We don't want the system's iptables filter/FORWARD
rules to apply to traffic on our bridge.

diff -up xen-3.2.0/tools/examples/xen-network-common.sh.disable-iptables-on-bridge xen-3.2.0/tools/examples/xen-network-common.sh
--- xen-3.2.0/tools/examples/xen-network-common.sh.disable-iptables-on-bridge	2008-01-16 18:34:59.000000000 +0000
+++ xen-3.2.0/tools/examples/xen-network-common.sh	2008-02-18 22:54:18.000000000 +0000
@@ -109,6 +109,13 @@ create_bridge () {
 	brctl addbr ${bridge}
 	brctl stp ${bridge} off
 	brctl setfd ${bridge} 0
+	# Setting these to zero stops guest<->LAN traffic
+	# traversing the bridge from hitting the *tables
+	# rulesets. guest<->host traffic still gets processed
+	# by the host's iptables rules so this isn't a hole
+	sysctl -q -w "net.bridge.bridge-nf-call-arptables=0"
+	sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0"
+	sysctl -q -w "net.bridge.bridge-nf-call-iptables=0"
     fi
 }
 
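Review bot: The three `sysctl -w net.bridge.bridge-nf-call-*=0` writes are host-wide knobs, not properties of `${bridge}`: they also stop guest<->guest traffic on this bridge and all traffic on every other bridge on the host from reaching the *tables rulesets, and nothing in the script restores them when the bridge is deleted. The added comment should say so, e.g. `# NOTE: these sysctls are global (every bridge on the host), also exempt guest<->guest traffic, and are not restored on teardown`. `-q` only silences sysctl's own messages while the exit status is still dropped, so on a kernel without the bridge-nf entries the script continues silently with filtering still in effect; consider `sysctl -q -w "net.bridge.bridge-nf-call-iptables=0" || log err "bridge-nf sysctl failed"` if `log` is in scope in this file, which I cannot confirm from the hunk. Since bridged traffic no longer traverses iptables, any per-vif rules that depended on it (whatever `handle_iptable`, removed in the vif-bridge hunk, used to install) would no longer match, so this is effectively the end of dom0-side filtering of guest traffic rather than just the FORWARD chain. `create_bridge` begins before this hunk.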
diff -up xen-3.2.0/tools/examples/vif-bridge.disable-iptables-on-bridge xen-3.2.0/tools/examples/vif-bridge
--- xen-3.2.0/tools/examples/vif-bridge.disable-iptables-on-bridge	2008-01-16 18:34:59.000000000 +0000
+++ xen-3.2.0/tools/examples/vif-bridge	2008-02-18 22:54:18.000000000 +0000
@@ -91,8 +91,6 @@ case "$command" in
         ;;
 esac
 
-handle_iptable
-
 log debug "Successful vif-bridge $command for $vif, bridge $bridge."
 if [ "$command" == "online" ]
 then