Linux Manual Guide




ebtables(8)

Ethernet bridge frame table administration (nft-based)

Name

ebtables - Ethernet bridge frame table administration (nft-based)


Synopsis

ebtables [-t table] -[ACDI] chain rule specification [match extensions] [watcher extensions] target
ebtables [-t table] -P chain ACCEPT | DROP | RETURN
ebtables [-t table] -F [chain]
ebtables [-t table] -Z [chain]
ebtables [-t table] -L [-Z] [chain] [ [--Ln] | [--Lx] ] [--Lc] [--Lmac2]
ebtables [-t table] -N chain [-P ACCEPT | DROP | RETURN]
ebtables [-t table] -X [chain]
ebtables [-t table] -E old-chain-name new-chain-name
ebtables [-t table] --init-table


Description

ebtables is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect Ethernet frames. It is analogous to the iptables application, but less complicated, due to the fact that the Ethernet protocol is much simpler than the IP protocol.

CHAINS

There are two ebtables tables with built-in chains in the Linux kernel. These tables are used to divide functionality into different sets of rules. Each set of rules is called a chain. Each chain is an ordered list of rules that can match Ethernet frames. If a rule matches an Ethernet frame, then a processing specification tells what to do with that matching frame. The processing specification is called a 'target'. However, if the frame does not match the current rule in the chain, then the next rule in the chain is examined and so forth. The user can create new (user-defined) chains that can be used as the 'target' of a rule. User-defined chains are very useful to get better performance over the linear traversal of the rules and are also essential for structuring the filtering rules into well-organized and maintainable sets of rules.

TARGETS

A firewall rule specifies criteria for an Ethernet frame and a frame processing specification called a target. When a frame matches a rule, then the next action performed by the kernel is specified by the target. The target can be one of these values: ACCEPT, DROP, CONTINUE, RETURN, an 'extension' (see below) or a jump to a user-defined chain.

ACCEPT means to let the frame through. DROP means the frame has to be dropped. CONTINUE means the next rule has to be checked. This can be handy, e.g., to know how many frames pass a certain point in the chain, to log those frames or to apply multiple targets to a frame. RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. For the extension targets please refer to the TARGET EXTENSIONS section of this man page.

TABLES

As stated earlier, there are two ebtables tables in the Linux kernel. The table names are filter and nat. Of these two tables, the filter table is the default table that the command operates on. If you are working with the filter table, then you can drop the '-t filter' argument to the ebtables command. However, you will need to provide the -t argument for the nat table. Moreover, the -t argument must be the first argument on the ebtables command line, if used.

-t, --table

filter is the default table and contains three built-in chains: INPUT (for frames destined for the bridge itself, on the level of the MAC destination address), OUTPUT (for locally-generated or (b)routed frames) and FORWARD (for frames being forwarded by the bridge). nat is mostly used to change the MAC addresses and contains three built-in chains: PREROUTING (for altering frames as soon as they come in), OUTPUT (for altering locally generated or (b)routed frames before they are bridged) and POSTROUTING (for altering frames as they are about to go out). A small note on the naming of chains PREROUTING and POSTROUTING: it would be more accurate to call them PREFORWARDING and POSTFORWARDING, but for all those who come from the iptables world to ebtables it is easier to have the same names. Note that you can change the name (-E) if you don't like the default.
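A small ruleset that exercises the chains, targets and tables described above, added here as an example (it is not part of the man page): it prints the ebtables commands it would run unless APPLY=1 is set, so the ruleset can be reviewed before it is applied as root. The bridge port name and MAC address are constructed placeholders, and the -s (source MAC) and -i (input interface) matches come from later sections of the manual.

```shell
#!/bin/sh
# Added example, not from the ebtables man page: a filter ruleset built from
# the concepts above (default policy, a user-defined chain used as a jump
# target, RETURN to the calling chain, CONTINUE for counting, and -t as the
# first argument when the nat table is selected).
# Commands are printed for review unless APPLY=1 is set, in which case they
# are executed (requires root and the nft-based ebtables).
set -eu

# Constructed placeholder values; adjust to the bridge port and host in use.
BRIDGE_PORT="eth1"
ALLOWED_MAC="00:11:22:33:44:55"

# Print the command line, or run it when APPLY=1.
ebt() {
    if [ "${APPLY:-0}" = "1" ]; then
        ebtables "$@"
    else
        printf 'ebtables %s\n' "$*"
    fi
}

apply_ruleset() {
    # filter is the default table; -t filter is spelled out here for clarity.
    ebt -t filter --init-table

    # User-defined chain with policy DROP: a frame from the allowed MAC
    # RETURNs to the calling chain, every other frame hits the policy.
    ebt -N known-hosts -P DROP
    ebt -A known-hosts -s "$ALLOWED_MAC" -j RETURN

    # FORWARD holds frames the bridge forwards; policy DROP is the safety net.
    ebt -P FORWARD DROP
    # CONTINUE matches every frame but leaves the decision to later rules,
    # so this rule's counters show how many frames reach FORWARD.
    ebt -A FORWARD -j CONTINUE
    # Frames arriving on BRIDGE_PORT are vetted by the user-defined chain;
    # those that RETURN resume at the next rule here and are accepted.
    ebt -A FORWARD -i "$BRIDGE_PORT" -j known-hosts
    ebt -A FORWARD -j ACCEPT

    # The nat table is not the default, so -t nat must come first.
    ebt -t nat -P PREROUTING ACCEPT
}

apply_ruleset
```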