man-pages/man8/arptables-nft.8.html
2021-03-31 01:06:50 +01:00

552 lines
14 KiB
HTML

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of ARPTABLES</TITLE>
</HEAD><BODY>
<H1>ARPTABLES</H1>
Section: Maintenance Commands (8)<BR>Updated: March 2019<BR><A HREF="#index">Index</A>
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>
arptables - ARP table administration (nft-based)
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>
<B>arptables </B>[<B>-t table</B>]<B> -</B>[<B>AD</B>]<B> chain rule-specification </B>[<B>options</B>]
<BR>
<B>arptables </B>[<B>-t table</B>]<B> -</B>[<B>RI</B>]<B> chain rulenum rule-specification </B>[<B>options</B>]
<BR>
<B>arptables </B>[<B>-t table</B>]<B> -D chain rulenum </B>[<B>options</B>]
<BR>
<B>arptables </B>[<B>-t table</B>]<B> -</B>[<B>LFZ</B>]<B> </B>[<B>chain</B>]<B> </B>[<B>options</B>]
<BR>
<B>arptables </B>[<B>-t table</B>]<B> -</B>[<B>NX</B>]<B> chain</B>
<BR>
<B>arptables </B>[<B>-t table</B>]<B> -E old-chain-name new-chain-name</B>
<BR>
<B>arptables </B>[<B>-t table</B>]<B> -P chain target </B>[<B>options</B>]
<P>
<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>
<B>arptables</B>
is a user space tool, it is used to set up and maintain the
tables of ARP rules in the Linux kernel. These rules inspect
the ARP frames which they see.
<B>arptables</B>
is analogous to the
<B>iptables</B>
user space tool, but
<B>arptables</B>
is less complicated.
<P>
<A NAME="lbAE">&nbsp;</A>
<H3>CHAINS</H3>
The kernel table is used to divide functionality into
different sets of rules. Each set of rules is called a chain.
Each chain is an ordered list of rules that can match ARP frames. If a
rule matches an ARP frame, then a processing specification tells
what to do with that matching frame. The processing specification is
called a 'target'. However, if the frame does not match the current
rule in the chain, then the next rule in the chain is examined and so forth.
The user can create new (user-defined) chains which can be used as the 'target' of a rule.
<P>
<A NAME="lbAF">&nbsp;</A>
<H3>TARGETS</H3>
A firewall rule specifies criteria for an ARP frame and a frame
processing specification called a target. When a frame matches a rule,
then the next action performed by the kernel is specified by the target.
The target can be one of these values:
<I>ACCEPT</I>,
<I>DROP</I>,
<I>CONTINUE</I>,
<I>RETURN</I>,
an 'extension' (see below) or a user-defined chain.
<P>
<I>ACCEPT</I>
means to let the frame through.
<I>DROP</I>
means the frame has to be dropped.
<I>CONTINUE</I>
means the next rule has to be checked. This can be handy to know how many
frames pass a certain point in the chain or to log those frames.
<I>RETURN</I>
means stop traversing this chain and resume at the next rule in the
previous (calling) chain.
For the extension targets please see the
<B>TARGET EXTENSIONS</B>
section of this man page.
<A NAME="lbAG">&nbsp;</A>
<H3>TABLES</H3>
There is only one ARP table in the Linux
kernel. The table is
<B>filter.</B>
You can drop the '-t filter' argument to the arptables command.
The -t argument must be the
first argument on the arptables command line, if used.
<DL COMPACT>
<DT id="1"><B>-t, --table</B>
<DD>
<BR>
<B>filter</B>,
is the only table and contains two built-in chains:
<B>INPUT </B>
(for frames destined for the host) and
<B>OUTPUT </B>
(for locally-generated frames).
<BR>
<BR>
</DL>
<A NAME="lbAH">&nbsp;</A>
<H2>ARPTABLES COMMAND LINE ARGUMENTS</H2>
After the initial arptables command line argument, the remaining
arguments can be divided into several different groups. These groups
are commands, miscellaneous commands, rule-specifications, match-extensions,
and watcher-extensions.
<A NAME="lbAI">&nbsp;</A>
<H3>COMMANDS</H3>
The arptables command arguments specify the actions to perform on the table
defined with the -t argument. If you do not use the -t argument to name
a table, the commands apply to the default filter table.
With the exception of the
<B>-Z</B>
command, only one command may be used on the command line at a time.
<DL COMPACT>
<DT id="2"><B>-A, --append</B>
<DD>
Append a rule to the end of the selected chain.
<DT id="3"><B>-D, --delete</B>
<DD>
Delete the specified rule from the selected chain. There are two ways to
use this command. The first is by specifying an interval of rule numbers
to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
details about using negative numbers, see the -I command. The second usage is by
specifying the complete rule as it would have been specified when it was added.
<DT id="4"><B>-I, --insert</B>
<DD>
Insert the specified rule into the selected chain at the specified rule number.
If the current number of rules equals N, then the specified number can be
between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
same place in the chain where the rule should be inserted. The number 0 specifies
the place past the last rule in the chain and using this number is therefore
equivalent with using the -A command.
<DT id="5"><B>-R, --replace</B>
<DD>
Replaces the specified rule into the selected chain at the specified rule number.
If the current number of rules equals N, then the specified number can be
between 1 and N. i specifies the place in the chain where the rule should be replaced.
<DT id="6"><B>-P, --policy</B>
<DD>
Set the policy for the chain to the given target. The policy can be
<B>ACCEPT</B>, <B>DROP</B> or <B>RETURN</B>.
<DT id="7"><B>-F, --flush</B>
<DD>
Flush the selected chain. If no chain is selected, then every chain will be
flushed. Flushing the chain does not change the policy of the
chain, however.
<DT id="8"><B>-Z, --zero</B>
<DD>
Set the counters of the selected chain to zero. If no chain is selected, all the counters
are set to zero. The
<B>-Z</B>
command can be used in conjunction with the
<B>-L</B>
command.
When both the
<B>-Z</B>
and
<B>-L</B>
commands are used together in this way, the rule counters are printed on the screen
before they are set to zero.
<DT id="9"><B>-L, --list</B>
<DD>
List all rules in the selected chain. If no chain is selected, all chains
are listed.
<DT id="10"><B>-N, --new-chain</B>
<DD>
Create a new user-defined chain with the given name. The number of
user-defined chains is unlimited. A user-defined chain name has maximum
length of 31 characters.
<DT id="11"><B>-X, --delete-chain</B>
<DD>
Delete the specified user-defined chain. There must be no remaining references
to the specified chain, otherwise
<B>arptables</B>
will refuse to delete it. If no chain is specified, all user-defined
chains that aren't referenced will be removed.
<DT id="12"><B>-E, --rename-chain</B>
<DD>
Rename the specified chain to a new name. Besides renaming a user-defined
chain, you may rename a standard chain name to a name that suits your
taste. For example, if you like PREBRIDGING more than PREROUTING,
then you can use the -E command to rename the PREROUTING chain. If you do
rename one of the standard
<B>arptables</B>
chain names, please be sure to mention
this fact should you post a question on the
<B>arptables</B>
mailing lists.
It would be wise to use the standard name in your post. Renaming a standard
<B>arptables</B>
chain in this fashion has no effect on the structure or function
of the
<B>arptables</B>
kernel table.
<P>
</DL>
<A NAME="lbAJ">&nbsp;</A>
<H3>MISCELLANOUS COMMANDS</H3>
<DL COMPACT>
<DT id="13"><B>-V, --version</B>
<DD>
Show the version of the arptables userspace program.
<DT id="14"><B>-h, --help</B>
<DD>
Give a brief description of the command syntax.
<DT id="15"><B>-j, --jump </B><I>target</I>
<DD>
The target of the rule. This is one of the following values:
<B>ACCEPT</B>,
<B>DROP</B>,
<B>CONTINUE</B>,
<B>RETURN</B>,
a target extension (see
<B>TARGET EXTENSIONS</B>)
or a user-defined chain name.
<DT id="16"><B>-c, --set-counters </B><I>PKTS BYTES</I>
<DD>
This enables the administrator to initialize the packet and byte
counters of a rule (during
<B>INSERT,</B>
<B>APPEND,</B>
<B>REPLACE</B>
operations).
<P>
</DL>
<A NAME="lbAK">&nbsp;</A>
<H3>RULE-SPECIFICATIONS</H3>
The following command line arguments make up a rule specification (as used
in the add and delete commands). A &quot;!&quot; option before the specification
inverts the test for that specification. Apart from these standard rule
specifications there are some other command line arguments of interest.
<DL COMPACT>
<DT id="17"><B>-s, --source-ip </B>[!] <I>address</I>[/<I>mask]</I>
<DD>
The Source IP specification.
<DT id="18"><B>-d, --destination-ip </B>[!] <I>address</I>[/<I>mask]</I>
<DD>
The Destination IP specification.
<DT id="19"><B>--source-mac </B>[!] <I>address</I>[/<I>mask</I>]
<DD>
The source mac address. Both mask and address are written as 6 hexadecimal
numbers separated by colons.
<DT id="20"><B>--destination-mac </B>[!] <I>address</I>[/<I>mask</I>]
<DD>
The destination mac address. Both mask and address are written as 6 hexadecimal
numbers separated by colons.
<DT id="21"><B>-i, --in-interface </B>[!] <I>name</I>
<DD>
The interface via which a frame is received (for the
<B>INPUT</B>
chain). The flag
<B>--in-if</B>
is an alias for this option.
<DT id="22"><B>-o, --out-interface </B>[!] <I>name</I>
<DD>
The interface via which a frame is going to be sent (for the
<B>OUTPUT</B>
chain). The flag
<B>--out-if</B>
is an alias for this option.
<DT id="23"><B>-l, --h-length </B><I>length</I>[/<I>mask</I>]
<DD>
The hardware length (nr of bytes)
<DT id="24"><B>--opcode </B><I>code</I>[/<I>mask</I>]
<DD>
The operation code (2 bytes). Available values are:
<B>1</B>=<B>Request</B>
<B>2</B>=<B>Reply</B>
<B>3</B>=<B>Request_Reverse</B>
<B>4</B>=<B>Reply_Reverse</B>
<B>5</B>=<B>DRARP_Request</B>
<B>6</B>=<B>DRARP_Reply</B>
<B>7</B>=<B>DRARP_Error</B>
<B>8</B>=<B>InARP_Request</B>
<B>9</B>=<B>ARP_NAK</B>.
<DT id="25"><B>--h-type </B><I>type</I>[/<I>mask</I>]
<DD>
The hardware type (2 bytes, hexadecimal). Available values are:
<B>1</B>=<B>Ethernet</B>.
<DT id="26"><B>--proto-type </B><I>type</I>[/<I>mask</I>]
<DD>
The protocol type (2 bytes). Available values are:
<B>0x800</B>=<B>IPv4</B>.
<P>
</DL>
<A NAME="lbAL">&nbsp;</A>
<H3>TARGET-EXTENSIONS</H3>
<B>arptables</B>
extensions are precompiled into the userspace tool. So there is no need
to explicitly load them with a -m option like in
<B>iptables</B>.
However, these
extensions deal with functionality supported by supplemental kernel modules.
<A NAME="lbAM">&nbsp;</A>
<H3>mangle</H3>
<DL COMPACT>
<DT id="27"><B>--mangle-ip-s IP address</B>
<DD>
Mangles Source IP Address to given value.
<DT id="28"><B>--mangle-ip-d IP address</B>
<DD>
Mangles Destination IP Address to given value.
<DT id="29"><B>--mangle-mac-s MAC address</B>
<DD>
Mangles Source MAC Address to given value.
<DT id="30"><B>--mangle-mac-d MAC address</B>
<DD>
Mangles Destination MAC Address to given value.
<DT id="31"><B>--mangle-target target </B>
<DD>
Target of ARP mangle operation
<B></B>(<B>DROP</B>, <B>CONTINUE</B> or <B>ACCEPT</B> -- default is <B>ACCEPT</B>).
</DL>
<A NAME="lbAN">&nbsp;</A>
<H3>CLASSIFY</H3>
This module allows you to set the skb-&gt;priority value (and thus clas-
sify the packet into a specific CBQ class).
<P>
<DL COMPACT>
<DT id="32"><B>--set-class major:minor</B>
<DD>
<P>
Set the major and minor class value. The values are always
interpreted as hexadecimal even if no 0x prefix is given.
<P>
</DL>
<A NAME="lbAO">&nbsp;</A>
<H3>MARK</H3>
This module allows you to set the skb-&gt;mark value (and thus classify
the packet by the mark in u32)
<P>
<DL COMPACT>
<DT id="33"><B>--set-mark mark</B>
<DD>
Set the mark value. The values are always
interpreted as hexadecimal even if no 0x prefix is given
<P>
<DT id="34"><B>--and-mark mark</B>
<DD>
Binary AND the mark with bits.
<P>
<DT id="35"><B>--or-mark mark</B>
<DD>
Binary OR the mark with bits.
<P>
</DL>
<A NAME="lbAP">&nbsp;</A>
<H2>NOTES</H2>
In this nft-based version of
<B>arptables</B>,
support for
<B>FORWARD</B>
chain has not been implemented. Since ARP packets are &quot;forwarded&quot; only by Linux
bridges, the same may be achieved using
<B>FORWARD</B>
chain in
<B>ebtables</B>.
<P>
<A NAME="lbAQ">&nbsp;</A>
<H2>MAILINGLISTS</H2>
<B></B>See <B><A HREF="http://netfilter.org/mailinglists.html">http://netfilter.org/mailinglists.html</A></B>
<A NAME="lbAR">&nbsp;</A>
<H2>SEE ALSO</H2>
<B><A HREF="/cgi-bin/man/man2html?8+xtables-nft">xtables-nft</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+iptables">iptables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ebtables">ebtables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ip">ip</A></B>(8)
<P>
<B></B>See <B><A HREF="https://wiki.nftables.org">https://wiki.nftables.org</A></B>
<P>
<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT id="36"><A HREF="#lbAB">NAME</A><DD>
<DT id="37"><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT id="38"><A HREF="#lbAD">DESCRIPTION</A><DD>
<DL>
<DT id="39"><A HREF="#lbAE">CHAINS</A><DD>
<DT id="40"><A HREF="#lbAF">TARGETS</A><DD>
<DT id="41"><A HREF="#lbAG">TABLES</A><DD>
</DL>
<DT id="42"><A HREF="#lbAH">ARPTABLES COMMAND LINE ARGUMENTS</A><DD>
<DL>
<DT id="43"><A HREF="#lbAI">COMMANDS</A><DD>
<DT id="44"><A HREF="#lbAJ">MISCELLANOUS COMMANDS</A><DD>
<DT id="45"><A HREF="#lbAK">RULE-SPECIFICATIONS</A><DD>
<DT id="46"><A HREF="#lbAL">TARGET-EXTENSIONS</A><DD>
<DT id="47"><A HREF="#lbAM">mangle</A><DD>
<DT id="48"><A HREF="#lbAN">CLASSIFY</A><DD>
<DT id="49"><A HREF="#lbAO">MARK</A><DD>
</DL>
<DT id="50"><A HREF="#lbAP">NOTES</A><DD>
<DT id="51"><A HREF="#lbAQ">MAILINGLISTS</A><DD>
<DT id="52"><A HREF="#lbAR">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 00:06:11 GMT, March 31, 2021
</BODY>
</HTML>