<filter name='clean-traffic' chain='root'> <!-- An example of a traffic filter enforcing clean traffic from a VM by - preventing MAC spoofing --> <filterref filter='no-mac-spoofing'/> <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming --> <filterref filter='no-ip-spoofing'/> <rule direction='out' action='accept' priority='-650'> <mac protocolid='ipv4'/> </rule> <filterref filter='allow-incoming-ipv4'/> <!-- preventing ARP spoofing/poisoning --> <filterref filter='no-arp-spoofing'/> <!-- accept all other incoming and outgoing ARP traffic --> <rule action='accept' direction='inout' priority='-500'> <mac protocolid='arp'/> </rule> <!-- preventing any other traffic than IPv4 and ARP --> <filterref filter='no-other-l2-traffic'/> <!-- allow qemu to send a self-announce upon migration end --> <filterref filter='qemu-announce-self'/> </filter>