ARPTABLES(8)                System Manager's Manual               ARPTABLES(8)

NAME
       arptables - ARP table administration

SYNOPSIS
       arptables [-t table] -[AD] chain rule-specification [options]
       arptables [-t table] -[RI] chain rulenum rule-specification [options]
       arptables [-t table] -D chain rulenum [options]
       arptables [-t table] -[LFZ] [chain] [options]
       arptables [-t table] -[NX] chain
       arptables [-t table] -E old-chain-name new-chain-name
       arptables [-t table] -P chain target [options]

DESCRIPTION
       arptables is a user space tool used to set up and maintain the tables
       of ARP rules in the Linux kernel. These rules inspect the ARP frames
       which they see. arptables is analogous to the iptables user space
       tool, but arptables is less complicated.

   CHAINS
       The kernel table is used to divide functionality into different sets
       of rules. Each set of rules is called a chain. Each chain is an ordered
       list of rules that can match ARP frames. If a rule matches an ARP
       frame, then a processing specification tells what to do with that
       matching frame. The processing specification is called a 'target'.
       However, if the frame does not match the current rule in the chain,
       then the next rule in the chain is examined and so forth. The user can
       create new (user-defined) chains which can be used as the 'target' of
       a rule.

   TARGETS
       A firewall rule specifies criteria for an ARP frame and a frame
       processing specification called a target. When a frame matches a rule,
       then the next action performed by the kernel is specified by the
       target. The target can be one of these values: ACCEPT, DROP, CONTINUE,
       RETURN, an 'extension' (see below) or a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy to know how many frames pass a certain point in the chain or to
       log those frames. RETURN means stop traversing this chain and resume
       at the next rule in the previous (calling) chain. For the extension
       targets please see the TARGET EXTENSIONS section of this man page.

   TABLES
       There is only one ARP table in the Linux kernel. The table is filter.
       You can drop the '-t filter' argument to the arptables command. The -t
       argument must be the first argument on the arptables command line, if
       used.

       -t, --table
              filter is the only table and contains two built-in chains:
              INPUT (for frames destined for the host) and OUTPUT (for
              locally-generated frames).

ARPTABLES COMMAND LINE ARGUMENTS
       After the initial arptables command line argument, the remaining
       arguments can be divided into several different groups. These groups
       are commands, miscellaneous commands, rule-specifications,
       match-extensions, and watcher-extensions.

   COMMANDS
       The arptables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. With
       the exception of the -Z command, only one command may be used on the
       command line at a time.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule from the selected chain. There are
              two ways to use this command. The first is by specifying an
              interval of rule numbers to delete, syntax: start_nr[:end_nr].
              Using negative numbers is allowed; for more details about using
              negative numbers, see the -I command. The second usage is by
              specifying the complete rule as it would have been specified
              when it was added.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the current number of rules equals N,
              then the specified number can be between -N and N+1. For a
              positive number i, it holds that i and i-N-1 specify the same
              place in the chain where the rule should be inserted. The
              number 0 specifies the place past the last rule in the chain
              and using this number is therefore equivalent to using the -A
              command.

       -R, --replace
              Replace the rule at the specified rule number in the selected
              chain with the specified rule. If the current number of rules
              equals N, then the specified number can be between 1 and N. i
              specifies the place in the chain where the rule should be
              replaced.

       -P, --policy
              Set the policy for the chain to the given target. The policy
              can be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing the chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule
              counters are printed on the screen before they are set to zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.

       -N, --new-chain
              Create a new user-defined chain with the given name. The number
              of user-defined chains is unlimited. A user-defined chain name
              has a maximum length of 31 characters.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references to the specified chain, otherwise
              arptables will refuse to delete it. If no chain is specified,
              all user-defined chains that aren't referenced will be removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you may rename a standard chain name to a
              name that suits your taste. For example, if you like PREBRIDGING
              more than PREROUTING, then you can use the -E command to rename
              the PREROUTING chain. If you do rename one of the standard
              arptables chain names, please be sure to mention this fact
              should you post a question on the arptables mailing lists. It
              would be wise to use the standard name in your post. Renaming a
              standard arptables chain in this fashion has no effect on the
              structure or function of the arptables kernel table.

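       As an added example (not code from this man page or the arptables
       project), a POSIX sh helper that resolves the rule-number conventions
       of -I and -D described above into absolute 1-based positions, so a
       script can check a position before changing a live chain. The function
       names resolve_pos and delete_range are the example's own.

```sh
#!/bin/sh
# Added example, not part of arptables: work out which absolute rule
# positions the -I and -D rule-number conventions refer to, so a script
# can validate a position before touching a live chain.
#
# With N rules in the chain:
#   -I accepts i in -N..N+1; a positive i is the 1-based slot, a
#      negative i stands for i+N+1 (so i and i-N-1 are the same slot),
#      and 0 is the slot after the last rule, i.e. the same as -A.
#   -D start_nr[:end_nr] uses the same negative convention for both ends.

# resolve_pos N i -> prints the absolute 1-based position; fails if i
# is outside -N..N+1
resolve_pos() {
    n=$1; i=$2
    if [ "$i" -eq 0 ]; then
        echo $((n + 1))
    elif [ "$i" -gt 0 ] && [ "$i" -le $((n + 1)) ]; then
        echo "$i"
    elif [ "$i" -lt 0 ] && [ "$i" -ge $((0 - n)) ]; then
        echo $((i + n + 1))
    else
        echo "rule number $i is out of range for a chain of $n rules" >&2
        return 1
    fi
}

# delete_range N "start[:end]" -> prints, one per line, the absolute
# rule numbers that 'arptables -D chain start[:end]' would remove
delete_range() {
    n=$1; spec=$2
    start=${spec%%:*}
    end=${spec#*:}      # equals $spec when no ':' is given
    s=$(resolve_pos "$n" "$start") || return 1
    e=$(resolve_pos "$n" "$end") || return 1
    # position N+1 is an insertion slot, not an existing rule
    if [ "$s" -gt "$n" ] || [ "$e" -gt "$n" ] || [ "$s" -gt "$e" ]; then
        echo "range $spec selects no rule in a chain of $n rules" >&2
        return 1
    fi
    seq "$s" "$e"
}
```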
   MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the arptables userspace program.

       -h, --help
              Give a brief description of the command syntax.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET
              EXTENSIONS) or a user-defined chain name.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and
              byte counters of a rule (during INSERT, APPEND, REPLACE
              operations).

   RULE-SPECIFICATIONS
       The following command line arguments make up a rule specification (as
       used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from
       these standard rule specifications there are some other command line
       arguments of interest.

       -s, --source-ip [!] address[/mask]
              The source IP specification.

       -d, --destination-ip [!] address[/mask]
              The destination IP specification.

       --source-mac [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons.

       --destination-mac [!] address[/mask]
              The destination MAC address. Both mask and address are written
              as 6 hexadecimal numbers separated by colons.

       -i, --in-interface [!] name
              The interface via which a frame is received (for the INPUT
              chain). The flag --in-if is an alias for this option.

       -o, --out-interface [!] name
              The interface via which a frame is going to be sent (for the
              OUTPUT chain). The flag --out-if is an alias for this option.

       -l, --h-length length[/mask]
              The hardware length (number of bytes).

       --opcode code[/mask]
              The operation code (2 bytes). Available values are: 1=Request
              2=Reply 3=Request_Reverse 4=Reply_Reverse 5=DRARP_Request
              6=DRARP_Reply 7=DRARP_Error 8=InARP_Request 9=ARP_NAK.

       --h-type type[/mask]
              The hardware type (2 bytes, hexadecimal). Available values are:
              1=Ethernet.

       --proto-type type[/mask]
              The protocol type (2 bytes). Available values are: 0x800=IPv4.

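       As an added example (not code from this man page or the arptables
       project), a small shell script that combines the rule specifications
       above to pin a gateway's IP address to its known MAC address on the
       INPUT chain, so that ARP replies claiming that IP from any other MAC
       are dropped and counted. The interface eth0, the address 192.0.2.1 and
       the MAC 00:11:22:33:44:55 are constructed placeholders, and the chain
       name GWCHECK is the example's own; the script only prints the commands
       unless ARPTABLES is set to the real binary.

```sh
#!/bin/sh
# Added example, not part of the arptables man page: pin a gateway's
# IP address to its known MAC address on the INPUT chain, so that ARP
# replies claiming that IP from any other MAC are dropped and counted.
# eth0, 192.0.2.1 and 00:11:22:33:44:55 are constructed placeholders.
# ARPTABLES defaults to a command that only prints the rules; set
# ARPTABLES=arptables to apply them (requires root).

ARPTABLES=${ARPTABLES:-"echo arptables"}

# gateway_pin IFACE GATEWAY_IP GATEWAY_MAC
# Builds a user-defined chain GWCHECK and sends every ARP reply
# (--opcode 2) received on IFACE with GATEWAY_IP as source IP into it.
gateway_pin() {
    iface=$1; ip=$2; mac=$3
    # create the chain (-N fails harmlessly if it already exists) and
    # empty it so the function can be re-run safely
    $ARPTABLES -N GWCHECK 2>/dev/null || true
    $ARPTABLES -F GWCHECK
    # replies for the gateway IP from its known MAC pass ...
    $ARPTABLES -A GWCHECK --source-mac "$mac" -j ACCEPT
    # ... everything else claiming that IP is dropped; this rule's
    # counter records how many such replies were seen
    $ARPTABLES -A GWCHECK -j DROP
    # remove a previous copy of the INPUT rule (-D with the complete
    # rule specification), then add it; other ARP traffic is untouched
    $ARPTABLES -D INPUT -i "$iface" --opcode 2 -s "$ip" -j GWCHECK \
        2>/dev/null || true
    $ARPTABLES -A INPUT -i "$iface" --opcode 2 -s "$ip" -j GWCHECK
}
```

       Run as "sh script.sh" after adding a call such as
       gateway_pin eth0 192.0.2.1 00:11:22:33:44:55 to preview the six
       arptables commands before applying them on a live host.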
   TARGET-EXTENSIONS
       arptables extensions are precompiled into the userspace tool, so there
       is no need to explicitly load them with a -m option like in iptables.
       However, these extensions deal with functionality supported by
       supplemental kernel modules.

   mangle
       --mangle-ip-s IP address
              Mangles Source IP Address to given value.

       --mangle-ip-d IP address
              Mangles Destination IP Address to given value.

       --mangle-mac-s MAC address
              Mangles Source MAC Address to given value.

       --mangle-mac-d MAC address
              Mangles Destination MAC Address to given value.

       --mangle-target target
              Target of ARP mangle operation (DROP, CONTINUE or ACCEPT;
              default is ACCEPT).

   CLASSIFY
       This module allows you to set the skb->priority value (and thus
       classify the packet into a specific CBQ class).

       --set-class major:minor
              Set the major and minor class value. The values are always
              interpreted as hexadecimal even if no 0x prefix is given.

NOTES
       In this nft-based version of arptables, support for the FORWARD chain
       has not been implemented. Since ARP packets are "forwarded" only by
       Linux bridges, the same may be achieved using the FORWARD chain in
       ebtables.

MAILINGLISTS
       See http://netfilter.org/mailinglists.html

SEE ALSO
       xtables-nft(8), iptables(8), ebtables(8), arp(8), rarp(8), ifconfig(8),
       route(8)

       See http://ebtables.sf.net

                                 November 2011                    ARPTABLES(8)