# info > ARPTABLES

---
type: CommandReference
command: arptables
mode: man
section: 8
source: man-pages
---

## Quick Reference
- `arptables -L` — List all ARP rules in the filter table.
- `arptables -A INPUT -s 192.168.1.1 -j DROP` — Drop ARP frames from source IP.
- `arptables -D INPUT 1` — Delete rule number 1 from the INPUT chain.
- `arptables -P INPUT DROP` — Set the default policy for INPUT to `DROP`.
- `arptables -F` — Flush all rules in all chains.
- `arptables -N mychain` — Create a new user-defined chain.
- `arptables -A OUTPUT --mangle-ip-s 10.0.0.1 -j mangle` — Mangle source IP in outgoing ARP frames.

## Name
arptables — ARP table administration (nft-based)

## Synopsis
arptables [-t filter] -A|-D chain rule-specification [options]
arptables [-t filter] -I|-R chain rulenum rule-specification [options]
arptables [-t filter] -D chain rulenum [options]
arptables [-t filter] -L|-F|-Z [chain] [options]
arptables [-t filter] -N|-X chain
arptables [-t filter] -E old-chain-name new-chain-name
arptables [-t filter] -P chain target [options]
## Options

### Table
- `-t, --table` — Table to operate on. Only `filter` exists (default).

### Commands
- `-A, --append` — Append rule to the end of the chain.
- `-D, --delete` — Delete rule(s). Can specify a range `start_nr[:end_nr]` (negative numbers allowed) or the full rule specification.
- `-I, --insert` — Insert rule at `rulenum` (range `-N` to `N+1`; `0` inserts after the last rule, same as `-A`).
- `-R, --replace` — Replace rule at `rulenum`.
- `-P, --policy` — Set chain policy to `ACCEPT`, `DROP` or `RETURN`.
- `-F, --flush` — Flush the chain; if no chain is given, flush all chains.
- `-Z, --zero` — Zero packet/byte counters of the chain (or all chains). Combined with `-L`, counters are printed before being zeroed.
- `-L, --list` — List rules in the chain; if no chain, list all chains.
- `-N, --new-chain` — Create a user-defined chain (max 31 characters).
- `-X, --delete-chain` — Delete the user-defined chain (must have no remaining references). Without a chain name, all unused user-defined chains are deleted.
- `-E, --rename-chain` — Rename a chain. Standard chain names (e.g., `PREROUTING`) may also be renamed.

### Miscellaneous
- `-V, --version` — Show version of the userspace program.
- `-h, --help` — Print a brief syntax description.
- `-j, --jump target` — Target of the rule: `ACCEPT`, `DROP`, `CONTINUE`, `RETURN`, a target extension, or a user-defined chain.
- `-c, --set-counters PKTS BYTES` — Initialize packet and byte counters when inserting, appending, or replacing a rule.

### Rule Specifications
- `-s, --source-ip [!] address[/mask]` — Source IP address.
- `-d, --destination-ip [!] address[/mask]` — Destination IP address.
- `--source-mac [!] address[/mask]` — Source MAC address (6 colon-separated hex bytes).
- `--destination-mac [!] address[/mask]` — Destination MAC address.
- `-i, --in-interface [!] name` — Input interface (`--in-if` alias).
- `-o, --out-interface [!] name` — Output interface (`--out-if` alias).
- `-l, --h-length length[/mask]` — Hardware length in bytes.
- `--opcode code[/mask]` — ARP operation code (2 bytes). Values: 1=Request, 2=Reply, 3=Request_Reverse, 4=Reply_Reverse, 5=DRARP_Request, 6=DRARP_Reply, 7=DRARP_Error, 8=InARP_Request, 9=ARP_NAK.
- `--h-type type[/mask]` — Hardware type (hex). Known: 1=Ethernet.
- `--proto-type type[/mask]` — Protocol type. Known: 0x800=IPv4.

### Target Extensions

#### `mangle`
- `--mangle-ip-s IP` — Set source IP.
- `--mangle-ip-d IP` — Set destination IP.
- `--mangle-mac-s MAC` — Set source MAC.
- `--mangle-mac-d MAC` — Set destination MAC.
- `--mangle-target target` — Action after mangling: `DROP`, `CONTINUE`, or `ACCEPT` (default `ACCEPT`).

#### `CLASSIFY`
- `--set-class major:minor` — Set `skb->priority` for CBQ class (hex values, `0x` prefix optional).

#### `MARK`
- `--set-mark mark` — Set `skb->mark` (hex).
- `--and-mark mark` — Bitwise AND with `skb->mark` (hex).
- `--or-mark mark` — Bitwise OR with `skb->mark` (hex).

## See Also
- [xtables-nft(8)](https://www.chedong.com/phpMan.php/man/xtables-nft/8/markdown) — generic nftables compatibility layer
- [iptables(8)](https://www.chedong.com/phpMan.php/man/iptables/8/markdown) — IPv4 packet filter administration
- [ebtables(8)](https://www.chedong.com/phpMan.php/man/ebtables/8/markdown) — Ethernet bridge frame table administration
- [ip(8)](https://www.chedong.com/phpMan.php/man/ip/8/markdown) — show / manipulate routing, devices, policy routing and tunnels
- <https://wiki.nftables.org>