EBTABLES(8)                 System Manager's Manual                EBTABLES(8)


NAME

       ebtables - Ethernet bridge frame table administration (nft-based)

SYNOPSIS

       ebtables [-t table] -[ACDI] chain rule specification [match extensions]
       [watcher extensions] target
       ebtables [-t table] -P chain ACCEPT | DROP | RETURN
       ebtables [-t table] -F [chain]
       ebtables [-t table] -Z [chain]
       ebtables [-t table] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
       ebtables [-t table] -N chain [-P ACCEPT | DROP | RETURN]
       ebtables [-t table] -X [chain]
       ebtables [-t table] -E old-chain-name new-chain-name
       ebtables [-t table] --init-table

DESCRIPTION

       ebtables is an application program used to set up and maintain the
       tables of rules (inside the Linux kernel) that inspect Ethernet frames.
       It is analogous to the iptables application, but less complicated, due
       to the fact that the Ethernet protocol is much simpler than the IP
       protocol.

   CHAINS
       There are two ebtables tables with built-in chains in the Linux kernel.
       These tables are used to divide functionality into different sets of
       rules. Each set of rules is called a chain. Each chain is an ordered
       list of rules that can match Ethernet frames. If a rule matches an
       Ethernet frame, then a processing specification tells what to do with
       that matching frame. The processing specification is called a 'target'.
       However, if the frame does not match the current rule in the chain,
       then the next rule in the chain is examined and so forth. The user can
       create new (user-defined) chains that can be used as the 'target' of a
       rule. User-defined chains are very useful to get better performance
       over the linear traversal of the rules and are also essential for
       structuring the filtering rules into well-organized and maintainable
       sets of rules.

   TARGETS
       A firewall rule specifies criteria for an Ethernet frame and a frame
       processing specification called a target. When a frame matches a rule,
       then the next action performed by the kernel is specified by the
       target. The target can be one of these values: ACCEPT, DROP, CONTINUE,
       RETURN, an 'extension' (see below) or a jump to a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy, e.g., to know how many frames pass a certain point in the chain,
       to log those frames or to apply multiple targets on a frame. RETURN
       means stop traversing this chain and resume at the next rule in the
       previous (calling) chain. For the extension targets please refer to
       the TARGET EXTENSIONS section of this man page.

   TABLES
       As stated earlier, there are two ebtables tables in the Linux kernel.
       The table names are filter and nat. Of these two tables, the filter
       table is the default table that the command operates on. If you are
       working with the filter table, then you can drop the '-t filter'
       argument to the ebtables command. However, you will need to provide the
       -t argument for the nat table. Moreover, the -t argument must be the
       first argument on the ebtables command line, if used.

       -t, --table
              filter is the default table and contains three built-in chains:
              INPUT (for frames destined for the bridge itself, on the level
              of the MAC destination address), OUTPUT (for locally-generated
              or (b)routed frames) and FORWARD (for frames being forwarded by
              the bridge).
              nat is mostly used to change the MAC addresses and contains
              three built-in chains: PREROUTING (for altering frames as soon
              as they come in), OUTPUT (for altering locally generated or
              (b)routed frames before they are bridged) and POSTROUTING (for
              altering frames as they are about to go out). A small note on
              the naming of chains PREROUTING and POSTROUTING: it would be
              more accurate to call them PREFORWARDING and POSTFORWARDING, but
              for all those who come from the iptables world to ebtables it is
              easier to have the same names. Note that you can change the name
              (-E) if you don't like the default.

EBTABLES COMMAND LINE ARGUMENTS

       After the initial ebtables '-t table' command line argument, the
       remaining arguments can be divided into several groups. These groups
       are commands, miscellaneous commands, rule specifications, match
       extensions, watcher extensions and target extensions.

   COMMANDS
       The ebtables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. Only
       one command may be used on the command line at a time, except when the
       commands -L and -Z are combined or the commands -N and -P are combined.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule or rules from the selected chain.
              There are two ways to use this command. The first is by
              specifying an interval of rule numbers to delete (directly after
              -D). Syntax: start_nr[:end_nr] (use -L --Ln to list the rules
              with their rule number). When end_nr is omitted, all rules
              starting from start_nr are deleted. Using negative numbers is
              allowed; for more details about using negative numbers, see the
              -I command. The second usage is by specifying the complete rule
              as it would have been specified when it was added. Only the
              first encountered rule that is the same as this specified rule,
              in other words the matching rule with the lowest (positive) rule
              number, is deleted.

       -C, --change-counters
              Change the counters of the specified rule or rules from the
              selected chain. There are two ways to use this command. The
              first is by specifying an interval of rule numbers to do the
              changes on (directly after -C). Syntax: start_nr[:end_nr] (use
              -L --Ln to list the rules with their rule number). The details
              are the same as for the -D command. The second usage is by
              specifying the complete rule as it would have been specified
              when it was added. Only the counters of the first encountered
              rule that is the same as this specified rule, in other words the
              matching rule with the lowest (positive) rule number, are
              changed. In the first usage, the counters are specified directly
              after the interval specification, in the second usage directly
              after -C. First the packet counter is specified, then the byte
              counter. If the specified counters start with a '+', the counter
              values are added to the respective current counter values. If
              the specified counters start with a '-', the counter values are
              subtracted from the respective current counter values. No bounds
              checking is done. If the counters don't start with '+' or '-',
              the current counters are changed to the specified counters.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the rule number is not specified, the
              rule is added at the head of the chain. If the current number of
              rules equals N, then the specified number can be between -N and
              N+1. For a positive number i, it holds that i and i-N-1 specify
              the same place in the chain where the rule should be inserted.
              The rule number 0 specifies the place past the last rule in the
              chain and using this number is therefore equivalent to using the
              -A command. Rule numbers strictly smaller than 0 can be useful
              when more than one rule needs to be inserted in a chain.
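
       The rule-number arithmetic shared by -I, -D and -C is easy to get
       wrong from the prose alone. The following Python model is an added
       example, not code from ebtables or this man page: it keeps a chain as
       a list and implements the numbering rules stated above (positive
       numbers from 1, negative numbers counted from the end, 0 meaning
       "past the last rule" for -I, a bare number naming one rule and a
       trailing colon meaning "to the end" for -D/-C, and the '+'/'-'
       counter prefixes). All function names and the sample rules are ours.

```python
# Added example (not part of the ebtables man page): a model of the
# rule-number arithmetic described for -I, -D and -C, run on a chain held
# as a Python list.  Function names and the sample rules are constructed.

from dataclasses import dataclass


@dataclass
class Rule:
    spec: str          # the rule text, e.g. "-p ARP -j ACCEPT"; any string works here
    pcnt: int = 0      # frame counter
    bcnt: int = 0      # byte counter


def insert_index(n_rules: int, number=None) -> int:
    """Map an -I rule number to a 0-based list index.

    With N rules the number must lie in -N .. N+1.  Positive i and i-N-1
    denote the same place; 0 is the place past the last rule (like -A);
    no number at all means the head of the chain.
    """
    if number is None:
        return 0
    if not -n_rules <= number <= n_rules + 1:
        raise ValueError(f"rule number {number} not in -{n_rules}..{n_rules + 1}")
    if number <= 0:
        number += n_rules + 1      # -N..0 -> 1..N+1
    return number - 1              # ebtables counts rules from 1


def insert_rule(chain: list, rule: Rule, number=None) -> None:
    chain.insert(insert_index(len(chain), number), rule)


def existing_index(n_rules: int, number: int) -> int:
    """Map a -D/-C rule number to a 0-based index: 1..N, or -N..-1 counted
    from the end (-1 is the last rule).  0 and N+1 name no existing rule."""
    if number == 0 or not -n_rules <= number <= n_rules:
        raise ValueError(f"rule number {number} does not exist")
    return number - 1 if number > 0 else number + n_rules


def parse_interval(n_rules: int, interval: str) -> range:
    """start_nr[:end_nr] -> range of 0-based indices.

    'n' names rule n only; 'n:' (end_nr omitted) runs from n to the last rule.
    """
    start, colon, end = interval.partition(":")
    first = existing_index(n_rules, int(start))
    if not colon:
        last = first
    elif end:
        last = existing_index(n_rules, int(end))
    else:
        last = n_rules - 1
    if last < first:
        raise ValueError("end_nr lies before start_nr")
    return range(first, last + 1)


def delete_rules(chain: list, interval: str) -> None:
    r = parse_interval(len(chain), interval)
    del chain[r.start:r.stop]


def apply_counter_spec(current: int, spec: str) -> int:
    """'+n' adds, '-n' subtracts, a plain 'n' overwrites; no bounds checking."""
    if spec.startswith("+"):
        return current + int(spec[1:])
    if spec.startswith("-"):
        return current - int(spec[1:])
    return int(spec)


def change_counters(chain: list, interval: str, pcnt: str, bcnt: str) -> None:
    for i in parse_interval(len(chain), interval):
        chain[i].pcnt = apply_counter_spec(chain[i].pcnt, pcnt)
        chain[i].bcnt = apply_counter_spec(chain[i].bcnt, bcnt)


def demo() -> list:
    """Three inserts and two counter changes on an empty chain."""
    chain: list = []
    insert_rule(chain, Rule("a"))                  # no number: head of chain
    insert_rule(chain, Rule("b"), 0)               # 0 == append, same as -A
    insert_rule(chain, Rule("c"), -1)              # N=2: -1 and 2 are the same place
    change_counters(chain, "1:", "+10", "+1500")   # every rule from 1 to the end
    change_counters(chain, "2", "3", "-500")       # rule 2 only
    return [(r.spec, r.pcnt, r.bcnt) for r in chain]


if __name__ == "__main__":
    print(demo())
```

       The model deliberately does no bounds checking on counters, as the
       page states for -C; a '-' specification can therefore drive a counter
       below zero here, which is worth knowing before scripting counter
       adjustments.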

       -P, --policy
              Set the policy for the chain to the given target. The policy can
              be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing a chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule counters
              are printed on the screen before they are set to zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.
              The following options change the output of the -L command.
              --Ln
              Places the rule number in front of every rule. This option is
              incompatible with the --Lx option.
              --Lc
              Shows the counters at the end of each rule displayed by the -L
              command. Both a frame counter (pcnt) and a byte counter (bcnt)
              are displayed. The frame counter shows how many frames have
              matched the specific rule, the byte counter shows the sum of the
              frame sizes of these matching frames. Using this option in
              combination with the --Lx option causes the counters to be
              written out in the '-c <pcnt> <bcnt>' option format.
              --Lx
              Changes the output so that it produces a set of ebtables
              commands that construct the contents of the chain, when
              specified. If no chain is specified, ebtables commands to
              construct the contents of the table are given, including
              commands for creating the user-defined chains (if any). You can
              use this set of commands in an ebtables boot or reload script.
              For example the output could be used at system startup. The --Lx
              option is incompatible with the --Ln listing option. Using the
              --Lx option together with the --Lc option will cause the
              counters to be written out in the '-c <pcnt> <bcnt>' option
              format.
              --Lmac2
              Shows all MAC addresses with the same length, adding leading
              zeroes if necessary. The default representation omits leading
              zeroes in the addresses.

       -N, --new-chain
              Create a new user-defined chain with the given name. The number
              of user-defined chains is limited only by the number of possible
              chain names. A user-defined chain name has a maximum length of
              31 characters. The standard policy of the user-defined chain is
              ACCEPT. The policy of the new chain can be initialized to a
              different standard target by using the -P command together with
              the -N command. In this case, the chain name does not have to be
              specified for the -P command.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references (jumps) to the specified chain, otherwise
              ebtables will refuse to delete it. If no chain is specified, all
              user-defined chains that aren't referenced will be removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you can rename a standard chain to a name
              that suits your taste. For example, if you like PREFORWARDING
              more than PREROUTING, then you can use the -E command to rename
              the PREROUTING chain. If you do rename one of the standard
              ebtables chain names, please be sure to mention this fact should
              you post a question on the ebtables mailing lists. It would be
              wise to use the standard name in your post. Renaming a standard
              ebtables chain in this fashion has no effect on the structure or
              functioning of the ebtables kernel table.

       --init-table
              Replace the current table data by the initial table data.

   MISCELLANEOUS COMMANDS
       -v, --verbose
              Verbose mode. For appending, insertion, deletion and
              replacement, this causes detailed information on the rule or
              rules to be printed. -v may be specified multiple times to
              possibly emit more detailed debug statements.

       -V, --version
              Show the version of the ebtables userspace program.

       -h, --help [list of module names]
              Give a brief description of the command syntax. Here you can
              also specify names of extensions and ebtables will try to write
              help about those extensions. E.g. ebtables -h snat log ip arp.
              Specify list_extensions to list all extensions supported by the
              userspace utility.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
              EXTENSIONS) or a user-defined chain name.

       -M, --modprobe program
              When talking to the kernel, use this program to try to
              automatically load missing kernel modules.

       --concurrent
              Use a file lock to support concurrent scripts updating the
              ebtables kernel tables.

   RULE SPECIFICATIONS
       The following command line arguments make up a rule specification (as
       used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from these
       standard rule specifications there are some other command line
       arguments of interest. See both the MATCH EXTENSIONS and the WATCHER
       EXTENSIONS below.

       -p, --protocol [!] protocol
              The protocol that was responsible for creating the frame. This
              can be a hexadecimal number, above 0x0600, a name (e.g. ARP) or
              LENGTH. The protocol field of the Ethernet frame can be used to
              denote the length of the header (802.2/802.3 networks). When the
              value of that field is below or equals 0x0600, the value equals
              the size of the header and shouldn't be used as a protocol
              number. Instead, all frames where the protocol field is used as
              the length field are assumed to be of the same 'protocol'. The
              protocol name used in ebtables for these frames is LENGTH.
              The file /etc/ethertypes can be used to show readable characters
              instead of hexadecimal numbers for the protocols. For example,
              0x0800 will be represented by IPV4. The use of this file is not
              case sensitive. See that file for more information. The flag
              --proto is an alias for this option.
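
       The 0x0600 boundary above is the detail that trips people up: a frame
       whose type/length field holds a length is never equal to any protocol
       number, so a rule for a numeric value at or below 0x0600 can never
       match and LENGTH must be used instead. The Python below is an added
       example, not code from ebtables or this page; it resolves a -p
       argument the way the text describes (case-insensitive names via an
       /etc/ethertypes-style table, hex numbers above 0x0600, or LENGTH) and
       classifies a frame's type/length field accordingly. The ethertypes
       table is a constructed excerpt in the file's format, not the real
       file, and the function names are ours.

```python
# Added example, not code from the man page: how a -p argument is interpreted
# and compared with a frame's type/length field.  ETHERTYPES_TEXT is a
# constructed excerpt in /etc/ethertypes format (name, hex value, optional
# aliases, '#' comments); a real system reads that file.  Function names are ours.

ETHERTYPES_TEXT = """\
# name  value  aliases            comment   (constructed sample)
IPv4    0800   ip ip4             # Internet IP (IPv4)
ARP     0806   ether-arp          # Address Resolution Protocol
RARP    8035                      # Reverse ARP
802_1Q  8100   8021q 1q 802.1q    # VLAN-tagged frame
IPv6    86DD   ip6                # IPv6
"""

LENGTH_MAX = 0x0600   # type/length field values up to here are 802.3 lengths


def load_ethertypes(text: str) -> dict:
    """Map every name and alias (lower-cased) to its 16-bit value."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments
        if len(fields) < 2:
            continue
        value = int(fields[1], 16)
        for name in [fields[0]] + fields[2:]:
            table[name.lower()] = value
    return table


def parse_protocol(arg: str, table: dict):
    """Translate a -p value into what the rule compares against.

    Returns the string 'LENGTH' for the length pseudo-protocol, otherwise
    the 16-bit type value.  Names are case-insensitive; a hex number must
    be above 0x0600, because smaller values are frame lengths, not protocols.
    """
    if arg.lower() == "length":
        return "LENGTH"
    if arg.lower() in table:
        return table[arg.lower()]
    value = int(arg, 16)
    if value <= LENGTH_MAX:
        raise ValueError(f"{arg} is a length, not a protocol; use LENGTH")
    if value > 0xFFFF:
        raise ValueError(f"{arg} does not fit the 16-bit type field")
    return value


def is_valid_protocol_arg(arg: str, table: dict) -> bool:
    try:
        parse_protocol(arg, table)
        return True
    except ValueError:
        return False


def frame_protocol(type_or_length: int):
    """What ebtables considers the 'protocol' of a frame with this field."""
    return "LENGTH" if type_or_length <= LENGTH_MAX else type_or_length


def protocol_matches(type_or_length: int, arg: str, table: dict, invert=False) -> bool:
    """The -p [!] test for one frame."""
    return (frame_protocol(type_or_length) == parse_protocol(arg, table)) != invert


ETHERTYPES = load_ethertypes(ETHERTYPES_TEXT)

if __name__ == "__main__":
    for field in (0x0800, 0x0806, 0x002E, 0x8100):
        print(hex(field), frame_protocol(field), protocol_matches(field, "ipv4", ETHERTYPES))
```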

       -i, --in-interface [!] name
              The interface (bridge port) via which a frame is received (this
              option is useful in the INPUT, FORWARD, PREROUTING and BROUTING
              chains). If the interface name ends with '+', then any interface
              name that begins with this name (disregarding '+') will match.
              The flag --in-if is an alias for this option.

       --logical-in [!] name
              The (logical) bridge interface via which a frame is received
              (this option is useful in the INPUT, FORWARD, PREROUTING and
              BROUTING chains). If the interface name ends with '+', then any
              interface name that begins with this name (disregarding '+')
              will match.

       -o, --out-interface [!] name
              The interface (bridge port) via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding '+')
              will match. The flag --out-if is an alias for this option.

       --logical-out [!] name
              The (logical) bridge interface via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding '+')
              will match.

       -s, --source [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons. Alternatively one can
              specify Unicast, Multicast, Broadcast or BGA (Bridge Group
              Address):
              Unicast=00:00:00:00:00:00/01:00:00:00:00:00,
              Multicast=01:00:00:00:00:00/01:00:00:00:00:00,
              Broadcast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or
              BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast
              address will also match the multicast specification. The flag
              --src is an alias for this option.
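
       The address/mask notation above is the same masked comparison used
       for -d, and the named classes are just fixed address/mask pairs. The
       Python below is an added example, not ebtables code: it implements
       "(frame & mask) == (address & mask)" over the six bytes, expands the
       four class names to the pairs listed on the page, and lists which
       classes a given address satisfies, which makes the remark that a
       broadcast address also matches Multicast visible (both classes test
       the same bit of the first octet). Function names and the sample
       addresses are ours.

```python
# Added example, not from the man page: the address[/mask] comparison behind
# -s and -d, with the four named classes the page lists.  Function names and
# the sample addresses are constructed.

NAMED_MAC_SPECS = {
    "unicast":   "00:00:00:00:00:00/01:00:00:00:00:00",
    "multicast": "01:00:00:00:00:00/01:00:00:00:00:00",
    "broadcast": "ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff",
    "bga":       "01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff",
}
FULL_MASK = "ff:ff:ff:ff:ff:ff"


def parse_mac(text: str) -> bytes:
    """Six colon-separated hex bytes -> 6 raw bytes (leading zeroes optional)."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def parse_mac_spec(spec: str) -> tuple:
    """'address[/mask]' or a class name -> (address bytes, mask bytes).
    Without a mask the address must match exactly."""
    spec = NAMED_MAC_SPECS.get(spec.lower(), spec)
    address, _, mask = spec.partition("/")
    return parse_mac(address), parse_mac(mask or FULL_MASK)


def mac_matches(frame_mac: str, spec: str, invert: bool = False) -> bool:
    """True when (frame & mask) == (address & mask); '!' inverts the result."""
    address, mask = parse_mac_spec(spec)
    frame = parse_mac(frame_mac)
    hit = all((f & m) == (a & m) for f, a, m in zip(frame, address, mask))
    return hit != invert


def classify(frame_mac: str) -> list:
    """Every named class a frame address satisfies.  The unicast and multicast
    classes only test the lowest bit of the first octet, so a broadcast
    address (and the BGA) is also multicast."""
    return [name for name in NAMED_MAC_SPECS if mac_matches(frame_mac, name)]


if __name__ == "__main__":
    for mac in ("00:1a:2b:3c:4d:5e", "01:00:5e:00:00:fb",
                "ff:ff:ff:ff:ff:ff", "01:80:c2:00:00:00"):
        print(mac, classify(mac))
```

       Because of this overlap, a rule meant to drop multicast but keep
       broadcast needs either an explicit Broadcast rule earlier in the
       chain or a "! -d Broadcast" qualifier alongside the Multicast match.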

       -d, --destination [!] address[/mask]
              The destination MAC address. See -s (above) for more details on
              MAC addresses. The flag --dst is an alias for this option.

       -c, --set-counter pcnt bcnt
              If used with -A or -I, then the packet and byte counters of the
              new rule will be set to pcnt, resp. bcnt. If used with the -C
              or -D commands, only rules with a packet and byte count equal to
              pcnt, resp. bcnt will match.


   MATCH EXTENSIONS
       Ebtables extensions are dynamically loaded into the userspace tool;
       there is therefore no need to explicitly load them with a -m option
       as is done in iptables. These extensions deal with functionality
       supported by kernel modules supplemental to the core ebtables code.

   802_3
       Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
       specified as LENGTH (see the option -p above).

       --802_3-sap [!] sap
              DSAP and SSAP are two one-byte 802.3 fields. The bytes are
              always equal, so only one byte (hexadecimal) is needed as an
              argument.

       --802_3-type [!] type
              If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
              field must be consulted to determine the payload protocol. This
              is a two-byte (hexadecimal) argument. Only 802.3 frames with
              DSAP/SSAP 0xaa are checked for type.

   among
       Match a MAC address or MAC/IP address pair versus a list of MAC
       addresses and MAC/IP address pairs. A list entry has the following
       format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
       separated by a comma; specifying an IP address corresponding to the MAC
       address is optional. Multiple MAC/IP address pairs with the same MAC
       address but different IP address (and vice versa) can be specified. If
       the MAC address doesn't match any entry from the list, the frame
       doesn't match the rule (unless "!" was used).

       --among-dst [!] list
              Compare the MAC destination to the given list. If the Ethernet
              frame has type IPv4 or ARP, then comparison with MAC/IP
              destination address pairs from the list is possible.

       --among-src [!] list
              Compare the MAC source to the given list. If the Ethernet frame
              has type IPv4 or ARP, then comparison with MAC/IP source address
              pairs from the list is possible.

       --among-dst-file [!] file
              Same as --among-dst but the list is read in from the specified
              file.

       --among-src-file [!] file
              Same as --among-src but the list is read in from the specified
              file.
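
       The among list format is compact, and the distinction between a
       MAC-only entry and a MAC=IP pair matters when the list is used to pin
       stations to addresses on a bridge. The Python below is an added
       example, not ebtables code: it parses the
       xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] format (tolerating newlines, so the
       same parser reads a file for the --among-*-file variants), normalises
       MAC case and leading zeroes, and applies the match as described above,
       where a MAC-only entry matches on the MAC alone and a MAC=IP entry
       needs both and is only usable when the frame is IPv4 or ARP. The
       entries and frames are constructed samples; function names are ours.

```python
# Added example, not the page's code: a parser for the among list format
# xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] and the --among-src/--among-dst test on
# top of it.  Entries and frames below are constructed; names are ours.

import ipaddress


def canon_mac(text: str) -> str:
    """Normalise case and leading zeroes so list and frame compare equal."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)


def parse_among_list(text: str) -> set:
    """Return a set of (mac, ip) tuples; ip is None for MAC-only entries.

    Entries are comma-separated; newlines are tolerated so the same parser
    can read a file given to --among-src-file / --among-dst-file.
    """
    entries = set()
    for item in text.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue                      # trailing comma or blank line
        mac, _, ip = item.partition("=")
        ip_norm = str(ipaddress.IPv4Address(ip)) if ip else None
        entries.add((canon_mac(mac), ip_norm))
    return entries


def among_matches(entries: set, mac: str, ip: str = None, invert: bool = False) -> bool:
    """MAC-only entries match on the MAC alone.  MAC=IP entries need both the
    MAC and the IP, which is only available for IPv4 and ARP frames (pass
    ip=None for any other frame type)."""
    mac = canon_mac(mac)
    hit = (mac, None) in entries
    if not hit and ip is not None:
        hit = (mac, str(ipaddress.IPv4Address(ip))) in entries
    return hit != invert


# Constructed sample list: one station with two allowed addresses, one MAC-only entry.
SAMPLE_LIST = """
00:11:22:33:44:55=192.168.1.10,
00:11:22:33:44:55=192.168.1.11,
aa:bb:cc:dd:ee:ff
"""
ENTRIES = parse_among_list(SAMPLE_LIST)

if __name__ == "__main__":
    print(sorted(ENTRIES, key=str))
    print(among_matches(ENTRIES, "00:11:22:33:44:55", "192.168.1.10"))   # True
    print(among_matches(ENTRIES, "00:11:22:33:44:55", "192.168.1.12"))   # False
```

       Note the last case in the block: a frame from the listed MAC with an
       IP that is not paired with it does not match, and with "!" that frame
       does match, which is the shape a rule enforcing MAC/IP bindings relies
       on.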

   arp
       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.

       --arp-opcode [!] opcode
              The (R)ARP opcode (decimal or a string, for more details see
              ebtables -h arp).

       --arp-htype [!] hardware type
              The hardware type, this can be a decimal or the string Ethernet
              (which sets type to 1). Most (R)ARP packets have Ethernet as
              hardware type.

       --arp-ptype [!] protocol type
              The protocol type for which the (r)arp is used (hexadecimal or
              the string IPv4, denoting 0x0800). Most (R)ARP packets have
              protocol type IPv4.

       --arp-ip-src [!] address[/mask]
              The (R)ARP IP source address specification.

       --arp-ip-dst [!] address[/mask]
              The (R)ARP IP destination address specification.

       --arp-mac-src [!] address[/mask]
              The (R)ARP MAC source address specification.

       --arp-mac-dst [!] address[/mask]
              The (R)ARP MAC destination address specification.

       [!] --arp-gratuitous
              Checks for ARP gratuitous packets: checks equality of IPv4
              source address and IPv4 destination address inside the ARP
              header.

   ip
       Specify IPv4 fields. The protocol must be specified as IPv4.

       --ip-source [!] address[/mask]
              The source IP address. The flag --ip-src is an alias for this
              option.

       --ip-destination [!] address[/mask]
              The destination IP address. The flag --ip-dst is an alias for
              this option.

       --ip-tos [!] tos
              The IPv4 type of service, in hexadecimal numbers.

       --ip-protocol [!] protocol
              The IP protocol. The flag --ip-proto is an alias for this
              option.

       --ip-source-port [!] port1[:port2]
              The source port or port range for the IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
              specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-sport is an alias for this
              option.

       --ip-destination-port [!] port1[:port2]
              The destination port or port range for IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
              specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-dport is an alias for this
              option.

   ip6
       Specify IPv6 fields. The protocol must be specified as IPv6.

       --ip6-source [!] address[/mask]
              The source IPv6 address. The flag --ip6-src is an alias for
              this option.

       --ip6-destination [!] address[/mask]
              The destination IPv6 address. The flag --ip6-dst is an alias
              for this option.

       --ip6-tclass [!] tclass
              The IPv6 traffic class, in hexadecimal numbers.

       --ip6-protocol [!] protocol
              The IP protocol. The flag --ip6-proto is an alias for this
              option.

       --ip6-source-port [!] port1[:port2]
              The source port or port range for the IPv6 protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option must
              be specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip6-sport is an alias for this
              option.

       --ip6-destination-port [!] port1[:port2]
              The destination port or port range for IPv6 protocols 6 (TCP),
              17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol option
              must be specified as TCP, UDP, DCCP or SCTP. If port1 is
              omitted, 0:port2 is used; if port2 is omitted but a colon is
              specified, port1:65535 is used. The flag --ip6-dport is an alias
              for this option.

       --ip6-icmp-type [!] {type[:type]/code[:code]|typename}
              Specify ipv6-icmp type and code to match. Ranges for both type
              and code are supported. Type and code are separated by a slash.
              Valid numbers for type and code are 0 to 255. To match a single
              type including all valid codes, symbolic names can be used
              instead of numbers. The list of known type names is shown by the
              command
                ebtables --help ip6
              This option is only valid for --ip6-protocol ipv6-icmp.

   limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached. It
       can be used with the --log watcher to give limited logging, for
       example. Its use is the same as the limit match of iptables.

       --limit [value]
              Maximum average matching rate: specified as a number, with an
              optional /second, /minute, /hour, or /day suffix; the default is
              3/hour.

       --limit-burst [number]
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.
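
       The interaction of --limit and --limit-burst is easier to see on a
       timeline than in prose. The Python below is an added example, not
       ebtables code: a token bucket of --limit-burst tokens that starts full,
       spends one token per matching frame and refills at the --limit rate
       (parsed with the /second, /minute, /hour and /day suffixes and the
       page's defaults of 3/hour and 5), applied to a constructed sequence
       of frame arrival times. Function and class names are ours.

```python
# Added example, not part of the man page: a token-bucket model of the limit
# match with the page's parameters (--limit rate, --limit-burst bucket size).
# Timestamps are constructed; function names are ours.

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec: str = "3/hour") -> float:
    """'N[/second|/minute|/hour|/day]' -> average matches per second."""
    count, _, unit = spec.partition("/")
    n = int(count)
    if n <= 0:
        raise ValueError("rate must be positive")
    return n / UNIT_SECONDS[unit or "second"]


class LimitMatch:
    """Bucket of `burst` tokens, refilled at `rate`; one token per match."""

    def __init__(self, rate: str = "3/hour", burst: int = 5):
        self.rate = parse_rate(rate)
        self.burst = burst
        self.tokens = float(burst)   # a fresh rule can match `burst` frames at once
        self.last = None             # time of the previous frame seen

    def matches(self, now: float) -> bool:
        if self.last is not None:
            # recharge by the average rate over the elapsed time, never above burst
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                 # over the limit: the rule does not match


def filter_frames(timestamps, rate: str = "3/hour", burst: int = 5) -> list:
    """Apply one limit match to a sequence of frame arrival times (seconds)."""
    lm = LimitMatch(rate, burst)
    return [lm.matches(t) for t in timestamps]


if __name__ == "__main__":
    # burst 3 at 1/second: five frames at t=0 let three through, then one
    # more per elapsed second
    print(filter_frames([0, 0, 0, 0, 0, 1.0, 1.0, 3.5], "1/second", 3))
```

       Paired with the log watcher, this is what keeps a flood of matching
       frames from filling the syslog: only the frames for which the limit
       match returns true reach the watcher and the target.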

   mark_m
       --mark [!] [value][/mask]
              Matches frames with the given unsigned mark value. If a value
              and mask are specified, the logical AND of the mark value of the
              frame and the user-specified mask is taken before comparing it
              with the user-specified mark value. When only a mark value is
              specified, the packet only matches when the mark value of the
              frame equals the user-specified mark value. If only a mask is
              specified, the logical AND of the mark value of the frame and
              the user-specified mask is taken and the frame matches when the
              result of this logical AND is non-zero. Only specifying a mask
              is useful to match multiple mark values.
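
       The three forms of the --mark argument compare different things, and
       the mask-only form in particular tests "any bit set", not equality.
       The Python below is an added example, not ebtables code, spelling out
       the three comparisons described above on constructed mark values;
       function names are ours.

```python
# Added example, not code from the man page: the three forms of the --mark
# argument ([value][/mask]) and what each compares.  Names and sample marks
# are constructed.

def parse_number(text: str) -> int:
    """Decimal or 0x-prefixed hexadecimal."""
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def parse_mark_spec(spec: str) -> tuple:
    """'[value][/mask]' -> (value or None, mask or None)."""
    value, _, mask = spec.partition("/")
    if not value and not mask:
        raise ValueError("--mark needs a value, a mask or both")
    return (parse_number(value) if value else None,
            parse_number(mask) if mask else None)


def mark_matches(frame_mark: int, spec: str, invert: bool = False) -> bool:
    value, mask = parse_mark_spec(spec)
    if value is not None and mask is not None:
        hit = (frame_mark & mask) == value        # value/mask: masked equality
    elif value is not None:
        hit = frame_mark == value                 # value only: exact equality
    else:
        hit = (frame_mark & mask) != 0            # mask only: any masked bit set
    return hit != invert


if __name__ == "__main__":
    for spec in ("0x1234", "0x34/0xff", "/0xf000", "/0x000b"):
        print(spec, mark_matches(0x1234, spec))
```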

   pkttype
       --pkttype-type [!] type
              Matches on the Ethernet "class" of the frame, which is
              determined by the generic networking code. Possible values:
              broadcast (MAC destination is the broadcast address), multicast
              (MAC destination is a multicast address), host (MAC destination
              is the receiving network device), or otherhost (none of the
              above).

   stp
       Specify STP BPDU (bridge protocol data unit) fields. The destination
       address (-d) must be specified as the bridge group address (BGA). For
       all options for which a range of values can be specified, it holds that
       if the lower bound is omitted (but the colon is not), then the lowest
       possible lower bound for that option is used, while if the upper bound
       is omitted (but the colon again is not), the highest possible upper
       bound for that option is used.

       --stp-type [!] type
              The BPDU type (0-255), recognized non-numerical types are
              config, denoting a configuration BPDU (=0), and tcn, denoting a
              topology change notification BPDU (=128).

       --stp-flags [!] flag
              The BPDU flag (0-255), recognized non-numerical flags are
              topology-change, denoting the topology change flag (=1), and
              topology-change-ack, denoting the topology change
              acknowledgement flag (=128).

       --stp-root-prio [!] [prio][:prio]
              The root priority (0-65535) range.

       --stp-root-addr [!] [address][/mask]
              The root MAC address, see the option -s for more details.

       --stp-root-cost [!] [cost][:cost]
              The root path cost (0-4294967295) range.

       --stp-sender-prio [!] [prio][:prio]
              The BPDU's sender priority (0-65535) range.

       --stp-sender-addr [!] [address][/mask]
              The BPDU's sender MAC address, see the option -s for more
              details.

       --stp-port [!] [port][:port]
              The port identifier (0-65535) range.

       --stp-msg-age [!] [age][:age]
              The message age timer (0-65535) range.

       --stp-max-age [!] [age][:age]
              The max age timer (0-65535) range.

       --stp-hello-time [!] [time][:time]
              The hello time timer (0-65535) range.

       --stp-forward-delay [!] [delay][:delay]
              The forward delay timer (0-65535) range.
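
       The same '[lo][:hi]' range syntax appears in the ip and ip6 port
       options, in --ip6-icmp-type and in the stp options above, with the
       same omission rules: a missing lower bound becomes the lowest legal
       value, a missing upper bound after a colon the highest, and a bare
       number names a single value. The Python below is an added example,
       not ebtables code, with one parser for that syntax and thin wrappers
       carrying the bounds the page gives for ports (0-65535), ICMPv6 types
       and codes (0-255) and each stp range option, plus the check that port
       options only make sense with --ip-protocol TCP, UDP, DCCP or SCTP.
       Function names and the sample specifications are ours.

```python
# Added example, not from the man page: one parser for the '[lo][:hi]' range
# syntax shared by the ip/ip6 port options, --ip6-icmp-type and the stp
# options, with the omission rules the page gives.  Names are ours.

PORT_PROTOCOLS = {"tcp": 6, "udp": 17, "dccp": 33, "sctp": 132}


def parse_range(spec: str, lowest: int, highest: int) -> tuple:
    """'lo', 'lo:hi', ':hi', 'lo:' or ':' -> (lo, hi) within [lowest, highest]."""
    lo, colon, hi = spec.partition(":")
    lo_v = int(lo) if lo else lowest                    # missing lower bound
    hi_v = int(hi) if hi else (highest if colon else lo_v)   # missing upper bound / single value
    if not lowest <= lo_v <= hi_v <= highest:
        raise ValueError(f"{spec!r} is not a range within {lowest}-{highest}")
    return lo_v, hi_v


def parse_port_range(spec: str, ip_protocol: str) -> tuple:
    """--ip-source-port / --ip-destination-port (and the ip6 twins): ports
    0-65535, only valid when the protocol option is TCP, UDP, DCCP or SCTP."""
    if ip_protocol.lower() not in PORT_PROTOCOLS:
        raise ValueError(f"port options need TCP/UDP/DCCP/SCTP, not {ip_protocol}")
    return parse_range(spec, 0, 65535)


def parse_icmp6_spec(spec: str) -> tuple:
    """'type[:type]/code[:code]' -> ((tlo, thi), (clo, chi)); without a code
    part every code (0-255) matches."""
    types, _, codes = spec.partition("/")
    return parse_range(types, 0, 255), (parse_range(codes, 0, 255) if codes else (0, 255))


# The stp range options and the bounds listed on the page.
STP_BOUNDS = {
    "--stp-root-prio": (0, 65535), "--stp-root-cost": (0, 4294967295),
    "--stp-sender-prio": (0, 65535), "--stp-port": (0, 65535),
    "--stp-msg-age": (0, 65535), "--stp-max-age": (0, 65535),
    "--stp-hello-time": (0, 65535), "--stp-forward-delay": (0, 65535),
}


def parse_stp_range(option: str, spec: str) -> tuple:
    lowest, highest = STP_BOUNDS[option]
    return parse_range(spec, lowest, highest)


def in_range(value: int, rng: tuple) -> bool:
    return rng[0] <= value <= rng[1]


if __name__ == "__main__":
    print(parse_port_range(":1023", "tcp"), parse_port_range("49152:", "udp"))
    print(parse_icmp6_spec("128:129/0"), parse_stp_range("--stp-root-cost", ":"))
```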
580
   vlan
       Specify 802.1Q Tag Control Information fields. The protocol must be
       specified as 802_1Q (0x8100).

       --vlan-id [!] id
              The VLAN identifier field (VID). Decimal number from 0 to 4095.

       --vlan-prio [!] prio
              The user priority field, a decimal number from 0 to 7. The VID
              should be set to 0 ("null VID") or unspecified (in the latter
              case the VID is deliberately set to 0).

       --vlan-encap [!] type
              The encapsulated Ethernet frame type/length. Specified as a
              hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
              from /etc/ethertypes.

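       The following script is an added example and is not part of this man
       page or of the netfilter project. It combines the stp and vlan match
       extensions above into a hardening policy for one untrusted bridge
       port: BPDUs from the port are dropped (BPDU guard), double-tagged
       802.1Q frames are dropped, and only an allow-list of VLAN IDs is
       accepted. The port name eth1, the VLAN IDs 10 and 20 and the use of
       the default filter table are assumptions of the example. Because
       ebtables needs root and a real bridge, the script only prints the
       rules it would add unless EBT_APPLY=1 is set in the environment.

```shell
#!/bin/sh
# Added example; not part of the ebtables man page or the netfilter project.
# Harden one untrusted bridge port with the stp and vlan match extensions.
# Assumed (hypothetical) setup: untrusted bridge member port eth1 and an
# allow-list of VLAN IDs 10 and 20, in the default filter table.  Rules are
# printed, not applied, unless EBT_APPLY=1: ebtables needs root and a bridge.

EBTABLES=${EBTABLES:-ebtables}
BGA=01:80:c2:00:00:00   # bridge group address, the destination of every STP BPDU

# run: apply the command when EBT_APPLY=1, otherwise print it on one line
run() {
    if [ "${EBT_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# BPDU guard.  A host-facing port must never inject configuration or TCN
# BPDUs: a rogue bridge advertising a better root priority would otherwise
# be elected root and reshape the topology.  The stp match requires -d BGA.
# The bridge consumes BPDUs locally (INPUT); the FORWARD copy covers bridges
# configured to forward link-local frames instead.
bpdu_guard() {
    for chain in INPUT FORWARD; do
        for bpdu in config tcn; do
            run "$EBTABLES" -A "$chain" -i "$1" -d "$BGA" --stp-type "$bpdu" -j DROP
        done
    done
}

# Drop double-tagged (QinQ) frames: an 802.1Q frame whose encapsulated type
# is again 802_1Q, the payload used for VLAN hopping across a native VLAN.
drop_double_tagged() {
    run "$EBTABLES" -A FORWARD -i "$1" -p 802_1Q --vlan-encap 802_1Q -j DROP
}

# Accept only the listed VIDs from the port; every other tagged frame is dropped.
vlan_allowlist() {
    port=$1; shift
    for vid in "$@"; do
        run "$EBTABLES" -A FORWARD -i "$port" -p 802_1Q --vlan-id "$vid" -j ACCEPT
    done
    run "$EBTABLES" -A FORWARD -i "$port" -p 802_1Q -j DROP
}

# Order matters: the double-tag drop must come before the per-VID accepts,
# or a double-tagged frame with an allowed outer VID would be accepted.
harden_port() {
    port=$1; shift
    bpdu_guard "$port"
    drop_double_tagged "$port"
    vlan_allowlist "$port" "$@"
}

harden_port "${1:-eth1}" 10 20
```

       Run it as "sh harden.sh eth1" to review the rules, then with
       EBT_APPLY=1 to install them. The rules append to the existing chains,
       so list the chains afterwards with ebtables -L to confirm that no
       earlier ACCEPT rule shadows them.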
   WATCHER EXTENSIONS
       Watchers only look at frames passing by; they neither modify them nor
       decide whether to accept them. A watcher only sees a frame if the
       frame matches the rule, and it sees it before the target is executed,
       so a frame that the rule goes on to DROP is still logged.

   log
       The log watcher writes descriptive data about a frame to the syslog.

       --log
              Log with the default logging options: log-level=info,
              log-prefix="", no IP logging, no ARP logging.

       --log-level level
              Defines the logging level. For the possible values, see ebtables
              -h log. The default level is info.

       --log-prefix text
              Defines the prefix text to be printed at the beginning of the
              line with the logging information.

       --log-ip
              Also log the IP header information when the matching frame
              carries an IPv4 packet. The default is no IP information
              logging.

       --log-ip6
              Also log the IPv6 header information when the matching frame
              carries an IPv6 packet. The default is no IPv6 information
              logging.

       --log-arp
              Also log the (R)ARP information when the matching frame carries
              an ARP or RARP message. The default is no (R)ARP information
              logging.

   nflog
       The nflog watcher passes the packet to the loaded logging backend in
       order to log the packet. This is usually used in combination with
       nfnetlink_log as logging backend, which will multicast the packet
       through a netlink socket to the specified multicast group. One or more
       userspace processes may subscribe to the group to receive the packets.

       --nflog
              Log with the default logging options.

       --nflog-group nlgroup
              The netlink group (1 - 2^32-1) to which packets are sent (only
              applicable for nfnetlink_log). The default value is 1.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 30
              characters long, useful for distinguishing messages in the
              logs.

       --nflog-range size
              The number of bytes to be copied to userspace (only applicable
              for nfnetlink_log). nfnetlink_log instances may specify their
              own range; this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before sending them
              to userspace (only applicable for nfnetlink_log). Higher values
              result in less overhead per packet, but increase the delay until
              the packets reach userspace. The default value is 1.

   ulog
       The ulog watcher passes the packet to a userspace logging daemon using
       netlink multicast sockets. This differs from the log watcher in the
       sense that the complete packet is sent to userspace instead of a
       descriptive text and that netlink multicast sockets are used instead of
       the syslog. This watcher enables parsing of packets with userspace
       programs; the physical bridge in and out ports are also included in the
       netlink messages. The ulog watcher module accepts 2 parameters when the
       module is loaded into the kernel (e.g. with modprobe): nlbufsiz
       specifies how big the buffer for each netlink multicast group is. If
       you say nlbufsiz=8192, for example, up to eight kB of packets will get
       accumulated in the kernel until they are sent to userspace. It is not
       possible to allocate more than 128kB. Please also keep in mind that
       this buffer size is allocated for each nlgroup you are using, so the
       total kernel memory usage increases by that factor. The default is
       4096. flushtimeout specifies after how many hundredths of a second the
       queue should be flushed, even if it is not full yet. The default is 10
       (one tenth of a second). Note that the ebt_ulog kernel module this
       watcher depends on was removed from the mainline Linux kernel in
       version 3.17; on such kernels use the nflog watcher instead.

       --ulog
              Use the default settings: ulog-prefix="", ulog-nlgroup=1,
              ulog-cprange=4096, ulog-qthreshold=1.

       --ulog-prefix text
              Defines the prefix included with the packets sent to userspace.

       --ulog-nlgroup group
              Defines which netlink group number to use (a number from 1 to
              32). Make sure the netlink group numbers used for the iptables
              ULOG target differ from those used for the ebtables ulog
              watcher. The default group number is 1.

       --ulog-cprange range
              Defines the maximum copy range to userspace, for packets
              matching the rule. The default range is 0, which means the
              maximum copy range is given by nlbufsiz. A maximum copy range
              larger than 128*1024 is meaningless as the packets sent to
              userspace have an upper size limit of 128*1024.

       --ulog-qthreshold threshold
              Queue at most threshold number of packets before sending them to
              userspace with a netlink socket. Note that packets can be sent
              to userspace before the queue is full; this happens when the
              ulog kernel timer goes off (the frequency of this timer depends
              on flushtimeout).

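       The following script is an added example and is not part of this man
       page or of the netfilter project. It shows the two watcher styles
       side by side: a log rule that records ARP details of frames the same
       rule then drops (the watcher runs before the target), and a small
       user-defined chain that copies the first 128 bytes of frames with
       unexpected ethertypes to an nflog group. The port eth1, the netlink
       group 5 and the prefix strings are assumptions; a collector such as
       ulogd subscribing to that group is assumed to exist. Rules are printed
       unless EBT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example; not part of the ebtables man page or the netfilter project.
# The two watcher styles side by side: log writes a text line to the kernel
# log, nflog hands the frame itself to nfnetlink_log for a userspace
# collector.  Assumed (hypothetical): untrusted port eth1, nflog group 5
# consumed by a collector such as ulogd, filter table.  Rules are printed,
# not applied, unless EBT_APPLY=1.

EBTABLES=${EBTABLES:-ebtables}

run() {
    if [ "${EBT_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# --nflog-prefix accepts at most 30 characters; check before building the
# rule instead of discovering it from a rejected insertion.
check_nflog_prefix() {
    [ "${#1}" -le 30 ]
}

# Watchers run before the target, so a rule that ends in DROP still logs.
# With --log-arp the line carries the ARP sender/target MACs and IPs, which
# is what an analyst needs to attribute a dropped request.
log_and_drop_arp() {
    run "$EBTABLES" -A FORWARD -i "$1" -p ARP --log-arp --log-level warning --log-prefix ebt-arp-drop -j DROP
}

# Audit chain for ethertypes that are neither IPv4, IPv6, ARP nor 802.1Q
# (tagged frames show the 802_1Q ethertype to -p): copy the first 128 bytes
# of each such frame to netlink group $2 and CONTINUE, so the normal filter
# policy still decides the frame's fate.
nflog_unknown_ethertypes() {
    port=$1 group=$2 prefix=$3
    check_nflog_prefix "$prefix" || { echo "nflog prefix longer than 30 chars: $prefix" >&2; return 1; }
    run "$EBTABLES" -N l2audit -P RETURN
    for proto in IPv4 IPv6 ARP 802_1Q; do
        run "$EBTABLES" -A l2audit -p "$proto" -j RETURN
    done
    run "$EBTABLES" -A l2audit --nflog-group "$group" --nflog-prefix "$prefix" --nflog-range 128 -j CONTINUE
    run "$EBTABLES" -A FORWARD -i "$port" -j l2audit
}

log_and_drop_arp "${1:-eth1}"
nflog_unknown_ethertypes "${1:-eth1}" 5 l2-unknown
```

       The log rule is deliberately unconditional on rate: on a busy segment
       it can flood the kernel log, so keep it for targeted rules (as here,
       only ARP on one port) and prefer nflog for bulk capture.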
   TARGET EXTENSIONS
   arpreply
       The arpreply target can be used in the PREROUTING chain of the nat
       table. If this target sees an ARP request it will automatically reply
       with an ARP reply. The MAC address used for the reply can be specified.
       The protocol must be specified as ARP. When the ARP message is not an
       ARP request, or when the ARP request isn't for an IP address on an
       Ethernet network, it is ignored by this target (CONTINUE). When the ARP
       request is malformed, it is dropped (DROP).

       --arpreply-mac address
              Specifies the MAC address to reply with: the Ethernet source MAC
              and the ARP payload source MAC will be filled in with this
              address.

       --arpreply-target target
              Specifies the standard target. After sending the ARP reply, the
              rule still has to give a standard target so ebtables knows what
              to do with the ARP request. The default target is DROP, so the
              request is answered by the bridge and not forwarded to the host
              that actually owns the address.

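       The following script is an added example and is not part of this man
       page or of the netfilter project. It uses arpreply to let the bridge
       answer ARP requests for a single address on behalf of a host, scoped
       with the arp match options --arp-opcode and --arp-ip-dst so that the
       bridge does not become a general ARP spoofer. The port eth1, the
       address 192.0.2.1 and the reply MAC 02:00:00:00:00:01 are assumptions
       (in practice the bridge's own MAC). Rules are printed unless
       EBT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example; not part of the ebtables man page or the netfilter project.
# Let the bridge answer ARP requests for one address itself, using the
# arpreply target together with the arp match options --arp-opcode and
# --arp-ip-dst.  Assumed (hypothetical): untrusted port eth1, served address
# 192.0.2.1, reply MAC 02:00:00:00:00:01 (in practice the bridge's own MAC).
# Rules are printed, not applied, unless EBT_APPLY=1.

EBTABLES=${EBTABLES:-ebtables}

run() {
    if [ "${EBT_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Reply to ARP requests for $2 arriving on $1 with MAC $3.  The default
# --arpreply-target DROP also stops the request from being forwarded, so the
# real owner of the address never sees it.  That is the same mechanism an
# ARP spoofer uses, which is why the rule is scoped by input port, opcode
# Request and the requested IP rather than by -p ARP alone.
arp_responder() {
    run "$EBTABLES" -t nat -A PREROUTING -i "$1" -p ARP --arp-opcode Request --arp-ip-dst "$2" -j arpreply --arpreply-mac "$3" --arpreply-target DROP
}

# Same, but the request is still forwarded (ACCEPT): both the bridge and the
# real host answer and the requester receives two replies.  Use it only when
# duplicate replies are acceptable, e.g. the address has no other owner.
arp_responder_passthrough() {
    run "$EBTABLES" -t nat -A PREROUTING -i "$1" -p ARP --arp-opcode Request --arp-ip-dst "$2" -j arpreply --arpreply-mac "$3" --arpreply-target ACCEPT
}

arp_responder "${1:-eth1}" 192.0.2.1 02:00:00:00:00:01
```

       Verify the effect from a host behind eth1 with a single ARP lookup for
       192.0.2.1 and check that the answer carries the configured MAC; if a
       second reply with a different MAC shows up, the request was also
       forwarded, meaning the rule did not match (wrong table or chain).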
   dnat
       The dnat target can only be used in the PREROUTING and OUTPUT chains of
       the nat table. It specifies that the destination MAC address has to be
       changed.

       --to-destination address
              Change the destination MAC address to the specified address.
              The flag --to-dst is an alias for this option.

       --dnat-target target
              Specifies the standard target. After doing the dnat, the rule
              still has to give a standard target so ebtables knows what to do
              with the dnated frame. The default target is ACCEPT. Making it
              CONTINUE could let you use multiple target extensions on the
              same frame. Making it DROP only makes sense in the BROUTING
              chain, but using the redirect target is more logical there.
              RETURN is also allowed. Note that using RETURN in a base chain
              is not allowed, since there is no calling chain to return to.

   mark
       The mark target can be used in every chain of every table. It is
       possible to use the marking of a frame/packet in both ebtables and
       iptables, if the bridge-nf code (the br_netfilter module) is available
       in the kernel. Both put the marking in the same place (the packet's
       mark field), which allows a form of communication between ebtables
       and iptables.

       --mark-set value
              Mark the frame with the specified non-negative value.

       --mark-or value
              Or the frame's mark with the specified non-negative value.

       --mark-and value
              And the frame's mark with the specified non-negative value.

       --mark-xor value
              Xor the frame's mark with the specified non-negative value.

       --mark-target target
              Specifies the standard target. After marking the frame, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE lets you
              do other things with the frame in subsequent rules of the
              chain.

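       The following script is an added example and is not part of this man
       page or of the netfilter project. It shows the ebtables/iptables
       hand-off the paragraph above describes: ebtables sets one mark bit on
       every frame entering through an untrusted port, and iptables uses that
       bit to drop DHCP server replies (UDP source port 67, destination port
       68) from such frames, i.e. a rogue DHCP server behind that port. The
       port eth1 and the mark bit 0x10 are assumptions. The br_netfilter
       module must be loaded and net.bridge.bridge-nf-call-iptables set to 1,
       otherwise bridged frames never reach the iptables FORWARD chain.
       Commands are printed unless EBT_APPLY=1 is set.

```shell
#!/bin/sh
# Added example; not part of the ebtables man page or the netfilter project.
# Hand a layer-2 decision to iptables: ebtables marks every frame from an
# untrusted port, and iptables drops DHCP server replies (UDP source port 67)
# that carry the mark, i.e. a rogue DHCP server behind that port.  Assumed
# (hypothetical): untrusted port eth1 and mark bit 0x10.  Needs the
# br_netfilter (bridge-nf) module with net.bridge.bridge-nf-call-iptables=1,
# otherwise bridged frames never reach iptables.  Commands are printed, not
# applied, unless EBT_APPLY=1.

EBTABLES=${EBTABLES:-ebtables}
IPTABLES=${IPTABLES:-iptables}
UNTRUSTED_MARK=0x10

run() {
    if [ "${EBT_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

enable_bridge_nf() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# --mark-or sets only our bit and keeps whatever other tools stored in the
# mark; CONTINUE lets the remaining PREROUTING rules see the frame.
mark_untrusted_port() {
    run "$EBTABLES" -t nat -A PREROUTING -i "$1" -j mark --mark-or "$UNTRUSTED_MARK" --mark-target CONTINUE
}

# iptables reads the same skb mark.  Match with a mask so unrelated bits do
# not matter, then drop DHCP server replies coming from a marked frame.
block_rogue_dhcp() {
    run "$IPTABLES" -A FORWARD -m mark --mark "$UNTRUSTED_MARK/$UNTRUSTED_MARK" -p udp --sport 67 --dport 68 -j DROP
}

enable_bridge_nf
mark_untrusted_port "${1:-eth1}"
block_rogue_dhcp
```

       Using a single bit with a mask, rather than --mark-set with a whole
       value, keeps the scheme composable with other users of the mark
       (routing policy, QoS); pick a bit that nothing else on the host sets.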
   redirect
       The redirect target will change the destination MAC address to that of
       the bridge device the frame arrived on. This target can only be used in
       the PREROUTING chain of the nat table. The MAC address of the bridge is
       used as destination address.

       --redirect-target target
              Specifies the standard target. After doing the MAC redirect, the
              rule still has to give a standard target so ebtables knows what
              to do. The default target is ACCEPT. Making it CONTINUE could
              let you use multiple target extensions on the same frame. Making
              it DROP in the BROUTING chain will let the frames be routed.
              RETURN is also allowed. Note that using RETURN in a base chain is
              not allowed.

   snat
       The snat target can only be used in the POSTROUTING chain of the nat
       table. It specifies that the source MAC address has to be changed.

       --to-source address
              Changes the source MAC address to the specified address. The
              flag --to-src is an alias for this option.

       --snat-target target
              Specifies the standard target. After doing the snat, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE could let
              you use multiple target extensions on the same frame. Making it
              DROP doesn't make sense, but you could do that too. RETURN is
              also allowed. Note that using RETURN in a base chain is not
              allowed.

       --snat-arp
              Also change the hardware source address inside the ARP header if
              the packet is an ARP message and the hardware address length in
              the ARP header is 6 bytes.

FILES
       /etc/ethertypes

MAILINGLISTS
       See http://netfilter.org/mailinglists.html

BUGS
       The version of ebtables this man page ships with does not support the
       broute table. Also there is no support for string match. Further,
       support for atomic-options (--atomic-file, --atomic-init,
       --atomic-save, --atomic-commit) has not been implemented, although
       ebtables-save and ebtables-restore might replace them entirely given
       the inherent atomicity of nftables. Finally, this list is probably not
       complete.

SEE ALSO
       xtables-nft(8), iptables(8), ip(8)

       See https://wiki.nftables.org



                                 December 2011                     EBTABLES(8)