1EBTABLES(8)                 System Manager's Manual                EBTABLES(8)
2
3
4

NAME

6       ebtables-legacy  (2.0.10.4@)  - Ethernet bridge frame table administra‐
7       tion (legacy)
8

SYNOPSIS

10       ebtables [-t table ] -[ACDI] chain  rule  specification  [match  exten‐
11       sions] [watcher extensions] target
12       ebtables [-t table ] -P chain ACCEPT | DROP | RETURN
13       ebtables [-t table ] -F [chain]
14       ebtables [-t table ] -Z [chain]
15       ebtables  [-t  table  ]  -L  [-Z]  [chain]  [  [--Ln] | [--Lx] ] [--Lc]
16       [--Lmac2]
17       ebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]
18       ebtables [-t table ] -X [chain]
19       ebtables [-t table ] -E old-chain-name new-chain-name
20       ebtables [-t table ] --init-table
21       ebtables [-t table ] [--atomic-file file] --atomic-commit
22       ebtables [-t table ] [--atomic-file file] --atomic-init
23       ebtables [-t table ] [--atomic-file file] --atomic-save
24
25

LEGACY

27       This tool uses the old xtables/setsockopt framework, and  is  a  legacy
28       version  of  ebtables.  That  means that a new, more modern tool exists
29       with the same functionality using the nf_tables framework and  you  are
30       encouraged to migrate now.  The new binaries (known as ebtables-nft and
31       formerly known as ebtables-compat) uses the same syntax  and  semantics
32       than this legacy one.
33
34       You  can  still use this legacy tool. You should probably get some spe‐
35       cific information from your Linux distribution or  vendor.   More  docs
36       are available at https://wiki.nftables.org
37
38

DESCRIPTION

40       ebtables  is  an  application  program  used to set up and maintain the
41       tables of rules (inside the Linux kernel) that inspect Ethernet frames.
42       It  is analogous to the iptables application, but less complicated, due
43       to the fact that the Ethernet protocol is much simpler than the IP pro‐
44       tocol.
45
46   CHAINS
47       There  are three ebtables tables with built-in chains in the Linux ker‐
48       nel. These tables are used to divide functionality into different  sets
49       of  rules.  Each  set  of  rules  is  called a chain.  Each chain is an
50       ordered list of rules that can match Ethernet frames. If a rule matches
51       an  Ethernet  frame,  then  a processing specification tells what to do
52       with that matching frame. The  processing  specification  is  called  a
53       'target'.  However, if the frame does not match the current rule in the
54       chain, then the next rule in the chain is examined and so  forth.   The
55       user can create new (user-defined) chains that can be used as the 'tar‐
56       get' of a rule. User-defined chains are very useful to get better  per‐
57       formance  over the linear traversal of the rules and are also essential
58       for structuring the filtering rules into well-organized  and  maintain‐
59       able sets of rules.
60
61   TARGETS
62       A  firewall  rule  specifies criteria for an Ethernet frame and a frame
63       processing specification called a target.  When a frame matches a rule,
64       then  the  next action performed by the kernel is specified by the tar‐
65       get.  The target can be one of these values:  ACCEPT,  DROP,  CONTINUE,
66       RETURN, an 'extension' (see below) or a jump to a user-defined chain.
67
68       ACCEPT  means to let the frame through.  DROP means the frame has to be
69       dropped. In the BROUTING chain however, the ACCEPT and DROP target have
70       different meanings (see the info provided for the -t option).  CONTINUE
71       means the next rule has to be checked. This can be handy, f.e., to know
72       how  many frames pass a certain point in the chain, to log those frames
73       or to apply multiple targets on a frame.  RETURN means stop  traversing
74       this chain and resume at the next rule in the previous (calling) chain.
75       For the extension targets please refer to the TARGET EXTENSIONS section
76       of this man page.
77
78   TABLES
79       As stated earlier, there are three ebtables tables in the Linux kernel.
80       The table names are filter, nat and broute.  Of these three tables, the
81       filter table is the default table that the command operates on.  If you
82       are working with the filter table, then you can drop  the  '-t  filter'
83       argument  to  the  ebtables command.  However, you will need to provide
84       the -t argument for the other two tables.  Moreover,  the  -t  argument
85       must be the first argument on the ebtables command line, if used.
86
87       -t, --table
88              filter  is the default table and contains three built-in chains:
89              INPUT (for frames destined for the bridge itself, on  the  level
90              of  the  MAC destination address), OUTPUT (for locally-generated
91              or (b)routed frames) and FORWARD (for frames being forwarded  by
92              the bridge).
93              nat  is  mostly  used  to  change the mac addresses and contains
94              three built-in chains: PREROUTING (for altering frames  as  soon
95              as  they  come  in),  OUTPUT  (for altering locally generated or
96              (b)routed frames before they are bridged) and  POSTROUTING  (for
97              altering  frames  as  they are about to go out). A small note on
98              the naming of chains PREROUTING and  POSTROUTING:  it  would  be
99              more accurate to call them PREFORWARDING and POSTFORWARDING, but
100              for all those who come from the iptables world to ebtables it is
101              easier to have the same names. Note that you can change the name
102              (-E) if you don't like the default.
103              broute is used to make a brouter, it  has  one  built-in  chain:
104              BROUTING.  The targets DROP and ACCEPT have a special meaning in
105              the broute table (these names are used instead of more  descrip‐
106              tive  names  to keep the implementation generic).  DROP actually
107              means the frame has to be routed, while ACCEPT means  the  frame
108              has  to  be bridged. The BROUTING chain is traversed very early.
109              However, it is only traversed by frames  entering  on  a  bridge
110              port that is in forwarding state. Normally those frames would be
111              bridged, but you can decide otherwise here. The redirect  target
112              is very handy here.
113

EBTABLES COMMAND LINE ARGUMENTS

115       After  the  initial  ebtables  '-t  table'  command  line argument, the
116       remaining arguments can be divided into several groups.   These  groups
117       are commands, miscellaneous commands, rule specifications, match exten‐
118       sions, watcher extensions and target extensions.
119
120   COMMANDS
121       The ebtables command arguments specify the actions to  perform  on  the
122       table  defined with the -t argument.  If you do not use the -t argument
123       to name a table, the commands apply to the default filter table.   Only
124       one  command may be used on the command line at a time, except when the
125       commands -L and -Z are combined, the commands -N and -P  are  combined,
126       or when --atomic-file is used.
127
128       -A, --append
129              Append a rule to the end of the selected chain.
130
131       -D, --delete
132              Delete  the  specified  rule  or  rules from the selected chain.
133              There are two ways to use this command. The first is by specify‐
134              ing  an  interval of rule numbers to delete (directly after -D).
135              Syntax: start_nr[:end_nr] (use -L --Ln to list  the  rules  with
136              their  rule  number). When end_nr is omitted, all rules starting
137              from start_nr are deleted. Using negative  numbers  is  allowed,
138              for  more  details about using negative numbers, see the -I com‐
139              mand. The second usage is by specifying the complete rule as  it
140              would  have  been  specified  when  it was added. Only the first
141              encountered rule that is the same as  this  specified  rule,  in
142              other  words  the  matching rule with the lowest (positive) rule
143              number, is deleted.
144
145       -C, --change-counters
146              Change the counters of the specified  rule  or  rules  from  the
147              selected  chain.  There  are  two  ways to use this command. The
148              first is by specifying an interval of rule  numbers  to  do  the
149              changes  on (directly after -C).  Syntax: start_nr[:end_nr] (use
150              -L --Ln to list the rules with their rule number).  The  details
151              are the same as for the -D command. The second usage is by spec‐
152              ifying the complete rule as it would have been specified when it
153              was  added. Only the counters of the first encountered rule that
154              is the same as this specified rule, in other words the  matching
155              rule  with  the  lowest (positive) rule number, are changed.  In
156              the first usage, the counters are specified directly  after  the
157              interval  specification,  in the second usage directly after -C.
158              First the packet counter is specified, then the byte counter. If
159              the  specified counters start with a '+', the counter values are
160              added to the respective current counter values.  If  the  speci‐
161              fied counters start with a '-', the counter values are decreased
162              from the respective current counter values. No  bounds  checking
163              is  done.  If the counters don't start with '+' or '-', the cur‐
164              rent counters are changed to the specified counters.
165
166       -I, --insert
167              Insert the specified rule into the selected chain at the  speci‐
168              fied  rule number. If the rule number is not specified, the rule
169              is added at the head of the chain.  If  the  current  number  of
170              rules  equals N, then the specified number can be between -N and
171              N+1.  For a positive number i, it holds that i and i-N-1 specify
172              the  same  place in the chain where the rule should be inserted.
173              The rule number 0 specifies the place past the last rule in  the
174              chain and using this number is therefore equivalent to using the
175              -A command.  Rule numbers structly smaller than 0 can be  useful
176              when more than one rule needs to be inserted in a chain.
177
178       -P, --policy
179              Set the policy for the chain to the given target. The policy can
180              be ACCEPT, DROP or RETURN.
181
182       -F, --flush
183              Flush the selected chain. If no chain is  selected,  then  every
184              chain will be flushed. Flushing a chain does not change the pol‐
185              icy of the chain, however.
186
187       -Z, --zero
188              Set the counters of the selected chain to zero. If no  chain  is
189              selected,  all  the counters are set to zero. The -Z command can
190              be used in conjunction with the -L command.  When  both  the  -Z
191              and -L commands are used together in this way, the rule counters
192              are printed on the screen before they are set to zero.
193
194       -L, --list
195              List all rules in the selected chain. If no chain  is  selected,
196              all chains are listed.
197              The following options change the output of the -L command.
198              --Ln
199              Places  the  rule  number in front of every rule. This option is
200              incompatible with the --Lx option.
201              --Lc
202              Shows the counters at the end of each rule displayed by  the  -L
203              command.  Both  a frame counter (pcnt) and a byte counter (bcnt)
204              are displayed.  The frame counter shows  how  many  frames  have
205              matched the specific rule, the byte counter shows the sum of the
206              frame sizes of these matching frames. Using this option in  com‐
207              bination  with the --Lx option causes the counters to be written
208              out in the '-c <pcnt> <bcnt>' option format.
209              --Lx
210              Changes the output so that it produces a set  of  ebtables  com‐
211              mands  that construct the contents of the chain, when specified.
212              If no chain is specified, ebtables  commands  to  construct  the
213              contents of the table are given, including commands for creating
214              the user-defined chains (if any).  You can use this set of  com‐
215              mands  in  an  ebtables  boot or reload script.  For example the
216              output could be used at system  startup.   The  --Lx  option  is
217              incompatible with the --Ln listing option. Using the --Lx option
218              together with the --Lc option will  cause  the  counters  to  be
219              written out in the '-c <pcnt> <bcnt>' option format.
220              --Lmac2
221              Shows  all  MAC  addresses  with the same length, adding leading
222              zeroes if necessary. The default  representation  omits  leading
223              zeroes in the addresses.
224
225       -N, --new-chain
226              Create  a new user-defined chain with the given name. The number
227              of user-defined chains is limited only by the number of possible
228              chain  names.  A user-defined chain name has a maximum length of
229              31 characters. The standard policy of the user-defined chain  is
230              ACCEPT. The policy of the new chain can be initialized to a dif‐
231              ferent standard target by using the -P command together with the
232              -N  command.  In  this  case, the chain name does not have to be
233              specified for the -P command.
234
235       -X, --delete-chain
236              Delete the  specified  user-defined  chain.  There  must  be  no
237              remaining  references  (jumps) to the specified chain, otherwise
238              ebtables will refuse to delete it. If no chain is specified, all
239              user-defined chains that aren't referenced will be removed.
240
241       -E, --rename-chain
242              Rename  the  specified  chain to a new name.  Besides renaming a
243              user-defined chain, you can rename a standard chain  to  a  name
244              that  suits  your  taste. For example, if you like PREFORWARDING
245              more than PREROUTING, then you can use the -E command to  rename
246              the PREROUTING chain. If you do rename one of the standard ebta‐
247              bles chain names, please be sure to mention this fact should you
248              post a question on the ebtables mailing lists.  It would be wise
249              to use the standard name in your post. Renaming a standard ebta‐
250              bles  chain  in  this  fashion has no effect on the structure or
251              functioning of the ebtables kernel table.
252
253       --init-table
254              Replace the current table data by the initial table data.
255
256       --atomic-init
257              Copy the kernel's initial data of the  table  to  the  specified
258              file.  This  can  be used as the first action, after which rules
259              are added to the file. The  file  can  be  specified  using  the
260              --atomic-file  command or through the EBTABLES_ATOMIC_FILE envi‐
261              ronment variable.
262
263       --atomic-save
264              Copy the kernel's current data of the  table  to  the  specified
265              file.  This  can  be used as the first action, after which rules
266              are added to the file. The  file  can  be  specified  using  the
267              --atomic-file  command or through the EBTABLES_ATOMIC_FILE envi‐
268              ronment variable.
269
270       --atomic-commit
271              Replace the kernel table data with the  data  contained  in  the
272              specified file. This is a useful command that allows you to load
273              all your rules of a certain table into the kernel at once,  sav‐
274              ing  the  kernel  a  lot  of  precious  time and allowing atomic
275              updates of the tables. The file which contains the table data is
276              constructed  by  using either the --atomic-init or the --atomic-
277              save command to generate a starting file. After that, using  the
278              --atomic-file  command  when  constructing  rules or setting the
279              EBTABLES_ATOMIC_FILE environment variable allows you  to  extend
280              the  file  and  build the complete table before committing it to
281              the kernel. This command can be very useful in boot  scripts  to
282              populate the ebtables tables in a fast way.
283
284   MISCELLANOUS COMMANDS
285       -V, --version
286              Show the version of the ebtables userspace program.
287
288       -h, --help [list of module names]
289              Give  a  brief  description  of the command syntax. Here you can
290              also specify names of extensions and ebtables will try to  write
291              help  about those extensions. E.g.  ebtables -h snat log ip arp.
292              Specify list_extensions to list all extensions supported by  the
293              userspace utility.
294
295       -j, --jump target
296              The  target  of  the  rule. This is one of the following values:
297              ACCEPT, DROP, CONTINUE, RETURN, a target extension  (see  TARGET
298              EXTENSIONS) or a user-defined chain name.
299
300       --atomic-file file
301              Let  the command operate on the specified file.  The data of the
302              table to operate on will be extracted  from  the  file  and  the
303              result  of  the  operation  will be saved back into the file. If
304              specified, this option should come before the command specifica‐
305              tion.  An  alternative  that should be preferred, is setting the
306              EBTABLES_ATOMIC_FILE environment variable.
307
308       -M, --modprobe program
309              When talking to the kernel, use this program to try to automati‐
310              cally load missing kernel modules.
311
312       --concurrent
313              Use a file lock to support concurrent scripts updating the ebta‐
314              bles kernel tables.
315
316
317   RULE SPECIFICATIONS
318       The following command line arguments make up a rule  specification  (as
319       used  in the add and delete commands). A "!" option before the specifi‐
320       cation inverts the test for that specification. Apart from these  stan‐
321       dard rule specifications there are some other command line arguments of
322       interest.  See both the MATCH EXTENSIONS  and  the  WATCHER  EXTENSIONS
323       below.
324
325       -p, --protocol [!] protocol
326              The  protocol  that was responsible for creating the frame. This
327              can be a hexadecimal number, above 0x0600, a name (e.g.   ARP  )
328              or LENGTH.  The protocol field of the Ethernet frame can be used
329              to denote the length of the header (802.2/802.3 networks).  When
330              the  value  of  that  field is below or equals 0x0600, the value
331              equals the size of the header and shouldn't be used as a  proto‐
332              col number. Instead, all frames where the protocol field is used
333              as the length field are assumed to be of  the  same  'protocol'.
334              The protocol name used in ebtables for these frames is LENGTH.
335              The file /etc/ethertypes can be used to show readable characters
336              instead of hexadecimal numbers for the protocols.  For  example,
337              0x0800 will be represented by IPV4.  The use of this file is not
338              case sensitive.  See that file for more  information.  The  flag
339              --proto is an alias for this option.
340
341       -i, --in-interface [!] name
342              The  interface (bridge port) via which a frame is received (this
343              option is useful in the INPUT, FORWARD, PREROUTING and  BROUTING
344              chains). If the interface name ends with '+', then any interface
345              name that begins with this name (disregarding '+')  will  match.
346              The flag --in-if is an alias for this option.
347
348       --logical-in [!] name
349              The  (logical)  bridge  interface  via which a frame is received
350              (this option is useful in the  INPUT,  FORWARD,  PREROUTING  and
351              BROUTING chains).  If the interface name ends with '+', then any
352              interface name that begins with  this  name  (disregarding  '+')
353              will match.
354
355       -o, --out-interface [!] name
356              The  interface  (bridge  port)  via which a frame is going to be
357              sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
358              ING  chains).  If  the  interface  name  ends with '+', then any
359              interface name that begins with  this  name  (disregarding  '+')
360              will match.  The flag --out-if is an alias for this option.
361
362       --logical-out [!] name
363              The  (logical) bridge interface via which a frame is going to be
364              sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
365              ING  chains).   If  the  interface  name ends with '+', then any
366              interface name that begins with  this  name  (disregarding  '+')
367              will match.
368
369       -s, --source [!] address[/mask]
370              The  source  MAC address. Both mask and address are written as 6
371              hexadecimal numbers separated by colons. Alternatively  one  can
372              specify  Unicast,  Multicast,  Broadcast  or  BGA  (Bridge Group
373              Address):
374              Unicast=00:00:00:00:00:00/01:00:00:00:00:00,              Multi‐
375              cast=01:00:00:00:00:00/01:00:00:00:00:00,                 Broad‐
376              cast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff                      or
377              BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff.   Note that a broadcast
378              address will also match the multicast  specification.  The  flag
379              --src is an alias for this option.
380
381       -d, --destination [!] address[/mask]
382              The  destination MAC address. See -s (above) for more details on
383              MAC addresses. The flag --dst is an alias for this option.
384
385       -c, --set-counter pcnt bcnt
386              If used with -A or -I, then the packet and byte counters of  the
387              new  rule  will be set to pcnt, resp. bcnt.  If used with the -C
388              or -D commands, only rules with a packet and byte count equal to
389              pcnt, resp. bcnt will match.
390
391
392   MATCH EXTENSIONS
393       Ebtables  extensions  are  dynamically  loaded into the userspace tool,
394       there is therefore no need to explicitly load them  with  a  -m  option
395       like  is  done  in  iptables.  These extensions deal with functionality
396       supported by kernel modules supplemental to the core ebtables code.
397
398   802_3
399       Specify 802.3 DSAP/SSAP fields or SNAP  type.   The  protocol  must  be
400       specified as LENGTH (see the option  -p above).
401
402       --802_3-sap [!] sap
403              DSAP  and  SSAP  are  two  one byte 802.3 fields.  The bytes are
404              always equal, so only one byte (hexadecimal)  is  needed  as  an
405              argument.
406
407       --802_3-type [!] type
408              If  the  802.3  DSAP and SSAP values are 0xaa then the SNAP type
409              field must be consulted to determine the payload protocol.  This
410              is  a  two  byte (hexadecimal) argument.  Only 802.3 frames with
411              DSAP/SSAP 0xaa are checked for type.
412
413   among
414       Match a MAC address or  MAC/IP  address  pair  versus  a  list  of  MAC
415       addresses  and  MAC/IP  address  pairs.  A list entry has the following
416       format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list  entries  are
417       separated by a comma, specifying an IP address corresponding to the MAC
418       address is optional. Multiple MAC/IP address pairs with  the  same  MAC
419       address  but different IP address (and vice versa) can be specified. If
420       the MAC address doesn't match  any  entry  from  the  list,  the  frame
421       doesn't match the rule (unless "!" was used).
422
423       --among-dst [!] list
424              Compare  the  MAC destination to the given list. If the Ethernet
425              frame has type IPv4 or ARP, then comparison with MAC/IP destina‐
426              tion address pairs from the list is possible.
427
428       --among-src [!] list
429              Compare  the MAC source to the given list. If the Ethernet frame
430              has type IPv4 or ARP, then comparison with MAC/IP source address
431              pairs from the list is possible.
432
433       --among-dst-file [!] file
434              Same  as  --among-dst but the list is read in from the specified
435              file.
436
437       --among-src-file [!] file
438              Same as --among-src but the list is read in from  the  specified
439              file.
440
441   arp
442       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.
443
444       --arp-opcode [!] opcode
445              The  (R)ARP  opcode  (decimal  or a string, for more details see
446              ebtables -h arp).
447
448       --arp-htype [!] hardware type
449              The hardware type, this can be a decimal or the string  Ethernet
450              (which  sets  type  to  1).  Most (R)ARP packets have Eternet as
451              hardware type.
452
453       --arp-ptype [!] protocol type
454              The protocol type for which the (r)arp is used  (hexadecimal  or
455              the  string  IPv4,  denoting  0x0800).  Most (R)ARP packets have
456              protocol type IPv4.
457
458       --arp-ip-src [!] address[/mask]
459              The (R)ARP IP source address specification.
460
461       --arp-ip-dst [!] address[/mask]
462              The (R)ARP IP destination address specification.
463
464       --arp-mac-src [!] address[/mask]
465              The (R)ARP MAC source address specification.
466
467       --arp-mac-dst [!] address[/mask]
468              The (R)ARP MAC destination address specification.
469
470       [!] --arp-gratuitous
471              Checks for ARP  gratuitous  packets:  checks  equality  of  IPv4
472              source  address  and  IPv4  destination  address  inside the ARP
473              header.
474
475   ip
476       Specify IPv4 fields. The protocol must be specified as IPv4.
477
478       --ip-source [!] address[/mask]
479              The source IP address.  The flag --ip-src is an alias  for  this
480              option.
481
482       --ip-destination [!] address[/mask]
483              The  destination  IP address.  The flag --ip-dst is an alias for
484              this option.
485
486       --ip-tos [!] tos
487              The IP type of service, in hexadecimal numbers.  IPv4.
488
489       --ip-protocol [!] protocol
490              The IP protocol.  The flag  --ip-proto  is  an  alias  for  this
491              option.
492
493       --ip-source-port [!] port1[:port2]
494              The  source  port or port range for the IP protocols 6 (TCP), 17
495              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
496              specified  as  TCP,  UDP,  DCCP  or  SCTP.  If port1 is omitted,
497              0:port2 is used; if port2 is omitted but a colon  is  specified,
498              port1:65535  is  used.  The flag --ip-sport is an alias for this
499              option.
500
501       --ip-destination-port [!] port1[:port2]
502              The destination port or port range for ip protocols 6 (TCP),  17
503              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
504              specified as TCP, UDP, DCCP  or  SCTP.   If  port1  is  omitted,
505              0:port2  is  used; if port2 is omitted but a colon is specified,
506              port1:65535 is used.  The flag --ip-dport is an alias  for  this
507              option.
508
509   ip6
510       Specify IPv6 fields. The protocol must be specified as IPv6.
511
512       --ip6-source [!] address[/mask]
513              The  source  IPv6  address.   The flag --ip6-src is an alias for
514              this option.
515
516       --ip6-destination [!] address[/mask]
517              The destination IPv6 address.  The flag --ip6-dst  is  an  alias
518              for this option.
519
520       --ip6-tclass [!] tclass
521              The IPv6 traffic class, in hexadecimal numbers.
522
523       --ip6-protocol [!] protocol
524              The  IP  protocol.   The  flag  --ip6-proto is an alias for this
525              option.
526
527       --ip6-source-port [!] port1[:port2]
528              The source port or port range for the IPv6 protocols 6 (TCP), 17
529              (UDP),  33  (DCCP) or 132 (SCTP). The --ip6-protocol option must
530              be specified as TCP, UDP, DCCP or SCTP.  If  port1  is  omitted,
531              0:port2  is  used; if port2 is omitted but a colon is specified,
532              port1:65535 is used.  The flag --ip6-sport is an alias for  this
533              option.
534
535       --ip6-destination-port [!] port1[:port2]
536              The  destination  port or port range for IPv6 protocols 6 (TCP),
537              17 (UDP), 33 (DCCP) or 132  (SCTP).  The  --ip6-protocol  option
538              must  be specified as TCP, UDP, DCCP or SCTP.  If port1 is omit‐
539              ted, 0:port2 is used; if port2 is omitted but a colon is  speci‐
540              fied, port1:65535 is used.  The flag --ip6-dport is an alias for
541              this option.
542
543       --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
544              Specify ipv6-icmp type and code to match.  Ranges for both  type
545              and  code are supported. Type and code are separated by a slash.
546              Valid numbers for type and range are 0 to 255.  To match a  sin‐
547              gle  type  including all valid codes, symbolic names can be used
548              instead of numbers. The list of known type names is shown by the
549              command
550                ebtables --help ip6
551              This option is only valid for --ip6-prococol ipv6-icmp.
552
553   limit
554       This  module  matches at a limited rate using a token bucket filter.  A
555       rule using this extension will match until this limit is  reached.   It
556       can  be  used with the --log watcher to give limited logging, for exam‐
557       ple. Its use is the same as the limit match of iptables.
558
559       --limit [value]
560              Maximum average matching rate: specified as a  number,  with  an
561              optional /second, /minute, /hour, or /day suffix; the default is
562              3/hour.
563
564       --limit-burst [number]
565              Maximum initial number of packets to  match:  this  number  gets
566              recharged  by  one  every  time the limit specified above is not
567              reached, up to this number; the default is 5.
568
569   mark_m
570       --mark [!] [value][/mask]
571              Matches frames with the given unsigned mark value.  If  a  value
572              and mask are specified, the logical AND of the mark value of the
573              frame and the user-specified mask is taken before  comparing  it
574              with  the  user-specified  mark value. When only a mark value is
575              specified, the packet only matches when the mark  value  of  the
576              frame  equals  the user-specified mark value.  If only a mask is
577              specified, the logical AND of the mark value of  the  frame  and
578              the  user-specified mask is taken and the frame matches when the
579              result of this logical AND is non-zero. Only specifying  a  mask
580              is useful to match multiple mark values.
581
582   pkttype
583       --pkttype-type [!] type
584              Matches  on  the  Ethernet "class" of the frame, which is deter‐
585              mined by the generic networking code. Possible values: broadcast
586              (MAC  destination is the broadcast address), multicast (MAC des‐
587              tination is a multicast address), host (MAC destination  is  the
588              receiving network device), or otherhost (none of the above).
589
590   stp
591       Specify  stp  BPDU  (bridge protocol data unit) fields. The destination
592       address (-d) must be specified as the bridge group address (BGA).   For
593       all options for which a range of values can be specified, it holds that
594       if the lower bound is omitted (but the colon is not), then  the  lowest
595       possible  lower bound for that option is used, while if the upper bound
596       is omitted (but the colon again is not),  the  highest  possible  upper
597       bound for that option is used.
598
599       --stp-type [!] type
600              The  BPDU  type (0-255), recognized non-numerical types are con‐
601              fig, denoting a configuration BPDU (=0), and  tcn,  denothing  a
602              topology change notification BPDU (=128).
603
604       --stp-flags [!] flag
605              The BPDU flag (0-255), recognized non-numerical flags are topol‐
606              ogy-change, denoting the topology change flag (=1),  and  topol‐
607              ogy-change-ack,  denoting  the  topology  change acknowledgement
608              flag (=128).
609
610       --stp-root-prio [!] [prio][:prio]
611              The root priority (0-65535) range.
612
613       --stp-root-addr [!] [address][/mask]
614              The root mac address, see the option -s for more details.
615
616       --stp-root-cost [!] [cost][:cost]
617              The root path cost (0-4294967295) range.
618
619       --stp-sender-prio [!] [prio][:prio]
620              The BPDU's sender priority (0-65535) range.
621
622       --stp-sender-addr [!] [address][/mask]
623              The BPDU's sender mac  address,  see  the  option  -s  for  more
624              details.
625
626       --stp-port [!] [port][:port]
627              The port identifier (0-65535) range.
628
629       --stp-msg-age [!] [age][:age]
630              The message age timer (0-65535) range.
631
632       --stp-max-age [!] [age][:age]
633              The max age timer (0-65535) range.
634
635       --stp-hello-time [!] [time][:time]
636              The hello time timer (0-65535) range.
637
638       --stp-forward-delay [!] [delay][:delay]
639              The forward delay timer (0-65535) range.
640
641   string
642       This  module  matches  on  a  given  string using some pattern matching
643       strategy.
644
645       --string-algo algorithm
646              The pattern matching strategy. (bm = Boyer-Moore, kmp  =  Knuth-
647              Pratt-Morris)
648
649       --string-from offset
650              The lowest offset from which a match can start. (default: 0)
651
652       --string-to offset
653              The  highest offset from which a match can start. (default: size
654              of frame)
655
656       --string [!] pattern
657              Matches the given pattern.
658
659       --string-hex [!] pattern
660              Matches the given pattern  in  hex  notation,  e.g.  '|0D  0A|',
661              '|0D0A|', 'www|09|netfilter|03|org|00|'
662
663       --string-icase
664              Ignore case when searching.
665
666   vlan
667       Specify  802.1Q  Tag  Control Information fields.  The protocol must be
668       specified as 802_1Q (0x8100).
669
670       --vlan-id [!] id
671              The VLAN identifier field (VID). Decimal number from 0 to 4095.
672
673       --vlan-prio [!] prio
674              The user priority field, a decimal number from 0 to 7.  The  VID
675              should  be  set  to 0 ("null VID") or unspecified (in the latter
676              case the VID is deliberately set to 0).
677
678       --vlan-encap [!] type
679              The encapsulated Ethernet frame  type/length.   Specified  as  a
680              hexadecimal  number  from 0x0000 to 0xFFFF or as a symbolic name
681              from /etc/ethertypes.
682
683
684   WATCHER EXTENSIONS
685       Watchers only look at frames passing by, they  don't  modify  them  nor
686       decide  to  accept the frames or not. These watchers only see the frame
687       if the frame matches the rule, and they see it  before  the  target  is
688       executed.
689
690   log
691       The log watcher writes descriptive data about a frame to the syslog.
692
693       --log
694              Log  with  the default loggin options: log-level= info, log-pre‐
695              fix="", no ip logging, no arp logging.
696
697       --log-level level
698              Defines the logging level. For the possible values, see ebtables
699              -h log.  The default level is info.
700
701       --log-prefix text
702              Defines  the  prefix  text to be printed at the beginning of the
703              line with the logging information.
704
705       --log-ip
706              Will log the ip information when a frame made by the ip protocol
707              matches the rule. The default is no ip information logging.
708
709       --log-ip6
710              Will log the ipv6 information when a frame made by the ipv6 pro‐
711              tocol matches the rule. The default is no ipv6 information  log‐
712              ging.
713
714       --log-arp
715              Will  log the (r)arp information when a frame made by the (r)arp
716              protocols matches the rule. The default is no (r)arp information
717              logging.
718
719   nflog
720       The  nflog  watcher  passes the packet to the loaded logging backend in
721       order to log the packet. This  is  usually  used  in  combination  with
722       nfnetlink_log  as  logging  backend,  which  will  multicast the packet
723       through a netlink socket to the specified multicast group. One or  more
724       userspace processes may subscribe to the group to receive the packets.
725
726       --nflog
727              Log with the default logging options
728
729       --nflog-group nlgroup
730              The netlink group (1 - 2^32-1) to which packets are (only appli‐
731              cable for nfnetlink_log). The default value is 1.
732
733       --nflog-prefix prefix
734              A prefix string to include in the log message, up to 30  charac‐
735              ters long, useful for distinguishing messages in the logs.
736
737       --nflog-range size
738              The  number  of bytes to be copied to userspace (only applicable
739              for nfnetlink_log). nfnetlink_log instances  may  specify  their
740              own range, this option overrides it.
741
742       --nflog-threshold size
743              Number of packets to queue inside the kernel before sending them
744              to userspace (only applicable for nfnetlink_log). Higher  values
745              result in less overhead per packet, but increase delay until the
746              packets reach userspace. The default value is 1.
747
748   ulog
749       The ulog watcher passes the packet to a userspace logging daemon  using
750       netlink  multicast  sockets.  This  differs from the log watcher in the
751       sense that the complete packet  is  sent  to  userspace  instead  of  a
752       descriptive text and that netlink multicast sockets are used instead of
753       the syslog.  This watcher enables parsing  of  packets  with  userspace
754       programs, the physical bridge in and out ports are also included in the
755       netlink messages.  The ulog watcher module accepts  2  parameters  when
756       the  module  is  loaded  into the kernel (e.g. with modprobe): nlbufsiz
757       specifies how big the buffer for each netlink multicast  group  is.  If
758       you  say nlbufsiz=8192, for example, up to eight kB of packets will get
759       accumulated in the kernel until they are sent to userspace. It  is  not
760       possible  to  allocate  more  than 128kB. Please also keep in mind that
761       this buffer size is allocated for each nlgroup you are  using,  so  the
762       total  kernel  memory  usage  increases  by that factor. The default is
763       4096.  flushtimeout specifies after how many hundredths of a second the
764       queue  should be flushed, even if it is not full yet. The default is 10
765       (one tenth of a second).
766
767       --ulog
768              Use the default settings: ulog-prefix="", ulog-nlgroup=1,  ulog-
769              cprange=4096, ulog-qthreshold=1.
770
771       --ulog-prefix text
772              Defines the prefix included with the packets sent to userspace.
773
774       --ulog-nlgroup group
775              Defines  which  netlink  group number to use (a number from 1 to
776              32).  Make sure the netlink group numbers used for the  iptables
777              ULOG  target  differ  from  those  used  for  the  ebtables ulog
778              watcher.  The default group number is 1.
779
780       --ulog-cprange range
781              Defines the maximum copy range to userspace, for packets  match‐
782              ing  the  rule.  The default range is 0, which means the maximum
783              copy range is given by nlbufsiz.  A maximum  copy  range  larger
784              than  128*1024  is  meaningless as the packets sent to userspace
785              have an upper size limit of 128*1024.
786
787       --ulog-qthreshold threshold
788              Queue at most threshold number of packets before sending them to
789              userspace  with  a netlink socket. Note that packets can be sent
790              to userspace before the queue is full,  this  happens  when  the
791              ulog  kernel timer goes off (the frequency of this timer depends
792              on flushtimeout).
793
794   TARGET EXTENSIONS
795   arpreply
796       The arpreply target can be used in the PREROUTING chain of the nat  ta‐
797       ble.   If  this  target sees an ARP request it will automatically reply
798       with an ARP reply. The used MAC address for the reply can be specified.
799       The  protocol must be specified as ARP.  When the ARP message is not an
800       ARP request or when the ARP request isn't for an IP address on an  Eth‐
801       ernet  network,  it is ignored by this target (CONTINUE).  When the ARP
802       request is malformed, it is dropped (DROP).
803
804       --arpreply-mac address
805              Specifies the MAC address to reply with: the Ethernet source MAC
806              and  the  ARP  payload  source  MAC  will be filled in with this
807              address.
808
809       --arpreply-target target
810              Specifies the standard target. After sending the ARP reply,  the
811              rule  still has to give a standard target so ebtables knows what
812              to do with the ARP request.  The default target is DROP.
813
814   dnat
815       The dnat target can only be used in the BROUTING chain  of  the  broute
816       table and the PREROUTING and OUTPUT chains of the nat table.  It speci‐
817       fies that the destination MAC address has to be changed.
818
819       --to-destination address
820              Change the destination MAC address  to  the  specified  address.
821              The flag --to-dst is an alias for this option.
822
823       --dnat-target target
824              Specifies  the  standard  target. After doing the dnat, the rule
825              still has to give a standard target so ebtables knows what to do
826              with the dnated frame.  The default target is ACCEPT.  Making it
827              CONTINUE could let you use multiple  target  extensions  on  the
828              same  frame.  Making  it  DROP  only makes sense in the BROUTING
829              chain but using the  redirect  target  is  more  logical  there.
830              RETURN  is  also allowed. Note that using RETURN in a base chain
831              is not allowed (for obvious reasons).
832
833   mark
834       The mark target can be used in every chain of every table. It is possi‐
835       ble to use the marking of a frame/packet in both ebtables and iptables,
836       if the bridge-nf code is compiled into the kernel. Both put the marking
837       at  the  same  place.  This  allows for a form of communication between
838       ebtables and iptables.
839
840       --mark-set value
841              Mark the frame with the specified non-negative value.
842
843       --mark-or value
844              Or the frame with the specified non-negative value.
845
846       --mark-and value
847              And the frame with the specified non-negative value.
848
849       --mark-xor value
850              Xor the frame with the specified non-negative value.
851
852       --mark-target target
853              Specifies the standard target. After marking the frame, the rule
854              still  has  to  give a standard target so ebtables knows what to
855              do.  The default target is ACCEPT. Making it  CONTINUE  can  let
856              you  do  other  things with the frame in subsequent rules of the
857              chain.
858
859   redirect
860       The redirect target will change the MAC target address to that  of  the
861       bridge device the frame arrived on. This target can only be used in the
862       BROUTING chain of the broute table and the PREROUTING chain of the  nat
863       table.   In  the  BROUTING chain, the MAC address of the bridge port is
864       used as destination address, in the PREROUTING chain, the  MAC  address
865       of the bridge is used.
866
867       --redirect-target target
868              Specifies the standard target. After doing the MAC redirect, the
869              rule still has to give a standard target so ebtables knows  what
870              to  do.   The default target is ACCEPT. Making it CONTINUE could
871              let you use multiple target extensions on the same frame. Making
872              it  DROP  in  the  BROUTING chain will let the frames be routed.
873              RETURN is also allowed. Note that using RETURN in a  base  chain
874              is not allowed.
875
876   snat
877       The  snat  target  can only be used in the POSTROUTING chain of the nat
878       table.  It specifies that the source MAC address has to be changed.
879
880       --to-source address
881              Changes the source MAC address to  the  specified  address.  The
882              flag --to-src is an alias for this option.
883
884       --snat-target target
885              Specifies  the  standard  target. After doing the snat, the rule
886              still has to give a standard target so ebtables  knows  what  to
887              do.   The default target is ACCEPT. Making it CONTINUE could let
888              you use multiple target extensions on the same frame. Making  it
889              DROP  doesn't  make  sense, but you could do that too. RETURN is
890              also allowed. Note that using RETURN in  a  base  chain  is  not
891              allowed.
892
893       --snat-arp
894              Also change the hardware source address inside the arp header if
895              the packet is an arp message and the hardware address length  in
896              the arp header is 6 bytes.
897

FILES

899       /etc/ethertypes /run/ebtables.lock
900

ENVIRONMENT VARIABLES

902       EBTABLES_ATOMIC_FILE
903

MAILINGLISTS

905       See http://netfilter.org/mailinglists.html
906

SEE ALSO

908       iptables(8), brctl(8), ifconfig(8), route(8)
909
910       See http://ebtables.sf.net
911
912
913
914                                 December 2011                     EBTABLES(8)
Impressum