"G.W. Haywood" <netfilter@xxxxxxxxxxxxxxxxxx> writes:

> Hello again,
>
> On Fri, 26 Jun 2020, Hooman wrote:
>
>> ...
>> not being able to manipulate or drop such packets could be a security
>> issue, since these are packets that you can't really manage through
>> iptables/ebtables (think of firewalls). So I leave it to this community
>> to decide whether netfilter should be able to manage such packets.
>> ...
>
> It is not clear to me that the kernel design permits what you suggest.
>
> Thinking of firewalls, nobody in his right mind would do to a firewall
> what you have done to your computer

FWIW, I do the equivalent in wired networks on Cisco Catalyst 2950/2960/2970
switches. There it is called "port isolation". It prevents switching between
desktops, while still allowing switching between desktops and servers. It
works the same as if you set up a separate 802.1q tag for each
[a desktop] + [all servers], except you don't have to micro-manage it.

https://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html

specifically this image:

https://www.cisco.com/c/dam/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194-a.gif

ap_isolate=1 in hostapd.conf appears to be the equivalent for 802.11:

https://www.w1.fi/cgit/hostap/tree/hostapd/hostapd.conf#n533

I think the OP originally tried to set it in each wifi client, instead of in
the AP:

https://www.w1.fi/cgit/hostap/commit/?id=19e20c14fb015d063dc248a0f4ded195ad229df3