EBTABLES(8) System Manager's Manual EBTABLES(8)

NAME
       ebtables - Ethernet bridge frame table administration (nft-based)

SYNOPSIS
       ebtables [-t table] -[ACDI] chain rule specification [match extensions]
               [watcher extensions] target
       ebtables [-t table] -P chain ACCEPT | DROP | RETURN
       ebtables [-t table] -F [chain]
       ebtables [-t table] -Z [chain]
       ebtables [-t table] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
       ebtables [-t table] -N chain [-P ACCEPT | DROP | RETURN]
       ebtables [-t table] -X [chain]
       ebtables [-t table] -E old-chain-name new-chain-name
       ebtables [-t table] --init-table

DESCRIPTION
       ebtables is an application program used to set up and maintain the
       tables of rules (inside the Linux kernel) that inspect Ethernet frames.
       It is analogous to the iptables application, but less complicated, due
       to the fact that the Ethernet protocol is much simpler than the IP
       protocol.

CHAINS
       There are two ebtables tables with built-in chains in the Linux kernel.
       These tables are used to divide functionality into different sets of
       rules. Each set of rules is called a chain. Each chain is an ordered
       list of rules that can match Ethernet frames. If a rule matches an
       Ethernet frame, then a processing specification tells what to do with
       that matching frame. The processing specification is called a 'target'.
       However, if the frame does not match the current rule in the chain,
       then the next rule in the chain is examined and so forth. The user can
       create new (user-defined) chains that can be used as the 'target' of a
       rule. User-defined chains are very useful to get better performance
       over the linear traversal of the rules and are also essential for
       structuring the filtering rules into well-organized and maintainable
       sets of rules.

TARGETS
       A firewall rule specifies criteria for an Ethernet frame and a frame
       processing specification called a target. When a frame matches a rule,
       then the next action performed by the kernel is specified by the
       target. The target can be one of these values: ACCEPT, DROP, CONTINUE,
       RETURN, an 'extension' (see below) or a jump to a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy, e.g., to know how many frames pass a certain point in the chain,
       to log those frames or to apply multiple targets on a frame. RETURN
       means stop traversing this chain and resume at the next rule in the
       previous (calling) chain. For the extension targets please refer to
       the TARGET EXTENSIONS section of this man page.

TABLES
       As stated earlier, there are two ebtables tables in the Linux kernel.
       The table names are filter and nat. Of these two tables, the filter
       table is the default table that the command operates on. If you are
       working with the filter table, then you can drop the '-t filter'
       argument to the ebtables command. However, you will need to provide the
       -t argument for the nat table. Moreover, the -t argument must be the
       first argument on the ebtables command line, if used.

       -t, --table
              filter is the default table and contains three built-in chains:
              INPUT (for frames destined for the bridge itself, on the level
              of the MAC destination address), OUTPUT (for locally-generated
              or (b)routed frames) and FORWARD (for frames being forwarded by
              the bridge).
              nat is mostly used to change the MAC addresses and contains
              three built-in chains: PREROUTING (for altering frames as soon
              as they come in), OUTPUT (for altering locally generated or
              (b)routed frames before they are bridged) and POSTROUTING (for
              altering frames as they are about to go out). A small note on
              the naming of chains PREROUTING and POSTROUTING: it would be
              more accurate to call them PREFORWARDING and POSTFORWARDING, but
              for all those who come from the iptables world to ebtables it is
              easier to have the same names. Note that you can change the name
              (-E) if you don't like the default.

OPTIONS
       After the initial ebtables '-t table' command line argument, the
       remaining arguments can be divided into several groups. These groups
       are commands, miscellaneous commands, rule specifications, match
       extensions, watcher extensions and target extensions.

COMMANDS
       The ebtables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. Only
       one command may be used on the command line at a time, except when the
       commands -L and -Z are combined or the commands -N and -P are combined.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule or rules from the selected chain.
              There are two ways to use this command. The first is by
              specifying an interval of rule numbers to delete (directly after
              -D). Syntax: start_nr[:end_nr] (use -L --Ln to list the rules
              with their rule number). When end_nr is omitted, all rules
              starting from start_nr are deleted. Using negative numbers is
              allowed; for more details about using negative numbers, see the
              -I command. The second usage is by specifying the complete rule
              as it would have been specified when it was added. Only the
              first encountered rule that is the same as this specified rule,
              in other words the matching rule with the lowest (positive) rule
              number, is deleted.

       -C, --change-counters
              Change the counters of the specified rule or rules from the
              selected chain. There are two ways to use this command. The
              first is by specifying an interval of rule numbers to do the
              changes on (directly after -C). Syntax: start_nr[:end_nr] (use
              -L --Ln to list the rules with their rule number). The details
              are the same as for the -D command. The second usage is by
              specifying the complete rule as it would have been specified
              when it was added. Only the counters of the first encountered
              rule that is the same as this specified rule, in other words the
              matching rule with the lowest (positive) rule number, are
              changed. In the first usage, the counters are specified directly
              after the interval specification, in the second usage directly
              after -C. First the packet counter is specified, then the byte
              counter. If the specified counters start with a '+', the counter
              values are added to the respective current counter values. If
              the specified counters start with a '-', the counter values are
              subtracted from the respective current counter values. No bounds
              checking is done. If the counters don't start with '+' or '-',
              the current counters are changed to the specified counters.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the rule number is not specified, the
              rule is added at the head of the chain. If the current number of
              rules equals N, then the specified number can be between -N and
              N+1. For a positive number i, it holds that i and i-N-1 specify
              the same place in the chain where the rule should be inserted.
              The rule number 0 specifies the place past the last rule in the
              chain and using this number is therefore equivalent to using the
              -A command. Rule numbers strictly smaller than 0 can be useful
              when more than one rule needs to be inserted in a chain.

       -P, --policy
              Set the policy for the chain to the given target. The policy can
              be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing a chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule counters
              are printed on the screen before they are set to zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.
              The following options change the output of the -L command.
              --Ln
                     Places the rule number in front of every rule. This
                     option is incompatible with the --Lx option.
              --Lc
                     Shows the counters at the end of each rule displayed by
                     the -L command. Both a frame counter (pcnt) and a byte
                     counter (bcnt) are displayed. The frame counter shows how
                     many frames have matched the specific rule, the byte
                     counter shows the sum of the frame sizes of these
                     matching frames. Using this option in combination with
                     the --Lx option causes the counters to be written out in
                     the '-c <pcnt> <bcnt>' option format.
              --Lx
                     Changes the output so that it produces a set of ebtables
                     commands that construct the contents of the chain, when
                     specified. If no chain is specified, ebtables commands to
                     construct the contents of the table are given, including
                     commands for creating the user-defined chains (if any).
                     You can use this set of commands in an ebtables boot or
                     reload script. For example the output could be used at
                     system startup. The --Lx option is incompatible with the
                     --Ln listing option. Using the --Lx option together with
                     the --Lc option will cause the counters to be written out
                     in the '-c <pcnt> <bcnt>' option format.
              --Lmac2
                     Shows all MAC addresses with the same length, adding
                     leading zeroes if necessary. The default representation
                     omits leading zeroes in the addresses.

       -N, --new-chain
              Create a new user-defined chain with the given name. The number
              of user-defined chains is limited only by the number of possible
              chain names. A user-defined chain name has a maximum length of
              31 characters. The standard policy of the user-defined chain is
              ACCEPT. The policy of the new chain can be initialized to a
              different standard target by using the -P command together with
              the -N command. In this case, the chain name does not have to be
              specified for the -P command.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references (jumps) to the specified chain, otherwise
              ebtables will refuse to delete it. If no chain is specified, all
              user-defined chains that aren't referenced will be removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you can rename a standard chain to a name
              that suits your taste. For example, if you like PREFORWARDING
              more than PREROUTING, then you can use the -E command to rename
              the PREROUTING chain. If you do rename one of the standard
              ebtables chain names, please be sure to mention this fact should
              you post a question on the ebtables mailing lists. It would be
              wise to use the standard name in your post. Renaming a standard
              ebtables chain in this fashion has no effect on the structure or
              functioning of the ebtables kernel table.

       --init-table
              Replace the current table data by the initial table data.

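Added example, not part of the ebtables man page: a POSIX shell helper that models the -I rule-number semantics described above (the -N..N+1 range, 0 as "past the last rule", and the i / i-N-1 equivalence), checks them on a simulated chain, and uses them to insert several rules in order just before a chain's last rule. EBTABLES and the function names are assumptions; set EBTABLES=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example; not part of the ebtables man page. Assumed names: EBTABLES,
# ebt_resolve_pos, chain_insert, ebt_insert_before_last.
EBTABLES="${EBTABLES:-ebtables}"   # set EBTABLES=echo to print instead of apply

# ebt_resolve_pos N i: print the 1-based slot (1..N+1) that "-I chain i" uses
# when the chain currently holds N rules. Mirrors the documented rules: i must
# lie in -N..N+1, 0 means "past the last rule" (same as -A), and a positive i
# and i-N-1 name the same slot, so a negative i maps to i+N+1.
ebt_resolve_pos() {
  n=$1; i=$2
  case $i in
    ''|-|*[!0-9-]*|?*-*)
      echo "ebt_resolve_pos: bad rule number '$i'" >&2; return 1;;
  esac
  if [ "$i" -lt $((-n)) ] || [ "$i" -gt $((n + 1)) ]; then
    echo "ebt_resolve_pos: $i is outside -$n..$((n + 1))" >&2; return 1
  fi
  if [ "$i" -eq 0 ]; then echo $((n + 1))
  elif [ "$i" -lt 0 ]; then echo $((i + n + 1))
  else echo "$i"; fi
}

# chain_insert "r1 r2 ..." i new: print the rule order that results from
# "-I chain i new". A simulation on rule labels, used to check the arithmetic
# before touching a live table.
chain_insert() {
  i=$2; new=$3
  set -- $1                      # split the label list into positional params
  n=$#
  pos=$(ebt_resolve_pos "$n" "$i") || return 1
  out=""; k=1
  for r in "$@"; do
    [ "$k" -eq "$pos" ] && out="$out $new"
    out="$out $r"; k=$((k + 1))
  done
  [ "$pos" -eq $((n + 1)) ] && out="$out $new"
  printf '%s\n' "${out# }"
}

# ebt_insert_before_last CHAIN RULE...: insert the given rule specs, in order,
# just before the last rule of CHAIN (typically a final DROP). "-I chain -1"
# resolves to slot N, and because N grows by one per insert each new rule
# lands after the previous one, so the original order is preserved.
ebt_insert_before_last() {
  chain=$1; shift
  for rule in "$@"; do
    # $rule is intentionally unquoted: it is a space-separated rule spec
    "$EBTABLES" -I "$chain" -1 $rule || return 1
  done
}
```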
MISCELLANEOUS COMMANDS
       -v, --verbose
              Verbose mode. For appending, insertion, deletion and
              replacement, this causes detailed information on the rule or
              rules to be printed. -v may be specified multiple times to
              possibly emit more detailed debug statements.

       -V, --version
              Show the version of the ebtables userspace program.

       -h, --help [list of module names]
              Give a brief description of the command syntax. Here you can
              also specify names of extensions and ebtables will try to write
              help about those extensions. E.g. ebtables -h snat log ip arp.
              Specify list_extensions to list all extensions supported by the
              userspace utility.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
              EXTENSIONS) or a user-defined chain name.

       -M, --modprobe program
              When talking to the kernel, use this program to try to
              automatically load missing kernel modules.

       --concurrent
              Use a file lock to support concurrent scripts updating the
              ebtables kernel tables.

RULE SPECIFICATIONS
       The following command line arguments make up a rule specification (as
       used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from these
       standard rule specifications there are some other command line
       arguments of interest. See both the MATCH EXTENSIONS and the WATCHER
       EXTENSIONS below.

       -p, --protocol [!] protocol
              The protocol that was responsible for creating the frame. This
              can be a hexadecimal number, above 0x0600, a name (e.g. ARP) or
              LENGTH. The protocol field of the Ethernet frame can be used to
              denote the length of the header (802.2/802.3 networks). When the
              value of that field is below or equals 0x0600, the value equals
              the size of the header and shouldn't be used as a protocol
              number. Instead, all frames where the protocol field is used as
              the length field are assumed to be of the same 'protocol'. The
              protocol name used in ebtables for these frames is LENGTH. The
              file /etc/ethertypes can be used to show readable characters
              instead of hexadecimal numbers for the protocols. For example,
              0x0800 will be represented by IPV4. The use of this file is not
              case sensitive. See that file for more information. The flag
              --proto is an alias for this option.

       -i, --in-interface [!] name
              The interface (bridge port) via which a frame is received (this
              option is useful in the INPUT, FORWARD, PREROUTING and BROUTING
              chains). If the interface name ends with '+', then any interface
              name that begins with this name (disregarding '+') will match.
              The flag --in-if is an alias for this option.

       --logical-in [!] name
              The (logical) bridge interface via which a frame is received
              (this option is useful in the INPUT, FORWARD, PREROUTING and
              BROUTING chains). If the interface name ends with '+', then any
              interface name that begins with this name (disregarding '+')
              will match.

       -o, --out-interface [!] name
              The interface (bridge port) via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding '+')
              will match. The flag --out-if is an alias for this option.

       --logical-out [!] name
              The (logical) bridge interface via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding '+')
              will match.

       -s, --source [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons. Alternatively one can
              specify Unicast, Multicast, Broadcast or BGA (Bridge Group
              Address):
              Unicast=00:00:00:00:00:00/01:00:00:00:00:00,
              Multicast=01:00:00:00:00:00/01:00:00:00:00:00,
              Broadcast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
              BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast
              address will also match the multicast specification. The flag
              --src is an alias for this option.

       -d, --destination [!] address[/mask]
              The destination MAC address. See -s (above) for more details on
              MAC addresses. The flag --dst is an alias for this option.

       -c, --set-counter pcnt bcnt
              If used with -A or -I, then the packet and byte counters of the
              new rule will be set to pcnt, resp. bcnt. If used with the -C
              or -D commands, only rules with a packet and byte count equal to
              pcnt, resp. bcnt will match.

MATCH EXTENSIONS
       Ebtables extensions are dynamically loaded into the userspace tool,
       there is therefore no need to explicitly load them with a -m option
       like is done in iptables. These extensions deal with functionality
       supported by kernel modules supplemental to the core ebtables code.

   802_3
       Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
       specified as LENGTH (see the option -p above).

       --802_3-sap [!] sap
              DSAP and SSAP are two one byte 802.3 fields. The bytes are
              always equal, so only one byte (hexadecimal) is needed as an
              argument.

       --802_3-type [!] type
              If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
              field must be consulted to determine the payload protocol. This
              is a two byte (hexadecimal) argument. Only 802.3 frames with
              DSAP/SSAP 0xaa are checked for type.

   among
       Match a MAC address or MAC/IP address pair versus a list of MAC
       addresses and MAC/IP address pairs. A list entry has the following
       format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
       separated by a comma, specifying an IP address corresponding to the MAC
       address is optional. Multiple MAC/IP address pairs with the same MAC
       address but different IP address (and vice versa) can be specified. If
       the MAC address doesn't match any entry from the list, the frame
       doesn't match the rule (unless "!" was used).

       --among-dst [!] list
              Compare the MAC destination to the given list. If the Ethernet
              frame has type IPv4 or ARP, then comparison with MAC/IP
              destination address pairs from the list is possible.

       --among-src [!] list
              Compare the MAC source to the given list. If the Ethernet frame
              has type IPv4 or ARP, then comparison with MAC/IP source address
              pairs from the list is possible.

       --among-dst-file [!] file
              Same as --among-dst but the list is read in from the specified
              file.

       --among-src-file [!] file
              Same as --among-src but the list is read in from the specified
              file.

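Added example, not part of the ebtables man page: a POSIX shell script that builds an among list in the documented xx:xx:xx:xx:xx:xx=ip.ip.ip.ip,... format from a list of known MAC/IP bindings, and installs a chain that uses --among-src (with the limit match and log watcher documented further down) to log and drop ARP frames whose sender MAC/IP pair is not on that list. The "mac ip" bindings file format, the function names, the ARP_GUARD chain and the port names are assumptions; set EBTABLES=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example; not part of the ebtables man page. Assumed names: EBTABLES,
# among_list_from_bindings, ebt_arp_guard, the ARP_GUARD chain and the
# "mac ip" bindings format read on stdin.
EBTABLES="${EBTABLES:-ebtables}"   # set EBTABLES=echo to print instead of apply

# among_list_from_bindings: read "mac ip" lines (blank lines and '#' comments
# are ignored) from stdin, validate and lower-case them, and print a single
# among list entry string: mac=ip,mac=ip,... Fails on the first malformed line
# rather than silently installing a shorter list.
among_list_from_bindings() {
  list=""
  while read -r mac ip rest; do
    case $mac in ''|'#'*) continue;; esac
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' ||
      { echo "bad MAC address: $mac" >&2; return 1; }
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
      { echo "bad IP address for $mac: $ip" >&2; return 1; }
    list="$list${list:+,}$mac=$ip"
  done
  [ -n "$list" ] || { echo "no bindings given" >&2; return 1; }
  printf '%s\n' "$list"
}

# ebt_arp_guard PORTS LIST: ARP frames received on bridge ports matching PORTS
# (e.g. "lan+") are sent to ARP_GUARD. Pairs in LIST RETURN to the calling
# chain; anything else is logged (rate limited, with the ARP payload) and
# dropped. For ARP frames --among-src compares the sender MAC/IP pair, which
# is what an ARP spoofing attempt has to forge.
ebt_arp_guard() {
  ports=$1; list=$2
  "$EBTABLES" -N ARP_GUARD -P RETURN &&
  "$EBTABLES" -A ARP_GUARD -p ARP --among-src "$list" -j RETURN &&
  "$EBTABLES" -A ARP_GUARD -p ARP --limit 10/minute --limit-burst 20 \
      --log-level info --log-prefix "ebt-arp-unbound: " --log-arp -j CONTINUE &&
  "$EBTABLES" -A ARP_GUARD -p ARP -j DROP &&
  "$EBTABLES" -I FORWARD 1 -p ARP -i "$ports" -j ARP_GUARD &&
  "$EBTABLES" -I INPUT 1 -p ARP -i "$ports" -j ARP_GUARD
}

# Constructed sample bindings (not real hosts). With "apply" as the first
# argument the rules are installed; otherwise they are only printed.
[ "${1:-}" = apply ] || EBTABLES=echo
LIST=$(printf 'aa:bb:cc:dd:ee:01 10.0.0.1\n# gateway\nAA:BB:CC:DD:EE:02 10.0.0.2\n' |
       among_list_from_bindings) || exit 1
ebt_arp_guard 'lan+' "$LIST"
```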
   arp
       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.

       --arp-opcode [!] opcode
              The (R)ARP opcode (decimal or a string, for more details see
              ebtables -h arp).

       --arp-htype [!] hardware type
              The hardware type, this can be a decimal or the string Ethernet
              (which sets type to 1). Most (R)ARP packets have Ethernet as
              hardware type.

       --arp-ptype [!] protocol type
              The protocol type for which the (r)arp is used (hexadecimal or
              the string IPv4, denoting 0x0800). Most (R)ARP packets have
              protocol type IPv4.

       --arp-ip-src [!] address[/mask]
              The (R)ARP IP source address specification.

       --arp-ip-dst [!] address[/mask]
              The (R)ARP IP destination address specification.

       --arp-mac-src [!] address[/mask]
              The (R)ARP MAC source address specification.

       --arp-mac-dst [!] address[/mask]
              The (R)ARP MAC destination address specification.

       [!] --arp-gratuitous
              Checks for ARP gratuitous packets: checks equality of IPv4
              source address and IPv4 destination address inside the ARP
              header.

   ip
       Specify IPv4 fields. The protocol must be specified as IPv4.

       --ip-source [!] address[/mask]
              The source IP address. The flag --ip-src is an alias for this
              option.

       --ip-destination [!] address[/mask]
              The destination IP address. The flag --ip-dst is an alias for
              this option.

       --ip-tos [!] tos
              The IP type of service, in hexadecimal numbers.

       --ip-protocol [!] protocol
              The IP protocol. The flag --ip-proto is an alias for this
              option.

       --ip-source-port [!] port1[:port2]
              The source port or port range for the IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
              specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-sport is an alias for this
              option.

       --ip-destination-port [!] port1[:port2]
              The destination port or port range for IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
              specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-dport is an alias for this
              option.

   ip6
       Specify IPv6 fields. The protocol must be specified as IPv6.

       --ip6-source [!] address[/mask]
              The source IPv6 address. The flag --ip6-src is an alias for
              this option.

       --ip6-destination [!] address[/mask]
              The destination IPv6 address. The flag --ip6-dst is an alias
              for this option.

       --ip6-tclass [!] tclass
              The IPv6 traffic class, in hexadecimal numbers.

       --ip6-protocol [!] protocol
              The IP protocol. The flag --ip6-proto is an alias for this
              option.

       --ip6-source-port [!] port1[:port2]
              The source port or port range for the IPv6 protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option must
              be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip6-sport is an alias for this
              option.

       --ip6-destination-port [!] port1[:port2]
              The destination port or port range for IPv6 protocols 6 (TCP),
              17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option
              must be specified as TCP, UDP, DCCP or SCTP. If port1 is
              omitted, 0:port2 is used; if port2 is omitted but a colon is
              specified, port1:65535 is used. The flag --ip6-dport is an alias
              for this option.

       --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
              Specify ipv6-icmp type and code to match. Ranges for both type
              and code are supported. Type and code are separated by a slash.
              Valid numbers for type and range are 0 to 255. To match a
              single type including all valid codes, symbolic names can be
              used instead of numbers. The list of known type names is shown
              by the command
                     ebtables --help ip6
              This option is only valid for --ip6-protocol ipv6-icmp.

   limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached. It
       can be used with the --log watcher to give limited logging, for
       example. Its use is the same as the limit match of iptables.

       --limit [value]
              Maximum average matching rate: specified as a number, with an
              optional /second, /minute, /hour, or /day suffix; the default is
              3/hour.

       --limit-burst [number]
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.

   mark_m
       --mark [!] [value][/mask]
              Matches frames with the given unsigned mark value. If a value
              and mask are specified, the logical AND of the mark value of the
              frame and the user-specified mask is taken before comparing it
              with the user-specified mark value. When only a mark value is
              specified, the packet only matches when the mark value of the
              frame equals the user-specified mark value. If only a mask is
              specified, the logical AND of the mark value of the frame and
              the user-specified mask is taken and the frame matches when the
              result of this logical AND is non-zero. Only specifying a mask
              is useful to match multiple mark values.

   pkttype
       --pkttype-type [!] type
              Matches on the Ethernet "class" of the frame, which is
              determined by the generic networking code. Possible values:
              broadcast (MAC destination is the broadcast address), multicast
              (MAC destination is a multicast address), host (MAC destination
              is the receiving network device), or otherhost (none of the
              above).

   stp
       Specify stp BPDU (bridge protocol data unit) fields. The destination
       address (-d) must be specified as the bridge group address (BGA). For
       all options for which a range of values can be specified, it holds that
       if the lower bound is omitted (but the colon is not), then the lowest
       possible lower bound for that option is used, while if the upper bound
       is omitted (but the colon again is not), the highest possible upper
       bound for that option is used.

       --stp-type [!] type
              The BPDU type (0-255), recognized non-numerical types are
              config, denoting a configuration BPDU (=0), and tcn, denoting a
              topology change notification BPDU (=128).

       --stp-flags [!] flag
              The BPDU flag (0-255), recognized non-numerical flags are
              topology-change, denoting the topology change flag (=1), and
              topology-change-ack, denoting the topology change
              acknowledgement flag (=128).

       --stp-root-prio [!] [prio][:prio]
              The root priority (0-65535) range.

       --stp-root-addr [!] [address][/mask]
              The root MAC address, see the option -s for more details.

       --stp-root-cost [!] [cost][:cost]
              The root path cost (0-4294967295) range.

       --stp-sender-prio [!] [prio][:prio]
              The BPDU's sender priority (0-65535) range.

       --stp-sender-addr [!] [address][/mask]
              The BPDU's sender MAC address, see the option -s for more
              details.

       --stp-port [!] [port][:port]
              The port identifier (0-65535) range.

       --stp-msg-age [!] [age][:age]
              The message age timer (0-65535) range.

       --stp-max-age [!] [age][:age]
              The max age timer (0-65535) range.

       --stp-hello-time [!] [time][:time]
              The hello time timer (0-65535) range.

       --stp-forward-delay [!] [delay][:delay]
              The forward delay timer (0-65535) range.

   vlan
       Specify 802.1Q Tag Control Information fields. The protocol must be
       specified as 802_1Q (0x8100).

       --vlan-id [!] id
              The VLAN identifier field (VID). Decimal number from 0 to 4095.

       --vlan-prio [!] prio
              The user priority field, a decimal number from 0 to 7. The VID
              should be set to 0 ("null VID") or unspecified (in the latter
              case the VID is deliberately set to 0).

       --vlan-encap [!] type
              The encapsulated Ethernet frame type/length. Specified as a
              hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
              from /etc/ethertypes.

WATCHER EXTENSIONS
       Watchers only look at frames passing by, they don't modify them nor
       decide to accept the frames or not. These watchers only see the frame
       if the frame matches the rule, and they see it before the target is
       executed.

   log
       The log watcher writes descriptive data about a frame to the syslog.

       --log
              Log with the default logging options: log-level=info,
              log-prefix="", no ip logging, no arp logging.

       --log-level level
              Defines the logging level. For the possible values, see ebtables
              -h log. The default level is info.

       --log-prefix text
              Defines the prefix text to be printed at the beginning of the
              line with the logging information.

       --log-ip
              Will log the ip information when a frame made by the ip protocol
              matches the rule. The default is no ip information logging.

       --log-ip6
              Will log the ipv6 information when a frame made by the ipv6
              protocol matches the rule. The default is no ipv6 information
              logging.

       --log-arp
              Will log the (r)arp information when a frame made by the (r)arp
              protocols matches the rule. The default is no (r)arp information
              logging.

   nflog
       The nflog watcher passes the packet to the loaded logging backend in
       order to log the packet. This is usually used in combination with
       nfnetlink_log as logging backend, which will multicast the packet
       through a netlink socket to the specified multicast group. One or more
       userspace processes may subscribe to the group to receive the packets.

       --nflog
              Log with the default logging options.

       --nflog-group nlgroup
              The netlink group (1 - 2^32-1) to which packets are sent (only
              applicable for nfnetlink_log). The default value is 1.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 30
              characters long, useful for distinguishing messages in the logs.

       --nflog-range size
              The number of bytes to be copied to userspace (only applicable
              for nfnetlink_log). nfnetlink_log instances may specify their
              own range, this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before sending them
              to userspace (only applicable for nfnetlink_log). Higher values
              result in less overhead per packet, but increase delay until the
              packets reach userspace. The default value is 1.

   ulog
       The ulog watcher passes the packet to a userspace logging daemon using
       netlink multicast sockets. This differs from the log watcher in the
       sense that the complete packet is sent to userspace instead of a
       descriptive text and that netlink multicast sockets are used instead of
       the syslog. This watcher enables parsing of packets with userspace
       programs, the physical bridge in and out ports are also included in the
       netlink messages. The ulog watcher module accepts 2 parameters when
       the module is loaded into the kernel (e.g. with modprobe): nlbufsiz
       specifies how big the buffer for each netlink multicast group is. If
       you say nlbufsiz=8192, for example, up to eight kB of packets will get
       accumulated in the kernel until they are sent to userspace. It is not
       possible to allocate more than 128kB. Please also keep in mind that
       this buffer size is allocated for each nlgroup you are using, so the
       total kernel memory usage increases by that factor. The default is
       4096. flushtimeout specifies after how many hundredths of a second the
       queue should be flushed, even if it is not full yet. The default is 10
       (one tenth of a second).

       --ulog
              Use the default settings: ulog-prefix="", ulog-nlgroup=1,
              ulog-cprange=4096, ulog-qthreshold=1.

       --ulog-prefix text
              Defines the prefix included with the packets sent to userspace.

       --ulog-nlgroup group
              Defines which netlink group number to use (a number from 1 to
              32). Make sure the netlink group numbers used for the iptables
              ULOG target differ from those used for the ebtables ulog
              watcher. The default group number is 1.

       --ulog-cprange range
              Defines the maximum copy range to userspace, for packets
              matching the rule. The default range is 0, which means the
              maximum copy range is given by nlbufsiz. A maximum copy range
              larger than 128*1024 is meaningless as the packets sent to
              userspace have an upper size limit of 128*1024.

       --ulog-qthreshold threshold
              Queue at most threshold number of packets before sending them to
              userspace with a netlink socket. Note that packets can be sent
              to userspace before the queue is full, this happens when the
              ulog kernel timer goes off (the frequency of this timer depends
              on flushtimeout).

TARGET EXTENSIONS
arpreply
The arpreply target can be used in the PREROUTING chain of the nat
table. If this target sees an ARP request it will automatically reply
with an ARP reply. The MAC address used in the reply can be specified.
The protocol must be specified as ARP (-p ARP). When the ARP message is
not an ARP request, or when the ARP request isn't for an IP address on
an Ethernet network, it is ignored by this target (CONTINUE). When the
ARP request is malformed, it is dropped (DROP).

--arpreply-mac address
Specifies the MAC address to reply with: the Ethernet source MAC and
the ARP payload source MAC (sender hardware address) will be filled in
with this address.

--arpreply-target target
Specifies the standard target. After sending the ARP reply, the rule
still has to give a standard target so ebtables knows what to do with
the ARP request. The default target is DROP, so the original request is
consumed rather than forwarded any further.

dnat
The dnat target can only be used in the PREROUTING and OUTPUT chains of
the nat table. It specifies that the destination MAC address has to be
changed.

--to-destination address
Change the destination MAC address to the specified address. The flag
--to-dst is an alias for this option.

--dnat-target target
Specifies the standard target. After doing the dnat, the rule still has
to give a standard target so ebtables knows what to do with the dnated
frame. The default target is ACCEPT. Making it CONTINUE could let you
use multiple target extensions on the same frame. Making it DROP only
makes sense in the BROUTING chain of the broute table, which this
nft-based ebtables does not support; there, the redirect target is the
more logical choice anyway. RETURN is also allowed. Note that using
RETURN in a base chain is not allowed, since there is no calling chain
to return to.

mark
The mark target can be used in every chain of every table. It is
possible to use the marking of a frame/packet in both ebtables and
iptables, if the bridge-nf code is compiled into the kernel. Both put
the marking at the same place (the skb mark), which allows for a form
of communication between ebtables and iptables.

--mark-set value
Set the mark of the frame to the specified non-negative value.

--mark-or value
Bitwise OR the mark of the frame with the specified non-negative value.

--mark-and value
Bitwise AND the mark of the frame with the specified non-negative
value.

--mark-xor value
Bitwise XOR the mark of the frame with the specified non-negative
value.

--mark-target target
Specifies the standard target. After marking the frame, the rule still
has to give a standard target so ebtables knows what to do. The
default target is ACCEPT, which means traversal of the chain stops at
the mark rule. Making it CONTINUE lets later rules in the chain still
see (and act on) the marked frame.

redirect
The redirect target changes the destination MAC address to that of the
bridge device the frame arrived on. This target can only be used in
the PREROUTING chain of the nat table.

--redirect-target target
Specifies the standard target. After doing the MAC redirect, the rule
still has to give a standard target so ebtables knows what to do. The
default target is ACCEPT. Making it CONTINUE could let you use
multiple target extensions on the same frame. Making it DROP in the
BROUTING chain of the broute table would let the frames be routed
instead of bridged, but that table is not supported by this nft-based
ebtables. RETURN is also allowed. Note that using RETURN in a base
chain is not allowed.

snat
The snat target can only be used in the POSTROUTING chain of the nat
table. It specifies that the source MAC address has to be changed.

--to-source address
Changes the source MAC address to the specified address. The flag
--to-src is an alias for this option.

--snat-target target
Specifies the standard target. After doing the snat, the rule still
has to give a standard target so ebtables knows what to do. The
default target is ACCEPT. Making it CONTINUE could let you use
multiple target extensions on the same frame. Making it DROP doesn't
make sense, but you could do that too. RETURN is also allowed. Note
that using RETURN in a base chain is not allowed.

--snat-arp
Also change the sender hardware address inside the ARP header if the
frame is an ARP message and the hardware address length in the ARP
header is 6 bytes. Without this option a forwarded ARP message keeps
the original MAC address inside its payload while its Ethernet source
address is rewritten, so the two no longer agree.
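
The MAC-rewriting targets above are described in prose only. The
following Python emulates what arpreply, dnat and snat (with and
without --snat-arp) do to a frame, using a constructed ARP request, so
the exact bytes that change can be inspected offline. It is an added
example written for this page, not ebtables or kernel code: the MAC and
IP addresses are made up, the frames are built inline, and the kernel
implementation may apply checks beyond those the man page text lists.

```python
"""Emulation of the ebtables arpreply, dnat and snat targets on raw frames.

Added example for this page, not ebtables or kernel code. All addresses
and frames below are constructed for illustration.
"""
import struct
from ipaddress import IPv4Address

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ARPHRD_ETHER = 1
ARPOP_REQUEST = 1
ARPOP_REPLY = 2
ETH_HLEN = 14
ARP_HLEN = 8 + 2 * (6 + 4)   # fixed header plus two MAC/IPv4 address pairs


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0]


def build_arp(op, sha, spa, tha, tpa, eth_dst=mac("ff:ff:ff:ff:ff:ff")):
    """Construct an Ethernet frame carrying an IPv4-over-Ethernet ARP message."""
    arp = struct.pack("!HHBBH", ARPHRD_ETHER, ETH_P_IP, 6, 4, op)
    arp += sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed
    return eth_dst + sha + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp(frame):
    """Return the ARP fields of a (well-formed) IPv4-over-Ethernet ARP frame."""
    p = frame[ETH_HLEN:]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", p[:8])
    return {"htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen, "op": op,
            "sha": p[8:14], "spa": str(IPv4Address(p[14:18])),
            "tha": p[18:24], "tpa": str(IPv4Address(p[24:28]))}


def arpreply(frame, reply_mac, target="DROP"):
    """Emulate `-p ARP -j arpreply --arpreply-mac M [--arpreply-target T]`.

    Returns (verdict, reply_frame or None), following the man page text:
    not an ARP request / not IPv4 over Ethernet -> CONTINUE, nothing sent;
    truncated ARP request -> DROP, nothing sent; otherwise a reply is
    generated and the verdict is `target` (DROP by default, so the request
    itself is consumed).
    """
    if len(frame) < ETH_HLEN or ethertype(frame) != ETH_P_ARP:
        return "CONTINUE", None          # the rule would not match without -p ARP
    p = frame[ETH_HLEN:]
    if len(p) < 8:
        return "DROP", None              # malformed: fixed ARP header missing
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", p[:8])
    if (op, htype, ptype, hlen, plen) != (ARPOP_REQUEST, ARPHRD_ETHER, ETH_P_IP, 6, 4):
        return "CONTINUE", None
    if len(p) < ARP_HLEN:
        return "DROP", None              # malformed: address fields truncated
    sha, spa, tpa = p[8:14], p[14:18], p[24:28]
    # Ethernet source and ARP sender hardware address both carry reply_mac;
    # the reply goes back to the requester and claims the IP it asked for.
    arp = struct.pack("!HHBBH", ARPHRD_ETHER, ETH_P_IP, 6, 4, ARPOP_REPLY)
    arp += reply_mac + tpa + sha + spa
    return target, sha + reply_mac + struct.pack("!H", ETH_P_ARP) + arp


def dnat(frame, new_dst):
    """Emulate `-j dnat --to-destination new_dst`: only the Ethernet destination changes."""
    return new_dst + frame[6:]


def snat(frame, new_src, snat_arp=False):
    """Emulate `-j snat --to-source new_src [--snat-arp]`.

    The Ethernet source is always rewritten; with --snat-arp the ARP sender
    hardware address is rewritten too, but only if the frame is ARP and the
    hardware address length field (ar_hln) is 6.
    """
    out = bytearray(frame)
    out[6:12] = new_src
    if snat_arp and ethertype(frame) == ETH_P_ARP:
        p = frame[ETH_HLEN:]
        if len(p) >= 14 and p[4] == 6:
            out[ETH_HLEN + 8:ETH_HLEN + 14] = new_src
    return bytes(out)


# Constructed sample: host 192.0.2.10 asks who has 192.0.2.1 (addresses made up).
REQUESTER_MAC = mac("02:00:00:00:00:01")
PROXY_MAC = mac("02:00:00:00:00:aa")
REQUEST = build_arp(ARPOP_REQUEST, REQUESTER_MAC, "192.0.2.10",
                    mac("00:00:00:00:00:00"), "192.0.2.1")

if __name__ == "__main__":
    verdict, reply = arpreply(REQUEST, PROXY_MAC)
    print(verdict, parse_arp(reply))
    print(parse_arp(snat(REQUEST, PROXY_MAC, snat_arp=True))["sha"].hex(":"))
```

Run as a script it prints the generated reply and the rewritten sender
hardware address. The verdict returned alongside the reply is DROP
unless --arpreply-target is changed, mirroring the man page default, so
the original request is consumed rather than forwarded; snat without
--snat-arp shows the Ethernet source and the ARP payload MAC drifting
apart, which is the case the option exists for.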

FILES
/etc/ethertypes

MAILINGLISTS
See http://netfilter.org/mailinglists.html

BUGS
The version of ebtables this man page ships with does not support the
broute table. Also there is no support for string match. Further,
support for atomic-options (--atomic-file, --atomic-init,
--atomic-save, --atomic-commit) has not been implemented, although
ebtables-save and ebtables-restore might replace them entirely given
the inherent atomicity of nftables. Finally, this list is probably not
complete.

SEE ALSO
xtables-nft(8), iptables(8), ip(8)

See https://wiki.nftables.org



December 2011 EBTABLES(8)