diff --git a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
index 0833cb5a321..f5fc39c917d 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
@@ -92,7 +92,7 @@ class CsNetfilters(object):
             for r in del_list:
                 cmd = "iptables -t %s %s" % (r.get_table(), r.to_str(True))
                 CsHelper.execute(cmd)
-                print "Delete rule %s from table %s" % (r.to_str(True), r.get_table())
+                #print "Delete rule %s from table %s" % (r.to_str(True), r.get_table())
                 logging.info("Delete rule %s from table %s", r.to_str(True), r.get_table())
 
     def compare(self, list):
@@ -109,6 +109,7 @@ class CsNetfilters(object):
             if self.has_rule(new_rule):
                 logging.debug("rule %s exists in table %s", fw[2], new_rule.get_table())
             else:
+                #print "Add rule %s in table %s" % ( fw[2], new_rule.get_table())
                 logging.info("Add rule %s in table %s", fw[2], new_rule.get_table())
                 # front means insert instead of append
                 cpy = fw[2]
@@ -177,6 +178,8 @@ class CsNetfilter(object):
         rule = rule.replace('-p all', '')
         rule = rule.replace(' ', ' ')
         rule = rule.replace('bootpc', '68')
+        # Ugly hack no.23 split this or else I will have an odd number of parameters
+        rule = rule.replace('--checksum-fill', '--checksum fill')
         # -m can appear twice in a string
         rule = rule.replace('-m state', '-m2 state')
         rule = rule.replace('ESTABLISHED,RELATED', 'RELATED,ESTABLISHED')
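Review bot: The `print` on the changed line of the `@@ -92` hunk is commented out rather than deleted, and the same pattern recurs in the `@@ -109` hunk (a new `#print "Add rule ..."` line) and in the `@@ -229` hunk of `__eq__` (two new commented-out `#if '--checksum' ...` / `#pprint(...)` lines). The adjacent `logging.info`/`logging.debug` calls already record each of these events, so the commented lines add nothing that history does not keep and will drift out of sync with the code next to them; drop them. If the `__eq__` trace is still wanted, a live `logging.debug("comparing %s", self.get_rule())` keeps it without depending on `pprint` being imported.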
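Review bot: The new `--checksum-fill` rewrite in the `@@ -177` hunk is one half of a pair: `to_str` (the `@@ -220` hunk) undoes it with the inverse literal, and nothing ties the two strings together, so editing either one silently produces rules that no longer round-trip. Hoisting both spellings to module-level constants, e.g. `CHECKSUM_FILL_FLAG = '--checksum-fill'` and `CHECKSUM_FILL_PAIR = '--checksum fill'`, and using them in both places keeps the hack in one spot. The comment should also say why rather than number the hack: `# --checksum-fill takes no value; turn it into a key/value pair so the pairwise tokenising stays even (to_str reverses this).` The enclosing method starts above this hunk.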
@@ -206,8 +209,8 @@ class CsNetfilter(object):
     def to_str(self, delete = False):
         """ Convert the rule back into aynactically correct iptables command """
         # Order is important
-        order = ['-A', '-s', '-d', '!_-d', '-i', '-p', '-m', '-m2', '--icmp-type', '--state',
-                 '--dport', '--destination-port', '-o', '-j', '--set-xmark',
+        order = ['-A', '-s', '-d', '!_-d', '-i', '!_-i', '-p', '-m', '-m2', '--icmp-type', '--state',
+                 '--dport', '--destination-port', '-o', '!_-o', '-j', '--set-xmark',
                  '--checksum', '--to-source', '--to-destination']
         str = ''
         for k in order:
@@ -220,6 +223,7 @@ class CsNetfilter(object):
                     str = "%s %s" % (printable, self.rule[k])
                 else:
                     str = "%s %s %s" % (str, printable, self.rule[k])
+        str = str.replace("--checksum fill", "--checksum-fill")
         return str
 
     def __eq__(self, rule):
@@ -229,6 +233,8 @@ class CsNetfilter(object):
             return False
         if len(rule.get_rule().items()) != len(self.get_rule().items()):
             return False
+        #if '--checksum' in self.get_rule().keys() and self.get_rule()['--checksum'] == "fill":
+            #pprint(self.get_rule())
         common = set(rule.get_rule().items()) & set(self.get_rule().items())
         if len(common) != len(rule.get_rule()):
             return False
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index 147a9c314a2..547bda9916f 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -489,8 +489,6 @@ class CsIP:
         self.post_config_change("delete")
 
 
-
-
 class CsPassword(CsDataBag):
     """
       Update the password cache
@@ -761,6 +759,7 @@ class CsAddress(CsDataBag):
             if dev == "id":
                 continue
             ip = CsIP(dev)
+            addcnt = 0
             for address in self.dbag[dev]:
                 if not address["nw_type"] == "control":
                     CsRoute(dev).add(address)
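Review bot: `order` in the `@@ -206` hunk is the only list of keys `to_str` emits, and `--mark` is not in it, yet the `add_netstats` rules introduced later in this commit (configure.py, `@@ -772`) carry `-m mark --mark 0x525`/`0x524`; any path that renders such a rule through `to_str` — the delete path in the first CsNetfilter hunk does — will produce `-m mark` with no `--mark`, which iptables rejects. Adding `'--mark'` to the list right after `'--state'` covers those two rules, but the underlying problem is that a parsed key missing from `order` is dropped silently; a check after the loop such as `for k in self.rule:` / `if k not in order: logging.warning("to_str dropping %s=%s", k, self.rule[k])` would at least surface the next one. The local `str` also shadows the builtin, though that predates this change. The middle of the loop body is outside the hunk, so I am assuming a `k in self.rule` test is what selects the keys.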
@@ -772,6 +771,36 @@ class CsAddress(CsDataBag):
                 logging.info("Address %s on device %s not configured", ip.ip(), dev)
                 if CsDevice(dev).waitfordevice():
                     ip.configure()
+                    # This could go one level up but the ip type is stored in the
+                    # ip address object and not in the device object
+                    # Call only once
+                    if addcnt == 0:
+                        self.add_netstats(address)
+                    addcnt += 1
+
+    def add_netstats(self, address):
+        # add in the network stats iptables rules
+        dev = "eth%s" % address['nic_dev_id']
+        if address["nw_type"] == "public_ip":
+            fw.append(["", "front", "-A FORWARD -j NETWORK_STATS"])
+            fw.append(["", "front", "-A INPUT -j NETWORK_STATS"])
+            fw.append(["", "front", "-A OUTPUT -j NETWORK_STATS"])
+            # it is not possible to calculate these devices
+            # When the vrouter and the vpc router are combined this silliness can go
+            fw.append(["", "", "-A NETWORK_STATS -i %s -o eth0 -p tcp" % dev])
+            fw.append(["", "", "-A NETWORK_STATS -o %s -i eth0 -p tcp" % dev])
+            fw.append(["", "", "-A NETWORK_STATS -o %s ! -i eth0 -p tcp" % dev])
+            fw.append(["", "", "-A NETWORK_STATS -i %s ! -o eth0 -p tcp" % dev])
+
+        if address["nw_type"] == "guest":
+            fw.append(["", "front", "-A FORWARD -j NETWORK_STATS_%s" % dev])
+            fw.append(["", "front", "-A NETWORK_STATS_%s -o %s -s %s" % (dev, dev, address['network'])])
+            fw.append(["", "front", "-A NETWORK_STATS_%s -o %s -d %s" % (dev, dev, address['network'])])
+            # Only relevant if there is a VPN configured so will have to move
+            # at some stage
+            fw.append(["mangle", "", "-A FORWARD -j VPN_STATS_%s" % dev])
+            fw.append(["mangle", "", "-A VPN_STATS_%s -o %s -m mark --mark 0x525" % (dev, dev)])
+            fw.append(["mangle", "", "-A VPN_STATS_%s -i %s -m mark --mark 0x524" % (dev, dev)])
 
 class CsForwardingRules(CsDataBag):
     def __init__(self, key):
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/netusage.sh b/systemvm/patches/debian/config/opt/cloud/bin/netusage.sh
index 10c61902a20..3cf808e5fcb 100755
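Review bot: `add_netstats` feeds `address['nic_dev_id']` and `address['network']` straight into rule strings that CsNetfilter later splits on whitespace (the "odd number of parameters" hack in CsNetfilter.py depends on that), so a missing key raises KeyError midway through configuring the device and a value containing whitespace silently yields a different rule than intended. In the `guest` branch a guard before the appends — `network = address.get('network', '')` / `if not network or ' ' in network:` / `logging.error("Skipping netstats for %s: bad network %r", dev, network); return` — would confine a bad databag entry to that address instead of aborting the pass. The marks `0x525`/`0x524` are unexplained magic values; module-level names (e.g. `VPN_MARK_OUT`/`VPN_MARK_IN`) with a comment saying which rules set them would document the contract with the VPN side. The method also lacks a docstring; `"""Queue NETWORK_STATS (and, for guest networks, VPN_STATS) iptables rules for the device that owns *address*."""` would do. I am assuming `fw` is the module-level rule list consumed by CsNetfilters, since it is not declared in the hunk.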
--- a/systemvm/patches/debian/config/opt/cloud/bin/netusage.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/netusage.sh
@@ -123,7 +123,7 @@ done
 
 if [ "$cflag" == "1" ]
 then
-    create_usage_rules
+    #create_usage_rules
     unlock_exit $? $lock $locked
 fi
 
@@ -141,13 +141,13 @@ fi
 
 if [ "$aflag" == "1" ]
 then
-    add_public_interface $publicIf
+    #add_public_interface $publicIf
     unlock_exit $? $lock $locked
 fi
 
 if [ "$dflag" == "1" ]
 then
-    delete_public_interface $publicIf
+    #delete_public_interface $publicIf
     unlock_exit $? $lock $locked
 fi
 
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/vpc_netusage.sh b/systemvm/patches/debian/config/opt/cloud/bin/vpc_netusage.sh
index 4f32a46cbb8..7aa75cbdfbf 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/vpc_netusage.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/vpc_netusage.sh
@@ -138,13 +138,13 @@ fi
 
 if [ "$nflag" == "1" ]
 then
-    get_vpn_usage
+    #get_vpn_usage
     unlock_exit $? $lock $locked
 fi
 
 if [ "$dflag" == "1" ]
 then
-    remove_usage_rules
+    #remove_usage_rules
     unlock_exit 0 $lock $locked
 fi
 
diff --git a/tools/vagrant/systemvm/Vagrantfile b/tools/vagrant/systemvm/Vagrantfile
index 657ad482dde..b7842982653 100644
--- a/tools/vagrant/systemvm/Vagrantfile
+++ b/tools/vagrant/systemvm/Vagrantfile
@@ -81,6 +81,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
         'config/opt' => '/opt',
         'config/root' => '/root',
         'config/var' => '/var',
+        'config/etc/iptables' => '/etc/iptables',
         # cannot have two rsyncs pointing to the same dir
         # 'vpn/etc' => '/etc',
         # 'vpn/opt' => '/opt',
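Review bot: With `create_usage_rules` commented out in the `@@ -123` hunk, `unlock_exit $? $lock $locked` in the `then` branch now forwards the exit status of the `[ "$cflag" == "1" ]` test, which is always 0 at that point, so the script reports success to its caller while doing nothing; the same holds for the `@@ -141` hunk (`add_public_interface`, `delete_public_interface`) and for `get_vpn_usage` in the vpc_netusage.sh hunk. If these entry points are being retired because configure.py now installs the stats rules, delete the branches (or make them `logging`-style warn and `unlock_exit 1 $lock $locked`) rather than leaving commented calls that read as a temporary toggle; if they are meant to come back, a comment saying so and why is needed. Either way a caller checking the return code can no longer tell "done" from "skipped".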