWNERS](OWNERS.md) file.
--- a/RELEASING.md
+++ b/RELEASING.md
@@ -0,0 +1,35 @@
+# Release process
+
+## Resulting artifacts
+Creating a new release produces the following artifacts:
+
+- Binaries (stored in the `release-<TAG>` directory) :
+  - `cni-plugins-<PLATFORM>-<VERSION>.tgz` binaries
+  - `cni-plugins-<VERSION>.tgz` binary (copy of amd64 platform binary)
+  - `sha1`, `sha256` and `sha512` files for the above files.
+
+## Preparing for a release
+1. Releases are performed by maintainers and should usually be discussed and planned at a maintainer meeting.
+  - Choose the version number. It should be prefixed with `v`, e.g. `v1.2.3`
+  - Take a quick scan through the PRs and issues to make sure there isn't anything crucial that _must_ be in the next release.
+  - Create a draft of the release note
+  - Discuss the level of testing that's needed and create a test plan if sensible
+  - Check what version of `go` is used in the build container, updating it if there's a new stable release.
+  - Update the vendor directory and Godeps to pin to the corresponding containernetworking/cni release. Create a PR, makes sure it passes CI and get it merged.
+
+## Creating the release artifacts
+1. Make sure you are on the master branch and don't have any local uncommitted changes.
+1. Create a signed tag for the release `git tag -s $VERSION` (Ensure that GPG keys are created and added to GitHub)
+1. Run the release script from the root of the repository
+  - `scripts/release.sh`
+  - The script requires Docker and ensures that a consistent environment is used.
+  - The artifacts will now be present in the `release-<TAG>` directory.
+1. Test these binaries according to the test plan.
+
+## Publishing the release
+1. Push the tag to git `git push origin <TAG>`
+1. Create a release on Github, using the tag which was just pushed.
+1. Attach all the artifacts from the release directory.
+1. Add the release note to the release.
+1. Announce the release on at least the CNI mailing, IRC and Slack.
+
--- a/SPEC.md
+++ b/SPEC.md
@@ -1,257 +0,0 @@
-# Container Networking Interface Proposal
-
-## Overview
-
-This document proposes a generic plugin-based networking solution for application containers on Linux, the _Container Networking Interface_, or _CNI_.
-It is derived from the [rkt Networking Proposal][rkt-networking-proposal], which aimed to satisfy many of the [design considerations][rkt-networking-design] for networking in [rkt][rkt-github].
-
-For the purposes of this proposal, we define two terms very specifically:
- _container_ can be considered synonymous with a [Linux _network namespace_][namespaces]. What unit this corresponds to depends on a particular container runtime implementation: for example, in implementations of the [App Container Spec][appc-github] like rkt, each _pod_ runs in a unique network namespace. In [Docker][docker], on the other hand, network namespaces generally exist for each separate Docker container.
- _network_ refers to a group of entities that are uniquely addressable that can communicate amongst each other. This could be either an individual container (as specified above), a machine, or some other network device (e.g. a router). Containers can be conceptually _added to_ or _removed from_ one or more networks.
-
-[rkt-networking-proposal]: https://docs.google.com/a/coreos.com/document/d/1PUeV68q9muEmkHmRuW10HQ6cHgd4819_67pIxDRVNlM/edit#heading=h.ievko3xsjwxd
-[rkt-networking-design]: 
-https://docs.google.com/a/coreos.com/document/d/1CTAL4gwqRofjxyp4tTkbgHtAwb2YCcP14UEbHNizd8g
-[rkt-github]: https://github.com/coreos/rkt
-[namespaces]: http://man7.org/linux/man-pages/man7/namespaces.7.html 
-[appc-github]: https://github.com/appc/spec
-[docker]: https://docker.com 
-
-## General considerations
-
-The intention is for the container runtime to first create a new network namespace for the container.
-It then determines which networks this container should belong to and for each network, which plugin must be executed.
-The network configuration is in JSON format and can easily be stored in a file.
-The network configuration includes mandatory fields such as "name" and "type" as well as plugin (type) specific ones.
-The container runtime sequentially sets up the networks by executing the corresponding plugin for each network.
-Upon completion of the container lifecycle, the runtime executes the plugins in reverse order (relative to the order in which they were added) to disconnect them from the networks.
-
-## CNI Plugin
-
-### Overview
-
-Each CNI plugin is implemented as an executable that is invoked by the container management system (e.g. rkt or Docker).
-
-A CNI plugin is responsible for inserting a network interface into the container network namespace (e.g. one end of a veth pair) and making any necessary changes on the host (e.g. attaching other end of veth into a bridge).
-It should then assign the IP to the interface and setup the routes consistent with IP Address Management section by invoking appropriate IPAM plugin.
-
-### Parameters
-
-The operations that the CNI plugin needs to support are:
-
-
- Add container to network
-  - Parameters:
-    - **Version**. The version of CNI spec that the caller is using (container management system or the invoking plugin).
-    - **Container ID**. This is optional but recommended, and should be unique across an administrative domain while the container is live (it may be reused in the future). For example, an environment with an IPAM system may require that each container is allocated a unique ID and that each IP allocation can thus be correlated back to a particular container. As another example, in appc implementations this would be the _pod ID_.
-    - **Network namespace path**. This represents the path to the network namespace to be added, i.e. /proc/[pid]/ns/net or a bind-mount/link to it.
-    - **Network configuration**. This is a JSON document describing a network to which a container can be joined. The schema is described below.
-    - **Extra arguments**. This allows granular configuration of CNI plugins on a per-container basis.
-    - **Name of the interface inside the container**. This is the name that should be assigned to the interface created inside the container (network namespace); consequently it must comply with the standard Linux restrictions on interface names.
-  - Result:
-    - **IPs assigned to the interface**. This is either an IPv4 address, an IPv6 address, or both.
-    - **DNS information**. Dictionary that includes DNS information for nameservers, domain, search domains and options.
-
- Delete container from network
-  - Parameters:
-    - **Version**. The version of CNI spec that the caller is using (container management system or the invoking plugin).
-    - **Container ID**, as defined above.
-    - **Network namespace path**, as defined above.
-    - **Network configuration**, as defined above.
-    - **Extra arguments**, as defined above.
-    - **Name of the interface inside the container**, as defined above.
-
-The executable command-line API uses the type of network (see [Network Configuration](#network-configuration) below) as the name of the executable to invoke.
-It will then look for this executable in a list of predefined directories. Once found, it will invoke the executable using the following environment variables for argument passing:
- `CNI_VERSION`:  [Semantic Version 2.0](http://semver.org) of CNI specification. This effectively versions the CNI_XXX environment variables.
- `CNI_COMMAND`: indicates the desired operation; either `ADD` or `DEL`
- `CNI_CONTAINERID`: Container ID
- `CNI_NETNS`: Path to network namespace file
- `CNI_IFNAME`: Interface name to set up
- `CNI_ARGS`: Extra arguments passed in by the user at invocation time. Alphanumeric key-value pairs separated by semicolons; for example, "FOO=BAR;ABC=123"
- `CNI_PATH`: Colon-separated list of paths to search for CNI plugin executables
-
-Network configuration in JSON format is streamed through stdin.
-
-
-### Result
-
-Success is indicated by a return code of zero and the following JSON printed to stdout in the case of the ADD command. This should be the same output as was returned by the IPAM plugin (see [IP Allocation](#ip-allocation) for details).
-
-```
-{
-  "cniVersion": "0.1.0",
-  "ip4": {
-    "ip": <ipv4-and-subnet-in-CIDR>,
-    "gateway": <ipv4-of-the-gateway>,  (optional)
-    "routes": <list-of-ipv4-routes>    (optional)
-  },
-  "ip6": {
-    "ip": <ipv6-and-subnet-in-CIDR>,
-    "gateway": <ipv6-of-the-gateway>,  (optional)
-    "routes": <list-of-ipv6-routes>    (optional)
-  },
-  "dns": {
-    "nameservers": <list-of-nameservers>           (optional)
-    "domain": <name-of-local-domain>               (optional)
-    "search": <list-of-additional-search-domains>  (optional)
-    "options": <list-of-options>                   (optional)
-  }
-}
-```
-
-`cniVersion` specifies a [Semantic Version 2.0](http://semver.org) of CNI specification used by the plugin.
-`dns` field contains a dictionary consisting of common DNS information that this network is aware of.
-The result is returned in the same format as specified in the [configuration](#network-configuration).
-The specification does not declare how this information must be processed by CNI consumers.
-Examples include generating an `/etc/resolv.conf` file to be injected into the container filesystem or running a DNS forwarder on the host.
-
-Errors are indicated by a non-zero return code and the following JSON being printed to stdout:
-```
-{
-  "cniVersion": "0.1.0",
-  "code": <numeric-error-code>,
-  "msg": <short-error-message>,
-  "details": <long-error-message> (optional)
-}
-```
-
-`cniVersion` specifies a [Semantic Version 2.0](http://semver.org) of CNI specification used by the plugin.
-Error codes 0-99 are reserved for well-known errors (see [Well-known Error Codes](#well-known-error-codes) section).
-Values of 100+ can be freely used for plugin specific errors. 
-
-In addition, stderr can be used for unstructured output such as logs.
-
-### Network Configuration
-
-The network configuration is described in JSON form. The configuration can be stored on disk or generated from other sources by the container runtime. The following fields are well-known and have the following meaning:
- `cniVersion` (string): [Semantic Version 2.0](http://semver.org) of CNI specification to which this configuration conforms.
- `name` (string): Network name. This should be unique across all containers on the host (or other administrative domain).
- `type` (string): Refers to the filename of the CNI plugin executable.
- `ipMasq` (boolean): Optional (if supported by the plugin). Set up an IP masquerade on the host for this network. This is necessary if the host will act as a gateway to subnets that are not able to route to the IP assigned to the container.
- `ipam`: Dictionary with IPAM specific values:
-  - `type` (string): Refers to the filename of the IPAM plugin executable.
-  - `routes` (list): List of subnets (in CIDR notation) that the CNI plugin should ensure are reachable by routing them through the network. Each entry is a dictionary containing:
-    - `dst` (string): subnet in CIDR notation
-    - `gw` (string): IP address of the gateway to use. If not specified, the default gateway for the subnet is assumed (as determined by the IPAM plugin).
- `dns`: Dictionary with DNS specific values:
-  - `nameservers` (list of strings): list of a priority-ordered list of DNS nameservers that this network is aware of. Each entry in the list is a string containing either an IPv4 or an IPv6 address.
-  - `domain` (string): the local domain used for short hostname lookups.
-  - `search` (list of strings): list of priority ordered search domains for short hostname lookups. Will be preferred over `domain` by most resolvers.
-  - `options` (list of strings): list of options that can be passed to the resolver
-
-### Example configurations
-
-```json
-{
-  "cniVersion": "0.1.0",
-  "name": "dbnet",
-  "type": "bridge",
-  // type (plugin) specific
-  "bridge": "cni0",
-  "ipam": {
-    "type": "host-local",
-    // ipam specific
-    "subnet": "10.1.0.0/16",
-    "gateway": "10.1.0.1"
-  },
-  "dns": {
-    "nameservers": [ "10.1.0.1" ]
-  }
-}
-```
-
-```json
-{
-  "cniVersion": "0.1.0",
-  "name": "pci",
-  "type": "ovs",
-  // type (plugin) specific
-  "bridge": "ovs0",
-  "vxlanID": 42,
-  "ipam": {
-    "type": "dhcp",
-    "routes": [ { "dst": "10.3.0.0/16" }, { "dst": "10.4.0.0/16" } ]
-  }
-}
-```
-
-```json
-{
-  "cniVersion": "0.1",
-  "name": "wan",
-  "type": "macvlan",
-  // ipam specific
-  "ipam": {
-    "type": "dhcp",
-    "routes": [ { "dst": "10.0.0.0/8", "gw": "10.0.0.1" } ]
-  },
-  "dns": {
-    "nameservers": [ "10.0.0.1" ]
-  }
-}
-```
-
-
-### IP Allocation
-
-As part of its operation, a CNI plugin is expected to assign (and maintain) an IP address to the interface and install any necessary routes relevant for that interface. This gives the CNI plugin great flexibility but also places a large burden on it. Many CNI plugins would need to have the same code to support several IP management schemes that users may desire (e.g. dhcp, host-local). 
-
-To lessen the burden and make IP management strategy be orthogonal to the type of CNI plugin, we define a second type of plugin -- IP Address Management Plugin (IPAM plugin). It is however the responsibility of the CNI plugin to invoke the IPAM plugin at the proper moment in its execution. The IPAM plugin is expected to determine the interface IP/subnet, Gateway and Routes and return this information to the "main" plugin to apply. The IPAM plugin may obtain the information via a protocol (e.g. dhcp), data stored on a local filesystem, the "ipam" section of the Network Configuration file or a combination of the above.
-
-#### IP Address Management (IPAM) Interface
-
-Like CNI plugins, the IPAM plugins are invoked by running an executable. The executable is searched for in a predefined list of paths, indicated to the CNI plugin via `CNI_PATH`. The IPAM Plugin receives all the same environment variables that were passed in to the CNI plugin. Just like the CNI plugin, IPAM receives the network configuration file via stdin.
-
-Success is indicated by a zero return code and the following JSON being printed to stdout (in the case of the ADD command):
-
-```
-{
-  "cniVersion": "0.1.0",
-  "ip4": {
-    "ip": <ipv4-and-subnet-in-CIDR>,
-    "gateway": <ipv4-of-the-gateway>,  (optional)
-    "routes": <list-of-ipv4-routes>    (optional)
-  },
-  "ip6": {
-    "ip": <ipv6-and-subnet-in-CIDR>,
-    "gateway": <ipv6-of-the-gateway>,  (optional)
-    "routes": <list-of-ipv6-routes>    (optional)
-  },
-  "dns": {
-    "nameservers": <list-of-nameservers>           (optional)
-    "domain": <name-of-local-domain>               (optional)
-    "search": <list-of-search-domains>             (optional)
-    "options": <list-of-options>                   (optional)
-  }
-}
-```
-
-`cniVersion` specifies a [Semantic Version 2.0](http://semver.org) of CNI specification used by the plugin.
-`gateway` is the default gateway for this subnet, if one exists.
-It does not instruct the CNI plugin to add any routes with this gateway: routes to add are specified separately via the `routes` field.
-An example use of this value is for the CNI plugin to add this IP address to the linux-bridge to make it a gateway.
-
-Each route entry is a dictionary with the following fields:
- `dst` (string): Destination subnet specified in CIDR notation.
- `gw` (string): IP of the gateway. If omitted, a default gateway is assumed (as determined by the CNI plugin).
-
-The "dns" field contains a dictionary consisting of common DNS information. 
- `nameservers` (list of strings): list of a priority-ordered list of DNS nameservers that this network is aware of. Each entry in the list is a string containing either an IPv4 or an IPv6 address.
- `domain` (string): the local domain used for short hostname lookups.
- `search` (list of strings): list of priority ordered search domains for short hostname lookups. Will be preferred over `domain` by most resolvers.
- `options` (list of strings): list of options that can be passed to the resolver
-See [CNI Plugin Result](#result) section for more information.
-
-Errors and logs are communicated in the same way as the CNI plugin. See [CNI Plugin Result](#result) section for details.
-
-IPAM plugin examples:
- - **host-local**: Select an unused (by other containers on the same host) IP within the specified range.
- - **dhcp**: Use DHCP protocol to acquire and maintain a lease. The DHCP requests will be sent via the created container interface; therefore, the associated network must support broadcast.
-
-#### Notes
- - Routes are expected to be added with a 0 metric.
- - A default route may be specified via "0.0.0.0/0". Since another network might have already configured the default route, the CNI plugin should be prepared to skip over its default route definition.
-
-## Well-known Error Codes
- `1` - Incompatible CNI version
--- a/30
+++ b/30
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-set -xe
-
-ORG_PATH="github.com/appc"
-REPO_PATH="${ORG_PATH}/cni"
-
-if [ ! -h gopath/src/${REPO_PATH} ]; then
-	mkdir -p gopath/src/${ORG_PATH}
-	ln -s ../../../.. gopath/src/${REPO_PATH} || exit 255
-fi
-
-export GO15VENDOREXPERIMENT=1
-export GOBIN=${PWD}/bin
-export GOPATH=${PWD}/gopath
-
-echo "Building API"
-go build "$@" ${REPO_PATH}/libcni
-
-echo "Building reference CLI"
-go install "$@" ${REPO_PATH}/cnitool
-
-echo "Building plugins"
-PLUGINS="plugins/meta/* plugins/main/* plugins/ipam/*"
-for d in $PLUGINS; do
-	if [ -d $d ]; then
-		plugin=$(basename $d)
-		echo "  " $plugin
-		go install "$@" ${REPO_PATH}/$d
-	fi
-done
--- a/build_linux.sh
+++ b/build_linux.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -e
+cd "$(dirname "$0")"
+
+if [ "$(uname)" == "Darwin" ]; then
+	export GOOS="${GOOS:-linux}"
+fi
+
+export GOFLAGS="${GOFLAGS} -mod=vendor"
+
+mkdir -p "${PWD}/bin"
+
+echo "Building plugins ${GOOS}"
+PLUGINS="plugins/meta/* plugins/main/* plugins/ipam/*"
+for d in $PLUGINS; do
+	if [ -d "$d" ]; then
+		plugin="$(basename "$d")"
+		if [ "${plugin}" != "windows" ]; then
+			echo "  $plugin"
+			${GO:-go} build -o "${PWD}/bin/$plugin" "$@" ./"$d"
+		fi
+	fi
+done
--- a/build_windows.sh
+++ b/build_windows.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -e
+cd "$(dirname "$0")"
+
+export GO="${GO:-go}"
+export GOOS=windows
+export GOFLAGS="${GOFLAGS} -mod=vendor"
+echo "$GOFLAGS"
+
+PLUGINS=$(cat plugins/windows_only.txt | dos2unix )
+for d in $PLUGINS; do
+	plugin="$(basename "$d").exe"
+	echo "building $plugin"
+	$GO build -o "${PWD}/bin/$plugin" "$@" ./"${d}"
+done
--- a/cnitool/cni.go
+++ b/cnitool/cni.go
@@ -1,87 +0,0 @@
-// Copyright 2015 CoreOS, Inc.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/appc/cni/libcni"
-)
-
-const (
-	EnvCNIPath = "CNI_PATH"
-	EnvNetDir  = "NETCONFPATH"
-
-	DefaultNetDir = "/etc/cni/net.d"
-
-	CmdAdd = "add"
-	CmdDel = "del"
-)
-
-func main() {
-	if len(os.Args) < 3 {
-		usage()
-		return
-	}
-
-	netdir := os.Getenv(EnvNetDir)
-	if netdir == "" {
-		netdir = DefaultNetDir
-	}
-	netconf, err := libcni.LoadConf(netdir, os.Args[2])
-	if err != nil {
-		exit(err)
-	}
-
-	netns := os.Args[3]
-
-	cninet := &libcni.CNIConfig{
-		Path: strings.Split(os.Getenv(EnvCNIPath), ":"),
-	}
-
-	rt := &libcni.RuntimeConf{
-		ContainerID: "cni",
-		NetNS:       netns,
-		IfName:      "eth0",
-	}
-
-	switch os.Args[1] {
-	case CmdAdd:
-		_, err := cninet.AddNetwork(netconf, rt)
-		exit(err)
-	case CmdDel:
-		exit(cninet.DelNetwork(netconf, rt))
-	}
-}
-
-func usage() {
-	exe := filepath.Base(os.Args[0])
-
-	fmt.Fprintf(os.Stderr, "%s: Add or remove network interfaces from a network namespace\n", exe)
-	fmt.Fprintf(os.Stderr, "  %s %s <net> <netns>\n", exe, CmdAdd)
-	fmt.Fprintf(os.Stderr, "  %s %s <net> <netns>\n", exe, CmdDel)
-	os.Exit(1)
-}
-
-func exit(err error) {
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "%s\n", err)
-		os.Exit(1)
-	}
-	os.Exit(0)
-}
--- a/go.mod
+++ b/go.mod
@@ -0,0 +1,29 @@
+module github.com/containernetworking/plugins
+
+go 1.14
+
+require (
+	github.com/Microsoft/go-winio v0.4.11 // indirect
+	github.com/Microsoft/hcsshim v0.8.6
+	github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae
+	github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44
+	github.com/containernetworking/cni v0.8.1
+	github.com/coreos/go-iptables v0.5.0
+	github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7
+	github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c
+	github.com/d2g/dhcp4client v1.0.0
+	github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5
+	github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4 // indirect
+	github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c
+	github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56
+	github.com/mattn/go-shellwords v1.0.3
+	github.com/onsi/ginkgo v1.12.1
+	github.com/onsi/gomega v1.10.3
+	github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8
+	github.com/sirupsen/logrus v1.0.6 // indirect
+	github.com/stretchr/testify v1.3.0 // indirect
+	github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852
+	golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637
+	gopkg.in/airbrake/gobrake.v2 v2.0.9 // indirect
+	gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2 // indirect
+)
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,109 @@
+github.com/Microsoft/go-winio v0.4.11 h1:zoIOcVf0xPN1tnMVbTtEdI+P8OofVk3NObnwOQ6nK2Q=
+github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
+github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
+github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
+github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae h1:AMzIhMUqU3jMrZiTuW0zkYeKlKDAFD+DG20IoO421/Y=
+github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
+github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44 h1:y853v6rXx+zefEcjET3JuKAqvhj+FKflQijjeaSv2iA=
+github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
+github.com/containernetworking/cni v0.8.1 h1:7zpDnQ3T3s4ucOuJ/ZCLrYBxzkg0AELFfII3Epo9TmI=
+github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY=
+github.com/coreos/go-iptables v0.5.0 h1:mw6SAibtHKZcNzAsOxjoHIG0gy5YFHhypWSSNc6EjbQ=
+github.com/coreos/go-iptables v0.5.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 h1:u9SHYsPQNyt5tgDm3YN7+9dYrpK96E5wFilTFWIDZOM=
+github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c h1:Xo2rK1pzOm0jO6abTPIQwbAmqBIOj132otexc1mmzFc=
+github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
+github.com/d2g/dhcp4client v1.0.0 h1:suYBsYZIkSlUMEz4TAYCczKf62IA2UWC+O8+KtdOhCo=
+github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
+github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5 h1:+CpLbZIeUn94m02LdEKPcgErLJ347NUwxPKs5u8ieiY=
+github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=
+github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4 h1:itqmmf1PFpC4n5JW+j4BU7X4MTfVurhYRTjODoPb2Y8=
+github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c h1:RBUpb2b14UnmRHNd2uHz20ZHLDK+SW5Us/vWF5IHRaY=
+github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56 h1:742eGXur0715JMq73aD95/FU0XpVKXqNuTnEfXsLOYQ=
+github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
+github.com/mattn/go-shellwords v1.0.3 h1:K/VxK7SZ+cvuPgFSLKi5QPI9Vr/ipOf4C1gN+ntueUk=
+github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
+github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1 h1:mFwc4LvZ0xpSvDZ3E+k8Yte0hLOMxXUlP+yXtJqkYfQ=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.3 h1:gph6h/qe9GSUw1NhH1gp+qb+h8rXD8Cy60Z32Qw3ELA=
+github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8 h1:2c1EFnZHIPCW8qKWgHMH/fX2PkSabFc5mrVzfUNdg5U=
+github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
+github.com/sirupsen/logrus v1.0.6 h1:hcP1GmhGigz/O7h1WVUM5KklBp1JoNS9FggWKdj/j3s=
+github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852 h1:cPXZWzzG0NllBLdjWoD1nDfaqu98YMv+OneaKc8sPOA=
+github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae h1:4hwBBUfQCFe3Cym0ZtKyq7L16eZUtYKs+BaHDN6mAns=
+github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0 h1:wBouT66WTYFXdxfVdz9sVWARVd/2vfGcmI45D2gj45M=
+golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637 h1:O5hKNaGxIT4A8OTMnuh6UpmBdI3SAPxlZ3g0olDrJVM=
+golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+gopkg.in/airbrake/gobrake.v2 v2.0.9 h1:7z2uVWwn7oVeeugY1DtlPAy5H+KYgB1KeKTnqjNatLo=
+gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2 h1:OAj3g0cR6Dx/R07QgQe8wkA9RNjB2u4i700xBkIT4e0=
+gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/integration/integration_linux_test.go
+++ b/integration/integration_linux_test.go
@@ -0,0 +1,269 @@
+// Copyright 2018 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package integration_test
+
+import (
+	"fmt"
+	"math/rand"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"bytes"
+	"io"
+	"net"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/gbytes"
+	"github.com/onsi/gomega/gexec"
+)
+
+var _ = Describe("Basic PTP using cnitool", func() {
+	var (
+		cnitoolBin string
+		cniPath    string
+	)
+
+	BeforeEach(func() {
+		var err error
+		cniPath, err = filepath.Abs("../bin")
+		Expect(err).NotTo(HaveOccurred())
+		cnitoolBin, err = exec.LookPath("cnitool")
+		Expect(err).NotTo(HaveOccurred(), "expected to find cnitool in your PATH")
+	})
+
+	Context("basic cases", func() {
+		var (
+			env    TestEnv
+			hostNS Namespace
+			contNS Namespace
+		)
+
+		BeforeEach(func() {
+			var err error
+
+			netConfPath, err := filepath.Abs("./testdata")
+			Expect(err).NotTo(HaveOccurred())
+
+			env = TestEnv([]string{
+				"CNI_PATH=" + cniPath,
+				"NETCONFPATH=" + netConfPath,
+				"PATH=" + os.Getenv("PATH"),
+			})
+
+			hostNS = Namespace(fmt.Sprintf("cni-test-host-%x", rand.Int31()))
+			hostNS.Add()
+
+			contNS = Namespace(fmt.Sprintf("cni-test-cont-%x", rand.Int31()))
+			contNS.Add()
+		})
+
+		AfterEach(func() {
+			contNS.Del()
+			hostNS.Del()
+		})
+
+		basicAssertion := func(netName, expectedIPPrefix string) {
+			env.runInNS(hostNS, cnitoolBin, "add", netName, contNS.LongName())
+
+			addrOutput := env.runInNS(contNS, "ip", "addr")
+			Expect(addrOutput).To(ContainSubstring(expectedIPPrefix))
+
+			env.runInNS(hostNS, cnitoolBin, "del", netName, contNS.LongName())
+		}
+
+		It("supports basic network add and del operations", func() {
+			basicAssertion("basic-ptp", "10.1.2.")
+		})
+
+		It("supports add and del with ptp + bandwidth", func() {
+			basicAssertion("chained-ptp-bandwidth", "10.9.2.")
+		})
+	})
+
+	Context("when the bandwidth plugin is chained with a plugin that returns multiple adapters", func() {
+		var (
+			hostNS                                            Namespace
+			contNS1                                           Namespace
+			contNS2                                           Namespace
+			basicBridgeEnv                                    TestEnv
+			chainedBridgeBandwidthEnv                         TestEnv
+			chainedBridgeBandwidthSession, basicBridgeSession *gexec.Session
+		)
+
+		BeforeEach(func() {
+			hostNS = Namespace(fmt.Sprintf("cni-test-host-%x", rand.Int31()))
+			hostNS.Add()
+
+			contNS1 = Namespace(fmt.Sprintf("cni-test-cont1-%x", rand.Int31()))
+			contNS1.Add()
+
+			contNS2 = Namespace(fmt.Sprintf("cni-test-cont2-%x", rand.Int31()))
+			contNS2.Add()
+
+			basicBridgeNetConfPath, err := filepath.Abs("./testdata/basic-bridge")
+			Expect(err).NotTo(HaveOccurred())
+
+			basicBridgeEnv = TestEnv([]string{
+				"CNI_PATH=" + cniPath,
+				"NETCONFPATH=" + basicBridgeNetConfPath,
+				"PATH=" + os.Getenv("PATH"),
+			})
+
+			chainedBridgeBandwidthNetConfPath, err := filepath.Abs("./testdata/chained-bridge-bandwidth")
+			Expect(err).NotTo(HaveOccurred())
+
+			chainedBridgeBandwidthEnv = TestEnv([]string{
+				"CNI_PATH=" + cniPath,
+				"NETCONFPATH=" + chainedBridgeBandwidthNetConfPath,
+				"PATH=" + os.Getenv("PATH"),
+			})
+		})
+
+		AfterEach(func() {
+			if chainedBridgeBandwidthSession != nil {
+				chainedBridgeBandwidthSession.Kill()
+			}
+			if basicBridgeSession != nil {
+				basicBridgeSession.Kill()
+			}
+
+			chainedBridgeBandwidthEnv.runInNS(hostNS, cnitoolBin, "del", "network-chain-test", contNS1.LongName())
+			basicBridgeEnv.runInNS(hostNS, cnitoolBin, "del", "network-chain-test", contNS2.LongName())
+		})
+
+		Measure("limits traffic only on the restricted bandwith veth device", func(b Benchmarker) {
+			ipRegexp := regexp.MustCompile("10\\.1[12]\\.2\\.\\d{1,3}")
+
+			By(fmt.Sprintf("adding %s to %s\n\n", "chained-bridge-bandwidth", contNS1.ShortName()))
+			chainedBridgeBandwidthEnv.runInNS(hostNS, cnitoolBin, "add", "network-chain-test", contNS1.LongName())
+			chainedBridgeIP := ipRegexp.FindString(chainedBridgeBandwidthEnv.runInNS(contNS1, "ip", "addr"))
+			Expect(chainedBridgeIP).To(ContainSubstring("10.12.2."))
+
+			By(fmt.Sprintf("adding %s to %s\n\n", "basic-bridge", contNS2.ShortName()))
+			basicBridgeEnv.runInNS(hostNS, cnitoolBin, "add", "network-chain-test", contNS2.LongName())
+			basicBridgeIP := ipRegexp.FindString(basicBridgeEnv.runInNS(contNS2, "ip", "addr"))
+			Expect(basicBridgeIP).To(ContainSubstring("10.11.2."))
+
+			var chainedBridgeBandwidthPort, basicBridgePort int
+			var err error
+
+			By(fmt.Sprintf("starting echo server in %s\n\n", contNS1.ShortName()))
+			chainedBridgeBandwidthPort, chainedBridgeBandwidthSession, err = startEchoServerInNamespace(contNS1)
+			Expect(err).ToNot(HaveOccurred())
+
+			By(fmt.Sprintf("starting echo server in %s\n\n", contNS2.ShortName()))
+			basicBridgePort, basicBridgeSession, err = startEchoServerInNamespace(contNS2)
+			Expect(err).ToNot(HaveOccurred())
+
+			packetInBytes := 20000 // The shaper needs to 'warm'. Send enough to cause it to throttle,
+			// balanced by run time.
+
+			By(fmt.Sprintf("sending tcp traffic to the chained, bridged, traffic shaped container on ip address '%s:%d'\n\n", chainedBridgeIP, chainedBridgeBandwidthPort))
+			runtimeWithLimit := b.Time("with chained bridge and bandwidth plugins", func() {
+				makeTcpClientInNS(hostNS.ShortName(), chainedBridgeIP, chainedBridgeBandwidthPort, packetInBytes)
+			})
+
+			By(fmt.Sprintf("sending tcp traffic to the basic bridged container on ip address '%s:%d'\n\n", basicBridgeIP, basicBridgePort))
+			runtimeWithoutLimit := b.Time("with basic bridged plugin", func() {
+				makeTcpClientInNS(hostNS.ShortName(), basicBridgeIP, basicBridgePort, packetInBytes)
+			})
+
+			Expect(runtimeWithLimit).To(BeNumerically(">", runtimeWithoutLimit+1000*time.Millisecond))
+		}, 1)
+	})
+})
+
+type TestEnv []string
+
+func (e TestEnv) run(bin string, args ...string) string {
+	cmd := exec.Command(bin, args...)
+	cmd.Env = e
+	session, err := gexec.Start(cmd, GinkgoWriter, GinkgoWriter)
+	Expect(err).NotTo(HaveOccurred())
+	Eventually(session, "5s").Should(gexec.Exit(0))
+	return string(session.Out.Contents())
+}
+
+func (e TestEnv) runInNS(nsShortName Namespace, bin string, args ...string) string {
+	a := append([]string{"netns", "exec", string(nsShortName), bin}, args...)
+	return e.run("ip", a...)
+}
+
+type Namespace string
+
+func (n Namespace) LongName() string {
+	return fmt.Sprintf("/var/run/netns/%s", n)
+}
+
+func (n Namespace) ShortName() string {
+	return string(n)
+}
+
+func (n Namespace) Add() {
+	(TestEnv{}).run("ip", "netns", "add", string(n))
+}
+
+func (n Namespace) Del() {
+	(TestEnv{}).run("ip", "netns", "del", string(n))
+}
+
+func makeTcpClientInNS(netns string, address string, port int, numBytes int) {
+	payload := bytes.Repeat([]byte{'a'}, numBytes)
+	message := string(payload)
+
+	var cmd *exec.Cmd
+	if netns != "" {
+		netns = filepath.Base(netns)
+		cmd = exec.Command("ip", "netns", "exec", netns, echoClientBinaryPath, "--target", fmt.Sprintf("%s:%d", address, port), "--message", message)
+	} else {
+		cmd = exec.Command(echoClientBinaryPath, "--target", fmt.Sprintf("%s:%d", address, port), "--message", message)
+	}
+	cmd.Stdin = bytes.NewBuffer([]byte(message))
+	cmd.Stderr = GinkgoWriter
+	out, err := cmd.Output()
+
+	Expect(err).NotTo(HaveOccurred())
+	Expect(string(out)).To(Equal(message))
+}
+
+func startEchoServerInNamespace(netNS Namespace) (int, *gexec.Session, error) {
+	session, err := startInNetNS(echoServerBinaryPath, netNS)
+	Expect(err).NotTo(HaveOccurred())
+
+	// wait for it to print it's address on stdout
+	Eventually(session.Out).Should(gbytes.Say("\n"))
+	_, portString, err := net.SplitHostPort(strings.TrimSpace(string(session.Out.Contents())))
+	Expect(err).NotTo(HaveOccurred())
+
+	port, err := strconv.Atoi(portString)
+	Expect(err).NotTo(HaveOccurred())
+
+	go func() {
+		// print out echoserver output to ginkgo to capture any errors that might be occurring.
+		io.Copy(GinkgoWriter, io.MultiReader(session.Out, session.Err))
+	}()
+
+	return port, session, nil
+}
+
+func startInNetNS(binPath string, namespace Namespace) (*gexec.Session, error) {
+	cmd := exec.Command("ip", "netns", "exec", namespace.ShortName(), binPath)
+	return gexec.Start(cmd, GinkgoWriter, GinkgoWriter)
+}
--- a/integration/integration_suite_test.go
+++ b/integration/integration_suite_test.go
@@ -0,0 +1,46 @@
+// Copyright 2018 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package integration_test
+
+import (
+	"strings"
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/gexec"
+)
+
+func TestIntegration(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "integration")
+}
+
+var echoServerBinaryPath, echoClientBinaryPath string
+
+var _ = SynchronizedBeforeSuite(func() []byte {
+	serverBinaryPath, err := gexec.Build("github.com/containernetworking/plugins/pkg/testutils/echo/server")
+	Expect(err).NotTo(HaveOccurred())
+	clientBinaryPath, err := gexec.Build("github.com/containernetworking/plugins/pkg/testutils/echo/client")
+	Expect(err).NotTo(HaveOccurred())
+	return []byte(strings.Join([]string{serverBinaryPath, clientBinaryPath}, ","))
+}, func(data []byte) {
+	binaries := strings.Split(string(data), ",")
+	echoServerBinaryPath = binaries[0]
+	echoClientBinaryPath = binaries[1]
+})
+
+var _ = SynchronizedAfterSuite(func() {}, func() {
+	gexec.CleanupBuildArtifacts()
+})
--- a/integration/testdata/basic-bridge/network-chain-test.json
+++ b/integration/testdata/basic-bridge/network-chain-test.json
@@ -0,0 +1,12 @@
+{
+  "cniVersion": "0.3.1",
+  "name": "network-chain-test",
+  "type": "bridge",
+  "bridge": "test-bridge-0",
+  "isDefaultGateway": true,
+  "ipam": {
+    "type": "host-local",
+    "subnet": "10.11.2.0/24",
+    "dataDir": "/tmp/foo"
+  }
+}
--- a/integration/testdata/basic-ptp.json
+++ b/integration/testdata/basic-ptp.json
@@ -0,0 +1,11 @@
+{
+    "cniVersion": "0.3.0",
+    "name": "basic-ptp",
+    "type": "ptp",
+    "ipMasq": true,
+    "mtu": 512,
+    "ipam": {
+        "type": "host-local",
+        "subnet": "10.1.2.0/24"
+    }
+}
--- a/integration/testdata/chained-bridge-bandwidth/network-chain-test.conflist
+++ b/integration/testdata/chained-bridge-bandwidth/network-chain-test.conflist
@@ -0,0 +1,27 @@
+{
+    "cniVersion": "0.3.1",
+    "name": "network-chain-test",
+    "plugins": [
+        {
+            "type": "bridge",
+            "bridge": "test-bridge-1",
+            "isDefaultGateway": true,
+            "ipam": {
+                "type": "host-local",
+                "subnet": "10.12.2.0/24",
+                "dataDir": "/tmp/bar"
+            }
+        },
+        {
+            "type": "bandwidth",
+            "runtimeConfig": {
+                "bandWidth": {
+                    "ingressRate": 8000,
+                    "ingressBurst": 16000,
+                    "egressRate": 8000,
+                    "egressBurst": 16000
+                }
+            }
+        }
+    ]
+}
--- a/integration/testdata/chained-ptp-bandwidth.conflist
+++ b/integration/testdata/chained-ptp-bandwidth.conflist
@@ -0,0 +1,26 @@
+{
+    "cniVersion": "0.3.1",
+    "name": "chained-ptp-bandwidth",
+    "plugins": [
+        {
+            "type": "ptp",
+            "ipMasq": true,
+            "mtu": 512,
+            "ipam": {
+                "type": "host-local",
+                "subnet": "10.9.2.0/24"
+            }
+        },
+        {
+            "type": "bandwidth",
+            "runtimeConfig": {
+                "bandWidth": {
+                    "ingressRate": 800,
+                    "ingressBurst": 200,
+                    "egressRate": 800,
+                    "egressBurst": 200
+                }
+            }
+        }
+    ]
+}
--- a/libcni/api.go
+++ b/libcni/api.go
@@ -1,73 +0,0 @@
-// Copyright 2015 CNI authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package libcni
-
-import (
-	"strings"
-
-	"github.com/appc/cni/pkg/invoke"
-	"github.com/appc/cni/pkg/types"
-)
-
-type RuntimeConf struct {
-	ContainerID string
-	NetNS       string
-	IfName      string
-	Args        [][2]string
-}
-
-type NetworkConfig struct {
-	Network *types.NetConf
-	Bytes   []byte
-}
-
-type CNI interface {
-	AddNetwork(net *NetworkConfig, rt *RuntimeConf) (*types.Result, error)
-	DelNetwork(net *NetworkConfig, rt *RuntimeConf) error
-}
-
-type CNIConfig struct {
-	Path []string
-}
-
-func (c *CNIConfig) AddNetwork(net *NetworkConfig, rt *RuntimeConf) (*types.Result, error) {
-	pluginPath, err := invoke.FindInPath(net.Network.Type, c.Path)
-	if err != nil {
-		return nil, err
-	}
-
-	return invoke.ExecPluginWithResult(pluginPath, net.Bytes, c.args("ADD", rt))
-}
-
-func (c *CNIConfig) DelNetwork(net *NetworkConfig, rt *RuntimeConf) error {
-	pluginPath, err := invoke.FindInPath(net.Network.Type, c.Path)
-	if err != nil {
-		return err
-	}
-
-	return invoke.ExecPluginWithoutResult(pluginPath, net.Bytes, c.args("DEL", rt))
-}
-
-// =====
-func (c *CNIConfig) args(action string, rt *RuntimeConf) *invoke.Args {
-	return &invoke.Args{
-		Command:     action,
-		ContainerID: rt.ContainerID,
-		NetNS:       rt.NetNS,
-		PluginArgs:  rt.Args,
-		IfName:      rt.IfName,
-		Path:        strings.Join(c.Path, ":"),
-	}
-}
--- a/libcni/conf.go
+++ b/libcni/conf.go
@@ -1,85 +0,0 @@
-// Copyright 2015 CNI authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package libcni
-
-import (
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"sort"
-)
-
-func ConfFromBytes(bytes []byte) (*NetworkConfig, error) {
-	conf := &NetworkConfig{Bytes: bytes}
-	if err := json.Unmarshal(bytes, &conf.Network); err != nil {
-		return nil, fmt.Errorf("error parsing configuration: %s", err)
-	}
-	return conf, nil
-}
-
-func ConfFromFile(filename string) (*NetworkConfig, error) {
-	bytes, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return nil, fmt.Errorf("error reading %s: %s", filename, err)
-	}
-	return ConfFromBytes(bytes)
-}
-
-func ConfFiles(dir string) ([]string, error) {
-	// In part, adapted from rkt/networking/podenv.go#listFiles
-	files, err := ioutil.ReadDir(dir)
-	switch {
-	case err == nil: // break
-	case os.IsNotExist(err):
-		return nil, nil
-	default:
-		return nil, err
-	}
-
-	confFiles := []string{}
-	for _, f := range files {
-		if f.IsDir() {
-			continue
-		}
-		if filepath.Ext(f.Name()) == ".conf" {
-			confFiles = append(confFiles, filepath.Join(dir, f.Name()))
-		}
-	}
-	return confFiles, nil
-}
-
-func LoadConf(dir, name string) (*NetworkConfig, error) {
-	files, err := ConfFiles(dir)
-	switch {
-	case err != nil:
-		return nil, err
-	case len(files) == 0:
-		return nil, fmt.Errorf("no net configurations found")
-	}
-	sort.Strings(files)
-
-	for _, confFile := range files {
-		conf, err := ConfFromFile(confFile)
-		if err != nil {
-			return nil, err
-		}
-		if conf.Network.Name == name {
-			return conf, nil
-		}
-	}
-	return nil, fmt.Errorf(`no net configuration with name "%s" in %s`, name, dir)
-}
--- a/pkg/errors/errors.go
+++ b/pkg/errors/errors.go
@@ -0,0 +1,37 @@
+// Copyright 2020 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package errors
+
+import "fmt"
+
+// Annotate is used to add extra context to an existing error. The return will be
+// a new error which carries error message from both context message and existing error.
+func Annotate(err error, message string) error {
+	if err == nil {
+		return nil
+	}
+
+	return fmt.Errorf("%s: %v", message, err)
+}
+
+// Annotatef is used to add extra context with args to an existing error. The return will be
+// a new error which carries error message from both context message and existing error.
+func Annotatef(err error, message string, args ...interface{}) error {
+	if err == nil {
+		return nil
+	}
+
+	return fmt.Errorf("%s: %v", fmt.Sprintf(message, args...), err)
+}
--- a/pkg/errors/errors_test.go
+++ b/pkg/errors/errors_test.go
@@ -0,0 +1,96 @@
+// Copyright 2020 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package errors
+
+import (
+	"errors"
+	"reflect"
+	"testing"
+)
+
+func TestAnnotate(t *testing.T) {
+	tests := []struct {
+		name           string
+		existingErr    error
+		contextMessage string
+		expectedErr    error
+	}{
+		{
+			"nil error",
+			nil,
+			"context",
+			nil,
+		},
+		{
+			"normal case",
+			errors.New("existing error"),
+			"context",
+			errors.New("context: existing error"),
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if !reflect.DeepEqual(Annotatef(test.existingErr, test.contextMessage), test.expectedErr) {
+				t.Errorf("test case %s fails", test.name)
+				return
+			}
+		})
+	}
+}
+
+func TestAnnotatef(t *testing.T) {
+	tests := []struct {
+		name           string
+		existingErr    error
+		contextMessage string
+		contextArgs    []interface{}
+		expectedErr    error
+	}{
+		{
+			"nil error",
+			nil,
+			"context",
+			nil,
+			nil,
+		},
+		{
+			"normal case",
+			errors.New("existing error"),
+			"context",
+			nil,
+			errors.New("context: existing error"),
+		},
+		{
+			"normal case with args",
+			errors.New("existing error"),
+			"context %s %d",
+			[]interface{}{
+				"arg",
+				100,
+			},
+			errors.New("context arg 100: existing error"),
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if !reflect.DeepEqual(Annotatef(test.existingErr, test.contextMessage, test.contextArgs...), test.expectedErr) {
+				t.Errorf("test case %s fails", test.name)
+				return
+			}
+		})
+	}
+}
--- a/pkg/hns/endpoint_windows.go
+++ b/pkg/hns/endpoint_windows.go
@@ -0,0 +1,370 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hns
+
+import (
+	"fmt"
+	"net"
+	"strings"
+
+	"github.com/Microsoft/hcsshim"
+	"github.com/Microsoft/hcsshim/hcn"
+
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/cni/pkg/types/current"
+	"github.com/containernetworking/plugins/pkg/errors"
+)
+
+const (
+	pauseContainerNetNS = "none"
+)
+
+type EndpointInfo struct {
+	EndpointName string
+	DNS          types.DNS
+	NetworkName  string
+	NetworkId    string
+	Gateway      net.IP
+	IpAddress    net.IP
+}
+
+// GetSandboxContainerID returns the sandbox ID of this pod
+func GetSandboxContainerID(containerID string, netNs string) string {
+	if len(netNs) != 0 && netNs != pauseContainerNetNS {
+		splits := strings.SplitN(netNs, ":", 2)
+		if len(splits) == 2 {
+			containerID = splits[1]
+		}
+	}
+
+	return containerID
+}
+
+// short function so we know when to return "" for a string
+func GetIpString(ip *net.IP) string {
+	if len(*ip) == 0 {
+		return ""
+	} else {
+		return ip.String()
+	}
+}
+
+func GenerateHnsEndpoint(epInfo *EndpointInfo, n *NetConf) (*hcsshim.HNSEndpoint, error) {
+	// run the IPAM plugin and get back the config to apply
+	hnsEndpoint, err := hcsshim.GetHNSEndpointByName(epInfo.EndpointName)
+	if err != nil && !hcsshim.IsNotExist(err) {
+		return nil, errors.Annotatef(err, "failed to get endpoint %q", epInfo.EndpointName)
+	}
+
+	if hnsEndpoint != nil {
+		if hnsEndpoint.VirtualNetwork != epInfo.NetworkId {
+			_, err = hnsEndpoint.Delete()
+			if err != nil {
+				return nil, errors.Annotatef(err, "failed to delete endpoint %s", epInfo.EndpointName)
+			}
+			hnsEndpoint = nil
+		}
+	}
+
+	if n.LoopbackDSR {
+		n.ApplyLoopbackDSR(&epInfo.IpAddress)
+	}
+	if hnsEndpoint == nil {
+		hnsEndpoint = &hcsshim.HNSEndpoint{
+			Name:           epInfo.EndpointName,
+			VirtualNetwork: epInfo.NetworkId,
+			DNSServerList:  strings.Join(epInfo.DNS.Nameservers, ","),
+			DNSSuffix:      strings.Join(epInfo.DNS.Search, ","),
+			GatewayAddress: GetIpString(&epInfo.Gateway),
+			IPAddress:      epInfo.IpAddress,
+			Policies:       n.MarshalPolicies(),
+		}
+	}
+	return hnsEndpoint, nil
+}
+
+func GenerateHcnEndpoint(epInfo *EndpointInfo, n *NetConf) (*hcn.HostComputeEndpoint, error) {
+	// run the IPAM plugin and get back the config to apply
+	hcnEndpoint, err := hcn.GetEndpointByName(epInfo.EndpointName)
+	if err != nil && !hcn.IsNotFoundError(err) {
+		return nil, errors.Annotatef(err, "failed to get endpoint %q", epInfo.EndpointName)
+	}
+
+	if hcnEndpoint != nil {
+		// If the endpont already exists, then we should return error unless
+		// the endpoint is based on a different network then delete
+		// should that fail return error
+		if !strings.EqualFold(hcnEndpoint.HostComputeNetwork, epInfo.NetworkId) {
+			err = hcnEndpoint.Delete()
+			if err != nil {
+				return nil, errors.Annotatef(err, "failed to delete endpoint %s", epInfo.EndpointName)
+			}
+		} else {
+			return nil, fmt.Errorf("endpoint %q already exits", epInfo.EndpointName)
+		}
+	}
+
+	if hcnEndpoint == nil {
+		routes := []hcn.Route{
+			{
+				NextHop:           GetIpString(&epInfo.Gateway),
+				DestinationPrefix: GetDefaultDestinationPrefix(&epInfo.Gateway),
+			},
+		}
+
+		hcnDns := hcn.Dns{
+			Search:     epInfo.DNS.Search,
+			ServerList: epInfo.DNS.Nameservers,
+		}
+
+		hcnIpConfig := hcn.IpConfig{
+			IpAddress: GetIpString(&epInfo.IpAddress),
+		}
+		ipConfigs := []hcn.IpConfig{hcnIpConfig}
+
+		if n.LoopbackDSR {
+			n.ApplyLoopbackDSR(&epInfo.IpAddress)
+		}
+		hcnEndpoint = &hcn.HostComputeEndpoint{
+			SchemaVersion:      hcn.Version{Major: 2},
+			Name:               epInfo.EndpointName,
+			HostComputeNetwork: epInfo.NetworkId,
+			Dns:                hcnDns,
+			Routes:             routes,
+			IpConfigurations:   ipConfigs,
+			Policies: func() []hcn.EndpointPolicy {
+				if n.HcnPolicyArgs == nil {
+					n.HcnPolicyArgs = []hcn.EndpointPolicy{}
+				}
+				return n.HcnPolicyArgs
+			}(),
+		}
+	}
+	return hcnEndpoint, nil
+}
+
+// ConstructEndpointName constructs enpointId which is used to identify an endpoint from HNS
+// There is a special consideration for netNs name here, which is required for Windows Server 1709
+// containerID is the Id of the container on which the endpoint is worked on
+func ConstructEndpointName(containerID string, netNs string, networkName string) string {
+	return GetSandboxContainerID(containerID, netNs) + "_" + networkName
+}
+
+// DeprovisionEndpoint removes an endpoint from the container by sending a Detach request to HNS
+// For shared endpoint, ContainerDetach is used
+// for removing the endpoint completely, HotDetachEndpoint is used
+func DeprovisionEndpoint(epName string, netns string, containerID string) error {
+	if len(netns) == 0 {
+		return nil
+	}
+
+	hnsEndpoint, err := hcsshim.GetHNSEndpointByName(epName)
+
+	if hcsshim.IsNotExist(err) {
+		return nil
+	} else if err != nil {
+		return errors.Annotatef(err, "failed to find HNSEndpoint %s", epName)
+	}
+
+	if netns != pauseContainerNetNS {
+		// Shared endpoint removal. Do not remove the endpoint.
+		hnsEndpoint.ContainerDetach(containerID)
+		return nil
+	}
+
+	// Do not consider this as failure, else this would leak endpoints
+	hcsshim.HotDetachEndpoint(containerID, hnsEndpoint.Id)
+
+	// Do not return error
+	hnsEndpoint.Delete()
+
+	return nil
+}
+
+type EndpointMakerFunc func() (*hcsshim.HNSEndpoint, error)
+
+// ProvisionEndpoint provisions an endpoint to a container specified by containerID.
+// If an endpoint already exists, the endpoint is reused.
+// This call is idempotent
+func ProvisionEndpoint(epName string, expectedNetworkId string, containerID string, netns string, makeEndpoint EndpointMakerFunc) (*hcsshim.HNSEndpoint, error) {
+	// On the second add call we expect that the endpoint already exists. If it
+	// does not then we should return an error.
+	if netns != pauseContainerNetNS {
+		_, err := hcsshim.GetHNSEndpointByName(epName)
+		if err != nil {
+			return nil, errors.Annotatef(err, "failed to find HNSEndpoint %s", epName)
+		}
+	}
+
+	// check if endpoint already exists
+	createEndpoint := true
+	hnsEndpoint, err := hcsshim.GetHNSEndpointByName(epName)
+	if hnsEndpoint != nil && strings.EqualFold(hnsEndpoint.VirtualNetwork, expectedNetworkId) {
+		createEndpoint = false
+	}
+
+	if createEndpoint {
+		if hnsEndpoint != nil {
+			if _, err = hnsEndpoint.Delete(); err != nil {
+				return nil, errors.Annotate(err, "failed to delete the stale HNSEndpoint")
+			}
+		}
+
+		if hnsEndpoint, err = makeEndpoint(); err != nil {
+			return nil, errors.Annotate(err, "failed to make a new HNSEndpoint")
+		}
+
+		if hnsEndpoint, err = hnsEndpoint.Create(); err != nil {
+			return nil, errors.Annotate(err, "failed to create the new HNSEndpoint")
+		}
+
+	}
+
+	// hot attach
+	if err := hcsshim.HotAttachEndpoint(containerID, hnsEndpoint.Id); err != nil {
+		if createEndpoint {
+			err := DeprovisionEndpoint(epName, netns, containerID)
+			if err != nil {
+				return nil, errors.Annotatef(err, "failed to Deprovsion after HotAttach failure")
+			}
+		}
+		if hcsshim.ErrComputeSystemDoesNotExist == err {
+			return hnsEndpoint, nil
+		}
+		return nil, err
+	}
+
+	return hnsEndpoint, nil
+}
+
+type HcnEndpointMakerFunc func() (*hcn.HostComputeEndpoint, error)
+
+func AddHcnEndpoint(epName string, expectedNetworkId string, namespace string,
+	makeEndpoint HcnEndpointMakerFunc) (*hcn.HostComputeEndpoint, error) {
+
+	hcnEndpoint, err := makeEndpoint()
+	if err != nil {
+		return nil, errors.Annotate(err, "failed to make a new HNSEndpoint")
+	}
+
+	if hcnEndpoint, err = hcnEndpoint.Create(); err != nil {
+		return nil, errors.Annotate(err, "failed to create the new HNSEndpoint")
+	}
+
+	err = hcn.AddNamespaceEndpoint(namespace, hcnEndpoint.Id)
+	if err != nil {
+		err := RemoveHcnEndpoint(epName)
+		if err != nil {
+			return nil, errors.Annotatef(err, "failed to Remove Endpoint after AddNamespaceEndpoint failure")
+		}
+		return nil, errors.Annotate(err, "failed to Add endpoint to namespace")
+	}
+	return hcnEndpoint, nil
+
+}
+
+// ConstructResult constructs the CNI result for the endpoint
+func ConstructResult(hnsNetwork *hcsshim.HNSNetwork, hnsEndpoint *hcsshim.HNSEndpoint) (*current.Result, error) {
+	resultInterface := &current.Interface{
+		Name: hnsEndpoint.Name,
+		Mac:  hnsEndpoint.MacAddress,
+	}
+	_, ipSubnet, err := net.ParseCIDR(hnsNetwork.Subnets[0].AddressPrefix)
+	if err != nil {
+		return nil, errors.Annotatef(err, "failed to parse CIDR from %s", hnsNetwork.Subnets[0].AddressPrefix)
+	}
+
+	var ipVersion string
+	if ipv4 := hnsEndpoint.IPAddress.To4(); ipv4 != nil {
+		ipVersion = "4"
+	} else if ipv6 := hnsEndpoint.IPAddress.To16(); ipv6 != nil {
+		ipVersion = "6"
+	} else {
+		return nil, fmt.Errorf("IPAddress of HNSEndpoint %s isn't a valid ipv4 or ipv6 Address", hnsEndpoint.Name)
+	}
+
+	resultIPConfig := &current.IPConfig{
+		Version: ipVersion,
+		Address: net.IPNet{
+			IP:   hnsEndpoint.IPAddress,
+			Mask: ipSubnet.Mask},
+		Gateway: net.ParseIP(hnsEndpoint.GatewayAddress),
+	}
+	result := &current.Result{}
+	result.Interfaces = []*current.Interface{resultInterface}
+	result.IPs = []*current.IPConfig{resultIPConfig}
+	result.DNS = types.DNS{
+		Search:      strings.Split(hnsEndpoint.DNSSuffix, ","),
+		Nameservers: strings.Split(hnsEndpoint.DNSServerList, ","),
+	}
+
+	return result, nil
+}
+
+// This version follows the v2 workflow of removing the endpoint from the namespace and deleting it
+func RemoveHcnEndpoint(epName string) error {
+	hcnEndpoint, err := hcn.GetEndpointByName(epName)
+	if hcn.IsNotFoundError(err) {
+		return nil
+	} else if err != nil {
+		_ = fmt.Errorf("[win-cni] Failed to find endpoint %v, err:%v", epName, err)
+		return err
+	}
+	if hcnEndpoint != nil {
+		err = hcnEndpoint.Delete()
+		if err != nil {
+			return fmt.Errorf("[win-cni] Failed to delete endpoint %v, err:%v", epName, err)
+		}
+	}
+	return nil
+}
+
+func ConstructHcnResult(hcnNetwork *hcn.HostComputeNetwork, hcnEndpoint *hcn.HostComputeEndpoint) (*current.Result, error) {
+	resultInterface := &current.Interface{
+		Name: hcnEndpoint.Name,
+		Mac:  hcnEndpoint.MacAddress,
+	}
+	_, ipSubnet, err := net.ParseCIDR(hcnNetwork.Ipams[0].Subnets[0].IpAddressPrefix)
+	if err != nil {
+		return nil, err
+	}
+
+	var ipVersion string
+	ipAddress := net.ParseIP(hcnEndpoint.IpConfigurations[0].IpAddress)
+	if ipv4 := ipAddress.To4(); ipv4 != nil {
+		ipVersion = "4"
+	} else if ipv6 := ipAddress.To16(); ipv6 != nil {
+		ipVersion = "6"
+	} else {
+		return nil, fmt.Errorf("[win-cni] The IPAddress of hnsEndpoint isn't a valid ipv4 or ipv6 Address.")
+	}
+
+	resultIPConfig := &current.IPConfig{
+		Version: ipVersion,
+		Address: net.IPNet{
+			IP:   ipAddress,
+			Mask: ipSubnet.Mask},
+		Gateway: net.ParseIP(hcnEndpoint.Routes[0].NextHop),
+	}
+	result := &current.Result{}
+	result.Interfaces = []*current.Interface{resultInterface}
+	result.IPs = []*current.IPConfig{resultIPConfig}
+	result.DNS = types.DNS{
+		Search:      hcnEndpoint.Dns.Search,
+		Nameservers: hcnEndpoint.Dns.ServerList,
+	}
+
+	return result, nil
+}
--- a/pkg/hns/netconf_suite_windows_test.go
+++ b/pkg/hns/netconf_suite_windows_test.go
@@ -0,0 +1,26 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package hns
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestHns(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "HNS NetConf Suite")
+}
--- a/pkg/hns/netconf_windows.go
+++ b/pkg/hns/netconf_windows.go
@@ -0,0 +1,236 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hns
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net"
+
+	"strings"
+
+	"github.com/Microsoft/hcsshim/hcn"
+	"github.com/buger/jsonparser"
+	"github.com/containernetworking/cni/pkg/types"
+)
+
+// NetConf is the CNI spec
+type NetConf struct {
+	types.NetConf
+	// ApiVersion is either 1 or 2, which specifies which hns APIs to call
+	ApiVersion int `json:"ApiVersion"`
+	// V2 Api Policies
+	HcnPolicyArgs []hcn.EndpointPolicy `json:"HcnPolicyArgs,omitempty"`
+	// V1 Api Policies
+	Policies []policy `json:"policies,omitempty"`
+	// Options to be passed in by the runtime
+	RuntimeConfig RuntimeConfig `json:"runtimeConfig"`
+	// If true, adds a policy to endpoints to support loopback direct server return
+	LoopbackDSR bool `json:"loopbackDSR"`
+}
+
+type RuntimeDNS struct {
+	Nameservers []string `json:"servers,omitempty"`
+	Search      []string `json:"searches,omitempty"`
+}
+
+type PortMapEntry struct {
+	HostPort      int    `json:"hostPort"`
+	ContainerPort int    `json:"containerPort"`
+	Protocol      string `json:"protocol"`
+	HostIP        string `json:"hostIP,omitempty"`
+}
+
+type RuntimeConfig struct {
+	DNS      RuntimeDNS     `json:"dns"`
+	PortMaps []PortMapEntry `json:"portMappings,omitempty"`
+}
+
+type policy struct {
+	Name  string          `json:"name"`
+	Value json.RawMessage `json:"value"`
+}
+
+func GetDefaultDestinationPrefix(ip *net.IP) string {
+	destinationPrefix := "0.0.0.0/0"
+	if ipv6 := ip.To4(); ipv6 == nil {
+		destinationPrefix = "::/0"
+	}
+	return destinationPrefix
+}
+
+func (n *NetConf) ApplyLoopbackDSR(ip *net.IP) {
+	value := fmt.Sprintf(`"Destinations" : ["%s"]`, ip.String())
+	if n.ApiVersion == 2 {
+		hcnLoopbackRoute := hcn.EndpointPolicy{
+			Type:     "OutBoundNAT",
+			Settings: []byte(fmt.Sprintf("{%s}", value)),
+		}
+		n.HcnPolicyArgs = append(n.HcnPolicyArgs, hcnLoopbackRoute)
+	} else {
+		hnsLoopbackRoute := policy{
+			Name:  "EndpointPolicy",
+			Value: []byte(fmt.Sprintf(`{"Type": "OutBoundNAT", %s}`, value)),
+		}
+		n.Policies = append(n.Policies, hnsLoopbackRoute)
+	}
+}
+
+// If runtime dns values are there use that else use cni conf supplied dns
+func (n *NetConf) GetDNS() types.DNS {
+	dnsResult := n.DNS
+	if len(n.RuntimeConfig.DNS.Nameservers) > 0 {
+		dnsResult.Nameservers = n.RuntimeConfig.DNS.Nameservers
+	}
+	if len(n.RuntimeConfig.DNS.Search) > 0 {
+		dnsResult.Search = n.RuntimeConfig.DNS.Search
+	}
+	return dnsResult
+}
+
+// MarshalPolicies converts the Endpoint policies in Policies
+// to HNS specific policies as Json raw bytes
+func (n *NetConf) MarshalPolicies() []json.RawMessage {
+	if n.Policies == nil {
+		n.Policies = make([]policy, 0)
+	}
+
+	result := make([]json.RawMessage, 0, len(n.Policies))
+	for _, p := range n.Policies {
+		if !strings.EqualFold(p.Name, "EndpointPolicy") {
+			continue
+		}
+
+		result = append(result, p.Value)
+	}
+
+	return result
+}
+
+// ApplyOutboundNatPolicy applies NAT Policy in VFP using HNS
+// Simultaneously an exception is added for the network that has to be Nat'd
+func (n *NetConf) ApplyOutboundNatPolicy(nwToNat string) {
+	if n.Policies == nil {
+		n.Policies = make([]policy, 0)
+	}
+
+	nwToNatBytes := []byte(nwToNat)
+
+	for i, p := range n.Policies {
+		if !strings.EqualFold(p.Name, "EndpointPolicy") {
+			continue
+		}
+
+		typeValue, err := jsonparser.GetUnsafeString(p.Value, "Type")
+		if err != nil || len(typeValue) == 0 {
+			continue
+		}
+
+		if !strings.EqualFold(typeValue, "OutBoundNAT") {
+			continue
+		}
+
+		exceptionListValue, dt, _, _ := jsonparser.Get(p.Value, "ExceptionList")
+		// OutBoundNAT must with ExceptionList, so don't need to judge jsonparser.NotExist
+		if dt == jsonparser.Array {
+			buf := bytes.Buffer{}
+			buf.WriteString(`{"Type": "OutBoundNAT", "ExceptionList": [`)
+
+			jsonparser.ArrayEach(exceptionListValue, func(value []byte, dataType jsonparser.ValueType, offset int, err error) {
+				if dataType == jsonparser.String && len(value) != 0 {
+					if bytes.Compare(value, nwToNatBytes) != 0 {
+						buf.WriteByte('"')
+						buf.Write(value)
+						buf.WriteByte('"')
+						buf.WriteByte(',')
+					}
+				}
+			})
+
+			buf.WriteString(`"` + nwToNat + `"]}`)
+
+			n.Policies[i] = policy{
+				Name:  "EndpointPolicy",
+				Value: buf.Bytes(),
+			}
+		} else {
+			n.Policies[i] = policy{
+				Name:  "EndpointPolicy",
+				Value: []byte(`{"Type": "OutBoundNAT", "ExceptionList": ["` + nwToNat + `"]}`),
+			}
+		}
+
+		return
+	}
+
+	// didn't find the policyArg, add it
+	n.Policies = append(n.Policies, policy{
+		Name:  "EndpointPolicy",
+		Value: []byte(`{"Type": "OutBoundNAT", "ExceptionList": ["` + nwToNat + `"]}`),
+	})
+}
+
+// ApplyDefaultPAPolicy is used to configure a endpoint PA policy in HNS
+func (n *NetConf) ApplyDefaultPAPolicy(paAddress string) {
+	if n.Policies == nil {
+		n.Policies = make([]policy, 0)
+	}
+
+	// if its already present, leave untouched
+	for i, p := range n.Policies {
+		if !strings.EqualFold(p.Name, "EndpointPolicy") {
+			continue
+		}
+
+		paValue, dt, _, _ := jsonparser.Get(p.Value, "PA")
+		if dt == jsonparser.NotExist {
+			continue
+		} else if dt == jsonparser.String && len(paValue) != 0 {
+			// found it, don't override
+			return
+		}
+
+		n.Policies[i] = policy{
+			Name:  "EndpointPolicy",
+			Value: []byte(`{"Type": "PA", "PA": "` + paAddress + `"}`),
+		}
+		return
+	}
+
+	// didn't find the policyArg, add it
+	n.Policies = append(n.Policies, policy{
+		Name:  "EndpointPolicy",
+		Value: []byte(`{"Type": "PA", "PA": "` + paAddress + `"}`),
+	})
+}
+
+// ApplyPortMappingPolicy is used to configure HostPort<>ContainerPort mapping in HNS
+func (n *NetConf) ApplyPortMappingPolicy(portMappings []PortMapEntry) {
+	if portMappings == nil {
+		return
+	}
+
+	if n.Policies == nil {
+		n.Policies = make([]policy, 0)
+	}
+
+	for _, portMapping := range portMappings {
+		n.Policies = append(n.Policies, policy{
+			Name:  "EndpointPolicy",
+			Value: []byte(fmt.Sprintf(`{"Type": "NAT", "InternalPort": %d, "ExternalPort": %d, "Protocol": "%s"}`, portMapping.ContainerPort, portMapping.HostPort, portMapping.Protocol)),
+		})
+	}
+}
--- a/pkg/hns/netconf_windows_test.go
+++ b/pkg/hns/netconf_windows_test.go
@@ -0,0 +1,236 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package hns
+
+import (
+	"encoding/json"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("HNS NetConf", func() {
+	Describe("ApplyOutBoundNATPolicy", func() {
+		Context("when not set by user", func() {
+			It("sets it by adding a policy", func() {
+
+				// apply it
+				n := NetConf{}
+				n.ApplyOutboundNatPolicy("192.168.0.0/16")
+
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				value := make(map[string]interface{})
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value).Should(HaveKey("ExceptionList"))
+				Expect(value["Type"]).Should(Equal("OutBoundNAT"))
+
+				exceptionList := value["ExceptionList"].([]interface{})
+				Expect(exceptionList).Should(HaveLen(1))
+				Expect(exceptionList[0].(string)).Should(Equal("192.168.0.0/16"))
+			})
+		})
+
+		Context("when set by user", func() {
+			It("appends exceptions to the existing policy", func() {
+				// first set it
+				n := NetConf{}
+				n.ApplyOutboundNatPolicy("192.168.0.0/16")
+
+				// then attempt to update it
+				n.ApplyOutboundNatPolicy("10.244.0.0/16")
+
+				// it should be unchanged!
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				var value map[string]interface{}
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value).Should(HaveKey("ExceptionList"))
+				Expect(value["Type"]).Should(Equal("OutBoundNAT"))
+
+				exceptionList := value["ExceptionList"].([]interface{})
+				Expect(exceptionList).Should(HaveLen(2))
+				Expect(exceptionList[0].(string)).Should(Equal("192.168.0.0/16"))
+				Expect(exceptionList[1].(string)).Should(Equal("10.244.0.0/16"))
+			})
+		})
+	})
+
+	Describe("ApplyDefaultPAPolicy", func() {
+		Context("when not set by user", func() {
+			It("sets it by adding a policy", func() {
+
+				n := NetConf{}
+				n.ApplyDefaultPAPolicy("192.168.0.1")
+
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				value := make(map[string]interface{})
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value["Type"]).Should(Equal("PA"))
+
+				paAddress := value["PA"].(string)
+				Expect(paAddress).Should(Equal("192.168.0.1"))
+			})
+		})
+
+		Context("when set by user", func() {
+			It("does not override", func() {
+				n := NetConf{}
+				n.ApplyDefaultPAPolicy("192.168.0.1")
+				n.ApplyDefaultPAPolicy("192.168.0.2")
+
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				value := make(map[string]interface{})
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value["Type"]).Should(Equal("PA"))
+
+				paAddress := value["PA"].(string)
+				Expect(paAddress).Should(Equal("192.168.0.1"))
+				Expect(paAddress).ShouldNot(Equal("192.168.0.2"))
+			})
+		})
+	})
+
+	Describe("ApplyPortMappingPolicy", func() {
+		Context("when portMappings not activated", func() {
+			It("does nothing", func() {
+				n := NetConf{}
+				n.ApplyPortMappingPolicy(nil)
+				Expect(n.Policies).Should(BeNil())
+
+				n.ApplyPortMappingPolicy([]PortMapEntry{})
+				Expect(n.Policies).Should(HaveLen(0))
+			})
+		})
+
+		Context("when portMappings is activated", func() {
+			It("creates NAT policies", func() {
+				n := NetConf{}
+				n.ApplyPortMappingPolicy([]PortMapEntry{
+					{
+						ContainerPort: 80,
+						HostPort:      8080,
+						Protocol:      "TCP",
+						HostIP:        "ignored",
+					},
+				})
+
+				Expect(n.Policies).Should(HaveLen(1))
+
+				policy := n.Policies[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				value := make(map[string]interface{})
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value["Type"]).Should(Equal("NAT"))
+
+				Expect(value).Should(HaveKey("InternalPort"))
+				Expect(value["InternalPort"]).Should(Equal(float64(80)))
+
+				Expect(value).Should(HaveKey("ExternalPort"))
+				Expect(value["ExternalPort"]).Should(Equal(float64(8080)))
+
+				Expect(value).Should(HaveKey("Protocol"))
+				Expect(value["Protocol"]).Should(Equal("TCP"))
+			})
+		})
+	})
+
+	Describe("MarshalPolicies", func() {
+		Context("when not set by user", func() {
+			It("sets it by adding a policy", func() {
+
+				n := NetConf{
+					Policies: []policy{
+						{
+							Name:  "EndpointPolicy",
+							Value: []byte(`{"someKey": "someValue"}`),
+						},
+						{
+							Name:  "someOtherType",
+							Value: []byte(`{"someOtherKey": "someOtherValue"}`),
+						},
+					},
+				}
+
+				result := n.MarshalPolicies()
+				Expect(len(result)).To(Equal(1))
+
+				policy := make(map[string]interface{})
+				err := json.Unmarshal(result[0], &policy)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(policy).Should(HaveKey("someKey"))
+				Expect(policy["someKey"]).To(Equal("someValue"))
+			})
+		})
+
+		Context("when set by user", func() {
+			It("appends exceptions to the existing policy", func() {
+				// first set it
+				n := NetConf{}
+				n.ApplyOutboundNatPolicy("192.168.0.0/16")
+
+				// then attempt to update it
+				n.ApplyOutboundNatPolicy("10.244.0.0/16")
+
+				// it should be unchanged!
+				addlArgs := n.Policies
+				Expect(addlArgs).Should(HaveLen(1))
+
+				policy := addlArgs[0]
+				Expect(policy.Name).Should(Equal("EndpointPolicy"))
+
+				var value map[string]interface{}
+				json.Unmarshal(policy.Value, &value)
+
+				Expect(value).Should(HaveKey("Type"))
+				Expect(value).Should(HaveKey("ExceptionList"))
+				Expect(value["Type"]).Should(Equal("OutBoundNAT"))
+
+				exceptionList := value["ExceptionList"].([]interface{})
+				Expect(exceptionList).Should(HaveLen(2))
+				Expect(exceptionList[0].(string)).Should(Equal("192.168.0.0/16"))
+				Expect(exceptionList[1].(string)).Should(Equal("10.244.0.0/16"))
+			})
+		})
+	})
+})
--- a/pkg/invoke/delegate.go
+++ b/pkg/invoke/delegate.go
@@ -1,39 +0,0 @@
-package invoke
-
-import (
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/appc/cni/pkg/types"
-)
-
-func DelegateAdd(delegatePlugin string, netconf []byte) (*types.Result, error) {
-	if os.Getenv("CNI_COMMAND") != "ADD" {
-		return nil, fmt.Errorf("CNI_COMMAND is not ADD")
-	}
-
-	paths := strings.Split(os.Getenv("CNI_PATH"), ":")
-
-	pluginPath, err := FindInPath(delegatePlugin, paths)
-	if err != nil {
-		return nil, err
-	}
-
-	return ExecPluginWithResult(pluginPath, netconf, ArgsFromEnv())
-}
-
-func DelegateDel(delegatePlugin string, netconf []byte) error {
-	if os.Getenv("CNI_COMMAND") != "DEL" {
-		return fmt.Errorf("CNI_COMMAND is not DEL")
-	}
-
-	paths := strings.Split(os.Getenv("CNI_PATH"), ":")
-
-	pluginPath, err := FindInPath(delegatePlugin, paths)
-	if err != nil {
-		return err
-	}
-
-	return ExecPluginWithoutResult(pluginPath, netconf, ArgsFromEnv())
-}
--- a/pkg/invoke/exec.go
+++ b/pkg/invoke/exec.go
@@ -1,75 +0,0 @@
-// Copyright 2015 CNI authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package invoke
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"os"
-	"os/exec"
-
-	"github.com/appc/cni/pkg/types"
-)
-
-func pluginErr(err error, output []byte) error {
-	if _, ok := err.(*exec.ExitError); ok {
-		emsg := types.Error{}
-		if perr := json.Unmarshal(output, &emsg); perr != nil {
-			return fmt.Errorf("netplugin failed but error parsing its diagnostic message %q: %v", string(output), perr)
-		}
-		details := ""
-		if emsg.Details != "" {
-			details = fmt.Sprintf("; %v", emsg.Details)
-		}
-		return fmt.Errorf("%v%v", emsg.Msg, details)
-	}
-
-	return err
-}
-
-func ExecPluginWithResult(pluginPath string, netconf []byte, args CNIArgs) (*types.Result, error) {
-	stdoutBytes, err := execPlugin(pluginPath, netconf, args)
-	if err != nil {
-		return nil, err
-	}
-
-	res := &types.Result{}
-	err = json.Unmarshal(stdoutBytes, res)
-	return res, err
-}
-
-func ExecPluginWithoutResult(pluginPath string, netconf []byte, args CNIArgs) error {
-	_, err := execPlugin(pluginPath, netconf, args)
-	return err
-}
-
-func execPlugin(pluginPath string, netconf []byte, args CNIArgs) ([]byte, error) {
-	stdout := &bytes.Buffer{}
-
-	c := exec.Cmd{
-		Env:    args.AsEnv(),
-		Path:   pluginPath,
-		Args:   []string{pluginPath},
-		Stdin:  bytes.NewBuffer(netconf),
-		Stdout: stdout,
-		Stderr: os.Stderr,
-	}
-	if err := c.Run(); err != nil {
-		return nil, pluginErr(err, stdout.Bytes())
-	}
-
-	return stdout.Bytes(), nil
-}
--- a/pkg/invoke/find_test.go
+++ b/pkg/invoke/find_test.go
@@ -1,64 +0,0 @@
-package invoke_test
-
-import (
-	"fmt"
-	"io/ioutil"
-	"path/filepath"
-
-	"github.com/appc/cni/pkg/invoke"
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-)
-
-var _ = Describe("FindInPath", func() {
-	var (
-		multiplePaths  []string
-		pluginName     string
-		pluginDir      string
-		anotherTempDir string
-	)
-
-	BeforeEach(func() {
-		tempDir, err := ioutil.TempDir("", "cni-find")
-		Expect(err).NotTo(HaveOccurred())
-
-		plugin, err := ioutil.TempFile(tempDir, "a-cni-plugin")
-
-		anotherTempDir, err = ioutil.TempDir("", "nothing-here")
-
-		multiplePaths = []string{anotherTempDir, tempDir}
-		pluginDir, pluginName = filepath.Split(plugin.Name())
-	})
-
-	Context("when multiple paths are provided", func() {
-		It("returns only the path to the plugin", func() {
-			pluginPath, err := invoke.FindInPath(pluginName, multiplePaths)
-			Expect(err).NotTo(HaveOccurred())
-			Expect(pluginPath).To(Equal(filepath.Join(pluginDir, pluginName)))
-		})
-	})
-
-	Context("when an error occurs", func() {
-		Context("when no paths are provided", func() {
-			It("returns an error noting no paths were provided", func() {
-				_, err := invoke.FindInPath(pluginName, []string{})
-				Expect(err).To(MatchError("no paths provided"))
-			})
-		})
-
-		Context("when no plugin is provided", func() {
-			It("returns an error noting the plugin name wasn't found", func() {
-				_, err := invoke.FindInPath("", multiplePaths)
-				Expect(err).To(MatchError("no plugin name provided"))
-			})
-		})
-
-		Context("when the plugin cannot be found", func() {
-			It("returns an error noting the path", func() {
-				pathsWithNothing := []string{anotherTempDir}
-				_, err := invoke.FindInPath(pluginName, pathsWithNothing)
-				Expect(err).To(MatchError(fmt.Sprintf("failed to find plugin %q in path %s", pluginName, pathsWithNothing)))
-			})
-		})
-	})
-})
--- a/pkg/invoke/invoke_suite_test.go
+++ b/pkg/invoke/invoke_suite_test.go
@@ -1,13 +0,0 @@
-package invoke_test
-
-import (
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-
-	"testing"
-)
-
-func TestInvoke(t *testing.T) {
-	RegisterFailHandler(Fail)
-	RunSpecs(t, "Invoke Suite")
-}
--- a/pkg/ip/addr_linux.go
+++ b/pkg/ip/addr_linux.go
@@ -0,0 +1,68 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"fmt"
+	"syscall"
+	"time"
+
+	"github.com/vishvananda/netlink"
+)
+
+const SETTLE_INTERVAL = 50 * time.Millisecond
+
+// SettleAddresses waits for all addresses on a link to leave tentative state.
+// This is particularly useful for ipv6, where all addresses need to do DAD.
+// There is no easy way to wait for this as an event, so just loop until the
+// addresses are no longer tentative.
+// If any addresses are still tentative after timeout seconds, then error.
+func SettleAddresses(ifName string, timeout int) error {
+	link, err := netlink.LinkByName(ifName)
+	if err != nil {
+		return fmt.Errorf("failed to retrieve link: %v", err)
+	}
+
+	deadline := time.Now().Add(time.Duration(timeout) * time.Second)
+	for {
+		addrs, err := netlink.AddrList(link, netlink.FAMILY_ALL)
+		if err != nil {
+			return fmt.Errorf("could not list addresses: %v", err)
+		}
+
+		if len(addrs) == 0 {
+			return nil
+		}
+
+		ok := true
+		for _, addr := range addrs {
+			if addr.Flags&(syscall.IFA_F_TENTATIVE|syscall.IFA_F_DADFAILED) > 0 {
+				ok = false
+				break // Break out of the `range addrs`, not the `for`
+			}
+		}
+
+		if ok {
+			return nil
+		}
+		if time.Now().After(deadline) {
+			return fmt.Errorf("link %s still has tentative addresses after %d seconds",
+				ifName,
+				timeout)
+		}
+
+		time.Sleep(SETTLE_INTERVAL)
+	}
+}
--- a/pkg/ip/cidr.go
+++ b/pkg/ip/cidr.go
@@ -31,6 +31,16 @@ func PrevIP(ip net.IP) net.IP {
 	return intToIP(i.Sub(i, big.NewInt(1)))
 }

+// Cmp compares two IPs, returning the usual ordering:
+// a < b : -1
+// a == b : 0
+// a > b : 1
+func Cmp(a, b net.IP) int {
+	aa := ipToInt(a)
+	bb := ipToInt(b)
+	return aa.Cmp(bb)
+}
+
 func ipToInt(ip net.IP) *big.Int {
 	if v := ip.To4(); v != nil {
 		return big.NewInt(0).SetBytes(v)
--- a/pkg/ip/ip_suite_test.go
+++ b/pkg/ip/ip_suite_test.go
@@ -0,0 +1,27 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestIp(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "pkg/ip")
+}
--- a/pkg/ip/ipforward_linux.go
+++ b/pkg/ip/ipforward_linux.go
@@ -0,0 +1,61 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"bytes"
+	"io/ioutil"
+
+	"github.com/containernetworking/cni/pkg/types/current"
+)
+
+func EnableIP4Forward() error {
+	return echo1("/proc/sys/net/ipv4/ip_forward")
+}
+
+func EnableIP6Forward() error {
+	return echo1("/proc/sys/net/ipv6/conf/all/forwarding")
+}
+
+// EnableForward will enable forwarding for all configured
+// address families
+func EnableForward(ips []*current.IPConfig) error {
+	v4 := false
+	v6 := false
+
+	for _, ip := range ips {
+		if ip.Version == "4" && !v4 {
+			if err := EnableIP4Forward(); err != nil {
+				return err
+			}
+			v4 = true
+		} else if ip.Version == "6" && !v6 {
+			if err := EnableIP6Forward(); err != nil {
+				return err
+			}
+			v6 = true
+		}
+	}
+	return nil
+}
+
+func echo1(f string) error {
+	if content, err := ioutil.ReadFile(f); err == nil {
+		if bytes.Equal(bytes.TrimSpace(content), []byte("1")) {
+			return nil
+		}
+	}
+	return ioutil.WriteFile(f, []byte("1"), 0644)
+}
--- a/pkg/ip/ipforward_linux_test.go
+++ b/pkg/ip/ipforward_linux_test.go
@@ -0,0 +1,32 @@
+package ip
+
+import (
+	"io/ioutil"
+	"os"
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("IpforwardLinux", func() {
+	It("echo1 must not write the file if content is 1", func() {
+		file, err := ioutil.TempFile(os.TempDir(), "containernetworking")
+		Expect(err).NotTo(HaveOccurred())
+		defer os.Remove(file.Name())
+		err = echo1(file.Name())
+		Expect(err).NotTo(HaveOccurred())
+		statBefore, err := file.Stat()
+		Expect(err).NotTo(HaveOccurred())
+
+		// take a duration here, otherwise next file modification operation time
+		// will be same as previous one.
+		time.Sleep(100 * time.Millisecond)
+
+		err = echo1(file.Name())
+		Expect(err).NotTo(HaveOccurred())
+		statAfter, err := file.Stat()
+		Expect(err).NotTo(HaveOccurred())
+		Expect(statBefore.ModTime()).To(Equal(statAfter.ModTime()))
+	})
+})
--- a/pkg/ip/ipmasq.go
+++ b/pkg/ip/ipmasq.go
@@ -1,66 +0,0 @@
-// Copyright 2015 CNI authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ip
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/coreos/go-iptables/iptables"
-)
-
-// SetupIPMasq installs iptables rules to masquerade traffic
-// coming from ipn and going outside of it
-func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
-	ipt, err := iptables.New()
-	if err != nil {
-		return fmt.Errorf("failed to locate iptables: %v", err)
-	}
-
-	if err = ipt.NewChain("nat", chain); err != nil {
-		if err.(*iptables.Error).ExitStatus() != 1 {
-			// TODO(eyakubovich): assumes exit status 1 implies chain exists
-			return err
-		}
-	}
-
-	if err = ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
-		return err
-	}
-
-	if err = ipt.AppendUnique("nat", chain, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
-		return err
-	}
-
-	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
-}
-
-// TeardownIPMasq undoes the effects of SetupIPMasq
-func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
-	ipt, err := iptables.New()
-	if err != nil {
-		return fmt.Errorf("failed to locate iptables: %v", err)
-	}
-
-	if err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment); err != nil {
-		return err
-	}
-
-	if err = ipt.ClearChain("nat", chain); err != nil {
-		return err
-	}
-
-	return ipt.DeleteChain("nat", chain)
-}
--- a/pkg/ip/ipmasq_linux.go
+++ b/pkg/ip/ipmasq_linux.go
@@ -0,0 +1,126 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/coreos/go-iptables/iptables"
+)
+
+// SetupIPMasq installs iptables rules to masquerade traffic
+// coming from ip of ipn and going outside of ipn
+func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
+	isV6 := ipn.IP.To4() == nil
+
+	var ipt *iptables.IPTables
+	var err error
+	var multicastNet string
+
+	if isV6 {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+		multicastNet = "ff00::/8"
+	} else {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
+		multicastNet = "224.0.0.0/4"
+	}
+	if err != nil {
+		return fmt.Errorf("failed to locate iptables: %v", err)
+	}
+
+	// Create chain if doesn't exist
+	exists := false
+	chains, err := ipt.ListChains("nat")
+	if err != nil {
+		return fmt.Errorf("failed to list chains: %v", err)
+	}
+	for _, ch := range chains {
+		if ch == chain {
+			exists = true
+			break
+		}
+	}
+	if !exists {
+		if err = ipt.NewChain("nat", chain); err != nil {
+			return err
+		}
+	}
+
+	// Packets to this network should not be touched
+	if err := ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
+		return err
+	}
+
+	// Don't masquerade multicast - pods should be able to talk to other pods
+	// on the local network via multicast.
+	if err := ipt.AppendUnique("nat", chain, "!", "-d", multicastNet, "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
+		return err
+	}
+
+	// Packets from the specific IP of this network will hit the chain
+	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
+}
+
+// TeardownIPMasq undoes the effects of SetupIPMasq
+func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
+	isV6 := ipn.IP.To4() == nil
+
+	var ipt *iptables.IPTables
+	var err error
+
+	if isV6 {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	} else {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	}
+	if err != nil {
+		return fmt.Errorf("failed to locate iptables: %v", err)
+	}
+
+	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	// for downward compatibility
+	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	err = ipt.ClearChain("nat", chain)
+	if err != nil && !isNotExist(err) {
+		return err
+
+	}
+
+	err = ipt.DeleteChain("nat", chain)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	return nil
+}
+
+// isNotExist returnst true if the error is from iptables indicating
+// that the target does not exist.
+func isNotExist(err error) bool {
+	e, ok := err.(*iptables.Error)
+	if !ok {
+		return false
+	}
+	return e.IsNotExist()
+}
--- a/pkg/ip/link.go
+++ b/pkg/ip/link.go
@@ -1,153 +0,0 @@
-// Copyright 2015 CNI authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ip
-
-import (
-	"crypto/rand"
-	"fmt"
-	"net"
-	"os"
-
-	"github.com/appc/cni/pkg/ns"
-	"github.com/vishvananda/netlink"
-)
-
-func makeVethPair(name, peer string, mtu int) (netlink.Link, error) {
-	veth := &netlink.Veth{
-		LinkAttrs: netlink.LinkAttrs{
-			Name:  name,
-			Flags: net.FlagUp,
-			MTU:   mtu,
-		},
-		PeerName: peer,
-	}
-	if err := netlink.LinkAdd(veth); err != nil {
-		return nil, err
-	}
-
-	return veth, nil
-}
-
-func makeVeth(name string, mtu int) (peerName string, veth netlink.Link, err error) {
-	for i := 0; i < 10; i++ {
-		peerName, err = RandomVethName()
-		if err != nil {
-			return
-		}
-
-		veth, err = makeVethPair(name, peerName, mtu)
-		switch {
-		case err == nil:
-			return
-
-		case os.IsExist(err):
-			continue
-
-		default:
-			err = fmt.Errorf("failed to make veth pair: %v", err)
-			return
-		}
-	}
-
-	// should really never be hit
-	err = fmt.Errorf("failed to find a unique veth name")
-	return
-}
-
-// RandomVethName returns string "veth" with random prefix (hashed from entropy)
-func RandomVethName() (string, error) {
-	entropy := make([]byte, 4)
-	_, err := rand.Reader.Read(entropy)
-	if err != nil {
-		return "", fmt.Errorf("failed to generate random veth name: %v", err)
-	}
-
-	// NetworkManager (recent versions) will ignore veth devices that start with "veth"
-	return fmt.Sprintf("veth%x", entropy), nil
-}
-
-// SetupVeth sets up a virtual ethernet link.
-// Should be in container netns, and will switch back to hostNS to set the host
-// veth end up.
-func SetupVeth(contVethName string, mtu int, hostNS *os.File) (hostVeth, contVeth netlink.Link, err error) {
-	var hostVethName string
-	hostVethName, contVeth, err = makeVeth(contVethName, mtu)
-	if err != nil {
-		return
-	}
-
-	if err = netlink.LinkSetUp(contVeth); err != nil {
-		err = fmt.Errorf("failed to set %q up: %v", contVethName, err)
-		return
-	}
-
-	hostVeth, err = netlink.LinkByName(hostVethName)
-	if err != nil {
-		err = fmt.Errorf("failed to lookup %q: %v", hostVethName, err)
-		return
-	}
-
-	if err = netlink.LinkSetNsFd(hostVeth, int(hostNS.Fd())); err != nil {
-		err = fmt.Errorf("failed to move veth to host netns: %v", err)
-		return
-	}
-
-	err = ns.WithNetNS(hostNS, false, func(_ *os.File) error {
-		hostVeth, err := netlink.LinkByName(hostVethName)
-		if err != nil {
-			return fmt.Errorf("failed to lookup %q in %q: %v", hostVethName, hostNS.Name(), err)
-		}
-
-		if err = netlink.LinkSetUp(hostVeth); err != nil {
-			return fmt.Errorf("failed to set %q up: %v", hostVethName, err)
-		}
-		return nil
-	})
-	return
-}
-
-// DelLinkByName removes an interface link.
-func DelLinkByName(ifName string) error {
-	iface, err := netlink.LinkByName(ifName)
-	if err != nil {
-		return fmt.Errorf("failed to lookup %q: %v", ifName, err)
-	}
-
-	if err = netlink.LinkDel(iface); err != nil {
-		return fmt.Errorf("failed to delete %q: %v", ifName, err)
-	}
-
-	return nil
-}
-
-// DelLinkByNameAddr remove an interface returns its IP address
-// of the specified family
-func DelLinkByNameAddr(ifName string, family int) (*net.IPNet, error) {
-	iface, err := netlink.LinkByName(ifName)
-	if err != nil {
-		return nil, fmt.Errorf("failed to lookup %q: %v", ifName, err)
-	}
-
-	addrs, err := netlink.AddrList(iface, family)
-	if err != nil || len(addrs) == 0 {
-		return nil, fmt.Errorf("failed to get IP addresses for %q: %v", ifName, err)
-	}
-
-	if err = netlink.LinkDel(iface); err != nil {
-		return nil, fmt.Errorf("failed to delete %q: %v", ifName, err)
-	}
-
-	return addrs[0].IPNet, nil
-}
--- a/pkg/ip/link_linux.go
+++ b/pkg/ip/link_linux.go
@@ -0,0 +1,293 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/safchain/ethtool"
+	"github.com/vishvananda/netlink"
+
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/utils/hwaddr"
+	"github.com/containernetworking/plugins/pkg/utils/sysctl"
+)
+
+var (
+	ErrLinkNotFound = errors.New("link not found")
+)
+
+func makeVethPair(name, peer string, mtu int) (netlink.Link, error) {
+	veth := &netlink.Veth{
+		LinkAttrs: netlink.LinkAttrs{
+			Name:  name,
+			Flags: net.FlagUp,
+			MTU:   mtu,
+		},
+		PeerName: peer,
+	}
+	if err := netlink.LinkAdd(veth); err != nil {
+		return nil, err
+	}
+	// Re-fetch the link to get its creation-time parameters, e.g. index and mac
+	veth2, err := netlink.LinkByName(name)
+	if err != nil {
+		netlink.LinkDel(veth) // try and clean up the link if possible.
+		return nil, err
+	}
+
+	return veth2, nil
+}
+
+func peerExists(name string) bool {
+	if _, err := netlink.LinkByName(name); err != nil {
+		return false
+	}
+	return true
+}
+
+func makeVeth(name, vethPeerName string, mtu int) (peerName string, veth netlink.Link, err error) {
+	for i := 0; i < 10; i++ {
+		if vethPeerName != "" {
+			peerName = vethPeerName
+		} else {
+			peerName, err = RandomVethName()
+			if err != nil {
+				return
+			}
+		}
+
+		veth, err = makeVethPair(name, peerName, mtu)
+		switch {
+		case err == nil:
+			return
+
+		case os.IsExist(err):
+			if peerExists(peerName) && vethPeerName == "" {
+				continue
+			}
+			err = fmt.Errorf("container veth name provided (%v) already exists", name)
+			return
+
+		default:
+			err = fmt.Errorf("failed to make veth pair: %v", err)
+			return
+		}
+	}
+
+	// should really never be hit
+	err = fmt.Errorf("failed to find a unique veth name")
+	return
+}
+
+// RandomVethName returns string "veth" with random prefix (hashed from entropy)
+func RandomVethName() (string, error) {
+	entropy := make([]byte, 4)
+	_, err := rand.Reader.Read(entropy)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate random veth name: %v", err)
+	}
+
+	// NetworkManager (recent versions) will ignore veth devices that start with "veth"
+	return fmt.Sprintf("veth%x", entropy), nil
+}
+
+func RenameLink(curName, newName string) error {
+	link, err := netlink.LinkByName(curName)
+	if err == nil {
+		err = netlink.LinkSetName(link, newName)
+	}
+	return err
+}
+
+func ifaceFromNetlinkLink(l netlink.Link) net.Interface {
+	a := l.Attrs()
+	return net.Interface{
+		Index:        a.Index,
+		MTU:          a.MTU,
+		Name:         a.Name,
+		HardwareAddr: a.HardwareAddr,
+		Flags:        a.Flags,
+	}
+}
+
+// SetupVethWithName sets up a pair of virtual ethernet devices.
+// Call SetupVethWithName from inside the container netns.  It will create both veth
+// devices and move the host-side veth into the provided hostNS namespace.
+// hostVethName: If hostVethName is not specified, the host-side veth name will use a random string.
+// On success, SetupVethWithName returns (hostVeth, containerVeth, nil)
+func SetupVethWithName(contVethName, hostVethName string, mtu int, hostNS ns.NetNS) (net.Interface, net.Interface, error) {
+	hostVethName, contVeth, err := makeVeth(contVethName, hostVethName, mtu)
+	if err != nil {
+		return net.Interface{}, net.Interface{}, err
+	}
+
+	if err = netlink.LinkSetUp(contVeth); err != nil {
+		return net.Interface{}, net.Interface{}, fmt.Errorf("failed to set %q up: %v", contVethName, err)
+	}
+
+	hostVeth, err := netlink.LinkByName(hostVethName)
+	if err != nil {
+		return net.Interface{}, net.Interface{}, fmt.Errorf("failed to lookup %q: %v", hostVethName, err)
+	}
+
+	if err = netlink.LinkSetNsFd(hostVeth, int(hostNS.Fd())); err != nil {
+		return net.Interface{}, net.Interface{}, fmt.Errorf("failed to move veth to host netns: %v", err)
+	}
+
+	err = hostNS.Do(func(_ ns.NetNS) error {
+		hostVeth, err = netlink.LinkByName(hostVethName)
+		if err != nil {
+			return fmt.Errorf("failed to lookup %q in %q: %v", hostVethName, hostNS.Path(), err)
+		}
+
+		if err = netlink.LinkSetUp(hostVeth); err != nil {
+			return fmt.Errorf("failed to set %q up: %v", hostVethName, err)
+		}
+
+		// we want to own the routes for this interface
+		_, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", hostVethName), "0")
+		return nil
+	})
+	if err != nil {
+		return net.Interface{}, net.Interface{}, err
+	}
+	return ifaceFromNetlinkLink(hostVeth), ifaceFromNetlinkLink(contVeth), nil
+}
+
+// SetupVeth sets up a pair of virtual ethernet devices.
+// Call SetupVeth from inside the container netns.  It will create both veth
+// devices and move the host-side veth into the provided hostNS namespace.
+// On success, SetupVeth returns (hostVeth, containerVeth, nil)
+func SetupVeth(contVethName string, mtu int, hostNS ns.NetNS) (net.Interface, net.Interface, error) {
+	return SetupVethWithName(contVethName, "", mtu, hostNS)
+}
+
+// DelLinkByName removes an interface link.
+func DelLinkByName(ifName string) error {
+	iface, err := netlink.LinkByName(ifName)
+	if err != nil {
+		if _, ok := err.(netlink.LinkNotFoundError); ok {
+			return ErrLinkNotFound
+		}
+		return fmt.Errorf("failed to lookup %q: %v", ifName, err)
+	}
+
+	if err = netlink.LinkDel(iface); err != nil {
+		return fmt.Errorf("failed to delete %q: %v", ifName, err)
+	}
+
+	return nil
+}
+
+// DelLinkByNameAddr remove an interface and returns its addresses
+func DelLinkByNameAddr(ifName string) ([]*net.IPNet, error) {
+	iface, err := netlink.LinkByName(ifName)
+	if err != nil {
+		if _, ok := err.(netlink.LinkNotFoundError); ok {
+			return nil, ErrLinkNotFound
+		}
+		return nil, fmt.Errorf("failed to lookup %q: %v", ifName, err)
+	}
+
+	addrs, err := netlink.AddrList(iface, netlink.FAMILY_ALL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get IP addresses for %q: %v", ifName, err)
+	}
+
+	if err = netlink.LinkDel(iface); err != nil {
+		return nil, fmt.Errorf("failed to delete %q: %v", ifName, err)
+	}
+
+	out := []*net.IPNet{}
+	for _, addr := range addrs {
+		if addr.IP.IsGlobalUnicast() {
+			out = append(out, addr.IPNet)
+		}
+	}
+
+	return out, nil
+}
+
+func SetHWAddrByIP(ifName string, ip4 net.IP, ip6 net.IP) error {
+	iface, err := netlink.LinkByName(ifName)
+	if err != nil {
+		return fmt.Errorf("failed to lookup %q: %v", ifName, err)
+	}
+
+	switch {
+	case ip4 == nil && ip6 == nil:
+		return fmt.Errorf("neither ip4 or ip6 specified")
+
+	case ip4 != nil:
+		{
+			hwAddr, err := hwaddr.GenerateHardwareAddr4(ip4, hwaddr.PrivateMACPrefix)
+			if err != nil {
+				return fmt.Errorf("failed to generate hardware addr: %v", err)
+			}
+			if err = netlink.LinkSetHardwareAddr(iface, hwAddr); err != nil {
+				return fmt.Errorf("failed to add hardware addr to %q: %v", ifName, err)
+			}
+		}
+	case ip6 != nil:
+		// TODO: IPv6
+	}
+
+	return nil
+}
+
+// GetVethPeerIfindex returns the veth link object, the peer ifindex of the
+// veth, or an error. This peer ifindex will only be valid in the peer's
+// network namespace.
+func GetVethPeerIfindex(ifName string) (netlink.Link, int, error) {
+	link, err := netlink.LinkByName(ifName)
+	if err != nil {
+		return nil, -1, fmt.Errorf("could not look up %q: %v", ifName, err)
+	}
+	if _, ok := link.(*netlink.Veth); !ok {
+		return nil, -1, fmt.Errorf("interface %q was not a veth interface", ifName)
+	}
+
+	// veth supports IFLA_LINK (what vishvananda/netlink calls ParentIndex)
+	// on 4.1 and higher kernels
+	peerIndex := link.Attrs().ParentIndex
+	if peerIndex <= 0 {
+		// Fall back to ethtool for 4.0 and earlier kernels
+		e, err := ethtool.NewEthtool()
+		if err != nil {
+			return nil, -1, fmt.Errorf("failed to initialize ethtool: %v", err)
+		}
+		defer e.Close()
+
+		stats, err := e.Stats(link.Attrs().Name)
+		if err != nil {
+			return nil, -1, fmt.Errorf("failed to request ethtool stats: %v", err)
+		}
+		n, ok := stats["peer_ifindex"]
+		if !ok {
+			return nil, -1, fmt.Errorf("failed to find 'peer_ifindex' in ethtool stats")
+		}
+		if n > 32767 || n == 0 {
+			return nil, -1, fmt.Errorf("invalid 'peer_ifindex' %d", n)
+		}
+		peerIndex = int(n)
+	}
+
+	return link, peerIndex, nil
+}
--- a/pkg/ip/link_linux_test.go
+++ b/pkg/ip/link_linux_test.go
@@ -0,0 +1,310 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip_test
+
+import (
+	"bytes"
+	"crypto/rand"
+	"fmt"
+	"net"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"github.com/containernetworking/plugins/pkg/ip"
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/testutils"
+
+	"github.com/vishvananda/netlink"
+)
+
+func getHwAddr(linkname string) string {
+	veth, err := netlink.LinkByName(linkname)
+	Expect(err).NotTo(HaveOccurred())
+	return fmt.Sprintf("%s", veth.Attrs().HardwareAddr)
+}
+
+var _ = Describe("Link", func() {
+	const (
+		ifaceFormatString string = "i%d"
+		mtu               int    = 1400
+		ip4onehwaddr             = "0a:58:01:01:01:01"
+	)
+	var (
+		hostNetNS         ns.NetNS
+		containerNetNS    ns.NetNS
+		ifaceCounter      int = 0
+		hostVeth          net.Interface
+		containerVeth     net.Interface
+		hostVethName      string
+		containerVethName string
+
+		ip4one             = net.ParseIP("1.1.1.1")
+		ip4two             = net.ParseIP("1.1.1.2")
+		originalRandReader = rand.Reader
+	)
+
+	BeforeEach(func() {
+		var err error
+
+		hostNetNS, err = testutils.NewNS()
+		Expect(err).NotTo(HaveOccurred())
+
+		containerNetNS, err = testutils.NewNS()
+		Expect(err).NotTo(HaveOccurred())
+
+		fakeBytes := make([]byte, 20)
+		//to be reset in AfterEach block
+		rand.Reader = bytes.NewReader(fakeBytes)
+
+		_ = containerNetNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			hostVeth, containerVeth, err = ip.SetupVeth(fmt.Sprintf(ifaceFormatString, ifaceCounter), mtu, hostNetNS)
+			if err != nil {
+				return err
+			}
+			Expect(err).NotTo(HaveOccurred())
+
+			hostVethName = hostVeth.Name
+			containerVethName = containerVeth.Name
+
+			return nil
+		})
+	})
+
+	AfterEach(func() {
+		Expect(containerNetNS.Close()).To(Succeed())
+		Expect(hostNetNS.Close()).To(Succeed())
+		ifaceCounter++
+		rand.Reader = originalRandReader
+	})
+
+	Describe("GetVethPeerIfindex", func() {
+		It("returns the link and peer index of the named interface", func() {
+			By("looking up the container veth index using the host veth name")
+			_ = hostNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				gotHostLink, gotContainerIndex, err := ip.GetVethPeerIfindex(hostVethName)
+				Expect(err).NotTo(HaveOccurred())
+
+				By("checking we got back the host link")
+				attrs := gotHostLink.Attrs()
+				Expect(attrs.Index).To(Equal(hostVeth.Index))
+				Expect(attrs.Name).To(Equal(hostVeth.Name))
+
+				By("checking we got back the container veth index")
+				Expect(gotContainerIndex).To(Equal(containerVeth.Index))
+
+				return nil
+			})
+
+			By("looking up the host veth index using the container veth name")
+			_ = containerNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				gotContainerLink, gotHostIndex, err := ip.GetVethPeerIfindex(containerVethName)
+				Expect(err).NotTo(HaveOccurred())
+
+				By("checking we got back the container link")
+				attrs := gotContainerLink.Attrs()
+				Expect(attrs.Index).To(Equal(containerVeth.Index))
+				Expect(attrs.Name).To(Equal(containerVeth.Name))
+
+				By("checking we got back the host veth index")
+				Expect(gotHostIndex).To(Equal(hostVeth.Index))
+
+				return nil
+			})
+		})
+	})
+
+	It("SetupVeth must put the veth endpoints into the separate namespaces", func() {
+		_ = containerNetNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			containerVethFromName, err := netlink.LinkByName(containerVethName)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(containerVethFromName.Attrs().Index).To(Equal(containerVeth.Index))
+
+			return nil
+		})
+
+		_ = hostNetNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			hostVethFromName, err := netlink.LinkByName(hostVethName)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(hostVethFromName.Attrs().Index).To(Equal(hostVeth.Index))
+
+			return nil
+		})
+	})
+
+	Context("when container already has an interface with the same name", func() {
+		It("returns useful error", func() {
+			_ = containerNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				_, _, err := ip.SetupVeth(containerVethName, mtu, hostNetNS)
+				Expect(err.Error()).To(Equal(fmt.Sprintf("container veth name provided (%s) already exists", containerVethName)))
+
+				return nil
+			})
+		})
+	})
+
+	Context("deleting an non-existent device", func() {
+		It("returns known error", func() {
+			_ = containerNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				// This string should match the expected error codes in the cmdDel functions of some of the plugins
+				_, err := ip.DelLinkByNameAddr("THIS_DONT_EXIST")
+				Expect(err).To(Equal(ip.ErrLinkNotFound))
+
+				return nil
+			})
+		})
+	})
+
+	Context("when there is no name available for the host-side", func() {
+		BeforeEach(func() {
+			//adding different interface to container ns
+			containerVethName += "0"
+		})
+		It("returns useful error", func() {
+			_ = containerNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+				_, _, err := ip.SetupVeth(containerVethName, mtu, hostNetNS)
+				Expect(err.Error()).To(HavePrefix("failed to move veth to host netns: "))
+
+				return nil
+			})
+		})
+	})
+
+	Context("when there is no name conflict for the host or container interfaces", func() {
+		BeforeEach(func() {
+			//adding different interface to container and host ns
+			containerVethName += "0"
+			rand.Reader = originalRandReader
+		})
+		It("successfully creates the second veth pair", func() {
+			_ = containerNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				hostVeth, _, err := ip.SetupVeth(containerVethName, mtu, hostNetNS)
+				Expect(err).NotTo(HaveOccurred())
+				hostVethName = hostVeth.Name
+				return nil
+			})
+
+			//verify veths are in different namespaces
+			_ = containerNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				_, err := netlink.LinkByName(containerVethName)
+				Expect(err).NotTo(HaveOccurred())
+
+				return nil
+			})
+
+			_ = hostNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				_, err := netlink.LinkByName(hostVethName)
+				Expect(err).NotTo(HaveOccurred())
+
+				return nil
+			})
+		})
+
+	})
+
+	It("DelLinkByName must delete the veth endpoints", func() {
+		_ = containerNetNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			// this will delete the host endpoint too
+			err := ip.DelLinkByName(containerVethName)
+			Expect(err).NotTo(HaveOccurred())
+
+			_, err = netlink.LinkByName(containerVethName)
+			Expect(err).To(HaveOccurred())
+
+			return nil
+		})
+
+		_ = hostNetNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			_, err := netlink.LinkByName(hostVethName)
+			Expect(err).To(HaveOccurred())
+
+			return nil
+		})
+	})
+
+	It("DelLinkByNameAddr should return no IPs when no IPs are configured", func() {
+		_ = containerNetNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			// this will delete the host endpoint too
+			addr, err := ip.DelLinkByNameAddr(containerVethName)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(addr).To(HaveLen(0))
+			return nil
+		})
+	})
+
+	It("SetHWAddrByIP must change the interface hwaddr and be predictable", func() {
+
+		_ = containerNetNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			var err error
+			hwaddrBefore := getHwAddr(containerVethName)
+
+			err = ip.SetHWAddrByIP(containerVethName, ip4one, nil)
+			Expect(err).NotTo(HaveOccurred())
+			hwaddrAfter1 := getHwAddr(containerVethName)
+
+			Expect(hwaddrBefore).NotTo(Equal(hwaddrAfter1))
+			Expect(hwaddrAfter1).To(Equal(ip4onehwaddr))
+
+			return nil
+		})
+	})
+
+	It("SetHWAddrByIP must be injective", func() {
+
+		_ = containerNetNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			err := ip.SetHWAddrByIP(containerVethName, ip4one, nil)
+			Expect(err).NotTo(HaveOccurred())
+			hwaddrAfter1 := getHwAddr(containerVethName)
+
+			err = ip.SetHWAddrByIP(containerVethName, ip4two, nil)
+			Expect(err).NotTo(HaveOccurred())
+			hwaddrAfter2 := getHwAddr(containerVethName)
+
+			Expect(hwaddrAfter1).NotTo(Equal(hwaddrAfter2))
+			return nil
+		})
+	})
+})
--- a/pkg/ip/route_linux.go
+++ b/pkg/ip/route_linux.go
@@ -1,4 +1,4 @@
-// Copyright 2015 CNI authors
+// Copyright 2015-2017 CNI authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -20,12 +20,6 @@ import (
 	"github.com/vishvananda/netlink"
 )

-// AddDefaultRoute sets the default route on the given gateway.
-func AddDefaultRoute(gw net.IP, dev netlink.Link) error {
-	_, defNet, _ := net.ParseCIDR("0.0.0.0/0")
-	return AddRoute(defNet, gw, dev)
-}
-
 // AddRoute adds a universally-scoped route to a device.
 func AddRoute(ipn *net.IPNet, gw net.IP, dev netlink.Link) error {
 	return netlink.RouteAdd(&netlink.Route{
@@ -45,3 +39,9 @@ func AddHostRoute(ipn *net.IPNet, gw net.IP, dev netlink.Link) error {
 		Gw:        gw,
 	})
 }
+
+// AddDefaultRoute sets the default route on the given gateway.
+func AddDefaultRoute(gw net.IP, dev netlink.Link) error {
+	_, defNet, _ := net.ParseCIDR("0.0.0.0/0")
+	return AddRoute(defNet, gw, dev)
+}
--- a/pkg/ip/utils_linux.go
+++ b/pkg/ip/utils_linux.go
@@ -0,0 +1,120 @@
+// +build linux
+
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/cni/pkg/types/current"
+	"github.com/vishvananda/netlink"
+)
+
+func ValidateExpectedInterfaceIPs(ifName string, resultIPs []*current.IPConfig) error {
+
+	// Ensure ips
+	for _, ips := range resultIPs {
+		ourAddr := netlink.Addr{IPNet: &ips.Address}
+		match := false
+
+		link, err := netlink.LinkByName(ifName)
+		if err != nil {
+			return fmt.Errorf("Cannot find container link %v", ifName)
+		}
+
+		addrList, err := netlink.AddrList(link, netlink.FAMILY_ALL)
+		if err != nil {
+			return fmt.Errorf("Cannot obtain List of IP Addresses")
+		}
+
+		for _, addr := range addrList {
+			if addr.Equal(ourAddr) {
+				match = true
+				break
+			}
+		}
+		if match == false {
+			return fmt.Errorf("Failed to match addr %v on interface %v", ourAddr, ifName)
+		}
+
+		// Convert the host/prefixlen to just prefix for route lookup.
+		_, ourPrefix, err := net.ParseCIDR(ourAddr.String())
+
+		findGwy := &netlink.Route{Dst: ourPrefix}
+		routeFilter := netlink.RT_FILTER_DST
+		var family int
+
+		switch {
+		case ips.Version == "4":
+			family = netlink.FAMILY_V4
+		case ips.Version == "6":
+			family = netlink.FAMILY_V6
+		default:
+			return fmt.Errorf("Invalid IP Version %v for interface %v", ips.Version, ifName)
+		}
+
+		gwy, err := netlink.RouteListFiltered(family, findGwy, routeFilter)
+		if err != nil {
+			return fmt.Errorf("Error %v trying to find Gateway %v for interface %v", err, ips.Gateway, ifName)
+		}
+		if gwy == nil {
+			return fmt.Errorf("Failed to find Gateway %v for interface %v", ips.Gateway, ifName)
+		}
+	}
+
+	return nil
+}
+
+func ValidateExpectedRoute(resultRoutes []*types.Route) error {
+
+	// Ensure that each static route in prevResults is found in the routing table
+	for _, route := range resultRoutes {
+		find := &netlink.Route{Dst: &route.Dst, Gw: route.GW}
+		routeFilter := netlink.RT_FILTER_DST | netlink.RT_FILTER_GW
+		var family int
+
+		switch {
+		case route.Dst.IP.To4() != nil:
+			family = netlink.FAMILY_V4
+			// Default route needs Dst set to nil
+			if route.Dst.String() == "0.0.0.0/0" {
+				find = &netlink.Route{Dst: nil, Gw: route.GW}
+				routeFilter = netlink.RT_FILTER_DST
+			}
+		case len(route.Dst.IP) == net.IPv6len:
+			family = netlink.FAMILY_V6
+			// Default route needs Dst set to nil
+			if route.Dst.String() == "::/0" {
+				find = &netlink.Route{Dst: nil, Gw: route.GW}
+				routeFilter = netlink.RT_FILTER_DST
+			}
+		default:
+			return fmt.Errorf("Invalid static route found %v", route)
+		}
+
+		wasFound, err := netlink.RouteListFiltered(family, find, routeFilter)
+		if err != nil {
+			return fmt.Errorf("Expected Route %v not route table lookup error %v", route, err)
+		}
+		if wasFound == nil {
+			return fmt.Errorf("Expected Route %v not found in routing table", route)
+		}
+	}
+
+	return nil
+}
--- a/pkg/ipam/ipam.go
+++ b/pkg/ipam/ipam.go
@@ -15,54 +15,19 @@
 package ipam

 import (
-	"fmt"
-	"os"
-
-	"github.com/appc/cni/pkg/invoke"
-	"github.com/appc/cni/pkg/ip"
-	"github.com/appc/cni/pkg/types"
-
-	"github.com/vishvananda/netlink"
+	"context"
+	"github.com/containernetworking/cni/pkg/invoke"
+	"github.com/containernetworking/cni/pkg/types"
 )

-func ExecAdd(plugin string, netconf []byte) (*types.Result, error) {
-	return invoke.DelegateAdd(plugin, netconf)
+func ExecAdd(plugin string, netconf []byte) (types.Result, error) {
+	return invoke.DelegateAdd(context.TODO(), plugin, netconf, nil)
+}
+
+func ExecCheck(plugin string, netconf []byte) error {
+	return invoke.DelegateCheck(context.TODO(), plugin, netconf, nil)
 }

 func ExecDel(plugin string, netconf []byte) error {
-	return invoke.DelegateDel(plugin, netconf)
-}
-
-// ConfigureIface takes the result of IPAM plugin and
-// applies to the ifName interface
-func ConfigureIface(ifName string, res *types.Result) error {
-	link, err := netlink.LinkByName(ifName)
-	if err != nil {
-		return fmt.Errorf("failed to lookup %q: %v", ifName, err)
-	}
-
-	if err := netlink.LinkSetUp(link); err != nil {
-		return fmt.Errorf("failed to set %q UP: %v", ifName, err)
-	}
-
-	// TODO(eyakubovich): IPv6
-	addr := &netlink.Addr{IPNet: &res.IP4.IP, Label: ""}
-	if err = netlink.AddrAdd(link, addr); err != nil {
-		return fmt.Errorf("failed to add IP addr to %q: %v", ifName, err)
-	}
-
-	for _, r := range res.IP4.Routes {
-		gw := r.GW
-		if gw == nil {
-			gw = res.IP4.Gateway
-		}
-		if err = ip.AddRoute(&r.Dst, gw, link); err != nil {
-			// we skip over duplicate routes as we assume the first one wins
-			if !os.IsExist(err) {
-				return fmt.Errorf("failed to add route '%v via %v dev %v': %v", r.Dst, gw, ifName, err)
-			}
-		}
-	}
-
-	return nil
+	return invoke.DelegateDel(context.TODO(), plugin, netconf, nil)
 }
--- a/pkg/ipam/ipam_linux.go
+++ b/pkg/ipam/ipam_linux.go
@@ -0,0 +1,121 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ipam
+
+import (
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/containernetworking/cni/pkg/types/current"
+	"github.com/containernetworking/plugins/pkg/ip"
+	"github.com/containernetworking/plugins/pkg/utils/sysctl"
+
+	"github.com/vishvananda/netlink"
+)
+
+const (
+	DisableIPv6SysctlTemplate = "net.ipv6.conf.%s.disable_ipv6"
+)
+
+// ConfigureIface takes the result of IPAM plugin and
+// applies to the ifName interface
+func ConfigureIface(ifName string, res *current.Result) error {
+	if len(res.Interfaces) == 0 {
+		return fmt.Errorf("no interfaces to configure")
+	}
+
+	link, err := netlink.LinkByName(ifName)
+	if err != nil {
+		return fmt.Errorf("failed to lookup %q: %v", ifName, err)
+	}
+
+	if err := netlink.LinkSetUp(link); err != nil {
+		return fmt.Errorf("failed to set %q UP: %v", ifName, err)
+	}
+
+	var v4gw, v6gw net.IP
+	var has_enabled_ipv6 bool = false
+	for _, ipc := range res.IPs {
+		if ipc.Interface == nil {
+			continue
+		}
+		intIdx := *ipc.Interface
+		if intIdx < 0 || intIdx >= len(res.Interfaces) || res.Interfaces[intIdx].Name != ifName {
+			// IP address is for a different interface
+			return fmt.Errorf("failed to add IP addr %v to %q: invalid interface index", ipc, ifName)
+		}
+
+		// Make sure sysctl "disable_ipv6" is 0 if we are about to add
+		// an IPv6 address to the interface
+		if !has_enabled_ipv6 && ipc.Version == "6" {
+			// Enabled IPv6 for loopback "lo" and the interface
+			// being configured
+			for _, iface := range [2]string{"lo", ifName} {
+				ipv6SysctlValueName := fmt.Sprintf(DisableIPv6SysctlTemplate, iface)
+
+				// Read current sysctl value
+				value, err := sysctl.Sysctl(ipv6SysctlValueName)
+				if err != nil || value == "0" {
+					// FIXME: log warning if unable to read sysctl value
+					continue
+				}
+
+				// Write sysctl to enable IPv6
+				_, err = sysctl.Sysctl(ipv6SysctlValueName, "0")
+				if err != nil {
+					return fmt.Errorf("failed to enable IPv6 for interface %q (%s=%s): %v", iface, ipv6SysctlValueName, value, err)
+				}
+			}
+			has_enabled_ipv6 = true
+		}
+
+		addr := &netlink.Addr{IPNet: &ipc.Address, Label: ""}
+		if err = netlink.AddrAdd(link, addr); err != nil {
+			return fmt.Errorf("failed to add IP addr %v to %q: %v", ipc, ifName, err)
+		}
+
+		gwIsV4 := ipc.Gateway.To4() != nil
+		if gwIsV4 && v4gw == nil {
+			v4gw = ipc.Gateway
+		} else if !gwIsV4 && v6gw == nil {
+			v6gw = ipc.Gateway
+		}
+	}
+
+	if v6gw != nil {
+		ip.SettleAddresses(ifName, 10)
+	}
+
+	for _, r := range res.Routes {
+		routeIsV4 := r.Dst.IP.To4() != nil
+		gw := r.GW
+		if gw == nil {
+			if routeIsV4 && v4gw != nil {
+				gw = v4gw
+			} else if !routeIsV4 && v6gw != nil {
+				gw = v6gw
+			}
+		}
+		if err = ip.AddRoute(&r.Dst, gw, link); err != nil {
+			// we skip over duplicate routes as we assume the first one wins
+			if !os.IsExist(err) {
+				return fmt.Errorf("failed to add route '%v via %v dev %v': %v", r.Dst, gw, ifName, err)
+			}
+		}
+	}
+
+	return nil
+}
--- a/pkg/ipam/ipam_linux_test.go
+++ b/pkg/ipam/ipam_linux_test.go
@@ -0,0 +1,300 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ipam
+
+import (
+	"net"
+	"syscall"
+
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/cni/pkg/types/current"
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/testutils"
+
+	"github.com/vishvananda/netlink"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+const LINK_NAME = "eth0"
+
+func ipNetEqual(a, b *net.IPNet) bool {
+	aPrefix, aBits := a.Mask.Size()
+	bPrefix, bBits := b.Mask.Size()
+	if aPrefix != bPrefix || aBits != bBits {
+		return false
+	}
+	return a.IP.Equal(b.IP)
+}
+
+var _ = Describe("ConfigureIface", func() {
+	var originalNS ns.NetNS
+	var ipv4, ipv6, routev4, routev6 *net.IPNet
+	var ipgw4, ipgw6, routegwv4, routegwv6 net.IP
+	var result *current.Result
+
+	BeforeEach(func() {
+		// Create a new NetNS so we don't modify the host
+		var err error
+		originalNS, err = testutils.NewNS()
+		Expect(err).NotTo(HaveOccurred())
+
+		err = originalNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			// Add master
+			err = netlink.LinkAdd(&netlink.Dummy{
+				LinkAttrs: netlink.LinkAttrs{
+					Name: LINK_NAME,
+				},
+			})
+			Expect(err).NotTo(HaveOccurred())
+			_, err = netlink.LinkByName(LINK_NAME)
+			Expect(err).NotTo(HaveOccurred())
+			return nil
+		})
+		Expect(err).NotTo(HaveOccurred())
+
+		ipv4, err = types.ParseCIDR("1.2.3.30/24")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ipv4).NotTo(BeNil())
+
+		_, routev4, err = net.ParseCIDR("15.5.6.8/24")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(routev4).NotTo(BeNil())
+		routegwv4 = net.ParseIP("1.2.3.5")
+		Expect(routegwv4).NotTo(BeNil())
+
+		ipgw4 = net.ParseIP("1.2.3.1")
+		Expect(ipgw4).NotTo(BeNil())
+
+		ipv6, err = types.ParseCIDR("abcd:1234:ffff::cdde/64")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ipv6).NotTo(BeNil())
+
+		_, routev6, err = net.ParseCIDR("1111:dddd::aaaa/80")
+		Expect(err).NotTo(HaveOccurred())
+		Expect(routev6).NotTo(BeNil())
+		routegwv6 = net.ParseIP("abcd:1234:ffff::10")
+		Expect(routegwv6).NotTo(BeNil())
+
+		ipgw6 = net.ParseIP("abcd:1234:ffff::1")
+		Expect(ipgw6).NotTo(BeNil())
+
+		result = &current.Result{
+			Interfaces: []*current.Interface{
+				{
+					Name:    "eth0",
+					Mac:     "00:11:22:33:44:55",
+					Sandbox: "/proc/3553/ns/net",
+				},
+				{
+					Name:    "fake0",
+					Mac:     "00:33:44:55:66:77",
+					Sandbox: "/proc/1234/ns/net",
+				},
+			},
+			IPs: []*current.IPConfig{
+				{
+					Version:   "4",
+					Interface: current.Int(0),
+					Address:   *ipv4,
+					Gateway:   ipgw4,
+				},
+				{
+					Version:   "6",
+					Interface: current.Int(0),
+					Address:   *ipv6,
+					Gateway:   ipgw6,
+				},
+			},
+			Routes: []*types.Route{
+				{Dst: *routev4, GW: routegwv4},
+				{Dst: *routev6, GW: routegwv6},
+			},
+		}
+	})
+
+	AfterEach(func() {
+		Expect(originalNS.Close()).To(Succeed())
+	})
+
+	It("configures a link with addresses and routes", func() {
+		err := originalNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			err := ConfigureIface(LINK_NAME, result)
+			Expect(err).NotTo(HaveOccurred())
+
+			link, err := netlink.LinkByName(LINK_NAME)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(link.Attrs().Name).To(Equal(LINK_NAME))
+
+			v4addrs, err := netlink.AddrList(link, syscall.AF_INET)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(len(v4addrs)).To(Equal(1))
+			Expect(ipNetEqual(v4addrs[0].IPNet, ipv4)).To(Equal(true))
+
+			v6addrs, err := netlink.AddrList(link, syscall.AF_INET6)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(len(v6addrs)).To(Equal(2))
+
+			var found bool
+			for _, a := range v6addrs {
+				if ipNetEqual(a.IPNet, ipv6) {
+					found = true
+					break
+				}
+			}
+			Expect(found).To(Equal(true))
+
+			// Ensure the v4 route, v6 route, and subnet route
+			routes, err := netlink.RouteList(link, 0)
+			Expect(err).NotTo(HaveOccurred())
+
+			var v4found, v6found bool
+			for _, route := range routes {
+				isv4 := route.Dst.IP.To4() != nil
+				if isv4 && ipNetEqual(route.Dst, routev4) && route.Gw.Equal(routegwv4) {
+					v4found = true
+				}
+				if !isv4 && ipNetEqual(route.Dst, routev6) && route.Gw.Equal(routegwv6) {
+					v6found = true
+				}
+
+				if v4found && v6found {
+					break
+				}
+			}
+			Expect(v4found).To(Equal(true))
+			Expect(v6found).To(Equal(true))
+
+			return nil
+		})
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("configures a link with routes using address gateways", func() {
+		result.Routes[0].GW = nil
+		result.Routes[1].GW = nil
+		err := originalNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			err := ConfigureIface(LINK_NAME, result)
+			Expect(err).NotTo(HaveOccurred())
+
+			link, err := netlink.LinkByName(LINK_NAME)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(link.Attrs().Name).To(Equal(LINK_NAME))
+
+			// Ensure the v4 route, v6 route, and subnet route
+			routes, err := netlink.RouteList(link, 0)
+			Expect(err).NotTo(HaveOccurred())
+
+			var v4found, v6found bool
+			for _, route := range routes {
+				isv4 := route.Dst.IP.To4() != nil
+				if isv4 && ipNetEqual(route.Dst, routev4) && route.Gw.Equal(ipgw4) {
+					v4found = true
+				}
+				if !isv4 && ipNetEqual(route.Dst, routev6) && route.Gw.Equal(ipgw6) {
+					v6found = true
+				}
+
+				if v4found && v6found {
+					break
+				}
+			}
+			Expect(v4found).To(Equal(true))
+			Expect(v6found).To(Equal(true))
+
+			return nil
+		})
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("returns an error when the interface index doesn't match the link name", func() {
+		result.IPs[0].Interface = current.Int(1)
+		err := originalNS.Do(func(ns.NetNS) error {
+			return ConfigureIface(LINK_NAME, result)
+		})
+		Expect(err).To(HaveOccurred())
+	})
+
+	It("returns an error when the interface index is too big", func() {
+		result.IPs[0].Interface = current.Int(2)
+		err := originalNS.Do(func(ns.NetNS) error {
+			return ConfigureIface(LINK_NAME, result)
+		})
+		Expect(err).To(HaveOccurred())
+	})
+
+	It("returns an error when the interface index is too small", func() {
+		result.IPs[0].Interface = current.Int(-1)
+		err := originalNS.Do(func(ns.NetNS) error {
+			return ConfigureIface(LINK_NAME, result)
+		})
+		Expect(err).To(HaveOccurred())
+	})
+
+	It("returns an error when there are no interfaces to configure", func() {
+		result.Interfaces = []*current.Interface{}
+		err := originalNS.Do(func(ns.NetNS) error {
+			return ConfigureIface(LINK_NAME, result)
+		})
+		Expect(err).To(HaveOccurred())
+	})
+
+	It("returns an error when configuring the wrong interface", func() {
+		err := originalNS.Do(func(ns.NetNS) error {
+			return ConfigureIface("asdfasdf", result)
+		})
+		Expect(err).To(HaveOccurred())
+	})
+
+	It("does not panic when interface is not specified", func() {
+		result = &current.Result{
+			Interfaces: []*current.Interface{
+				{
+					Name:    "eth0",
+					Mac:     "00:11:22:33:44:55",
+					Sandbox: "/proc/3553/ns/net",
+				},
+				{
+					Name:    "fake0",
+					Mac:     "00:33:44:55:66:77",
+					Sandbox: "/proc/1234/ns/net",
+				},
+			},
+			IPs: []*current.IPConfig{
+				{
+					Version: "4",
+					Address: *ipv4,
+					Gateway: ipgw4,
+				},
+				{
+					Version: "6",
+					Address: *ipv6,
+					Gateway: ipgw6,
+				},
+			},
+		}
+		err := originalNS.Do(func(ns.NetNS) error {
+			return ConfigureIface(LINK_NAME, result)
+		})
+		Expect(err).NotTo(HaveOccurred())
+	})
+})
--- a/pkg/ipam/ipam_suite_test.go
+++ b/pkg/ipam/ipam_suite_test.go
@@ -0,0 +1,27 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ipam_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestIpam(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "pkg/ipam")
+}
--- a/pkg/ns/README.md
+++ b/pkg/ns/README.md
@@ -0,0 +1,41 @@
+### Namespaces, Threads, and Go
+On Linux each OS thread can have a different network namespace.  Go's thread scheduling model switches goroutines between OS threads based on OS thread load and whether the goroutine would block other goroutines.  This can result in a goroutine switching network namespaces without notice and lead to errors in your code.
+
+### Namespace Switching
+Switching namespaces with the `ns.Set()` method is not recommended without additional strategies to prevent unexpected namespace changes when your goroutines switch OS threads.
+
+Go provides the `runtime.LockOSThread()` function to ensure a specific goroutine executes on its current OS thread and prevents any other goroutine from running in that thread until the locked one exits.  Careful usage of `LockOSThread()` and goroutines can provide good control over which network namespace a given goroutine executes in.
+
+For example, you cannot rely on the `ns.Set()` namespace being the current namespace after the `Set()` call unless you do two things.  First, the goroutine calling `Set()` must have previously called `LockOSThread()`.  Second, you must ensure `runtime.UnlockOSThread()` is not called somewhere in-between.  You also cannot rely on the initial network namespace remaining the current network namespace if any other code in your program switches namespaces, unless you have already called `LockOSThread()` in that goroutine.  Note that `LockOSThread()` prevents the Go scheduler from optimally scheduling goroutines for best performance, so `LockOSThread()` should only be used in small, isolated goroutines that release the lock quickly.
+
+### Do() The Recommended Thing
+The `ns.Do()` method provides **partial** control over network namespaces for you by implementing these strategies. All code dependent on a particular network namespace (including the root namespace) should be wrapped in the `ns.Do()` method to ensure the correct namespace is selected for the duration of your code.  For example:
+
+```go
+err = targetNs.Do(func(hostNs ns.NetNS) error {
+	dummy := &netlink.Dummy{
+		LinkAttrs: netlink.LinkAttrs{
+			Name: "dummy0",
+		},
+	}
+	return netlink.LinkAdd(dummy)
+})
+```
+
+Note this requirement to wrap every network call is very onerous - any libraries you call might call out to network services such as DNS, and all such calls need to be protected after you call `ns.Do()`. All goroutines spawned from within the `ns.Do` will not inherit the new namespace. The CNI plugins all exit very soon after calling `ns.Do()` which helps to minimize the problem.
+
+When a new thread is spawned in Linux, it inherits the namespace of its parent. In versions of go **prior to 1.10**, if the runtime spawns a new OS thread, it picks the parent randomly. If the chosen parent thread has been moved to a new namespace (even temporarily), the new OS thread will be permanently "stuck in the wrong namespace", and goroutines will non-deterministically switch namespaces as they are rescheduled.
+
+In short, **there was no safe way to change network namespaces, even temporarily, from within a long-lived, multithreaded Go process**. If you wish to do this, you must use go 1.10 or greater. 
+
+
+### Creating network namespaces
+Earlier versions of this library managed namespace creation, but as CNI does not actually utilize this feature (and it was essentially unmaintained), it was removed. If you're writing a container runtime, you should implement namespace management yourself. However, there are some gotchas when doing so, especially around handling `/var/run/netns`. A reasonably correct reference implementation, borrowed from `rkt`, can be found in `pkg/testutils/netns_linux.go` if you're in need of a source of inspiration.
+
+
+### Further Reading
+ - https://github.com/golang/go/wiki/LockOSThread
+ - http://morsmachine.dk/go-scheduler
+ - https://github.com/containernetworking/cni/issues/262
+ - https://golang.org/pkg/runtime/
+ - https://www.weave.works/blog/linux-namespaces-and-go-don-t-mix
--- a/pkg/ns/ns.go
+++ b/pkg/ns/ns.go
@@ -1,93 +0,0 @@
-// Copyright 2015 CNI authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package ns
-
-import (
-	"fmt"
-	"os"
-	"runtime"
-	"syscall"
-)
-
-var setNsMap = map[string]uintptr{
-	"386":   346,
-	"amd64": 308,
-	"arm":   374,
-}
-
-// SetNS sets the network namespace on a target file.
-func SetNS(f *os.File, flags uintptr) error {
-	if runtime.GOOS != "linux" {
-		return fmt.Errorf("unsupported OS: %s", runtime.GOOS)
-	}
-
-	trap, ok := setNsMap[runtime.GOARCH]
-	if !ok {
-		return fmt.Errorf("unsupported arch: %s", runtime.GOARCH)
-	}
-
-	_, _, err := syscall.RawSyscall(trap, f.Fd(), flags, 0)
-	if err != 0 {
-		return err
-	}
-
-	return nil
-}
-
-// WithNetNSPath executes the passed closure under the given network
-// namespace, restoring the original namespace afterwards.
-// Changing namespaces must be done on a goroutine that has been
-// locked to an OS thread. If lockThread arg is true, this function
-// locks the goroutine prior to change namespace and unlocks before
-// returning
-func WithNetNSPath(nspath string, lockThread bool, f func(*os.File) error) error {
-	ns, err := os.Open(nspath)
-	if err != nil {
-		return fmt.Errorf("Failed to open %v: %v", nspath, err)
-	}
-	defer ns.Close()
-	return WithNetNS(ns, lockThread, f)
-}
-
-// WithNetNS executes the passed closure under the given network
-// namespace, restoring the original namespace afterwards.
-// Changing namespaces must be done on a goroutine that has been
-// locked to an OS thread. If lockThread arg is true, this function
-// locks the goroutine prior to change namespace and unlocks before
-// returning.  If the closure returns an error, WithNetNS attempts to
-// restore the original namespace before returning.
-func WithNetNS(ns *os.File, lockThread bool, f func(*os.File) error) error {
-	if lockThread {
-		runtime.LockOSThread()
-		defer runtime.UnlockOSThread()
-	}
-	// save a handle to current (host) network namespace
-	thisNS, err := os.Open("/proc/self/ns/net")
-	if err != nil {
-		return fmt.Errorf("Failed to open /proc/self/ns/net: %v", err)
-	}
-	defer thisNS.Close()
-
-	if err = SetNS(ns, syscall.CLONE_NEWNET); err != nil {
-		return fmt.Errorf("Error switching to ns %v: %v", ns.Name(), err)
-	}
-	defer SetNS(thisNS, syscall.CLONE_NEWNET) // switch back
-
-	if err = f(thisNS); err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/pkg/ns/ns_linux.go
+++ b/pkg/ns/ns_linux.go
@@ -0,0 +1,234 @@
+// Copyright 2015-2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ns
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"sync"
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// Returns an object representing the current OS thread's network namespace
+func GetCurrentNS() (NetNS, error) {
+	// Lock the thread in case other goroutine executes in it and changes its
+	// network namespace after getCurrentThreadNetNSPath(), otherwise it might
+	// return an unexpected network namespace.
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+	return GetNS(getCurrentThreadNetNSPath())
+}
+
+func getCurrentThreadNetNSPath() string {
+	// /proc/self/ns/net returns the namespace of the main thread, not
+	// of whatever thread this goroutine is running on.  Make sure we
+	// use the thread's net namespace since the thread is switching around
+	return fmt.Sprintf("/proc/%d/task/%d/ns/net", os.Getpid(), unix.Gettid())
+}
+
+func (ns *netNS) Close() error {
+	if err := ns.errorIfClosed(); err != nil {
+		return err
+	}
+
+	if err := ns.file.Close(); err != nil {
+		return fmt.Errorf("Failed to close %q: %v", ns.file.Name(), err)
+	}
+	ns.closed = true
+
+	return nil
+}
+
+func (ns *netNS) Set() error {
+	if err := ns.errorIfClosed(); err != nil {
+		return err
+	}
+
+	if err := unix.Setns(int(ns.Fd()), unix.CLONE_NEWNET); err != nil {
+		return fmt.Errorf("Error switching to ns %v: %v", ns.file.Name(), err)
+	}
+
+	return nil
+}
+
+type NetNS interface {
+	// Executes the passed closure in this object's network namespace,
+	// attempting to restore the original namespace before returning.
+	// However, since each OS thread can have a different network namespace,
+	// and Go's thread scheduling is highly variable, callers cannot
+	// guarantee any specific namespace is set unless operations that
+	// require that namespace are wrapped with Do().  Also, no code called
+	// from Do() should call runtime.UnlockOSThread(), or the risk
+	// of executing code in an incorrect namespace will be greater.  See
+	// https://github.com/golang/go/wiki/LockOSThread for further details.
+	Do(toRun func(NetNS) error) error
+
+	// Sets the current network namespace to this object's network namespace.
+	// Note that since Go's thread scheduling is highly variable, callers
+	// cannot guarantee the requested namespace will be the current namespace
+	// after this function is called; to ensure this wrap operations that
+	// require the namespace with Do() instead.
+	Set() error
+
+	// Returns the filesystem path representing this object's network namespace
+	Path() string
+
+	// Returns a file descriptor representing this object's network namespace
+	Fd() uintptr
+
+	// Cleans up this instance of the network namespace; if this instance
+	// is the last user the namespace will be destroyed
+	Close() error
+}
+
+type netNS struct {
+	file   *os.File
+	closed bool
+}
+
+// netNS implements the NetNS interface
+var _ NetNS = &netNS{}
+
+const (
+	// https://github.com/torvalds/linux/blob/master/include/uapi/linux/magic.h
+	NSFS_MAGIC   = 0x6e736673
+	PROCFS_MAGIC = 0x9fa0
+)
+
+type NSPathNotExistErr struct{ msg string }
+
+func (e NSPathNotExistErr) Error() string { return e.msg }
+
+type NSPathNotNSErr struct{ msg string }
+
+func (e NSPathNotNSErr) Error() string { return e.msg }
+
+func IsNSorErr(nspath string) error {
+	stat := syscall.Statfs_t{}
+	if err := syscall.Statfs(nspath, &stat); err != nil {
+		if os.IsNotExist(err) {
+			err = NSPathNotExistErr{msg: fmt.Sprintf("failed to Statfs %q: %v", nspath, err)}
+		} else {
+			err = fmt.Errorf("failed to Statfs %q: %v", nspath, err)
+		}
+		return err
+	}
+
+	switch stat.Type {
+	case PROCFS_MAGIC, NSFS_MAGIC:
+		return nil
+	default:
+		return NSPathNotNSErr{msg: fmt.Sprintf("unknown FS magic on %q: %x", nspath, stat.Type)}
+	}
+}
+
+// Returns an object representing the namespace referred to by @path
+func GetNS(nspath string) (NetNS, error) {
+	err := IsNSorErr(nspath)
+	if err != nil {
+		return nil, err
+	}
+
+	fd, err := os.Open(nspath)
+	if err != nil {
+		return nil, err
+	}
+
+	return &netNS{file: fd}, nil
+}
+
+func (ns *netNS) Path() string {
+	return ns.file.Name()
+}
+
+func (ns *netNS) Fd() uintptr {
+	return ns.file.Fd()
+}
+
+func (ns *netNS) errorIfClosed() error {
+	if ns.closed {
+		return fmt.Errorf("%q has already been closed", ns.file.Name())
+	}
+	return nil
+}
+
+func (ns *netNS) Do(toRun func(NetNS) error) error {
+	if err := ns.errorIfClosed(); err != nil {
+		return err
+	}
+
+	containedCall := func(hostNS NetNS) error {
+		threadNS, err := GetCurrentNS()
+		if err != nil {
+			return fmt.Errorf("failed to open current netns: %v", err)
+		}
+		defer threadNS.Close()
+
+		// switch to target namespace
+		if err = ns.Set(); err != nil {
+			return fmt.Errorf("error switching to ns %v: %v", ns.file.Name(), err)
+		}
+		defer func() {
+			err := threadNS.Set() // switch back
+			if err == nil {
+				// Unlock the current thread only when we successfully switched back
+				// to the original namespace; otherwise leave the thread locked which
+				// will force the runtime to scrap the current thread, that is maybe
+				// not as optimal but at least always safe to do.
+				runtime.UnlockOSThread()
+			}
+		}()
+
+		return toRun(hostNS)
+	}
+
+	// save a handle to current network namespace
+	hostNS, err := GetCurrentNS()
+	if err != nil {
+		return fmt.Errorf("Failed to open current namespace: %v", err)
+	}
+	defer hostNS.Close()
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	// Start the callback in a new green thread so that if we later fail
+	// to switch the namespace back to the original one, we can safely
+	// leave the thread locked to die without a risk of the current thread
+	// left lingering with incorrect namespace.
+	var innerError error
+	go func() {
+		defer wg.Done()
+		runtime.LockOSThread()
+		innerError = containedCall(hostNS)
+	}()
+	wg.Wait()
+
+	return innerError
+}
+
+// WithNetNSPath executes the passed closure under the given network
+// namespace, restoring the original namespace afterwards.
+func WithNetNSPath(nspath string, toRun func(NetNS) error) error {
+	ns, err := GetNS(nspath)
+	if err != nil {
+		return err
+	}
+	defer ns.Close()
+	return ns.Do(toRun)
+}
--- a/pkg/ns/ns_linux_test.go
+++ b/pkg/ns/ns_linux_test.go
@@ -0,0 +1,292 @@
+// Copyright 2016-2018 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ns_test
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/testutils"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"golang.org/x/sys/unix"
+)
+
+func getInodeCurNetNS() (uint64, error) {
+	curNS, err := ns.GetCurrentNS()
+	if err != nil {
+		return 0, err
+	}
+	defer curNS.Close()
+	return getInodeNS(curNS)
+}
+
+func getInodeNS(netns ns.NetNS) (uint64, error) {
+	return getInodeFd(int(netns.Fd()))
+}
+
+func getInode(path string) (uint64, error) {
+	file, err := os.Open(path)
+	if err != nil {
+		return 0, err
+	}
+	defer file.Close()
+	return getInodeFd(int(file.Fd()))
+}
+
+func getInodeFd(fd int) (uint64, error) {
+	stat := &unix.Stat_t{}
+	err := unix.Fstat(fd, stat)
+	return stat.Ino, err
+}
+
+var _ = Describe("Linux namespace operations", func() {
+	Describe("WithNetNS", func() {
+		var (
+			originalNetNS ns.NetNS
+			targetNetNS   ns.NetNS
+		)
+
+		BeforeEach(func() {
+			var err error
+
+			originalNetNS, err = testutils.NewNS()
+			Expect(err).NotTo(HaveOccurred())
+
+			targetNetNS, err = testutils.NewNS()
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		AfterEach(func() {
+			targetNetNS.Close()
+			originalNetNS.Close()
+
+			Expect(testutils.UnmountNS(targetNetNS)).To(Succeed())
+			Expect(testutils.UnmountNS(originalNetNS)).To(Succeed())
+		})
+
+		It("executes the callback within the target network namespace", func() {
+			expectedInode, err := getInodeNS(targetNetNS)
+			Expect(err).NotTo(HaveOccurred())
+
+			err = targetNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				actualInode, err := getInodeCurNetNS()
+				Expect(err).NotTo(HaveOccurred())
+				Expect(actualInode).To(Equal(expectedInode))
+				return nil
+			})
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("provides the original namespace as the argument to the callback", func() {
+			// Ensure we start in originalNetNS
+			err := originalNetNS.Do(func(ns.NetNS) error {
+				defer GinkgoRecover()
+
+				origNSInode, err := getInodeNS(originalNetNS)
+				Expect(err).NotTo(HaveOccurred())
+
+				err = targetNetNS.Do(func(hostNS ns.NetNS) error {
+					defer GinkgoRecover()
+
+					hostNSInode, err := getInodeNS(hostNS)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(hostNSInode).To(Equal(origNSInode))
+					return nil
+				})
+				Expect(err).NotTo(HaveOccurred())
+				return nil
+			})
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		Context("when called concurrently", func() {
+			It("provides the original namespace as the argument to the callback", func() {
+				concurrency := 200
+				origNS, err := ns.GetCurrentNS()
+				Expect(err).NotTo(HaveOccurred())
+				origNSInode, err := getInodeNS(origNS)
+				Expect(err).NotTo(HaveOccurred())
+
+				var wg sync.WaitGroup
+				wg.Add(concurrency)
+				for i := 0; i < concurrency; i++ {
+					go func() {
+						defer wg.Done()
+						targetNetNS.Do(func(hostNS ns.NetNS) error {
+							defer GinkgoRecover()
+
+							hostNSInode, err := getInodeNS(hostNS)
+							Expect(err).NotTo(HaveOccurred())
+							Expect(hostNSInode).To(Equal(origNSInode))
+							return nil
+						})
+					}()
+				}
+				wg.Wait()
+			})
+		})
+
+		Context("when the callback returns an error", func() {
+			It("restores the calling thread to the original namespace before returning", func() {
+				err := originalNetNS.Do(func(ns.NetNS) error {
+					defer GinkgoRecover()
+
+					preTestInode, err := getInodeCurNetNS()
+					Expect(err).NotTo(HaveOccurred())
+
+					_ = targetNetNS.Do(func(ns.NetNS) error {
+						return errors.New("potato")
+					})
+
+					postTestInode, err := getInodeCurNetNS()
+					Expect(err).NotTo(HaveOccurred())
+					Expect(postTestInode).To(Equal(preTestInode))
+					return nil
+				})
+				Expect(err).NotTo(HaveOccurred())
+			})
+
+			It("returns the error from the callback", func() {
+				err := targetNetNS.Do(func(ns.NetNS) error {
+					return errors.New("potato")
+				})
+				Expect(err).To(MatchError("potato"))
+			})
+		})
+
+		Describe("validating inode mapping to namespaces", func() {
+			It("checks that different namespaces have different inodes", func() {
+				origNSInode, err := getInodeNS(originalNetNS)
+				Expect(err).NotTo(HaveOccurred())
+
+				testNsInode, err := getInodeNS(targetNetNS)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(testNsInode).NotTo(Equal(0))
+				Expect(testNsInode).NotTo(Equal(origNSInode))
+			})
+
+			It("should not leak a closed netns onto any threads in the process", func() {
+				By("creating a new netns")
+				createdNetNS, err := testutils.NewNS()
+				Expect(err).NotTo(HaveOccurred())
+
+				By("discovering the inode of the created netns")
+				createdNetNSInode, err := getInodeNS(createdNetNS)
+				Expect(err).NotTo(HaveOccurred())
+				createdNetNS.Close()
+				Expect(testutils.UnmountNS(createdNetNS)).NotTo(HaveOccurred())
+
+				By("comparing against the netns inode of every thread in the process")
+				for _, netnsPath := range allNetNSInCurrentProcess() {
+					netnsInode, err := getInode(netnsPath)
+					if !os.IsNotExist(err) {
+						Expect(err).NotTo(HaveOccurred())
+					}
+					Expect(netnsInode).NotTo(Equal(createdNetNSInode))
+				}
+			})
+
+			It("fails when the path is not a namespace", func() {
+				tempFile, err := ioutil.TempFile("", "nstest")
+				Expect(err).NotTo(HaveOccurred())
+				defer tempFile.Close()
+
+				nspath := tempFile.Name()
+				defer os.Remove(nspath)
+
+				_, err = ns.GetNS(nspath)
+				Expect(err).To(HaveOccurred())
+				Expect(err).To(BeAssignableToTypeOf(ns.NSPathNotNSErr{}))
+				Expect(err).NotTo(BeAssignableToTypeOf(ns.NSPathNotExistErr{}))
+			})
+		})
+
+		Describe("closing a network namespace", func() {
+			It("should prevent further operations", func() {
+				createdNetNS, err := testutils.NewNS()
+				defer testutils.UnmountNS(createdNetNS)
+				Expect(err).NotTo(HaveOccurred())
+
+				err = createdNetNS.Close()
+				Expect(err).NotTo(HaveOccurred())
+
+				err = createdNetNS.Do(func(ns.NetNS) error { return nil })
+				Expect(err).To(HaveOccurred())
+
+				err = createdNetNS.Set()
+				Expect(err).To(HaveOccurred())
+			})
+
+			It("should only work once", func() {
+				createdNetNS, err := testutils.NewNS()
+				Expect(err).NotTo(HaveOccurred())
+				defer testutils.UnmountNS(createdNetNS)
+
+				err = createdNetNS.Close()
+				Expect(err).NotTo(HaveOccurred())
+
+				err = createdNetNS.Close()
+				Expect(err).To(HaveOccurred())
+			})
+		})
+	})
+
+	Describe("IsNSorErr", func() {
+		It("should detect a namespace", func() {
+			createdNetNS, err := testutils.NewNS()
+			Expect(err).NotTo(HaveOccurred())
+			defer testutils.UnmountNS(createdNetNS)
+			err = ns.IsNSorErr(createdNetNS.Path())
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("should refuse other paths", func() {
+			tempFile, err := ioutil.TempFile("", "nstest")
+			Expect(err).NotTo(HaveOccurred())
+			defer tempFile.Close()
+
+			nspath := tempFile.Name()
+			defer os.Remove(nspath)
+
+			err = ns.IsNSorErr(nspath)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(BeAssignableToTypeOf(ns.NSPathNotNSErr{}))
+			Expect(err).NotTo(BeAssignableToTypeOf(ns.NSPathNotExistErr{}))
+		})
+
+		It("should error on non-existing paths", func() {
+			err := ns.IsNSorErr("/tmp/IDoNotExist")
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(BeAssignableToTypeOf(ns.NSPathNotExistErr{}))
+			Expect(err).NotTo(BeAssignableToTypeOf(ns.NSPathNotNSErr{}))
+		})
+	})
+})
+
+func allNetNSInCurrentProcess() []string {
+	pid := unix.Getpid()
+	paths, err := filepath.Glob(fmt.Sprintf("/proc/%d/task/*/ns/net", pid))
+	Expect(err).NotTo(HaveOccurred())
+	return paths
+}
--- a/pkg/ns/ns_suite_test.go
+++ b/pkg/ns/ns_suite_test.go
@@ -1,3 +1,17 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package ns_test

 import (
@@ -16,5 +30,5 @@ func TestNs(t *testing.T) {
 	runtime.LockOSThread()

 	RegisterFailHandler(Fail)
-	RunSpecs(t, "pkg/ns Suite")
+	RunSpecs(t, "pkg/ns")
 }
--- a/pkg/ns/ns_test.go
+++ b/pkg/ns/ns_test.go
@@ -1,153 +0,0 @@
-package ns_test
-
-import (
-	"errors"
-	"fmt"
-	"math/rand"
-	"os"
-	"os/exec"
-	"path/filepath"
-
-	"golang.org/x/sys/unix"
-
-	"github.com/appc/cni/pkg/ns"
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-)
-
-func getInode(path string) (uint64, error) {
-	file, err := os.Open(path)
-	if err != nil {
-		return 0, err
-	}
-	defer file.Close()
-	return getInodeF(file)
-}
-
-func getInodeF(file *os.File) (uint64, error) {
-	stat := &unix.Stat_t{}
-	err := unix.Fstat(int(file.Fd()), stat)
-	return stat.Ino, err
-}
-
-const CurrentNetNS = "/proc/self/ns/net"
-
-var _ = Describe("Linux namespace operations", func() {
-	Describe("WithNetNS", func() {
-		var (
-			originalNetNS *os.File
-
-			targetNetNSName string
-			targetNetNSPath string
-			targetNetNS     *os.File
-		)
-
-		BeforeEach(func() {
-			var err error
-			originalNetNS, err = os.Open(CurrentNetNS)
-			Expect(err).NotTo(HaveOccurred())
-
-			targetNetNSName = fmt.Sprintf("test-netns-%d", rand.Int())
-
-			err = exec.Command("ip", "netns", "add", targetNetNSName).Run()
-			Expect(err).NotTo(HaveOccurred())
-
-			targetNetNSPath = filepath.Join("/var/run/netns/", targetNetNSName)
-			targetNetNS, err = os.Open(targetNetNSPath)
-			Expect(err).NotTo(HaveOccurred())
-		})
-
-		AfterEach(func() {
-			Expect(targetNetNS.Close()).To(Succeed())
-
-			err := exec.Command("ip", "netns", "del", targetNetNSName).Run()
-			Expect(err).NotTo(HaveOccurred())
-
-			Expect(originalNetNS.Close()).To(Succeed())
-		})
-
-		It("executes the callback within the target network namespace", func() {
-			expectedInode, err := getInode(targetNetNSPath)
-			Expect(err).NotTo(HaveOccurred())
-
-			var actualInode uint64
-			var innerErr error
-			err = ns.WithNetNS(targetNetNS, false, func(*os.File) error {
-				actualInode, innerErr = getInode(CurrentNetNS)
-				return nil
-			})
-			Expect(err).NotTo(HaveOccurred())
-
-			Expect(innerErr).NotTo(HaveOccurred())
-			Expect(actualInode).To(Equal(expectedInode))
-		})
-
-		It("provides the original namespace as the argument to the callback", func() {
-			hostNSInode, err := getInode(CurrentNetNS)
-			Expect(err).NotTo(HaveOccurred())
-
-			var inputNSInode uint64
-			var innerErr error
-			err = ns.WithNetNS(targetNetNS, false, func(inputNS *os.File) error {
-				inputNSInode, err = getInodeF(inputNS)
-				return nil
-			})
-			Expect(err).NotTo(HaveOccurred())
-
-			Expect(innerErr).NotTo(HaveOccurred())
-			Expect(inputNSInode).To(Equal(hostNSInode))
-		})
-
-		It("restores the calling thread to the original network namespace", func() {
-			preTestInode, err := getInode(CurrentNetNS)
-			Expect(err).NotTo(HaveOccurred())
-
-			err = ns.WithNetNS(targetNetNS, false, func(*os.File) error {
-				return nil
-			})
-			Expect(err).NotTo(HaveOccurred())
-
-			postTestInode, err := getInode(CurrentNetNS)
-			Expect(err).NotTo(HaveOccurred())
-
-			Expect(postTestInode).To(Equal(preTestInode))
-		})
-
-		Context("when the callback returns an error", func() {
-			It("restores the calling thread to the original namespace before returning", func() {
-				preTestInode, err := getInode(CurrentNetNS)
-				Expect(err).NotTo(HaveOccurred())
-
-				_ = ns.WithNetNS(targetNetNS, false, func(*os.File) error {
-					return errors.New("potato")
-				})
-
-				postTestInode, err := getInode(CurrentNetNS)
-				Expect(err).NotTo(HaveOccurred())
-
-				Expect(postTestInode).To(Equal(preTestInode))
-			})
-
-			It("returns the error from the callback", func() {
-				err := ns.WithNetNS(targetNetNS, false, func(*os.File) error {
-					return errors.New("potato")
-				})
-				Expect(err).To(MatchError("potato"))
-			})
-		})
-
-		Describe("validating inode mapping to namespaces", func() {
-			It("checks that different namespaces have different inodes", func() {
-				hostNSInode, err := getInode(CurrentNetNS)
-				Expect(err).NotTo(HaveOccurred())
-
-				testNsInode, err := getInode(targetNetNSPath)
-				Expect(err).NotTo(HaveOccurred())
-
-				Expect(hostNSInode).NotTo(Equal(0))
-				Expect(testNsInode).NotTo(Equal(0))
-				Expect(testNsInode).NotTo(Equal(hostNSInode))
-			})
-		})
-	})
-})
--- a/pkg/skel/skel.go
+++ b/pkg/skel/skel.go
@@ -1,117 +0,0 @@
-// Copyright 2014 CNI authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Package skel provides skeleton code for a CNI plugin.
-// In particular, it implements argument parsing and validation.
-package skel
-
-import (
-	"fmt"
-	"io/ioutil"
-	"log"
-	"os"
-
-	"github.com/appc/cni/pkg/types"
-)
-
-// CmdArgs captures all the arguments passed in to the plugin
-// via both env vars and stdin
-type CmdArgs struct {
-	ContainerID string
-	Netns       string
-	IfName      string
-	Args        string
-	Path        string
-	StdinData   []byte
-}
-
-// PluginMain is the "main" for a plugin. It accepts
-// two callback functions for add and del commands.
-func PluginMain(cmdAdd, cmdDel func(_ *CmdArgs) error) {
-	var cmd, contID, netns, ifName, args, path string
-
-	vars := []struct {
-		name string
-		val  *string
-		req  bool
-	}{
-		{"CNI_COMMAND", &cmd, true},
-		{"CNI_CONTAINERID", &contID, false},
-		{"CNI_NETNS", &netns, true},
-		{"CNI_IFNAME", &ifName, true},
-		{"CNI_ARGS", &args, false},
-		{"CNI_PATH", &path, true},
-	}
-
-	argsMissing := false
-	for _, v := range vars {
-		*v.val = os.Getenv(v.name)
-		if v.req && *v.val == "" {
-			log.Printf("%v env variable missing", v.name)
-			argsMissing = true
-		}
-	}
-
-	if argsMissing {
-		dieMsg("required env variables missing")
-	}
-
-	stdinData, err := ioutil.ReadAll(os.Stdin)
-	if err != nil {
-		dieMsg("error reading from stdin: %v", err)
-	}
-
-	cmdArgs := &CmdArgs{
-		ContainerID: contID,
-		Netns:       netns,
-		IfName:      ifName,
-		Args:        args,
-		Path:        path,
-		StdinData:   stdinData,
-	}
-
-	switch cmd {
-	case "ADD":
-		err = cmdAdd(cmdArgs)
-
-	case "DEL":
-		err = cmdDel(cmdArgs)
-
-	default:
-		dieMsg("unknown CNI_COMMAND: %v", cmd)
-	}
-
-	if err != nil {
-		if e, ok := err.(*types.Error); ok {
-			// don't wrap Error in Error
-			dieErr(e)
-		}
-		dieMsg(err.Error())
-	}
-}
-
-func dieMsg(f string, args ...interface{}) {
-	e := &types.Error{
-		Code: 100,
-		Msg:  fmt.Sprintf(f, args...),
-	}
-	dieErr(e)
-}
-
-func dieErr(e *types.Error) {
-	if err := e.Print(); err != nil {
-		log.Print("Error writing error JSON to stdout: ", err)
-	}
-	os.Exit(1)
-}
--- a/pkg/skel/skel_suite_test.go
+++ b/pkg/skel/skel_suite_test.go
@@ -1,13 +0,0 @@
-package skel
-
-import (
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-
-	"testing"
-)
-
-func TestSkel(t *testing.T) {
-	RegisterFailHandler(Fail)
-	RunSpecs(t, "Skel Suite")
-}
--- a/pkg/skel/skel_test.go
+++ b/pkg/skel/skel_test.go
@@ -1,61 +0,0 @@
-package skel
-
-import (
-	"os"
-
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-)
-
-var _ = Describe("Skel", func() {
-	var (
-		fNoop = func(_ *CmdArgs) error { return nil }
-		// fErr    = func(_ *CmdArgs) error { return errors.New("dummy") }
-		envVars = []struct {
-			name string
-			val  string
-		}{
-			{"CNI_CONTAINERID", "dummy"},
-			{"CNI_NETNS", "dummy"},
-			{"CNI_IFNAME", "dummy"},
-			{"CNI_ARGS", "dummy"},
-			{"CNI_PATH", "dummy"},
-		}
-	)
-
-	It("Must be possible to set the env vars", func() {
-		for _, v := range envVars {
-			err := os.Setenv(v.name, v.val)
-			Expect(err).NotTo(HaveOccurred())
-		}
-	})
-
-	Context("When dummy environment variables are passed", func() {
-
-		It("should not fail with ADD and noop callback", func() {
-			err := os.Setenv("CNI_COMMAND", "ADD")
-			Expect(err).NotTo(HaveOccurred())
-			PluginMain(fNoop, nil)
-		})
-
-		// TODO: figure out howto mock printing and os.Exit()
-		// It("should fail with ADD and error callback", func() {
-		// 	err := os.Setenv("CNI_COMMAND", "ADD")
-		// 	Expect(err).NotTo(HaveOccurred())
-		// 	PluginMain(fErr, nil)
-		// })
-
-		It("should not fail with DEL and noop callback", func() {
-			err := os.Setenv("CNI_COMMAND", "DEL")
-			Expect(err).NotTo(HaveOccurred())
-			PluginMain(nil, fNoop)
-		})
-
-		// TODO: figure out howto mock printing and os.Exit()
-		// It("should fail with DEL and error callback", func() {
-		// 	err := os.Setenv("CNI_COMMAND", "DEL")
-		// 	Expect(err).NotTo(HaveOccurred())
-		// 	PluginMain(fErr, nil)
-		// })
-	})
-})
--- a/pkg/testutils/bad_reader.go
+++ b/pkg/testutils/bad_reader.go
@@ -0,0 +1,33 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testutils
+
+import "errors"
+
+// BadReader is an io.Reader which always errors
+type BadReader struct {
+	Error error
+}
+
+func (r *BadReader) Read(buffer []byte) (int, error) {
+	if r.Error != nil {
+		return 0, r.Error
+	}
+	return 0, errors.New("banana")
+}
+
+func (r *BadReader) Close() error {
+	return nil
+}
--- a/pkg/testutils/cmd.go
+++ b/pkg/testutils/cmd.go
@@ -0,0 +1,112 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testutils
+
+import (
+	"io/ioutil"
+	"os"
+
+	"github.com/containernetworking/cni/pkg/skel"
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/cni/pkg/version"
+)
+
+func envCleanup() {
+	os.Unsetenv("CNI_COMMAND")
+	os.Unsetenv("CNI_PATH")
+	os.Unsetenv("CNI_NETNS")
+	os.Unsetenv("CNI_IFNAME")
+	os.Unsetenv("CNI_CONTAINERID")
+}
+
+func CmdAdd(cniNetns, cniContainerID, cniIfname string, conf []byte, f func() error) (types.Result, []byte, error) {
+	os.Setenv("CNI_COMMAND", "ADD")
+	os.Setenv("CNI_PATH", os.Getenv("PATH"))
+	os.Setenv("CNI_NETNS", cniNetns)
+	os.Setenv("CNI_IFNAME", cniIfname)
+	os.Setenv("CNI_CONTAINERID", cniContainerID)
+	defer envCleanup()
+
+	// Redirect stdout to capture plugin result
+	oldStdout := os.Stdout
+	r, w, err := os.Pipe()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	os.Stdout = w
+	err = f()
+	w.Close()
+
+	var out []byte
+	if err == nil {
+		out, err = ioutil.ReadAll(r)
+	}
+	os.Stdout = oldStdout
+
+	// Return errors after restoring stdout so Ginkgo will correctly
+	// emit verbose error information on stdout
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Plugin must return result in same version as specified in netconf
+	versionDecoder := &version.ConfigDecoder{}
+	confVersion, err := versionDecoder.Decode(conf)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	result, err := version.NewResult(confVersion, out)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return result, out, nil
+}
+
+func CmdAddWithArgs(args *skel.CmdArgs, f func() error) (types.Result, []byte, error) {
+	return CmdAdd(args.Netns, args.ContainerID, args.IfName, args.StdinData, f)
+}
+
+func CmdCheck(cniNetns, cniContainerID, cniIfname string, conf []byte, f func() error) error {
+	os.Setenv("CNI_COMMAND", "CHECK")
+	os.Setenv("CNI_PATH", os.Getenv("PATH"))
+	os.Setenv("CNI_NETNS", cniNetns)
+	os.Setenv("CNI_IFNAME", cniIfname)
+	os.Setenv("CNI_CONTAINERID", cniContainerID)
+	defer envCleanup()
+
+	return f()
+}
+
+func CmdCheckWithArgs(args *skel.CmdArgs, f func() error) error {
+	return CmdCheck(args.Netns, args.ContainerID, args.IfName, args.StdinData, f)
+}
+
+func CmdDel(cniNetns, cniContainerID, cniIfname string, f func() error) error {
+	os.Setenv("CNI_COMMAND", "DEL")
+	os.Setenv("CNI_PATH", os.Getenv("PATH"))
+	os.Setenv("CNI_NETNS", cniNetns)
+	os.Setenv("CNI_IFNAME", cniIfname)
+	os.Setenv("CNI_CONTAINERID", cniContainerID)
+	defer envCleanup()
+
+	return f()
+}
+
+func CmdDelWithArgs(args *skel.CmdArgs, f func() error) error {
+	return CmdDel(args.Netns, args.ContainerID, args.IfName, f)
+}
--- a/pkg/testutils/dns.go
+++ b/pkg/testutils/dns.go
@@ -0,0 +1,60 @@
+// Copyright 2019 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testutils
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/containernetworking/cni/pkg/types"
+)
+
+// TmpResolvConf will create a temporary file and write the provided DNS settings to
+// it in the resolv.conf format. It returns the path of the created temporary file or
+// an error if any occurs while creating/writing the file. It is the caller's
+// responsibility to remove the file.
+func TmpResolvConf(dnsConf types.DNS) (string, error) {
+	f, err := ioutil.TempFile("", "cni_test_resolv.conf")
+	if err != nil {
+		return "", fmt.Errorf("failed to get temp file for CNI test resolv.conf: %v", err)
+	}
+	defer f.Close()
+
+	path := f.Name()
+	defer func() {
+		if err != nil {
+			os.RemoveAll(path)
+		}
+	}()
+
+	// see "man 5 resolv.conf" for the format of resolv.conf
+	var resolvConfLines []string
+	for _, nameserver := range dnsConf.Nameservers {
+		resolvConfLines = append(resolvConfLines, fmt.Sprintf("nameserver %s", nameserver))
+	}
+	resolvConfLines = append(resolvConfLines, fmt.Sprintf("domain %s", dnsConf.Domain))
+	resolvConfLines = append(resolvConfLines, fmt.Sprintf("search %s", strings.Join(dnsConf.Search, " ")))
+	resolvConfLines = append(resolvConfLines, fmt.Sprintf("options %s", strings.Join(dnsConf.Options, " ")))
+
+	resolvConf := strings.Join(resolvConfLines, "\n")
+	_, err = f.Write([]byte(resolvConf))
+	if err != nil {
+		return "", fmt.Errorf("failed to write temp resolv.conf for CNI test: %v", err)
+	}
+
+	return path, err
+}
--- a/pkg/testutils/echo/client/client.go
+++ b/pkg/testutils/echo/client/client.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"net"
+)
+
+func main() {
+	target := flag.String("target", "", "the server address")
+	payload := flag.String("message", "", "the message to send to the server")
+	protocol := flag.String("protocol", "tcp", "the protocol to use with the server [udp,tcp], default tcp")
+	flag.Parse()
+
+	if *target == "" || *payload == "" {
+		flag.Usage()
+		panic("invalid arguments")
+	}
+
+	switch *protocol {
+	case "tcp":
+		connectTCP(*target, *payload)
+	case "udp":
+		connectUDP(*target, *payload)
+	default:
+		panic("invalid protocol")
+	}
+}
+
+func connectTCP(target, payload string) {
+	conn, err := net.Dial("tcp", target)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to open connection to [%s] %v", target, err))
+	}
+	defer conn.Close()
+
+	_, err = conn.Write([]byte(payload))
+	if err != nil {
+		panic("Failed to send payload")
+	}
+	_, err = conn.Write([]byte("\n"))
+	if err != nil {
+		panic("Failed to send payload")
+	}
+	buf := make([]byte, 1024)
+	for {
+		n, err := conn.Read(buf)
+		fmt.Print(string(buf[:n]))
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			panic("Failed to read from socket")
+		}
+	}
+}
+
+// UDP uses a constant source port to trigger conntrack problems
+func connectUDP(target, payload string) {
+	LocalAddr, err := net.ResolveUDPAddr("udp", ":54321")
+	if err != nil {
+		panic(fmt.Sprintf("Failed to resolve UDP local address on port 54321 %v", err))
+	}
+	RemoteAddr, err := net.ResolveUDPAddr("udp", target)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to resolve UDP remote address [%s] %v", target, err))
+	}
+	conn, err := net.DialUDP("udp", LocalAddr, RemoteAddr)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to open connection to [%s] %v", target, err))
+	}
+	defer conn.Close()
+
+	_, err = conn.Write([]byte(payload))
+	if err != nil {
+		panic("Failed to send payload")
+	}
+	_, err = conn.Write([]byte("\n"))
+	if err != nil {
+		panic("Failed to send payload")
+	}
+
+	buf := make([]byte, 1024)
+	n, err := conn.Read(buf)
+	if err != nil {
+		panic("Failed to read from socket")
+	}
+	fmt.Print(string(buf[:n]))
+}
--- a/pkg/testutils/echo/echo_test.go
+++ b/pkg/testutils/echo/echo_test.go
@@ -0,0 +1,98 @@
+package main_test
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net"
+	"os/exec"
+	"strings"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/gbytes"
+	"github.com/onsi/gomega/gexec"
+)
+
+var serverBinaryPath, clientBinaryPath string
+
+var _ = SynchronizedBeforeSuite(func() []byte {
+	serverBinaryPath, err := gexec.Build("github.com/containernetworking/plugins/pkg/testutils/echo/server")
+	Expect(err).NotTo(HaveOccurred())
+	clientBinaryPath, err := gexec.Build("github.com/containernetworking/plugins/pkg/testutils/echo/client")
+	Expect(err).NotTo(HaveOccurred())
+	return []byte(strings.Join([]string{serverBinaryPath, clientBinaryPath}, ","))
+}, func(data []byte) {
+	binaries := strings.Split(string(data), ",")
+	serverBinaryPath = binaries[0]
+	clientBinaryPath = binaries[1]
+})
+
+var _ = SynchronizedAfterSuite(func() {}, func() {
+	gexec.CleanupBuildArtifacts()
+})
+
+var _ = Describe("Echosvr", func() {
+	var session *gexec.Session
+	BeforeEach(func() {
+		var err error
+		cmd := exec.Command(serverBinaryPath)
+		session, err = gexec.Start(cmd, GinkgoWriter, GinkgoWriter)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	AfterEach(func() {
+		session.Kill().Wait()
+	})
+
+	Context("Server test", func() {
+		It("starts and doesn't terminate immediately", func() {
+			Consistently(session).ShouldNot(gexec.Exit())
+		})
+
+		tryConnect := func() (net.Conn, error) {
+			programOutput := session.Out.Contents()
+			addr := strings.TrimSpace(string(programOutput))
+
+			conn, err := net.Dial("tcp", addr)
+			if err != nil {
+				return nil, err
+			}
+			return conn, err
+		}
+
+		It("prints its listening address to stdout", func() {
+			Eventually(session.Out).Should(gbytes.Say("\n"))
+			conn, err := tryConnect()
+			Expect(err).NotTo(HaveOccurred())
+			conn.Close()
+		})
+
+		It("will echo data back to us", func() {
+			Eventually(session.Out).Should(gbytes.Say("\n"))
+			conn, err := tryConnect()
+			Expect(err).NotTo(HaveOccurred())
+			defer conn.Close()
+
+			fmt.Fprintf(conn, "hello\n")
+			Expect(ioutil.ReadAll(conn)).To(Equal([]byte("hello")))
+		})
+	})
+
+	Context("Client Server Test", func() {
+		It("starts and doesn't terminate immediately", func() {
+			Consistently(session).ShouldNot(gexec.Exit())
+		})
+
+		It("connects successfully using echo client", func() {
+			Eventually(session.Out).Should(gbytes.Say("\n"))
+			serverAddress := strings.TrimSpace(string(session.Out.Contents()))
+			fmt.Println("Server address", string(serverAddress))
+
+			cmd := exec.Command(clientBinaryPath, "-target", serverAddress, "-message", "hello")
+			clientSession, err := gexec.Start(cmd, GinkgoWriter, GinkgoWriter)
+			Expect(err).NotTo(HaveOccurred())
+			Eventually(clientSession.Out).Should(gbytes.Say("hello"))
+			Eventually(clientSession).Should(gexec.Exit())
+		})
+	})
+})
--- a/pkg/testutils/echo/init_test.go
+++ b/pkg/testutils/echo/init_test.go
@@ -1,4 +1,4 @@
-package types_test
+package main_test

 import (
 	. "github.com/onsi/ginkgo"
@@ -7,7 +7,7 @@ import (
 	"testing"
 )

-func TestTypes(t *testing.T) {
+func TestEchosvr(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Types Suite")
+	RunSpecs(t, "pkg/testutils/echosvr")
 }
--- a/pkg/testutils/echo/server/main.go
+++ b/pkg/testutils/echo/server/main.go
@@ -0,0 +1,86 @@
+// Echosvr is a simple TCP echo server
+//
+// It prints its listen address on stdout
+//    127.0.0.1:xxxxx
+//  A test should wait for this line, parse it
+//  and may then attempt to connect.
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"os"
+	"strings"
+	"time"
+)
+
+func main() {
+	// Start TCP server
+	listener, err := net.Listen("tcp", ":")
+	if err != nil {
+		panic(err)
+	}
+	defer listener.Close()
+	// use the same port for UDP
+	_, port, err := net.SplitHostPort(listener.Addr().String())
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("127.0.0.1:%s\n", port)
+	go func() {
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				panic(err)
+			}
+			go handleConnection(conn)
+		}
+	}()
+
+	// Start UDP server
+	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf(":%s", port))
+	if err != nil {
+		log.Fatalf("Error from net.ResolveUDPAddr(): %s", err)
+	}
+	sock, err := net.ListenUDP("udp", addr)
+	if err != nil {
+		log.Fatalf("Error from ListenUDP(): %s", err)
+	}
+	defer sock.Close()
+
+	buffer := make([]byte, 1024)
+	for {
+		n, addr, err := sock.ReadFrom(buffer)
+		if err != nil {
+			log.Fatalf("Error from ReadFrom(): %s", err)
+		}
+		sock.SetWriteDeadline(time.Now().Add(1 * time.Minute))
+		n, err = sock.WriteTo(buffer[0:n], addr)
+		if err != nil {
+			return
+		}
+	}
+}
+
+func handleConnection(conn net.Conn) {
+	conn.SetReadDeadline(time.Now().Add(1 * time.Minute))
+	content, err := bufio.NewReader(conn).ReadString('\n')
+	if err != nil && err != io.EOF {
+		fmt.Fprint(os.Stderr, err.Error())
+		return
+	}
+
+	conn.SetWriteDeadline(time.Now().Add(1 * time.Minute))
+	if _, err = conn.Write([]byte(strings.TrimSuffix(content, "\n"))); err != nil {
+		fmt.Fprint(os.Stderr, err.Error())
+		return
+	}
+
+	if err = conn.Close(); err != nil {
+		fmt.Fprint(os.Stderr, err.Error())
+		return
+	}
+}
--- a/pkg/testutils/netns_linux.go
+++ b/pkg/testutils/netns_linux.go
@@ -0,0 +1,176 @@
+// Copyright 2018 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testutils
+
+import (
+	"crypto/rand"
+	"fmt"
+	"os"
+	"path"
+	"runtime"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/containernetworking/plugins/pkg/ns"
+	"golang.org/x/sys/unix"
+)
+
+func getNsRunDir() string {
+	xdgRuntimeDir := os.Getenv("XDG_RUNTIME_DIR")
+
+	/// If XDG_RUNTIME_DIR is set, check if the current user owns /var/run.  If
+	// the owner is different, we are most likely running in a user namespace.
+	// In that case use $XDG_RUNTIME_DIR/netns as runtime dir.
+	if xdgRuntimeDir != "" {
+		if s, err := os.Stat("/var/run"); err == nil {
+			st, ok := s.Sys().(*syscall.Stat_t)
+			if ok && int(st.Uid) != os.Geteuid() {
+				return path.Join(xdgRuntimeDir, "netns")
+			}
+		}
+	}
+
+	return "/var/run/netns"
+}
+
+// Creates a new persistent (bind-mounted) network namespace and returns an object
+// representing that namespace, without switching to it.
+func NewNS() (ns.NetNS, error) {
+
+	nsRunDir := getNsRunDir()
+
+	b := make([]byte, 16)
+	_, err := rand.Reader.Read(b)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate random netns name: %v", err)
+	}
+
+	// Create the directory for mounting network namespaces
+	// This needs to be a shared mountpoint in case it is mounted in to
+	// other namespaces (containers)
+	err = os.MkdirAll(nsRunDir, 0755)
+	if err != nil {
+		return nil, err
+	}
+
+	// Remount the namespace directory shared. This will fail if it is not
+	// already a mountpoint, so bind-mount it on to itself to "upgrade" it
+	// to a mountpoint.
+	err = unix.Mount("", nsRunDir, "none", unix.MS_SHARED|unix.MS_REC, "")
+	if err != nil {
+		if err != unix.EINVAL {
+			return nil, fmt.Errorf("mount --make-rshared %s failed: %q", nsRunDir, err)
+		}
+
+		// Recursively remount /var/run/netns on itself. The recursive flag is
+		// so that any existing netns bindmounts are carried over.
+		err = unix.Mount(nsRunDir, nsRunDir, "none", unix.MS_BIND|unix.MS_REC, "")
+		if err != nil {
+			return nil, fmt.Errorf("mount --rbind %s %s failed: %q", nsRunDir, nsRunDir, err)
+		}
+
+		// Now we can make it shared
+		err = unix.Mount("", nsRunDir, "none", unix.MS_SHARED|unix.MS_REC, "")
+		if err != nil {
+			return nil, fmt.Errorf("mount --make-rshared %s failed: %q", nsRunDir, err)
+		}
+
+	}
+
+	nsName := fmt.Sprintf("cnitest-%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
+
+	// create an empty file at the mount point
+	nsPath := path.Join(nsRunDir, nsName)
+	mountPointFd, err := os.Create(nsPath)
+	if err != nil {
+		return nil, err
+	}
+	mountPointFd.Close()
+
+	// Ensure the mount point is cleaned up on errors; if the namespace
+	// was successfully mounted this will have no effect because the file
+	// is in-use
+	defer os.RemoveAll(nsPath)
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	// do namespace work in a dedicated goroutine, so that we can safely
+	// Lock/Unlock OSThread without upsetting the lock/unlock state of
+	// the caller of this function
+	go (func() {
+		defer wg.Done()
+		runtime.LockOSThread()
+		// Don't unlock. By not unlocking, golang will kill the OS thread when the
+		// goroutine is done (for go1.10+)
+
+		var origNS ns.NetNS
+		origNS, err = ns.GetNS(getCurrentThreadNetNSPath())
+		if err != nil {
+			return
+		}
+		defer origNS.Close()
+
+		// create a new netns on the current thread
+		err = unix.Unshare(unix.CLONE_NEWNET)
+		if err != nil {
+			return
+		}
+
+		// Put this thread back to the orig ns, since it might get reused (pre go1.10)
+		defer origNS.Set()
+
+		// bind mount the netns from the current thread (from /proc) onto the
+		// mount point. This causes the namespace to persist, even when there
+		// are no threads in the ns.
+		err = unix.Mount(getCurrentThreadNetNSPath(), nsPath, "none", unix.MS_BIND, "")
+		if err != nil {
+			err = fmt.Errorf("failed to bind mount ns at %s: %v", nsPath, err)
+		}
+	})()
+	wg.Wait()
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create namespace: %v", err)
+	}
+
+	return ns.GetNS(nsPath)
+}
+
+// UnmountNS unmounts the NS held by the netns object
+func UnmountNS(ns ns.NetNS) error {
+	nsPath := ns.Path()
+	// Only unmount if it's been bind-mounted (don't touch namespaces in /proc...)
+	if strings.HasPrefix(nsPath, getNsRunDir()) {
+		if err := unix.Unmount(nsPath, 0); err != nil {
+			return fmt.Errorf("failed to unmount NS: at %s: %v", nsPath, err)
+		}
+
+		if err := os.Remove(nsPath); err != nil {
+			return fmt.Errorf("failed to remove ns path %s: %v", nsPath, err)
+		}
+	}
+
+	return nil
+}
+
+// getCurrentThreadNetNSPath copied from pkg/ns
+func getCurrentThreadNetNSPath() string {
+	// /proc/self/ns/net returns the namespace of the main thread, not
+	// of whatever thread this goroutine is running on.  Make sure we
+	// use the thread's net namespace since the thread is switching around
+	return fmt.Sprintf("/proc/%d/task/%d/ns/net", os.Getpid(), unix.Gettid())
+}
--- a/pkg/testutils/ping.go
+++ b/pkg/testutils/ping.go
@@ -0,0 +1,55 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package testutils
+
+import (
+	"bytes"
+	"fmt"
+	"os/exec"
+	"strconv"
+	"syscall"
+)
+
+// Ping shells out to the `ping` command. Returns nil if successful.
+func Ping(saddr, daddr string, isV6 bool, timeoutSec int) error {
+	args := []string{
+		"-c", "1",
+		"-W", strconv.Itoa(timeoutSec),
+		"-I", saddr,
+		daddr,
+	}
+
+	bin := "ping"
+	if isV6 {
+		bin = "ping6"
+	}
+
+	cmd := exec.Command(bin, args...)
+	var stderr bytes.Buffer
+	cmd.Stderr = &stderr
+
+	if err := cmd.Run(); err != nil {
+		switch e := err.(type) {
+		case *exec.ExitError:
+			return fmt.Errorf("%v exit status %d: %s",
+				args, e.Sys().(syscall.WaitStatus).ExitStatus(),
+				stderr.String())
+		default:
+			return err
+		}
+	}
+
+	return nil
+}
--- a/pkg/types/args_test.go
+++ b/pkg/types/args_test.go
@@ -1,92 +0,0 @@
-package types_test
-
-import (
-	"reflect"
-
-	. "github.com/appc/cni/pkg/types"
-
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/ginkgo/extensions/table"
-	. "github.com/onsi/gomega"
-)
-
-var _ = Describe("UnmarshallableBool UnmarshalText", func() {
-	DescribeTable("string to bool detection should succeed in all cases",
-		func(inputs []string, expected bool) {
-			for _, s := range inputs {
-				var ub UnmarshallableBool
-				err := ub.UnmarshalText([]byte(s))
-				Expect(err).ToNot(HaveOccurred())
-				Expect(ub).To(Equal(UnmarshallableBool(expected)))
-			}
-		},
-		Entry("parse to true", []string{"True", "true", "1"}, true),
-		Entry("parse to false", []string{"False", "false", "0"}, false),
-	)
-
-	Context("When passed an invalid value", func() {
-		It("should result in an error", func() {
-			var ub UnmarshallableBool
-			err := ub.UnmarshalText([]byte("invalid"))
-			Expect(err).To(HaveOccurred())
-		})
-	})
-})
-
-var _ = Describe("GetKeyField", func() {
-	type testcontainer struct {
-		Valid string `json:"valid,omitempty"`
-	}
-	var (
-		container          = testcontainer{Valid: "valid"}
-		containerInterface = func(i interface{}) interface{} { return i }(&container)
-		containerValue     = reflect.ValueOf(containerInterface)
-	)
-	Context("When a valid field is provided", func() {
-		It("should return the correct field", func() {
-			field := GetKeyField("Valid", containerValue)
-			Expect(field.String()).To(Equal("valid"))
-		})
-	})
-})
-
-var _ = Describe("LoadArgs", func() {
-	Context("When no arguments are passed", func() {
-		It("LoadArgs should succeed", func() {
-			err := LoadArgs("", struct{}{})
-			Expect(err).NotTo(HaveOccurred())
-		})
-	})
-
-	Context("When unknown arguments are passed and ignored", func() {
-		It("LoadArgs should succeed", func() {
-			ca := CommonArgs{}
-			err := LoadArgs("IgnoreUnknown=True;Unk=nown", &ca)
-			Expect(err).NotTo(HaveOccurred())
-		})
-	})
-
-	Context("When unknown arguments are passed and not ignored", func() {
-		It("LoadArgs should fail", func() {
-			ca := CommonArgs{}
-			err := LoadArgs("Unk=nown", &ca)
-			Expect(err).To(HaveOccurred())
-		})
-	})
-
-	Context("When unknown arguments are passed and explicitly not ignored", func() {
-		It("LoadArgs should fail", func() {
-			ca := CommonArgs{}
-			err := LoadArgs("IgnoreUnknown=0, Unk=nown", &ca)
-			Expect(err).To(HaveOccurred())
-		})
-	})
-
-	Context("When known arguments are passed", func() {
-		It("LoadArgs should succeed", func() {
-			ca := CommonArgs{}
-			err := LoadArgs("IgnoreUnknown=1", &ca)
-			Expect(err).NotTo(HaveOccurred())
-		})
-	})
-})
--- a/pkg/utils/buildversion/buildversion.go
+++ b/pkg/utils/buildversion/buildversion.go
@@ -0,0 +1,26 @@
+// Copyright 2019 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Buildversion is a destination for the linker trickery so we can auto
+// set the build-version
+package buildversion
+
+import "fmt"
+
+// This is overridden in the linker script
+var BuildVersion = "version unknown"
+
+func BuildString(pluginName string) string {
+	return fmt.Sprintf("CNI %s plugin %s", pluginName, BuildVersion)
+}
--- a/pkg/utils/conntrack.go
+++ b/pkg/utils/conntrack.go
@@ -0,0 +1,73 @@
+// Copyright 2020 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+)
+
+// Assigned Internet Protocol Numbers
+// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+const (
+	PROTOCOL_TCP  = 6
+	PROTOCOL_UDP  = 17
+	PROTOCOL_SCTP = 132
+)
+
+// getNetlinkFamily returns the Netlink IP family constant
+func getNetlinkFamily(isIPv6 bool) netlink.InetFamily {
+	if isIPv6 {
+		return unix.AF_INET6
+	}
+	return unix.AF_INET
+}
+
+// DeleteConntrackEntriesForDstIP delete the conntrack entries for the connections
+// specified by the given destination IP and protocol
+func DeleteConntrackEntriesForDstIP(dstIP string, protocol uint8) error {
+	ip := net.ParseIP(dstIP)
+	if ip == nil {
+		return fmt.Errorf("error deleting connection tracking state, bad IP %s", ip)
+	}
+	family := getNetlinkFamily(ip.To4() == nil)
+
+	filter := &netlink.ConntrackFilter{}
+	filter.AddIP(netlink.ConntrackOrigDstIP, ip)
+	filter.AddProtocol(protocol)
+
+	_, err := netlink.ConntrackDeleteFilter(netlink.ConntrackTable, family, filter)
+	if err != nil {
+		return fmt.Errorf("error deleting connection tracking state for protocol: %d IP: %s, error: %v", protocol, ip, err)
+	}
+	return nil
+}
+
+// DeleteConntrackEntriesForDstPort delete the conntrack entries for the connections specified
+// by the given destination port, protocol and IP family
+func DeleteConntrackEntriesForDstPort(port uint16, protocol uint8, family netlink.InetFamily) error {
+	filter := &netlink.ConntrackFilter{}
+	filter.AddPort(netlink.ConntrackOrigDstPort, port)
+	filter.AddProtocol(protocol)
+
+	_, err := netlink.ConntrackDeleteFilter(netlink.ConntrackTable, family, filter)
+	if err != nil {
+		return fmt.Errorf("error deleting connection tracking state for protocol: %d Port: %d, error: %v", protocol, port, err)
+	}
+	return nil
+}
--- a/pkg/utils/hwaddr/hwaddr.go
+++ b/pkg/utils/hwaddr/hwaddr.go
@@ -0,0 +1,63 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hwaddr
+
+import (
+	"fmt"
+	"net"
+)
+
+const (
+	ipRelevantByteLen      = 4
+	PrivateMACPrefixString = "0a:58"
+)
+
+var (
+	// private mac prefix safe to use
+	PrivateMACPrefix = []byte{0x0a, 0x58}
+)
+
+type SupportIp4OnlyErr struct{ msg string }
+
+func (e SupportIp4OnlyErr) Error() string { return e.msg }
+
+type MacParseErr struct{ msg string }
+
+func (e MacParseErr) Error() string { return e.msg }
+
+type InvalidPrefixLengthErr struct{ msg string }
+
+func (e InvalidPrefixLengthErr) Error() string { return e.msg }
+
+// GenerateHardwareAddr4 generates 48 bit virtual mac addresses based on the IP4 input.
+func GenerateHardwareAddr4(ip net.IP, prefix []byte) (net.HardwareAddr, error) {
+	switch {
+
+	case ip.To4() == nil:
+		return nil, SupportIp4OnlyErr{msg: "GenerateHardwareAddr4 only supports valid IPv4 address as input"}
+
+	case len(prefix) != len(PrivateMACPrefix):
+		return nil, InvalidPrefixLengthErr{msg: fmt.Sprintf(
+			"Prefix has length %d instead  of %d", len(prefix), len(PrivateMACPrefix)),
+		}
+	}
+
+	ipByteLen := len(ip)
+	return (net.HardwareAddr)(
+		append(
+			prefix,
+			ip[ipByteLen-ipRelevantByteLen:ipByteLen]...),
+	), nil
+}
--- a/pkg/utils/hwaddr/hwaddr_suite_test.go
+++ b/pkg/utils/hwaddr/hwaddr_suite_test.go
@@ -0,0 +1,27 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hwaddr_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestHwaddr(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "pkg/utils/hwaddr")
+}
--- a/pkg/utils/hwaddr/hwaddr_test.go
+++ b/pkg/utils/hwaddr/hwaddr_test.go
@@ -0,0 +1,74 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hwaddr_test
+
+import (
+	"net"
+
+	"github.com/containernetworking/plugins/pkg/utils/hwaddr"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Hwaddr", func() {
+	Context("Generate Hardware Address", func() {
+		It("generate hardware address based on ipv4 address", func() {
+			testCases := []struct {
+				ip          net.IP
+				expectedMAC net.HardwareAddr
+			}{
+				{
+					ip:          net.ParseIP("10.0.0.2"),
+					expectedMAC: (net.HardwareAddr)(append(hwaddr.PrivateMACPrefix, 0x0a, 0x00, 0x00, 0x02)),
+				},
+				{
+					ip:          net.ParseIP("10.250.0.244"),
+					expectedMAC: (net.HardwareAddr)(append(hwaddr.PrivateMACPrefix, 0x0a, 0xfa, 0x00, 0xf4)),
+				},
+				{
+					ip:          net.ParseIP("172.17.0.2"),
+					expectedMAC: (net.HardwareAddr)(append(hwaddr.PrivateMACPrefix, 0xac, 0x11, 0x00, 0x02)),
+				},
+				{
+					ip:          net.IPv4(byte(172), byte(17), byte(0), byte(2)),
+					expectedMAC: (net.HardwareAddr)(append(hwaddr.PrivateMACPrefix, 0xac, 0x11, 0x00, 0x02)),
+				},
+			}
+
+			for _, tc := range testCases {
+				mac, err := hwaddr.GenerateHardwareAddr4(tc.ip, hwaddr.PrivateMACPrefix)
+				Expect(err).NotTo(HaveOccurred())
+				Expect(mac).To(Equal(tc.expectedMAC))
+			}
+		})
+
+		It("return error if input is not ipv4 address", func() {
+			testCases := []net.IP{
+				net.ParseIP(""),
+				net.ParseIP("2001:db8:0:1:1:1:1:1"),
+			}
+			for _, tc := range testCases {
+				_, err := hwaddr.GenerateHardwareAddr4(tc, hwaddr.PrivateMACPrefix)
+				Expect(err).To(BeAssignableToTypeOf(hwaddr.SupportIp4OnlyErr{}))
+			}
+		})
+
+		It("return error if prefix is invalid", func() {
+			_, err := hwaddr.GenerateHardwareAddr4(net.ParseIP("10.0.0.2"), []byte{0x58})
+			Expect(err).To(BeAssignableToTypeOf(hwaddr.InvalidPrefixLengthErr{}))
+		})
+	})
+})
--- a/pkg/utils/iptables.go
+++ b/pkg/utils/iptables.go
@@ -0,0 +1,121 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/coreos/go-iptables/iptables"
+)
+
+const statusChainExists = 1
+
+// EnsureChain idempotently creates the iptables chain. It does not
+// return an error if the chain already exists.
+func EnsureChain(ipt *iptables.IPTables, table, chain string) error {
+	if ipt == nil {
+		return errors.New("failed to ensure iptable chain: IPTables was nil")
+	}
+	exists, err := ChainExists(ipt, table, chain)
+	if err != nil {
+		return fmt.Errorf("failed to list iptables chains: %v", err)
+	}
+	if !exists {
+		err = ipt.NewChain(table, chain)
+		if err != nil {
+			eerr, eok := err.(*iptables.Error)
+			if eok && eerr.ExitStatus() != statusChainExists {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// ChainExists checks whether an iptables chain exists.
+func ChainExists(ipt *iptables.IPTables, table, chain string) (bool, error) {
+	if ipt == nil {
+		return false, errors.New("failed to check iptable chain: IPTables was nil")
+	}
+	chains, err := ipt.ListChains(table)
+	if err != nil {
+		return false, err
+	}
+
+	for _, ch := range chains {
+		if ch == chain {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// DeleteRule idempotently delete the iptables rule in the specified table/chain.
+// It does not return an error if the referring chain doesn't exist
+func DeleteRule(ipt *iptables.IPTables, table, chain string, rulespec ...string) error {
+	if ipt == nil {
+		return errors.New("failed to ensure iptable chain: IPTables was nil")
+	}
+	if err := ipt.Delete(table, chain, rulespec...); err != nil {
+		eerr, eok := err.(*iptables.Error)
+		switch {
+		case eok && eerr.IsNotExist():
+			// swallow here, the chain was already deleted
+			return nil
+		case eok && eerr.ExitStatus() == 2:
+			// swallow here, invalid command line parameter because the referring rule is missing
+			return nil
+		default:
+			return fmt.Errorf("Failed to delete referring rule %s %s: %v", table, chain, err)
+		}
+	}
+	return nil
+}
+
+// DeleteChain idempotently deletes the specified table/chain.
+// It does not return an errors if the chain does not exist
+func DeleteChain(ipt *iptables.IPTables, table, chain string) error {
+	if ipt == nil {
+		return errors.New("failed to ensure iptable chain: IPTables was nil")
+	}
+
+	err := ipt.DeleteChain(table, chain)
+	eerr, eok := err.(*iptables.Error)
+	switch {
+	case eok && eerr.IsNotExist():
+		// swallow here, the chain was already deleted
+		return nil
+	default:
+		return err
+	}
+}
+
+// ClearChain idempotently clear the iptables rules in the specified table/chain.
+// If the chain does not exist, a new one will be created
+func ClearChain(ipt *iptables.IPTables, table, chain string) error {
+	if ipt == nil {
+		return errors.New("failed to ensure iptable chain: IPTables was nil")
+	}
+	err := ipt.ClearChain(table, chain)
+	eerr, eok := err.(*iptables.Error)
+	switch {
+	case eok && eerr.IsNotExist():
+		// swallow here, the chain was already deleted
+		return EnsureChain(ipt, table, chain)
+	default:
+		return err
+	}
+}
--- a/pkg/utils/iptables_test.go
+++ b/pkg/utils/iptables_test.go
@@ -0,0 +1,97 @@
+// Copyright 2017-2018 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"fmt"
+	"math/rand"
+	"runtime"
+
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/testutils"
+	"github.com/coreos/go-iptables/iptables"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+const TABLE = "filter" // We'll monkey around here
+
+var _ = Describe("chain tests", func() {
+	var testChain string
+	var ipt *iptables.IPTables
+	var cleanup func()
+
+	BeforeEach(func() {
+
+		// Save a reference to the original namespace,
+		// Add a new NS
+		currNs, err := ns.GetCurrentNS()
+		Expect(err).NotTo(HaveOccurred())
+
+		testNs, err := testutils.NewNS()
+		Expect(err).NotTo(HaveOccurred())
+
+		testChain = fmt.Sprintf("cni-test-%d", rand.Intn(10000000))
+
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
+		Expect(err).NotTo(HaveOccurred())
+
+		runtime.LockOSThread()
+		err = testNs.Set()
+		Expect(err).NotTo(HaveOccurred())
+
+		cleanup = func() {
+			if ipt == nil {
+				return
+			}
+			ipt.ClearChain(TABLE, testChain)
+			ipt.DeleteChain(TABLE, testChain)
+			currNs.Set()
+		}
+
+	})
+
+	AfterEach(func() {
+		cleanup()
+	})
+
+	Describe("EnsureChain", func() {
+		It("creates chains idempotently", func() {
+			err := EnsureChain(ipt, TABLE, testChain)
+			Expect(err).NotTo(HaveOccurred())
+
+			// Create it again!
+			err = EnsureChain(ipt, TABLE, testChain)
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+	Describe("DeleteChain", func() {
+		It("delete chains idempotently", func() {
+			// Create chain
+			err := EnsureChain(ipt, TABLE, testChain)
+			Expect(err).NotTo(HaveOccurred())
+
+			// Delete chain
+			err = DeleteChain(ipt, TABLE, testChain)
+			Expect(err).NotTo(HaveOccurred())
+
+			// Delete it again!
+			err = DeleteChain(ipt, TABLE, testChain)
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+})
--- a/pkg/utils/sysctl/sysctl_linux.go
+++ b/pkg/utils/sysctl/sysctl_linux.go
@@ -0,0 +1,80 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sysctl
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"strings"
+)
+
+// Sysctl provides a method to set/get values from /proc/sys - in linux systems
+// new interface to set/get values of variables formerly handled by sysctl syscall
+// If optional `params` have only one string value - this function will
+// set this value into corresponding sysctl variable
+func Sysctl(name string, params ...string) (string, error) {
+	if len(params) > 1 {
+		return "", fmt.Errorf("unexcepted additional parameters")
+	} else if len(params) == 1 {
+		return setSysctl(name, params[0])
+	}
+	return getSysctl(name)
+}
+
+func getSysctl(name string) (string, error) {
+	fullName := filepath.Join("/proc/sys", toNormalName(name))
+	fullName = filepath.Clean(fullName)
+	data, err := ioutil.ReadFile(fullName)
+	if err != nil {
+		return "", err
+	}
+
+	return string(data[:len(data)-1]), nil
+}
+
+func setSysctl(name, value string) (string, error) {
+	fullName := filepath.Join("/proc/sys", toNormalName(name))
+	fullName = filepath.Clean(fullName)
+	if err := ioutil.WriteFile(fullName, []byte(value), 0644); err != nil {
+		return "", err
+	}
+
+	return getSysctl(name)
+}
+
+// Normalize names by using slash as separator
+// Sysctl names can use dots or slashes as separator:
+// - if dots are used, dots and slashes are interchanged.
+// - if slashes are used, slashes and dots are left intact.
+// Separator in use is determined by first occurrence.
+func toNormalName(name string) string {
+	interchange := false
+	for _, c := range name {
+		if c == '.' {
+			interchange = true
+			break
+		}
+		if c == '/' {
+			break
+		}
+	}
+
+	if interchange {
+		r := strings.NewReplacer(".", "/", "/", ".")
+		return r.Replace(name)
+	}
+	return name
+}
--- a/pkg/utils/sysctl/sysctl_linux_test.go
+++ b/pkg/utils/sysctl/sysctl_linux_test.go
@@ -0,0 +1,114 @@
+// Copyright 2017-2020 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sysctl_test
+
+import (
+	"fmt"
+	"math/rand"
+	"runtime"
+	"strings"
+
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/testutils"
+	"github.com/containernetworking/plugins/pkg/utils/sysctl"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/vishvananda/netlink"
+)
+
+const (
+	sysctlDotKeyTemplate   = "net.ipv4.conf.%s.proxy_arp"
+	sysctlSlashKeyTemplate = "net/ipv4/conf/%s/proxy_arp"
+)
+
+var _ = Describe("Sysctl tests", func() {
+	var testIfaceName string
+	var cleanup func()
+
+	BeforeEach(func() {
+
+		// Save a reference to the original namespace,
+		// Add a new NS
+		currNs, err := ns.GetCurrentNS()
+		Expect(err).NotTo(HaveOccurred())
+
+		testNs, err := testutils.NewNS()
+		Expect(err).NotTo(HaveOccurred())
+
+		testIfaceName = fmt.Sprintf("cnitest.%d", rand.Intn(100000))
+		testIface := &netlink.Dummy{
+			LinkAttrs: netlink.LinkAttrs{
+				Name:      testIfaceName,
+				Namespace: netlink.NsFd(int(testNs.Fd())),
+			},
+		}
+
+		err = netlink.LinkAdd(testIface)
+		Expect(err).NotTo(HaveOccurred())
+
+		runtime.LockOSThread()
+		err = testNs.Set()
+		Expect(err).NotTo(HaveOccurred())
+
+		cleanup = func() {
+			netlink.LinkDel(testIface)
+			currNs.Set()
+		}
+
+	})
+
+	AfterEach(func() {
+		cleanup()
+	})
+
+	Describe("Sysctl", func() {
+		It("reads keys with dot separators", func() {
+			sysctlIfaceName := strings.Replace(testIfaceName, ".", "/", -1)
+			sysctlKey := fmt.Sprintf(sysctlDotKeyTemplate, sysctlIfaceName)
+
+			_, err := sysctl.Sysctl(sysctlKey)
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+	Describe("Sysctl", func() {
+		It("reads keys with slash separators", func() {
+			sysctlKey := fmt.Sprintf(sysctlSlashKeyTemplate, testIfaceName)
+
+			_, err := sysctl.Sysctl(sysctlKey)
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+	Describe("Sysctl", func() {
+		It("writes keys with dot separators", func() {
+			sysctlIfaceName := strings.Replace(testIfaceName, ".", "/", -1)
+			sysctlKey := fmt.Sprintf(sysctlDotKeyTemplate, sysctlIfaceName)
+
+			_, err := sysctl.Sysctl(sysctlKey, "1")
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+	Describe("Sysctl", func() {
+		It("writes keys with slash separators", func() {
+			sysctlKey := fmt.Sprintf(sysctlSlashKeyTemplate, testIfaceName)
+
+			_, err := sysctl.Sysctl(sysctlKey, "1")
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+})
--- a/pkg/utils/sysctl/sysctl_suite_test.go
+++ b/pkg/utils/sysctl/sysctl_suite_test.go
@@ -0,0 +1,27 @@
+// Copyright 2017-2020 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sysctl_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestSysctl(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Sysctl Suite")
+}
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@@ -1,3 +1,17 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package utils

 import (
@@ -8,16 +22,22 @@ import (
 const (
 	maxChainLength = 28
 	chainPrefix    = "CNI-"
-	prefixLength   = len(chainPrefix)
 )

-// Generates a chain name to be used with iptables.
-// Ensures that the generated chain name is exactly
-// maxChainLength chars in length
+// FormatChainName generates a chain name to be used
+// with iptables. Ensures that the generated chain
+// name is exactly maxChainLength chars in length.
 func FormatChainName(name string, id string) string {
-	chainBytes := sha512.Sum512([]byte(name + id))
-	chain := fmt.Sprintf("%s%x", chainPrefix, chainBytes)
-	return chain[:maxChainLength]
+	return MustFormatChainNameWithPrefix(name, id, "")
+}
+
+// MustFormatChainNameWithPrefix generates a chain name similar
+// to FormatChainName, but adds a custom prefix between
+// chainPrefix and unique identifier. Ensures that the
+// generated chain name is exactly maxChainLength chars in length.
+// Panics if the given prefix is too long.
+func MustFormatChainNameWithPrefix(name string, id string, prefix string) string {
+	return MustFormatHashWithPrefix(maxChainLength, chainPrefix+prefix, name+id)
 }

 // FormatComment returns a comment used for easier
@@ -25,3 +45,16 @@ func FormatChainName(name string, id string) string {
 func FormatComment(name string, id string) string {
 	return fmt.Sprintf("name: %q id: %q", name, id)
 }
+
+const MaxHashLen = sha512.Size * 2
+
+// MustFormatHashWithPrefix returns a string of given length that begins with the
+// given prefix. It is filled with entropy based on the given string toHash.
+func MustFormatHashWithPrefix(length int, prefix string, toHash string) string {
+	if len(prefix) >= length || length > MaxHashLen {
+		panic("invalid length")
+	}
+
+	output := sha512.Sum512([]byte(toHash))
+	return fmt.Sprintf("%s%x", prefix, output)[:length]
+}
--- a/pkg/utils/utils_suite_test.go
+++ b/pkg/utils/utils_suite_test.go
@@ -1,3 +1,17 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package utils_test

 import (
@@ -9,5 +23,5 @@ import (

 func TestUtils(t *testing.T) {
 	RegisterFailHandler(Fail)
-	RunSpecs(t, "Utils Suite")
+	RunSpecs(t, "pkg/utils")
 }
--- a/pkg/utils/utils_test.go
+++ b/pkg/utils/utils_test.go
@@ -1,37 +1,165 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package utils

 import (
+	"fmt"
+	"strings"
+
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )

 var _ = Describe("Utils", func() {
-	It("must format a short name", func() {
-		chain := FormatChainName("test", "1234")
-		Expect(len(chain)).To(Equal(maxChainLength))
-		Expect(chain).To(Equal("CNI-2bbe0c48b91a7d1b8a6753a8"))
+	Describe("FormatChainName", func() {
+		It("must format a short name", func() {
+			chain := FormatChainName("test", "1234")
+			Expect(len(chain)).To(Equal(maxChainLength))
+			Expect(chain).To(Equal("CNI-2bbe0c48b91a7d1b8a6753a8"))
+		})
+
+		It("must truncate a long name", func() {
+			chain := FormatChainName("testalongnamethatdoesnotmakesense", "1234")
+			Expect(len(chain)).To(Equal(maxChainLength))
+			Expect(chain).To(Equal("CNI-374f33fe84ab0ed84dcdebe3"))
+		})
+
+		It("must be predictable", func() {
+			chain1 := FormatChainName("testalongnamethatdoesnotmakesense", "1234")
+			chain2 := FormatChainName("testalongnamethatdoesnotmakesense", "1234")
+			Expect(len(chain1)).To(Equal(maxChainLength))
+			Expect(len(chain2)).To(Equal(maxChainLength))
+			Expect(chain1).To(Equal(chain2))
+		})
+
+		It("must change when a character changes", func() {
+			chain1 := FormatChainName("testalongnamethatdoesnotmakesense", "1234")
+			chain2 := FormatChainName("testalongnamethatdoesnotmakesense", "1235")
+			Expect(len(chain1)).To(Equal(maxChainLength))
+			Expect(len(chain2)).To(Equal(maxChainLength))
+			Expect(chain1).To(Equal("CNI-374f33fe84ab0ed84dcdebe3"))
+			Expect(chain1).NotTo(Equal(chain2))
+		})
 	})

-	It("must truncate a long name", func() {
-		chain := FormatChainName("testalongnamethatdoesnotmakesense", "1234")
-		Expect(len(chain)).To(Equal(maxChainLength))
-		Expect(chain).To(Equal("CNI-374f33fe84ab0ed84dcdebe3"))
+	Describe("MustFormatChainNameWithPrefix", func() {
+		It("generates a chain name with a prefix", func() {
+			chain := MustFormatChainNameWithPrefix("test", "1234", "PREFIX-")
+			Expect(len(chain)).To(Equal(maxChainLength))
+			Expect(chain).To(Equal("CNI-PREFIX-2bbe0c48b91a7d1b8"))
+		})
+
+		It("must format a short name", func() {
+			chain := MustFormatChainNameWithPrefix("test", "1234", "PREFIX-")
+			Expect(len(chain)).To(Equal(maxChainLength))
+			Expect(chain).To(Equal("CNI-PREFIX-2bbe0c48b91a7d1b8"))
+		})
+
+		It("must truncate a long name", func() {
+			chain := MustFormatChainNameWithPrefix("testalongnamethatdoesnotmakesense", "1234", "PREFIX-")
+			Expect(len(chain)).To(Equal(maxChainLength))
+			Expect(chain).To(Equal("CNI-PREFIX-374f33fe84ab0ed84"))
+		})
+
+		It("must be predictable", func() {
+			chain1 := MustFormatChainNameWithPrefix("testalongnamethatdoesnotmakesense", "1234", "PREFIX-")
+			chain2 := MustFormatChainNameWithPrefix("testalongnamethatdoesnotmakesense", "1234", "PREFIX-")
+			Expect(len(chain1)).To(Equal(maxChainLength))
+			Expect(len(chain2)).To(Equal(maxChainLength))
+			Expect(chain1).To(Equal(chain2))
+		})
+
+		It("must change when a character changes", func() {
+			chain1 := MustFormatChainNameWithPrefix("testalongnamethatdoesnotmakesense", "1234", "PREFIX-")
+			chain2 := MustFormatChainNameWithPrefix("testalongnamethatdoesnotmakesense", "1235", "PREFIX-")
+			Expect(len(chain1)).To(Equal(maxChainLength))
+			Expect(len(chain2)).To(Equal(maxChainLength))
+			Expect(chain1).To(Equal("CNI-PREFIX-374f33fe84ab0ed84"))
+			Expect(chain1).NotTo(Equal(chain2))
+		})
+
+		It("panics when prefix is too large", func() {
+			longPrefix := strings.Repeat("PREFIX-", 4)
+			Expect(func() {
+				MustFormatChainNameWithPrefix("test", "1234", longPrefix)
+			}).To(Panic())
+		})
 	})

-	It("must be predictable", func() {
-		chain1 := FormatChainName("testalongnamethatdoesnotmakesense", "1234")
-		chain2 := FormatChainName("testalongnamethatdoesnotmakesense", "1234")
-		Expect(len(chain1)).To(Equal(maxChainLength))
-		Expect(len(chain2)).To(Equal(maxChainLength))
-		Expect(chain1).To(Equal(chain2))
+	Describe("MustFormatHashWithPrefix", func() {
+		It("always returns a string with the given prefix", func() {
+			Expect(MustFormatHashWithPrefix(10, "AAA", "some string")).To(HavePrefix("AAA"))
+			Expect(MustFormatHashWithPrefix(10, "foo", "some string")).To(HavePrefix("foo"))
+			Expect(MustFormatHashWithPrefix(10, "bar", "some string")).To(HavePrefix("bar"))
+		})
+
+		It("always returns a string of the given length", func() {
+			Expect(MustFormatHashWithPrefix(10, "AAA", "some string")).To(HaveLen(10))
+			Expect(MustFormatHashWithPrefix(15, "AAA", "some string")).To(HaveLen(15))
+			Expect(MustFormatHashWithPrefix(5, "AAA", "some string")).To(HaveLen(5))
+		})
+
+		It("is deterministic", func() {
+			val1 := MustFormatHashWithPrefix(10, "AAA", "some string")
+			val2 := MustFormatHashWithPrefix(10, "AAA", "some string")
+			val3 := MustFormatHashWithPrefix(10, "AAA", "some string")
+			Expect(val1).To(Equal(val2))
+			Expect(val1).To(Equal(val3))
+		})
+
+		It("is (nearly) perfect (injective function)", func() {
+			hashes := map[string]int{}
+
+			for i := 0; i < 1000; i++ {
+				name := fmt.Sprintf("string %d", i)
+				hashes[MustFormatHashWithPrefix(8, "", name)]++
+			}
+
+			for key, count := range hashes {
+				Expect(count).To(Equal(1), "for key "+key+" got non-unique correspondence")
+			}
+		})
+
+		assertPanicWith := func(f func(), expectedErrorMessage string) {
+			defer func() {
+				Expect(recover()).To(Equal(expectedErrorMessage))
+			}()
+			f()
+			Fail("function should have panicked but did not")
+		}
+
+		It("panics when prefix is longer than the length", func() {
+			assertPanicWith(
+				func() { MustFormatHashWithPrefix(3, "AAA", "some string") },
+				"invalid length",
+			)
+		})
+
+		It("panics when length is not positive", func() {
+			assertPanicWith(
+				func() { MustFormatHashWithPrefix(0, "", "some string") },
+				"invalid length",
+			)
+		})
+
+		It("panics when length is larger than MaxLen", func() {
+			assertPanicWith(
+				func() { MustFormatHashWithPrefix(MaxHashLen+1, "", "some string") },
+				"invalid length",
+			)
+		})
 	})

-	It("must change when a character changes", func() {
-		chain1 := FormatChainName("testalongnamethatdoesnotmakesense", "1234")
-		chain2 := FormatChainName("testalongnamethatdoesnotmakesense", "1235")
-		Expect(len(chain1)).To(Equal(maxChainLength))
-		Expect(len(chain2)).To(Equal(maxChainLength))
-		Expect(chain1).To(Equal("CNI-374f33fe84ab0ed84dcdebe3"))
-		Expect(chain1).NotTo(Equal(chain2))
-	})
 })
--- a/plugins/ipam/dhcp/README.md
+++ b/plugins/ipam/dhcp/README.md
@@ -0,0 +1,4 @@
+
+This document has moved to the [containernetworking/cni.dev](https://github.com/containernetworking/cni.dev) repo.
+
+You can find it online here: https://cni.dev/plugins/ipam/dhcp/
--- a/plugins/ipam/dhcp/client.go
+++ b/plugins/ipam/dhcp/client.go
@@ -0,0 +1,135 @@
+// Copyright 2021 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"github.com/d2g/dhcp4"
+	"github.com/d2g/dhcp4client"
+)
+
+const (
+	MaxDHCPLen = 576
+)
+
+//Send the Discovery Packet to the Broadcast Channel
+func DhcpSendDiscoverPacket(c *dhcp4client.Client, options dhcp4.Options) (dhcp4.Packet, error) {
+	discoveryPacket := c.DiscoverPacket()
+
+	for opt, data := range options {
+		discoveryPacket.AddOption(opt, data)
+	}
+
+	discoveryPacket.PadToMinSize()
+	return discoveryPacket, c.SendPacket(discoveryPacket)
+}
+
+//Send Request Based On the offer Received.
+func DhcpSendRequest(c *dhcp4client.Client, options dhcp4.Options, offerPacket *dhcp4.Packet) (dhcp4.Packet, error) {
+	requestPacket := c.RequestPacket(offerPacket)
+
+	for opt, data := range options {
+		requestPacket.AddOption(opt, data)
+	}
+
+	requestPacket.PadToMinSize()
+
+	return requestPacket, c.SendPacket(requestPacket)
+}
+
+//Send Decline to the received acknowledgement.
+func DhcpSendDecline(c *dhcp4client.Client, acknowledgementPacket *dhcp4.Packet, options dhcp4.Options) (dhcp4.Packet, error) {
+	declinePacket := c.DeclinePacket(acknowledgementPacket)
+
+	for opt, data := range options {
+		declinePacket.AddOption(opt, data)
+	}
+
+	declinePacket.PadToMinSize()
+
+	return declinePacket, c.SendPacket(declinePacket)
+}
+
+//Lets do a Full DHCP Request.
+func DhcpRequest(c *dhcp4client.Client, options dhcp4.Options) (bool, dhcp4.Packet, error) {
+	discoveryPacket, err := DhcpSendDiscoverPacket(c, options)
+	if err != nil {
+		return false, discoveryPacket, err
+	}
+
+	offerPacket, err := c.GetOffer(&discoveryPacket)
+	if err != nil {
+		return false, offerPacket, err
+	}
+
+	requestPacket, err := DhcpSendRequest(c, options, &offerPacket)
+	if err != nil {
+		return false, requestPacket, err
+	}
+
+	acknowledgement, err := c.GetAcknowledgement(&requestPacket)
+	if err != nil {
+		return false, acknowledgement, err
+	}
+
+	acknowledgementOptions := acknowledgement.ParseOptions()
+	if dhcp4.MessageType(acknowledgementOptions[dhcp4.OptionDHCPMessageType][0]) != dhcp4.ACK {
+		return false, acknowledgement, nil
+	}
+
+	return true, acknowledgement, nil
+}
+
+//Renew a lease backed on the Acknowledgement Packet.
+//Returns Successful, The AcknoledgementPacket, Any Errors
+func DhcpRenew(c *dhcp4client.Client, acknowledgement dhcp4.Packet, options dhcp4.Options) (bool, dhcp4.Packet, error) {
+	renewRequest := c.RenewalRequestPacket(&acknowledgement)
+
+	for opt, data := range options {
+		renewRequest.AddOption(opt, data)
+	}
+
+	renewRequest.PadToMinSize()
+
+	err := c.SendPacket(renewRequest)
+	if err != nil {
+		return false, renewRequest, err
+	}
+
+	newAcknowledgement, err := c.GetAcknowledgement(&renewRequest)
+	if err != nil {
+		return false, newAcknowledgement, err
+	}
+
+	newAcknowledgementOptions := newAcknowledgement.ParseOptions()
+	if dhcp4.MessageType(newAcknowledgementOptions[dhcp4.OptionDHCPMessageType][0]) != dhcp4.ACK {
+		return false, newAcknowledgement, nil
+	}
+
+	return true, newAcknowledgement, nil
+}
+
+//Release a lease backed on the Acknowledgement Packet.
+//Returns Any Errors
+func DhcpRelease(c *dhcp4client.Client, acknowledgement dhcp4.Packet, options dhcp4.Options) error {
+	release := c.ReleasePacket(&acknowledgement)
+
+	for opt, data := range options {
+		release.AddOption(opt, data)
+	}
+
+	release.PadToMinSize()
+
+	return c.SendPacket(release)
+}
--- a/plugins/ipam/dhcp/daemon.go
+++ b/plugins/ipam/dhcp/daemon.go
@@ -18,7 +18,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"log"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"net/rpc"
@@ -26,38 +26,48 @@ import (
 	"path/filepath"
 	"runtime"
 	"sync"
+	"time"

-	"github.com/appc/cni/pkg/skel"
-	"github.com/appc/cni/pkg/types"
+	"github.com/containernetworking/cni/pkg/skel"
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/cni/pkg/types/current"
 	"github.com/coreos/go-systemd/activation"
 )

 const listenFdsStart = 3
-const resendCount = 3

 var errNoMoreTries = errors.New("no more tries")

 type DHCP struct {
-	mux    sync.Mutex
-	leases map[string]*DHCPLease
+	mux             sync.Mutex
+	leases          map[string]*DHCPLease
+	hostNetnsPrefix string
+	clientTimeout   time.Duration
+	broadcast       bool
 }

-func newDHCP() *DHCP {
+func newDHCP(clientTimeout time.Duration) *DHCP {
 	return &DHCP{
-		leases: make(map[string]*DHCPLease),
+		leases:        make(map[string]*DHCPLease),
+		clientTimeout: clientTimeout,
 	}
 }

+func generateClientID(containerID string, netName string, ifName string) string {
+	return containerID + "/" + netName + "/" + ifName
+}
+
 // Allocate acquires an IP from a DHCP server for a specified container.
 // The acquired lease will be maintained until Release() is called.
-func (d *DHCP) Allocate(args *skel.CmdArgs, result *types.Result) error {
+func (d *DHCP) Allocate(args *skel.CmdArgs, result *current.Result) error {
 	conf := types.NetConf{}
 	if err := json.Unmarshal(args.StdinData, &conf); err != nil {
 		return fmt.Errorf("error parsing netconf: %v", err)
 	}

-	clientID := args.ContainerID + "/" + conf.Name
-	l, err := AcquireLease(clientID, args.Netns, args.IfName)
+	clientID := generateClientID(args.ContainerID, conf.Name, args.IfName)
+	hostNetns := d.hostNetnsPrefix + args.Netns
+	l, err := AcquireLease(clientID, hostNetns, args.IfName, d.clientTimeout, d.broadcast)
 	if err != nil {
 		return err
 	}
@@ -68,13 +78,14 @@ func (d *DHCP) Allocate(args *skel.CmdArgs, result *types.Result) error {
 		return err
 	}

-	d.setLease(args.ContainerID, conf.Name, l)
+	d.setLease(clientID, l)

-	result.IP4 = &types.IPConfig{
-		IP:      *ipn,
+	result.IPs = []*current.IPConfig{{
+		Version: "4",
+		Address: *ipn,
 		Gateway: l.Gateway(),
-		Routes:  l.Routes(),
-	}
+	}}
+	result.Routes = l.Routes()

 	return nil
 }
@@ -87,36 +98,46 @@ func (d *DHCP) Release(args *skel.CmdArgs, reply *struct{}) error {
 		return fmt.Errorf("error parsing netconf: %v", err)
 	}

-	if l := d.getLease(args.ContainerID, conf.Name); l != nil {
+	clientID := generateClientID(args.ContainerID, conf.Name, args.IfName)
+	if l := d.getLease(clientID); l != nil {
 		l.Stop()
-		return nil
+		d.clearLease(clientID)
 	}

-	return fmt.Errorf("lease not found: %v/%v", args.ContainerID, conf.Name)
+	return nil
 }

-func (d *DHCP) getLease(contID, netName string) *DHCPLease {
+func (d *DHCP) getLease(clientID string) *DHCPLease {
 	d.mux.Lock()
 	defer d.mux.Unlock()

 	// TODO(eyakubovich): hash it to avoid collisions
-	l, ok := d.leases[contID+netName]
+	l, ok := d.leases[clientID]
 	if !ok {
 		return nil
 	}
 	return l
 }

-func (d *DHCP) setLease(contID, netName string, l *DHCPLease) {
+func (d *DHCP) setLease(clientID string, l *DHCPLease) {
 	d.mux.Lock()
 	defer d.mux.Unlock()

 	// TODO(eyakubovich): hash it to avoid collisions
-	d.leases[contID+netName] = l
+	d.leases[clientID] = l
 }

-func getListener() (net.Listener, error) {
-	l, err := activation.Listeners(true)
+//func (d *DHCP) clearLease(contID, netName, ifName string) {
+func (d *DHCP) clearLease(clientID string) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	// TODO(eyakubovich): hash it to avoid collisions
+	delete(d.leases, clientID)
+}
+
+func getListener(socketPath string) (net.Listener, error) {
+	l, err := activation.Listeners()
 	if err != nil {
 		return nil, err
 	}
@@ -139,19 +160,34 @@ func getListener() (net.Listener, error) {
 	}
 }

-func runDaemon() {
+func runDaemon(
+	pidfilePath, hostPrefix, socketPath string,
+	dhcpClientTimeout time.Duration, broadcast bool,
+) error {
 	// since other goroutines (on separate threads) will change namespaces,
 	// ensure the RPC server does not get scheduled onto those
 	runtime.LockOSThread()

-	l, err := getListener()
-	if err != nil {
-		log.Printf("Error getting listener: %v", err)
-		return
+	// Write the pidfile
+	if pidfilePath != "" {
+		if !filepath.IsAbs(pidfilePath) {
+			return fmt.Errorf("Error writing pidfile %q: path not absolute", pidfilePath)
+		}
+		if err := ioutil.WriteFile(pidfilePath, []byte(fmt.Sprintf("%d", os.Getpid())), 0644); err != nil {
+			return fmt.Errorf("Error writing pidfile %q: %v", pidfilePath, err)
+		}
 	}

-	dhcp := newDHCP()
+	l, err := getListener(hostPrefix + socketPath)
+	if err != nil {
+		return fmt.Errorf("Error getting listener: %v", err)
+	}
+
+	dhcp := newDHCP(dhcpClientTimeout)
+	dhcp.hostNetnsPrefix = hostPrefix
+	dhcp.broadcast = broadcast
 	rpc.Register(dhcp)
 	rpc.HandleHTTP()
 	http.Serve(l, nil)
+	return nil
 }
--- a/plugins/ipam/dhcp/dhcp2_test.go
+++ b/plugins/ipam/dhcp/dhcp2_test.go
@@ -0,0 +1,183 @@
+// Copyright 2015-2018 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"os/exec"
+	"sync"
+	"time"
+
+	"github.com/containernetworking/cni/pkg/skel"
+	"github.com/containernetworking/cni/pkg/types/current"
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/testutils"
+
+	"github.com/vishvananda/netlink"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("DHCP Multiple Lease Operations", func() {
+	var originalNS, targetNS ns.NetNS
+	var dhcpServerStopCh chan bool
+	var dhcpServerDone *sync.WaitGroup
+	var clientCmd *exec.Cmd
+	var socketPath string
+	var tmpDir string
+	var serverIP net.IPNet
+	var err error
+
+	BeforeEach(func() {
+		dhcpServerStopCh, serverIP, socketPath, originalNS, targetNS, err = dhcpSetupOriginalNS()
+		Expect(err).NotTo(HaveOccurred())
+
+		// Move the container side to the container's NS
+		err = targetNS.Do(func(_ ns.NetNS) error {
+			defer GinkgoRecover()
+
+			link, err := netlink.LinkByName(contVethName0)
+			Expect(err).NotTo(HaveOccurred())
+			err = netlink.LinkSetUp(link)
+			Expect(err).NotTo(HaveOccurred())
+
+			link1, err := netlink.LinkByName(contVethName1)
+			Expect(err).NotTo(HaveOccurred())
+			err = netlink.LinkSetUp(link1)
+			Expect(err).NotTo(HaveOccurred())
+			return nil
+		})
+
+		// Start the DHCP server
+		dhcpServerDone, err = dhcpServerStart(originalNS, net.IPv4(192, 168, 1, 5), serverIP.IP, 2, dhcpServerStopCh)
+		Expect(err).NotTo(HaveOccurred())
+
+		// Start the DHCP client daemon
+		dhcpPluginPath, err := exec.LookPath("dhcp")
+		Expect(err).NotTo(HaveOccurred())
+		clientCmd = exec.Command(dhcpPluginPath, "daemon", "-socketpath", socketPath)
+		err = clientCmd.Start()
+		Expect(err).NotTo(HaveOccurred())
+		Expect(clientCmd.Process).NotTo(BeNil())
+
+		// Wait up to 15 seconds for the client socket
+		Eventually(func() bool {
+			_, err := os.Stat(socketPath)
+			return err == nil
+		}, time.Second*15, time.Second/4).Should(BeTrue())
+	})
+
+	AfterEach(func() {
+		dhcpServerStopCh <- true
+		dhcpServerDone.Wait()
+		clientCmd.Process.Kill()
+		clientCmd.Wait()
+
+		Expect(originalNS.Close()).To(Succeed())
+		Expect(targetNS.Close()).To(Succeed())
+		defer os.RemoveAll(tmpDir)
+	})
+
+	It("configures multiple links with multiple ADD/DEL", func() {
+		conf := fmt.Sprintf(`{
+	    "cniVersion": "0.3.1",
+	    "name": "mynet",
+	    "type": "bridge",
+	    "bridge": "%s",
+	    "ipam": {
+	        "type": "dhcp",
+		"daemonSocketPath": "%s"
+	    }
+	}`, hostBridgeName, socketPath)
+
+		args := &skel.CmdArgs{
+			ContainerID: "dummy",
+			Netns:       targetNS.Path(),
+			IfName:      contVethName0,
+			StdinData:   []byte(conf),
+		}
+
+		var addResult *current.Result
+		err := originalNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			r, _, err := testutils.CmdAddWithArgs(args, func() error {
+				return cmdAdd(args)
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			addResult, err = current.GetResult(r)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(len(addResult.IPs)).To(Equal(1))
+			Expect(addResult.IPs[0].Address.String()).To(Equal("192.168.1.5/24"))
+			return nil
+		})
+		Expect(err).NotTo(HaveOccurred())
+
+		args = &skel.CmdArgs{
+			ContainerID: "dummy",
+			Netns:       targetNS.Path(),
+			IfName:      contVethName1,
+			StdinData:   []byte(conf),
+		}
+
+		err = originalNS.Do(func(ns.NetNS) error {
+			defer GinkgoRecover()
+
+			r, _, err := testutils.CmdAddWithArgs(args, func() error {
+				return cmdAdd(args)
+			})
+			Expect(err).NotTo(HaveOccurred())
+
+			addResult, err = current.GetResult(r)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(len(addResult.IPs)).To(Equal(1))
+			Expect(addResult.IPs[0].Address.String()).To(Equal("192.168.1.6/24"))
+			return nil
+		})
+		Expect(err).NotTo(HaveOccurred())
+
+		args = &skel.CmdArgs{
+			ContainerID: "dummy",
+			Netns:       targetNS.Path(),
+			IfName:      contVethName1,
+			StdinData:   []byte(conf),
+		}
+
+		err = originalNS.Do(func(ns.NetNS) error {
+			return testutils.CmdDelWithArgs(args, func() error {
+				return cmdDel(args)
+			})
+		})
+		Expect(err).NotTo(HaveOccurred())
+
+		args = &skel.CmdArgs{
+			ContainerID: "dummy",
+			Netns:       targetNS.Path(),
+			IfName:      contVethName0,
+			StdinData:   []byte(conf),
+		}
+
+		err = originalNS.Do(func(ns.NetNS) error {
+			return testutils.CmdDelWithArgs(args, func() error {
+				return cmdDel(args)
+			})
+		})
+		Expect(err).NotTo(HaveOccurred())
+	})
+})
--- a/Show More
+++ b/Show More