<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
  <!-- no arp spoofing -->
  <!-- drop if ipaddr does not belong to guest -->
  <rule action='return' direction='out' priority='400' >
    <arp match='yes' arpsrcipaddr='$IP' />
  </rule>
  <!-- drop everything else -->
  <rule action='drop' direction='out' priority='1000' />
</filter>
