EBTABLES(8)                 System Manager's Manual                EBTABLES(8)

NAME

       ebtables (v2.0.8-1) - Ethernet bridge frame table administration

SYNOPSIS

       ebtables [-t table] -[ACDI] chain rule specification [match extensions]
       [watcher extensions] target
       ebtables [-t table] -P chain ACCEPT | DROP | RETURN
       ebtables [-t table] -F [chain]
       ebtables [-t table] -Z [chain]
       ebtables [-t table] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
       ebtables [-t table] -N chain [-P ACCEPT | DROP | RETURN]
       ebtables [-t table] -X [chain]
       ebtables [-t table] -E old-chain-name new-chain-name
       ebtables [-t table] --init-table
       ebtables [-t table] [--atomic-file file] --atomic-commit
       ebtables [-t table] [--atomic-file file] --atomic-init
       ebtables [-t table] [--atomic-file file] --atomic-save

DESCRIPTION

       ebtables is an application program used to set up and maintain the
       tables of rules (inside the Linux kernel) that inspect Ethernet frames.
       It is analogous to the iptables application, but less complicated, due
       to the fact that the Ethernet protocol is much simpler than the IP
       protocol.

   CHAINS
       There are three ebtables tables with built-in chains in the Linux
       kernel. These tables are used to divide functionality into different
       sets of rules. Each set of rules is called a chain. Each chain is an
       ordered list of rules that can match Ethernet frames. If a rule matches
       an Ethernet frame, then a processing specification tells what to do
       with that matching frame. The processing specification is called a
       'target'. However, if the frame does not match the current rule in the
       chain, then the next rule in the chain is examined and so forth. The
       user can create new (user-defined) chains that can be used as the
       'target' of a rule. User-defined chains are very useful to get better
       performance over the linear traversal of the rules and are also
       essential for structuring the filtering rules into well-organized and
       maintainable sets of rules.

   TARGETS
       A firewall rule specifies criteria for an Ethernet frame and a frame
       processing specification called a target. When a frame matches a rule,
       then the next action performed by the kernel is specified by the
       target. The target can be one of these values: ACCEPT, DROP, CONTINUE,
       RETURN, an 'extension' (see below) or a jump to a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. In the BROUTING chain however, the ACCEPT and DROP targets
       have different meanings (see the info provided for the -t option).
       CONTINUE means the next rule has to be checked. This can be handy,
       e.g., to know how many frames pass a certain point in the chain, to log
       those frames or to apply multiple targets on a frame. RETURN means stop
       traversing this chain and resume at the next rule in the previous
       (calling) chain. For the extension targets please refer to the TARGET
       EXTENSIONS section of this man page.

   TABLES
       As stated earlier, there are three ebtables tables in the Linux kernel.
       The table names are filter, nat and broute. Of these three tables, the
       filter table is the default table that the command operates on. If you
       are working with the filter table, then you can drop the '-t filter'
       argument to the ebtables command. However, you will need to provide
       the -t argument for the other two tables. Moreover, the -t argument
       must be the first argument on the ebtables command line, if used.

       -t, --table
              filter is the default table and contains three built-in chains:
              INPUT (for frames destined for the bridge itself, on the level
              of the MAC destination address), OUTPUT (for locally-generated
              or (b)routed frames) and FORWARD (for frames being forwarded by
              the bridge).
              nat is mostly used to change the MAC addresses and contains
              three built-in chains: PREROUTING (for altering frames as soon
              as they come in), OUTPUT (for altering locally generated or
              (b)routed frames before they are bridged) and POSTROUTING (for
              altering frames as they are about to go out). A small note on
              the naming of chains PREROUTING and POSTROUTING: it would be
              more accurate to call them PREFORWARDING and POSTFORWARDING, but
              for all those who come from the iptables world to ebtables it is
              easier to have the same names. Note that you can change the name
              (-E) if you don't like the default.
              broute is used to make a brouter; it has one built-in chain:
              BROUTING. The targets DROP and ACCEPT have a special meaning in
              the broute table (these names are used instead of more
              descriptive names to keep the implementation generic). DROP
              actually means the frame has to be routed, while ACCEPT means
              the frame has to be bridged. The BROUTING chain is traversed
              very early. However, it is only traversed by frames entering on
              a bridge port that is in forwarding state. Normally those frames
              would be bridged, but you can decide otherwise here. The
              redirect target is very handy here.

EBTABLES COMMAND LINE ARGUMENTS

       After the initial ebtables '-t table' command line argument, the
       remaining arguments can be divided into several groups. These groups
       are commands, miscellaneous commands, rule specifications, match
       extensions, watcher extensions and target extensions.

   COMMANDS
       The ebtables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. Only
       one command may be used on the command line at a time, except when the
       commands -L and -Z are combined, the commands -N and -P are combined,
       or when --atomic-file is used.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule or rules from the selected chain.
              There are two ways to use this command. The first is by
              specifying an interval of rule numbers to delete (directly after
              -D). Syntax: start_nr[:end_nr] (use -L --Ln to list the rules
              with their rule number). When end_nr is omitted, all rules
              starting from start_nr are deleted. Using negative numbers is
              allowed; for more details about using negative numbers, see the
              -I command. The second usage is by specifying the complete rule
              as it would have been specified when it was added. Only the
              first encountered rule that is the same as this specified rule,
              in other words the matching rule with the lowest (positive) rule
              number, is deleted.

       -C, --change-counters
              Change the counters of the specified rule or rules from the
              selected chain. There are two ways to use this command. The
              first is by specifying an interval of rule numbers to do the
              changes on (directly after -C). Syntax: start_nr[:end_nr] (use
              -L --Ln to list the rules with their rule number). The details
              are the same as for the -D command. The second usage is by
              specifying the complete rule as it would have been specified
              when it was added. Only the counters of the first encountered
              rule that is the same as this specified rule, in other words the
              matching rule with the lowest (positive) rule number, are
              changed. In the first usage, the counters are specified directly
              after the interval specification, in the second usage directly
              after -C. First the packet counter is specified, then the byte
              counter. If the specified counters start with a '+', the counter
              values are added to the respective current counter values. If
              the specified counters start with a '-', the counter values are
              subtracted from the respective current counter values. No bounds
              checking is done. If the counters don't start with '+' or '-',
              the current counters are replaced by the specified counters.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the rule number is not specified, the
              rule is added at the head of the chain. If the current number of
              rules equals N, then the specified number can be between -N and
              N+1. For a positive number i, it holds that i and i-N-1 specify
              the same place in the chain where the rule should be inserted.
              The rule number 0 specifies the place past the last rule in the
              chain and using this number is therefore equivalent to using the
              -A command. Rule numbers strictly smaller than 0 can be useful
              when more than one rule needs to be inserted in a chain.

       -P, --policy
              Set the policy for the chain to the given target. The policy can
              be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing a chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule counters
              are printed on the screen before they are set to zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.
              The following options change the output of the -L command.

              --Ln
                     Places the rule number in front of every rule. This
                     option is incompatible with the --Lx option.

              --Lc
                     Shows the counters at the end of each rule displayed by
                     the -L command. Both a frame counter (pcnt) and a byte
                     counter (bcnt) are displayed. The frame counter shows how
                     many frames have matched the specific rule, the byte
                     counter shows the sum of the frame sizes of these
                     matching frames. Using this option in combination with
                     the --Lx option causes the counters to be written out in
                     the '-c <pcnt> <bcnt>' option format.

              --Lx
                     Changes the output so that it produces a set of ebtables
                     commands that construct the contents of the chain, when
                     specified. If no chain is specified, ebtables commands to
                     construct the contents of the table are given, including
                     commands for creating the user-defined chains (if any).
                     You can use this set of commands in an ebtables boot or
                     reload script. For example the output could be used at
                     system startup. The --Lx option is incompatible with the
                     --Ln listing option. Using the --Lx option together with
                     the --Lc option will cause the counters to be written out
                     in the '-c <pcnt> <bcnt>' option format.

              --Lmac2
                     Shows all MAC addresses with the same length, adding
                     leading zeroes if necessary. The default representation
                     omits leading zeroes in the addresses.

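       As an added example (not part of this man page), the script below
       consumes the '-c <pcnt> <bcnt>' form that -L --Lx --Lc produces: two
       snapshots of a FORWARD chain are compared and each rule's counter
       growth is reported, which makes a DROP rule that has started matching
       visible between two runs. The snapshot text, the rule set and the
       function names are constructed for the example.

```bash
#!/usr/bin/env bash
# Compare two "ebtables -t filter -L FORWARD --Lx --Lc" snapshots and report
# how many frames and bytes each rule matched in between.
set -eu

# Constructed snapshots (not real captures). With --Lx --Lc every rule is
# printed as a reloadable command carrying its counters as "-c <pcnt> <bcnt>".
SNAP_BEFORE='ebtables -t filter -P FORWARD DROP
ebtables -t filter -A FORWARD -p ARP -c 120 7200 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -c 9800 1470000 -j ACCEPT
ebtables -t filter -A FORWARD -d BGA -c 4 256 -j DROP'

SNAP_AFTER='ebtables -t filter -P FORWARD DROP
ebtables -t filter -A FORWARD -p ARP -c 130 7800 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -c 10250 1540000 -j ACCEPT
ebtables -t filter -A FORWARD -d BGA -c 61 4032 -j DROP'

# Turn each rule line on stdin into "<rule without counters>\t<pcnt>\t<bcnt>".
# The "-c" triple is located by pattern, so its position in the line does not
# matter; lines without counters (such as the -P policy line) are skipped.
split_counters() {
  awk '{
    for (i = 1; i + 2 <= NF; i++) {
      if ($i == "-c" && $(i+1) ~ /^[0-9]+$/ && $(i+2) ~ /^[0-9]+$/) {
        rule = ""
        for (j = 1; j <= NF; j++)
          if (j < i || j > i + 2) rule = rule (rule == "" ? "" : " ") $j
        printf "%s\t%s\t%s\n", rule, $(i+1), $(i+2)
        next
      }
    }
  }'
}

# Print "<rule>\t<frames matched>\t<bytes matched>" for every rule present in
# both snapshots. Rules are keyed by their counter-free text, so the result
# does not depend on rule order and ignores rules added or removed in between.
counter_deltas() {
  { printf '%s\n' "$1" | split_counters | awk '{ print "B\t" $0 }'
    printf '%s\n' "$2" | split_counters | awk '{ print "A\t" $0 }'; } |
  awk -F'\t' '
    $1 == "B" { pcnt[$2] = $3; bcnt[$2] = $4 }
    $1 == "A" && ($2 in pcnt) {
      printf "%s\t%d\t%d\n", $2, $3 - pcnt[$2], $4 - bcnt[$2]
    }'
}

# Defender's check: DROP rules whose frame counter moved since the previous
# snapshot, i.e. traffic the bridge is now actively discarding.
new_drops() {
  counter_deltas "$1" "$2" | awk -F'\t' '$1 ~ / -j DROP$/ && $2 > 0'
}

new_drops "$SNAP_BEFORE" "$SNAP_AFTER"
```

       Run as-is it prints the BGA DROP rule with 57 frames and 3776 bytes
       matched between the two constructed snapshots.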
       -N, --new-chain
              Create a new user-defined chain with the given name. The number
              of user-defined chains is limited only by the number of possible
              chain names. A user-defined chain name has a maximum length of
              31 characters. The standard policy of the user-defined chain is
              ACCEPT. The policy of the new chain can be initialized to a
              different standard target by using the -P command together with
              the -N command. In this case, the chain name does not have to be
              specified for the -P command.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references (jumps) to the specified chain, otherwise
              ebtables will refuse to delete it. If no chain is specified, all
              user-defined chains that aren't referenced will be removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you can rename a standard chain to a name
              that suits your taste. For example, if you like PREFORWARDING
              more than PREROUTING, then you can use the -E command to rename
              the PREROUTING chain. If you do rename one of the standard
              ebtables chain names, please be sure to mention this fact should
              you post a question on the ebtables mailing lists. It would be
              wise to use the standard name in your post. Renaming a standard
              ebtables chain in this fashion has no effect on the structure or
              functioning of the ebtables kernel table.

       --init-table
              Replace the current table data by the initial table data.

       --atomic-init
              Copy the kernel's initial data of the table to the specified
              file. This can be used as the first action, after which rules
              are added to the file. The file can be specified using the
              --atomic-file command or through the EBTABLES_ATOMIC_FILE
              environment variable.

       --atomic-save
              Copy the kernel's current data of the table to the specified
              file. This can be used as the first action, after which rules
              are added to the file. The file can be specified using the
              --atomic-file command or through the EBTABLES_ATOMIC_FILE
              environment variable.

       --atomic-commit
              Replace the kernel table data with the data contained in the
              specified file. This is a useful command that allows you to load
              all your rules of a certain table into the kernel at once,
              saving the kernel a lot of precious time and allowing atomic
              updates of the tables. The file which contains the table data is
              constructed by using either the --atomic-init or the
              --atomic-save command to generate a starting file. After that,
              using the --atomic-file command when constructing rules or
              setting the EBTABLES_ATOMIC_FILE environment variable allows you
              to extend the file and build the complete table before
              committing it to the kernel. This command can be very useful in
              boot scripts to populate the ebtables tables in a fast way.

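       The atomic workflow just described, as an added example that is not
       part of this man page: a script builds a complete filter table in a
       scratch file (--atomic-init, then ordinary commands with
       EBTABLES_ATOMIC_FILE set) and loads it with a single --atomic-commit,
       so there is no moment at which the kernel holds a half-built rule set.
       The rule set is constructed for the example, and EBTABLES is an
       assumed variable that lets the sequence be dry-run against a stand-in
       command.

```bash
#!/usr/bin/env bash
# Build a complete filter table in a scratch file and load it into the kernel
# with one --atomic-commit. Until that last step nothing touches the kernel.
set -eu

# The ebtables binary to call; overridable so the sequence can be dry-run
# against a shell function or logging wrapper (assumed variable, not part of
# ebtables itself).
EBTABLES=${EBTABLES:-ebtables}

# Issue the commands that make up the table. Every invocation operates on the
# file named by EBTABLES_ATOMIC_FILE (the man page's preferred alternative to
# repeating --atomic-file), except the final commit, which swaps the kernel
# table for the file's contents in one step.
build_filter_table() {
  # Start from the kernel's pristine filter table: built-in chains, no rules.
  "$EBTABLES" -t filter --atomic-init
  # Default deny for bridged traffic; INPUT and OUTPUT keep their defaults.
  "$EBTABLES" -t filter -P FORWARD DROP
  # Let ARP and IPv4 through; any other ethertype falls to the DROP policy.
  "$EBTABLES" -t filter -A FORWARD -p ARP -j ACCEPT
  "$EBTABLES" -t filter -A FORWARD -p IPv4 -j ACCEPT
  # Log a rate-limited sample of what is about to hit the policy. CONTINUE
  # lets the frame fall through to the policy after the log watcher has run.
  "$EBTABLES" -t filter -A FORWARD --limit 3/minute --limit-burst 5 \
      --log-level info --log-prefix 'ebt-fwd-drop: ' -j CONTINUE
  # Replace the live table with the file's contents in one operation.
  "$EBTABLES" -t filter --atomic-commit
}

# Create the scratch file, export its name for every ebtables call, build the
# table and commit it; the file is removed whether or not the commit succeeds.
load_filter_table() {
  scratch=$(mktemp)
  trap 'rm -f "$scratch"' EXIT
  export EBTABLES_ATOMIC_FILE=$scratch
  build_filter_table
}

# Sourcing this file only defines the functions; run it with --apply to load.
if [ "${1:-}" = "--apply" ]; then
  load_filter_table
fi
```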
   MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the ebtables userspace program.

       -h, --help [list of module names]
              Give a brief description of the command syntax. Here you can
              also specify names of extensions and ebtables will try to write
              help about those extensions. E.g. ebtables -h snat log ip arp.
              Specify list_extensions to list all extensions supported by the
              userspace utility.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
              EXTENSIONS) or a user-defined chain name.

       --atomic-file file
              Let the command operate on the specified file. The data of the
              table to operate on will be extracted from the file and the
              result of the operation will be saved back into the file. If
              specified, this option should come before the command
              specification. The preferred alternative is to set the
              EBTABLES_ATOMIC_FILE environment variable.

       -M, --modprobe program
              When talking to the kernel, use this program to try to
              automatically load missing kernel modules.

   RULE SPECIFICATIONS
       The following command line arguments make up a rule specification (as
       used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from these
       standard rule specifications there are some other command line
       arguments of interest. See both the MATCH EXTENSIONS and the WATCHER
       EXTENSIONS below.

       -p, --protocol [!] protocol
              The protocol that was responsible for creating the frame. This
              can be a hexadecimal number, above 0x0600, a name (e.g. ARP) or
              LENGTH. The protocol field of the Ethernet frame can be used to
              denote the length of the header (802.2/802.3 networks). When the
              value of that field is at or below 0x0600, the value equals the
              size of the header and shouldn't be used as a protocol number.
              Instead, all frames where the protocol field is used as the
              length field are assumed to be of the same 'protocol'. The
              protocol name used in ebtables for these frames is LENGTH.
              The file /etc/ethertypes can be used to show readable names
              instead of hexadecimal numbers for the protocols. For example,
              0x0800 will be represented by IPV4. The use of this file is not
              case sensitive. See that file for more information. The flag
              --proto is an alias for this option.

       -i, --in-interface [!] name
              The interface (bridge port) via which a frame is received (this
              option is useful in the INPUT, FORWARD, PREROUTING and BROUTING
              chains). If the interface name ends with '+', then any interface
              name that begins with this name (disregarding '+') will match.
              The flag --in-if is an alias for this option.

       --logical-in [!] name
              The (logical) bridge interface via which a frame is received
              (this option is useful in the INPUT, FORWARD, PREROUTING and
              BROUTING chains). If the interface name ends with '+', then any
              interface name that begins with this name (disregarding '+')
              will match.

       -o, --out-interface [!] name
              The interface (bridge port) via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding '+')
              will match. The flag --out-if is an alias for this option.

       --logical-out [!] name
              The (logical) bridge interface via which a frame is going to be
              sent (this option is useful in the OUTPUT, FORWARD and
              POSTROUTING chains). If the interface name ends with '+', then
              any interface name that begins with this name (disregarding '+')
              will match.

       -s, --source [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons. Alternatively one can
              specify Unicast, Multicast, Broadcast or BGA (Bridge Group
              Address):
                     Unicast=00:00:00:00:00:00/01:00:00:00:00:00
                     Multicast=01:00:00:00:00:00/01:00:00:00:00:00
                     Broadcast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff
                     BGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff
              Note that a broadcast address will also match the multicast
              specification. The flag --src is an alias for this option.

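       How an address[/mask] specification is evaluated, as an added example
       that is not part of this man page: the script resolves the four
       symbolic names above to the address/mask pairs given, applies the mask
       to both the frame's MAC address and the rule's address and compares the
       results, which also shows why a broadcast frame matches the Multicast
       specification (its first octet has the 01 group bit set). The function
       names and the MAC addresses tested are constructed for the example.

```bash
#!/usr/bin/env bash
# Evaluate an ebtables -s/-d style "[!] address[/mask]" specification against
# a frame's MAC address, following the matching rule given in the man page.
set -eu

# Resolve the symbolic names to the address/mask pairs the man page lists;
# anything else is taken to be an explicit address[/mask] already.
spec_for_name() {
  case $1 in
    Unicast)   echo 00:00:00:00:00:00/01:00:00:00:00:00 ;;
    Multicast) echo 01:00:00:00:00:00/01:00:00:00:00:00 ;;
    Broadcast) echo ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff ;;
    BGA)       echo 01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff ;;
    *)         echo "$1" ;;
  esac
}

# Convert aa:bb:cc:dd:ee:ff to a 48-bit integer. Leading zeroes are optional,
# matching ebtables' default (non --Lmac2) representation, so 0:1:2:3:4:5 is
# accepted; anything that is not six hex octets is rejected.
mac_to_int() {
  old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
  [ $# -eq 6 ] || { echo "bad MAC address: expected six octets" >&2; return 1; }
  value=0
  for octet in "$@"; do
    case $octet in
      [0-9a-fA-F] | [0-9a-fA-F][0-9a-fA-F]) ;;
      *) echo "bad MAC address: octet '$octet'" >&2; return 1 ;;
    esac
    value=$(( (value << 8) | 0x$octet ))
  done
  echo "$value"
}

# mac_matches <frame-mac> [!] <spec>
# Succeeds when (frame & mask) == (address & mask); a spec without a mask is
# an exact match. A leading "!" inverts the result, as on the command line.
mac_matches() {
  frame=$(mac_to_int "$1"); shift
  invert=0
  if [ "x$1" = "x!" ]; then invert=1; shift; fi
  spec=$(spec_for_name "$1")
  case $spec in
    */*) addr=$(mac_to_int "${spec%/*}"); mask=$(mac_to_int "${spec#*/}") ;;
    *)   addr=$(mac_to_int "$spec");      mask=$(( (1 << 48) - 1 )) ;;
  esac
  if [ $(( frame & mask )) -eq $(( addr & mask )) ]; then hit=1; else hit=0; fi
  [ $(( hit ^ invert )) -eq 1 ]
}

# Worked check of the man page's caveat: the broadcast address satisfies both
# the Broadcast and the Multicast specification (constructed input).
for spec in Unicast Multicast Broadcast BGA; do
  if mac_matches ff:ff:ff:ff:ff:ff "$spec"; then r=match; else r=no-match; fi
  printf 'ff:ff:ff:ff:ff:ff vs %-9s %s\n' "$spec" "$r"
done
```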
       -d, --destination [!] address[/mask]
              The destination MAC address. See -s (above) for more details on
              MAC addresses. The flag --dst is an alias for this option.

       -c, --set-counter pcnt bcnt
              If used with -A or -I, then the packet and byte counters of the
              new rule will be set to pcnt and bcnt respectively. If used with
              the -C or -D commands, only rules with a packet and byte count
              equal to pcnt and bcnt respectively will match.

   MATCH EXTENSIONS
       Ebtables extensions are dynamically loaded into the userspace tool;
       there is therefore no need to explicitly load them with a -m option as
       is done in iptables. These extensions deal with functionality supported
       by kernel modules supplemental to the core ebtables code.

   802_3
       Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be
       specified as LENGTH (see the option -p above).

       --802_3-sap [!] sap
              DSAP and SSAP are two one-byte 802.3 fields. The bytes are
              always equal, so only one byte (hexadecimal) is needed as an
              argument.

       --802_3-type [!] type
              If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type
              field must be consulted to determine the payload protocol. This
              is a two-byte (hexadecimal) argument. Only 802.3 frames with
              DSAP/SSAP 0xaa are checked for type.

   among
       Match a MAC address or MAC/IP address pair versus a list of MAC
       addresses and MAC/IP address pairs. A list entry has the following
       format: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are
       separated by a comma; specifying an IP address corresponding to the MAC
       address is optional. Multiple MAC/IP address pairs with the same MAC
       address but different IP address (and vice versa) can be specified. If
       the MAC address doesn't match any entry from the list, the frame
       doesn't match the rule (unless "!" was used).

       --among-dst [!] list
              Compare the MAC destination to the given list. If the Ethernet
              frame has type IPv4 or ARP, then comparison with MAC/IP
              destination address pairs from the list is possible.

       --among-src [!] list
              Compare the MAC source to the given list. If the Ethernet frame
              has type IPv4 or ARP, then comparison with MAC/IP source address
              pairs from the list is possible.

       --among-dst-file [!] file
              Same as --among-dst but the list is read in from the specified
              file.

       --among-src-file [!] file
              Same as --among-src but the list is read in from the specified
              file.

   arp
       Specify (R)ARP fields. The protocol must be specified as ARP or RARP.

       --arp-opcode [!] opcode
              The (R)ARP opcode (decimal or a string, for more details see
              ebtables -h arp).

       --arp-htype [!] hardware type
              The hardware type, this can be a decimal or the string Ethernet
              (which sets type to 1). Most (R)ARP packets have Ethernet as
              hardware type.

       --arp-ptype [!] protocol type
              The protocol type for which the (R)ARP is used (hexadecimal or
              the string IPv4, denoting 0x0800). Most (R)ARP packets have
              protocol type IPv4.

       --arp-ip-src [!] address[/mask]
              The (R)ARP IP source address specification.

       --arp-ip-dst [!] address[/mask]
              The (R)ARP IP destination address specification.

       --arp-mac-src [!] address[/mask]
              The (R)ARP MAC source address specification.

       --arp-mac-dst [!] address[/mask]
              The (R)ARP MAC destination address specification.

       [!] --arp-gratuitous
              Checks for gratuitous ARP packets: checks equality of the IPv4
              source address and IPv4 destination address inside the ARP
              header.

   ip
       Specify IPv4 fields. The protocol must be specified as IPv4.

       --ip-source [!] address[/mask]
              The source IP address. The flag --ip-src is an alias for this
              option.

       --ip-destination [!] address[/mask]
              The destination IP address. The flag --ip-dst is an alias for
              this option.

       --ip-tos [!] tos
              The IPv4 type of service, as a hexadecimal number.

       --ip-protocol [!] protocol
              The IP protocol. The flag --ip-proto is an alias for this
              option.

       --ip-source-port [!] port1[:port2]
              The source port or port range for the IP protocols 6 (TCP), 17
              (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be
              specified as TCP, UDP, DCCP or SCTP. If port1 is omitted,
              0:port2 is used; if port2 is omitted but a colon is specified,
              port1:65535 is used. The flag --ip-sport is an alias for this
              option.

       --ip-destination-port [!] port1[:port2]
              The destination port or port range for the IP protocols 6
              (TCP), 17 (UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol
              option must be specified as TCP, UDP, DCCP or SCTP. If port1 is
              omitted, 0:port2 is used; if port2 is omitted but a colon is
              specified, port1:65535 is used. The flag --ip-dport is an alias
              for this option.

   limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached. It
       can be used with the --log watcher to give limited logging, for
       example. Its use is the same as the limit match of iptables.

       --limit [value]
              Maximum average matching rate: specified as a number, with an
              optional /second, /minute, /hour, or /day suffix; the default is
              3/hour.

       --limit-burst [number]
              Maximum initial number of packets to match: this number gets
              recharged by one every time the limit specified above is not
              reached, up to this number; the default is 5.

   mark_m
       --mark [!] [value][/mask]
              Matches frames with the given unsigned mark value. If a value
              and mask are specified, the logical AND of the mark value of the
              frame and the user-specified mask is taken before comparing it
              with the user-specified mark value. When only a mark value is
              specified, the packet only matches when the mark value of the
              frame equals the user-specified mark value. If only a mask is
              specified, the logical AND of the mark value of the frame and
              the user-specified mask is taken and the frame matches when the
              result of this logical AND is non-zero. Only specifying a mask
              is useful to match multiple mark values.

   pkttype
       --pkttype-type [!] type
              Matches on the Ethernet "class" of the frame, which is
              determined by the generic networking code. Possible values:
              broadcast (MAC destination is the broadcast address), multicast
              (MAC destination is a multicast address), host (MAC destination
              is the receiving network device), or otherhost (none of the
              above).

   stp
       Specify stp BPDU (bridge protocol data unit) fields. The destination
       address (-d) must be specified as the bridge group address (BGA). For
       all options for which a range of values can be specified, it holds that
       if the lower bound is omitted (but the colon is not), then the lowest
       possible lower bound for that option is used, while if the upper bound
       is omitted (but the colon again is not), the highest possible upper
       bound for that option is used.

       --stp-type [!] type
              The BPDU type (0-255). Recognized non-numerical types are config,
              denoting a configuration BPDU (=0), and tcn, denoting a topology
              change notification BPDU (=128).

       --stp-flags [!] flag
              The BPDU flag (0-255). Recognized non-numerical flags are
              topology-change, denoting the topology change flag (=1), and
              topology-change-ack, denoting the topology change acknowledgement
              flag (=128).

       --stp-root-prio [!] [prio][:prio]
              The root priority (0-65535) range.

       --stp-root-addr [!] [address][/mask]
              The root MAC address, see the option -s for more details.

       --stp-root-cost [!] [cost][:cost]
              The root path cost (0-4294967295) range.

       --stp-sender-prio [!] [prio][:prio]
              The BPDU's sender priority (0-65535) range.

       --stp-sender-addr [!] [address][/mask]
              The BPDU's sender MAC address, see the option -s for more
              details.

       --stp-port [!] [port][:port]
              The port identifier (0-65535) range.

       --stp-msg-age [!] [age][:age]
              The message age timer (0-65535) range.

       --stp-max-age [!] [age][:age]
              The max age timer (0-65535) range.

       --stp-hello-time [!] [time][:time]
              The hello time timer (0-65535) range.

       --stp-forward-delay [!] [delay][:delay]
              The forward delay timer (0-65535) range.

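       The following is an added example, not ebtables code: it decodes
       constructed 802.1D BPDU frames and evaluates --stp-* style matches with
       the bound-omission rules described above, so that a rule such as
       "--stp-type config --stp-root-prio :4095" can be checked against a
       sample frame. The frame layout (802.3 length, LLC 0x42/0x42/0x03, BPDU)
       comes from the IEEE standard, not from this page; MAC addresses,
       priorities and the "designated root" scenario are constructed. The
       page does not say how the kernel treats config-only options on a TCN
       BPDU; this example treats them as not applicable there.

```python
"""Evaluate ebtables-style --stp-* matches against constructed 802.1D BPDU frames.

Added example, not ebtables code. Frame layout (Ethernet/LLC/802.1D) is from the
IEEE standard; MAC addresses and priorities below are constructed samples."""
import struct

BGA = bytes.fromhex("0180c2000000")   # bridge group address, the required -d for stp rules
LLC_STP = b"\x42\x42\x03"             # DSAP/SSAP 0x42, UI control field
STP_TYPES = {"config": 0, "tcn": 128}
STP_FLAGS = {"topology-change": 1, "topology-change-ack": 128}
RANGE_MAX = {"root-prio": 65535, "root-cost": 4294967295, "sender-prio": 65535,
             "port": 65535, "msg-age": 65535, "max-age": 65535,
             "hello-time": 65535, "forward-delay": 65535}


def parse_range(text, maximum):
    """'[lo][:hi]' -> inclusive (lo, hi). A single value means lo == hi; an
    omitted lower bound becomes 0 and an omitted upper bound the option's maximum."""
    if ":" not in text:
        value = int(text)
        return value, value
    lo, hi = text.split(":", 1)
    return (int(lo) if lo else 0), (int(hi) if hi else maximum)


def parse_mac(text):
    """'address[/mask]' in the -s syntax -> (address bytes, mask bytes)."""
    addr, _, mask = text.partition("/")
    mask = mask or "ff:ff:ff:ff:ff:ff"
    return bytes.fromhex(addr.replace(":", "")), bytes.fromhex(mask.replace(":", ""))


def parse_bpdu(frame):
    """Decode an STP BPDU; returns None for anything that is not one.
    Offsets: 12-13 802.3 length, 14-16 LLC, 17-18 protocol id 0, 19 version, 20 type."""
    if len(frame) < 21 or frame[14:17] != LLC_STP or frame[17:19] != b"\x00\x00":
        return None
    fields = {"dst": frame[:6], "type": frame[20]}
    if fields["type"] == STP_TYPES["config"] and len(frame) >= 52:
        (fields["flags"], fields["root-prio"], fields["root-addr"], fields["root-cost"],
         fields["sender-prio"], fields["sender-addr"], fields["port"], fields["msg-age"],
         fields["max-age"], fields["hello-time"], fields["forward-delay"]
         ) = struct.unpack("!BH6sIH6sHHHHH", frame[21:52])
    return fields


def stp_match(frame, rule):
    """rule maps an option name without the --stp- prefix to its '[!]value' text,
    e.g. {"type": "config", "root-prio": ":4095"}. True if every option matches."""
    bpdu = parse_bpdu(frame)
    if bpdu is None or bpdu["dst"] != BGA:
        return False
    for opt, spec in rule.items():
        negate = spec.startswith("!")
        spec = spec.lstrip("! ")
        if opt not in bpdu:
            continue   # config-only field on a TCN BPDU: treated as not applicable here
        if opt == "type":
            hit = bpdu["type"] == (STP_TYPES[spec] if spec in STP_TYPES else int(spec, 0))
        elif opt == "flags":
            hit = bpdu["flags"] == (STP_FLAGS[spec] if spec in STP_FLAGS else int(spec, 0))
        elif opt in ("root-addr", "sender-addr"):
            addr, mask = parse_mac(spec)
            hit = all((a ^ b) & m == 0 for a, b, m in zip(bpdu[opt], addr, mask))
        else:
            lo, hi = parse_range(spec, RANGE_MAX[opt])
            hit = lo <= bpdu[opt] <= hi
        if hit == negate:
            return False
    return True


def build_config_bpdu(root_prio, root_mac, root_cost, sender_prio, sender_mac, port=0x8001):
    """Constructed configuration BPDU; timers are the raw 1/256 s wire units."""
    body = b"\x00\x00\x00\x00" + struct.pack(
        "!BH6sIH6sHHHHH", 0, root_prio, root_mac, root_cost, sender_prio, sender_mac,
        port, 0, 20 * 256, 2 * 256, 15 * 256)
    return BGA + sender_mac + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body


TRUSTED_ROOT = bytes.fromhex("001122334455")   # constructed: the designated root bridge
ROGUE = bytes.fromhex("00deadbeef01")          # constructed: an unexpected bridge
TRUSTED_BPDU = build_config_bpdu(4096, TRUSTED_ROOT, 0, 4096, TRUSTED_ROOT)
ROGUE_BPDU = build_config_bpdu(0, ROGUE, 0, 0, ROGUE)   # claims a better (lower) root priority
TCN_BPDU = BGA + ROGUE + struct.pack("!H", 7) + LLC_STP + b"\x00\x00\x00\x80"

if __name__ == "__main__":
    # Two defender checks: BPDUs claiming a root priority below the designated 4096,
    # and BPDUs whose root is not the designated bridge.
    better_root = {"type": "config", "root-prio": ":4095"}
    foreign_root = {"type": "config", "root-addr": "!00:11:22:33:44:55"}
    for name, frame in ("trusted", TRUSTED_BPDU), ("rogue", ROGUE_BPDU):
        print(name, stp_match(frame, better_root), stp_match(frame, foreign_root))
```

       The range values compared here are the raw 16- and 32-bit fields as
       carried in the BPDU, which is also what the 0-65535 and 0-4294967295
       ranges above refer to; the timer fields are therefore in 1/256 s units,
       not seconds.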
   vlan
       Specify 802.1Q Tag Control Information fields. The protocol must be
       specified as 802_1Q (0x8100).

       --vlan-id [!] id
              The VLAN identifier field (VID). Decimal number from 0 to 4095.

       --vlan-prio [!] prio
              The user priority field, a decimal number from 0 to 7. The VID
              should be set to 0 ("null VID") or unspecified (in the latter
              case the VID is deliberately set to 0).

       --vlan-encap [!] type
              The encapsulated Ethernet frame type/length. Specified as a
              hexadecimal number from 0x0000 to 0xFFFF or as a symbolic name
              from /etc/ethertypes.


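       An added example, not ebtables code, showing how the three vlan fields
       sit in a tagged frame and how --vlan-id, --vlan-prio and --vlan-encap
       style matches (including the "!" negation) evaluate against constructed
       frames. The ETHERTYPES table is a constructed subset standing in for
       /etc/ethertypes, the MAC addresses are constructed, and the
       double-tagged frame is included to show that --vlan-encap can select
       frames whose encapsulated type is itself 802_1Q.

```python
"""Decode the 802.1Q tag of constructed frames and evaluate ebtables-style
--vlan-id / --vlan-prio / --vlan-encap matches. Added example, not ebtables code."""
import struct

ETH_P_8021Q = 0x8100
# Constructed subset of /etc/ethertypes; the real file is not consulted here.
ETHERTYPES = {"IPv4": 0x0800, "ARP": 0x0806, "802_1Q": 0x8100, "IPv6": 0x86DD}
FIELD_MAX = {"id": 4095, "prio": 7, "encap": 0xFFFF}


def parse_vlan(frame):
    """Return {'id', 'prio', 'encap'} for an 802.1Q-tagged frame, else None.
    TCI bit layout: 3 bits PCP (user priority), 1 bit DEI, 12 bits VID."""
    if len(frame) < 18:
        return None
    proto, tci, encap = struct.unpack("!HHH", frame[12:18])
    if proto != ETH_P_8021Q:
        return None          # an untagged frame never satisfies -p 802_1Q
    return {"id": tci & 0x0FFF, "prio": tci >> 13, "encap": encap}


def parse_value(opt, text):
    """--vlan-encap takes hex or a symbolic ethertype; id and prio are decimal."""
    if opt == "encap":
        value = ETHERTYPES[text] if text in ETHERTYPES else int(text, 16)
    else:
        value = int(text)
    if not 0 <= value <= FIELD_MAX[opt]:
        raise ValueError("--vlan-%s out of range: %s" % (opt, text))
    return value


def vlan_match(frame, rule):
    """rule maps 'id'/'prio'/'encap' to '[!]value' text; all options must match."""
    tag = parse_vlan(frame)
    if tag is None:
        return False
    for opt, spec in rule.items():
        negate = spec.startswith("!")
        want = parse_value(opt, spec.lstrip("! "))
        if (tag[opt] == want) == negate:
            return False
    return True


def build_tagged(src, vid, prio, encap, payload=b"\x00" * 46, dei=0):
    """Constructed 802.1Q frame to the broadcast destination."""
    tci = (prio << 13) | (dei << 12) | vid
    return b"\xff" * 6 + src + struct.pack("!HHH", ETH_P_8021Q, tci, encap) + payload


SRC = bytes.fromhex("020000000001")                         # constructed source MAC
USER_FRAME = build_tagged(SRC, 10, 0, ETHERTYPES["IPv4"])   # VLAN 10, best-effort IPv4
VOICE_FRAME = build_tagged(SRC, 20, 5, ETHERTYPES["IPv4"])  # VLAN 20, priority 5
# Double-tagged (QinQ) frame: the encapsulated type is itself 802.1Q.
QINQ_FRAME = build_tagged(SRC, 1, 0, ETH_P_8021Q, build_tagged(SRC, 200, 0, 0x0800)[12:])
UNTAGGED = b"\xff" * 6 + SRC + b"\x08\x00" + b"\x00" * 46

if __name__ == "__main__":
    rules = {"vlan 10": {"id": "10"}, "prioritised": {"prio": "!0"},
             "stacked tag": {"encap": "802_1Q"}}
    for fname, frame in ("user", USER_FRAME), ("voice", VOICE_FRAME), ("qinq", QINQ_FRAME):
        print(fname, {rname: vlan_match(frame, rule) for rname, rule in rules.items()})
```

       Only the outermost tag is decoded, which mirrors what the vlan match
       describes: an inner tag is just the encapsulated payload, visible only
       through --vlan-encap 802_1Q.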
   WATCHER EXTENSIONS
       Watchers only look at frames passing by; they don't modify them nor
       decide whether to accept the frames or not. These watchers only see the
       frame if the frame matches the rule, and they see it before the target
       is executed.

   log
       The log watcher writes descriptive data about a frame to the syslog.

       --log
              Log with the default logging options: log-level=info,
              log-prefix="", no ip logging, no arp logging.

       --log-level level
              Defines the logging level. For the possible values, see ebtables
              -h log. The default level is info.

       --log-prefix text
              Defines the prefix text to be printed at the beginning of the
              line with the logging information.

       --log-ip
              Will log the ip information when a frame made by the ip protocol
              matches the rule. The default is no ip information logging.

       --log-arp
              Will log the (r)arp information when a frame made by the (r)arp
              protocols matches the rule. The default is no (r)arp information
              logging.

   ulog
       The ulog watcher passes the packet to a userspace logging daemon using
       netlink multicast sockets. This differs from the log watcher in the
       sense that the complete packet is sent to userspace instead of a
       descriptive text and that netlink multicast sockets are used instead of
       the syslog. This watcher enables parsing of packets with userspace
       programs; the physical bridge in and out ports are also included in the
       netlink messages. The ulog watcher module accepts 2 parameters when
       the module is loaded into the kernel (e.g. with modprobe): nlbufsiz
       specifies how big the buffer for each netlink multicast group is. If
       you say nlbufsiz=8192, for example, up to eight kB of packets will get
       accumulated in the kernel until they are sent to userspace. It is not
       possible to allocate more than 128kB. Please also keep in mind that
       this buffer size is allocated for each nlgroup you are using, so the
       total kernel memory usage increases by that factor. The default is
       4096. flushtimeout specifies after how many hundredths of a second the
       queue should be flushed, even if it is not full yet. The default is 10
       (one tenth of a second).

       --ulog
              Use the default settings: ulog-prefix="", ulog-nlgroup=1,
              ulog-cprange=4096, ulog-qthreshold=1.

       --ulog-prefix text
              Defines the prefix included with the packets sent to userspace.

       --ulog-nlgroup group
              Defines which netlink group number to use (a number from 1 to
              32). Make sure the netlink group numbers used for the iptables
              ULOG target differ from those used for the ebtables ulog
              watcher. The default group number is 1.

       --ulog-cprange range
              Defines the maximum copy range to userspace, for packets
              matching the rule. The default range is 0, which means the
              maximum copy range is given by nlbufsiz. A maximum copy range
              larger than 128*1024 is meaningless as the packets sent to
              userspace have an upper size limit of 128*1024.

       --ulog-qthreshold threshold
              Queue at most threshold number of packets before sending them to
              userspace with a netlink socket. Note that packets can be sent
              to userspace before the queue is full; this happens when the
              ulog kernel timer goes off (the frequency of this timer depends
              on flushtimeout).

   TARGET EXTENSIONS
   arpreply
       The arpreply target can be used in the PREROUTING chain of the nat
       table. If this target sees an ARP request it will automatically reply
       with an ARP reply. The used MAC address for the reply can be specified.
       The protocol must be specified as ARP. When the ARP message is not an
       ARP request or when the ARP request isn't for an IP address on an
       Ethernet network, it is ignored by this target (CONTINUE). When the ARP
       request is malformed, it is dropped (DROP).

       --arpreply-mac address
              Specifies the MAC address to reply with: the Ethernet source MAC
              and the ARP payload source MAC will be filled in with this
              address.

       --arpreply-target target
              Specifies the standard target. After sending the ARP reply, the
              rule still has to give a standard target so ebtables knows what
              to do with the ARP request. The default target is DROP.

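       The decision sequence above (ignore with CONTINUE, drop when malformed,
       otherwise reply and apply --arpreply-target) as an added example that is
       not ebtables code. Only what the page states is taken from it: the
       Ethernet source MAC and the ARP sender MAC of the reply are set to the
       --arpreply-mac address, and the default standard target is DROP. The
       remaining reply fields follow RFC 826, which conditions count as
       "malformed" rather than "ignored" is this example's reading, and the
       MAC and 192.0.2.0/24 addresses are constructed.

```python
"""The arpreply decision logic from the ebtables man page, applied to constructed
ARP frames. Added example, not ebtables code: reply fields beyond the Ethernet
source and ARP sender MAC follow RFC 826 and are this example's construction."""
import struct

ETH_P_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_HEADER = "!HHBBH"            # hw type, proto type, hw len, proto len, opcode
ARP_BODY = "!6s4s6s4s"           # sender MAC/IP, target MAC/IP (Ethernet/IPv4 only)


def arpreply(frame, reply_mac, target="DROP"):
    """Return (verdict, reply_frame). verdict is NOMATCH (the rule's -p ARP does
    not apply), CONTINUE, DROP, or the rule's --arpreply-target once a reply was built."""
    if len(frame) < 14 or frame[12:14] != ETH_P_ARP:
        return "NOMATCH", None
    if len(frame) < 22:
        return "DROP", None          # ARP header cut short: malformed
    hw, proto, hlen, plen, op = struct.unpack(ARP_HEADER, frame[14:22])
    if op != ARP_REQUEST or hw != HW_ETHERNET or proto != PROTO_IPV4 or hlen != 6 or plen != 4:
        return "CONTINUE", None      # not a request for an IP address on Ethernet: ignored
    if len(frame) < 42:
        return "DROP", None          # claims Ethernet/IPv4 but the body is missing: malformed
    sender_mac, sender_ip, _target_mac, target_ip = struct.unpack(ARP_BODY, frame[22:42])
    reply = struct.pack(ARP_HEADER, HW_ETHERNET, PROTO_IPV4, 6, 4, ARP_REPLY) + struct.pack(
        ARP_BODY, reply_mac, target_ip, sender_mac, sender_ip)
    # Ethernet source and ARP sender MAC carry --arpreply-mac, as the page states;
    # the reply is addressed back to the requester.
    return target, sender_mac + reply_mac + ETH_P_ARP + reply


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict (used to inspect a reply)."""
    op = struct.unpack(ARP_HEADER, frame[14:22])[4]
    sender_mac, sender_ip, target_mac, target_ip = struct.unpack(ARP_BODY, frame[22:42])
    return {"eth_dst": frame[:6], "eth_src": frame[6:12], "op": op,
            "sender_mac": sender_mac, "sender_ip": sender_ip,
            "target_mac": target_mac, "target_ip": target_ip}


def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed broadcast ARP request: who has target_ip, tell src_ip."""
    arp = struct.pack(ARP_HEADER, HW_ETHERNET, PROTO_IPV4, 6, 4, ARP_REQUEST) + struct.pack(
        ARP_BODY, src_mac, src_ip, b"\x00" * 6, target_ip)
    return b"\xff" * 6 + src_mac + ETH_P_ARP + arp


ASKER_MAC = bytes.fromhex("020000000001")    # constructed host behind the bridge
BRIDGE_MAC = bytes.fromhex("0200000000aa")   # constructed --arpreply-mac value
ASKER_IP = bytes([192, 0, 2, 1])             # 192.0.2.0/24 is documentation address space
WANTED_IP = bytes([192, 0, 2, 10])
REQUEST = build_arp_request(ASKER_MAC, ASKER_IP, WANTED_IP)

if __name__ == "__main__":
    verdict, reply = arpreply(REQUEST, BRIDGE_MAC)
    print(verdict, parse_arp(reply) if reply else None)
    print(arpreply(reply, BRIDGE_MAC))        # a reply is not a request: CONTINUE
    print(arpreply(REQUEST[:30], BRIDGE_MAC)) # truncated request: DROP
```

       The NOMATCH verdict stands for frames the rule itself never matches
       because -p ARP is required; the target only ever sees ARP frames.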
   dnat
       The dnat target can only be used in the BROUTING chain of the broute
       table and the PREROUTING and OUTPUT chains of the nat table. It
       specifies that the destination MAC address has to be changed.

       --to-destination address
              Change the destination MAC address to the specified address. The
              flag --to-dst is an alias for this option.

       --dnat-target target
              Specifies the standard target. After doing the dnat, the rule
              still has to give a standard target so ebtables knows what to do
              with the dnated frame. The default target is ACCEPT. Making it
              CONTINUE could let you use multiple target extensions on the
              same frame. Making it DROP only makes sense in the BROUTING
              chain, but using the redirect target is more logical there.
              RETURN is also allowed. Note that using RETURN in a base chain
              is not allowed (for obvious reasons).

   mark
       The mark target can be used in every chain of every table. It is
       possible to use the marking of a frame/packet in both ebtables and
       iptables, if the bridge-nf code is compiled into the kernel. Both put
       the marking at the same place. This allows for a form of communication
       between ebtables and iptables.

       --mark-set value
              Mark the frame with the specified non-negative value.

       --mark-or value
              Or the frame's mark with the specified non-negative value.

       --mark-and value
              And the frame's mark with the specified non-negative value.

       --mark-xor value
              Xor the frame's mark with the specified non-negative value.

       --mark-target target
              Specifies the standard target. After marking the frame, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE can let you
              do other things with the frame in subsequent rules of the chain.

   redirect
       The redirect target will change the MAC target address to that of the
       bridge device the frame arrived on. This target can only be used in the
       BROUTING chain of the broute table and the PREROUTING chain of the nat
       table. In the BROUTING chain, the MAC address of the bridge port is
       used as destination address; in the PREROUTING chain, the MAC address
       of the bridge is used.

       --redirect-target target
              Specifies the standard target. After doing the MAC redirect, the
              rule still has to give a standard target so ebtables knows what
              to do. The default target is ACCEPT. Making it CONTINUE could
              let you use multiple target extensions on the same frame. Making
              it DROP in the BROUTING chain will let the frames be routed.
              RETURN is also allowed. Note that using RETURN in a base chain
              is not allowed.

   snat
       The snat target can only be used in the POSTROUTING chain of the nat
       table. It specifies that the source MAC address has to be changed.

       --to-source address
              Changes the source MAC address to the specified address. The
              flag --to-src is an alias for this option.

       --snat-target target
              Specifies the standard target. After doing the snat, the rule
              still has to give a standard target so ebtables knows what to
              do. The default target is ACCEPT. Making it CONTINUE could let
              you use multiple target extensions on the same frame. Making it
              DROP doesn't make sense, but you could do that too. RETURN is
              also allowed. Note that using RETURN in a base chain is not
              allowed.

       --snat-arp
              Also change the hardware source address inside the ARP header if
              the packet is an ARP message and the hardware address length in
              the ARP header is 6 bytes.


FILES
       /etc/ethertypes

ENVIRONMENT VARIABLES
       EBTABLES_ATOMIC_FILE

MAILINGLISTS
       ebtables-user@lists.sourceforge.net
       ebtables-devel@lists.sourceforge.net

SEE ALSO
       iptables(8), brctl(8), ifconfig(8), route(8)



                                   May 2007                        EBTABLES(8)