diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
index 0fcec2555c4..48e66b1547b 100644
--- a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
@@ -2243,13 +2243,11 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
  isoPath = isoVol.getPath();
  DiskDef iso = new DiskDef();
- iso.defFileBasedDisk(isoPath, "hdc", DiskDef.diskBus.IDE, DiskDef.diskFmtType.RAW);
- iso.setDeviceType(DiskDef.deviceType.CDROM);
+ iso.defISODisk(isoPath);
  isoXml = iso.toString();
  } else {
  DiskDef iso = new DiskDef();
- iso.defFileBasedDisk(null, "hdc", DiskDef.diskBus.IDE, DiskDef.diskFmtType.RAW);
- iso.setDeviceType(DiskDef.deviceType.CDROM);
+ iso.defISODisk(null);
  isoXml = iso.toString();
  }
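Review bot: The two branches now differ only in the argument handed to `iso.defISODisk(...)`, so the `DiskDef iso = new DiskDef();` / `isoXml = iso.toString();` pair is duplicated on both sides of the `else`; if `isoPath` is null whenever no ISO volume is present (its declaration is outside the hunk), the whole if/else collapses to `DiskDef iso = new DiskDef(); iso.defISODisk(isoPath); isoXml = iso.toString();`. The helper presumably keeps the "hdc"/IDE/RAW/CDROM settings the removed lines spelled out, which is the same reserved slot the `getDevLabel` change in LibvirtVMDef.java depends on, so a call-site comment such as `// ISO always lands in the reserved CD-ROM slot; see DiskDef.defISODisk` would make that coupling visible. The enclosing block starts and ends outside the hunk.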
@@ -2259,43 +2257,44 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
  protected synchronized String attachOrDetachDisk(Connect conn, boolean attach, String vmName, String sourceFile, int devId) throws LibvirtException, InternalErrorException {
  List disks = null;
  Domain dm = null;
+ int deviceId = devId;
  try {
- dm = conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));
- LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
- String xml = dm.getXMLDesc(0);
- parser.parseDomainXML(xml);
- disks = parser.getDisks();
- } catch (LibvirtException e) {
- throw e;
+ if (!attach) {
+ dm = conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));
+ LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
+ String xml = dm.getXMLDesc(0);
+ parser.parseDomainXML(xml);
+ disks = parser.getDisks();
+
+ boolean diskAttached = false;
+
+ for (DiskDef disk : disks) {
+ String file = disk.getDiskPath();
+ if (file != null && file.equalsIgnoreCase(sourceFile)) {
+ deviceId = disk.getDiskSeq();
+ diskAttached = true;
+ break;
+ }
+ }
+ if (!diskAttached) {
+ throw new InternalErrorException("disk: " + sourceFile + " is not attached before");
+ }
+ }
+
+ DiskDef disk = new DiskDef();
+ String guestOSType = getGuestType(conn, vmName);
+ if (isGuestPVEnabled(guestOSType)) {
+ disk.defFileBasedDisk(sourceFile, deviceId, DiskDef.diskBus.VIRTIO, DiskDef.diskFmtType.QCOW2);
+ } else {
+ disk.defFileBasedDisk(sourceFile, deviceId, DiskDef.diskBus.SCSI, DiskDef.diskFmtType.QCOW2);
+ }
+ String xml = disk.toString();
+ return attachOrDetachDevice(conn, attach, vmName, xml);
  } finally {
  if (dm != null) {
  dm.free();
  }
  }
-
- if (!attach) {
- boolean diskAttached = false;
-
- for (DiskDef disk : disks) {
- if (disk.getDiskPath().equalsIgnoreCase(sourceFile)) {
- devId = disk.getDiskSeq();
- diskAttached = true;
- }
- }
- if (!diskAttached) {
- throw new InternalErrorException("disk: " + sourceFile + " is not attached before");
- }
- }
-
- DiskDef disk = new DiskDef();
- String guestOSType = getGuestType(conn, vmName);
- if (isGuestPVEnabled(guestOSType)) {
- disk.defFileBasedDisk(sourceFile, devId, DiskDef.diskBus.VIRTIO, DiskDef.diskFmtType.QCOW2);
- } else {
- disk.defFileBasedDisk(sourceFile, devId, DiskDef.diskBus.SCSI, DiskDef.diskFmtType.QCOW2);
- }
- String xml = disk.toString();
- return attachOrDetachDevice(conn, attach, vmName, xml);
  }
  private synchronized String attachOrDetachDevice(Connect conn, boolean attach, String vmName, String xml) throws LibvirtException, InternalErrorException{
@@ -3193,7 +3192,8 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
  cmd.add("--sig", sig);
  cmd.add("--seq", seq);
  cmd.add("--vmmac", mac);
- cmd.add("--rules", newRules);
+ if (rules != null)
+ cmd.add("--rules", newRules);
  String result = cmd.execute();
  if (result != null) {
  return false;
diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtVMDef.java b/agent/src/com/cloud/agent/resource/computing/LibvirtVMDef.java
index 092468b04d6..b69df8fabd3 100644
--- a/agent/src/com/cloud/agent/resource/computing/LibvirtVMDef.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtVMDef.java
@@ -303,9 +303,9 @@ public class LibvirtVMDef {
  _bus = bus;
  }
- /*device id starting from 0, but iso is 3*/
+ /*skip iso label*/
  private String getDevLabel(int devId, diskBus bus) {
- if ( devId >= 2 ) {
+ if ( devId == 2 ) {
  devId++;
  }
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 45e0a7304f2..df7c1c64926 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -115,7 +115,6 @@ def destroy_network_rules_for_vm(vm_name):
  delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
  if vm_name.startswith('i-') or vm_name.startswith('r-'):
- vmchain = '-'.join(vm_name.split('-')[:-1])
  vmchain_default = '-'.join(vm_name.split('-')[:-1]) + "-def"
  destroy_ebtables_rules(vmchain)
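Review bot: The new detach path's `dm = conn.domainLookupByUUID(UUID.nameUUIDFromBytes(vmName.getBytes()));` derives the domain UUID through the platform default charset, so the lookup only succeeds while every host, and the code that originally defined the domain, agree on that charset; if the definition side derives the UUID the same way (outside this diff), both should use an explicit `vmName.getBytes(StandardCharsets.UTF_8)` or a shared helper rather than fixing one side alone. The rewritten loop also `break`s on the first path match where the old loop kept the last match, and `disks` is still a raw `List`; `List<DiskDef> disks` would remove the unchecked iteration. A javadoc line stating that `devId` is ignored on detach and replaced by the device sequence read from the live domain XML would document the new `deviceId` contract. The `attachOrDetachDevice` signature at the end of the hunk continues outside it.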
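Review bot: The new guard in the `--rules` hunk tests `rules` but the value passed is `newRules`; if `newRules` is derived from `rules` outside the hunk the two are probably null together, but guarding the value actually used is clearer and a brace-less `if` is a style flag: `if (newRules != null) { cmd.add("--rules", newRules); }`. When the flag is omitted the script is invoked without `--rules` at all, so the script's handling of a missing argument (outside this diff) should be confirmed. The enclosing method starts and ends outside the hunk.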
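Review bot: With `if ( devId == 2 )` in `getDevLabel` only id 2 is bumped, so `devId` 2 and `devId` 3 now both yield the label for slot 3, whereas the old `>=` shifted every later id and kept labels unique. That is only safe if callers never pass 3 while the reserved slot is in use (the attach path in LibvirtComputingResource.java forwards the caller's `devId` unchanged), so the replacement comment `/*skip iso label*/` is too thin; something like `/* slot 2 is reserved for the ISO (hdc): map 2 -> 3 so a data disk never takes the CD-ROM label; other ids are passed through */` states the assumption. The rest of `getDevLabel` is outside the hunk.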
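Review bot: The security_group.py hunk removes `vmchain = '-'.join(vm_name.split('-')[:-1])` while the context line `destroy_ebtables_rules(vmchain)` still reads `vmchain`; unless `vmchain` is bound earlier in `destroy_network_rules_for_vm` (outside the hunk), this branch now raises `NameError` for `i-`/`r-` VMs. If it is bound earlier to the same truncated name, `vmchain_default` could be built from it as `vmchain_default = vmchain + "-def"` so the chain name is derived in one place. The function continues past the hunk.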
@@ -183,12 +182,12 @@ def default_ebtables_rules(vm_name, rules):
  vm_mac = r.split(",")[1]
  vif = r.split(",")[2]
  execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -s ! " + vm_mac + " -j DROP")
- execute("ebtables -t nat -A " + vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
- execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
- execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-ip-src ! " + vm_ip + " -j DROP")
- execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")
- execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Reply -j ACCEPT")
- execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j DROP")
+ execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -p ARP -s ! " + vm_mac + " -j DROP")
+ execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
+ execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -p ARP --arp-ip-src ! " + vm_ip + " -j DROP")
+ execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -p ARP --arp-op Request -j ACCEPT")
+ execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -p ARP --arp-op Reply -j ACCEPT")
+ execute("ebtables -t nat -A " + vmchain_in + " -i " + vif + " -p ARP -j DROP")
  except:
  logging.exception("Failed to program default ebtables IN rules")
  return 'false'
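Review bot: Each new `execute("ebtables ... -i " + vif + ...)` line splices `vif`, `vm_mac` and `vm_ip` straight from `r.split(",")` into the command string; if `execute` hands that string to a shell (its definition is outside the diff), a malformed field is interpreted by the shell instead of being rejected by ebtables, so validating each field against the expected interface-name, MAC and dotted-quad form before use, or passing an argument list rather than a string, is the safer shape. The same applies to the OUT rules in the next hunk, which add `vif = r.split(",")[2]` as well. A rule entry with fewer than three fields now fails at `r.split(",")[2]` and surfaces only through the bare `except:` as a generic failure; logging the offending entry would help diagnosis. The `try` block begins outside the hunk.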
@@ -197,11 +196,12 @@ def default_ebtables_rules(vm_name, rules):
  for r in rule:
  vm_ip = r.split(",")[0]
  vm_mac = r.split(",")[1]
- execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply --arp-mac-dst ! " + vm_mac + " -j DROP")
- execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-ip-dst ! " + vm_ip + " -j DROP")
- execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Request -j ACCEPT")
- execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply -j ACCEPT")
- execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j DROP")
+ vif = r.split(",")[2]
+ execute("ebtables -t nat -A " + vmchain_out + " -i " + vif + " -p ARP --arp-op Reply --arp-mac-dst ! " + vm_mac + " -j DROP")
+ execute("ebtables -t nat -A " + vmchain_out + " -i " + vif + " -p ARP --arp-ip-dst ! " + vm_ip + " -j DROP")
+ execute("ebtables -t nat -A " + vmchain_out + " -i " + vif + " -p ARP --arp-op Request -j ACCEPT")
+ execute("ebtables -t nat -A " + vmchain_out + " -i " + vif + " -p ARP --arp-op Reply -j ACCEPT")
+ execute("ebtables -t nat -A " + vmchain_out + " -i " + vif + " -p ARP -j DROP")
  except:
  logging.debug("Failed to program default ebtables OUT rules")
  return 'false'
@@ -455,7 +455,8 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
  return 'true'
  if rules == "" or rules == None:
- return 'true'
+ write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)
+ return 'true'
  lines = rules.split(';')[:-1]
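Review bot: The OUT-chain rules now all carry `-i " + vif`, which matches the interface a frame arrived on; if `vmchain_out` is reached from POSTROUTING keyed on `-o vif` (the chain setup is outside the hunk), frames heading to the VM arrive on another port, none of these rules match, and the trailing `-p ARP -j DROP` never fires, so the outbound ARP filtering would silently stop applying rather than fail loudly. For that direction the match should be `-o " + vif` on each line, or the interface qualifier left to the jump rule. A comment naming which traffic direction each chain sees would make the choice checkable. The surrounding `try` begins outside the hunk.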
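Review bot: The new call `write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)` in the `add_network_rules` hunk uses `vmName` and `domId`, neither of which is a parameter of `add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules)`; unless both are bound earlier in the function (outside the hunk), the empty-rules path now raises `NameError` instead of returning `'true'`. If they are bound, a one-line comment on why an empty ruleset is still recorded before the early return would save the next reader a trip to `write_rule_log_for_vm`. The function continues outside the hunk.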