--- /etc/xensource/scripts/vif.orig 2011-02-17 15:43:24.000000000 +0300
+++ /etc/xensource/scripts/vif 2011-09-23 19:10:30.000000000 +0400
@@ -24,6 +24,7 @@
 IP="/sbin/ip"
 vsctl="/usr/bin/ovs-vsctl"
+ofctl="/usr/bin/ovs-ofctl"
 handle_promiscuous() {
@@ -153,6 +154,58 @@
 esac
 }
+restrict_ipv4 ()
+{
+ p_bridge=`ovs-vsctl br-to-parent $bridge`
+ #applying acl for specified port and ipv4 address
+ logger -t scripts-vif "VIF uuid=$vif device=$dev ovs_port=$port bridge=$p_bridge/$bridge restricted to use IPv4 $IP only with mac $mac address."
+ $ofctl add-flow $p_bridge "in_port=$port priority=39000 dl_type=0x0800 nw_src=$IP dl_src=$mac idle_timeout=0 action=normal"
+ $ofctl add-flow $p_bridge "in_port=$port priority=38500 dl_type=0x0806 dl_src=$mac nw_src=$IP idle_timeout=0 action=normal"
+ $ofctl add-flow $p_bridge "in_port=$port priority=38000 idle_timeout=0 action=drop"
+
+}
+
+apply_restriction()
+{
+ #we reading file $IP_RESTRICTION (f.e. /etc/xensource/ip_restriction.conf) and apply it
+ #we supports only for openvswitch mode and silently ignore all others NETWORK_MODE
+ if [[ $NETWORK_MODE != "openvswitch" ]]; then
+ return 0
+ fi
+ vif=$(xenstore-read "${PRIVATE}/vif-uuid" 2>/dev/null)
+ if [ -n "${vif}" ] ; then
+ bridge=$(xenstore-read "${PRIVATE}/bridge")
+ port=`$vsctl get Interface $dev ofport`
+ if [ -n "${bridge}" -a -n "${port}" ]; then
+ IP=`/usr/bin/get_ip $vif`
+ if [ -n "${IP}" ]; then
+ mac=$(xenstore-read "/local/domain/$DOMID/device/vif/$DEVID/mac" 2>/dev/null)
+ restrict_ipv4
+ #here will be autoselection between IPv4 and IPv6 address to apply different filters
+ fi
+ fi
+
+ fi
+
+}
+
+clear_restriction()
+{
+ #we clear all restriction for port
+ #we supports only for openvswitch mode and silently ignore all others NETWORK_MODE
+ if [[ $NETWORK_MODE != "openvswitch" ]]; then
+ return 0
+ fi
+ port=`$vsctl get Interface $dev ofport`
+ bridge=`$vsctl port-to-br $dev`
+ p_bridge=`ovs-vsctl br-to-parent $bridge`
+ $ofctl del-flows $p_bridge "in_port=$port"
+ logger -t scripts-vif "cleaning all restriction for port $port device $dev in bridge $p_bridge"
+
+}
+
+
 NETWORK_MODE=$(cat /etc/xensource/network.conf)
 ACTION=$1
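Review bot: `IP=\`/usr/bin/get_ip $vif\`` in apply_restriction overwrites the script-wide `IP="/sbin/ip"` shown as context in the first hunk, so any later `$IP link ...` invocation in the add path (outside this hunk, but that variable is presumably the ip(8) command everywhere else) would try to execute the guest's address; the value needs its own name, e.g. `vif_ip=$(/usr/bin/get_ip "$vif")` and `if [ -n "${vif_ip}" ]; then`. The three `$ofctl add-flow` calls in restrict_ipv4 are unchecked and the allow rules go in before the drop rule, so a failure on the last call leaves the port fully open while syslog already reports it as restricted; clear_restriction has the same shape, logging "cleaning all restriction" whether or not `del-flows` succeeded, which matters because the `idle_timeout=0` rules are keyed only on `in_port` and would be inherited by whatever VIF next receives that ofport number. The xenstore/OVS-derived `$bridge`, `$port`, `$IP` and `$mac` are interpolated unquoted into ofctl arguments and logger text, `[ -a ]` is used instead of `&&`, and restrict_ipv4/clear_restriction call bare `ovs-vsctl` although the hunk defines `$ofctl` next to the existing `$vsctl`. The comment about reading `$IP_RESTRICTION` does not match the code, which obtains the address from /usr/bin/get_ip. The rewrite below installs the drop rule first, checks every OVS call and reads the address from the renamed variable; apply_restriction should then call `restrict_ipv4 || logger -t scripts-vif "failed to restrict $dev (ovs_port=$port)"`.
```shell
restrict_ipv4 ()
{
    p_bridge=$("$vsctl" br-to-parent "$bridge") || return 1
    # Drop rule first: a failure part-way leaves the port closed rather than open.
    "$ofctl" add-flow "$p_bridge" "in_port=$port priority=38000 idle_timeout=0 action=drop" || return 1
    "$ofctl" add-flow "$p_bridge" "in_port=$port priority=39000 dl_type=0x0800 nw_src=$vif_ip dl_src=$mac idle_timeout=0 action=normal" || return 1
    "$ofctl" add-flow "$p_bridge" "in_port=$port priority=38500 dl_type=0x0806 dl_src=$mac nw_src=$vif_ip idle_timeout=0 action=normal" || return 1
    # Log only once every rule is in place.
    logger -t scripts-vif "VIF uuid=$vif device=$dev ovs_port=$port bridge=$p_bridge/$bridge restricted to use IPv4 $vif_ip only with mac $mac address."
}
# … unchanged: apply_restriction apart from the vif_ip rename and checked call …
```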
@@ -206,6 +259,7 @@
 handle_mtu
 add_to_bridge
+ apply_restriction
 handle_promiscuous
 xenstore-write "${HOTPLUG}/vif" "${dev}"
@@ -219,6 +273,7 @@
 add)
 if [ "${TYPE}" = "tap" ] ; then
 add_to_bridge
+ apply_restriction
 fi
 ;;
@@ -227,6 +282,7 @@
 xenstore-rm "${HOTPLUG}/hotplug"
 fi
 logger -t scripts-vif "${dev} has been removed"
+ clear_restriction
 remove_from_bridge
 ;;
 esac
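Review bot: In both add-path hunks `apply_restriction` runs only after `add_to_bridge` has attached the port, so there is a window in which the guest forwards with no flows at all (OVS defaults to normal switching when no rule matches); the same ordering appears in the tap-type hunk at -219. If add_to_bridge (outside these hunks) also brings the link up, the restriction should be installed before that step, or at minimum the priority-38000 drop rule should be added as soon as the ofport exists and the allow rules afterwards. A comment on the call site would make the intent clear: `# must precede any step that brings ${dev} up; port forwards unfiltered until flows exist`. The enclosing `case` arms begin before these hunks.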