Hi folks,
I'm using libvirt 3.9.0 running under CentOS 7.5. I want the guests,
which are all within the same subnet (e.g. 10.0.0.x), to only talk to
their default gateway (e.g. 10.0.0.1) but not to each other. This is caused
by a design issue of our network platform. I set up a filter rule and
attached it to the interface of a guest using nwfilter-define:
<filter name='private_ip' chain='ipv4'>
  <uuid>foobar</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='$IP' dstipaddr='10.0.0.1'/>
  </rule>
  <rule action='accept' direction='in' priority='110'>
    <ip srcipaddr='10.0.0.1' dstipaddr='$IP'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>
It simply doesn't work. The guest can talk to the other guests within the
same subnet. All guests are connected to a bridge interface. The IP of
the guest interface is defined in the guest's XML file. Is there any
additional kernel module to load? The module br_netfilter is already
loaded and /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1.
After hours of googling and testing I still couldn't find a solution.
Please help!
Thank you very much in advance
Marc
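A small rule-evaluation check for the filter above, added here as an example and not part of the original message or of libvirt: it resolves $IP the way the interface's IP parameter would and walks the rules in priority order with first-match semantics, which is assumed to mirror how libvirt installs an ipv4-chain filter as iptables rules (only srcipaddr/dstipaddr are handled, no masks or other protocol matches, and an unmatched packet is assumed to pass). It confirms what the filter is supposed to do for guest-to-gateway versus guest-to-guest IPv4 traffic, so observed behaviour that differs points at how the rules were actually installed on the host rather than at the rule logic.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The filter exactly as posted (the uuid is the poster's own placeholder).
FILTER_XML = """
<filter name='private_ip' chain='ipv4'>
  <uuid>foobar</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='$IP' dstipaddr='10.0.0.1'/>
  </rule>
  <rule action='accept' direction='in' priority='110'>
    <ip srcipaddr='10.0.0.1' dstipaddr='$IP'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>
"""

def parse_rules(xml_text, variables):
    """Return (priority, action, direction, match_tag, attrs) tuples sorted by
    priority, with $VAR references replaced from the variables dict."""
    rules = []
    for rule in ET.fromstring(xml_text).findall('rule'):
        match = rule[0]  # the single protocol element: <ip/>, <all/>, ...
        attrs = {k: (variables.get(v[1:], v) if v.startswith('$') else v)
                 for k, v in match.attrib.items()}
        rules.append((int(rule.get('priority', '500')), rule.get('action'),
                      rule.get('direction'), match.tag, attrs))
    return sorted(rules, key=lambda r: r[0])

def _addr_match(pattern, addr):
    # A bare address in the XML is treated as a /32 network.
    return pattern is None or ipaddress.ip_address(addr) in \
        ipaddress.ip_network(pattern, strict=False)

def evaluate(rules, direction, src, dst):
    """First-match verdict for an IPv4 packet on the guest interface.
    direction is 'out' (leaving the guest) or 'in' (towards the guest)."""
    for _prio, action, rule_dir, tag, attrs in rules:
        if rule_dir not in (direction, 'inout'):
            continue
        if tag == 'all' or (tag == 'ip'
                            and _addr_match(attrs.get('srcipaddr'), src)
                            and _addr_match(attrs.get('dstipaddr'), dst)):
            return action
    return 'accept'  # assumption: nothing matched, packet falls through

if __name__ == '__main__':
    rules = parse_rules(FILTER_XML, {'IP': '10.0.0.5'})  # constructed guest IP
    print('guest->gateway', evaluate(rules, 'out', '10.0.0.5', '10.0.0.1'))
    print('guest->guest  ', evaluate(rules, 'out', '10.0.0.5', '10.0.0.7'))
```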