--- xen-4.5.1/tools/hotplug/Linux/vif-bridge.orig	2015-10-01 17:51:47.613981230 +0200
+++ xen-4.5.1/tools/hotplug/Linux/vif-bridge	2015-10-01 17:51:51.330647734 +0200
@@ -93,8 +93,6 @@
         ;;
 esac
 
-handle_iptable
-
 call_hooks vif post
 
 log debug "Successful vif-bridge $command for $dev, bridge $bridge."
--- xen-4.14.3/tools/hotplug/Linux/xen-network-common.sh.orig	2021-11-06 16:48:34.064333399 +0100
+++ xen-4.14.3/tools/hotplug/Linux/xen-network-common.sh	2021-11-06 16:52:40.099667177 +0100
@@ -118,6 +118,13 @@ create_bridge () {
         else
             ip link add name ${bridge} type bridge stp_state 0 forward_delay 0
         fi
+	# Setting these to zero stops guest<->LAN traffic
+	# traversing the bridge from hitting the *tables
+	# rulesets. guest<->host traffic still gets processed
+	# by the host's iptables rules so this isn't a hole
+	sysctl -q -w "net.bridge.bridge-nf-call-arptables=0"
+	sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0"
+	sysctl -q -w "net.bridge.bridge-nf-call-iptables=0"
     fi
 }