diff --git a/Makefile.am b/Makefile.am
index 09439c8346189f461e6b8ca193d6309ab73ef2f7..dd334b5db8ae1f17407eabc002f5b3b686698348 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,7 +5,8 @@ GENHTML = genhtml
 
 SUBDIRS = gnulib/lib include src daemon tools proxy docs gnulib/tests \
   python tests po examples/domain-events/events-c examples/hellolibvirt \
-  examples/dominfo examples/domsuspend examples/python examples/apparmor
+  examples/dominfo examples/domsuspend examples/python examples/apparmor \
+  examples/xml/nwfilter
 
 ACLOCAL_AMFLAGS = -I m4 -I gnulib/m4
 
diff --git a/configure.ac b/configure.ac
index 0c2c0bedb7cd29009e2a73ddcf15c53dda5fa1d9..94223dd56a0e08d822e1821558a1b2061375b0fe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1987,7 +1987,8 @@ AC_OUTPUT(Makefile src/Makefile include/Makefile docs/Makefile \
           examples/domsuspend/Makefile \
           examples/dominfo/Makefile \
           examples/python/Makefile \
-          examples/hellolibvirt/Makefile)
+          examples/hellolibvirt/Makefile \
+          examples/xml/nwfilter/Makefile)
 
 AC_MSG_NOTICE([])
 AC_MSG_NOTICE([Configuration summary])
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
new file mode 100644
index 0000000000000000000000000000000000000000..dcf6ce42ddd757fa713e3da0d0a882f16db1b3ee
--- /dev/null
+++ b/examples/xml/nwfilter/Makefile.am
@@ -0,0 +1,30 @@
+
+FILTERS = \
+	allow-arp.xml \
+	allow-dhcp-server.xml \
+	allow-dhcp.xml \
+	allow-incoming-ipv4.xml \
+	allow-ipv4.xml \
+	clean-traffic.xml \
+	no-arp-spoofing.xml \
+	no-ip-multicast.xml \
+	no-ip-spoofing.xml \
+	no-mac-broadcast.xml \
+	no-mac-spoofing.xml \
+	no-other-l2-traffic.xml
+
+confdir = $(sysconfdir)/libvirt
+
+NWFILTER_DIR = "$(DESTDIR)$(sysconfdir)/libvirt/nwfilter"
+
+install-data-local:
+	$(MKDIR_P) "$(NWFILTER_DIR)"
+	for f in $(FILTERS); do \
+		$(INSTALL_DATA) $$f "$(NWFILTER_DIR)"; \
+	done
+
+uninstall-local::
+	for f in $(FILTERS); do \
+		rm -f "$(NWFILTER_DIR)/$$f"; \
+	done
+	-test -z $(shell ls $(NWFILTER_DIR)) || rmdir $(NWFILTER_DIR)
diff --git a/examples/xml/nwfilter/allow-arp.xml b/examples/xml/nwfilter/allow-arp.xml
new file mode 100644
index 0000000000000000000000000000000000000000..63a92b25b4e042e21bd9b3a086601b026460a880
--- /dev/null
+++ b/examples/xml/nwfilter/allow-arp.xml
@@ -0,0 +1,3 @@
+<filter name='allow-arp' chain='arp'>
+  <rule direction='inout' action='accept'/>
+</filter>
diff --git a/examples/xml/nwfilter/allow-dhcp-server.xml b/examples/xml/nwfilter/allow-dhcp-server.xml
new file mode 100644
index 0000000000000000000000000000000000000000..37e708ed4b9c132180316a1853e2a5767e42e346
--- /dev/null
+++ b/examples/xml/nwfilter/allow-dhcp-server.xml
@@ -0,0 +1,24 @@
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- note, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from a specific DHCP server
+         parameter DHPCSERVER needs to be passed from where this filter is
+         referenced -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip srcipaddr='$DHCPSERVER'
+            protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>
diff --git a/examples/xml/nwfilter/allow-dhcp.xml b/examples/xml/nwfilter/allow-dhcp.xml
new file mode 100644
index 0000000000000000000000000000000000000000..d66d2b6668c6c296af331ac0e7f936a3822addcb
--- /dev/null
+++ b/examples/xml/nwfilter/allow-dhcp.xml
@@ -0,0 +1,21 @@
+<filter name='allow-dhcp' chain='ipv4'>
+
+    <!-- accept outgoing DHCP requests -->
+    <!-- not, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast -->
+    <rule action='accept' direction='out' priority='100'>
+        <ip srcipaddr='0.0.0.0'
+            dstipaddr='255.255.255.255'
+            protocol='udp'
+            srcportstart='68'
+            dstportstart='67' />
+    </rule>
+
+    <!-- accept incoming DHCP responses from any DHCP server -->
+    <rule action='accept' direction='in' priority='100' >
+        <ip protocol='udp'
+            srcportstart='67'
+            dstportstart='68'/>
+    </rule>
+
+</filter>
diff --git a/examples/xml/nwfilter/allow-incoming-ipv4.xml b/examples/xml/nwfilter/allow-incoming-ipv4.xml
new file mode 100644
index 0000000000000000000000000000000000000000..dd1e50d02efc1946e66d26ca53c1a608989d24d6
--- /dev/null
+++ b/examples/xml/nwfilter/allow-incoming-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+  <rule direction='in' action='accept'/>
+</filter>
diff --git a/examples/xml/nwfilter/allow-ipv4.xml b/examples/xml/nwfilter/allow-ipv4.xml
new file mode 100644
index 0000000000000000000000000000000000000000..28e930a7c8913ee89f7f864697a39e816aa75f2c
--- /dev/null
+++ b/examples/xml/nwfilter/allow-ipv4.xml
@@ -0,0 +1,3 @@
+<filter name='allow-ipv4' chain='ipv4'>
+  <rule direction='inout' action='accept'/>
+</filter>
diff --git a/examples/xml/nwfilter/clean-traffic.xml b/examples/xml/nwfilter/clean-traffic.xml
new file mode 100644
index 0000000000000000000000000000000000000000..2cc7df983e586c3e1b99877a6fde0b0533dc3d73
--- /dev/null
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -0,0 +1,17 @@
+<filter name='clean-traffic'>
+   <!-- An example of a traffic filter enforcing clean traffic
+        from a VM by
+      - preventing MAC spoofing -->
+   <filterref filter='no-mac-spoofing'/>
+
+   <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+   <filterref filter='no-ip-spoofing'/>
+   <filterref filter='allow-incoming-ipv4'/>
+
+   <!-- preventing ARP spoofing/poisoning -->
+   <filterref filter='no-arp-spoofing'/>
+
+   <!-- preventing any other traffic than IPv4 and ARP -->
+   <filterref filter='no-other-l2-traffic'/>
+
+</filter>
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
new file mode 100644
index 0000000000000000000000000000000000000000..b49e781be479d6fc8e5c85fa7c8f83b0ecef31e3
--- /dev/null
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -0,0 +1,29 @@
+<filter name='no-arp-spoofing' chain='arp'>
+   <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
+
+   <!-- no arp spoofing -->
+   <!-- drop if ipaddr or macaddr does not belong to guest -->
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcmacaddr='$MAC'/>
+   </rule>
+   <rule action='drop' direction='out' priority='400' >
+       <arp match='no' arpsrcipaddr='$IP' />
+   </rule>
+   <!-- drop if ipaddr or macaddr odes not belong to guest -->
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstmacaddr='$MAC'/>
+       <arp opcode='reply'/>
+   </rule>
+   <rule action='drop' direction='in' priority='400' >
+       <arp match='no' arpdstipaddr='$IP' />
+   </rule>
+   <!-- accept only request or reply packets -->
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='request'/>
+   </rule>
+   <rule action='accept' direction='inout' priority='500' >
+       <arp opcode='reply'/>
+   </rule>
+   <!-- drop everything else -->
+   <rule action='drop' direction='inout' priority='1000' />
+</filter>
diff --git a/examples/xml/nwfilter/no-ip-multicast.xml b/examples/xml/nwfilter/no-ip-multicast.xml
new file mode 100644
index 0000000000000000000000000000000000000000..edcf03f6571946361dde59a20ac70d88ac0dd899
--- /dev/null
+++ b/examples/xml/nwfilter/no-ip-multicast.xml
@@ -0,0 +1,9 @@
+<filter name='no-ip-multicast' chain='ipv4'>
+
+    <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+    <rule action='drop' direction='out'>
+        <ip dstipaddr='224.0.0.0' dstipmask='4' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
new file mode 100644
index 0000000000000000000000000000000000000000..b8c94c82e446bf77204c86f5756d670407ba1a8a
--- /dev/null
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -0,0 +1,7 @@
+<filter name='no-ip-spoofing' chain='ipv4'>
+
+    <!-- drop if srcipaddr is not the IP address of the guest -->
+    <rule action='drop' direction='out'>
+        <ip match='no' srcipaddr='$IP' />
+    </rule>
+</filter>
diff --git a/examples/xml/nwfilter/no-mac-broadcast.xml b/examples/xml/nwfilter/no-mac-broadcast.xml
new file mode 100644
index 0000000000000000000000000000000000000000..74e65bf726656f99db545125ed21e139daf6e9b3
--- /dev/null
+++ b/examples/xml/nwfilter/no-mac-broadcast.xml
@@ -0,0 +1,8 @@
+<filter name='no-mac-broadcast' chain='ipv4'>
+    <!-- drop if destination mac is bcast mac addr. -->
+    <rule action='drop' direction='out'>
+        <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
new file mode 100644
index 0000000000000000000000000000000000000000..f21062327185ee2f7f9631f13a8714bd47f43e23
--- /dev/null
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -0,0 +1,5 @@
+<filter name='no-mac-spoofing' chain='ipv4'>
+  <rule action='drop' direction='out' priority='10'>
+      <mac match='no' srcmacaddr='$MAC' />
+  </rule>
+</filter>
diff --git a/examples/xml/nwfilter/no-other-l2-traffic.xml b/examples/xml/nwfilter/no-other-l2-traffic.xml
new file mode 100644
index 0000000000000000000000000000000000000000..8bad86ef52c0293d5c578d3d0a5e35aad845ca95
--- /dev/null
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
@@ -0,0 +1,7 @@
+<filter name='no-other-l2-traffic'>
+
+    <!-- drop all other l2 traffic than for which rules have been
+         written for; i.e., drop all other than arp and ipv4 traffic -->
+    <rule action='drop' direction='inout' priority='1000'/>
+
+</filter>