How to redirect between physical network interfaces within bridge

Question

I have a home PC with a wired ethernet connection (connected to router) and a wifi card. The wifi is configured as an access-point (hostapd) and the network interfaces are bridged:

auto enp0s10
iface enp0s10 inet manual

auto wlan0
allow-hotplug wlan0
iface wlan0 inet manual

auto br0
iface br0 inet dhcp
bridge_ports wlan0 enp0s10
netmask 255.255.255.0

There are some iptables rules which affect selected traffic coming through the wlan0 interface only, using the --physdev-in selector. This setup works as expected.
What I am trying to do now is have a mechanism to force selected processes on the device to only send traffic through wlan0.
Following a lead here I tried:

> sudo ip netns add myNamespace
> sudo ip link set wlan0 netns myNamespace
RTNETLINK answers: Invalid argument 

Which - so far as I can tell - means:

• that I can't nominate the physical interface because it is bridged
• I can't use a netns namespace to achieve my goal
  

EDIT: following the suggestion below from grawity combined with the lead mentioned above, I tried:

> sudo ip netns show
> sudo ip netns add myNamespace
> sudo ip netns show
myNamespace
> sudo iw phy phy0 set name myNamespace
> sudo ip netns exec myNamespace ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

At this stage, should I expect to see either phy0 or wlan0 listed? The iw phy phy0 set name myNamespace command returns no error message yet neither interface appears to have been added to myNamespace. Predictably, attempting to bring up the interface fails:

> sudo ip netns exec myNamespace ifconfig wlan0 192.168.0.10/24 up
SIOCSIFADDR: No such device
wlan0: ERROR while getting interface flags: No such device
wlan0: ERROR while getting interface flags: No such device
SIOCSIFNETMASK: No such device
> sudo ip netns exec myNamespace ifconfig phy0 192.168.0.10/24 up  
SIOCSIFADDR: No such device
phy0: ERROR while getting interface flags: No such device
phy0: ERROR while getting interface flags: No such device
SIOCSIFNETMASK: No such device<br/>

Again, I suspect this is complicated by the bridge setup.

Plan B is to create a user/group specifically for this task (let's call them wlantraffic) then use iptables to redirect this user's traffic to wlan0 if/when it is going to enp0s10.
This is where I get stuck. The rule would look something like:

iptables -t nat -A PREROUTING -m owner --gid-owner wlantraffic -m physdev ! --physdev-in wlan0 -j ???

i.e. "traffic from group wlantraffic that hasn't entered the bridge via wlan0 should be rerouted into wlan0"
Packets will be bog-standard internet traffic.
My questions are:

• Is this a PREROUTING or a FORWARD rule?
  
• If I were to DROP matching packets - within the context of a bridge - would the packets then "fall through" to the next interface?
• How do I specify the wlan0 interface as the target?

Answer 1

I can't use a ntns namespace to achieve my goal

The bridge might be your issue; however:

WLAN interfaces are slightly weird when it comes to network namespaces. Each adapter has two layers – phy (representing physical hardware) and netdev (representing the network interface).

(The reason is that is possible to have multiple netdevs on the same phy, e.g. client+AP, or a dual-band Wi-Fi adapter could have wlan0 and wlan1 operating simultaneously on different networks. If curious, see iw phy for what combinations are supported for your adapter.)

Linux currently has a limitation that the entire phy device must be moved into a namespace; the individual netdevs cannot be moved. To do this, use iw:

iw phy phy0 set netns myNamespace

Is this a PREROUTING or a FORWARD rule?

Generally it all depends on what action (the -j parameter) is used. Some only make sense in FORWARD, others only in PREROUTING; some only work in -t nat, others only in -t mangle.

If I were to DROP matching packets - within the context of a bridge - would the packets then "fall through" to the next interface?

No. iptables rules are for IP, and they're processed before the packet reaches the bridging layer. If the packet is dropped at IP layer, it's gone.