<filter name='no-arp-spoofing' chain='arp'>
  <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
  <!-- no arp spoofing -->
  <!-- Purpose: keep a guest from sending or accepting ARP traffic that claims an
       address other than its own (ARP cache poisoning). The filter lives in the
       'arp' chain, so it only ever sees ARP frames.
       $MAC and $IP are nwfilter variables; this file does not define them, so the
       interface or filter reference that includes it has to supply them.
       NOTE(review): libvirt cannot instantiate the filter while $IP is unset;
       confirm how $IP is provided (explicit value or address learning) for the
       deployment in question. -->
  <!-- Rule order is by priority (in libvirt nwfilter a lower value is evaluated
       first), so the drops at 400 are checked before the accepts at 500 and the
       final catch-all drop at 1000. -->
  <!-- Outbound: drop if the ARP sender MAC or sender IP does not belong to the guest.
       match='no' negates the comparison, i.e. "source MAC is NOT $MAC". -->
  <rule action='drop' direction='out' priority='400' >
    <arp match='no' arpsrcmacaddr='$MAC'/>
  </rule>
  <rule action='drop' direction='out' priority='400' >
    <arp match='no' arpsrcipaddr='$IP' />
  </rule>
  <!-- Inbound: drop if the ARP target MAC or target IP does not belong to the guest.
       The target-MAC check is restricted to replies (requests are broadcast and
       carry no guest-specific target MAC); the two arp elements in that rule are
       intended to apply together, i.e. opcode reply AND target MAC is not $MAC.
       NOTE(review): confirm that the nwfilter version in use combines multiple
       protocol elements within one rule this way. -->
  <rule action='drop' direction='in' priority='400' >
    <arp match='no' arpdstmacaddr='$MAC'/>
    <arp opcode='reply'/>
  </rule>
  <rule action='drop' direction='in' priority='400' >
    <arp match='no' arpdstipaddr='$IP' />
  </rule>
  <!-- accept only request or reply packets; any other ARP opcode matches neither
       rule and falls through to the catch-all drop below -->
  <rule action='accept' direction='inout' priority='500' >
    <arp opcode='request'/>
  </rule>
  <rule action='accept' direction='inout' priority='500' >
    <arp opcode='reply'/>
  </rule>
  <!-- drop everything else -->
  <rule action='drop' direction='inout' priority='1000' />
</filter>