1EBTABLES(8) System Manager's Manual EBTABLES(8)
2
6 ebtables (v2.0.8-1) - Ethernet bridge frame table administration
7
9 ebtables [-t table ] -[ACDI] chain rule specification [match exten‐
10 sions] [watcher extensions] target
11 ebtables [-t table ] -P chain ACCEPT | DROP | RETURN
12 ebtables [-t table ] -F [chain]
13 ebtables [-t table ] -Z [chain]
14 ebtables [-t table ] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc]
15 [--Lmac2]
16 ebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]
17 ebtables [-t table ] -X [chain]
18 ebtables [-t table ] -E old-chain-name new-chain-name
19 ebtables [-t table ] --init-table
20 ebtables [-t table ] [--atomic-file file] --atomic-commit
21 ebtables [-t table ] [--atomic-file file] --atomic-init
22 ebtables [-t table ] [--atomic-file file] --atomic-save
23
25 ebtables is an application program used to set up and maintain the
26 tables of rules (inside the Linux kernel) that inspect Ethernet frames.
27 It is analogous to the iptables application, but less complicated, due
28 to the fact that the Ethernet protocol is much simpler than the IP pro‐
29 tocol.
30 CHAINS
32 There are three ebtables tables with built-in chains in the Linux ker‐
33 nel. These tables are used to divide functionality into different sets
34 of rules. Each set of rules is called a chain. Each chain is an
35 ordered list of rules that can match Ethernet frames. If a rule matches
36 an Ethernet frame, then a processing specification tells what to do
37 with that matching frame. The processing specification is called a
38 'target'. However, if the frame does not match the current rule in the
39 chain, then the next rule in the chain is examined and so forth. The
40 user can create new (user-defined) chains that can be used as the 'tar‐
41 get' of a rule. User-defined chains are very useful to get better per‐
42 formance over the linear traversal of the rules and are also essential
43 for structuring the filtering rules into well-organized and maintain‐
44 able sets of rules.
45 TARGETS
47 A firewall rule specifies criteria for an Ethernet frame and a frame
48 processing specification called a target. When a frame matches a rule,
49 then the next action performed by the kernel is specified by the tar‐
50 get. The target can be one of these values: ACCEPT, DROP, CONTINUE,
51 RETURN, an 'extension' (see below) or a jump to a user-defined chain.
52 ACCEPT means to let the frame through. DROP means the frame has to be
54 dropped. In the BROUTING chain however, the ACCEPT and DROP target have
55 different meanings (see the info provided for the -t option). CONTINUE
56 means the next rule has to be checked. This can be handy, f.e., to know
57 how many frames pass a certain point in the chain, to log those frames
58 or to apply multiple targets on a frame. RETURN means stop traversing
59 this chain and resume at the next rule in the previous (calling) chain.
60 For the extension targets please refer to the TARGET EXTENSIONS section
61 of this man page.
62 TABLES
64 As stated earlier, there are three ebtables tables in the Linux kernel.
65 The table names are filter, nat and broute. Of these three tables, the
66 filter table is the default table that the command operates on. If you
67 are working with the filter table, then you can drop the '-t filter'
68 argument to the ebtables command. However, you will need to provide
69 the -t argument for the other two tables. Moreover, the -t argument
70 must be the first argument on the ebtables command line, if used.
71 -t, --table
73 filter is the default table and contains three built-in chains:
74 INPUT (for frames destined for the bridge itself, on the level
75 of the MAC destination address), OUTPUT (for locally-generated
76 or (b)routed frames) and FORWARD (for frames being forwarded by
77 the bridge).
78 nat is mostly used to change the mac addresses and contains
79 three built-in chains: PREROUTING (for altering frames as soon
80 as they come in), OUTPUT (for altering locally generated or
81 (b)routed frames before they are bridged) and POSTROUTING (for
82 altering frames as they are about to go out). A small note on
83 the naming of chains PREROUTING and POSTROUTING: it would be
84 more accurate to call them PREFORWARDING and POSTFORWARDING, but
85 for all those who come from the iptables world to ebtables it is
86 easier to have the same names. Note that you can change the name
87 (-E) if you don't like the default.
88 broute is used to make a brouter, it has one built-in chain:
89 BROUTING. The targets DROP and ACCEPT have a special meaning in
90 the broute table (these names are used instead of more descrip‐
91 tive names to keep the implementation generic). DROP actually
92 means the frame has to be routed, while ACCEPT means the frame
93 has to be bridged. The BROUTING chain is traversed very early.
94 However, it is only traversed by frames entering on a bridge
95 port that is in forwarding state. Normally those frames would be
96 bridged, but you can decide otherwise here. The redirect target
97 is very handy here.
98
100 After the initial ebtables '-t table' command line argument, the
101 remaining arguments can be divided into several groups. These groups
102 are commands, miscellaneous commands, rule specifications, match exten‐
103 sions, watcher extensions and target extensions.
104 COMMANDS
106 The ebtables command arguments specify the actions to perform on the
107 table defined with the -t argument. If you do not use the -t argument
108 to name a table, the commands apply to the default filter table. Only
109 one command may be used on the command line at a time, except when the
110 commands -L and -Z are combined, the commands -N and -P are combined,
111 or when --atomic-file is used.
112 -A, --append
114 Append a rule to the end of the selected chain.
115 -D, --delete
117 Delete the specified rule or rules from the selected chain.
118 There are two ways to use this command. The first is by specify‐
119 ing an interval of rule numbers to delete (directly after -D).
120 Syntax: start_nr[:end_nr] (use -L --Ln to list the rules with
121 their rule number). When end_nr is omitted, all rules starting
122 from start_nr are deleted. Using negative numbers is allowed,
123 for more details about using negative numbers, see the -I com‐
124 mand. The second usage is by specifying the complete rule as it
125 would have been specified when it was added. Only the first
126 encountered rule that is the same as this specified rule, in
127 other words the matching rule with the lowest (positive) rule
128 number, is deleted.
129 -C, --change-counters
131 Change the counters of the specified rule or rules from the
132 selected chain. There are two ways to use this command. The
133 first is by specifying an interval of rule numbers to do the
134 changes on (directly after -C). Syntax: start_nr[:end_nr] (use
135 -L --Ln to list the rules with their rule number). The details
136 are the same as for the -D command. The second usage is by spec‐
137 ifying the complete rule as it would have been specified when it
138 was added. Only the counters of the first encountered rule that
139 is the same as this specified rule, in other words the matching
140 rule with the lowest (positive) rule number, are changed. In
141 the first usage, the counters are specified directly after the
142 interval specification, in the second usage directly after -C.
143 First the packet counter is specified, then the byte counter. If
144 the specified counters start with a '+', the counter values are
145 added to the respective current counter values. If the speci‐
146 fied counters start with a '-', the counter values are decreased
147 from the respective current counter values. No bounds checking
148 is done. If the counters don't start with '+' or '-', the cur‐
149 rent counters are changed to the specified counters.
150 -I, --insert
152 Insert the specified rule into the selected chain at the speci‐
153 fied rule number. If the rule number is not specified, the rule
154 is added at the head of the chain. If the current number of
155 rules equals N, then the specified number can be between -N and
156 N+1. For a positive number i, it holds that i and i-N-1 specify
157 the same place in the chain where the rule should be inserted.
158 The rule number 0 specifies the place past the last rule in the
159 chain and using this number is therefore equivalent to using the
160 -A command. Rule numbers structly smaller than 0 can be useful
161 when more than one rule needs to be inserted in a chain.
162 -P, --policy
164 Set the policy for the chain to the given target. The policy can
165 be ACCEPT, DROP or RETURN.
166 -F, --flush
168 Flush the selected chain. If no chain is selected, then every
169 chain will be flushed. Flushing a chain does not change the pol‐
170 icy of the chain, however.
171 -Z, --zero
173 Set the counters of the selected chain to zero. If no chain is
174 selected, all the counters are set to zero. The -Z command can
175 be used in conjunction with the -L command. When both the -Z
176 and -L commands are used together in this way, the rule counters
177 are printed on the screen before they are set to zero.
178 -L, --list
180 List all rules in the selected chain. If no chain is selected,
181 all chains are listed.
182 The following options change the output of the -L command.
183 --Ln
184 Places the rule number in front of every rule. This option is
185 incompatible with the --Lx option.
186 --Lc
187 Shows the counters at the end of each rule displayed by the -L
188 command. Both a frame counter (pcnt) and a byte counter (bcnt)
189 are displayed. The frame counter shows how many frames have
190 matched the specific rule, the byte counter shows the sum of the
191 frame sizes of these matching frames. Using this option in com‐
192 bination with the --Lx option causes the counters to be written
193 out in the '-c <pcnt> <bcnt>' option format.
194 --Lx
195 Changes the output so that it produces a set of ebtables com‐
196 mands that construct the contents of the chain, when specified.
197 If no chain is specified, ebtables commands to construct the
198 contents of the table are given, including commands for creating
199 the user-defined chains (if any). You can use this set of com‐
200 mands in an ebtables boot or reload script. For example the
201 output could be used at system startup. The --Lx option is
202 incompatible with the --Ln listing option. Using the --Lx option
203 together with the --Lc option will cause the counters to be
204 written out in the '-c <pcnt> <bcnt>' option format.
205 --Lmac2
206 Shows all MAC addresses with the same length, adding leading
207 zeroes if necessary. The default representation omits leading
208 zeroes in the addresses.
209 -N, --new-chain
211 Create a new user-defined chain with the given name. The number
212 of user-defined chains is limited only by the number of possible
213 chain names. A user-defined chain name has a maximum length of
214 31 characters. The standard policy of the user-defined chain is
215 ACCEPT. The policy of the new chain can be initialized to a dif‐
216 ferent standard target by using the -P command together with the
217 -N command. In this case, the chain name does not have to be
218 specified for the -P command.
219 -X, --delete-chain
221 Delete the specified user-defined chain. There must be no
222 remaining references (jumps) to the specified chain, otherwise
223 ebtables will refuse to delete it. If no chain is specified, all
224 user-defined chains that aren't referenced will be removed.
225 -E, --rename-chain
227 Rename the specified chain to a new name. Besides renaming a
228 user-defined chain, you can rename a standard chain to a name
229 that suits your taste. For example, if you like PREFORWARDING
230 more than PREROUTING, then you can use the -E command to rename
231 the PREROUTING chain. If you do rename one of the standard ebta‐
232 bles chain names, please be sure to mention this fact should you
233 post a question on the ebtables mailing lists. It would be wise
234 to use the standard name in your post. Renaming a standard ebta‐
235 bles chain in this fashion has no effect on the structure or
236 functioning of the ebtables kernel table.
237 --init-table
239 Replace the current table data by the initial table data.
240 --atomic-init
242 Copy the kernel's initial data of the table to the specified
243 file. This can be used as the first action, after which rules
244 are added to the file. The file can be specified using the
245 --atomic-file command or through the EBTABLES_ATOMIC_FILE envi‐
246 ronment variable.
247 --atomic-save
249 Copy the kernel's current data of the table to the specified
250 file. This can be used as the first action, after which rules
251 are added to the file. The file can be specified using the
252 --atomic-file command or through the EBTABLES_ATOMIC_FILE envi‐
253 ronment variable.
254 --atomic-commit
256 Replace the kernel table data with the data contained in the
257 specified file. This is a useful command that allows you to load
258 all your rules of a certain table into the kernel at once, sav‐
259 ing the kernel a lot of precious time and allowing atomic
260 updates of the tables. The file which contains the table data is
261 constructed by using either the --atomic-init or the --atomic-
262 save command to generate a starting file. After that, using the
263 --atomic-file command when constructing rules or setting the
264 EBTABLES_ATOMIC_FILE environment variable allows you to extend
265 the file and build the complete table before committing it to
266 the kernel. This command can be very useful in boot scripts to
267 populate the ebtables tables in a fast way.
268 MISCELLANOUS COMMANDS
270 -V, --version
271 Show the version of the ebtables userspace program.
272 -h, --help [list of module names]
274 Give a brief description of the command syntax. Here you can
275 also specify names of extensions and ebtables will try to write
276 help about those extensions. E.g. ebtables -h snat log ip arp.
277 Specify list_extensions to list all extensions supported by the
278 userspace utility.
279 -j, --jump target
281 The target of the rule. This is one of the following values:
282 ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
283 EXTENSIONS) or a user-defined chain name.
284 --atomic-file file
286 Let the command operate on the specified file. The data of the
287 table to operate on will be extracted from the file and the
288 result of the operation will be saved back into the file. If
289 specified, this option should come before the command specifica‐
290 tion. An alternative that should be preferred, is setting the
291 EBTABLES_ATOMIC_FILE environment variable.
292 -M, --modprobe program
294 When talking to the kernel, use this program to try to automati‐
295 cally load missing kernel modules.
296 RULE SPECIFICATIONS
299 The following command line arguments make up a rule specification (as
300 used in the add and delete commands). A "!" option before the specifi‐
301 cation inverts the test for that specification. Apart from these stan‐
302 dard rule specifications there are some other command line arguments of
303 interest. See both the MATCH EXTENSIONS and the WATCHER EXTENSIONS
304 below.
305 -p, --protocol [!] protocol
307 The protocol that was responsible for creating the frame. This
308 can be a hexadecimal number, above 0x0600, a name (e.g. ARP )
309 or LENGTH. The protocol field of the Ethernet frame can be used
310 to denote the length of the header (802.2/802.3 networks). When
311 the value of that field is below or equals 0x0600, the value
312 equals the size of the header and shouldn't be used as a proto‐
313 col number. Instead, all frames where the protocol field is used
314 as the length field are assumed to be of the same 'protocol'.
315 The protocol name used in ebtables for these frames is LENGTH.
316 The file /etc/ethertypes can be used to show readable characters
317 instead of hexadecimal numbers for the protocols. For example,
318 0x0800 will be represented by IPV4. The use of this file is not
319 case sensitive. See that file for more information. The flag
320 --proto is an alias for this option.
321 -i, --in-interface [!] name
323 The interface (bridge port) via which a frame is received (this
324 option is useful in the INPUT, FORWARD, PREROUTING and BROUTING
325 chains). If the interface name ends with '+', then any interface
326 name that begins with this name (disregarding '+') will match.
327 The flag --in-if is an alias for this option.
328 --logical-in [!] name
330 The (logical) bridge interface via which a frame is received
331 (this option is useful in the INPUT, FORWARD, PREROUTING and
332 BROUTING chains). If the interface name ends with '+', then any
333 interface name that begins with this name (disregarding '+')
334 will match.
335 -o, --out-interface [!] name
337 The interface (bridge port) via which a frame is going to be
338 sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
339 ING chains). If the interface name ends with '+', then any
340 interface name that begins with this name (disregarding '+')
341 will match. The flag --out-if is an alias for this option.
342 --logical-out [!] name
344 The (logical) bridge interface via which a frame is going to be
345 sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
346 ING chains). If the interface name ends with '+', then any
347 interface name that begins with this name (disregarding '+')
348 will match.
349 -s, --source [!] address[/mask]
351 The source MAC address. Both mask and address are written as 6
352 hexadecimal numbers separated by colons. Alternatively one can
353 specify Unicast, Multicast, Broadcast or BGA (Bridge Group
354 Address):
355 Unicast=00:00:00:00:00:00/01:00:00:00:00:00, Multi‐
356 cast=01:00:00:00:00:00/01:00:00:00:00:00, Broad‐
357 cast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
358 BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast
359 address will also match the multicast specification. The flag
360 --src is an alias for this option.
361 -d, --destination [!] address[/mask]
363 The destination MAC address. See -s (above) for more details on
364 MAC addresses. The flag --dst is an alias for this option.
365 -c, --set-counter pcnt bcnt
367 If used with -A or -I, then the packet and byte counters of the
368 new rule will be set to pcnt, resp. bcnt. If used with the -C
369 or -D commands, only rules with a packet and byte count equal to
370 pcnt, resp. bcnt will match.
371 MATCH EXTENSIONS
374 Ebtables extensions are dynamically loaded into the userspace tool,
375 there is therefore no need to explicitly load them with a -m option
376 like is done in iptables. These extensions deal with functionality
377 supported by kernel modules supplemental to the core ebtables code.
378 802_3
380 Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
381 specified as LENGTH (see the option -p above).
382 --802_3-sap [!] sap
384 DSAP and SSAP are two one byte 802.3 fields. The bytes are
385 always equal, so only one byte (hexadecimal) is needed as an
386 argument.
387 --802_3-type [!] type
389 If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
390 field must be consulted to determine the payload protocol. This
391 is a two byte (hexadecimal) argument. Only 802.3 frames with
392 DSAP/SSAP 0xaa are checked for type.
393 among
395 Match a MAC address or MAC/IP address pair versus a list of MAC
396 addresses and MAC/IP address pairs. A list entry has the following
397 format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
398 separated by a comma, specifying an IP address corresponding to the MAC
399 address is optional. Multiple MAC/IP address pairs with the same MAC
400 address but different IP address (and vice versa) can be specified. If
401 the MAC address doesn't match any entry from the list, the frame
402 doesn't match the rule (unless "!" was used).
403 --among-dst [!] list
405 Compare the MAC destination to the given list. If the Ethernet
406 frame has type IPv4 or ARP, then comparison with MAC/IP destina‐
407 tion address pairs from the list is possible.
408 --among-src [!] list
410 Compare the MAC source to the given list. If the Ethernet frame
411 has type IPv4 or ARP, then comparison with MAC/IP source address
412 pairs from the list is possible.
413 --among-dst-file [!] file
415 Same as --among-dst but the list is read in from the specified
416 file.
417 --among-src-file [!] file
419 Same as --among-src but the list is read in from the specified
420 file.
421 arp
423 Specify (R)ARP fields. The protocol must be specified as ARP or RARP.
424 --arp-opcode [!] opcode
426 The (R)ARP opcode (decimal or a string, for more details see
427 ebtables -h arp).
428 --arp-htype [!] hardware type
430 The hardware type, this can be a decimal or the string Ethernet
431 (which sets type to 1). Most (R)ARP packets have Eternet as
432 hardware type.
433 --arp-ptype [!] protocol type
435 The protocol type for which the (r)arp is used (hexadecimal or
436 the string IPv4, denoting 0x0800). Most (R)ARP packets have
437 protocol type IPv4.
438 --arp-ip-src [!] address[/mask]
440 The (R)ARP IP source address specification.
441 --arp-ip-dst [!] address[/mask]
443 The (R)ARP IP destination address specification.
444 --arp-mac-src [!] address[/mask]
446 The (R)ARP MAC source address specification.
447 --arp-mac-dst [!] address[/mask]
449 The (R)ARP MAC destination address specification.
450 [!] --arp-gratuitous
452 Checks for ARP gratuitous packets: checks equality of IPv4
453 source address and IPv4 destination address inside the ARP
454 header.
455 ip
457 Specify IPv4 fields. The protocol must be specified as IPv4.
458 --ip-source [!] address[/mask]
460 The source IP address. The flag --ip-src is an alias for this
461 option.
462 --ip-destination [!] address[/mask]
464 The destination IP address. The flag --ip-dst is an alias for
465 this option.
466 --ip-tos [!] tos
468 The IP type of service, in hexadecimal numbers. IPv4.
469 --ip-protocol [!] protocol
471 The IP protocol. The flag --ip-proto is an alias for this
472 option.
473 --ip-source-port [!] port1[:port2]
475 The source port or port range for the IP protocols 6 (TCP), 17
476 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
477 specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
478 0:port2 is used; if port2 is omitted but a colon is specified,
479 port1:65535 is used. The flag --ip-sport is an alias for this
480 option.
481 --ip-destination-port [!] port1[:port2]
483 The destination port or port range for ip protocols 6 (TCP), 17
484 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
485 specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
486 0:port2 is used; if port2 is omitted but a colon is specified,
487 port1:65535 is used. The flag --ip-dport is an alias for this
488 option.
489 limit
491 This module matches at a limited rate using a token bucket filter. A
492 rule using this extension will match until this limit is reached. It
493 can be used with the --log watcher to give limited logging, for exam‐
494 ple. Its use is the same as the limit match of iptables.
495 --limit [value]
497 Maximum average matching rate: specified as a number, with an
498 optional /second, /minute, /hour, or /day suffix; the default is
499 3/hour.
500 --limit-burst [number]
502 Maximum initial number of packets to match: this number gets
503 recharged by one every time the limit specified above is not
504 reached, up to this number; the default is 5.
505 mark_m
507 --mark [!] [value][/mask]
508 Matches frames with the given unsigned mark value. If a value
509 and mask are specified, the logical AND of the mark value of the
510 frame and the user-specified mask is taken before comparing it
511 with the user-specified mark value. When only a mark value is
512 specified, the packet only matches when the mark value of the
513 frame equals the user-specified mark value. If only a mask is
514 specified, the logical AND of the mark value of the frame and
515 the user-specified mask is taken and the frame matches when the
516 result of this logical AND is non-zero. Only specifying a mask
517 is useful to match multiple mark values.
518 pkttype
520 --pkttype-type [!] type
521 Matches on the Ethernet "class" of the frame, which is deter‐
522 mined by the generic networking code. Possible values: broadcast
523 (MAC destination is the broadcast address), multicast (MAC des‐
524 tination is a multicast address), host (MAC destination is the
525 receiving network device), or otherhost (none of the above).
526 stp
528 Specify stp BPDU (bridge protocol data unit) fields. The destination
529 address (-d) must be specified as the bridge group address (BGA). For
530 all options for which a range of values can be specified, it holds that
531 if the lower bound is omitted (but the colon is not), then the lowest
532 possible lower bound for that option is used, while if the upper bound
533 is omitted (but the colon again is not), the highest possible upper
534 bound for that option is used.
535 --stp-type [!] type
537 The BPDU type (0-255), recognized non-numerical types are con‐
538 fig, denoting a configuration BPDU (=0), and tcn, denothing a
539 topology change notification BPDU (=128).
540 --stp-flags [!] flag
542 The BPDU flag (0-255), recognized non-numerical flags are topol‐
543 ogy-change, denoting the topology change flag (=1), and topol‐
544 ogy-change-ack, denoting the topology change acknowledgement
545 flag (=128).
546 --stp-root-prio [!] [prio][:prio]
548 The root priority (0-65535) range.
549 --stp-root-addr [!] [address][/mask]
551 The root mac address, see the option -s for more details.
552 --stp-root-cost [!] [cost][:cost]
554 The root path cost (0-4294967295) range.
555 --stp-sender-prio [!] [prio][:prio]
557 The BPDU's sender priority (0-65535) range.
558 --stp-sender-addr [!] [address][/mask]
560 The BPDU's sender mac address, see the option -s for more
561 details.
562 --stp-port [!] [port][:port]
564 The port identifier (0-65535) range.
565 --stp-msg-age [!] [age][:age]
567 The message age timer (0-65535) range.
568 --stp-max-age [!] [age][:age]
570 The max age timer (0-65535) range.
571 --stp-hello-time [!] [time][:time]
573 The hello time timer (0-65535) range.
574 --stp-forward-delay [!] [delay][:delay]
576 The forward delay timer (0-65535) range.
577 vlan
579 Specify 802.1Q Tag Control Information fields. The protocol must be
580 specified as 802_1Q (0x8100).
581 --vlan-id [!] id
583 The VLAN identifier field (VID). Decimal number from 0 to 4095.
584 --vlan-prio [!] prio
586 The user priority field, a decimal number from 0 to 7. The VID
587 should be set to 0 ("null VID") or unspecified (in the latter
588 case the VID is deliberately set to 0).
589 --vlan-encap [!] type
591 The encapsulated Ethernet frame type/length. Specified as a
592 hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
593 from /etc/ethertypes.
594 WATCHER EXTENSIONS
597 Watchers only look at frames passing by, they don't modify them nor
598 decide to accept the frames or not. These watchers only see the frame
599 if the frame matches the rule, and they see it before the target is
600 executed.
601 log
603 The log watcher writes descriptive data about a frame to the syslog.
604 --log
606 Log with the default loggin options: log-level= info, log-pre‐
607 fix="", no ip logging, no arp logging.
608 --log-level level
610 Defines the logging level. For the possible values, see ebtables
611 -h log. The default level is info.
612 --log-prefix text
614 Defines the prefix text to be printed at the beginning of the
615 line with the logging information.
616 --log-ip
618 Will log the ip information when a frame made by the ip protocol
619 matches the rule. The default is no ip information logging.
620 --log-arp
622 Will log the (r)arp information when a frame made by the (r)arp
623 protocols matches the rule. The default is no (r)arp information
624 logging.
625 ulog
627 The ulog watcher passes the packet to a userspace logging daemon using
628 netlink multicast sockets. This differs from the log watcher in the
629 sense that the complete packet is sent to userspace instead of a
630 descriptive text and that netlink multicast sockets are used instead of
631 the syslog. This watcher enables parsing of packets with userspace
632 programs, the physical bridge in and out ports are also included in the
633 netlink messages. The ulog watcher module accepts 2 parameters when
634 the module is loaded into the kernel (e.g. with modprobe): nlbufsiz
635 specifies how big the buffer for each netlink multicast group is. If
636 you say nlbufsiz=8192, for example, up to eight kB of packets will get
637 accumulated in the kernel until they are sent to userspace. It is not
638 possible to allocate more than 128kB. Please also keep in mind that
639 this buffer size is allocated for each nlgroup you are using, so the
640 total kernel memory usage increases by that factor. The default is
641 4096. flushtimeout specifies after how many hundredths of a second the
642 queue should be flushed, even if it is not full yet. The default is 10
643 (one tenth of a second).
644 --ulog
646 Use the default settings: ulog-prefix="", ulog-nlgroup=1, ulog-
647 cprange=4096, ulog-qthreshold=1.
648 --ulog-prefix text
650 Defines the prefix included with the packets sent to userspace.
651 --ulog-nlgroup group
653 Defines which netlink group number to use (a number from 1 to
654 32). Make sure the netlink group numbers used for the iptables
655 ULOG target differ from those used for the ebtables ulog
656 watcher. The default group number is 1.
657 --ulog-cprange range
659 Defines the maximum copy range to userspace, for packets match‐
660 ing the rule. The default range is 0, which means the maximum
661 copy range is given by nlbufsiz. A maximum copy range larger
662 than 128*1024 is meaningless as the packets sent to userspace
663 have an upper size limit of 128*1024.
664 --ulog-qthreshold threshold
666 Queue at most threshold number of packets before sending them to
667 userspace with a netlink socket. Note that packets can be sent
668 to userspace before the queue is full, this happens when the
669 ulog kernel timer goes off (the frequency of this timer depends
670 on flushtimeout).
671 TARGET EXTENSIONS
673 arpreply
674 The arpreply target can be used in the PREROUTING chain of the nat ta‐
675 ble. If this target sees an ARP request it will automatically reply
676 with an ARP reply. The used MAC address for the reply can be specified.
677 The protocol must be specified as ARP. When the ARP message is not an
678 ARP request or when the ARP request isn't for an IP address on an Eth‐
679 ernet network, it is ignored by this target (CONTINUE). When the ARP
680 request is malformed, it is dropped (DROP).
681 --arpreply-mac address
683 Specifies the MAC address to reply with: the Ethernet source MAC
684 and the ARP payload source MAC will be filled in with this
685 address.
686 --arpreply-target target
688 Specifies the standard target. After sending the ARP reply, the
689 rule still has to give a standard target so ebtables knows what
690 to do with the ARP request. The default target is DROP.
691 dnat
693 The dnat target can only be used in the BROUTING chain of the broute
694 table and the PREROUTING and OUTPUT chains of the nat table. It speci‐
695 fies that the destination MAC address has to be changed.
696 --to-destination address
698 Change the destination MAC address to the specified address.
699 The flag --to-dst is an alias for this option.
700 --dnat-target target
702 Specifies the standard target. After doing the dnat, the rule
703 still has to give a standard target so ebtables knows what to do
704 with the dnated frame. The default target is ACCEPT. Making it
705 CONTINUE could let you use multiple target extensions on the
706 same frame. Making it DROP only makes sense in the BROUTING
707 chain but using the redirect target is more logical there.
708 RETURN is also allowed. Note that using RETURN in a base chain
709 is not allowed (for obvious reasons).
710 mark
712 The mark target can be used in every chain of every table. It is possi‐
713 ble to use the marking of a frame/packet in both ebtables and iptables,
714 if the bridge-nf code is compiled into the kernel. Both put the marking
715 at the same place. This allows for a form of communication between
716 ebtables and iptables.
717 --mark-set value
719 Mark the frame with the specified non-negative value.
720 --mark-or value
722 Or the frame with the specified non-negative value.
723 --mark-and value
725 And the frame with the specified non-negative value.
726 --mark-xor value
728 Xor the frame with the specified non-negative value.
729 --mark-target target
731 Specifies the standard target. After marking the frame, the rule
732 still has to give a standard target so ebtables knows what to
733 do. The default target is ACCEPT. Making it CONTINUE can let
734 you do other things with the frame in subsequent rules of the
735 chain.
736 redirect
738 The redirect target will change the MAC target address to that of the
739 bridge device the frame arrived on. This target can only be used in the
740 BROUTING chain of the broute table and the PREROUTING chain of the nat
741 table. In the BROUTING chain, the MAC address of the bridge port is
742 used as destination address, in the PREROUTING chain, the MAC address
743 of the bridge is used.
744 --redirect-target target
746 Specifies the standard target. After doing the MAC redirect, the
747 rule still has to give a standard target so ebtables knows what
748 to do. The default target is ACCEPT. Making it CONTINUE could
749 let you use multiple target extensions on the same frame. Making
750 it DROP in the BROUTING chain will let the frames be routed.
751 RETURN is also allowed. Note that using RETURN in a base chain
752 is not allowed.
753 snat
755 The snat target can only be used in the POSTROUTING chain of the nat
756 table. It specifies that the source MAC address has to be changed.
757 --to-source address
759 Changes the source MAC address to the specified address. The
760 flag --to-src is an alias for this option.
761 --snat-target target
763 Specifies the standard target. After doing the snat, the rule
764 still has to give a standard target so ebtables knows what to
765 do. The default target is ACCEPT. Making it CONTINUE could let
766 you use multiple target extensions on the same frame. Making it
767 DROP doesn't make sense, but you could do that too. RETURN is
768 also allowed. Note that using RETURN in a base chain is not
769 allowed.
770 --snat-arp
772 Also change the hardware source address inside the arp header if
773 the packet is an arp message and the hardware address length in
774 the arp header is 6 bytes.
775
777 /etc/ethertypes
778
780 EBTABLES_ATOMIC_FILE
781
783 ebtables-user@lists.sourceforge.net
784 ebtables-devel@lists.sourceforge.net
785
787 iptables(8), brctl(8), ifconfig(8), route(8)
788 May 2007 EBTABLES(8)