Index: share/man/man4/ng_bpf.4
===================================================================
--- share/man/man4/ng_bpf.4
+++ share/man/man4/ng_bpf.4
@@ -170,6 +170,51 @@
   ifNotMatch=\\"${NOTMATCHHOOK}\\" \\
   ${BPFPROG} }
 .Ed
+
+Based on the previous example, it is possible to prevent a jail (or a VM)
+from spoofing by allowing only traffic that has the expected ethernet and
+IP addresses:
+.Bd -literal -offset 4n
+#!/bin/sh
+
+NODEPATH="my_node:"
+JAIL_MAC="0a:00:de:ad:be:ef"
+JAIL_IP="128.66.1.42"
+JAIL_HOOK="jail"
+HOST_HOOK="host"
+DEBUG_HOOK="nomatch"
+
+bpf_prog() {
+    local PATTERN=$1
+
+    tcpdump -s 8192 -p -ddd ${PATTERN} | (
+        read len
+        echo -n "bpf_prog_len=$len "
+        echo -n "bpf_prog=["
+        while read code jt jf k ; do
+            echo -n " { code=$code jt=$jt jf=$jf k=$k }"
+        done
+        echo " ]"
+    )
+}
+
+# Prevent jail from spoofing (filter packets coming from jail)
+ngctl msg ${NODEPATH} setprogram {                        \\
+    thisHook=\\"${JAIL_HOOK}\\"                             \\
+    ifMatch=\\"${HOST_HOOK}\\"                              \\
+    ifNotMatch=\\"${DEBUG_HOOK}\\"                          \\
+    $(bpf_prog "ether src ${JAIL_MAC} && src ${JAIL_IP}") \\
+}
+
+# Prevent jail from receiving spoofed packets (filter packets
+# coming from host)
+ngctl msg ${NODEPATH} setprogram {                        \\
+    thisHook=\\"${HOST_HOOK}\\"                             \\
+    ifMatch=\\"${JAIL_HOOK}\\"                              \\
+    ifNotMatch=\\"${DEBUG_HOOK}\\"                          \\
+    $(bpf_prog "ether dst ${JAIL_MAC} && dst ${JAIL_IP}") \\
+}
+.Ed
 .Sh SEE ALSO
 .Xr bpf 4 ,
 .Xr netgraph 4 ,