diff --git a/common/setup_ip b/common/setup_ip
index 61f197cf..ad42cf46 100755
--- a/common/setup_ip
+++ b/common/setup_ip
@@ -8,6 +8,17 @@ if [ x$ip != x ]; then
     /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
     /sbin/ifconfig $INTERFACE up
     /sbin/route add default dev $INTERFACE
+    /sbin/ethtool -K $INTERFACE sg off
     echo "nameserver $gateway" > /etc/resolv.conf
     echo "nameserver $secondary_dns" >> /etc/resolv.conf
+	network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null)
+	if [ "x$network" != "x" ]; then
+		gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
+		netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
+		secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
+		echo "NS1=$gateway" > /var/run/qubes/qubes_ns
+		echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
+		/usr/lib/qubes/qubes_setup_dnat_to_ns
+	fi
+
 fi
diff --git a/dom0/aux-tools/qubes-watch-updates.sh b/dom0/aux-tools/qubes-watch-updates.sh
index 9f5111f6..ecfda429 100755
--- a/dom0/aux-tools/qubes-watch-updates.sh
+++ b/dom0/aux-tools/qubes-watch-updates.sh
@@ -58,9 +58,8 @@ while true; do
     done
     
     # At the end synchronize clock
-    UNTRUSTED_CURRENT_TIME="`$QREXEC_CLIENT -d $UPDATES_VM 'user:date +%s.%N'`"
-    # I believe that date has safe input parsing...
-    sudo date -s "$UNTRUSTED_CURRENT_TIME"
+    qvm-sync-dom0-clock
+
     sleep $UPDATES_SLEEP
 done
 
diff --git a/dom0/pm-utils/01qubes-suspend-netvm b/dom0/pm-utils/01qubes-suspend-netvm
index d6e362d1..a206fc84 100755
--- a/dom0/pm-utils/01qubes-suspend-netvm
+++ b/dom0/pm-utils/01qubes-suspend-netvm
@@ -16,7 +16,7 @@ get_running_netvms() {
 suspend_net()
 {
     for VM in `get_running_netvms`; do
-        qvm-run -u root --pass_io $VM 'service NetworkManager stop; for if in `ls /sys/class/net|grep -v "lo\|vif"`; do ip l s $if down; done'
+        qvm-run -u root --pass_io $VM 'service NetworkManager stop; for if in `ls /sys/class/net|grep -v "lo\|vif"`; do ip l s $if down; done; rmmod ehci_hcd'
     done
     # Ignore exit status from netvm...
     return 0
@@ -25,7 +25,7 @@ suspend_net()
 resume_net()
 {
     for VM in `get_running_netvms`; do
-        qvm-run -u root --pass_io $VM "service NetworkManager start"
+        qvm-run -u root --pass_io $VM "modprobe ehci_hcd; service NetworkManager start"
     done
     # Ignore exit status from netvm...
     return 0
diff --git a/dom0/qubes-cached.repo b/dom0/qubes-cached.repo
index 948d4876..963a7ba5 100644
--- a/dom0/qubes-cached.repo
+++ b/dom0/qubes-cached.repo
@@ -3,3 +3,4 @@ name = Qubes OS Repository for Dom0
 baseurl = file:///var/lib/qubes/updates
 gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-1-primary
 gpgcheck = 1
+metadata_expire = 0
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index ab4c594e..fa68b161 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1137,6 +1137,13 @@ class QubesTemplateVm(QubesVm):
         if retcode != 0:
             raise IOError ("Error while copying {0} to {1}".\
                            format(self.clean_volatile_img, self.volatile_img))
+
+        if verbose:
+            print "--> Copying the template's DispVM prerun script..."
+        retcode = subprocess.call (["cp", src_template_vm.dir_path + '/dispvm-prerun.sh', self.dir_path + '/dispvm-prerun.sh'])
+        if retcode != 0:
+            raise IOError ("Error while copying DispVM prerun script")
+
         if verbose:
             print "--> Copying the template's appmenus templates dir:\n{0} ==>\n{1}".\
                     format(src_template_vm.appmenus_templates_dir, self.appmenus_templates_dir)
@@ -1452,6 +1459,7 @@ class QubesProxyVm(QubesNetVm):
                 "{0}".format(self.netvm_vm.get_xid()))
 
     def write_iptables_xenstore_entry(self):
+        xs.rm('', "/local/domain/{0}/qubes_iptables_domainrules".format(self.get_xid()))
         iptables =  "# Generated by Qubes Core on {0}\n".format(datetime.now().ctime())
         iptables += "*filter\n"
         iptables += ":INPUT DROP [0:0]\n"
@@ -1470,9 +1478,12 @@ class QubesProxyVm(QubesNetVm):
         iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n"
         # Deny inter-VMs networking
         iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n"
+        iptables += "COMMIT\n"
+        xs.write('', "/local/domain/{0}/qubes_iptables_header".format(self.get_xid()), iptables)
 
         vms = [vm for vm in self.connected_vms.values()]
         for vm in vms:
+            iptables="*filter\n"
             if vm.has_firewall():
                 conf = vm.get_firewall_conf()
             else:
@@ -1515,16 +1526,14 @@ class QubesProxyVm(QubesNetVm):
                 iptables += "-A FORWARD -i vif{0}.+ -p icmp -j ACCEPT\n".format(xid)
 
             iptables += "-A FORWARD -i vif{0}.+ -j {1}\n".format(xid, default_action)
-
-        iptables += "#End of VM rules\n"
-        iptables += "-A FORWARD -j DROP\n"
-
-        iptables += "COMMIT"
+            iptables += "COMMIT\n"
+            xs.write('', "/local/domain/"+str(self.get_xid())+"/qubes_iptables_domainrules/"+str(xid), iptables)
+        # no need for ending -A FORWARD -j DROP, cause default action is DROP
 
         self.write_netvm_domid_entry()
 
         self.rules_applied = None
-        xs.write('', "/local/domain/{0}/qubes_iptables".format(self.get_xid()), iptables)
+        xs.write('', "/local/domain/{0}/qubes_iptables".format(self.get_xid()), 'reload')
 
     def get_xml_attrs(self):
         attrs = super(QubesProxyVm, self).get_xml_attrs()
diff --git a/dom0/qvm-tools/qvm-backup b/dom0/qvm-tools/qvm-backup
index c855a537..18abd56d 100755
--- a/dom0/qvm-tools/qvm-backup
+++ b/dom0/qvm-tools/qvm-backup
@@ -121,7 +121,12 @@ def main():
 
             files_to_backup += file_to_backup(vm.icon_path)
             if vm.is_updateable():
-                files_to_backup += file_to_backup(vm.dir_path + "/apps.templates")
+                if os.path.exists(vm.dir_path + "/apps.templates"):
+                    # template
+                    files_to_backup += file_to_backup(vm.dir_path + "/apps.templates")
+                else:
+                    # standaloneVM
+                    files_to_backup += file_to_backup(vm.dir_path + "/apps")
             if os.path.exists (vm.firewall_conf):
                 files_to_backup += file_to_backup(vm.firewall_conf)
             if os.path.exists(vm.dir_path + '/whitelisted-appmenus.list'):
diff --git a/dom0/qvm-tools/qvm-dom0-upgrade b/dom0/qvm-tools/qvm-dom0-upgrade
index 1f496f6a..6cb16922 100755
--- a/dom0/qvm-tools/qvm-dom0-upgrade
+++ b/dom0/qvm-tools/qvm-dom0-upgrade
@@ -6,6 +6,10 @@ if [ -z "$UPDATEVM" ]; then
     exit 1
 fi
 
+# We should ensure the clocks in Dom0 and UpdateVM are in sync
+# becuase otherwise yum might complain about future timestamps
+qvm-sync-dom0-clock
+
 echo "Checking for dom0 updates"
 
 # Start VM if not running already
diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs
index 67874cc6..e0f4cdb5 100755
--- a/dom0/qvm-tools/qvm-prefs
+++ b/dom0/qvm-tools/qvm-prefs
@@ -119,7 +119,24 @@ def set_netvm(vms, vm, args):
         vm.uses_default_netvm = False
 
     vm.netvm_vm = netvm_vm
-
+    if not vm.is_running():
+        return
+    if not vm.netvm_vm.is_running():
+        subprocess.check_call(["qvm-start", vm.netvm_vm.name])
+    subprocess.check_call(["xl", "network-detach", vm.name, "0"])
+    domain_path="/local/domain/"+str(vm.get_xid())
+    subprocess.check_call(["xenstore-write",
+        domain_path+"/qubes_ip",
+        vm.ip])
+    subprocess.check_call(["xenstore-write",
+        domain_path+"/qubes_gateway",
+        vm.netvm_vm.gateway])
+    subprocess.check_call(["xenstore-write",
+        domain_path+"/qubes_secondary_dns",
+        vm.netvm_vm.secondary_dns])
+    subprocess.check_call(["xl", "network-attach", vm.name, "ip="+vm.ip,
+        "backend="+vm.netvm_vm.name,
+        "script=/etc/xen/scripts/vif-route-qubes"])
 
 def set_updateable(vms, vm, args):
     if vm.is_updateable():
diff --git a/dom0/qvm-tools/qvm-sync-dom0-clock b/dom0/qvm-tools/qvm-sync-dom0-clock
new file mode 100755
index 00000000..ab588c05
--- /dev/null
+++ b/dom0/qvm-tools/qvm-sync-dom0-clock
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+UPDATES_VM=`qvm-get-updatevm`
+
+QREXEC_CLIENT=/usr/lib/qubes/qrexec_client
+
+if [ -z "$UPDATES_VM" ]; then
+    echo "UpdateVM not set, exiting!" >&2
+    exit 1
+fi
+
+if ! xl domid "$UPDATES_VM" > /dev/null 2>&1; then
+    echo "UpdateVM not started, exiting!"
+    exit 1
+fi
+
+# dd is supposed to not allow memory exhaustion
+# grep does basic sanity checking
+# there seems to be no way to pass output of date +%s.%N to date,
+# so we use human-readable format
+
+CURRENT_TIME="$($QREXEC_CLIENT -d $UPDATES_VM 'user:date -u' |
+	dd count=1 2>/dev/null |
+	grep '^[A-Za-z]* [A-Za-z]* [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] [A-Z]* [0-9][0-9][0-9][0-9]$'|
+	head -1)"
+
+if [ -n "$CURRENT_TIME" ] ; then 
+	echo Syncing Dom0 clock: setting time "$CURRENT_TIME"...
+	sudo date -u -s "$CURRENT_TIME" ;
+	echo Done.
+else
+	echo "Error while parsing the time obtained from the UpdateVM ($UPDATES_VM).."
+fi
+
diff --git a/dom0/restore/qfile-daemon-dvm b/dom0/restore/qfile-daemon-dvm
index 04a811f3..c03a6cba 100755
--- a/dom0/restore/qfile-daemon-dvm
+++ b/dom0/restore/qfile-daemon-dvm
@@ -109,8 +109,7 @@ class QfileDaemonDvm:
 
     def get_dvm(self):
         if not self.dvm_setup_ok():
-            self.tray_notify("Updating DisposableVM savefile, please wait", 120000)
-            if os.system("qvm-create-default-dvm --default-template --default-script >/var/run/qubes/qvm-create-default-dvm.stdout </dev/null" ) != 0:
+            if os.system("/usr/lib/qubes/qubes_update_dispvm_savefile_with_progress.sh >/dev/null </dev/null" ) != 0:
                 self.tray_notify_error("DVM savefile creation failed")
                 return None 
         return self.do_get_dvm()
diff --git a/dom0/restore/qubes_update_dispvm_savefile_with_progress.sh b/dom0/restore/qubes_update_dispvm_savefile_with_progress.sh
new file mode 100755
index 00000000..aaaa5578
--- /dev/null
+++ b/dom0/restore/qubes_update_dispvm_savefile_with_progress.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+trap "exit 1" USR1 TERM
+export SHELL_PID=$$
+(
+	echo "1"
+	if ! qvm-create-default-dvm --used-template --default-script >/var/run/qubes/qvm-create-default-dvm.stdout </dev/null ; then 
+		kill -USR1 $SHELL_PID
+	fi
+        echo 100 
+) | zenity --progress --pulsate --auto-close \
+	--text="Please wait (up to 120s) while the DispVM savefile is being updated. This only happens when you have updated the template, next time will be much faster." \
+	--title="Updating default DispVM savefile"
+exit 0
+                  
\ No newline at end of file
diff --git a/dom0/restore/qvm-create-default-dvm b/dom0/restore/qvm-create-default-dvm
index 75ffeeba..e3a819fb 100755
--- a/dom0/restore/qvm-create-default-dvm
+++ b/dom0/restore/qvm-create-default-dvm
@@ -1,16 +1,23 @@
 #!/bin/sh
 if [ $# != 1 -a $# != 2 ] ; then
-	echo 'Usage: qvm-create-default-dvm templatename|--default-template [script-name|--default-script]'
+	echo 'Usage: qvm-create-default-dvm templatename|--default-template|--used-template [script-name|--default-script]'
 	exit 1
 fi
-if [ "$1" = --default-template ] ; then
+export ROOT=/var/lib/qubes/dvmdata/savefile_root
+TEMPLATENAME=$1
+if [ "$TEMPLATENAME" = --used-template ] ; then
+	if [ -e $ROOT ] ; then
+		TEMPLATENAME=$(readlink $ROOT | sed -e 's/.root.img//' -e 's/.*\///')
+	else
+		TEMPLATENAME=--default-template
+	fi
+fi
+if [ "$TEMPLATENAME" = --default-template ] ; then
 	TEMPLATENAME=$(qvm-get-default-template)
 	if [ "X"$TEMPLATENAME = "X" ] ; then
 		echo No default template ?
 		exit 1
 	fi
-else
-	TEMPLATENAME=$1
 fi
 
 if [ "X""$2" = "X""--default-script" ] ; then
@@ -38,7 +45,6 @@ if ! /usr/lib/qubes/qubes_prepare_saved_domain.sh \
 	"$DVMTMPL" "/var/lib/qubes/appvms/$DVMTMPL/dvm-savefile" $SCRIPTNAME ; then
 	exit 1
 fi
-ROOT=/var/lib/qubes/dvmdata/savefile_root
 DEFAULT=/var/lib/qubes/dvmdata/default_savefile
 DEFAULTCONF=/var/lib/qubes/dvmdata/default_dvm.conf
 CURRENT=/var/run/qubes/current_savefile
diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index fbac2959..13f5ba24 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
@@ -3,9 +3,9 @@ set -e
 
 PIDFILE=/var/run/qubes/qubes_firewall.pid
 XENSTORE_IPTABLES=qubes_iptables
+XENSTORE_IPTABLES_HEADER=qubes_iptables_header
 XENSTORE_ERROR=qubes_iptables_error
 OLD_RULES=""
-
 # PIDfile handling
 [[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
 echo $$ >$PIDFILE
@@ -13,24 +13,26 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
 
 while true; do
-	RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
-
-	if [[ "$RULES" != "$OLD_RULES" ]]; then
-		IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
-		OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
-		/usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
-		if [ "$OUT" ]; then
-			DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
-		fi
-
-		if [[ -z "$OUT" ]]; then
-			# If OK save it for later
-			/sbin/service iptables save >/dev/null
-		fi
-
-		OLD_RULES="$RULES"
-	fi
-
 	# Wait for changes in xenstore file
 	/usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
+	TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+
+	if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
+	RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
+	IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
+	OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
+
+	for i in $(xenstore-list qubes_iptables_domainrules) ; do 
+		RULES=$(/usr/bin/xenstore-read qubes_iptables_domainrules/"$i")
+		ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || :`
+		OUT="$OUT""$ERRS"
+	done		
+	/usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
+	if [ "$OUT" ]; then
+		DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
+	fi
+	if [[ -z "$OUT" ]]; then
+		# If OK save it for later
+		/sbin/service iptables save >/dev/null
+	fi
 done
diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec
index ad7b3009..e4518ed7 100644
--- a/rpm_spec/core-commonvm.spec
+++ b/rpm_spec/core-commonvm.spec
@@ -214,6 +214,9 @@ mkdir -p /rw
 #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
 #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0
 
+# Prevent unnecessary updates in VMs:
+echo 'exclude = kernel, xorg-*' >> /etc/yum.conf
+
 %preun
 if [ "$1" = 0 ] ; then
     # no more packages left
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index b29e7540..b377ad81 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@@ -40,9 +40,9 @@ BuildRequires:  xen-devel
 Requires:	python, xen-runtime, pciutils, python-inotify, python-daemon, kernel-qubes-dom0
 Conflicts:      qubes-gui-dom0 < 1.1.13
 Requires:       yum-plugin-post-transaction-actions
-Requires:       NetworkManager >= 0.8.1-1
 Requires:       xen >= 4.1.0-2
 Requires:       createrepo
+Requires:       gnome-packagekit
 %define _builddir %(pwd)/dom0
 
 %description
@@ -117,6 +117,7 @@ cp restore/qvm-create-default-dvm $RPM_BUILD_ROOT/usr/bin
 cp restore/xenstore-watch $RPM_BUILD_ROOT/usr/bin/xenstore-watch-qubes
 cp restore/qubes_restore restore/xenfreepages $RPM_BUILD_ROOT/usr/lib/qubes
 cp restore/qubes_prepare_saved_domain.sh  $RPM_BUILD_ROOT/usr/lib/qubes
+cp restore/qubes_update_dispvm_savefile_with_progress.sh  $RPM_BUILD_ROOT/usr/lib/qubes
 cp restore/qfile-daemon-dvm $RPM_BUILD_ROOT/usr/lib/qubes
 
 mkdir -p $RPM_BUILD_ROOT/etc/yum.real.repos.d
@@ -333,6 +334,7 @@ fi
 /usr/bin/xenstore-watch-qubes
 /usr/lib/qubes/qubes_restore
 /usr/lib/qubes/qubes_prepare_saved_domain.sh
+/usr/lib/qubes/qubes_update_dispvm_savefile_with_progress.sh
 /etc/xen/scripts/block.qubes
 /etc/xen/scripts/block-snapshot
 /etc/xen/scripts/block-origin
diff --git a/version_dom0 b/version_dom0
index 99c026bd..7a9d7939 100644
--- a/version_dom0
+++ b/version_dom0
@@ -1 +1 @@
-1.6.11
+1.6.18
diff --git a/version_vm b/version_vm
index 99c026bd..e55f803c 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.6.11
+1.6.19