libvirt/examples/xml/nwfilter/clean-traffic.xml

<filter name='clean-traffic' chain='root'>
   <!-- An example of a traffic filter enforcing clean traffic
        from a VM by
      - preventing MAC spoofing -->
   <filterref filter='no-mac-spoofing'/>

   <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
   <filterref filter='no-ip-spoofing'/>

   <rule direction='out' action='accept' priority='-650'>
      <mac protocolid='ipv4'/>
   </rule>

   <filterref filter='allow-incoming-ipv4'/>

   <!-- preventing ARP spoofing/poisoning -->
   <filterref filter='no-arp-spoofing'/>

   <!-- accept all other incoming and outgoing ARP traffic -->
   <rule action='accept' direction='inout' priority='-500'>
      <mac protocolid='arp'/>
   </rule>

   <!-- preventing any other traffic than IPv4 and ARP -->
   <filterref filter='no-other-l2-traffic'/>

   <!-- allow qemu to send a self-announce upon migration end -->
   <filterref filter='qemu-announce-self'/>

</filter>