I had the same feeling so I tried dropping traffic to cfg_server (UDP 7788 and TCP 7788) and infosvr (UDP 9999) on the primary to see if it would help.
The primary no longer knew the SSIDs of the repeater (they were visible in nvram show before) and no longer knew it was an AX-55, so that's something. Unfortunately, the WDS link still ended up in br0 with no ebtables restrictions. (I also tried again connecting the repeater to guest 1, but it still ends up in br0 instead of br1/2.)
It's possible my rules weren't perfect, or that there are more processes at play (/usr/sbin/asusdiscovery seems to start during the pairing, but it doesn't run long enough for me to see whether it listens or sends anything).
I took your advice and did some tests to see what still goes through. Asus's rules were indeed leaky, so I improved them a bit. I also looked for the best script to apply the new rules, which seems to be service-event-end (when $2 == wireless) and firewall-start.
Code:
#!/bin/sh
# Meant to be called from firewall-start and from service-event-end when $2 is "wireless".
LAN_SUBNET="192.168.1.0/24"
ROUTER_IP="192.168.1.1"

# Build (or rebuild) one chain holding all the restrictions.
# Note: in the broute table, DROP means the frame is handed to the IP stack instead of being bridged.
ebtables -t broute --new-chain RESTRICT_LAN 2> /dev/null
ebtables -t broute -F RESTRICT_LAN
ebtables -t broute -A RESTRICT_LAN -p IPv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j ACCEPT   # DHCP
ebtables -t broute -A RESTRICT_LAN -p IPv4 --ip-dst "$ROUTER_IP" --ip-proto tcp --ip-dport 53 -j ACCEPT   # DNS
ebtables -t broute -A RESTRICT_LAN -p IPv4 --ip-dst "$ROUTER_IP" --ip-proto udp --ip-dport 53 -j ACCEPT   # DNS
ebtables -t broute -A RESTRICT_LAN -p IPv4 --ip-dst "$ROUTER_IP" --ip-proto udp --ip-dport 5351 -j ACCEPT # NAT-PMP
ebtables -t broute -A RESTRICT_LAN -p IPv4 --ip-dst "$ROUTER_IP" --ip-proto icmp -j ACCEPT                # ping the router
ebtables -t broute -A RESTRICT_LAN -p IPv4 --ip-dst "$LAN_SUBNET" -j DROP                                  # everything else to the LAN
ebtables -t broute -A RESTRICT_LAN -p IPv4 --ip-dst 224.0.0.0/4 -j DROP                                    # IPv4 multicast
ebtables -t broute -A RESTRICT_LAN -p IPv6 -j DROP                                                         # all IPv6

# Always apply our restrictions to WDS devices (avoid/reduce the isolation break when a repeater connects to a guest network)
ebtables -t broute -D BROUTING -i wds+ -j RESTRICT_LAN 2> /dev/null
ebtables -t broute -A BROUTING -i wds+ -j RESTRICT_LAN

# Apply our custom restrictions to guest 2 and 3 if the network is enabled and its LAN access is off
for INTERFACE in wl0.2 wl0.3 wl1.2 wl1.3; do
    # Remove whatever Asus (or a previous run) installed for this interface.
    # ebtables -L prints each rule as its match/target arguments, so a line can be fed straight back to -D.
    # $line is left unquoted on purpose so it is split into separate arguments.
    ebtables -t broute -L BROUTING | grep -F -- "-i $INTERFACE " | while read -r line; do
        ebtables -t broute -D BROUTING $line
    done
    if [ "$(nvram get "${INTERFACE}_bss_enabled")-$(nvram get "${INTERFACE}_lanaccess")" = "1-off" ]; then
        ebtables -t broute -A BROUTING -i "$INTERFACE" -j RESTRICT_LAN
    fi
done
As a bonus, the single chain now gives a much more readable ebtables -t broute -L output.
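A check for after the rules have been applied, added here as an example and not part of the post above: it reads the listing that ebtables -t broute -L prints, confirms the RESTRICT_LAN chain exists, and names any guest or WDS interface whose frames are not sent through it (for instance one that still carries an Asus-style per-protocol rule instead of the jump). The script name, its argument convention and the sample listing are constructed for the example; on the router you would feed it the real listing.

```shell
#!/bin/sh
# Added post-apply check (not from the original post). Usage on the router
# (script name and argument convention are this example's own):
#   ./check_broute.sh "$(ebtables -t broute -L)" wds+ wl0.2 wl0.3 wl1.2 wl1.3

# Constructed sample listing in the shape ebtables -L prints; the wl1.2 entry is
# a leftover Asus-style per-protocol rule rather than a jump to RESTRICT_LAN.
SAMPLE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-i wds+ -j RESTRICT_LAN
-i wl0.2 -j RESTRICT_LAN
-i wl1.2 -p IPv4 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Bridge chain: RESTRICT_LAN, entries: 2, policy: ACCEPT
-p IPv4 --ip-proto udp --ip-sport 67:68 --ip-dport 67:68 -j ACCEPT
-p IPv4 --ip-dst 192.168.1.0/24 -j DROP'

# chain_present LISTING CHAIN: succeed if the chain header appears in the listing.
chain_present() {
    printf '%s\n' "$1" | grep -q "^Bridge chain: $2,"
}

# unrestricted_ifaces LISTING IFACE...: print, one per line, every interface that
# has no "-i IFACE -j RESTRICT_LAN" rule. Fixed-string grep, so the '.' in wl0.2
# and the '+' wildcard in wds+ are matched literally.
unrestricted_ifaces() {
    listing=$1
    shift
    for iface in "$@"; do
        if ! printf '%s\n' "$listing" | grep -Fq -- "-i $iface -j RESTRICT_LAN"; then
            printf '%s\n' "$iface"
        fi
    done
}

# Act as a command only when given a listing and interfaces; sourcing the file just defines the functions.
if [ $# -ge 2 ]; then
    listing=$1
    shift
    chain_present "$listing" RESTRICT_LAN || { echo "RESTRICT_LAN chain missing"; exit 1; }
    leaks=$(unrestricted_ifaces "$listing" "$@")
    if [ -n "$leaks" ]; then
        echo "interfaces not jumping to RESTRICT_LAN:"
        printf '  %s\n' $leaks
        exit 1
    fi
    echo "all listed interfaces jump to RESTRICT_LAN"
fi
```

Run it once from the shell after firewall-start has fired and again after re-pairing the repeater; a non-zero exit tells you which interface the rules script missed.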