
1. Introduction

Hi guys (famous opening sentence).

This document tells interested readers how to implement extensions on top of the ebtables architecture.

For a better understanding of netfilter and a broader view, I recommend reading the HOWTOs on the netfilter homepage. The "netfilter hacking HOWTO" is certainly worth your time. Also highly recommended is the "ebtables/iptables interaction on a Linux-based bridge" document (call name br_fw_ia), which you can find on the ebtables homepage.

This document discusses ebtables version 2.0; later versions might have subtle changes.

(C) 2002 Bart De Schuymer. Licensed under the GNU GPL.

1.1 What is ebtables?

Ebtables is a filter/NAT facility for the Linux Ethernet bridge. Its implementation and usage are very similar to those of iptables. However, ebtables works mostly on the Link Layer, while iptables works mostly on the Network Layer.

1.2 Why do I need ebtables?

Ebtables enables you to get a transparent bridging firewall; it also provides the functionality of a brouter and lets you make things like transparent proxies. What's cooler than playing around with a firewall? Playing around with a transparent firewall (stealth firewall), of course! OK, a really cool stealth firewall would allow great stuff like IP NAT; that can be obtained with the bridge-nf stuff, which links iptables to the bridging world. For more information about bridge-nf, the br_fw_ia document is recommended.

Concentrating on ebtables, it enables us, for example, to filter out ugly stuff like NetBEUI traffic coming from another side of the bridge into our sweet IP-only side. Basically, it gives us complete access to the Ethernet header of all frames the bridge can get its hands on, along with some elementary access to the protocols on top of Ethernet (like IP and ARP).

1.3 Who are you?

I'm just someone who was foolish enough to start reading Rusty's code and, consequently, got hooked on kernel hacking. So all blame Rusty!

