EBTABLES(8)                  System Manager's Manual                 EBTABLES(8)

NAME
       ebtables-nft - Ethernet bridge frame table administration

SYNOPSIS
       ebtables [-t table] -[ACDI] chain rule specification [match extensions]
              [watcher extensions] target
       ebtables [-t table] -P chain ACCEPT | DROP | RETURN
       ebtables [-t table] -F [chain]
       ebtables [-t table] -Z [chain]
       ebtables [-t table] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
       ebtables [-t table] -N chain [-P ACCEPT | DROP | RETURN]
       ebtables [-t table] -X [chain]
       ebtables [-t table] -E old-chain-name new-chain-name
       ebtables [-t table] --init-table
       ebtables [-t table] [--atomic-file file] --atomic-commit
       ebtables [-t table] [--atomic-file file] --atomic-init
       ebtables [-t table] [--atomic-file file] --atomic-save

DESCRIPTION
       ebtables is an application program used to set up and maintain the
       tables of rules (inside the Linux kernel) that inspect Ethernet
       frames. It is analogous to the iptables application, but less
       complicated, because the Ethernet protocol is much simpler than the
       IP protocol.

CHAINS
       There are two ebtables-nft tables with built-in chains in the Linux
       kernel. These tables are used to divide functionality into different
       sets of rules. Each set of rules is called a chain. Each chain is an
       ordered list of rules that can match Ethernet frames. If a rule
       matches an Ethernet frame, then a processing specification tells what
       to do with that matching frame. The processing specification is
       called a 'target'. If the frame does not match the current rule in
       the chain, the next rule in the chain is examined, and so forth. The
       user can create new (user-defined) chains that can be used as the
       'target' of a rule. User-defined chains are very useful to get better
       performance over the linear traversal of the rules and are also
       essential for structuring the filtering rules into well-organized and
       maintainable sets of rules.

TARGETS
       A firewall rule specifies criteria for an Ethernet frame and a frame
       processing specification called a target. When a frame matches a
       rule, the next action performed by the kernel is specified by the
       target. The target can be one of these values: ACCEPT, DROP,
       CONTINUE, RETURN, an 'extension' (see below) or a jump to a
       user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy, e.g., to count how many frames pass a certain point in the
       chain, to log those frames or to apply multiple targets to a frame.
       RETURN means stop traversing this chain and resume at the next rule
       in the previous (calling) chain. For the extension targets please
       refer to the TARGET EXTENSIONS section of this man page.

TABLES
       As stated earlier, there are two ebtables-nft tables in the Linux
       kernel. The table names are filter and nat. Of these two tables, the
       filter table is the default table that the command operates on. If
       you are working with the filter table, you can drop the '-t filter'
       argument to the ebtables command. However, you will need to provide
       the -t argument for the nat table. Moreover, the -t argument must be
       the first argument on the ebtables command line, if used.

       -t, --table
              filter is the default table and contains three built-in
              chains: INPUT (for frames destined for the bridge itself, on
              the level of the MAC destination address), OUTPUT (for
              locally-generated or (b)routed frames) and FORWARD (for frames
              being forwarded by the bridge).
              nat is mostly used to change the MAC addresses and contains
              three built-in chains: PREROUTING (for altering frames as soon
              as they come in), OUTPUT (for altering locally generated or
              (b)routed frames before they are bridged) and POSTROUTING (for
              altering frames as they are about to go out). A small note on
              the naming of the chains PREROUTING and POSTROUTING: it would
              be more accurate to call them PREFORWARDING and
              POSTFORWARDING, but for all those who come from the iptables
              world to ebtables it is easier to have the same names. Note
              that you can change the name (-E) if you don't like the
              default.

OPTIONS
       After the initial ebtables '-t table' command line argument, the
       remaining arguments can be divided into several groups. These groups
       are commands, miscellaneous commands, rule specifications, match
       extensions, watcher extensions and target extensions.

COMMANDS
       The ebtables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. Only
       one command may be used on the command line at a time, except when
       the commands -L and -Z are combined, the commands -N and -P are
       combined, or when --atomic-file is used.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule or rules from the selected chain.
              There are two ways to use this command. The first is by
              specifying an interval of rule numbers to delete (directly
              after -D). Syntax: start_nr[:end_nr] (use -L --Ln to list the
              rules with their rule number). When end_nr is omitted, all
              rules starting from start_nr are deleted. Using negative
              numbers is allowed; for more details about using negative
              numbers, see the -I command. The second usage is by
              specifying the complete rule as it would have been specified
              when it was added. Only the first encountered rule that is the
              same as this specified rule, in other words the matching rule
              with the lowest (positive) rule number, is deleted.

       -C, --change-counters
              Change the counters of the specified rule or rules from the
              selected chain. There are two ways to use this command. The
              first is by specifying an interval of rule numbers to do the
              changes on (directly after -C). Syntax: start_nr[:end_nr]
              (use -L --Ln to list the rules with their rule number). The
              details are the same as for the -D command. The second usage
              is by specifying the complete rule as it would have been
              specified when it was added. Only the counters of the first
              encountered rule that is the same as this specified rule, in
              other words the matching rule with the lowest (positive) rule
              number, are changed. In the first usage, the counters are
              specified directly after the interval specification, in the
              second usage directly after -C. First the packet counter is
              specified, then the byte counter. If the specified counters
              start with a '+', the counter values are added to the
              respective current counter values. If the specified counters
              start with a '-', the counter values are subtracted from the
              respective current counter values. No bounds checking is
              done. If the counters don't start with '+' or '-', the
              current counters are replaced by the specified counters.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the rule number is not specified,
              the rule is added at the head of the chain. If the current
              number of rules equals N, then the specified number can be
              between -N and N+1. For a positive number i, it holds that i
              and i-N-1 specify the same place in the chain where the rule
              should be inserted. The rule number 0 specifies the place past
              the last rule in the chain and using this number is therefore
              equivalent to using the -A command. Rule numbers strictly
              smaller than 0 can be useful when more than one rule needs to
              be inserted in a chain.
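The numbering conventions of -D, -C and -I are easy to get wrong when scripted, in particular negative rule numbers and '+'/'-' counter specifications. The following in-memory chain model, added here as an example and not code from the ebtables man page or source, applies exactly the rules stated above so a script can be checked before it touches a live table. It assumes that a bare start_nr without a colon selects that single rule and that 'start_nr:' selects everything from start_nr to the last rule; the rule specifications used at the bottom are constructed sample data.

```python
"""In-memory model of the ebtables rule numbering used by -I, -D and -C.

Added example, not from the ebtables man page or source. Assumption: a
bare 'start_nr' selects one rule, 'start_nr:' selects start_nr..last.
"""
import re
from dataclasses import dataclass, field

# 'start_nr[:end_nr]' with optional negative numbers; anything else is
# taken to be a complete rule specification.
_INTERVAL = re.compile(r"-?\d+(?::-?\d*)?|:-?\d+")


@dataclass
class Rule:
    spec: str        # the rule as it was given on the command line
    pcnt: int = 0    # frame (packet) counter
    bcnt: int = 0    # byte counter


@dataclass
class Chain:
    rules: list = field(default_factory=list)

    def _abs_nr(self, nr):
        """Map a possibly negative rule number to a 1-based rule number.

        With N rules, i and i-N-1 denote the same place (see -I), so a
        negative j refers to rule j+N+1: -1 is the last rule, -N the first.
        """
        n = len(self.rules)
        if nr < -n or nr > n + 1:
            raise ValueError(f"rule number {nr} outside -{n}..{n + 1}")
        return nr + n + 1 if nr < 0 else nr

    def _select(self, interval):
        """Resolve 'start_nr[:end_nr]' to an inclusive 1-based (first, last)."""
        start, colon, end = interval.partition(":")
        first = self._abs_nr(int(start)) if start else 1
        if not colon:
            return first, first
        last = self._abs_nr(int(end)) if end else len(self.rules)
        return first, last

    def _first_equal(self, spec):
        """Index of the matching rule with the lowest (positive) rule number."""
        for i, r in enumerate(self.rules):
            if r.spec == spec:
                return i
        raise LookupError(f"no rule equal to {spec!r}")

    def insert(self, spec, nr=1):
        """-I: insert before rule nr; nr=0 (or N+1) appends like -A."""
        pos = len(self.rules) + 1 if nr == 0 else self._abs_nr(nr)
        self.rules.insert(pos - 1, Rule(spec))

    def delete(self, selector):
        """-D: delete an interval of rule numbers, or the first rule whose
        specification equals the given one."""
        if _INTERVAL.fullmatch(selector):
            first, last = self._select(selector)
            del self.rules[first - 1:last]
        else:
            del self.rules[self._first_equal(selector)]

    def change_counters(self, selector, pcnt, bcnt):
        """-C: '+n' adds, '-n' subtracts, plain n replaces; no bounds
        checking is done, mirroring the page."""
        if _INTERVAL.fullmatch(selector):
            first, last = self._select(selector)
            targets = self.rules[first - 1:last]
        else:
            targets = [self.rules[self._first_equal(selector)]]
        for r in targets:
            r.pcnt = _apply_counter(r.pcnt, pcnt)
            r.bcnt = _apply_counter(r.bcnt, bcnt)

    def specs(self):
        return [r.spec for r in self.rules]


def _apply_counter(current, spec):
    if spec.startswith("+"):
        return current + int(spec[1:])
    if spec.startswith("-"):
        return current - int(spec[1:])
    return int(spec)


if __name__ == "__main__":
    # Constructed sample chain: ARP and IPv4 allowed, everything else dropped.
    chain = Chain([Rule("-p ARP -j ACCEPT"), Rule("-p IPv4 -j ACCEPT"), Rule("-j DROP")])
    chain.insert("-p IPv6 -j ACCEPT", -1)       # '-I chain -1': before the final DROP
    chain.change_counters("-p IPv6 -j ACCEPT", "+10", "+1500")
    for nr, r in enumerate(chain.rules, 1):
        print(nr, r.spec, r.pcnt, r.bcnt)
```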

       -P, --policy
              Set the policy for the chain to the given target. The policy
              can be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing a chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule
              counters are printed on the screen before they are set to
              zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.
              The following options change the output of the -L command.
              --Ln
              Places the rule number in front of every rule. This option is
              incompatible with the --Lx option.
              --Lc
              Shows the counters at the end of each rule displayed by the -L
              command. Both a frame counter (pcnt) and a byte counter (bcnt)
              are displayed. The frame counter shows how many frames have
              matched the specific rule, the byte counter shows the sum of
              the frame sizes of these matching frames. Using this option in
              combination with the --Lx option causes the counters to be
              written out in the '-c <pcnt> <bcnt>' option format.
              --Lx
              Changes the output so that it produces a set of ebtables
              commands that construct the contents of the chain, when
              specified. If no chain is specified, ebtables commands to
              construct the contents of the table are given, including
              commands for creating the user-defined chains (if any). You
              can use this set of commands in an ebtables boot or reload
              script. For example the output could be used at system
              startup. The --Lx option is incompatible with the --Ln listing
              option. Using the --Lx option together with the --Lc option
              will cause the counters to be written out in the
              '-c <pcnt> <bcnt>' option format.
              --Lmac2
              Shows all MAC addresses with the same length, adding leading
              zeroes if necessary. The default representation omits leading
              zeroes in the addresses.

       -N, --new-chain
              Create a new user-defined chain with the given name. The
              number of user-defined chains is limited only by the number of
              possible chain names. A user-defined chain name has a maximum
              length of 31 characters. The standard policy of the
              user-defined chain is ACCEPT. The policy of the new chain can
              be initialized to a different standard target by using the -P
              command together with the -N command. In this case, the chain
              name does not have to be specified for the -P command.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references (jumps) to the specified chain, otherwise
              ebtables will refuse to delete it. If no chain is specified,
              all user-defined chains that aren't referenced will be
              removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you can rename a standard chain to a name
              that suits your taste. For example, if you like PREFORWARDING
              more than PREROUTING, then you can use the -E command to
              rename the PREROUTING chain. If you do rename one of the
              standard ebtables chain names, please be sure to mention this
              fact should you post a question on the ebtables mailing lists.
              It would be wise to use the standard name in your post.
              Renaming a standard ebtables chain in this fashion has no
              effect on the structure or functioning of the ebtables kernel
              table.

       --init-table
              Replace the current table data by the initial table data.

       --atomic-init
              Copy the kernel's initial data of the table to the specified
              file. This can be used as the first action, after which rules
              are added to the file. The file can be specified using the
              --atomic-file command or through the EBTABLES_ATOMIC_FILE
              environment variable.

       --atomic-save
              Copy the kernel's current data of the table to the specified
              file. This can be used as the first action, after which rules
              are added to the file. The file can be specified using the
              --atomic-file command or through the EBTABLES_ATOMIC_FILE
              environment variable.

       --atomic-commit
              Replace the kernel table data with the data contained in the
              specified file. This is a useful command that allows you to
              load all your rules of a certain table into the kernel at
              once, saving the kernel a lot of precious time and allowing
              atomic updates of the tables. The file which contains the
              table data is constructed by using either the --atomic-init or
              the --atomic-save command to generate a starting file. After
              that, using the --atomic-file command when constructing rules
              or setting the EBTABLES_ATOMIC_FILE environment variable
              allows you to extend the file and build the complete table
              before committing it to the kernel. This command can be very
              useful in boot scripts to populate the ebtables tables in a
              fast way.
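The atomic workflow described above (--atomic-init, then every rule command against the file, then --atomic-commit) has two ordering constraints that are easy to violate from a script: '-t table' must be the first argument, and '--atomic-file' must come before the command. The wrapper below, added here as an example and not code from the ebtables man page or project, plans that sequence and optionally runs it. With dry_run=True it only returns the argv lists; with dry_run=False it executes them with subprocess, which needs root and a bridge. The use_env switch selects the EBTABLES_ATOMIC_FILE variant the page says should be preferred. The sample policy at the bottom is constructed data.

```python
"""Plan and run an atomic ebtables table load (init, rules, commit).

Added example, not from the ebtables man page or project.
"""
import os
import subprocess


def ebtables_argv(table, args, atomic_file=None):
    """One ebtables invocation: '-t table' first, '--atomic-file' before
    the command, then the command and its arguments."""
    argv = ["ebtables", "-t", table]
    if atomic_file is not None:
        argv += ["--atomic-file", atomic_file]
    return argv + list(args)


def build_and_commit(table, rule_commands, atomic_file, dry_run=True, use_env=False):
    """Return the invocations, in order, that load a whole table atomically.

    rule_commands: argv fragments such as ["-A", "FORWARD", "-p", "ARP", "-j", "ACCEPT"].
    use_env=True passes the file through EBTABLES_ATOMIC_FILE instead of
    repeating --atomic-file on every call.
    """
    on_cmdline = None if use_env else atomic_file
    steps = [ebtables_argv(table, ["--atomic-init"], on_cmdline)]
    steps += [ebtables_argv(table, cmd, on_cmdline) for cmd in rule_commands]
    steps.append(ebtables_argv(table, ["--atomic-commit"], on_cmdline))
    if not dry_run:
        env = dict(os.environ, EBTABLES_ATOMIC_FILE=atomic_file) if use_env else None
        for argv in steps:
            subprocess.run(argv, check=True, env=env)   # needs root and a bridge
    return steps


# Constructed sample policy: default-deny forwarding, allow ARP and IPv4 only.
SAMPLE_RULES = [
    ["-P", "FORWARD", "DROP"],
    ["-A", "FORWARD", "-p", "ARP", "-j", "ACCEPT"],
    ["-A", "FORWARD", "-p", "IPv4", "-j", "ACCEPT"],
]

if __name__ == "__main__":
    for argv in build_and_commit("filter", SAMPLE_RULES, "/tmp/ebtables.filter"):
        print(" ".join(argv))
```

Because the kernel table is only touched by the final --atomic-commit, a failure in any earlier step leaves the running table unchanged, which is the property that makes this safe for boot and reload scripts.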

MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the ebtables userspace program.

       -h, --help [list of module names]
              Give a brief description of the command syntax. Here you can
              also specify names of extensions and ebtables will try to
              write help about those extensions. E.g. ebtables -h snat log
              ip arp. Specify list_extensions to list all extensions
              supported by the userspace utility.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
              EXTENSIONS) or a user-defined chain name.

       --atomic-file file
              Let the command operate on the specified file. The data of the
              table to operate on will be extracted from the file and the
              result of the operation will be saved back into the file. If
              specified, this option should come before the command
              specification. An alternative that should be preferred is
              setting the EBTABLES_ATOMIC_FILE environment variable.

       -M, --modprobe program
              When talking to the kernel, use this program to try to
              automatically load missing kernel modules.

       --concurrent
              Use a file lock to support concurrent scripts updating the
              ebtables kernel tables.


RULE SPECIFICATIONS
       The following command line arguments make up a rule specification
       (as used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from
       these standard rule specifications there are some other command line
       arguments of interest. See both the MATCH EXTENSIONS and the WATCHER
       EXTENSIONS below.

       -p, --protocol [!] protocol
              The protocol that was responsible for creating the frame. This
              can be a hexadecimal number, above 0x0600, a name (e.g. ARP)
              or LENGTH. The protocol field of the Ethernet frame can be
              used to denote the length of the header (802.2/802.3
              networks). When the value of that field is below or equal to
              0x0600, the value equals the size of the header and shouldn't
              be used as a protocol number. Instead, all frames where the
              protocol field is used as the length field are assumed to be
              of the same 'protocol'. The protocol name used in ebtables for
              these frames is LENGTH. The file /etc/ethertypes can be used
              to show readable characters instead of hexadecimal numbers for
              the protocols. For example, 0x0800 will be represented by
              IPV4. The use of this file is not case sensitive. See that
              file for more information. The flag --proto is an alias for
              this option.

       -i, --in-interface [!] name
              The interface (bridge port) via which a frame is received
              (this option is useful in the INPUT, FORWARD, PREROUTING and
              BROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding
              '+') will match. The flag --in-if is an alias for this option.

       --logical-in [!] name
              The (logical) bridge interface via which a frame is received
              (this option is useful in the INPUT, FORWARD, PREROUTING and
              BROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding
              '+') will match.

       -o, --out-interface [!] name
              The interface (bridge port) via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding
              '+') will match. The flag --out-if is an alias for this
              option.

       --logical-out [!] name
              The (logical) bridge interface via which a frame is going to
              be sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding
              '+') will match.

       -s, --source [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons. Alternatively one can
              specify Unicast, Multicast, Broadcast or BGA (Bridge Group
              Address):
              Unicast=00:00:00:00:00:00/01:00:00:00:00:00,
              Multicast=01:00:00:00:00:00/01:00:00:00:00:00,
              Broadcast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
              BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast
              address will also match the multicast specification. The flag
              --src is an alias for this option.

       -d, --destination [!] address[/mask]
              The destination MAC address. See -s (above) for more details
              on MAC addresses. The flag --dst is an alias for this option.

       -c, --set-counter pcnt bcnt
              If used with -A or -I, then the packet and byte counters of
              the new rule will be set to pcnt, resp. bcnt. If used with the
              -C or -D commands, only rules with a packet and byte count
              equal to pcnt, resp. bcnt will match.


MATCH EXTENSIONS
       Ebtables extensions are dynamically loaded into the userspace tool;
       there is therefore no need to explicitly load them with a -m option
       as is done in iptables. These extensions deal with functionality
       supported by kernel modules supplemental to the core ebtables code.

       802_3
       Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
       specified as LENGTH (see the option -p above).

       --802_3-sap [!] sap
              DSAP and SSAP are two one-byte 802.3 fields. The bytes are
              always equal, so only one byte (hexadecimal) is needed as an
              argument.

       --802_3-type [!] type
              If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
              field must be consulted to determine the payload protocol.
              This is a two-byte (hexadecimal) argument. Only 802.3 frames
              with DSAP/SSAP 0xaa are checked for type.

       among
       Match a MAC address or MAC/IP address pair versus a list of MAC
       addresses and MAC/IP address pairs. A list entry has the following
       format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
       separated by a comma; specifying an IP address corresponding to the
       MAC address is optional. Multiple MAC/IP address pairs with the same
       MAC address but different IP address (and vice versa) can be
       specified. If the MAC address doesn't match any entry from the list,
       the frame doesn't match the rule (unless "!" was used).

       --among-dst [!] list
              Compare the MAC destination to the given list. If the Ethernet
              frame has type IPv4 or ARP, then comparison with MAC/IP
              destination address pairs from the list is possible.

       --among-src [!] list
              Compare the MAC source to the given list. If the Ethernet
              frame has type IPv4 or ARP, then comparison with MAC/IP source
              address pairs from the list is possible.

       --among-dst-file [!] file
              Same as --among-dst but the list is read in from the specified
              file.

       --among-src-file [!] file
              Same as --among-src but the list is read in from the specified
              file.
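The -s/-d address[/mask] notation, the four named classes, the --Lmac2 listing form and the among list format above all reduce to byte-wise masking and lookup. The code below, added here as an example and not from the ebtables man page or source, implements those semantics so a rule can be checked against sample frames offline: it shows, for instance, that the broadcast address also satisfies the Multicast specification, and that a MAC=IP entry in an among list can only be satisfied by a frame that carries an IPv4/ARP address. All frame addresses and list entries are constructed sample data.

```python
"""MAC address matching for -s/-d (address[/mask]), the named classes,
--Lmac2 formatting and the among list format.

Added example, not from the ebtables man page or source.
"""

# Named classes with the address/mask pairs given on the page.
NAMED = {
    "Unicast":   ("00:00:00:00:00:00", "01:00:00:00:00:00"),
    "Multicast": ("01:00:00:00:00:00", "01:00:00:00:00:00"),
    "Broadcast": ("ff:ff:ff:ff:ff:ff", "ff:ff:ff:ff:ff:ff"),
    "BGA":       ("01:80:c2:00:00:00", "ff:ff:ff:ff:ff:ff"),
}
_FULL_MASK = "ff:ff:ff:ff:ff:ff"


def parse_mac(text):
    """'xx:xx:xx:xx:xx:xx' -> 6 bytes; leading zeroes may be omitted ('0:a:b:c:d:e')."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def parse_mac_spec(spec):
    """'address[/mask]' or a class name -> (address bytes, mask bytes)."""
    if spec in NAMED:
        addr, mask = NAMED[spec]
    elif "/" in spec:
        addr, mask = spec.split("/", 1)
    else:
        addr, mask = spec, _FULL_MASK
    return parse_mac(addr), parse_mac(mask)


def mac_matches(frame_mac, spec, invert=False):
    """The rule matches when (frame & mask) == (address & mask); '!' inverts."""
    addr, mask = parse_mac_spec(spec)
    frame = parse_mac(frame_mac)
    hit = all((f & m) == (a & m) for f, a, m in zip(frame, addr, mask))
    return hit != invert


def format_mac(mac, lmac2=False):
    """Default listing omits leading zeroes per byte; --Lmac2 pads every byte."""
    return ":".join(f"{b:02x}" if lmac2 else f"{b:x}" for b in parse_mac(mac))


def parse_among(list_text):
    """'mac[=ip],mac[=ip],...' -> {mac bytes: set of IPs}; '' marks a MAC-only entry."""
    entries = {}
    for item in filter(None, list_text.split(",")):
        mac, _, ip = item.partition("=")
        entries.setdefault(parse_mac(mac), set()).add(ip)
    return entries


def among_matches(entries, frame_mac, frame_ip=None, invert=False):
    """A MAC-only entry matches on the MAC alone; a MAC=IP entry also needs
    the frame's IP, which only IPv4/ARP frames provide (frame_ip=None otherwise)."""
    ips = entries.get(parse_mac(frame_mac))
    hit = ips is not None and ("" in ips or (frame_ip is not None and frame_ip in ips))
    return hit != invert


if __name__ == "__main__":
    # Constructed sample data: which named class does each destination fall in?
    for dst in ("ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:01", "01:80:c2:00:00:00", "00:11:22:33:44:55"):
        classes = [name for name in NAMED if mac_matches(dst, name)]
        print(format_mac(dst), format_mac(dst, lmac2=True), classes)
    allowed = parse_among("00:11:22:33:44:55=10.0.0.1,00:11:22:33:44:55=10.0.0.2,00:11:22:33:44:66")
    print(among_matches(allowed, "00:11:22:33:44:55", "10.0.0.2"))
```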

       arp
       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.

       --arp-opcode [!] opcode
              The (R)ARP opcode (decimal or a string; for more details see
              ebtables -h arp).

       --arp-htype [!] hardware type
              The hardware type; this can be a decimal or the string
              Ethernet (which sets the type to 1). Most (R)ARP packets have
              Ethernet as hardware type.

       --arp-ptype [!] protocol type
              The protocol type for which the (R)ARP is used (hexadecimal or
              the string IPv4, denoting 0x0800). Most (R)ARP packets have
              protocol type IPv4.

       --arp-ip-src [!] address[/mask]
              The (R)ARP IP source address specification.

       --arp-ip-dst [!] address[/mask]
              The (R)ARP IP destination address specification.

       --arp-mac-src [!] address[/mask]
              The (R)ARP MAC source address specification.

       --arp-mac-dst [!] address[/mask]
              The (R)ARP MAC destination address specification.

       [!] --arp-gratuitous
              Checks for gratuitous ARP packets: checks equality of the IPv4
              source address and the IPv4 destination address inside the ARP
              header.

       ip
       Specify IPv4 fields. The protocol must be specified as IPv4.

       --ip-source [!] address[/mask]
              The source IP address. The flag --ip-src is an alias for this
              option.

       --ip-destination [!] address[/mask]
              The destination IP address. The flag --ip-dst is an alias for
              this option.

       --ip-tos [!] tos
              The IPv4 type of service, in hexadecimal numbers.

       --ip-protocol [!] protocol
              The IP protocol. The flag --ip-proto is an alias for this
              option.

       --ip-source-port [!] port1[:port2]
              The source port or port range for the IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must
              be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-sport is an alias for this
              option.

       --ip-destination-port [!] port1[:port2]
              The destination port or port range for the IP protocols 6
              (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol
              option must be specified as TCP, UDP, DCCP or SCTP. If port1
              is omitted, 0:port2 is used; if port2 is omitted but a colon
              is specified, port1:65535 is used. The flag --ip-dport is an
              alias for this option.

       ip6
       Specify IPv6 fields. The protocol must be specified as IPv6.

       --ip6-source [!] address[/mask]
              The source IPv6 address. The flag --ip6-src is an alias for
              this option.

       --ip6-destination [!] address[/mask]
              The destination IPv6 address. The flag --ip6-dst is an alias
              for this option.

       --ip6-tclass [!] tclass
              The IPv6 traffic class, in hexadecimal numbers.

       --ip6-protocol [!] protocol
              The IP protocol. The flag --ip6-proto is an alias for this
              option.

       --ip6-source-port [!] port1[:port2]
              The source port or port range for the IPv6 protocols 6 (TCP),
              17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option
              must be specified as TCP, UDP, DCCP or SCTP. If port1 is
              omitted, 0:port2 is used; if port2 is omitted but a colon is
              specified, port1:65535 is used. The flag --ip6-sport is an
              alias for this option.

       --ip6-destination-port [!] port1[:port2]
              The destination port or port range for the IPv6 protocols 6
              (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol
              option must be specified as TCP, UDP, DCCP or SCTP. If port1
              is omitted, 0:port2 is used; if port2 is omitted but a colon
              is specified, port1:65535 is used. The flag --ip6-dport is an
              alias for this option.

       --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
              Specify the ipv6-icmp type and code to match. Ranges for both
              type and code are supported. Type and code are separated by a
              slash. Valid numbers for type and code are 0 to 255. To match
              a single type including all valid codes, symbolic names can be
              used instead of numbers. The list of known type names is shown
              by the command
              ebtables --help ip6
              This option is only valid for --ip6-protocol ipv6-icmp.

       limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached. It
       can be used with the --log watcher to give limited logging, for
       example. Its use is the same as the limit match of iptables.

       --limit [value]
              Maximum average matching rate: specified as a number, with an
              optional /second, /minute, /hour, or /day suffix; the default
              is 3/hour.

       --limit-burst [number]
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.
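Before pairing the limit match with a log watcher it helps to see exactly how many frames a given --limit/--limit-burst pair lets through over time. The simulation below is an added example, not code from the ebtables man page or the kernel's token bucket: it applies the page's description (a bucket of --limit-burst tokens, refilled at the --limit rate) to a list of frame arrival times in seconds. Exact rational arithmetic is used so that, for example, 1200 s at 3/hour is exactly one token; the assumption that a bare number without a suffix means per second, as in iptables, and the arrival times at the bottom are constructed.

```python
"""Token-bucket behaviour of the limit match (--limit rate, --limit-burst n).

Added example, not from the ebtables man page or the kernel module.
Assumption: a rate without a suffix is per second, as in iptables.
"""
from fractions import Fraction

_PERIOD_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec="3/hour"):
    """'n[/second|/minute|/hour|/day]' -> tokens per second as a Fraction."""
    count, _, unit = spec.partition("/")
    return Fraction(int(count), _PERIOD_SECONDS[unit or "second"])


class LimitMatch:
    def __init__(self, rate="3/hour", burst=5):
        self.rate = parse_rate(rate)      # average rate, tokens per second
        self.burst = Fraction(burst)      # bucket capacity and initial fill
        self.tokens = self.burst
        self.last = None                  # time of the previous decision

    def match(self, now):
        """True if a frame arriving at time 'now' (seconds) matches the rule."""
        now = Fraction(now)
        if self.last is not None:
            # Recharge at the average rate, never beyond the burst size.
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def decisions(rate, burst, arrival_times):
    """Match decision for each frame of a constructed arrival sequence."""
    lim = LimitMatch(rate, burst)
    return [lim.match(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed arrivals: a burst of six at t=0, then two more after 20 minutes.
    times = [0, 0, 0, 0, 0, 0, 1200, 1200]
    for t, hit in zip(times, decisions("3/hour", 5, times)):
        print(f"t={t:>5}s  {'match' if hit else 'no match'}")
```

With the defaults (3/hour, burst 5) the first five frames match, the sixth does not, and one more is let through every 20 minutes; a '--limit 3/hour --limit-burst 5 --log' rule therefore produces at most five log lines immediately and three per hour afterwards.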

       mark_m
       --mark [!] [value][/mask]
              Matches frames with the given unsigned mark value. If a value
              and mask are specified, the logical AND of the mark value of
              the frame and the user-specified mask is taken before
              comparing it with the user-specified mark value. When only a
              mark value is specified, the packet only matches when the mark
              value of the frame equals the user-specified mark value. If
              only a mask is specified, the logical AND of the mark value of
              the frame and the user-specified mask is taken and the frame
              matches when the result of this logical AND is non-zero. Only
              specifying a mask is useful to match multiple mark values.
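The three forms of --mark behave differently enough that it is worth seeing them side by side. The function below is an added example, not code from the ebtables man page or the mark_m module; it implements the value-only, value/mask and mask-only cases exactly as described above, plus "!" inversion, and the frame marks it is run against are constructed.

```python
"""Matching semantics of mark_m: --mark [!] [value][/mask].

Added example, not from the ebtables man page or the kernel module.
"""


def parse_mark_spec(spec):
    """'[value][/mask]' -> (value or None, mask or None); hex or decimal."""
    value, _, mask = spec.partition("/")
    v = int(value, 0) if value else None
    m = int(mask, 0) if mask else None
    if v is None and m is None:
        raise ValueError("--mark needs a value, a mask, or both")
    return v, m


def mark_matches(frame_mark, spec, invert=False):
    value, mask = parse_mark_spec(spec)
    if mask is None:
        hit = frame_mark == value            # value only: exact comparison
    elif value is None:
        hit = (frame_mark & mask) != 0       # mask only: any masked bit set
    else:
        hit = (frame_mark & mask) == value   # value/mask: compare masked mark
    return hit != invert


if __name__ == "__main__":
    # Constructed frame marks against the three forms of the option.
    for mark in (0x10, 0x12, 0x22):
        print(hex(mark), [mark_matches(mark, s) for s in ("0x12", "0x10/0xf0", "/0x0f")])
```

Note that in the value/mask form a value with bits outside the mask can never match, since the masked mark has those bits cleared.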

       pkttype
       --pkttype-type [!] type
              Matches on the Ethernet "class" of the frame, which is
              determined by the generic networking code. Possible values:
              broadcast (MAC destination is the broadcast address),
              multicast (MAC destination is a multicast address), host (MAC
              destination is the receiving network device), or otherhost
              (none of the above).

       stp
       Specify STP BPDU (bridge protocol data unit) fields. The destination
       address (-d) must be specified as the bridge group address (BGA). For
       all options for which a range of values can be specified, it holds
       that if the lower bound is omitted (but the colon is not), then the
       lowest possible lower bound for that option is used, while if the
       upper bound is omitted (but the colon again is not), the highest
       possible upper bound for that option is used.

       --stp-type [!] type
              The BPDU type (0-255); recognized non-numerical types are
              config, denoting a configuration BPDU (=0), and tcn, denoting
              a topology change notification BPDU (=128).

       --stp-flags [!] flag
              The BPDU flag (0-255); recognized non-numerical flags are
              topology-change, denoting the topology change flag (=1), and
              topology-change-ack, denoting the topology change
              acknowledgement flag (=128).

       --stp-root-prio [!] [prio][:prio]
              The root priority (0-65535) range.

       --stp-root-addr [!] [address][/mask]
              The root MAC address; see the option -s for more details.

       --stp-root-cost [!] [cost][:cost]
              The root path cost (0-4294967295) range.

       --stp-sender-prio [!] [prio][:prio]
              The BPDU's sender priority (0-65535) range.

       --stp-sender-addr [!] [address][/mask]
              The BPDU's sender MAC address; see the option -s for more
              details.

       --stp-port [!] [port][:port]
              The port identifier (0-65535) range.

       --stp-msg-age [!] [age][:age]
              The message age timer (0-65535) range.

       --stp-max-age [!] [age][:age]
              The max age timer (0-65535) range.

       --stp-hello-time [!] [time][:time]
              The hello time timer (0-65535) range.

       --stp-forward-delay [!] [delay][:delay]
              The forward delay timer (0-65535) range.
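The stp range options above and the --ip-*-port / --ip6-*-port options earlier use the same '[low][:high]' convention: an omitted low bound means the lowest possible value, an omitted high bound with a colon means the highest, and no colon means a single value. The parser below is an added example, not from the ebtables man page or source; it generalizes that rule over the bounds each option states on the page and adds the check that a port option is only accepted together with --ip-protocol TCP, UDP, DCCP or SCTP. Rejecting an inverted range (low greater than high) is an assumption of this example, as is the sample usage at the bottom.

```python
"""'[low][:high]' range parsing shared by the ip/ip6 port options and the
stp options, with the page's bounds for each option.

Added example, not from the ebtables man page or source. Assumption:
inverted ranges are rejected.
"""

# (lowest, highest) value for each range-taking option named on the page.
RANGE_BOUNDS = {
    "--ip-source-port": (0, 65535), "--ip-destination-port": (0, 65535),
    "--ip6-source-port": (0, 65535), "--ip6-destination-port": (0, 65535),
    "--stp-root-prio": (0, 65535), "--stp-sender-prio": (0, 65535),
    "--stp-port": (0, 65535), "--stp-msg-age": (0, 65535),
    "--stp-max-age": (0, 65535), "--stp-hello-time": (0, 65535),
    "--stp-forward-delay": (0, 65535), "--stp-root-cost": (0, 4294967295),
}
# --ip-protocol values that allow a port option, with their protocol numbers.
PORT_PROTOCOLS = {"TCP": 6, "UDP": 17, "DCCP": 33, "SCTP": 132}


def parse_range(spec, option):
    """Resolve '[low][:high]' for the given option to an inclusive (lo, hi)."""
    lowest, highest = RANGE_BOUNDS[option]
    low, colon, high = spec.partition(":")
    lo = int(low) if low else lowest
    hi = (int(high) if high else highest) if colon else lo
    if not (lowest <= lo <= hi <= highest):
        raise ValueError(f"{option} {spec!r}: out of range or inverted")
    return lo, hi


def port_rule(option, spec, ip_protocol):
    """Validate a port option against --ip-protocol and return a matcher."""
    if ip_protocol.upper() not in PORT_PROTOCOLS:
        raise ValueError(f"{option} requires --ip-protocol TCP, UDP, DCCP or SCTP")
    lo, hi = parse_range(spec, option)
    return lambda port: lo <= port <= hi


if __name__ == "__main__":
    # Constructed sample: a rule for TCP destination ports 8000 through 8080.
    in_range = port_rule("--ip-destination-port", "8000:8080", "TCP")
    print([in_range(p) for p in (7999, 8000, 8080, 8081)])
    print(parse_range(":", "--stp-root-cost"), parse_range("1024:", "--ip-source-port"))
```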
613
614 vlan
615 Specify 802.1Q Tag Control Information fields. The protocol must be
616 specified as 802_1Q (0x8100).
617
618 --vlan-id [!] id
619 The VLAN identifier field (VID). Decimal number from 0 to 4095.
620
621 --vlan-prio [!] prio
622 The user priority field, a decimal number from 0 to 7. The VID
623 should be set to 0 ("null VID") or unspecified (in the latter
624 case the VID is deliberately set to 0).
625
626 --vlan-encap [!] type
627 The encapsulated Ethernet frame type/length. Specified as a
628 hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
629 from /etc/ethertypes.
630
631
632 WATCHER EXTENSIONS
633 Watchers only look at frames passing by, they don't modify them nor
634 decide to accept the frames or not. These watchers only see the frame
635 if the frame matches the rule, and they see it before the target is
636 executed.
637
638 log
639 The log watcher writes descriptive data about a frame to the syslog.
640
641 --log
642 Log with the default loggin options: log-level= info, log-pre‐
643 fix="", no ip logging, no arp logging.
644
645 --log-level level
646 Defines the logging level. For the possible values, see ebtables
647 -h log. The default level is info.
648
649 --log-prefix text
650 Defines the prefix text to be printed at the beginning of the
651 line with the logging information.
652
653 --log-ip
654 Will log the ip information when a frame made by the ip protocol
655 matches the rule. The default is no ip information logging.
656
657 --log-ip6
658 Will log the ipv6 information when a frame made by the ipv6 pro‐
659 tocol matches the rule. The default is no ipv6 information log‐
660 ging.
661
662 --log-arp
663 Will log the (r)arp information when a frame made by the (r)arp
664 protocols matches the rule. The default is no (r)arp information
665 logging.
666
667 nflog
668 The nflog watcher passes the packet to the loaded logging backend in
669 order to log the packet. This is usually used in combination with
670 nfnetlink_log as logging backend, which will multicast the packet
671 through a netlink socket to the specified multicast group. One or more
672 userspace processes may subscribe to the group to receive the packets.
673
674 --nflog
675 Log with the default logging options
676
677 --nflog-group nlgroup
678 The netlink group (1 - 2^32-1) to which packets are (only appli‐
679 cable for nfnetlink_log). The default value is 1.
680
681 --nflog-prefix prefix
682 A prefix string to include in the log message, up to 30 charac‐
683 ters long, useful for distinguishing messages in the logs.
684
685 --nflog-range size
686 The number of bytes to be copied to userspace (only applicable
687 for nfnetlink_log). nfnetlink_log instances may specify their
688 own range, this option overrides it.
689
690 --nflog-threshold size
691 Number of packets to queue inside the kernel before sending them
692 to userspace (only applicable for nfnetlink_log). Higher values
693 result in less overhead per packet, but increase delay until the
694 packets reach userspace. The default value is 1.
695
   ulog
       The ulog watcher passes the packet to a userspace logging daemon using
       netlink multicast sockets. This differs from the log watcher in the
       sense that the complete packet is sent to userspace instead of a
       descriptive text, and that netlink multicast sockets are used instead
       of the syslog. This watcher enables parsing of packets with userspace
       programs; the physical bridge in and out ports are also included in
       the netlink messages. The ulog watcher module accepts 2 parameters
       when the module is loaded into the kernel (e.g. with modprobe):
       nlbufsiz specifies how big the buffer for each netlink multicast group
       is. If you say nlbufsiz=8192, for example, up to eight kB of packets
       will get accumulated in the kernel until they are sent to userspace.
       It is not possible to allocate more than 128kB. Please also keep in
       mind that this buffer size is allocated for each nlgroup you are
       using, so the total kernel memory usage increases by that factor. The
       default is 4096. flushtimeout specifies after how many hundredths of a
       second the queue should be flushed, even if it is not full yet. The
       default is 10 (one tenth of a second).

       --ulog
              Use the default settings: ulog-prefix="", ulog-nlgroup=1,
              ulog-cprange=4096, ulog-qthreshold=1.

       --ulog-prefix text
              Defines the prefix included with the packets sent to userspace.

       --ulog-nlgroup group
              Defines which netlink group number to use (a number from 1 to
              32). Make sure the netlink group numbers used for the iptables
              ULOG target differ from those used for the ebtables ulog
              watcher. The default group number is 1.

       --ulog-cprange range
              Defines the maximum copy range to userspace, for packets
              matching the rule. The default range is 0, which means the
              maximum copy range is given by nlbufsiz. A maximum copy range
              larger than 128*1024 is meaningless as the packets sent to
              userspace have an upper size limit of 128*1024.

       --ulog-qthreshold threshold
              Queue at most threshold number of packets before sending them
              to userspace with a netlink socket. Note that packets can be
              sent to userspace before the queue is full; this happens when
              the ulog kernel timer goes off (the frequency of this timer
              depends on flushtimeout).

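       The following shell snippet is an added example and not part of the
       ebtables man page or the netfilter project. It composes nflog and ulog
       watcher rules for both watcher sections above while enforcing the
       option limits the page states (nflog group 1..2^32-1, prefix at most 30
       characters, ulog nlgroup 1..32, ulog cprange capped at 128*1024). The
       chain, match and prefix values are constructed placeholders; the
       commands are printed for review rather than executed, since loading
       them requires root and a kernel with the bridge netfilter modules.

```shell
#!/bin/sh
# Added example, not part of the ebtables man page: build nflog/ulog watcher
# rules after validating the option ranges the page documents. Commands are
# echoed, not run. Each rule ends in -j CONTINUE so logging alone does not
# decide the frame's fate; a later rule (or the chain policy) does.

# is_uint N: true if N is a non-negative decimal integer.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# nflog_rule CHAIN MATCH GROUP PREFIX [THRESHOLD]
#   --nflog-group must be 1..2^32-1, --nflog-prefix at most 30 characters.
nflog_rule() {
  chain=$1; match=$2; group=$3; prefix=$4; threshold=${5:-1}
  is_uint "$group" && [ "$group" -ge 1 ] && [ "$group" -le 4294967295 ] ||
    { echo "nflog: group must be between 1 and 2^32-1" >&2; return 1; }
  [ "${#prefix}" -le 30 ] ||
    { echo "nflog: prefix longer than 30 characters" >&2; return 1; }
  is_uint "$threshold" && [ "$threshold" -ge 1 ] ||
    { echo "nflog: threshold must be at least 1" >&2; return 1; }
  echo "ebtables -A $chain $match --nflog-group $group" \
       "--nflog-prefix \"$prefix\" --nflog-threshold $threshold -j CONTINUE"
}

# ulog_rule CHAIN MATCH NLGROUP PREFIX [CPRANGE] [QTHRESHOLD]
#   --ulog-nlgroup must be 1..32; --ulog-cprange 0 means "use nlbufsiz" and
#   anything above 128*1024 is meaningless because of the 128kB upper limit.
ulog_rule() {
  chain=$1; match=$2; nlgroup=$3; prefix=$4; cprange=${5:-0}; qthreshold=${6:-1}
  is_uint "$nlgroup" && [ "$nlgroup" -ge 1 ] && [ "$nlgroup" -le 32 ] ||
    { echo "ulog: nlgroup must be between 1 and 32" >&2; return 1; }
  is_uint "$cprange" && [ "$cprange" -le 131072 ] ||
    { echo "ulog: cprange must be 0..131072" >&2; return 1; }
  is_uint "$qthreshold" && [ "$qthreshold" -ge 1 ] ||
    { echo "ulog: qthreshold must be at least 1" >&2; return 1; }
  echo "ebtables -A $chain $match --ulog-nlgroup $nlgroup" \
       "--ulog-prefix \"$prefix\" --ulog-cprange $cprange" \
       "--ulog-qthreshold $qthreshold -j CONTINUE"
}

# Constructed sample rules: log bridged ARP via nflog group 1 and bridged
# IPv4 via ulog group 2 (chain, matches and prefixes are placeholders).
nflog_rule FORWARD "-p ARP" 1 "bridge-arp"
ulog_rule FORWARD "-p IPv4" 2 "bridge-ip"
```

       Keeping the nflog and ulog group numbers distinct from those used by
       iptables, as the --ulog-nlgroup text advises, is something the helper
       cannot check for you; it only enforces the per-option ranges.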
TARGET EXTENSIONS
   arpreply
       The arpreply target can be used in the PREROUTING chain of the nat
       table. If this target sees an ARP request it will automatically reply
       with an ARP reply. The MAC address used for the reply can be
       specified. The protocol must be specified as ARP. When the ARP message
       is not an ARP request or when the ARP request isn't for an IP address
       on an Ethernet network, it is ignored by this target (CONTINUE). When
       the ARP request is malformed, it is dropped (DROP).

       --arpreply-mac address
              Specifies the MAC address to reply with: the Ethernet source
              MAC and the ARP payload source MAC will be filled in with this
              address.

       --arpreply-target target
              Specifies the standard target. After sending the ARP reply, the
              rule still has to give a standard target so ebtables knows what
              to do with the ARP request. The default target is DROP.

   dnat
       The dnat target can only be used in the PREROUTING and OUTPUT chains
       of the nat table. It specifies that the destination MAC address has to
       be changed.

       --to-destination address
              Change the destination MAC address to the specified address.
              The flag --to-dst is an alias for this option.

       --dnat-target target
              Specifies the standard target. After doing the dnat, the rule
              still has to give a standard target so ebtables knows what to
              do with the dnated frame. The default target is ACCEPT. Making
              it CONTINUE could let you use multiple target extensions on the
              same frame. Making it DROP only makes sense in the BROUTING
              chain, but using the redirect target is more logical there.
              RETURN is also allowed. Note that using RETURN in a base chain
              is not allowed (for obvious reasons).

   mark
       The mark target can be used in every chain of every table. It is
       possible to use the marking of a frame/packet in both ebtables and
       iptables, if the bridge-nf code is compiled into the kernel. Both put
       the marking at the same place. This allows for a form of communication
       between ebtables and iptables.

       --mark-set value
              Mark the frame with the specified non-negative value.

       --mark-or value
              Bitwise OR the frame's mark with the specified non-negative
              value.

       --mark-and value
              Bitwise AND the frame's mark with the specified non-negative
              value.

       --mark-xor value
              Bitwise XOR the frame's mark with the specified non-negative
              value.

       --mark-target target
              Specifies the standard target. After marking the frame, the
              rule still has to give a standard target so ebtables knows what
              to do. The default target is ACCEPT. Making it CONTINUE can let
              you do other things with the frame in subsequent rules of the
              chain.

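       The following shell snippet is an added example, not part of the
       ebtables man page or the netfilter project. It simulates, in plain
       shell arithmetic, what a sequence of mark-target rules does to one
       frame's mark while honouring each rule's --mark-target verdict: only a
       rule that ends in CONTINUE lets the following rules act on the same
       frame, which is why the default ACCEPT stops the chain after the first
       mark rule. The rule strings and mark values are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the ebtables man page: walk a frame through a
# list of mark rules the way the chain would, stopping at the first verdict
# other than CONTINUE. Nothing here touches the kernel. The resulting mark is
# the same value iptables sees via "-m mark" when bridge-nf is compiled in.

# apply_mark_rules INITIAL_MARK RULE...
#   Each RULE is "op:value:target" with op in set|or|and|xor and target in
#   ACCEPT|DROP|CONTINUE|RETURN, mirroring for example
#     ebtables -A FORWARD --mark-or 1 --mark-target CONTINUE
#   Prints "<final mark> <verdict of the last rule that ran>".
apply_mark_rules() {
  mark=$(( $1 )); shift
  verdict=CONTINUE
  for rule in "$@"; do
    op=${rule%%:*}; rest=${rule#*:}; value=${rest%%:*}; target=${rest#*:}
    case $op in
      set) mark=$(( value )) ;;          # --mark-set
      or)  mark=$(( mark | value )) ;;   # --mark-or
      and) mark=$(( mark & value )) ;;   # --mark-and
      xor) mark=$(( mark ^ value )) ;;   # --mark-xor
      *)   echo "unknown mark operation: $op" >&2; return 1 ;;
    esac
    case $target in
      ACCEPT|DROP|CONTINUE|RETURN) verdict=$target ;;
      *) echo "not a standard target: $target" >&2; return 1 ;;
    esac
    # Any verdict other than CONTINUE ends traversal of this chain.
    [ "$verdict" = CONTINUE ] || break
  done
  echo "$mark $verdict"
}

# Constructed walk-through: set bit 3, OR in bit 0, XOR with 0b1100, then a
# rule that is never reached because the previous one said ACCEPT.
apply_mark_rules 0 set:8:CONTINUE or:1:CONTINUE xor:12:ACCEPT and:0:CONTINUE
# With the default --mark-target (ACCEPT) the chain stops after the first
# mark rule, so the second rule never sees the frame.
apply_mark_rules 0 set:8:ACCEPT or:1:CONTINUE
```

       The first call ends at mark 5 with verdict ACCEPT (8, then 9, then
       9 XOR 12); the second ends at 8, because the --mark-or rule after an
       ACCEPT is never evaluated for that frame.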
   redirect
       The redirect target will change the MAC target address to that of the
       bridge device the frame arrived on. This target can only be used in
       the PREROUTING chain of the nat table. The MAC address of the bridge
       is used as destination address.

       --redirect-target target
              Specifies the standard target. After doing the MAC redirect,
              the rule still has to give a standard target so ebtables knows
              what to do. The default target is ACCEPT. Making it CONTINUE
              could let you use multiple target extensions on the same frame.
              Making it DROP in the BROUTING chain will let the frames be
              routed. RETURN is also allowed. Note that using RETURN in a
              base chain is not allowed.

   snat
       The snat target can only be used in the POSTROUTING chain of the nat
       table. It specifies that the source MAC address has to be changed.

       --to-source address
              Changes the source MAC address to the specified address. The
              flag --to-src is an alias for this option.

       --snat-target target
              Specifies the standard target. After doing the snat, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE could let
              you use multiple target extensions on the same frame. Making
              it DROP doesn't make sense, but you could do that too. RETURN
              is also allowed. Note that using RETURN in a base chain is not
              allowed.

       --snat-arp
              Also change the hardware source address inside the ARP header
              if the packet is an ARP message and the hardware address length
              in the ARP header is 6 bytes.

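       The following shell snippet is an added example, not part of the
       ebtables man page or the netfilter project. It composes arpreply, dnat
       and snat rules for the nat table (the three target extensions above
       that take a MAC address) while enforcing what the page states for
       each: the chains it may be used in, a well-formed MAC argument, the
       ARP protocol requirement for arpreply, the per-extension default
       standard target, and the rule that RETURN is not allowed in a base
       chain. MAC addresses, IP addresses and interface names in the sample
       calls are constructed placeholders; the commands are printed for
       review, not executed.

```shell
#!/bin/sh
# Added example, not part of the ebtables man page: build arpreply/dnat/snat
# rules with the chain, MAC, protocol and standard-target checks the page
# describes. Commands are echoed; applying them needs root and bridge
# netfilter support in the kernel.

H='[0-9a-fA-F]'

# is_mac ADDR: true if ADDR is a colon-separated 48-bit Ethernet address.
is_mac() {
  case "$1" in
    $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) return 0 ;;
    *) return 1 ;;
  esac
}

# check_std_target TARGET: the extension's follow-up target must be a
# standard target. RETURN is rejected here because every chain these
# extensions are allowed in is a base chain of the nat table.
check_std_target() {
  case $1 in
    ACCEPT|DROP|CONTINUE) return 0 ;;
    RETURN) echo "RETURN is not allowed in a base chain" >&2; return 1 ;;
    *) echo "not a standard target: $1" >&2; return 1 ;;
  esac
}

# nat_target_rule KIND CHAIN MAC MATCH [TARGET]
#   arpreply: PREROUTING only, match must select ARP, default target DROP
#   dnat:     PREROUTING or OUTPUT, rewrites destination MAC, default ACCEPT
#   snat:     POSTROUTING only, rewrites source MAC, default ACCEPT
# Prints the ebtables command line on success, an error on stderr otherwise.
nat_target_rule() {
  kind=$1; chain=$2; mac=$3; match=$4; target=$5
  is_mac "$mac" || { echo "$kind: bad MAC address '$mac'" >&2; return 1; }
  case $kind in
    arpreply)
      target=${target:-DROP}
      case $chain in PREROUTING) ;;
        *) echo "arpreply: only valid in PREROUTING" >&2; return 1 ;; esac
      # The page requires the protocol to be ARP; look for "-p ARP" in the match.
      case " $match " in *" -p ARP "*) ;;
        *) echo "arpreply: protocol must be ARP (-p ARP)" >&2; return 1 ;; esac
      check_std_target "$target" || return 1
      echo "ebtables -t nat -A $chain $match -j arpreply --arpreply-mac $mac --arpreply-target $target" ;;
    dnat)
      target=${target:-ACCEPT}
      case $chain in PREROUTING|OUTPUT) ;;
        *) echo "dnat: only valid in PREROUTING or OUTPUT" >&2; return 1 ;; esac
      check_std_target "$target" || return 1
      echo "ebtables -t nat -A $chain $match -j dnat --to-destination $mac --dnat-target $target" ;;
    snat)
      target=${target:-ACCEPT}
      case $chain in POSTROUTING) ;;
        *) echo "snat: only valid in POSTROUTING" >&2; return 1 ;; esac
      check_std_target "$target" || return 1
      echo "ebtables -t nat -A $chain $match -j snat --to-source $mac --snat-target $target" ;;
    *) echo "unknown target extension: $kind" >&2; return 1 ;;
  esac
}

# Constructed sample rules (MAC, IP and interface values are placeholders).
nat_target_rule arpreply PREROUTING 00:11:22:33:44:55 "-p ARP --arp-ip-dst 192.0.2.1"
nat_target_rule dnat PREROUTING 00:11:22:33:44:55 "-p IPv4 --ip-dst 192.0.2.1" CONTINUE
nat_target_rule snat POSTROUTING 00:11:22:33:44:55 "-o eth0"
```

       Passing CONTINUE as the follow-up target, as in the dnat sample, is
       what lets a later rule in the same chain apply a second target
       extension (or a mark) to the already-rewritten frame.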
FILES
       /etc/ethertypes /run/ebtables.lock

ENVIRONMENT VARIABLE
       EBTABLES_ATOMIC_FILE

MAILINGLISTS
       See http://netfilter.org/mailinglists.html

BUGS
       The version of ebtables this man page ships with does not support the
       broute table. Also there is no support for the among match. And
       finally, this list is probably not complete.

SEE ALSO
       xtables-nft(8), iptables(8), brctl(8), ifconfig(8), route(8)

       See http://ebtables.sf.net



                                 December 2011                    EBTABLES(8)