ifstate 1.9.0__py3-none-any.whl → 1.10.1__py3-none-any.whl

{ifstate-1.9.0.dist-info → ifstate-1.10.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: ifstate
-Version: 1.9.0
+Version: 1.10.1
 Summary: Manage host interface settings in a declarative manner
 Home-page: https://ifstate.net/
 Author: Thomas Liske
@@ -21,7 +21,7 @@ Requires-Dist: wgnlpy ; extra == 'wireguard'
 
 [![PyPI version](https://badge.fury.io/py/ifstate.svg)](https://badge.fury.io/py/ifstate)
 
-A python library to configure (linux) host interfaces in a declarative manner.
+A python tool to configure (linux) host interfaces in a declarative manner.
 It is a frontend for the kernel netlink protocol using
 [pyroute2](https://pyroute2.org/) and aims to be as powerful as the
 iproute2/bridge/ethtool/tc/wireguard commands.

{ifstate-1.9.0.dist-info → ifstate-1.10.1.dist-info}/RECORD

@@ -1,34 +1,35 @@
 ifstate/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ifstate/ifstate.py,sha256=fdjiCLB9Pnq-Vo_rs1Yr_x6AKx_hMUB9qnFYgCHs29A,7533
 ifstate/shell.py,sha256=7_JFpi4icr9MijynDzbb0v5mxhFsng6PCC4m3uQ255A,2177
-libifstate/__init__.py,sha256=JfwwqmGxbNqLoDo6f_3tHzAW6FH4ov-tQeg29eatnac,27197
+libifstate/__init__.py,sha256=0hjZszKG1LYfGyIiuYFCqOVDADQ2JzasFZpsh-ashOk,29024
 libifstate/exception.py,sha256=-4WgzgXHXdzLdAkaj1sJw_PVQDefzyoyH3EMXpdUN70,2407
 libifstate/log.py,sha256=gSh_tznrggRPp6vk3EorA2VH4XYrzEGkcTZhsdA_qP4,3860
-libifstate/util.py,sha256=kC17XNPrkvcKVGKIw8W1av_r2pzivwk9Y-VReNhaUaw,7285
+libifstate/util.py,sha256=6YQLCLvK5lV1dmP8rDgesBeze5DM3qC2egJ2Gw0KZVI,9190
 libifstate/address/__init__.py,sha256=usa9VqX-xOmwek9mkAuSYjx9aXnuZa1-qhCmoQdEKME,2716
 libifstate/bpf/__init__.py,sha256=NVzaunTmJU2PbIQg9eWBMKpFgLh3EnD3ujNa7Yt6rNc,7699
 libifstate/bpf/ctypes.py,sha256=kLZJHZlba09Vc-tbsJAcKpDwdoNO2IjlYVLCopawHmA,4274
 libifstate/bpf/map.py,sha256=cLHNMvRBDNW2yVCEf3z242_oRdU0HqVbFEYVkKXng0w,10818
 libifstate/brport/__init__.py,sha256=NzdA8F4hr2se1bXKNnyKZbvOFlCWBq_cdjwsL1H0Y-o,2964
+libifstate/fdb/__init__.py,sha256=jMplRZZQKkgwFQT2L7Ua4YCdLKwOzkd43_6OFtet2No,6262
 libifstate/link/__init__.py,sha256=QZggoC-bIscqwVedqVycaSqS1CmXB3Bx3m2FZei8Q_4,115
-libifstate/link/base.py,sha256=yszpeU7qZPCA0SxHk9h9jgEJQD33jWhSM481re-9Gs4,26758
+libifstate/link/base.py,sha256=tWGUFuF1gP9TVEVTiQiu8w8TuoDnK6cMVx6JPT_gwpQ,30897
 libifstate/link/physical.py,sha256=cJiq-MCfy-3XQoU-OxzgfPZZtu_pJ8u2ioJgn9VYdGk,560
 libifstate/link/tun.py,sha256=m55o5cwO3h3DCLofUR-68fM4ggLoTKElp6ZJ2LrJSCc,959
 libifstate/link/veth.py,sha256=SsEKt6S4FDnhmzMtgTiQpOWA2Qd76h0Tp8WTEryWczU,635
 libifstate/neighbour/__init__.py,sha256=FJJpbJvqnxvOEii6QDMYzW5jQDEbiEy71GQOEbqaS48,2463
-libifstate/netns/__init__.py,sha256=_fb8W2vUeVatw-LW26cQKC1NzgVS4rdudSWsPSwIRoE,7100
+libifstate/netns/__init__.py,sha256=VXr-kMXs-WF3yY-EPWQfHvWfAcFQpWW2zUOVpUnPx3w,7747
 libifstate/parser/__init__.py,sha256=byz1W0G7UewVc5FFie-ti3UZjGK3-75wHIaOeq0oySQ,88
-libifstate/parser/base.py,sha256=HrVZ9Sb0ISO65TcKvsOZB6qbUvJIS8kmslzFJM4VEcg,3724
+libifstate/parser/base.py,sha256=4Y_kaUysbgQRM9u_Kg3Lr_5GWFGdTXDmP4EC3McsNzU,4628
 libifstate/parser/yaml.py,sha256=u9D9nPfVhYADTd01EYxFYIywnTBccNF1solOcGeLUjM,1345
 libifstate/routing/__init__.py,sha256=jM9aZwKnuH6d0bv40Wn2cfuamB_A20Wr0czCszZE-Ak,16831
-libifstate/sysctl/__init__.py,sha256=Zt2fZSKVMA43hpVTflc0F6GalcCgaHslKS0ztbpLaKs,2608
+libifstate/sysctl/__init__.py,sha256=L2gkoLnac_HM6RbCaKmsEuDTNj2m7U4Rjw42TEti0kg,3074
 libifstate/tc/__init__.py,sha256=spdRXCxhHybweNHURDRoHlPfpodXx62DLoTbKu_EtCE,11211
 libifstate/wireguard/__init__.py,sha256=1zY82eD-Uxly0Fat1tP5DXyI_XfXF3dX5BTxSwxxjCo,5173
 libifstate/xdp/__init__.py,sha256=X1xhEIGng7R5d5F4KsChykT2g6H-XBRWbWABijoYDQA,7208
-schema/ifstate.conf.schema.json,sha256=ZSzsMEgPovRfX25bNukgte3f3BdUxh_1idn6X4D0lkg,188621
-ifstate-1.9.0.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-ifstate-1.9.0.dist-info/METADATA,sha256=i6_ev704zNwVE4gjWgageGsBISrrYJqh6B79MR8qigs,1387
-ifstate-1.9.0.dist-info/WHEEL,sha256=yQN5g4mg4AybRjkgi-9yy4iQEFibGQmlz78Pik5Or-A,92
-ifstate-1.9.0.dist-info/entry_points.txt,sha256=HF6jX7Uu_nF1Ly-J9uEPeiRapOxnM6LuHsb2y6Mt-k4,52
-ifstate-1.9.0.dist-info/top_level.txt,sha256=A7peI7aKBaM69fsiSPvMbL3rzTKZZr5qDxKC-pHMGdE,19
-ifstate-1.9.0.dist-info/RECORD,,
+schema/ifstate.conf.schema.json,sha256=Tk8ywUx60V2sAfuYIH8-WUB152-iWA3qLy1Gmwm3Kws,196424
+ifstate-1.10.1.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+ifstate-1.10.1.dist-info/METADATA,sha256=WLVtBd9-Ifr1LoNoqkrfEjOkoP1Jg2e6OqnKkvYB4y4,1385
+ifstate-1.10.1.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
+ifstate-1.10.1.dist-info/entry_points.txt,sha256=HF6jX7Uu_nF1Ly-J9uEPeiRapOxnM6LuHsb2y6Mt-k4,52
+ifstate-1.10.1.dist-info/top_level.txt,sha256=A7peI7aKBaM69fsiSPvMbL3rzTKZZr5qDxKC-pHMGdE,19
+ifstate-1.10.1.dist-info/RECORD,,

{ifstate-1.9.0.dist-info → ifstate-1.10.1.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.41.2)
+Generator: bdist_wheel (0.41.3)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

libifstate/__init__.py

@@ -1,11 +1,14 @@
 from libifstate.exception import LinkDuplicate
 from libifstate.link.base import ethtool_path, Link
 from libifstate.address import Addresses
+from libifstate.fdb import FDB
 from libifstate.neighbour import Neighbours
 from libifstate.routing import Tables, Rules, RTLookups
 from libifstate.parser import Parser
 from libifstate.tc import TC
 from libifstate.exception import netlinkerror_classes
+import bisect
+import pyroute2
 
 from pyroute2.netlink.rtnl.ifaddrmsg import IFA_F_PERMANENT
 try:
@@ -39,11 +42,12 @@ from copy import deepcopy
 import os
 import pkgutil
 import re
+import secrets
 import json
 import errno
 import logging
 
-__version__ = "1.9.0"
+__version__ = "1.10.1"
 
 
 class IfState():
@@ -119,8 +123,13 @@ class IfState():
         self._update(self.root_netns, ifstates)
         if 'namespaces' in ifstates:
             self.namespaces = {}
+            self.new_namespaces = []
             for netns_name, netns_ifstates in ifstates['namespaces'].items():
+                is_new = netns_name not in pyroute2.netns.listnetns()
                 self.namespaces[netns_name] = NetNameSpace(netns_name)
+                if is_new:
+                    self.new_namespaces.append(netns_name)
+                    self.link_registry.inventory_netns(self.namespaces[netns_name])
                 self._update(self.namespaces[netns_name], netns_ifstates)
 
     def _update(self, netns, ifstates):
@@ -128,10 +137,13 @@ class IfState():
         if 'options' in ifstates:
             # parse global sysctl settings
             if 'sysctl' in ifstates['options']:
-                for iface in ['all', 'default']:
-                    if iface in ifstates['options']['sysctl']:
+                for proto in  ifstates['options']['sysctl'].keys():
+                    if proto in ['all', 'default']:
                         netns.sysctl.add(
-                            iface, ifstates['options']['sysctl'][iface])
+                            proto, ifstates['options']['sysctl'][proto])
+                    else:
+                        netns.sysctl.add_global(
+                            proto, ifstates['options']['sysctl'][proto])
 
         # load BPF programs
         if 'bpf' in ifstates:
@@ -168,6 +180,11 @@ class IfState():
             elif defaults.get('clear_addresses', False):
                 netns.addresses[name] = Addresses(netns, name, [])
 
+            if 'fdb' in ifstate:
+                netns.fdb[name] = FDB(netns, name, ifstate['fdb'])
+            elif defaults.get('clear_fdb', False):
+                netns.fdb[name] = FDB(netns, name, [])
+
             if 'neighbours' in ifstate:
                 netns.neighbours[name] = Neighbours(netns, name, ifstate['neighbours'])
             elif defaults.get('clear_neighbours', False):
@@ -363,7 +380,7 @@ class IfState():
                         raise LinkCircularLinked()
 
                 # can be done right away
-                r.append(t)
+                r.append( sorted(t) )
                 # and cleaned up
                 d=dict(((k, v-t) for k, v in d.items() if v))
             return r
@@ -404,7 +421,7 @@ class IfState():
 
         # create and destroy namespaces to match config
         if not by_vrrp and self.namespaces is not None:
-            prepare_netns(do_apply, self.namespaces.keys())
+            prepare_netns(do_apply, self.namespaces.keys(), self.new_namespaces)
             logger.info("")
 
         # get link dependency tree
@@ -459,7 +476,7 @@ class IfState():
         # create/modify links in order of dependencies
         logger.info("configure interfaces...")
         for stage in stages:
-            for link_dep in sorted(stage):
+            for link_dep in stage:
                 logger.info(" {}".format(link_dep))
                 if link_dep.netns is None:
                     self._apply_iface(do_apply, self.root_netns, link_dep.ifname, by_vrrp, vrrp_type, vrrp_name, vrrp_state)
@@ -490,6 +507,13 @@ class IfState():
                     logger.info("configure sysctl settings...")
                     had_sysctl = True
                 netns.sysctl.apply(iface, do_apply)
+
+        if netns.sysctl.has_globals():
+            if not had_sysctl:
+                logger.info("configure sysctl settings...")
+                had_sysctl = True
+            netns.sysctl.apply_globals(do_apply)
+
         return had_sysctl
 
     def _apply_iface(self, do_apply, netns, ifname, by_vrrp, vrrp_type, vrrp_name, vrrp_state):
@@ -534,6 +558,9 @@ class IfState():
             netns.addresses[ifname].apply(self.ipaddr_ignore, self.ignore.get(
                 'ipaddr_dynamic', True), do_apply)
 
+        if ifname in netns.fdb:
+            netns.fdb[ifname].apply(do_apply)
+
         if ifname in netns.neighbours:
             netns.neighbours[ifname].apply(do_apply)
 
@@ -645,12 +672,23 @@ class IfState():
                             ifs_link['link'][attr] = ref
 
                 mtu = ipr_link.get_attr('IFLA_MTU')
-                if not mtu is None and not mtu in [1500, 65536]:
-                    ifs_link['link']['mtu'] = mtu
+                if not mtu is None:
+                    if not mtu in [1500, 65536] or name == 'lo':
+                        ifs_link['link']['mtu'] = mtu
 
                 brport.BRPort.show(netns.ipr, showall, ipr_link['index'], ifs_link)
 
-                ifs_links.append(ifs_link)
+                if name == 'lo':
+                    if ifs_link['addresses'] == Parser._default_lo_link['addresses']:
+                        del(ifs_link['addresses'])
+
+                    if ifs_link['link'] == Parser._default_lo_link['link']:
+                        del(ifs_link['link'])
+
+                    if len(ifs_link) > 1:
+                        ifs_links.append(ifs_link)
+                else:
+                    ifs_links.append(ifs_link)
 
         routing = {
             'routes': Tables(netns).show_routes(Parser._default_ifstates['ignore']['routes_builtin']),
@@ -659,7 +697,6 @@ class IfState():
 
         return {**{'interfaces': ifs_links, 'routing': routing}}
 
-
     def get_defaults(self, **kwargs):
         for default in self.defaults:
             for match in default['match']:
@@ -675,3 +712,13 @@ class IfState():
                     return default
 
         return {}
+
+    def gen_unique_ifname(self):
+        '''
+        Get a random unique ifname over all namespaces and configured ifnames.
+        '''
+        while True:
+            ifname = "ifs.tmp.{}".format(secrets.token_hex(3))
+            item = self.link_registry.get_link(ifname=ifname)
+            if item is None:
+                return ifname

libifstate/fdb/__init__.py

@@ -0,0 +1,174 @@
+from libifstate.util import logger, IfStateLogging
+from libifstate.exception import netlinkerror_classes
+from ipaddress import ip_address
+from pyroute2.netlink.rtnl.ndmsg import NUD_NOARP, NUD_PERMANENT, NTF_SELF
+from pyroute2.config import AF_BRIDGE
+import pyroute2.netlink.rtnl.ndmsg
+
+class FDB():
+    def __init__(self, netns, iface, fdb):
+        self.netns = netns
+        self.iface = iface
+        self.fdb = {}
+        self.state_mask = NUD_NOARP|NUD_PERMANENT
+
+        for entry in fdb:
+            lladdr = entry['lladdr'].lower()
+            _entry = {
+                'lladdr': lladdr,
+            }
+
+            if 'port' not in entry:
+                _entry['port'] = 8472
+            else:
+                _entry['port'] = entry['port']
+
+            if 'dst' in entry:
+                _entry['dst'] = str(ip_address(entry['dst']))
+
+            if 'state' in entry:
+                _entry['state'] = 0
+                for name, value in pyroute2.netlink.rtnl.ndmsg.states.items():
+                    if name in entry['state']:
+                        _entry['state'] |= value
+
+            if 'flags' in entry:
+                _entry['flags'] = 0
+                for name, value in pyroute2.netlink.rtnl.ndmsg.flags.items():
+                    if name in entry['flags']:
+                        _entry['flags'] |= value
+            else:
+                _entry['flags'] = NTF_SELF
+
+            for opt in ['nhid', 'src_vni', 'vni']:
+                if opt in entry:
+                    _entry[opt] = entry[opt]
+
+            if not lladdr in self.fdb:
+                self.fdb[lladdr] = [_entry]
+            else:
+                self.fdb[lladdr].append(_entry)
+
+    def get_kernel_fdb(self):
+        # get fdb entries (NUD_NOARP|NUD_PERMANENT)
+        fdb = {}
+        for entry in self.netns.ipr.get_neighbours(ifindex=self.idx, family=AF_BRIDGE):
+            state = entry.get('state')
+
+            # look for permanent (local) or noarp (static) entries, only
+            if not state & self.state_mask:
+                continue
+
+            lladdr = entry.get_attr('NDA_LLADDR')
+            _entry = {
+                'lladdr': lladdr,
+                'state': state,
+                'flags': entry.get('flags')
+            }
+
+            attr = entry.get_attr('NDA_DST')
+            if attr is not None:
+                _entry['dst'] = str(ip_address(attr))
+
+            attr = entry.get_attr('NDA_PORT')
+            if attr is None or attr == 0:
+                _entry['port'] = 8472
+            else:
+                _entry['port'] = attr
+
+            for opt in ['nhid', 'src_vni', 'vni']:
+                attr = entry.get_attr(f"NDA_{opt.upper()}")
+                if attr is not None:
+                    _entry[opt] = attr
+
+            if not lladdr in fdb:
+                fdb[lladdr] = [_entry]
+            else:
+                fdb[lladdr].append(_entry)
+
+        return fdb
+
+    def apply(self, do_apply):
+        logger.debug('getting fdb', extra={'iface': self.iface})
+
+        # get ifindex and lladdr
+        link = next(iter(self.netns.ipr.get_links(ifname=self.iface)), None)
+
+        if link == None:
+            logger.warning('link missing', extra={'iface': self.iface})
+            return
+
+        self.idx = link['index']
+        self.lladdr = link.get_attr('IFLA_ADDRESS')
+
+        # prepare default state for entries w/o state specified (depends on link type)
+        default_state = NUD_PERMANENT
+
+        linkinfo = link.get_attr('IFLA_LINKINFO')
+        if linkinfo and linkinfo.get_attr('IFLA_INFO_KIND') in ['vxlan']:
+            default_state |= NUD_NOARP
+
+        # configure fdb entries
+        ipr_entries = self.get_kernel_fdb()
+        for lladdr, entries in self.fdb.items():
+            for entry in entries:
+                # set default_state if missing
+                if not 'state' in entry:
+                    entry['state'] = default_state
+
+                # check if fdb entry is already present
+                if lladdr in ipr_entries:
+                    if entry in ipr_entries[lladdr]:
+                        logger.log_ok('fdb', '= {}'.format(lladdr))
+                        continue
+
+                # fdb entry needs to be added
+                logger.log_add('fdb', '+ {}'.format(lladdr))
+
+                # prepare arguments
+                args = {
+                    'ifindex': self.idx,
+                    'family': AF_BRIDGE
+                }
+                args.update(entry)
+                logger.debug("bridge fdb append: {}".format(
+                    " ".join("{}={}".format(k, v) for k, v in args.items())))
+
+                if do_apply:
+                    try:
+                        self.netns.ipr.fdb("append", **args)
+                    except Exception as err:
+                        if not isinstance(err, netlinkerror_classes):
+                            raise
+                        logger.warning('add {} to fdb failed: {}'.format(
+                            entry['lladdr'], err.args[1]))
+
+        # cleanup orphan fdb entries
+        ipr_entries = self.get_kernel_fdb()
+        for lladdr, entries in ipr_entries.items():
+            # ignore lladdr of the link
+            if lladdr == self.lladdr:
+                continue
+
+            for entry in entries:
+                # check if fdb entry is already present
+                if lladdr not in self.fdb or entry not in self.fdb[lladdr]:
+                    logger.log_del('fdb', '- {}'.format(lladdr))
+
+                    # prepare arguments
+                    args = {
+                        'ifindex': self.idx,
+                        'family': AF_BRIDGE
+                    }
+                    args.update(entry)
+                    logger.debug("bridge fdb del: {}".format(
+                        " ".join("{}={}".format(k, v) for k, v in args.items())))
+
+                    if do_apply:
+                        try:
+                            self.netns.ipr.fdb("del", **args)
+                        except Exception as err:
+                            if not isinstance(err, netlinkerror_classes):
+                                raise
+                            logger.warning('remove {} from fdb failed: {}'.format(
+                                entry['lladdr'], err.args[1]))

libifstate/link/base.py

@@ -80,6 +80,21 @@ class Link(ABC):
     attr_value_lookup = {
         'group': RTLookups.group,
     }
+    attr_bind_kinds = [
+        'ip6tnl',
+        'tun',
+        'vti',
+        'vti6',
+        'vxlan',
+        'ipip',
+        'gre',
+        'gretap',
+        'ip6gre',
+        'ip6gretap',
+        'geneve',
+        'wireguard',
+        'xfrm',
+    ]
 
     def __new__(cls, *args, **kwargs):
         cname = cls.__name__
@@ -170,6 +185,20 @@ class Link(ABC):
                                    extra={'iface': self.settings['ifname'], 'netns': self.netns})
                     del(self.settings[attr])
 
+        if self.settings['kind'] in self.attr_bind_kinds:
+            if not 'bind_netns' in self.settings:
+                logger.debug('set bind_netns to current netns',
+                             extra={'iface': self.settings['ifname'], 'netns': self.netns})
+                self.bind_netns = self.netns.netns
+            else:
+                self.bind_netns = self.settings['bind_netns']
+        elif 'bind_netns' in self.settings:
+            logger.warning('Ignoring not supported link attribute "bind_netns" for %s link.',
+                           self.settings['kind'],
+                           extra={'iface': self.settings['ifname'], 'netns': self.netns})
+        if 'bind_netns' in self.settings:
+            del(self.settings['bind_netns'])
+
     def search_link_registry(self):
         for args in self.link_registry_search_args:
             item = self.ifstate.link_registry.get_link(**args)
@@ -317,9 +346,61 @@ class Link(ABC):
             try:
                 with open(fn, 'w') as fh:
                     yaml.dump(self.ethtool[setting], fh)
-            except Exception as err:
+            except IOError as err:
                 logger.warning('failed write `{}`: {}'.format(fn, err.args[1]))
 
+    def get_bind_fn(self, netns_name, idx):
+        if netns_name is None:
+            dirname = "/run/ifstate/bind"
+        else:
+            dirname = "/run/ifstate/netns/{}/bind".format(netns_name)
+
+        try:
+            os.makedirs(dirname, exist_ok=True)
+        except:
+            pass
+
+        return "{}/{}.mount".format(dirname, idx)
+
+    def set_bind_state(self, state):
+        fn = self.get_bind_fn(self.netns.netns, self.idx)
+        try:
+            with open(fn, 'wb') as fh:
+                fh.write(state)
+        except IOError as err:
+            logger.warning('failed write `{}`: {}'.format(fn, err.args[1]))
+
+    def get_bind_netns(self):
+        if not hasattr(self, 'bind_netns'):
+            return None
+
+        if self.bind_netns is None:
+            return self.ifstate.root_netns
+
+        return self.ifstate.namespaces.get(self.bind_netns)
+
+    def bind_needs_recreate(self, item):
+        if not item.attributes['kind'] in self.attr_bind_kinds:
+            return False
+
+        bind_netns = self.get_bind_netns()
+        if bind_netns is None:
+            logger.warning('bind_netns "%s" is unknown',
+                        self.bind_netns,
+                        extra={
+                            'iface': self.settings['ifname'],
+                            'netns': self.netns})
+            return False
+
+        fn = self.get_bind_fn(item.netns.netns, item.index)
+        try:
+            with open(fn, 'rb') as fh:
+                state = fh.read()
+        except IOError:
+            return True
+
+        return state != bind_netns.mount
+
     def has_vrrp(self):
         return not self.vrrp is None
 
@@ -366,6 +447,14 @@ class Link(ABC):
         # get interface from registry
         item = self.search_link_registry()
 
+        # check if bind_netns option requires a recreate
+        if item is not None and self.bind_needs_recreate(item):
+            self.idx = item.index
+            self.recreate(do_apply, sysctl, excpts)
+
+            self.settings = osettings
+            return excpts
+
         # move interface into netns if required
         if item is not None and item.netns.netns != self.netns.netns:
             logger.log_change('netns')
@@ -382,7 +471,7 @@ class Link(ABC):
                     return excpts
 
         if item is not None:
-            self.idx = item.attributes['index']
+            self.idx = item.index
 
         if self.idx is not None:
             self.iface = next(iter(item.netns.ipr.get_links(self.idx)), None)
@@ -421,24 +510,50 @@ class Link(ABC):
         return excpts
 
     def create(self, do_apply, sysctl, excpts, oper="add"):
-        logger.log_add('link')
+        logger.log_add('link', oper)
+
+        settings = copy.deepcopy(self.settings)
+        bind_netns = self.get_bind_netns()
+        if bind_netns is not None and bind_netns.netns != self.netns.netns:
+            logger.debug("handle link binding", extra={
+                'iface': self.settings['ifname'],
+                'netns': self.netns})
+            settings['ifname'] = self.ifstate.gen_unique_ifname()
 
         logger.debug("ip link add: {}".format(
-            " ".join("{}={}".format(k, v) for k, v in self.settings.items())))
+            " ".join("{}={}".format(k, v) for k, v in settings.items())))
         if do_apply:
             try:
                 # set state later
-                state = self.settings.pop('state', None)
+                state = settings.pop('state', None)
 
                 # prevent altname conflict
                 self.prevent_altname_conflict()
 
                 # add link
-                self.netns.ipr.link('add', **(self.settings))
+                if bind_netns is None or bind_netns.netns == self.netns.netns:
+                    self.netns.ipr.link('add', **(settings))
+                    link = next(iter(self.netns.ipr.get_links(
+                                ifname=settings['ifname'])), None)
+                    if link is not None:
+                        item = self.ifstate.link_registry.add_link(self.netns, link)
+                # add and move link
+                else:
+                    bind_netns.ipr.link('add', **(settings))
+                    link = next(iter(bind_netns.ipr.get_links(
+                                ifname=settings['ifname'])), None)
+                    if link is not None:
+                        item = self.ifstate.link_registry.add_link(bind_netns, link)
+                        item.update_netns(self.netns)
+                        item.update_ifname(self.settings['ifname'])
+
                 self.idx = next(iter(self.netns.ipr.link_lookup(
                     ifname=self.settings['ifname'])), None)
 
                 if self.idx is not None:
+                    if bind_netns is not None:
+                        self.set_bind_state(bind_netns.mount)
+
                     # set sysctl settings if required
                     sysctl.apply(self.settings['ifname'], do_apply)
 
@@ -466,7 +581,7 @@ class Link(ABC):
                 self.settings['ifname'], self.ethtool.keys(), do_apply)
 
     def recreate(self, do_apply, sysctl, excpts):
-        logger.debug('has wrong link kind %s, removing', self.settings['kind'], extra={
+        logger.debug('needs to be recreated', extra={
                      'iface': self.settings['ifname'], 'netns': self.netns})
         if do_apply:
             try: