552 lines
14 KiB
HTML
552 lines
14 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of ARPTABLES</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>ARPTABLES</H1>
|
|
Section: Maintenance Commands (8)<BR>Updated: March 2019<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
arptables - ARP table administration (nft-based)
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<B>arptables </B>[<B>-t table</B>]<B> -</B>[<B>AD</B>]<B> chain rule-specification </B>[<B>options</B>]
|
|
|
|
<BR>
|
|
|
|
<B>arptables </B>[<B>-t table</B>]<B> -</B>[<B>RI</B>]<B> chain rulenum rule-specification </B>[<B>options</B>]
|
|
|
|
<BR>
|
|
|
|
<B>arptables </B>[<B>-t table</B>]<B> -D chain rulenum </B>[<B>options</B>]
|
|
|
|
<BR>
|
|
|
|
<B>arptables </B>[<B>-t table</B>]<B> -</B>[<B>LFZ</B>]<B> </B>[<B>chain</B>]<B> </B>[<B>options</B>]
|
|
|
|
<BR>
|
|
|
|
<B>arptables </B>[<B>-t table</B>]<B> -</B>[<B>NX</B>]<B> chain</B>
|
|
|
|
<BR>
|
|
|
|
<B>arptables </B>[<B>-t table</B>]<B> -E old-chain-name new-chain-name</B>
|
|
|
|
<BR>
|
|
|
|
<B>arptables </B>[<B>-t table</B>]<B> -P chain target </B>[<B>options</B>]
|
|
|
|
<P>
|
|
<A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<B>arptables</B>
|
|
|
|
is a user space tool, it is used to set up and maintain the
|
|
tables of ARP rules in the Linux kernel. These rules inspect
|
|
the ARP frames which they see.
|
|
<B>arptables</B>
|
|
|
|
is analogous to the
|
|
<B>iptables</B>
|
|
|
|
user space tool, but
|
|
<B>arptables</B>
|
|
|
|
is less complicated.
|
|
<P>
|
|
<A NAME="lbAE"> </A>
|
|
<H3>CHAINS</H3>
|
|
|
|
The kernel table is used to divide functionality into
|
|
different sets of rules. Each set of rules is called a chain.
|
|
Each chain is an ordered list of rules that can match ARP frames. If a
|
|
rule matches an ARP frame, then a processing specification tells
|
|
what to do with that matching frame. The processing specification is
|
|
called a 'target'. However, if the frame does not match the current
|
|
rule in the chain, then the next rule in the chain is examined and so forth.
|
|
The user can create new (user-defined) chains which can be used as the 'target' of a rule.
|
|
<P>
|
|
<A NAME="lbAF"> </A>
|
|
<H3>TARGETS</H3>
|
|
|
|
A firewall rule specifies criteria for an ARP frame and a frame
|
|
processing specification called a target. When a frame matches a rule,
|
|
then the next action performed by the kernel is specified by the target.
|
|
The target can be one of these values:
|
|
<I>ACCEPT</I>,
|
|
|
|
<I>DROP</I>,
|
|
|
|
<I>CONTINUE</I>,
|
|
|
|
<I>RETURN</I>,
|
|
|
|
an 'extension' (see below) or a user-defined chain.
|
|
<P>
|
|
|
|
<I>ACCEPT</I>
|
|
|
|
means to let the frame through.
|
|
<I>DROP</I>
|
|
|
|
means the frame has to be dropped.
|
|
<I>CONTINUE</I>
|
|
|
|
means the next rule has to be checked. This can be handy to know how many
|
|
frames pass a certain point in the chain or to log those frames.
|
|
<I>RETURN</I>
|
|
|
|
means stop traversing this chain and resume at the next rule in the
|
|
previous (calling) chain.
|
|
For the extension targets please see the
|
|
<B>TARGET EXTENSIONS</B>
|
|
|
|
section of this man page.
|
|
<A NAME="lbAG"> </A>
|
|
<H3>TABLES</H3>
|
|
|
|
There is only one ARP table in the Linux
|
|
kernel. The table is
|
|
<B>filter.</B>
|
|
|
|
You can drop the '-t filter' argument to the arptables command.
|
|
The -t argument must be the
|
|
first argument on the arptables command line, if used.
|
|
<DL COMPACT>
|
|
<DT id="1"><B>-t, --table</B>
|
|
|
|
<DD>
|
|
<BR>
|
|
|
|
<B>filter</B>,
|
|
|
|
is the only table and contains two built-in chains:
|
|
<B>INPUT </B>
|
|
|
|
(for frames destined for the host) and
|
|
<B>OUTPUT </B>
|
|
|
|
(for locally-generated frames).
|
|
<BR>
|
|
|
|
<BR>
|
|
|
|
</DL>
|
|
<A NAME="lbAH"> </A>
|
|
<H2>ARPTABLES COMMAND LINE ARGUMENTS</H2>
|
|
|
|
After the initial arptables command line argument, the remaining
|
|
arguments can be divided into several different groups. These groups
|
|
are commands, miscellaneous commands, rule-specifications, match-extensions,
|
|
and watcher-extensions.
|
|
<A NAME="lbAI"> </A>
|
|
<H3>COMMANDS</H3>
|
|
|
|
The arptables command arguments specify the actions to perform on the table
|
|
defined with the -t argument. If you do not use the -t argument to name
|
|
a table, the commands apply to the default filter table.
|
|
With the exception of the
|
|
<B>-Z</B>
|
|
|
|
command, only one command may be used on the command line at a time.
|
|
<DL COMPACT>
|
|
<DT id="2"><B>-A, --append</B>
|
|
|
|
<DD>
|
|
Append a rule to the end of the selected chain.
|
|
<DT id="3"><B>-D, --delete</B>
|
|
|
|
<DD>
|
|
Delete the specified rule from the selected chain. There are two ways to
|
|
use this command. The first is by specifying an interval of rule numbers
|
|
to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
|
|
details about using negative numbers, see the -I command. The second usage is by
|
|
specifying the complete rule as it would have been specified when it was added.
|
|
<DT id="4"><B>-I, --insert</B>
|
|
|
|
<DD>
|
|
Insert the specified rule into the selected chain at the specified rule number.
|
|
If the current number of rules equals N, then the specified number can be
|
|
between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
|
|
same place in the chain where the rule should be inserted. The number 0 specifies
|
|
the place past the last rule in the chain and using this number is therefore
|
|
equivalent with using the -A command.
|
|
<DT id="5"><B>-R, --replace</B>
|
|
|
|
<DD>
|
|
Replaces the specified rule into the selected chain at the specified rule number.
|
|
If the current number of rules equals N, then the specified number can be
|
|
between 1 and N. i specifies the place in the chain where the rule should be replaced.
|
|
<DT id="6"><B>-P, --policy</B>
|
|
|
|
<DD>
|
|
Set the policy for the chain to the given target. The policy can be
|
|
<B>ACCEPT</B>, <B>DROP</B> or <B>RETURN</B>.
|
|
|
|
<DT id="7"><B>-F, --flush</B>
|
|
|
|
<DD>
|
|
Flush the selected chain. If no chain is selected, then every chain will be
|
|
flushed. Flushing the chain does not change the policy of the
|
|
chain, however.
|
|
<DT id="8"><B>-Z, --zero</B>
|
|
|
|
<DD>
|
|
Set the counters of the selected chain to zero. If no chain is selected, all the counters
|
|
are set to zero. The
|
|
<B>-Z</B>
|
|
|
|
command can be used in conjunction with the
|
|
<B>-L</B>
|
|
|
|
command.
|
|
When both the
|
|
<B>-Z</B>
|
|
|
|
and
|
|
<B>-L</B>
|
|
|
|
commands are used together in this way, the rule counters are printed on the screen
|
|
before they are set to zero.
|
|
<DT id="9"><B>-L, --list</B>
|
|
|
|
<DD>
|
|
List all rules in the selected chain. If no chain is selected, all chains
|
|
are listed.
|
|
<DT id="10"><B>-N, --new-chain</B>
|
|
|
|
<DD>
|
|
Create a new user-defined chain with the given name. The number of
|
|
user-defined chains is unlimited. A user-defined chain name has maximum
|
|
length of 31 characters.
|
|
<DT id="11"><B>-X, --delete-chain</B>
|
|
|
|
<DD>
|
|
Delete the specified user-defined chain. There must be no remaining references
|
|
to the specified chain, otherwise
|
|
<B>arptables</B>
|
|
|
|
will refuse to delete it. If no chain is specified, all user-defined
|
|
chains that aren't referenced will be removed.
|
|
<DT id="12"><B>-E, --rename-chain</B>
|
|
|
|
<DD>
|
|
Rename the specified chain to a new name. Besides renaming a user-defined
|
|
chain, you may rename a standard chain name to a name that suits your
|
|
taste. For example, if you like PREBRIDGING more than PREROUTING,
|
|
then you can use the -E command to rename the PREROUTING chain. If you do
|
|
rename one of the standard
|
|
<B>arptables</B>
|
|
|
|
chain names, please be sure to mention
|
|
this fact should you post a question on the
|
|
<B>arptables</B>
|
|
|
|
mailing lists.
|
|
It would be wise to use the standard name in your post. Renaming a standard
|
|
<B>arptables</B>
|
|
|
|
chain in this fashion has no effect on the structure or function
|
|
of the
|
|
<B>arptables</B>
|
|
|
|
kernel table.
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAJ"> </A>
|
|
<H3>MISCELLANOUS COMMANDS</H3>
|
|
|
|
<DL COMPACT>
|
|
<DT id="13"><B>-V, --version</B>
|
|
|
|
<DD>
|
|
Show the version of the arptables userspace program.
|
|
<DT id="14"><B>-h, --help</B>
|
|
|
|
<DD>
|
|
Give a brief description of the command syntax.
|
|
<DT id="15"><B>-j, --jump </B><I>target</I>
|
|
|
|
<DD>
|
|
The target of the rule. This is one of the following values:
|
|
<B>ACCEPT</B>,
|
|
|
|
<B>DROP</B>,
|
|
|
|
<B>CONTINUE</B>,
|
|
|
|
<B>RETURN</B>,
|
|
|
|
a target extension (see
|
|
<B>TARGET EXTENSIONS</B>)
|
|
|
|
or a user-defined chain name.
|
|
<DT id="16"><B>-c, --set-counters </B><I>PKTS BYTES</I>
|
|
|
|
<DD>
|
|
This enables the administrator to initialize the packet and byte
|
|
counters of a rule (during
|
|
<B>INSERT,</B>
|
|
|
|
<B>APPEND,</B>
|
|
|
|
<B>REPLACE</B>
|
|
|
|
operations).
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAK"> </A>
|
|
<H3>RULE-SPECIFICATIONS</H3>
|
|
|
|
The following command line arguments make up a rule specification (as used
|
|
in the add and delete commands). A "!" option before the specification
|
|
inverts the test for that specification. Apart from these standard rule
|
|
specifications there are some other command line arguments of interest.
|
|
<DL COMPACT>
|
|
<DT id="17"><B>-s, --source-ip </B>[!] <I>address</I>[/<I>mask]</I>
|
|
|
|
<DD>
|
|
The Source IP specification.
|
|
<DT id="18"><B>-d, --destination-ip </B>[!] <I>address</I>[/<I>mask]</I>
|
|
|
|
<DD>
|
|
The Destination IP specification.
|
|
<DT id="19"><B>--source-mac </B>[!] <I>address</I>[/<I>mask</I>]
|
|
|
|
<DD>
|
|
The source mac address. Both mask and address are written as 6 hexadecimal
|
|
numbers separated by colons.
|
|
<DT id="20"><B>--destination-mac </B>[!] <I>address</I>[/<I>mask</I>]
|
|
|
|
<DD>
|
|
The destination mac address. Both mask and address are written as 6 hexadecimal
|
|
numbers separated by colons.
|
|
<DT id="21"><B>-i, --in-interface </B>[!] <I>name</I>
|
|
|
|
<DD>
|
|
The interface via which a frame is received (for the
|
|
<B>INPUT</B>
|
|
|
|
chain). The flag
|
|
<B>--in-if</B>
|
|
|
|
is an alias for this option.
|
|
<DT id="22"><B>-o, --out-interface </B>[!] <I>name</I>
|
|
|
|
<DD>
|
|
The interface via which a frame is going to be sent (for the
|
|
<B>OUTPUT</B>
|
|
|
|
chain). The flag
|
|
<B>--out-if</B>
|
|
|
|
is an alias for this option.
|
|
<DT id="23"><B>-l, --h-length </B><I>length</I>[/<I>mask</I>]
|
|
|
|
<DD>
|
|
The hardware length (nr of bytes)
|
|
<DT id="24"><B>--opcode </B><I>code</I>[/<I>mask</I>]
|
|
|
|
<DD>
|
|
The operation code (2 bytes). Available values are:
|
|
<B>1</B>=<B>Request</B>
|
|
|
|
<B>2</B>=<B>Reply</B>
|
|
|
|
<B>3</B>=<B>Request_Reverse</B>
|
|
|
|
<B>4</B>=<B>Reply_Reverse</B>
|
|
|
|
<B>5</B>=<B>DRARP_Request</B>
|
|
|
|
<B>6</B>=<B>DRARP_Reply</B>
|
|
|
|
<B>7</B>=<B>DRARP_Error</B>
|
|
|
|
<B>8</B>=<B>InARP_Request</B>
|
|
|
|
<B>9</B>=<B>ARP_NAK</B>.
|
|
|
|
<DT id="25"><B>--h-type </B><I>type</I>[/<I>mask</I>]
|
|
|
|
<DD>
|
|
The hardware type (2 bytes, hexadecimal). Available values are:
|
|
<B>1</B>=<B>Ethernet</B>.
|
|
|
|
<DT id="26"><B>--proto-type </B><I>type</I>[/<I>mask</I>]
|
|
|
|
<DD>
|
|
The protocol type (2 bytes). Available values are:
|
|
<B>0x800</B>=<B>IPv4</B>.
|
|
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAL"> </A>
|
|
<H3>TARGET-EXTENSIONS</H3>
|
|
|
|
<B>arptables</B>
|
|
|
|
extensions are precompiled into the userspace tool. So there is no need
|
|
to explicitly load them with a -m option like in
|
|
<B>iptables</B>.
|
|
|
|
However, these
|
|
extensions deal with functionality supported by supplemental kernel modules.
|
|
<A NAME="lbAM"> </A>
|
|
<H3>mangle</H3>
|
|
|
|
<DL COMPACT>
|
|
<DT id="27"><B>--mangle-ip-s IP address</B>
|
|
|
|
<DD>
|
|
Mangles Source IP Address to given value.
|
|
<DT id="28"><B>--mangle-ip-d IP address</B>
|
|
|
|
<DD>
|
|
Mangles Destination IP Address to given value.
|
|
<DT id="29"><B>--mangle-mac-s MAC address</B>
|
|
|
|
<DD>
|
|
Mangles Source MAC Address to given value.
|
|
<DT id="30"><B>--mangle-mac-d MAC address</B>
|
|
|
|
<DD>
|
|
Mangles Destination MAC Address to given value.
|
|
<DT id="31"><B>--mangle-target target </B>
|
|
|
|
<DD>
|
|
Target of ARP mangle operation
|
|
<B></B>(<B>DROP</B>, <B>CONTINUE</B> or <B>ACCEPT</B> -- default is <B>ACCEPT</B>).
|
|
|
|
</DL>
|
|
<A NAME="lbAN"> </A>
|
|
<H3>CLASSIFY</H3>
|
|
|
|
This module allows you to set the skb->priority value (and thus clas-
|
|
sify the packet into a specific CBQ class).
|
|
<P>
|
|
<DL COMPACT>
|
|
<DT id="32"><B>--set-class major:minor</B>
|
|
|
|
<DD>
|
|
<P>
|
|
Set the major and minor class value. The values are always
|
|
interpreted as hexadecimal even if no 0x prefix is given.
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAO"> </A>
|
|
<H3>MARK</H3>
|
|
|
|
This module allows you to set the skb->mark value (and thus classify
|
|
the packet by the mark in u32)
|
|
<P>
|
|
<DL COMPACT>
|
|
<DT id="33"><B>--set-mark mark</B>
|
|
|
|
<DD>
|
|
Set the mark value. The values are always
|
|
interpreted as hexadecimal even if no 0x prefix is given
|
|
<P>
|
|
<DT id="34"><B>--and-mark mark</B>
|
|
|
|
<DD>
|
|
Binary AND the mark with bits.
|
|
<P>
|
|
<DT id="35"><B>--or-mark mark</B>
|
|
|
|
<DD>
|
|
Binary OR the mark with bits.
|
|
<P>
|
|
</DL>
|
|
<A NAME="lbAP"> </A>
|
|
<H2>NOTES</H2>
|
|
|
|
In this nft-based version of
|
|
<B>arptables</B>,
|
|
|
|
support for
|
|
<B>FORWARD</B>
|
|
|
|
chain has not been implemented. Since ARP packets are "forwarded" only by Linux
|
|
bridges, the same may be achieved using
|
|
<B>FORWARD</B>
|
|
|
|
chain in
|
|
<B>ebtables</B>.
|
|
|
|
<P>
|
|
<A NAME="lbAQ"> </A>
|
|
<H2>MAILINGLISTS</H2>
|
|
|
|
<B></B>See <B><A HREF="http://netfilter.org/mailinglists.html">http://netfilter.org/mailinglists.html</A></B>
|
|
|
|
<A NAME="lbAR"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+xtables-nft">xtables-nft</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+iptables">iptables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ebtables">ebtables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+ip">ip</A></B>(8)
|
|
|
|
<P>
|
|
|
|
<B></B>See <B><A HREF="https://wiki.nftables.org">https://wiki.nftables.org</A></B>
|
|
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="36"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="37"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="38"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DL>
|
|
<DT id="39"><A HREF="#lbAE">CHAINS</A><DD>
|
|
<DT id="40"><A HREF="#lbAF">TARGETS</A><DD>
|
|
<DT id="41"><A HREF="#lbAG">TABLES</A><DD>
|
|
</DL>
|
|
<DT id="42"><A HREF="#lbAH">ARPTABLES COMMAND LINE ARGUMENTS</A><DD>
|
|
<DL>
|
|
<DT id="43"><A HREF="#lbAI">COMMANDS</A><DD>
|
|
<DT id="44"><A HREF="#lbAJ">MISCELLANOUS COMMANDS</A><DD>
|
|
<DT id="45"><A HREF="#lbAK">RULE-SPECIFICATIONS</A><DD>
|
|
<DT id="46"><A HREF="#lbAL">TARGET-EXTENSIONS</A><DD>
|
|
<DT id="47"><A HREF="#lbAM">mangle</A><DD>
|
|
<DT id="48"><A HREF="#lbAN">CLASSIFY</A><DD>
|
|
<DT id="49"><A HREF="#lbAO">MARK</A><DD>
|
|
</DL>
|
|
<DT id="50"><A HREF="#lbAP">NOTES</A><DD>
|
|
<DT id="51"><A HREF="#lbAQ">MAILINGLISTS</A><DD>
|
|
<DT id="52"><A HREF="#lbAR">SEE ALSO</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:11 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|