<filter name='no-mac-spoofing' chain='mac' priority='-800'> <!-- return packets with VM's MAC address as source address --> <rule direction='out' action='return'> <mac srcmacaddr='$MAC'/> </rule> <!-- drop everything else --> <rule direction='out' action='drop'> <mac/> </rule> </filter>