diff --git a/plugins/xenserver/networking/etc/init.d/openvswitch-nova b/plugins/xenserver/networking/etc/init.d/openvswitch-nova
index 8672a69b885d..51f6b324c240 100755
--- a/plugins/xenserver/networking/etc/init.d/openvswitch-nova
+++ b/plugins/xenserver/networking/etc/init.d/openvswitch-nova
@@ -5,6 +5,7 @@
 # chkconfig: 2345 96 89
 # description: Apply initial OVS flows for Nova
+# Copyright 2011 Citrix Systems, Inc.
 # Copyright 2011 OpenStack LLC.
 # Copyright (C) 2009, 2010, 2011 Nicira Networks, Inc.
 # All Rights Reserved.
@@ -59,11 +60,11 @@ case ${NETWORK_MODE:=openvswitch} in
 esac
 function run_ovs_conf_base_flows {
- # expected format: DEVICE_BRIDGES="eth0:xenbr0 eth1:xenbr1"
- for pair in $DEVICE_BRIDGES; do
- # below in $info, physical device is [0], bridge name is [1]
- info=${pair//:/ }
- /usr/bin/python $OVS_CONFIGURE_BASE_FLOWS $1 ${info[0]} ${info[1]}
+ local action="$1"
+ local all_interfaces=$(cd /sys/class/net/; /bin/ls -d eth*)
+ local interfaces="${INTERFACES-$all_interfaces}"
+ for interface in $interfaces; do
+ /usr/bin/python $OVS_CONFIGURE_BASE_FLOWS $action $interface
 done
 }
diff --git a/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova b/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova
index 829782fb60ae..dd5fa6ca7b13 100644
--- a/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova
+++ b/plugins/xenserver/networking/etc/sysconfig/openvswitch-nova
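Review bot: The loop in `run_ovs_conf_base_flows` discards the exit status of the Python helper, so an interface whose flows could not be installed is skipped silently and the init script still looks successful. That matters more with the new default, because every `eth*` under /sys/class/net is now passed in, including devices that may not be attached to any OVS bridge. I would change the call to `/usr/bin/python "$OVS_CONFIGURE_BASE_FLOWS" "$action" "$interface" || echo "base flows not applied on $interface" >&2`. Note also that `${INTERFACES-$all_interfaces}` treats an explicitly empty `INTERFACES=""` as "no interfaces", so no base rules are applied at all; if that is not meant as an off switch, `${INTERFACES:-$all_interfaces}` is the safer expansion.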
@@ -1 +1,15 @@
-#DEVICE_BRIDGES="eth0:xenbr0 eth1:xenbr1"
+# The interfaces that you want to apply base OVS rules to. If this is
+# unspecified then rules are applied to all eth* interfaces, which is a good
+# default.
+#
+# If you are worried about the performance of having rules on interfaces
+# that aren't carrying tenant traffic, or you want to do something
+# custom, then here you can explicitly choose the interfaces that should have
+# rules applied.
+#
+# Note that if there is an IP address on the bridge in domain 0 (i.e. the
+# xenbrX interface) then a rule will be applied that allows traffic to it.
+# Make sure that this is what you want. If you don't want tenant traffic
+# to be able to reach domain 0 -- the usual case -- then you should have
+# tenant traffic and domain 0 on entirely separate bridges.
+#INTERFACES="eth0 eth1"
diff --git a/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py b/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py
index 514a43a2dfc5..010c7673a14b 100755
--- a/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py
+++ b/plugins/xenserver/networking/etc/xensource/scripts/ovs_configure_base_flows.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
+# Copyright 2011 Citrix Systems, Inc.
 # Copyright 2011 OpenStack LLC.
 # All Rights Reserved.
 #
@@ -27,9 +28,12 @@ import sys
 from novalib import execute, execute_get_output
-def main(command, phys_dev_name, bridge_name):
+def main(command, phys_dev_name):
 ovs_ofctl = lambda *rule: execute('/usr/bin/ovs-ofctl', *rule)
+ bridge_name = \
+ execute_get_output('/usr/bin/ovs-vsctl', 'iface-to-br', phys_dev_name)
+
 # always clear all flows first
 ovs_ofctl('del-flows', bridge_name)
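Review bot: The bridge name returned by `ovs-vsctl iface-to-br` is passed straight to `ovs_ofctl('del-flows', bridge_name)` without checking that the lookup succeeded. novalib is not shown here, so I am assuming `execute_get_output` returns an empty string when the command fails (the later `bridge_addr != ''` comparison suggests it returns a plain string); in that case every following ovs-ofctl call runs against an empty bridge name. Suggest a guard right after the lookup: `if not bridge_name: sys.exit('%s is not attached to an OVS bridge' % phys_dev_name)`. `main` continues past the end of this hunk.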
@@ -44,19 +48,27 @@ def main(command, phys_dev_name, bridge_name):
 ovs_ofctl('add-flow', bridge_name,
 "priority=2,in_port=%s,actions=normal" % pnic_ofport)
+ # Allow traffic from dom0 if there is a management interface
+ # present (its IP address is on the bridge itself)
+ bridge_addr = \
+ execute_get_output('/sbin/ip', '-o', '-f', 'inet', 'addr', 'show',
+ bridge_name)
+ if bridge_addr != '':
+ ovs_ofctl('add-flow', bridge_name,
+ "priority=2,in_port=LOCAL,actions=normal")
+
 # default drop
 ovs_ofctl('add-flow', bridge_name, 'priority=1,actions=drop')
 if __name__ == "__main__":
- if len(sys.argv) != 4 or sys.argv[1] not in ('online', 'offline', 'reset'):
+ if len(sys.argv) != 3 or sys.argv[1] not in ('online', 'offline', 'reset'):
 print sys.argv
 script_name = os.path.basename(sys.argv[0])
 print "This script configures base ovs flows."
- print "usage: %s [online|offline|reset] phys-dev-name bridge-name" \
- % script_name
- print " ex: %s online eth0 xenbr0" % script_name
+ print "usage: %s [online|offline|reset] phys-dev-name" % script_name
+ print " ex: %s online eth0" % script_name
 sys.exit(1)
 else:
- command, phys_dev_name, bridge_name = sys.argv[1:4]
- main(command, phys_dev_name, bridge_name)
+ command, phys_dev_name = sys.argv[1:3]
+ main(command, phys_dev_name)
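Review bot: The `in_port=LOCAL` allow rule depends on a one-time, IPv4-only probe (`ip -o -f inet addr show`), so a bridge whose dom0 address is IPv6-only, or is configured after this script has run, gets only the `priority=1,actions=drop` default, with nothing logged. The opposite case deserves a line too: any bridge that happens to carry an address gets the rule, which the sysconfig text in this commit warns about for bridges shared with tenant traffic. I would add a comment above the check such as `# NOTE: IPv4 only, evaluated once when the script runs; re-run after changing the bridge address`, and print which bridges received the LOCAL rule so an operator can audit it. `main` begins outside this hunk.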