With new filters borrowed from David Steven's submission:
A set of new filters to handle multiple IP addresses and MAC addresses
per interface. The alternative would be to replace some of the existing
ones with these here.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

---
 examples/xml/nwfilter/Makefile.am             |    6 +++++
 examples/xml/nwfilter/clean-traffic-new.xml   |   29 ++++++++++++++++++++++++++
 examples/xml/nwfilter/no-arp-spoofing-new.xml |    4 +++
 examples/xml/nwfilter/no-arpip-spoofing.xml   |   12 ++++++++++
 examples/xml/nwfilter/no-arpmac-spoofing.xml  |    8 +++++++
 examples/xml/nwfilter/no-ip-spoofing-new.xml  |    5 ++++
 examples/xml/nwfilter/no-mac-spoofing-new.xml |   10 ++++++++
 7 files changed, 74 insertions(+)

Index: libvirt-acl/examples/xml/nwfilter/Makefile.am
===================================================================
--- libvirt-acl.orig/examples/xml/nwfilter/Makefile.am
+++ libvirt-acl/examples/xml/nwfilter/Makefile.am
@@ -8,11 +8,17 @@ FILTERS = \
 	allow-incoming-ipv4.xml \
 	allow-ipv4.xml \
 	clean-traffic.xml \
+	clean-traffic-new.xml \
 	no-arp-spoofing.xml \
+	no-arp-spoofing-new.xml \
+	no-arpip-spoofing.xml \
+	no-arpmac-spoofing.xml \
 	no-ip-multicast.xml \
 	no-ip-spoofing.xml \
+	no-ip-spoofing-new.xml \
 	no-mac-broadcast.xml \
 	no-mac-spoofing.xml \
+	no-mac-spoofing-new.xml \
 	no-other-l2-traffic.xml \
 	no-other-rarp-traffic.xml \
 	qemu-announce-self.xml \
Index: libvirt-acl/examples/xml/nwfilter/no-arpip-spoofing.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -0,0 +1,12 @@
+<filter name='no-arpip-spoofing' chain='arpip' priority='-510'>
+   <!-- no arp spoofing -->
+   <!-- drop if ipaddr does not belong to guest -->
+   <rule action='return' direction='out' priority='400' >
+       <arp match='yes' arpsrcipaddr='$IP' />
+   </rule>
+   <rule action='return' direction='out' priority='410' >
+       <arp match='yes' arpsrcipaddr='0.0.0.0' />
+   </rule>
+   <!-- drop everything else -->
+   <rule action='drop' direction='out' priority='1000' />
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-arpmac-spoofing.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -0,0 +1,8 @@
+<filter name='no-arpmac-spoofing' chain='arpmac' priority='-510'>
+   <rule action='return' direction='out' priority='350' >
+       <arp match='yes' arpsrcmacaddr='$MAC'/>
+   </rule>
+   <!-- drop everything else -->
+   <rule action='drop' direction='out' priority='1000' />
+</filter>
+
Index: libvirt-acl/examples/xml/nwfilter/clean-traffic-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/clean-traffic-new.xml
@@ -0,0 +1,29 @@
+<filter name='clean-traffic-new' chain='root'>
+   <!-- An example of a traffic filter enforcing clean traffic
+        from a VM by
+      - preventing MAC spoofing -->
+   <filterref filter='no-mac-spoofing-new'/>
+
+   <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+   <filterref filter='no-ip-spoofing-new'/>
+
+   <rule direction='out' action='accept' priority='-750'>
+     <mac protocolid='ipv4'/>
+   </rule>
+
+   <filterref filter='allow-incoming-ipv4'/>
+
+   <!-- preventing ARP spoofing/poisoning -->
+   <filterref filter='no-arp-spoofing-new'/>
+
+   <rule direction='out' action='accept' priority='-550'>
+      <mac protocolid='arp'/>
+   </rule>
+
+   <!-- preventing any other traffic than IPv4 and ARP -->
+   <filterref filter='no-other-l2-traffic'/>
+
+   <!-- allow qemu to send a self-announce upon migration end -->
+   <filterref filter='qemu-announce-self'/>
+
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-arp-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-arp-spoofing-new.xml
@@ -0,0 +1,4 @@
+<filter name='no-arp-spoofing-new'>
+   <filterref filter='no-arpmac-spoofing'/>
+   <filterref filter='no-arpip-spoofing'/>
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-mac-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-mac-spoofing-new.xml
@@ -0,0 +1,10 @@
+<filter name='no-mac-spoofing-new' chain='mac' priority='-800'>
+  <!-- return packets with VM's MAC address as source address -->
+  <rule direction='out' action='return'>
+    <mac srcmacaddr='$MAC'/>
+  </rule>
+  <!-- drop everything else -->
+  <rule direction='out' action='drop'>
+    <mac/>
+  </rule>
+</filter>
Index: libvirt-acl/examples/xml/nwfilter/no-ip-spoofing-new.xml
===================================================================
--- /dev/null
+++ libvirt-acl/examples/xml/nwfilter/no-ip-spoofing-new.xml
@@ -0,0 +1,5 @@
+<filter name='no-ip-spoofing-new' chain='ipv4-ip' priority='-710'>
+  <rule direction='out' action='return'>
+    <ip match='yes' srcipaddr='$IP'/>
+  </rule>
+</filter>