So the filtering should be done before the bridge, at the interface level, using the netdev family: the bridge then never sees the MAC address and has no opportunity to learn it. It's possible to disable learning of all MACs on a bridge port, but not to select which ones are or aren't learned. If the filtering were done at the bridge level (i.e. the bridge family), it would indeed filter traffic, but it would not prevent the bridge from learning a MAC address before the extra MACs are dropped by the filter, because netfilter's bridge hooks are called from the bridge, after such frames have been seen by the bridge (this could be confirmed by running bridge monitor fdb).
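A minimal nftables ruleset for the netdev-level filtering described above, as an added example that is not from the original page. The bridge port name eth1, the table, set and chain names, and the MAC address are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: drop frames on a bridge port before the bridge sees them.
# Assumptions (not from the page): the bridge port is "eth1" and the only
# source MAC allowed through it is the constructed address below.

table netdev port_macs {
    # Source MACs the bridge is allowed to see (and therefore learn)
    # on this port. Constructed, locally administered address.
    set allowed_src {
        type ether_addr
        elements = { 02:00:00:00:00:01 }
    }

    chain eth1_ingress {
        # The netdev ingress hook is attached to the interface itself and
        # runs before the frame is handed to the bridge, so a frame dropped
        # here never reaches the bridge's learning code.
        type filter hook ingress device "eth1" priority 0; policy accept;

        # Any other source MAC is dropped; the counter shows how many
        # frames were kept away from the bridge.
        ether saddr != @allowed_src counter drop
    }
}
```

Load the file with nft -f and leave bridge monitor fdb running: with the same rule placed in a bridge-family chain instead, the extra addresses would still show up as learned entries even though their traffic is dropped.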