diff --git a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
index 47a905c1fe6..8598b9fa29b 100644
--- a/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
+++ b/agent/src/com/cloud/agent/resource/computing/LibvirtComputingResource.java
@@ -79,6 +79,7 @@ import com.cloud.agent.api.CheckHealthCommand;
 import com.cloud.agent.api.CheckStateCommand;
 import com.cloud.agent.api.CheckVirtualMachineAnswer;
 import com.cloud.agent.api.CheckVirtualMachineCommand;
+import com.cloud.agent.api.CleanupNetworkRulesCmd;
 import com.cloud.agent.api.Command;
 import com.cloud.agent.api.CreatePrivateTemplateFromSnapshotCommand;
 import com.cloud.agent.api.CreatePrivateTemplateFromVolumeCommand;
@@ -869,6 +870,8 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 return execute((NetworkUsageCommand) cmd);
 } else if (cmd instanceof NetworkRulesSystemVmCommand) {
 return execute((NetworkRulesSystemVmCommand)cmd);
+ } else if (cmd instanceof CleanupNetworkRulesCmd) {
+ return execute((CleanupNetworkRulesCmd)cmd);
 } else {
 s_logger.warn("Unsupported command ");
 return Answer.createUnsupportedCommandAnswer(cmd);
@@ -1574,6 +1577,11 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 }
 }
 
+ private Answer execute(CleanupNetworkRulesCmd cmd) {
+ boolean result = cleanup_rules();
+ return new Answer(cmd, result, "");
+ }
+
 protected GetVncPortAnswer execute(GetVncPortCommand cmd) {
 try {
 Connect conn = LibvirtConnection.getConnection();
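Review bot: The `Answer` built in the new `execute(CleanupNetworkRulesCmd)` handler always carries an empty details string, so when `cleanup_rules()` returns false the management server learns only that cleanup failed, not why. The reason is available but dropped: `cleanup_rules()` (hunk at -3500 of this file) discards the non-null string from `cmd.execute()` that signals failure, and it also returns false when `_can_bridge_firewall` is unset, which the caller cannot tell apart from a script failure. Consider having `cleanup_rules()` return that string (null on success) and passing it through, `String result = cleanup_rules(); return new Answer(cmd, result == null, result);`, or at least logging `result` at warn level before returning false. The sibling handler `execute(GetVncPortCommand)` just below is `protected` while the new one is `private`, which reads as an oversight rather than a choice.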
@@ -3500,6 +3508,19 @@ public class LibvirtComputingResource extends ServerResourceBase implements Serv
 return true;
 }
 
+ private boolean cleanup_rules() {
+ if (!_can_bridge_firewall) {
+ return false;
+ }
+ Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
+ cmd.add("cleanup_rules");
+ String result = cmd.execute();
+ if (result != null) {
+ return false;
+ }
+ return true;
+ }
+
 private String get_rule_logs_for_vms() {
 Script cmd = new Script(_securityGroupPath, _timeout, s_logger);
 cmd.add("get_rule_logs_for_vms");
diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index abd7da8c441..e8597a2c7e0 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -434,7 +434,6 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
 try:
 vmName = vm_name
 domId = getvmId(vmName)
- vm_name = '-'.join(vm_name.split('-')[:-1])
 vmchain = vm_name
 changes = check_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno)
@@ -447,14 +446,17 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
 logging.debug("Change detected in vmId or vmIp or domId, resetting default rules")
 default_network_rules(vmName, vm_ip, vm_id, vmMac)
+ if rules == "" or rules == None:
+ return 'true'
+
 lines = rules.split(';')
 print lines
 logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name)
 #iptables('-F', vmchain)
- print lines
 for line in lines:
+
 tokens = line.split(':')
 if len(tokens) != 4:
 continue
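Review bot: The early return added before `lines = rules.split(';')` compares with `rules == None`; the idiomatic test is `if not rules: return 'true'`, which covers None and the empty string in one check. More importantly, that return bypasses the `write_rule_log_for_vm(...)` call at the end of the function, so the stored signature and seqno are never updated for a VM whose rule set became empty, and unless `default_network_rules` ran just above because a change was detected, whatever ACCEPT rules were previously inserted into `vmchain` stay in force since the flush `iptables('-F', vmchain)` is commented out. If an empty rule set is meant to mean 'no ingress allowed', the chain should be reset and the log written before returning; if it only means 'nothing to do', a comment above the check saying so would prevent the next reader from asking the same question. `add_network_rules` begins before this hunk and continues after it.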
@@ -473,16 +475,16 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
 if ips:
 if protocol == 'all':
 for ip in ips:
- iptables = "iptables -I " + vmchain + " -m state --state NEW -m iprange --src-range " + ip + " -j ACCEPT"
+ iptables = "iptables -I " + vmchain + " -m state --state NEW -s " + ip + " -j ACCEPT"
 elif protocol != 'icmp':
 for ip in ips:
- iptables = "iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -m iprange --src-range " + ip + " -j ACCEPT"
+ iptables = "iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -s " + ip + " -j ACCEPT"
 else:
 range = start + "/" + end
 if start == "-1":
 range = "any"
 for ip in ips:
- iptables = "iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -m iprange --src-range " + ip + " -j ACCEPT"
+ iptables = "iptables -I " + vmchain + " -p icmp --icmp-type " + range + " -s " + ip + " -j ACCEPT"
 execute(iptables)
 if allow_any and protocol != 'all':
@@ -497,7 +499,6 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules):
 iptables = "iptables -A " + vmchain + " -j DROP"
 execute(iptables)
-
 if write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno) == False:
 return 'false'
@@ -548,3 +549,5 @@ if __name__ == '__main__':
 get_rule_logs_for_vms()
 elif cmd == "add_network_rules":
 add_network_rules(option.vmName, option.vmID, option.vmIP, option.sig, option.seq, option.vmMAC, option.rules)
+ elif cmd == "cleanup_rules":
+ cleanup_rules()
diff --git a/server/src/com/cloud/network/security/SecurityGroupManager.java b/server/src/com/cloud/network/security/SecurityGroupManager.java
index cfb409ad0ff..8fa2eb19d58 100644
--- a/server/src/com/cloud/network/security/SecurityGroupManager.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManager.java
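Review bot: Replacing `-m iprange --src-range` with `-s` changes what each `ip` must look like, from an address range to a single address or CIDR, so any caller still sending `a.b.c.d-e.f.g.h` will have iptables reject the rule and the VM quietly ends up without that ACCEPT. Each `ip` is also spliced into a shell command string, so validating it as an address or CIDR before building the string, and failing the whole call on a bad value, is the defensive move regardless of where the values come from. Indentation is lost in this view, but if `execute(iptables)` sits after the `for ip in ips` loops rather than inside them, only the last address of each batch is ever applied; the `execute` belongs inside each loop. `add_network_rules` begins before this hunk and continues after it.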
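Review bot: The new `cleanup_rules` branch in the `__main__` dispatcher calls `cleanup_rules()`, but no definition of that function appears anywhere in this patch; if it is new it is missing from the commit. If it already exists, a short comment above the branch saying what it tears down would help, since the agent-side wrapper `LibvirtComputingResource.cleanup_rules()` treats a non-null return from `Script.execute()` as failure, so the script's success and failure signalling needs to match that convention.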
@@ -39,7 +39,7 @@ public interface SecurityGroupManager {
 public SecurityGroupVO createDefaultSecurityGroup( Long accountId);
- public boolean addInstanceToGroups(Long userVmId, List groups);
+ public boolean addInstanceToGroups(Long userVmId, List groups);
 public void removeInstanceFromGroups(Long userVmId);
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index 601043e8091..590276b3ab8 100644
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -1044,7 +1044,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
 agentId = vm.getHostId();
 if (agentId != null ) {
 _rulesetLogDao.findByVmId(work.getInstanceId());
- SecurityIngressRulesCmd cmd = generateRulesetCmd(vm.getInstanceName(), vm.getGuestIpAddress(), vm.getGuestMacAddress(), vm.getId(), generateRulesetSignature(rules), seqnum, rules);
+ SecurityIngressRulesCmd cmd = generateRulesetCmd(vm.getInstanceName(), vm.getPrivateIpAddress(), vm.getPrivateMacAddress(), vm.getId(), generateRulesetSignature(rules), seqnum, rules);
 Commands cmds = new Commands(cmd);
 try {
 _agentMgr.send(agentId, cmds, _answerListener);
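Review bot: As rendered here the removed and added `addInstanceToGroups` lines are identical, so the `List` type argument, which is presumably the actual change, has been lost; judging by the implementation in `SecurityGroupManagerImpl`, which iterates `groups` as `String` and resolves each with `findByAccountAndName`, the parameter now takes account-scoped group names where it apparently took `SecurityGroupVO` objects before. A contract change like that deserves Javadoc on the interface method: what the strings are, that they are resolved against the VM owner's account, and what a `false` return means, e.g. `@param groups names of security groups belonging to the VM's account`.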
@@ -1067,16 +1067,21 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
 @Override
 @DB
- public boolean addInstanceToGroups(final Long userVmId, final List groups) {
+ public boolean addInstanceToGroups(final Long userVmId, final List groups) {
 if (!_enabled) {
 return true;
 }
- if (groups != null) {
- final Set uniqueGroups = new TreeSet(new SecurityGroupVOComparator());
- uniqueGroups.addAll(groups);
+ if (groups != null || !groups.isEmpty()) {
+ final Transaction txn = Transaction.currentTxn(); txn.start();
 UserVm userVm = _userVMDao.acquireInLockTable(userVmId); //ensures that duplicate entries are not created.
+ List sgs = new ArrayList();
+ for (String sg : groups) {
+ sgs.add(_securityGroupDao.findByAccountAndName(userVm.getAccountId(), sg));
+ }
+ final Set uniqueGroups = new TreeSet(new SecurityGroupVOComparator());
+ uniqueGroups.addAll(sgs);
 if (userVm == null) {
 s_logger.warn("Failed to acquire lock on user vm id=" + userVmId);
 }
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index 752d19107f0..404cae9d8aa 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -128,6 +128,7 @@ import com.cloud.network.ovs.OvsNetworkManager;
 import com.cloud.network.router.VirtualNetworkApplianceManager;
 import com.cloud.network.rules.RulesManager;
 import com.cloud.network.security.SecurityGroupManager;
+import com.cloud.network.security.SecurityGroupVO;
 import com.cloud.offerings.dao.NetworkOfferingDao;
 import com.cloud.server.Criteria;
 import com.cloud.service.ServiceOfferingVO;
@@ -2134,6 +2135,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
 } finally {
 updateVmStateForFailedVmCreation(vm.getId());
 }
- vm.setPassword(password);
+
+ _networkGroupMgr.addInstanceToGroups(vm.getId(), cmd.getSecurityGroupList());
+
 return vm;
 }
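Review bot: `if (groups != null || !groups.isEmpty())` is inverted: with `||`, a null `groups` falls through to `groups.isEmpty()` and throws NullPointerException, so the operator must be `&&`. The lookup loop added right after `acquireInLockTable` dereferences `userVm.getAccountId()` before the existing `userVm == null` check a few lines further down, so a failed lock acquisition ends in a NullPointerException instead of the warning. `findByAccountAndName` presumably returns null for a name the account does not own, and that null goes straight into `sgs` and then into the comparator-backed `TreeSet`; an unknown group name should fail the call explicitly, because the alternative is a VM that silently ends up outside the isolation group the user asked for. The method continues beyond this hunk and the existing lock-failure branch only logs, so the `return false` below is my reading of what that branch should do and needs checking against the rest of the method.
```java
        if (groups != null && !groups.isEmpty()) {
            final Transaction txn = Transaction.currentTxn();
            txn.start();
            UserVm userVm = _userVMDao.acquireInLockTable(userVmId); //ensures that duplicate entries are not created.
            if (userVm == null) {
                s_logger.warn("Failed to acquire lock on user vm id=" + userVmId);
                return false; // do not fall through into the lookups below with a null userVm
            }
            List<SecurityGroupVO> sgs = new ArrayList<SecurityGroupVO>();
            for (String sg : groups) {
                SecurityGroupVO group = _securityGroupDao.findByAccountAndName(userVm.getAccountId(), sg);
                if (group == null) {
                    // reject rather than skip: the VM would otherwise miss a group the caller asked for
                    // (substitute the project's parameter-validation exception type if one is in scope)
                    throw new IllegalArgumentException("Unable to find security group '" + sg + "' for account " + userVm.getAccountId());
                }
                sgs.add(group);
            }
            // … unchanged: uniqueGroups construction and the rest of the method …
```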
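Review bot: The result of `_networkGroupMgr.addInstanceToGroups(vm.getId(), cmd.getSecurityGroupList())` is discarded, so when it reports false the VM is still returned as successfully created but outside the security groups the caller requested, a silent loss of the intended network isolation. Check it and surface the failure through whatever error path the surrounding method already uses, e.g. `if (!_networkGroupMgr.addInstanceToGroups(vm.getId(), cmd.getSecurityGroupList())) { /* fail the creation here */ }`. Separately, `vm.setPassword(password)` is removed without replacement in this hunk; if the API response relies on the returned object carrying the generated password, the user will no longer receive it, which is worth confirming. The enclosing method begins before this hunk.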