- bridge main with assigned ip 192.168.1.2/24
- bridge bridge-580 with assigned ip 192.168.8.1/24, a few (but not all) ports connected to it
- ipip tunnel, IP irrelevant
This rule does 90% of the isolation job:
The 10% missing are that I can still ping IPs assigned to interfaces on that router, for example 192.168.1.2. I experimented a lot with the rules and read the packet flow diagram, and it seems like the major catch is that such traffic is not destined to a bridge port or physical out interface, so I don't understand where it fits in the flow. I can capture such traffic in the input chain, but the forward chain ignores it regardless of whether I specify it with IPs or interfaces. This rule does not capture ping to the neighbour bridge address, but captures traffic that exits the neighbour bridge:
chain=forward action=reject reject-with=icmp-network-unreachable in-interface=bridge-580 out-interface=!ipip-tunnel1 log=no log-prefix=""
Also, if I ping 192.168.1.2 from 192.168.8.x, while torching bridge main, I don't see the packets.
chain=forward action=passthrough src-address=192.168.8.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
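Packets addressed to one of the router's own IPs (such as 192.168.1.2 on bridge main) terminate on the router, so they traverse prerouting and then the input chain only and never appear in forward or on the egress bridge. The following is an added example (not from the original post) of the input-chain rules that cover that gap; the exception for 192.168.8.1 (so hosts can still reach the gateway for DNS/DHCP) is an assumption about what the poster wants to keep reachable.

```routeros
# Added example: isolate bridge-580 from the router's own addresses.
# Traffic to a local address goes through the input chain, not forward,
# so the forward rule from the post cannot see it.
/ip firewall filter
# Assumed: keep the bridge's own gateway address reachable (DNS, DHCP, ...)
add chain=input in-interface=bridge-580 dst-address=192.168.8.1 action=accept \
    comment="bridge-580: allow own gateway"
# dst-address-type=local matches every address assigned to this router,
# including 192.168.1.2 on bridge main and any tunnel addresses.
add chain=input in-interface=bridge-580 dst-address-type=local \
    action=reject reject-with=icmp-network-unreachable \
    comment="bridge-580: block access to router IPs on other interfaces"
# Existing forward rule from the post: routed traffic that is not to the tunnel
add chain=forward in-interface=bridge-580 out-interface=!ipip-tunnel1 \
    action=reject reject-with=icmp-network-unreachable \
    comment="bridge-580: only allow routing into the tunnel"
```

Because the input chain handles it, a ping from 192.168.8.x to 192.168.1.2 will still not show up in torch on bridge main even after this change; check the rule counters with /ip firewall filter print stats instead.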