libvirt/examples/xml/nwfilter/no-ip-spoofing.xml

<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
  <!-- allow UDP sent from 0.0.0.0 (DHCP); filter more exact later -->
  <rule action='return' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' protocol='udp'/>
  </rule>

  <!-- allow all known IP addresses -->
  <rule direction='out' action='return' priority='500'>
    <ip srcipaddr='$IP'/>
  </rule>

  <!-- drop everything else -->
  <rule direction='out' action='drop' priority='1000'/>
</filter>