TL;DR: I am building a network tap with a Raspberry Pi that must remain stealthy. I have a bridge (br0) between the switch interface (eth0) and the workstation (eth1).
Here is how I am building it (open to any suggestion):
BRIDGE_INT=br0; SWITCH_INT=eth0; WORKSTATION_INT=eth1
# Create a bridge with the name br0
ip link add "$BRIDGE_INT" type bridge
# Add the workstation interface (eth1) to the bridge
ip link set "$WORKSTATION_INT" master "$BRIDGE_INT"
# Add the switch interface (eth0) to the bridge
ip link set "$SWITCH_INT" master "$BRIDGE_INT"
# Bring the ports and the bridge up
ip link set "$WORKSTATION_INT" up
ip link set "$SWITCH_INT" up
ip link set "$BRIDGE_INT" up
After this process is done, I plug in the network cables and I can see that my eth0 is leaking its MAC on multiple protocols.
What I've tested:
nft add table inet filter
nft add chain inet filter output { type filter hook output priority 0 \; }
nft add rule inet filter output ether saddr "$SWITCH_MAC" drop
Which still leaks on eth0: DHCP -> ARP -> mDNS.
I then decided to set a static IP address instead of DHCP. After multiple tries I found the right configuration for that (open to any suggestion):
/etc/network/interfaces
auto eth0
iface eth0 inet manual
address 192.168.0.10
netmask 255.255.255.0
gateway 192.168.0.254
/etc/dhcpcd.conf
interface eth0
static ip_address=192.168.0.10/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1 8.8.8.8
This configuration won't query the network for DHCP, but ARP -> mDNS are still leaking.
As this project is meant to be adaptable, I think the best solution is to drop everything carrying SWITCH_MAC. But this doesn't stop traffic from flowing out.
What I've noticed is that my rule correctly drops packets with SWITCH_MAC that I send on purpose, but it doesn't drop what's emitted by the OS.
CONCLUSION
The OS is leaking unwanted traffic even though the test traffic is being dropped. I suspect my issue is similar to this one: Filtering traffic by MAC address with nftables
That one is very well explained, but no solution has been found yet.
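As an added example (not the poster's script, and not an answer from the thread), here is one way to build the same br0/eth0/eth1 tap so that the Pi itself never sources a frame on the bridged ports. Two design choices differ from the post: the tap ports and the bridge are stripped of addresses, ARP and IPv6 before they come up, so the kernel has nothing to announce; and the filter lives in the nftables bridge family, whose hooks run with the Ethernet header in place, instead of the inet output hook, where the link-layer header has not been built yet and "ether saddr" cannot match. Interface names are taken from the post; the management path of the Pi (a separate interface that is not a bridge port) is assumed and is unaffected, because the bridge-family output chain only sees frames leaving through the bridge. The `tap-leak:` log prefix, the `leak_filter` helper and the `apply`/`check` arguments are this example's own names.

```shell
#!/bin/sh
# Added example: stealth transparent bridge on a Raspberry Pi (eth0 <-> eth1 via br0).
# Run as root:  ./tap.sh apply    then    ./tap.sh check
set -eu

BRIDGE_INT=${BRIDGE_INT:-br0}
SWITCH_INT=${SWITCH_INT:-eth0}              # port facing the switch (as in the post)
WORKSTATION_INT=${WORKSTATION_INT:-eth1}    # port facing the workstation (as in the post)

# nftables ruleset for the bridge family. The bridge "output" hook only sees frames
# the local stack generates and sends through the bridge; forwarded frames go through
# "forward", which stays open so the tap remains transparent. The "table; delete
# table" prefix makes the load atomic and idempotent (needs a reasonably recent nft).
tap_ruleset() {
    cat <<EOF
table bridge tap
delete table bridge tap
table bridge tap {
    chain output {
        type filter hook output priority 0; policy drop;
        limit rate 5/minute log prefix "tap-leak: "
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
EOF
}

# Quiet one device before it comes up: no addresses, no ARP, no multicast joins,
# and IPv6 disabled so the kernel does not emit MLD/NS (DAD) frames on link-up.
quiet_dev() {
    dev=$1
    ip link set "$dev" down
    ip addr flush dev "$dev"
    ip link set "$dev" arp off
    ip link set "$dev" multicast off
    sysctl -qw "net.ipv6.conf.$dev.disable_ipv6=1"
}

apply_tap() {
    # Userland must also stay off the tap ports: a daemon with an AF_PACKET socket
    # bound to eth0 (dhcpcd, avahi) transmits below the bridge output hook. Assumed
    # companion settings:
    #   dhcpcd.conf:        denyinterfaces eth0 eth1 br0
    #   avahi-daemon.conf:  deny-interfaces=eth0,eth1,br0
    ip link add "$BRIDGE_INT" type bridge stp_state 0 2>/dev/null || true  # stp off: no BPDUs
    quiet_dev "$BRIDGE_INT"
    quiet_dev "$SWITCH_INT"
    quiet_dev "$WORKSTATION_INT"
    ip link set "$SWITCH_INT" master "$BRIDGE_INT"
    ip link set "$WORKSTATION_INT" master "$BRIDGE_INT"

    tap_ruleset | nft -f -        # load the filter before any port carries link

    ip link set "$SWITCH_INT" up
    ip link set "$WORKSTATION_INT" up
    ip link set "$BRIDGE_INT" up
}

# Build a tcpdump filter that matches frames sourced from any of the given MACs.
leak_filter() {
    f=""
    for m in "$@"; do
        f="${f:+$f or }ether src $m"
    done
    printf '%s' "$f"
}

# Check: any frame whose source is one of our own MACs (ports or bridge) is a leak.
leak_check() {
    macs=""
    for d in "$SWITCH_INT" "$WORKSTATION_INT" "$BRIDGE_INT"; do
        macs="$macs $(cat "/sys/class/net/$d/address")"
    done
    # shellcheck disable=SC2086  # word-splitting of $macs is intended
    filter=$(leak_filter $macs)
    echo "watching $SWITCH_INT for 60s with filter: $filter"
    timeout 60 tcpdump -eni "$SWITCH_INT" "$filter" || true
    nft list chain bridge tap output      # counter shows how many frames were caught
}

case "${1:-}" in
    apply) apply_tap ;;
    check) leak_check ;;
esac
```

The `check` step is the acceptance test for the tap: after `apply`, an idle minute of tcpdump on the switch-facing port should print nothing, and the `counter` in the output chain tells you how much the kernel still tried to send (each attempt is also logged with the `tap-leak:` prefix, rate-limited). A non-zero counter with a silent tcpdump means the filter is doing the work; a silent counter means the stack was quiet on its own.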