<filter name='no-mac-spoofing' chain='mac' priority='-800'>
  <!-- return packets with VM's MAC address as source address -->
  <rule direction='out' action='return'>
    <mac srcmacaddr='$MAC'/>
  </rule>
  <!-- drop everything else -->
  <rule direction='out' action='drop'>
    <mac/>
  </rule>
</filter>
