{
    "content": [
        {
            "type": "text",
            "text": "# EBTABLES (info)\n\n## NAME\n\nebtables - Ethernet bridge frame table administration (nft-based)\n\n## SYNOPSIS\n\nebtables  [-t  table  ]  -[ACDI] chain rule specification [match exten-\nsions] [watcher extensions] target\nebtables [-t table ] -P chain ACCEPT | DROP | RETURN\nebtables [-t table ] -F [chain]\nebtables [-t table ] -Z [chain]\nebtables [-t table ] -L  [-Z]  [chain]  [  [--Ln]  |  [--Lx]  ]  [--Lc]\n[--Lmac2]\nebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]\nebtables [-t table ] -X [chain]\nebtables [-t table ] -E old-chain-name new-chain-name\nebtables [-t table ] --init-table\nebtables [-t table ] [--atomic-file file] --atomic-commit\nebtables [-t table ] [--atomic-file file] --atomic-init\nebtables [-t table ] [--atomic-file file] --atomic-save\n\n## DESCRIPTION\n\nebtables  is an application program used to set up and maintain the ta-\nbles of rules (inside the Linux kernel) that inspect  Ethernet  frames.\nIt  is analogous to the iptables application, but less complicated, due\nto the fact that the Ethernet protocol is much simpler than the IP pro-\ntocol.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION** (1 subsections)\n- **EBTABLES COMMAND LINE ARGUMENTS** (27 subsections)\n- **FILES**\n- **ENVIRONMENT VARIABLES**\n- **MAILINGLISTS**\n- **BUGS**\n- **SEE ALSO**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "EBTABLES",
        "section": "",
        "mode": "info",
        "summary": "ebtables - Ethernet bridge frame table administration (nft-based)",
        "synopsis": "ebtables  [-t  table  ]  -[ACDI] chain rule specification [match exten-\nsions] [watcher extensions] target\nebtables [-t table ] -P chain ACCEPT | DROP | RETURN\nebtables [-t table ] -F [chain]\nebtables [-t table ] -Z [chain]\nebtables [-t table ] -L  [-Z]  [chain]  [  [--Ln]  |  [--Lx]  ]  [--Lc]\n[--Lmac2]\nebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]\nebtables [-t table ] -X [chain]\nebtables [-t table ] -E old-chain-name new-chain-name\nebtables [-t table ] --init-table\nebtables [-t table ] [--atomic-file file] --atomic-commit\nebtables [-t table ] [--atomic-file file] --atomic-init\nebtables [-t table ] [--atomic-file file] --atomic-save",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [
            {
                "flag": "-t",
                "long": "--table",
                "arg": null,
                "description": "filter is the default table and contains three built-in chains: INPUT (for frames destined for the bridge itself, on the level of the MAC destination address), OUTPUT (for locally-generated or (b)routed frames) and FORWARD (for frames being forwarded by the bridge). nat is mostly used to change the mac addresses and contains three built-in chains: PREROUTING (for altering frames as soon as they come in), OUTPUT (for altering locally generated or (b)routed frames before they are bridged) and POSTROUTING (for altering frames as they are about to go out). A small note on the naming of chains PREROUTING and POSTROUTING: it would be more accurate to call them PREFORWARDING and POSTFORWARDING, but for all those who come from the iptables world to ebtables it is easier to have the same names. Note that you can change the name (-E) if you don't like the default."
            }
        ],
        "examples": [],
        "see_also": [
            {
                "name": "xtables-nft",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/xtables-nft/8/json"
            },
            {
                "name": "iptables",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json"
            },
            {
                "name": "ip",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/ip/8/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 15,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 45,
                "subsections": [
                    {
                        "name": "-t, --table",
                        "lines": 16,
                        "flag": "-t",
                        "long": "--table"
                    }
                ]
            },
            {
                "name": "EBTABLES COMMAND LINE ARGUMENTS",
                "lines": 13,
                "subsections": [
                    {
                        "name": "-A, --append",
                        "lines": 2,
                        "flag": "-A",
                        "long": "--append"
                    },
                    {
                        "name": "-D, --delete",
                        "lines": 13,
                        "flag": "-D",
                        "long": "--delete"
                    },
                    {
                        "name": "-C, --change-counters",
                        "lines": 20,
                        "flag": "-C",
                        "long": "--change-counters"
                    },
                    {
                        "name": "-I, --insert",
                        "lines": 11,
                        "flag": "-I",
                        "long": "--insert"
                    },
                    {
                        "name": "-P, --policy",
                        "lines": 3,
                        "flag": "-P",
                        "long": "--policy"
                    },
                    {
                        "name": "-F, --flush",
                        "lines": 4,
                        "flag": "-F",
                        "long": "--flush"
                    },
                    {
                        "name": "-Z, --zero",
                        "lines": 6,
                        "flag": "-Z",
                        "long": "--zero"
                    },
                    {
                        "name": "-L, --list",
                        "lines": 30,
                        "flag": "-L",
                        "long": "--list"
                    },
                    {
                        "name": "-N, --new-chain",
                        "lines": 9,
                        "flag": "-N",
                        "long": "--new-chain"
                    },
                    {
                        "name": "-X, --delete-chain",
                        "lines": 5,
                        "flag": "-X",
                        "long": "--delete-chain"
                    },
                    {
                        "name": "-E, --rename-chain",
                        "lines": 11,
                        "flag": "-E",
                        "long": "--rename-chain"
                    },
                    {
                        "name": "--init-table",
                        "lines": 2,
                        "long": "--init-table"
                    },
                    {
                        "name": "--atomic-init",
                        "lines": 6,
                        "long": "--atomic-init"
                    },
                    {
                        "name": "--atomic-save",
                        "lines": 6,
                        "long": "--atomic-save"
                    },
                    {
                        "name": "--atomic-commit",
                        "lines": 14,
                        "long": "--atomic-commit"
                    },
                    {
                        "name": "-V, --version",
                        "lines": 2,
                        "flag": "-V",
                        "long": "--version"
                    },
                    {
                        "name": "-h, --help [list of module names]",
                        "lines": 23,
                        "flag": "-h",
                        "long": "--help"
                    },
                    {
                        "name": "--concurrent",
                        "lines": 244,
                        "long": "--concurrent"
                    },
                    {
                        "name": "--limit [value]",
                        "lines": 4,
                        "long": "--limit",
                        "arg": "[value]"
                    },
                    {
                        "name": "--limit-burst [number]",
                        "lines": 102,
                        "long": "--limit-burst",
                        "arg": "[number]"
                    },
                    {
                        "name": "--log",
                        "lines": 11,
                        "long": "--log"
                    },
                    {
                        "name": "--log-ip",
                        "lines": 3,
                        "long": "--log-ip"
                    },
                    {
                        "name": "--log-ip6",
                        "lines": 4,
                        "long": "--log-ip6"
                    },
                    {
                        "name": "--log-arp",
                        "lines": 11,
                        "long": "--log-arp"
                    },
                    {
                        "name": "--nflog",
                        "lines": 40,
                        "long": "--nflog"
                    },
                    {
                        "name": "--ulog",
                        "lines": 123,
                        "long": "--ulog"
                    },
                    {
                        "name": "--snat-arp",
                        "lines": 4,
                        "long": "--snat-arp"
                    }
                ]
            },
            {
                "name": "FILES",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "ENVIRONMENT VARIABLES",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "MAILINGLISTS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "BUGS",
                "lines": 4,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 5,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "ebtables - Ethernet bridge frame table administration (nft-based)\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "ebtables  [-t  table  ]  -[ACDI] chain rule specification [match exten-\nsions] [watcher extensions] target\nebtables [-t table ] -P chain ACCEPT | DROP | RETURN\nebtables [-t table ] -F [chain]\nebtables [-t table ] -Z [chain]\nebtables [-t table ] -L  [-Z]  [chain]  [  [--Ln]  |  [--Lx]  ]  [--Lc]\n[--Lmac2]\nebtables [-t table ] -N chain [-P ACCEPT | DROP | RETURN]\nebtables [-t table ] -X [chain]\nebtables [-t table ] -E old-chain-name new-chain-name\nebtables [-t table ] --init-table\nebtables [-t table ] [--atomic-file file] --atomic-commit\nebtables [-t table ] [--atomic-file file] --atomic-init\nebtables [-t table ] [--atomic-file file] --atomic-save\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "ebtables  is an application program used to set up and maintain the ta-\nbles of rules (inside the Linux kernel) that inspect  Ethernet  frames.\nIt  is analogous to the iptables application, but less complicated, due\nto the fact that the Ethernet protocol is much simpler than the IP pro-\ntocol.\n\nCHAINS\nThere are two ebtables tables with built-in chains in the Linux kernel.\nThese tables are used to divide functionality into  different  sets  of\nrules.  Each  set of rules is called a chain.  Each chain is an ordered\nlist of rules that can match Ethernet frames. If a rule matches an Eth-\nernet frame, then a processing specification tells what to do with that\nmatching frame. The processing specification is called a 'target'. How-\never,  if  the frame does not match the current rule in the chain, then\nthe next rule in the chain is examined and so forth.  The user can cre-\nate  new  (user-defined)  chains  that can be used as the 'target' of a\nrule. User-defined chains are very useful  to  get  better  performance\nover  the  linear  traversal  of  the  rules and are also essential for\nstructuring the filtering rules into  well-organized  and  maintainable\nsets of rules.\n\nTARGETS\nA  firewall  rule  specifies criteria for an Ethernet frame and a frame\nprocessing specification called a target.  When a frame matches a rule,\nthen  the  next action performed by the kernel is specified by the tar-\nget.  The target can be one of these values:  ACCEPT,  DROP,  CONTINUE,\nRETURN, an 'extension' (see below) or a jump to a user-defined chain.\n\nACCEPT  means to let the frame through.  DROP means the frame has to be\ndropped.  CONTINUE means the next rule has to be checked. This  can  be\nhandy, f.e., to know how many frames pass a certain point in the chain,\nto log those frames or to apply multiple targets on  a  frame.   RETURN\nmeans  stop  traversing  this  chain and resume at the next rule in the\nprevious (calling) chain.  
For the extension targets  please  refer  to\nthe TARGET EXTENSIONS section of this man page.\n\nTABLES\nAs  stated  earlier, there are two ebtables tables in the Linux kernel.\nThe table names are filter and nat.  Of these two  tables,  the  filter\ntable  is  the  default table that the command operates on.  If you are\nworking with the filter table, then you can drop the '-t filter'  argu-\nment to the ebtables command.  However, you will need to provide the -t\nargument for nat table.  Moreover, the -t argument must  be  the  first\nargument on the ebtables command line, if used.\n",
                "subsections": [
                    {
                        "name": "-t, --table",
                        "content": "filter  is the default table and contains three built-in chains:\nINPUT (for frames destined for the bridge itself, on  the  level\nof  the  MAC destination address), OUTPUT (for locally-generated\nor (b)routed frames) and FORWARD (for frames being forwarded  by\nthe bridge).\nnat  is  mostly  used  to  change the mac addresses and contains\nthree built-in chains: PREROUTING (for altering frames  as  soon\nas  they  come  in),  OUTPUT  (for altering locally generated or\n(b)routed frames before they are bridged) and  POSTROUTING  (for\naltering  frames  as  they are about to go out). A small note on\nthe naming of chains PREROUTING and  POSTROUTING:  it  would  be\nmore accurate to call them PREFORWARDING and POSTFORWARDING, but\nfor all those who come from the iptables world to ebtables it is\neasier to have the same names. Note that you can change the name\n(-E) if you don't like the default.\n",
                        "flag": "-t",
                        "long": "--table"
                    }
                ]
            },
            "EBTABLES COMMAND LINE ARGUMENTS": {
                "content": "After the initial ebtables '-t table' command line  argument,  the  re-\nmaining arguments can be divided into several groups.  These groups are\ncommands, miscellaneous commands,  rule  specifications,  match  exten-\nsions, watcher extensions and target extensions.\n\nCOMMANDS\nThe  ebtables  command  arguments specify the actions to perform on the\ntable defined with the -t argument.  If you do not use the -t  argument\nto  name a table, the commands apply to the default filter table.  Only\none command may be used on the command line at a time, except when  the\ncommands  -L  and -Z are combined, the commands -N and -P are combined,\nor when --atomic-file is used.\n",
                "subsections": [
                    {
                        "name": "-A, --append",
                        "content": "Append a rule to the end of the selected chain.\n",
                        "flag": "-A",
                        "long": "--append"
                    },
                    {
                        "name": "-D, --delete",
                        "content": "Delete the specified rule or  rules  from  the  selected  chain.\nThere are two ways to use this command. The first is by specify-\ning an interval of rule numbers to delete (directly  after  -D).\nSyntax:  startnr[:endnr]  (use  -L --Ln to list the rules with\ntheir rule number). When endnr is omitted, all  rules  starting\nfrom  startnr  are  deleted. Using negative numbers is allowed,\nfor more details about using negative numbers, see the  -I  com-\nmand.  The second usage is by specifying the complete rule as it\nwould have been specified when it was added. Only the first  en-\ncountered rule that is the same as this specified rule, in other\nwords the matching rule with the lowest (positive) rule  number,\nis deleted.\n",
                        "flag": "-D",
                        "long": "--delete"
                    },
                    {
                        "name": "-C, --change-counters",
                        "content": "Change  the counters of the specified rule or rules from the se-\nlected chain. There are two ways to use this command. The  first\nis  by  specifying an interval of rule numbers to do the changes\non (directly after -C).  Syntax: startnr[:endnr] (use -L  --Ln\nto  list  the rules with their rule number). The details are the\nsame as for the -D command. The second usage  is  by  specifying\nthe  complete  rule  as it would have been specified when it was\nadded. Only the counters of the first encountered rule  that  is\nthe  same  as  this  specified rule, in other words the matching\nrule with the lowest (positive) rule number,  are  changed.   In\nthe  first  usage, the counters are specified directly after the\ninterval specification, in the second usage directly  after  -C.\nFirst the packet counter is specified, then the byte counter. If\nthe specified counters start with a '+', the counter values  are\nadded  to  the respective current counter values.  If the speci-\nfied counters start with a '-', the counter values are decreased\nfrom  the  respective current counter values. No bounds checking\nis done. If the counters don't start with '+' or '-',  the  cur-\nrent counters are changed to the specified counters.\n",
                        "flag": "-C",
                        "long": "--change-counters"
                    },
                    {
                        "name": "-I, --insert",
                        "content": "Insert  the specified rule into the selected chain at the speci-\nfied rule number. If the rule number is not specified, the  rule\nis  added  at  the  head of the chain.  If the current number of\nrules equals N, then the specified number can be between -N  and\nN+1.  For a positive number i, it holds that i and i-N-1 specify\nthe same place in the chain where the rule should  be  inserted.\nThe  rule number 0 specifies the place past the last rule in the\nchain and using this number is therefore equivalent to using the\n-A  command.  Rule numbers structly smaller than 0 can be useful\nwhen more than one rule needs to be inserted in a chain.\n",
                        "flag": "-I",
                        "long": "--insert"
                    },
                    {
                        "name": "-P, --policy",
                        "content": "Set the policy for the chain to the given target. The policy can\nbe ACCEPT, DROP or RETURN.\n",
                        "flag": "-P",
                        "long": "--policy"
                    },
                    {
                        "name": "-F, --flush",
                        "content": "Flush  the  selected  chain. If no chain is selected, then every\nchain will be flushed. Flushing a chain does not change the pol-\nicy of the chain, however.\n",
                        "flag": "-F",
                        "long": "--flush"
                    },
                    {
                        "name": "-Z, --zero",
                        "content": "Set  the  counters of the selected chain to zero. If no chain is\nselected, all the counters are set to zero. The -Z  command  can\nbe  used  in  conjunction with the -L command.  When both the -Z\nand -L commands are used together in this way, the rule counters\nare printed on the screen before they are set to zero.\n",
                        "flag": "-Z",
                        "long": "--zero"
                    },
                    {
                        "name": "-L, --list",
                        "content": "List  all  rules in the selected chain. If no chain is selected,\nall chains are listed.\nThe following options change the output of the -L command.\n--Ln\nPlaces the rule number in front of every rule.  This  option  is\nincompatible with the --Lx option.\n--Lc\nShows  the  counters at the end of each rule displayed by the -L\ncommand. Both a frame counter (pcnt) and a byte  counter  (bcnt)\nare  displayed.   The  frame  counter shows how many frames have\nmatched the specific rule, the byte counter shows the sum of the\nframe  sizes of these matching frames. Using this option in com-\nbination with the --Lx option causes the counters to be  written\nout in the '-c <pcnt> <bcnt>' option format.\n--Lx\nChanges  the  output  so that it produces a set of ebtables com-\nmands that construct the contents of the chain, when  specified.\nIf  no  chain  is  specified, ebtables commands to construct the\ncontents of the table are given, including commands for creating\nthe  user-defined chains (if any).  You can use this set of com-\nmands in an ebtables boot or reload  script.   For  example  the\noutput  could be used at system startup.  The --Lx option is in-\ncompatible with the --Ln listing option. Using the  --Lx  option\ntogether  with  the  --Lc  option  will cause the counters to be\nwritten out in the '-c <pcnt> <bcnt>' option format.\n--Lmac2\nShows all MAC addresses with the same length, adding leading ze-\nroes  if necessary. The default representation omits leading ze-\nroes in the addresses.\n",
                        "flag": "-L",
                        "long": "--list"
                    },
                    {
                        "name": "-N, --new-chain",
                        "content": "Create a new user-defined chain with the given name. The  number\nof user-defined chains is limited only by the number of possible\nchain names.  A user-defined chain name has a maximum length  of\n31  characters. The standard policy of the user-defined chain is\nACCEPT. The policy of the new chain can be initialized to a dif-\nferent standard target by using the -P command together with the\n-N command. In this case, the chain name does  not  have  to  be\nspecified for the -P command.\n",
                        "flag": "-N",
                        "long": "--new-chain"
                    },
                    {
                        "name": "-X, --delete-chain",
                        "content": "Delete  the  specified  user-defined chain. There must be no re-\nmaining references (jumps) to  the  specified  chain,  otherwise\nebtables will refuse to delete it. If no chain is specified, all\nuser-defined chains that aren't referenced will be removed.\n",
                        "flag": "-X",
                        "long": "--delete-chain"
                    },
                    {
                        "name": "-E, --rename-chain",
                        "content": "Rename the specified chain to a new name.   Besides  renaming  a\nuser-defined  chain,  you  can rename a standard chain to a name\nthat suits your taste. For example, if  you  like  PREFORWARDING\nmore  than PREROUTING, then you can use the -E command to rename\nthe PREROUTING chain. If you do rename one of the standard ebta-\nbles chain names, please be sure to mention this fact should you\npost a question on the ebtables mailing lists.  It would be wise\nto use the standard name in your post. Renaming a standard ebta-\nbles chain in this fashion has no effect  on  the  structure  or\nfunctioning of the ebtables kernel table.\n",
                        "flag": "-E",
                        "long": "--rename-chain"
                    },
                    {
                        "name": "--init-table",
                        "content": "Replace the current table data by the initial table data.\n",
                        "long": "--init-table"
                    },
                    {
                        "name": "--atomic-init",
                        "content": "Copy  the  kernel's  initial  data of the table to the specified\nfile. This can be used as the first action,  after  which  rules\nare  added  to  the  file.  The  file can be specified using the\n--atomic-file command or through the EBTABLESATOMICFILE  envi-\nronment variable.\n",
                        "long": "--atomic-init"
                    },
                    {
                        "name": "--atomic-save",
                        "content": "Copy  the  kernel's  current  data of the table to the specified\nfile. This can be used as the first action,  after  which  rules\nare  added  to  the  file.  The  file can be specified using the\n--atomic-file command or through the EBTABLESATOMICFILE  envi-\nronment variable.\n",
                        "long": "--atomic-save"
                    },
                    {
                        "name": "--atomic-commit",
                        "content": "Replace  the  kernel  table  data with the data contained in the\nspecified file. This is a useful command that allows you to load\nall  your rules of a certain table into the kernel at once, sav-\ning the kernel a lot of precious time and  allowing  atomic  up-\ndates  of  the tables. The file which contains the table data is\nconstructed by using either the --atomic-init or  the  --atomic-\nsave  command to generate a starting file. After that, using the\n--atomic-file command when constructing  rules  or  setting  the\nEBTABLESATOMICFILE  environment  variable allows you to extend\nthe file and build the complete table before  committing  it  to\nthe  kernel.  This command can be very useful in boot scripts to\npopulate the ebtables tables in a fast way.\n\nMISCELLANOUS COMMANDS",
                        "long": "--atomic-commit"
                    },
                    {
                        "name": "-V, --version",
                        "content": "Show the version of the ebtables userspace program.\n",
                        "flag": "-V",
                        "long": "--version"
                    },
                    {
                        "name": "-h, --help [list of module names]",
                        "content": "Give a brief description of the command  syntax.  Here  you  can\nalso  specify names of extensions and ebtables will try to write\nhelp about those extensions. E.g.  ebtables -h snat log ip  arp.\nSpecify  listextensions to list all extensions supported by the\nuserspace utility.\n\n-j, --jump target\nThe target of the rule. This is one of the following values: AC-\nCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET EX-\nTENSIONS) or a user-defined chain name.\n\n--atomic-file file\nLet the command operate on the specified file.  The data of  the\ntable  to operate on will be extracted from the file and the re-\nsult of the operation will be saved back into the file. If spec-\nified, this option should come before the command specification.\nAn alternative that should be preferred, is  setting  the  EBTA-\nBLESATOMICFILE environment variable.\n\n-M, --modprobe program\nWhen talking to the kernel, use this program to try to automati-\ncally load missing kernel modules.\n",
                        "flag": "-h",
                        "long": "--help"
                    },
                    {
                        "name": "--concurrent",
                        "content": "Use a file lock to support concurrent scripts updating the ebta-\nbles kernel tables.\n\nRULE SPECIFICATIONS\nThe  following  command line arguments make up a rule specification (as\nused in the add and delete commands). A \"!\" option before the  specifi-\ncation  inverts the test for that specification. Apart from these stan-\ndard rule specifications there are some other command line arguments of\ninterest.  See both the MATCH EXTENSIONS and the WATCHER EXTENSIONS be-\nlow.\n\n-p, --protocol [!] protocol\nThe protocol that was responsible for creating the  frame.  This\ncan  be  a hexadecimal number, above 0x0600, a name (e.g.  ARP )\nor LENGTH.  The protocol field of the Ethernet frame can be used\nto  denote the length of the header (802.2/802.3 networks). When\nthe value of that field is below or  equals  0x0600,  the  value\nequals  the size of the header and shouldn't be used as a proto-\ncol number. Instead, all frames where the protocol field is used\nas  the  length  field are assumed to be of the same 'protocol'.\nThe protocol name used in ebtables for these frames is LENGTH.\nThe file /etc/ethertypes can be used to show readable characters\ninstead  of  hexadecimal numbers for the protocols. For example,\n0x0800 will be represented by IPV4.  The use of this file is not\ncase  sensitive.   See  that file for more information. The flag\n--proto is an alias for this option.\n\n-i, --in-interface [!] name\nThe interface (bridge port) via which a frame is received  (this\noption  is useful in the INPUT, FORWARD, PREROUTING and BROUTING\nchains). If the interface name ends with '+', then any interface\nname  that  begins with this name (disregarding '+') will match.\nThe flag --in-if is an alias for this option.\n\n--logical-in [!] name\nThe (logical) bridge interface via which  a  frame  is  received\n(this  option  is  useful  in the INPUT, FORWARD, PREROUTING and\nBROUTING chains).  
If the interface name ends with '+', then any\ninterface  name  that  begins  with this name (disregarding '+')\nwill match.\n\n-o, --out-interface [!] name\nThe interface (bridge port) via which a frame  is  going  to  be\nsent (this option is useful in the OUTPUT, FORWARD and POSTROUT-\nING chains). If the interface name ends with '+', then  any  in-\nterface  name that begins with this name (disregarding '+') will\nmatch.  The flag --out-if is an alias for this option.\n\n--logical-out [!] name\nThe (logical) bridge interface via which a frame is going to  be\nsent (this option is useful in the OUTPUT, FORWARD and POSTROUT-\nING chains).  If the interface name ends with '+', then any  in-\nterface  name that begins with this name (disregarding '+') will\nmatch.\n\n-s, --source [!] address[/mask]\nThe source MAC address. Both mask and address are written  as  6\nhexadecimal  numbers  separated by colons. Alternatively one can\nspecify Unicast, Multicast, Broadcast or BGA (Bridge  Group  Ad-\ndress):\nUnicast=00:00:00:00:00:00/01:00:00:00:00:00,              Multi-\ncast=01:00:00:00:00:00/01:00:00:00:00:00,                 Broad-\ncast=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff                      or\nBGA=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff.  Note that a  broadcast\naddress  will  also  match the multicast specification. The flag\n--src is an alias for this option.\n\n-d, --destination [!] address[/mask]\nThe destination MAC address. See -s (above) for more details  on\nMAC addresses. The flag --dst is an alias for this option.\n\n-c, --set-counter pcnt bcnt\nIf  used with -A or -I, then the packet and byte counters of the\nnew rule will be set to pcnt, resp. bcnt.  If used with  the  -C\nor -D commands, only rules with a packet and byte count equal to\npcnt, resp. 
bcnt will match.\n\nMATCH EXTENSIONS\nEbtables extensions are dynamically loaded  into  the  userspace  tool,\nthere  is  therefore  no  need to explicitly load them with a -m option\nlike is done in iptables.  These  extensions  deal  with  functionality\nsupported by kernel modules supplemental to the core ebtables code.\n\n8023\nSpecify  802.3  DSAP/SSAP  fields  or  SNAP type.  The protocol must be\nspecified as LENGTH (see the option  -p above).\n\n--8023-sap [!] sap\nDSAP and SSAP are two one byte 802.3 fields.  The bytes are  al-\nways equal, so only one byte (hexadecimal) is needed as an argu-\nment.\n\n--8023-type [!] type\nIf the 802.3 DSAP and SSAP values are 0xaa then  the  SNAP  type\nfield must be consulted to determine the payload protocol.  This\nis a two byte (hexadecimal) argument.  Only  802.3  frames  with\nDSAP/SSAP 0xaa are checked for type.\n\namong\nMatch  a  MAC  address  or MAC/IP address pair versus a list of MAC ad-\ndresses and MAC/IP address pairs.  A list entry has the following  for-\nmat: xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]. Multiple list entries are sep-\narated by a comma, specifying an IP address corresponding  to  the  MAC\naddress  is  optional.  Multiple MAC/IP address pairs with the same MAC\naddress but different IP address (and vice versa) can be specified.  If\nthe  MAC  address  doesn't  match  any  entry  from the list, the frame\ndoesn't match the rule (unless \"!\" was used).\n\n--among-dst [!] list\nCompare the MAC destination to the given list. If  the  Ethernet\nframe has type IPv4 or ARP, then comparison with MAC/IP destina-\ntion address pairs from the list is possible.\n\n--among-src [!] list\nCompare the MAC source to the given list. If the Ethernet  frame\nhas type IPv4 or ARP, then comparison with MAC/IP source address\npairs from the list is possible.\n\n--among-dst-file [!] file\nSame as --among-dst but the list is read in from  the  specified\nfile.\n\n--among-src-file [!] 
file\nSame  as  --among-src but the list is read in from the specified\nfile.\n\narp\nSpecify (R)ARP fields. The protocol must be specified as ARP or RARP.\n\n--arp-opcode [!] opcode\nThe (R)ARP opcode (decimal or a string,  for  more  details  see\nebtables -h arp).\n\n--arp-htype [!] hardware type\nThe  hardware type, this can be a decimal or the string Ethernet\n(which sets type to 1). Most  (R)ARP  packets  have  Ethernet  as\nhardware type.\n\n--arp-ptype [!] protocol type\nThe  protocol  type for which the (R)ARP is used (hexadecimal or\nthe string IPv4, denoting 0x0800).   Most  (R)ARP  packets  have\nprotocol type IPv4.\n\n--arp-ip-src [!] address[/mask]\nThe (R)ARP IP source address specification.\n\n--arp-ip-dst [!] address[/mask]\nThe (R)ARP IP destination address specification.\n\n--arp-mac-src [!] address[/mask]\nThe (R)ARP MAC source address specification.\n\n--arp-mac-dst [!] address[/mask]\nThe (R)ARP MAC destination address specification.\n\n[!] --arp-gratuitous\nChecks  for  ARP  gratuitous  packets:  checks  equality of IPv4\nsource address and  IPv4  destination  address  inside  the  ARP\nheader.\n\nip\nSpecify IPv4 fields. The protocol must be specified as IPv4.\n\n--ip-source [!] address[/mask]\nThe  source  IP address.  The flag --ip-src is an alias for this\noption.\n\n--ip-destination [!] address[/mask]\nThe destination IP address.  The flag --ip-dst is an  alias  for\nthis option.\n\n--ip-tos [!] tos\nThe IP type of service, in hexadecimal numbers.  IPv4.\n\n--ip-protocol [!] protocol\nThe  IP  protocol.  The flag --ip-proto is an alias for this op-\ntion.\n\n--ip-source-port [!] port1[:port2]\nThe source port or port range for the IP protocols 6  (TCP),  17\n(UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be\nspecified as TCP, UDP, DCCP  or  SCTP.   If  port1  is  omitted,\n0:port2  is  used; if port2 is omitted but a colon is specified,\nport1:65535 is used.  
The flag --ip-sport is an alias  for  this\noption.\n\n--ip-destination-port [!] port1[:port2]\nThe  destination port or port range for ip protocols 6 (TCP), 17\n(UDP), 33 (DCCP) or 132 (SCTP). The --ip-protocol option must be\nspecified  as  TCP,  UDP,  DCCP  or  SCTP.  If port1 is omitted,\n0:port2 is used; if port2 is omitted but a colon  is  specified,\nport1:65535  is  used.  The flag --ip-dport is an alias for this\noption.\n\nip6\nSpecify IPv6 fields. The protocol must be specified as IPv6.\n\n--ip6-source [!] address[/mask]\nThe source IPv6 address.  The flag --ip6-src  is  an  alias  for\nthis option.\n\n--ip6-destination [!] address[/mask]\nThe  destination  IPv6  address.  The flag --ip6-dst is an alias\nfor this option.\n\n--ip6-tclass [!] tclass\nThe IPv6 traffic class, in hexadecimal numbers.\n\n--ip6-protocol [!] protocol\nThe IP protocol.  The flag --ip6-proto is an alias for this  op-\ntion.\n\n--ip6-source-port [!] port1[:port2]\nThe source port or port range for the IPv6 protocols 6 (TCP), 17\n(UDP), 33 (DCCP) or 132 (SCTP). The --ip6-protocol  option  must\nbe  specified  as  TCP, UDP, DCCP or SCTP.  If port1 is omitted,\n0:port2 is used; if port2 is omitted but a colon  is  specified,\nport1:65535  is used.  The flag --ip6-sport is an alias for this\noption.\n\n--ip6-destination-port [!] port1[:port2]\nThe destination port or port range for IPv6 protocols  6  (TCP),\n17  (UDP),  33  (DCCP)  or 132 (SCTP). The --ip6-protocol option\nmust be specified as TCP, UDP, DCCP or SCTP.  If port1 is  omit-\nted,  0:port2 is used; if port2 is omitted but a colon is speci-\nfied, port1:65535 is used.  The flag --ip6-dport is an alias for\nthis option.\n\n--ip6-icmp-type [!] {type[:type]/code[:code]|typename}\nSpecify  ipv6-icmp type and code to match.  Ranges for both type\nand code are supported. Type and code are separated by a  slash.\nValid  numbers for type and range are 0 to 255.  
To match a sin-\ngle type including all valid codes, symbolic names can  be  used\ninstead of numbers. The list of known type names is shown by the\ncommand\nebtables --help ip6\nThis option is only valid for --ip6-protocol ipv6-icmp.\n\nlimit\nThis module matches at a limited rate using a token bucket  filter.   A\nrule  using  this extension will match until this limit is reached.  It\ncan be used with the --log watcher to give limited logging,  for  exam-\nple. Its use is the same as the limit match of iptables.\n",
                        "long": "--concurrent"
                    },
                    {
                        "name": "--limit [value]",
                        "content": "Maximum  average  matching  rate: specified as a number, with an\noptional /second, /minute, /hour, or /day suffix; the default is\n3/hour.\n",
                        "long": "--limit",
                        "arg": "[value]"
                    },
                    {
                        "name": "--limit-burst [number]",
                        "content": "Maximum  initial  number  of  packets to match: this number gets\nrecharged by one every time the limit  specified  above  is  not\nreached, up to this number; the default is 5.\n\nmark_m\n--mark [!] [value][/mask]\nMatches  frames  with  the given unsigned mark value. If a value\nand mask are specified, the logical AND of the mark value of the\nframe  and  the user-specified mask is taken before comparing it\nwith the user-specified mark value. When only a  mark  value  is\nspecified,  the  packet  only matches when the mark value of the\nframe equals the user-specified mark value.  If only a  mask  is\nspecified,  the  logical  AND of the mark value of the frame and\nthe user-specified mask is taken and the frame matches when  the\nresult  of  this logical AND is non-zero. Only specifying a mask\nis useful to match multiple mark values.\n\npkttype\n--pkttype-type [!] type\nMatches on the Ethernet \"class\" of the frame,  which  is  deter-\nmined by the generic networking code. Possible values: broadcast\n(MAC destination is the broadcast address), multicast (MAC  des-\ntination  is  a multicast address), host (MAC destination is the\nreceiving network device), or otherhost (none of the above).\n\nstp\nSpecify stp BPDU (bridge protocol data unit)  fields.  The  destination\naddress  (-d) must be specified as the bridge group address (BGA).  For\nall options for which a range of values can be specified, it holds that\nif  the  lower bound is omitted (but the colon is not), then the lowest\npossible lower bound for that option is used, while if the upper  bound\nis  omitted  (but  the  colon again is not), the highest possible upper\nbound for that option is used.\n\n--stp-type [!] type\nThe BPDU type (0-255), recognized non-numerical types  are  con-\nfig,  denoting  a  configuration BPDU (=0), and tcn, denoting a\ntopology change notification BPDU (=128).\n\n--stp-flags [!] 
flag\nThe BPDU flag (0-255), recognized non-numerical flags are topol-\nogy-change,  denoting  the topology change flag (=1), and topol-\nogy-change-ack, denoting  the  topology  change  acknowledgement\nflag (=128).\n\n--stp-root-prio [!] [prio][:prio]\nThe root priority (0-65535) range.\n\n--stp-root-addr [!] [address][/mask]\nThe root mac address, see the option -s for more details.\n\n--stp-root-cost [!] [cost][:cost]\nThe root path cost (0-4294967295) range.\n\n--stp-sender-prio [!] [prio][:prio]\nThe BPDU's sender priority (0-65535) range.\n\n--stp-sender-addr [!] [address][/mask]\nThe  BPDU's  sender  mac address, see the option -s for more de-\ntails.\n\n--stp-port [!] [port][:port]\nThe port identifier (0-65535) range.\n\n--stp-msg-age [!] [age][:age]\nThe message age timer (0-65535) range.\n\n--stp-max-age [!] [age][:age]\nThe max age timer (0-65535) range.\n\n--stp-hello-time [!] [time][:time]\nThe hello time timer (0-65535) range.\n\n--stp-forward-delay [!] [delay][:delay]\nThe forward delay timer (0-65535) range.\n\nvlan\nSpecify 802.1Q Tag Control Information fields.  The  protocol  must  be\nspecified as 8021Q (0x8100).\n\n--vlan-id [!] id\nThe VLAN identifier field (VID). Decimal number from 0 to 4095.\n\n--vlan-prio [!] prio\nThe  user priority field, a decimal number from 0 to 7.  The VID\nshould be set to 0 (\"null VID\") or unspecified  (in  the  latter\ncase the VID is deliberately set to 0).\n\n--vlan-encap [!] type\nThe  encapsulated  Ethernet  frame  type/length.  Specified as a\nhexadecimal number from 0x0000 to 0xFFFF or as a  symbolic  name\nfrom /etc/ethertypes.\n\nWATCHER EXTENSIONS\nWatchers only look at frames passing by, they don't modify them nor de-\ncide to accept the frames or not. These watchers only see the frame  if\nthe  frame  matches the rule, and they see it before the target is exe-\ncuted.\n\nlog\nThe log watcher writes descriptive data about a frame to the syslog.\n",
                        "long": "--limit-burst",
                        "arg": "[number]"
                    },
                    {
                        "name": "--log",
                        "content": "Log with the default logging options: log-level=  info,  log-pre-\nfix=\"\", no ip logging, no arp logging.\n\n--log-level level\nDefines the logging level. For the possible values, see ebtables\n-h log.  The default level is info.\n\n--log-prefix text\nDefines the prefix text to be printed at the  beginning  of  the\nline with the logging information.\n",
                        "long": "--log"
                    },
                    {
                        "name": "--log-ip",
                        "content": "Will log the ip information when a frame made by the ip protocol\nmatches the rule. The default is no ip information logging.\n",
                        "long": "--log-ip"
                    },
                    {
                        "name": "--log-ip6",
                        "content": "Will log the ipv6 information when a frame made by the ipv6 pro-\ntocol  matches the rule. The default is no ipv6 information log-\nging.\n",
                        "long": "--log-ip6"
                    },
                    {
                        "name": "--log-arp",
                        "content": "Will log the (r)arp information when a frame made by the  (r)arp\nprotocols matches the rule. The default is no (r)arp information\nlogging.\n\nnflog\nThe nflog watcher passes the packet to the loaded  logging  backend  in\norder  to  log  the  packet.  This  is usually used in combination with\nnfnetlink_log as logging  backend,  which  will  multicast  the  packet\nthrough  a netlink socket to the specified multicast group. One or more\nuserspace processes may subscribe to the group to receive the packets.\n",
                        "long": "--log-arp"
                    },
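                    {
                        "name": "Example: anti-spoofing policy for bridge guest ports (added example)",
                        "content": "The rule-specification options, the among, arp, stp and vlan matches and the limit and log watchers described above are most useful in combination. What follows is an added example, not text or code from the ebtables man page or from the netfilter project: a Python script that generates a filter-table policy for the guest ports of a Linux bridge, so that each port may only send frames carrying its bound MAC, IPv4 and ARP sender addresses, may neither tag frames nor emit BPDUs, and so that violations are logged at a limited rate and then dropped. The chain names GUEST_IN and GUEST_DROP, the port names vnet0 and vnet1 and all addresses are assumptions made for this example; the script prints the ebtables commands unless it is run with --apply.

```python
#!/usr/bin/env python3
# Added example, not part of the ebtables man page or of netfilter itself:
# generate an anti-spoofing ebtables policy for the guest ports of a Linux
# bridge. Port names, MAC and IP addresses are a constructed sample.
import ipaddress
import re
import shlex
import subprocess
import sys

MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$')

# Constructed sample: each guest port carries exactly one MAC, which may own
# more than one IPv4 address.
BINDINGS = {
    'vnet0': ('52:54:00:12:34:56', ['10.0.0.11']),
    'vnet1': ('52:54:00:AB:CD:EF', ['10.0.0.12', '10.0.0.13']),
}


def among_list(mac, ips):
    # Format the pairs the way --among-src wants them: mac=ip,mac=ip,...
    # ebtables rejects a malformed address, but a well-formed wrong one (a
    # typo in the binding table) silently widens what is allowed, so check.
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f'bad MAC address: {mac}')
    for ip in ips:
        ipaddress.IPv4Address(ip)   # raises on anything that is not IPv4
    return ','.join(f'{mac}={ip}' for ip in ips)


def guard_rules(bindings, chain='GUEST_IN', drop='GUEST_DROP'):
    # Argument lists for the filter table, in the order they must be run.
    rules = [
        ['-N', drop],
        # Log through a token bucket, then drop. The limit belongs on the
        # logging rule with -j CONTINUE: a rule carrying both --limit and
        # -j DROP stops matching once the bucket is empty and lets the
        # excess frames through.
        ['-A', drop, '--limit', '10/minute', '--limit-burst', '20',
         '--log', '--log-level', 'warning', '--log-prefix', 'ebt-guest-drop:',
         '--log-ip', '--log-arp', '-j', 'CONTINUE'],
        ['-A', drop, '-j', 'DROP'],
        ['-N', chain],
    ]
    for port, (mac, ips) in sorted(bindings.items()):
        pairs = among_list(mac, ips)
        mac = mac.lower()
        rules += [
            # Ethernet source MAC, whatever the payload. A pair list cannot
            # do this: among only pairs MACs with IPs for IPv4 and ARP.
            ['-A', chain, '-i', port, '-s', '!', mac, '-j', drop],
            # 802.1Q-tagged frames carry ethertype 8021Q and would slip past
            # the -p IPv4 / -p ARP rules below, so guests may not tag.
            ['-A', chain, '-i', port, '-p', '8021Q', '-j', drop],
            # STP BPDUs go to the bridge group address; a guest must not
            # take part in the bridge topology.
            ['-A', chain, '-i', port, '-d', 'BGA', '-j', drop],
            # IPv4 and ARP: the Ethernet source MAC together with the IP
            # source (ARP sender IP) must be a listed pair.
            ['-A', chain, '-i', port, '-p', 'IPv4',
             '--among-src', '!', pairs, '-j', drop],
            ['-A', chain, '-i', port, '-p', 'ARP',
             '--among-src', '!', pairs, '-j', drop],
            # The ARP sender hardware address is not what among compares,
            # so pin it explicitly against ARP cache poisoning.
            ['-A', chain, '-i', port, '-p', 'ARP',
             '--arp-mac-src', '!', mac, '-j', drop],
        ]
    # Guest frames reach the host (INPUT) or cross the bridge (FORWARD);
    # -i names the bridge port and is valid in both chains. IPv6 sources
    # are not checked here; add ip6 rules if the guests speak IPv6.
    rules.append(['-I', 'INPUT', '1', '-j', chain])
    rules.append(['-I', 'FORWARD', '1', '-j', chain])
    return rules


def render(args):
    # One rule as a shell command line, for review before applying.
    return shlex.join(['ebtables', '-t', 'filter'] + args)


def apply_rules(rules):
    for args in rules:
        subprocess.run(['ebtables', '-t', 'filter'] + args, check=True)


if __name__ == '__main__':
    rules = guard_rules(BINDINGS)
    if sys.argv[1:] == ['--apply']:
        apply_rules(rules)   # needs root and the bridge netfilter modules
    else:
        for args in rules:
            print(render(args))
```

Review the printed commands first, then run the script as root with --apply (the bridge and the ebtables extension modules must be available). The order inside GUEST_DROP is the point to keep in mind: --limit sits on the logging rule with -j CONTINUE and the unconditional DROP follows it; with --limit and -j DROP on one rule, frames beyond the rate limit would stop matching and pass.
"
                    },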
                    {
                        "name": "--nflog",
                        "content": "Log with the default logging options.\n\n--nflog-group nlgroup\nThe netlink group (1 - 2^32-1) to which packets are sent (only appli-\ncable for nfnetlink_log). The default value is 1.\n\n--nflog-prefix prefix\nA  prefix string to include in the log message, up to 30 charac-\nters long, useful for distinguishing messages in the logs.\n\n--nflog-range size\nThe number of bytes to be copied to userspace  (only  applicable\nfor  nfnetlink_log).  nfnetlink_log  instances may specify their\nown range, this option overrides it.\n\n--nflog-threshold size\nNumber of packets to queue inside the kernel before sending them\nto  userspace (only applicable for nfnetlink_log). Higher values\nresult in less overhead per packet, but increase delay until the\npackets reach userspace. The default value is 1.\n\nulog\nThe  ulog watcher passes the packet to a userspace logging daemon using\nnetlink multicast sockets. This differs from the  log  watcher  in  the\nsense  that  the  complete packet is sent to userspace instead of a de-\nscriptive text and that netlink multicast sockets are used  instead  of\nthe  syslog.   This  watcher  enables parsing of packets with userspace\nprograms, the physical bridge in and out ports are also included in the\nnetlink  messages.   The  ulog watcher module accepts 2 parameters when\nthe module is loaded into the kernel  (e.g.  with  modprobe):  nlbufsiz\nspecifies  how  big  the buffer for each netlink multicast group is. If\nyou say nlbufsiz=8192, for example, up to eight kB of packets will  get\naccumulated  in  the kernel until they are sent to userspace. It is not\npossible to allocate more than 128kB. Please also  keep  in  mind  that\nthis  buffer  size  is allocated for each nlgroup you are using, so the\ntotal kernel memory usage increases by  that  factor.  The  default  is\n4096.  flushtimeout specifies after how many hundredths of a second the\nqueue should be flushed, even if it is not full yet. 
The default is  10\n(one tenth of a second).\n",
                        "long": "--nflog"
                    },
                    {
                        "name": "--ulog",
                        "content": "Use  the default settings: ulog-prefix=\"\", ulog-nlgroup=1, ulog-\ncprange=4096, ulog-qthreshold=1.\n\n--ulog-prefix text\nDefines the prefix included with the packets sent to userspace.\n\n--ulog-nlgroup group\nDefines which netlink group number to use (a number  from  1  to\n32).   Make sure the netlink group numbers used for the iptables\nULOG target  differ  from  those  used  for  the  ebtables  ulog\nwatcher.  The default group number is 1.\n\n--ulog-cprange range\nDefines  the maximum copy range to userspace, for packets match-\ning the rule. The default range is 0, which  means  the  maximum\ncopy  range  is  given by nlbufsiz.  A maximum copy range larger\nthan 128*1024 is meaningless as the packets  sent  to  userspace\nhave an upper size limit of 128*1024.\n\n--ulog-qthreshold threshold\nQueue at most threshold number of packets before sending them to\nuserspace with a netlink socket. Note that packets can  be  sent\nto  userspace  before  the  queue is full, this happens when the\nulog kernel timer goes off (the frequency of this timer  depends\non flushtimeout).\n\nTARGET EXTENSIONS\narpreply\nThe  arpreply target can be used in the PREROUTING chain of the nat ta-\nble.  If this target sees an ARP request it  will  automatically  reply\nwith an ARP reply. The used MAC address for the reply can be specified.\nThe protocol must be specified as ARP.  When the ARP message is not  an\nARP  request or when the ARP request isn't for an IP address on an Eth-\nernet network, it is ignored by this target (CONTINUE).  When  the  ARP\nrequest is malformed, it is dropped (DROP).\n\n--arpreply-mac address\nSpecifies the MAC address to reply with: the Ethernet source MAC\nand the ARP payload source MAC will be filled in with  this  ad-\ndress.\n\n--arpreply-target target\nSpecifies  the standard target. After sending the ARP reply, the\nrule still has to give a standard target so ebtables knows  what\nto do with the ARP request.  
The default target is DROP.\n\ndnat\nThe dnat target can only be used in the PREROUTING and OUTPUT chains of\nthe nat table.  It specifies that the destination MAC address has to be\nchanged.\n\n--to-destination address\nChange  the  destination  MAC  address to the specified address.\nThe flag --to-dst is an alias for this option.\n\n--dnat-target target\nSpecifies the standard target. After doing the  dnat,  the  rule\nstill has to give a standard target so ebtables knows what to do\nwith the dnated frame.  The default target is ACCEPT.  Making it\nCONTINUE  could  let  you  use multiple target extensions on the\nsame frame. Making it DROP only  makes  sense  in  the  BROUTING\nchain  but  using the redirect target is more logical there. RE-\nTURN is also allowed. Note that using RETURN in a base chain  is\nnot allowed (for obvious reasons).\n\nmark\nThe mark target can be used in every chain of every table. It is possi-\nble to use the marking of a frame/packet in both ebtables and iptables,\nif the bridge-nf code is compiled into the kernel. Both put the marking\nat the same place. This allows for  a  form  of  communication  between\nebtables and iptables.\n\n--mark-set value\nMark the frame with the specified non-negative value.\n\n--mark-or value\nOr the frame with the specified non-negative value.\n\n--mark-and value\nAnd the frame with the specified non-negative value.\n\n--mark-xor value\nXor the frame with the specified non-negative value.\n\n--mark-target target\nSpecifies the standard target. After marking the frame, the rule\nstill has to give a standard target so ebtables  knows  what  to\ndo.   The  default  target is ACCEPT. Making it CONTINUE can let\nyou do other things with the frame in subsequent  rules  of  the\nchain.\n\nredirect\nThe  redirect  target will change the MAC target address to that of the\nbridge device the frame arrived on. This target can only be used in the\nPREROUTING  chain  of  the nat table.  
The MAC address of the bridge is\nused as destination address.\n\n--redirect-target target\nSpecifies the standard target. After doing the MAC redirect, the\nrule  still has to give a standard target so ebtables knows what\nto do.  The default target is ACCEPT. Making it  CONTINUE  could\nlet you use multiple target extensions on the same frame. Making\nit DROP in the BROUTING chain will let the frames be routed. RE-\nTURN  is also allowed. Note that using RETURN in a base chain is\nnot allowed.\n\nsnat\nThe snat target can only be used in the POSTROUTING chain  of  the  nat\ntable.  It specifies that the source MAC address has to be changed.\n\n--to-source address\nChanges  the  source  MAC  address to the specified address. The\nflag --to-src is an alias for this option.\n\n--snat-target target\nSpecifies the standard target. After doing the  snat,  the  rule\nstill  has  to  give a standard target so ebtables knows what to\ndo.  The default target is ACCEPT. Making it CONTINUE could  let\nyou  use multiple target extensions on the same frame. Making it\nDROP doesn't make sense, but you could do that  too.  RETURN  is\nalso  allowed. Note that using RETURN in a base chain is not al-\nlowed.\n",
                        "long": "--ulog"
                    },
                    {
                        "name": "--snat-arp",
                        "content": "Also change the hardware source address inside the arp header if\nthe  packet is an arp message and the hardware address length in\nthe arp header is 6 bytes.\n",
                        "long": "--snat-arp"
                    }
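                    ,
                    {
                        "name": "Example: MAC NAT for a bridged guest (added example)",
                        "content": "The snat, dnat and arpreply targets above combine into MAC NAT: a guest on a bridge port appears on the uplink with the host's own MAC, which is what is needed when the uplink accepts frames from a single MAC only (switch port security, or a wireless client interface). The following is an added example, not code from the ebtables man page or from the netfilter project; the interface name eth0 and all addresses are a constructed sample, and the script only runs ebtables when started with --apply.

```python
#!/usr/bin/env python3
# Added example, not part of the ebtables man page or of netfilter itself:
# hide one bridged guest behind the uplink's own MAC with the nat table
# targets snat, dnat and arpreply (MAC NAT). Interface names and addresses
# are a constructed sample.
import ipaddress
import re
import shlex
import subprocess
import sys

MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$')

# Constructed sample: the uplink only accepts frames from its own MAC
# (switch port security, or a wireless client interface); the guest sits
# on another port of the same bridge.
UPLINK, UPLINK_MAC = 'eth0', '02:11:22:33:44:55'
GUEST_IP, GUEST_MAC = '192.0.2.50', '52:54:00:12:34:56'


def mac_nat_rules(uplink, uplink_mac, guest_ip, guest_mac):
    # Argument lists for the nat table, in the order they must be added.
    # Validate first: a wrong but well-formed address here redirects
    # somebody else's traffic instead of failing loudly.
    uplink_mac, guest_mac = uplink_mac.lower(), guest_mac.lower()
    for mac in (uplink_mac, guest_mac):
        if not MAC_RE.match(mac):
            raise ValueError(f'bad MAC address: {mac}')
    ipaddress.IPv4Address(guest_ip)
    return [
        # Everything leaving through the uplink carries the uplink MAC.
        # --snat-arp also rewrites the sender hardware address inside ARP;
        # without it the guest's real MAC leaks in its own ARP packets.
        ['-A', 'POSTROUTING', '-o', uplink,
         '-j', 'snat', '--to-source', uplink_mac, '--snat-arp',
         '--snat-target', 'ACCEPT'],
        # Answer ARP requests for the guest IP ourselves with the uplink
        # MAC and drop the request so nothing else answers. Keep -i and
        # --arp-ip-dst: without them this rule turns the host into an ARP
        # responder for any address anybody asks about.
        ['-A', 'PREROUTING', '-i', uplink, '-p', 'ARP',
         '--arp-opcode', 'Request', '--arp-ip-dst', guest_ip,
         '-j', 'arpreply', '--arpreply-mac', uplink_mac,
         '--arpreply-target', 'DROP'],
        # The remaining ARP for the guest IP (replies to its own requests)
        # and IPv4 for it arrive addressed to the uplink MAC; dnat rewrites
        # the destination MAC so the bridge delivers them to the guest
        # port. dnat is only valid in PREROUTING and OUTPUT of nat.
        ['-A', 'PREROUTING', '-i', uplink, '-p', 'ARP',
         '--arp-ip-dst', guest_ip,
         '-j', 'dnat', '--to-destination', guest_mac,
         '--dnat-target', 'ACCEPT'],
        ['-A', 'PREROUTING', '-i', uplink, '-p', 'IPv4',
         '--ip-destination', guest_ip,
         '-j', 'dnat', '--to-destination', guest_mac,
         '--dnat-target', 'ACCEPT'],
    ]


def render(args):
    # One rule as a shell command line, for review before applying.
    return shlex.join(['ebtables', '-t', 'nat'] + args)


def apply_rules(rules):
    for args in rules:
        subprocess.run(['ebtables', '-t', 'nat'] + args, check=True)


if __name__ == '__main__':
    rules = mac_nat_rules(UPLINK, UPLINK_MAC, GUEST_IP, GUEST_MAC)
    if sys.argv[1:] == ['--apply']:
        apply_rules(rules)   # needs root and the bridge netfilter modules
    else:
        for args in rules:
            print(render(args))
```

The arpreply rule is deliberately restricted to one interface and one target IP: an unrestricted arpreply rule makes the host answer every ARP request it sees, which is exactly what an ARP poisoning tool does. The same applies to dnat: a rule without --ip-destination would steer all traffic entering from the uplink to the guest.
"
                    }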
                ]
            },
            "FILES": {
                "content": "/etc/ethertypes\n",
                "subsections": []
            },
            "ENVIRONMENT VARIABLES": {
                "content": "EBTABLESATOMICFILE\n",
                "subsections": []
            },
            "MAILINGLISTS": {
                "content": "See http://netfilter.org/mailinglists.html\n",
                "subsections": []
            },
            "BUGS": {
                "content": "The version of ebtables this man page ships with does not  support  the\nbroute  table.  Also there is no support for string match. And finally,\nthis list is probably not complete.\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "xtables-nft(8), iptables(8), ip(8)\n\nSee https://wiki.nftables.org\n\nDecember 2011                     EBTABLES(8)",
                "subsections": []
            }
        }
    }
}