There are three pieces of libvirt functionality which do network filtering of some type. At a high level they are:

The virtual network driver
This provides an isolated bridge device (i.e. no physical NICs attached). Guest TAP devices are attached to this bridge. Guests can talk to each other and the host, and optionally the wider world.

The QEMU driver MAC filtering
This provides a generic filtering