ebtables
Manage Ethernet frame filtering and NAT
SYNOPSIS
ebtables [-t table] {-A|-D|-I} chain rule-spec | {-L|-Z|-F|-X} [chain] | -N chain | -P chain target [options]
PARAMETERS
-t, --table table
Specify table: filter (default), nat, or broute
-A, --append chain rule-spec
Append rule to specified chain
-D, --delete chain rule-spec-or-num
Delete rule from chain by spec or number
-I, --insert chain [rulenum] rule-spec
Insert rule at position (default 1)
-L, --list [chain]
List rules in the specified chain, or in all chains (verbose with -v)
--Lc, --list-coded
List rules in kernel understanding format
--Lf, --list-formatted
Prefixed human-readable list
--Lx, --list-xml
XML output of rules
--Lk, --list-kmod
List kernel modules in use
-N, --new-chain chainname
Create new user-defined chain
-P, --policy chain target
Set policy for chain (ACCEPT|DROP)
-Z, --zero [chain]
Zero counters in chain or all
-X, --delete-chain [chain]
Delete chain(s); flushes first
-F, --flush [chain]
Flush rules from chain or all
--atomic-save file
Save rules atomically to file
--atomic-commit
Commit atomic ruleset
--atomic-init
Prepare for atomic update
--atomic-replace
Replace atomically with loaded file
--atomic-file file
Use file for atomic ops
--init-counters
Initialize counters to zero
-j, --jump target
Target for rule (used in rule-spec)
--set-counters pkts bytes
Set rule counters
-M, --modprobe program
Modprobe program
--version
Print version info
--help
Display help
DESCRIPTION
ebtables is a powerful userspace command-line tool for configuring Layer 2 packet filtering tables in Linux Ethernet bridges. It extends the Netfilter framework to the data link layer, enabling inspection, modification, and filtering of Ethernet frames before they are forwarded by bridge devices.
Unlike iptables, which operates on IP packets, ebtables processes raw Ethernet frames, matching on MAC addresses, VLAN tags, EtherType, ARP fields, and more. It supports three predefined tables: filter for general filtering (default), nat for address translation (e.g., MAC rewriting), and broute for deciding bridge/routing paths.
Common chains include INPUT, OUTPUT, FORWARD, and user-defined ones. Targets such as ACCEPT, DROP, CONTINUE, RETURN, or extensions (DNAT, SNAT, LOG) control frame flow. Rules are appended, inserted, or deleted in chains, and each rule carries packet and byte counters for statistics.
Ideal for network segmentation in bridged environments, such as VM hosts or WiFi access points. Requires the kernel bridge_netfilter module. While still functional, it is largely superseded by nftables for modern unified filtering.
CAVEATS
Requires the CONFIG_BRIDGE_NETFILTER kernel option; deprecated in favour of nftables; rule-spec extensions (e.g., -p protocol, --mac-source) are match extensions, not core options; the bridge must be up for rules to see traffic.
COMMON TABLES
filter: Standard frame filtering (INPUT/FORWARD/OUTPUT).
nat: PREROUTING/POSTROUTING for MAC NAT.
broute: BROUTING for bridge/route decisions.
RULE MATCHERS
Examples: -p IPv4|ARP|802_1Q, --mac-source addr[/mask], --ip-protocol tcp|udp; see the ebtables man page for the full set of match extensions.
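EXAMPLE
As an added example (not from the ebtables man page or the ebtables project), the following POSIX shell script generates filter-table rules that pin one bridge port to one guest MAC and IPv4 address, the kind of segmentation the DESCRIPTION mentions for bridged VMs, using the matchers listed above. The port name vnet0, MAC 52:54:00:aa:bb:cc and address 192.0.2.10 are constructed placeholders; nothing is applied unless the output is piped to a root shell.

```shell
#!/bin/sh
# Added example: build a per-port anti-spoofing ruleset for a Linux bridge in
# the ebtables filter table. Constructed values: bridge port vnet0 (the guest's
# tap device), guest MAC 52:54:00:aa:bb:cc, guest IPv4 192.0.2.10.
EBTABLES="${EBTABLES:-ebtables}"

# valid_mac MAC -> exit 0 for the aa:bb:cc:dd:ee:ff form, 1 otherwise
valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# chain_name PORT -> user-defined chain name, e.g. vnet0 -> GUEST_VNET0
chain_name() {
  printf 'GUEST_%s\n' "$1" | tr 'a-z-' 'A-Z_'
}

# guest_rules PORT MAC IP -> prints one ebtables command per line
guest_rules() {
  port=$1 mac=$2 ip=$3
  valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
  chain=$(chain_name "$port")
  e="$EBTABLES -t filter"
  echo "$e -N $chain"
  # Hand frames arriving on the guest's port to its chain, whether they are
  # bridged to another port (FORWARD) or delivered to the host (INPUT).
  echo "$e -A FORWARD -i $port -j $chain"
  echo "$e -A INPUT -i $port -j $chain"
  # Layer 2: only the assigned source MAC may appear on this port.
  echo "$e -A $chain -s ! $mac -j DROP"
  # ARP: sender MAC and sender IP must both be the guest's own.
  echo "$e -A $chain -p ARP --arp-mac-src ! $mac -j DROP"
  echo "$e -A $chain -p ARP --arp-ip-src ! $ip -j DROP"
  # IPv4: no source-address spoofing from this port.
  echo "$e -A $chain -p IPv4 --ip-source ! $ip -j DROP"
  # Everything else continues with the remaining rules of the calling chain.
  echo "$e -A $chain -j RETURN"
}

# Print the ruleset when run as a script with three arguments; apply with:
#   sh guest_rules.sh vnet0 52:54:00:aa:bb:cc 192.0.2.10 | sudo sh
[ $# -eq 3 ] && guest_rules "$@"
```

Run the same command with -Lc after applying to confirm the DROP rules accumulate counters only when a guest misbehaves.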
HISTORY
Developed 2000-2002 as Netfilter ebtables extension by Bart De Schuymer; integrated into Linux kernel ~2.4; maintained until ~2011; usage declined post-nftables (2014+) but remains in most distros.