EBTABLES(8)                 System Manager's Manual                EBTABLES(8)


NAME

       ebtables - Ethernet bridge frame table administration (nft-based)


SYNOPSIS

       ebtables [-t table] -[ACDI] chain rule specification [match extensions]
              [watcher extensions] target
       ebtables [-t table] -P chain ACCEPT | DROP | RETURN
       ebtables [-t table] -F [chain]
       ebtables [-t table] -Z [chain]
       ebtables [-t table] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
       ebtables [-t table] -N chain [-P ACCEPT | DROP | RETURN]
       ebtables [-t table] -X [chain]
       ebtables [-t table] -E old-chain-name new-chain-name
       ebtables [-t table] --init-table
       ebtables [-t table] [--atomic-file file] --atomic-commit
       ebtables [-t table] [--atomic-file file] --atomic-init
       ebtables [-t table] [--atomic-file file] --atomic-save


DESCRIPTION

       ebtables is an application program used to set up and maintain the
       tables of rules (inside the Linux kernel) that inspect Ethernet frames.
       It is analogous to the iptables application, but less complicated, due
       to the fact that the Ethernet protocol is much simpler than the IP
       protocol.

   CHAINS
       There are two ebtables tables with built-in chains in the Linux kernel.
       These tables are used to divide functionality into different sets of
       rules. Each set of rules is called a chain. Each chain is an ordered
       list of rules that can match Ethernet frames. If a rule matches an
       Ethernet frame, then a processing specification tells what to do with
       that matching frame. The processing specification is called a 'target'.
       However, if the frame does not match the current rule in the chain,
       then the next rule in the chain is examined and so forth. The user can
       create new (user-defined) chains that can be used as the 'target' of a
       rule. User-defined chains are very useful to get better performance
       over the linear traversal of the rules and are also essential for
       structuring the filtering rules into well-organized and maintainable
       sets of rules.

   TARGETS
       A firewall rule specifies criteria for an Ethernet frame and a frame
       processing specification called a target. When a frame matches a rule,
       then the next action performed by the kernel is specified by the
       target. The target can be one of these values: ACCEPT, DROP, CONTINUE,
       RETURN, an 'extension' (see below) or a jump to a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy, for example, to know how many frames pass a certain point in the
       chain, to log those frames or to apply multiple targets on a frame.
       RETURN means stop traversing this chain and resume at the next rule in
       the previous (calling) chain. For the extension targets please refer to
       the TARGET EXTENSIONS section of this man page.

   TABLES
       As stated earlier, there are two ebtables tables in the Linux kernel.
       The table names are filter and nat. Of these two tables, the filter
       table is the default table that the command operates on. If you are
       working with the filter table, then you can drop the '-t filter'
       argument to the ebtables command. However, you will need to provide the
       -t argument for the nat table. Moreover, the -t argument must be the
       first argument on the ebtables command line, if used.

       -t, --table
              filter is the default table and contains three built-in chains:
              INPUT (for frames destined for the bridge itself, on the level
              of the MAC destination address), OUTPUT (for locally-generated
              or (b)routed frames) and FORWARD (for frames being forwarded by
              the bridge).
              nat is mostly used to change the MAC addresses and contains
              three built-in chains: PREROUTING (for altering frames as soon
              as they come in), OUTPUT (for altering locally generated or
              (b)routed frames before they are bridged) and POSTROUTING (for
              altering frames as they are about to go out). A small note on
              the naming of chains PREROUTING and POSTROUTING: it would be
              more accurate to call them PREFORWARDING and POSTFORWARDING, but
              for all those who come from the iptables world to ebtables it is
              easier to have the same names. Note that you can change the name
              (-E) if you don't like the default.


EBTABLES COMMAND LINE ARGUMENTS

       After the initial ebtables '-t table' command line argument, the
       remaining arguments can be divided into several groups. These groups
       are commands, miscellaneous commands, rule specifications, match
       extensions, watcher extensions and target extensions.

   COMMANDS
       The ebtables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. Only
       one command may be used on the command line at a time, except when the
       commands -L and -Z are combined, the commands -N and -P are combined,
       or when --atomic-file is used.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule or rules from the selected chain.
              There are two ways to use this command. The first is by
              specifying an interval of rule numbers to delete (directly after
              -D). Syntax: start_nr[:end_nr] (use -L --Ln to list the rules
              with their rule number). When end_nr is omitted, all rules
              starting from start_nr are deleted. Using negative numbers is
              allowed; for more details about using negative numbers, see the
              -I command. The second usage is by specifying the complete rule
              as it would have been specified when it was added. Only the
              first encountered rule that is the same as this specified rule,
              in other words the matching rule with the lowest (positive) rule
              number, is deleted.

       -C, --change-counters
              Change the counters of the specified rule or rules from the
              selected chain. There are two ways to use this command. The
              first is by specifying an interval of rule numbers to do the
              changes on (directly after -C). Syntax: start_nr[:end_nr] (use
              -L --Ln to list the rules with their rule number). The details
              are the same as for the -D command. The second usage is by
              specifying the complete rule as it would have been specified
              when it was added. Only the counters of the first encountered
              rule that is the same as this specified rule, in other words the
              matching rule with the lowest (positive) rule number, are
              changed. In the first usage, the counters are specified directly
              after the interval specification, in the second usage directly
              after -C. First the packet counter is specified, then the byte
              counter. If the specified counters start with a '+', the counter
              values are added to the respective current counter values. If
              the specified counters start with a '-', the counter values are
              subtracted from the respective current counter values. No bounds
              checking is done. If the counters don't start with '+' or '-',
              the current counters are changed to the specified counters.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the rule number is not specified, the
              rule is added at the head of the chain. If the current number of
              rules equals N, then the specified number can be between -N and
              N+1. For a positive number i, it holds that i and i-N-1 specify
              the same place in the chain where the rule should be inserted.
              The rule number 0 specifies the place past the last rule in the
              chain and using this number is therefore equivalent to using the
              -A command. Rule numbers strictly smaller than 0 can be useful
              when more than one rule needs to be inserted in a chain.

       -P, --policy
              Set the policy for the chain to the given target. The policy can
              be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing a chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule counters
              are printed on the screen before they are set to zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.
              The following options change the output of the -L command.
              --Ln
              Places the rule number in front of every rule. This option is
              incompatible with the --Lx option.
              --Lc
              Shows the counters at the end of each rule displayed by the -L
              command. Both a frame counter (pcnt) and a byte counter (bcnt)
              are displayed. The frame counter shows how many frames have
              matched the specific rule, the byte counter shows the sum of the
              frame sizes of these matching frames. Using this option in
              combination with the --Lx option causes the counters to be
              written out in the '-c <pcnt> <bcnt>' option format.
              --Lx
              Changes the output so that it produces a set of ebtables
              commands that construct the contents of the chain, when
              specified. If no chain is specified, ebtables commands to
              construct the contents of the table are given, including
              commands for creating the user-defined chains (if any). You can
              use this set of commands in an ebtables boot or reload script.
              For example the output could be used at system startup. The
              --Lx option is incompatible with the --Ln listing option. Using
              the --Lx option together with the --Lc option will cause the
              counters to be written out in the '-c <pcnt> <bcnt>' option
              format.
              --Lmac2
              Shows all MAC addresses with the same length, adding leading
              zeroes if necessary. The default representation omits leading
              zeroes in the addresses.

       -N, --new-chain
              Create a new user-defined chain with the given name. The number
              of user-defined chains is limited only by the number of possible
              chain names. A user-defined chain name has a maximum length of
              31 characters. The standard policy of the user-defined chain is
              ACCEPT. The policy of the new chain can be initialized to a
              different standard target by using the -P command together with
              the -N command. In this case, the chain name does not have to be
              specified for the -P command.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references (jumps) to the specified chain, otherwise
              ebtables will refuse to delete it. If no chain is specified, all
              user-defined chains that aren't referenced will be removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you can rename a standard chain to a name
              that suits your taste. For example, if you like PREFORWARDING
              more than PREROUTING, then you can use the -E command to rename
              the PREROUTING chain. If you do rename one of the standard
              ebtables chain names, please be sure to mention this fact should
              you post a question on the ebtables mailing lists. It would be
              wise to use the standard name in your post. Renaming a standard
              ebtables chain in this fashion has no effect on the structure or
              functioning of the ebtables kernel table.

       --init-table
              Replace the current table data by the initial table data.

       --atomic-init
              Copy the kernel's initial data of the table to the specified
              file. This can be used as the first action, after which rules
              are added to the file. The file can be specified using the
              --atomic-file command or through the EBTABLES_ATOMIC_FILE
              environment variable.

       --atomic-save
              Copy the kernel's current data of the table to the specified
              file. This can be used as the first action, after which rules
              are added to the file. The file can be specified using the
              --atomic-file command or through the EBTABLES_ATOMIC_FILE
              environment variable.

       --atomic-commit
              Replace the kernel table data with the data contained in the
              specified file. This is a useful command that allows you to load
              all your rules of a certain table into the kernel at once,
              saving the kernel a lot of precious time and allowing atomic
              updates of the tables. The file which contains the table data is
              constructed by using either the --atomic-init or the
              --atomic-save command to generate a starting file. After that,
              using the --atomic-file command when constructing rules or
              setting the EBTABLES_ATOMIC_FILE environment variable allows you
              to extend the file and build the complete table before
              committing it to the kernel. This command can be very useful in
              boot scripts to populate the ebtables tables in a fast way.
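
       The --atomic-init / --atomic-file / --atomic-commit workflow described
       above, as an added POSIX sh example that is not part of ebtables or of
       this manual: the filter table is built in a scratch file selected
       through EBTABLES_ATOMIC_FILE, with a user-defined chain that uses an
       among list to drop ARP frames whose sender MAC/IP pair is not on an
       allow list, and the finished table is committed to the kernel in one
       step. The chain name, the MAC/IP pairs and the EBTABLES and
       EBT_ATOMIC_FILE variables are this example's own choices; setting
       EBTABLES=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Build an ebtables filter table in a scratch file and load it atomically.
# Every command below is addressed to the file via EBTABLES_ATOMIC_FILE, so
# the kernel table is only touched once, by the final --atomic-commit.
# Example script, not part of ebtables. Run as:  sh ebt-atomic-load.sh apply
set -eu

EBTABLES=${EBTABLES:-ebtables}          # EBTABLES=echo gives a dry run
TABLE=filter
GUARD_CHAIN=arp-guard                   # user-defined chain name (<= 31 chars)
# Constructed sample allow list for --among-src: MAC=IPv4 pairs, all entries
# of one kind (this ebtables does not accept a mix of MAC and MAC/IP entries).
ARP_ALLOWED="00:11:22:33:44:55=192.0.2.10,00:11:22:33:44:66=192.0.2.11"

# Run one ebtables command; -t must be the first argument on the command line.
ebt() { "$EBTABLES" -t "$TABLE" "$@"; }

# build_table FILE: start from the kernel's initial (empty) table data and
# append the rules to FILE. Nothing reaches the kernel here.
build_table() {
    EBTABLES_ATOMIC_FILE=$1
    export EBTABLES_ATOMIC_FILE
    ebt --atomic-init
    # -N and -P may be combined: the guard chain's policy drops whatever
    # does not RETURN from it.
    ebt -N "$GUARD_CHAIN" -P DROP
    # ARP whose sender MAC/IP pair is on the allow list goes back to the
    # calling chain; everything else falls through to the DROP policy.
    ebt -A "$GUARD_CHAIN" -p ARP --among-src "$ARP_ALLOWED" -j RETURN
    # Send bridged and locally delivered ARP through the guard chain.
    ebt -A FORWARD -p ARP -j "$GUARD_CHAIN"
    ebt -A INPUT -p ARP -j "$GUARD_CHAIN"
}

# commit_table FILE: swap the kernel's table for FILE's contents in one step.
commit_table() {
    EBTABLES_ATOMIC_FILE=$1
    export EBTABLES_ATOMIC_FILE
    ebt --atomic-commit
}

if [ "${1:-}" = apply ]; then
    # mktemp is not POSIX, so derive a scratch name from the PID.
    scratch=${EBT_ATOMIC_FILE:-/var/run/ebtables.filter.$$}
    trap 'rm -f "$scratch"' EXIT
    build_table "$scratch"
    commit_table "$scratch"
    ebt -L --Lx                         # show the loaded table as commands
fi
```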

   MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the ebtables userspace program.

       -h, --help [list of module names]
              Give a brief description of the command syntax. Here you can
              also specify names of extensions and ebtables will try to write
              help about those extensions. E.g. ebtables -h snat log ip arp.
              Specify list_extensions to list all extensions supported by the
              userspace utility.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
              EXTENSIONS) or a user-defined chain name.

       --atomic-file file
              Let the command operate on the specified file. The data of the
              table to operate on will be extracted from the file and the
              result of the operation will be saved back into the file. If
              specified, this option should come before the command
              specification. An alternative that should be preferred is
              setting the EBTABLES_ATOMIC_FILE environment variable.

       -M, --modprobe program
              When talking to the kernel, use this program to try to
              automatically load missing kernel modules.

       --concurrent
              Use a file lock to support concurrent scripts updating the
              ebtables kernel tables.

   RULE SPECIFICATIONS
       The following command line arguments make up a rule specification (as
       used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from
       these standard rule specifications there are some other command line
       arguments of interest. See both the MATCH EXTENSIONS and the WATCHER
       EXTENSIONS below.

       -p, --protocol [!] protocol
              The protocol that was responsible for creating the frame. This
              can be a hexadecimal number, above 0x0600, a name (e.g. ARP) or
              LENGTH. The protocol field of the Ethernet frame can be used to
              denote the length of the header (802.2/802.3 networks). When the
              value of that field is below or equals 0x0600, the value equals
              the size of the header and shouldn't be used as a protocol
              number. Instead, all frames where the protocol field is used as
              the length field are assumed to be of the same 'protocol'. The
              protocol name used in ebtables for these frames is LENGTH.
              The file /etc/ethertypes can be used to show readable characters
              instead of hexadecimal numbers for the protocols. For example,
              0x0800 will be represented by IPV4. The use of this file is not
              case sensitive. See that file for more information. The flag
              --proto is an alias for this option.

       -i, --in-interface [!] name
              The interface (bridge port) via which a frame is received (this
              option is useful in the INPUT, FORWARD, PREROUTING and BROUTING
              chains). If the interface name ends with '+', then any interface
              name that begins with this name (disregarding '+') will match.
              The flag --in-if is an alias for this option.

       --logical-in [!] name
              The (logical) bridge interface via which a frame is received
              (this option is useful in the INPUT, FORWARD, PREROUTING and
              BROUTING chains). If the interface name ends with '+', then any
              interface name that begins with this name (disregarding '+')
              will match.

       -o, --out-interface [!] name
              The interface (bridge port) via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding '+')
              will match. The flag --out-if is an alias for this option.

       --logical-out [!] name
              The (logical) bridge interface via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding '+')
              will match.

       -s, --source [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons. Alternatively one can
              specify Unicast, Multicast, Broadcast or BGA (Bridge Group
              Address):
              Unicast=00:00:00:00:00:00/01:00:00:00:00:00,
              Multicast=01:00:00:00:00:00/01:00:00:00:00:00,
              Broadcast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
              BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast
              address will also match the multicast specification. The flag
              --src is an alias for this option.
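
       The address/mask comparison behind -s and -d, as an added POSIX sh
       example that is not ebtables code: mac_match applies the mask byte by
       byte, and mac_classes reports which of the Unicast, Multicast,
       Broadcast and BGA classes an address falls into, which makes the note
       above (a broadcast address also matches Multicast) visible. The sample
       addresses at the bottom are constructed.

```shell
#!/bin/sh
# Emulate the -s/-d address[/mask] test of ebtables: a frame address matches
# when (address AND mask) equals (specified address AND mask). Added example,
# not ebtables code; the sample MAC addresses at the bottom are constructed.

# Expand the symbolic names accepted by -s/-d into address/mask form.
mac_spec() {
    case "$1" in
        Unicast)   echo 00:00:00:00:00:00/01:00:00:00:00:00 ;;
        Multicast) echo 01:00:00:00:00:00/01:00:00:00:00:00 ;;
        Broadcast) echo ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff ;;
        BGA)       echo 01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff ;;
        *)         echo "$1" ;;         # already an address or address/mask
    esac
}

# mac_match ADDRESS SPEC: exit status 0 when ADDRESS matches SPEC.
# A SPEC without /mask is an exact comparison (mask ff:ff:ff:ff:ff:ff).
mac_match() {
    addr=$1
    spec=$(mac_spec "$2")
    case "$spec" in
        */*) want=${spec%/*}; mask=${spec#*/} ;;
        *)   want=$spec;      mask=ff:ff:ff:ff:ff:ff ;;
    esac
    i=0
    while [ "$i" -lt 6 ]; do
        # Peel the leading byte off each of the three colon-separated strings.
        a=${addr%%:*}; w=${want%%:*}; m=${mask%%:*}
        [ $(( 0x$a & 0x$m )) -eq $(( 0x$w & 0x$m )) ] || return 1
        addr=${addr#*:}; want=${want#*:}; mask=${mask#*:}
        i=$((i + 1))
    done
    return 0
}

# mac_classes ADDRESS: print the symbolic classes ADDRESS falls into. The
# Unicast and Multicast masks only test the individual/group bit of the
# first byte, which is why ff:ff:ff:ff:ff:ff is reported as Multicast too.
mac_classes() {
    found=""
    for class in Unicast Multicast Broadcast BGA; do
        if mac_match "$1" "$class"; then found="$found $class"; fi
    done
    echo "${found# }"
}

for mac in 00:11:22:33:44:55 01:00:5e:00:00:fb ff:ff:ff:ff:ff:ff 01:80:c2:00:00:00; do
    printf '%-18s %s\n' "$mac" "$(mac_classes "$mac")"
done
```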

       -d, --destination [!] address[/mask]
              The destination MAC address. See -s (above) for more details on
              MAC addresses. The flag --dst is an alias for this option.

       -c, --set-counter pcnt bcnt
              If used with -A or -I, then the packet and byte counters of the
              new rule will be set to pcnt, resp. bcnt. If used with the -C
              or -D commands, only rules with a packet and byte count equal to
              pcnt, resp. bcnt will match.

   MATCH EXTENSIONS
       Ebtables extensions are dynamically loaded into the userspace tool;
       there is therefore no need to explicitly load them with a -m option as
       is done in iptables. These extensions deal with functionality
       supported by kernel modules supplemental to the core ebtables code.

   802_3
       Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
       specified as LENGTH (see the option -p above).

       --802_3-sap [!] sap
              DSAP and SSAP are two one-byte 802.3 fields. The bytes are
              always equal, so only one byte (hexadecimal) is needed as an
              argument.

       --802_3-type [!] type
              If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
              field must be consulted to determine the payload protocol. This
              is a two-byte (hexadecimal) argument. Only 802.3 frames with
              DSAP/SSAP 0xaa are checked for type.

   among
       Match a MAC address or MAC/IP address pair versus a list of MAC
       addresses and MAC/IP address pairs. A list entry has the following
       format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
       separated by a comma; specifying an IP address corresponding to the MAC
       address is optional. Multiple MAC/IP address pairs with the same MAC
       address but different IP address (and vice versa) can be specified. If
       the MAC address doesn't match any entry from the list, the frame
       doesn't match the rule (unless "!" was used).

       --among-dst [!] list
              Compare the MAC destination to the given list. If the Ethernet
              frame has type IPv4 or ARP, then comparison with MAC/IP
              destination address pairs from the list is possible.

       --among-src [!] list
              Compare the MAC source to the given list. If the Ethernet frame
              has type IPv4 or ARP, then comparison with MAC/IP source address
              pairs from the list is possible.

       --among-dst-file [!] file
              Same as --among-dst but the list is read in from the specified
              file.

       --among-src-file [!] file
              Same as --among-src but the list is read in from the specified
              file.

       Note that in this implementation of ebtables, an among list must be
       internally homogeneous regarding whether IP addresses are present or
       not. Mixed use of MAC addresses and MAC/IP address pairs is not
       supported yet.

   arp
       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.

       --arp-opcode [!] opcode
              The (R)ARP opcode (decimal or a string; for more details see
              ebtables -h arp).

       --arp-htype [!] hardware type
              The hardware type; this can be a decimal or the string Ethernet
              (which sets type to 1). Most (R)ARP packets have Ethernet as
              hardware type.

       --arp-ptype [!] protocol type
              The protocol type for which the (R)ARP is used (hexadecimal or
              the string IPv4, denoting 0x0800). Most (R)ARP packets have
              protocol type IPv4.

       --arp-ip-src [!] address[/mask]
              The (R)ARP IP source address specification.

       --arp-ip-dst [!] address[/mask]
              The (R)ARP IP destination address specification.

       --arp-mac-src [!] address[/mask]
              The (R)ARP MAC source address specification.

       --arp-mac-dst [!] address[/mask]
              The (R)ARP MAC destination address specification.

       [!] --arp-gratuitous
              Checks for gratuitous ARP packets: checks equality of the IPv4
              source address and IPv4 destination address inside the ARP
              header.

   ip
       Specify IPv4 fields. The protocol must be specified as IPv4.

       --ip-source [!] address[/mask]
              The source IP address. The flag --ip-src is an alias for this
              option.

       --ip-destination [!] address[/mask]
              The destination IP address. The flag --ip-dst is an alias for
              this option.

       --ip-tos [!] tos
              The IP type of service, in hexadecimal numbers. IPv4.

       --ip-protocol [!] protocol
              The IP protocol. The flag --ip-proto is an alias for this
              option.

       --ip-source-port [!] port1[:port2]
              The source port or port range for the IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
              specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-sport is an alias for this
              option.

       --ip-destination-port [!] port1[:port2]
              The destination port or port range for IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
              specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-dport is an alias for this
              option.

   ip6
       Specify IPv6 fields. The protocol must be specified as IPv6.

       --ip6-source [!] address[/mask]
              The source IPv6 address. The flag --ip6-src is an alias for
              this option.

       --ip6-destination [!] address[/mask]
              The destination IPv6 address. The flag --ip6-dst is an alias
              for this option.

       --ip6-tclass [!] tclass
              The IPv6 traffic class, in hexadecimal numbers.

       --ip6-protocol [!] protocol
              The IP protocol. The flag --ip6-proto is an alias for this
              option.

       --ip6-source-port [!] port1[:port2]
              The source port or port range for the IPv6 protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option must
              be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip6-sport is an alias for this
              option.

       --ip6-destination-port [!] port1[:port2]
              The destination port or port range for IPv6 protocols 6 (TCP),
              17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option
              must be specified as TCP, UDP, DCCP or SCTP. If port1 is
              omitted, 0:port2 is used; if port2 is omitted but a colon is
              specified, port1:65535 is used. The flag --ip6-dport is an alias
              for this option.

       --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
              Specify ipv6-icmp type and code to match. Ranges for both type
              and code are supported. Type and code are separated by a slash.
              Valid numbers for type and code are 0 to 255. To match a single
              type including all valid codes, symbolic names can be used
              instead of numbers. The list of known type names is shown by the
              command
                ebtables --help ip6
              This option is only valid for --ip6-protocol ipv6-icmp.

   limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached. It
       can be used with the --log watcher to give limited logging, for
       example. Its use is the same as the limit match of iptables.

       --limit [value]
              Maximum average matching rate: specified as a number, with an
              optional /second, /minute, /hour, or /day suffix; the default is
              3/hour.

       --limit-burst [number]
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.

   mark_m
       --mark [!] [value][/mask]
              Matches frames with the given unsigned mark value. If a value
              and mask are specified, the logical AND of the mark value of the
              frame and the user-specified mask is taken before comparing it
              with the user-specified mark value. When only a mark value is
              specified, the packet only matches when the mark value of the
              frame equals the user-specified mark value. If only a mask is
              specified, the logical AND of the mark value of the frame and
              the user-specified mask is taken and the frame matches when the
              result of this logical AND is non-zero. Only specifying a mask
              is useful to match multiple mark values.

   pkttype
       --pkttype-type [!] type
              Matches on the Ethernet "class" of the frame, which is
              determined by the generic networking code. Possible values:
              broadcast (MAC destination is the broadcast address), multicast
              (MAC destination is a multicast address), host (MAC destination
              is the receiving network device), or otherhost (none of the
              above).

569   stp
570       Specify  stp  BPDU  (bridge protocol data unit) fields. The destination
571       address (-d) must be specified as the bridge group address (BGA).   For
572       all options for which a range of values can be specified, it holds that
573       if the lower bound is omitted (but the colon is not), then  the  lowest
574       possible  lower bound for that option is used, while if the upper bound
575       is omitted (but the colon again is not),  the  highest  possible  upper
576       bound for that option is used.
577
578       --stp-type [!] type
579              The  BPDU  type (0-255), recognized non-numerical types are con‐
580              fig, denoting a configuration BPDU (=0), and  tcn,  denothing  a
581              topology change notification BPDU (=128).
582
583       --stp-flags [!] flag
584              The BPDU flag (0-255), recognized non-numerical flags are topol‐
585              ogy-change, denoting the topology change flag (=1),  and  topol‐
586              ogy-change-ack,  denoting  the  topology  change acknowledgement
587              flag (=128).
588
589       --stp-root-prio [!] [prio][:prio]
590              The root priority (0-65535) range.
591
592       --stp-root-addr [!] [address][/mask]
593              The root mac address, see the option -s for more details.
594
595       --stp-root-cost [!] [cost][:cost]
596              The root path cost (0-4294967295) range.
597
598       --stp-sender-prio [!] [prio][:prio]
599              The BPDU's sender priority (0-65535) range.
600
601       --stp-sender-addr [!] [address][/mask]
602              The BPDU's sender mac  address,  see  the  option  -s  for  more
603              details.
604
605       --stp-port [!] [port][:port]
606              The port identifier (0-65535) range.
607
608       --stp-msg-age [!] [age][:age]
609              The message age timer (0-65535) range.
610
611       --stp-max-age [!] [age][:age]
612              The max age timer (0-65535) range.
613
614       --stp-hello-time [!] [time][:time]
615              The hello time timer (0-65535) range.
616
617       --stp-forward-delay [!] [delay][:delay]
618              The forward delay timer (0-65535) range.
619
620   vlan
621       Specify  802.1Q  Tag  Control Information fields.  The protocol must be
622       specified as 802_1Q (0x8100).
623
624       --vlan-id [!] id
625              The VLAN identifier field (VID). Decimal number from 0 to 4095.
626
627       --vlan-prio [!] prio
628              The user priority field, a decimal number from 0 to 7.  The  VID
629              should  be  set  to 0 ("null VID") or unspecified (in the latter
630              case the VID is deliberately set to 0).
631
632       --vlan-encap [!] type
633              The encapsulated Ethernet frame  type/length.   Specified  as  a
634              hexadecimal  number  from 0x0000 to 0xFFFF or as a symbolic name
635              from /etc/ethertypes.
636
637
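       The following script is an added example and is not part of the
       ebtables project or of this manual page. It turns the limit, stp and
       vlan matches and the log watcher described above into a small
       filter-table policy for a hypothetical bridge br0 with a trusted
       uplink eth0 and an untrusted access port eth1 that may only carry
       VLAN 100; the interface names, the VLAN number and the rate values
       are assumptions chosen for the example. Nothing touches the kernel
       unless the script is invoked with the argument apply; with
       EBT_DRY_RUN=1 it prints the ebtables commands it would run.

```shell
#!/bin/sh
# Added example, not part of the ebtables project or its man page.
# Filter-table policy built from the limit, stp and vlan matches and the
# log watcher. Hypothetical topology: bridge br0 with trusted uplink eth0
# and an untrusted access port eth1 that may only carry VLAN 100.
set -eu

EBT_DRY_RUN="${EBT_DRY_RUN:-0}"   # set to 1 to print the commands instead

# Run one ebtables command, or print it in dry-run mode.
ebt() {
    if [ "$EBT_DRY_RUN" = 1 ]; then
        printf 'ebtables %s\n' "$*"
    else
        ebtables "$@"
    fi
}

# Log ARP frames crossing the bridge, at most 10 per second with an
# initial burst of 20 (token bucket). A watcher is not a target, so the
# rule still needs -j; CONTINUE leaves the frame to the following rules.
arp_log_rule() {
    ebt -A FORWARD -p ARP --limit 10/second --limit-burst 20 \
        --log --log-arp --log-prefix "EBT-ARP" -j CONTINUE
}

# BPDU guard for an access port: nothing behind it may take part in
# spanning tree. The stp match is only valid together with -d BGA (the
# bridge group address 01:80:c2:00:00:00). A bridge with STP disabled
# forwards BPDUs, so FORWARD sees them; INPUT covers the case where br0
# runs STP itself and consumes them.
bpdu_guard_rules() {
    port="$1"
    for chain in INPUT FORWARD; do
        ebt -A "$chain" -i "$port" -d BGA --stp-type config -j DROP
        ebt -A "$chain" -i "$port" -d BGA --stp-type tcn -j DROP
    done
}

# VLAN allow-list for an access port: drop every 802.1Q-tagged frame in
# either direction whose VID is not the permitted one. The vlan match
# requires -p 802_1Q.
vlan_allowlist_rules() {
    port="$1"; vid="$2"
    ebt -A FORWARD -i "$port" -p 802_1Q --vlan-id ! "$vid" -j DROP
    ebt -A FORWARD -o "$port" -p 802_1Q --vlan-id ! "$vid" -j DROP
}

apply_policy() {
    ebt -F FORWARD
    ebt -F INPUT
    arp_log_rule
    bpdu_guard_rules eth1
    vlan_allowlist_rules eth1 100
}

# Only touch the kernel when explicitly asked; otherwise just define the
# functions so they can be sourced or dry-run.
if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

       Review the generated rules with EBT_DRY_RUN=1 sh policy.sh apply
       before applying them as root. Afterwards, ebtables -L --Lc shows the
       per-rule counters: a non-zero count on either BPDU rule means a
       device behind eth1 is speaking spanning tree.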
   WATCHER EXTENSIONS
       Watchers only look at frames passing by; they don't modify them nor
       decide whether to accept the frames or not. These watchers only see
       the frame if the frame matches the rule, and they see it before the
       target is executed.

   log
       The log watcher writes descriptive data about a frame to the syslog.

       --log
              Log with the default logging options: log-level=info,
              log-prefix="", no IP logging, no ARP logging.

       --log-level level
              Defines the logging level. For the possible values, see
              ebtables -h log. The default level is info.

       --log-prefix text
              Defines the prefix text to be printed at the beginning of the
              line with the logging information.

       --log-ip
              Will log the IP information when a frame made by the IP
              protocol matches the rule. The default is no IP information
              logging.

       --log-ip6
              Will log the IPv6 information when a frame made by the IPv6
              protocol matches the rule. The default is no IPv6 information
              logging.

       --log-arp
              Will log the (R)ARP information when a frame made by the
              (R)ARP protocols matches the rule. The default is no (R)ARP
              information logging.

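       The log watcher is only useful if something reads what it writes.
       The following script is an added example, not part of the ebtables
       project or of this manual page: detection logic run over syslog
       lines of the shape the kernel's ebt_log writes for --log --log-arp
       (prefix, IN/OUT, "MAC source = ", "MAC dest = ", "proto = ", then
       the "ARP MAC SRC=" / "ARP IP SRC=" fields). The sample lines, the
       host name, the prefix EBT-ARP and the MAC and IP addresses are all
       constructed for the example; the exact field layout of a given
       kernel should be checked against a real log line before relying on
       the parser. It flags two things an ARP-spoofing host betrays: an
       Ethernet source MAC that differs from the ARP sender MAC, and an IP
       address that is later claimed by a different MAC than the one first
       seen. ARP probes (sender IP 0.0.0.0) are deliberately not learned as
       bindings.

```shell
#!/bin/sh
# Added example, not part of the ebtables project: ARP-spoof indicators
# derived from ebtables "--log --log-arp" syslog lines.
set -eu

# Constructed sample log lines (not captured from a real system). Line 4
# is the attack: the Ethernet source is 00:11:22:33:44:55 but the ARP
# payload claims 10.0.0.1 for de:ad:be:ef:00:01, an address first seen
# from 00:aa:bb:cc:dd:01 on the uplink.
sample_arp_log() {
    cat <<'EOF'
Mar  3 10:00:01 br-gw kernel: EBT-ARP IN=eth1 OUT=eth0 MAC source = 00:11:22:33:44:55 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=00:11:22:33:44:55 ARP IP SRC=10.0.0.5 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=10.0.0.1
Mar  3 10:00:01 br-gw kernel: EBT-ARP IN=eth0 OUT=eth1 MAC source = 00:aa:bb:cc:dd:01 MAC dest = 00:11:22:33:44:55 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=00:aa:bb:cc:dd:01 ARP IP SRC=10.0.0.1 ARP MAC DST=00:11:22:33:44:55 ARP IP DST=10.0.0.5
Mar  3 10:00:07 br-gw kernel: EBT-ARP IN=eth1 OUT=eth0 MAC source = 00:11:22:33:44:55 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=00:11:22:33:44:55 ARP IP SRC=0.0.0.0 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=10.0.0.5
Mar  3 10:00:09 br-gw kernel: EBT-ARP IN=eth1 OUT=eth0 MAC source = 00:11:22:33:44:55 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=de:ad:be:ef:00:01 ARP IP SRC=10.0.0.1 ARP MAC DST=ff:ff:ff:ff:ff:ff ARP IP DST=10.0.0.1
EOF
}

# Read ebtables ARP log lines on stdin, print one finding per anomaly:
#   MISMATCH  Ethernet source MAC != ARP sender MAC
#   CONFLICT  an IP already bound to one MAC is claimed by another
detect_arp_anomalies() {
    awk '
    # Extract the value of "KEY=value" or "KEY = value" from a log line.
    function field(line, key,    m) {
        if (match(line, key "[ ]*=[ ]*[^ ,]+")) {
            m = substr(line, RSTART, RLENGTH)
            sub(/^[^=]*=[ ]*/, "", m)
            return m
        }
        return ""
    }
    /ARP MAC SRC=/ {
        eth_src = field($0, "MAC source")
        arp_mac = field($0, "ARP MAC SRC")
        arp_ip  = field($0, "ARP IP SRC")
        port    = field($0, " IN")
        if (eth_src != arp_mac)
            printf "MISMATCH port=%s eth_src=%s arp_sender=%s ip=%s\n",
                   port, eth_src, arp_mac, arp_ip
        if (arp_ip == "0.0.0.0")
            next                      # ARP probe: nothing to learn
        if (arp_ip in owner && owner[arp_ip] != arp_mac)
            printf "CONFLICT ip=%s first=%s now=%s port=%s\n",
                   arp_ip, owner[arp_ip], arp_mac, port
        else if (!(arp_ip in owner))
            owner[arp_ip] = arp_mac   # first binding seen wins
    }'
}

# Stand-alone run: analyse the constructed sample.
if [ "${1:-}" = "demo" ]; then
    sample_arp_log | detect_arp_anomalies
fi
```

       On a live system the same function can be fed from the kernel log,
       for example journalctl -k -f | detect_arp_anomalies; the "first
       binding wins" rule means the script should be started before any
       suspected host is on the segment, or seeded from a known-good ARP
       table.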
   nflog
       The nflog watcher passes the packet to the loaded logging backend in
       order to log the packet. This is usually used in combination with
       nfnetlink_log as logging backend, which will multicast the packet
       through a netlink socket to the specified multicast group. One or
       more userspace processes may subscribe to the group to receive the
       packets.

       --nflog
              Log with the default logging options.

       --nflog-group nlgroup
              The netlink group (1 - 2^32-1) to which packets are sent (only
              applicable for nfnetlink_log). The default value is 1.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 30
              characters long, useful for distinguishing messages in the
              logs.

       --nflog-range size
              The number of bytes to be copied to userspace (only applicable
              for nfnetlink_log). nfnetlink_log instances may specify their
              own range; this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before sending
              them to userspace (only applicable for nfnetlink_log). Higher
              values result in less overhead per packet, but increase the
              delay until the packets reach userspace. The default value is
              1.

   ulog
       The ulog watcher passes the packet to a userspace logging daemon
       using netlink multicast sockets. This differs from the log watcher in
       the sense that the complete packet is sent to userspace instead of a
       descriptive text and that netlink multicast sockets are used instead
       of the syslog. This watcher enables parsing of packets with userspace
       programs; the physical bridge in and out ports are also included in
       the netlink messages. The ulog watcher module accepts 2 parameters
       when the module is loaded into the kernel (e.g. with modprobe):
       nlbufsiz specifies how big the buffer for each netlink multicast
       group is. If you say nlbufsiz=8192, for example, up to eight kB of
       packets will get accumulated in the kernel until they are sent to
       userspace. It is not possible to allocate more than 128kB. Please
       also keep in mind that this buffer size is allocated for each nlgroup
       you are using, so the total kernel memory usage increases by that
       factor. The default is 4096. flushtimeout specifies after how many
       hundredths of a second the queue should be flushed, even if it is not
       full yet. The default is 10 (one tenth of a second).

       --ulog
              Use the default settings: ulog-prefix="", ulog-nlgroup=1,
              ulog-cprange=4096, ulog-qthreshold=1.

       --ulog-prefix text
              Defines the prefix included with the packets sent to
              userspace.

       --ulog-nlgroup group
              Defines which netlink group number to use (a number from 1 to
              32). Make sure the netlink group numbers used for the iptables
              ULOG target differ from those used for the ebtables ulog
              watcher. The default group number is 1.

       --ulog-cprange range
              Defines the maximum copy range to userspace, for packets
              matching the rule. The default range is 0, which means the
              maximum copy range is given by nlbufsiz. A maximum copy range
              larger than 128*1024 is meaningless as the packets sent to
              userspace have an upper size limit of 128*1024.

       --ulog-qthreshold threshold
              Queue at most threshold number of packets before sending them
              to userspace with a netlink socket. Note that packets can be
              sent to userspace before the queue is full; this happens when
              the ulog kernel timer goes off (the frequency of this timer
              depends on flushtimeout).

   TARGET EXTENSIONS
   arpreply
       The arpreply target can be used in the PREROUTING chain of the nat
       table. If this target sees an ARP request it will automatically reply
       with an ARP reply. The MAC address used for the reply can be
       specified. The protocol must be specified as ARP. When the ARP
       message is not an ARP request or when the ARP request isn't for an IP
       address on an Ethernet network, it is ignored by this target
       (CONTINUE). When the ARP request is malformed, it is dropped (DROP).

       --arpreply-mac address
              Specifies the MAC address to reply with: the Ethernet source
              MAC and the ARP payload source MAC will be filled in with this
              address.

       --arpreply-target target
              Specifies the standard target. After sending the ARP reply,
              the rule still has to give a standard target so ebtables knows
              what to do with the ARP request. The default target is DROP.

   dnat
       The dnat target can only be used in the PREROUTING and OUTPUT chains
       of the nat table. It specifies that the destination MAC address has
       to be changed.

       --to-destination address
              Change the destination MAC address to the specified address.
              The flag --to-dst is an alias for this option.

       --dnat-target target
              Specifies the standard target. After doing the dnat, the rule
              still has to give a standard target so ebtables knows what to
              do with the dnated frame. The default target is ACCEPT. Making
              it CONTINUE could let you use multiple target extensions on
              the same frame. Making it DROP only makes sense in the
              BROUTING chain (which this version does not provide, see
              BUGS), but using the redirect target is more logical there.
              RETURN is also allowed. Note that using RETURN in a base chain
              is not allowed (for obvious reasons).

   mark
       The mark target can be used in every chain of every table. It is
       possible to use the marking of a frame/packet in both ebtables and
       iptables, if the bridge-nf code is compiled into the kernel. Both put
       the marking at the same place. This allows for a form of
       communication between ebtables and iptables.

       --mark-set value
              Mark the frame with the specified non-negative value.

       --mark-or value
              Or the frame's mark with the specified non-negative value.

       --mark-and value
              And the frame's mark with the specified non-negative value.

       --mark-xor value
              Xor the frame's mark with the specified non-negative value.

       --mark-target target
              Specifies the standard target. After marking the frame, the
              rule still has to give a standard target so ebtables knows
              what to do. The default target is ACCEPT. Making it CONTINUE
              can let you do other things with the frame in subsequent rules
              of the chain.

   redirect
       The redirect target will change the destination MAC address to that
       of the bridge device the frame arrived on. This target can only be
       used in the PREROUTING chain of the nat table. The MAC address of the
       bridge is used as destination address.

       --redirect-target target
              Specifies the standard target. After doing the MAC redirect,
              the rule still has to give a standard target so ebtables knows
              what to do. The default target is ACCEPT. Making it CONTINUE
              could let you use multiple target extensions on the same
              frame. Making it DROP in the BROUTING chain will let the
              frames be routed. RETURN is also allowed. Note that using
              RETURN in a base chain is not allowed.

   snat
       The snat target can only be used in the POSTROUTING chain of the nat
       table. It specifies that the source MAC address has to be changed.

       --to-source address
              Changes the source MAC address to the specified address. The
              flag --to-src is an alias for this option.

       --snat-target target
              Specifies the standard target. After doing the snat, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE could let
              you use multiple target extensions on the same frame. Making
              it DROP doesn't make sense, but you could do that too. RETURN
              is also allowed. Note that using RETURN in a base chain is not
              allowed.

       --snat-arp
              Also change the hardware source address inside the ARP header
              if the packet is an ARP message and the hardware address
              length in the ARP header is 6 bytes.
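       The following script is an added example and is not part of the
       ebtables project or of this manual page. It shows the nat-table
       target extensions described above in use: arpreply answering ARP
       requests on behalf of an address, redirect pulling bridged HTTP into
       the bridge host, and the mark target handing a frame mark over to
       iptables. The topology (bridge br0 with uplink eth0 and access port
       eth1), the address 10.0.0.1, the MAC 02:00:00:00:00:01 and the proxy
       port 3128 are assumptions chosen for the example. The iptables
       lines only see bridged traffic when the br_netfilter module is
       loaded and net.bridge.bridge-nf-call-iptables is 1, which is the
       "bridge-nf code" the mark section refers to. As above, nothing is
       applied unless the script is run with the argument apply, and
       EBT_DRY_RUN=1 prints the commands instead.

```shell
#!/bin/sh
# Added example, not part of the ebtables project or its man page: the
# nat-table targets arpreply, redirect and mark, plus the mark hand-off to
# iptables. Hypothetical setup: bridge br0 with uplink eth0 and access
# port eth1; the bridge host answers ARP for 10.0.0.1 with the made-up MAC
# 02:00:00:00:00:01 and runs a transparent HTTP proxy on TCP port 3128.
# iptables sees bridged frames only with br_netfilter loaded and
# net.bridge.bridge-nf-call-iptables=1.
set -eu

EBT_DRY_RUN="${EBT_DRY_RUN:-0}"   # 1 prints the commands instead of running them

# run <tool> <args...>: execute, or print the command line in dry-run mode.
run() {
    if [ "$EBT_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ebt() { run ebtables "$@"; }
ipt() { run iptables "$@"; }

# Answer ARP requests for IP $1 with MAC $2 arriving on the uplink. ARP
# messages that are not requests pass the target untouched (CONTINUE); an
# answered request is then dropped, the default --arpreply-target, so the
# real owner of the address never sees it.
arpreply_rule() {
    ip="$1"; mac="$2"
    ebt -t nat -A PREROUTING -i eth0 -p ARP --arp-opcode Request \
        --arp-ip-dst "$ip" -j arpreply --arpreply-mac "$mac"
}

# Pull HTTP from the access port into the bridge host: redirect rewrites
# the destination MAC to the bridge's own address so the local IP stack
# receives the frame; iptables then REDIRECTs the TCP port to the proxy.
transparent_proxy_rules() {
    ebt -t nat -A PREROUTING -i eth1 -p IPv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target ACCEPT
    ipt -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
}

# Tag everything entering through the access port in ebtables and enforce
# the consequence in iptables: both read and write the same skb mark.
# ACCEPT ends nat PREROUTING traversal; the frame keeps its mark.
mark_handoff_rules() {
    ebt -t nat -A PREROUTING -i eth1 -j mark --mark-set 1 --mark-target ACCEPT
    ipt -A FORWARD -m mark --mark 1 -p tcp --dport 25 -j DROP   # no direct SMTP from eth1
}

apply_nat_policy() {
    ebt -t nat -F PREROUTING
    arpreply_rule 10.0.0.1 02:00:00:00:00:01
    transparent_proxy_rules
    mark_handoff_rules
}

if [ "${1:-}" = "apply" ]; then
    apply_nat_policy
fi
```

       Note the direction of the hand-off: ebtables PREROUTING runs before
       the bridge decides where the frame goes, so a mark set there is
       already present when iptables FORWARD evaluates the packet, but a
       mark set by iptables is not visible to an earlier ebtables chain.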

FILES
       /etc/ethertypes

ENVIRONMENT VARIABLES
       EBTABLES_ATOMIC_FILE

MAILINGLISTS
       See http://netfilter.org/mailinglists.html

BUGS
       The version of ebtables this man page ships with does not support the
       broute table. Also there is no support for string match. And finally,
       this list is probably not complete.

SEE ALSO
       xtables-nft(8), iptables(8), ip(8)

       See https://wiki.nftables.org



                                 December 2011                     EBTABLES(8)