.\"
.\"
.SH NAME
-ebtables-legacy (2.0.10.4@) \- Ethernet bridge frame table administration (legacy)
+ebtables \- Ethernet bridge frame table administration (nft-based)
.SH SYNOPSIS
.BR "ebtables " [ -t " table ] " - [ ACDI "] chain rule specification [match extensions] [watcher extensions] target"
.br
.BR "ebtables " [ -t " table ] [" --atomic-file " file] " --atomic-save
.br
-.SH LEGACY
-This tool uses the old xtables/setsockopt framework, and is a legacy version
-of ebtables. That means that a new, more modern tool exists with the same
-functionality using the nf_tables framework and you are encouraged to migrate now.
-The new binaries (known as ebtables-nft and formerly known as ebtables-compat)
-uses the same syntax and semantics than this legacy one.
-
-You can still use this legacy tool. You should probably get some specific
-information from your Linux distribution or vendor.
-More docs are available at https://wiki.nftables.org
-
.SH DESCRIPTION
.B ebtables
is an application program used to set up and maintain the
application, but less complicated, due to the fact that the Ethernet protocol
is much simpler than the IP protocol.
.SS CHAINS
-There are three ebtables tables with built-in chains in the
+There are two ebtables tables with built-in chains in the
Linux kernel. These tables are used to divide functionality into
different sets of rules. Each set of rules is called a chain.
Each chain is an ordered list of rules that can match Ethernet frames. If a
.B ACCEPT
means to let the frame through.
.B DROP
-means the frame has to be dropped. In the
-.BR BROUTING " chain however, the " ACCEPT " and " DROP " target have different"
-meanings (see the info provided for the
-.BR -t " option)."
+means the frame has to be dropped.
.B CONTINUE
means the next rule has to be checked. This can be handy, f.e., to know how many
frames pass a certain point in the chain, to log those frames or to apply multiple
.B "TARGET EXTENSIONS"
section of this man page.
.SS TABLES
-As stated earlier, there are three ebtables tables in the Linux
+As stated earlier, there are two ebtables tables in the Linux
kernel. The table names are
-.BR filter ", " nat " and " broute .
-Of these three tables,
+.BR filter " and " nat .
+Of these two tables,
the filter table is the default table that the command operates on.
If you are working with the filter table, then you can drop the '-t filter'
argument to the ebtables command. However, you will need to provide
-the -t argument for the other two tables. Moreover, the -t argument must be the
+the -t argument for
+.B nat
+table. Moreover, the -t argument must be the
first argument on the ebtables command line, if used.
.TP
.B "-t, --table"
can change the name
.BR "" ( -E )
if you don't like the default.
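Review bot: the rewritten sentence drops an article: `+the -t argument for` / `+.B nat` / `+table.` renders as "you will need to provide the -t argument for nat table". Change the first added line to `+the -t argument for the` so the output reads "for the nat table", matching the wording of the removed line ("for the other two tables").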
-.br
-.br
-.B broute
-is used to make a brouter, it has one built-in chain:
-.BR BROUTING .
-The targets
-.BR DROP " and " ACCEPT
-have a special meaning in the broute table (these names are used instead of
-more descriptive names to keep the implementation generic).
-.B DROP
-actually means the frame has to be routed, while
-.B ACCEPT
-means the frame has to be bridged. The
-.B BROUTING
-chain is traversed very early. However, it is only traversed by frames entering on
-a bridge port that is in forwarding state. Normally those frames
-would be bridged, but you can decide otherwise here. The
-.B redirect
-target is very handy here.
.SH EBTABLES COMMAND LINE ARGUMENTS
After the initial ebtables '-t table' command line argument, the remaining
arguments can be divided into several groups. These groups
be consulted to determine the payload protocol. This is a two byte
(hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
checked for type.
-.SS among
-Match a MAC address or MAC/IP address pair versus a list of MAC addresses
-and MAC/IP address pairs.
-A list entry has the following format:
-.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
-list entries are separated by a comma, specifying an IP address corresponding to
-the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
-but different IP address (and vice versa) can be specified. If the MAC address doesn't
-match any entry from the list, the frame doesn't match the rule (unless "!" was used).
-.TP
-.BR "--among-dst " "[!] \fIlist\fP"
-Compare the MAC destination to the given list. If the Ethernet frame has type
-.IR IPv4 " or " ARP ,
-then comparison with MAC/IP destination address pairs from the
-list is possible.
-.TP
-.BR "--among-src " "[!] \fIlist\fP"
-Compare the MAC source to the given list. If the Ethernet frame has type
-.IR IPv4 " or " ARP ,
-then comparison with MAC/IP source address pairs from the list
-is possible.
-.TP
-.BR "--among-dst-file " "[!] \fIfile\fP"
-Same as
-.BR --among-dst " but the list is read in from the specified file."
-.TP
-.BR "--among-src-file " "[!] \fIfile\fP"
-Same as
-.BR --among-src " but the list is read in from the specified file."
+.\" .SS among
+.\" Match a MAC address or MAC/IP address pair versus a list of MAC addresses
+.\" and MAC/IP address pairs.
+.\" A list entry has the following format:
+.\" .IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
+.\" list entries are separated by a comma, specifying an IP address corresponding to
+.\" the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
+.\" but different IP address (and vice versa) can be specified. If the MAC address doesn't
+.\" match any entry from the list, the frame doesn't match the rule (unless "!" was used).
+.\" .TP
+.\" .BR "--among-dst " "[!] \fIlist\fP"
+.\" Compare the MAC destination to the given list. If the Ethernet frame has type
+.\" .IR IPv4 " or " ARP ,
+.\" then comparison with MAC/IP destination address pairs from the
+.\" list is possible.
+.\" .TP
+.\" .BR "--among-src " "[!] \fIlist\fP"
+.\" Compare the MAC source to the given list. If the Ethernet frame has type
+.\" .IR IPv4 " or " ARP ,
+.\" then comparison with MAC/IP source address pairs from the list
+.\" is possible.
+.\" .TP
+.\" .BR "--among-dst-file " "[!] \fIfile\fP"
+.\" Same as
+.\" .BR --among-dst " but the list is read in from the specified file."
+.\" .TP
+.\" .BR "--among-src-file " "[!] \fIfile\fP"
+.\" Same as
+.\" .BR --among-src " but the list is read in from the specified file."
.SS arp
Specify (R)ARP fields. The protocol must be specified as
.IR ARP " or " RARP .
.TP
.BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
The forward delay timer (0-65535) range.
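Review bot: commenting out the whole `among` section with `.\"` leaves roughly thirty lines of dead roff in the source with no explanation of why they are kept. Since the new BUGS section already records that `among` is unsupported, either delete the block and rely on version history, or put a single `.\"` comment at the top of it stating that it is retained for when the nft backend gains the match.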
-.SS string
-This module matches on a given string using some pattern matching strategy.
-.TP
-.BR "--string-algo " "\fIalgorithm\fP"
-The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
-.TP
-.BR "--string-from " "\fIoffset\fP"
-The lowest offset from which a match can start. (default: 0)
-.TP
-.BR "--string-to " "\fIoffset\fP"
-The highest offset from which a match can start. (default: size of frame)
-.TP
-.BR "--string " "[!] \fIpattern\fP"
-Matches the given pattern.
-.TP
-.BR "--string-hex " "[!] \fIpattern\fP"
-Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
-.TP
-.BR "--string-icase"
-Ignore case when searching.
+.\" .SS string
+.\" This module matches on a given string using some pattern matching strategy.
+.\" .TP
+.\" .BR "--string-algo " "\fIalgorithm\fP"
+.\" The pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
+.\" .TP
+.\" .BR "--string-from " "\fIoffset\fP"
+.\" The lowest offset from which a match can start. (default: 0)
+.\" .TP
+.\" .BR "--string-to " "\fIoffset\fP"
+.\" The highest offset from which a match can start. (default: size of frame)
+.\" .TP
+.\" .BR "--string " "[!] \fIpattern\fP"
+.\" Matches the given pattern.
+.\" .TP
+.\" .BR "--string-hex " "[!] \fIpattern\fP"
+.\" Matches the given pattern in hex notation, e.g. '|0D 0A|', '|0D0A|', 'www|09|netfilter|03|org|00|'
+.\" .TP
+.\" .BR "--string-icase"
+.\" Ignore case when searching.
.SS vlan
Specify 802.1Q Tag Control Information fields.
The protocol must be specified as
The
.B dnat
target can only be used in the
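Review bot: same remark as for `among`: the commented-out `string` section is dead text kept without a stated reason; delete it or add a one-line `.\"` note saying it is parked until the match is supported. If it is kept for later restoration, fix the typo carried over from the old text in the `--string-algo` description: the algorithm is `Knuth-Morris-Pratt`, not `Knuth-Pratt-Morris`.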
-.BR BROUTING " chain of the " broute " table and the "
.BR PREROUTING " and " OUTPUT " chains of the " nat " table."
It specifies that the destination MAC address has to be changed.
.TP
.B redirect
target will change the MAC target address to that of the bridge device the
frame arrived on. This target can only be used in the
-.BR BROUTING " chain of the " broute " table and the "
.BR PREROUTING " chain of the " nat " table."
-In the
-.BR BROUTING " chain, the MAC address of the bridge port is used as destination address,"
-.BR "" "in the " PREROUTING " chain, the MAC address of the bridge is used."
+The MAC address of the bridge is used as destination address."
.TP
.BR "--redirect-target " "\fItarget\fP"
.br
.br
.SH FILES
.I /etc/ethertypes
-.I /var/lib/ebtables/lock
.SH ENVIRONMENT VARIABLES
.I EBTABLES_ATOMIC_FILE
.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
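Review bot: the added line `+The MAC address of the bridge is used as destination address."` ends with a stray double quote, left over from the removed `.BR` line it replaces; because the new line is plain text rather than a `.BR` request, the quote will be printed literally as `address."`. Drop it, and while there, insert the missing article so the line reads `The MAC address of the bridge is used as the destination address.`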
+.SH BUGS
+The version of ebtables this man page ships with does not support the
+.B broute
+table. Also there is no support for
+.BR among " and " string
+matches. And finally, this list is probably not complete.
.SH SEE ALSO
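Review bot: the new BUGS section lists the `broute` table and the `among` and `string` matches, yet the SYNOPSIS still advertises `--atomic-file` and `--atomic-save` and ENVIRONMENT VARIABLES still lists `EBTABLES_ATOMIC_FILE`, while the `/var/lib/ebtables/lock` entry was removed from FILES. If the nft-based binary does not implement the atomic commands, they belong in this list (or should be removed from the SYNOPSIS); if it does, a short sentence saying so would stop readers from assuming the opposite. "this list is probably not complete" is also rather vague for a BUGS section; if specific gaps are known, name them.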
-.BR iptables "(8), " brctl "(8), " ifconfig "(8), " route (8)
+.BR xtables-nft "(8), " iptables "(8), " ip (8)
.PP
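Review bot: the removed SEE ALSO entries `brctl(8)`, `ifconfig(8)` and `route(8)` are replaced only by `ip(8)`, which covers the latter two but not bridge administration. Consider adding `bridge(8)` (the iproute2 replacement for brctl) so a reader looking for the bridge-side counterpart still has a pointer, e.g. `.BR xtables-nft "(8), " iptables "(8), " ip "(8), " bridge (8)`.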
-.BR "" "See " http://ebtables.sf.net
+.BR "" "See " https://wiki.nftables.org