On my host I created two macvlan interfaces in bridge mode: one in the main network namespace, the other in a Docker container. Both interfaces are in the same subnet.
So far everything works.
Now the traffic to the host and the container should be filtered by iptables rules.
Since both macvlan interfaces are attached to the same physical interface, I have difficulty understanding how this works.
Is it necessary to put iptables rules in both the container and the host (because they are in different namespaces)? Or can the host somehow filter the traffic to the container?
Are the macvlan interfaces isolated from each other, or do they see each other's traffic?
Are there any "best practices"?