1EBTABLES(8) System Manager's Manual EBTABLES(8)
2
3
4
6 ebtables (v2.0.9-1) - Ethernet bridge frame table administration
7
9 ebtables [-t table ] -[ACDI] chain rule specification [match exten‐
10 sions] [watcher extensions] target
11 ebtables [-t table ] -P chain ACCEPT | DROP | RETURN
12 ebtables [-t table ] -F [chain]
13 ebtables [-t table ] -Z [chain]
14 ebtables [-t table ] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc]
15 [--Lmac2]
16 ebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]
17 ebtables [-t table ] -X [chain]
18 ebtables [-t table ] -E old-chain-name new-chain-name
19 ebtables [-t table ] --init-table
20 ebtables [-t table ] [--atomic-file file] --atomic-commit
21 ebtables [-t table ] [--atomic-file file] --atomic-init
22 ebtables [-t table ] [--atomic-file file] --atomic-save
23
25 ebtables is an application program used to set up and maintain the
26 tables of rules (inside the Linux kernel) that inspect Ethernet frames.
27 It is analogous to the iptables application, but less complicated, due
28 to the fact that the Ethernet protocol is much simpler than the IP pro‐
29 tocol.
30
31 CHAINS
32 There are three ebtables tables with built-in chains in the Linux ker‐
33 nel. These tables are used to divide functionality into different sets
34 of rules. Each set of rules is called a chain. Each chain is an
35 ordered list of rules that can match Ethernet frames. If a rule matches
36 an Ethernet frame, then a processing specification tells what to do
37 with that matching frame. The processing specification is called a
38 'target'. However, if the frame does not match the current rule in the
39 chain, then the next rule in the chain is examined and so forth. The
40 user can create new (user-defined) chains that can be used as the 'tar‐
41 get' of a rule. User-defined chains are very useful to get better per‐
42 formance over the linear traversal of the rules and are also essential
43 for structuring the filtering rules into well-organized and maintain‐
44 able sets of rules.
45
46 TARGETS
47 A firewall rule specifies criteria for an Ethernet frame and a frame
48 processing specification called a target. When a frame matches a rule,
49 then the next action performed by the kernel is specified by the tar‐
50 get. The target can be one of these values: ACCEPT, DROP, CONTINUE,
51 RETURN, an 'extension' (see below) or a jump to a user-defined chain.
52
53 ACCEPT means to let the frame through. DROP means the frame has to be
54 dropped. In the BROUTING chain however, the ACCEPT and DROP target have
55 different meanings (see the info provided for the -t option). CONTINUE
56 means the next rule has to be checked. This can be handy, f.e., to know
57 how many frames pass a certain point in the chain, to log those frames
58 or to apply multiple targets on a frame. RETURN means stop traversing
59 this chain and resume at the next rule in the previous (calling) chain.
60 For the extension targets please refer to the TARGET EXTENSIONS section
61 of this man page.
62
63 TABLES
64 As stated earlier, there are three ebtables tables in the Linux kernel.
65 The table names are filter, nat and broute. Of these three tables, the
66 filter table is the default table that the command operates on. If you
67 are working with the filter table, then you can drop the '-t filter'
68 argument to the ebtables command. However, you will need to provide
69 the -t argument for the other two tables. Moreover, the -t argument
70 must be the first argument on the ebtables command line, if used.
71
72 -t, --table
73 filter is the default table and contains three built-in chains:
74 INPUT (for frames destined for the bridge itself, on the level
75 of the MAC destination address), OUTPUT (for locally-generated
76 or (b)routed frames) and FORWARD (for frames being forwarded by
77 the bridge).
78 nat is mostly used to change the mac addresses and contains
79 three built-in chains: PREROUTING (for altering frames as soon
80 as they come in), OUTPUT (for altering locally generated or
81 (b)routed frames before they are bridged) and POSTROUTING (for
82 altering frames as they are about to go out). A small note on
83 the naming of chains PREROUTING and POSTROUTING: it would be
84 more accurate to call them PREFORWARDING and POSTFORWARDING, but
85 for all those who come from the iptables world to ebtables it is
86 easier to have the same names. Note that you can change the name
87 (-E) if you don't like the default.
88 broute is used to make a brouter, it has one built-in chain:
89 BROUTING. The targets DROP and ACCEPT have a special meaning in
90 the broute table (these names are used instead of more descrip‐
91 tive names to keep the implementation generic). DROP actually
92 means the frame has to be routed, while ACCEPT means the frame
93 has to be bridged. The BROUTING chain is traversed very early.
94 However, it is only traversed by frames entering on a bridge
95 port that is in forwarding state. Normally those frames would be
96 bridged, but you can decide otherwise here. The redirect target
97 is very handy here.
98
100 After the initial ebtables '-t table' command line argument, the
101 remaining arguments can be divided into several groups. These groups
102 are commands, miscellaneous commands, rule specifications, match exten‐
103 sions, watcher extensions and target extensions.
104
105 COMMANDS
106 The ebtables command arguments specify the actions to perform on the
107 table defined with the -t argument. If you do not use the -t argument
108 to name a table, the commands apply to the default filter table. Only
109 one command may be used on the command line at a time, except when the
110 commands -L and -Z are combined, the commands -N and -P are combined,
111 or when --atomic-file is used.
112
113 -A, --append
114 Append a rule to the end of the selected chain.
115
116 -D, --delete
117 Delete the specified rule or rules from the selected chain.
118 There are two ways to use this command. The first is by specify‐
119 ing an interval of rule numbers to delete (directly after -D).
120 Syntax: start_nr[:end_nr] (use -L --Ln to list the rules with
121 their rule number). When end_nr is omitted, all rules starting
122 from start_nr are deleted. Using negative numbers is allowed,
123 for more details about using negative numbers, see the -I com‐
124 mand. The second usage is by specifying the complete rule as it
125 would have been specified when it was added. Only the first
126 encountered rule that is the same as this specified rule, in
127 other words the matching rule with the lowest (positive) rule
128 number, is deleted.
129
130 -C, --change-counters
131 Change the counters of the specified rule or rules from the
132 selected chain. There are two ways to use this command. The
133 first is by specifying an interval of rule numbers to do the
134 changes on (directly after -C). Syntax: start_nr[:end_nr] (use
135 -L --Ln to list the rules with their rule number). The details
136 are the same as for the -D command. The second usage is by spec‐
137 ifying the complete rule as it would have been specified when it
138 was added. Only the counters of the first encountered rule that
139 is the same as this specified rule, in other words the matching
140 rule with the lowest (positive) rule number, are changed. In
141 the first usage, the counters are specified directly after the
142 interval specification, in the second usage directly after -C.
143 First the packet counter is specified, then the byte counter. If
144 the specified counters start with a '+', the counter values are
145 added to the respective current counter values. If the speci‐
146 fied counters start with a '-', the counter values are decreased
147 from the respective current counter values. No bounds checking
148 is done. If the counters don't start with '+' or '-', the cur‐
149 rent counters are changed to the specified counters.
150
151 -I, --insert
152 Insert the specified rule into the selected chain at the speci‐
153 fied rule number. If the rule number is not specified, the rule
154 is added at the head of the chain. If the current number of
155 rules equals N, then the specified number can be between -N and
156 N+1. For a positive number i, it holds that i and i-N-1 specify
157 the same place in the chain where the rule should be inserted.
158 The rule number 0 specifies the place past the last rule in the
159 chain and using this number is therefore equivalent to using the
160 -A command. Rule numbers structly smaller than 0 can be useful
161 when more than one rule needs to be inserted in a chain.
162
163 -P, --policy
164 Set the policy for the chain to the given target. The policy can
165 be ACCEPT, DROP or RETURN.
166
167 -F, --flush
168 Flush the selected chain. If no chain is selected, then every
169 chain will be flushed. Flushing a chain does not change the pol‐
170 icy of the chain, however.
171
172 -Z, --zero
173 Set the counters of the selected chain to zero. If no chain is
174 selected, all the counters are set to zero. The -Z command can
175 be used in conjunction with the -L command. When both the -Z
176 and -L commands are used together in this way, the rule counters
177 are printed on the screen before they are set to zero.
178
179 -L, --list
180 List all rules in the selected chain. If no chain is selected,
181 all chains are listed.
182 The following options change the output of the -L command.
183 --Ln
184 Places the rule number in front of every rule. This option is
185 incompatible with the --Lx option.
186 --Lc
187 Shows the counters at the end of each rule displayed by the -L
188 command. Both a frame counter (pcnt) and a byte counter (bcnt)
189 are displayed. The frame counter shows how many frames have
190 matched the specific rule, the byte counter shows the sum of the
191 frame sizes of these matching frames. Using this option in com‐
192 bination with the --Lx option causes the counters to be written
193 out in the '-c <pcnt> <bcnt>' option format.
194 --Lx
195 Changes the output so that it produces a set of ebtables com‐
196 mands that construct the contents of the chain, when specified.
197 If no chain is specified, ebtables commands to construct the
198 contents of the table are given, including commands for creating
199 the user-defined chains (if any). You can use this set of com‐
200 mands in an ebtables boot or reload script. For example the
201 output could be used at system startup. The --Lx option is
202 incompatible with the --Ln listing option. Using the --Lx option
203 together with the --Lc option will cause the counters to be
204 written out in the '-c <pcnt> <bcnt>' option format.
205 --Lmac2
206 Shows all MAC addresses with the same length, adding leading
207 zeroes if necessary. The default representation omits leading
208 zeroes in the addresses.
209
210 -N, --new-chain
211 Create a new user-defined chain with the given name. The number
212 of user-defined chains is limited only by the number of possible
213 chain names. A user-defined chain name has a maximum length of
214 31 characters. The standard policy of the user-defined chain is
215 ACCEPT. The policy of the new chain can be initialized to a dif‐
216 ferent standard target by using the -P command together with the
217 -N command. In this case, the chain name does not have to be
218 specified for the -P command.
219
220 -X, --delete-chain
221 Delete the specified user-defined chain. There must be no
222 remaining references (jumps) to the specified chain, otherwise
223 ebtables will refuse to delete it. If no chain is specified, all
224 user-defined chains that aren't referenced will be removed.
225
226 -E, --rename-chain
227 Rename the specified chain to a new name. Besides renaming a
228 user-defined chain, you can rename a standard chain to a name
229 that suits your taste. For example, if you like PREFORWARDING
230 more than PREROUTING, then you can use the -E command to rename
231 the PREROUTING chain. If you do rename one of the standard ebta‐
232 bles chain names, please be sure to mention this fact should you
233 post a question on the ebtables mailing lists. It would be wise
234 to use the standard name in your post. Renaming a standard ebta‐
235 bles chain in this fashion has no effect on the structure or
236 functioning of the ebtables kernel table.
237
238 --init-table
239 Replace the current table data by the initial table data.
240
241 --atomic-init
242 Copy the kernel's initial data of the table to the specified
243 file. This can be used as the first action, after which rules
244 are added to the file. The file can be specified using the
245 --atomic-file command or through the EBTABLES_ATOMIC_FILE envi‐
246 ronment variable.
247
248 --atomic-save
249 Copy the kernel's current data of the table to the specified
250 file. This can be used as the first action, after which rules
251 are added to the file. The file can be specified using the
252 --atomic-file command or through the EBTABLES_ATOMIC_FILE envi‐
253 ronment variable.
254
255 --atomic-commit
256 Replace the kernel table data with the data contained in the
257 specified file. This is a useful command that allows you to load
258 all your rules of a certain table into the kernel at once, sav‐
259 ing the kernel a lot of precious time and allowing atomic
260 updates of the tables. The file which contains the table data is
261 constructed by using either the --atomic-init or the --atomic-
262 save command to generate a starting file. After that, using the
263 --atomic-file command when constructing rules or setting the
264 EBTABLES_ATOMIC_FILE environment variable allows you to extend
265 the file and build the complete table before committing it to
266 the kernel. This command can be very useful in boot scripts to
267 populate the ebtables tables in a fast way.
268
269 MISCELLANOUS COMMANDS
270 -V, --version
271 Show the version of the ebtables userspace program.
272
273 -h, --help [list of module names]
274 Give a brief description of the command syntax. Here you can
275 also specify names of extensions and ebtables will try to write
276 help about those extensions. E.g. ebtables -h snat log ip arp.
277 Specify list_extensions to list all extensions supported by the
278 userspace utility.
279
280 -j, --jump target
281 The target of the rule. This is one of the following values:
282 ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
283 EXTENSIONS) or a user-defined chain name.
284
285 --atomic-file file
286 Let the command operate on the specified file. The data of the
287 table to operate on will be extracted from the file and the
288 result of the operation will be saved back into the file. If
289 specified, this option should come before the command specifica‐
290 tion. An alternative that should be preferred, is setting the
291 EBTABLES_ATOMIC_FILE environment variable.
292
293 -M, --modprobe program
294 When talking to the kernel, use this program to try to automati‐
295 cally load missing kernel modules.
296
297
298 RULE SPECIFICATIONS
299 The following command line arguments make up a rule specification (as
300 used in the add and delete commands). A "!" option before the specifi‐
301 cation inverts the test for that specification. Apart from these stan‐
302 dard rule specifications there are some other command line arguments of
303 interest. See both the MATCH EXTENSIONS and the WATCHER EXTENSIONS
304 below.
305
306 -p, --protocol [!] protocol
307 The protocol that was responsible for creating the frame. This
308 can be a hexadecimal number, above 0x0600, a name (e.g. ARP )
309 or LENGTH. The protocol field of the Ethernet frame can be used
310 to denote the length of the header (802.2/802.3 networks). When
311 the value of that field is below or equals 0x0600, the value
312 equals the size of the header and shouldn't be used as a proto‐
313 col number. Instead, all frames where the protocol field is used
314 as the length field are assumed to be of the same 'protocol'.
315 The protocol name used in ebtables for these frames is LENGTH.
316 The file /etc/ethertypes can be used to show readable characters
317 instead of hexadecimal numbers for the protocols. For example,
318 0x0800 will be represented by IPV4. The use of this file is not
319 case sensitive. See that file for more information. The flag
320 --proto is an alias for this option.
321
322 -i, --in-interface [!] name
323 The interface (bridge port) via which a frame is received (this
324 option is useful in the INPUT, FORWARD, PREROUTING and BROUTING
325 chains). If the interface name ends with '+', then any interface
326 name that begins with this name (disregarding '+') will match.
327 The flag --in-if is an alias for this option.
328
329 --logical-in [!] name
330 The (logical) bridge interface via which a frame is received
331 (this option is useful in the INPUT, FORWARD, PREROUTING and
332 BROUTING chains). If the interface name ends with '+', then any
333 interface name that begins with this name (disregarding '+')
334 will match.
335
336 -o, --out-interface [!] name
337 The interface (bridge port) via which a frame is going to be
338 sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
339 ING chains). If the interface name ends with '+', then any
340 interface name that begins with this name (disregarding '+')
341 will match. The flag --out-if is an alias for this option.
342
343 --logical-out [!] name
344 The (logical) bridge interface via which a frame is going to be
345 sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
346 ING chains). If the interface name ends with '+', then any
347 interface name that begins with this name (disregarding '+')
348 will match.
349
350 -s, --source [!] address[/mask]
351 The source MAC address. Both mask and address are written as 6
352 hexadecimal numbers separated by colons. Alternatively one can
353 specify Unicast, Multicast, Broadcast or BGA (Bridge Group
354 Address):
355 Unicast=00:00:00:00:00:00/01:00:00:00:00:00, Multi‐
356 cast=01:00:00:00:00:00/01:00:00:00:00:00, Broad‐
357 cast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
358 BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast
359 address will also match the multicast specification. The flag
360 --src is an alias for this option.
361
362 -d, --destination [!] address[/mask]
363 The destination MAC address. See -s (above) for more details on
364 MAC addresses. The flag --dst is an alias for this option.
365
366 -c, --set-counter pcnt bcnt
367 If used with -A or -I, then the packet and byte counters of the
368 new rule will be set to pcnt, resp. bcnt. If used with the -C
369 or -D commands, only rules with a packet and byte count equal to
370 pcnt, resp. bcnt will match.
371
372
373 MATCH EXTENSIONS
374 Ebtables extensions are dynamically loaded into the userspace tool,
375 there is therefore no need to explicitly load them with a -m option
376 like is done in iptables. These extensions deal with functionality
377 supported by kernel modules supplemental to the core ebtables code.
378
379 802_3
380 Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
381 specified as LENGTH (see the option -p above).
382
383 --802_3-sap [!] sap
384 DSAP and SSAP are two one byte 802.3 fields. The bytes are
385 always equal, so only one byte (hexadecimal) is needed as an
386 argument.
387
388 --802_3-type [!] type
389 If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
390 field must be consulted to determine the payload protocol. This
391 is a two byte (hexadecimal) argument. Only 802.3 frames with
392 DSAP/SSAP 0xaa are checked for type.
393
394 among
395 Match a MAC address or MAC/IP address pair versus a list of MAC
396 addresses and MAC/IP address pairs. A list entry has the following
397 format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
398 separated by a comma, specifying an IP address corresponding to the MAC
399 address is optional. Multiple MAC/IP address pairs with the same MAC
400 address but different IP address (and vice versa) can be specified. If
401 the MAC address doesn't match any entry from the list, the frame
402 doesn't match the rule (unless "!" was used).
403
404 --among-dst [!] list
405 Compare the MAC destination to the given list. If the Ethernet
406 frame has type IPv4 or ARP, then comparison with MAC/IP destina‐
407 tion address pairs from the list is possible.
408
409 --among-src [!] list
410 Compare the MAC source to the given list. If the Ethernet frame
411 has type IPv4 or ARP, then comparison with MAC/IP source address
412 pairs from the list is possible.
413
414 --among-dst-file [!] file
415 Same as --among-dst but the list is read in from the specified
416 file.
417
418 --among-src-file [!] file
419 Same as --among-src but the list is read in from the specified
420 file.
421
422 arp
423 Specify (R)ARP fields. The protocol must be specified as ARP or RARP.
424
425 --arp-opcode [!] opcode
426 The (R)ARP opcode (decimal or a string, for more details see
427 ebtables -h arp).
428
429 --arp-htype [!] hardware type
430 The hardware type, this can be a decimal or the string Ethernet
431 (which sets type to 1). Most (R)ARP packets have Eternet as
432 hardware type.
433
434 --arp-ptype [!] protocol type
435 The protocol type for which the (r)arp is used (hexadecimal or
436 the string IPv4, denoting 0x0800). Most (R)ARP packets have
437 protocol type IPv4.
438
439 --arp-ip-src [!] address[/mask]
440 The (R)ARP IP source address specification.
441
442 --arp-ip-dst [!] address[/mask]
443 The (R)ARP IP destination address specification.
444
445 --arp-mac-src [!] address[/mask]
446 The (R)ARP MAC source address specification.
447
448 --arp-mac-dst [!] address[/mask]
449 The (R)ARP MAC destination address specification.
450
451 [!] --arp-gratuitous
452 Checks for ARP gratuitous packets: checks equality of IPv4
453 source address and IPv4 destination address inside the ARP
454 header.
455
456 ip
457 Specify IPv4 fields. The protocol must be specified as IPv4.
458
459 --ip-source [!] address[/mask]
460 The source IP address. The flag --ip-src is an alias for this
461 option.
462
463 --ip-destination [!] address[/mask]
464 The destination IP address. The flag --ip-dst is an alias for
465 this option.
466
467 --ip-tos [!] tos
468 The IP type of service, in hexadecimal numbers. IPv4.
469
470 --ip-protocol [!] protocol
471 The IP protocol. The flag --ip-proto is an alias for this
472 option.
473
474 --ip-source-port [!] port1[:port2]
475 The source port or port range for the IP protocols 6 (TCP), 17
476 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
477 specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
478 0:port2 is used; if port2 is omitted but a colon is specified,
479 port1:65535 is used. The flag --ip-sport is an alias for this
480 option.
481
482 --ip-destination-port [!] port1[:port2]
483 The destination port or port range for ip protocols 6 (TCP), 17
484 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
485 specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
486 0:port2 is used; if port2 is omitted but a colon is specified,
487 port1:65535 is used. The flag --ip-dport is an alias for this
488 option.
489
490 ip6
491 Specify IPv6 fields. The protocol must be specified as IPv6.
492
493 --ip6-source [!] address[/mask]
494 The source IPv6 address. The flag --ip6-src is an alias for
495 this option.
496
497 --ip6-destination [!] address[/mask]
498 The destination IPv6 address. The flag --ip6-dst is an alias
499 for this option.
500
501 --ip6-tclass [!] tclass
502 The IPv6 traffic class, in hexadecimal numbers.
503
504 --ip6-protocol [!] protocol
505 The IP protocol. The flag --ip6-proto is an alias for this
506 option.
507
508 --ip6-source-port [!] port1[:port2]
509 The source port or port range for the IPv6 protocols 6 (TCP), 17
510 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option must
511 be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
512 0:port2 is used; if port2 is omitted but a colon is specified,
513 port1:65535 is used. The flag --ip6-sport is an alias for this
514 option.
515
516 --ip6-destination-port [!] port1[:port2]
517 The destination port or port range for IPv6 protocols 6 (TCP),
518 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option
519 must be specified as TCP, UDP, DCCP or SCTP. If port1 is omit‐
520 ted, 0:port2 is used; if port2 is omitted but a colon is speci‐
521 fied, port1:65535 is used. The flag --ip6-dport is an alias for
522 this option.
523
524 limit
525 This module matches at a limited rate using a token bucket filter. A
526 rule using this extension will match until this limit is reached. It
527 can be used with the --log watcher to give limited logging, for exam‐
528 ple. Its use is the same as the limit match of iptables.
529
530 --limit [value]
531 Maximum average matching rate: specified as a number, with an
532 optional /second, /minute, /hour, or /day suffix; the default is
533 3/hour.
534
535 --limit-burst [number]
536 Maximum initial number of packets to match: this number gets
537 recharged by one every time the limit specified above is not
538 reached, up to this number; the default is 5.
539
540 mark_m
541 --mark [!] [value][/mask]
542 Matches frames with the given unsigned mark value. If a value
543 and mask are specified, the logical AND of the mark value of the
544 frame and the user-specified mask is taken before comparing it
545 with the user-specified mark value. When only a mark value is
546 specified, the packet only matches when the mark value of the
547 frame equals the user-specified mark value. If only a mask is
548 specified, the logical AND of the mark value of the frame and
549 the user-specified mask is taken and the frame matches when the
550 result of this logical AND is non-zero. Only specifying a mask
551 is useful to match multiple mark values.
552
553 pkttype
554 --pkttype-type [!] type
555 Matches on the Ethernet "class" of the frame, which is deter‐
556 mined by the generic networking code. Possible values: broadcast
557 (MAC destination is the broadcast address), multicast (MAC des‐
558 tination is a multicast address), host (MAC destination is the
559 receiving network device), or otherhost (none of the above).
560
561 stp
562 Specify stp BPDU (bridge protocol data unit) fields. The destination
563 address (-d) must be specified as the bridge group address (BGA). For
564 all options for which a range of values can be specified, it holds that
565 if the lower bound is omitted (but the colon is not), then the lowest
566 possible lower bound for that option is used, while if the upper bound
567 is omitted (but the colon again is not), the highest possible upper
568 bound for that option is used.
569
570 --stp-type [!] type
571 The BPDU type (0-255), recognized non-numerical types are con‐
572 fig, denoting a configuration BPDU (=0), and tcn, denothing a
573 topology change notification BPDU (=128).
574
575 --stp-flags [!] flag
576 The BPDU flag (0-255), recognized non-numerical flags are topol‐
577 ogy-change, denoting the topology change flag (=1), and topol‐
578 ogy-change-ack, denoting the topology change acknowledgement
579 flag (=128).
580
581 --stp-root-prio [!] [prio][:prio]
582 The root priority (0-65535) range.
583
584 --stp-root-addr [!] [address][/mask]
585 The root mac address, see the option -s for more details.
586
587 --stp-root-cost [!] [cost][:cost]
588 The root path cost (0-4294967295) range.
589
590 --stp-sender-prio [!] [prio][:prio]
591 The BPDU's sender priority (0-65535) range.
592
593 --stp-sender-addr [!] [address][/mask]
594 The BPDU's sender mac address, see the option -s for more
595 details.
596
597 --stp-port [!] [port][:port]
598 The port identifier (0-65535) range.
599
600 --stp-msg-age [!] [age][:age]
601 The message age timer (0-65535) range.
602
603 --stp-max-age [!] [age][:age]
604 The max age timer (0-65535) range.
605
606 --stp-hello-time [!] [time][:time]
607 The hello time timer (0-65535) range.
608
609 --stp-forward-delay [!] [delay][:delay]
610 The forward delay timer (0-65535) range.
611
612 vlan
613 Specify 802.1Q Tag Control Information fields. The protocol must be
614 specified as 802_1Q (0x8100).
615
616 --vlan-id [!] id
617 The VLAN identifier field (VID). Decimal number from 0 to 4095.
618
619 --vlan-prio [!] prio
620 The user priority field, a decimal number from 0 to 7. The VID
621 should be set to 0 ("null VID") or unspecified (in the latter
622 case the VID is deliberately set to 0).
623
624 --vlan-encap [!] type
625 The encapsulated Ethernet frame type/length. Specified as a
626 hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
627 from /etc/ethertypes.
628
629
630 WATCHER EXTENSIONS
631 Watchers only look at frames passing by, they don't modify them nor
632 decide to accept the frames or not. These watchers only see the frame
633 if the frame matches the rule, and they see it before the target is
634 executed.
635
636 log
637 The log watcher writes descriptive data about a frame to the syslog.
638
639 --log
640 Log with the default loggin options: log-level= info, log-pre‐
641 fix="", no ip logging, no arp logging.
642
643 --log-level level
644 Defines the logging level. For the possible values, see ebtables
645 -h log. The default level is info.
646
647 --log-prefix text
648 Defines the prefix text to be printed at the beginning of the
649 line with the logging information.
650
651 --log-ip
652 Will log the ip information when a frame made by the ip protocol
653 matches the rule. The default is no ip information logging.
654
655 --log-ip6
656 Will log the ipv6 information when a frame made by the ipv6 pro‐
657 tocol matches the rule. The default is no ipv6 information log‐
658 ging.
659
660 --log-arp
661 Will log the (r)arp information when a frame made by the (r)arp
662 protocols matches the rule. The default is no (r)arp information
663 logging.
664
665 nflog
666 The nflog watcher passes the packet to the loaded logging backend in
667 order to log the packet. This is usually used in combination with
668 nfnetlink_log as logging backend, which will multicast the packet
669 through a netlink socket to the specified multicast group. One or more
670 userspace processes may subscribe to the group to receive the packets.
671
672 --nflog
673 Log with the default logging options
674
675 --nflog-group nlgroup
676 The netlink group (1 - 2^32-1) to which packets are (only appli‐
677 cable for nfnetlink_log). The default value is 1.
678
679 --nflog-prefix prefix
680 A prefix string to include in the log message, up to 30 charac‐
681 ters long, useful for distinguishing messages in the logs.
682
683 --nflog-range size
684 The number of bytes to be copied to userspace (only applicable
685 for nfnetlink_log). nfnetlink_log instances may specify their
686 own range, this option overrides it.
687
688 --nflog-threshold size
689 Number of packets to queue inside the kernel before sending them
690 to userspace (only applicable for nfnetlink_log). Higher values
691 result in less overhead per packet, but increase delay until the
692 packets reach userspace. The default value is 1.
693
694 ulog
695 The ulog watcher passes the packet to a userspace logging daemon using
696 netlink multicast sockets. This differs from the log watcher in the
697 sense that the complete packet is sent to userspace instead of a
698 descriptive text and that netlink multicast sockets are used instead of
699 the syslog. This watcher enables parsing of packets with userspace
700 programs, the physical bridge in and out ports are also included in the
701 netlink messages. The ulog watcher module accepts 2 parameters when
702 the module is loaded into the kernel (e.g. with modprobe): nlbufsiz
703 specifies how big the buffer for each netlink multicast group is. If
704 you say nlbufsiz=8192, for example, up to eight kB of packets will get
705 accumulated in the kernel until they are sent to userspace. It is not
706 possible to allocate more than 128kB. Please also keep in mind that
707 this buffer size is allocated for each nlgroup you are using, so the
708 total kernel memory usage increases by that factor. The default is
709 4096. flushtimeout specifies after how many hundredths of a second the
710 queue should be flushed, even if it is not full yet. The default is 10
711 (one tenth of a second).
712
713 --ulog
714 Use the default settings: ulog-prefix="", ulog-nlgroup=1, ulog-
715 cprange=4096, ulog-qthreshold=1.
716
717 --ulog-prefix text
718 Defines the prefix included with the packets sent to userspace.
719
720 --ulog-nlgroup group
721 Defines which netlink group number to use (a number from 1 to
722 32). Make sure the netlink group numbers used for the iptables
723 ULOG target differ from those used for the ebtables ulog
724 watcher. The default group number is 1.
725
726 --ulog-cprange range
727 Defines the maximum copy range to userspace, for packets match‐
728 ing the rule. The default range is 0, which means the maximum
729 copy range is given by nlbufsiz. A maximum copy range larger
730 than 128*1024 is meaningless as the packets sent to userspace
731 have an upper size limit of 128*1024.
732
733 --ulog-qthreshold threshold
734 Queue at most threshold number of packets before sending them to
735 userspace with a netlink socket. Note that packets can be sent
736 to userspace before the queue is full, this happens when the
737 ulog kernel timer goes off (the frequency of this timer depends
738 on flushtimeout).
739
740 TARGET EXTENSIONS
741 arpreply
742 The arpreply target can be used in the PREROUTING chain of the nat ta‐
743 ble. If this target sees an ARP request it will automatically reply
744 with an ARP reply. The used MAC address for the reply can be specified.
745 The protocol must be specified as ARP. When the ARP message is not an
746 ARP request or when the ARP request isn't for an IP address on an Eth‐
747 ernet network, it is ignored by this target (CONTINUE). When the ARP
748 request is malformed, it is dropped (DROP).
749
750 --arpreply-mac address
751 Specifies the MAC address to reply with: the Ethernet source MAC
752 and the ARP payload source MAC will be filled in with this
753 address.
754
755 --arpreply-target target
756 Specifies the standard target. After sending the ARP reply, the
757 rule still has to give a standard target so ebtables knows what
758 to do with the ARP request. The default target is DROP.
759
760 dnat
761 The dnat target can only be used in the BROUTING chain of the broute
762 table and the PREROUTING and OUTPUT chains of the nat table. It speci‐
763 fies that the destination MAC address has to be changed.
764
765 --to-destination address
766 Change the destination MAC address to the specified address.
767 The flag --to-dst is an alias for this option.
768
769 --dnat-target target
770 Specifies the standard target. After doing the dnat, the rule
771 still has to give a standard target so ebtables knows what to do
772 with the dnated frame. The default target is ACCEPT. Making it
773 CONTINUE could let you use multiple target extensions on the
774 same frame. Making it DROP only makes sense in the BROUTING
775 chain but using the redirect target is more logical there.
776 RETURN is also allowed. Note that using RETURN in a base chain
777 is not allowed (for obvious reasons).
778
779 mark
780 The mark target can be used in every chain of every table. It is possi‐
781 ble to use the marking of a frame/packet in both ebtables and iptables,
782 if the bridge-nf code is compiled into the kernel. Both put the marking
783 at the same place. This allows for a form of communication between
784 ebtables and iptables.
785
786 --mark-set value
787 Mark the frame with the specified non-negative value.
788
789 --mark-or value
790 Or the frame with the specified non-negative value.
791
792 --mark-and value
793 And the frame with the specified non-negative value.
794
795 --mark-xor value
796 Xor the frame with the specified non-negative value.
797
798 --mark-target target
799 Specifies the standard target. After marking the frame, the rule
800 still has to give a standard target so ebtables knows what to
801 do. The default target is ACCEPT. Making it CONTINUE can let
802 you do other things with the frame in subsequent rules of the
803 chain.
804
805 redirect
806 The redirect target will change the MAC target address to that of the
807 bridge device the frame arrived on. This target can only be used in the
808 BROUTING chain of the broute table and the PREROUTING chain of the nat
809 table. In the BROUTING chain, the MAC address of the bridge port is
810 used as destination address, in the PREROUTING chain, the MAC address
811 of the bridge is used.
812
813 --redirect-target target
814 Specifies the standard target. After doing the MAC redirect, the
815 rule still has to give a standard target so ebtables knows what
816 to do. The default target is ACCEPT. Making it CONTINUE could
817 let you use multiple target extensions on the same frame. Making
818 it DROP in the BROUTING chain will let the frames be routed.
819 RETURN is also allowed. Note that using RETURN in a base chain
820 is not allowed.
821
822 snat
823 The snat target can only be used in the POSTROUTING chain of the nat
824 table. It specifies that the source MAC address has to be changed.
825
826 --to-source address
827 Changes the source MAC address to the specified address. The
828 flag --to-src is an alias for this option.
829
830 --snat-target target
831 Specifies the standard target. After doing the snat, the rule
832 still has to give a standard target so ebtables knows what to
833 do. The default target is ACCEPT. Making it CONTINUE could let
834 you use multiple target extensions on the same frame. Making it
835 DROP doesn't make sense, but you could do that too. RETURN is
836 also allowed. Note that using RETURN in a base chain is not
837 allowed.
838
839 --snat-arp
840 Also change the hardware source address inside the arp header if
841 the packet is an arp message and the hardware address length in
842 the arp header is 6 bytes.
843
845 /etc/ethertypes
846
848 EBTABLES_ATOMIC_FILE
849
851 ebtables-user@lists.sourceforge.net
852 ebtables-devel@lists.sourceforge.net
853
855 iptables(8), brctl(8), ifconfig(8), route(8)
856
857
858
859 June 2009 EBTABLES(8)