podman network create

initial implementation of network create.  we only support bridging
networks with this first pass.

Signed-off-by: baude <bbaude@redhat.com>

8 files changed, 821 insertions, 0 deletions

diff --git a/vendor/github.com/containernetworking/plugins/pkg/ip/addr_linux.go b/vendor/github.com/containernetworking/plugins/pkg/ip/addr_linux.go
new file mode 100644
index 000000000..b4db50b9a
--- /dev/null
+++ b/vendor/github.com/containernetworking/plugins/pkg/ip/addr_linux.go
@@ -0,0 +1,68 @@
+// Copyright 2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"fmt"
+	"syscall"
+	"time"
+
+	"github.com/vishvananda/netlink"
+)
+
+const SETTLE_INTERVAL = 50 * time.Millisecond
+
+// SettleAddresses waits for all addresses on a link to leave tentative state.
+// This is particularly useful for ipv6, where all addresses need to do DAD.
+// There is no easy way to wait for this as an event, so just loop until the
+// addresses are no longer tentative.
+// If any addresses are still tentative after timeout seconds, then error.
+func SettleAddresses(ifName string, timeout int) error {
+	link, err := netlink.LinkByName(ifName)
+	if err != nil {
+		return fmt.Errorf("failed to retrieve link: %v", err)
+	}
+
+	deadline := time.Now().Add(time.Duration(timeout) * time.Second)
+	for {
+		addrs, err := netlink.AddrList(link, netlink.FAMILY_ALL)
+		if err != nil {
+			return fmt.Errorf("could not list addresses: %v", err)
+		}
+
+		if len(addrs) == 0 {
+			return nil
+		}
+
+		ok := true
+		for _, addr := range addrs {
+			if addr.Flags&(syscall.IFA_F_TENTATIVE|syscall.IFA_F_DADFAILED) > 0 {
+				ok = false
+				break // Break out of the `range addrs`, not the `for`
+			}
+		}
+
+		if ok {
+			return nil
+		}
+		if time.Now().After(deadline) {
+			return fmt.Errorf("link %s still has tentative addresses after %d seconds",
+				ifName,
+				timeout)
+		}
+
+		time.Sleep(SETTLE_INTERVAL)
+	}
+}
diff --git a/vendor/github.com/containernetworking/plugins/pkg/ip/cidr.go b/vendor/github.com/containernetworking/plugins/pkg/ip/cidr.go
new file mode 100644
index 000000000..7acc2d47c
--- /dev/null
+++ b/vendor/github.com/containernetworking/plugins/pkg/ip/cidr.go
@@ -0,0 +1,61 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"math/big"
+	"net"
+)
+
+// NextIP returns IP incremented by 1
+func NextIP(ip net.IP) net.IP {
+	i := ipToInt(ip)
+	return intToIP(i.Add(i, big.NewInt(1)))
+}
+
+// PrevIP returns IP decremented by 1
+func PrevIP(ip net.IP) net.IP {
+	i := ipToInt(ip)
+	return intToIP(i.Sub(i, big.NewInt(1)))
+}
+
+// Cmp compares two IPs, returning the usual ordering:
+// a < b : -1
+// a == b : 0
+// a > b : 1
+func Cmp(a, b net.IP) int {
+	aa := ipToInt(a)
+	bb := ipToInt(b)
+	return aa.Cmp(bb)
+}
+
+func ipToInt(ip net.IP) *big.Int {
+	if v := ip.To4(); v != nil {
+		return big.NewInt(0).SetBytes(v)
+	}
+	return big.NewInt(0).SetBytes(ip.To16())
+}
+
+func intToIP(i *big.Int) net.IP {
+	return net.IP(i.Bytes())
+}
+
+// Network masks off the host portion of the IP
+func Network(ipn *net.IPNet) *net.IPNet {
+	return &net.IPNet{
+		IP:   ipn.IP.Mask(ipn.Mask),
+		Mask: ipn.Mask,
+	}
+}
diff --git a/vendor/github.com/containernetworking/plugins/pkg/ip/ipforward_linux.go b/vendor/github.com/containernetworking/plugins/pkg/ip/ipforward_linux.go
new file mode 100644
index 000000000..8216a2c38
--- /dev/null
+++ b/vendor/github.com/containernetworking/plugins/pkg/ip/ipforward_linux.go
@@ -0,0 +1,61 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"bytes"
+	"io/ioutil"
+
+	"github.com/containernetworking/cni/pkg/types/current"
+)
+
+func EnableIP4Forward() error {
+	return echo1("/proc/sys/net/ipv4/ip_forward")
+}
+
+func EnableIP6Forward() error {
+	return echo1("/proc/sys/net/ipv6/conf/all/forwarding")
+}
+
+// EnableForward will enable forwarding for all configured
+// address families
+func EnableForward(ips []*current.IPConfig) error {
+	v4 := false
+	v6 := false
+
+	for _, ip := range ips {
+		if ip.Version == "4" && !v4 {
+			if err := EnableIP4Forward(); err != nil {
+				return err
+			}
+			v4 = true
+		} else if ip.Version == "6" && !v6 {
+			if err := EnableIP6Forward(); err != nil {
+				return err
+			}
+			v6 = true
+		}
+	}
+	return nil
+}
+
+func echo1(f string) error {
+	if content, err := ioutil.ReadFile(f); err == nil {
+		if bytes.Equal(bytes.TrimSpace(content), []byte("1")) {
+			return nil
+		}
+	}
+	return ioutil.WriteFile(f, []byte("1"), 0644)
+}
diff --git a/vendor/github.com/containernetworking/plugins/pkg/ip/ipmasq_linux.go b/vendor/github.com/containernetworking/plugins/pkg/ip/ipmasq_linux.go
new file mode 100644
index 000000000..cc640a605
--- /dev/null
+++ b/vendor/github.com/containernetworking/plugins/pkg/ip/ipmasq_linux.go
@@ -0,0 +1,126 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/coreos/go-iptables/iptables"
+)
+
+// SetupIPMasq installs iptables rules to masquerade traffic
+// coming from ip of ipn and going outside of ipn
+func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
+	isV6 := ipn.IP.To4() == nil
+
+	var ipt *iptables.IPTables
+	var err error
+	var multicastNet string
+
+	if isV6 {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+		multicastNet = "ff00::/8"
+	} else {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
+		multicastNet = "224.0.0.0/4"
+	}
+	if err != nil {
+		return fmt.Errorf("failed to locate iptables: %v", err)
+	}
+
+	// Create chain if doesn't exist
+	exists := false
+	chains, err := ipt.ListChains("nat")
+	if err != nil {
+		return fmt.Errorf("failed to list chains: %v", err)
+	}
+	for _, ch := range chains {
+		if ch == chain {
+			exists = true
+			break
+		}
+	}
+	if !exists {
+		if err = ipt.NewChain("nat", chain); err != nil {
+			return err
+		}
+	}
+
+	// Packets to this network should not be touched
+	if err := ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
+		return err
+	}
+
+	// Don't masquerade multicast - pods should be able to talk to other pods
+	// on the local network via multicast.
+	if err := ipt.AppendUnique("nat", chain, "!", "-d", multicastNet, "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
+		return err
+	}
+
+	// Packets from the specific IP of this network will hit the chain
+	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
+}
+
+// TeardownIPMasq undoes the effects of SetupIPMasq
+func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
+	isV6 := ipn.IP.To4() == nil
+
+	var ipt *iptables.IPTables
+	var err error
+
+	if isV6 {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	} else {
+		ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	}
+	if err != nil {
+		return fmt.Errorf("failed to locate iptables: %v", err)
+	}
+
+	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	// for downward compatibility
+	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	err = ipt.ClearChain("nat", chain)
+	if err != nil && !isNotExist(err) {
+		return err
+
+	}
+
+	err = ipt.DeleteChain("nat", chain)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	return nil
+}
+
+// isNotExist returnst true if the error is from iptables indicating
+// that the target does not exist.
+func isNotExist(err error) bool {
+	e, ok := err.(*iptables.Error)
+	if !ok {
+		return false
+	}
+	return e.IsNotExist()
+}
diff --git a/vendor/github.com/containernetworking/plugins/pkg/ip/link_linux.go b/vendor/github.com/containernetworking/plugins/pkg/ip/link_linux.go
new file mode 100644
index 000000000..909afd04e
--- /dev/null
+++ b/vendor/github.com/containernetworking/plugins/pkg/ip/link_linux.go
@@ -0,0 +1,275 @@
+// Copyright 2015 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/containernetworking/plugins/pkg/utils/hwaddr"
+	"github.com/safchain/ethtool"
+	"github.com/vishvananda/netlink"
+)
+
+var (
+	ErrLinkNotFound = errors.New("link not found")
+)
+
+func makeVethPair(name, peer string, mtu int) (netlink.Link, error) {
+	veth := &netlink.Veth{
+		LinkAttrs: netlink.LinkAttrs{
+			Name:  name,
+			Flags: net.FlagUp,
+			MTU:   mtu,
+		},
+		PeerName: peer,
+	}
+	if err := netlink.LinkAdd(veth); err != nil {
+		return nil, err
+	}
+	// Re-fetch the link to get its creation-time parameters, e.g. index and mac
+	veth2, err := netlink.LinkByName(name)
+	if err != nil {
+		netlink.LinkDel(veth) // try and clean up the link if possible.
+		return nil, err
+	}
+
+	return veth2, nil
+}
+
+func peerExists(name string) bool {
+	if _, err := netlink.LinkByName(name); err != nil {
+		return false
+	}
+	return true
+}
+
+func makeVeth(name string, mtu int) (peerName string, veth netlink.Link, err error) {
+	for i := 0; i < 10; i++ {
+		peerName, err = RandomVethName()
+		if err != nil {
+			return
+		}
+
+		veth, err = makeVethPair(name, peerName, mtu)
+		switch {
+		case err == nil:
+			return
+
+		case os.IsExist(err):
+			if peerExists(peerName) {
+				continue
+			}
+			err = fmt.Errorf("container veth name provided (%v) already exists", name)
+			return
+
+		default:
+			err = fmt.Errorf("failed to make veth pair: %v", err)
+			return
+		}
+	}
+
+	// should really never be hit
+	err = fmt.Errorf("failed to find a unique veth name")
+	return
+}
+
+// RandomVethName returns string "veth" with random prefix (hashed from entropy)
+func RandomVethName() (string, error) {
+	entropy := make([]byte, 4)
+	_, err := rand.Reader.Read(entropy)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate random veth name: %v", err)
+	}
+
+	// NetworkManager (recent versions) will ignore veth devices that start with "veth"
+	return fmt.Sprintf("veth%x", entropy), nil
+}
+
+func RenameLink(curName, newName string) error {
+	link, err := netlink.LinkByName(curName)
+	if err == nil {
+		err = netlink.LinkSetName(link, newName)
+	}
+	return err
+}
+
+func ifaceFromNetlinkLink(l netlink.Link) net.Interface {
+	a := l.Attrs()
+	return net.Interface{
+		Index:        a.Index,
+		MTU:          a.MTU,
+		Name:         a.Name,
+		HardwareAddr: a.HardwareAddr,
+		Flags:        a.Flags,
+	}
+}
+
+// SetupVeth sets up a pair of virtual ethernet devices.
+// Call SetupVeth from inside the container netns.  It will create both veth
+// devices and move the host-side veth into the provided hostNS namespace.
+// On success, SetupVeth returns (hostVeth, containerVeth, nil)
+func SetupVeth(contVethName string, mtu int, hostNS ns.NetNS) (net.Interface, net.Interface, error) {
+	hostVethName, contVeth, err := makeVeth(contVethName, mtu)
+	if err != nil {
+		return net.Interface{}, net.Interface{}, err
+	}
+
+	if err = netlink.LinkSetUp(contVeth); err != nil {
+		return net.Interface{}, net.Interface{}, fmt.Errorf("failed to set %q up: %v", contVethName, err)
+	}
+
+	hostVeth, err := netlink.LinkByName(hostVethName)
+	if err != nil {
+		return net.Interface{}, net.Interface{}, fmt.Errorf("failed to lookup %q: %v", hostVethName, err)
+	}
+
+	if err = netlink.LinkSetNsFd(hostVeth, int(hostNS.Fd())); err != nil {
+		return net.Interface{}, net.Interface{}, fmt.Errorf("failed to move veth to host netns: %v", err)
+	}
+
+	err = hostNS.Do(func(_ ns.NetNS) error {
+		hostVeth, err = netlink.LinkByName(hostVethName)
+		if err != nil {
+			return fmt.Errorf("failed to lookup %q in %q: %v", hostVethName, hostNS.Path(), err)
+		}
+
+		if err = netlink.LinkSetUp(hostVeth); err != nil {
+			return fmt.Errorf("failed to set %q up: %v", hostVethName, err)
+		}
+		return nil
+	})
+	if err != nil {
+		return net.Interface{}, net.Interface{}, err
+	}
+	return ifaceFromNetlinkLink(hostVeth), ifaceFromNetlinkLink(contVeth), nil
+}
+
+// DelLinkByName removes an interface link.
+func DelLinkByName(ifName string) error {
+	iface, err := netlink.LinkByName(ifName)
+	if err != nil {
+		if err.Error() == "Link not found" {
+			return ErrLinkNotFound
+		}
+		return fmt.Errorf("failed to lookup %q: %v", ifName, err)
+	}
+
+	if err = netlink.LinkDel(iface); err != nil {
+		return fmt.Errorf("failed to delete %q: %v", ifName, err)
+	}
+
+	return nil
+}
+
+// DelLinkByNameAddr remove an interface and returns its addresses
+func DelLinkByNameAddr(ifName string) ([]*net.IPNet, error) {
+	iface, err := netlink.LinkByName(ifName)
+	if err != nil {
+		if err != nil && err.Error() == "Link not found" {
+			return nil, ErrLinkNotFound
+		}
+		return nil, fmt.Errorf("failed to lookup %q: %v", ifName, err)
+	}
+
+	addrs, err := netlink.AddrList(iface, netlink.FAMILY_ALL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get IP addresses for %q: %v", ifName, err)
+	}
+
+	if err = netlink.LinkDel(iface); err != nil {
+		return nil, fmt.Errorf("failed to delete %q: %v", ifName, err)
+	}
+
+	out := []*net.IPNet{}
+	for _, addr := range addrs {
+		if addr.IP.IsGlobalUnicast() {
+			out = append(out, addr.IPNet)
+		}
+	}
+
+	return out, nil
+}
+
+func SetHWAddrByIP(ifName string, ip4 net.IP, ip6 net.IP) error {
+	iface, err := netlink.LinkByName(ifName)
+	if err != nil {
+		return fmt.Errorf("failed to lookup %q: %v", ifName, err)
+	}
+
+	switch {
+	case ip4 == nil && ip6 == nil:
+		return fmt.Errorf("neither ip4 or ip6 specified")
+
+	case ip4 != nil:
+		{
+			hwAddr, err := hwaddr.GenerateHardwareAddr4(ip4, hwaddr.PrivateMACPrefix)
+			if err != nil {
+				return fmt.Errorf("failed to generate hardware addr: %v", err)
+			}
+			if err = netlink.LinkSetHardwareAddr(iface, hwAddr); err != nil {
+				return fmt.Errorf("failed to add hardware addr to %q: %v", ifName, err)
+			}
+		}
+	case ip6 != nil:
+		// TODO: IPv6
+	}
+
+	return nil
+}
+
+// GetVethPeerIfindex returns the veth link object, the peer ifindex of the
+// veth, or an error. This peer ifindex will only be valid in the peer's
+// network namespace.
+func GetVethPeerIfindex(ifName string) (netlink.Link, int, error) {
+	link, err := netlink.LinkByName(ifName)
+	if err != nil {
+		return nil, -1, fmt.Errorf("could not look up %q: %v", ifName, err)
+	}
+	if _, ok := link.(*netlink.Veth); !ok {
+		return nil, -1, fmt.Errorf("interface %q was not a veth interface", ifName)
+	}
+
+	// veth supports IFLA_LINK (what vishvananda/netlink calls ParentIndex)
+	// on 4.1 and higher kernels
+	peerIndex := link.Attrs().ParentIndex
+	if peerIndex <= 0 {
+		// Fall back to ethtool for 4.0 and earlier kernels
+		e, err := ethtool.NewEthtool()
+		if err != nil {
+			return nil, -1, fmt.Errorf("failed to initialize ethtool: %v", err)
+		}
+		defer e.Close()
+
+		stats, err := e.Stats(link.Attrs().Name)
+		if err != nil {
+			return nil, -1, fmt.Errorf("failed to request ethtool stats: %v", err)
+		}
+		n, ok := stats["peer_ifindex"]
+		if !ok {
+			return nil, -1, fmt.Errorf("failed to find 'peer_ifindex' in ethtool stats")
+		}
+		if n > 32767 || n == 0 {
+			return nil, -1, fmt.Errorf("invalid 'peer_ifindex' %d", n)
+		}
+		peerIndex = int(n)
+	}
+
+	return link, peerIndex, nil
+}
diff --git a/vendor/github.com/containernetworking/plugins/pkg/ip/route_linux.go b/vendor/github.com/containernetworking/plugins/pkg/ip/route_linux.go
new file mode 100644
index 000000000..f5c0d0803
--- /dev/null
+++ b/vendor/github.com/containernetworking/plugins/pkg/ip/route_linux.go
@@ -0,0 +1,47 @@
+// Copyright 2015-2017 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"net"
+
+	"github.com/vishvananda/netlink"
+)
+
+// AddRoute adds a universally-scoped route to a device.
+func AddRoute(ipn *net.IPNet, gw net.IP, dev netlink.Link) error {
+	return netlink.RouteAdd(&netlink.Route{
+		LinkIndex: dev.Attrs().Index,
+		Scope:     netlink.SCOPE_UNIVERSE,
+		Dst:       ipn,
+		Gw:        gw,
+	})
+}
+
+// AddHostRoute adds a host-scoped route to a device.
+func AddHostRoute(ipn *net.IPNet, gw net.IP, dev netlink.Link) error {
+	return netlink.RouteAdd(&netlink.Route{
+		LinkIndex: dev.Attrs().Index,
+		Scope:     netlink.SCOPE_HOST,
+		Dst:       ipn,
+		Gw:        gw,
+	})
+}
+
+// AddDefaultRoute sets the default route on the given gateway.
+func AddDefaultRoute(gw net.IP, dev netlink.Link) error {
+	_, defNet, _ := net.ParseCIDR("0.0.0.0/0")
+	return AddRoute(defNet, gw, dev)
+}
diff --git a/vendor/github.com/containernetworking/plugins/pkg/ip/utils_linux.go b/vendor/github.com/containernetworking/plugins/pkg/ip/utils_linux.go
new file mode 100644
index 000000000..7623c5e13
--- /dev/null
+++ b/vendor/github.com/containernetworking/plugins/pkg/ip/utils_linux.go
@@ -0,0 +1,120 @@
+// +build linux
+
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ip
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/containernetworking/cni/pkg/types"
+	"github.com/containernetworking/cni/pkg/types/current"
+	"github.com/vishvananda/netlink"
+)
+
+func ValidateExpectedInterfaceIPs(ifName string, resultIPs []*current.IPConfig) error {
+
+	// Ensure ips
+	for _, ips := range resultIPs {
+		ourAddr := netlink.Addr{IPNet: &ips.Address}
+		match := false
+
+		link, err := netlink.LinkByName(ifName)
+		if err != nil {
+			return fmt.Errorf("Cannot find container link %v", ifName)
+		}
+
+		addrList, err := netlink.AddrList(link, netlink.FAMILY_ALL)
+		if err != nil {
+			return fmt.Errorf("Cannot obtain List of IP Addresses")
+		}
+
+		for _, addr := range addrList {
+			if addr.Equal(ourAddr) {
+				match = true
+				break
+			}
+		}
+		if match == false {
+			return fmt.Errorf("Failed to match addr %v on interface %v", ourAddr, ifName)
+		}
+
+		// Convert the host/prefixlen to just prefix for route lookup.
+		_, ourPrefix, err := net.ParseCIDR(ourAddr.String())
+
+		findGwy := &netlink.Route{Dst: ourPrefix}
+		routeFilter := netlink.RT_FILTER_DST
+		var family int
+
+		switch {
+		case ips.Version == "4":
+			family = netlink.FAMILY_V4
+		case ips.Version == "6":
+			family = netlink.FAMILY_V6
+		default:
+			return fmt.Errorf("Invalid IP Version %v for interface %v", ips.Version, ifName)
+		}
+
+		gwy, err := netlink.RouteListFiltered(family, findGwy, routeFilter)
+		if err != nil {
+			return fmt.Errorf("Error %v trying to find Gateway %v for interface %v", err, ips.Gateway, ifName)
+		}
+		if gwy == nil {
+			return fmt.Errorf("Failed to find Gateway %v for interface %v", ips.Gateway, ifName)
+		}
+	}
+
+	return nil
+}
+
+func ValidateExpectedRoute(resultRoutes []*types.Route) error {
+
+	// Ensure that each static route in prevResults is found in the routing table
+	for _, route := range resultRoutes {
+		find := &netlink.Route{Dst: &route.Dst, Gw: route.GW}
+		routeFilter := netlink.RT_FILTER_DST | netlink.RT_FILTER_GW
+		var family int
+
+		switch {
+		case route.Dst.IP.To4() != nil:
+			family = netlink.FAMILY_V4
+			// Default route needs Dst set to nil
+			if route.Dst.String() == "0.0.0.0/0" {
+				find = &netlink.Route{Dst: nil, Gw: route.GW}
+				routeFilter = netlink.RT_FILTER_DST
+			}
+		case len(route.Dst.IP) == net.IPv6len:
+			family = netlink.FAMILY_V6
+			// Default route needs Dst set to nil
+			if route.Dst.String() == "::/0" {
+				find = &netlink.Route{Dst: nil, Gw: route.GW}
+				routeFilter = netlink.RT_FILTER_DST
+			}
+		default:
+			return fmt.Errorf("Invalid static route found %v", route)
+		}
+
+		wasFound, err := netlink.RouteListFiltered(family, find, routeFilter)
+		if err != nil {
+			return fmt.Errorf("Expected Route %v not route table lookup error %v", route, err)
+		}
+		if wasFound == nil {
+			return fmt.Errorf("Expected Route %v not found in routing table", route)
+		}
+	}
+
+	return nil
+}
diff --git a/vendor/github.com/containernetworking/plugins/pkg/utils/hwaddr/hwaddr.go b/vendor/github.com/containernetworking/plugins/pkg/utils/hwaddr/hwaddr.go
new file mode 100644
index 000000000..aaf3b8a02
--- /dev/null
+++ b/vendor/github.com/containernetworking/plugins/pkg/utils/hwaddr/hwaddr.go
@@ -0,0 +1,63 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package hwaddr
+
+import (
+	"fmt"
+	"net"
+)
+
+const (
+	ipRelevantByteLen      = 4
+	PrivateMACPrefixString = "0a:58"
+)
+
+var (
+	// private mac prefix safe to use
+	PrivateMACPrefix = []byte{0x0a, 0x58}
+)
+
+type SupportIp4OnlyErr struct{ msg string }
+
+func (e SupportIp4OnlyErr) Error() string { return e.msg }
+
+type MacParseErr struct{ msg string }
+
+func (e MacParseErr) Error() string { return e.msg }
+
+type InvalidPrefixLengthErr struct{ msg string }
+
+func (e InvalidPrefixLengthErr) Error() string { return e.msg }
+
+// GenerateHardwareAddr4 generates 48 bit virtual mac addresses based on the IP4 input.
+func GenerateHardwareAddr4(ip net.IP, prefix []byte) (net.HardwareAddr, error) {
+	switch {
+
+	case ip.To4() == nil:
+		return nil, SupportIp4OnlyErr{msg: "GenerateHardwareAddr4 only supports valid IPv4 address as input"}
+
+	case len(prefix) != len(PrivateMACPrefix):
+		return nil, InvalidPrefixLengthErr{msg: fmt.Sprintf(
+			"Prefix has length %d instead  of %d", len(prefix), len(PrivateMACPrefix)),
+		}
+	}
+
+	ipByteLen := len(ip)
+	return (net.HardwareAddr)(
+		append(
+			prefix,
+			ip[ipByteLen-ipRelevantByteLen:ipByteLen]...),
+	), nil
+}