--- xen-4.1.0-orig/tools/hotplug/Linux/vif-bridge	2008-08-22 10:49:07.000000000 +0100
+++ xen-4.1.0-new/tools/hotplug/Linux/vif-bridge	2008-08-29 11:29:38.000000000 +0100
@@ -96,10 +96,6 @@ case "$command" in
         ;;
 esac
 
-if [ "$type_if" = vif ]; then
-    handle_iptable
-fi
-
 call_hooks vif post
 
 log debug "Successful vif-bridge $command for $dev, bridge $bridge."
--- xen-3.3.0-orig/tools/hotplug/Linux/xen-network-common.sh	2008-08-22 10:49:07.000000000 +0100
+++ xen-3.3.0-new/tools/hotplug/Linux/xen-network-common.sh	2008-08-29 11:29:38.000000000 +0100
@@ -99,6 +99,13 @@ create_bridge () {
 	brctl addbr ${bridge}
 	brctl stp ${bridge} off
 	brctl setfd ${bridge} 0
+	# Setting these to zero stops guest<->LAN traffic
+	# traversing the bridge from hitting the *tables
+	# rulesets. guest<->host traffic still gets processed
+	# by the host's iptables rules so this isn't a hole
+	sysctl -q -w "net.bridge.bridge-nf-call-arptables=0"
+	sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0"
+	sysctl -q -w "net.bridge.bridge-nf-call-iptables=0"
     fi
 }