<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'> <!-- allow UDP sent from 0.0.0.0 (DHCP); filter more exact later --> <rule action='return' direction='out' priority='100'> <ip srcipaddr='0.0.0.0' protocol='udp'/> </rule> <!-- allow all known IP addresses --> <rule direction='out' action='return' priority='500'> <ip srcipaddr='$IP'/> </rule> <!-- drop everything else --> <rule direction='out' action='drop' priority='1000'/> </filter>