In order to take advantage of ebtables the machine needs to be running as a bridge. (Accurate, nicht wahr?)
If you believe in really scary stuff, you can run the bridging code with netfilter, so you can manipulate IP packets transparently on your bridge. For more on this, see the documentation of bridging and firewalling. The firewall and bridge architecture is part of the development branch of the kernel 2.5 series.