ARPTABLES(8)                System Manager's Manual                ARPTABLES(8)

NAME
       arptables - ARP table administration (nft-based)

SYNOPSIS
       arptables [-t table] -[AD] chain rule-specification [options]
       arptables [-t table] -[RI] chain rulenum rule-specification [options]
       arptables [-t table] -D chain rulenum [options]
       arptables [-t table] -[LFZ] [chain] [options]
       arptables [-t table] -[NX] chain
       arptables [-t table] -E old-chain-name new-chain-name
       arptables [-t table] -P chain target [options]

DESCRIPTION
       arptables is a user space tool used to set up and maintain the tables
       of ARP rules in the Linux kernel.  These rules inspect the ARP frames
       which they see.  arptables is analogous to the iptables user space
       tool, but arptables is less complicated.

   CHAINS
       The kernel table is used to divide functionality into different sets
       of rules.  Each set of rules is called a chain.  Each chain is an
       ordered list of rules that can match ARP frames.  If a rule matches an
       ARP frame, then a processing specification tells what to do with that
       matching frame.  The processing specification is called a 'target'.
       However, if the frame does not match the current rule in the chain,
       then the next rule in the chain is examined and so forth.  The user
       can create new (user-defined) chains which can be used as the 'target'
       of a rule.

   TARGETS
       A firewall rule specifies criteria for an ARP frame and a frame
       processing specification called a target.  When a frame matches a
       rule, then the next action performed by the kernel is specified by
       the target.  The target can be one of these values: ACCEPT, DROP,
       CONTINUE, RETURN, an 'extension' (see below) or a user-defined chain.

       ACCEPT means to let the frame through.  DROP means the frame has to
       be dropped.  CONTINUE means the next rule has to be checked.  This
       can be handy to know how many frames pass a certain point in the
       chain or to log those frames.  RETURN means stop traversing this
       chain and resume at the next rule in the previous (calling) chain.
       For the extension targets please see the TARGET EXTENSIONS section
       of this man page.

   TABLES
       There is only one ARP table in the Linux kernel.  The table is
       filter.  You can drop the '-t filter' argument to the arptables
       command.  The -t argument must be the first argument on the
       arptables command line, if used.

       -t, --table
              filter, is the only table and contains two built-in chains:
              INPUT (for frames destined for the host) and OUTPUT (for
              locally-generated frames).

ARPTABLES COMMAND LINE ARGUMENTS
       After the initial arptables command line argument, the remaining
       arguments can be divided into several different groups.  These
       groups are commands, miscellaneous commands, rule-specifications,
       match-extensions, and watcher-extensions.

   COMMANDS
       The arptables command arguments specify the actions to perform on
       the table defined with the -t argument.  If you do not use the -t
       argument to name a table, the commands apply to the default filter
       table.  With the exception of the -Z command, only one command may
       be used on the command line at a time.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule from the selected chain.  There are
              two ways to use this command.  The first is by specifying an
              interval of rule numbers to delete, syntax: start_nr[:end_nr].
              Using negative numbers is allowed; for more details about
              using negative numbers, see the -I command.  The second usage
              is by specifying the complete rule as it would have been
              specified when it was added.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number.  If the current number of rules equals
              N, then the specified number can be between -N and N+1.  For
              a positive number i, it holds that i and i-N-1 specify the
              same place in the chain where the rule should be inserted.
              The number 0 specifies the place past the last rule in the
              chain and using this number is therefore equivalent to using
              the -A command.

       -R, --replace
              Replace the rule at the specified rule number in the selected
              chain with the specified rule.  If the current number of
              rules equals N, then the specified number can be between 1
              and N.  i specifies the place in the chain where the rule
              should be replaced.

       -P, --policy
              Set the policy for the chain to the given target.  The policy
              can be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain.  If no chain is selected, then
              every chain will be flushed.  Flushing the chain does not
              change the policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero.  If no chain
              is selected, all the counters are set to zero.  The -Z
              command can be used in conjunction with the -L command.  When
              both the -Z and -L commands are used together in this way,
              the rule counters are printed on the screen before they are
              set to zero.

       -L, --list
              List all rules in the selected chain.  If no chain is
              selected, all chains are listed.

       -N, --new-chain
              Create a new user-defined chain with the given name.  The
              number of user-defined chains is unlimited.  A user-defined
              chain name has a maximum length of 31 characters.

       -X, --delete-chain
              Delete the specified user-defined chain.  There must be no
              remaining references to the specified chain, otherwise
              arptables will refuse to delete it.  If no chain is
              specified, all user-defined chains that aren't referenced
              will be removed.

       -E, --rename-chain
              Rename the specified chain to a new name.  Besides renaming a
              user-defined chain, you may rename a standard chain name to a
              name that suits your taste.  For example, if you like
              PREBRIDGING more than PREROUTING, then you can use the -E
              command to rename the PREROUTING chain.  If you do rename one
              of the standard arptables chain names, please be sure to
              mention this fact should you post a question on the arptables
              mailing lists.  It would be wise to use the standard name in
              your post.  Renaming a standard arptables chain in this
              fashion has no effect on the structure or function of the
              arptables kernel table.

   MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the arptables userspace program.

       -h, --help
              Give a brief description of the command syntax.

       -j, --jump target
              The target of the rule.  This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see
              TARGET EXTENSIONS) or a user-defined chain name.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and
              byte counters of a rule (during INSERT, APPEND, REPLACE
              operations).

   RULE-SPECIFICATIONS
       The following command line arguments make up a rule specification
       (as used in the add and delete commands).  A "!" option before the
       specification inverts the test for that specification.  Apart from
       these standard rule specifications there are some other command
       line arguments of interest.

       -s, --source-ip [!] address[/mask]
              The source IP specification.

       -d, --destination-ip [!] address[/mask]
              The destination IP specification.

       --source-mac [!] address[/mask]
              The source MAC address.  Both mask and address are written
              as 6 hexadecimal numbers separated by colons.

       --destination-mac [!] address[/mask]
              The destination MAC address.  Both mask and address are
              written as 6 hexadecimal numbers separated by colons.

       -i, --in-interface [!] name
              The interface via which a frame is received (for the INPUT
              chain).  The flag --in-if is an alias for this option.

       -o, --out-interface [!] name
              The interface via which a frame is going to be sent (for the
              OUTPUT chain).  The flag --out-if is an alias for this
              option.

       -l, --h-length length[/mask]
              The hardware address length (number of bytes).

       --opcode code[/mask]
              The operation code (2 bytes).  Available values are:
              1=Request 2=Reply 3=Request_Reverse 4=Reply_Reverse
              5=DRARP_Request 6=DRARP_Reply 7=DRARP_Error 8=InARP_Request
              9=ARP_NAK.

       --h-type type[/mask]
              The hardware type (2 bytes, hexadecimal).  Available values
              are: 1=Ethernet.

       --proto-type type[/mask]
              The protocol type (2 bytes).  Available values are:
              0x800=IPv4.
206
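       As an added example (not part of this man page), the following POSIX
       shell script builds a small ARP-spoofing guard for the INPUT chain
       from the commands and rule specifications documented above.  The
       gateway IP 192.0.2.1, the gateway MAC 02:00:00:00:00:01 and the
       interface eth0 are constructed placeholders; set ARPTABLES=echo to
       preview the generated commands before applying them as root.

```shell
#!/bin/sh
# Added example, not from the arptables man page: an ARP-spoofing guard for
# the INPUT chain built only from options documented above.
# Constructed placeholders: gateway IP 192.0.2.1, gateway MAC
# 02:00:00:00:00:01, interface eth0.  Set ARPTABLES=echo to preview.
ARPTABLES="${ARPTABLES:-arptables}"

# True when $1 is written the way arptables expects a MAC: 6 colon-separated
# hexadecimal numbers (see --source-mac / --destination-mac above).
is_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# Print the ruleset, one arptables command per line, without running it.
# Rules are appended in order (-A), so the order below is the match order.
arp_guard_rules() {
    gw_ip=$1; gw_mac=$2; iface=$3
    is_mac "$gw_mac" || { echo "bad MAC: $gw_mac" >&2; return 2; }
    # Start from an empty INPUT chain; -F leaves the chain policy unchanged.
    echo "$ARPTABLES -F INPUT"
    # An ARP Reply (opcode 2) claiming the gateway's IP (-s is the sender
    # IP) but not sent from the gateway's MAC is spoofed: drop it.
    echo "$ARPTABLES -A INPUT -i $iface --opcode 2 -s $gw_ip ! --source-mac $gw_mac -j DROP"
    # Same check for ARP Requests (opcode 1), which also carry a sender
    # IP/MAC pair that neighbours may learn from.
    echo "$ARPTABLES -A INPUT -i $iface --opcode 1 -s $gw_ip ! --source-mac $gw_mac -j DROP"
    # Everything else on this LAN is expected to be Ethernet (h-type 1)
    # carrying IPv4 (proto-type 0x800); accept it explicitly so it is counted.
    echo "$ARPTABLES -A INPUT -i $iface --h-type 1 --proto-type 0x800 -j ACCEPT"
    # Frames matched by none of the rules above fall through to the policy.
    echo "$ARPTABLES -P INPUT DROP"
}

# Apply the ruleset line by line, stopping at the first failing command.
# Needs root and the nft-based arptables on PATH (or ARPTABLES set).
arp_guard_apply() {
    command -v "$ARPTABLES" >/dev/null 2>&1 ||
        { echo "$ARPTABLES not found" >&2; return 1; }
    arp_guard_rules "$@" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}
```

       Because -P INPUT DROP is issued last, the chain keeps its previous
       policy until the accept rule is in place; run arptables -L INPUT
       afterwards to confirm the rule order and counters.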
207
   TARGET-EXTENSIONS
       arptables extensions are precompiled into the userspace tool, so
       there is no need to explicitly load them with a -m option as in
       iptables.  However, these extensions deal with functionality
       supported by supplemental kernel modules.

       mangle
              --mangle-ip-s IP address
                     Mangles the source IP address to the given value.

              --mangle-ip-d IP address
                     Mangles the destination IP address to the given value.

              --mangle-mac-s MAC address
                     Mangles the source MAC address to the given value.

              --mangle-mac-d MAC address
                     Mangles the destination MAC address to the given value.

              --mangle-target target
                     Target of the ARP mangle operation (DROP, CONTINUE or
                     ACCEPT; the default is ACCEPT).

       CLASSIFY
              This module allows you to set the skb->priority value (and
              thus classify the packet into a specific CBQ class).

              --set-class major:minor
                     Set the major and minor class value.  The values are
                     always interpreted as hexadecimal even if no 0x prefix
                     is given.

       MARK
              This module allows you to set the skb->mark value (and thus
              classify the packet by the mark in u32).

              --set-mark mark
                     Set the mark value.  The values are always interpreted
                     as hexadecimal even if no 0x prefix is given.

              --and-mark mark
                     Binary AND the mark with bits.

              --or-mark mark
                     Binary OR the mark with bits.

BUGS
       In this nft-based version of arptables, support for the FORWARD
       chain has not been implemented.  Since ARP packets are "forwarded"
       only by Linux bridges, the same may be achieved using the FORWARD
       chain in ebtables.

MAILINGLISTS
       See http://netfilter.org/mailinglists.html

SEE ALSO
       xtables-nft(8), iptables(8), ebtables(8), ip(8)

       See https://wiki.nftables.org



                                  March 2019                      ARPTABLES(8)