From f35897b560d9a0b53686826157fcb92750f67914 Mon Sep 17 00:00:00 2001 From: Chris Plock Date: Wed, 17 Jan 2018 15:15:31 -0800 Subject: [PATCH 1/5] initial attempt to add to/from tenant for rules --- contivmodel/Makefile | 2 +- contivmodel/client/contivModel.js | 12 ++++++---- contivmodel/client/contivModelClient.go | 6 +++-- contivmodel/client/contivModelClient.py | 2 ++ contivmodel/contivModel.go | 24 +++++++++++++++++-- contivmodel/rule.json | 18 ++++++++++++-- netctl/commands.go | 8 +++++++ netctl/netctl.go | 32 ++++++++++++++++++++----- netmaster/mastercfg/policyState.go | 30 +++++++++++++++++++---- 9 files changed, 112 insertions(+), 22 deletions(-) diff --git a/contivmodel/Makefile b/contivmodel/Makefile index 2ced11288..5764fa02b 100644 --- a/contivmodel/Makefile +++ b/contivmodel/Makefile @@ -10,7 +10,7 @@ godep: godep save ./... modelgen: - @if [ -z "`which modelgen`" ]; then go get -v github.com/contiv/modelgen; fi + @go get -u -v github.com/contiv/modelgen # systemtest runs all of the systemtests systemtests: diff --git a/contivmodel/client/contivModel.js b/contivmodel/client/contivModel.js index dbcf10a46..ab82f1f9b 100644 --- a/contivmodel/client/contivModel.js +++ b/contivmodel/client/contivModel.js @@ -642,7 +642,7 @@ var RuleSummaryView = React.createClass({ }> - + ); @@ -654,7 +654,7 @@ var RuleSummaryView = React.createClass({ - + @@ -680,10 +680,12 @@ var RuleModalView = React.createClass({ - + + + @@ -698,10 +700,12 @@ var RuleModalView = React.createClass({ - + + +
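Review bot: The `modelgen` target now runs `go get -u -v github.com/contiv/modelgen` unconditionally, so every build fetches whatever the upstream default branch holds at that moment and uses it as the code generator. That makes the generated model files non-reproducible and puts an unpinned, unreviewed tool into the build path. Keeping the previous `which modelgen` guard, or building modelgen from a fixed revision, would keep the generator under the same control as the pinned dependencies. If the update is kept, a comment such as `# NOTE: modelgen is fetched unpinned; pin a revision for release builds` should record the risk.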
diff --git a/contivmodel/client/contivModelClient.go b/contivmodel/client/contivModelClient.go index 8435fab54..7c40dd891 100644 --- a/contivmodel/client/contivModelClient.go +++ b/contivmodel/client/contivModelClient.go @@ -703,8 +703,9 @@ type Rule struct { Action string `json:"action,omitempty"` // Action Direction string `json:"direction,omitempty"` // Direction FromEndpointGroup string `json:"fromEndpointGroup,omitempty"` // From Endpoint Group - FromIpAddress string `json:"fromIpAddress,omitempty"` // IP Address + FromIpAddress string `json:"fromIpAddress,omitempty"` // From IP Address FromNetwork string `json:"fromNetwork,omitempty"` // From Network + FromTenantName string `json:"fromTenantName,omitempty"` // From Tenant Name PolicyName string `json:"policyName,omitempty"` // Policy Name Port int `json:"port,omitempty"` // Port No Priority int `json:"priority,omitempty"` // Priority @@ -712,8 +713,9 @@ type Rule struct { RuleID string `json:"ruleId,omitempty"` // Rule Id TenantName string `json:"tenantName,omitempty"` // Tenant Name ToEndpointGroup string `json:"toEndpointGroup,omitempty"` // To Endpoint Group - ToIpAddress string `json:"toIpAddress,omitempty"` // IP Address + ToIpAddress string `json:"toIpAddress,omitempty"` // To IP Address ToNetwork string `json:"toNetwork,omitempty"` // To Network + ToTenantName string `json:"toTenantName,omitempty"` // To Tenant Name // add link-sets and links LinkSets RuleLinkSets `json:"link-sets,omitempty"` diff --git a/contivmodel/client/contivModelClient.py b/contivmodel/client/contivModelClient.py index cffa027cf..88e84715b 100644 --- a/contivmodel/client/contivModelClient.py +++ b/contivmodel/client/contivModelClient.py @@ -512,6 +512,7 @@ def createRule(self, obj): "fromEndpointGroup": obj.fromEndpointGroup, "fromIpAddress": obj.fromIpAddress, "fromNetwork": obj.fromNetwork, + "fromTenantName": obj.fromTenantName, "policyName": obj.policyName, "port": obj.port, "priority": obj.priority, 
@@ -521,6 +522,7 @@ def createRule(self, obj): "toEndpointGroup": obj.toEndpointGroup, "toIpAddress": obj.toIpAddress, "toNetwork": obj.toNetwork, + "toTenantName": obj.toTenantName, }) # Post the data diff --git a/contivmodel/contivModel.go b/contivmodel/contivModel.go index 99e2dbd84..a57be5385 100644 --- a/contivmodel/contivModel.go +++ b/contivmodel/contivModel.go @@ -342,8 +342,9 @@ type Rule struct { Action string `json:"action,omitempty"` // Action Direction string `json:"direction,omitempty"` // Direction FromEndpointGroup string `json:"fromEndpointGroup,omitempty"` // From Endpoint Group - FromIpAddress string `json:"fromIpAddress,omitempty"` // IP Address + FromIpAddress string `json:"fromIpAddress,omitempty"` // From IP Address FromNetwork string `json:"fromNetwork,omitempty"` // From Network + FromTenantName string `json:"fromTenantName,omitempty"` // From Tenant Name PolicyName string `json:"policyName,omitempty"` // Policy Name Port int `json:"port,omitempty"` // Port No Priority int `json:"priority,omitempty"` // Priority @@ -351,8 +352,9 @@ type Rule struct { RuleID string `json:"ruleId,omitempty"` // Rule Id TenantName string `json:"tenantName,omitempty"` // Tenant Name ToEndpointGroup string `json:"toEndpointGroup,omitempty"` // To Endpoint Group - ToIpAddress string `json:"toIpAddress,omitempty"` // IP Address + ToIpAddress string `json:"toIpAddress,omitempty"` // To IP Address ToNetwork string `json:"toNetwork,omitempty"` // To Network + ToTenantName string `json:"toTenantName,omitempty"` // To Tenant Name // add link-sets and links LinkSets RuleLinkSets `json:"link-sets,omitempty"` 
@@ -4497,6 +4499,15 @@ func ValidateRule(obj *Rule) error { return errors.New("fromNetwork string invalid format") } + if len(obj.FromTenantName) > 64 { + return errors.New("fromTenantName string too long") + } + + fromTenantNameMatch := regexp.MustCompile("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$") + if fromTenantNameMatch.MatchString(obj.FromTenantName) == false { + return errors.New("fromTenantName string invalid format") + } + if len(obj.PolicyName) > 64 { return errors.New("policyName string too long") } @@ -4568,6 +4579,15 @@ func ValidateRule(obj *Rule) error { return errors.New("toNetwork string invalid format") } + if len(obj.ToTenantName) > 64 { + return errors.New("toTenantName string too long") + } + + toTenantNameMatch := regexp.MustCompile("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$") + if toTenantNameMatch.MatchString(obj.ToTenantName) == false { + return errors.New("toTenantName string invalid format") + } + return nil } diff --git a/contivmodel/rule.json b/contivmodel/rule.json index fe247ebbb..202f361b2 100644 --- a/contivmodel/rule.json +++ b/contivmodel/rule.json 
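Review bot: The `fromTenantNameMatch` pattern in ValidateRule has no empty alternative, so a rule that leaves `FromTenantName` unset fails with "fromTenantName string invalid format"; the `toTenantNameMatch` hunk that follows has the same problem. Both fields are `omitempty`, and netctl's addRule rejects `to-tenant` on incoming rules and `from-tenant` on outgoing ones, so one of the two is always empty and every rule would appear to be rejected. The `fromIpAddress` format in rule.json shows the existing convention of wrapping the whole body in `(...)?$`; applying that wrapper to the two new `format` entries in rule.json would fix it at the source, assuming contivModel.go is regenerated from that file. Separately, `regexp.MustCompile` runs on every call; a package-level compiled pattern would avoid recompiling per validation. ValidateRule begins and ends outside these hunks.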
@@ -79,18 +79,32 @@ }, "fromIpAddress": { "type": "string", - "title": "IP Address", + "title": "From IP Address", "description": "Match from IP address. Valid only in incoming direction", "format": "^(((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3})(\\\\-(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9]))?(/(3[0-1]|2[0-9]|1[0-9]|[1-9]))?)?$", "showSummary": true }, "toIpAddress": { "type": "string", - "title": "IP Address", + "title": "To IP Address", "description": "Match to IP address. Valid only in outgoing direction", "format": "^(((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\\\\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3})(\\\\-(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9]))?(/(3[0-1]|2[0-9]|1[0-9]|[1-9]))?)?$", "showSummary": true }, + "fromTenantName": { + "type": "string", + "title": "From Tenant Name", + "length": 64, + "format": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])$", + "showSummary": true + }, + "toTenantName": { + "type": "string", + "title": "To Tenant Name", + "length": 64, + "format": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])$", + "showSummary": true + }, "protocol": { "type": "string", "format": "^(tcp|udp|icmp||[0-9]{1,3}?)$", diff --git a/netctl/commands.go b/netctl/commands.go index 7ad290910..005651b33 100755 --- a/netctl/commands.go +++ b/netctl/commands.go 
@@ -346,10 +346,18 @@ var Commands = []cli.Command{ Name: "from-group, g", Usage: "From Endpoint Group Name (Valid in incoming direction only)", }, + cli.StringFlag{ + Name: "from-tenant", + Usage: "From Tenant Name (Valid in incoming direction only)", + }, cli.StringFlag{ Name: "to-group, e", Usage: "To Endpoint Group Name (Valid in outgoing direction only)", }, + cli.StringFlag{ + Name: "to-tenant", + Usage: "To Tenant Name (Valid in outgoing direction only)", + }, cli.StringFlag{ Name: "from-network, n", Usage: "From Network name (Valid in incoming direction only)", diff --git a/netctl/netctl.go b/netctl/netctl.go index 92523417c..0b5c6e587 100755 --- a/netctl/netctl.go +++ b/netctl/netctl.go @@ -219,6 +219,8 @@ func addRule(ctx *cli.Context) { errExit(ctx, exitHelp, "Policy name and Rule ID required", true) } + toTenant := ctx.String("to-tenant") + fromTenant := ctx.String("from-tenant") dir := ctx.String("direction") if dir == "in" { if ctx.String("to-group") != "" { @@ -227,10 +229,18 @@ func addRule(ctx *cli.Context) { if ctx.String("to-network") != "" { errExit(ctx, exitHelp, "Cant specify to-network for incoming rule", false) } + if toTenant != "" { + errExit(ctx, exitHelp, "Cant specify to-tenant for incoming rule", false) + } - // If from EPG is specified, make sure from network is specified too - if ctx.String("from-group") != "" && ctx.String("from-network") != "" { - errExit(ctx, exitHelp, "Can't specify both from-group argument and -from-network ", false) + // If from EPG is specified, make sure from network is not specified too + if ctx.String("from-group") != "" { + if ctx.String("from-network") != "" { + errExit(ctx, exitHelp, "Can't specify both from-group argument and -from-network ", false) + } + if fromTenant == "" { + fromTenant = ctx.String("tenant") + } } } else if dir == "out" { if ctx.String("from-group") != "" { 
@@ -242,10 +252,18 @@ func addRule(ctx *cli.Context) { if ctx.String("from-ip-address") != "" { errExit(ctx, exitHelp, "Cant specify from-ip-address for outgoing rule", false) } + if fromTenant != "" { + errExit(ctx, exitHelp, "Cant specify from-tenant for incoming rule", false) + } - // If to EPG is specified, make sure to network is specified too - if ctx.String("to-group") != "" && ctx.String("to-network") != "" { - errExit(ctx, exitHelp, "Can't specify both -to-group and -to-network", false) + // If to EPG is specified, make sure to network is not specified too + if ctx.String("to-group") != "" { + if ctx.String("to-network") != "" { + errExit(ctx, exitHelp, "Can't specify both -to-group and -to-network", false) + } + if toTenant == "" { + toTenant = ctx.String("tenant") + } } } else { errExit(ctx, exitHelp, "Unknown direction", false) @@ -258,7 +276,9 @@ func addRule(ctx *cli.Context) { Priority: ctx.Int("priority"), Direction: ctx.String("direction"), FromEndpointGroup: ctx.String("from-group"), + FromTenantName: fromTenant, ToEndpointGroup: ctx.String("to-group"), + ToTenantName: toTenant, FromNetwork: ctx.String("from-network"), ToNetwork: ctx.String("to-network"), FromIpAddress: ctx.String("from-ip-address"), diff --git a/netmaster/mastercfg/policyState.go b/netmaster/mastercfg/policyState.go index d16fa5cf9..8d6b6297c 100644 --- a/netmaster/mastercfg/policyState.go +++ b/netmaster/mastercfg/policyState.go @@ -23,7 +23,6 @@ import ( log "github.com/Sirupsen/logrus" - "github.com/contiv/netplugin/contivmodel" "github.com/contiv/netplugin/core" "github.com/contiv/ofnet" ) 
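Review bot: In the `dir == "out"` branch of addRule the new `fromTenant` check reports "Cant specify from-tenant for incoming rule", but this is the outgoing path; the message should be `"Cant specify from-tenant for outgoing rule"`. The default to `ctx.String("tenant")` is applied only when a group flag is set, so `from-tenant` or `to-tenant` given without a group is still sent to the server as-is; a short comment stating whether that combination is meant to be valid would help the next reader. addRule starts and ends outside the hunk.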
@@ -176,18 +175,24 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet ofnetRule.Priority = rule.Priority ofnetRule.Action = rule.Action + // from/to tenant name was added for k8s network policy to be part of + // the group designation, otherwise the regular tenant (the tenant for + // the policy-rule) can be used + // See if user specified an endpoint Group in the rule if rule.FromEndpointGroup != "" { - remoteEpgID, err = GetEndpointGroupID(stateStore, rule.FromEndpointGroup, rule.TenantName) + remoteEpgID, err = GetEndpointGroupID(stateStore, rule.FromEndpointGroup, rule.FromTenantName) if err != nil { log.Errorf("Error finding endpoint group %s/%s/%s. Err: %v", - rule.FromEndpointGroup, rule.FromNetwork, rule.TenantName, err) + rule.FromEndpointGroup, rule.FromNetwork, rule.FromTenantName, err) + return nil, errors.New("the FromEndpointGroup key wasn't found") } } else if rule.ToEndpointGroup != "" { - remoteEpgID, err = GetEndpointGroupID(stateStore, rule.ToEndpointGroup, rule.TenantName) + remoteEpgID, err = GetEndpointGroupID(stateStore, rule.ToEndpointGroup, rule.ToTenantName) if err != nil { log.Errorf("Error finding endpoint group %s/%s/%s. Err: %v", - rule.ToEndpointGroup, rule.ToNetwork, rule.TenantName, err) + rule.ToEndpointGroup, rule.ToNetwork, rule.ToTenantName, err) + return nil, errors.New("the ToEndpointGroup key wasn't found") } } else if rule.FromNetwork != "" { netKey := rule.TenantName + ":" + rule.FromNetwork @@ -211,6 +216,13 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet rule.ToIpAddress = net.Subnet } + if rule.FromTenantName != "" { + remoteTenant := rule.FromTenantName + } + if rule.ToTenantName != "" { + remoteTenant := rule.ToTenantName + } + // Set protocol switch rule.Protocol { case "tcp": 
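Review bot: createOfnetRule now passes `rule.FromTenantName` and `rule.ToTenantName` straight to GetEndpointGroupID with no fallback to `rule.TenantName` when the field is empty, although the added comment says the policy's own tenant can be used in that case. Only netctl's addRule fills in that default, so rules created by other API clients, or stored before this change, would be looked up under an empty tenant and hit the new early `return nil, errors.New(...)`. A guard such as `if fromTenant == "" { fromTenant = rule.TenantName }` before each lookup would match the comment. The lookup also lets a rule owned by one tenant resolve an endpoint group in any other tenant, and nothing visible here checks that the rule's owner may reference that tenant; where tenant isolation is enforced should be confirmed and stated in the comment. The function body extends beyond the hunk.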
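Review bot: `remoteTenant := rule.FromTenantName` and `remoteTenant := rule.ToTenantName` each declare a new variable inside the `if` body that goes out of scope at the closing brace, which Go rejects as declared and not used; the later `ofnetRule.SrcTenant = remoteTenant` and `ofnetRule.DstTenant = remoteTenant` lines in the inRx/inTx/outRx/outTx hunks then have nothing to refer to unless a declaration exists outside the visible lines. Declare it once before the two checks with `var remoteTenant string` and assign with `=`. The inRx hunk also contains `ofnetrule.dsttenant = rule.tenantname`, which should read `ofnetRule.DstTenant = rule.TenantName` like the other three cases. The earlier import hunk removes the contivmodel import while the signature still uses `contivModel.Rule`, so this patch on its own does not look buildable.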
@@ -235,7 +247,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "inRx": // Set src/dest endpoint group ofnetRule.DstEndpointGroup = gp.EndpointGroupID + ofnetrule.dsttenant = rule.tenantname ofnetRule.SrcEndpointGroup = remoteEpgID + ofnetRule.SrcTenant = remoteTenant // Set src/dest IP Address ofnetRule.SrcIpAddr = rule.FromIpAddress @@ -253,7 +267,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "inTx": // Set src/dest endpoint group ofnetRule.SrcEndpointGroup = gp.EndpointGroupID + ofnetRule.SrcTenant = rule.TenantName ofnetRule.DstEndpointGroup = remoteEpgID + ofnetRule.DstTenant = remoteTenant // Set src/dest IP Address ofnetRule.DstIpAddr = rule.FromIpAddress @@ -266,7 +282,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "outRx": // Set src/dest endpoint group ofnetRule.DstEndpointGroup = gp.EndpointGroupID + ofnetRule.DstTenant = rule.TenantName ofnetRule.SrcEndpointGroup = remoteEpgID + ofnetRule.SrcTenant = remoteTenant // Set src/dest IP Address ofnetRule.SrcIpAddr = rule.ToIpAddress @@ -276,7 +294,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "outTx": // Set src/dest endpoint group ofnetRule.SrcEndpointGroup = gp.EndpointGroupID + ofnetRule.SrcTenant = rule.TenantName ofnetRule.DstEndpointGroup = remoteEpgID + ofnetRule.DstTenant = remoteTenant // Set src/dest IP Address ofnetRule.DstIpAddr = rule.ToIpAddress From f99ad5412229762cdcefbae67619ee151ce221ff Mon Sep 17 00:00:00 2001 
From: Chris Plock Date: Wed, 17 Jan 2018 17:42:18 -0800 Subject: [PATCH 2/5] tenant to/from support and new ofnet --- Godeps/Godeps.json | 100 +++++++++--------- {contivmodel => contivModel}/.gitignore | 0 {contivmodel => contivModel}/LICENSE | 0 {contivmodel => contivModel}/Makefile | 0 {contivmodel => contivModel}/README.md | 0 {contivmodel => contivModel}/aciGw.json | 0 {contivmodel => contivModel}/appProfile.json | 0 {contivmodel => contivModel}/bgphost.json | 0 .../client/contivModel.js | 0 .../client/contivModelClient.go | 0 .../client/contivModelClient.py | 0 {contivmodel => contivModel}/contivModel.go | 0 {contivmodel => contivModel}/contivModel.png | Bin {contivmodel => contivModel}/endpoint.json | 0 .../endpointGroup.json | 0 .../extContractsGroup.json | 0 {contivmodel => contivModel}/generate.sh | 0 {contivmodel => contivModel}/global.json | 0 {contivmodel => contivModel}/netProfile.json | 0 {contivmodel => contivModel}/network.json | 0 {contivmodel => contivModel}/policy.json | 0 {contivmodel => contivModel}/rule.json | 0 {contivmodel => contivModel}/scripts/build.sh | 0 {contivmodel => contivModel}/servicelb.json | 0 {contivmodel => contivModel}/spec/Dockerfile | 0 .../spec/Dockerfile.cleanup | 0 {contivmodel => contivModel}/spec/Makefile | 0 .../spec/auth_proxy.raml | 0 .../spec/auth_proxy/libraries/auth_proxy.raml | 0 .../auth_proxy/schemas/collection-item.raml | 0 .../spec/auth_proxy/schemas/collection.raml | 0 .../auth_proxy/schemas/custom-scheme.raml | 0 .../schemas/non-upd-collection-item.raml | 0 .../schemas/ro-collection-item.raml | 0 {contivmodel => contivModel}/spec/build.sh | 0 {contivmodel => contivModel}/spec/cleanup.rb | 0 .../spec/docs/body.html | 0 .../spec/docs/contiv.html | 0 .../spec/docs/head.html | 0 .../spec/generate_raml.rb | 0 .../spec/netmaster.raml | 0 .../spec/netmaster/libraries/netmaster.raml | 0 .../netmaster/schemas/collection-item.raml | 0 .../spec/netmaster/schemas/collection.raml | 0 
.../spec/netmaster/schemas/custom-scheme.raml | 0 .../schemas/non-upd-collection-item.raml | 0 .../netmaster/schemas/ro-collection-item.raml | 0 .../systemtests/client_test.go | 0 .../systemtests/mock_server.go | 0 {contivmodel => contivModel}/tenant.json | 0 {contivmodel => contivModel}/volume.json | 0 .../volumeProfile.json | 0 mgmtfn/dockplugin/netDriver.go | 2 +- netctl/config.go | 2 +- netctl/netctl.go | 2 +- netmaster/k8snetwork/networkpolicy.go | 2 +- netmaster/master/policy.go | 2 +- netmaster/mastercfg/policyState.go | 8 +- netmaster/objApi/apiController.go | 2 +- netmaster/objApi/extContracts.go | 3 +- netmaster/objApi/infraproxy.go | 2 +- vendor/github.com/contiv/ofnet/ofnet.go | 4 +- vendor/github.com/contiv/ofnet/ofnetMaster.go | 2 +- vendor/github.com/contiv/ofnet/ofnetPolicy.go | 74 +++++++------ vendor/github.com/contiv/ofnet/util.go | 4 +- vendor/github.com/contiv/ofnet/vrouter.go | 35 ++++-- 66 files changed, 142 insertions(+), 102 deletions(-) rename {contivmodel => contivModel}/.gitignore (100%) rename {contivmodel => contivModel}/LICENSE (100%) rename {contivmodel => contivModel}/Makefile (100%) rename {contivmodel => contivModel}/README.md (100%) rename {contivmodel => contivModel}/aciGw.json (100%) rename {contivmodel => contivModel}/appProfile.json (100%) rename {contivmodel => contivModel}/bgphost.json (100%) rename {contivmodel => contivModel}/client/contivModel.js (100%) rename {contivmodel => contivModel}/client/contivModelClient.go (100%) rename {contivmodel => contivModel}/client/contivModelClient.py (100%) rename {contivmodel => contivModel}/contivModel.go (100%) rename {contivmodel => contivModel}/contivModel.png (100%) rename {contivmodel => contivModel}/endpoint.json (100%) rename {contivmodel => contivModel}/endpointGroup.json (100%) rename {contivmodel => contivModel}/extContractsGroup.json (100%) rename {contivmodel => contivModel}/generate.sh (100%) rename {contivmodel => contivModel}/global.json (100%) rename {contivmodel => 
contivModel}/netProfile.json (100%) rename {contivmodel => contivModel}/network.json (100%) rename {contivmodel => contivModel}/policy.json (100%) rename {contivmodel => contivModel}/rule.json (100%) rename {contivmodel => contivModel}/scripts/build.sh (100%) rename {contivmodel => contivModel}/servicelb.json (100%) rename {contivmodel => contivModel}/spec/Dockerfile (100%) rename {contivmodel => contivModel}/spec/Dockerfile.cleanup (100%) rename {contivmodel => contivModel}/spec/Makefile (100%) rename {contivmodel => contivModel}/spec/auth_proxy.raml (100%) rename {contivmodel => contivModel}/spec/auth_proxy/libraries/auth_proxy.raml (100%) rename {contivmodel => contivModel}/spec/auth_proxy/schemas/collection-item.raml (100%) rename {contivmodel => contivModel}/spec/auth_proxy/schemas/collection.raml (100%) rename {contivmodel => contivModel}/spec/auth_proxy/schemas/custom-scheme.raml (100%) rename {contivmodel => contivModel}/spec/auth_proxy/schemas/non-upd-collection-item.raml (100%) rename {contivmodel => contivModel}/spec/auth_proxy/schemas/ro-collection-item.raml (100%) rename {contivmodel => contivModel}/spec/build.sh (100%) rename {contivmodel => contivModel}/spec/cleanup.rb (100%) rename {contivmodel => contivModel}/spec/docs/body.html (100%) rename {contivmodel => contivModel}/spec/docs/contiv.html (100%) rename {contivmodel => contivModel}/spec/docs/head.html (100%) rename {contivmodel => contivModel}/spec/generate_raml.rb (100%) rename {contivmodel => contivModel}/spec/netmaster.raml (100%) rename {contivmodel => contivModel}/spec/netmaster/libraries/netmaster.raml (100%) rename {contivmodel => contivModel}/spec/netmaster/schemas/collection-item.raml (100%) rename {contivmodel => contivModel}/spec/netmaster/schemas/collection.raml (100%) rename {contivmodel => contivModel}/spec/netmaster/schemas/custom-scheme.raml (100%) rename {contivmodel => contivModel}/spec/netmaster/schemas/non-upd-collection-item.raml (100%) rename {contivmodel => 
contivModel}/spec/netmaster/schemas/ro-collection-item.raml (100%) rename {contivmodel => contivModel}/systemtests/client_test.go (100%) rename {contivmodel => contivModel}/systemtests/mock_server.go (100%) rename {contivmodel => contivModel}/tenant.json (100%) rename {contivmodel => contivModel}/volume.json (100%) rename {contivmodel => contivModel}/volumeProfile.json (100%) diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index b875f5f44..f6744694d 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json @@ -1,6 +1,6 @@ { "ImportPath": "github.com/contiv/netplugin", - "GoVersion": "go1.7", + "GoVersion": "go1.9", "GodepVersion": "v79", "Packages": [ "./..." @@ -99,23 +99,23 @@ }, { "ImportPath": "github.com/contiv/ofnet", - "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84" + "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" }, { "ImportPath": "github.com/contiv/ofnet/ofctrl", - "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84" + "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" }, { "ImportPath": "github.com/contiv/ofnet/ovsdbDriver", - "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84" + "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" }, { "ImportPath": "github.com/contiv/ofnet/pqueue", - "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84" + "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" }, { "ImportPath": "github.com/contiv/ofnet/rpcHub", - "Rev": "c080e5b6e9bede4db7b5da634c3de01c346edc84" + "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" }, { "ImportPath": "github.com/contiv/remotessh", 
@@ -153,147 +153,147 @@ }, { "ImportPath": "github.com/docker/distribution/digest", - "Comment": "v2.4.0-rc.1-36-g9d49169", + "Comment": "v2.4.0-rc.1-36-g9d491698", "Rev": "9d491698ccf3eba4e87213350518dbaacf8e9650" }, { "ImportPath": "github.com/docker/distribution/reference", - "Comment": "v2.4.0-rc.1-36-g9d49169", + "Comment": "v2.4.0-rc.1-36-g9d491698", "Rev": "9d491698ccf3eba4e87213350518dbaacf8e9650" }, { "ImportPath": "github.com/docker/docker/api", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/server/httputils", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/blkiodev", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/container", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/events", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/filters", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/mount", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/network", - "Comment": 
"v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/reference", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/registry", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/strslice", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/swarm", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/time", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/versions", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/api/types/volume", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/client", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/dockerversion", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/pkg/ioutils", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": 
"github.com/docker/docker/pkg/longpath", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/pkg/parsers/kernel", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/pkg/plugingetter", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/pkg/plugins", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/pkg/plugins/transport", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/pkg/system", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/pkg/tlsconfig", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { "ImportPath": "github.com/docker/docker/pkg/useragent", - "Comment": "v1.13.1-43-g8b1112b", + "Comment": "v1.13.1-43-g8b1112be3", "Rev": "8b1112be3ba30451578b0033f98600b4c7f50909" }, { 
@@ -318,37 +318,37 @@ }, { "ImportPath": "github.com/docker/libnetwork/discoverapi", - "Comment": "v0.8.0-dev.2-663-g5537cb4", + "Comment": "v0.8.0-dev.2-663-g5537cb4b", "Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb" }, { "ImportPath": "github.com/docker/libnetwork/driverapi", - "Comment": "v0.8.0-dev.2-663-g5537cb4", + "Comment": "v0.8.0-dev.2-663-g5537cb4b", "Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb" }, { "ImportPath": "github.com/docker/libnetwork/drivers/remote/api", - "Comment": "v0.8.0-dev.2-663-g5537cb4", + "Comment": "v0.8.0-dev.2-663-g5537cb4b", "Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb" }, { "ImportPath": "github.com/docker/libnetwork/ipamapi", - "Comment": "v0.8.0-dev.2-663-g5537cb4", + "Comment": "v0.8.0-dev.2-663-g5537cb4b", "Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb" }, { "ImportPath": "github.com/docker/libnetwork/ipams/remote/api", - "Comment": "v0.8.0-dev.2-663-g5537cb4", + "Comment": "v0.8.0-dev.2-663-g5537cb4b", "Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb" }, { "ImportPath": "github.com/docker/libnetwork/netlabel", - "Comment": "v0.8.0-dev.2-663-g5537cb4", + "Comment": "v0.8.0-dev.2-663-g5537cb4b", "Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb" }, { "ImportPath": "github.com/docker/libnetwork/types", - "Comment": "v0.8.0-dev.2-663-g5537cb4", + "Comment": "v0.8.0-dev.2-663-g5537cb4b", "Rev": "5537cb4b15c16eff2619db126ead3271e0ab45eb" }, { @@ -362,7 +362,7 @@ }, { "ImportPath": "github.com/eapache/queue", - "Comment": "v1.1.0", + "Comment": "v1.0.2-7-g44cc805", "Rev": "44cc805cf13205b55f69e14bcb69867d1ae92f98" }, { @@ -408,12 +408,12 @@ }, { "ImportPath": "github.com/gogo/protobuf/proto", - "Comment": "v0.4-8-g3043356", + "Comment": "v0.4-8-g30433562", "Rev": "30433562cfbf487fe1df7cd26c7bab168d2f14d0" }, { "ImportPath": "github.com/gogo/protobuf/sortkeys", - "Comment": "v0.4-8-g3043356", + "Comment": "v0.4-8-g30433562", "Rev": "30433562cfbf487fe1df7cd26c7bab168d2f14d0" }, { 
@@ -481,7 +481,7 @@ }, { "ImportPath": "github.com/hashicorp/consul/api", - "Comment": "v0.6.4-39-g3340d7c", + "Comment": "v0.6.4-39-g3340d7cc", "Rev": "3340d7ccd74d4185b1c126833988457da5e414c8" }, { @@ -531,17 +531,17 @@ }, { "ImportPath": "github.com/influxdata/influxdb/client/v2", - "Comment": "v1.0.0-beta3-128-g3c12403", + "Comment": "v1.0.0-beta3-128-g3c124036f", "Rev": "3c124036f0aea8e7f7b4dde76bdda5052bc58333" }, { "ImportPath": "github.com/influxdata/influxdb/models", - "Comment": "v1.0.0-beta3-128-g3c12403", + "Comment": "v1.0.0-beta3-128-g3c124036f", "Rev": "3c124036f0aea8e7f7b4dde76bdda5052bc58333" }, { "ImportPath": "github.com/influxdata/influxdb/pkg/escape", - "Comment": "v1.0.0-beta3-128-g3c12403", + "Comment": "v1.0.0-beta3-128-g3c124036f", "Rev": "3c124036f0aea8e7f7b4dde76bdda5052bc58333" }, { @@ -594,7 +594,7 @@ }, { "ImportPath": "github.com/opencontainers/runc/libcontainer/user", - "Comment": "v0.0.3-14-g9be9157", + "Comment": "v0.0.3-14-g9be9157f", "Rev": "9be9157fc5cd9cf59c155fe194a0acc5f1e6f926" }, { diff --git a/contivmodel/.gitignore b/contivModel/.gitignore similarity index 100% rename from contivmodel/.gitignore rename to contivModel/.gitignore diff --git a/contivmodel/LICENSE b/contivModel/LICENSE similarity index 100% rename from contivmodel/LICENSE rename to contivModel/LICENSE diff --git a/contivmodel/Makefile b/contivModel/Makefile similarity index 100% rename from contivmodel/Makefile rename to contivModel/Makefile diff --git a/contivmodel/README.md b/contivModel/README.md similarity index 100% rename from contivmodel/README.md rename to contivModel/README.md diff --git a/contivmodel/aciGw.json b/contivModel/aciGw.json similarity index 100% rename from contivmodel/aciGw.json rename to contivModel/aciGw.json diff --git a/contivmodel/appProfile.json b/contivModel/appProfile.json similarity index 100% rename from contivmodel/appProfile.json rename to contivModel/appProfile.json 
diff --git a/contivmodel/bgphost.json b/contivModel/bgphost.json
similarity index 100%
rename from contivmodel/bgphost.json
rename to contivModel/bgphost.json
diff --git a/contivmodel/client/contivModel.js b/contivModel/client/contivModel.js
similarity index 100%
rename from contivmodel/client/contivModel.js
rename to contivModel/client/contivModel.js
diff --git a/contivmodel/client/contivModelClient.go b/contivModel/client/contivModelClient.go
similarity index 100%
rename from contivmodel/client/contivModelClient.go
rename to contivModel/client/contivModelClient.go
diff --git a/contivmodel/client/contivModelClient.py b/contivModel/client/contivModelClient.py
similarity index 100%
rename from contivmodel/client/contivModelClient.py
rename to contivModel/client/contivModelClient.py
diff --git a/contivmodel/contivModel.go b/contivModel/contivModel.go
similarity index 100%
rename from contivmodel/contivModel.go
rename to contivModel/contivModel.go
diff --git a/contivmodel/contivModel.png b/contivModel/contivModel.png
similarity index 100%
rename from contivmodel/contivModel.png
rename to contivModel/contivModel.png
diff --git a/contivmodel/endpoint.json b/contivModel/endpoint.json
similarity index 100%
rename from contivmodel/endpoint.json
rename to contivModel/endpoint.json
diff --git a/contivmodel/endpointGroup.json b/contivModel/endpointGroup.json
similarity index 100%
rename from contivmodel/endpointGroup.json
rename to contivModel/endpointGroup.json
diff --git a/contivmodel/extContractsGroup.json b/contivModel/extContractsGroup.json
similarity index 100%
rename from contivmodel/extContractsGroup.json
rename to contivModel/extContractsGroup.json
diff --git a/contivmodel/generate.sh b/contivModel/generate.sh
similarity index 100%
rename from contivmodel/generate.sh
rename to contivModel/generate.sh
diff --git a/contivmodel/global.json b/contivModel/global.json
similarity index 100%
rename from contivmodel/global.json
rename to contivModel/global.json
diff --git a/contivmodel/netProfile.json b/contivModel/netProfile.json
similarity index 100%
rename from contivmodel/netProfile.json
rename to contivModel/netProfile.json
diff --git a/contivmodel/network.json b/contivModel/network.json
similarity index 100%
rename from contivmodel/network.json
rename to contivModel/network.json
diff --git a/contivmodel/policy.json b/contivModel/policy.json
similarity index 100%
rename from contivmodel/policy.json
rename to contivModel/policy.json
diff --git a/contivmodel/rule.json b/contivModel/rule.json
similarity index 100%
rename from contivmodel/rule.json
rename to contivModel/rule.json
diff --git a/contivmodel/scripts/build.sh b/contivModel/scripts/build.sh
similarity index 100%
rename from contivmodel/scripts/build.sh
rename to contivModel/scripts/build.sh
diff --git a/contivmodel/servicelb.json b/contivModel/servicelb.json
similarity index 100%
rename from contivmodel/servicelb.json
rename to contivModel/servicelb.json
diff --git a/contivmodel/spec/Dockerfile b/contivModel/spec/Dockerfile
similarity index 100%
rename from contivmodel/spec/Dockerfile
rename to contivModel/spec/Dockerfile
diff --git a/contivmodel/spec/Dockerfile.cleanup b/contivModel/spec/Dockerfile.cleanup
similarity index 100%
rename from contivmodel/spec/Dockerfile.cleanup
rename to contivModel/spec/Dockerfile.cleanup
diff --git a/contivmodel/spec/Makefile b/contivModel/spec/Makefile
similarity index 100%
rename from contivmodel/spec/Makefile
rename to contivModel/spec/Makefile
diff --git a/contivmodel/spec/auth_proxy.raml b/contivModel/spec/auth_proxy.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy.raml
rename to contivModel/spec/auth_proxy.raml
diff --git a/contivmodel/spec/auth_proxy/libraries/auth_proxy.raml b/contivModel/spec/auth_proxy/libraries/auth_proxy.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/libraries/auth_proxy.raml
rename to contivModel/spec/auth_proxy/libraries/auth_proxy.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/collection-item.raml b/contivModel/spec/auth_proxy/schemas/collection-item.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/collection-item.raml
rename to contivModel/spec/auth_proxy/schemas/collection-item.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/collection.raml b/contivModel/spec/auth_proxy/schemas/collection.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/collection.raml
rename to contivModel/spec/auth_proxy/schemas/collection.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/custom-scheme.raml b/contivModel/spec/auth_proxy/schemas/custom-scheme.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/custom-scheme.raml
rename to contivModel/spec/auth_proxy/schemas/custom-scheme.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/non-upd-collection-item.raml b/contivModel/spec/auth_proxy/schemas/non-upd-collection-item.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/non-upd-collection-item.raml
rename to contivModel/spec/auth_proxy/schemas/non-upd-collection-item.raml
diff --git a/contivmodel/spec/auth_proxy/schemas/ro-collection-item.raml b/contivModel/spec/auth_proxy/schemas/ro-collection-item.raml
similarity index 100%
rename from contivmodel/spec/auth_proxy/schemas/ro-collection-item.raml
rename to contivModel/spec/auth_proxy/schemas/ro-collection-item.raml
diff --git a/contivmodel/spec/build.sh b/contivModel/spec/build.sh
similarity index 100%
rename from contivmodel/spec/build.sh
rename to contivModel/spec/build.sh
diff --git a/contivmodel/spec/cleanup.rb b/contivModel/spec/cleanup.rb
similarity index 100%
rename from contivmodel/spec/cleanup.rb
rename to contivModel/spec/cleanup.rb
diff --git a/contivmodel/spec/docs/body.html b/contivModel/spec/docs/body.html
similarity index 100%
rename from contivmodel/spec/docs/body.html
rename to contivModel/spec/docs/body.html
diff --git a/contivmodel/spec/docs/contiv.html b/contivModel/spec/docs/contiv.html
similarity index 100%
rename from contivmodel/spec/docs/contiv.html
rename to contivModel/spec/docs/contiv.html
diff --git a/contivmodel/spec/docs/head.html b/contivModel/spec/docs/head.html
similarity index 100%
rename from contivmodel/spec/docs/head.html
rename to contivModel/spec/docs/head.html
diff --git a/contivmodel/spec/generate_raml.rb b/contivModel/spec/generate_raml.rb
similarity index 100%
rename from contivmodel/spec/generate_raml.rb
rename to contivModel/spec/generate_raml.rb
diff --git a/contivmodel/spec/netmaster.raml b/contivModel/spec/netmaster.raml
similarity index 100%
rename from contivmodel/spec/netmaster.raml
rename to contivModel/spec/netmaster.raml
diff --git a/contivmodel/spec/netmaster/libraries/netmaster.raml b/contivModel/spec/netmaster/libraries/netmaster.raml
similarity index 100%
rename from contivmodel/spec/netmaster/libraries/netmaster.raml
rename to contivModel/spec/netmaster/libraries/netmaster.raml
diff --git a/contivmodel/spec/netmaster/schemas/collection-item.raml b/contivModel/spec/netmaster/schemas/collection-item.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/collection-item.raml
rename to contivModel/spec/netmaster/schemas/collection-item.raml
diff --git a/contivmodel/spec/netmaster/schemas/collection.raml b/contivModel/spec/netmaster/schemas/collection.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/collection.raml
rename to contivModel/spec/netmaster/schemas/collection.raml
diff --git a/contivmodel/spec/netmaster/schemas/custom-scheme.raml b/contivModel/spec/netmaster/schemas/custom-scheme.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/custom-scheme.raml
rename to contivModel/spec/netmaster/schemas/custom-scheme.raml
diff --git a/contivmodel/spec/netmaster/schemas/non-upd-collection-item.raml b/contivModel/spec/netmaster/schemas/non-upd-collection-item.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/non-upd-collection-item.raml
rename to contivModel/spec/netmaster/schemas/non-upd-collection-item.raml
diff --git a/contivmodel/spec/netmaster/schemas/ro-collection-item.raml b/contivModel/spec/netmaster/schemas/ro-collection-item.raml
similarity index 100%
rename from contivmodel/spec/netmaster/schemas/ro-collection-item.raml
rename to contivModel/spec/netmaster/schemas/ro-collection-item.raml
diff --git a/contivmodel/systemtests/client_test.go b/contivModel/systemtests/client_test.go
similarity index 100%
rename from contivmodel/systemtests/client_test.go
rename to contivModel/systemtests/client_test.go
diff --git a/contivmodel/systemtests/mock_server.go b/contivModel/systemtests/mock_server.go
similarity index 100%
rename from contivmodel/systemtests/mock_server.go
rename to contivModel/systemtests/mock_server.go
diff --git a/contivmodel/tenant.json b/contivModel/tenant.json
similarity index 100%
rename from contivmodel/tenant.json
rename to contivModel/tenant.json
diff --git a/contivmodel/volume.json b/contivModel/volume.json
similarity index 100%
rename from contivmodel/volume.json
rename to contivModel/volume.json
diff --git a/contivmodel/volumeProfile.json b/contivModel/volumeProfile.json
similarity index 100%
rename from contivmodel/volumeProfile.json
rename to contivModel/volumeProfile.json
diff --git a/mgmtfn/dockplugin/netDriver.go b/mgmtfn/dockplugin/netDriver.go
index 48ca351ad..653e24a59 100644
--- a/mgmtfn/dockplugin/netDriver.go
+++ b/mgmtfn/dockplugin/netDriver.go
@@ -24,7 +24,7 @@ import ( "strings" log "github.com/Sirupsen/logrus" - "github.com/contiv/netplugin/contivmodel/client" + "github.com/contiv/netplugin/contivModel/client" "github.com/contiv/netplugin/core" "github.com/contiv/netplugin/netmaster/docknet" "github.com/contiv/netplugin/netmaster/intent" diff --git a/netctl/config.go b/netctl/config.go index 68153a659..3ca4adc66 100644 --- a/netctl/config.go +++ b/netctl/config.go @@ -10,7 +10,7 @@ import ( "path/filepath" "github.com/codegangsta/cli" - contivClient "github.com/contiv/netplugin/contivmodel/client" + contivClient "github.com/contiv/netplugin/contivModel/client" ) var errHomeDirectoryNotSet = errors.New("failed to detect HOME directory") diff --git a/netctl/netctl.go b/netctl/netctl.go index 0b5c6e587..88a4287af 100755 --- a/netctl/netctl.go +++ b/netctl/netctl.go @@ -17,7 +17,7 @@ import ( "golang.org/x/crypto/ssh/terminal" "github.com/codegangsta/cli" - contivClient "github.com/contiv/netplugin/contivmodel/client" + contivClient "github.com/contiv/netplugin/contivModel/client" "github.com/contiv/netplugin/version" ) diff --git a/netmaster/k8snetwork/networkpolicy.go b/netmaster/k8snetwork/networkpolicy.go index 68f1aa220..b82d1421e 100644 --- a/netmaster/k8snetwork/networkpolicy.go +++ b/netmaster/k8snetwork/networkpolicy.go @@ -8,7 +8,7 @@ import ( "time" log "github.com/Sirupsen/logrus" - "github.com/contiv/netplugin/contivmodel/client" + "github.com/contiv/netplugin/contivModel/client" "github.com/contiv/netplugin/utils/k8sutils" "k8s.io/api/networking/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/netmaster/master/policy.go b/netmaster/master/policy.go index 8d90e89ab..5eea96470 100755 --- a/netmaster/master/policy.go +++ b/netmaster/master/policy.go 
@@ -16,7 +16,7 @@ limitations under the License. package master import ( - "github.com/contiv/netplugin/contivmodel" + "github.com/contiv/netplugin/contivModel" "github.com/contiv/netplugin/core" "github.com/contiv/netplugin/netmaster/mastercfg" "github.com/contiv/netplugin/utils" diff --git a/netmaster/mastercfg/policyState.go b/netmaster/mastercfg/policyState.go index 8d6b6297c..04f3ce297 100644 --- a/netmaster/mastercfg/policyState.go +++ b/netmaster/mastercfg/policyState.go @@ -23,6 +23,7 @@ import ( log "github.com/Sirupsen/logrus" + "github.com/contiv/netplugin/contivModel" "github.com/contiv/netplugin/core" "github.com/contiv/ofnet" ) @@ -216,11 +217,12 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet rule.ToIpAddress = net.Subnet } + var remoteTenant string if rule.FromTenantName != "" { - remoteTenant := rule.FromTenantName + remoteTenant = rule.FromTenantName } if rule.ToTenantName != "" { - remoteTenant := rule.ToTenantName + remoteTenant = rule.ToTenantName } // Set protocol @@ -247,7 +249,7 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "inRx": // Set src/dest endpoint group ofnetRule.DstEndpointGroup = gp.EndpointGroupID - ofnetrule.dsttenant = rule.tenantname + ofnetRule.DstTenant = rule.TenantName ofnetRule.SrcEndpointGroup = remoteEpgID ofnetRule.SrcTenant = remoteTenant diff --git a/netmaster/objApi/apiController.go b/netmaster/objApi/apiController.go index 917b1a273..d11817110 100644 --- a/netmaster/objApi/apiController.go +++ b/netmaster/objApi/apiController.go @@ -25,7 +25,7 @@ import ( "io/ioutil" "net/http" - contivModel "github.com/contiv/netplugin/contivmodel" + contivModel "github.com/contiv/netplugin/contivModel" "github.com/contiv/netplugin/core" "github.com/contiv/netplugin/drivers" "github.com/contiv/netplugin/netmaster/docknet" diff --git a/netmaster/objApi/extContracts.go b/netmaster/objApi/extContracts.go index cfb837cb1..4c56b7ae7 100644 
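Review bot: In createOfnetRule (policyState.go), `remoteTenant` stays empty when neither `rule.FromTenantName` nor `rule.ToTenantName` is set, and the `inRx` case then assigns that empty string to `ofnetRule.SrcTenant`. A rule that names a remote endpoint group but no remote tenant would presumably be handed on with a group match that is not scoped to any tenant, which undercuts the isolation the tenant fields are meant to add. Defaulting to the rule's own tenant looks like the intended behaviour, e.g. `remoteTenant := rule.TenantName` ahead of the two `if` blocks; this is inferred, so confirm it against the policy semantics. When both fields are set the To value silently wins, and rejecting that combination would be clearer. The function body starts and ends outside the hunk.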
--- a/netmaster/objApi/extContracts.go +++ b/netmaster/objApi/extContracts.go @@ -17,8 +17,9 @@ package objApi import ( "fmt" + log "github.com/Sirupsen/logrus" - "github.com/contiv/netplugin/contivmodel" + "github.com/contiv/netplugin/contivModel" "github.com/contiv/netplugin/core" "github.com/contiv/netplugin/objdb/modeldb" ) diff --git a/netmaster/objApi/infraproxy.go b/netmaster/objApi/infraproxy.go index 87d6a63c6..62344293e 100755 --- a/netmaster/objApi/infraproxy.go +++ b/netmaster/objApi/infraproxy.go @@ -11,7 +11,7 @@ import ( "time" log "github.com/Sirupsen/logrus" - "github.com/contiv/netplugin/contivmodel" + "github.com/contiv/netplugin/contivModel" "github.com/contiv/netplugin/core" "github.com/contiv/netplugin/netmaster/master" "github.com/contiv/netplugin/netmaster/mastercfg" diff --git a/vendor/github.com/contiv/ofnet/ofnet.go b/vendor/github.com/contiv/ofnet/ofnet.go index 8a2a7270a..abfb6289c 100755 --- a/vendor/github.com/contiv/ofnet/ofnet.go +++ b/vendor/github.com/contiv/ofnet/ofnet.go @@ -189,9 +189,11 @@ type OfnetEndpoint struct { type OfnetPolicyRule struct { RuleId string // Unique identifier for the rule Priority int // Priority for the rule (1..100. 100 is highest) + SrcTenant string // For policy rules, reqiured to uniquely identify the SrcEndpointGroup SrcEndpointGroup int // Source endpoint group + DstTenant string // For policy rules, required to uniquely identify the DstEndpointGroup DstEndpointGroup int // Destination endpoint group - SrcIpAddr string // source IP addrss and mask + SrcIpAddr string // source IP address and mask DstIpAddr string // Destination IP address and mask IpProtocol uint8 // IP protocol number SrcPort uint16 // Source port diff --git a/vendor/github.com/contiv/ofnet/ofnetMaster.go b/vendor/github.com/contiv/ofnet/ofnetMaster.go index dee441486..050391ccb 100755 --- a/vendor/github.com/contiv/ofnet/ofnetMaster.go +++ b/vendor/github.com/contiv/ofnet/ofnetMaster.go 
@@ -229,7 +229,7 @@ func (self *OfnetMaster) UnRegisterNode(hostInfo *OfnetNode, ret *bool) error { // Add an Endpoint func (self *OfnetMaster) EndpointAdd(ep *OfnetEndpoint, ret *bool) error { - log.Infof("Received Endpoint CReate from Remote netplugin") + log.Infof("Received Endpoint Create from Remote netplugin") // Check if we have the endpoint already and which is more recent self.masterMutex.RLock() oldEp := self.endpointDb[ep.EndpointID] diff --git a/vendor/github.com/contiv/ofnet/ofnetPolicy.go b/vendor/github.com/contiv/ofnet/ofnetPolicy.go index dc5a83c0b..e6d774332 100755 --- a/vendor/github.com/contiv/ofnet/ofnetPolicy.go +++ b/vendor/github.com/contiv/ofnet/ofnetPolicy.go @@ -93,8 +93,10 @@ func (self *PolicyAgent) SwitchDisconnected(sw *ofctrl.OFSwitch) { // DstGroupMetadata returns metadata for dst group func DstGroupMetadata(groupId int) (uint64, uint64) { + // shifted 1 for the VTEP metadata := uint64(groupId) << 1 - metadataMask := uint64(0xfffe) + // format((((1<<16)-1)<<1), 'x') + metadataMask := uint64(0x1fffe) metadata = metadata & metadataMask return metadata, metadataMask @@ -102,8 +104,11 @@ func DstGroupMetadata(groupId int) (uint64, uint64) { // SrcGroupMetadata returns metadata for src group func SrcGroupMetadata(groupId int) (uint64, uint64) { - metadata := uint64(groupId) << 16 - metadataMask := uint64(0x7fff0000) + // TODO(plockc): missing tenant still + // shift 30 for the dest tenant+group, 1 for the VTEP flag + metadata := uint64(groupId) << (30 + 1) + // format((((1<<16))-1)<<(30+1), 'x') + metadataMask := uint64(0x7fff80000000) metadata = metadata & metadataMask return metadata, metadataMask 
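Review bot: `DstGroupMetadata` and `SrcGroupMetadata` in ofnetPolicy.go take an `int` group id, shift it and then AND it with a 16-bit mask, so an id above 0xffff is silently truncated and can alias another group's metadata. `VrfDestMetadata` and `VrfSrcMetadata` in vrouter.go have the same shape with a `uint16` vrf id and a 14-bit mask. Because these bits are what the policy flows match on to tell groups and tenants apart, an out-of-range id should be rejected rather than masked, for example by checking `groupId < 0 || groupId > 0xffff` in the caller and returning an error before the flow is built. Whether such ids can occur in practice is not visible here. The file is vendored, so the change presumably belongs in contiv/ofnet as well.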
@@ -139,23 +144,23 @@ func (self *PolicyAgent) AddEndpoint(endpoint *OfnetEndpoint) error { self.agent.vrfMutex.RLock() vrfid := self.agent.vrfNameIdMap[*vrf] self.agent.vrfMutex.RUnlock() - vrfMetadata, vrfMetadataMask := Vrfmetadata(*vrfid) - // Install the Dst group lookup flow + vrfMetadata, vrfMetadataMask := VrfDestMetadata(*vrfid) + // match destination tenant and IP dstGrpFlow, err := self.dstGrpTable.NewFlow(ofctrl.FlowMatch{ - Priority: FLOW_MATCH_PRIORITY, - Ethertype: 0x0800, - IpDa: &endpoint.IpAddr, - Metadata: &vrfMetadata, - MetadataMask: &vrfMetadataMask, + Priority: FLOW_MATCH_PRIORITY, + Ethertype: 0x0800, + IpDa: &endpoint.IpAddr, }) if err != nil { log.Errorf("Error adding dstGroup flow for %v. Err: %v", endpoint.IpAddr, err) return err } - // Format the metadata - metadata, metadataMask := DstGroupMetadata(endpoint.EndpointGroup) + // Format the metadata for the destination group + groupMetadata, groupMetadataMask := DstGroupMetadata(endpoint.EndpointGroup) + metadata := vrfMetadata | groupMetadata + metadataMask := vrfMetadataMask | groupMetadataMask // Set dst GroupId err = dstGrpFlow.SetMetadata(metadata, metadataMask) if err != nil { @@ -299,8 +304,10 @@ func (self *PolicyAgent) AddRule(rule *OfnetPolicyRule, ret *bool) error { var ipDaMask *net.IP = nil var ipSa *net.IP = nil var ipSaMask *net.IP = nil - var md *uint64 = nil - var mdm *uint64 = nil + var metadata uint64 = 0 // for calculations of md + var metadataMask uint64 = 0 // for calculations of mdm + var md *uint64 = nil // flow metadata + var mdm *uint64 = nil // flow metadata mask var flag, flagMask uint16 var flagPtr, flagMaskPtr *uint16 var err error 
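Review bot: The dst-group lookup flow in AddEndpoint no longer carries `Metadata: &vrfMetadata` and `MetadataMask: &vrfMetadataMask`, so it now matches on `IpDa` alone and then writes the endpoint's tenant and group bits with `SetMetadata`. If two tenants can use the same endpoint address, their flows collide at the same priority and a packet may be tagged with the other tenant's destination metadata, which the policy rules then match on. The same two match fields are dropped from the `ipTable` flow in Vrouter.AddLocalEndpoint (vrouter.go). Keeping a VRF match on the lookup, or refusing to install the flow unless addresses are known to be unique, would avoid that. AddEndpoint continues outside the hunk.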
@@ -346,22 +353,29 @@ func (self *PolicyAgent) AddRule(rule *OfnetPolicyRule, ret *bool) error { } } - // parse source/dst endpoint groups - if rule.SrcEndpointGroup != 0 && rule.DstEndpointGroup != 0 { - srcMetadata, srcMetadataMask := SrcGroupMetadata(rule.SrcEndpointGroup) - dstMetadata, dstMetadataMask := DstGroupMetadata(rule.DstEndpointGroup) - metadata := srcMetadata | dstMetadata - metadataMask := srcMetadataMask | dstMetadataMask - md = &metadata - mdm = &metadataMask - } else if rule.SrcEndpointGroup != 0 { - srcMetadata, srcMetadataMask := SrcGroupMetadata(rule.SrcEndpointGroup) - md = &srcMetadata - mdm = &srcMetadataMask - } else if rule.DstEndpointGroup != 0 { - dstMetadata, dstMetadataMask := DstGroupMetadata(rule.DstEndpointGroup) - md = &dstMetadata - mdm = &dstMetadataMask + updateMetadata := func(meta uint64, mask uint64) (*uint64, *uint64) { + metadata |= meta + metadataMask |= mask + return &metadata, &metadataMask + } + // parse source/dst endpoint tenants and groups + if rule.SrcEndpointGroup != 0 { + if rule.SrcTenant == "" { + log.Errorf("Source group %v was provided without tenant", + rule.DstEndpointGroup) + } + md, mdm = updateMetadata(SrcGroupMetadata(rule.SrcEndpointGroup)) + srcVrfId := self.agent.getvrfId(rule.SrcTenant) + md, mdm = updateMetadata(VrfSrcMetadata(*srcVrfId)) + } + if rule.DstEndpointGroup != 0 { + if rule.DstTenant == "" { + log.Errorf("Destination group %v was provided without tenant", + rule.DstEndpointGroup) + } + md, mdm = updateMetadata(DstGroupMetadata(rule.DstEndpointGroup)) + dstVrfId := self.agent.getvrfId(rule.DstTenant) + md, mdm = updateMetadata(VrfDestMetadata(*dstVrfId)) } // Setup TCP flags diff --git a/vendor/github.com/contiv/ofnet/util.go b/vendor/github.com/contiv/ofnet/util.go index 76f57efd1..680a62b88 100755 --- a/vendor/github.com/contiv/ofnet/util.go +++ b/vendor/github.com/contiv/ofnet/util.go 
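Review bot: In AddRule, a rule with an endpoint group but an empty `SrcTenant` or `DstTenant` is only reported with `log.Errorf`, and processing continues into the `getvrfId` lookup with the empty name. Returning an error at that point, e.g. `return errors.New("source endpoint group given without tenant")`, rejects the incomplete rule before any metadata is computed for it. The source branch also prints `rule.DstEndpointGroup` in its message; it should print `rule.SrcEndpointGroup`. AddRule starts and ends outside the hunk.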
@@ -181,7 +181,7 @@ func createPortVlanFlow(agent *OfnetAgent, vlanTable, nextTable *ofctrl.Table, e //set vrf id as METADATA vrfid := agent.getvrfId(endpoint.Vrf) - metadata, metadataMask := Vrfmetadata(*vrfid) + metadata, metadataMask := VrfSrcMetadata(*vrfid) // set source EPG id if required if endpoint.EndpointGroup != 0 { @@ -240,7 +240,7 @@ func createDscpFlow(agent *OfnetAgent, vlanTable, nextTable *ofctrl.Table, endpo //set vrf id as METADATA vrfid := agent.getvrfId(endpoint.Vrf) - metadata, metadataMask := Vrfmetadata(*vrfid) + metadata, metadataMask := VrfSrcMetadata(*vrfid) // set source EPG id if required if endpoint.EndpointGroup != 0 { diff --git a/vendor/github.com/contiv/ofnet/vrouter.go b/vendor/github.com/contiv/ofnet/vrouter.go index 37274f8e3..ead9fea47 100755 --- a/vendor/github.com/contiv/ofnet/vrouter.go +++ b/vendor/github.com/contiv/ofnet/vrouter.go @@ -263,15 +263,13 @@ func (self *Vrouter) AddLocalEndpoint(endpoint OfnetEndpoint) error { return errors.New("Invalid vrf name") } - vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid) + vrfmetadata, vrfmetadataMask := VrfDestMetadata(*vrfid) // Install the IP address ipFlow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{ - Priority: FLOW_MATCH_PRIORITY, - Ethertype: 0x0800, - IpDa: &endpoint.IpAddr, - Metadata: &vrfmetadata, - MetadataMask: &vrfmetadataMask, + Priority: FLOW_MATCH_PRIORITY, + Ethertype: 0x0800, + IpDa: &endpoint.IpAddr, }) if err != nil { log.Errorf("Error creating flow for endpoint: %+v. Err: %v", endpoint, err) @@ -873,7 +871,7 @@ func (self *Vrouter) AddEndpoint(endpoint *OfnetEndpoint) error { } //set vrf id as METADATA - metadata, metadataMask := Vrfmetadata(*vrfid) + metadata, metadataMask := VrfDestMetadata(*vrfid) // Install the IP address ipFlow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{ 
@@ -1302,6 +1300,29 @@ func (self *Vrouter) processArp(pkt protocol.Ethernet, inPort uint32) { } } +func VrfDestMetadata(vrfid uint16) (uint64, uint64) { + // 1 bit for VTEP, 16 for group + metadata := uint64(vrfid) << 17 + // 14 bits shifted 1 for vtep flag and 16 for group + // format((((1<<14))-1)<<(1+16), 'x') + metadataMask := uint64(0x7ffe0000) + metadata = metadata & metadataMask + + return metadata, metadataMask +} + +func VrfSrcMetadata(vrfid uint16) (uint64, uint64) { + // 1 bit for VTEP, 30 for dest tenant+group, 16 for group + metadata := uint64(vrfid) << 47 + // 14 bits shifted 1 for vtep flag and 30 for dest tenant+group + // and 16 for source group + // format((((1<<14))-1)<<(1+30+16), 'x') + metadataMask := uint64(0x1FFF800000000000) + metadata = metadata & metadataMask + + return metadata, metadataMask +} + func Vrfmetadata(vrfid uint16) (uint64, uint64) { metadata := uint64(vrfid) << 32 metadataMask := uint64(0xFF00000000) From fdd08a6396eb360e641b9413ef43468e7d0363e8 Mon Sep 17 00:00:00 2001 From: Chris Plock Date: Thu, 18 Jan 2018 13:55:30 -0800 Subject: [PATCH 3/5] to/from contivmodel tenant name optional --- contivModel/contivModel.go | 4 ++-- contivModel/rule.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/contivModel/contivModel.go b/contivModel/contivModel.go index a57be5385..686c20c1e 100644 --- a/contivModel/contivModel.go +++ b/contivModel/contivModel.go @@ -4503,7 +4503,7 @@ func ValidateRule(obj *Rule) error { return errors.New("fromTenantName string too long") } - fromTenantNameMatch := regexp.MustCompile("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$") + fromTenantNameMatch := regexp.MustCompile("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])?$") if fromTenantNameMatch.MatchString(obj.FromTenantName) == false { return errors.New("fromTenantName string invalid format") } 
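Review bot: The old `Vrfmetadata` helper is left in vrouter.go beside the new `VrfDestMetadata` and `VrfSrcMetadata`, and its layout (`<< 32`, mask `0xFF00000000`) falls inside the bits the new scheme gives to the source group (`<< (30 + 1)`, mask `0x7fff80000000`). Any caller still using it would write VRF bits where the policy flows now expect a group id; whether callers remain is not visible in this hunk. Removing it, or marking it `// Deprecated: use VrfSrcMetadata or VrfDestMetadata.`, would prevent that. The two new exported functions also have no doc comment, and a short one naming the bit range each owns would help the next reader.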
@@ -4583,7 +4583,7 @@ func ValidateRule(obj *Rule) error { return errors.New("toTenantName string too long") } - toTenantNameMatch := regexp.MustCompile("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])$") + toTenantNameMatch := regexp.MustCompile("^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9])?$") if toTenantNameMatch.MatchString(obj.ToTenantName) == false { return errors.New("toTenantName string invalid format") } diff --git a/contivModel/rule.json b/contivModel/rule.json index 202f361b2..8e03e9201 100644 --- a/contivModel/rule.json +++ b/contivModel/rule.json @@ -95,14 +95,14 @@ "type": "string", "title": "From Tenant Name", "length": 64, - "format": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])$", + "format": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])?$", "showSummary": true }, "toTenantName": { "type": "string", "title": "To Tenant Name", "length": 64, - "format": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])$", + "format": "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])?$", "showSummary": true }, "protocol": { From 6d9ca29aca8b87c0c26bae4a795509a2837f415c Mon Sep 17 00:00:00 2001 From: Chris Plock Date: Fri, 19 Jan 2018 13:30:07 -0800 Subject: [PATCH 4/5] tenant ingress is working --- Godeps/Godeps.json | 10 +++++----- install/k8s/cluster/bootstrap_centos.sh | 1 + vendor/github.com/contiv/ofnet/ofnetPolicy.go | 16 ++++++++++++++++ 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index f6744694d..f73f409b0 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json 
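Review bot: Appending `?` to only the last label of the `fromTenantName` and `toTenantName` formats in rule.json accepts more than the empty string: the leading dotted-label group can still match on its own, so a value with a trailing dot such as `tenant.` (constructed example) now validates. If the intent is only to make the field optional, make the whole expression optional instead, i.e. `^(<previous pattern without ^ and $>)?$`. The same two patterns appear in contivModel.go, which looks generated from this file, so regenerating after the fix should carry it over.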
@@ -99,23 +99,23 @@ }, { "ImportPath": "github.com/contiv/ofnet", - "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" + "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" }, { "ImportPath": "github.com/contiv/ofnet/ofctrl", - "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" + "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" }, { "ImportPath": "github.com/contiv/ofnet/ovsdbDriver", - "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" + "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" }, { "ImportPath": "github.com/contiv/ofnet/pqueue", - "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" + "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" }, { "ImportPath": "github.com/contiv/ofnet/rpcHub", - "Rev": "a5366b6229c72aee307c40b7405e55c795614fcf" + "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" }, { "ImportPath": "github.com/contiv/remotessh", diff --git a/install/k8s/cluster/bootstrap_centos.sh b/install/k8s/cluster/bootstrap_centos.sh index 3c60919b8..43477f7c2 100755 --- a/install/k8s/cluster/bootstrap_centos.sh +++ b/install/k8s/cluster/bootstrap_centos.sh @@ -8,6 +8,7 @@ fi set -ex swapoff -a +sudo sed -i '/swap/d' /etc/fstab setenforce 0 systemctl stop firewalld systemctl disable firewalld diff --git a/vendor/github.com/contiv/ofnet/ofnetPolicy.go b/vendor/github.com/contiv/ofnet/ofnetPolicy.go index e6d774332..396ffc73c 100755 --- a/vendor/github.com/contiv/ofnet/ofnetPolicy.go +++ b/vendor/github.com/contiv/ofnet/ofnetPolicy.go @@ -17,6 +17,7 @@ package ofnet import ( "errors" + "fmt" "net" "net/rpc" "reflect" 
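Review bot: The added `sed -i '/swap/d' /etc/fstab` in bootstrap_centos.sh deletes every line that contains the substring `swap`, including comments or a mount whose path happens to contain it, and keeps no copy of the original file. Anchoring on the whitespace-delimited field and keeping a backup is safer: `sed -i.bak '/^[^#].*[[:space:]]swap[[:space:]]/d' /etc/fstab`. The neighbouring commands in the hunk run without `sudo`, so the prefix here is inconsistent with the rest of the script.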
@@ -365,7 +366,14 @@ func (self *PolicyAgent) AddRule(rule *OfnetPolicyRule, ret *bool) error { rule.DstEndpointGroup) } md, mdm = updateMetadata(SrcGroupMetadata(rule.SrcEndpointGroup)) + } + if rule.SrcTenant != "" { srcVrfId := self.agent.getvrfId(rule.SrcTenant) + if srcVrfId == nil { + errMsg := fmt.Sprintf("VRF %s was not found", rule.SrcTenant) + log.Errorf(errMsg) + return errors.New(errMsg) + } md, mdm = updateMetadata(VrfSrcMetadata(*srcVrfId)) } if rule.DstEndpointGroup != 0 { @@ -373,8 +381,16 @@ func (self *PolicyAgent) AddRule(rule *OfnetPolicyRule, ret *bool) error { log.Errorf("Destination group %v was provided without tenant", rule.DstEndpointGroup) } + md, mdm = updateMetadata(DstGroupMetadata(rule.DstEndpointGroup)) + } + if rule.DstTenant != "" { dstVrfId := self.agent.getvrfId(rule.DstTenant) + if dstVrfId == nil { + errMsg := fmt.Sprintf("VRF %s was not found", rule.DstTenant) + log.Errorf(errMsg) + return errors.New(errMsg) + } md, mdm = updateMetadata(VrfDestMetadata(*dstVrfId)) } From 8c4521339b42a8a145826fb3dad525cdb1d0c236 Mon Sep 17 00:00:00 2001 From: Chris Plock Date: Fri, 26 Jan 2018 13:27:31 -0800 Subject: [PATCH 5/5] WIP upgrading ofnet to k8s ready --- Godeps/Godeps.json | 10 +- Makefile | 2 +- core/core.go | 25 ++-- drivers/ovsd/ovsSwitch.go | 6 +- drivers/ovsd/ovsdriver.go | 6 +- netmaster/mastercfg/policyState.go | 16 +-- netplugin/netd.go | 17 +-- vendor/github.com/contiv/ofnet/ofnet.go | 4 +- vendor/github.com/contiv/ofnet/ofnetAgent.go | 19 ++- vendor/github.com/contiv/ofnet/ofnetPolicy.go | 123 +++++++++++------- vendor/github.com/contiv/ofnet/util.go | 39 ++++-- vendor/github.com/contiv/ofnet/vlrouter.go | 4 +- vendor/github.com/contiv/ofnet/vrouter.go | 37 +++--- vendor/github.com/contiv/ofnet/vxlanBridge.go | 14 +- 14 files changed, 191 insertions(+), 131 deletions(-) diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index f73f409b0..a7d62f752 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json 
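Review bot: Both new nil checks in AddRule pass `errMsg` as the format string (`log.Errorf(errMsg)`), and that string contains `rule.SrcTenant` or `rule.DstTenant`, so a `%` in the tenant name would be read as a formatting verb. Use a constant format, `log.Errorf("VRF %q was not found", rule.SrcTenant)`, and build the returned error with `fmt.Errorf("VRF %q was not found", rule.SrcTenant)`; the destination branch needs the same change. The "provided without tenant" cases in the context lines are still only logged. AddRule starts and ends outside these hunks.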
@@ -99,23 +99,23 @@ }, { "ImportPath": "github.com/contiv/ofnet", - "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" + "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f" }, { "ImportPath": "github.com/contiv/ofnet/ofctrl", - "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" + "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f" }, { "ImportPath": "github.com/contiv/ofnet/ovsdbDriver", - "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" + "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f" }, { "ImportPath": "github.com/contiv/ofnet/pqueue", - "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" + "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f" }, { "ImportPath": "github.com/contiv/ofnet/rpcHub", - "Rev": "dd8738d62a190cfc5e3f60dd4f38bbc9be69ebe8" + "Rev": "2e64d1a26ff11efbc7e50188b4e00e331babf48f" }, { "ImportPath": "github.com/contiv/remotessh", diff --git a/Makefile b/Makefile index 854c54909..c106213e2 100755 --- a/Makefile +++ b/Makefile @@ -150,7 +150,7 @@ k8s-l3-destroy: # =================================================================== # kubernetes dev -k8s-dev: checks-with-docker compile-with-docker binaries-from-container +k8s-dev: compile-with-docker binaries-from-container CONTIV_TEST="dev" make k8s-cluster # kubernetes test targets diff --git a/core/core.go b/core/core.go index 1b23f8e7c..81c0a1249 100755 --- a/core/core.go +++ b/core/core.go 
@@ -75,18 +75,19 @@ type Plugin interface { // InstanceInfo encapsulates data that is specific to a running instance of // netplugin like label of host on which it is started. type InstanceInfo struct { - StateDriver StateDriver `json:"-"` - HostLabel string `json:"host-label"` - CtrlIP string `json:"ctrl-ip"` - VtepIP string `json:"vtep-ip"` - UplinkIntf []string `json:"uplink-if"` - RouterIP string `json:"router-ip"` - FwdMode string `json:"fwd-mode"` - ArpMode string `json:"arp-mode"` - DbURL string `json:"db-url"` - PluginMode string `json:"plugin-mode"` - HostPvtNW int `json:"host-pvt-nw"` - VxlanUDPPort int `json:"vxlan-port"` + StateDriver StateDriver `json:"-"` + HostLabel string `json:"host-label"` + CtrlIP string `json:"ctrl-ip"` + VtepIP string `json:"vtep-ip"` + UplinkIntf []string `json:"uplink-if"` + RouterIP string `json:"router-ip"` + FwdMode string `json:"fwd-mode"` + ArpMode string `json:"arp-mode"` + DbURL string `json:"db-url"` + PluginMode string `json:"plugin-mode"` + HostPvtNW int `json:"host-pvt-nw"` + VxlanUDPPort int `json:"vxlan-port"` + EndpointIpsAreUnique bool `json:"endpoint-ips-are-unique"` } // PortSpec defines protocol/port info required to host the service diff --git a/drivers/ovsd/ovsSwitch.go b/drivers/ovsd/ovsSwitch.go index 42d9217ce..9e52f7649 100755 --- a/drivers/ovsd/ovsSwitch.go +++ b/drivers/ovsd/ovsSwitch.go @@ -90,7 +90,7 @@ func (sw *OvsSwitch) GetUplinkInterfaces(uplinkID string) []string { // NewOvsSwitch Creates a new OVS switch instance func NewOvsSwitch(bridgeName, netType, localIP, fwdMode string, - vlanIntf []string, hostPvtNW int, vxlanUDPPort int) (*OvsSwitch, error) { + vlanIntf []string, hostPvtNW int, vxlanUDPPort int, endpointIpsAreUnique bool) (*OvsSwitch, error) { var err error var datapath string var ofnetPort, ctrlrPort uint16 
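Review bot: `EndpointIpsAreUnique` is added to `InstanceInfo` without a comment, yet it is the one field here that changes forwarding and isolation behaviour rather than describing the host. The comment added to `OfnetAgent` later in this patch states that a true value lets the VRF be inferred from the IP address and lets endpoints in different VRFs communicate directly, and the struct should carry that warning where operators set it: `// EndpointIpsAreUnique asserts that endpoint IPs never overlap across VRFs; when true, endpoints in different VRFs can communicate directly.` The neighbouring fields use the `IP` initialism (`CtrlIP`, `VtepIP`, `RouterIP`), so `EndpointIPsAreUnique` would be the consistent spelling.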
@@ -123,7 +123,7 @@ func NewOvsSwitch(bridgeName, netType, localIP, fwdMode string, } // Create an ofnet agent sw.ofnetAgent, err = ofnet.NewOfnetAgent(bridgeName, datapath, net.ParseIP(localIP), - ofnetPort, ctrlrPort, vlanIntf) + ofnetPort, ctrlrPort, vlanIntf, endpointIpsAreUnique) if err != nil { log.Fatalf("Error initializing ofnet") @@ -144,7 +144,7 @@ func NewOvsSwitch(bridgeName, netType, localIP, fwdMode string, } // Create an ofnet agent sw.ofnetAgent, err = ofnet.NewOfnetAgent(bridgeName, datapath, net.ParseIP(localIP), - ofnetPort, ctrlrPort, vlanIntf) + ofnetPort, ctrlrPort, vlanIntf, endpointIpsAreUnique) if err != nil { log.Fatalf("Error initializing ofnet") diff --git a/drivers/ovsd/ovsdriver.go b/drivers/ovsd/ovsdriver.go index a4cb56149..ce892bd42 100644 --- a/drivers/ovsd/ovsdriver.go +++ b/drivers/ovsd/ovsdriver.go @@ -171,13 +171,15 @@ func (d *OvsDriver) Init(info *core.InstanceInfo) error { // Create Vxlan switch d.switchDb["vxlan"], err = NewOvsSwitch(vxlanBridgeName, "vxlan", info.VtepIP, - info.FwdMode, nil, info.HostPvtNW, info.VxlanUDPPort) + info.FwdMode, nil, info.HostPvtNW, info.VxlanUDPPort, + info.EndpointIpsAreUnique) if err != nil { log.Fatalf("Error creating vlan switch. Err: %v", err) } // Create Vlan switch d.switchDb["vlan"], err = NewOvsSwitch(vlanBridgeName, "vlan", info.VtepIP, - info.FwdMode, info.UplinkIntf, info.HostPvtNW, info.VxlanUDPPort) + info.FwdMode, info.UplinkIntf, info.HostPvtNW, info.VxlanUDPPort, + info.EndpointIpsAreUnique) if err != nil { log.Fatalf("Error creating vlan switch. Err: %v", err) } diff --git a/netmaster/mastercfg/policyState.go b/netmaster/mastercfg/policyState.go index 04f3ce297..08fe03c77 100644 --- a/netmaster/mastercfg/policyState.go +++ b/netmaster/mastercfg/policyState.go 
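Review bot: The `log.Fatalf("Error initializing ofnet")` that follows the changed `NewOfnetAgent` call discards `err`, so a failure exits the process with no reason in the log; the second ovsSwitch.go hunk has the identical line. Include the cause and the bridge, `log.Fatalf("Error initializing ofnet agent for %s: %v", bridgeName, err)`. Since `NewOvsSwitch` already returns an error, `return nil, err` would let the caller decide instead. The function body starts and ends outside these hunks.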
@@ -249,9 +249,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "inRx": // Set src/dest endpoint group ofnetRule.DstEndpointGroup = gp.EndpointGroupID - ofnetRule.DstTenant = rule.TenantName + ofnetRule.DstVrf = rule.TenantName ofnetRule.SrcEndpointGroup = remoteEpgID - ofnetRule.SrcTenant = remoteTenant + ofnetRule.SrcVrf = remoteTenant // Set src/dest IP Address ofnetRule.SrcIpAddr = rule.FromIpAddress @@ -269,9 +269,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "inTx": // Set src/dest endpoint group ofnetRule.SrcEndpointGroup = gp.EndpointGroupID - ofnetRule.SrcTenant = rule.TenantName + ofnetRule.SrcVrf = rule.TenantName ofnetRule.DstEndpointGroup = remoteEpgID - ofnetRule.DstTenant = remoteTenant + ofnetRule.DstVrf = remoteTenant // Set src/dest IP Address ofnetRule.DstIpAddr = rule.FromIpAddress @@ -284,9 +284,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "outRx": // Set src/dest endpoint group ofnetRule.DstEndpointGroup = gp.EndpointGroupID - ofnetRule.DstTenant = rule.TenantName + ofnetRule.DstVrf = rule.TenantName ofnetRule.SrcEndpointGroup = remoteEpgID - ofnetRule.SrcTenant = remoteTenant + ofnetRule.SrcVrf = remoteTenant // Set src/dest IP Address ofnetRule.SrcIpAddr = rule.ToIpAddress @@ -296,9 +296,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet case "outTx": // Set src/dest endpoint group ofnetRule.SrcEndpointGroup = gp.EndpointGroupID - ofnetRule.SrcTenant = rule.TenantName + ofnetRule.SrcVrf = rule.TenantName ofnetRule.DstEndpointGroup = remoteEpgID - ofnetRule.DstTenant = remoteTenant + ofnetRule.DstVrf = remoteTenant // Set src/dest IP Address ofnetRule.DstIpAddr = rule.ToIpAddress diff --git a/netplugin/netd.go b/netplugin/netd.go index 37a62ce3e..5bc1ff5dd 100755 --- a/netplugin/netd.go +++ b/netplugin/netd.go 
@@ -110,14 +110,15 @@ func initNetPluginConfig(ctx *cli.Context) (*plugin.Config, error) { State: dbConfigs.StoreDriver, }, Instance: core.InstanceInfo{ - HostLabel: hostLabel, - CtrlIP: controlIP, - VtepIP: vtepIP, - UplinkIntf: vlanUpLinks, - DbURL: dbConfigs.StoreURL, - PluginMode: netConfigs.Mode, - VxlanUDPPort: vxlanPort, - FwdMode: netConfigs.ForwardMode, // TODO: pass in network mode + HostLabel: hostLabel, + CtrlIP: controlIP, + VtepIP: vtepIP, + UplinkIntf: vlanUpLinks, + DbURL: dbConfigs.StoreURL, + PluginMode: netConfigs.Mode, + VxlanUDPPort: vxlanPort, + FwdMode: netConfigs.ForwardMode, // TODO: pass in network mode + EndpointIpsAreUnique: true, }, }, nil } diff --git a/vendor/github.com/contiv/ofnet/ofnet.go b/vendor/github.com/contiv/ofnet/ofnet.go index abfb6289c..aa468a361 100755 --- a/vendor/github.com/contiv/ofnet/ofnet.go +++ b/vendor/github.com/contiv/ofnet/ofnet.go @@ -189,9 +189,9 @@ type OfnetEndpoint struct { type OfnetPolicyRule struct { RuleId string // Unique identifier for the rule Priority int // Priority for the rule (1..100. 100 is highest) - SrcTenant string // For policy rules, reqiured to uniquely identify the SrcEndpointGroup + SrcVrf string // For policy rules, reqiured to uniquely identify the SrcEndpointGroup SrcEndpointGroup int // Source endpoint group - DstTenant string // For policy rules, required to uniquely identify the DstEndpointGroup + DstVrf string // For policy rules, required to uniquely identify the DstEndpointGroup DstEndpointGroup int // Destination endpoint group SrcIpAddr string // source IP address and mask DstIpAddr string // Destination IP address and mask diff --git a/vendor/github.com/contiv/ofnet/ofnetAgent.go b/vendor/github.com/contiv/ofnet/ofnetAgent.go index d9bcef64a..6c3b8f785 100755 --- a/vendor/github.com/contiv/ofnet/ofnetAgent.go +++ b/vendor/github.com/contiv/ofnet/ofnetAgent.go 
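Review bot: `EndpointIpsAreUnique: true` is hard-coded in `initNetPluginConfig`, so every netplugin instance asserts unique endpoint IPs regardless of how it is deployed. The comment added to `OfnetAgent` in this same patch says a true value also allows endpoints in different VRFs to communicate directly, so this turns a tenant-isolation relaxation on for all installations, including ones that rely on overlapping address space per VRF. The value should come from configuration with false as the default, for example `EndpointIpsAreUnique: netConfigs.EndpointIpsAreUnique,` (a placeholder field name, to be populated from a CLI flag or the plugin mode). The function body starts outside the hunk, so how `netConfigs` is built is not visible here.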
@@ -40,6 +40,10 @@ import ( cmap "github.com/streamrail/concurrent-map" ) +// these can be passed to NewOfnetAgent for endpointIPsAreUnique parameter +const OFNET_AGENT_ENDPOINT_IPS_ARE_NOT_UNIQUE_PARAM = false +const OFNET_AGENT_ENDPOINT_IPS_ARE_UNIQUE_PARAM = true + // OfnetAgent state type OfnetAgent struct { ctrler *ofctrl.Controller // Controller instance @@ -55,6 +59,11 @@ type OfnetAgent struct { datapath OfnetDatapath // Configured datapath protopath OfnetProto // Configured protopath + // True if all requests to create endpoints no matter the VRF will have + // unique IPs, which would allow for inferring the VRF based on IP address + // True also allows endpoints in different VRFs to communicate directly + endpointIpsAreUnique bool + masterDb map[string]*OfnetNode // list of Masters masterDbMutex sync.Mutex // Sync mutex for masterDb @@ -147,8 +156,8 @@ const ( // Create a new Ofnet agent and initialize it func NewOfnetAgent(bridgeName string, dpName string, localIp net.IP, rpcPort uint16, - ovsPort uint16, uplinkInfo []string) (*OfnetAgent, error) { - log.Infof("Creating new ofnet agent for %s,%s,%d,%d,%d\n", bridgeName, dpName, localIp, rpcPort, ovsPort) + ovsPort uint16, uplinkInfo []string, endpointIpsAreUnique bool) (*OfnetAgent, error) { + log.Infof("Creating new ofnet agent for %s,%s,%d,%d,%d,%v\n", bridgeName, dpName, localIp, rpcPort, ovsPort, endpointIpsAreUnique) agent := new(OfnetAgent) // Init params @@ -168,6 +177,8 @@ func NewOfnetAgent(bridgeName string, dpName string, localIp net.IP, rpcPort uin agent.vniVlanMap = make(map[uint32]*uint16) agent.vlanVniMap = make(map[uint16]*uint32) + agent.endpointIpsAreUnique = endpointIpsAreUnique + // Initialize vtep database agent.vtepTable = make(map[string]*uint32) 
@@ -253,6 +264,10 @@ func (self *OfnetAgent) incrErrStats(errName string) { self.stats[errName+"-ERROR"] = currStats } +func (a *OfnetAgent) IsEndpointIpsAreUnique() bool { + return a.endpointIpsAreUnique +} + // getEndpointId Get a unique identifier for the endpoint. func (self *OfnetAgent) getEndpointId(endpoint EndpointInfo) string { self.vlanVrfMutex.RLock() diff --git a/vendor/github.com/contiv/ofnet/ofnetPolicy.go b/vendor/github.com/contiv/ofnet/ofnetPolicy.go index 396ffc73c..b38b678a9 100755 --- a/vendor/github.com/contiv/ofnet/ofnetPolicy.go +++ b/vendor/github.com/contiv/ofnet/ofnetPolicy.go 
@@ -80,36 +80,56 @@ func (self *PolicyAgent) SwitchDisconnected(sw *ofctrl.OFSwitch) { } // Metadata Format -// 6 3 3 1 1 0 0 -// 3 1 0 6 5 1 0 -// +-------------+-+---------------+---------------+-+ -// | ....U |U| SrcGrp | DstGrp |V| -// +-------------+-+---------------+---------------+-+ +// Source Tenant + Group +// 0x1fff ffff 8000 0000 Destination Tenant + Group +// | 0x7FFF FFFE +// +--------+----------+ | +// | v +--------+---------+ +// v Source Group v v +// Source Tenant 0x7FFF 8000 0000 Destination Tenant Destination Group +// 0x1FFF 8000 0000 0000 | 0x7FFE 0000 0x0001 FFFE +// | | | | +// +-------+--------++---------+---------++--------+-----++-----------+------+ +// | || || || | +// v vv vv vv v +// 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 000V // -// U: Unused -// SrcGrp: Source endpoint group -// DstGrp: Destination endpoint group // V: Received on VTEP Port. Dont flood back to VTEP ports. -// -// DstGroupMetadata returns metadata for dst group -func DstGroupMetadata(groupId int) (uint64, uint64) { - // shifted 1 for the VTEP - metadata := uint64(groupId) << 1 - // format((((1<<16)-1)<<1), 'x') - metadataMask := uint64(0x1fffe) +// returns openflow metadata and mask values for dst group +func DstGroupMetadata(vrfid uint16, groupId int) (uint64, uint64) { + // vrf: shift 16 for src group, 1 for VTEP flag + // group: shift 1 for the VTEP flag + metadata := (uint64(vrfid) << 17) + (uint64(groupId) << 1) + // vrf: + // 14 bits shifted 1 for vtep flag and 16 for group + // format((((1<<14))-1)<<(1+16), 'x') + // 0x7ffe0000 + // group: + // format((((1<<16)-1)<<1), 'x') + // 0x1fffe + metadataMask := uint64(0x7ffffffe) metadata = metadata & metadataMask return metadata, metadataMask } -// SrcGroupMetadata returns metadata for src group -func SrcGroupMetadata(groupId int) (uint64, uint64) { - // TODO(plockc): missing tenant still - // shift 30 for the dest tenant+group, 1 for the VTEP flag - metadata := uint64(groupId) << 
(30 + 1) - // format((((1<<16))-1)<<(30+1), 'x') - metadataMask := uint64(0x7fff80000000) +// returns openflow metadata and mask for src group +func SrcGroupMetadata(vrfid uint16, groupId int) (uint64, uint64) { + // vrf: + // shift 30 for dest vrf+group, 16 for src group, 1 for VTEP flag = 47 + // group: + // shift 30 for the dest vrf+group, 1 for the VTEP flag + metadata := (uint64(vrfid) << 47) + (uint64(groupId) << (30 + 1)) + // vrf: + // 14 bits shifted by 1: vtep flag + 30: dest vrf+group + 16: src group + // format((((1<<14))-1)<<(1+30+16), 'x') + // 0x1FFF800000000000 + // group: + // 16 bits shifted 30 for dest vrf+group plus 1 for vtep flag + // format((((1<<16))-1)<<(30+1), 'x') + // 0x7fff80000000 + metadataMask := uint64(0x1FFFFFFF80000000) metadata = metadata & metadataMask return metadata, metadataMask @@ -145,12 +165,15 @@ func (self *PolicyAgent) AddEndpoint(endpoint *OfnetEndpoint) error { self.agent.vrfMutex.RLock() vrfid := self.agent.vrfNameIdMap[*vrf] self.agent.vrfMutex.RUnlock() + vrfMetadata, vrfMetadataMask := VrfDestMetadata(*vrfid) // match destination tenant and IP dstGrpFlow, err := self.dstGrpTable.NewFlow(ofctrl.FlowMatch{ - Priority: FLOW_MATCH_PRIORITY, - Ethertype: 0x0800, - IpDa: &endpoint.IpAddr, + Priority: FLOW_MATCH_PRIORITY, + Ethertype: 0x0800, + IpDa: &endpoint.IpAddr, + Metadata: &vrfMetadata, + MetadataMask: &vrfMetadataMask, }) if err != nil { log.Errorf("Error adding dstGroup flow for %v. Err: %v", endpoint.IpAddr, err) @@ -158,10 +181,8 @@ func (self *PolicyAgent) AddEndpoint(endpoint *OfnetEndpoint) error { } // Format the metadata for the destination group - groupMetadata, groupMetadataMask := DstGroupMetadata(endpoint.EndpointGroup) + metadata, metadataMask := DstGroupMetadata(*vrfid, endpoint.EndpointGroup) - metadata := vrfMetadata | groupMetadata - metadataMask := vrfMetadataMask | groupMetadataMask // Set dst GroupId err = dstGrpFlow.SetMetadata(metadata, metadataMask) if err != nil { 
@@ -236,7 +257,7 @@ func (self *PolicyAgent) AddIpv6Endpoint(endpoint *OfnetEndpoint) error { vrfid := self.agent.vrfNameIdMap[*vrf] self.agent.vrfMutex.RUnlock() - vrfMetadata, vrfMetadataMask := Vrfmetadata(*vrfid) + vrfMetadata, vrfMetadataMask := VrfDestMetadata(*vrfid) // Install the Dst group lookup flow dstGrpFlow, err := self.dstGrpTable.NewFlow(ofctrl.FlowMatch{ Priority: FLOW_MATCH_PRIORITY, @@ -251,7 +272,7 @@ func (self *PolicyAgent) AddIpv6Endpoint(endpoint *OfnetEndpoint) error { } // Format the metadata - metadata, metadataMask := DstGroupMetadata(endpoint.EndpointGroup) + metadata, metadataMask := DstGroupMetadata(*vrfid, endpoint.EndpointGroup) // Set dst GroupId err = dstGrpFlow.SetMetadata(metadata, metadataMask) 
@@ -360,40 +381,46 @@ func (self *PolicyAgent) AddRule(rule *OfnetPolicyRule, ret *bool) error { return &metadata, &metadataMask } // parse source/dst endpoint tenants and groups - if rule.SrcEndpointGroup != 0 { - if rule.SrcTenant == "" { - log.Errorf("Source group %v was provided without tenant", - rule.DstEndpointGroup) - } - md, mdm = updateMetadata(SrcGroupMetadata(rule.SrcEndpointGroup)) - } - if rule.SrcTenant != "" { - srcVrfId := self.agent.getvrfId(rule.SrcTenant) + var srcVrfId *uint16 + var dstVrfId *uint16 + if rule.SrcVrf != "" { + srcVrfId = self.agent.getvrfId(rule.SrcVrf) if srcVrfId == nil { - errMsg := fmt.Sprintf("VRF %s was not found", rule.SrcTenant) + errMsg := fmt.Sprintf("VRF %s was not found", rule.SrcVrf) log.Errorf(errMsg) return errors.New(errMsg) } md, mdm = updateMetadata(VrfSrcMetadata(*srcVrfId)) } - if rule.DstEndpointGroup != 0 { - if rule.DstTenant == "" { - log.Errorf("Destination group %v was provided without tenant", - rule.DstEndpointGroup) + if rule.SrcEndpointGroup != 0 { + if rule.SrcVrf == "" { + errMsg := fmt.Sprintf("Source group %v was provided without VRF", + rule.SrcEndpointGroup) + log.Errorf(errMsg) + return errors.New(errMsg) } - md, mdm = updateMetadata(DstGroupMetadata(rule.DstEndpointGroup)) + md, mdm = updateMetadata(SrcGroupMetadata(*srcVrfId, rule.SrcEndpointGroup)) } - if rule.DstTenant != "" { - dstVrfId := self.agent.getvrfId(rule.DstTenant) + if rule.DstVrf != "" { + dstVrfId = self.agent.getvrfId(rule.DstVrf) if dstVrfId == nil { - errMsg := fmt.Sprintf("VRF %s was not found", rule.DstTenant) + errMsg := fmt.Sprintf("VRF %s was not found", rule.DstVrf) log.Errorf(errMsg) return errors.New(errMsg) } md, mdm = updateMetadata(VrfDestMetadata(*dstVrfId)) } + if rule.DstEndpointGroup != 0 { + if rule.DstVrf == "" { + errMsg := fmt.Sprintf("Destination group %v was provided without VRF", + rule.DstEndpointGroup) + log.Errorf(errMsg) + return errors.New(errMsg) + } + md, mdm = 
updateMetadata(DstGroupMetadata(*dstVrfId, rule.DstEndpointGroup)) + } // Setup TCP flags if rule.IpProtocol == 6 && rule.TcpFlags != "" { switch rule.TcpFlags { diff --git a/vendor/github.com/contiv/ofnet/util.go b/vendor/github.com/contiv/ofnet/util.go index 680a62b88..49b539722 100755 --- a/vendor/github.com/contiv/ofnet/util.go +++ b/vendor/github.com/contiv/ofnet/util.go @@ -167,7 +167,8 @@ func buildUDPRespPkt(inEth *protocol.Ethernet, uData []byte) (*protocol.Ethernet return outEth, nil } -// createPortVlanFlow creates port vlan flow based on endpoint metadata +// createPortVlanFlow creates port vlan flow (traffic coming out of a pod) +// based on endpoint metadata func createPortVlanFlow(agent *OfnetAgent, vlanTable, nextTable *ofctrl.Table, endpoint *OfnetEndpoint) (*ofctrl.Flow, error) { // Install a flow entry for vlan mapping portVlanFlow, err := vlanTable.NewFlow(ofctrl.FlowMatch{ 
@@ -179,16 +180,24 @@ func createPortVlanFlow(agent *OfnetAgent, vlanTable, nextTable *ofctrl.Table, e return nil, err } - //set vrf id as METADATA + // set vrf id as METADATA for both source and destination + // this enables traffic to reach same VRF when there are overlapping + // IPs across VRFs and apply policy against the source VRF + // If IPs are unique and traffic is not isolated to single VRF (kubernetes) + // thn the table to set destination group will not match source VRF, + // just IP and rewrite the destination VRF vrfid := agent.getvrfId(endpoint.Vrf) metadata, metadataMask := VrfSrcMetadata(*vrfid) + destMetadata, destMetadataMask := VrfDestMetadata(*vrfid) + metadata = metadata | destMetadata + metadataMask = metadataMask | destMetadataMask // set source EPG id if required if endpoint.EndpointGroup != 0 { - srcMetadata, srcMetadataMask := SrcGroupMetadata(endpoint.EndpointGroup) - metadata = metadata | srcMetadata - metadataMask = metadataMask | srcMetadataMask - + srcMetadata, srcMetadataMask := SrcGroupMetadata(*vrfid, endpoint.EndpointGroup) + dstMetadata, dstMetadataMask := DstGroupMetadata(*vrfid, endpoint.EndpointGroup) + metadata = metadata | srcMetadata | dstMetadata + metadataMask = metadataMask | srcMetadataMask | dstMetadataMask } // set vlan if required 
@@ -238,16 +247,24 @@ func createDscpFlow(agent *OfnetAgent, vlanTable, nextTable *ofctrl.Table, endpo return nil, nil, err } - //set vrf id as METADATA + // set vrf id as METADATA for both source and destination + // this enables traffic to reach same VRF when there are overlapping + // IPs across VRFs and apply policy against the source VRF + // If IPs are unique and traffic is not isolated to single VRF (kubernetes) + // thn the table to set destination group will not match source VRF, + // just IP and rewrite the destination VRF vrfid := agent.getvrfId(endpoint.Vrf) metadata, metadataMask := VrfSrcMetadata(*vrfid) + destMetadata, destMetadataMask := VrfDestMetadata(*vrfid) + metadata = metadata | destMetadata + metadataMask = metadataMask | destMetadataMask // set source EPG id if required if endpoint.EndpointGroup != 0 { - srcMetadata, srcMetadataMask := SrcGroupMetadata(endpoint.EndpointGroup) - metadata = metadata | srcMetadata - metadataMask = metadataMask | srcMetadataMask - + srcMetadata, srcMetadataMask := SrcGroupMetadata(*vrfid, endpoint.EndpointGroup) + dstMetadata, dstMetadataMask := DstGroupMetadata(*vrfid, endpoint.EndpointGroup) + metadata = metadata | srcMetadata | dstMetadata + metadataMask = metadataMask | srcMetadataMask | dstMetadataMask } // set vlan if required diff --git a/vendor/github.com/contiv/ofnet/vlrouter.go b/vendor/github.com/contiv/ofnet/vlrouter.go index c8b8f40d1..e95665b97 100755 --- a/vendor/github.com/contiv/ofnet/vlrouter.go +++ b/vendor/github.com/contiv/ofnet/vlrouter.go @@ -633,7 +633,7 @@ func (vl *Vlrouter) AddEndpoint(endpoint *OfnetEndpoint) error { } //set vrf id as METADATA - //metadata, metadataMask := Vrfmetadata(*vrfid) + //metadata, metadataMask := VrfDestMetadata(*vrfid) outPort, err := vl.ofSwitch.OutputPort(endpoint.PortNo) if err != nil { 
@@ -787,7 +787,7 @@ func (vl *Vlrouter) AddRemoteIpv6Flow(endpoint *OfnetEndpoint) error { } //set vrf id as METADATA - //metadata, metadataMask := Vrfmetadata(*vrfid) + //metadata, metadataMask := VrfDestMetadata(*vrfid) outPort, err := vl.ofSwitch.OutputPort(endpoint.PortNo) if err != nil { diff --git a/vendor/github.com/contiv/ofnet/vrouter.go b/vendor/github.com/contiv/ofnet/vrouter.go index ead9fea47..6a53204a4 100755 --- a/vendor/github.com/contiv/ofnet/vrouter.go +++ b/vendor/github.com/contiv/ofnet/vrouter.go @@ -267,9 +267,11 @@ func (self *Vrouter) AddLocalEndpoint(endpoint OfnetEndpoint) error { // Install the IP address ipFlow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{ - Priority: FLOW_MATCH_PRIORITY, - Ethertype: 0x0800, - IpDa: &endpoint.IpAddr, + Priority: FLOW_MATCH_PRIORITY, + Ethertype: 0x0800, + IpDa: &endpoint.IpAddr, + Metadata: &vrfmetadata, + MetadataMask: &vrfmetadataMask, }) if err != nil { log.Errorf("Error creating flow for endpoint: %+v. Err: %v", endpoint, err) @@ -415,7 +417,7 @@ func (self *Vrouter) RemoveLocalEndpoint(endpoint OfnetEndpoint) error { flowId := self.agent.getEndpointIdByIpVlan(endpoint.IpAddr, endpoint.Vlan) ipFlow := self.flowDb[flowId] if ipFlow == nil { - log.Errorf("Error finding the flow for endpoint: %+v", endpoint) + log.Errorf("Error finding the flow to remove for local endpoint by IP and VLAN: %+v", endpoint) return errors.New("Flow not found") } @@ -573,7 +575,7 @@ func (self *Vrouter) AddLocalIpv6Flow(endpoint OfnetEndpoint) error { } //Ip table look up will be vrf,ip - vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid) + vrfmetadata, vrfmetadataMask := VrfDestMetadata(*vrfid) // Install the IPv6 address ipv6Flow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{ Priority: FLOW_MATCH_PRIORITY, 
@@ -623,7 +625,7 @@ func (self *Vrouter) RemoveLocalIpv6Flow(endpoint OfnetEndpoint) error { flowId := self.agent.getEndpointIdByIpVlan(endpoint.Ipv6Addr, endpoint.Vlan) ipv6Flow := self.flowDb[flowId] if ipv6Flow == nil { - log.Errorf("Error finding the flow for endpoint: %+v", endpoint) + log.Errorf("Error finding the ipv6 flow by IP and VLAN for local endpoint: %+v", endpoint) return errors.New("Flow not found") } @@ -702,10 +704,11 @@ func (self *Vrouter) AddVtepPort(portNo uint32, remoteIp net.IP) error { } //set vrf id as METADATA - vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid) + vrfmetadata, vrfmetadataMask := VrfSrcMetadata(*vrfid) + dstVrfMetadata, dstVrfMetadataMask := VrfDestMetadata(*vrfid) - metadata := METADATA_RX_VTEP | vrfmetadata - metadataMask := METADATA_RX_VTEP | vrfmetadataMask + metadata := METADATA_RX_VTEP | vrfmetadata | dstVrfMetadata + metadataMask := METADATA_RX_VTEP | vrfmetadataMask | dstVrfMetadataMask portVlanFlow.SetMetadata(metadata, metadataMask) @@ -798,7 +801,7 @@ func (self *Vrouter) AddVlan(vlanId uint16, vni uint32, vrf string) error { } //set vrf id as METADATA - vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid) + vrfmetadata, vrfmetadataMask := VrfSrcMetadata(*vrfid) // Set the metadata to indicate packet came in from VTEP port metadata := METADATA_RX_VTEP | vrfmetadata @@ -932,7 +935,7 @@ func (self *Vrouter) RemoveEndpoint(endpoint *OfnetEndpoint) error { flowId := self.agent.getEndpointIdByIpVlan(endpoint.IpAddr, endpoint.Vlan) ipFlow := self.flowDb[flowId] if ipFlow == nil { - log.Errorf("Error finding the flow for endpoint: %+v", endpoint) + log.Errorf("Error finding the flow to remove by IP and VLAN for endpoint: %+v", endpoint) return errors.New("Flow not found") } 
@@ -988,7 +991,7 @@ func (self *Vrouter) AddRemoteIpv6Flow(endpoint *OfnetEndpoint) error { } //set vrf id as METADATA - metadata, metadataMask := Vrfmetadata(*vrfid) + metadata, metadataMask := VrfDestMetadata(*vrfid) // Install the IP address ipv6Flow, err := self.ipTable.NewFlow(ofctrl.FlowMatch{ @@ -1038,7 +1041,7 @@ func (self *Vrouter) RemoveRemoteIpv6Flow(endpoint *OfnetEndpoint) error { flowId := self.agent.getEndpointIdByIpVlan(endpoint.Ipv6Addr, endpoint.Vlan) ipv6Flow := self.flowDb[flowId] if ipv6Flow == nil { - log.Errorf("Error finding the flow for endpoint: %+v", endpoint) + log.Errorf("Error finding the IPv6 flow for removal by IP and VLAN for endpoint: %+v", endpoint) return errors.New("Flow not found") } @@ -1323,14 +1326,6 @@ func VrfSrcMetadata(vrfid uint16) (uint64, uint64) { return metadata, metadataMask } -func Vrfmetadata(vrfid uint16) (uint64, uint64) { - metadata := uint64(vrfid) << 32 - metadataMask := uint64(0xFF00000000) - metadata = metadata & metadataMask - - return metadata, metadataMask -} - //FlushEndpoints flushes endpoints from ovs func (self *Vrouter) FlushEndpoints(endpointType int) { } diff --git a/vendor/github.com/contiv/ofnet/vxlanBridge.go b/vendor/github.com/contiv/ofnet/vxlanBridge.go index 889f7d58e..168c5392e 100755 --- a/vendor/github.com/contiv/ofnet/vxlanBridge.go +++ b/vendor/github.com/contiv/ofnet/vxlanBridge.go 
@@ -490,10 +490,11 @@ func (self *Vxlan) AddVtepPort(portNo uint32, remoteIp net.IP) error { return fmt.Errorf("Unable to find vrf for vlan %v", *vlan) } //set vrf id as METADATA - vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid) + vrfmetadata, vrfmetadataMask := VrfSrcMetadata(*vrfid) + dstVrfMetadata, dstVrfMetadataMask := VrfDestMetadata(*vrfid) - metadata := METADATA_RX_VTEP | vrfmetadata - metadataMask := METADATA_RX_VTEP | vrfmetadataMask + metadata := METADATA_RX_VTEP | vrfmetadata | dstVrfMetadata + metadataMask := METADATA_RX_VTEP | vrfmetadataMask | dstVrfMetadataMask portVlanFlow.SetMetadata(metadata, metadataMask) @@ -620,10 +621,11 @@ func (self *Vxlan) AddVlan(vlanId uint16, vni uint32, vrf string) error { return fmt.Errorf("Unable to find vrf for vlan %v", *vlan) } //set vrf id as METADATA - vrfmetadata, vrfmetadataMask := Vrfmetadata(*vrfid) + vrfmetadata, vrfmetadataMask := VrfSrcMetadata(*vrfid) + dstVrfMetadata, dstVrfMetadataMask := VrfDestMetadata(*vrfid) - metadata := METADATA_RX_VTEP | vrfmetadata - metadataMask := METADATA_RX_VTEP | vrfmetadataMask + metadata := METADATA_RX_VTEP | vrfmetadata | dstVrfMetadata + metadataMask := METADATA_RX_VTEP | vrfmetadataMask | dstVrfMetadataMask portVlanFlow.SetMetadata(metadata, metadataMask)