[libvirt-users] Problems getting nwfilter to work
Marc
2018-11-08 08:13:58 UTC
Hi folks,

I'm using libvirt 3.9.0 running under CentOS 7.5. I want the guests,
which are all within the same subnet (e.g. 10.0.0.x), to only talk to
their default gateway (e.g. 10.0.0.1) but not to each other. This is caused
by a design issue of our network platform. I set up a filter rule and
attached it to the interface of a guest using nwfilter-define:

<filter name='private_ip' chain='ipv4'>
  <uuid>foobar</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='$IP' dstipaddr='10.0.0.1'/>
  </rule>
  <rule action='accept' direction='in' priority='110'>
    <ip srcipaddr='10.0.0.1' dstipaddr='$IP'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>

It simply doesn't work. The guest can talk to the other guests within the
same subnet. All guests are connected to a bridge interface. The IP of
the guest interface is defined in the guests' xml file. Is there any
additional kernel module to load? The module br_netfilter is already
loaded and /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1.
After hours of googling and testing I still couldn't find a solution.
Please help!

Thank you very much in advance
Marc
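As an added illustration (not part of Marc's post or of libvirt), the following Python script runs a pre-flight check over the filter above together with the guest's <interface> element that references it: it flags a <uuid> that libvirt cannot parse, checks that every $VARIABLE the filter uses is bound by a filterref <parameter>, and lists the rules in the order libvirt evaluates them. The bridge name br0 and the guest address 10.0.0.23 are constructed values.

```python
# Added example, not from the original post: pre-flight check for an nwfilter
# definition and the <interface> that references it. Standard library only.
import re
import uuid
import xml.etree.ElementTree as ET

# Constructed: the filter from the post, with its placeholder <uuid>.
FILTER_XML = """<filter name='private_ip' chain='ipv4'>
  <uuid>foobar</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='$IP' dstipaddr='10.0.0.1'/>
  </rule>
  <rule action='accept' direction='in' priority='110'>
    <ip srcipaddr='10.0.0.1' dstipaddr='$IP'/>
  </rule>
  <rule action='drop' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>"""

# Constructed: how a guest's <interface> binds the filter and supplies $IP.
IFACE_XML = """<interface type='bridge'>
  <source bridge='br0'/>
  <filterref filter='private_ip'>
    <parameter name='IP' value='10.0.0.23'/>
  </filterref>
</interface>"""

def check_filter(filter_xml, iface_xml):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    flt = ET.fromstring(filter_xml)
    ref = ET.fromstring(iface_xml).find('filterref')
    u = flt.findtext('uuid')
    if u is not None:
        try:
            uuid.UUID(u)  # libvirt rejects a malformed <uuid>; omit it to get one generated
        except ValueError:
            findings.append(f"uuid '{u}' is not a valid UUID")
    bound = set()
    if ref is None or ref.get('filter') != flt.get('name'):
        findings.append(f"interface does not reference filter '{flt.get('name')}'")
    else:
        bound = {p.get('name') for p in ref.findall('parameter')}
    # $MAC is always filled in by libvirt from the interface itself.
    used = set(re.findall(r'\$(\w+)', filter_xml)) - {'MAC'}
    for var in sorted(used - bound):
        findings.append(f"${var} is not bound by a filterref parameter; libvirt must learn it")
    return findings

def rules_in_order(filter_xml):
    """(priority, action, direction, match) tuples, lowest priority value first."""
    flt = ET.fromstring(filter_xml)
    return sorted((int(r.get('priority', 500)), r.get('action'), r.get('direction'), r[0].tag)
                  for r in flt.findall('rule'))
```

Run it against your own filter and domain XML before defining them; the host-side chains libvirt instantiates for the tap device are still the place to confirm the rules actually landed.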
