Hello,
I'm trying to set up a nwfilter ruleset where the client should only be
able to answer incoming requests and pings. The outbound traffic (LAN
and Internet) shouldn't be working.
I've got the rules as mentioned below (I moved all filterrefs inside for
debugging):
<filter name='fwrule-test0' chain='root' priority='-700'>
  <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='101'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <ip dstipaddr='10.16.136.6'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <ip dstipaddr='10.16.136.9'/>
  </rule>
  <rule action='accept' direction='in' priority='250'>
    <all/>
  </rule>
  <rule action='accept' direction='inout' priority='300'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='inout' priority='301'>
    <icmp/>
  </rule>
  <rule action='accept' direction='out' priority='400'>
    <udp dstportstart='53'/>
  </rule>
  <rule action='accept' direction='inout' priority='400'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='drop' direction='out' priority='800'>
    <all/>
  </rule>
</filter>
When the guest already has a proper IP address, this seems to work at
first sight: the client can't talk to the internet anymore, but is
reachable for TCP and UDP requests.
However, I can't get DHCP working. I'm using the integrated dnsmasq
service for DHCP.
It works again when I remove the last DROP rule that takes care of the rest.
I looked at tcpdump / Wireshark for the corresponding interface
(virbr4). With the DHCP port rules enabled I can see that DHCP requests
go out to 255.255.255.255.
I also activated dnsmasq logging for the virbr4 instance. Here, I don't
get any DHCP logs.
Without the last DROP rule, I can see clients getting an IP address. I
currently have no idea where to look "in between", as the dnsmasq is
listening on virbr4.
My expectation for DHCP was ports 67 <-> 68 to be open as in the
nwfilter 'allow-dhcp'.
Am I missing something here?
Thank you!
Kai
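An added example (not part of the original mail and not libvirt code) that parses the ruleset above and reports which rule a given packet would hit first under a plain priority-ordered, first-match model. It assumes one match element per rule, exact port and address comparison, and nwfilter's defaults (priority 500 when unset, accept when nothing matches); it deliberately does not model how libvirt spreads rules across ebtables and iptables chains, so a packet that this model accepts but the host drops points at exactly that split.

```python
import xml.etree.ElementTree as ET

# The filter from the mail above, retyped one rule per line (uuid omitted).
FILTER_XML = """<filter name='fwrule-test0' chain='root' priority='-700'>
<rule action='accept' direction='out' priority='100'><ip protocol='udp' srcportstart='68' dstportstart='67'/></rule>
<rule action='accept' direction='in' priority='101'><ip protocol='udp' srcportstart='67' dstportstart='68'/></rule>
<rule action='accept' direction='out' priority='200'><ip dstipaddr='10.16.136.6'/></rule>
<rule action='accept' direction='out' priority='200'><ip dstipaddr='10.16.136.9'/></rule>
<rule action='accept' direction='in' priority='250'><all/></rule>
<rule action='accept' direction='inout' priority='300'><all state='ESTABLISHED,RELATED'/></rule>
<rule action='accept' direction='inout' priority='301'><icmp/></rule>
<rule action='accept' direction='out' priority='400'><udp dstportstart='53'/></rule>
<rule action='accept' direction='inout' priority='400'><mac protocolid='arp'/></rule>
<rule action='drop' direction='out' priority='800'><all/></rule>
</filter>"""

def load_rules(xml_text):
    # Each rule becomes (priority, action, direction, match tag, match attributes).
    rules = []
    for rule in ET.fromstring(xml_text).findall('rule'):
        match = rule[0]  # assumption: exactly one match element per rule
        rules.append((int(rule.get('priority', '500')), rule.get('action'),
                      rule.get('direction'), match.tag, dict(match.attrib)))
    return sorted(rules, key=lambda r: r[0])  # stable: XML order decides ties

def rule_matches(rule, pkt):
    # Simplified matcher: any listed mismatch disqualifies the rule.
    _, _, direction, tag, a = rule
    mismatches = [
        direction not in ('inout', pkt['direction']),
        tag == 'ip' and pkt.get('ethertype') != 'ipv4',
        tag in ('udp', 'tcp', 'icmp') and pkt.get('l4') != tag,
        tag == 'mac' and a.get('protocolid', pkt.get('ethertype')) != pkt.get('ethertype'),
        a.get('protocol', pkt.get('l4')) != pkt.get('l4'),
        int(a.get('srcportstart', pkt.get('srcport', 0))) != pkt.get('srcport', 0),
        int(a.get('dstportstart', pkt.get('dstport', 0))) != pkt.get('dstport', 0),
        a.get('dstipaddr', pkt.get('dstip')) != pkt.get('dstip'),
        'state' in a and pkt.get('state') not in a['state'].split(','),
    ]
    return not any(mismatches)

def first_match(rules, pkt):
    # Returns (action, priority) of the first hit; no hit means nwfilter's default accept.
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[1], rule[0]
    return 'accept', None

# Constructed packets: a DHCPDISCOVER leaving the guest, and a new outbound HTTPS connection.
DHCP_OUT = dict(direction='out', ethertype='ipv4', l4='udp', srcport=68, dstport=67,
                dstip='255.255.255.255', state='NEW')
HTTPS_OUT = dict(direction='out', ethertype='ipv4', l4='tcp', srcport=40000, dstport=443,
                 dstip='203.0.113.10', state='NEW')
RULES = load_rules(FILTER_XML)
```

Running `first_match(RULES, DHCP_OUT)` gives `('accept', 100)` while `first_match(RULES, HTTPS_OUT)` gives `('drop', 800)`, which is the policy the mail intends; comparing that with the chains `virsh` actually installs on the host shows where the two diverge.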