{ "mode": "man", "parameter": "ARPTABLES", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ARPTABLES/8/json", "generated": "2026-06-15T18:53:25Z", "synopsis": "arptables [-t table] -[AD] chain rule-specification [options]\narptables [-t table] -[RI] chain rulenum rule-specification [options]\narptables [-t table] -D chain rulenum [options]\narptables [-t table] -[LFZ] [chain] [options]\narptables [-t table] -[NX] chain\narptables [-t table] -E old-chain-name new-chain-name\narptables [-t table] -P chain target [options]", "sections": { "NAME": { "content": "arptables - ARP table administration (nft-based)\n", "subsections": [] }, "SYNOPSIS": { "content": "arptables [-t table] -[AD] chain rule-specification [options]\narptables [-t table] -[RI] chain rulenum rule-specification [options]\narptables [-t table] -D chain rulenum [options]\narptables [-t table] -[LFZ] [chain] [options]\narptables [-t table] -[NX] chain\narptables [-t table] -E old-chain-name new-chain-name\narptables [-t table] -P chain target [options]\n\n", "subsections": [] }, "DESCRIPTION": { "content": "arptables is a user space tool, it is used to set up and maintain the tables of ARP rules in\nthe Linux kernel. These rules inspect the ARP frames which they see. arptables is analogous\nto the iptables user space tool, but arptables is less complicated.\n\n\nCHAINS\nThe kernel table is used to divide functionality into different sets of rules. Each set of\nrules is called a chain. Each chain is an ordered list of rules that can match ARP frames.\nIf a rule matches an ARP frame, then a processing specification tells what to do with that\nmatching frame. The processing specification is called a 'target'. However, if the frame does\nnot match the current rule in the chain, then the next rule in the chain is examined and so\nforth. The user can create new (user-defined) chains which can be used as the 'target' of a\nrule.\n\n\nTARGETS\nA firewall rule specifies criteria for an ARP frame and a frame processing specification\ncalled a target. When a frame matches a rule, then the next action performed by the kernel\nis specified by the target. The target can be one of these values: ACCEPT, DROP, CONTINUE,\nRETURN, an 'extension' (see below) or a user-defined chain.\n\nACCEPT means to let the frame through. DROP means the frame has to be dropped. CONTINUE\nmeans the next rule has to be checked. This can be handy to know how many frames pass a cer‐\ntain point in the chain or to log those frames. RETURN means stop traversing this chain and\nresume at the next rule in the previous (calling) chain. For the extension targets please\nsee the TARGET EXTENSIONS section of this man page.\n\nTABLES\nThere is only one ARP table in the Linux kernel. The table is filter. You can drop the '-t\nfilter' argument to the arptables command. The -t argument must be the first argument on the\narptables command line, if used.\n", "subsections": [ { "name": "-t, --table", "content": "filter, is the only table and contains two built-in chains: INPUT (for frames destined\nfor the host) and OUTPUT (for locally-generated frames).\n", "flag": "-t", "long": "--table" } ] }, "ARPTABLES COMMAND LINE ARGUMENTS": { "content": "After the initial arptables command line argument, the remaining arguments can be divided\ninto several different groups. These groups are commands, miscellaneous commands, rule-spec‐\nifications, match-extensions, and watcher-extensions.\n\nCOMMANDS\nThe arptables command arguments specify the actions to perform on the table defined with the\n-t argument. If you do not use the -t argument to name a table, the commands apply to the\ndefault filter table. With the exception of the -Z command, only one command may be used on\nthe command line at a time.\n", "subsections": [ { "name": "-A, --append", "content": "Append a rule to the end of the selected chain.\n", "flag": "-A", "long": "--append" }, { "name": "-D, --delete", "content": "Delete the specified rule from the selected chain. There are two ways to use this com‐\nmand. The first is by specifying an interval of rule numbers to delete, syntax:\nstartnr[:endnr]. Using negative numbers is allowed, for more details about using\nnegative numbers, see the -I command. The second usage is by specifying the complete\nrule as it would have been specified when it was added.\n", "flag": "-D", "long": "--delete" }, { "name": "-I, --insert", "content": "Insert the specified rule into the selected chain at the specified rule number. If\nthe current number of rules equals N, then the specified number can be between -N and\nN+1. For a positive number i, it holds that i and i-N-1 specify the same place in the\nchain where the rule should be inserted. The number 0 specifies the place past the\nlast rule in the chain and using this number is therefore equivalent with using the -A\ncommand.\n", "flag": "-I", "long": "--insert" }, { "name": "-R, --replace", "content": "Replaces the specified rule into the selected chain at the specified rule number. If\nthe current number of rules equals N, then the specified number can be between 1 and\nN. i specifies the place in the chain where the rule should be replaced.\n", "flag": "-R", "long": "--replace" }, { "name": "-P, --policy", "content": "Set the policy for the chain to the given target. The policy can be ACCEPT, DROP or\nRETURN.\n", "flag": "-P", "long": "--policy" }, { "name": "-F, --flush", "content": "Flush the selected chain. If no chain is selected, then every chain will be flushed.\nFlushing the chain does not change the policy of the chain, however.\n", "flag": "-F", "long": "--flush" }, { "name": "-Z, --zero", "content": "Set the counters of the selected chain to zero. If no chain is selected, all the coun‐\nters are set to zero. The -Z command can be used in conjunction with the -L command.\nWhen both the -Z and -L commands are used together in this way, the rule counters are\nprinted on the screen before they are set to zero.\n", "flag": "-Z", "long": "--zero" }, { "name": "-L, --list", "content": "List all rules in the selected chain. If no chain is selected, all chains are listed.\n", "flag": "-L", "long": "--list" }, { "name": "-N, --new-chain", "content": "Create a new user-defined chain with the given name. The number of user-defined chains\nis unlimited. A user-defined chain name has maximum length of 31 characters.\n", "flag": "-N", "long": "--new-chain" }, { "name": "-X, --delete-chain", "content": "Delete the specified user-defined chain. There must be no remaining references to the\nspecified chain, otherwise arptables will refuse to delete it. If no chain is speci‐\nfied, all user-defined chains that aren't referenced will be removed.\n", "flag": "-X", "long": "--delete-chain" }, { "name": "-E, --rename-chain", "content": "Rename the specified chain to a new name. Besides renaming a user-defined chain, you\nmay rename a standard chain name to a name that suits your taste. For example, if you\nlike PREBRIDGING more than PREROUTING, then you can use the -E command to rename the\nPREROUTING chain. If you do rename one of the standard arptables chain names, please\nbe sure to mention this fact should you post a question on the arptables mailing\nlists. It would be wise to use the standard name in your post. Renaming a standard\narptables chain in this fashion has no effect on the structure or function of the\narptables kernel table.\n\n\nMISCELLANOUS COMMANDS", "flag": "-E", "long": "--rename-chain" }, { "name": "-V, --version", "content": "Show the version of the arptables userspace program.\n", "flag": "-V", "long": "--version" }, { "name": "-h, --help", "content": "Give a brief description of the command syntax.\n", "flag": "-h", "long": "--help" }, { "name": "-j, --jump", "content": "The target of the rule. This is one of the following values: ACCEPT, DROP, CONTINUE,\nRETURN, a target extension (see TARGET EXTENSIONS) or a user-defined chain name.\n", "flag": "-j", "long": "--jump" }, { "name": "-c, --set-counters", "content": "This enables the administrator to initialize the packet and byte counters of a rule\n(during INSERT, APPEND, REPLACE operations).\n\n\nRULE-SPECIFICATIONS\nThe following command line arguments make up a rule specification (as used in the add and\ndelete commands). A \"!\" option before the specification inverts the test for that specifica‐\ntion. Apart from these standard rule specifications there are some other command line argu‐\nments of interest.\n", "flag": "-c", "long": "--set-counters" }, { "name": "-s, --source-ip", "content": "The Source IP specification.\n", "flag": "-s", "long": "--source-ip" }, { "name": "-d, --destination-ip", "content": "The Destination IP specification.\n\n--source-mac [!] address[/mask]\nThe source mac address. Both mask and address are written as 6 hexadecimal numbers\nseparated by colons.\n\n--destination-mac [!] address[/mask]\nThe destination mac address. Both mask and address are written as 6 hexadecimal num‐\nbers separated by colons.\n", "flag": "-d", "long": "--destination-ip" }, { "name": "-i, --in-interface", "content": "The interface via which a frame is received (for the INPUT chain). The flag --in-if is\nan alias for this option.\n", "flag": "-i", "long": "--in-interface" }, { "name": "-o, --out-interface", "content": "The interface via which a frame is going to be sent (for the OUTPUT chain). The flag\n--out-if is an alias for this option.\n", "flag": "-o", "long": "--out-interface" }, { "name": "-l, --h-length", "content": "The hardware length (nr of bytes)\n\n--opcode code[/mask]\nThe operation code (2 bytes). Available values are: 1=Request 2=Reply 3=RequestRe‐‐\nverse 4=ReplyReverse 5=DRARPRequest 6=DRARPReply 7=DRARPError 8=InARPRequest\n9=ARPNAK.\n\n--h-type type[/mask]\nThe hardware type (2 bytes, hexadecimal). Available values are: 1=Ethernet.\n\n--proto-type type[/mask]\nThe protocol type (2 bytes). Available values are: 0x800=IPv4.\n\n\nTARGET-EXTENSIONS\narptables extensions are precompiled into the userspace tool. So there is no need to explic‐\nitly load them with a -m option like in iptables. However, these extensions deal with func‐\ntionality supported by supplemental kernel modules.\n", "flag": "-l", "long": "--h-length" }, { "name": "mangle", "content": "" }, { "name": "--mangle-ip-s IP address", "content": "Mangles Source IP Address to given value.\n", "long": "--mangle-ip-s", "arg": "IP" }, { "name": "--mangle-ip-d IP address", "content": "Mangles Destination IP Address to given value.\n", "long": "--mangle-ip-d", "arg": "IP" }, { "name": "--mangle-mac-s MAC address", "content": "Mangles Source MAC Address to given value.\n", "long": "--mangle-mac-s", "arg": "MAC" }, { "name": "--mangle-mac-d MAC address", "content": "Mangles Destination MAC Address to given value.\n", "long": "--mangle-mac-d", "arg": "MAC" }, { "name": "--mangle-target target", "content": "Target of ARP mangle operation (DROP, CONTINUE or ACCEPT -- default is ACCEPT).\n\nCLASSIFY\nThis module allows you to set the skb->priority value (and thus clas- sify the packet into\na specific CBQ class).\n\n", "long": "--mangle-target" }, { "name": "--set-class major:minor", "content": "Set the major and minor class value. The values are always interpreted as hexa‐\ndecimal even if no 0x prefix is given.\n\n\nMARK\nThis module allows you to set the skb->mark value (and thus classify the packet by the mark\nin u32)\n\n", "long": "--set-class" }, { "name": "--set-mark mark", "content": "Set the mark value. The values are always interpreted as hexadecimal even if no 0x\nprefix is given\n\n", "long": "--set-mark" }, { "name": "--and-mark mark", "content": "Binary AND the mark with bits.\n\n", "long": "--and-mark" }, { "name": "--or-mark mark", "content": "Binary OR the mark with bits.\n\n", "long": "--or-mark" } ] }, "NOTES": { "content": "In this nft-based version of arptables, support for FORWARD chain has not been implemented.\nSince ARP packets are \"forwarded\" only by Linux bridges, the same may be achieved using FOR‐‐\nWARD chain in ebtables.\n\n", "subsections": [] }, "MAILINGLISTS": { "content": "See http://netfilter.org/mailinglists.html\n", "subsections": [] }, "SEE ALSO": { "content": "xtables-nft(8), iptables(8), ebtables(8), ip(8)\n\nSee https://wiki.nftables.org\n\n\n\nMarch 2019 ARPTABLES(8)", "subsections": [] } }, "summary": "arptables - ARP table administration (nft-based)", "flags": [ { "flag": "-t", "long": "--table", "arg": null, "description": "filter, is the only table and contains two built-in chains: INPUT (for frames destined for the host) and OUTPUT (for locally-generated frames)." } ], "examples": [], "see_also": [ { "name": "xtables-nft", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/xtables-nft/8/json" }, { "name": "iptables", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json" }, { "name": "ebtables", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ebtables/8/json" }, { "name": "ip", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ip/8/json" } ] }