NAME<\/a> arptables \u2212 ARP table administration (nft-based)<\/p>\n arptables<\/b> [-t table<\/b>] –<\/b>[AD<\/b>] chain rule-specification<\/b> [options<\/b>] arptables<\/b> is a user space tool, it is used to set up and maintain the tables of ARP rules in the Linux kernel. These rules inspect the ARP frames which they see. arptables<\/b> is analogous to the iptables<\/b> user space tool, but arptables<\/b> is less complicated.<\/p>\n CHAINS<\/b> TARGETS<\/b> ACCEPT<\/i> means to let the frame through. DROP<\/i> means the frame has to be dropped. CONTINUE<\/i> means the next rule has to be checked. This can be handy to know how many frames pass a certain point in the chain or to log those frames. RETURN<\/i> means stop traversing this chain and resume at the next rule in the previous (calling) chain. For the extension targets please see the TARGET EXTENSIONS<\/b> section of this man page.<\/p>\n TABLES<\/b> filter<\/b>, is the only table and contains two built-in chains: INPUT<\/b> (for frames destined for the host) and OUTPUT<\/b> (for locally-generated frames).<\/p>\n After the initial arptables command line argument, the remaining arguments can be divided into several different groups. These groups are commands, miscellaneous commands, rule-specifications, match-extensions, and watcher-extensions.<\/p>\n COMMANDS<\/b> Append a rule to the end of the selected chain.<\/p>\n -D, –delete<\/b><\/p>\n Delete the specified rule from the selected chain. There are two ways to use this command. The first is by specifying an interval of rule numbers to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more details about using negative numbers, see the -I command. The second usage is by specifying the complete rule as it would have been specified when it was added.<\/p>\n -I, –insert<\/b><\/p>\n Insert the specified rule into the selected chain at the specified rule number. If the current number of rules equals N, then the specified number can be between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the same place in the chain where the rule should be inserted. The number 0 specifies the place past the last rule in the chain and using this number is therefore equivalent with using the -A command.<\/p>\n -R, –replace<\/b><\/p>\n Replaces the specified rule into the selected chain at the specified rule number. If the current number of rules equals N, then the specified number can be between 1 and N. i specifies the place in the chain where the rule should be replaced.<\/p>\n -P, –policy<\/b><\/p>\n Set the policy for the chain to the given target. The policy can be ACCEPT<\/b>, DROP<\/b> or RETURN<\/b>.<\/p>\n -F, –flush<\/b><\/p>\n Flush the selected chain. If no chain is selected, then every chain will be flushed. Flushing the chain does not change the policy of the chain, however.<\/p>\n -Z, –zero<\/b><\/p>\n Set the counters of the selected chain to zero. If no chain is selected, all the counters are set to zero. The -Z<\/b> command can be used in conjunction with the -L<\/b> command. When both the -Z<\/b> and -L<\/b> commands are used together in this way, the rule counters are printed on the screen before they are set to zero.<\/p>\n -L, –list<\/b><\/p>\n List all rules in the selected chain. If no chain is selected, all chains are listed.<\/p>\n -N, –new-chain<\/b><\/p>\n Create a new user-defined chain with the given name. The number of user-defined chains is unlimited. A user-defined chain name has maximum length of 31 characters.<\/p>\n -X, –delete-chain<\/b><\/p>\n Delete the specified user-defined chain. There must be no remaining references to the specified chain, otherwise arptables<\/b> will refuse to delete it. If no chain is specified, all user-defined chains that aren\u2019t referenced will be removed.<\/p>\n -E, –rename-chain<\/b><\/p>\n Rename the specified chain to a new name. Besides renaming a user-defined chain, you may rename a standard chain name to a name that suits your taste. For example, if you like PREBRIDGING more than PREROUTING, then you can use the -E command to rename the PREROUTING chain. If you do rename one of the standard arptables<\/b> chain names, please be sure to mention this fact should you post a question on the arptables<\/b> mailing lists. It would be wise to use the standard name in your post. Renaming a standard arptables<\/b> chain in this fashion has no effect on the structure or function of the arptables<\/b> kernel table.<\/p>\n MISCELLANOUS COMMANDS Show the version of the arptables userspace program.<\/p>\n -h, –help<\/b><\/p>\n Give a brief description of the command syntax.<\/p>\n -j, –jump<\/b> target<\/i><\/p>\n The target of the rule. This is one of the following values: ACCEPT<\/b>, DROP<\/b>, CONTINUE<\/b>, RETURN<\/b>, a target extension (see TARGET EXTENSIONS<\/b>) or a user-defined chain name.<\/p>\n -c, –set-counters<\/b> PKTS BYTES<\/i><\/p>\n This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE<\/b> operations).<\/p>\n RULE-SPECIFICATIONS<\/b> The Source IP specification.<\/p>\n -d, –destination-ip<\/b> [!] address<\/i>[\/mask]<\/i><\/p>\n The Destination IP specification.<\/p>\n –source-mac<\/b> [!] address<\/i>[\/mask<\/i>]<\/p>\n The source mac address. Both mask and address are written as 6 hexadecimal numbers separated by colons.<\/p>\n –destination-mac<\/b> [!] address<\/i>[\/mask<\/i>]<\/p>\n The destination mac address. Both mask and address are written as 6 hexadecimal numbers separated by colons.<\/p>\n -i, –in-interface<\/b> [!] name<\/i><\/p>\n The interface via which a frame is received (for the INPUT<\/b> chain). The flag –in-if<\/b> is an alias for this option.<\/p>\n -o, –out-interface<\/b> [!] name<\/i><\/p>\n The interface via which a frame is going to be sent (for the OUTPUT<\/b> chain). The flag –out-if<\/b> is an alias for this option.<\/p>\n -l, –h-length<\/b> length<\/i>[\/mask<\/i>]<\/p>\n The hardware length (nr of bytes)<\/p>\n –opcode<\/b> code<\/i>[\/mask<\/i>]<\/p>\n The operation code (2 bytes). Available values are: 1<\/b>=Request 2<\/b>=Reply 3<\/b>=Request_Reverse 4<\/b>=Reply_Reverse 5<\/b>=DRARP_Request 6<\/b>=DRARP_Reply 7<\/b>=DRARP_Error 8<\/b>=InARP_Request 9<\/b>=ARP_NAK<\/b>.<\/p>\n –h-type<\/b> type<\/i>[\/mask<\/i>]<\/p>\n The hardware type (2 bytes, hexadecimal). Available values are: 1<\/b>=Ethernet<\/b>.<\/p>\n –proto-type<\/b> type<\/i>[\/mask<\/i>]<\/p>\n The protocol type (2 bytes). Available values are: 0x800<\/b>=IPv4<\/b>.<\/p>\n TARGET-EXTENSIONS mangle Mangles Source IP Address to given value.<\/p>\n –mangle-ip-d IP address<\/b><\/p>\n Mangles Destination IP Address to given value.<\/p>\n –mangle-mac-s MAC address<\/b><\/p>\n Mangles Source MAC Address to given value.<\/p>\n –mangle-mac-d MAC address<\/b><\/p>\n Mangles Destination MAC Address to given value.<\/p>\n –mangle-target target<\/b><\/p>\n Target of ARP mangle operation (DROP<\/b>, CONTINUE<\/b> or ACCEPT<\/b> — default is ACCEPT<\/b>).<\/p>\n CLASSIFY<\/b> Set the major and minor class value. The values are always interpreted as hexadecimal even if no 0x prefix is given.<\/p>\n MARK<\/b> Set the mark value. The values are always interpreted as hexadecimal even if no 0x prefix is given<\/p>\n –and-mark mark<\/b><\/p>\n Binary AND the mark with bits.<\/p>\n –or-mark mark<\/b><\/p>\n Binary OR the mark with bits.<\/p>\n In this nft-based version of arptables<\/b>, support for FORWARD<\/b> chain has not been implemented. Since ARP packets are “forwarded” only by Linux bridges, the same may be achieved using FORWARD<\/b> chain in ebtables<\/b>.<\/p>\n
SYNOPSIS<\/a>
DESCRIPTION<\/a>
ARPTABLES COMMAND LINE ARGUMENTS<\/a>
NOTES<\/a>
MAILINGLISTS<\/a>
SEE ALSO<\/a> <\/p>\n
\nNAME <\/a> <\/h2>\n
SYNOPSIS <\/a> <\/h2>\n
arptables<\/b> [-t table<\/b>] –<\/b>[RI<\/b>] chain rulenum rule-specification<\/b> [options<\/b>]
arptables<\/b> [-t table<\/b>] -D chain rulenum<\/b> [options<\/b>]
arptables<\/b> [-t table<\/b>] –<\/b>[LFZ<\/b>] [chain<\/b>] [options<\/b>]
arptables<\/b> [-t table<\/b>] –<\/b>[NX<\/b>] chain
arptables<\/b> [-t table<\/b>] -E old-chain-name new-chain-name
arptables<\/b> [-t table<\/b>] -P chain target<\/b> [options<\/b>]<\/p>\nDESCRIPTION <\/a> <\/h2>\n
The kernel table is used to divide functionality into different sets of rules. Each set of rules is called a chain. Each chain is an ordered list of rules that can match ARP frames. If a rule matches an ARP frame, then a processing specification tells what to do with that matching frame. The processing specification is called a \u2019target\u2019. However, if the frame does not match the current rule in the chain, then the next rule in the chain is examined and so forth. The user can create new (user-defined) chains which can be used as the \u2019target\u2019 of a rule.<\/p>\n
A firewall rule specifies criteria for an ARP frame and a frame processing specification called a target. When a frame matches a rule, then the next action performed by the kernel is specified by the target. The target can be one of these values: ACCEPT<\/i>, DROP<\/i>, CONTINUE<\/i>, RETURN<\/i>, an \u2019extension\u2019 (see below) or a user-defined chain.<\/p>\n
There is only one ARP table in the Linux kernel. The table is filter.<\/b> You can drop the \u2019-t filter\u2019 argument to the arptables command. The -t argument must be the first argument on the arptables command line, if used.
-t, –table<\/b><\/p>\nARPTABLES COMMAND LINE ARGUMENTS <\/a> <\/h2>\n
The arptables command arguments specify the actions to perform on the table defined with the -t argument. If you do not use the -t argument to name a table, the commands apply to the default filter table. With the exception of the -Z<\/b> command, only one command may be used on the command line at a time.
-A, –append<\/b><\/p>\n
-V, –version<\/b><\/p>\n
The following command line arguments make up a rule specification (as used in the add and delete commands). A “!” option before the specification inverts the test for that specification. Apart from these standard rule specifications there are some other command line arguments of interest.
-s, –source-ip<\/b> [!] address<\/i>[\/mask]<\/i><\/p>\n
arptables<\/b> extensions are precompiled into the userspace tool. So there is no need to explicitly load them with a -m option like in iptables<\/b>. However, these extensions deal with functionality supported by supplemental kernel modules.<\/p>\n
–mangle-ip-s IP address<\/b><\/p>\n
This module allows you to set the skb->priority value (and thus clas- sify the packet into a specific CBQ class).
–set-class major:minor<\/b><\/p>\n
This module allows you to set the skb->mark value (and thus classify the packet by the mark in u32)
–set-mark mark<\/b><\/p>\nNOTES <\/a> <\/h2>\n
MAILINGLISTS <\/a> <\/h2>\n