man-pages/man8/ebtables-nft.8.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of EBTABLES</TITLE>
</HEAD><BODY>
<H1>EBTABLES</H1>
Section: Maintenance Commands (8)<BR>Updated: December 2011<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>

























<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

ebtables - Ethernet bridge frame table administration (nft-based)
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>ebtables </B>[<B>-t</B> table ] <B>-</B>[<B>ACDI</B>] chain rule specification [match extensions] [watcher extensions] target

<BR>

<B>ebtables </B>[<B>-t</B> table ] <B>-P</B> chain <B>ACCEPT</B> | <B>DROP</B> | <B>RETURN</B>

<BR>

<B>ebtables </B>[<B>-t</B> table ] <B>-F</B> [chain]

<BR>

<B>ebtables </B>[<B>-t</B> table ] <B>-Z</B> [chain]

<BR>

<B>ebtables </B>[<B>-t</B> table ] <B>-L</B> [<B>-Z</B>] [chain] [ [<B>--Ln</B>] | [<B>--Lx</B>] ] [<B>--Lc</B>] [<B>--Lmac2</B>]

<BR>

<B>ebtables </B>[<B>-t</B> table ] <B>-N</B> chain [<B>-P ACCEPT </B>|<B> DROP </B>|<B> RETURN</B>]

<BR>

<B>ebtables </B>[<B>-t</B> table ] <B>-X</B> [chain]

<BR>

<B>ebtables </B>[<B>-t</B> table ] <B>-E</B> old-chain-name new-chain-name

<BR>

<B>ebtables </B>[<B>-t</B> table ] <B>--init-table</B>

<BR>

<B>ebtables </B>[<B>-t</B> table ] [<B>--atomic-file</B> file] <B>--atomic-commit</B>

<BR>

<B>ebtables </B>[<B>-t</B> table ] [<B>--atomic-file</B> file] <B>--atomic-init</B>

<BR>

<B>ebtables </B>[<B>-t</B> table ] [<B>--atomic-file</B> file] <B>--atomic-save</B>

<BR>

<P>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<B>ebtables</B>

is an application program used to set up and maintain the
tables of rules (inside the Linux kernel) that inspect
Ethernet frames.
It is analogous to the
<B>iptables</B>

application, but less complicated, due to the fact that the Ethernet protocol
is much simpler than the IP protocol.
<A NAME="lbAE">&nbsp;</A>
<H3>CHAINS</H3>

There are two ebtables tables with built-in chains in the
Linux kernel. These tables are used to divide functionality into
different sets of rules. Each set of rules is called a chain.
Each chain is an ordered list of rules that can match Ethernet frames. If a
rule matches an Ethernet frame, then a processing specification tells
what to do with that matching frame. The processing specification is
called a 'target'. However, if the frame does not match the current
rule in the chain, then the next rule in the chain is examined and so forth.
The user can create new (user-defined) chains that can be used as the 'target'
of a rule. User-defined chains are very useful to get better performance
over the linear traversal of the rules and are also essential for structuring
the filtering rules into well-organized and maintainable sets of rules.
<A NAME="lbAF">&nbsp;</A>
<H3>TARGETS</H3>

A firewall rule specifies criteria for an Ethernet frame and a frame
processing specification called a target.  When a frame matches a rule,
then the next action performed by the kernel is specified by the target.
The target can be one of these values:
<B>ACCEPT</B>,

<B>DROP</B>,

<B>CONTINUE</B>,

<B>RETURN</B>,

an 'extension' (see below) or a jump to a user-defined chain.
<P>

<B>ACCEPT</B>

means to let the frame through.
<B>DROP</B>

means the frame has to be dropped.
<B>CONTINUE</B>

means the next rule has to be checked. This can be handy, f.e., to know how many
frames pass a certain point in the chain, to log those frames or to apply multiple
targets on a frame.
<B>RETURN</B>

means stop traversing this chain and resume at the next rule in the
previous (calling) chain.
For the extension targets please refer to the
<B>TARGET EXTENSIONS</B>

section of this man page.
<A NAME="lbAG">&nbsp;</A>
<H3>TABLES</H3>

As stated earlier, there are two ebtables tables in the Linux
kernel.  The table names are
<B>filter</B> and <B>nat</B>.

Of these two tables,
the filter table is the default table that the command operates on.
If you are working with the filter table, then you can drop the '-t filter'
argument to the ebtables command.  However, you will need to provide
the -t argument for
<B>nat</B>

table.  Moreover, the -t argument must be the
first argument on the ebtables command line, if used. 
<DL COMPACT>
<DT id="1"><B>-t, --table</B>

<DD>
<BR>

<B>filter</B>

is the default table and contains three built-in chains:
<B>INPUT </B>

(for frames destined for the bridge itself, on the level of the MAC destination address), 
<B>OUTPUT </B>

(for locally-generated or (b)routed frames) and
<B>FORWARD </B>

(for frames being forwarded by the bridge).
<BR>

<BR>

<B>nat</B>

is mostly used to change the mac addresses and contains three built-in chains:
<B>PREROUTING </B>

(for altering frames as soon as they come in), 
<B>OUTPUT </B>

(for altering locally generated or (b)routed frames before they are bridged) and 
<B>POSTROUTING</B>

(for altering frames as they are about to go out). A small note on the naming
of chains PREROUTING and POSTROUTING: it would be more accurate to call them
PREFORWARDING and POSTFORWARDING, but for all those who come from the
iptables world to ebtables it is easier to have the same names. Note that you
can change the name
<B></B>(<B>-E</B>)

if you don't like the default.
</DL>
<A NAME="lbAH">&nbsp;</A>
<H2>EBTABLES COMMAND LINE ARGUMENTS</H2>

After the initial ebtables '-t table' command line argument, the remaining
arguments can be divided into several groups.  These groups
are commands, miscellaneous commands, rule specifications, match extensions,
watcher extensions and target extensions.
<A NAME="lbAI">&nbsp;</A>
<H3>COMMANDS</H3>

The ebtables command arguments specify the actions to perform on the table
defined with the -t argument.  If you do not use the -t argument to name
a table, the commands apply to the default filter table.
Only one command may be used on the command line at a time, except when
the commands
<B>-L</B> and <B>-Z</B>

are combined, the commands
<B>-N</B> and <B>-P</B>

are combined, or when
<B>--atomic-file</B>

is used.
<DL COMPACT>
<DT id="2"><B>-A, --append</B>

<DD>
Append a rule to the end of the selected chain.
<DT id="3"><B>-D, --delete</B>

<DD>
Delete the specified rule or rules from the selected chain. There are two ways to
use this command. The first is by specifying an interval of rule numbers
to delete (directly after
<B>-D</B>).

Syntax: <I>start_nr</I>[<I>:end_nr</I>] (use
<B>-L --Ln</B>

to list the rules with their rule number). When <I>end_nr</I> is omitted, all rules starting
from <I>start_nr</I> are deleted. Using negative numbers is allowed, for more
details about using negative numbers, see the
<B>-I</B>

command. The second usage is by
specifying the complete rule as it would have been specified when it was added. Only
the first encountered rule that is the same as this specified rule, in other
words the matching rule with the lowest (positive) rule number, is deleted.
<DT id="4"><B>-C, --change-counters</B>

<DD>
Change the counters of the specified rule or rules from the selected chain. There are two ways to
use this command. The first is by specifying an interval of rule numbers
to do the changes on (directly after
<B>-C</B>).

Syntax: <I>start_nr</I>[<I>:end_nr</I>] (use
<B>-L --Ln</B>

to list the rules with their rule number). The details are the same as for the
<B>-D</B> command. The second usage is by

specifying the complete rule as it would have been specified when it was added. Only
the counters of the first encountered rule that is the same as this specified rule, in other
words the matching rule with the lowest (positive) rule number, are changed.
In the first usage, the counters are specified directly after the interval specification,
in the second usage directly after
<B>-C</B>.

First the packet counter is specified, then the byte counter. If the specified counters start
with a '+', the counter values are added to the respective current counter values.
If the specified counters start with a '-', the counter values are decreased from the respective
current counter values. No bounds checking is done. If the counters don't start with '+' or '-',
the current counters are changed to the specified counters.
<DT id="5"><B>-I, --insert</B>

<DD>
Insert the specified rule into the selected chain at the specified rule number. If the
rule number is not specified, the rule is added at the head of the chain.
If the current number of rules equals
<I>N</I>,

then the specified number can be
between
<I>-N</I> and <I>N+1</I>.

For a positive number
<I>i</I>,

it holds that
<I>i</I> and <I>i-N-1</I>

specify the same place in the chain where the rule should be inserted. The rule number
0 specifies the place past the last rule in the chain and using this number is therefore
equivalent to using the
<B>-A</B> command.

Rule numbers structly smaller than 0 can be useful when more than one rule needs to be inserted
in a chain.
<DT id="6"><B>-P, --policy</B>

<DD>
Set the policy for the chain to the given target. The policy can be
<B>ACCEPT</B>, <B>DROP</B> or <B>RETURN</B>.

<DT id="7"><B>-F, --flush</B>

<DD>
Flush the selected chain. If no chain is selected, then every chain will be
flushed. Flushing a chain does not change the policy of the
chain, however.
<DT id="8"><B>-Z, --zero</B>

<DD>
Set the counters of the selected chain to zero. If no chain is selected, all the counters
are set to zero. The
<B>-Z</B>

command can be used in conjunction with the 
<B>-L</B>

command.
When both the
<B>-Z</B>

and
<B>-L</B>

commands are used together in this way, the rule counters are printed on the screen
before they are set to zero.
<DT id="9"><B>-L, --list</B>

<DD>
List all rules in the selected chain. If no chain is selected, all chains
are listed.
<BR>

The following options change the output of the
<B>-L</B>

command.
<BR>

<B>--Ln</B>

<BR>

Places the rule number in front of every rule. This option is incompatible with the
<B>--Lx</B> option.

<BR>

<B>--Lc</B>

<BR>

Shows the counters at the end of each rule displayed by the
<B>-L</B>

command. Both a frame counter (pcnt) and a byte counter (bcnt) are displayed.
The frame counter shows how many frames have matched the specific rule, the byte
counter shows the sum of the frame sizes of these matching frames. Using this option
<B></B>in combination with the <B>--Lx</B> option causes the counters to be written out

<B></B>in the '<B>-c</B> &lt;pcnt&gt; &lt;bcnt&gt;' option format.

<BR>

<B>--Lx</B>

<BR>

Changes the output so that it produces a set of ebtables commands that construct
the contents of the chain, when specified.
If no chain is specified, ebtables commands to construct the contents of the
table are given, including commands for creating the user-defined chains (if any).
You can use this set of commands in an ebtables boot or reload
script.  For example the output could be used at system startup.
The 
<B>--Lx</B>

option is incompatible with the
<B>--Ln</B>

listing option. Using the
<B>--Lx</B> option together with the <B>--Lc</B> option will cause the counters to be written out

<B></B>in the '<B>-c</B> &lt;pcnt&gt; &lt;bcnt&gt;' option format.

<BR>

<B>--Lmac2</B>

<BR>

Shows all MAC addresses with the same length, adding leading zeroes
if necessary. The default representation omits leading zeroes in the addresses.
<DT id="10"><B>-N, --new-chain</B>

<DD>
Create a new user-defined chain with the given name. The number of
user-defined chains is limited only by the number of possible chain names.
A user-defined chain name has a maximum
length of 31 characters. The standard policy of the user-defined chain is
ACCEPT. The policy of the new chain can be initialized to a different standard
target by using the
<B>-P</B>

command together with the
<B>-N</B>

command. In this case, the chain name does not have to be specified for the
<B>-P</B>

command.
<DT id="11"><B>-X, --delete-chain</B>

<DD>
Delete the specified user-defined chain. There must be no remaining references (jumps)
to the specified chain, otherwise ebtables will refuse to delete it. If no chain is
specified, all user-defined chains that aren't referenced will be removed.
<DT id="12"><B>-E, --rename-chain</B>

<DD>
Rename the specified chain to a new name.  Besides renaming a user-defined
chain, you can rename a standard chain to a name that suits your
taste. For example, if you like PREFORWARDING more than PREROUTING,
then you can use the -E command to rename the PREROUTING chain. If you do
rename one of the standard ebtables chain names, please be sure to mention
this fact should you post a question on the ebtables mailing lists.
It would be wise to use the standard name in your post. Renaming a standard
ebtables chain in this fashion has no effect on the structure or functioning
of the ebtables kernel table.
<DT id="13"><B>--init-table</B>

<DD>
Replace the current table data by the initial table data.
<DT id="14"><B>--atomic-init</B>

<DD>
Copy the kernel's initial data of the table to the specified
file. This can be used as the first action, after which rules are added
to the file. The file can be specified using the
<B>--atomic-file</B>

command or through the
<I>EBTABLES_ATOMIC_FILE</I> environment variable.

<DT id="15"><B>--atomic-save</B>

<DD>
Copy the kernel's current data of the table to the specified
file. This can be used as the first action, after which rules are added
to the file. The file can be specified using the
<B>--atomic-file</B>

command or through the
<I>EBTABLES_ATOMIC_FILE</I> environment variable.

<DT id="16"><B>--atomic-commit</B>

<DD>
Replace the kernel table data with the data contained in the specified
file. This is a useful command that allows you to load all your rules of a
certain table into the kernel at once, saving the kernel a lot of precious
time and allowing atomic updates of the tables. The file which contains
the table data is constructed by using either the
<B>--atomic-init</B>

or the
<B>--atomic-save</B>

command to generate a starting file. After that, using the
<B>--atomic-file</B>

command when constructing rules or setting the
<I>EBTABLES_ATOMIC_FILE</I> environment variable

allows you to extend the file and build the complete table before
committing it to the kernel. This command can be very useful in boot scripts
to populate the ebtables tables in a fast way.
</DL>
<A NAME="lbAJ">&nbsp;</A>
<H3>MISCELLANOUS COMMANDS</H3>

<DL COMPACT>
<DT id="17"><B>-V, --version</B>

<DD>
Show the version of the ebtables userspace program.
<DT id="18"><B>-h, --help </B>[<I>list of module names</I>]

<DD>
Give a brief description of the command syntax. Here you can also specify
names of extensions and ebtables will try to write help about those
extensions. E.g.
<I>ebtables -h snat log ip arp</I>.

Specify
<I>list_extensions</I>

to list all extensions supported by the userspace
utility.
<DT id="19"><B>-j, --jump </B><I>target</I>

<DD>
The target of the rule. This is one of the following values:
<B>ACCEPT</B>,

<B>DROP</B>,

<B>CONTINUE</B>,

<B>RETURN</B>,

a target extension (see
<B>TARGET EXTENSIONS</B>)

or a user-defined chain name.
<DT id="20"><B>--atomic-file </B><I>file</I>

<DD>
Let the command operate on the specified
<I>file</I>.

The data of the table to
operate on will be extracted from the file and the result of the operation
will be saved back into the file. If specified, this option should come
before the command specification. An alternative that should be preferred,
is setting the
<I>EBTABLES_ATOMIC_FILE</I> environment variable.

<DT id="21"><B>-M, --modprobe </B><I>program</I>

<DD>
When talking to the kernel, use this
<I>program</I>

to try to automatically load missing kernel modules.
<DT id="22"><B>--concurrent</B>

<DD>
Use a file lock to support concurrent scripts updating the ebtables kernel tables.
<P>
</DL>
<A NAME="lbAK">&nbsp;</A>
<H3>RULE SPECIFICATIONS</H3>

The following command line arguments make up a rule specification (as used 
in the add and delete commands). A &quot;!&quot; option before the specification 
inverts the test for that specification. Apart from these standard rule 
specifications there are some other command line arguments of interest.
See both the 
<B>MATCH EXTENSIONS</B>

and the
<B>WATCHER EXTENSIONS</B>

below.
<DL COMPACT>
<DT id="23"><B>-p, --protocol </B>[!] <I>protocol</I>

<DD>
The protocol that was responsible for creating the frame. This can be a
hexadecimal number, above 
<I>0x0600</I>,

a name (e.g.
<I>ARP</I>

) or
<B>LENGTH</B>.

The protocol field of the Ethernet frame can be used to denote the
length of the header (802.2/802.3 networks). When the value of that field is
below or equals
<I>0x0600</I>,

the value equals the size of the header and shouldn't be used as a
protocol number. Instead, all frames where the protocol field is used as
the length field are assumed to be of the same 'protocol'. The protocol
name used in ebtables for these frames is
<B>LENGTH</B>.

<BR>

The file
<B>/etc/ethertypes</B>

can be used to show readable
characters instead of hexadecimal numbers for the protocols. For example,
<I>0x0800</I>

will be represented by 
<I>IPV4</I>.

The use of this file is not case sensitive. 
See that file for more information. The flag 
<B>--proto</B>

is an alias for this option.
<DT id="24"><B>-i, --in-interface </B>[!] <I>name</I>

<DD>
The interface (bridge port) via which a frame is received (this option is useful in the
<B>INPUT</B>,

<B>FORWARD</B>,

<B>PREROUTING</B> and <B>BROUTING</B>

chains). If the interface name ends with '+', then
any interface name that begins with this name (disregarding '+') will match.
The flag
<B>--in-if</B>

is an alias for this option.
<DT id="25"><B>--logical-in </B>[!] <I>name</I>

<DD>
The (logical) bridge interface via which a frame is received (this option is useful in the
<B>INPUT</B>,

<B>FORWARD</B>,

<B>PREROUTING</B> and <B>BROUTING</B>

chains).
If the interface name ends with '+', then
any interface name that begins with this name (disregarding '+') will match.
<DT id="26"><B>-o, --out-interface </B>[!] <I>name</I>

<DD>
The interface (bridge port) via which a frame is going to be sent (this option is useful in the
<B>OUTPUT</B>,

<B>FORWARD</B>

and
<B>POSTROUTING</B>

chains). If the interface name ends with '+', then
any interface name that begins with this name (disregarding '+') will match.
The flag
<B>--out-if</B>

is an alias for this option.
<DT id="27"><B>--logical-out </B>[!] <I>name</I>

<DD>
The (logical) bridge interface via which a frame is going to be sent (this option
is useful in the
<B>OUTPUT</B>,

<B>FORWARD</B>

and
<B>POSTROUTING</B>

chains).
If the interface name ends with '+', then
any interface name that begins with this name (disregarding '+') will match.
<DT id="28"><B>-s, --source </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The source MAC address. Both mask and address are written as 6 hexadecimal
numbers separated by colons. Alternatively one can specify Unicast,
Multicast, Broadcast or BGA (Bridge Group Address):
<BR>

<I>Unicast</I>=00:00:00:00:00:00/01:00:00:00:00:00,

<I>Multicast</I>=01:00:00:00:00:00/01:00:00:00:00:00,

<I>Broadcast</I>=ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff or

<I>BGA</I>=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff.

Note that a broadcast
address will also match the multicast specification. The flag
<B>--src</B>

is an alias for this option.
<DT id="29"><B>-d, --destination </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The destination MAC address. See
<B>-s</B>

(above) for more details on MAC addresses. The flag
<B>--dst</B>

is an alias for this option.
<DT id="30"><B>-c, --set-counter </B><I>pcnt bcnt</I>

<DD>
If used with
<B>-A</B> or <B>-I</B>, then the packet and byte counters of the new rule will be set to

<I>pcnt</I>, resp. <I>bcnt</I>.

If used with the
<B>-C</B> or <B>-D</B> commands, only rules with a packet and byte count equal to

<I>pcnt</I>, resp. <I>bcnt</I> will match.

<P>
</DL>
<A NAME="lbAL">&nbsp;</A>
<H3>MATCH EXTENSIONS</H3>

Ebtables extensions are dynamically loaded into the userspace tool,
there is therefore no need to explicitly load them with a
-m option like is done in iptables.
These extensions deal with functionality supported by kernel modules supplemental to
the core ebtables code.
<A NAME="lbAM">&nbsp;</A>
<H3>802_3</H3>

Specify 802.3 DSAP/SSAP fields or SNAP type.  The protocol must be specified as
<I>LENGTH </I>(see the option <I> -p </I>above).

<DL COMPACT>
<DT id="31"><B>--802_3-sap </B>[!] <I>sap</I>

<DD>
DSAP and SSAP are two one byte 802.3 fields.  The bytes are always
equal, so only one byte (hexadecimal) is needed as an argument.
<DT id="32"><B>--802_3-type </B>[!] <I>type</I>

<DD>
If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
be consulted to determine the payload protocol.  This is a two byte
(hexadecimal) argument.  Only 802.3 frames with DSAP/SSAP 0xaa are
checked for type.
</DL>
<A NAME="lbAN">&nbsp;</A>
<H3>among</H3>

Match a MAC address or MAC/IP address pair versus a list of MAC addresses
and MAC/IP address pairs.
A list entry has the following format:
<I>xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,]</I>. Multiple

list entries are separated by a comma, specifying an IP address corresponding to
the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
but different IP address (and vice versa) can be specified. If the MAC address doesn't
match any entry from the list, the frame doesn't match the rule (unless &quot;!&quot; was used).
<DL COMPACT>
<DT id="33"><B>--among-dst </B>[!] <I>list</I>

<DD>
Compare the MAC destination to the given list. If the Ethernet frame has type
<I>IPv4</I> or <I>ARP</I>,

then comparison with MAC/IP destination address pairs from the
list is possible.
<DT id="34"><B>--among-src </B>[!] <I>list</I>

<DD>
Compare the MAC source to the given list. If the Ethernet frame has type
<I>IPv4</I> or <I>ARP</I>,

then comparison with MAC/IP source address pairs from the list
is possible.
<DT id="35"><B>--among-dst-file </B>[!] <I>file</I>

<DD>
Same as
<B>--among-dst</B> but the list is read in from the specified file.

<DT id="36"><B>--among-src-file </B>[!] <I>file</I>

<DD>
Same as
<B>--among-src</B> but the list is read in from the specified file.

</DL>
<P>

Note that in this implementation of ebtables, among lists uses must be
internally homogeneous regarding whether IP addresses are present or not. Mixed
use of MAC addresses and MAC/IP address pairs is not supported yet.
<A NAME="lbAO">&nbsp;</A>
<H3>arp</H3>

Specify (R)ARP fields. The protocol must be specified as
<I>ARP</I> or <I>RARP</I>.

<DL COMPACT>
<DT id="37"><B>--arp-opcode </B>[!] <I>opcode</I>

<DD>
The (R)ARP opcode (decimal or a string, for more details see
<B>ebtables -h arp</B>).

<DT id="38"><B>--arp-htype </B>[!] <I>hardware type</I>

<DD>
The hardware type, this can be a decimal or the string
<I>Ethernet</I>

(which sets
<I>type</I>

to 1). Most (R)ARP packets have Eternet as hardware type.
<DT id="39"><B>--arp-ptype </B>[!] <I>protocol type</I>

<DD>
The protocol type for which the (r)arp is used (hexadecimal or the string
<I>IPv4</I>,

denoting 0x0800).
Most (R)ARP packets have protocol type IPv4.
<DT id="40"><B>--arp-ip-src </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The (R)ARP IP source address specification.
<DT id="41"><B>--arp-ip-dst </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The (R)ARP IP destination address specification.
<DT id="42"><B>--arp-mac-src </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The (R)ARP MAC source address specification.
<DT id="43"><B>--arp-mac-dst </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The (R)ARP MAC destination address specification.
<DT id="44"><B></B>[!]<B> --arp-gratuitous</B>

<DD>
Checks for ARP gratuitous packets: checks equality of IPv4 source
address and IPv4 destination address inside the ARP header.
</DL>
<A NAME="lbAP">&nbsp;</A>
<H3>ip</H3>

Specify IPv4 fields. The protocol must be specified as
<I>IPv4</I>.

<DL COMPACT>
<DT id="45"><B>--ip-source </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The source IP address.
The flag
<B>--ip-src</B>

is an alias for this option.
<DT id="46"><B>--ip-destination </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The destination IP address.
The flag
<B>--ip-dst</B>

is an alias for this option.
<DT id="47"><B>--ip-tos </B>[!] <I>tos</I>

<DD>
The IP type of service, in hexadecimal numbers.
<B>IPv4</B>.

<DT id="48"><B>--ip-protocol </B>[!] <I>protocol</I>

<DD>
The IP protocol.
The flag
<B>--ip-proto</B>

is an alias for this option.
<DT id="49"><B>--ip-source-port </B>[!] <I>port1</I>[:<I>port2</I>]

<DD>
The source port or port range for the IP protocols 6 (TCP), 17
(UDP), 33 (DCCP) or 132 (SCTP). The
<B>--ip-protocol</B>

option must be specified as
<I>TCP</I>, <I>UDP</I>, <I>DCCP</I> or <I>SCTP</I>.

If
<I>port1</I> is omitted, <I>0:port2</I> is used; if <I>port2</I> is omitted but a colon is specified, <I>port1:65535</I> is used.

The flag
<B>--ip-sport</B>

is an alias for this option.
<DT id="50"><B>--ip-destination-port </B>[!] <I>port1</I>[:<I>port2</I>]

<DD>
The destination port or port range for ip protocols 6 (TCP), 17
(UDP), 33 (DCCP) or 132 (SCTP). The
<B>--ip-protocol</B>

option must be specified as
<I>TCP</I>, <I>UDP</I>, <I>DCCP</I> or <I>SCTP</I>.

If
<I>port1</I> is omitted, <I>0:port2</I> is used; if <I>port2</I> is omitted but a colon is specified, <I>port1:65535</I> is used.

The flag
<B>--ip-dport</B>

is an alias for this option.
</DL>
<A NAME="lbAQ">&nbsp;</A>
<H3>ip6</H3>

Specify IPv6 fields. The protocol must be specified as
<I>IPv6</I>.

<DL COMPACT>
<DT id="51"><B>--ip6-source </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The source IPv6 address.
The flag
<B>--ip6-src</B>

is an alias for this option.
<DT id="52"><B>--ip6-destination </B>[!] <I>address</I>[/<I>mask</I>]

<DD>
The destination IPv6 address.
The flag
<B>--ip6-dst</B>

is an alias for this option.
<DT id="53"><B>--ip6-tclass </B>[!] <I>tclass</I>

<DD>
The IPv6 traffic class, in hexadecimal numbers.
<DT id="54"><B>--ip6-protocol </B>[!] <I>protocol</I>

<DD>
The IP protocol.
The flag
<B>--ip6-proto</B>

is an alias for this option.
<DT id="55"><B>--ip6-source-port </B>[!] <I>port1</I>[:<I>port2</I>]

<DD>
The source port or port range for the IPv6 protocols 6 (TCP), 17
(UDP), 33 (DCCP) or 132 (SCTP). The
<B>--ip6-protocol</B>

option must be specified as
<I>TCP</I>, <I>UDP</I>, <I>DCCP</I> or <I>SCTP</I>.

If
<I>port1</I> is omitted, <I>0:port2</I> is used; if <I>port2</I> is omitted but a colon is specified, <I>port1:65535</I> is used.

The flag
<B>--ip6-sport</B>

is an alias for this option.
<DT id="56"><B>--ip6-destination-port </B>[!] <I>port1</I>[:<I>port2</I>]

<DD>
The destination port or port range for IPv6 protocols 6 (TCP), 17
(UDP), 33 (DCCP) or 132 (SCTP). The
<B>--ip6-protocol</B>

option must be specified as
<I>TCP</I>, <I>UDP</I>, <I>DCCP</I> or <I>SCTP</I>.

If
<I>port1</I> is omitted, <I>0:port2</I> is used; if <I>port2</I> is omitted but a colon is specified, <I>port1:65535</I> is used.

The flag
<B>--ip6-dport</B>

is an alias for this option.
<DT id="57"><B>--ip6-icmp-type </B>[!] {<I>type</I>[:<I>type</I>]/<I>code</I>[:<I>code</I>]|<I>typename</I>}

<DD>
Specify ipv6-icmp type and code to match.
Ranges for both type and code are supported. Type and code are
separated by a slash. Valid numbers for type and range are 0 to 255.
To match a single type including all valid codes, symbolic names can
be used instead of numbers. The list of known type names is shown by the command
<PRE>
  ebtables --help ip6
</PRE>

This option is only valid for --ip6-prococol ipv6-icmp.
</DL>
<A NAME="lbAR">&nbsp;</A>
<H3>limit</H3>

This module matches at a limited rate using a token bucket filter.
A rule using this extension will match until this limit is reached.
It can be used with the
<B>--log</B>

watcher to give limited logging, for example. Its use is the same
as the limit match of iptables.
<DL COMPACT>
<DT id="58"><B>--limit </B>[<I>value</I>]

<DD>
Maximum average matching rate: specified as a number, with an optional
<I>/second</I>, <I>/minute</I>, <I>/hour</I>, or <I>/day</I> suffix; the default is <I>3/hour</I>.

<DT id="59"><B>--limit-burst </B>[<I>number</I>]

<DD>
Maximum initial number of packets to match: this number gets recharged by
one every time the limit specified above is not reached, up to this
number; the default is
<I>5</I>.

</DL>
<A NAME="lbAS">&nbsp;</A>
<H3>mark_m</H3>

<DL COMPACT>
<DT id="60"><B>--mark </B>[!] [<I>value</I>][/<I>mask</I>]

<DD>
Matches frames with the given unsigned mark value. If a
<I>value</I> and <I>mask</I> are specified, the logical AND of the mark value of the frame and

the user-specified
<I>mask</I> is taken before comparing it with the

user-specified mark
<I>value</I>. When only a mark 

<I>value</I> is specified, the packet

only matches when the mark value of the frame equals the user-specified
mark
<I>value</I>.

If only a
<I>mask</I> is specified, the logical

AND of the mark value of the frame and the user-specified
<I>mask</I> is taken and the frame matches when the result of this logical AND is

non-zero. Only specifying a
<I>mask</I> is useful to match multiple mark values.

</DL>
<A NAME="lbAT">&nbsp;</A>
<H3>pkttype</H3>

<DL COMPACT>
<DT id="61"><B>--pkttype-type </B>[!] <I>type</I>

<DD>
Matches on the Ethernet &quot;class&quot; of the frame, which is determined by the
generic networking code. Possible values:
<I>broadcast</I> (MAC destination is the broadcast address),

<I>multicast</I> (MAC destination is a multicast address),

<I>host</I> (MAC destination is the receiving network device), or 

<I>otherhost</I> (none of the above).

</DL>
<A NAME="lbAU">&nbsp;</A>
<H3>stp</H3>

Specify stp BPDU (bridge protocol data unit) fields. The destination
address
<B></B>(<B>-d</B>) must be specified as the bridge group address

<I></I>(<I>BGA</I>).

For all options for which a range of values can be specified, it holds that
if the lower bound is omitted (but the colon is not), then the lowest possible lower bound
for that option is used, while if the upper bound is omitted (but the colon again is not), the
highest possible upper bound for that option is used.
<DL COMPACT>
<DT id="62"><B>--stp-type </B>[!] <I>type</I>

<DD>
The BPDU type (0-255), recognized non-numerical types are
<I>config</I>, denoting a configuration BPDU (=0), and

<I>tcn</I>, denothing a topology change notification BPDU (=128).

<DT id="63"><B>--stp-flags </B>[!] <I>flag</I>

<DD>
The BPDU flag (0-255), recognized non-numerical flags are
<I>topology-change</I>, denoting the topology change flag (=1), and

<I>topology-change-ack</I>, denoting the topology change acknowledgement flag (=128).

<DT id="64"><B>--stp-root-prio </B>[!] [<I>prio</I>][:<I>prio</I>]

<DD>
The root priority (0-65535) range.
<DT id="65"><B>--stp-root-addr </B>[!] [<I>address</I>][/<I>mask</I>]

<DD>
The root mac address, see the option
<B>-s</B> for more details.

<DT id="66"><B>--stp-root-cost </B>[!] [<I>cost</I>][:<I>cost</I>]

<DD>
The root path cost (0-4294967295) range.
<DT id="67"><B>--stp-sender-prio </B>[!] [<I>prio</I>][:<I>prio</I>]

<DD>
The BPDU's sender priority (0-65535) range.
<DT id="68"><B>--stp-sender-addr </B>[!] [<I>address</I>][/<I>mask</I>]

<DD>
The BPDU's sender mac address, see the option
<B>-s</B> for more details.

<DT id="69"><B>--stp-port </B>[!] [<I>port</I>][:<I>port</I>]

<DD>
The port identifier (0-65535) range.
<DT id="70"><B>--stp-msg-age </B>[!] [<I>age</I>][:<I>age</I>]

<DD>
The message age timer (0-65535) range.
<DT id="71"><B>--stp-max-age </B>[!] [<I>age</I>][:<I>age</I>]

<DD>
The max age timer (0-65535) range.
<DT id="72"><B>--stp-hello-time </B>[!] [<I>time</I>][:<I>time</I>]

<DD>
The hello time timer (0-65535) range.
<DT id="73"><B>--stp-forward-delay </B>[!] [<I>delay</I>][:<I>delay</I>]

<DD>
The forward delay timer (0-65535) range.




















</DL>
<A NAME="lbAV">&nbsp;</A>
<H3>vlan</H3>

Specify 802.1Q Tag Control Information fields.
The protocol must be specified as
<I>802_1Q</I> (0x8100).

<DL COMPACT>
<DT id="74"><B>--vlan-id </B>[!] <I>id</I>

<DD>
The VLAN identifier field (VID). Decimal number from 0 to 4095.
<DT id="75"><B>--vlan-prio </B>[!] <I>prio</I>

<DD>
The user priority field, a decimal number from 0 to 7.
The VID should be set to 0 (&quot;null VID&quot;) or unspecified
(in the latter case the VID is deliberately set to 0).
<DT id="76"><B>--vlan-encap </B>[!] <I>type</I>

<DD>
The encapsulated Ethernet frame type/length.
Specified as a hexadecimal
number from 0x0000 to 0xFFFF or as a symbolic name
from
<B>/etc/ethertypes</B>.

<P>
</DL>
<A NAME="lbAW">&nbsp;</A>
<H3>WATCHER EXTENSIONS</H3>

Watchers only look at frames passing by, they don't modify them nor decide
to accept the frames or not. These watchers only
see the frame if the frame matches the rule, and they see it before the
target is executed.
<A NAME="lbAX">&nbsp;</A>
<H3>log</H3>

The log watcher writes descriptive data about a frame to the syslog.
<DL COMPACT>
<DT id="77"><B>--log</B>

<DD>
<BR>

Log with the default loggin options: log-level=
<I>info</I>,

log-prefix=&quot;&quot;, no ip logging, no arp logging.
<DT id="78"><B>--log-level </B><I>level</I>

<DD>
<BR>

Defines the logging level. For the possible values, see
<B>ebtables -h log</B>.

The default level is 
<I>info</I>.

<DT id="79"><B>--log-prefix</B> <I>text</I>

<DD>
<BR>

Defines the prefix
<I>text</I>

to be printed at the beginning of the line with the logging information.
<DT id="80"><B>--log-ip </B>

<DD>
<BR>

Will log the ip information when a frame made by the ip protocol matches 
the rule. The default is no ip information logging.
<DT id="81"><B>--log-ip6 </B>

<DD>
<BR>

Will log the ipv6 information when a frame made by the ipv6 protocol matches 
the rule. The default is no ipv6 information logging.
<DT id="82"><B>--log-arp</B>

<DD>
<BR>

Will log the (r)arp information when a frame made by the (r)arp protocols
matches the rule. The default is no (r)arp information logging.
</DL>
<A NAME="lbAY">&nbsp;</A>
<H3>nflog</H3>

The nflog watcher passes the packet to the loaded logging backend
in order to log the packet. This is usually used in combination with
nfnetlink_log as logging backend, which will multicast the packet
through a
<I>netlink</I>

socket to the specified multicast group. One or more userspace processes
may subscribe to the group to receive the packets.
<DL COMPACT>
<DT id="83"><B>--nflog</B>

<DD>
<BR>

Log with the default logging options
<DT id="84"><B>--nflog-group </B><I>nlgroup</I>

<DD>
<BR>

The netlink group (1 - 2^32-1) to which packets are (only applicable for
nfnetlink_log). The default value is 1.
<DT id="85"><B>--nflog-prefix </B><I>prefix</I>

<DD>
<BR>

A prefix string to include in the log message, up to 30 characters
long, useful for distinguishing messages in the logs.
<DT id="86"><B>--nflog-range </B><I>size</I>

<DD>
<BR>

The number of bytes to be copied to userspace (only applicable for
nfnetlink_log). nfnetlink_log instances may specify their own
range, this option overrides it.
<DT id="87"><B>--nflog-threshold </B><I>size</I>

<DD>
<BR>

Number of packets to queue inside the kernel before sending them
to userspace (only applicable for nfnetlink_log). Higher values
result in less overhead per packet, but increase delay until the
packets reach userspace. The default value is 1.
</DL>
<A NAME="lbAZ">&nbsp;</A>
<H3>ulog</H3>

The ulog watcher passes the packet to a userspace
logging daemon using netlink multicast sockets. This differs
from the log watcher in the sense that the complete packet is
sent to userspace instead of a descriptive text and that
netlink multicast sockets are used instead of the syslog.
This watcher enables parsing of packets with userspace programs, the
physical bridge in and out ports are also included in the netlink messages.
The ulog watcher module accepts 2 parameters when the module is loaded
into the kernel (e.g. with modprobe):
<B>nlbufsiz</B>

specifies how big the buffer for each netlink multicast
group is. If you say
<I>nlbufsiz=8192</I>,

for example, up to eight kB of packets will
get accumulated in the kernel until they are sent to userspace. It is
not possible to allocate more than 128kB. Please also keep in mind that
this buffer size is allocated for each nlgroup you are using, so the
total kernel memory usage increases by that factor. The default is 4096.
<B>flushtimeout</B>

specifies after how many hundredths of a second the queue should be
flushed, even if it is not full yet. The default is 10 (one tenth of
a second).
<DL COMPACT>
<DT id="88"><B>--ulog</B>

<DD>
<BR>

Use the default settings: ulog-prefix=&quot;&quot;, ulog-nlgroup=1,
ulog-cprange=4096, ulog-qthreshold=1.
<DT id="89"><B>--ulog-prefix </B><I>text</I>

<DD>
<BR>

Defines the prefix included with the packets sent to userspace.
<DT id="90"><B>--ulog-nlgroup</B> <I>group</I>

<DD>
<BR>

Defines which netlink group number to use (a number from 1 to 32).
Make sure the netlink group numbers used for the iptables ULOG
target differ from those used for the ebtables ulog watcher.
The default group number is 1.
<DT id="91"><B>--ulog-cprange</B> <I>range</I>

<DD>
<BR>

Defines the maximum copy range to userspace, for packets matching the
rule. The default range is 0, which means the maximum copy range is
given by
<B>nlbufsiz</B>.

A maximum copy range larger than
128*1024 is meaningless as the packets sent to userspace have an upper
size limit of 128*1024.
<DT id="92"><B>--ulog-qthreshold</B> <I>threshold</I>

<DD>
<BR>

Queue at most
<I>threshold</I>

number of packets before sending them to
userspace with a netlink socket. Note that packets can be sent to
userspace before the queue is full, this happens when the ulog
kernel timer goes off (the frequency of this timer depends on
<B>flushtimeout</B>).

</DL>
<A NAME="lbBA">&nbsp;</A>
<H3>TARGET EXTENSIONS</H3>

<A NAME="lbBB">&nbsp;</A>
<H3>arpreply</H3>

The
<B>arpreply</B>

target can be used in the
<B>PREROUTING</B> chain of the <B>nat</B> table.

If this target sees an ARP request it will automatically reply
with an ARP reply. The used MAC address for the reply can be specified.
The protocol must be specified as
<I>ARP</I>.

When the ARP message is not an ARP request or when the ARP request isn't
for an IP address on an Ethernet network, it is ignored by this target
<B></B>(<B>CONTINUE</B>).

When the ARP request is malformed, it is dropped
<B></B>(<B>DROP</B>).

<DL COMPACT>
<DT id="93"><B>--arpreply-mac </B><I>address</I>

<DD>
Specifies the MAC address to reply with: the Ethernet source MAC and the
ARP payload source MAC will be filled in with this address.
<DT id="94"><B>--arpreply-target </B><I>target</I>

<DD>
Specifies the standard target. After sending the ARP reply, the rule still
has to give a standard target so ebtables knows what to do with the ARP request.
The default target
<B></B>is <B>DROP</B>.

</DL>
<A NAME="lbBC">&nbsp;</A>
<H3>dnat</H3>

The
<B>dnat</B>

target can only be used in the
<B>PREROUTING</B> and <B>OUTPUT</B> chains of the <B>nat</B> table.

It specifies that the destination MAC address has to be changed.
<DL COMPACT>
<DT id="95"><B>--to-destination </B><I>address</I>

<DD>
<BR>

Change the destination MAC address to the specified
<I>address</I>.

The flag
<B>--to-dst</B>

is an alias for this option.
<DT id="96"><B>--dnat-target </B><I>target</I>

<DD>
<BR>

Specifies the standard target. After doing the dnat, the rule still has to
give a standard target so ebtables knows what to do with the dnated frame.
The default target is
<B>ACCEPT</B>.

Making it
<B>CONTINUE</B> could let you use

multiple target extensions on the same frame. Making it
<B>DROP</B> only makes

sense in the
<B>BROUTING</B> chain but using the <B>redirect</B> target is more logical there. <B>RETURN</B> is also allowed. Note that using <B>RETURN</B>

in a base chain is not allowed (for obvious reasons).
</DL>
<A NAME="lbBD">&nbsp;</A>
<H3>mark</H3>

<B></B>The <B>mark</B> target can be used in every chain of every table. It is possible

to use the marking of a frame/packet in both ebtables and iptables,
if the bridge-nf code is compiled into the kernel. Both put the marking at the
same place. This allows for a form of communication between ebtables and iptables.
<DL COMPACT>
<DT id="97"><B>--mark-set </B><I>value</I>

<DD>
<BR>

Mark the frame with the specified non-negative
<I>value</I>.

<DT id="98"><B>--mark-or </B><I>value</I>

<DD>
<BR>

Or the frame with the specified non-negative
<I>value</I>.

<DT id="99"><B>--mark-and </B><I>value</I>

<DD>
<BR>

And the frame with the specified non-negative
<I>value</I>.

<DT id="100"><B>--mark-xor </B><I>value</I>

<DD>
<BR>

Xor the frame with the specified non-negative
<I>value</I>.

<DT id="101"><B>--mark-target </B><I>target</I>

<DD>
<BR>

Specifies the standard target. After marking the frame, the rule
still has to give a standard target so ebtables knows what to do.
The default target is
<B>ACCEPT</B>. Making it <B>CONTINUE</B> can let you do other

things with the frame in subsequent rules of the chain.
</DL>
<A NAME="lbBE">&nbsp;</A>
<H3>redirect</H3>

The
<B>redirect</B>

target will change the MAC target address to that of the bridge device the
frame arrived on. This target can only be used in the
<B>PREROUTING</B> chain of the <B>nat</B> table.

The MAC address of the bridge is used as destination address.&quot;
<DL COMPACT>
<DT id="102"><B>--redirect-target </B><I>target</I>

<DD>
<BR>

Specifies the standard target. After doing the MAC redirect, the rule
still has to give a standard target so ebtables knows what to do.
The default target is
<B>ACCEPT</B>. Making it <B>CONTINUE</B> could let you use

multiple target extensions on the same frame. Making it
<B>DROP</B> in the <B>BROUTING</B> chain will let the frames be routed. <B>RETURN</B> is also allowed. Note

<B></B>that using <B>RETURN</B> in a base chain is not allowed.

</DL>
<A NAME="lbBF">&nbsp;</A>
<H3>snat</H3>

The
<B>snat</B>

target can only be used in the
<B>POSTROUTING</B> chain of the <B>nat</B> table.

It specifies that the source MAC address has to be changed.
<DL COMPACT>
<DT id="103"><B>--to-source </B><I>address</I>

<DD>
<BR>

Changes the source MAC address to the specified
<I>address</I>. The flag

<B>--to-src</B>

is an alias for this option.
<DT id="104"><B>--snat-target </B><I>target</I>

<DD>
<BR>

Specifies the standard target. After doing the snat, the rule still has 
to give a standard target so ebtables knows what to do.
<B></B>The default target is <B>ACCEPT</B>. Making it <B>CONTINUE</B> could let you use

<B></B>multiple target extensions on the same frame. Making it <B>DROP</B> doesn't

<B></B>make sense, but you could do that too. <B>RETURN</B> is also allowed. Note

<B></B>that using <B>RETURN</B> in a base chain is not allowed.

<BR>

<DT id="105"><B>--snat-arp </B>

<DD>
<BR>

Also change the hardware source address inside the arp header if the packet is an
arp message and the hardware address length in the arp header is 6 bytes.
<BR>

</DL>
<A NAME="lbBG">&nbsp;</A>
<H2>FILES</H2>

<I>/etc/ethertypes</I>

<A NAME="lbBH">&nbsp;</A>
<H2>ENVIRONMENT VARIABLES</H2>

<I>EBTABLES_ATOMIC_FILE</I>

<A NAME="lbBI">&nbsp;</A>
<H2>MAILINGLISTS</H2>

<B></B>See <B><A HREF="http://netfilter.org/mailinglists.html">http://netfilter.org/mailinglists.html</A></B>

<A NAME="lbBJ">&nbsp;</A>
<H2>BUGS</H2>

The version of ebtables this man page ships with does not support the
<B>broute</B>

table. Also there is no support for
<B>string</B>

match. And finally, this list is probably not complete.
<A NAME="lbBK">&nbsp;</A>
<H2>SEE ALSO</H2>

<B><A HREF="/cgi-bin/man/man2html?8+xtables-nft">xtables-nft</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+iptables">iptables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ip">ip</A></B>(8)

<P>

<B></B>See <B><A HREF="https://wiki.nftables.org">https://wiki.nftables.org</A></B>

<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="106"><A HREF="#lbAB">NAME</A><DD>
<DT id="107"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="108"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DL>
<DT id="109"><A HREF="#lbAE">CHAINS</A><DD>
<DT id="110"><A HREF="#lbAF">TARGETS</A><DD>
<DT id="111"><A HREF="#lbAG">TABLES</A><DD>
</DL>
<DT id="112"><A HREF="#lbAH">EBTABLES COMMAND LINE ARGUMENTS</A><DD>
<DL>
<DT id="113"><A HREF="#lbAI">COMMANDS</A><DD>
<DT id="114"><A HREF="#lbAJ">MISCELLANOUS COMMANDS</A><DD>
<DT id="115"><A HREF="#lbAK">RULE SPECIFICATIONS</A><DD>
<DT id="116"><A HREF="#lbAL">MATCH EXTENSIONS</A><DD>
<DT id="117"><A HREF="#lbAM">802_3</A><DD>
<DT id="118"><A HREF="#lbAN">among</A><DD>
<DT id="119"><A HREF="#lbAO">arp</A><DD>
<DT id="120"><A HREF="#lbAP">ip</A><DD>
<DT id="121"><A HREF="#lbAQ">ip6</A><DD>
<DT id="122"><A HREF="#lbAR">limit</A><DD>
<DT id="123"><A HREF="#lbAS">mark_m</A><DD>
<DT id="124"><A HREF="#lbAT">pkttype</A><DD>
<DT id="125"><A HREF="#lbAU">stp</A><DD>
<DT id="126"><A HREF="#lbAV">vlan</A><DD>
<DT id="127"><A HREF="#lbAW">WATCHER EXTENSIONS</A><DD>
<DT id="128"><A HREF="#lbAX">log</A><DD>
<DT id="129"><A HREF="#lbAY">nflog</A><DD>
<DT id="130"><A HREF="#lbAZ">ulog</A><DD>
<DT id="131"><A HREF="#lbBA">TARGET EXTENSIONS</A><DD>
<DT id="132"><A HREF="#lbBB">arpreply</A><DD>
<DT id="133"><A HREF="#lbBC">dnat</A><DD>
<DT id="134"><A HREF="#lbBD">mark</A><DD>
<DT id="135"><A HREF="#lbBE">redirect</A><DD>
<DT id="136"><A HREF="#lbBF">snat</A><DD>
</DL>
<DT id="137"><A HREF="#lbBG">FILES</A><DD>
<DT id="138"><A HREF="#lbBH">ENVIRONMENT VARIABLES</A><DD>
<DT id="139"><A HREF="#lbBI">MAILINGLISTS</A><DD>
<DT id="140"><A HREF="#lbBJ">BUGS</A><DD>
<DT id="141"><A HREF="#lbBK">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:12 GMT, March 31, 2021
</BODY>
</HTML>