At the moment, a customer who has a virtual machine on KVM can simply change his own IP address or add another one and probably cause an IP address conflict.
How can I prevent a user from changing the IP address of his virtual machine? I read about using ebtables over the bridged network on the host.
Isn't there something like an ACL feature, or a way of defining it directly in the guest's XML file?
I have found the solution. Libvirt provides a feature called nwfilter which allows you to set up filters. There are also some example filters. They do exactly what I wanted. See this link.
I have downloaded them directly from GitHub and defined them with virsh nwfilter-define <file.xml>
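An added example, not part of the original post, of how a defined filter is attached to a guest in its domain XML, using clean-traffic, one of libvirt's example filters. The bridge name, MAC address and IP address are constructed placeholder values.

```xml
<!-- Interface section of the guest's domain XML (edit with: virsh edit <domain>). -->
<!-- br0, the MAC address and 192.0.2.10 are constructed sample values. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:12:34:56'/>
  <model type='virtio'/>
  <!-- clean-traffic is one of libvirt's example filters; it references
       sub-filters that block MAC, IP and ARP spoofing by the guest. -->
  <filterref filter='clean-traffic'>
    <!-- Pin the only source IP the guest may use. Packets sent from any
         other address are dropped on the host, so changing or adding an
         address inside the guest has no effect on the network. -->
    <parameter name='IP' value='192.0.2.10'/>
  </filterref>
</interface>
```

virsh nwfilter-list shows which filters are defined on the host, and virsh nwfilter-dumpxml clean-traffic shows the rules a filter contains.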