diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index f2b766e78b..7bb4f7b1c9 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -398,11 +398,11 @@
 		},
 		{
 			"ImportPath": "github.com/vishvananda/netlink",
-			"Rev": "f9bc7a684edbe780a09b87689db6cb1706bf327f"
+			"Rev": "b824519a9a33e5a757ba599209d66a34be8361b1"
 		},
 		{
 			"ImportPath": "github.com/vishvananda/netlink/nl",
-			"Rev": "f9bc7a684edbe780a09b87689db6cb1706bf327f"
+			"Rev": "b824519a9a33e5a757ba599209d66a34be8361b1"
 		},
 		{
 			"ImportPath": "github.com/vishvananda/netns",
diff --git a/Godeps/_workspace/src/github.com/vishvananda/netlink/Makefile b/Godeps/_workspace/src/github.com/vishvananda/netlink/Makefile
index 75f3429836..8dc5a92e98 100644
--- a/Godeps/_workspace/src/github.com/vishvananda/netlink/Makefile
+++ b/Godeps/_workspace/src/github.com/vishvananda/netlink/Makefile
@@ -18,7 +18,7 @@ $(call goroot,$(DEPS)):
 
 .PHONY: $(call testdirs,$(DIRS))
 $(call testdirs,$(DIRS)):
-	sudo -E go test -v github.com/vishvananda/netlink/$@
+	sudo -E go test -test.parallel 4 -timeout 60s -v github.com/vishvananda/netlink/$@
 
 $(call fmt,$(call testdirs,$(DIRS))):
 	! gofmt -l $(subst fmt-,,$@)/*.go | grep ''
diff --git a/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/nl_linux.go b/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/nl_linux.go
index 1e5233b932..8306890526 100644
--- a/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/nl_linux.go
+++ b/Godeps/_workspace/src/github.com/vishvananda/netlink/nl/nl_linux.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net"
 	"runtime"
+	"sync"
 	"sync/atomic"
 	"syscall"
 	"unsafe"
@@ -233,6 +234,9 @@ func (req *NetlinkRequest) Execute(sockType int, resType uint16) ([][]byte, erro
 			return nil, err
 		}
 		defer s.Close()
+	} else {
+		s.Lock()
+		defer s.Unlock()
 	}
 
 	if err := s.Send(req); err != nil {
@@ -302,6 +306,7 @@ func NewNetlinkRequest(proto, flags int) *NetlinkRequest {
 type NetlinkSocket struct {
 	fd  int
 	lsa syscall.SockaddrNetlink
+	sync.Mutex
 }
 
 func getNetlinkSocket(protocol int) (*NetlinkSocket, error) {
diff --git a/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state.go b/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state.go
index 662de8d8e0..7f38bfa226 100644
--- a/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state.go
+++ b/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state.go
@@ -3,6 +3,8 @@ package netlink
 import (
 	"fmt"
 	"net"
+
+	"github.com/vishvananda/netlink/nl"
 )
 
 // XfrmStateAlgo represents the algorithm to use for the ipsec encryption.
@@ -47,6 +49,18 @@ func (e XfrmStateEncap) String() string {
 		e.Type, e.SrcPort, e.DstPort, e.OriginalAddress)
 }
 
+// XfrmStateLimits represents the configured limits for the state.
+type XfrmStateLimits struct {
+	ByteSoft    uint64
+	ByteHard    uint64
+	PacketSoft  uint64
+	PacketHard  uint64
+	TimeSoft    uint64
+	TimeHard    uint64
+	TimeUseSoft uint64
+	TimeUseHard uint64
+}
+
 // XfrmState represents the state of an ipsec policy. It optionally
 // contains an XfrmStateAlgo for encryption and one for authentication.
 type XfrmState struct {
@@ -57,6 +71,7 @@ type XfrmState struct {
 	Spi          int
 	Reqid        int
 	ReplayWindow int
+	Limits       XfrmStateLimits
 	Mark         *XfrmMark
 	Auth         *XfrmStateAlgo
 	Crypt        *XfrmStateAlgo
@@ -67,3 +82,19 @@ func (sa XfrmState) String() string {
 	return fmt.Sprintf("Dst: %v, Src: %v, Proto: %s, Mode: %s, SPI: 0x%x, ReqID: 0x%x, ReplayWindow: %d, Mark: %v, Auth: %v, Crypt: %v, Encap: %v",
 		sa.Dst, sa.Src, sa.Proto, sa.Mode, sa.Spi, sa.Reqid, sa.ReplayWindow, sa.Mark, sa.Auth, sa.Crypt, sa.Encap)
 }
+func (sa XfrmState) Print(stats bool) string {
+	if !stats {
+		return sa.String()
+	}
+
+	return fmt.Sprintf("%s, ByteSoft: %s, ByteHard: %s, PacketSoft: %s, PacketHard: %s, TimeSoft: %d, TimeHard: %d, TimeUseSoft: %d, TimeUseHard: %d",
+		sa.String(), printLimit(sa.Limits.ByteSoft), printLimit(sa.Limits.ByteHard), printLimit(sa.Limits.PacketSoft), printLimit(sa.Limits.PacketHard),
+		sa.Limits.TimeSoft, sa.Limits.TimeHard, sa.Limits.TimeUseSoft, sa.Limits.TimeUseHard)
+}
+
+func printLimit(lmt uint64) string {
+	if lmt == nl.XFRM_INF {
+		return "(INF)"
+	}
+	return fmt.Sprintf("%d", lmt)
+}
diff --git a/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state_linux.go b/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state_linux.go
index f4d6562059..5f294c713d 100644
--- a/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state_linux.go
+++ b/Godeps/_workspace/src/github.com/vishvananda/netlink/xfrm_state_linux.go
@@ -3,6 +3,7 @@ package netlink
 import (
 	"fmt"
 	"syscall"
+	"unsafe"
 
 	"github.com/vishvananda/netlink/nl"
 )
@@ -85,10 +86,7 @@ func (h *Handle) xfrmStateAddOrUpdate(state *XfrmState, nlProto int) error {
 	msg.Id.Spi = nl.Swap32(uint32(state.Spi))
 	msg.Reqid = uint32(state.Reqid)
 	msg.ReplayWindow = uint8(state.ReplayWindow)
-	msg.Lft.SoftByteLimit = nl.XFRM_INF
-	msg.Lft.HardByteLimit = nl.XFRM_INF
-	msg.Lft.SoftPacketLimit = nl.XFRM_INF
-	msg.Lft.HardPacketLimit = nl.XFRM_INF
+	limitsToLft(state.Limits, &msg.Lft)
 	req.AddData(msg)
 
 	if state.Auth != nil {
@@ -242,6 +240,7 @@ func parseXfrmState(m []byte, family int) (*XfrmState, error) {
 	state.Spi = int(nl.Swap32(msg.Id.Spi))
 	state.Reqid = int(msg.Reqid)
 	state.ReplayWindow = int(msg.ReplayWindow)
+	lftToLimits(&msg.Lft, &state.Limits)
 
 	attrs, err := nl.ParseRouteAttr(m[nl.SizeofXfrmUsersaInfo:])
 	if err != nil {
@@ -312,3 +311,34 @@ func (h *Handle) XfrmStateFlush(proto Proto) error {
 
 	return nil
 }
+
+func limitsToLft(lmts XfrmStateLimits, lft *nl.XfrmLifetimeCfg) {
+	if lmts.ByteSoft != 0 {
+		lft.SoftByteLimit = lmts.ByteSoft
+	} else {
+		lft.SoftByteLimit = nl.XFRM_INF
+	}
+	if lmts.ByteHard != 0 {
+		lft.HardByteLimit = lmts.ByteHard
+	} else {
+		lft.HardByteLimit = nl.XFRM_INF
+	}
+	if lmts.PacketSoft != 0 {
+		lft.SoftPacketLimit = lmts.PacketSoft
+	} else {
+		lft.SoftPacketLimit = nl.XFRM_INF
+	}
+	if lmts.PacketHard != 0 {
+		lft.HardPacketLimit = lmts.PacketHard
+	} else {
+		lft.HardPacketLimit = nl.XFRM_INF
+	}
+	lft.SoftAddExpiresSeconds = lmts.TimeSoft
+	lft.HardAddExpiresSeconds = lmts.TimeHard
+	lft.SoftUseExpiresSeconds = lmts.TimeUseSoft
+	lft.HardUseExpiresSeconds = lmts.TimeUseHard
+}
+
+func lftToLimits(lft *nl.XfrmLifetimeCfg, lmts *XfrmStateLimits) {
+	*lmts = *(*XfrmStateLimits)(unsafe.Pointer(lft))
+}