even just dropping all packets from that mac, but the question is how to get that into the firewall early enough that it hasn't been accepted already
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
Of course that will shut off outgoing packets not incoming
@YvanCB it looks like the "forwarding_rule" chain executes before the ACCEPT of established,related traffic so if you can add your rule to that chain, it should work. I'm not sure how to inject a rule into a specific chain using UCI but you could do it with a command line:
iptables -A forwarding_rule ...