My specific question is so I can understand when packets will show up in the forward hook for nftables when doing network bridge filtering. I'll also offer context for what I'm trying to achieve.
I'm familiar with using nftables and when packets go into the forward hook at layer 3. At layer 3, packets hit the forward hook when the destination IP address is not a local IP address for the machine and the packet is going to have to be routed.
I'd like to confirm my understanding for when the forward hook is used when doing bridge filtering and thus the decisions are being made at layer 2. My assumption is that in bridge filtering the forward hook will be hit when the destination MAC address is not the MAC address for the bridge device. Is this accurate?
What I'm trying to achieve is wireless client isolation when multiple access points are in use and all of the access points share a common VLAN. I've done some searching and reading, and it's difficult to separate the signal from the noise here. I've seen lots of different suggestions for how to do this, ranging from "enable client isolation on the device associated with the wireless radio and set a filtering rule to drop all packets in the forward hook for the bridge device between the wireless device and the vlan" to what appear to be rather overcomplicated filtering setups.
I'd like to actually understand exactly what I'm configuring these devices to do so I can be confident I'm configuring them correctly. I'm leaning towards "enable client isolation on the device associated with the wireless radio and set a filtering rule to drop all packets in the forward hook for the bridge device between the wireless device and the vlan" being the correct answer.
Thanks for your help.
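As an added example (not part of the original post), a bridge-family nftables ruleset for one access point that makes the hook behaviour observable with counters and then applies the isolation the post describes between the wireless port and the VLAN uplink. The interface names `wlan0` and `eth0.10`, the table name and the gateway MAC are assumed placeholders; per-AP client-to-client relaying on the same radio is not seen by the bridge at all and still needs the driver/hostapd isolation setting the post mentions.

```nft
# Added example: bridge-family nftables for a single access point.
# Assumed placeholders: wlan0 = wireless bridge port, eth0.10 = VLAN
# uplink bridge port, 00:11:22:33:44:55 = MAC of the VLAN's gateway.
define WIFI = "wlan0"
define UPLINK = "eth0.10"

table bridge isolation {
    # input fires for frames whose destination MAC is the bridge's own
    # address (traffic to the AP itself). The counter lets you watch it.
    chain input {
        type filter hook input priority 0; policy accept;
        counter comment "frames addressed to the bridge itself"
    }

    # forward fires for frames the bridge relays between two of its
    # ports, i.e. destination MAC is not the bridge's own address.
    # Bridged client traffic appears here, so isolation belongs here.
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter comment "frames bridged between ports"

        # Clients must be able to resolve the gateway: let their ARP
        # requests out. Replies from other clients come back via the
        # uplink with a non-gateway source MAC and are dropped below.
        iifname $WIFI oifname $UPLINK ether type arp accept

        # Unicast exchange with the gateway, both directions.
        iifname $WIFI oifname $UPLINK ether daddr 00:11:22:33:44:55 accept
        iifname $UPLINK oifname $WIFI ether saddr 00:11:22:33:44:55 accept

        # Anything else crossing between wireless and the shared VLAN is
        # client-to-client traffic (including clients on other APs).
        # DHCP and IPv6 neighbour discovery need their own allow rules
        # if the gateway does not serve them.
        iifname $WIFI oifname $UPLINK log prefix "wifi-isolation: " drop
        iifname $UPLINK oifname $WIFI log prefix "wifi-isolation: " drop
    }
}
```

Load it with `nft -f` and read back `nft list table bridge isolation` while a client talks to the AP and to another host: the input counter moves for frames to the AP itself, the forward counter for everything bridged.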