diff -ru xen-3.0.3_0-src.orig/tools/examples/vif-bridge xen-3.0.3_0-src.new/tools/examples/vif-bridge
--- xen-3.0.3_0-src.orig/tools/examples/vif-bridge 2006-10-15 08:22:03.000000000 -0400
+++ xen-3.0.3_0-src.new/tools/examples/vif-bridge 2006-10-26 22:24:18.000000000 -0400
@@ -30,6 +30,7 @@
 #============================================================================
 dir=$(dirname "$0")
+vifmode="bridge"
 . "$dir/vif-common.sh"
 bridge=${bridge:-}
diff -ru xen-3.0.3_0-src.orig/tools/examples/vif-common.sh xen-3.0.3_0-src.new/tools/examples/vif-common.sh
--- xen-3.0.3_0-src.orig/tools/examples/vif-common.sh 2006-10-15 08:22:03.000000000 -0400
+++ xen-3.0.3_0-src.new/tools/examples/vif-common.sh 2006-10-26 22:23:58.000000000 -0400
@@ -51,7 +51,7 @@
 # Check presence of compulsory args.
 XENBUS_PATH="${XENBUS_PATH:?}"
 vif="${vif:?}"
-
+vifmode="${vifmode:=raw}"
 vifname=$(xenstore_read_default "$XENBUS_PATH/vifname" "")
 if [ "$vifname" ]
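Review bot: `vifmode="${vifmode:=raw}"` in the vif-common.sh hunk assigns the variable twice, since `:=` already stores the default; the form used elsewhere in these scripts is `${var:-default}` (see `bridge=${bridge:-}` in the vif-bridge hunk above), so `vifmode="${vifmode:-raw}"` would read consistently. Because vif-common.sh is sourced, the value comes from whatever the calling script or its environment set, so only scripts that assign it explicitly, as vif-bridge now does, get a mode other than raw.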
@@ -63,25 +63,35 @@
 vif="$vifname"
 fi
+function do_iptables
+{
+ if [ "$vifmode" = "raw" ]
+ then
+ iptables "$@" -i "$vif" 2>/dev/null || \
+ [ "$1" == "-D" ] || log err \
+ "iptables $@ -i $vif failed.
+If you are using iptables, this may affect networking for guest domains."
+ else
+ iptables "$@" -m physdev --physdev-in "$vif" 2>/dev/null || \
+ [ "$1" == "-D" ] || log err \
+ "iptables $@ -m physdev --physdev-in $vif failed.
+If you are using iptables, this may affect networking for guest domains."
+ fi
+}
 function frob_iptable()
 {
 if [ "$command" == "online" ]
 then
- local c="-A"
+ local c="-I"
 else
 local c="-D"
 fi
- iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
- 2>/dev/null ||
- [ "$c" == "-D" ] ||
- log err \
- "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed.
-If you are using iptables, this may affect networking for guest domains."
+ do_iptables "$c" INPUT "$@" -j ACCEPT
+ do_iptables "$c" FORWARD "$@" -j ACCEPT
 }
-
 ##
 # Add or remove the appropriate entries in the iptables. With antispoofing
 # turned on, we have to explicitly allow packets to the interface, regardless
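Review bot: Changing `-A` to `-I` in frob_iptable and adding an INPUT rule means the per-vif ACCEPT is now inserted at the head of both INPUT and FORWARD, ahead of any rule the administrator already keeps there; the INPUT rule in particular admits traffic from the guest's vif to dom0 itself before the host's own rules see it, and is narrowed to the guest's addresses only when the caller passes a `-s` match through `"$@"` (frob_iptable's callers are outside this hunk). The commit does not record why head insertion is required; if `-A` cannot be kept, a comment on `local c="-I"` stating the ordering requirement would help, and putting these rules in a dedicated chain that the administrator jumps to would leave site rules in control. In do_iptables any `$vifmode` value other than `raw` silently takes the physdev branch, so a `case "$vifmode" in raw) …;; bridge) …;; *) log err "unknown vifmode: $vifmode"; return 1;; esac` would reject a mistyped mode instead of applying the wrong match. The log messages interpolate `$@` inside double quotes, which splits the message into several arguments to `log`; `$*` is what is meant there, e.g. `"iptables $* -i $vif failed.`.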