1EBTABLES(8)                 System Manager's Manual                EBTABLES(8)
2
3
4

NAME

6       ebtables (v2.0.9-1) - Ethernet bridge frame table administration
7

SYNOPSIS

9       ebtables  [-t  table  ]  -[ACDI] chain rule specification [match exten‐
10       sions] [watcher extensions] target
11       ebtables [-t table ] -P chain ACCEPT | DROP | RETURN
12       ebtables [-t table ] -F [chain]
13       ebtables [-t table ] -Z [chain]
14       ebtables [-t table ] -L  [-Z]  [chain]  [  [--Ln]  |  [--Lx]  ]  [--Lc]
15       [--Lmac2]
16       ebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]
17       ebtables [-t table ] -X [chain]
18       ebtables [-t table ] -E old-chain-name new-chain-name
19       ebtables [-t table ] --init-table
20       ebtables [-t table ] [--atomic-file file] --atomic-commit
21       ebtables [-t table ] [--atomic-file file] --atomic-init
22       ebtables [-t table ] [--atomic-file file] --atomic-save
23

DESCRIPTION

25       ebtables  is  an  application  program  used to set up and maintain the
26       tables of rules (inside the Linux kernel) that inspect Ethernet frames.
27       It  is analogous to the iptables application, but less complicated, due
28       to the fact that the Ethernet protocol is much simpler than the IP pro‐
29       tocol.
30
31   CHAINS
32       There  are three ebtables tables with built-in chains in the Linux ker‐
33       nel. These tables are used to divide functionality into different  sets
34       of  rules.  Each  set  of  rules  is  called a chain.  Each chain is an
35       ordered list of rules that can match Ethernet frames. If a rule matches
36       an  Ethernet  frame,  then  a processing specification tells what to do
37       with that matching frame. The  processing  specification  is  called  a
38       'target'.  However, if the frame does not match the current rule in the
39       chain, then the next rule in the chain is examined and so  forth.   The
40       user can create new (user-defined) chains that can be used as the 'tar‐
41       get' of a rule. User-defined chains are very useful to get better  per‐
42       formance  over the linear traversal of the rules and are also essential
43       for structuring the filtering rules into well-organized  and  maintain‐
44       able sets of rules.
45
46   TARGETS
47       A  firewall  rule  specifies criteria for an Ethernet frame and a frame
48       processing specification called a target.  When a frame matches a rule,
49       then  the  next action performed by the kernel is specified by the tar‐
50       get.  The target can be one of these values:  ACCEPT,  DROP,  CONTINUE,
51       RETURN, an 'extension' (see below) or a jump to a user-defined chain.
52
53       ACCEPT  means to let the frame through.  DROP means the frame has to be
54       dropped. In the BROUTING chain however, the ACCEPT and DROP target have
55       different meanings (see the info provided for the -t option).  CONTINUE
56       means the next rule has to be checked. This can be handy, f.e., to know
57       how  many frames pass a certain point in the chain, to log those frames
58       or to apply multiple targets on a frame.  RETURN means stop  traversing
59       this chain and resume at the next rule in the previous (calling) chain.
60       For the extension targets please refer to the TARGET EXTENSIONS section
61       of this man page.
62
63   TABLES
64       As stated earlier, there are three ebtables tables in the Linux kernel.
65       The table names are filter, nat and broute.  Of these three tables, the
66       filter table is the default table that the command operates on.  If you
67       are working with the filter table, then you can drop  the  '-t  filter'
68       argument  to  the  ebtables command.  However, you will need to provide
69       the -t argument for the other two tables.  Moreover,  the  -t  argument
70       must be the first argument on the ebtables command line, if used.
71
72       -t, --table
73              filter  is the default table and contains three built-in chains:
74              INPUT (for frames destined for the bridge itself, on  the  level
75              of  the  MAC destination address), OUTPUT (for locally-generated
76              or (b)routed frames) and FORWARD (for frames being forwarded  by
77              the bridge).
78              nat  is  mostly  used  to  change the mac addresses and contains
79              three built-in chains: PREROUTING (for altering frames  as  soon
80              as  they  come  in),  OUTPUT  (for altering locally generated or
81              (b)routed frames before they are bridged) and  POSTROUTING  (for
82              altering  frames  as  they are about to go out). A small note on
83              the naming of chains PREROUTING and  POSTROUTING:  it  would  be
84              more accurate to call them PREFORWARDING and POSTFORWARDING, but
85              for all those who come from the iptables world to ebtables it is
86              easier to have the same names. Note that you can change the name
87              (-E) if you don't like the default.
88              broute is used to make a brouter, it  has  one  built-in  chain:
89              BROUTING.  The targets DROP and ACCEPT have a special meaning in
90              the broute table (these names are used instead of more  descrip‐
91              tive  names  to keep the implementation generic).  DROP actually
92              means the frame has to be routed, while ACCEPT means  the  frame
93              has  to  be bridged. The BROUTING chain is traversed very early.
94              However, it is only traversed by frames  entering  on  a  bridge
95              port that is in forwarding state. Normally those frames would be
96              bridged, but you can decide otherwise here. The redirect  target
97              is very handy here.
98

EBTABLES COMMAND LINE ARGUMENTS

100       After  the  initial  ebtables  '-t  table'  command  line argument, the
101       remaining arguments can be divided into several groups.   These  groups
102       are commands, miscellaneous commands, rule specifications, match exten‐
103       sions, watcher extensions and target extensions.
104
105   COMMANDS
106       The ebtables command arguments specify the actions to  perform  on  the
107       table  defined with the -t argument.  If you do not use the -t argument
108       to name a table, the commands apply to the default filter table.   Only
109       one  command may be used on the command line at a time, except when the
110       commands -L and -Z are combined, the commands -N and -P  are  combined,
111       or when --atomic-file is used.
112
113       -A, --append
114              Append a rule to the end of the selected chain.
115
116       -D, --delete
117              Delete  the  specified  rule  or  rules from the selected chain.
118              There are two ways to use this command. The first is by specify‐
119              ing  an  interval of rule numbers to delete (directly after -D).
120              Syntax: start_nr[:end_nr] (use -L --Ln to list  the  rules  with
121              their  rule  number). When end_nr is omitted, all rules starting
122              from start_nr are deleted. Using negative  numbers  is  allowed,
123              for  more  details about using negative numbers, see the -I com‐
124              mand. The second usage is by specifying the complete rule as  it
125              would  have  been  specified  when  it was added. Only the first
126              encountered rule that is the same as  this  specified  rule,  in
127              other  words  the  matching rule with the lowest (positive) rule
128              number, is deleted.
129
130       -C, --change-counters
131              Change the counters of the specified  rule  or  rules  from  the
132              selected  chain.  There  are  two  ways to use this command. The
133              first is by specifying an interval of rule  numbers  to  do  the
134              changes  on (directly after -C).  Syntax: start_nr[:end_nr] (use
135              -L --Ln to list the rules with their rule number).  The  details
136              are the same as for the -D command. The second usage is by spec‐
137              ifying the complete rule as it would have been specified when it
138              was  added. Only the counters of the first encountered rule that
139              is the same as this specified rule, in other words the  matching
140              rule  with  the  lowest (positive) rule number, are changed.  In
141              the first usage, the counters are specified directly  after  the
142              interval  specification,  in the second usage directly after -C.
143              First the packet counter is specified, then the byte counter. If
144              the  specified counters start with a '+', the counter values are
145              added to the respective current counter values.  If  the  speci‐
146              fied counters start with a '-', the counter values are decreased
147              from the respective current counter values. No  bounds  checking
148              is  done.  If the counters don't start with '+' or '-', the cur‐
149              rent counters are changed to the specified counters.
150
151       -I, --insert
152              Insert the specified rule into the selected chain at the  speci‐
153              fied  rule number. If the rule number is not specified, the rule
154              is added at the head of the chain.  If  the  current  number  of
155              rules  equals N, then the specified number can be between -N and
156              N+1.  For a positive number i, it holds that i and i-N-1 specify
157              the  same  place in the chain where the rule should be inserted.
158              The rule number 0 specifies the place past the last rule in  the
159              chain and using this number is therefore equivalent to using the
160              -A command.  Rule numbers structly smaller than 0 can be  useful
161              when more than one rule needs to be inserted in a chain.
162
163       -P, --policy
164              Set the policy for the chain to the given target. The policy can
165              be ACCEPT, DROP or RETURN.
166
167       -F, --flush
168              Flush the selected chain. If no chain is  selected,  then  every
169              chain will be flushed. Flushing a chain does not change the pol‐
170              icy of the chain, however.
171
172       -Z, --zero
173              Set the counters of the selected chain to zero. If no  chain  is
174              selected,  all  the counters are set to zero. The -Z command can
175              be used in conjunction with the -L command.  When  both  the  -Z
176              and -L commands are used together in this way, the rule counters
177              are printed on the screen before they are set to zero.
178
179       -L, --list
180              List all rules in the selected chain. If no chain  is  selected,
181              all chains are listed.
182              The following options change the output of the -L command.
183              --Ln
184              Places  the  rule  number in front of every rule. This option is
185              incompatible with the --Lx option.
186              --Lc
187              Shows the counters at the end of each rule displayed by  the  -L
188              command.  Both  a frame counter (pcnt) and a byte counter (bcnt)
189              are displayed.  The frame counter shows  how  many  frames  have
190              matched the specific rule, the byte counter shows the sum of the
191              frame sizes of these matching frames. Using this option in  com‐
192              bination  with the --Lx option causes the counters to be written
193              out in the '-c <pcnt> <bcnt>' option format.
194              --Lx
195              Changes the output so that it produces a set  of  ebtables  com‐
196              mands  that construct the contents of the chain, when specified.
197              If no chain is specified, ebtables  commands  to  construct  the
198              contents of the table are given, including commands for creating
199              the user-defined chains (if any).  You can use this set of  com‐
200              mands  in  an  ebtables  boot or reload script.  For example the
201              output could be used at system  startup.   The  --Lx  option  is
202              incompatible with the --Ln listing option. Using the --Lx option
203              together with the --Lc option will  cause  the  counters  to  be
204              written out in the '-c <pcnt> <bcnt>' option format.
205              --Lmac2
206              Shows  all  MAC  addresses  with the same length, adding leading
207              zeroes if necessary. The default  representation  omits  leading
208              zeroes in the addresses.
209
210       -N, --new-chain
211              Create  a new user-defined chain with the given name. The number
212              of user-defined chains is limited only by the number of possible
213              chain  names.  A user-defined chain name has a maximum length of
214              31 characters. The standard policy of the user-defined chain  is
215              ACCEPT. The policy of the new chain can be initialized to a dif‐
216              ferent standard target by using the -P command together with the
217              -N  command.  In  this  case, the chain name does not have to be
218              specified for the -P command.
219
220       -X, --delete-chain
221              Delete the  specified  user-defined  chain.  There  must  be  no
222              remaining  references  (jumps) to the specified chain, otherwise
223              ebtables will refuse to delete it. If no chain is specified, all
224              user-defined chains that aren't referenced will be removed.
225
226       -E, --rename-chain
227              Rename  the  specified  chain to a new name.  Besides renaming a
228              user-defined chain, you can rename a standard chain  to  a  name
229              that  suits  your  taste. For example, if you like PREFORWARDING
230              more than PREROUTING, then you can use the -E command to  rename
231              the PREROUTING chain. If you do rename one of the standard ebta‐
232              bles chain names, please be sure to mention this fact should you
233              post a question on the ebtables mailing lists.  It would be wise
234              to use the standard name in your post. Renaming a standard ebta‐
235              bles  chain  in  this  fashion has no effect on the structure or
236              functioning of the ebtables kernel table.
237
238       --init-table
239              Replace the current table data by the initial table data.
240
241       --atomic-init
242              Copy the kernel's initial data of the  table  to  the  specified
243              file.  This  can  be used as the first action, after which rules
244              are added to the file. The  file  can  be  specified  using  the
245              --atomic-file  command or through the EBTABLES_ATOMIC_FILE envi‐
246              ronment variable.
247
248       --atomic-save
249              Copy the kernel's current data of the  table  to  the  specified
250              file.  This  can  be used as the first action, after which rules
251              are added to the file. The  file  can  be  specified  using  the
252              --atomic-file  command or through the EBTABLES_ATOMIC_FILE envi‐
253              ronment variable.
254
255       --atomic-commit
256              Replace the kernel table data with the  data  contained  in  the
257              specified file. This is a useful command that allows you to load
258              all your rules of a certain table into the kernel at once,  sav‐
259              ing  the  kernel  a  lot  of  precious  time and allowing atomic
260              updates of the tables. The file which contains the table data is
261              constructed  by  using either the --atomic-init or the --atomic-
262              save command to generate a starting file. After that, using  the
263              --atomic-file  command  when  constructing  rules or setting the
264              EBTABLES_ATOMIC_FILE environment variable allows you  to  extend
265              the  file  and  build the complete table before committing it to
266              the kernel. This command can be very useful in boot  scripts  to
267              populate the ebtables tables in a fast way.
268
269   MISCELLANOUS COMMANDS
270       -V, --version
271              Show the version of the ebtables userspace program.
272
273       -h, --help [list of module names]
274              Give  a  brief  description  of the command syntax. Here you can
275              also specify names of extensions and ebtables will try to  write
276              help  about those extensions. E.g.  ebtables -h snat log ip arp.
277              Specify list_extensions to list all extensions supported by  the
278              userspace utility.
279
280       -j, --jump target
281              The  target  of  the  rule. This is one of the following values:
282              ACCEPT, DROP, CONTINUE, RETURN, a target extension  (see  TARGET
283              EXTENSIONS) or a user-defined chain name.
284
285       --atomic-file file
286              Let  the command operate on the specified file.  The data of the
287              table to operate on will be extracted  from  the  file  and  the
288              result  of  the  operation  will be saved back into the file. If
289              specified, this option should come before the command specifica‐
290              tion.  An  alternative  that should be preferred, is setting the
291              EBTABLES_ATOMIC_FILE environment variable.
292
293       -M, --modprobe program
294              When talking to the kernel, use this program to try to automati‐
295              cally load missing kernel modules.
296
297
298   RULE SPECIFICATIONS
299       The  following  command line arguments make up a rule specification (as
300       used in the add and delete commands). A "!" option before the  specifi‐
301       cation  inverts the test for that specification. Apart from these stan‐
302       dard rule specifications there are some other command line arguments of
303       interest.   See  both  the  MATCH EXTENSIONS and the WATCHER EXTENSIONS
304       below.
305
306       -p, --protocol [!] protocol
307              The protocol that was responsible for creating the  frame.  This
308              can  be  a hexadecimal number, above 0x0600, a name (e.g.  ARP )
309              or LENGTH.  The protocol field of the Ethernet frame can be used
310              to  denote the length of the header (802.2/802.3 networks). When
311              the value of that field is below or  equals  0x0600,  the  value
312              equals  the size of the header and shouldn't be used as a proto‐
313              col number. Instead, all frames where the protocol field is used
314              as  the  length  field are assumed to be of the same 'protocol'.
315              The protocol name used in ebtables for these frames is LENGTH.
316              The file /etc/ethertypes can be used to show readable characters
317              instead  of  hexadecimal numbers for the protocols. For example,
318              0x0800 will be represented by IPV4.  The use of this file is not
319              case  sensitive.   See  that file for more information. The flag
320              --proto is an alias for this option.
321
322       -i, --in-interface [!] name
323              The interface (bridge port) via which a frame is received  (this
324              option  is useful in the INPUT, FORWARD, PREROUTING and BROUTING
325              chains). If the interface name ends with '+', then any interface
326              name  that  begins with this name (disregarding '+') will match.
327              The flag --in-if is an alias for this option.
328
329       --logical-in [!] name
330              The (logical) bridge interface via which  a  frame  is  received
331              (this  option  is  useful  in the INPUT, FORWARD, PREROUTING and
332              BROUTING chains).  If the interface name ends with '+', then any
333              interface  name  that  begins  with this name (disregarding '+')
334              will match.
335
336       -o, --out-interface [!] name
337              The interface (bridge port) via which a frame  is  going  to  be
338              sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
339              ING chains). If the interface  name  ends  with  '+',  then  any
340              interface  name  that  begins  with this name (disregarding '+')
341              will match.  The flag --out-if is an alias for this option.
342
343       --logical-out [!] name
344              The (logical) bridge interface via which a frame is going to  be
345              sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
346              ING chains).  If the interface name  ends  with  '+',  then  any
347              interface  name  that  begins  with this name (disregarding '+')
348              will match.
349
350       -s, --source [!] address[/mask]
351              The source MAC address. Both mask and address are written  as  6
352              hexadecimal  numbers  separated by colons. Alternatively one can
353              specify Unicast,  Multicast,  Broadcast  or  BGA  (Bridge  Group
354              Address):
355              Unicast=00:00:00:00:00:00/01:00:00:00:00:00,              Multi‐
356              cast=01:00:00:00:00:00/01:00:00:00:00:00,                 Broad‐
357              cast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff                      or
358              BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff.  Note that a  broadcast
359              address  will  also  match the multicast specification. The flag
360              --src is an alias for this option.
361
362       -d, --destination [!] address[/mask]
363              The destination MAC address. See -s (above) for more details  on
364              MAC addresses. The flag --dst is an alias for this option.
365
366       -c, --set-counter pcnt bcnt
367              If  used with -A or -I, then the packet and byte counters of the
368              new rule will be set to pcnt, resp. bcnt.  If used with  the  -C
369              or -D commands, only rules with a packet and byte count equal to
370              pcnt, resp. bcnt will match.
371
372
373   MATCH EXTENSIONS
374       Ebtables extensions are dynamically loaded  into  the  userspace  tool,
375       there  is  therefore  no  need to explicitly load them with a -m option
376       like is done in iptables.  These  extensions  deal  with  functionality
377       supported by kernel modules supplemental to the core ebtables code.
378
379   802_3
380       Specify  802.3  DSAP/SSAP  fields  or  SNAP type.  The protocol must be
381       specified as LENGTH (see the option  -p above).
382
383       --802_3-sap [!] sap
384              DSAP and SSAP are two one byte  802.3  fields.   The  bytes  are
385              always  equal,  so  only  one byte (hexadecimal) is needed as an
386              argument.
387
388       --802_3-type [!] type
389              If the 802.3 DSAP and SSAP values are 0xaa then  the  SNAP  type
390              field must be consulted to determine the payload protocol.  This
391              is a two byte (hexadecimal) argument.  Only  802.3  frames  with
392              DSAP/SSAP 0xaa are checked for type.
393
394   among
395       Match  a  MAC  address  or  MAC/IP  address  pair  versus a list of MAC
396       addresses and MAC/IP address pairs.  A list  entry  has  the  following
397       format:  xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,].  Multiple list entries are
398       separated by a comma, specifying an IP address corresponding to the MAC
399       address  is  optional.  Multiple MAC/IP address pairs with the same MAC
400       address but different IP address (and vice versa) can be specified.  If
401       the  MAC  address  doesn't  match  any  entry  from the list, the frame
402       doesn't match the rule (unless "!" was used).
403
404       --among-dst [!] list
405              Compare the MAC destination to the given list. If  the  Ethernet
406              frame has type IPv4 or ARP, then comparison with MAC/IP destina‐
407              tion address pairs from the list is possible.
408
409       --among-src [!] list
410              Compare the MAC source to the given list. If the Ethernet  frame
411              has type IPv4 or ARP, then comparison with MAC/IP source address
412              pairs from the list is possible.
413
414       --among-dst-file [!] file
415              Same as --among-dst but the list is read in from  the  specified
416              file.
417
418       --among-src-file [!] file
419              Same  as  --among-src but the list is read in from the specified
420              file.
421
422   arp
423       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.
424
425       --arp-opcode [!] opcode
426              The (R)ARP opcode (decimal or a string,  for  more  details  see
427              ebtables -h arp).
428
429       --arp-htype [!] hardware type
430              The  hardware type, this can be a decimal or the string Ethernet
431              (which sets type to 1). Most  (R)ARP  packets  have  Eternet  as
432              hardware type.
433
434       --arp-ptype [!] protocol type
435              The  protocol  type for which the (r)arp is used (hexadecimal or
436              the string IPv4, denoting 0x0800).   Most  (R)ARP  packets  have
437              protocol type IPv4.
438
439       --arp-ip-src [!] address[/mask]
440              The (R)ARP IP source address specification.
441
442       --arp-ip-dst [!] address[/mask]
443              The (R)ARP IP destination address specification.
444
445       --arp-mac-src [!] address[/mask]
446              The (R)ARP MAC source address specification.
447
448       --arp-mac-dst [!] address[/mask]
449              The (R)ARP MAC destination address specification.
450
451       [!] --arp-gratuitous
452              Checks  for  ARP  gratuitous  packets:  checks  equality of IPv4
453              source address and  IPv4  destination  address  inside  the  ARP
454              header.
455
456   ip
457       Specify IPv4 fields. The protocol must be specified as IPv4.
458
459       --ip-source [!] address[/mask]
460              The  source  IP address.  The flag --ip-src is an alias for this
461              option.
462
463       --ip-destination [!] address[/mask]
464              The destination IP address.  The flag --ip-dst is an  alias  for
465              this option.
466
467       --ip-tos [!] tos
468              The IP type of service, in hexadecimal numbers.  IPv4.
469
470       --ip-protocol [!] protocol
471              The  IP  protocol.   The  flag  --ip-proto  is an alias for this
472              option.
473
474       --ip-source-port [!] port1[:port2]
475              The source port or port range for the IP protocols 6  (TCP),  17
476              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
477              specified as TCP, UDP, DCCP  or  SCTP.   If  port1  is  omitted,
478              0:port2  is  used; if port2 is omitted but a colon is specified,
479              port1:65535 is used.  The flag --ip-sport is an alias  for  this
480              option.
481
482       --ip-destination-port [!] port1[:port2]
483              The  destination port or port range for ip protocols 6 (TCP), 17
484              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
485              specified  as  TCP,  UDP,  DCCP  or  SCTP.  If port1 is omitted,
486              0:port2 is used; if port2 is omitted but a colon  is  specified,
487              port1:65535  is  used.  The flag --ip-dport is an alias for this
488              option.
489
490   ip6
491       Specify IPv6 fields. The protocol must be specified as IPv6.
492
493       --ip6-source [!] address[/mask]
494              The source IPv6 address.  The flag --ip6-src  is  an  alias  for
495              this option.
496
497       --ip6-destination [!] address[/mask]
498              The  destination  IPv6  address.  The flag --ip6-dst is an alias
499              for this option.
500
501       --ip6-tclass [!] tclass
502              The IPv6 traffic class, in hexadecimal numbers.
503
504       --ip6-protocol [!] protocol
505              The IP protocol.  The flag --ip6-proto  is  an  alias  for  this
506              option.
507
508       --ip6-source-port [!] port1[:port2]
509              The source port or port range for the IPv6 protocols 6 (TCP), 17
510              (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol  option  must
511              be  specified  as  TCP, UDP, DCCP or SCTP.  If port1 is omitted,
512              0:port2 is used; if port2 is omitted but a colon  is  specified,
513              port1:65535  is used.  The flag --ip6-sport is an alias for this
514              option.
515
516       --ip6-destination-port [!] port1[:port2]
517              The destination port or port range for IPv6 protocols  6  (TCP),
518              17  (UDP),  33  (DCCP)  or 132 (SCTP). The --ip6-protocol option
519              must be specified as TCP, UDP, DCCP or SCTP.  If port1 is  omit‐
520              ted,  0:port2 is used; if port2 is omitted but a colon is speci‐
521              fied, port1:65535 is used.  The flag --ip6-dport is an alias for
522              this option.
523
524   limit
525       This  module  matches at a limited rate using a token bucket filter.  A
526       rule using this extension will match until this limit is  reached.   It
527       can  be  used with the --log watcher to give limited logging, for exam‐
528       ple. Its use is the same as the limit match of iptables.
529
530       --limit [value]
531              Maximum average matching rate: specified as a  number,  with  an
532              optional /second, /minute, /hour, or /day suffix; the default is
533              3/hour.
534
535       --limit-burst [number]
536              Maximum initial number of packets to  match:  this  number  gets
537              recharged  by  one  every  time the limit specified above is not
538              reached, up to this number; the default is 5.
539
540   mark_m
541       --mark [!] [value][/mask]
542              Matches frames with the given unsigned mark value.  If  a  value
543              and mask are specified, the logical AND of the mark value of the
544              frame and the user-specified mask is taken before  comparing  it
545              with  the  user-specified  mark value. When only a mark value is
546              specified, the packet only matches when the mark  value  of  the
547              frame  equals  the user-specified mark value.  If only a mask is
548              specified, the logical AND of the mark value of  the  frame  and
549              the  user-specified mask is taken and the frame matches when the
550              result of this logical AND is non-zero. Only specifying  a  mask
551              is useful to match multiple mark values.
552
553   pkttype
554       --pkttype-type [!] type
555              Matches  on  the  Ethernet "class" of the frame, which is deter‐
556              mined by the generic networking code. Possible values: broadcast
557              (MAC  destination is the broadcast address), multicast (MAC des‐
558              tination is a multicast address), host (MAC destination  is  the
559              receiving network device), or otherhost (none of the above).
560
561   stp
562       Specify  stp  BPDU  (bridge protocol data unit) fields. The destination
563       address (-d) must be specified as the bridge group address (BGA).   For
564       all options for which a range of values can be specified, it holds that
565       if the lower bound is omitted (but the colon is not), then  the  lowest
566       possible  lower bound for that option is used, while if the upper bound
567       is omitted (but the colon again is not),  the  highest  possible  upper
568       bound for that option is used.
569
570       --stp-type [!] type
571              The  BPDU  type (0-255), recognized non-numerical types are con‐
572              fig, denoting a configuration BPDU (=0), and  tcn,  denothing  a
573              topology change notification BPDU (=128).
574
575       --stp-flags [!] flag
576              The BPDU flag (0-255), recognized non-numerical flags are topol‐
577              ogy-change, denoting the topology change flag (=1),  and  topol‐
578              ogy-change-ack,  denoting  the  topology  change acknowledgement
579              flag (=128).
580
581       --stp-root-prio [!] [prio][:prio]
582              The root priority (0-65535) range.
583
584       --stp-root-addr [!] [address][/mask]
585              The root mac address, see the option -s for more details.
586
587       --stp-root-cost [!] [cost][:cost]
588              The root path cost (0-4294967295) range.
589
590       --stp-sender-prio [!] [prio][:prio]
591              The BPDU's sender priority (0-65535) range.
592
593       --stp-sender-addr [!] [address][/mask]
594              The BPDU's sender mac  address,  see  the  option  -s  for  more
595              details.
596
597       --stp-port [!] [port][:port]
598              The port identifier (0-65535) range.
599
600       --stp-msg-age [!] [age][:age]
601              The message age timer (0-65535) range.
602
603       --stp-max-age [!] [age][:age]
604              The max age timer (0-65535) range.
605
606       --stp-hello-time [!] [time][:time]
607              The hello time timer (0-65535) range.
608
609       --stp-forward-delay [!] [delay][:delay]
610              The forward delay timer (0-65535) range.
611
612   vlan
613       Specify  802.1Q  Tag  Control Information fields.  The protocol must be
614       specified as 802_1Q (0x8100).
615
616       --vlan-id [!] id
617              The VLAN identifier field (VID). Decimal number from 0 to 4095.
618
619       --vlan-prio [!] prio
620              The user priority field, a decimal number from 0 to 7.  The  VID
621              should  be  set  to 0 ("null VID") or unspecified (in the latter
622              case the VID is deliberately set to 0).
623
624       --vlan-encap [!] type
625              The encapsulated Ethernet frame  type/length.   Specified  as  a
626              hexadecimal  number  from 0x0000 to 0xFFFF or as a symbolic name
627              from /etc/ethertypes.
628
629
630   WATCHER EXTENSIONS
631       Watchers only look at frames passing by, they  don't  modify  them  nor
632       decide  to  accept the frames or not. These watchers only see the frame
633       if the frame matches the rule, and they see it  before  the  target  is
634       executed.
635
636   log
637       The log watcher writes descriptive data about a frame to the syslog.
638
639       --log
640              Log  with  the default loggin options: log-level= info, log-pre‐
641              fix="", no ip logging, no arp logging.
642
643       --log-level level
644              Defines the logging level. For the possible values, see ebtables
645              -h log.  The default level is info.
646
647       --log-prefix text
648              Defines  the  prefix  text to be printed at the beginning of the
649              line with the logging information.
650
651       --log-ip
652              Will log the ip information when a frame made by the ip protocol
653              matches the rule. The default is no ip information logging.
654
655       --log-ip6
656              Will log the ipv6 information when a frame made by the ipv6 pro‐
657              tocol matches the rule. The default is no ipv6 information  log‐
658              ging.
659
660       --log-arp
661              Will  log the (r)arp information when a frame made by the (r)arp
662              protocols matches the rule. The default is no (r)arp information
663              logging.
664
665   nflog
666       The  nflog  watcher  passes the packet to the loaded logging backend in
667       order to log the packet. This  is  usually  used  in  combination  with
668       nfnetlink_log  as  logging  backend,  which  will  multicast the packet
669       through a netlink socket to the specified multicast group. One or  more
670       userspace processes may subscribe to the group to receive the packets.
671
672       --nflog
673              Log with the default logging options
674
675       --nflog-group nlgroup
676              The netlink group (1 - 2^32-1) to which packets are (only appli‐
677              cable for nfnetlink_log). The default value is 1.
678
679       --nflog-prefix prefix
680              A prefix string to include in the log message, up to 30  charac‐
681              ters long, useful for distinguishing messages in the logs.
682
683       --nflog-range size
684              The  number  of bytes to be copied to userspace (only applicable
685              for nfnetlink_log). nfnetlink_log instances  may  specify  their
686              own range, this option overrides it.
687
688       --nflog-threshold size
689              Number of packets to queue inside the kernel before sending them
690              to userspace (only applicable for nfnetlink_log). Higher  values
691              result in less overhead per packet, but increase delay until the
692              packets reach userspace. The default value is 1.
693
694   ulog
695       The ulog watcher passes the packet to a userspace logging daemon  using
696       netlink  multicast  sockets.  This  differs from the log watcher in the
697       sense that the complete packet  is  sent  to  userspace  instead  of  a
698       descriptive text and that netlink multicast sockets are used instead of
699       the syslog.  This watcher enables parsing  of  packets  with  userspace
700       programs, the physical bridge in and out ports are also included in the
701       netlink messages.  The ulog watcher module accepts  2  parameters  when
702       the  module  is  loaded  into the kernel (e.g. with modprobe): nlbufsiz
703       specifies how big the buffer for each netlink multicast  group  is.  If
704       you  say nlbufsiz=8192, for example, up to eight kB of packets will get
705       accumulated in the kernel until they are sent to userspace. It  is  not
706       possible  to  allocate  more  than 128kB. Please also keep in mind that
707       this buffer size is allocated for each nlgroup you are  using,  so  the
708       total  kernel  memory  usage  increases  by that factor. The default is
709       4096.  flushtimeout specifies after how many hundredths of a second the
710       queue  should be flushed, even if it is not full yet. The default is 10
711       (one tenth of a second).
712
713       --ulog
714              Use the default settings: ulog-prefix="", ulog-nlgroup=1,  ulog-
715              cprange=4096, ulog-qthreshold=1.
716
717       --ulog-prefix text
718              Defines the prefix included with the packets sent to userspace.
719
720       --ulog-nlgroup group
721              Defines  which  netlink  group number to use (a number from 1 to
722              32).  Make sure the netlink group numbers used for the  iptables
723              ULOG  target  differ  from  those  used  for  the  ebtables ulog
724              watcher.  The default group number is 1.
725
726       --ulog-cprange range
727              Defines the maximum copy range to userspace, for packets  match‐
728              ing  the  rule.  The default range is 0, which means the maximum
729              copy range is given by nlbufsiz.  A maximum  copy  range  larger
730              than  128*1024  is  meaningless as the packets sent to userspace
731              have an upper size limit of 128*1024.
732
733       --ulog-qthreshold threshold
734              Queue at most threshold number of packets before sending them to
735              userspace  with  a netlink socket. Note that packets can be sent
736              to userspace before the queue is full,  this  happens  when  the
737              ulog  kernel timer goes off (the frequency of this timer depends
738              on flushtimeout).
739
740   TARGET EXTENSIONS
741   arpreply
742       The arpreply target can be used in the PREROUTING chain of the nat  ta‐
743       ble.   If  this  target sees an ARP request it will automatically reply
744       with an ARP reply. The used MAC address for the reply can be specified.
745       The  protocol must be specified as ARP.  When the ARP message is not an
746       ARP request or when the ARP request isn't for an IP address on an  Eth‐
747       ernet  network,  it is ignored by this target (CONTINUE).  When the ARP
748       request is malformed, it is dropped (DROP).
749
750       --arpreply-mac address
751              Specifies the MAC address to reply with: the Ethernet source MAC
752              and  the  ARP  payload  source  MAC  will be filled in with this
753              address.
754
755       --arpreply-target target
756              Specifies the standard target. After sending the ARP reply,  the
757              rule  still has to give a standard target so ebtables knows what
758              to do with the ARP request.  The default target is DROP.
759
760   dnat
761       The dnat target can only be used in the BROUTING chain  of  the  broute
762       table and the PREROUTING and OUTPUT chains of the nat table.  It speci‐
763       fies that the destination MAC address has to be changed.
764
765       --to-destination address
766              Change the destination MAC address  to  the  specified  address.
767              The flag --to-dst is an alias for this option.
768
769       --dnat-target target
770              Specifies  the  standard  target. After doing the dnat, the rule
771              still has to give a standard target so ebtables knows what to do
772              with the dnated frame.  The default target is ACCEPT.  Making it
773              CONTINUE could let you use multiple  target  extensions  on  the
774              same  frame.  Making  it  DROP  only makes sense in the BROUTING
775              chain but using the  redirect  target  is  more  logical  there.
776              RETURN  is  also allowed. Note that using RETURN in a base chain
777              is not allowed (for obvious reasons).
778
779   mark
780       The mark target can be used in every chain of every table. It is possi‐
781       ble to use the marking of a frame/packet in both ebtables and iptables,
782       if the bridge-nf code is compiled into the kernel. Both put the marking
783       at  the  same  place.  This  allows for a form of communication between
784       ebtables and iptables.
785
786       --mark-set value
787              Mark the frame with the specified non-negative value.
788
789       --mark-or value
790              Or the frame with the specified non-negative value.
791
792       --mark-and value
793              And the frame with the specified non-negative value.
794
795       --mark-xor value
796              Xor the frame with the specified non-negative value.
797
798       --mark-target target
799              Specifies the standard target. After marking the frame, the rule
800              still  has  to  give a standard target so ebtables knows what to
801              do.  The default target is ACCEPT. Making it  CONTINUE  can  let
802              you  do  other  things with the frame in subsequent rules of the
803              chain.
804
805   redirect
806       The redirect target will change the MAC target address to that  of  the
807       bridge device the frame arrived on. This target can only be used in the
808       BROUTING chain of the broute table and the PREROUTING chain of the  nat
809       table.   In  the  BROUTING chain, the MAC address of the bridge port is
810       used as destination address, in the PREROUTING chain, the  MAC  address
811       of the bridge is used.
812
813       --redirect-target target
814              Specifies the standard target. After doing the MAC redirect, the
815              rule still has to give a standard target so ebtables knows  what
816              to  do.   The default target is ACCEPT. Making it CONTINUE could
817              let you use multiple target extensions on the same frame. Making
818              it  DROP  in  the  BROUTING chain will let the frames be routed.
819              RETURN is also allowed. Note that using RETURN in a  base  chain
820              is not allowed.
821
822   snat
823       The  snat  target  can only be used in the POSTROUTING chain of the nat
824       table.  It specifies that the source MAC address has to be changed.
825
826       --to-source address
827              Changes the source MAC address to  the  specified  address.  The
828              flag --to-src is an alias for this option.
829
830       --snat-target target
831              Specifies  the  standard  target. After doing the snat, the rule
832              still has to give a standard target so ebtables  knows  what  to
833              do.   The default target is ACCEPT. Making it CONTINUE could let
834              you use multiple target extensions on the same frame. Making  it
835              DROP  doesn't  make  sense, but you could do that too. RETURN is
836              also allowed. Note that using RETURN in  a  base  chain  is  not
837              allowed.
838
839       --snat-arp
840              Also change the hardware source address inside the arp header if
841              the packet is an arp message and the hardware address length  in
842              the arp header is 6 bytes.
843

FILES

845       /etc/ethertypes
846

ENVIRONMENT VARIABLES

848       EBTABLES_ATOMIC_FILE
849

MAILINGLISTS

851       ebtables-user@lists.sourceforge.net
852       ebtables-devel@lists.sourceforge.net
853

SEE ALSO

855       iptables(8), brctl(8), ifconfig(8), route(8)
856
857
858
859                                   June 2009                       EBTABLES(8)
Impressum