
Property:ebtables


Linux-Command


Details

ebtables (Ethernet Bridge tables) is the Ethernet bridge frame table administration command.
It is the OSI layer 2 (Data Link Layer, Ethernet) equivalent of iptables.

ebtables controls a set of Kernel-Modules (see Modules below); the core module is ebtables.ko.
These modules allow filtering rules to be applied to Network-Bridges created and maintained by brctl.

On Broadcom models ebtables is just the commandline frontend to libebtc.so, which contains all the code.
In the Realtek Linux of the 7520v2, ebtables links the library statically.

Up to fw 7.31, ebtables depends on a set of syntax extension libraries, one for each optional module (see Dependencies).
The syntax is activated once the respective module is loaded. Later this functionality was merged into libebtc.so.

See also the ebtables(8) man page, the homepage, this explanation of a minimalistic ebtables firewall and br_netfilter.ko.

7581 fw 7.17:

root@fritz:/var/mod/root# ebtables

ebtables v2.0.10-4 (December 2011)

Usage:
ebtables -[ADI] chain rule-specification [options]
ebtables -P chain target
ebtables -[LFZ] [chain]
ebtables -[NX] [chain]
ebtables -E old-chain-name new-chain-name

Commands:
--append -A chain             : append to chain
--delete -D chain             : delete matching rule from chain
--delete -D chain rulenum     : delete rule at position rulenum from chain
--change-counters -C chain
          [rulenum] pcnt bcnt : change counters of existing rule
--insert -I chain rulenum     : insert rule at position rulenum in chain
--list   -L [chain]           : list the rules in a chain or in all chains
--flush  -F [chain]           : delete all rules in chain or in all chains
--init-table                  : replace the kernel table with the initial table
--zero   -Z [chain]           : put counters on zero in chain or in all chains
--policy -P chain target      : change policy on chain to target
--new-chain -N chain          : create a user defined chain
--rename-chain -E old new     : rename a chain
--delete-chain -X [chain]     : delete a user defined chain
--atomic-commit               : update the kernel w/t table contained in <FILE>
--atomic-init                 : put the initial kernel table into <FILE>
--atomic-save                 : put the current kernel table into <FILE>
--atomic-file file            : set <FILE> to file

Options:
--proto  -p [!] proto         : protocol hexadecimal, by name or LENGTH
--src    -s [!] address[/mask]: source mac address
--dst    -d [!] address[/mask]: destination mac address
--in-if  -i [!] name[+]       : network input interface name
--out-if -o [!] name[+]       : network output interface name
--logical-in  [!] name[+]     : logical bridge input interface name
--logical-out [!] name[+]     : logical bridge output interface name
--set-counters -c chain
          pcnt bcnt           : set the counters of the to be added rule
--modprobe -M program         : try to insert modules using this program
--concurrent                  : use a file lock to support concurrent scripts
--version -V                  : print package version

Environment variable:
EBTABLES_ATOMIC_FILE          : if set <FILE> (see above) will equal its value

Standard targets: DROP, ACCEPT, RETURN or CONTINUE;
The target can also be a user defined chain.

Supported chains for the filter table:
INPUT FORWARD OUTPUT 

Extended from todo / ebt_802_3.ko - fw 6.32:

802_3 options:
--802_3-sap [!] protocol       : 802.3 DSAP/SSAP- 1 byte value (hex)
  DSAP and SSAP are always the same.  One SAP applies to both fields
--802_3-type [!] protocol      : 802.3 SNAP Type- 2 byte value (hex)
  Type implies SAP value 0xaa

For 802.3 DSAP/SSAP filtering the protocol must be LENGTH

Extended from todo / ebt_among.ko - fw 6.32:

among options:
--among-dst      [!] list      : matches if ether dst is in list
--among-src      [!] list      : matches if ether src is in list
--among-dst-file [!] file      : obtain dst list from file
--among-src-file [!] file      : obtain src list from file

list has form:
 xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip],yy:yy:yy:yy:yy:yy[=ip.ip.ip.ip],...,zz:zz:zz:zz:zz:zz[=ip.ip.ip.ip][,]
Things in brackets are optional.
If you want to allow two (or more) IP addresses to one MAC address, you
can specify two (or more) pairs with the same MAC, e.g.
 00:00:00:fa:eb:fe=153.19.120.250,00:00:00:fa:eb:fe=192.168.0.1
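
Added example (not from BoxMatrix or the ebtables project): a Python validator for the among list format shown above, for checking a MAC/IP binding list before it is handed to --among-src or --among-dst. The function names, the strict two-hex-digit MAC syntax, the match model in in_list() and the sample list are assumptions made for illustration.

```python
import ipaddress
import re

# Six two-digit hex octets separated by colons (assumption: stricter than the tool may be).
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


def parse_among_list(text):
    """Parse 'MAC[=IP],MAC[=IP],...[,]' into (mac, ip_or_None) pairs."""
    entries = text.strip().split(",")
    if entries[-1] == "":          # one optional trailing comma is allowed
        entries.pop()
    if not entries:
        raise ValueError("empty among list")
    pairs = []
    for pos, entry in enumerate(entries, start=1):
        mac, sep, ip = entry.partition("=")
        if not _MAC_RE.fullmatch(mac):
            raise ValueError(f"entry {pos}: bad MAC address {mac!r}")
        if sep:
            try:
                ip = str(ipaddress.IPv4Address(ip))
            except ipaddress.AddressValueError:
                raise ValueError(f"entry {pos}: bad IPv4 address {ip!r}") from None
        else:
            ip = None
        pairs.append((mac.lower(), ip))
    return pairs


def build_table(pairs):
    """Group by MAC. None in the set marks a MAC-only entry (any IP)."""
    table = {}
    for mac, ip in pairs:
        table.setdefault(mac, set()).add(ip)
    return table


def in_list(table, mac, ip=None):
    """Assumed match model: the MAC must be listed; a listed IP must equal the frame's."""
    allowed = table.get(mac.lower())
    if allowed is None:
        return False
    return None in allowed or (ip is not None and ip in allowed)


# Constructed sample: the two-IP example from the help text plus one MAC-only entry.
SAMPLE = ("00:00:00:fa:eb:fe=153.19.120.250,"
          "00:00:00:fa:eb:fe=192.168.0.1,"
          "00:11:22:33:44:55,")

if __name__ == "__main__":
    table = build_table(parse_among_list(SAMPLE))
    for mac, ips in sorted(table.items()):
        print(mac, sorted(ip or "any" for ip in ips))
```
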

Extended from todo / ebt_arp.ko - fw 6.32:

arp options:
--arp-opcode  [!] opcode        : ARP opcode (integer or string)
--arp-htype   [!] type          : ARP hardware type (integer or string)
--arp-ptype   [!] type          : ARP protocol type (hexadecimal or string)
--arp-ip-src  [!] address[/mask]: ARP IP source specification
--arp-ip-dst  [!] address[/mask]: ARP IP target specification
--arp-mac-src [!] address[/mask]: ARP MAC source specification
--arp-mac-dst [!] address[/mask]: ARP MAC target specification
[!] --arp-gratuitous            : ARP gratuitous packet

Extended from todo / ebt_arpreply.ko - fw 6.32:

arpreply target options:
 --arpreply-mac address           : source MAC of generated reply
 --arpreply-target target         : ACCEPT, DROP, RETURN or CONTINUE
                                    (standard target is DROP)

Extended from libebt_blog.so / ebt_blog.ko - fw 7.31:

blog match options:
    --tcp-pureack                match when blog TCP Pure ACK is
                                 detected.

Extended from todo / ebt_dnat.ko - fw 6.32:

dnat options:
 --to-dst address       : MAC address to map destination to
 --dnat-target target   : ACCEPT, DROP, RETURN or CONTINUE

Extended from libebt_ftos.so / ebt_ftos.ko - fw 7.17:

ftos target options:
--set-ftos value     : Set TOS byte in IP packet header 
		       This value can be in decimal (ex: 32)
		       in hex (ex: 0x20)
--ftos-target target : ACCEPT, DROP, RETURN or CONTINUE

Extended from libebt_ip.so / ebt_ip.ko - fw 7.17:

ip options:
--ip-src    [!] address[/mask]: ip source specification
--ip-dst    [!] address[/mask]: ip destination specification
--ip-tos    [!] tos           : ip tos specification
--ip-dscp   [!] dscp          : ip dscp specification
--ip-proto  [!] protocol      : ip protocol specification
--ip-sport  [!] port[:port]   : tcp/udp source port or port range
--ip-dport  [!] port[:port]   : tcp/udp destination port or port range

For IP filtering the protocol must be specified as IPv4
For port filtering the IP protocol must be either 6 (tcp), 17 (udp), 33 (dccp) or 132 (sctp)

Extended from libebt_ip_extend.so / ebt_ip_extend.ko - fw 7.31:

ip options:
--ip-tos-extend    [!] tos[:tos][/mask]   : ip tos specification
--ip-dscp-extend   [!] dscp                : ip dscp specification

Extended from libebt_ip6.so / ebt_ip6.ko - fw 7.17:

ip6 options:
--ip6-src    [!] address[/mask]: ipv6 source specification
--ip6-dst    [!] address[/mask]: ipv6 destination specification
--ip6-tclass [!] tclass        : ipv6 traffic class specification
--ip6-proto  [!] protocol      : ipv6 protocol specification
--ip6-sport  [!] port[:port]   : tcp/udp source port or port range
--ip6-dport  [!] port[:port]   : tcp/udp destination port or port range
--ip6-icmp-type [!] type[[:type]/code[:code]] : ipv6-icmp type/code or type/code range

For IPv6 filtering the protocol must be specified as IPv6
For port filtering the IP protocol must be either 6 (tcp), 17 (udp), 33 (dccp) or 132 (sctp)
For ipv6-icmp filtering the IP protocol must be 58 (ipv6-icmp)

Extended from libebt_ip6_extend.so / ebt_ip6_extend.ko - fw 7.31:

ip6 options:
--ip6-tclass-extend [!] tclass[:tclass][/mask]        : ipv6 traffic class specification
--ip6-flow-label-extend [!] flowlabel : ipv6 flow label specification

Extended from todo / ebt_limit.ko - fw 6.32:

limit options:
--limit avg                   : max average match rate: default 3/hour
                                [Packets per second unless followed by 
                                /sec /minute /hour /day postfixes]
--limit-burst number          : number to match in a burst, -1 < number < 10001,

Extended from libebt_mark.so / ebt_mark.ko - fw 7.17:

mark target options:
 --mark-set value     : Set nfmark value
 --mark-or  value     : Or nfmark with value (nfmark |= value)
 --mark-and value     : And nfmark with value (nfmark &= value)
 --mark-xor value     : Xor nfmark with value (nfmark ^= value)
 --vtag-set value     : Set vlan tag value
 --mark-target target : ACCEPT, DROP, RETURN or CONTINUE

Extended from libebt_mark_m.so / ebt_mark_m.ko - fw 7.17:

mark option:
--mark    [!] [value][/mask]: Match nfmask value (see man page)

Extended from todo / ebt_pkttype.ko - fw 6.32:

pkttype options:
--pkttype-type    [!] type: class the packet belongs to

Possible values: broadcast, multicast, host, otherhost, or any other byte value (which would be pretty useless)

Extended from libebt_qos_map.so / ebt_qos_map.ko - fw 7.31:

todo

Extended from todo / ebt_redirect.ko - fw 7.70:

redirect option:
 --redirect-target target   : ACCEPT, DROP, RETURN or CONTINUE

Extended from libebt_reject.so / ebt_reject.ko - fw 7.31:

REJECT target options:
 --reject-with value      : reject reason

Extended from libebt_skbvlan.so / ebt_skbvlan_m.ko - fw 7.17:

skbvlan options:
--skbvlan-id [!] id       : vlan-tagged frame identifier, 0,1-4096 (integer)
--skbvlan-prio [!] prio   : Priority-tagged frame's user priority, 0-7 (integer)
--skbvlan-encap [!] encap : Encapsulated frame protocol (hexadecimal or name)

Extended from libebt_skiplog.so / ebt_skiplog.ko - fw 7.17:

skiplog target takes no options:
SKIPLOG

Extended from todo / ebt_snat.ko - fw 6.32:

snat options:
 --to-src address       : MAC address to map source to
 --snat-target target   : ACCEPT, DROP, RETURN or CONTINUE
 --snat-arp             : also change src address in arp msg

Extended from libebt_standard.so / ebt_standard.ko - fw 7.17:

Standard targets: DROP, ACCEPT, RETURN or CONTINUE;
The target can also be a user defined chain.

Extended from todo / ebt_stp.ko - fw 6.32:

stp options:
--stp-type type                  : BPDU type
--stp-flags flag                 : control flag
--stp-root-prio prio[:prio]      : root priority (16-bit) range
--stp-root-addr address[/mask]   : MAC address of root
--stp-root-cost cost[:cost]      : root cost (32-bit) range
--stp-sender-prio prio[:prio]    : sender priority (16-bit) range
--stp-sender-addr address[/mask] : MAC address of sender
--stp-port port[:port]           : port id (16-bit) range
--stp-msg-age age[:age]          : message age timer (16-bit) range
--stp-max-age age[:age]          : maximum age timer (16-bit) range
--stp-hello-time time[:time]     : hello time timer (16-bit) range
--stp-forward-delay delay[:delay]: forward delay timer (16-bit) range

 Recognized BPDU type strings:
   "config": configuration BPDU (=0)
   "tcn"   : topology change notification BPDU (=0x80)
 Recognized control flag strings:
   "topology-change"    : topology change flag (0x01)
   "topology-change-ack": topology change acknowledgement flag (0x80)

STP matching is only valid when the destination MAC address is the bridge group address (BGA) 01:80:c2:00:00:00

Extended from libebt_time.so / ebt_time.ko - fw 7.17:

time options:
 --timestart value --timestop value --days listofdays
          timestart value : HH:MM
          timestop  value : HH:MM
          listofdays value: a list of days to apply -> ie. Mon,Tue,Wed,Thu,Fri. Case sensitive

Extended from libebt_u32.so / ebt_u32.ko - fw 7.31:

u32 match options:
--u32 [!] tests
                tests := location "=" value | tests "&&" location "=" value
                value := range | value "," range
                range := number | number ":" number
                location := number | location operator number
                operator := "&" | "<<" | ">>" | "@"

Extended from libebt_vlan.so / ebt_vlan.ko - fw 7.17:

vlan options:
--vlan-id [!] id       : vlan-tagged frame identifier, 0,1-4096 (integer)
--vlan-prio [!] prio   : Priority-tagged frame's user priority, 0-7 (integer)
--vlan-encap [!] encap : Encapsulated frame protocol (hexadecimal or name)
--vlan-id %s%d 
--vlan-prio %s%d 
--vlan-encap %s

Extended from todo / ebt_vtag.ko - fw 7.70:

vtag target options:
 --vtag-set value     : Set vlan tag value
 --vtag-target target : ACCEPT, DROP, RETURN or CONTINUE

Extended from libebt_wmm_mark.so / ebt_wmm_mark.ko - fw 7.17:

wmm-mark target options:
 --wmm-mark-target target : ACCEPT, DROP, RETURN or CONTINUE
 --wmm-marktag value      : set nfmark based on: dscp or vlan 
 --wmm-markset value      : set nfmark regardless of the mark based on
 --wmm-markpos            : bit offset of nfmark to set

wmm-mark dscp must be used with -p IPv4/IPv6
wmm-mark vlan must be used with -p 802_1Q

Extended from libebtable_broute.so / ebtable_broute.ko - fw 7.17:

Supported chain for the broute table:
broute

Extended from libebtable_filter.so / ebtable_filter.ko - fw 7.17:

Supported chains for the filter table:
filter

Extended from libebtable_nat.so / ebtable_nat.ko - fw 7.17:

Supported chains for the nat table:
nat

Modules

This is a subset of the Kernel-Modules section, filtered for ebt* modules.

Daily updated index of all kernel modules found scanning Firmware-Probes. Last update: 2025-01-24 05:38 GMT.
The label (module) in the Module column shows there are other objects in this wiki using this name.
The Mod column shows the number of models using the respective module.

GPL-Browser

Daily updated index of all ebtables code findings on the GPL-Browser. Last update: 2025-01-24 04:59 GMT.
The Browse column points to the Path containing the respective source code on the gpl.boxmatrix.info service.
The SoC column lists the Chip-Codenames, the Model column lists the nicks of the Box-Models.
The Diff column links the comparison of the AVM Kernel to the pristine original from Kernel.org.
The Download column links the full tarball the respective directory content is extracted from.
The presence of the source does not mean it fits the respective model and architecture. See the Model-Matrix where it's used.

Dependencies

Daily updated index of all dependencies of this command. Last update: 2025-01-24 07:38 GMT.
A * in the Mod column marks info from Supportdata-Probes, which will always stay incomplete.

Relation    Typ  Object                Mod  Firmware     Info                                             Origin
Depends on  lib  libc.so               5    6.54 - 8.00  Standard C library                               Linux
Depends on  lib  libebt_blog.so        1    7.20 - 7.31  ebtables syntax extension for ebt_blog.ko        Netfilter
Depends on  lib  libebt_ftos.so        3    6.54 - 7.31  ebtables syntax extension for ebt_ftos.ko        Netfilter
Depends on  lib  libebt_ip.so          3    6.54 - 7.31  ebtables syntax extension for ebt_ip.ko          Netfilter
Depends on  lib  libebt_ip6.so         3    6.54 - 7.31  ebtables syntax extension for ebt_ip6.ko         Netfilter
Depends on  lib  libebt_ip6_extend.so  1    7.20 - 7.31  ebtables syntax extension for ebt_ip6_extend.ko  Netfilter
Depends on  lib  libebt_ip_extend.so   1    7.20 - 7.31  ebtables syntax extension for ebt_ip_extend.ko   Netfilter
Depends on  lib  libebt_mark.so        3    6.54 - 7.31  ebtables syntax extension for ebt_mark.ko        Netfilter
Depends on  lib  libebt_mark_m.so      3    6.54 - 7.31  ebtables syntax extension for ebt_mark_m.ko      Netfilter
Depends on  lib  libebt_qos_map.so     1    7.20 - 7.31  ebtables syntax extension for ebt_qos_map.ko     Netfilter
Depends on  lib  libebt_reject.so      1    7.20 - 7.31  ebtables syntax extension for ebt_reject.ko      Netfilter
Depends on  lib  libebt_skbvlan.so     3    6.98 - 7.31  ebtables syntax extension for ebt_skbvlan_m.ko   Netfilter
Depends on  lib  libebt_skiplog.so     3    6.54 - 7.31  ebtables syntax extension for ebt_skiplog.ko     Netfilter
Depends on  lib  libebt_standard.so    3    6.54 - 7.31  ebtables syntax extension for ebt_standard.ko    Netfilter
Depends on  lib  libebt_time.so        3    6.54 - 7.31  ebtables syntax extension for ebt_time.ko        Netfilter
Depends on  lib  libebt_u32.so         1    7.20 - 7.31  ebtables syntax extension for ebt_u32.ko         Netfilter
Depends on  lib  libebt_vlan.so        3    6.54 - 7.31  ebtables syntax extension for ebt_vlan.ko        Netfilter
Depends on  lib  libebt_wmm_mark.so    3    6.54 - 7.31  ebtables syntax extension for ebt_wmm_mark.ko    Netfilter
Depends on  lib  libebtable_broute.so  3    6.54 - 7.31  ebtables syntax extension for ebtable_broute.ko  Netfilter
Depends on  lib  libebtable_filter.so  3    6.54 - 7.31  ebtables syntax extension for ebtable_filter.ko  Netfilter
Depends on  lib  libebtable_nat.so     3    6.54 - 7.31  ebtables syntax extension for ebtable_nat.ko     Netfilter
Depends on  lib  libebtc.so            3    6.54 - 8.00  ebtables core library                            Netfilter

22 dependencies for this command

Model-Matrix

Daily updated index of the presence, path and size of this command for each model. Last update: 2025-01-24 05:38 GMT.
Showing all models using this command.
The (main/scrpn/boot/arm/prx/atom/rtl) label in the Model column shows which CPU is meant for Multi-Linux models.
Note that this list is merged from Firmware-Probes of all known AVM firmware for a model, including Recovery.exe and Labor-Files.

Model                     Firmware     Path  Size
FRITZ!Box 5690 Pro (rtl)  7.62         /bin  126k
FRITZ!Box 7520 v2 (rtl)                /bin  129k
FRITZ!Box 7530 AX         7.20 - 8.00  /bin  5.4k - 5.5k
FRITZ!Box 7581            6.54 - 7.18  /bin  3.4k - 4.0k
FRITZ!Box 7582            6.83 - 7.18  /bin  3.4k - 4.0k

5 models use this command

Symbols

Daily updated index of all symbols of this command. Last update: 2025-01-24 07:38 GMT.

Firmware Symbol
7.62 do_command
7.62 ebt_802_3_init
7.62 ebt_add_match
7.62 ebt_add_rule
7.62 ebt_add_watcher
7.62 ebt_among_init
7.62 ebt_arp_init
7.62 ebt_arpreply_init
7.62 ebt_change_counters
7.62 ebt_change_policy
7.62 ebt_check_for_loops
7.62 ebt_check_for_references
7.62 ebt_check_for_references2
7.62 ebt_check_option
7.62 ebt_check_rule_exists
7.62 ebt_cleanup_replace
7.62 ebt_delete_cc
7.62 ebt_delete_chain
7.62 ebt_delete_rule
7.62 ebt_deliver_counters
7.62 ebt_deliver_table
7.62 ebt_do_final_checks
7.62 ebt_double_chains
7.62 ebt_early_init_once
7.62 ebt_empty_chain
7.62 ebt_find_match
7.62 ebt_find_table
7.62 ebt_find_target
7.62 ebt_find_watcher
7.62 ebt_flush_chains
7.62 ebt_free_u_entry
7.62 ebt_ftos_init
7.62 ebt_get_chainnr
7.62 ebt_get_kernel_table
7.62 ebt_get_mac_and_mask
7.62 ebt_get_table
7.62 ebt_initialize_entry
7.62 ebt_ip6_init
7.62 ebt_ip6_to_numeric
7.62 ebt_ip_init
7.62 ebt_iterate_matches
7.62 ebt_iterate_targets
7.62 ebt_iterate_watchers
7.62 ebt_limit_init
7.62 ebt_list_extensions
7.62 ebt_log_init
7.62 ebt_mark_init
7.62 ebt_mark_m_init
7.62 ebt_mask_to_dotted
7.62 ebt_name_to_chain
7.62 ebt_nat_init
7.62 ebt_new_chain
7.62 ebt_parse_ip6_address
7.62 ebt_parse_ip_address
7.62 ebt_pkttype_init
7.62 ebt_print_mac
7.62 ebt_print_mac_and_mask
7.62 ebt_redirect_init
7.62 ebt_register_match
7.62 ebt_register_table
7.62 ebt_register_target
7.62 ebt_register_watcher
7.62 ebt_reinit_extensions
7.62 ebt_rename_chain
7.62 ebt_standard_init
7.62 ebt_stp_init
7.62 ebt_ulog_init
7.62 ebt_vlan_init
7.62 ebt_zero_counters
7.62 ebtable_broute_init
7.62 ebtable_filter_init
7.62 ebtable_nat_init
7.62 ebtables_insmod
7.62 endethertypeent
7.62 getethertypebyname
7.62 getethertypebynumber
7.62 getethertypeent
7.62 init_extensions
7.20 - 7.62 main
7.62 parseethertypebynumber
7.62 setethertypeent
7.62 string_to_number
7.62 string_to_number_l
7.62 string_to_number_ll
84 symbols for this command
