constrain network traffic passing through the bridge
kvm-manager defaults to using a bridged configuration.
One guest might (accidentally or otherwise) sometimes try to claim a public IP address that does not belong to them.
It would be nice if kvm-manager could optionally constrain the guests so that the only traffic which passes is acceptable IP and ARP traffic. This is probably best done by filtering the port that is added to the bridge.
Note that guests may end up with several IP addresses, and they might be IPv4 or IPv6 addresses.
We may also want to constrain MAC addresses somehow, to avoid one guest spoofing another's MAC address, but if we can avoid that i'd prefer to avoid it. Filtering out malicious ARPs ought to be enough to constrain MAC addresses, and i don't want guests to break if they have MAC address randomization turned on for whatever reason.
ebtables has historically been the best place to do this, but with modern systems, i believe that nftables is the recommended approach.
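
One way the per-port filter requested above could be expressed with nftables, as an added example and not kvm-manager code: a shell function that prints a bridge-family ruleset accepting only ARP, IPv4 and IPv6 frames whose source address is in the guest's assigned list, and dropping everything else from that port. The function name, the table name, the port name `tap0` and the addresses are hypothetical; it assumes statically addressed guests and an nft version that supports `arp saddr ip`.

```shell
#!/bin/sh
# Added example (not kvm-manager code). Port name and addresses are constructed.
# Assumes statically addressed guests: DHCP (source 0.0.0.0), ARP probes and
# IPv6 link-local sources are not in the list and are therefore dropped.
# Does not inspect IPv6 neighbour-advertisement targets.

# gen_guest_filter PORT ADDR...  prints a ruleset; returns 1 on bad input.
gen_guest_filter() {
    port=$1; shift
    # Allow only characters that cannot terminate an nft string or set.
    case $port in ''|*[!A-Za-z0-9_.-]*) echo "bad port name" >&2; return 1;; esac
    v4=''; v6=''
    for a in "$@"; do
        case $a in
            ''|*[!0-9A-Fa-f:./]*) echo "bad address: $a" >&2; return 1;;
            *:*) v6="${v6:+$v6, }$a";;   # IPv6 (several addresses are fine)
            *.*) v4="${v4:+$v4, }$a";;   # IPv4
            *)   echo "bad address: $a" >&2; return 1;;
        esac
    done
    [ -n "$v4$v6" ] || { echo "no addresses given" >&2; return 1; }
    table="guest_$(printf '%s' "$port" | tr -c 'A-Za-z0-9' '_')"
    # Declare-then-delete makes a reload replace the old rules in one transaction.
    printf 'table bridge %s\ndelete table bridge %s\n' "$table" "$table"
    printf 'table bridge %s {\n  chain prerouting {\n' "$table"
    printf '    type filter hook prerouting priority 0; policy accept;\n'
    printf '    iifname != "%s" return\n' "$port"
    if [ -n "$v4" ]; then
        # ARP passes only when its sender protocol address is an assigned one;
        # the MAC is left unconstrained so MAC randomization keeps working.
        printf '    ether type arp arp saddr ip { %s } accept\n' "$v4"
        printf '    ether type ip ip saddr { %s } accept\n' "$v4"
    fi
    # An empty set is a syntax error in nft, so an unused family gets no rule.
    [ -z "$v6" ] || printf '    ether type ip6 ip6 saddr { %s } accept\n' "$v6"
    # Anything else entering the bridge from this port is dropped.
    printf '    drop\n  }\n}\n'
}

# Print the ruleset for a constructed guest; pipe to "nft -f -" to load it.
gen_guest_filter tap0 192.0.2.10 2001:db8::10
```

Because the chain hooks bridge prerouting, the filter applies both to frames forwarded to other ports and to frames addressed to the host itself.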