Hi,
This is mostly a cut/paste from a bugzilla I just filed,
https://bugzilla.redhat.com/show_bug.cgi?id=862887 - Dave Allan mentioned I
should post it on the mailing list for comments.
I was trying to program up a libvirt nwfilter rule to restrict the ARP
destination IP address (in the request) to be a subnet. I can specify one using
ebtables directly, but not via a filter. Looking on libvirt.org, it seems it
must be an IP address; I don't know if anyone has thought about changing that to
support a subnet.
$ libvirtd --version
libvirtd (libvirt) 0.9.8
I created a file that looks something like this:
<filter name='only-arp-dstip-net' chain='arp'>
<rule action='drop' direction='out' priority='550'>
<arp match='no' arpdstipaddr='10.1.2.0/24' />
</rule>
</filter>
But when it's defined, it loses the arpdstipaddr part:
<filter name='only-arp-dstip-net' chain='arp' priority='-500'>
<uuid>a4f2f8a4-a590-b406-e4cd-97580a153545</uuid>
<rule action='drop' direction='out' priority='550'>
<arp/>
</rule>
</filter>
And the corresponding ebtables rule is:
Bridge chain: I-vnet0-arp, entries: 7, policy: ACCEPT
<snip>
-p ARP -j DROP , pcnt = 0 -- bcnt = 0
Using ebtables works:
$ sudo ebtables -t nat -A I-vnet0-arp -p ARP --arp-ip-dst 10.1.2.0/24 -j DROP
Bridge chain: I-vnet0-arp, entries: 7, policy: ACCEPT
<snip>
-p ARP --arp-ip-dst 10.1.2.0/24 -j DROP , pcnt = 0 -- bcnt = 0
The use case I have is that I have a bridge with proxy_arp=1, but I don't want
to respond for all IP addresses, just a certain range. Right now a VM can use
'ping -r -I eth0 $any_ip' and the stack will respond.
Thanks,
-Brian
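As an added illustration of what the filter above is asking for (this is example code written for this page, not libvirt's nwfilter implementation and not anything from the original post), the following Python parses Ethernet/ARP frames and applies a rule with the semantics of `<arp match='no' arpdstipaddr='10.1.2.0/24'/>` with action drop, which is also what `ebtables -p ARP ! --arp-ip-dst 10.1.2.0/24 -j DROP` expresses. The frame builder, the MAC `52:54:00:12:34:56` and the addresses `10.1.2.5`, `10.1.2.9` and `192.0.2.1` are constructed test inputs; the chain walk (first matching rule wins, otherwise the chain policy) is an assumption modelled on the ebtables output shown above.

```python
"""Emulate an ARP target-IP match restricted to a subnet.

Added example, not libvirt code: shows which ARP requests a rule like
<arp match='no' arpdstipaddr='10.1.2.0/24'/> (action drop) would stop,
i.e. any ARP request whose target protocol address lies outside the subnet.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build an Ethernet frame carrying an ARP request (constructed test input)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = bytes.fromhex("ffffffffffff") + smac + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, op=request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += smac + ipaddress.IPv4Address(sender_ip).packed
    arp += bytes(6) + ipaddress.IPv4Address(target_ip).packed  # target MAC unknown
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 14 + 28:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled here
    sender_ip = ipaddress.IPv4Address(frame[28:32])
    target_ip = ipaddress.IPv4Address(frame[38:42])  # what --arp-ip-dst looks at
    return op, sender_ip, target_ip


class ArpDstRule:
    """One rule in the spirit of <arp match='yes|no' arpdstipaddr='...'/>.

    arpdstipaddr may be a single address or a CIDR prefix (the subnet form the
    poster wants); match=False negates the comparison, like match='no'.
    """

    def __init__(self, arpdstipaddr, match=True, action="drop"):
        self.net = ipaddress.ip_network(arpdstipaddr, strict=False)
        self.match = match
        self.action = action

    def applies(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return False  # not ARP: an ARP rule never matches it
        _, _, target_ip = parsed
        hit = target_ip in self.net
        return hit if self.match else not hit


def filter_frames(rules, frames, policy="accept"):
    """Walk each frame through the rules in order; first match decides,
    otherwise the chain policy applies (assumed to mirror the ebtables chain)."""
    verdicts = []
    for frame in frames:
        verdict = policy
        for rule in rules:
            if rule.applies(frame):
                verdict = rule.action
                break
        verdicts.append(verdict)
    return verdicts


def demo():
    """Apply the post's intended rule to three constructed frames."""
    rule = ArpDstRule("10.1.2.0/24", match=False, action="drop")
    frames = [
        build_arp_request("52:54:00:12:34:56", "10.1.2.5", "10.1.2.9"),   # inside subnet
        build_arp_request("52:54:00:12:34:56", "10.1.2.5", "192.0.2.1"),  # outside subnet
        bytes(12) + b"\x08\x00" + bytes(46),                               # plain IPv4 frame
    ]
    return filter_frames([rule], frames)


if __name__ == "__main__":
    print(demo())
```

Run it with `python3 arp_subnet_rule.py`; the in-subnet request and the non-ARP frame fall through to the accept policy, while the request for 192.0.2.1 is dropped. Swapping `10.1.2.0/24` for a single host such as `10.1.2.9` reproduces the restriction the poster hit: only that one target address is matched.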