1EBTABLES(8) System Manager's Manual EBTABLES(8)
2
3
4
6 ebtables-legacy (2.0.10.4@) - Ethernet bridge frame table administra‐
7 tion (legacy)
8
10 ebtables [-t table ] -[ACDI] chain rule specification [match exten‐
11 sions] [watcher extensions] target
12 ebtables [-t table ] -P chain ACCEPT | DROP | RETURN
13 ebtables [-t table ] -F [chain]
14 ebtables [-t table ] -Z [chain]
15 ebtables [-t table ] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc]
16 [--Lmac2]
17 ebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]
18 ebtables [-t table ] -X [chain]
19 ebtables [-t table ] -E old-chain-name new-chain-name
20 ebtables [-t table ] --init-table
21 ebtables [-t table ] [--atomic-file file] --atomic-commit
22 ebtables [-t table ] [--atomic-file file] --atomic-init
23 ebtables [-t table ] [--atomic-file file] --atomic-save
24
25
27 This tool uses the old xtables/setsockopt framework, and is a legacy
28 version of ebtables. That means that a new, more modern tool exists
29 with the same functionality using the nf_tables framework and you are
30 encouraged to migrate now. The new binaries (known as ebtables-nft and
31 formerly known as ebtables-compat) uses the same syntax and semantics
32 than this legacy one.
33
34 You can still use this legacy tool. You should probably get some spe‐
35 cific information from your Linux distribution or vendor. More docs
36 are available at https://wiki.nftables.org
37
38
40 ebtables is an application program used to set up and maintain the
41 tables of rules (inside the Linux kernel) that inspect Ethernet frames.
42 It is analogous to the iptables application, but less complicated, due
43 to the fact that the Ethernet protocol is much simpler than the IP pro‐
44 tocol.
45
46 CHAINS
47 There are three ebtables tables with built-in chains in the Linux ker‐
48 nel. These tables are used to divide functionality into different sets
49 of rules. Each set of rules is called a chain. Each chain is an
50 ordered list of rules that can match Ethernet frames. If a rule matches
51 an Ethernet frame, then a processing specification tells what to do
52 with that matching frame. The processing specification is called a
53 'target'. However, if the frame does not match the current rule in the
54 chain, then the next rule in the chain is examined and so forth. The
55 user can create new (user-defined) chains that can be used as the 'tar‐
56 get' of a rule. User-defined chains are very useful to get better per‐
57 formance over the linear traversal of the rules and are also essential
58 for structuring the filtering rules into well-organized and maintain‐
59 able sets of rules.
60
61 TARGETS
62 A firewall rule specifies criteria for an Ethernet frame and a frame
63 processing specification called a target. When a frame matches a rule,
64 then the next action performed by the kernel is specified by the tar‐
65 get. The target can be one of these values: ACCEPT, DROP, CONTINUE,
66 RETURN, an 'extension' (see below) or a jump to a user-defined chain.
67
68 ACCEPT means to let the frame through. DROP means the frame has to be
69 dropped. In the BROUTING chain however, the ACCEPT and DROP target have
70 different meanings (see the info provided for the -t option). CONTINUE
71 means the next rule has to be checked. This can be handy, f.e., to know
72 how many frames pass a certain point in the chain, to log those frames
73 or to apply multiple targets on a frame. RETURN means stop traversing
74 this chain and resume at the next rule in the previous (calling) chain.
75 For the extension targets please refer to the TARGET EXTENSIONS section
76 of this man page.
77
78 TABLES
79 As stated earlier, there are three ebtables tables in the Linux kernel.
80 The table names are filter, nat and broute. Of these three tables, the
81 filter table is the default table that the command operates on. If you
82 are working with the filter table, then you can drop the '-t filter'
83 argument to the ebtables command. However, you will need to provide
84 the -t argument for the other two tables. Moreover, the -t argument
85 must be the first argument on the ebtables command line, if used.
86
87 -t, --table
88 filter is the default table and contains three built-in chains:
89 INPUT (for frames destined for the bridge itself, on the level
90 of the MAC destination address), OUTPUT (for locally-generated
91 or (b)routed frames) and FORWARD (for frames being forwarded by
92 the bridge).
93 nat is mostly used to change the mac addresses and contains
94 three built-in chains: PREROUTING (for altering frames as soon
95 as they come in), OUTPUT (for altering locally generated or
96 (b)routed frames before they are bridged) and POSTROUTING (for
97 altering frames as they are about to go out). A small note on
98 the naming of chains PREROUTING and POSTROUTING: it would be
99 more accurate to call them PREFORWARDING and POSTFORWARDING, but
100 for all those who come from the iptables world to ebtables it is
101 easier to have the same names. Note that you can change the name
102 (-E) if you don't like the default.
103 broute is used to make a brouter, it has one built-in chain:
104 BROUTING. The targets DROP and ACCEPT have a special meaning in
105 the broute table (these names are used instead of more descrip‐
106 tive names to keep the implementation generic). DROP actually
107 means the frame has to be routed, while ACCEPT means the frame
108 has to be bridged. The BROUTING chain is traversed very early.
109 However, it is only traversed by frames entering on a bridge
110 port that is in forwarding state. Normally those frames would be
111 bridged, but you can decide otherwise here. The redirect target
112 is very handy here.
113
115 After the initial ebtables '-t table' command line argument, the
116 remaining arguments can be divided into several groups. These groups
117 are commands, miscellaneous commands, rule specifications, match exten‐
118 sions, watcher extensions and target extensions.
119
120 COMMANDS
121 The ebtables command arguments specify the actions to perform on the
122 table defined with the -t argument. If you do not use the -t argument
123 to name a table, the commands apply to the default filter table. Only
124 one command may be used on the command line at a time, except when the
125 commands -L and -Z are combined, the commands -N and -P are combined,
126 or when --atomic-file is used.
127
128 -A, --append
129 Append a rule to the end of the selected chain.
130
131 -D, --delete
132 Delete the specified rule or rules from the selected chain.
133 There are two ways to use this command. The first is by specify‐
134 ing an interval of rule numbers to delete (directly after -D).
135 Syntax: start_nr[:end_nr] (use -L --Ln to list the rules with
136 their rule number). When end_nr is omitted, all rules starting
137 from start_nr are deleted. Using negative numbers is allowed,
138 for more details about using negative numbers, see the -I com‐
139 mand. The second usage is by specifying the complete rule as it
140 would have been specified when it was added. Only the first
141 encountered rule that is the same as this specified rule, in
142 other words the matching rule with the lowest (positive) rule
143 number, is deleted.
144
145 -C, --change-counters
146 Change the counters of the specified rule or rules from the
147 selected chain. There are two ways to use this command. The
148 first is by specifying an interval of rule numbers to do the
149 changes on (directly after -C). Syntax: start_nr[:end_nr] (use
150 -L --Ln to list the rules with their rule number). The details
151 are the same as for the -D command. The second usage is by spec‐
152 ifying the complete rule as it would have been specified when it
153 was added. Only the counters of the first encountered rule that
154 is the same as this specified rule, in other words the matching
155 rule with the lowest (positive) rule number, are changed. In
156 the first usage, the counters are specified directly after the
157 interval specification, in the second usage directly after -C.
158 First the packet counter is specified, then the byte counter. If
159 the specified counters start with a '+', the counter values are
160 added to the respective current counter values. If the speci‐
161 fied counters start with a '-', the counter values are decreased
162 from the respective current counter values. No bounds checking
163 is done. If the counters don't start with '+' or '-', the cur‐
164 rent counters are changed to the specified counters.
165
166 -I, --insert
167 Insert the specified rule into the selected chain at the speci‐
168 fied rule number. If the rule number is not specified, the rule
169 is added at the head of the chain. If the current number of
170 rules equals N, then the specified number can be between -N and
171 N+1. For a positive number i, it holds that i and i-N-1 specify
172 the same place in the chain where the rule should be inserted.
173 The rule number 0 specifies the place past the last rule in the
174 chain and using this number is therefore equivalent to using the
175 -A command. Rule numbers structly smaller than 0 can be useful
176 when more than one rule needs to be inserted in a chain.
177
178 -P, --policy
179 Set the policy for the chain to the given target. The policy can
180 be ACCEPT, DROP or RETURN.
181
182 -F, --flush
183 Flush the selected chain. If no chain is selected, then every
184 chain will be flushed. Flushing a chain does not change the pol‐
185 icy of the chain, however.
186
187 -Z, --zero
188 Set the counters of the selected chain to zero. If no chain is
189 selected, all the counters are set to zero. The -Z command can
190 be used in conjunction with the -L command. When both the -Z
191 and -L commands are used together in this way, the rule counters
192 are printed on the screen before they are set to zero.
193
194 -L, --list
195 List all rules in the selected chain. If no chain is selected,
196 all chains are listed.
197 The following options change the output of the -L command.
198 --Ln
199 Places the rule number in front of every rule. This option is
200 incompatible with the --Lx option.
201 --Lc
202 Shows the counters at the end of each rule displayed by the -L
203 command. Both a frame counter (pcnt) and a byte counter (bcnt)
204 are displayed. The frame counter shows how many frames have
205 matched the specific rule, the byte counter shows the sum of the
206 frame sizes of these matching frames. Using this option in com‐
207 bination with the --Lx option causes the counters to be written
208 out in the '-c <pcnt> <bcnt>' option format.
209 --Lx
210 Changes the output so that it produces a set of ebtables com‐
211 mands that construct the contents of the chain, when specified.
212 If no chain is specified, ebtables commands to construct the
213 contents of the table are given, including commands for creating
214 the user-defined chains (if any). You can use this set of com‐
215 mands in an ebtables boot or reload script. For example the
216 output could be used at system startup. The --Lx option is
217 incompatible with the --Ln listing option. Using the --Lx option
218 together with the --Lc option will cause the counters to be
219 written out in the '-c <pcnt> <bcnt>' option format.
220 --Lmac2
221 Shows all MAC addresses with the same length, adding leading
222 zeroes if necessary. The default representation omits leading
223 zeroes in the addresses.
224
225 -N, --new-chain
226 Create a new user-defined chain with the given name. The number
227 of user-defined chains is limited only by the number of possible
228 chain names. A user-defined chain name has a maximum length of
229 31 characters. The standard policy of the user-defined chain is
230 ACCEPT. The policy of the new chain can be initialized to a dif‐
231 ferent standard target by using the -P command together with the
232 -N command. In this case, the chain name does not have to be
233 specified for the -P command.
234
235 -X, --delete-chain
236 Delete the specified user-defined chain. There must be no
237 remaining references (jumps) to the specified chain, otherwise
238 ebtables will refuse to delete it. If no chain is specified, all
239 user-defined chains that aren't referenced will be removed.
240
241 -E, --rename-chain
242 Rename the specified chain to a new name. Besides renaming a
243 user-defined chain, you can rename a standard chain to a name
244 that suits your taste. For example, if you like PREFORWARDING
245 more than PREROUTING, then you can use the -E command to rename
246 the PREROUTING chain. If you do rename one of the standard ebta‐
247 bles chain names, please be sure to mention this fact should you
248 post a question on the ebtables mailing lists. It would be wise
249 to use the standard name in your post. Renaming a standard ebta‐
250 bles chain in this fashion has no effect on the structure or
251 functioning of the ebtables kernel table.
252
253 --init-table
254 Replace the current table data by the initial table data.
255
256 --atomic-init
257 Copy the kernel's initial data of the table to the specified
258 file. This can be used as the first action, after which rules
259 are added to the file. The file can be specified using the
260 --atomic-file command or through the EBTABLES_ATOMIC_FILE envi‐
261 ronment variable.
262
263 --atomic-save
264 Copy the kernel's current data of the table to the specified
265 file. This can be used as the first action, after which rules
266 are added to the file. The file can be specified using the
267 --atomic-file command or through the EBTABLES_ATOMIC_FILE envi‐
268 ronment variable.
269
270 --atomic-commit
271 Replace the kernel table data with the data contained in the
272 specified file. This is a useful command that allows you to load
273 all your rules of a certain table into the kernel at once, sav‐
274 ing the kernel a lot of precious time and allowing atomic
275 updates of the tables. The file which contains the table data is
276 constructed by using either the --atomic-init or the --atomic-
277 save command to generate a starting file. After that, using the
278 --atomic-file command when constructing rules or setting the
279 EBTABLES_ATOMIC_FILE environment variable allows you to extend
280 the file and build the complete table before committing it to
281 the kernel. This command can be very useful in boot scripts to
282 populate the ebtables tables in a fast way.
283
284 MISCELLANOUS COMMANDS
285 -V, --version
286 Show the version of the ebtables userspace program.
287
288 -h, --help [list of module names]
289 Give a brief description of the command syntax. Here you can
290 also specify names of extensions and ebtables will try to write
291 help about those extensions. E.g. ebtables -h snat log ip arp.
292 Specify list_extensions to list all extensions supported by the
293 userspace utility.
294
295 -j, --jump target
296 The target of the rule. This is one of the following values:
297 ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
298 EXTENSIONS) or a user-defined chain name.
299
300 --atomic-file file
301 Let the command operate on the specified file. The data of the
302 table to operate on will be extracted from the file and the
303 result of the operation will be saved back into the file. If
304 specified, this option should come before the command specifica‐
305 tion. An alternative that should be preferred, is setting the
306 EBTABLES_ATOMIC_FILE environment variable.
307
308 -M, --modprobe program
309 When talking to the kernel, use this program to try to automati‐
310 cally load missing kernel modules.
311
312 --concurrent
313 Use a file lock to support concurrent scripts updating the ebta‐
314 bles kernel tables.
315
316
317 RULE SPECIFICATIONS
318 The following command line arguments make up a rule specification (as
319 used in the add and delete commands). A "!" option before the specifi‐
320 cation inverts the test for that specification. Apart from these stan‐
321 dard rule specifications there are some other command line arguments of
322 interest. See both the MATCH EXTENSIONS and the WATCHER EXTENSIONS
323 below.
324
325 -p, --protocol [!] protocol
326 The protocol that was responsible for creating the frame. This
327 can be a hexadecimal number, above 0x0600, a name (e.g. ARP )
328 or LENGTH. The protocol field of the Ethernet frame can be used
329 to denote the length of the header (802.2/802.3 networks). When
330 the value of that field is below or equals 0x0600, the value
331 equals the size of the header and shouldn't be used as a proto‐
332 col number. Instead, all frames where the protocol field is used
333 as the length field are assumed to be of the same 'protocol'.
334 The protocol name used in ebtables for these frames is LENGTH.
335 The file /etc/ethertypes can be used to show readable characters
336 instead of hexadecimal numbers for the protocols. For example,
337 0x0800 will be represented by IPV4. The use of this file is not
338 case sensitive. See that file for more information. The flag
339 --proto is an alias for this option.
340
341 -i, --in-interface [!] name
342 The interface (bridge port) via which a frame is received (this
343 option is useful in the INPUT, FORWARD, PREROUTING and BROUTING
344 chains). If the interface name ends with '+', then any interface
345 name that begins with this name (disregarding '+') will match.
346 The flag --in-if is an alias for this option.
347
348 --logical-in [!] name
349 The (logical) bridge interface via which a frame is received
350 (this option is useful in the INPUT, FORWARD, PREROUTING and
351 BROUTING chains). If the interface name ends with '+', then any
352 interface name that begins with this name (disregarding '+')
353 will match.
354
355 -o, --out-interface [!] name
356 The interface (bridge port) via which a frame is going to be
357 sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
358 ING chains). If the interface name ends with '+', then any
359 interface name that begins with this name (disregarding '+')
360 will match. The flag --out-if is an alias for this option.
361
362 --logical-out [!] name
363 The (logical) bridge interface via which a frame is going to be
364 sent (this option is useful in the OUTPUT, FORWARD and POSTROUT‐
365 ING chains). If the interface name ends with '+', then any
366 interface name that begins with this name (disregarding '+')
367 will match.
368
369 -s, --source [!] address[/mask]
370 The source MAC address. Both mask and address are written as 6
371 hexadecimal numbers separated by colons. Alternatively one can
372 specify Unicast, Multicast, Broadcast or BGA (Bridge Group
373 Address):
374 Unicast=00:00:00:00:00:00/01:00:00:00:00:00, Multi‐
375 cast=01:00:00:00:00:00/01:00:00:00:00:00, Broad‐
376 cast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
377 BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast
378 address will also match the multicast specification. The flag
379 --src is an alias for this option.
380
381 -d, --destination [!] address[/mask]
382 The destination MAC address. See -s (above) for more details on
383 MAC addresses. The flag --dst is an alias for this option.
384
385 -c, --set-counter pcnt bcnt
386 If used with -A or -I, then the packet and byte counters of the
387 new rule will be set to pcnt, resp. bcnt. If used with the -C
388 or -D commands, only rules with a packet and byte count equal to
389 pcnt, resp. bcnt will match.
390
391
392 MATCH EXTENSIONS
393 Ebtables extensions are dynamically loaded into the userspace tool,
394 there is therefore no need to explicitly load them with a -m option
395 like is done in iptables. These extensions deal with functionality
396 supported by kernel modules supplemental to the core ebtables code.
397
398 802_3
399 Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
400 specified as LENGTH (see the option -p above).
401
402 --802_3-sap [!] sap
403 DSAP and SSAP are two one byte 802.3 fields. The bytes are
404 always equal, so only one byte (hexadecimal) is needed as an
405 argument.
406
407 --802_3-type [!] type
408 If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
409 field must be consulted to determine the payload protocol. This
410 is a two byte (hexadecimal) argument. Only 802.3 frames with
411 DSAP/SSAP 0xaa are checked for type.
412
413 among
414 Match a MAC address or MAC/IP address pair versus a list of MAC
415 addresses and MAC/IP address pairs. A list entry has the following
416 format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
417 separated by a comma, specifying an IP address corresponding to the MAC
418 address is optional. Multiple MAC/IP address pairs with the same MAC
419 address but different IP address (and vice versa) can be specified. If
420 the MAC address doesn't match any entry from the list, the frame
421 doesn't match the rule (unless "!" was used).
422
423 --among-dst [!] list
424 Compare the MAC destination to the given list. If the Ethernet
425 frame has type IPv4 or ARP, then comparison with MAC/IP destina‐
426 tion address pairs from the list is possible.
427
428 --among-src [!] list
429 Compare the MAC source to the given list. If the Ethernet frame
430 has type IPv4 or ARP, then comparison with MAC/IP source address
431 pairs from the list is possible.
432
433 --among-dst-file [!] file
434 Same as --among-dst but the list is read in from the specified
435 file.
436
437 --among-src-file [!] file
438 Same as --among-src but the list is read in from the specified
439 file.
440
441 arp
442 Specify (R)ARP fields. The protocol must be specified as ARP or RARP.
443
444 --arp-opcode [!] opcode
445 The (R)ARP opcode (decimal or a string, for more details see
446 ebtables -h arp).
447
448 --arp-htype [!] hardware type
449 The hardware type, this can be a decimal or the string Ethernet
450 (which sets type to 1). Most (R)ARP packets have Eternet as
451 hardware type.
452
453 --arp-ptype [!] protocol type
454 The protocol type for which the (r)arp is used (hexadecimal or
455 the string IPv4, denoting 0x0800). Most (R)ARP packets have
456 protocol type IPv4.
457
458 --arp-ip-src [!] address[/mask]
459 The (R)ARP IP source address specification.
460
461 --arp-ip-dst [!] address[/mask]
462 The (R)ARP IP destination address specification.
463
464 --arp-mac-src [!] address[/mask]
465 The (R)ARP MAC source address specification.
466
467 --arp-mac-dst [!] address[/mask]
468 The (R)ARP MAC destination address specification.
469
470 [!] --arp-gratuitous
471 Checks for ARP gratuitous packets: checks equality of IPv4
472 source address and IPv4 destination address inside the ARP
473 header.
474
475 ip
476 Specify IPv4 fields. The protocol must be specified as IPv4.
477
478 --ip-source [!] address[/mask]
479 The source IP address. The flag --ip-src is an alias for this
480 option.
481
482 --ip-destination [!] address[/mask]
483 The destination IP address. The flag --ip-dst is an alias for
484 this option.
485
486 --ip-tos [!] tos
487 The IP type of service, in hexadecimal numbers. IPv4.
488
489 --ip-protocol [!] protocol
490 The IP protocol. The flag --ip-proto is an alias for this
491 option.
492
493 --ip-source-port [!] port1[:port2]
494 The source port or port range for the IP protocols 6 (TCP), 17
495 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
496 specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
497 0:port2 is used; if port2 is omitted but a colon is specified,
498 port1:65535 is used. The flag --ip-sport is an alias for this
499 option.
500
501 --ip-destination-port [!] port1[:port2]
502 The destination port or port range for ip protocols 6 (TCP), 17
503 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
504 specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
505 0:port2 is used; if port2 is omitted but a colon is specified,
506 port1:65535 is used. The flag --ip-dport is an alias for this
507 option.
508
509 ip6
510 Specify IPv6 fields. The protocol must be specified as IPv6.
511
512 --ip6-source [!] address[/mask]
513 The source IPv6 address. The flag --ip6-src is an alias for
514 this option.
515
516 --ip6-destination [!] address[/mask]
517 The destination IPv6 address. The flag --ip6-dst is an alias
518 for this option.
519
520 --ip6-tclass [!] tclass
521 The IPv6 traffic class, in hexadecimal numbers.
522
523 --ip6-protocol [!] protocol
524 The IP protocol. The flag --ip6-proto is an alias for this
525 option.
526
527 --ip6-source-port [!] port1[:port2]
528 The source port or port range for the IPv6 protocols 6 (TCP), 17
529 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option must
530 be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
531 0:port2 is used; if port2 is omitted but a colon is specified,
532 port1:65535 is used. The flag --ip6-sport is an alias for this
533 option.
534
535 --ip6-destination-port [!] port1[:port2]
536 The destination port or port range for IPv6 protocols 6 (TCP),
537 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option
538 must be specified as TCP, UDP, DCCP or SCTP. If port1 is omit‐
539 ted, 0:port2 is used; if port2 is omitted but a colon is speci‐
540 fied, port1:65535 is used. The flag --ip6-dport is an alias for
541 this option.
542
543 --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
544 Specify ipv6-icmp type and code to match. Ranges for both type
545 and code are supported. Type and code are separated by a slash.
546 Valid numbers for type and range are 0 to 255. To match a sin‐
547 gle type including all valid codes, symbolic names can be used
548 instead of numbers. The list of known type names is shown by the
549 command
550 ebtables --help ip6
551 This option is only valid for --ip6-prococol ipv6-icmp.
552
553 limit
554 This module matches at a limited rate using a token bucket filter. A
555 rule using this extension will match until this limit is reached. It
556 can be used with the --log watcher to give limited logging, for exam‐
557 ple. Its use is the same as the limit match of iptables.
558
559 --limit [value]
560 Maximum average matching rate: specified as a number, with an
561 optional /second, /minute, /hour, or /day suffix; the default is
562 3/hour.
563
564 --limit-burst [number]
565 Maximum initial number of packets to match: this number gets
566 recharged by one every time the limit specified above is not
567 reached, up to this number; the default is 5.
568
569 mark_m
570 --mark [!] [value][/mask]
571 Matches frames with the given unsigned mark value. If a value
572 and mask are specified, the logical AND of the mark value of the
573 frame and the user-specified mask is taken before comparing it
574 with the user-specified mark value. When only a mark value is
575 specified, the packet only matches when the mark value of the
576 frame equals the user-specified mark value. If only a mask is
577 specified, the logical AND of the mark value of the frame and
578 the user-specified mask is taken and the frame matches when the
579 result of this logical AND is non-zero. Only specifying a mask
580 is useful to match multiple mark values.
581
582 pkttype
583 --pkttype-type [!] type
584 Matches on the Ethernet "class" of the frame, which is deter‐
585 mined by the generic networking code. Possible values: broadcast
586 (MAC destination is the broadcast address), multicast (MAC des‐
587 tination is a multicast address), host (MAC destination is the
588 receiving network device), or otherhost (none of the above).
589
590 stp
591 Specify stp BPDU (bridge protocol data unit) fields. The destination
592 address (-d) must be specified as the bridge group address (BGA). For
593 all options for which a range of values can be specified, it holds that
594 if the lower bound is omitted (but the colon is not), then the lowest
595 possible lower bound for that option is used, while if the upper bound
596 is omitted (but the colon again is not), the highest possible upper
597 bound for that option is used.
598
599 --stp-type [!] type
600 The BPDU type (0-255), recognized non-numerical types are con‐
601 fig, denoting a configuration BPDU (=0), and tcn, denothing a
602 topology change notification BPDU (=128).
603
604 --stp-flags [!] flag
605 The BPDU flag (0-255), recognized non-numerical flags are topol‐
606 ogy-change, denoting the topology change flag (=1), and topol‐
607 ogy-change-ack, denoting the topology change acknowledgement
608 flag (=128).
609
610 --stp-root-prio [!] [prio][:prio]
611 The root priority (0-65535) range.
612
613 --stp-root-addr [!] [address][/mask]
614 The root mac address, see the option -s for more details.
615
616 --stp-root-cost [!] [cost][:cost]
617 The root path cost (0-4294967295) range.
618
619 --stp-sender-prio [!] [prio][:prio]
620 The BPDU's sender priority (0-65535) range.
621
622 --stp-sender-addr [!] [address][/mask]
623 The BPDU's sender mac address, see the option -s for more
624 details.
625
626 --stp-port [!] [port][:port]
627 The port identifier (0-65535) range.
628
629 --stp-msg-age [!] [age][:age]
630 The message age timer (0-65535) range.
631
632 --stp-max-age [!] [age][:age]
633 The max age timer (0-65535) range.
634
635 --stp-hello-time [!] [time][:time]
636 The hello time timer (0-65535) range.
637
638 --stp-forward-delay [!] [delay][:delay]
639 The forward delay timer (0-65535) range.
640
641 string
642 This module matches on a given string using some pattern matching
643 strategy.
644
645 --string-algo algorithm
646 The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-
647 Pratt-Morris)
648
649 --string-from offset
650 The lowest offset from which a match can start. (default: 0)
651
652 --string-to offset
653 The highest offset from which a match can start. (default: size
654 of frame)
655
656 --string [!] pattern
657 Matches the given pattern.
658
659 --string-hex [!] pattern
660 Matches the given pattern in hex notation, e.g. '|0D 0A|',
661 '|0D0A|', 'www|09|netfilter|03|org|00|'
662
663 --string-icase
664 Ignore case when searching.
665
666 vlan
667 Specify 802.1Q Tag Control Information fields. The protocol must be
668 specified as 802_1Q (0x8100).
669
670 --vlan-id [!] id
671 The VLAN identifier field (VID). Decimal number from 0 to 4095.
672
673 --vlan-prio [!] prio
674 The user priority field, a decimal number from 0 to 7. The VID
675 should be set to 0 ("null VID") or unspecified (in the latter
676 case the VID is deliberately set to 0).
677
678 --vlan-encap [!] type
679 The encapsulated Ethernet frame type/length. Specified as a
680 hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
681 from /etc/ethertypes.
682
683
684 WATCHER EXTENSIONS
685 Watchers only look at frames passing by, they don't modify them nor
686 decide to accept the frames or not. These watchers only see the frame
687 if the frame matches the rule, and they see it before the target is
688 executed.
689
690 log
691 The log watcher writes descriptive data about a frame to the syslog.
692
693 --log
694 Log with the default loggin options: log-level= info, log-pre‐
695 fix="", no ip logging, no arp logging.
696
697 --log-level level
698 Defines the logging level. For the possible values, see ebtables
699 -h log. The default level is info.
700
701 --log-prefix text
702 Defines the prefix text to be printed at the beginning of the
703 line with the logging information.
704
705 --log-ip
706 Will log the ip information when a frame made by the ip protocol
707 matches the rule. The default is no ip information logging.
708
709 --log-ip6
710 Will log the ipv6 information when a frame made by the ipv6 pro‐
711 tocol matches the rule. The default is no ipv6 information log‐
712 ging.
713
714 --log-arp
715 Will log the (r)arp information when a frame made by the (r)arp
716 protocols matches the rule. The default is no (r)arp information
717 logging.
718
719 nflog
720 The nflog watcher passes the packet to the loaded logging backend in
721 order to log the packet. This is usually used in combination with
722 nfnetlink_log as logging backend, which will multicast the packet
723 through a netlink socket to the specified multicast group. One or more
724 userspace processes may subscribe to the group to receive the packets.
725
726 --nflog
727 Log with the default logging options
728
729 --nflog-group nlgroup
730 The netlink group (1 - 2^32-1) to which packets are (only appli‐
731 cable for nfnetlink_log). The default value is 1.
732
733 --nflog-prefix prefix
734 A prefix string to include in the log message, up to 30 charac‐
735 ters long, useful for distinguishing messages in the logs.
736
737 --nflog-range size
738 The number of bytes to be copied to userspace (only applicable
739 for nfnetlink_log). nfnetlink_log instances may specify their
740 own range, this option overrides it.
741
742 --nflog-threshold size
743 Number of packets to queue inside the kernel before sending them
744 to userspace (only applicable for nfnetlink_log). Higher values
745 result in less overhead per packet, but increase delay until the
746 packets reach userspace. The default value is 1.
747
748 ulog
749 The ulog watcher passes the packet to a userspace logging daemon using
750 netlink multicast sockets. This differs from the log watcher in the
751 sense that the complete packet is sent to userspace instead of a
752 descriptive text and that netlink multicast sockets are used instead of
753 the syslog. This watcher enables parsing of packets with userspace
754 programs, the physical bridge in and out ports are also included in the
755 netlink messages. The ulog watcher module accepts 2 parameters when
756 the module is loaded into the kernel (e.g. with modprobe): nlbufsiz
757 specifies how big the buffer for each netlink multicast group is. If
758 you say nlbufsiz=8192, for example, up to eight kB of packets will get
759 accumulated in the kernel until they are sent to userspace. It is not
760 possible to allocate more than 128kB. Please also keep in mind that
761 this buffer size is allocated for each nlgroup you are using, so the
762 total kernel memory usage increases by that factor. The default is
763 4096. flushtimeout specifies after how many hundredths of a second the
764 queue should be flushed, even if it is not full yet. The default is 10
765 (one tenth of a second).
766
767 --ulog
768 Use the default settings: ulog-prefix="", ulog-nlgroup=1, ulog-
769 cprange=4096, ulog-qthreshold=1.
770
771 --ulog-prefix text
772 Defines the prefix included with the packets sent to userspace.
773
774 --ulog-nlgroup group
775 Defines which netlink group number to use (a number from 1 to
776 32). Make sure the netlink group numbers used for the iptables
777 ULOG target differ from those used for the ebtables ulog
778 watcher. The default group number is 1.
779
780 --ulog-cprange range
781 Defines the maximum copy range to userspace, for packets match‐
782 ing the rule. The default range is 0, which means the maximum
783 copy range is given by nlbufsiz. A maximum copy range larger
784 than 128*1024 is meaningless as the packets sent to userspace
785 have an upper size limit of 128*1024.
786
787 --ulog-qthreshold threshold
788 Queue at most threshold number of packets before sending them to
789 userspace with a netlink socket. Note that packets can be sent
790 to userspace before the queue is full, this happens when the
791 ulog kernel timer goes off (the frequency of this timer depends
792 on flushtimeout).
793
794 TARGET EXTENSIONS
795 arpreply
796 The arpreply target can be used in the PREROUTING chain of the nat ta‐
797 ble. If this target sees an ARP request it will automatically reply
798 with an ARP reply. The used MAC address for the reply can be specified.
799 The protocol must be specified as ARP. When the ARP message is not an
800 ARP request or when the ARP request isn't for an IP address on an Eth‐
801 ernet network, it is ignored by this target (CONTINUE). When the ARP
802 request is malformed, it is dropped (DROP).
803
804 --arpreply-mac address
805 Specifies the MAC address to reply with: the Ethernet source MAC
806 and the ARP payload source MAC will be filled in with this
807 address.
808
809 --arpreply-target target
810 Specifies the standard target. After sending the ARP reply, the
811 rule still has to give a standard target so ebtables knows what
812 to do with the ARP request. The default target is DROP.
813
814 dnat
815 The dnat target can only be used in the BROUTING chain of the broute
816 table and the PREROUTING and OUTPUT chains of the nat table. It speci‐
817 fies that the destination MAC address has to be changed.
818
819 --to-destination address
820 Change the destination MAC address to the specified address.
821 The flag --to-dst is an alias for this option.
822
823 --dnat-target target
824 Specifies the standard target. After doing the dnat, the rule
825 still has to give a standard target so ebtables knows what to do
826 with the dnated frame. The default target is ACCEPT. Making it
827 CONTINUE could let you use multiple target extensions on the
828 same frame. Making it DROP only makes sense in the BROUTING
829 chain but using the redirect target is more logical there.
830 RETURN is also allowed. Note that using RETURN in a base chain
831 is not allowed (for obvious reasons).
832
833 mark
834 The mark target can be used in every chain of every table. It is possi‐
835 ble to use the marking of a frame/packet in both ebtables and iptables,
836 if the bridge-nf code is compiled into the kernel. Both put the marking
837 at the same place. This allows for a form of communication between
838 ebtables and iptables.
839
840 --mark-set value
841 Mark the frame with the specified non-negative value.
842
843 --mark-or value
844 Or the frame with the specified non-negative value.
845
846 --mark-and value
847 And the frame with the specified non-negative value.
848
849 --mark-xor value
850 Xor the frame with the specified non-negative value.
851
852 --mark-target target
853 Specifies the standard target. After marking the frame, the rule
854 still has to give a standard target so ebtables knows what to
855 do. The default target is ACCEPT. Making it CONTINUE can let
856 you do other things with the frame in subsequent rules of the
857 chain.
858
859 redirect
860 The redirect target will change the MAC target address to that of the
861 bridge device the frame arrived on. This target can only be used in the
862 BROUTING chain of the broute table and the PREROUTING chain of the nat
863 table. In the BROUTING chain, the MAC address of the bridge port is
864 used as destination address, in the PREROUTING chain, the MAC address
865 of the bridge is used.
866
867 --redirect-target target
868 Specifies the standard target. After doing the MAC redirect, the
869 rule still has to give a standard target so ebtables knows what
870 to do. The default target is ACCEPT. Making it CONTINUE could
871 let you use multiple target extensions on the same frame. Making
872 it DROP in the BROUTING chain will let the frames be routed.
873 RETURN is also allowed. Note that using RETURN in a base chain
874 is not allowed.
875
876 snat
877 The snat target can only be used in the POSTROUTING chain of the nat
878 table. It specifies that the source MAC address has to be changed.
879
880 --to-source address
881 Changes the source MAC address to the specified address. The
882 flag --to-src is an alias for this option.
883
884 --snat-target target
885 Specifies the standard target. After doing the snat, the rule
886 still has to give a standard target so ebtables knows what to
887 do. The default target is ACCEPT. Making it CONTINUE could let
888 you use multiple target extensions on the same frame. Making it
889 DROP doesn't make sense, but you could do that too. RETURN is
890 also allowed. Note that using RETURN in a base chain is not
891 allowed.
892
893 --snat-arp
894 Also change the hardware source address inside the arp header if
895 the packet is an arp message and the hardware address length in
896 the arp header is 6 bytes.
897
899 /etc/ethertypes /run/ebtables.lock
900
902 EBTABLES_ATOMIC_FILE
903
905 See http://netfilter.org/mailinglists.html
906
908 iptables(8), brctl(8), ifconfig(8), route(8)
909
910 See http://ebtables.sf.net
911
912
913
914 December 2011 EBTABLES(8)