Hi,
I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
exchange traffic with each other, only with a specific gateway.
I am using a custom nwfilter named isolatedprivatevlan-vdsm.xml
located in /etc/libvirt/nwfilter/:
<filter name='isolatedprivatevlan-vdsm' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>
VM1 domain xml portion:
<interface type="bridge">
  <mac address="00:1a:4a:16:01:53"/>
  <model type="virtio"/>
  <source bridge="red"/>
  <filterref filter="isolatedprivatevlan-vdsm">
    <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
  </filterref>
</interface>
VM2 domain xml portion:
<interface type="bridge">
  <mac address="00:1a:4a:16:01:52"/>
  <model type="virtio"/>
  <source bridge="red"/>
  <filterref filter="isolatedprivatevlan-vdsm">
    <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
  </filterref>
</interface>
In each VM (Fedora 15 LiveCD) I assign an IP:
vm1:
# ifconfig eth0 10.35.1.240 netmask 255.255.254.0
# route add default gw 10.35.1.1
vm2:
# ifconfig eth0 10.35.1.241 netmask 255.255.254.0
# route add default gw 10.35.1.1
but the filter is not working: I can ping the VMs from each other.
Am I missing something?
Thanks,
Shahar Havivi.
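As an added example (not part of Shahar's post or of libvirt), the script below resolves the $GATEWAY_MAC parameter from the domain's <filterref> and evaluates the resulting <mac> rule against a few constructed frames, so a reader can see what the filter is meant to do once the variable is substituted: VM1-to-VM2 frames should be dropped and frames to the gateway accepted. It models only the explicit <mac> rule of the custom filter, not the referenced clean-traffic filter, and makes no claim about why the rule is not taking effect on the host.

```python
# Added example, not from the original post: resolve nwfilter variables
# from a domain's <filterref> parameters and evaluate the expanded MAC rule.
import xml.etree.ElementTree as ET

# nwfilter definition as given in the post.
FILTER_XML = """<filter name='isolatedprivatevlan-vdsm' chain='root'>
<filterref filter='clean-traffic'/>
<rule action='drop' direction='out' priority='500'>
<mac match='no' dstmacaddr='$GATEWAY_MAC'/>
</rule>
</filter>"""

# <interface> element of VM1 as given in the post.
VM1_IFACE_XML = """<interface type="bridge">
<mac address="00:1a:4a:16:01:53"/>
<model type="virtio"/>
<source bridge="red"/>
<filterref filter="isolatedprivatevlan-vdsm">
<parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
</filterref>
</interface>"""


def filterref_params(iface_xml):
    """Return {name: value} for the <parameter> children of <filterref>."""
    iface = ET.fromstring(iface_xml)
    return {p.get("name"): p.get("value").lower()
            for p in iface.findall("./filterref/parameter")}


def effective_mac_rules(filter_xml, params):
    """Expand $VAR references in <mac> rules into concrete addresses."""
    rules = []
    for rule in ET.fromstring(filter_xml).findall("rule"):
        for mac in rule.findall("mac"):
            dst = mac.get("dstmacaddr")
            if dst and dst.startswith("$"):
                dst = params[dst[1:]]  # KeyError if the domain omits it
            rules.append({"action": rule.get("action"),
                          "direction": rule.get("direction"),
                          "negate": mac.get("match") == "no",
                          "dstmacaddr": dst})
    return rules


def frame_verdict(rules, direction, dst_mac):
    """First matching rule decides; no match means the frame passes.
    Only the explicit <mac> rules are modelled, not clean-traffic."""
    for r in rules:
        if r["direction"] not in (direction, "inout"):
            continue
        matched = dst_mac.lower() == r["dstmacaddr"]
        if matched != r["negate"]:   # match='no' inverts the test
            return r["action"]
    return "accept"
```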