David Johnson authored
This disallows any control net ARP replies emanating from one of the physical machines in this experiment, for IP addresses it does not own/control (i.e., its own control net addr, or any of the public addresses the experimenter asked for). I had to use ovs-ofctl and flow rules. As it turns out, arptables does not drop packets --- it merely drops ARP table *entries*. This behavior is not what you'd expect, and the man page makes it sound like you'll drop packets. So it's useless to us. Since OVS switch-bridges don't support netfilter bridge hooks (i.e., ebtables), we're left with adding OpenFlow drop rules. Good enough.
635988d8
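
The kind of rule set the commit message describes, as an added example that is not the code from this commit: ARP replies from a machine's switch port are forwarded only when the sender address is one that machine owns, and every other ARP reply from that port is dropped. The bridge name `br-ctl`, port number `1`, the addresses and the function name are assumptions made for illustration; the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example. Assumed (not from the commit): bridge name, port number,
# addresses, function name. Prints ovs-ofctl commands; executes nothing.

# gen_arp_reply_rules BRIDGE IN_PORT OWNED_IP...
gen_arp_reply_rules() {
    bridge=$1; port=$2; shift 2

    # Coarse check first, so nothing is printed if any address is malformed
    # (only digits and dots allowed; no empty, leading or trailing dot).
    for ip in "$@"; do
        case $ip in
            ''|*[!0-9.]*|*..*|.*|*.)
                echo "bad address: $ip" >&2
                return 1 ;;
        esac
    done

    # Higher priority: an ARP reply (arp_op=2) whose sender protocol address
    # (arp_spa) is owned by the host on this port is switched normally.
    for ip in "$@"; do
        echo "ovs-ofctl add-flow $bridge priority=200,arp,in_port=$port,arp_op=2,arp_spa=$ip,actions=NORMAL"
    done

    # Lower priority: any other ARP reply from this port claims an address
    # the host does not own, so it is dropped. ARP requests are not matched.
    echo "ovs-ofctl add-flow $bridge priority=100,arp,in_port=$port,arp_op=2,actions=drop"
}

# Constructed sample: one control net address and one public address
# (documentation ranges), host attached to OpenFlow port 1.
gen_arp_reply_rules br-ctl 1 198.51.100.10 203.0.113.5
```

After installing rules like these, `ovs-ofctl dump-flows` on the bridge shows per-rule packet counters, so a non-zero count on the drop rule indicates a host answering for an address it does not own.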