[libvirt-users] nwfilter usage

I'm trying to accomplish what I had hoped would be a fairly simple filtering of traffic to my VMs, but I'm hitting a snag. The VMs are allowing traffic when I wouldn't expect them to. Host and Guest are both running the same platform: Ubuntu 12.04.4 LTS 0.9.8-2ubuntu17.19 I have a basic bridge enabled on the host: brctl addbr brdg brctl addif brdg eth1 ip link set brdg up The host has iptables support: root@host:~# lsmod | grep filt ip6table_filter 12815 0 ip6_tables 27864 2 ip6table_filter,xt_TPROXY iptable_filter 12810 1 ip_tables 27473 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter x_tables 29891 52 ebt_arp,ebt_ip,ip6table_filter,ebtables,xt_time,xt_connlimit,xt_realm,xt_addrtype,iptable_raw,xt_comment,xt_recent,xt_policy,ipt_ULOG,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,xt_set,xt_TPROXY,ip6_tables,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_connmark,xt_CLASSIFY,xt_AUDIT,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,iptable_mangle,iptable_filter,ip_tables Guest network using bridge: <interface type='bridge'> <mac address='00:11:22:33:44:55'/> <source bridge='brdg'/> <model type='virtio'/> <filterref filter='outbound-only'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> </interface> <filter name='outbound-only' chain='root'> <uuid>0c834381-402c-faf3-019f-eb5a40ea6b61</uuid> <filterref filter='allow-arp'/> <filterref filter='allow-dhcp'/> <filterref filter='qemu-announce-self'/> <filterref filter='no-other-l2-traffic'/> </filter> My goal is to allow the guest to reach the internet, but not allow the internet or other guests to reach this guest. I realize this config is not sufficient for that, but I can't get any farther until I understand the current behavior. From the look of the config, this should essentially not be allowing anything except arp and dhcp. And yet, the host has full connectivity. I can run apt-get update on the VM, I can ping the VM from other nodes in my network, etc. It's basically wide-open. So either one of the included rules is not working as advertised, or I'm misunderstanding some feature of the filtering process. Any pointers would be appreciated. Thanks