.TH EBTABLES 8  "December 2011"
.\"
.\" Man page written by Bart De Schuymer <bdschuym@pandora.be>
.\" It is based on the iptables man page.
.\"
.\" The man page was edited, February 25th 2003, by
.\"      Greg Morgan <" dr_kludge_at_users_sourceforge_net >
.\"
.\" Iptables page by Herve Eychenne March 2000.
.\"
.\"     This program is free software; you can redistribute it and/or modify
.\"     it under the terms of the GNU General Public License as published by
.\"     the Free Software Foundation; either version 2 of the License, or
.\"     (at your option) any later version.
.\"
.\"     This program is distributed in the hope that it will be useful,
.\"     but WITHOUT ANY WARRANTY; without even the implied warranty of
.\"     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\"     GNU General Public License for more details.
.\"
.\"     You should have received a copy of the GNU General Public License
.\"     along with this program; if not, write to the Free Software
.\"     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.SH NAME
ebtables-nft \- Ethernet bridge frame table administration
.SH SYNOPSIS
.BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
.br
.BR "ebtables " [ -t " table ] " -P " chain " ACCEPT " | " DROP " | " RETURN
.br
.BR "ebtables " [ -t " table ] " -F " [chain]"
.br
.BR "ebtables " [ -t " table ] " -Z " [chain]"
.br
.BR "ebtables " [ -t " table ] " -L " [" -Z "] [chain] [ [" --Ln "] | [" --Lx "] ] [" --Lc "] [" --Lmac2 ]
.br
.BR "ebtables " [ -t " table ] " -N " chain [" "-P ACCEPT " | " DROP " | " RETURN" ]
.br
.BR "ebtables " [ -t " table ] " -X " [chain]"
.br
.BR "ebtables " [ -t " table ] " -E " old-chain-name new-chain-name"
.br
.BR "ebtables " [ -t " table ] " --init-table
.br
.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-commit
.br
.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-init
.br
.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
.br
.SH DESCRIPTION
.B ebtables
is an application program used to set up and maintain the
tables of rules (inside the Linux kernel) that inspect
Ethernet frames.
It is analogous to the
.B iptables
application, but less complicated, because the Ethernet protocol
is much simpler than the IP protocol.
.SS CHAINS
There are two ebtables-nft tables with built-in chains in the
Linux kernel. These tables are used to divide functionality into
different sets of rules. Each set of rules is called a chain.
Each chain is an ordered list of rules that can match Ethernet frames. If a
rule matches an Ethernet frame, then a processing specification tells
what to do with that matching frame. The processing specification is
called a 'target'. However, if the frame does not match the current
rule in the chain, then the next rule in the chain is examined and so forth.
The user can create new (user-defined) chains that can be used as the 'target'
of a rule. User-defined chains are very useful to get better performance
over the linear traversal of the rules and are also essential for structuring
the filtering rules into well-organized and maintainable sets of rules.
.SS TARGETS
A firewall rule specifies criteria for an Ethernet frame and a frame
processing specification called a target.  When a frame matches a rule,
then the next action performed by the kernel is specified by the target.
The target can be one of these values:
.BR ACCEPT ,
.BR DROP ,
.BR CONTINUE ,
.BR RETURN ,
an 'extension' (see below) or a jump to a user-defined chain.
.PP
.B ACCEPT
means to let the frame through.
.B DROP
means the frame has to be dropped.
.B CONTINUE
means the next rule has to be checked. This can be handy, e.g., to know how many
frames pass a certain point in the chain, to log those frames or to apply multiple
targets on a frame.
.B RETURN
means stop traversing this chain and resume at the next rule in the
previous (calling) chain.
For the extension targets please refer to the
.B "TARGET EXTENSIONS"
section of this man page.
.SS TABLES
As stated earlier, there are two ebtables-nft tables in the Linux
kernel.  The table names are
.BR filter " and " nat .
Of these two tables,
the filter table is the default table that the command operates on.
If you are working with the filter table, then you can drop the '-t filter'
argument to the ebtables command.  However, you will need to provide
the -t argument for the
.B nat
table.  Moreover, the -t argument must be the
first argument on the ebtables command line, if used.
.TP
.B "-t, --table"
.br
.B filter
is the default table and contains three built-in chains:
.B INPUT
(for frames destined for the bridge itself, on the level of the MAC destination address),
.B OUTPUT
(for locally-generated or (b)routed frames) and
.B FORWARD
(for frames being forwarded by the bridge).
.br
.br
.B nat
is mostly used to change the MAC addresses and contains three built-in chains:
.B PREROUTING
(for altering frames as soon as they come in),
.B OUTPUT
(for altering locally generated or (b)routed frames before they are bridged) and
.B POSTROUTING
(for altering frames as they are about to go out). A small note on the naming
of chains PREROUTING and POSTROUTING: it would be more accurate to call them
PREFORWARDING and POSTFORWARDING, but for all those who come from the
iptables world to ebtables it is easier to have the same names. Note that you
can change the name
.BR "" ( -E )
if you don't like the default.
.SH EBTABLES COMMAND LINE ARGUMENTS
After the initial ebtables '-t table' command line argument, the remaining
arguments can be divided into several groups.  These groups
are commands, miscellaneous commands, rule specifications, match extensions,
watcher extensions and target extensions.
.SS COMMANDS
The ebtables command arguments specify the actions to perform on the table
defined with the -t argument.  If you do not use the -t argument to name
a table, the commands apply to the default filter table.
Only one command may be used on the command line at a time, except when
the commands
.BR -L " and " -Z
are combined, the commands
.BR -N " and " -P
are combined, or when
.B --atomic-file
is used.
.TP
.B "-A, --append"
Append a rule to the end of the selected chain.
.TP
.B "-D, --delete"
Delete the specified rule or rules from the selected chain. There are two ways to
use this command. The first is by specifying an interval of rule numbers
to delete (directly after
.BR -D ).
Syntax: \fIstart_nr\fP[\fI:end_nr\fP] (use
.B -L --Ln
to list the rules with their rule number). When \fIend_nr\fP is omitted, all rules starting
from \fIstart_nr\fP are deleted. Using negative numbers is allowed; for more
details about using negative numbers, see the
.B -I
command. The second usage is by
specifying the complete rule as it would have been specified when it was added. Only
the first encountered rule that is the same as this specified rule, in other
words the matching rule with the lowest (positive) rule number, is deleted.
.TP
.B "-C, --change-counters"
Change the counters of the specified rule or rules from the selected chain. There are two ways to
use this command. The first is by specifying an interval of rule numbers
to do the changes on (directly after
.BR -C ).
Syntax: \fIstart_nr\fP[\fI:end_nr\fP] (use
.B -L --Ln
to list the rules with their rule number). The details are the same as for the
.BR -D " command. The second usage is by"
specifying the complete rule as it would have been specified when it was added. Only
the counters of the first encountered rule that is the same as this specified rule, in other
words the matching rule with the lowest (positive) rule number, are changed.
In the first usage, the counters are specified directly after the interval specification,
in the second usage directly after
.BR -C .
First the packet counter is specified, then the byte counter. If the specified counters start
with a '+', the counter values are added to the respective current counter values.
If the specified counters start with a '-', the counter values are subtracted from the respective
current counter values. No bounds checking is done. If the counters don't start with '+' or '-',
the current counters are changed to the specified counters.
.TP
.B "-I, --insert"
Insert the specified rule into the selected chain at the specified rule number. If the
rule number is not specified, the rule is added at the head of the chain.
If the current number of rules equals
.IR N ,
then the specified number can be
between
.IR -N " and " N+1 .
For a positive number
.IR i ,
it holds that
.IR i " and " i-N-1
specify the same place in the chain where the rule should be inserted. The rule number
0 specifies the place past the last rule in the chain and using this number is therefore
equivalent to using the
.BR -A " command."
Rule numbers strictly smaller than 0 can be useful when more than one rule needs to be inserted
in a chain.
.TP
.B "-P, --policy"
Set the policy for the chain to the given target. The policy can be
.BR ACCEPT ", " DROP " or " RETURN .
.TP
.B "-F, --flush"
Flush the selected chain. If no chain is selected, then every chain will be
flushed. Flushing a chain does not change the policy of the
chain, however.
.TP
.B "-Z, --zero"
Set the counters of the selected chain to zero. If no chain is selected, all the counters
are set to zero. The
.B "-Z"
command can be used in conjunction with the
.B "-L"
command.
When both the
.B "-Z"
and
.B "-L"
commands are used together in this way, the rule counters are printed on the screen
before they are set to zero.
.TP
.B "-L, --list"
List all rules in the selected chain. If no chain is selected, all chains
are listed.
.br
The following options change the output of the
.B "-L"
command.
.br
.B "--Ln"
.br
Places the rule number in front of every rule. This option is incompatible with the
.BR --Lx " option."
.br
.B "--Lc"
.br
Shows the counters at the end of each rule displayed by the
.B "-L"
command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed.
The frame counter shows how many frames have matched the specific rule, the byte
counter shows the sum of the frame sizes of these matching frames. Using this option
.BR "" "in combination with the " --Lx " option causes the counters to be written out"
.BR "" "in the '" -c " <pcnt> <bcnt>' option format."
.br
.B "--Lx"
.br
Changes the output so that it produces a set of ebtables commands that construct
the contents of the chain, when specified.
If no chain is specified, ebtables commands to construct the contents of the
table are given, including commands for creating the user-defined chains (if any).
You can use this set of commands in an ebtables boot or reload
script.  For example the output could be used at system startup.
The
.B "--Lx"
option is incompatible with the
.B "--Ln"
listing option. Using the
.BR --Lx " option together with the " --Lc " option will cause the counters to be written out"
.BR "" "in the '" -c " <pcnt> <bcnt>' option format."
.br
.B "--Lmac2"
.br
Shows all MAC addresses with the same length, adding leading zeroes
if necessary. The default representation omits leading zeroes in the addresses.
.TP
.B "-N, --new-chain"
Create a new user-defined chain with the given name. The number of
user-defined chains is limited only by the number of possible chain names.
A user-defined chain name has a maximum
length of 31 characters. The standard policy of the user-defined chain is
ACCEPT. The policy of the new chain can be initialized to a different standard
target by using the
.B -P
command together with the
.B -N
command. In this case, the chain name does not have to be specified for the
.B -P
command.
.TP
.B "-X, --delete-chain"
Delete the specified user-defined chain. There must be no remaining references (jumps)
to the specified chain, otherwise ebtables will refuse to delete it. If no chain is
specified, all user-defined chains that aren't referenced will be removed.
.TP
.B "-E, --rename-chain"
Rename the specified chain to a new name.  Besides renaming a user-defined
chain, you can rename a standard chain to a name that suits your
taste. For example, if you like PREFORWARDING more than PREROUTING,
then you can use the -E command to rename the PREROUTING chain. If you do
rename one of the standard ebtables chain names, please be sure to mention
this fact should you post a question on the ebtables mailing lists.
It would be wise to use the standard name in your post. Renaming a standard
ebtables chain in this fashion has no effect on the structure or functioning
of the ebtables kernel table.
.TP
.B "--init-table"
Replace the current table data by the initial table data.
.TP
.B "--atomic-init"
Copy the kernel's initial data of the table to the specified
file. This can be used as the first action, after which rules are added
to the file. The file can be specified using the
.B --atomic-file
command or through the
.IR EBTABLES_ATOMIC_FILE " environment variable."
.TP
.B "--atomic-save"
Copy the kernel's current data of the table to the specified
file. This can be used as the first action, after which rules are added
to the file. The file can be specified using the
.B --atomic-file
command or through the
.IR EBTABLES_ATOMIC_FILE " environment variable."
.TP
.B "--atomic-commit"
Replace the kernel table data with the data contained in the specified
file. This is a useful command that allows you to load all your rules of a
certain table into the kernel at once, saving the kernel a lot of precious
time and allowing atomic updates of the tables. The file which contains
the table data is constructed by using either the
.B "--atomic-init"
or the
.B "--atomic-save"
command to generate a starting file. After that, using the
.B "--atomic-file"
command when constructing rules or setting the
.IR EBTABLES_ATOMIC_FILE " environment variable"
allows you to extend the file and build the complete table before
committing it to the kernel. This command can be very useful in boot scripts
to populate the ebtables tables in a fast way.
.SS MISCELLANEOUS COMMANDS
.TP
.B "-V, --version"
Show the version of the ebtables userspace program.
.TP
.BR "-h, --help " "[\fIlist of module names\fP]"
Give a brief description of the command syntax. Here you can also specify
names of extensions and ebtables will try to write help about those
extensions. E.g.
.IR "ebtables -h snat log ip arp" .
Specify
.I list_extensions
to list all extensions supported by the userspace
utility.
.TP
.BR "-j, --jump " "\fItarget\fP"
The target of the rule. This is one of the following values:
.BR ACCEPT ,
.BR DROP ,
.BR CONTINUE ,
.BR RETURN ,
a target extension (see
.BR "TARGET EXTENSIONS" ")"
or a user-defined chain name.
.TP
.B --atomic-file "\fIfile\fP"
Let the command operate on the specified
.IR file .
The data of the table to
operate on will be extracted from the file and the result of the operation
will be saved back into the file. If specified, this option should come
before the command specification. An alternative that should be preferred
is setting the
.IR EBTABLES_ATOMIC_FILE " environment variable."
.TP
.B -M, --modprobe "\fIprogram\fP"
When talking to the kernel, use this
.I program
to try to automatically load missing kernel modules.
.TP
.B --concurrent
Use a file lock to support concurrent scripts updating the ebtables kernel tables.
.SS RULE SPECIFICATIONS
The following command line arguments make up a rule specification (as used
in the add and delete commands). A "!" option before the specification
inverts the test for that specification. Apart from these standard rule
specifications there are some other command line arguments of interest.
See both the
.BR "MATCH EXTENSIONS"
and the
.BR "WATCHER EXTENSIONS"
below.
.TP
.BR "-p, --protocol " "[!] \fIprotocol\fP"
The protocol that was responsible for creating the frame. This can be a
hexadecimal number, above
.IR 0x0600 ,
a name (e.g.
.I ARP
) or
.BR LENGTH .
The protocol field of the Ethernet frame can be used to denote the
length of the header (802.2/802.3 networks). When the value of that field is
below or equals
.IR 0x0600 ,
the value equals the size of the header and shouldn't be used as a
protocol number. Instead, all frames where the protocol field is used as
the length field are assumed to be of the same 'protocol'. The protocol
name used in ebtables for these frames is
.BR LENGTH .
.br
The file
.B /etc/ethertypes
can be used to show readable
characters instead of hexadecimal numbers for the protocols. For example,
.I 0x0800
will be represented by
.IR IPV4 .
The use of this file is not case sensitive.
See that file for more information. The flag
.B --proto
is an alias for this option.
.TP
.BR "-i, --in-interface " "[!] \fIname\fP"
The interface (bridge port) via which a frame is received (this option is useful in the
.BR INPUT ,
.BR FORWARD ,
.BR PREROUTING " and " BROUTING
chains). If the interface name ends with '+', then
any interface name that begins with this name (disregarding '+') will match.
The flag
.B --in-if
is an alias for this option.
.TP
.BR "--logical-in " "[!] \fIname\fP"
The (logical) bridge interface via which a frame is received (this option is useful in the
.BR INPUT ,
.BR FORWARD ,
.BR PREROUTING " and " BROUTING
chains).
If the interface name ends with '+', then
any interface name that begins with this name (disregarding '+') will match.
.TP
.BR "-o, --out-interface " "[!] \fIname\fP"
The interface (bridge port) via which a frame is going to be sent (this option is useful in the
.BR OUTPUT ,
.B FORWARD
and
.B POSTROUTING
chains). If the interface name ends with '+', then
any interface name that begins with this name (disregarding '+') will match.
The flag
.B --out-if
is an alias for this option.
.TP
.BR "--logical-out " "[!] \fIname\fP"
The (logical) bridge interface via which a frame is going to be sent (this option
is useful in the
.BR OUTPUT ,
.B FORWARD
and
.B POSTROUTING
chains).
If the interface name ends with '+', then
any interface name that begins with this name (disregarding '+') will match.
.TP
.BR "-s, --source " "[!] \fIaddress\fP[/\fImask\fP]"
The source MAC address. Both mask and address are written as 6 hexadecimal
numbers separated by colons. Alternatively one can specify Unicast,
Multicast, Broadcast or BGA (Bridge Group Address):
.br
.IR "Unicast" "=00:00:00:00:00:00/01:00:00:00:00:00,"
.IR "Multicast" "=01:00:00:00:00:00/01:00:00:00:00:00,"
.IR "Broadcast" "=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or"
.IR "BGA" "=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff."
Note that a broadcast
address will also match the multicast specification. The flag
.B --src
is an alias for this option.
.TP
.BR "-d, --destination " "[!] \fIaddress\fP[/\fImask\fP]"
The destination MAC address. See
.B -s
(above) for more details on MAC addresses. The flag
.B --dst
is an alias for this option.
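.PP
The following is an added example, not code from the ebtables project: it evaluates an -s/-d 'address[/mask]' specification, including the Unicast, Multicast, Broadcast and BGA shorthands listed above, against a frame address the way the kernel does (a masked comparison), and shows why the broadcast address and the BGA both also satisfy the Multicast specification. The frame addresses and the function names (parse_mac, parse_spec, mac_matches, classes) are constructed for this example.

```python
"""Added example, not part of ebtables: how an -s/-d 'address[/mask]'
specification, including the Unicast, Multicast, Broadcast and BGA
shorthands, is evaluated against a frame's address.  The frame addresses
below are constructed; the function names are chosen here."""
from typing import List, Tuple

Mac = bytes   # six raw bytes

# The shorthands from the man page, as address/mask pairs.  Unicast/Multicast
# test only the I/G bit (bit 0 of the first byte); Broadcast and BGA are exact.
NAMED = {
    "Unicast":   ("00:00:00:00:00:00", "01:00:00:00:00:00"),
    "Multicast": ("01:00:00:00:00:00", "01:00:00:00:00:00"),
    "Broadcast": ("ff:ff:ff:ff:ff:ff", "ff:ff:ff:ff:ff:ff"),
    "BGA":       ("01:80:c2:00:00:00", "ff:ff:ff:ff:ff:ff"),
}


def parse_mac(text: str) -> Mac:
    """Colon-separated hex bytes; leading zeroes may be omitted (0:11:22:...)."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def parse_spec(spec: str) -> Tuple[bool, Mac, Mac]:
    """'[!] address[/mask]' -> (inverted, address, mask).
    A missing mask means every bit is compared."""
    inverted = spec.startswith("!")
    spec = spec[1:].strip() if inverted else spec.strip()
    if spec in NAMED:
        addr, mask = NAMED[spec]
    else:
        addr, _, mask = spec.partition("/")
        mask = mask or "ff:ff:ff:ff:ff:ff"
    return inverted, parse_mac(addr), parse_mac(mask)


def mac_matches(frame_mac: Mac, spec: str) -> bool:
    """Kernel semantics: match when no masked-in bit differs, i.e.
    ((frame ^ address) & mask) == 0 for every byte; '!' inverts the result."""
    inverted, addr, mask = parse_spec(spec)
    hit = all((f ^ a) & m == 0 for f, a, m in zip(frame_mac, addr, mask))
    return hit != inverted


def classes(frame_mac: Mac) -> List[str]:
    """Every shorthand the address satisfies.  Shows the overlap the man page
    warns about: the broadcast address is also a multicast address, and so
    is the BGA, because their I/G bit is set."""
    return [name for name in NAMED if mac_matches(frame_mac, name)]


if __name__ == "__main__":
    for text in ("ff:ff:ff:ff:ff:ff", "01:80:c2:00:00:00", "0:11:22:33:44:55"):
        print(text, "->", classes(parse_mac(text)))
```

A practical consequence for rule ordering: a rule such as '-d Multicast -j DROP' placed before '-d Broadcast -j ACCEPT' silently drops broadcast (and BPDU) frames too, because the first rule already matches them.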
.TP
.BR "-c, --set-counter " "\fIpcnt bcnt\fP"
If used with
.BR -A " or " -I ", then the packet and byte counters of the new rule will be set to"
.IR pcnt ", resp. " bcnt "."
If used with the
.BR -C " or " -D " commands, only rules with a packet and byte count equal to"
.IR pcnt ", resp. " bcnt " will match."
.SS MATCH EXTENSIONS
Ebtables extensions are dynamically loaded into the userspace tool,
so there is no need to explicitly load them with a
-m option as is done in iptables.
These extensions deal with functionality supported by kernel modules supplemental to
the core ebtables code.
.SS 802_3
Specify 802.3 DSAP/SSAP fields or SNAP type.  The protocol must be specified as
.IR "LENGTH " "(see the option " " -p " above).
.TP
.BR "--802_3-sap " "[!] \fIsap\fP"
DSAP and SSAP are two one-byte 802.3 fields.  ebtables compares both
of them against the same value, so only one byte (hexadecimal) is needed as an argument.
.TP
.BR "--802_3-type " "[!] \fItype\fP"
If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
be consulted to determine the payload protocol.  This is a two byte
(hexadecimal) argument.  Only 802.3 frames with DSAP/SSAP 0xaa are
checked for type.
.SS among
Match a MAC address or MAC/IP address pair versus a list of MAC addresses
and MAC/IP address pairs.
A list entry has the following format:
.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
list entries are separated by a comma; specifying an IP address corresponding to
the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
but different IP address (and vice versa) can be specified. If the MAC address doesn't
match any entry from the list, the frame doesn't match the rule (unless "!" was used).
.TP
.BR "--among-dst " "[!] \fIlist\fP"
Compare the MAC destination to the given list. If the Ethernet frame has type
.IR IPv4 " or " ARP ,
then comparison with MAC/IP destination address pairs from the
list is possible.
.TP
.BR "--among-src " "[!] \fIlist\fP"
Compare the MAC source to the given list. If the Ethernet frame has type
.IR IPv4 " or " ARP ,
then comparison with MAC/IP source address pairs from the list
is possible.
.TP
.BR "--among-dst-file " "[!] \fIfile\fP"
Same as
.BR --among-dst " but the list is read in from the specified file."
.TP
.BR "--among-src-file " "[!] \fIfile\fP"
Same as
.BR --among-src " but the list is read in from the specified file."
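.PP
The following is an added example, not code from the ebtables project: a parser for the among list format described above and the containment test the kernel applies to it (an entry matches when the MAC is equal and the entry either carries no IP or carries the IP found in the frame's IPv4 or ARP header). It is used to evaluate a constructed anti-spoofing rule, '--among-src ! <list>' on a bridge port, against constructed source MAC/IP pairs. The allow list, frame values and function names are assumptions of this example.

```python
"""Added example, not part of ebtables: a parser for the --among-src/--among-dst
list format and the containment test the kernel's among match applies, used
to evaluate an anti-spoofing rule on constructed frames."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Entry = Tuple[str, Optional[IPv4Address]]     # (normalised MAC, IP or None)


def norm_mac(text: str) -> str:
    """Normalise 'a:b:c:d:e:f' to lower-case, zero-padded form for comparison."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {text!r}")
    return ":".join(f"{int(p, 16):02x}" for p in parts)


def parse_among_list(text: str) -> List[Entry]:
    """xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ...  A trailing comma is allowed."""
    entries: List[Entry] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        mac, _, ip = item.partition("=")
        entries.append((norm_mac(mac), IPv4Address(ip) if ip else None))
    return entries


def among_contains(entries: List[Entry], mac: str, ip: Optional[IPv4Address]) -> bool:
    """Kernel rule: an entry matches when the MAC is equal and either the entry
    has no IP, or the frame carried an IP (IPv4 or ARP) equal to the entry's.
    A frame without an IP (ip=None) can only hit MAC-only entries."""
    mac = norm_mac(mac)
    for e_mac, e_ip in entries:
        if e_mac == mac and (e_ip is None or (ip is not None and e_ip == ip)):
            return True
    return False


def among_match(spec: str, mac: str, ip: Optional[IPv4Address]) -> bool:
    """'[!] list' as given to --among-src / --among-dst."""
    inverted = spec.startswith("!")
    entries = parse_among_list(spec[1:].strip() if inverted else spec)
    return among_contains(entries, mac, ip) != inverted


# Constructed allow list: one host that may use two addresses, and a MAC-only
# entry for a device whose IP is not pinned.  With
#   ebtables -A FORWARD -i eth0 -p IPv4 --among-src ! <ALLOW> -j DROP
# any IPv4 frame entering on port eth0 with a source pair outside the list
# is dropped.
ALLOW = ("00:11:22:33:44:55=192.168.1.10,"
         "00:11:22:33:44:55=192.168.1.11,"
         "aa:bb:cc:dd:ee:ff")


def spoof_rule_drops(src_mac: str, src_ip: Optional[IPv4Address]) -> bool:
    """True when the DROP rule above would fire for this source MAC/IP pair."""
    return among_match("! " + ALLOW, src_mac, src_ip)


if __name__ == "__main__":
    for mac, ip in (("00:11:22:33:44:55", "192.168.1.10"),
                    ("00:11:22:33:44:55", "192.168.1.99"),
                    ("aa:bb:cc:dd:ee:ff", "10.0.0.1")):
        print(mac, ip, "->", "DROP" if spoof_rule_drops(mac, IPv4Address(ip)) else "pass")
```

Note the asymmetry that matters for spoofing filters: an entry with an IP pins that MAC to that IP, but a MAC-only entry accepts any IP for that MAC, so a list that is meant to bind addresses should not contain bare MACs.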
.SS arp
Specify (R)ARP fields. The protocol must be specified as
.IR ARP " or " RARP .
.TP
.BR "--arp-opcode " "[!] \fIopcode\fP"
The (R)ARP opcode (decimal or a string; for more details see
.BR "ebtables -h arp" ).
.TP
.BR "--arp-htype " "[!] \fIhardware type\fP"
The hardware type; this can be a decimal number or the string
.I Ethernet
(which sets
.I type
to 1). Most (R)ARP packets have Ethernet as hardware type.
.TP
.BR "--arp-ptype " "[!] \fIprotocol type\fP"
The protocol type for which the (R)ARP is used (hexadecimal or the string
.IR IPv4 ,
denoting 0x0800).
Most (R)ARP packets have protocol type IPv4.
.TP
.BR "--arp-ip-src " "[!] \fIaddress\fP[/\fImask\fP]"
The (R)ARP IP source address specification.
.TP
.BR "--arp-ip-dst " "[!] \fIaddress\fP[/\fImask\fP]"
The (R)ARP IP destination address specification.
.TP
.BR "--arp-mac-src " "[!] \fIaddress\fP[/\fImask\fP]"
The (R)ARP MAC source address specification.
.TP
.BR "--arp-mac-dst " "[!] \fIaddress\fP[/\fImask\fP]"
The (R)ARP MAC destination address specification.
.TP
.BR "" "[!]" " --arp-gratuitous"
Checks for gratuitous ARP packets: checks equality of the IPv4 source
address and the IPv4 destination address inside the ARP header.
.SS ip
Specify IPv4 fields. The protocol must be specified as
.IR IPv4 .
.TP
.BR "--ip-source " "[!] \fIaddress\fP[/\fImask\fP]"
The source IP address.
The flag
.B --ip-src
is an alias for this option.
.TP
.BR "--ip-destination " "[!] \fIaddress\fP[/\fImask\fP]"
The destination IP address.
The flag
.B --ip-dst
is an alias for this option.
.TP
.BR "--ip-tos " "[!] \fItos\fP"
The IP type of service, in hexadecimal numbers.
.TP
.BR "--ip-protocol " "[!] \fIprotocol\fP"
The IP protocol.
The flag
.B --ip-proto
is an alias for this option.
.TP
.BR "--ip-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
The source port or port range for the IP protocols 6 (TCP), 17
(UDP), 33 (DCCP) or 132 (SCTP). The
.B --ip-protocol
option must be specified as
.IR TCP ", " UDP ", " DCCP " or " SCTP .
If
.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
The flag
.B --ip-sport
is an alias for this option.
.TP
.BR "--ip-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
The destination port or port range for the IP protocols 6 (TCP), 17
(UDP), 33 (DCCP) or 132 (SCTP). The
.B --ip-protocol
option must be specified as
.IR TCP ", " UDP ", " DCCP " or " SCTP .
If
.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
The flag
.B --ip-dport
is an alias for this option.
.SS ip6
Specify IPv6 fields. The protocol must be specified as
.IR IPv6 .
.TP
.BR "--ip6-source " "[!] \fIaddress\fP[/\fImask\fP]"
The source IPv6 address.
The flag
.B --ip6-src
is an alias for this option.
.TP
.BR "--ip6-destination " "[!] \fIaddress\fP[/\fImask\fP]"
The destination IPv6 address.
The flag
.B --ip6-dst
is an alias for this option.
.TP
.BR "--ip6-tclass " "[!] \fItclass\fP"
The IPv6 traffic class, in hexadecimal numbers.
.TP
.BR "--ip6-protocol " "[!] \fIprotocol\fP"
The IPv6 upper-layer protocol (next header).
The flag
.B --ip6-proto
is an alias for this option.
.TP
.BR "--ip6-source-port " "[!] \fIport1\fP[:\fIport2\fP]"
The source port or port range for the IPv6 protocols 6 (TCP), 17
(UDP), 33 (DCCP) or 132 (SCTP). The
.B --ip6-protocol
option must be specified as
.IR TCP ", " UDP ", " DCCP " or " SCTP .
If
.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
The flag
.B --ip6-sport
is an alias for this option.
.TP
.BR "--ip6-destination-port " "[!] \fIport1\fP[:\fIport2\fP]"
The destination port or port range for the IPv6 protocols 6 (TCP), 17
(UDP), 33 (DCCP) or 132 (SCTP). The
.B --ip6-protocol
option must be specified as
.IR TCP ", " UDP ", " DCCP " or " SCTP .
If
.IR port1 " is omitted, " 0:port2 " is used; if " port2 " is omitted but a colon is specified, " port1:65535 " is used."
The flag
.B --ip6-dport
is an alias for this option.
.TP
.BR "--ip6-icmp-type " "[!] {\fItype\fP[:\fItype\fP]/\fIcode\fP[:\fIcode\fP]|\fItypename\fP}"
Specify the ipv6\-icmp type and code to match.
Ranges for both type and code are supported. Type and code are
separated by a slash. Valid numbers for type and code are 0 to 255.
To match a single type including all valid codes, symbolic names can
be used instead of numbers. The list of known type names is shown by the command
.nf
  ebtables \-\-help ip6
.fi
This option is only valid for \-\-ip6-protocol ipv6-icmp.
.SS limit
This module matches at a limited rate using a token bucket filter.
A rule using this extension will match until this limit is reached.
It can be used with the
.B --log
watcher to give limited logging, for example. Its use is the same
as the limit match of iptables.
.TP
.BR "--limit " "[\fIvalue\fP]"
Maximum average matching rate: specified as a number, with an optional
.IR /second ", " /minute ", " /hour ", or " /day " suffix; the default is " 3/hour .
.TP
.BR "--limit-burst " "[\fInumber\fP]"
Maximum initial number of packets to match: this number gets recharged by
one every time the limit specified above is not reached, up to this
number; the default is
.IR 5 .
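.PP
The following is an added example, not code from the ebtables project: a token bucket driven by explicit timestamps, so the interaction of --limit and --limit-burst can be replayed deterministically. The bucket starts full at the burst size, one token is spent per matching frame, and tokens are refilled at the configured rate up to the burst size. The real netfilter implementation works in integer credits at jiffy resolution; this float model approximates it. Arrival times, rate strings and function names are constructed for this example.

```python
"""Added example, not part of ebtables: a token-bucket model of the limit
match, driven by explicit timestamps so the behaviour is reproducible.  The
rate/burst syntax follows --limit / --limit-burst; netfilter's implementation
uses integer credits in jiffies, which this float model approximates."""
from typing import List, Sequence

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(text: str) -> float:
    """'3/hour', '10/second', or a bare number (per second) -> events per second."""
    num, _, unit = text.partition("/")
    unit = unit or "second"
    if unit not in UNITS:
        raise ValueError(f"unknown rate unit {unit!r}")
    return float(num) / UNITS[unit]


class Limit:
    """One --limit/--limit-burst instance (defaults are the man page's)."""

    def __init__(self, rate: str = "3/hour", burst: int = 5) -> None:
        self.rate = parse_rate(rate)     # tokens added per second
        self.burst = burst               # bucket size and initial fill
        self.tokens = float(burst)
        self.last = 0.0                  # time of the previous frame

    def match(self, now: float) -> bool:
        """Called once per frame reaching the rule; True while a token is left."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals: Sequence[float], rate: str = "3/hour", burst: int = 5) -> List[bool]:
    """Which of the given arrival times (seconds) the rule matched, in order."""
    lim = Limit(rate, burst)
    return [lim.match(t) for t in arrivals]


if __name__ == "__main__":
    # A flood of seven ARP frames at t=0, then one more after 30 minutes:
    #   ebtables -A INPUT -p ARP --limit 3/hour --limit-burst 5 --log -j CONTINUE
    # logs the first five, skips the next two, and has half a token back by t=1800.
    print(simulate([0] * 7 + [1800, 1801]))
```

Because the burst is also the initial fill, a freshly loaded rule always lets the first five frames through regardless of rate; --limit-burst 1 is the way to get a strict "at most one per interval" behaviour.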
.SS mark_m
.TP
.BR "--mark " "[!] [\fIvalue\fP][/\fImask\fP]"
Matches frames with the given unsigned mark value. If a
.IR value " and " mask " are specified, the logical AND of the mark value of the frame and"
the user-specified
.IR mask " is taken before comparing it with the"
user-specified mark
.IR value ". When only a mark "
.IR value " is specified, the packet"
only matches when the mark value of the frame equals the user-specified
mark
.IR value .
If only a
.IR mask " is specified, the logical"
AND of the mark value of the frame and the user-specified
.IR mask " is taken and the frame matches when the result of this logical AND is"
non-zero. Only specifying a
.IR mask " is useful to match multiple mark values."
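.PP
The three cases above (value and mask, value only, mask only) plus the "!" inversion, as an added Python example that is not part of this man page or of the ebtables code. The 32-bit mark width is an assumption made for the range check.

```python
"""Evaluate the mark_m match (--mark [!] [value][/mask]) as described above.

Added example, not code from the ebtables project. The three documented
cases are implemented: value and mask, value only, mask only.
"""
MARK_BITS = 0xFFFFFFFF   # the mark is treated as an unsigned 32-bit value (assumption)


def parse_mark_spec(spec: str):
    """Parse '[!] [value][/mask]' into (value, mask, invert); numbers may be hex or decimal."""
    spec = spec.strip()
    invert = spec.startswith("!")
    if invert:
        spec = spec[1:].strip()
    value_s, sep, mask_s = spec.partition("/")
    value = int(value_s, 0) if value_s else None
    mask = int(mask_s, 0) if (sep and mask_s) else None
    if value is None and mask is None:
        raise ValueError("--mark needs a value, a mask, or both")
    for n in (value, mask):
        if n is not None and not 0 <= n <= MARK_BITS:
            raise ValueError(f"{n:#x} does not fit in a 32-bit mark")
    return value, mask, invert


def mark_matches(frame_mark: int, value=None, mask=None, invert: bool = False) -> bool:
    """Apply the documented rules to a frame carrying `frame_mark`."""
    if value is not None and mask is not None:
        # both given: compare the masked frame mark with the value
        hit = (frame_mark & mask) == value
    elif value is not None:
        # value only: the marks must be equal
        hit = frame_mark == value
    elif mask is not None:
        # mask only: any overlapping bit is enough, so one rule covers many marks
        hit = (frame_mark & mask) != 0
    else:
        raise ValueError("--mark needs a value, a mask, or both")
    return hit != invert


def mark_rule_matches(frame_mark: int, spec: str) -> bool:
    """Convenience: evaluate a textual --mark argument against a frame mark."""
    value, mask, invert = parse_mark_spec(spec)
    return mark_matches(frame_mark, value, mask, invert)


if __name__ == "__main__":
    # constructed frame mark: 0x12 has bit 1 and bit 4 set
    for spec in ("0x10/0xf0", "0x10", "/0x0f", "! 0x10/0xf0", "/0x100"):
        print(f"mark 0x12 against --mark {spec:<12}: {mark_rule_matches(0x12, spec)}")
```

Run against a frame mark of 0x12: "0x10/0xf0" matches (the high nibble is 0x10), "0x10" alone does not (the marks differ), and "/0x0f" matches because bit 1 overlaps the mask, which is the mask-only behaviour the text recommends for matching several mark values with one rule.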
.SS pkttype
.TP
.BR "--pkttype-type " "[!] \fItype\fP"
Matches on the Ethernet "class" of the frame, which is determined by the
generic networking code. Possible values:
.IR broadcast " (MAC destination is the broadcast address),"
.IR multicast " (MAC destination is a multicast address),"
.IR host " (MAC destination is the receiving network device), or "
.IR otherhost " (none of the above)."
.SS stp
Specify stp BPDU (bridge protocol data unit) fields. The destination
address
.BR "" ( -d ") must be specified as the bridge group address"
.IR "" ( BGA ).
For all options for which a range of values can be specified, it holds that
if the lower bound is omitted (but the colon is not), then the lowest possible lower bound
for that option is used, while if the upper bound is omitted (but the colon again is not), the
highest possible upper bound for that option is used.
.TP
.BR "--stp-type " "[!] \fItype\fP"
The BPDU type (0-255); recognized non-numerical types are
.IR config ", denoting a configuration BPDU (=0), and"
.IR tcn ", denoting a topology change notification BPDU (=128)."
.TP
.BR "--stp-flags " "[!] \fIflag\fP"
The BPDU flag (0-255); recognized non-numerical flags are
.IR topology-change ", denoting the topology change flag (=1), and"
.IR topology-change-ack ", denoting the topology change acknowledgement flag (=128)."
.TP
.BR "--stp-root-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
The root priority (0-65535) range.
.TP
.BR "--stp-root-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
The root mac address, see the option
.BR -s " for more details."
.TP
.BR "--stp-root-cost " "[!] [\fIcost\fP][:\fIcost\fP]"
The root path cost (0-4294967295) range.
.TP
.BR "--stp-sender-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
The BPDU's sender priority (0-65535) range.
.TP
.BR "--stp-sender-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
The BPDU's sender mac address, see the option
.BR -s " for more details."
.TP
.BR "--stp-port " "[!] [\fIport\fP][:\fIport\fP]"
The port identifier (0-65535) range.
.TP
.BR "--stp-msg-age " "[!] [\fIage\fP][:\fIage\fP]"
The message age timer (0-65535) range.
.TP
.BR "--stp-max-age " "[!] [\fIage\fP][:\fIage\fP]"
The max age timer (0-65535) range.
.TP
.BR "--stp-hello-time " "[!] [\fItime\fP][:\fItime\fP]"
The hello time timer (0-65535) range.
.TP
.BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
The forward delay timer (0-65535) range.
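.PP
The stp match fields and the omitted-bound range rule above, as an added Python example that is not part of this man page or of the ebtables code. It assumes the IEEE 802.1D frame layout (LLC header 42:42:03 followed by the 35-byte configuration BPDU), constructs its own sample BPDU, and evaluates the --stp-* options, including the "!" inversion and the /mask form of the address options.

```python
"""Decode an 802.1D configuration BPDU and evaluate --stp-* options on it.

Added example, not code from the ebtables project. It assumes the IEEE
802.1D layout (LLC header 42:42:03 followed by the 35-byte configuration
BPDU) and builds its own sample frame. Ranges follow the rule above: a
missing lower bound means 0, a missing upper bound after the colon means
the option's maximum.
"""
import struct
from collections import namedtuple

BGA = bytes.fromhex("0180c2000000")   # bridge group address required by -d
LLC_STP = b"\x42\x42\x03"               # DSAP/SSAP/control of an STP frame
STP_TYPES = {"config": 0, "tcn": 128}   # --stp-type names
STP_FLAGS = {"topology-change": 1, "topology-change-ack": 128}
# highest possible upper bound of each range option (used when ':hi' is omitted)
RANGE_MAX = {"root_prio": 0xFFFF, "root_cost": 0xFFFFFFFF, "sender_prio": 0xFFFF,
             "port": 0xFFFF, "msg_age": 0xFFFF, "max_age": 0xFFFF,
             "hello_time": 0xFFFF, "forward_delay": 0xFFFF}
# wire order of the configuration BPDU after protocol id and version;
# the four timers are raw 16-bit values in units of 1/256 s
ConfigBpdu = namedtuple("ConfigBpdu", (
    "bpdu_type", "flags", "root_prio", "root_addr", "root_cost", "sender_prio",
    "sender_addr", "port", "msg_age", "max_age", "hello_time", "forward_delay"))
BPDU_FMT = "!HBBBH6sIH6sHHHHH"          # 35 bytes, big-endian


def parse_range(spec, upper_max):
    """Parse '[lo][:hi]' with the documented omitted-bound rules."""
    lo_s, sep, hi_s = spec.partition(":")
    lo = int(lo_s, 0) if lo_s else 0
    hi = (int(hi_s, 0) if hi_s else upper_max) if sep else lo
    if not 0 <= lo <= hi <= upper_max:
        raise ValueError(f"range {spec!r} is not within 0-{upper_max}")
    return lo, hi


def parse_mac(spec):
    """Parse 'xx:xx:xx:xx:xx:xx[/mask]' into (address, mask) byte strings."""
    addr_s, _, mask_s = spec.partition("/")
    addr = bytes.fromhex(addr_s.replace(":", ""))
    mask = bytes.fromhex(mask_s.replace(":", "")) if mask_s else b"\xff" * 6
    if len(addr) != 6 or len(mask) != 6:
        raise ValueError(f"bad MAC specification {spec!r}")
    return addr, mask


def parse_bpdu(frame):
    """Return the ConfigBpdu carried by an Ethernet frame, or raise ValueError."""
    if len(frame) < 52:
        raise ValueError("frame too short for a configuration BPDU")
    length = struct.unpack("!H", frame[12:14])[0]
    if frame[0:6] != BGA or length > 1500 or frame[14:17] != LLC_STP:
        raise ValueError("not an STP BPDU addressed to the bridge group address")
    fields = struct.unpack(BPDU_FMT, frame[17:52])
    if fields[0] != 0:                  # protocol identifier is 0 for STP
        raise ValueError("unknown BPDU protocol identifier")
    return ConfigBpdu(*fields[2:])      # drop protocol id and version


def stp_match(bpdu, **opts):
    """Evaluate --stp-* options given as strings; a leading '!' inverts one.

    Keywords: type, flags, root_addr, sender_addr, and the names in RANGE_MAX,
    e.g. stp_match(b, type="config", root_cost=":10", sender_addr="00:11:22:33:44:55").
    """
    for name, spec in opts.items():
        invert = spec.lstrip().startswith("!")
        spec = spec.lstrip("! ").strip()
        if name in ("type", "flags"):
            names = STP_TYPES if name == "type" else STP_FLAGS
            want = names[spec] if spec in names else int(spec, 0)
            hit = getattr(bpdu, "bpdu_type" if name == "type" else "flags") == want
        elif name in ("root_addr", "sender_addr"):
            addr, mask = parse_mac(spec)
            hit = all((a & m) == (b & m) for a, b, m in zip(getattr(bpdu, name), addr, mask))
        elif name in RANGE_MAX:
            lo, hi = parse_range(spec, RANGE_MAX[name])
            hit = lo <= getattr(bpdu, name) <= hi
        else:
            raise ValueError(f"unknown stp option {name!r}")
        if hit == invert:               # plain miss, or inverted hit: rule fails
            return False
    return True


def build_sample_frame():
    """Constructed sample: bridge 00:11:22:33:44:55 (prio 32768) announces root
    00:aa:bb:cc:dd:ee at path cost 4 with the TC flag; timers 1/20/2/15 s."""
    body = struct.pack(BPDU_FMT, 0, 0, 0, 1, 32768, bytes.fromhex("00aabbccddee"), 4,
                       32768, bytes.fromhex("001122334455"), 0x8001,
                       1 * 256, 20 * 256, 2 * 256, 15 * 256)
    payload = LLC_STP + body
    return BGA + bytes.fromhex("001122334455") + struct.pack("!H", len(payload)) + payload
```

Usage: parse_bpdu(build_sample_frame()) yields the twelve fields the options above refer to, and stp_match(bpdu, root_cost=":10", sender_addr="00:11:22:33:44:00/ff:ff:ff:ff:ff:00") shows both the open-ended range and the masked address forms; a frame whose destination is not the BGA is rejected before any field is read, which is what the -d requirement in the text guarantees for the real match.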
.SS vlan
Specify 802.1Q Tag Control Information fields.
The protocol must be specified as
.IR 802_1Q " (0x8100)."
.TP
.BR "--vlan-id " "[!] \fIid\fP"
The VLAN identifier field (VID). Decimal number from 0 to 4095.
.TP
.BR "--vlan-prio " "[!] \fIprio\fP"
The user priority field, a decimal number from 0 to 7.
The VID should be set to 0 ("null VID") or unspecified
(in the latter case the VID is deliberately set to 0).
.TP
.BR "--vlan-encap " "[!] \fItype\fP"
The encapsulated Ethernet frame type/length.
Specified as a hexadecimal
number from 0x0000 to 0xFFFF or as a symbolic name
from
.BR /etc/ethertypes .
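.PP
The Tag Control Information fields and the three vlan options, as an added Python example that is not part of this man page or of the ebtables code. It assumes the 802.1Q layout (TPID 0x8100, then a 16-bit TCI holding a 3-bit priority, a 1-bit DEI and a 12-bit VID, then the encapsulated type/length), uses a small constructed subset of /etc/ethertypes for symbolic --vlan-encap names, and handles --vlan-prio exactly as the text describes: when --vlan-id is not given, the rule is evaluated with the VID set to 0.

```python
"""Decode the 802.1Q tag of an Ethernet frame and evaluate the --vlan-* options.

Added example, not code from the ebtables project. It assumes the 802.1Q
layout (TPID 0x8100, 16-bit TCI: 3-bit priority, 1-bit DEI, 12-bit VID,
then the encapsulated type/length) and a constructed subset of
/etc/ethertypes. Without --vlan-id, --vlan-prio is evaluated with the
VID set to 0, as the description above states.
"""
import struct

ETH_P_8021Q = 0x8100
# a subset of /etc/ethertypes, constructed for this example
ETHERTYPES = {"IPv4": 0x0800, "ARP": 0x0806, "IPv6": 0x86DD}


def parse_vlan(frame):
    """Return (prio, dei, vid, encap) for a tagged frame; raise if untagged or short."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tag")
    tpid, tci, encap = struct.unpack("!HHH", frame[12:18])
    if tpid != ETH_P_8021Q:
        raise ValueError("protocol is not 802_1Q (0x8100)")
    prio = tci >> 13            # PCP, 3 bits
    dei = (tci >> 12) & 1       # drop eligible indicator, 1 bit
    vid = tci & 0x0FFF          # VID, 12 bits
    return prio, dei, vid, encap


def _spec(spec, names=None, upper=0xFFFF):
    """Parse '[!] value' into (invert, value); value is decimal/hex or a name in `names`."""
    spec = str(spec).strip()
    invert = spec.startswith("!")
    if invert:
        spec = spec[1:].strip()
    value = names[spec] if names and spec in names else int(spec, 0)
    if not 0 <= value <= upper:
        raise ValueError(f"{spec!r} is outside 0-{upper}")
    return invert, value


def vlan_match(frame, vlan_id=None, vlan_prio=None, vlan_encap=None):
    """Evaluate the three options against a frame; an untagged frame never matches."""
    try:
        prio, _, vid, encap = parse_vlan(frame)
    except ValueError:
        return False
    if vlan_prio is not None and vlan_id is None:
        vlan_id = 0             # documented behaviour: VID deliberately set to 0
    checks = []
    if vlan_id is not None:
        checks.append((_spec(vlan_id, upper=4095), vid))
    if vlan_prio is not None:
        checks.append((_spec(vlan_prio, upper=7), prio))
    if vlan_encap is not None:
        checks.append((_spec(vlan_encap, ETHERTYPES), encap))
    for (invert, want), have in checks:
        if (have == want) == invert:    # plain miss, or inverted hit: rule fails
            return False
    return True


def build_tagged_frame(vid, prio, encap, dei=0, payload=b"\x00" * 46):
    """Constructed sample frame: 802.1Q tag around `payload`, dummy MAC addresses."""
    tci = (prio << 13) | (dei << 12) | (vid & 0x0FFF)
    header = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return header + struct.pack("!HHH", ETH_P_8021Q, tci, encap) + payload
```

A frame tagged VID 100 with priority 5 matches vlan_id=100 but not vlan_prio=5 on its own, because the VID is then forced to 0; a priority-tagged frame (VID 0) matches vlan_prio=5. Frames without the 0x8100 TPID never match, which corresponds to the requirement that the protocol be given as 802_1Q.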
.SS WATCHER EXTENSIONS
Watchers only look at frames passing by; they don't modify them nor decide
whether to accept the frames. These watchers only
see the frame if the frame matches the rule, and they see it before the
target is executed.
.SS log
The log watcher writes descriptive data about a frame to the syslog.
.TP
.B "--log"
.br
Log with the default logging options: log-level=
.IR info ,
log-prefix="", no ip logging, no arp logging.
.TP
.B --log-level "\fIlevel\fP"
.br
Defines the logging level. For the possible values, see
.BR "ebtables -h log" .
The default level is
.IR info .
.TP
.BR --log-prefix " \fItext\fP"
.br
Defines the prefix
.I text
to be printed at the beginning of the line with the logging information.
.TP
.B --log-ip
.br
Will log the ip information when a frame made by the ip protocol matches
the rule. The default is no ip information logging.
.TP
.B --log-ip6
.br
Will log the ipv6 information when a frame made by the ipv6 protocol matches
the rule. The default is no ipv6 information logging.
.TP
.B --log-arp
.br
Will log the (r)arp information when a frame made by the (r)arp protocols
matches the rule. The default is no (r)arp information logging.
.SS nflog
The nflog watcher passes the packet to the loaded logging backend
in order to log the packet. This is usually used in combination with
nfnetlink_log as logging backend, which will multicast the packet
through a
.IR netlink
socket to the specified multicast group. One or more userspace processes
may subscribe to the group to receive the packets.
.TP
.B "--nflog"
.br
Log with the default logging options.
.TP
.B --nflog-group "\fInlgroup\fP"
.br
The netlink group (1 - 2^32-1) to which packets are sent (only applicable for
nfnetlink_log). The default value is 1.
.TP
.B --nflog-prefix "\fIprefix\fP"
.br
A prefix string to include in the log message, up to 30 characters
long, useful for distinguishing messages in the logs.
.TP
.B --nflog-range "\fIsize\fP"
.br
The number of bytes to be copied to userspace (only applicable for
nfnetlink_log). nfnetlink_log instances may specify their own
range; this option overrides it.
.TP
.B --nflog-threshold "\fIsize\fP"
.br
Number of packets to queue inside the kernel before sending them
to userspace (only applicable for nfnetlink_log). Higher values
result in less overhead per packet, but increase delay until the
packets reach userspace. The default value is 1.
.SS ulog
The ulog watcher passes the packet to a userspace
logging daemon using netlink multicast sockets. This differs
from the log watcher in the sense that the complete packet is
sent to userspace instead of a descriptive text and that
netlink multicast sockets are used instead of the syslog.
This watcher enables parsing of packets with userspace programs; the
physical bridge in and out ports are also included in the netlink messages.
The ulog watcher module accepts 2 parameters when the module is loaded
into the kernel (e.g. with modprobe):
.B nlbufsiz
specifies how big the buffer for each netlink multicast
group is. If you say
.IR nlbufsiz=8192 ,
for example, up to eight kB of packets will
get accumulated in the kernel until they are sent to userspace. It is
not possible to allocate more than 128kB. Please also keep in mind that
this buffer size is allocated for each nlgroup you are using, so the
total kernel memory usage increases by that factor. The default is 4096.
.B flushtimeout
specifies after how many hundredths of a second the queue should be
flushed, even if it is not full yet. The default is 10 (one tenth of
a second).
.TP
.B "--ulog"
.br
Use the default settings: ulog-prefix="", ulog-nlgroup=1,
ulog-cprange=4096, ulog-qthreshold=1.
.TP
.B --ulog-prefix "\fItext\fP"
.br
Defines the prefix included with the packets sent to userspace.
.TP
.BR --ulog-nlgroup " \fIgroup\fP"
.br
Defines which netlink group number to use (a number from 1 to 32).
Make sure the netlink group numbers used for the iptables ULOG
target differ from those used for the ebtables ulog watcher.
The default group number is 1.
.TP
.BR --ulog-cprange " \fIrange\fP"
.br
Defines the maximum copy range to userspace, for packets matching the
rule. The default range is 0, which means the maximum copy range is
given by
.BR nlbufsiz .
A maximum copy range larger than
128*1024 is meaningless as the packets sent to userspace have an upper
size limit of 128*1024.
.TP
.BR --ulog-qthreshold " \fIthreshold\fP"
.br
Queue at most
.I threshold
number of packets before sending them to
userspace with a netlink socket. Note that packets can be sent to
userspace before the queue is full; this happens when the ulog
kernel timer goes off (the frequency of this timer depends on
.BR flushtimeout ).
.SS TARGET EXTENSIONS
.SS arpreply
The
.B arpreply
target can be used in the
.BR PREROUTING " chain of the " nat " table."
If this target sees an ARP request it will automatically reply
with an ARP reply. The used MAC address for the reply can be specified.
The protocol must be specified as
.IR ARP .
When the ARP message is not an ARP request or when the ARP request isn't
for an IP address on an Ethernet network, it is ignored by this target
.BR "" ( CONTINUE ).
When the ARP request is malformed, it is dropped
.BR "" ( DROP ).
.TP
.BR "--arpreply-mac " "\fIaddress\fP"
Specifies the MAC address to reply with: the Ethernet source MAC and the
ARP payload source MAC will be filled in with this address.
.TP
.BR "--arpreply-target " "\fItarget\fP"
Specifies the standard target. After sending the ARP reply, the rule still
has to give a standard target so ebtables knows what to do with the ARP request.
The default target
.BR "" "is " DROP .
.SS dnat
The
.B dnat
target can only be used in the
.BR PREROUTING " and " OUTPUT " chains of the " nat " table."
It specifies that the destination MAC address has to be changed.
.TP
.BR "--to-destination " "\fIaddress\fP"
.br
Change the destination MAC address to the specified
.IR address .
The flag
.B --to-dst
is an alias for this option.
.TP
.BR "--dnat-target " "\fItarget\fP"
.br
Specifies the standard target. After doing the dnat, the rule still has to
give a standard target so ebtables knows what to do with the dnated frame.
The default target is
.BR ACCEPT .
Making it
.BR CONTINUE " could let you use"
multiple target extensions on the same frame. Making it
.BR DROP " only makes"
sense in the
.BR BROUTING " chain but using the " redirect " target is more logical there. " RETURN " is also allowed. Note that using " RETURN
in a base chain is not allowed (for obvious reasons).
.SS mark
.BR "" "The " mark " target can be used in every chain of every table. It is possible"
to use the marking of a frame/packet in both ebtables and iptables,
if the bridge-nf code is compiled into the kernel. Both put the marking at the
same place. This allows for a form of communication between ebtables and iptables.
.TP
.BR "--mark-set " "\fIvalue\fP"
.br
Mark the frame with the specified non-negative
.IR value .
.TP
.BR "--mark-or " "\fIvalue\fP"
.br
Bitwise OR the mark of the frame with the specified non-negative
.IR value .
.TP
.BR "--mark-and " "\fIvalue\fP"
.br
Bitwise AND the mark of the frame with the specified non-negative
.IR value .
.TP
.BR "--mark-xor " "\fIvalue\fP"
.br
Bitwise XOR the mark of the frame with the specified non-negative
.IR value .
.TP
.BR "--mark-target " "\fItarget\fP"
.br
Specifies the standard target. After marking the frame, the rule
still has to give a standard target so ebtables knows what to do.
The default target is
.BR ACCEPT ". Making it " CONTINUE " can let you do other"
things with the frame in subsequent rules of the chain.
.SS redirect
The
.B redirect
target will change the MAC target address to that of the bridge device the
frame arrived on. This target can only be used in the
.BR PREROUTING " chain of the " nat " table."
The MAC address of the bridge is used as destination address.
.TP
.BR "--redirect-target " "\fItarget\fP"
.br
Specifies the standard target. After doing the MAC redirect, the rule
still has to give a standard target so ebtables knows what to do.
The default target is
.BR ACCEPT ". Making it " CONTINUE " could let you use"
multiple target extensions on the same frame. Making it
.BR DROP " in the " BROUTING " chain will let the frames be routed. " RETURN " is also allowed. Note"
.BR "" "that using " RETURN " in a base chain is not allowed."
.SS snat
The
.B snat
target can only be used in the
.BR POSTROUTING " chain of the " nat " table."
It specifies that the source MAC address has to be changed.
.TP
.BR "--to-source " "\fIaddress\fP"
.br
Changes the source MAC address to the specified
.IR address ". The flag"
.B --to-src
is an alias for this option.
.TP
.BR "--snat-target " "\fItarget\fP"
.br
Specifies the standard target. After doing the snat, the rule still has
to give a standard target so ebtables knows what to do.
.BR "" "The default target is " ACCEPT ". Making it " CONTINUE " could let you use"
.BR "" "multiple target extensions on the same frame. Making it " DROP " doesn't"
.BR "" "make sense, but you could do that too. " RETURN " is also allowed. Note"
.BR "" "that using " RETURN " in a base chain is not allowed."
.br
.TP
.BR "--snat-arp "
.br
Also change the hardware source address inside the arp header if the packet is an
arp message and the hardware address length in the arp header is 6 bytes.
.br
.SH FILES
.I /etc/ethertypes
.I /run/ebtables.lock
.SH ENVIRONMENT VARIABLES
.I EBTABLES_ATOMIC_FILE
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
.SH BUGS
The version of ebtables this man page ships with does not support the
.B broute
table. Also there is no support for the
.B among
match. And finally, this list is probably not complete.
.SH SEE ALSO
.BR xtables-nft "(8), " iptables "(8), " brctl "(8), " ifconfig "(8), " route (8)
.PP
.BR "" "See " http://ebtables.sf.net