EBTABLES(8)                 System Manager's Manual                EBTABLES(8)

NAME
       ebtables - Ethernet bridge frame table administration (nft-based)

SYNOPSIS
       ebtables [-t table ] -[ACDI] chain rule specification [match extensions]
               [watcher extensions] target
       ebtables [-t table ] -P chain ACCEPT | DROP | RETURN
       ebtables [-t table ] -F [chain]
       ebtables [-t table ] -Z [chain]
       ebtables [-t table ] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
       ebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]
       ebtables [-t table ] -X [chain]
       ebtables [-t table ] -E old-chain-name new-chain-name
       ebtables [-t table ] --init-table
       ebtables [-t table ] [--atomic-file file] --atomic-commit
       ebtables [-t table ] [--atomic-file file] --atomic-init
       ebtables [-t table ] [--atomic-file file] --atomic-save

DESCRIPTION
       ebtables is an application program used to set up and maintain the
       tables of rules (inside the Linux kernel) that inspect Ethernet
       frames. It is analogous to the iptables application, but less
       complicated, due to the fact that the Ethernet protocol is much
       simpler than the IP protocol.

   CHAINS
       There are two ebtables tables with built-in chains in the Linux
       kernel. These tables are used to divide functionality into different
       sets of rules. Each set of rules is called a chain. Each chain is an
       ordered list of rules that can match Ethernet frames. If a rule
       matches an Ethernet frame, then a processing specification tells what
       to do with that matching frame. The processing specification is
       called a 'target'. However, if the frame does not match the current
       rule in the chain, then the next rule in the chain is examined and so
       forth. The user can create new (user-defined) chains that can be used
       as the 'target' of a rule. User-defined chains are very useful to get
       better performance over the linear traversal of the rules and are
       also essential for structuring the filtering rules into
       well-organized and maintainable sets of rules.

   TARGETS
       A firewall rule specifies criteria for an Ethernet frame and a frame
       processing specification called a target. When a frame matches a
       rule, then the next action performed by the kernel is specified by
       the target. The target can be one of these values: ACCEPT, DROP,
       CONTINUE, RETURN, an 'extension' (see below) or a jump to a
       user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy, e.g., to know how many frames pass a certain point in the
       chain, to log those frames or to apply multiple targets on a frame.
       RETURN means stop traversing this chain and resume at the next rule
       in the previous (calling) chain. For the extension targets please
       refer to the TARGET EXTENSIONS section of this man page.

   TABLES
       As stated earlier, there are two ebtables tables in the Linux kernel.
       The table names are filter and nat. Of these two tables, the filter
       table is the default table that the command operates on. If you are
       working with the filter table, then you can drop the '-t filter'
       argument to the ebtables command. However, you will need to provide
       the -t argument for the nat table. Moreover, the -t argument must be
       the first argument on the ebtables command line, if used.

       -t, --table
              filter is the default table and contains three built-in
              chains: INPUT (for frames destined for the bridge itself, on
              the level of the MAC destination address), OUTPUT (for
              locally-generated or (b)routed frames) and FORWARD (for frames
              being forwarded by the bridge).
              nat is mostly used to change the MAC addresses and contains
              three built-in chains: PREROUTING (for altering frames as soon
              as they come in), OUTPUT (for altering locally generated or
              (b)routed frames before they are bridged) and POSTROUTING (for
              altering frames as they are about to go out). A small note on
              the naming of the chains PREROUTING and POSTROUTING: it would
              be more accurate to call them PREFORWARDING and
              POSTFORWARDING, but for all those who come from the iptables
              world to ebtables it is easier to have the same names. Note
              that you can change the name (-E) if you don't like the
              default.

OPTIONS
       After the initial ebtables '-t table' command line argument, the
       remaining arguments can be divided into several groups. These groups
       are commands, miscellaneous commands, rule specifications, match
       extensions, watcher extensions and target extensions.

   COMMANDS
       The ebtables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. Only
       one command may be used on the command line at a time, except when
       the commands -L and -Z are combined, the commands -N and -P are
       combined, or when --atomic-file is used.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule or rules from the selected chain.
              There are two ways to use this command. The first is by
              specifying an interval of rule numbers to delete (directly
              after -D). Syntax: start_nr[:end_nr] (use -L --Ln to list the
              rules with their rule number). When end_nr is omitted, all
              rules starting from start_nr are deleted. Using negative
              numbers is allowed; for more details about using negative
              numbers, see the -I command. The second usage is by specifying
              the complete rule as it would have been specified when it was
              added. Only the first encountered rule that is the same as
              this specified rule, in other words the matching rule with the
              lowest (positive) rule number, is deleted.

       -C, --change-counters
              Change the counters of the specified rule or rules from the
              selected chain. There are two ways to use this command. The
              first is by specifying an interval of rule numbers to do the
              changes on (directly after -C). Syntax: start_nr[:end_nr] (use
              -L --Ln to list the rules with their rule number). The details
              are the same as for the -D command. The second usage is by
              specifying the complete rule as it would have been specified
              when it was added. Only the counters of the first encountered
              rule that is the same as this specified rule, in other words
              the matching rule with the lowest (positive) rule number, are
              changed. In the first usage, the counters are specified
              directly after the interval specification, in the second
              usage directly after -C. First the packet counter is
              specified, then the byte counter. If the specified counters
              start with a '+', the counter values are added to the
              respective current counter values. If the specified counters
              start with a '-', the counter values are subtracted from the
              respective current counter values. No bounds checking is
              done. If the counters don't start with '+' or '-', the
              current counters are changed to the specified counters.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the rule number is not specified,
              the rule is added at the head of the chain. If the current
              number of rules equals N, then the specified number can be
              between -N and N+1. For a positive number i, it holds that i
              and i-N-1 specify the same place in the chain where the rule
              should be inserted. The rule number 0 specifies the place past
              the last rule in the chain and using this number is therefore
              equivalent to using the -A command. Rule numbers strictly
              smaller than 0 can be useful when more than one rule needs to
              be inserted in a chain.
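
       Added example (not part of ebtables or of this manual): a POSIX shell
       simulation of where -I places a rule for the positions described
       above, including 0 and negative numbers. It shows why a negative
       position is handy when several rules must be inserted: repeating
       '-I chain -1' keeps them in the given order just before the last rule
       (typically a final DROP), whereas repeating a positive position
       reverses them. The chain is modelled as a space-separated list of
       rule names; nothing here talks to the kernel.

```shell
#!/bin/sh
# Added example, not ebtables code: resolve an "-I chain NR" position into
# the 1-based slot the new rule will occupy, using the rules given for -I:
#   N rules in the chain  ->  NR may be -N .. N+1
#   positive i and i-N-1  ->  the same place
#   0                     ->  past the last rule (same as -A)
# Prints the slot; prints nothing and returns 1 when NR is out of range.
ebt_insert_slot() {
    n="$1"; nr="$2"
    if [ "$nr" -lt $(( 0 - n )) ] || [ "$nr" -gt $(( n + 1 )) ]; then
        return 1
    fi
    if [ "$nr" -eq 0 ]; then
        echo $(( n + 1 ))
    elif [ "$nr" -lt 0 ]; then
        echo $(( nr + n + 1 ))
    else
        echo "$nr"
    fi
}

# Simulate the chain as a space-separated list of rule names and insert
# NAME where "-I chain NR" would put it. Prints the new chain.
sim_insert() {
    chain="$1"; nr="$2"; name="$3"
    n=0
    for r in $chain; do n=$(( n + 1 )); done
    slot=$(ebt_insert_slot "$n" "$nr") || return 1
    out=""; i=0
    for r in $chain; do
        i=$(( i + 1 ))
        [ "$i" -eq "$slot" ] && out="$out $name"
        out="$out $r"
    done
    # slot N+1 lies past the last existing rule
    [ "$slot" -eq $(( n + 1 )) ] && out="$out $name"
    echo "${out# }"
}

# Insert several rules one after another at the same position, the case
# the -I text calls useful for negative numbers. Prints the final chain.
sim_insert_many() {
    chain="$1"; nr="$2"; shift 2
    for name in "$@"; do
        chain=$(sim_insert "$chain" "$nr" "$name") || return 1
    done
    echo "$chain"
}

if [ "${1:-}" = demo ]; then
    # r1 r2 r3 inserted at -1 stay in order before the final DROP;
    # inserted at 3 each time they come out reversed.
    sim_insert_many "a b DROP" -1 r1 r2 r3   # a b r1 r2 r3 DROP
    sim_insert_many "a b DROP" 3 r1 r2 r3    # a b r3 r2 r1 DROP
fi
```

       Run with the argument demo to see both orderings. The same slot
       arithmetic applies to the start_nr[:end_nr] intervals of -D and -C,
       which the text says follow the -I rules.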

       -P, --policy
              Set the policy for the chain to the given target. The policy
              can be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing a chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule
              counters are printed on the screen before they are set to
              zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.
              The following options change the output of the -L command.
              --Ln
              Places the rule number in front of every rule. This option is
              incompatible with the --Lx option.
              --Lc
              Shows the counters at the end of each rule displayed by the -L
              command. Both a frame counter (pcnt) and a byte counter (bcnt)
              are displayed. The frame counter shows how many frames have
              matched the specific rule, the byte counter shows the sum of
              the frame sizes of these matching frames. Using this option in
              combination with the --Lx option causes the counters to be
              written out in the '-c <pcnt> <bcnt>' option format.
              --Lx
              Changes the output so that it produces a set of ebtables
              commands that construct the contents of the chain, when
              specified. If no chain is specified, ebtables commands to
              construct the contents of the table are given, including
              commands for creating the user-defined chains (if any). You
              can use this set of commands in an ebtables boot or reload
              script. For example the output could be used at system
              startup. The --Lx option is incompatible with the --Ln listing
              option. Using the --Lx option together with the --Lc option
              will cause the counters to be written out in the
              '-c <pcnt> <bcnt>' option format.
              --Lmac2
              Shows all MAC addresses with the same length, adding leading
              zeroes if necessary. The default representation omits leading
              zeroes in the addresses.

       -N, --new-chain
              Create a new user-defined chain with the given name. The
              number of user-defined chains is limited only by the number of
              possible chain names. A user-defined chain name has a maximum
              length of 31 characters. The standard policy of the
              user-defined chain is ACCEPT. The policy of the new chain can
              be initialized to a different standard target by using the -P
              command together with the -N command. In this case, the chain
              name does not have to be specified for the -P command.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references (jumps) to the specified chain, otherwise
              ebtables will refuse to delete it. If no chain is specified,
              all user-defined chains that aren't referenced will be
              removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you can rename a standard chain to a name
              that suits your taste. For example, if you like PREFORWARDING
              more than PREROUTING, then you can use the -E command to
              rename the PREROUTING chain. If you do rename one of the
              standard ebtables chain names, please be sure to mention this
              fact should you post a question on the ebtables mailing lists.
              It would be wise to use the standard name in your post.
              Renaming a standard ebtables chain in this fashion has no
              effect on the structure or functioning of the ebtables kernel
              table.

       --init-table
              Replace the current table data by the initial table data.

       --atomic-init
              Copy the kernel's initial data of the table to the specified
              file. This can be used as the first action, after which rules
              are added to the file. The file can be specified using the
              --atomic-file command or through the EBTABLES_ATOMIC_FILE
              environment variable.

       --atomic-save
              Copy the kernel's current data of the table to the specified
              file. This can be used as the first action, after which rules
              are added to the file. The file can be specified using the
              --atomic-file command or through the EBTABLES_ATOMIC_FILE
              environment variable.

       --atomic-commit
              Replace the kernel table data with the data contained in the
              specified file. This is a useful command that allows you to
              load all your rules of a certain table into the kernel at
              once, saving the kernel a lot of precious time and allowing
              atomic updates of the tables. The file which contains the
              table data is constructed by using either the --atomic-init or
              the --atomic-save command to generate a starting file. After
              that, using the --atomic-file command when constructing rules
              or setting the EBTABLES_ATOMIC_FILE environment variable
              allows you to extend the file and build the complete table
              before committing it to the kernel. This command can be very
              useful in boot scripts to populate the ebtables tables in a
              fast way.
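
       Added example (not part of ebtables or of this manual): a boot-script
       skeleton for the sequence described under --atomic-init,
       --atomic-file and --atomic-commit. The filter table is built in the
       atomic file, with every rule command directed at the file through
       EBTABLES_ATOMIC_FILE, and then loaded into the kernel in one step.
       The ruleset, the port names eth1 and eth2 and the path
       /var/lib/ebtables/filter.atomic are placeholders. With EBT_DRY_RUN=1
       the script prints the commands instead of running them, so it can be
       reviewed without root. Before relying on this at boot, confirm on the
       target host that the installed ebtables binary accepts the --atomic-*
       commands and that the directory holding the atomic file exists.

```shell
#!/bin/sh
# Added example, not ebtables code: build the filter table in an atomic
# file, then commit it to the kernel in a single operation.
# EBT_DRY_RUN=1 prints each command instead of executing it.
set -eu

EBT=${EBT:-ebtables}
TABLE=filter
# Placeholder path; ebtables reads and rewrites this file for every command
# while the variable is exported.
EBTABLES_ATOMIC_FILE=${EBTABLES_ATOMIC_FILE:-/var/lib/ebtables/filter.atomic}
export EBTABLES_ATOMIC_FILE

run() {
    if [ "${EBT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: write the kernel's initial (empty) table data to the file.
ebt_atomic_begin() {
    run "$EBT" -t "$TABLE" --atomic-init
}

# Step 2: every rule command now operates on the file, not the kernel.
# -t must remain the first argument. eth1 is a client port whose frames
# pass through the user-defined chain "clients"; eth2 is trusted.
ebt_atomic_build() {
    run "$EBT" -t "$TABLE" -P FORWARD DROP
    run "$EBT" -t "$TABLE" -N clients
    run "$EBT" -t "$TABLE" -A FORWARD -i eth1 -j clients
    run "$EBT" -t "$TABLE" -A FORWARD -i eth2 -j ACCEPT
    run "$EBT" -t "$TABLE" -A clients -p ARP -j ACCEPT
    run "$EBT" -t "$TABLE" -A clients -p IPv4 -j ACCEPT
    # explicit final DROP rather than relying on the user chain's policy
    run "$EBT" -t "$TABLE" -A clients -j DROP
}

# Step 3: replace the kernel table with the file's contents at once, so no
# frame is ever evaluated against a half-built table.
ebt_atomic_commit() {
    run "$EBT" -t "$TABLE" --atomic-commit
}

ebt_atomic_load() {
    ebt_atomic_begin
    ebt_atomic_build
    ebt_atomic_commit
}

if [ "${1:-}" = load ]; then
    ebt_atomic_load
fi
```

       Run as 'EBT_DRY_RUN=1 sh atomic-load.sh load' to review the command
       sequence, and without EBT_DRY_RUN as root to apply it. Because the
       frame counters are part of the table data, --atomic-save followed by
       --atomic-commit of an unmodified file also preserves the counters.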

   MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the ebtables userspace program.

       -h, --help [list of module names]
              Give a brief description of the command syntax. Here you can
              also specify names of extensions and ebtables will try to
              write help about those extensions. E.g. ebtables -h snat log
              ip arp. Specify list_extensions to list all extensions
              supported by the userspace utility.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
              EXTENSIONS) or a user-defined chain name.

       --atomic-file file
              Let the command operate on the specified file. The data of the
              table to operate on will be extracted from the file and the
              result of the operation will be saved back into the file. If
              specified, this option should come before the command
              specification. An alternative that should be preferred is
              setting the EBTABLES_ATOMIC_FILE environment variable.

       -M, --modprobe program
              When talking to the kernel, use this program to try to
              automatically load missing kernel modules.

       --concurrent
              Use a file lock to support concurrent scripts updating the
              ebtables kernel tables.


   RULE SPECIFICATIONS
       The following command line arguments make up a rule specification
       (as used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from
       these standard rule specifications there are some other command line
       arguments of interest. See both the MATCH EXTENSIONS and the WATCHER
       EXTENSIONS below.

       -p, --protocol [!] protocol
              The protocol that was responsible for creating the frame.
              This can be a hexadecimal number, above 0x0600, a name (e.g.
              ARP) or LENGTH. The protocol field of the Ethernet frame can
              be used to denote the length of the header (802.2/802.3
              networks). When the value of that field is below or equals
              0x0600, the value equals the size of the header and shouldn't
              be used as a protocol number. Instead, all frames where the
              protocol field is used as the length field are assumed to be
              of the same 'protocol'. The protocol name used in ebtables for
              these frames is LENGTH. The file /etc/ethertypes can be used
              to show readable characters instead of hexadecimal numbers for
              the protocols. For example, 0x0800 will be represented by
              IPV4. The use of this file is not case sensitive. See that
              file for more information. The flag --proto is an alias for
              this option.

       -i, --in-interface [!] name
              The interface (bridge port) via which a frame is received
              (this option is useful in the INPUT, FORWARD, PREROUTING and
              BROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding
              '+') will match. The flag --in-if is an alias for this option.

       --logical-in [!] name
              The (logical) bridge interface via which a frame is received
              (this option is useful in the INPUT, FORWARD, PREROUTING and
              BROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding
              '+') will match.

       -o, --out-interface [!] name
              The interface (bridge port) via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding
              '+') will match. The flag --out-if is an alias for this
              option.

       --logical-out [!] name
              The (logical) bridge interface via which a frame is going to
              be sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding
              '+') will match.

       -s, --source [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons. Alternatively one can
              specify Unicast, Multicast, Broadcast or BGA (Bridge Group
              Address):
              Unicast=00:00:00:00:00:00/01:00:00:00:00:00,
              Multicast=01:00:00:00:00:00/01:00:00:00:00:00,
              Broadcast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
              BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast
              address will also match the multicast specification. The flag
              --src is an alias for this option.

       -d, --destination [!] address[/mask]
              The destination MAC address. See -s (above) for more details
              on MAC addresses. The flag --dst is an alias for this option.

       -c, --set-counter pcnt bcnt
              If used with -A or -I, then the packet and byte counters of
              the new rule will be set to pcnt, resp. bcnt. If used with the
              -C or -D commands, only rules with a packet and byte count
              equal to pcnt, resp. bcnt will match.


   MATCH EXTENSIONS
       Ebtables extensions are dynamically loaded into the userspace tool,
       there is therefore no need to explicitly load them with a -m option
       as is done in iptables. These extensions deal with functionality
       supported by kernel modules supplemental to the core ebtables code.

       802_3
       Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
       specified as LENGTH (see the option -p above).

       --802_3-sap [!] sap
              DSAP and SSAP are two one byte 802.3 fields. The bytes are
              always equal, so only one byte (hexadecimal) is needed as an
              argument.

       --802_3-type [!] type
              If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
              field must be consulted to determine the payload protocol.
              This is a two byte (hexadecimal) argument. Only 802.3 frames
              with DSAP/SSAP 0xaa are checked for type.

       among
       Match a MAC address or MAC/IP address pair versus a list of MAC
       addresses and MAC/IP address pairs. A list entry has the following
       format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
       separated by a comma, specifying an IP address corresponding to the
       MAC address is optional. Multiple MAC/IP address pairs with the same
       MAC address but different IP address (and vice versa) can be
       specified. If the MAC address doesn't match any entry from the list,
       the frame doesn't match the rule (unless "!" was used).

       --among-dst [!] list
              Compare the MAC destination to the given list. If the Ethernet
              frame has type IPv4 or ARP, then comparison with MAC/IP
              destination address pairs from the list is possible.

       --among-src [!] list
              Compare the MAC source to the given list. If the Ethernet
              frame has type IPv4 or ARP, then comparison with MAC/IP source
              address pairs from the list is possible.

       --among-dst-file [!] file
              Same as --among-dst but the list is read in from the specified
              file.

       --among-src-file [!] file
              Same as --among-src but the list is read in from the specified
              file.

       arp
       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.

       --arp-opcode [!] opcode
              The (R)ARP opcode (decimal or a string, for more details see
              ebtables -h arp).

       --arp-htype [!] hardware type
              The hardware type, this can be a decimal or the string
              Ethernet (which sets type to 1). Most (R)ARP packets have
              Ethernet as hardware type.

       --arp-ptype [!] protocol type
              The protocol type for which the (R)ARP is used (hexadecimal
              or the string IPv4, denoting 0x0800). Most (R)ARP packets have
              protocol type IPv4.

       --arp-ip-src [!] address[/mask]
              The (R)ARP IP source address specification.

       --arp-ip-dst [!] address[/mask]
              The (R)ARP IP destination address specification.

       --arp-mac-src [!] address[/mask]
              The (R)ARP MAC source address specification.

       --arp-mac-dst [!] address[/mask]
              The (R)ARP MAC destination address specification.

       [!] --arp-gratuitous
              Checks for gratuitous ARP packets: checks equality of the IPv4
              source address and IPv4 destination address inside the ARP
              header.

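       Added example (not ebtables code and not from this manual): a
       generator for per-port MAC/IP pinning that ties together a
       user-defined chain (see CHAINS and -N), the among match and the arp
       match described above. Each bridge port gets its own chain; ARP and
       IPv4 frames whose source MAC/IP pair is on that port's allow-list
       RETURN to the calling chain, and everything else entering the port,
       including a known MAC claiming a foreign IP, is dropped. The
       allow-list, port names and addresses are constructed placeholders.
       The commands are printed for review rather than executed. Frames of
       any other protocol are dropped by the final rule, so extend the
       chain if a port must carry them.

```shell
#!/bin/sh
# Added example, not ebtables code: generate per-port MAC/IP pinning rules
# from an allow-list, using one user-defined chain per bridge port, the
# among match for the MAC/IP pairs and the arp match to restrict ARP to
# IPv4-over-Ethernet (the only ARP for which among can check the pair).
# Review the output, then apply with:  sh pin.sh show | sh   (as root)

# Constructed allow-list (placeholders): one "port mac ip" triple per line.
PINS='
eth1 00:11:22:33:44:55 192.0.2.10
eth1 00:11:22:33:44:56 192.0.2.11
eth2 00:11:22:33:44:57 192.0.2.12
'

# among_list PORT: the --among-src list for PORT, as mac=ip,mac=ip
among_list() {
    port="$1"; list=""
    while read -r p mac ip; do
        [ -n "$p" ] && [ "$p" = "$port" ] || continue
        list="${list:+$list,}$mac=$ip"
    done <<EOF
$PINS
EOF
    printf '%s\n' "$list"
}

# ports: distinct port names from the allow-list, in first-seen order
ports() {
    printf '%s\n' "$PINS" | awk 'NF && !seen[$1]++ { print $1 }'
}

# pin_rules: the complete ebtables command sequence for every listed port
pin_rules() {
    for port in $(ports); do
        chain="pin_$port"
        list=$(among_list "$port")
        echo "ebtables -N $chain"
        # frames entering on this port are examined in its own chain,
        # whether bridged (FORWARD) or addressed to the bridge (INPUT)
        echo "ebtables -A FORWARD -i $port -j $chain"
        echo "ebtables -A INPUT -i $port -j $chain"
        # among compares MAC/IP pairs only for IPv4 and ARP frames, and an
        # ARP pair only exists for Ethernet/IPv4 ARP: drop any other ARP
        echo "ebtables -A $chain -p ARP --arp-htype ! Ethernet -j DROP"
        echo "ebtables -A $chain -p ARP --arp-ptype ! IPv4 -j DROP"
        # a listed pair RETURNs to the calling chain; a listed MAC with an
        # unlisted IP (ARP or IP spoofing) does not match and falls through
        echo "ebtables -A $chain -p ARP --among-src $list -j RETURN"
        echo "ebtables -A $chain -p IPv4 --among-src $list -j RETURN"
        # everything else entering on this port, any protocol, is dropped
        echo "ebtables -A $chain -j DROP"
    done
}

if [ "${1:-}" = show ]; then
    pin_rules
fi
```

       For long allow-lists, write the same mac=ip,... text to a file and
       use --among-src-file instead of passing it on the command line.
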
       ip
       Specify IPv4 fields. The protocol must be specified as IPv4.

       --ip-source [!] address[/mask]
              The source IP address. The flag --ip-src is an alias for this
              option.

       --ip-destination [!] address[/mask]
              The destination IP address. The flag --ip-dst is an alias for
              this option.

       --ip-tos [!] tos
              The IP type of service, in hexadecimal numbers.

       --ip-protocol [!] protocol
              The IP protocol. The flag --ip-proto is an alias for this
              option.

       --ip-source-port [!] port1[:port2]
              The source port or port range for the IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must
              be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-sport is an alias for this
              option.

       --ip-destination-port [!] port1[:port2]
              The destination port or port range for the IP protocols 6
              (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol
              option must be specified as TCP, UDP, DCCP or SCTP. If port1
              is omitted, 0:port2 is used; if port2 is omitted but a colon
              is specified, port1:65535 is used. The flag --ip-dport is an
              alias for this option.

       ip6
       Specify IPv6 fields. The protocol must be specified as IPv6.

       --ip6-source [!] address[/mask]
              The source IPv6 address. The flag --ip6-src is an alias for
              this option.

       --ip6-destination [!] address[/mask]
              The destination IPv6 address. The flag --ip6-dst is an alias
              for this option.

       --ip6-tclass [!] tclass
              The IPv6 traffic class, in hexadecimal numbers.

       --ip6-protocol [!] protocol
              The IP protocol. The flag --ip6-proto is an alias for this
              option.

       --ip6-source-port [!] port1[:port2]
              The source port or port range for the IPv6 protocols 6 (TCP),
              17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option
              must be specified as TCP, UDP, DCCP or SCTP. If port1 is
              omitted, 0:port2 is used; if port2 is omitted but a colon is
              specified, port1:65535 is used. The flag --ip6-sport is an
              alias for this option.

       --ip6-destination-port [!] port1[:port2]
              The destination port or port range for the IPv6 protocols 6
              (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol
              option must be specified as TCP, UDP, DCCP or SCTP. If port1
              is omitted, 0:port2 is used; if port2 is omitted but a colon
              is specified, port1:65535 is used. The flag --ip6-dport is an
              alias for this option.

       --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
              Specify ipv6-icmp type and code to match. Ranges for both type
              and code are supported. Type and code are separated by a
              slash. Valid numbers for type and code are 0 to 255. To match
              a single type including all valid codes, symbolic names can be
              used instead of numbers. The list of known type names is shown
              by the command
              ebtables --help ip6
              This option is only valid for --ip6-protocol ipv6-icmp.

       limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached. It
       can be used with the --log watcher to give limited logging, for
       example. Its use is the same as the limit match of iptables.

       --limit [value]
              Maximum average matching rate: specified as a number, with an
              optional /second, /minute, /hour, or /day suffix; the default
              is 3/hour.

       --limit-burst [number]
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.

       mark_m
       --mark [!] [value][/mask]
              Matches frames with the given unsigned mark value. If a value
              and mask are specified, the logical AND of the mark value of
              the frame and the user-specified mask is taken before
              comparing it with the user-specified mark value. When only a
              mark value is specified, the packet only matches when the mark
              value of the frame equals the user-specified mark value. If
              only a mask is specified, the logical AND of the mark value of
              the frame and the user-specified mask is taken and the frame
              matches when the result of this logical AND is non-zero. Only
              specifying a mask is useful to match multiple mark values.

       pkttype
       --pkttype-type [!] type
              Matches on the Ethernet "class" of the frame, which is
              determined by the generic networking code. Possible values:
              broadcast (MAC destination is the broadcast address),
              multicast (MAC destination is a multicast address), host (MAC
              destination is the receiving network device), or otherhost
              (none of the above).

       stp
       Specify stp BPDU (bridge protocol data unit) fields. The destination
       address (-d) must be specified as the bridge group address (BGA).
       For all options for which a range of values can be specified, it
       holds that if the lower bound is omitted (but the colon is not),
       then the lowest possible lower bound for that option is used, while
       if the upper bound is omitted (but the colon again is not), the
       highest possible upper bound for that option is used.

       --stp-type [!] type
              The BPDU type (0-255), recognized non-numerical types are
              config, denoting a configuration BPDU (=0), and tcn, denoting
              a topology change notification BPDU (=128).

       --stp-flags [!] flag
              The BPDU flag (0-255), recognized non-numerical flags are
              topology-change, denoting the topology change flag (=1), and
              topology-change-ack, denoting the topology change
              acknowledgement flag (=128).

       --stp-root-prio [!] [prio][:prio]
              The root priority (0-65535) range.

       --stp-root-addr [!] [address][/mask]
              The root MAC address, see the option -s for more details.

       --stp-root-cost [!] [cost][:cost]
              The root path cost (0-4294967295) range.

       --stp-sender-prio [!] [prio][:prio]
              The BPDU's sender priority (0-65535) range.

       --stp-sender-addr [!] [address][/mask]
              The BPDU's sender MAC address, see the option -s for more
              details.

       --stp-port [!] [port][:port]
              The port identifier (0-65535) range.

       --stp-msg-age [!] [age][:age]
              The message age timer (0-65535) range.

       --stp-max-age [!] [age][:age]
              The max age timer (0-65535) range.

       --stp-hello-time [!] [time][:time]
              The hello time timer (0-65535) range.

       --stp-forward-delay [!] [delay][:delay]
              The forward delay timer (0-65535) range.

       vlan
       Specify 802.1Q Tag Control Information fields. The protocol must be
       specified as 802_1Q (0x8100).

       --vlan-id [!] id
              The VLAN identifier field (VID). Decimal number from 0 to
              4095.

       --vlan-prio [!] prio
              The user priority field, a decimal number from 0 to 7. The
              VID should be set to 0 ("null VID") or unspecified (in the
              latter case the VID is deliberately set to 0).

       --vlan-encap [!] type
              The encapsulated Ethernet frame type/length. Specified as a
              hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
              from /etc/ethertypes.


   WATCHER EXTENSIONS
       Watchers only look at frames passing by, they don't modify them nor
       decide to accept the frames or not. These watchers only see the
       frame if the frame matches the rule, and they see it before the
       target is executed.

       log
       The log watcher writes descriptive data about a frame to the syslog.

       --log
              Log with the default logging options: log-level=info,
              log-prefix="", no ip logging, no arp logging.

       --log-level level
              Defines the logging level. For the possible values, see
              ebtables -h log. The default level is info.

       --log-prefix text
              Defines the prefix text to be printed at the beginning of the
              line with the logging information.

       --log-ip
              Will log the ip information when a frame made by the ip
              protocol matches the rule. The default is no ip information
              logging.

       --log-ip6
              Will log the ipv6 information when a frame made by the ipv6
              protocol matches the rule. The default is no ipv6 information
              logging.

       --log-arp
              Will log the (r)arp information when a frame made by the
              (r)arp protocols matches the rule. The default is no (r)arp
              information logging.

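       Added example (not ebtables code and not from this manual) that
       combines three items described above: the stp match (under MATCH
       EXTENSIONS), the limit match and the log watcher. It generates a
       BPDU-guard style policy: BPDUs arriving on untrusted edge ports are
       dropped, a rate-limited sample is logged first with a CONTINUE rule
       so that the following DROP still applies to every frame, and
       topology change notifications on the trusted uplink are counted by
       another CONTINUE rule. The port names access+ and uplink are
       placeholders; commands are printed for review rather than executed.
       The pcnt_of helper parses a ', pcnt = N -- bcnt = M' counter suffix
       on -L --Lc output; that exact layout is an assumption here, since
       this page only names the two counters, so check it against your
       build's output before using it in a script.

```shell
#!/bin/sh
# Added example, not ebtables code: a BPDU-guard style policy built from
# the stp match, the limit match and the log watcher. Prints the commands
# for review; apply with:  sh bpdu-guard.sh show | sh   (as root)

# bpdu_guard_rules [UNTRUSTED] [UPLINK]
#   UNTRUSTED  edge port name or '+' wildcard (default access+: every port
#              whose name starts with "access", see -i)
#   UPLINK     the trusted port towards the rest of the spanning tree
bpdu_guard_rules() {
    untrusted="${1:-access+}"
    uplink="${2:-uplink}"
    chain=bpdu_guard
    echo "ebtables -N $chain"
    # BPDUs carry the bridge group address (BGA) as destination. Those the
    # bridge consumes itself arrive via INPUT, forwarded ones via FORWARD.
    echo "ebtables -A INPUT -i $untrusted -d BGA -j $chain"
    echo "ebtables -A FORWARD -i $untrusted -d BGA -j $chain"
    # Log a bounded sample (token bucket: 6 per minute, burst 5). CONTINUE
    # passes every frame, logged or not, on to the DROP below; a single
    # rule combining --limit with -j DROP would leave frames above the
    # rate to whatever follows in the chain.
    echo "ebtables -A $chain --limit 6/minute --limit-burst 5 --log-level warning --log-prefix 'bpdu-guard: ' -j CONTINUE"
    echo "ebtables -A $chain -j DROP"
    # On the trusted uplink, count topology change notifications without
    # touching them; read the counters with: ebtables -L FORWARD --Lc
    echo "ebtables -A FORWARD -i $uplink -d BGA --stp-type tcn -j CONTINUE"
}

# pcnt_of LINE: frame counter from one line of "ebtables -L --Lc" output.
# Assumes a ", pcnt = N -- bcnt = M" suffix; verify against your build.
pcnt_of() {
    printf '%s\n' "$1" | sed -n 's/.*pcnt = \([0-9][0-9]*\).*/\1/p'
}

if [ "${1:-}" = show ]; then
    bpdu_guard_rules "${2:-access+}" "${3:-uplink}"
fi
```

       A rising tcn counter on the uplink, or any hit at all in bpdu_guard,
       is worth an alert: an edge port should never originate BPDUs.
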
       nflog
       The nflog watcher passes the packet to the loaded logging backend in
       order to log the packet. This is usually used in combination with
       nfnetlink_log as logging backend, which will multicast the packet
       through a netlink socket to the specified multicast group. One or
       more userspace processes may subscribe to the group to receive the
       packets.

       --nflog
              Log with the default logging options.

       --nflog-group nlgroup
              The netlink group (1 - 2^32-1) to which packets are sent (only
              applicable for nfnetlink_log). The default value is 1.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 30
              characters long, useful for distinguishing messages in the
              logs.

       --nflog-range size
              The number of bytes to be copied to userspace (only applicable
              for nfnetlink_log). nfnetlink_log instances may specify their
              own range, this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before sending
              them to userspace (only applicable for nfnetlink_log). Higher
              values result in less overhead per packet, but increase delay
              until the packets reach userspace. The default value is 1.

       ulog
       The ulog watcher passes the packet to a userspace logging daemon
       using netlink multicast sockets. This differs from the log watcher in
       the sense that the complete packet is sent to userspace instead of a
       descriptive text and that netlink multicast sockets are used instead
       of the syslog. This watcher enables parsing of packets with
       userspace programs, the physical bridge in and out ports are also
       included in the netlink messages. The ulog watcher module accepts 2
       parameters when the module is loaded into the kernel (e.g. with
       modprobe): nlbufsiz specifies how big the buffer for each netlink
       multicast group is. If you say nlbufsiz=8192, for example, up to
       eight kB of packets will get accumulated in the kernel until they are
       sent to userspace. It is not possible to allocate more than 128kB.
       Please also keep in mind that this buffer size is allocated for each
       nlgroup you are using, so the total kernel memory usage increases by
       that factor. The default is 4096. flushtimeout specifies after how
       many hundredths of a second the queue should be flushed, even if it
       is not full yet. The default is 10 (one tenth of a second).

       --ulog
              Use the default settings: ulog-prefix="", ulog-nlgroup=1,
              ulog-cprange=4096, ulog-qthreshold=1.

       --ulog-prefix text
              Defines the prefix included with the packets sent to
              userspace.

       --ulog-nlgroup group
              Defines which netlink group number to use (a number from 1 to
              32). Make sure the netlink group numbers used for the iptables
              ULOG target differ from those used for the ebtables ulog
              watcher. The default group number is 1.

       --ulog-cprange range
              Defines the maximum copy range to userspace, for packets
              matching the rule. The default range is 0, which means the
              maximum copy range is given by nlbufsiz. A maximum copy range
              larger than 128*1024 is meaningless as the packets sent to
              userspace have an upper size limit of 128*1024.

       --ulog-qthreshold threshold
              Queue at most threshold number of packets before sending them
              to userspace with a netlink socket. Note that packets can be
              sent to userspace before the queue is full, this happens when
              the ulog kernel timer goes off (the frequency of this timer
              depends on flushtimeout).

TARGET EXTENSIONS
arpreply
The arpreply target can be used in the PREROUTING chain of the nat
table. If this target sees an ARP request it will automatically reply
with an ARP reply. The MAC address used for the reply can be specified.
The protocol must be specified as ARP. When the ARP message is not an
ARP request, or when the ARP request isn't for an IP address on an
Ethernet network, it is ignored by this target (CONTINUE). When the ARP
request is malformed, it is dropped (DROP).

--arpreply-mac address
Specifies the MAC address to reply with: the Ethernet source MAC and
the ARP payload source MAC will be filled in with this address.

--arpreply-target target
Specifies the standard target. After sending the ARP reply, the rule
still has to give a standard target so ebtables knows what to do with
the ARP request. The default target is DROP.
762
dnat
The dnat target can only be used in the PREROUTING and OUTPUT chains of
the nat table. It specifies that the destination MAC address has to be
changed.

--to-destination address
Change the destination MAC address to the specified address. The flag
--to-dst is an alias for this option.

--dnat-target target
Specifies the standard target. After doing the dnat, the rule still has
to give a standard target so ebtables knows what to do with the dnated
frame. The default target is ACCEPT. Making it CONTINUE could let you
use multiple target extensions on the same frame. Making it DROP only
makes sense in the BROUTING chain of the broute table (which this
version of ebtables does not support), and using the redirect target is
more logical there. RETURN is also allowed. Note that using RETURN in a
base chain is not allowed, since there is no calling chain to return to.
781
mark
The mark target can be used in every chain of every table. It is
possible to use the marking of a frame/packet in both ebtables and
iptables, if the bridge-nf code is compiled into the kernel. Both put
the mark in the same place. This allows for a form of communication
between ebtables and iptables.

--mark-set value
Set the frame's mark to the specified non-negative value.

--mark-or value
Bitwise OR the frame's mark with the specified non-negative value.

--mark-and value
Bitwise AND the frame's mark with the specified non-negative value.

--mark-xor value
Bitwise XOR the frame's mark with the specified non-negative value.

--mark-target target
Specifies the standard target. After marking the frame, the rule still
has to give a standard target so ebtables knows what to do. The default
target is ACCEPT. Making it CONTINUE can let you do other things with
the frame in subsequent rules of the chain.
807
redirect
The redirect target will change the destination MAC address to that of
the bridge device the frame arrived on. This target can only be used in
the PREROUTING chain of the nat table. The MAC address of the bridge is
used as destination address.

--redirect-target target
Specifies the standard target. After doing the MAC redirect, the rule
still has to give a standard target so ebtables knows what to do. The
default target is ACCEPT. Making it CONTINUE could let you use multiple
target extensions on the same frame. Making it DROP in the BROUTING
chain of the broute table lets the frames be routed, but this version
of ebtables does not support the broute table. RETURN is also allowed.
Note that using RETURN in a base chain is not allowed.
822
snat
The snat target can only be used in the POSTROUTING chain of the nat
table. It specifies that the source MAC address has to be changed.

--to-source address
Changes the source MAC address to the specified address. The flag
--to-src is an alias for this option.

--snat-target target
Specifies the standard target. After doing the snat, the rule still has
to give a standard target so ebtables knows what to do. The default
target is ACCEPT. Making it CONTINUE could let you use multiple target
extensions on the same frame. Making it DROP doesn't make sense, but
you could do that too. RETURN is also allowed. Note that using RETURN
in a base chain is not allowed.

--snat-arp
Also change the hardware source address inside the ARP header if the
packet is an ARP message and the hardware address length in the ARP
header is 6 bytes.
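The arpreply target and the snat --snat-arp option above both rewrite fields of an ARP frame, and the verdict rules for arpreply (CONTINUE for anything that is not an Ethernet/IPv4 ARP request, DROP for a malformed one, the --arpreply-target verdict otherwise) are easy to get wrong when reading captures. The following is an added example, not part of this man page or of ebtables itself: a pure-Python model that applies the documented behaviour to raw Ethernet/ARP bytes so the rewrites can be inspected without a bridge. The frames, MAC addresses and helper names (arp_frame, parse_arp, arpreply, snat) are constructed here for illustration and mirror the rule shapes "-t nat -A PREROUTING -p ARP -j arpreply --arpreply-mac <mac>" and "-t nat -A POSTROUTING -j snat --to-source <mac> --snat-arp".

```python
"""Frame-level model of the ebtables arpreply target and snat --snat-arp.

Added example, not ebtables code: it reproduces the documented behaviour on
raw Ethernet/ARP bytes.  All frames are constructed test input."""
import struct

ETH_P_ARP, ETH_P_IP = 0x0806, 0x0800
ARPHRD_ETHER = 1
ARPOP_REQUEST, ARPOP_REPLY = 1, 2
ETH_HLEN = 14          # dst(6) src(6) ethertype(2)
ARP_FIXED = 8          # htype(2) ptype(2) hlen(1) plen(1) op(2)
BROADCAST = b"\xff" * 6


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def arp_frame(op, eth_src, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Build an Ethernet II + ARP frame.  hlen/plen follow the address
    lengths passed in, so oversized addresses make a non-Ethernet ARP."""
    hdr = struct.pack("!HHBBH", ARPHRD_ETHER, ETH_P_IP, len(sha), len(spa), op)
    return eth_dst + eth_src + struct.pack("!H", ETH_P_ARP) + hdr + sha + spa + tha + tpa


def parse_arp(frame):
    """Return the ARP fields of a frame, None if it is not ARP at all, and
    raise ValueError when the ARP body is shorter than its header claims."""
    if len(frame) < ETH_HLEN or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    body = frame[ETH_HLEN:]
    if len(body) < ARP_FIXED:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:ARP_FIXED])
    if len(body) < ARP_FIXED + 2 * (hlen + plen):
        raise ValueError("truncated ARP addresses")
    p = ARP_FIXED
    sha, spa = body[p:p + hlen], body[p + hlen:p + hlen + plen]
    p += hlen + plen
    tha, tpa = body[p:p + hlen], body[p + hlen:p + hlen + plen]
    return dict(eth_dst=frame[:6], eth_src=frame[6:12], htype=htype, ptype=ptype,
                hlen=hlen, plen=plen, op=op, sha=sha, spa=spa, tha=tha, tpa=tpa)


def arpreply(frame, reply_mac, target="DROP"):
    """'-p ARP -j arpreply --arpreply-mac reply_mac [--arpreply-target target]'.
    Returns (verdict, reply_frame); the reply is None when nothing is sent."""
    try:
        a = parse_arp(frame)
    except ValueError:
        return "DROP", None        # malformed request: dropped
    if a is None:
        return "CONTINUE", None    # not ARP (-p ARP keeps the rule from matching anyway)
    if (a["op"] != ARPOP_REQUEST or a["htype"] != ARPHRD_ETHER
            or a["ptype"] != ETH_P_IP or a["hlen"] != 6 or a["plen"] != 4):
        return "CONTINUE", None    # not a request for an IP address on Ethernet: ignored
    # Ethernet source and ARP sender hardware address are both reply_mac; the
    # answered IP is the request's target IP; the reply goes back to the asker.
    reply = arp_frame(ARPOP_REPLY, reply_mac, reply_mac, a["tpa"], a["sha"], a["spa"],
                      eth_dst=a["sha"])
    return target, reply           # the request itself gets the standard target


def snat(frame, new_src, snat_arp=False):
    """'-j snat --to-source new_src [--snat-arp]': rewrite the Ethernet source
    MAC and, with --snat-arp, the ARP sender hardware address when hlen is 6."""
    out = bytearray(frame)
    out[6:12] = new_src
    if snat_arp:
        try:
            a = parse_arp(frame)
        except ValueError:
            a = None
        if a is not None and a["hlen"] == 6:
            out[ETH_HLEN + ARP_FIXED:ETH_HLEN + ARP_FIXED + 6] = new_src
    return bytes(out)


if __name__ == "__main__":
    asker, proxy = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")
    who_has = arp_frame(ARPOP_REQUEST, asker, asker, bytes([10, 0, 0, 1]),
                        b"\0" * 6, bytes([10, 0, 0, 254]))
    verdict, reply = arpreply(who_has, proxy)
    r = parse_arp(reply)
    print(verdict, "reply from", r["sha"].hex(":"), "for", ".".join(map(str, r["spa"])))
```

The model deliberately keeps the two checks apart: a frame whose ARP body is shorter than its hlen/plen announce is the "malformed" case and gets DROP, whereas a well-formed frame that is simply not an Ethernet/IPv4 request (a reply, or an ARP with an 8-byte hardware address) is left alone with CONTINUE, which is also why --snat-arp skips such frames.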
844
FILES
/etc/ethertypes

ENVIRONMENT VARIABLES
EBTABLES_ATOMIC_FILE

MAILINGLISTS
See http://netfilter.org/mailinglists.html

BUGS
The version of ebtables this man page ships with does not support the
broute table. Also there is no support for string match. And finally,
this list is probably not complete.

SEE ALSO
xtables-nft(8), iptables(8), ip(8)

See https://wiki.nftables.org


December 2011 EBTABLES(8)