diff --git a/cleanup.sh b/cleanup.sh
new file mode 100755
index 0000000..0a0488f
--- /dev/null
+++ b/cleanup.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+for mach in machines/*; do
+	statedir="state/${mach##*/}"
+	rm -rvf "$statedir"
+done
diff --git a/init-shim.sh b/init-shim.sh
new file mode 100755
index 0000000..5b7c972
--- /dev/null
+++ b/init-shim.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+unshare -rnm ./init.sh
diff --git a/init.sh b/init.sh
new file mode 100755
index 0000000..805f6a1
--- /dev/null
+++ b/init.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -eu
+for mach in machines/*; do
+	$mach/run-shim.sh
+done
+
+tmux
diff --git a/lib.shs b/lib.shs
new file mode 100644
index 0000000..3031f74
--- /dev/null
+++ b/lib.shs
@@ -0,0 +1,24 @@
+#!/bin/false
+
+mach=$(basename $(dirname "$0"))
+
+netns=netns
+nethorror_root="`pwd`" # and hope?
+
+ensure_started() {
+	test -e state/$mach/$netns || machines/$mach/start.sh
+}
+
+attach() {
+	machines/$mach/attach.sh "$@"
+}
+
+setup_statedir() {
+	dir="state/$mach"
+	mkdir "$dir"
+	for ns in $namespaces; do
+		nsfile="${ns#*=}"
+		touch "$nsfile"
+	done
+}
+
diff --git a/machines/iana/attach.sh b/machines/iana/attach.sh
new file mode 100755
index 0000000..9d0b686
--- /dev/null
+++ b/machines/iana/attach.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -eu
+. ./lib.shs
+. machines/$mach/opts.shs
+
+nsenter --wdns=$nethorror_root $namespaces "$@"
diff --git a/machines/iana/opts.shs b/machines/iana/opts.shs
new file mode 100644
index 0000000..f0998ef
--- /dev/null
+++ b/machines/iana/opts.shs
@@ -0,0 +1,3 @@
+#!/bin/false
+
+namespaces="--net=./state/$mach/netns --mount=./state/$mach/mntns"
diff --git a/machines/iana/run-shim.sh b/machines/iana/run-shim.sh
new file mode 100755
index 0000000..2f42dd8
--- /dev/null
+++ b/machines/iana/run-shim.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eu
+. ./lib.shs
+
+ensure_started
+attach machines/$mach/setup.sh
diff --git a/machines/iana/setup.sh b/machines/iana/setup.sh
new file mode 100755
index 0000000..667db30
--- /dev/null
+++ b/machines/iana/setup.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -eu
+
+# typically: bring up the networks
+# TODO: veth naming?
+
+# dummy for now:
+ip route add unreachable 192.168.3.0/24
diff --git a/machines/iana/start.sh b/machines/iana/start.sh
new file mode 100755
index 0000000..9a0474c
--- /dev/null
+++ b/machines/iana/start.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -eu
+. ./lib.shs
+. machines/$mach/opts.shs
+
+setup_statedir
+
+unshare $namespaces /bin/true # just create the namespaces
+
+# TODO: connect to the bridges
diff --git a/state/gitkeep b/state/gitkeep
new file mode 100644
index 0000000..e69de29