> I hope the following script will exemplify what I mean. .. Oh, i get it now. Frankly speaking we haven't stumbled across such scenario / issue before. But i can tell it does indeed seems a bit broken; I think there are 2 options here: 1. The setup itself seems insecure, and user should be aware of such behavior / issue; 2. Bridge indeed should not learn MACs if BR_PORT_LOCKED is set. E.g. learning condition should be something like: not BR_PORT_locked and learning is on; > I don't understand the last step. Why is the BR_PORT_LOCKED flag disabled? > If disabled, the port will receive frames with any unknown MAC SA, > not just the authorized ones. Sorry for the confusion. Basically, what i described what i would expect from a daemon (e.g. daemon would disable LOCKED); So just ignore that part.
