I hope the following script will exemplify what I mean.
.. Oh, i get it now.
Frankly speaking we haven't stumbled across such scenario / issue before. But i can tell it does indeed seems a bit broken;
I think there are 2 options here: 1. The setup itself seems insecure, and user should be aware of such behavior / issue; 2. Bridge indeed should not learn MACs if BR_PORT_LOCKED is set. E.g. learning condition should be something like: not BR_PORT_locked and learning is on;
I don't understand the last step. Why is the BR_PORT_LOCKED flag disabled? If disabled, the port will receive frames with any unknown MAC SA, not just the authorized ones.
Sorry for the confusion. Basically, what i described what i would expect from a daemon (e.g. daemon would disable LOCKED); So just ignore that part.