EBTABLES(8)                 System Manager's Manual                EBTABLES(8)

NAME
       ebtables - Ethernet bridge frame table administration (nft-based)

SYNOPSIS
       ebtables [-t table] -[ACDI] chain rule specification [match extensions]
                [watcher extensions] target
       ebtables [-t table] -P chain ACCEPT | DROP | RETURN
       ebtables [-t table] -F [chain]
       ebtables [-t table] -Z [chain]
       ebtables [-t table] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
       ebtables [-t table] -N chain [-P ACCEPT | DROP | RETURN]
       ebtables [-t table] -X [chain]
       ebtables [-t table] -E old-chain-name new-chain-name
       ebtables [-t table] --init-table
       ebtables [-t table] [--atomic-file file] --atomic-commit
       ebtables [-t table] [--atomic-file file] --atomic-init
       ebtables [-t table] [--atomic-file file] --atomic-save

DESCRIPTION
       ebtables is an application program used to set up and maintain the
       tables of rules (inside the Linux kernel) that inspect Ethernet frames.
       It is analogous to the iptables application, but less complicated, due
       to the fact that the Ethernet protocol is much simpler than the IP
       protocol.

CHAINS
       There are two ebtables tables with built-in chains in the Linux kernel.
       These tables are used to divide functionality into different sets of
       rules. Each set of rules is called a chain. Each chain is an ordered
       list of rules that can match Ethernet frames. If a rule matches an
       Ethernet frame, then a processing specification tells what to do with
       that matching frame. The processing specification is called a
       'target'. However, if the frame does not match the current rule in the
       chain, then the next rule in the chain is examined and so forth. The
       user can create new (user-defined) chains that can be used as the
       'target' of a rule. User-defined chains are very useful to get better
       performance over the linear traversal of the rules and are also
       essential for structuring the filtering rules into well-organized and
       maintainable sets of rules.

TARGETS
       A firewall rule specifies criteria for an Ethernet frame and a frame
       processing specification called a target. When a frame matches a rule,
       then the next action performed by the kernel is specified by the
       target. The target can be one of these values: ACCEPT, DROP, CONTINUE,
       RETURN, an 'extension' (see below) or a jump to a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy, e.g., to know how many frames pass a certain point in the chain,
       to log those frames or to apply multiple targets on a frame. RETURN
       means stop traversing this chain and resume at the next rule in the
       previous (calling) chain. For the extension targets please refer to
       the TARGET EXTENSIONS section of this man page.

TABLES
       As stated earlier, there are two ebtables tables in the Linux kernel.
       The table names are filter and nat. Of these two tables, the filter
       table is the default table that the command operates on. If you are
       working with the filter table, then you can drop the '-t filter'
       argument to the ebtables command. However, you will need to provide
       the -t argument for the nat table. Moreover, the -t argument must be
       the first argument on the ebtables command line, if used.

   -t, --table
       filter is the default table and contains three built-in chains: INPUT
       (for frames destined for the bridge itself, on the level of the MAC
       destination address), OUTPUT (for locally-generated or (b)routed
       frames) and FORWARD (for frames being forwarded by the bridge).
       nat is mostly used to change the MAC addresses and contains three
       built-in chains: PREROUTING (for altering frames as soon as they come
       in), OUTPUT (for altering locally generated or (b)routed frames before
       they are bridged) and POSTROUTING (for altering frames as they are
       about to go out). A small note on the naming of the chains PREROUTING
       and POSTROUTING: it would be more accurate to call them PREFORWARDING
       and POSTFORWARDING, but for all those who come from the iptables world
       to ebtables it is easier to have the same names. Note that you can
       change the name (-E) if you don't like the default.

OPTIONS
       After the initial ebtables '-t table' command line argument, the
       remaining arguments can be divided into several groups. These groups
       are commands, miscellaneous commands, rule specifications, match
       extensions, watcher extensions and target extensions.

COMMANDS
       The ebtables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. Only
       one command may be used on the command line at a time, except when the
       commands -L and -Z are combined, the commands -N and -P are combined,
       or when --atomic-file is used.

   -A, --append
       Append a rule to the end of the selected chain.

   -D, --delete
       Delete the specified rule or rules from the selected chain. There are
       two ways to use this command. The first is by specifying an interval
       of rule numbers to delete (directly after -D). Syntax:
       start_nr[:end_nr] (use -L --Ln to list the rules with their rule
       number). When end_nr is omitted, all rules starting from start_nr are
       deleted. Using negative numbers is allowed; for more details about
       using negative numbers, see the -I command. The second usage is by
       specifying the complete rule as it would have been specified when it
       was added. Only the first encountered rule that is the same as this
       specified rule, in other words the matching rule with the lowest
       (positive) rule number, is deleted.

   -C, --change-counters
       Change the counters of the specified rule or rules from the selected
       chain. There are two ways to use this command. The first is by
       specifying an interval of rule numbers to do the changes on (directly
       after -C). Syntax: start_nr[:end_nr] (use -L --Ln to list the rules
       with their rule number). The details are the same as for the -D
       command. The second usage is by specifying the complete rule as it
       would have been specified when it was added. Only the counters of the
       first encountered rule that is the same as this specified rule, in
       other words the matching rule with the lowest (positive) rule number,
       are changed. In the first usage, the counters are specified directly
       after the interval specification, in the second usage directly after
       -C. First the packet counter is specified, then the byte counter. If
       the specified counters start with a '+', the counter values are added
       to the respective current counter values. If the specified counters
       start with a '-', the counter values are subtracted from the
       respective current counter values. No bounds checking is done. If the
       counters don't start with '+' or '-', the current counters are
       replaced by the specified counters.

   -I, --insert
       Insert the specified rule into the selected chain at the specified
       rule number. If the rule number is not specified, the rule is added at
       the head of the chain. If the current number of rules equals N, then
       the specified number can be between -N and N+1. For a positive number
       i, it holds that i and i-N-1 specify the same place in the chain where
       the rule should be inserted. The rule number 0 specifies the place
       past the last rule in the chain and using this number is therefore
       equivalent to using the -A command. Rule numbers strictly smaller than
       0 can be useful when more than one rule needs to be inserted in a
       chain.

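The -I numbering is easy to get wrong when a script inserts several rules, so here is a POSIX sh simulation (added here, not part of the ebtables manual) that models a chain as a space-separated list of rule names and resolves a requested rule number exactly as the text above describes: 0 appends, a negative number counts back from the end, and i and i-N-1 name the same slot. No ebtables call is made.

```shell
# Added example, not from the ebtables manual: resolve "ebtables -I CHAIN n"
# positions offline.  A chain is a space-separated list such as "A B DROP".

# resolve_insert_pos N n -> prints the 1-based slot the new rule takes, or
# returns 1 when n is outside the range -N .. N+1 the manual allows.
resolve_insert_pos() {
    N=$1; n=$2
    if [ "$n" -lt $(( 0 - N )) ] || [ "$n" -gt $(( N + 1 )) ]; then
        return 1
    fi
    if [ "$n" -eq 0 ]; then
        echo $(( N + 1 ))          # past the last rule: identical to -A
    elif [ "$n" -lt 0 ]; then
        echo $(( n + N + 1 ))      # -1 is the slot just before the last rule
    else
        echo "$n"
    fi
}

# chain_insert "RULES" n NEWRULE -> prints the chain after the insert.
chain_insert() {
    rules=$1; n=$2; new=$3
    set -- $rules
    pos=$(resolve_insert_pos "$#" "$n") || return 1
    out=""; i=1
    for r in "$@"; do
        [ "$i" -eq "$pos" ] && out="$out $new"
        out="$out $r"
        i=$(( i + 1 ))
    done
    [ "$pos" -eq $(( $# + 1 )) ] && out="$out $new"
    echo "${out# }"
}

# Repeated "-I FORWARD -1" keeps new rules in order ahead of a final DROP,
# whereas repeated "-I FORWARD 3" reverses them:
#   chain_insert "$(chain_insert "A B DROP" -1 X)" -1 Y   -> A B X Y DROP
#   chain_insert "$(chain_insert "A B DROP" 3 X)" 3 Y     -> A B Y X DROP
```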
   -P, --policy
       Set the policy for the chain to the given target. The policy can be
       ACCEPT, DROP or RETURN.

   -F, --flush
       Flush the selected chain. If no chain is selected, then every chain
       will be flushed. Flushing a chain does not change the policy of the
       chain, however.

   -Z, --zero
       Set the counters of the selected chain to zero. If no chain is
       selected, all the counters are set to zero. The -Z command can be used
       in conjunction with the -L command. When both the -Z and -L commands
       are used together in this way, the rule counters are printed on the
       screen before they are set to zero.

   -L, --list
       List all rules in the selected chain. If no chain is selected, all
       chains are listed.
       The following options change the output of the -L command.

       --Ln
           Places the rule number in front of every rule. This option is
           incompatible with the --Lx option.

       --Lc
           Shows the counters at the end of each rule displayed by the -L
           command. Both a frame counter (pcnt) and a byte counter (bcnt)
           are displayed. The frame counter shows how many frames have
           matched the specific rule, the byte counter shows the sum of the
           frame sizes of these matching frames. Using this option in
           combination with the --Lx option causes the counters to be
           written out in the '-c <pcnt> <bcnt>' option format.

       --Lx
           Changes the output so that it produces a set of ebtables commands
           that construct the contents of the chain, when specified. If no
           chain is specified, ebtables commands to construct the contents
           of the table are given, including commands for creating the
           user-defined chains (if any). You can use this set of commands in
           an ebtables boot or reload script. For example the output could
           be used at system startup. The --Lx option is incompatible with
           the --Ln listing option. Using the --Lx option together with the
           --Lc option will cause the counters to be written out in the
           '-c <pcnt> <bcnt>' option format.

       --Lmac2
           Shows all MAC addresses with the same length, adding leading
           zeroes if necessary. The default representation omits leading
           zeroes in the addresses.

   -N, --new-chain
       Create a new user-defined chain with the given name. The number of
       user-defined chains is limited only by the number of possible chain
       names. A user-defined chain name has a maximum length of 31
       characters. The standard policy of the user-defined chain is ACCEPT.
       The policy of the new chain can be initialized to a different standard
       target by using the -P command together with the -N command. In this
       case, the chain name does not have to be specified for the -P command.

   -X, --delete-chain
       Delete the specified user-defined chain. There must be no remaining
       references (jumps) to the specified chain, otherwise ebtables will
       refuse to delete it. If no chain is specified, all user-defined chains
       that aren't referenced will be removed.

   -E, --rename-chain
       Rename the specified chain to a new name. Besides renaming a
       user-defined chain, you can rename a standard chain to a name that
       suits your taste. For example, if you like PREFORWARDING more than
       PREROUTING, then you can use the -E command to rename the PREROUTING
       chain. If you do rename one of the standard ebtables chain names,
       please be sure to mention this fact should you post a question on the
       ebtables mailing lists. It would be wise to use the standard name in
       your post. Renaming a standard ebtables chain in this fashion has no
       effect on the structure or functioning of the ebtables kernel table.

   --init-table
       Replace the current table data by the initial table data.

   --atomic-init
       Copy the kernel's initial data of the table to the specified file.
       This can be used as the first action, after which rules are added to
       the file. The file can be specified using the --atomic-file command or
       through the EBTABLES_ATOMIC_FILE environment variable.

   --atomic-save
       Copy the kernel's current data of the table to the specified file.
       This can be used as the first action, after which rules are added to
       the file. The file can be specified using the --atomic-file command or
       through the EBTABLES_ATOMIC_FILE environment variable.

   --atomic-commit
       Replace the kernel table data with the data contained in the specified
       file. This is a useful command that allows you to load all your rules
       of a certain table into the kernel at once, saving the kernel a lot of
       precious time and allowing atomic updates of the tables. The file
       which contains the table data is constructed by using either the
       --atomic-init or the --atomic-save command to generate a starting
       file. After that, using the --atomic-file command when constructing
       rules or setting the EBTABLES_ATOMIC_FILE environment variable allows
       you to extend the file and build the complete table before committing
       it to the kernel. This command can be very useful in boot scripts to
       populate the ebtables tables in a fast way.

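The following boot-script skeleton (added here, not from the ebtables manual) carries out the --atomic-init / EBTABLES_ATOMIC_FILE / --atomic-commit workflow just described: the whole filter table is assembled in a file and then swapped into the kernel in a single update, so the bridge never runs with a half-built rule set. The bridge port names br0p1 and br0p2, the user chain IPV4ONLY and the EBT_DRYRUN_LOG variable are assumptions of the example; when EBT_DRYRUN_LOG is set, each command is recorded in that file instead of being executed.

```shell
#!/bin/sh
# Added example, not from the ebtables manual: build the filter table in an
# atomic file, then commit it in one step.  Assumptions: bridge ports br0p1
# and br0p2, a user chain IPV4ONLY, and EBT_DRYRUN_LOG, which when set makes
# ebt() append the command line to that file rather than run ebtables.
set -e

ebt() {
    if [ -n "$EBT_DRYRUN_LOG" ]; then
        printf 'ebtables %s\n' "$*" >> "$EBT_DRYRUN_LOG"
    else
        ebtables "$@"
    fi
}

# build_filter_table FILE: fill FILE with the complete table without
# touching the kernel.  The manual prefers the environment variable over
# repeating --atomic-file before every command.
build_filter_table() {
    EBTABLES_ATOMIC_FILE=$1
    export EBTABLES_ATOMIC_FILE
    ebt --atomic-init                          # start from the empty table
    ebt -N IPV4ONLY -P RETURN                  # -N and -P may be combined
    ebt -A IPV4ONLY -p IPv4 -j ACCEPT
    ebt -A IPV4ONLY -p ARP -j ACCEPT
    ebt -A FORWARD -i br0p1 -j IPV4ONLY
    ebt -A FORWARD -i br0p2 -j IPV4ONLY
    # Frames that fall out of IPV4ONLY are neither IPv4 nor ARP: log a
    # rate-limited sample with the log watcher, then let the DROP policy
    # below discard them.
    ebt -A FORWARD --limit 1/second --limit-burst 5 \
        --log-level info --log-prefix "ebt-drop: " -j CONTINUE
    ebt -P FORWARD DROP
}

# load_filter_table FILE: replace the kernel's filter table with FILE in a
# single atomic update.
load_filter_table() {
    EBTABLES_ATOMIC_FILE=$1
    export EBTABLES_ATOMIC_FILE
    ebt --atomic-commit
}
```

A real boot script would call build_filter_table and then load_filter_table on the same file path; --atomic-save instead of --atomic-init would start from the table currently in the kernel.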
MISCELLANEOUS COMMANDS
   -V, --version
       Show the version of the ebtables userspace program.

   -h, --help [list of module names]
       Give a brief description of the command syntax. Here you can also
       specify names of extensions and ebtables will try to write help about
       those extensions. E.g. ebtables -h snat log ip arp. Specify
       list_extensions to list all extensions supported by the userspace
       utility.

   -j, --jump target
       The target of the rule. This is one of the following values: ACCEPT,
       DROP, CONTINUE, RETURN, a target extension (see TARGET EXTENSIONS) or
       a user-defined chain name.

   --atomic-file file
       Let the command operate on the specified file. The data of the table
       to operate on will be extracted from the file and the result of the
       operation will be saved back into the file. If specified, this option
       should come before the command specification. An alternative that
       should be preferred is setting the EBTABLES_ATOMIC_FILE environment
       variable.

   -M, --modprobe program
       When talking to the kernel, use this program to try to automatically
       load missing kernel modules.

   --concurrent
       Use a file lock to support concurrent scripts updating the ebtables
       kernel tables.


RULE SPECIFICATIONS
       The following command line arguments make up a rule specification (as
       used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from
       these standard rule specifications there are some other command line
       arguments of interest. See both the MATCH EXTENSIONS and the WATCHER
       EXTENSIONS below.

   -p, --protocol [!] protocol
       The protocol that was responsible for creating the frame. This can be
       a hexadecimal number, above 0x0600, a name (e.g. ARP) or LENGTH. The
       protocol field of the Ethernet frame can be used to denote the length
       of the header (802.2/802.3 networks). When the value of that field is
       below or equals 0x0600, the value equals the size of the header and
       shouldn't be used as a protocol number. Instead, all frames where the
       protocol field is used as the length field are assumed to be of the
       same 'protocol'. The protocol name used in ebtables for these frames
       is LENGTH. The file /etc/ethertypes can be used to show readable
       characters instead of hexadecimal numbers for the protocols. For
       example, 0x0800 will be represented by IPV4. The use of this file is
       not case sensitive. See that file for more information. The flag
       --proto is an alias for this option.

   -i, --in-interface [!] name
       The interface (bridge port) via which a frame is received (this option
       is useful in the INPUT, FORWARD, PREROUTING and BROUTING chains). If
       the interface name ends with '+', then any interface name that begins
       with this name (disregarding '+') will match. The flag --in-if is an
       alias for this option.

   --logical-in [!] name
       The (logical) bridge interface via which a frame is received (this
       option is useful in the INPUT, FORWARD, PREROUTING and BROUTING
       chains). If the interface name ends with '+', then any interface name
       that begins with this name (disregarding '+') will match.

   -o, --out-interface [!] name
       The interface (bridge port) via which a frame is going to be sent
       (this option is useful in the OUTPUT, FORWARD and POSTROUTING chains).
       If the interface name ends with '+', then any interface name that
       begins with this name (disregarding '+') will match. The flag --out-if
       is an alias for this option.

   --logical-out [!] name
       The (logical) bridge interface via which a frame is going to be sent
       (this option is useful in the OUTPUT, FORWARD and POSTROUTING chains).
       If the interface name ends with '+', then any interface name that
       begins with this name (disregarding '+') will match.

   -s, --source [!] address[/mask]
       The source MAC address. Both mask and address are written as 6
       hexadecimal numbers separated by colons. Alternatively one can specify
       Unicast, Multicast, Broadcast or BGA (Bridge Group Address):
       Unicast=00:00:00:00:00:00/01:00:00:00:00:00,
       Multicast=01:00:00:00:00:00/01:00:00:00:00:00,
       Broadcast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
       BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast address
       will also match the multicast specification. The flag --src is an
       alias for this option.

   -d, --destination [!] address[/mask]
       The destination MAC address. See -s (above) for more details on MAC
       addresses. The flag --dst is an alias for this option.

   -c, --set-counter pcnt bcnt
       If used with -A or -I, then the packet and byte counters of the new
       rule will be set to pcnt and bcnt respectively. If used with the -C or
       -D commands, only rules with a packet and byte count equal to pcnt and
       bcnt respectively will match.


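To see what the address[/mask] form of -s and -d actually accepts, including why a broadcast frame also satisfies the Multicast specification (the mask 01:00:00:00:00:00 only inspects the group bit), here is a POSIX sh evaluator added here as an example; it is not part of the ebtables manual and makes no ebtables call.

```shell
# Added example, not from the ebtables manual: evaluate the -s/-d
# address[/mask] test offline.  A frame address matches when
# (address & mask) == (spec & mask) for each of the 6 bytes.

# mac_class NAME -> the address/mask the manual assigns to the symbolic
# names; anything else is passed through as an explicit address[/mask].
mac_class() {
    case $1 in
        Unicast)   echo 00:00:00:00:00:00/01:00:00:00:00:00 ;;
        Multicast) echo 01:00:00:00:00:00/01:00:00:00:00:00 ;;
        Broadcast) echo ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff ;;
        BGA)       echo 01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff ;;
        *)         echo "$1" ;;
    esac
}

# mac_matches SPEC MAC -> exit 0 when MAC satisfies SPEC.  A SPEC without
# /mask is an exact comparison.  Leading zeroes may be omitted in either
# argument, as in the default -L output (0:11:22:33:44:55).
mac_matches() {
    spec=$(mac_class "$1"); mac=$2
    case $spec in
        */*) addr=${spec%/*}; mask=${spec#*/} ;;
        *)   addr=$spec; mask=ff:ff:ff:ff:ff:ff ;;
    esac
    i=1
    while [ "$i" -le 6 ]; do
        a=$(printf '%s' "$addr" | cut -d: -f"$i")
        m=$(printf '%s' "$mask" | cut -d: -f"$i")
        p=$(printf '%s' "$mac"  | cut -d: -f"$i")
        # bytes are hexadecimal; compare them after masking
        [ $(( 0x$p & 0x$m )) -eq $(( 0x$a & 0x$m )) ] || return 1
        i=$(( i + 1 ))
    done
    return 0
}
```

For instance mac_matches Multicast ff:ff:ff:ff:ff:ff succeeds, as the manual warns, while mac_matches BGA 01:80:c2:00:00:01 fails because BGA uses a full mask.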
MATCH EXTENSIONS
       Ebtables extensions are dynamically loaded into the userspace tool;
       there is therefore no need to explicitly load them with a -m option
       like is done in iptables. These extensions deal with functionality
       supported by kernel modules supplemental to the core ebtables code.

   802_3
       Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
       specified as LENGTH (see the option -p above).

       --802_3-sap [!] sap
           DSAP and SSAP are two one-byte 802.3 fields. The bytes are always
           equal, so only one byte (hexadecimal) is needed as an argument.

       --802_3-type [!] type
           If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
           field must be consulted to determine the payload protocol. This
           is a two-byte (hexadecimal) argument. Only 802.3 frames with
           DSAP/SSAP 0xaa are checked for type.

   arp
       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.

       --arp-opcode [!] opcode
           The (R)ARP opcode (decimal or a string; for more details see
           ebtables -h arp).

       --arp-htype [!] hardware type
           The hardware type, this can be a decimal or the string Ethernet
           (which sets type to 1). Most (R)ARP packets have Ethernet as
           hardware type.

       --arp-ptype [!] protocol type
           The protocol type for which the (r)arp is used (hexadecimal or
           the string IPv4, denoting 0x0800). Most (R)ARP packets have
           protocol type IPv4.

       --arp-ip-src [!] address[/mask]
           The (R)ARP IP source address specification.

       --arp-ip-dst [!] address[/mask]
           The (R)ARP IP destination address specification.

       --arp-mac-src [!] address[/mask]
           The (R)ARP MAC source address specification.

       --arp-mac-dst [!] address[/mask]
           The (R)ARP MAC destination address specification.

       [!] --arp-gratuitous
           Checks for gratuitous ARP packets: checks equality of the IPv4
           source address and the IPv4 destination address inside the ARP
           header.

   ip
       Specify IPv4 fields. The protocol must be specified as IPv4.

       --ip-source [!] address[/mask]
           The source IP address. The flag --ip-src is an alias for this
           option.

       --ip-destination [!] address[/mask]
           The destination IP address. The flag --ip-dst is an alias for
           this option.

       --ip-tos [!] tos
           The IP type of service, in hexadecimal numbers.

       --ip-protocol [!] protocol
           The IP protocol. The flag --ip-proto is an alias for this
           option.

       --ip-source-port [!] port1[:port2]
           The source port or port range for the IP protocols 6 (TCP), 17
           (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
           specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
           0:port2 is used; if port2 is omitted but a colon is specified,
           port1:65535 is used. The flag --ip-sport is an alias for this
           option.

       --ip-destination-port [!] port1[:port2]
           The destination port or port range for the IP protocols 6 (TCP),
           17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must
           be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
           0:port2 is used; if port2 is omitted but a colon is specified,
           port1:65535 is used. The flag --ip-dport is an alias for this
           option.

   ip6
       Specify IPv6 fields. The protocol must be specified as IPv6.

       --ip6-source [!] address[/mask]
           The source IPv6 address. The flag --ip6-src is an alias for this
           option.

       --ip6-destination [!] address[/mask]
           The destination IPv6 address. The flag --ip6-dst is an alias for
           this option.

       --ip6-tclass [!] tclass
           The IPv6 traffic class, in hexadecimal numbers.

       --ip6-protocol [!] protocol
           The IP protocol. The flag --ip6-proto is an alias for this
           option.

       --ip6-source-port [!] port1[:port2]
           The source port or port range for the IPv6 protocols 6 (TCP), 17
           (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option must
           be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
           0:port2 is used; if port2 is omitted but a colon is specified,
           port1:65535 is used. The flag --ip6-sport is an alias for this
           option.

       --ip6-destination-port [!] port1[:port2]
           The destination port or port range for the IPv6 protocols 6
           (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol
           option must be specified as TCP, UDP, DCCP or SCTP. If port1 is
           omitted, 0:port2 is used; if port2 is omitted but a colon is
           specified, port1:65535 is used. The flag --ip6-dport is an alias
           for this option.

       --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
           Specify the ipv6-icmp type and code to match. Ranges for both
           type and code are supported. Type and code are separated by a
           slash. Valid numbers for type and code are 0 to 255. To match a
           single type including all valid codes, symbolic names can be
           used instead of numbers. The list of known type names is shown
           by the command
               ebtables --help ip6
           This option is only valid for --ip6-protocol ipv6-icmp.

   limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached. It
       can be used with the --log watcher to give limited logging, for
       example. Its use is the same as the limit match of iptables.

       --limit [value]
           Maximum average matching rate: specified as a number, with an
           optional /second, /minute, /hour, or /day suffix; the default is
           3/hour.

       --limit-burst [number]
           Maximum initial number of packets to match: this number gets
           recharged by one every time the limit specified above is not
           reached, up to this number; the default is 5.

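The interaction of --limit and --limit-burst is clearest when simulated: the bucket starts full (burst matches are allowed immediately), then refills one match per interval. The POSIX sh simulation below is added here as an example and is not part of the ebtables manual; it assumes whole-second arrival times and, as an assumption of the example, treats a rate without a suffix as per hour.

```shell
# Added example, not from the ebtables manual: a token-bucket model of
# "--limit RATE --limit-burst BURST" so the number of frames a rule such as
#   ebtables -A FORWARD --limit 3/hour --limit-burst 5 --log-prefix "br: " -j CONTINUE
# would log from a burst can be predicted.  Credit is kept in seconds: one
# match costs one interval, credit grows one second per second and is
# capped at BURST intervals.  No ebtables call is made.

# limit_interval RATE -> seconds of credit one match costs
# (3/hour -> 1200, 10/minute -> 6, 1/second -> 1).  A rate with no suffix is
# taken as per hour here (assumption of this example).
limit_interval() {
    n=${1%%/*}
    case $1 in
        */second) period=1 ;;
        */minute) period=60 ;;
        */hour)   period=3600 ;;
        */day)    period=86400 ;;
        *)        period=3600 ;;
    esac
    echo $(( period / n ))
}

# limit_sim RATE BURST "t1 t2 ..." -> one character per frame arrival time
# (seconds, non-decreasing): M when the rule matches, - when it does not.
limit_sim() {
    iv=$(limit_interval "$1")
    cap=$(( $2 * iv ))
    credit=$cap                       # the bucket starts full
    last=0; out=""
    for t in $3; do
        credit=$(( credit + t - last ))
        [ "$credit" -gt "$cap" ] && credit=$cap
        if [ "$credit" -ge "$iv" ]; then
            credit=$(( credit - iv )); out="${out}M"
        else
            out="${out}-"
        fi
        last=$t
    done
    echo "$out"
}

# limit_sim 3/hour 5 "0 1 2 3 4 5 6 1200 1201 3600" -> MMMMM--M-M
```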
   mark_m
       --mark [!] [value][/mask]
           Matches frames with the given unsigned mark value. If a value and
           mask are specified, the logical AND of the mark value of the frame
           and the user-specified mask is taken before comparing it with the
           user-specified mark value. When only a mark value is specified,
           the packet only matches when the mark value of the frame equals
           the user-specified mark value. If only a mask is specified, the
           logical AND of the mark value of the frame and the user-specified
           mask is taken and the frame matches when the result of this
           logical AND is non-zero. Only specifying a mask is useful to
           match multiple mark values.

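The three forms of --mark behave differently enough that a rule is easy to mis-specify (a value with bits outside its mask can never match). This POSIX sh function, added here and not from the ebtables manual, implements the three cases exactly as stated above so a planned rule can be checked against a frame mark offline.

```shell
# Added example, not from the ebtables manual: the mark_m test in one
# function.  SPEC is "value", "value/mask" or "/mask"; numbers may be decimal
# or 0x-prefixed hexadecimal.
mark_matches() {
    fm=$1; spec=$2
    case $spec in
        /*)                      # mask only: match when any masked bit is set
            mask=${spec#/}
            [ $(( fm & mask )) -ne 0 ] ;;
        */*)                     # value and mask: (frame & mask) == value
            value=${spec%/*}; mask=${spec#*/}
            [ $(( fm & mask )) -eq $(( value )) ] ;;
        *)                       # value only: exact equality
            [ $(( fm )) -eq $(( spec )) ] ;;
    esac
}

# A value/mask spec whose value has bits outside the mask (0x13/0xf0) can
# never match, because the frame mark is masked before the comparison and
# the value is not:  mark_matches 0x13 0x13/0xf0 -> fails.
```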
   pkttype
       --pkttype-type [!] type
           Matches on the Ethernet "class" of the frame, which is determined
           by the generic networking code. Possible values: broadcast (MAC
           destination is the broadcast address), multicast (MAC destination
           is a multicast address), host (MAC destination is the receiving
           network device), or otherhost (none of the above).

   stp
       Specify STP BPDU (bridge protocol data unit) fields. The destination
       address (-d) must be specified as the bridge group address (BGA). For
       all options for which a range of values can be specified, it holds
       that if the lower bound is omitted (but the colon is not), then the
       lowest possible lower bound for that option is used, while if the
       upper bound is omitted (but the colon again is not), the highest
       possible upper bound for that option is used.

       --stp-type [!] type
           The BPDU type (0-255); recognized non-numerical types are config,
           denoting a configuration BPDU (=0), and tcn, denoting a topology
           change notification BPDU (=128).

       --stp-flags [!] flag
           The BPDU flag (0-255); recognized non-numerical flags are
           topology-change, denoting the topology change flag (=1), and
           topology-change-ack, denoting the topology change acknowledgement
           flag (=128).

       --stp-root-prio [!] [prio][:prio]
           The root priority (0-65535) range.

       --stp-root-addr [!] [address][/mask]
           The root MAC address, see the option -s for more details.

       --stp-root-cost [!] [cost][:cost]
           The root path cost (0-4294967295) range.

       --stp-sender-prio [!] [prio][:prio]
           The BPDU's sender priority (0-65535) range.

       --stp-sender-addr [!] [address][/mask]
           The BPDU's sender MAC address, see the option -s for more
           details.

       --stp-port [!] [port][:port]
           The port identifier (0-65535) range.

       --stp-msg-age [!] [age][:age]
           The message age timer (0-65535) range.

       --stp-max-age [!] [age][:age]
           The max age timer (0-65535) range.

       --stp-hello-time [!] [time][:time]
           The hello time timer (0-65535) range.

       --stp-forward-delay [!] [delay][:delay]
           The forward delay timer (0-65535) range.

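The port1[:port2] form of the ip/ip6 port options and the [lo][:hi] form of the stp options fill in omitted bounds the same way, with the option's lowest and highest possible value. The POSIX sh helper below, added here as an example and not part of the ebtables manual, expands a range specification for both families and checks a value against it; treating a bare number as a single-value range is an assumption of the example.

```shell
# Added example, not from the ebtables manual: expand the range syntax shared
# by --ip-source-port/--ip-destination-port, their ip6 counterparts and the
# stp options, then test a value against the expanded range.

# expand_range SPEC MIN MAX -> prints "lo:hi"
#   "a:b" -> a:b      ":b" -> MIN:b      "a:" -> a:MAX      ":" -> MIN:MAX
#   "a"   -> a:a   (single value; an assumption of this example)
expand_range() {
    spec=$1; min=$2; max=$3
    case $spec in
        *:*) lo=${spec%%:*}; hi=${spec#*:} ;;
        *)   lo=$spec; hi=$spec ;;
    esac
    [ -n "$lo" ] || lo=$min
    [ -n "$hi" ] || hi=$max
    echo "$lo:$hi"
}

# port_range SPEC -> bounds of the ip/ip6 port options (0..65535)
port_range() { expand_range "$1" 0 65535; }

# stp_u16_range SPEC -> bounds of the 16-bit stp options such as
# --stp-root-prio and --stp-port (0..65535)
stp_u16_range() { expand_range "$1" 0 65535; }

# stp_root_cost_range SPEC -> bounds of --stp-root-cost (0..4294967295)
stp_root_cost_range() { expand_range "$1" 0 4294967295; }

# in_range VALUE "lo:hi" -> exit 0 when lo <= VALUE <= hi
in_range() {
    lo=${2%%:*}; hi=${2#*:}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# port_range :1024       -> 0:1024        (manual: port1 omitted)
# port_range 1024:       -> 1024:65535    (manual: port2 omitted, colon kept)
# stp_root_cost_range 20000: -> 20000:4294967295
```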
   vlan
       Specify 802.1Q Tag Control Information fields. The protocol must be
       specified as 802_1Q (0x8100).

       --vlan-id [!] id
           The VLAN identifier field (VID). Decimal number from 0 to 4095.

       --vlan-prio [!] prio
           The user priority field, a decimal number from 0 to 7. The VID
           should be set to 0 ("null VID") or unspecified (in the latter
           case the VID is deliberately set to 0).

       --vlan-encap [!] type
           The encapsulated Ethernet frame type/length. Specified as a
           hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
           from /etc/ethertypes.


WATCHER EXTENSIONS
       Watchers only look at frames passing by; they don't modify them nor
       decide to accept the frames or not. These watchers only see the frame
       if the frame matches the rule, and they see it before the target is
       executed.

   log
       The log watcher writes descriptive data about a frame to the syslog.

       --log
           Log with the default logging options: log-level=info,
           log-prefix="", no ip logging, no arp logging.

       --log-level level
           Defines the logging level. For the possible values, see ebtables
           -h log. The default level is info.

       --log-prefix text
           Defines the prefix text to be printed at the beginning of the
           line with the logging information.

       --log-ip
           Will log the ip information when a frame made by the ip protocol
           matches the rule. The default is no ip information logging.

       --log-ip6
           Will log the ipv6 information when a frame made by the ipv6
           protocol matches the rule. The default is no ipv6 information
           logging.

       --log-arp
           Will log the (r)arp information when a frame made by the (r)arp
           protocols matches the rule. The default is no (r)arp information
           logging.

   nflog
       The nflog watcher passes the packet to the loaded logging backend in
       order to log the packet. This is usually used in combination with
       nfnetlink_log as logging backend, which will multicast the packet
       through a netlink socket to the specified multicast group. One or more
       userspace processes may subscribe to the group to receive the packets.

       --nflog
           Log with the default logging options.

       --nflog-group nlgroup
           The netlink group (1 - 2^32-1) to which packets are sent (only
           applicable for nfnetlink_log). The default value is 1.

       --nflog-prefix prefix
           A prefix string to include in the log message, up to 30
           characters long, useful for distinguishing messages in the logs.

       --nflog-range size
           The number of bytes to be copied to userspace (only applicable
           for nfnetlink_log). nfnetlink_log instances may specify their own
           range; this option overrides it.

       --nflog-threshold size
           Number of packets to queue inside the kernel before sending them
           to userspace (only applicable for nfnetlink_log). Higher values
           result in less overhead per packet, but increase delay until the
           packets reach userspace. The default value is 1.

   ulog
       The ulog watcher passes the packet to a userspace logging daemon using
       netlink multicast sockets. This differs from the log watcher in the
       sense that the complete packet is sent to userspace instead of a
       descriptive text and that netlink multicast sockets are used instead
       of the syslog. This watcher enables parsing of packets with userspace
       programs; the physical bridge in and out ports are also included in
       the netlink messages. The ulog watcher module accepts 2 parameters
       when the module is loaded into the kernel (e.g. with modprobe):
       nlbufsiz specifies how big the buffer for each netlink multicast group
       is. If you say nlbufsiz=8192, for example, up to eight kB of packets
       will get accumulated in the kernel until they are sent to userspace.
       It is not possible to allocate more than 128kB. Please also keep in
       mind that this buffer size is allocated for each nlgroup you are
       using, so the total kernel memory usage increases by that factor. The
       default is 4096. flushtimeout specifies after how many hundredths of a
       second the queue should be flushed, even if it is not full yet. The
       default is 10 (one tenth of a second).

       --ulog
           Use the default settings: ulog-prefix="", ulog-nlgroup=1,
           ulog-cprange=4096, ulog-qthreshold=1.

       --ulog-prefix text
           Defines the prefix included with the packets sent to userspace.

       --ulog-nlgroup group
           Defines which netlink group number to use (a number from 1 to
           32). Make sure the netlink group numbers used for the iptables
           ULOG target differ from those used for the ebtables ulog watcher.
           The default group number is 1.

       --ulog-cprange range
           Defines the maximum copy range to userspace, for packets matching
           the rule. The default range is 0, which means the maximum copy
           range is given by nlbufsiz. A maximum copy range larger than
           128*1024 is meaningless as the packets sent to userspace have an
           upper size limit of 128*1024.

       --ulog-qthreshold threshold
           Queue at most threshold number of packets before sending them to
           userspace with a netlink socket. Note that packets can be sent to
           userspace before the queue is full; this happens when the ulog
           kernel timer goes off (the frequency of this timer depends on
           flushtimeout).

TARGET EXTENSIONS
   arpreply
       The arpreply target can be used in the PREROUTING chain of the nat
       table. If this target sees an ARP request it will automatically reply
       with an ARP reply. The MAC address used for the reply can be
       specified. The protocol must be specified as ARP. When the ARP message
       is not an ARP request or when the ARP request isn't for an IP address
       on an Ethernet network, it is ignored by this target (CONTINUE). When
       the ARP request is malformed, it is dropped (DROP).

       --arpreply-mac address
              Specifies the MAC address to reply with: the Ethernet source
              MAC and the ARP payload source MAC will be filled in with this
              address.

       --arpreply-target target
              Specifies the standard target. After sending the ARP reply, the
              rule still has to give a standard target so ebtables knows what
              to do with the ARP request. The default target is DROP.

   dnat
       The dnat target can only be used in the PREROUTING and OUTPUT chains
       of the nat table. It specifies that the destination MAC address has to
       be changed.

       --to-destination address
              Change the destination MAC address to the specified address.
              The flag --to-dst is an alias for this option.

       --dnat-target target
              Specifies the standard target. After doing the dnat, the rule
              still has to give a standard target so ebtables knows what to
              do with the dnated frame. The default target is ACCEPT. Making
              it CONTINUE could let you use multiple target extensions on the
              same frame. Making it DROP only makes sense in the BROUTING
              chain, but using the redirect target is more logical there.
              RETURN is also allowed. Note that using RETURN in a base chain
              is not allowed (for obvious reasons).

   mark
       The mark target can be used in every chain of every table. It is
       possible to use the marking of a frame/packet in both ebtables and
       iptables, if the bridge-nf code is compiled into the kernel. Both put
       the marking at the same place. This allows for a form of communication
       between ebtables and iptables.

       --mark-set value
              Mark the frame with the specified non-negative value.

       --mark-or value
              Or the frame with the specified non-negative value.

       --mark-and value
              And the frame with the specified non-negative value.

       --mark-xor value
              Xor the frame with the specified non-negative value.

       --mark-target target
              Specifies the standard target. After marking the frame, the
              rule still has to give a standard target so ebtables knows what
              to do. The default target is ACCEPT. Making it CONTINUE can let
              you do other things with the frame in subsequent rules of the
              chain.

   redirect
       The redirect target will change the MAC target address to that of the
       bridge device the frame arrived on. This target can only be used in
       the PREROUTING chain of the nat table. The MAC address of the bridge
       is used as destination address.

       --redirect-target target
              Specifies the standard target. After doing the MAC redirect,
              the rule still has to give a standard target so ebtables knows
              what to do. The default target is ACCEPT. Making it CONTINUE
              could let you use multiple target extensions on the same frame.
              Making it DROP in the BROUTING chain will let the frames be
              routed. RETURN is also allowed. Note that using RETURN in a
              base chain is not allowed.

   snat
       The snat target can only be used in the POSTROUTING chain of the nat
       table. It specifies that the source MAC address has to be changed.

       --to-source address
              Changes the source MAC address to the specified address. The
              flag --to-src is an alias for this option.

       --snat-target target
              Specifies the standard target. After doing the snat, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE could let
              you use multiple target extensions on the same frame. Making it
              DROP doesn't make sense, but you could do that too. RETURN is
              also allowed. Note that using RETURN in a base chain is not
              allowed.

       --snat-arp
              Also change the hardware source address inside the ARP header
              if the packet is an ARP message and the hardware address length
              in the ARP header is 6 bytes.

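       As an added example (not part of this man page or the ebtables
       project), a small POSIX sh script that builds rules with the mark and
       dnat targets described above: the mark target hands the frame on with
       CONTINUE so that iptables can match the same mark value, and dnat
       rewrites a destination MAC. The bridge port eth0, the MAC addresses
       and the mark value are constructed placeholders; with DRY_RUN=1 (the
       default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not taken from the ebtables man page or the project.
# Builds ebtables target-extension rules: a mark shared with iptables and a
# destination-MAC rewrite (dnat). Bridge port eth0 and all MAC addresses and
# mark values passed by callers are constructed placeholders.
# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# script can be read and checked without root or a bridge present.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only six colon-separated hex octets, so a mistyped address fails
# loudly here instead of producing a rule that silently matches nothing.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Mark bridged frames from one source MAC and CONTINUE, so later FORWARD
# rules still see the frame. With bridge-nf enabled, iptables sees the
# same mark value on the IP packet carried in that frame.
mark_from_mac() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    run ebtables -t filter -A FORWARD -s "$1" \
        -j mark --mark-set "$2" --mark-target CONTINUE
}

# Match that mark in iptables and log the packet (audit one host's traffic).
log_marked() {
    run iptables -A FORWARD -m mark --mark "$1" -j LOG --log-prefix "bridge-mark:"
}

# Rewrite the destination MAC of frames for $1 arriving on port $3 to $2
# (e.g. steer frames addressed to a retired NIC to its replacement).
# ACCEPT ends ebtables processing of the frame after the rewrite.
dnat_rewrite() {
    valid_mac "$1" && valid_mac "$2" || { echo "bad MAC" >&2; return 1; }
    run ebtables -t nat -A PREROUTING -i "$3" -d "$1" \
        -j dnat --to-destination "$2" --dnat-target ACCEPT
}
```

       Run with DRY_RUN=0 as root to install the rules; iptables only sees
       the mark on bridged traffic when the br_netfilter (bridge-nf) code is
       active.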
FILES
       /etc/ethertypes

ENVIRONMENT VARIABLES
       EBTABLES_ATOMIC_FILE

MAILINGLISTS
       See http://netfilter.org/mailinglists.html

BUGS
       The version of ebtables this man page ships with does not support the
       broute table. Also there is no support for among and string matches.
       And finally, this list is probably not complete.

SEE ALSO
       xtables-nft(8), iptables(8), ip(8)

       See https://wiki.nftables.org



                                December 2011                      EBTABLES(8)