I did a little more experimentation after I confirmed that the resetting the exception policy fixed things:
- only the inline bridge interfaces of the IPS VM must be using the
e1000drivers - I tried experimenting with settings mentioned in another post to see if I could get virtIO to work, but unfortunately, these config changes followed by changing the NICs back to virtIO resulted in loss of network connectivity. No idea why virtIO reacts so badly to AFPACKET bridging, but here we are.