--- orig/xen/common/domain.c
+++ mod/xen/common/domain.c
@@ -128,6 +128,7 @@
 void __kill_domain(struct task_struct *p)
 {
 extern void destroy_event_channels(struct task_struct *);
+ extern void delete_all_domain_rules(domid_t);
 int i;
 struct task_struct **pp;
@@ -152,6 +153,7 @@
 unlink_net_vif(p->net_vif_list[i]);
 destroy_event_channels(p);
+ delete_all_domain_rules(p->domain);
 /*
 * Note this means that find_domain_by_id may fail, even when the caller
--- orig/xen/common/network.c
+++ mod/xen/common/network.c
@@ -312,6 +312,28 @@
 write_unlock(&net_rule_lock);
 return 0;
 }
+
+void delete_all_domain_rules(domid_t dom_id)
+{
+ net_rule_ent_t **pent, *ent;
+
+ write_lock(&net_rule_lock);
+
+ for ( pent = &net_rule_list; pent != NULL && (ent=*pent); )
+ {
+
+ if ( ent->r.src_dom==dom_id || ent->r.dst_dom==dom_id )
+ {
+ *pent = ent->next;
+ kmem_cache_free(net_rule_cache, ent);
+ continue;
+ }
+
+ pent = &ent->next;
+ }
+ write_unlock(&net_rule_lock);
+}
+
 static char *idx_to_name(unsigned int idx)
 {
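Review bot: The block-scope `extern void delete_all_domain_rules(domid_t);` added at the top of `__kill_domain` in domain.c repeats the prototype by hand, so the compiler cannot check it against the definition in network.c if the parameter type ever changes. It mirrors the existing `destroy_event_channels` declaration next to it, but a prototype in a header included by both files would catch a mismatch at build time. `__kill_domain` continues outside the hunk.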
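Review bot: The new call `delete_all_domain_rules(p->domain);` in the second domain.c hunk carries no comment saying why rule cleanup belongs in the kill path; a line such as `/* Remove network rules naming this domain so they cannot outlive it. */` above it would record the intent. The cleanup is a single pass, and whether a rule naming this domain id can still be added after this point is not visible here. That is worth confirming against the rule-add path, since such a rule would survive the domain. The enclosing function starts and ends outside the hunk.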
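Review bot: In `delete_all_domain_rules` (network.c) the loop test `pent != NULL` can never be false, because `pent` always holds the address of `net_rule_list` or of an entry's `next` field. The condition can be reduced to `(ent = *pent) != NULL`, which also makes the assignment in the test explicit. The function has no header comment; one stating that it frees every rule whose `src_dom` or `dst_dom` equals `dom_id`, with `net_rule_lock` held for writing, would help callers. The empty `+` line right after the loop's opening brace can be dropped.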