EBTABLES(8)                  System Manager's Manual                  EBTABLES(8)

NAME
       ebtables (v2.0.10-4) - Ethernet bridge frame table administration

SYNOPSIS
       ebtables [-t table] -[ACDI] chain rule specification [match extensions] [watcher extensions] target
       ebtables [-t table] -P chain ACCEPT | DROP | RETURN
       ebtables [-t table] -F [chain]
       ebtables [-t table] -Z [chain]
       ebtables [-t table] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
       ebtables [-t table] -N chain [-P ACCEPT | DROP | RETURN]
       ebtables [-t table] -X [chain]
       ebtables [-t table] -E old-chain-name new-chain-name
       ebtables [-t table] --init-table
       ebtables [-t table] [--atomic-file file] --atomic-commit
       ebtables [-t table] [--atomic-file file] --atomic-init
       ebtables [-t table] [--atomic-file file] --atomic-save

DESCRIPTION
       ebtables is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect Ethernet frames. It is analogous to the iptables application, but less complicated, because the Ethernet protocol is much simpler than the IP protocol.

CHAINS
       There are three ebtables tables with built-in chains in the Linux kernel. These tables are used to divide functionality into different sets of rules. Each set of rules is called a chain. Each chain is an ordered list of rules that can match Ethernet frames. If a rule matches an Ethernet frame, then a processing specification tells what to do with that matching frame. The processing specification is called a 'target'. If the frame does not match the current rule in the chain, the next rule in the chain is examined, and so forth. The user can create new (user-defined) chains that can be used as the 'target' of a rule. User-defined chains are very useful to get better performance than the linear traversal of the rules, and are also essential for structuring the filtering rules into well-organized and maintainable sets of rules.

TARGETS
       A firewall rule specifies criteria for an Ethernet frame and a frame processing specification called a target. When a frame matches a rule, the next action performed by the kernel is specified by the target. The target can be one of these values: ACCEPT, DROP, CONTINUE, RETURN, an 'extension' (see below) or a jump to a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be dropped. In the BROUTING chain, however, the ACCEPT and DROP targets have different meanings (see the info provided for the -t option). CONTINUE means the next rule has to be checked. This can be handy, e.g., to know how many frames pass a certain point in the chain, to log those frames or to apply multiple targets on a frame. RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. For the extension targets please refer to the TARGET EXTENSIONS section of this man page.

TABLES
       As stated earlier, there are three ebtables tables in the Linux kernel. The table names are filter, nat and broute. Of these three tables, the filter table is the default table that the command operates on. If you are working with the filter table, then you can drop the '-t filter' argument to the ebtables command. However, you will need to provide the -t argument for the other two tables. Moreover, the -t argument must be the first argument on the ebtables command line, if used.

       -t, --table
              filter is the default table and contains three built-in chains: INPUT (for frames destined for the bridge itself, on the level of the MAC destination address), OUTPUT (for locally-generated or (b)routed frames) and FORWARD (for frames being forwarded by the bridge).

              nat is mostly used to change the MAC addresses and contains three built-in chains: PREROUTING (for altering frames as soon as they come in), OUTPUT (for altering locally generated or (b)routed frames before they are bridged) and POSTROUTING (for altering frames as they are about to go out). A small note on the naming of the chains PREROUTING and POSTROUTING: it would be more accurate to call them PREFORWARDING and POSTFORWARDING, but for all those who come from the iptables world to ebtables it is easier to have the same names. Note that you can change the name (-E) if you don't like the default.

              broute is used to make a brouter; it has one built-in chain: BROUTING. The targets DROP and ACCEPT have a special meaning in the broute table (these names are used instead of more descriptive names to keep the implementation generic). DROP actually means the frame has to be routed, while ACCEPT means the frame has to be bridged. The BROUTING chain is traversed very early. However, it is only traversed by frames entering on a bridge port that is in forwarding state. Normally those frames would be bridged, but you can decide otherwise here. The redirect target is very handy here.

OPTIONS
       After the initial ebtables '-t table' command line argument, the remaining arguments can be divided into several groups. These groups are commands, miscellaneous commands, rule specifications, match extensions, watcher extensions and target extensions.
104
COMMANDS
       The ebtables command arguments specify the actions to perform on the table defined with the -t argument. If you do not use the -t argument to name a table, the commands apply to the default filter table. Only one command may be used on the command line at a time, except when the commands -L and -Z are combined, the commands -N and -P are combined, or when --atomic-file is used.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule or rules from the selected chain. There are two ways to use this command. The first is by specifying an interval of rule numbers to delete (directly after -D). Syntax: start_nr[:end_nr] (use -L --Ln to list the rules with their rule number). When end_nr is omitted, all rules starting from start_nr are deleted. Using negative numbers is allowed; for more details about using negative numbers, see the -I command. The second usage is by specifying the complete rule as it would have been specified when it was added. Only the first encountered rule that is the same as this specified rule, in other words the matching rule with the lowest (positive) rule number, is deleted.

       -C, --change-counters
              Change the counters of the specified rule or rules from the selected chain. There are two ways to use this command. The first is by specifying an interval of rule numbers to do the changes on (directly after -C). Syntax: start_nr[:end_nr] (use -L --Ln to list the rules with their rule number). The details are the same as for the -D command. The second usage is by specifying the complete rule as it would have been specified when it was added. Only the counters of the first encountered rule that is the same as this specified rule, in other words the matching rule with the lowest (positive) rule number, are changed. In the first usage, the counters are specified directly after the interval specification, in the second usage directly after -C. First the packet counter is specified, then the byte counter. If the specified counters start with a '+', the counter values are added to the respective current counter values. If the specified counters start with a '-', the counter values are subtracted from the respective current counter values. No bounds checking is done. If the counters don't start with '+' or '-', the current counters are changed to the specified counters.

       -I, --insert
              Insert the specified rule into the selected chain at the specified rule number. If the rule number is not specified, the rule is added at the head of the chain. If the current number of rules equals N, then the specified number can be between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the same place in the chain where the rule should be inserted. The rule number 0 specifies the place past the last rule in the chain, and using this number is therefore equivalent to using the -A command. Rule numbers strictly smaller than 0 can be useful when more than one rule needs to be inserted in a chain.

       -P, --policy
              Set the policy for the chain to the given target. The policy can be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every chain will be flushed. Flushing a chain does not change the policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is selected, all the counters are set to zero. The -Z command can be used in conjunction with the -L command. When both the -Z and -L commands are used together in this way, the rule counters are printed on the screen before they are set to zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected, all chains are listed. The following options change the output of the -L command.

              --Ln
                     Places the rule number in front of every rule. This option is incompatible with the --Lx option.

              --Lc
                     Shows the counters at the end of each rule displayed by the -L command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed. The frame counter shows how many frames have matched the specific rule; the byte counter shows the sum of the frame sizes of these matching frames. Using this option in combination with the --Lx option causes the counters to be written out in the '-c <pcnt> <bcnt>' option format.

              --Lx
                     Changes the output so that it produces a set of ebtables commands that construct the contents of the chain, when specified. If no chain is specified, ebtables commands to construct the contents of the table are given, including commands for creating the user-defined chains (if any). You can use this set of commands in an ebtables boot or reload script; for example, the output could be used at system startup. The --Lx option is incompatible with the --Ln listing option. Using the --Lx option together with the --Lc option will cause the counters to be written out in the '-c <pcnt> <bcnt>' option format.

              --Lmac2
                     Shows all MAC addresses with the same length, adding leading zeroes if necessary. The default representation omits leading zeroes in the addresses.

       -N, --new-chain
              Create a new user-defined chain with the given name. The number of user-defined chains is limited only by the number of possible chain names. A user-defined chain name has a maximum length of 31 characters. The standard policy of the user-defined chain is ACCEPT. The policy of the new chain can be initialized to a different standard target by using the -P command together with the -N command. In this case, the chain name does not have to be specified for the -P command.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no remaining references (jumps) to the specified chain, otherwise ebtables will refuse to delete it. If no chain is specified, all user-defined chains that aren't referenced will be removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a user-defined chain, you can rename a standard chain to a name that suits your taste. For example, if you like PREFORWARDING more than PREROUTING, then you can use the -E command to rename the PREROUTING chain. If you do rename one of the standard ebtables chain names, please be sure to mention this fact should you post a question on the ebtables mailing lists. It would be wise to use the standard name in your post. Renaming a standard ebtables chain in this fashion has no effect on the structure or functioning of the ebtables kernel table.

       --init-table
              Replace the current table data by the initial table data.

       --atomic-init
              Copy the kernel's initial data of the table to the specified file. This can be used as the first action, after which rules are added to the file. The file can be specified using the --atomic-file command or through the EBTABLES_ATOMIC_FILE environment variable.

       --atomic-save
              Copy the kernel's current data of the table to the specified file. This can be used as the first action, after which rules are added to the file. The file can be specified using the --atomic-file command or through the EBTABLES_ATOMIC_FILE environment variable.

       --atomic-commit
              Replace the kernel table data with the data contained in the specified file. This is a useful command that allows you to load all your rules of a certain table into the kernel at once, saving the kernel a lot of precious time and allowing atomic updates of the tables. The file which contains the table data is constructed by using either the --atomic-init or the --atomic-save command to generate a starting file. After that, using the --atomic-file command when constructing rules or setting the EBTABLES_ATOMIC_FILE environment variable allows you to extend the file and build the complete table before committing it to the kernel. This command can be very useful in boot scripts to populate the ebtables tables in a fast way.
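       The following sh script is an added example, not part of this man page, of the --atomic-init / EBTABLES_ATOMIC_FILE / --atomic-commit sequence described above for the filter table, combined with a user-defined chain created with -N and -P and a CONTINUE rule carrying the limit match and the log watcher. The file path, the chain name NONIP, the rules it installs and the EBTABLES and EBT_APPLY variables are assumptions made for the example; the kernel is only touched when EBT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the ebtables man page: stage a complete filter
# table in an atomic file and swap it into the kernel in one step.
# Assumptions made for the example: the file path, the chain name NONIP and
# the rules it holds; EBTABLES can point at a wrapper for a dry run and the
# kernel is only touched when EBT_APPLY=1.
set -eu

EBTABLES="${EBTABLES:-ebtables}"
EBTABLES_ATOMIC_FILE="${EBTABLES_ATOMIC_FILE:-/var/lib/ebtables/filter.atomic}"
export EBTABLES_ATOMIC_FILE   # every ebtables command below now works on the file

# Write the rule set into the atomic file. Nothing reaches the kernel yet,
# so a typo here cannot leave the bridge half-configured.
stage_filter_table() {
    # start from the kernel's initial (empty) filter table
    "$EBTABLES" -t filter --atomic-init
    # user-defined chain for frames that are neither IPv4 nor ARP, with its
    # policy set in the same command (-N together with -P)
    "$EBTABLES" -t filter -N NONIP -P DROP
    # log a sample of those frames (limit match + log watcher), then let the
    # rule fall through with CONTINUE so the chain policy DROP applies
    "$EBTABLES" -t filter -A NONIP --limit 3/minute --limit-burst 5 \
        --log --log-prefix "ebt-nonip: " -j CONTINUE
    # bridge only IPv4 and ARP; every other protocol is handed to NONIP
    "$EBTABLES" -t filter -A FORWARD -p IPv4 -j ACCEPT
    "$EBTABLES" -t filter -A FORWARD -p ARP -j ACCEPT
    "$EBTABLES" -t filter -A FORWARD -j NONIP
}

# Print the staged table as reloadable ebtables commands, read from the file.
review_filter_table() {
    "$EBTABLES" -t filter -L --Lx
}

# Replace the kernel's filter table with the staged one atomically.
commit_filter_table() {
    "$EBTABLES" -t filter --atomic-commit
}

# Stage, review and commit in one go.
load_filter_table() {
    stage_filter_table
    review_filter_table
    commit_filter_table
}

# Usage: EBT_APPLY=1 sh ebt-load.sh
if [ "${EBT_APPLY:-0}" = 1 ]; then
    load_filter_table
fi
```

       Because -t filter is given on every command line it stays the first argument, as the TABLES section requires, and because EBTABLES_ATOMIC_FILE is exported no --atomic-file option has to be repeated. Setting EBTABLES to a wrapper that merely records its arguments is a convenient way to review the generated command sequence without root privileges.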
268
MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the ebtables userspace program.

       -h, --help [list of module names]
              Give a brief description of the command syntax. Here you can also specify names of extensions and ebtables will try to write help about those extensions. E.g. ebtables -h snat log ip arp. Specify list_extensions to list all extensions supported by the userspace utility.

       -j, --jump target
              The target of the rule. This is one of the following values: ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET EXTENSIONS) or a user-defined chain name.

       --atomic-file file
              Let the command operate on the specified file. The data of the table to operate on will be extracted from the file and the result of the operation will be saved back into the file. If specified, this option should come before the command specification. The preferred alternative is setting the EBTABLES_ATOMIC_FILE environment variable.

       -M, --modprobe program
              When talking to the kernel, use this program to try to automatically load missing kernel modules.

       --concurrent
              Use a file lock to support concurrent scripts updating the ebtables kernel tables.

RULE SPECIFICATIONS
       The following command line arguments make up a rule specification (as used in the add and delete commands). A "!" option before the specification inverts the test for that specification. Apart from these standard rule specifications there are some other command line arguments of interest. See both the MATCH EXTENSIONS and the WATCHER EXTENSIONS below.

       -p, --protocol [!] protocol
              The protocol that was responsible for creating the frame. This can be a hexadecimal number, above 0x0600, a name (e.g. ARP) or LENGTH. The protocol field of the Ethernet frame can be used to denote the length of the header (802.2/802.3 networks). When the value of that field is below or equals 0x0600, the value equals the size of the header and shouldn't be used as a protocol number. Instead, all frames where the protocol field is used as the length field are assumed to be of the same 'protocol'. The protocol name used in ebtables for these frames is LENGTH. The file /etc/ethertypes can be used to show readable characters instead of hexadecimal numbers for the protocols. For example, 0x0800 will be represented by IPV4. The use of this file is not case sensitive. See that file for more information. The flag --proto is an alias for this option.

       -i, --in-interface [!] name
              The interface (bridge port) via which a frame is received (this option is useful in the INPUT, FORWARD, PREROUTING and BROUTING chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match. The flag --in-if is an alias for this option.

       --logical-in [!] name
              The (logical) bridge interface via which a frame is received (this option is useful in the INPUT, FORWARD, PREROUTING and BROUTING chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match.

       -o, --out-interface [!] name
              The interface (bridge port) via which a frame is going to be sent (this option is useful in the OUTPUT, FORWARD and POSTROUTING chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match. The flag --out-if is an alias for this option.

       --logical-out [!] name
              The (logical) bridge interface via which a frame is going to be sent (this option is useful in the OUTPUT, FORWARD and POSTROUTING chains). If the interface name ends with '+', then any interface name that begins with this name (disregarding '+') will match.

       -s, --source [!] address[/mask]
              The source MAC address. Both mask and address are written as 6 hexadecimal numbers separated by colons. Alternatively one can specify Unicast, Multicast, Broadcast or BGA (Bridge Group Address):
                     Unicast=00:00:00:00:00:00/01:00:00:00:00:00,
                     Multicast=01:00:00:00:00:00/01:00:00:00:00:00,
                     Broadcast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
                     BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff.
              Note that a broadcast address will also match the multicast specification. The flag --src is an alias for this option.

       -d, --destination [!] address[/mask]
              The destination MAC address. See -s (above) for more details on MAC addresses. The flag --dst is an alias for this option.

       -c, --set-counter pcnt bcnt
              If used with -A or -I, then the packet and byte counters of the new rule will be set to pcnt, resp. bcnt. If used with the -C or -D commands, only rules with a packet and byte count equal to pcnt, resp. bcnt will match.
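       The address/mask comparison that -s and -d perform, written in plain sh as an added example that is not part of this man page. The four symbolic specifications are expanded exactly as listed under -s, the sample addresses are constructed, and the comparison is the usual (frame AND mask) = (address AND mask) per octet. Running it reproduces the caveat above: the broadcast address also satisfies the Multicast specification, and the bridge group address satisfies both Multicast and BGA, which matters when a rule meant for one class is placed before a rule meant for the other.

```shell
#!/bin/sh
# Added example, not part of the ebtables man page: the address/mask test that
# the -s and -d rule specifications perform, in plain sh, so the symbolic
# specifications can be checked without a bridge. Sample addresses are
# constructed; the arithmetic is (frame & mask) == (address & mask) per octet.

# Expand "address[/mask]" or one of the symbolic names listed under -s into
# "address mask". An address without a mask is matched exactly.
mac_spec_expand() {
    case "$1" in
        Unicast)   echo "00:00:00:00:00:00 01:00:00:00:00:00" ;;
        Multicast) echo "01:00:00:00:00:00 01:00:00:00:00:00" ;;
        Broadcast) echo "ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff" ;;
        BGA)       echo "01:80:c2:00:00:00 ff:ff:ff:ff:ff:ff" ;;
        */*)       echo "${1%/*} ${1#*/}" ;;
        *)         echo "$1 ff:ff:ff:ff:ff:ff" ;;
    esac
}

# mac_matches FRAME_MAC SPEC: succeeds when the frame address matches the
# specification, octet by octet under the mask.
mac_matches() {
    frame=$1
    spec=$2
    set -- $(mac_spec_expand "$spec")
    addr=$1
    mask=$2
    i=1
    while [ "$i" -le 6 ]; do
        f=$(printf '%s' "$frame" | cut -d: -f"$i")
        a=$(printf '%s' "$addr" | cut -d: -f"$i")
        m=$(printf '%s' "$mask" | cut -d: -f"$i")
        [ $(( 0x$f & 0x$m )) -eq $(( 0x$a & 0x$m )) ] || return 1
        i=$((i + 1))
    done
    return 0
}

# Name every symbolic specification a frame address would satisfy, in the
# order given under -s. Shows why a broadcast frame is also "Multicast".
mac_classes() {
    out=""
    for spec in Unicast Multicast Broadcast BGA; do
        if mac_matches "$1" "$spec"; then
            out="$out $spec"
        fi
    done
    printf '%s\n' "${out# }"
}

# Demonstration on constructed addresses.
for mac in 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 01:80:c2:00:00:00 01:00:5e:00:00:fb; do
    printf '%-18s %s\n' "$mac" "$(mac_classes "$mac")"
done
```

       Only the low bit of the first octet is masked in the Unicast and Multicast specifications, which is the I/G bit of the MAC address; every other bit is ignored, so any address with that bit set, the broadcast address included, counts as multicast.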
375
376
MATCH EXTENSIONS
       Ebtables extensions are dynamically loaded into the userspace tool; there is therefore no need to explicitly load them with a -m option like is done in iptables. These extensions deal with functionality supported by kernel modules supplemental to the core ebtables code.

   802_3
       Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be specified as LENGTH (see the option -p above).

       --802_3-sap [!] sap
              DSAP and SSAP are two one-byte 802.3 fields. The bytes are always equal, so only one byte (hexadecimal) is needed as an argument.

       --802_3-type [!] type
              If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must be consulted to determine the payload protocol. This is a two-byte (hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are checked for type.

   among
       Match a MAC address or MAC/IP address pair versus a list of MAC addresses and MAC/IP address pairs. A list entry has the following format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are separated by a comma; specifying an IP address corresponding to the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address but different IP address (and vice versa) can be specified. If the MAC address doesn't match any entry from the list, the frame doesn't match the rule (unless "!" was used).

       --among-dst [!] list
              Compare the MAC destination to the given list. If the Ethernet frame has type IPv4 or ARP, then comparison with MAC/IP destination address pairs from the list is possible.

       --among-src [!] list
              Compare the MAC source to the given list. If the Ethernet frame has type IPv4 or ARP, then comparison with MAC/IP source address pairs from the list is possible.

       --among-dst-file [!] file
              Same as --among-dst but the list is read in from the specified file.

       --among-src-file [!] file
              Same as --among-src but the list is read in from the specified file.

   arp
       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.

       --arp-opcode [!] opcode
              The (R)ARP opcode (decimal or a string; for more details see ebtables -h arp).

       --arp-htype [!] hardware type
              The hardware type; this can be a decimal or the string Ethernet (which sets type to 1). Most (R)ARP packets have Ethernet as hardware type.

       --arp-ptype [!] protocol type
              The protocol type for which the (R)ARP is used (hexadecimal or the string IPv4, denoting 0x0800). Most (R)ARP packets have protocol type IPv4.

       --arp-ip-src [!] address[/mask]
              The (R)ARP IP source address specification.

       --arp-ip-dst [!] address[/mask]
              The (R)ARP IP destination address specification.

       --arp-mac-src [!] address[/mask]
              The (R)ARP MAC source address specification.

       --arp-mac-dst [!] address[/mask]
              The (R)ARP MAC destination address specification.

       [!] --arp-gratuitous
              Checks for gratuitous ARP packets: checks equality of the IPv4 source address and the IPv4 destination address inside the ARP header.

   ip
       Specify IPv4 fields. The protocol must be specified as IPv4.

       --ip-source [!] address[/mask]
              The source IP address. The flag --ip-src is an alias for this option.

       --ip-destination [!] address[/mask]
              The destination IP address. The flag --ip-dst is an alias for this option.

       --ip-tos [!] tos
              The IP type of service, in hexadecimal numbers.

       --ip-protocol [!] protocol
              The IP protocol. The flag --ip-proto is an alias for this option.

       --ip-source-port [!] port1[:port2]
              The source port or port range for the IP protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted, 0:port2 is used; if port2 is omitted but a colon is specified, port1:65535 is used. The flag --ip-sport is an alias for this option.

       --ip-destination-port [!] port1[:port2]
              The destination port or port range for the IP protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted, 0:port2 is used; if port2 is omitted but a colon is specified, port1:65535 is used. The flag --ip-dport is an alias for this option.

   ip6
       Specify IPv6 fields. The protocol must be specified as IPv6.

       --ip6-source [!] address[/mask]
              The source IPv6 address. The flag --ip6-src is an alias for this option.

       --ip6-destination [!] address[/mask]
              The destination IPv6 address. The flag --ip6-dst is an alias for this option.

       --ip6-tclass [!] tclass
              The IPv6 traffic class, in hexadecimal numbers.

       --ip6-protocol [!] protocol
              The IP protocol. The flag --ip6-proto is an alias for this option.

       --ip6-source-port [!] port1[:port2]
              The source port or port range for the IPv6 protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option must be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted, 0:port2 is used; if port2 is omitted but a colon is specified, port1:65535 is used. The flag --ip6-sport is an alias for this option.

       --ip6-destination-port [!] port1[:port2]
              The destination port or port range for the IPv6 protocols 6 (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option must be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted, 0:port2 is used; if port2 is omitted but a colon is specified, port1:65535 is used. The flag --ip6-dport is an alias for this option.

       --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
              Specify the ipv6-icmp type and code to match. Ranges for both type and code are supported. Type and code are separated by a slash. Valid numbers for type and code are 0 to 255. To match a single type including all valid codes, symbolic names can be used instead of numbers. The list of known type names is shown by the command
                     ebtables --help ip6
              This option is only valid for --ip6-protocol ipv6-icmp.

   limit
       This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used with the --log watcher to give limited logging, for example. Its use is the same as the limit match of iptables.

       --limit [value]
              Maximum average matching rate: specified as a number, with an optional /second, /minute, /hour, or /day suffix; the default is 3/hour.

       --limit-burst [number]
              Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

   mark_m
       --mark [!] [value][/mask]
              Matches frames with the given unsigned mark value. If a value and mask are specified, the logical AND of the mark value of the frame and the user-specified mask is taken before comparing it with the user-specified mark value. When only a mark value is specified, the packet only matches when the mark value of the frame equals the user-specified mark value. If only a mask is specified, the logical AND of the mark value of the frame and the user-specified mask is taken and the frame matches when the result of this logical AND is non-zero. Only specifying a mask is useful to match multiple mark values.

   pkttype
       --pkttype-type [!] type
              Matches on the Ethernet "class" of the frame, which is determined by the generic networking code. Possible values: broadcast (MAC destination is the broadcast address), multicast (MAC destination is a multicast address), host (MAC destination is the receiving network device), or otherhost (none of the above).

   stp
       Specify STP BPDU (bridge protocol data unit) fields. The destination address (-d) must be specified as the bridge group address (BGA). For all options for which a range of values can be specified, it holds that if the lower bound is omitted (but the colon is not), then the lowest possible lower bound for that option is used, while if the upper bound is omitted (but the colon again is not), the highest possible upper bound for that option is used.

       --stp-type [!] type
              The BPDU type (0-255); recognized non-numerical types are config, denoting a configuration BPDU (=0), and tcn, denoting a topology change notification BPDU (=128).

       --stp-flags [!] flag
              The BPDU flag (0-255); recognized non-numerical flags are topology-change, denoting the topology change flag (=1), and topology-change-ack, denoting the topology change acknowledgement flag (=128).

       --stp-root-prio [!] [prio][:prio]
              The root priority (0-65535) range.

       --stp-root-addr [!] [address][/mask]
              The root MAC address; see the option -s for more details.

       --stp-root-cost [!] [cost][:cost]
              The root path cost (0-4294967295) range.

       --stp-sender-prio [!] [prio][:prio]
              The BPDU's sender priority (0-65535) range.

       --stp-sender-addr [!] [address][/mask]
              The BPDU's sender MAC address; see the option -s for more details.

       --stp-port [!] [port][:port]
              The port identifier (0-65535) range.

       --stp-msg-age [!] [age][:age]
              The message age timer (0-65535) range.

       --stp-max-age [!] [age][:age]
              The max age timer (0-65535) range.

       --stp-hello-time [!] [time][:time]
              The hello time timer (0-65535) range.

       --stp-forward-delay [!] [delay][:delay]
              The forward delay timer (0-65535) range.

   vlan
       Specify 802.1Q Tag Control Information fields. The protocol must be specified as 802_1Q (0x8100).

       --vlan-id [!] id
              The VLAN identifier field (VID). Decimal number from 0 to 4095.

       --vlan-prio [!] prio
              The user priority field, a decimal number from 0 to 7. The VID should be set to 0 ("null VID") or unspecified (in the latter case the VID is deliberately set to 0).

       --vlan-encap [!] type
              The encapsulated Ethernet frame type/length. Specified as a hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name from /etc/ethertypes.

643
WATCHER EXTENSIONS
       Watchers only look at frames passing by; they don't modify them nor decide to accept the frames or not. These watchers only see the frame if the frame matches the rule, and they see it before the target is executed.

   log
       The log watcher writes descriptive data about a frame to the syslog.

       --log
              Log with the default logging options: log-level=info, log-prefix="", no IP logging, no ARP logging.

       --log-level level
              Defines the logging level. For the possible values, see ebtables -h log. The default level is info.

       --log-prefix text
              Defines the prefix text to be printed at the beginning of the line with the logging information.

       --log-ip
              Will log the IP information when a frame made by the IP protocol matches the rule. The default is no IP information logging.

       --log-ip6
              Will log the IPv6 information when a frame made by the IPv6 protocol matches the rule. The default is no IPv6 information logging.

       --log-arp
              Will log the (R)ARP information when a frame made by the (R)ARP protocols matches the rule. The default is no (R)ARP information logging.
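       The following sh script is an added example, not part of this man page, that combines the among match (MATCH EXTENSIONS above) with the log watcher: each host behind a bridge port is pinned to its MAC/IP pair, IPv4 and ARP frames whose source pair is not in the list are dropped in FORWARD, and the ARP ones are logged with --log-arp before the DROP target runs. The host inventory, the port name, the log prefix and the EBTABLES and EBT_APPLY variables are constructed assumptions; the kernel is only touched when EBT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the ebtables man page: pin the hosts behind a
# bridge port to their MAC/IP pairs with the among match, drop IPv4 and ARP
# frames whose source pair is unknown, and log the ARP ones with --log-arp.
# The inventory, the port name, the log prefix and the EBTABLES/EBT_APPLY
# variables are constructed assumptions for the example.
set -eu

EBTABLES="${EBTABLES:-ebtables}"

# Constructed inventory, one "mac ip" pair per line. The same MAC may appear
# with several IPs, as the among match allows.
HOSTS='00:11:22:33:44:01 192.0.2.11
00:11:22:33:44:02 192.0.2.12
00:11:22:33:44:02 192.0.2.13'

# Render the inventory in the among list syntax: mac=ip,mac=ip,...
among_list() {
    list=""
    while read -r mac ip; do
        [ -n "$mac" ] || continue
        list="${list:+$list,}$mac=$ip"
    done <<EOF
$1
EOF
    printf '%s\n' "$list"
}

# Rules for one bridge port. "! list" inverts the match, so a frame matches
# (and is dropped) exactly when its source MAC/IP pair is not in the list.
pin_port() {
    port=$1
    pairs=$(among_list "$HOSTS")
    # unknown ARP sender pair: log the ARP header fields (the watcher runs
    # before the target), then drop
    "$EBTABLES" -t filter -A FORWARD -i "$port" -p ARP --among-src ! "$pairs" \
        --log-arp --log-prefix "ebt-arp-spoof: " -j DROP
    # unknown IPv4 source pair: silent drop
    "$EBTABLES" -t filter -A FORWARD -i "$port" -p IPv4 --among-src ! "$pairs" -j DROP
}

# Usage: EBT_APPLY=1 PORT=eth1 sh ebt-pin.sh   (eth1 is a placeholder port name)
if [ "${EBT_APPLY:-0}" = 1 ]; then
    pin_port "${PORT:-eth1}"
fi
```

       The -p restriction matters: among only compares the IP half of a pair for IPv4 and ARP frames, so the two rules are kept separate per protocol, and frames of other protocols are left to the rest of the FORWARD chain. On a busy port the ARP rule is a candidate for the limit match, so that a flood of spoofed requests does not also flood the syslog.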
678
679 nflog
680 The nflog watcher passes the packet to the loaded logging backend in
681 order to log the packet. This is usually used in combination with
682 nfnetlink_log as logging backend, which will multicast the packet
683 through a netlink socket to the specified multicast group. One or more
684 userspace processes may subscribe to the group to receive the packets.
685
686 --nflog
687 Log with the default logging options
688
689 --nflog-group nlgroup
690 The netlink group (1 - 2^32-1) to which packets are (only appli‐
691 cable for nfnetlink_log). The default value is 1.
692
693 --nflog-prefix prefix
694 A prefix string to include in the log message, up to 30 charac‐
695 ters long, useful for distinguishing messages in the logs.
696
697 --nflog-range size
698 The number of bytes to be copied to userspace (only applicable
699 for nfnetlink_log). nfnetlink_log instances may specify their
700 own range, this option overrides it.
701
702 --nflog-threshold size
703 Number of packets to queue inside the kernel before sending them
704 to userspace (only applicable for nfnetlink_log). Higher values
705 result in less overhead per packet, but increase delay until the
706 packets reach userspace. The default value is 1.
707
   ulog
       The ulog watcher passes the packet to a userspace logging daemon using
       netlink multicast sockets. This differs from the log watcher in the
       sense that the complete packet is sent to userspace instead of a
       descriptive text, and that netlink multicast sockets are used instead
       of the syslog. This watcher enables parsing of packets with userspace
       programs; the physical bridge in and out ports are also included in
       the netlink messages. The ulog watcher module accepts 2 parameters
       when the module is loaded into the kernel (e.g. with modprobe):
       nlbufsiz specifies how big the buffer for each netlink multicast group
       is. If you say nlbufsiz=8192, for example, up to eight kB of packets
       will get accumulated in the kernel until they are sent to userspace.
       It is not possible to allocate more than 128kB. Please also keep in
       mind that this buffer size is allocated for each nlgroup you are
       using, so the total kernel memory usage increases by that factor. The
       default is 4096. flushtimeout specifies after how many hundredths of
       a second the queue should be flushed, even if it is not full yet. The
       default is 10 (one tenth of a second).

       --ulog
              Use the default settings: ulog-prefix="", ulog-nlgroup=1,
              ulog-cprange=4096, ulog-qthreshold=1.

       --ulog-prefix text
              Defines the prefix included with the packets sent to userspace.

       --ulog-nlgroup group
              Defines which netlink group number to use (a number from 1 to
              32). Make sure the netlink group numbers used for the iptables
              ULOG target differ from those used for the ebtables ulog
              watcher. The default group number is 1.

       --ulog-cprange range
              Defines the maximum copy range to userspace, for packets
              matching the rule. The default range is 0, which means the
              maximum copy range is given by nlbufsiz. A maximum copy range
              larger than 128*1024 is meaningless as the packets sent to
              userspace have an upper size limit of 128*1024.

       --ulog-qthreshold threshold
              Queue at most threshold number of packets before sending them to
              userspace with a netlink socket. Note that packets can be sent
              to userspace before the queue is full; this happens when the
              ulog kernel timer goes off (the frequency of this timer depends
              on flushtimeout).

TARGET EXTENSIONS
   arpreply
       The arpreply target can be used in the PREROUTING chain of the nat
       table. If this target sees an ARP request it will automatically reply
       with an ARP reply. The MAC address used for the reply can be specified.
       The protocol must be specified as ARP. When the ARP message is not an
       ARP request or when the ARP request isn't for an IP address on an
       Ethernet network, it is ignored by this target (CONTINUE). When the ARP
       request is malformed, it is dropped (DROP).

       --arpreply-mac address
              Specifies the MAC address to reply with: the Ethernet source MAC
              and the ARP payload source MAC will be filled in with this
              address.

       --arpreply-target target
              Specifies the standard target. After sending the ARP reply, the
              rule still has to give a standard target so ebtables knows what
              to do with the ARP request. The default target is DROP.

   dnat
       The dnat target can only be used in the BROUTING chain of the broute
       table and the PREROUTING and OUTPUT chains of the nat table. It
       specifies that the destination MAC address has to be changed.

       --to-destination address
              Change the destination MAC address to the specified address.
              The flag --to-dst is an alias for this option.

       --dnat-target target
              Specifies the standard target. After doing the dnat, the rule
              still has to give a standard target so ebtables knows what to do
              with the dnated frame. The default target is ACCEPT. Making it
              CONTINUE could let you use multiple target extensions on the
              same frame. Making it DROP only makes sense in the BROUTING
              chain, but using the redirect target is more logical there.
              RETURN is also allowed. Note that using RETURN in a base chain
              is not allowed (for obvious reasons).

   mark
       The mark target can be used in every chain of every table. It is
       possible to use the marking of a frame/packet in both ebtables and
       iptables, if the bridge-nf code is compiled into the kernel. Both put
       the marking at the same place. This allows for a form of communication
       between ebtables and iptables.

       --mark-set value
              Mark the frame with the specified non-negative value.

       --mark-or value
              Or the frame mark with the specified non-negative value.

       --mark-and value
              And the frame mark with the specified non-negative value.

       --mark-xor value
              Xor the frame mark with the specified non-negative value.

       --mark-target target
              Specifies the standard target. After marking the frame, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE can let
              you do other things with the frame in subsequent rules of the
              chain.

   redirect
       The redirect target will change the destination MAC address to that of
       the bridge device the frame arrived on. This target can only be used
       in the BROUTING chain of the broute table and the PREROUTING chain of
       the nat table. In the BROUTING chain, the MAC address of the bridge
       port is used as destination address; in the PREROUTING chain, the MAC
       address of the bridge is used.

       --redirect-target target
              Specifies the standard target. After doing the MAC redirect, the
              rule still has to give a standard target so ebtables knows what
              to do. The default target is ACCEPT. Making it CONTINUE could
              let you use multiple target extensions on the same frame. Making
              it DROP in the BROUTING chain will let the frames be routed.
              RETURN is also allowed. Note that using RETURN in a base chain
              is not allowed.

   snat
       The snat target can only be used in the POSTROUTING chain of the nat
       table. It specifies that the source MAC address has to be changed.

       --to-source address
              Changes the source MAC address to the specified address. The
              flag --to-src is an alias for this option.

       --snat-target target
              Specifies the standard target. After doing the snat, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE could let
              you use multiple target extensions on the same frame. Making it
              DROP doesn't make sense, but you could do that too. RETURN is
              also allowed. Note that using RETURN in a base chain is not
              allowed.

       --snat-arp
              Also change the hardware source address inside the arp header if
              the packet is an arp message and the hardware address length in
              the arp header is 6 bytes.

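       The watcher and target constraints documented above (the nflog and ulog
       group ranges, the 30-character --nflog-prefix limit, which chains each
       target extension may be used in, and RETURN being disallowed as the
       chained standard target in a base chain) are easy to violate when rules
       are generated rather than typed. As an added example that is not part of
       ebtables, the Python helper below assembles the argv for one rule and
       rejects the invalid cases before anything reaches the kernel; the
       function names, the BUILTIN_CHAINS set and the sample values are the
       example's own assumptions.

```python
# Added example, not part of ebtables: a pre-flight check that assembles the
# argv for one "ebtables -A" rule and rejects the placements and values this
# man page documents as invalid. Names and sample values are constructed.
# Where each target extension may appear (TARGET EXTENSIONS); None = anywhere.
TARGET_PLACEMENT = {
    "arpreply": {("nat", "PREROUTING")},
    "dnat": {("broute", "BROUTING"), ("nat", "PREROUTING"), ("nat", "OUTPUT")},
    "redirect": {("broute", "BROUTING"), ("nat", "PREROUTING")},
    "snat": {("nat", "POSTROUTING")},
    "mark": None,
}
# Built-in ("base") chains of the filter, nat and broute tables (assumption).
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING", "BROUTING"}
# Documented value ranges for the watcher options that take a netlink group.
WATCHER_RANGES = {"--nflog-group": (1, 2**32 - 1), "--ulog-nlgroup": (1, 32)}
MARK_OPS = {"--mark-set", "--mark-or", "--mark-and", "--mark-xor"}


def build_rule(table, chain, match, target, target_opts=(), watcher=()):
    """Return argv for 'ebtables -t TABLE -A CHAIN ... -j TARGET', or raise ValueError."""
    allowed = TARGET_PLACEMENT.get(target)
    if allowed is not None and (table, chain) not in allowed:
        raise ValueError(f"{target} is not allowed in chain {chain} of table {table}")
    if target == "arpreply" and "ARP" not in match:
        raise ValueError("arpreply requires the protocol to be specified as ARP")
    argv = ["ebtables", "-t", table, "-A", chain, *match]
    for flag, value in watcher:            # watcher options precede -j
        if flag == "--nflog-prefix" and len(value) > 30:
            raise ValueError("--nflog-prefix is limited to 30 characters")
        lo_hi = WATCHER_RANGES.get(flag)
        if lo_hi and not lo_hi[0] <= int(value) <= lo_hi[1]:
            raise ValueError(f"{flag} must be within {lo_hi[0]}..{lo_hi[1]}")
        argv += [flag] if value is None else [flag, str(value)]
    argv += ["-j", target]
    for flag, value in target_opts:        # target extension options follow -j
        if flag.endswith("-target") and value == "RETURN" and chain in BUILTIN_CHAINS:
            raise ValueError(f"{flag} RETURN is not allowed in base chain {chain}")
        if flag in MARK_OPS and int(value) < 0:
            raise ValueError(f"{flag} takes a non-negative value")
        argv += [flag, str(value)]
    return argv


def rule_is_valid(*args, **kwargs):
    """True when build_rule accepts the rule, False when it raises ValueError."""
    try:
        build_rule(*args, **kwargs)
    except ValueError:
        return False
    return True
```

       The returned list can be passed to subprocess.run as-is; a rule that
       passes the check still has to be applied with the privileges ebtables
       requires.
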
FILES
       /etc/ethertypes /run/ebtables.lock

ENVIRONMENT VARIABLES
       EBTABLES_ATOMIC_FILE

MAILINGLISTS
       See http://netfilter.org/mailinglists.html

SEE ALSO
       iptables(8), brctl(8), ifconfig(8), route(8)

       See http://ebtables.sf.net



                               December 2011                       EBTABLES(8)