so by definition guest from different subnets cannot talk to each other directly unless they are connected via some router. That means you don't need any filter for that. If there is a router between the networks and it is needed for some cases then you could change the filter I have posted to use IP restriction instead of MAC one e.g . Have not tested it myself but it should work fine.
Hopefully this helps.
<!-- An example of a traffic filter enforcing clean traffic
from a VM by
- preventing MAC spoofing -->
<!-- preventing IP spoofing on outgoing -->
<!-- preventing ARP spoofing/poisoning -->
<!-- accept all other incoming and outgoing ARP traffic -->
<rule action="" direction='inout' priority='-500'>
<!-- accept traffic only from specified MAC address -->
<rule action="" direction='in'>
<ip match='yes' srcipaddr='$GATEWAY_IP'
<!-- allow traffic only to specified MAC address -->
<rule action="" direction='out'>
<ip match='yes' dstipaddr='$GATEWAY_IP'
<!-- preventing any other traffic than between specified MACs
and ARP -->
<!-- allow qemu to send a self-announce upon migration end -->