{
    "content": [
        {
            "type": "text",
            "text": "# ARPTABLES (info)\n\n## NAME\n\narptables - ARP table administration (nft-based)\n\n## SYNOPSIS\n\narptables [-t table] -[AD] chain rule-specification [options]\narptables [-t table] -[RI] chain rulenum rule-specification [options]\narptables [-t table] -D chain rulenum [options]\narptables [-t table] -[LFZ] [chain] [options]\narptables [-t table] -[NX] chain\narptables [-t table] -E old-chain-name new-chain-name\narptables [-t table] -P chain target [options]\n\n## DESCRIPTION\n\narptables  is  a user space tool, it is used to set up and maintain the\ntables of ARP rules in the Linux kernel. These rules  inspect  the  ARP\nframes  which  they  see.   arptables is analogous to the iptables user\nspace tool, but arptables is less complicated.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION** (1 subsections)\n- **ARPTABLES COMMAND LINE ARGUMENTS** (13 subsections)\n- **NOTES**\n- **MAILINGLISTS**\n- **SEE ALSO**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "ARPTABLES",
        "section": "",
        "mode": "info",
        "summary": "arptables - ARP table administration (nft-based)",
        "synopsis": "arptables [-t table] -[AD] chain rule-specification [options]\narptables [-t table] -[RI] chain rulenum rule-specification [options]\narptables [-t table] -D chain rulenum [options]\narptables [-t table] -[LFZ] [chain] [options]\narptables [-t table] -[NX] chain\narptables [-t table] -E old-chain-name new-chain-name\narptables [-t table] -P chain target [options]",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [
            {
                "flag": "-t",
                "long": "--table",
                "arg": null,
                "description": "filter, is the only table and contains two built-in chains: IN- PUT (for frames destined for the host) and OUTPUT (for locally- generated frames)."
            }
        ],
        "examples": [],
        "see_also": [
            {
                "name": "xtables-nft",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/xtables-nft/8/json"
            },
            {
                "name": "iptables",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json"
            },
            {
                "name": "ebtables",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/ebtables/8/json"
            },
            {
                "name": "ip",
                "section": "8",
                "url": "https://www.chedong.com/phpMan.php/man/ip/8/json"
            }
        ],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 8,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 36,
                "subsections": [
                    {
                        "name": "-t, --table",
                        "lines": 4,
                        "flag": "-t",
                        "long": "--table"
                    }
                ]
            },
            {
                "name": "ARPTABLES COMMAND LINE ARGUMENTS",
                "lines": 12,
                "subsections": [
                    {
                        "name": "-A, --append",
                        "lines": 2,
                        "flag": "-A",
                        "long": "--append"
                    },
                    {
                        "name": "-D, --delete",
                        "lines": 8,
                        "flag": "-D",
                        "long": "--delete"
                    },
                    {
                        "name": "-I, --insert",
                        "lines": 8,
                        "flag": "-I",
                        "long": "--insert"
                    },
                    {
                        "name": "-R, --replace",
                        "lines": 5,
                        "flag": "-R",
                        "long": "--replace"
                    },
                    {
                        "name": "-P, --policy",
                        "lines": 3,
                        "flag": "-P",
                        "long": "--policy"
                    },
                    {
                        "name": "-F, --flush",
                        "lines": 4,
                        "flag": "-F",
                        "long": "--flush"
                    },
                    {
                        "name": "-Z, --zero",
                        "lines": 6,
                        "flag": "-Z",
                        "long": "--zero"
                    },
                    {
                        "name": "-L, --list",
                        "lines": 3,
                        "flag": "-L",
                        "long": "--list"
                    },
                    {
                        "name": "-N, --new-chain",
                        "lines": 4,
                        "flag": "-N",
                        "long": "--new-chain"
                    },
                    {
                        "name": "-X, --delete-chain",
                        "lines": 5,
                        "flag": "-X",
                        "long": "--delete-chain"
                    },
                    {
                        "name": "-E, --rename-chain",
                        "lines": 12,
                        "flag": "-E",
                        "long": "--rename-chain"
                    },
                    {
                        "name": "-V, --version",
                        "lines": 2,
                        "flag": "-V",
                        "long": "--version"
                    },
                    {
                        "name": "-h, --help",
                        "lines": 101,
                        "flag": "-h",
                        "long": "--help"
                    }
                ]
            },
            {
                "name": "NOTES",
                "lines": 4,
                "subsections": []
            },
            {
                "name": "MAILINGLISTS",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 5,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "arptables - ARP table administration (nft-based)\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "arptables [-t table] -[AD] chain rule-specification [options]\narptables [-t table] -[RI] chain rulenum rule-specification [options]\narptables [-t table] -D chain rulenum [options]\narptables [-t table] -[LFZ] [chain] [options]\narptables [-t table] -[NX] chain\narptables [-t table] -E old-chain-name new-chain-name\narptables [-t table] -P chain target [options]\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "arptables  is  a user space tool, it is used to set up and maintain the\ntables of ARP rules in the Linux kernel. These rules  inspect  the  ARP\nframes  which  they  see.   arptables is analogous to the iptables user\nspace tool, but arptables is less complicated.\n\nCHAINS\nThe kernel table is used to divide functionality into different sets of\nrules.  Each  set of rules is called a chain.  Each chain is an ordered\nlist of rules that can match ARP frames.  If  a  rule  matches  an  ARP\nframe,  then  a  processing  specification  tells  what to do with that\nmatching frame. The processing specification is called a 'target'. How-\never,  if  the frame does not match the current rule in the chain, then\nthe next rule in the chain is examined and so forth.  The user can cre-\nate  new  (user-defined)  chains which can be used as the 'target' of a\nrule.\n\nTARGETS\nA firewall rule specifies criteria for an ARP frame and  a  frame  pro-\ncessing  specification  called  a target.  When a frame matches a rule,\nthen the next action performed by the kernel is specified by  the  tar-\nget.   The  target  can be one of these values: ACCEPT, DROP, CONTINUE,\nRETURN, an 'extension' (see below) or a user-defined chain.\n\nACCEPT means to let the frame through.  DROP means the frame has to  be\ndropped.   CONTINUE  means the next rule has to be checked. This can be\nhandy to know how many frames pass a certain point in the chain  or  to\nlog  those  frames.  RETURN means stop traversing this chain and resume\nat the next rule in the previous (calling) chain.   For  the  extension\ntargets please see the TARGET EXTENSIONS section of this man page.\n\nTABLES\nThere  is only one ARP table in the Linux kernel.  The table is filter.\nYou can drop the '-t filter' argument to the arptables command.  The -t\nargument  must  be the first argument on the arptables command line, if\nused.\n",
                "subsections": [
                    {
                        "name": "-t, --table",
                        "content": "filter, is the only table and contains two built-in chains:  IN-\nPUT  (for frames destined for the host) and OUTPUT (for locally-\ngenerated frames).\n",
                        "flag": "-t",
                        "long": "--table"
                    }
                ]
            },
            "ARPTABLES COMMAND LINE ARGUMENTS": {
                "content": "After the initial arptables command line argument, the remaining  argu-\nments  can  be divided into several different groups.  These groups are\ncommands,  miscellaneous  commands,  rule-specifications,  match-exten-\nsions, and watcher-extensions.\n\nCOMMANDS\nThe  arptables  command arguments specify the actions to perform on the\ntable defined with the -t argument.  If you do not use the -t  argument\nto  name a table, the commands apply to the default filter table.  With\nthe exception of the -Z command, only one command may be  used  on  the\ncommand line at a time.\n",
                "subsections": [
                    {
                        "name": "-A, --append",
                        "content": "Append a rule to the end of the selected chain.\n",
                        "flag": "-A",
                        "long": "--append"
                    },
                    {
                        "name": "-D, --delete",
                        "content": "Delete the specified rule from the selected chain. There are two\nways to use this command. The first is by specifying an interval\nof rule numbers to delete, syntax: startnr[:endnr]. Using neg-\native numbers is allowed, for more details about using  negative\nnumbers,  see  the -I command. The second usage is by specifying\nthe complete rule as it would have been specified  when  it  was\nadded.\n",
                        "flag": "-D",
                        "long": "--delete"
                    },
                    {
                        "name": "-I, --insert",
                        "content": "Insert  the specified rule into the selected chain at the speci-\nfied rule number.  If the current number of rules equals N, then\nthe  specified  number can be between -N and N+1. For a positive\nnumber i, it holds that i and i-N-1 specify the  same  place  in\nthe chain where the rule should be inserted. The number 0 speci-\nfies the place past the last rule in the chain  and  using  this\nnumber is therefore equivalent with using the -A command.\n",
                        "flag": "-I",
                        "long": "--insert"
                    },
                    {
                        "name": "-R, --replace",
                        "content": "Replaces the specified rule into the selected chain at the spec-\nified rule number.  If the current number  of  rules  equals  N,\nthen  the  specified  number can be between 1 and N. i specifies\nthe place in the chain where the rule should be replaced.\n",
                        "flag": "-R",
                        "long": "--replace"
                    },
                    {
                        "name": "-P, --policy",
                        "content": "Set the policy for the chain to the given target. The policy can\nbe ACCEPT, DROP or RETURN.\n",
                        "flag": "-P",
                        "long": "--policy"
                    },
                    {
                        "name": "-F, --flush",
                        "content": "Flush  the  selected  chain. If no chain is selected, then every\nchain will be flushed. Flushing the chain does  not  change  the\npolicy of the chain, however.\n",
                        "flag": "-F",
                        "long": "--flush"
                    },
                    {
                        "name": "-Z, --zero",
                        "content": "Set  the  counters of the selected chain to zero. If no chain is\nselected, all the counters are set to zero. The -Z  command  can\nbe  used  in  conjunction with the -L command.  When both the -Z\nand -L commands are used together in this way, the rule counters\nare printed on the screen before they are set to zero.\n",
                        "flag": "-Z",
                        "long": "--zero"
                    },
                    {
                        "name": "-L, --list",
                        "content": "List  all  rules in the selected chain. If no chain is selected,\nall chains are listed.\n",
                        "flag": "-L",
                        "long": "--list"
                    },
                    {
                        "name": "-N, --new-chain",
                        "content": "Create a new user-defined chain with the given name. The  number\nof  user-defined  chains is unlimited. A user-defined chain name\nhas maximum length of 31 characters.\n",
                        "flag": "-N",
                        "long": "--new-chain"
                    },
                    {
                        "name": "-X, --delete-chain",
                        "content": "Delete the specified user-defined chain. There must  be  no  re-\nmaining  references  to the specified chain, otherwise arptables\nwill refuse to delete it. If no chain is specified, all user-de-\nfined chains that aren't referenced will be removed.\n",
                        "flag": "-X",
                        "long": "--delete-chain"
                    },
                    {
                        "name": "-E, --rename-chain",
                        "content": "Rename  the  specified  chain to a new name.  Besides renaming a\nuser-defined chain, you may rename a standard chain  name  to  a\nname that suits your taste. For example, if you like PREBRIDGING\nmore than PREROUTING, then you can use the -E command to  rename\nthe PREROUTING chain. If you do rename one of the standard arpt-\nables chain names, please be sure to mention  this  fact  should\nyou post a question on the arptables mailing lists.  It would be\nwise to use the standard name in your post. Renaming a  standard\narptables  chain  in this fashion has no effect on the structure\nor function of the arptables kernel table.\n\nMISCELLANOUS COMMANDS",
                        "flag": "-E",
                        "long": "--rename-chain"
                    },
                    {
                        "name": "-V, --version",
                        "content": "Show the version of the arptables userspace program.\n",
                        "flag": "-V",
                        "long": "--version"
                    },
                    {
                        "name": "-h, --help",
                        "content": "Give a brief description of the command syntax.\n\n-j, --jump target\nThe target of the rule. This is one of the following values: AC-\nCEPT, DROP, CONTINUE, RETURN, a target extension (see TARGET EX-\nTENSIONS) or a user-defined chain name.\n\n-c, --set-counters PKTS BYTES\nThis enables the administrator to initialize the packet and byte\ncounters of a rule (during INSERT, APPEND, REPLACE operations).\n\nRULE-SPECIFICATIONS\nThe  following  command line arguments make up a rule specification (as\nused in the add and delete commands). A \"!\" option before the  specifi-\ncation  inverts the test for that specification. Apart from these stan-\ndard rule specifications there are some other command line arguments of\ninterest.\n\n-s, --source-ip [!] address[/mask]\nThe Source IP specification.\n\n-d, --destination-ip [!] address[/mask]\nThe Destination IP specification.\n\n--source-mac [!] address[/mask]\nThe  source  mac address. Both mask and address are written as 6\nhexadecimal numbers separated by colons.\n\n--destination-mac [!] address[/mask]\nThe destination mac address. Both mask and address  are  written\nas 6 hexadecimal numbers separated by colons.\n\n-i, --in-interface [!] name\nThe  interface  via  which  a  frame  is received (for the INPUT\nchain). The flag --in-if is an alias for this option.\n\n-o, --out-interface [!] name\nThe interface via which a frame is going to  be  sent  (for  the\nOUTPUT chain). The flag --out-if is an alias for this option.\n\n-l, --h-length length[/mask]\nThe hardware length (nr of bytes)\n\n--opcode code[/mask]\nThe  operation  code  (2 bytes). Available values are: 1=Request\n2=Reply   3=RequestReverse   4=ReplyReverse    5=DRARPRequest\n6=DRARPReply 7=DRARPError 8=InARPRequest 9=ARPNAK.\n\n--h-type type[/mask]\nThe  hardware type (2 bytes, hexadecimal). Available values are:\n1=Ethernet.\n\n--proto-type type[/mask]\nThe protocol type (2 bytes). Available values are: 0x800=IPv4.\n\nTARGET-EXTENSIONS\narptables extensions are precompiled into the userspace tool. So  there\nis  no  need to explicitly load them with a -m option like in iptables.\nHowever, these extensions deal with functionality supported by  supple-\nmental kernel modules.\n\nmangle\n--mangle-ip-s IP address\nMangles Source IP Address to given value.\n\n--mangle-ip-d IP address\nMangles Destination IP Address to given value.\n\n--mangle-mac-s MAC address\nMangles Source MAC Address to given value.\n\n--mangle-mac-d MAC address\nMangles Destination MAC Address to given value.\n\n--mangle-target target\nTarget  of ARP mangle operation (DROP, CONTINUE or ACCEPT -- de-\nfault is ACCEPT).\n\nCLASSIFY\nThis  module  allows you to set the skb->priority value (and thus clas-\nsify the packet into a specific CBQ class).\n\n--set-class major:minor\n\nSet the major and minor  class  value.  The  values  are  always\ninterpreted as hexadecimal even if no 0x prefix is given.\n\nMARK\nThis  module  allows you to set the skb->mark value (and thus  classify\nthe packet by the mark in u32)\n\n--set-mark mark\nSet  the  mark  value.  The   values  are  always interpreted as\nhexadecimal even if no 0x prefix is given\n\n--and-mark mark\nBinary AND the mark with bits.\n\n--or-mark mark\nBinary OR the mark with bits.\n",
                        "flag": "-h",
                        "long": "--help"
                    }
                ]
            },
            "NOTES": {
                "content": "In this nft-based version of arptables, support for FORWARD  chain  has\nnot  been  implemented. Since ARP packets are \"forwarded\" only by Linux\nbridges, the same may be achieved using FORWARD chain in ebtables.\n",
                "subsections": []
            },
            "MAILINGLISTS": {
                "content": "See http://netfilter.org/mailinglists.html\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "xtables-nft(8), iptables(8), ebtables(8), ip(8)\n\nSee https://wiki.nftables.org\n\nMarch 2019                      ARPTABLES(8)",
                "subsections": []
            }
        }
    }
}