arptables-nft.8 11.3 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
.TH ARPTABLES 8  "March 2019"
.\"
.\" Man page originally written by Jochen Friedrich <jochen@scram.de>,
.\" maintained by Bart De Schuymer.
.\" It is based on the iptables man page.
.\"
.\" Iptables page by Herve Eychenne March 2000.
.\"
.\"     This program is free software; you can redistribute it and/or modify
.\"     it under the terms of the GNU General Public License as published by
.\"     the Free Software Foundation; either version 2 of the License, or
.\"     (at your option) any later version.
.\"
.\"     This program is distributed in the hope that it will be useful,
.\"     but WITHOUT ANY WARRANTY; without even the implied warranty of
.\"     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\"     GNU General Public License for more details.
.\"
.\"     You should have received a copy of the GNU General Public License
.\"     along with this program; if not, write to the Free Software
.\"     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"
.SH NAME
arptables \- ARP table administration (nft-based)
.SH SYNOPSIS
.BR "arptables " [ "-t table" ] " -" [ AD ] " chain rule-specification " [ options ]
.br
.BR "arptables " [ "-t table" ] " -" [ RI ] " chain rulenum rule-specification " [ options ]
.br
.BR "arptables " [ "-t table" ] " -D chain rulenum " [ options ]
.br
.BR "arptables " [ "-t table" ] " -" [ "LFZ" ] " " [ chain ] " " [ options ]
.br
.BR "arptables " [ "-t table" ] " -" [ "NX" ] " chain"
.br
.BR "arptables " [ "-t table" ] " -E old-chain-name new-chain-name"
.br
.BR "arptables " [ "-t table" ] " -P chain target " [ options ]

.SH DESCRIPTION
.B arptables
is a user space tool, it is used to set up and maintain the
tables of ARP rules in the Linux kernel. These rules inspect
the ARP frames which they see.
.B arptables
is analogous to the
.B iptables
user space tool, but
.B arptables
is less complicated.

.SS CHAINS
The kernel table is used to divide functionality into
different sets of rules. Each set of rules is called a chain.
Each chain is an ordered list of rules that can match ARP frames. If a
rule matches an ARP frame, then a processing specification tells
what to do with that matching frame. The processing specification is
called a 'target'. However, if the frame does not match the current
rule in the chain, then the next rule in the chain is examined and so forth.
The user can create new (user-defined) chains which can be used as the 'target' of a rule.

.SS TARGETS
A firewall rule specifies criteria for an ARP frame and a frame
processing specification called a target.  When a frame matches a rule,
then the next action performed by the kernel is specified by the target.
The target can be one of these values:
.IR ACCEPT ,
.IR DROP ,
.IR CONTINUE ,
.IR RETURN ,
an 'extension' (see below) or a user-defined chain.
.PP
.I ACCEPT
means to let the frame through.
.I DROP
means the frame has to be dropped.
.I CONTINUE
means the next rule has to be checked. This can be handy to know how many
frames pass a certain point in the chain or to log those frames.
.I RETURN
means stop traversing this chain and resume at the next rule in the
previous (calling) chain.
For the extension targets please see the
.B "TARGET EXTENSIONS"
section of this man page.
.SS TABLES
There is only one ARP table in the Linux
kernel.  The table is
.BR filter.
You can drop the '-t filter' argument to the arptables command.
The -t argument must be the
first argument on the arptables command line, if used.
.TP
.B "-t, --table"
.br
.BR filter ,
is the only table and contains two built-in chains:
.B INPUT 
(for frames destined for the host) and
.B OUTPUT 
(for locally-generated frames).
.br
.br
.SH ARPTABLES COMMAND LINE ARGUMENTS
After the initial arptables command line argument, the remaining
arguments can be divided into several different groups.  These groups
are commands, miscellaneous commands, rule-specifications, match-extensions,
and watcher-extensions.
.SS COMMANDS
The arptables command arguments specify the actions to perform on the table
defined with the -t argument.  If you do not use the -t argument to name
a table, the commands apply to the default filter table.
With the exception of the
.B "-Z"
command, only one command may be used on the command line at a time.
.TP
.B "-A, --append"
Append a rule to the end of the selected chain.
.TP
.B "-D, --delete"
Delete the specified rule from the selected chain. There are two ways to
use this command. The first is by specifying an interval of rule numbers
to delete, syntax: start_nr[:end_nr]. Using negative numbers is allowed, for more
details about using negative numbers, see the -I command. The second usage is by
specifying the complete rule as it would have been specified when it was added.
.TP
.B "-I, --insert"
Insert the specified rule into the selected chain at the specified rule number.
If the current number of rules equals N, then the specified number can be
between -N and N+1. For a positive number i, it holds that i and i-N-1 specify the
same place in the chain where the rule should be inserted. The number 0 specifies
the place past the last rule in the chain and using this number is therefore
equivalent with using the -A command.
.TP
.B "-R, --replace"
Replaces the specified rule into the selected chain at the specified rule number.
If the current number of rules equals N, then the specified number can be
between 1 and N. i specifies the place in the chain where the rule should be replaced.
.TP
.B "-P, --policy"
Set the policy for the chain to the given target. The policy can be
.BR ACCEPT ", " DROP " or " RETURN .
.TP
.B "-F, --flush"
Flush the selected chain. If no chain is selected, then every chain will be
flushed. Flushing the chain does not change the policy of the
chain, however.
.TP
.B "-Z, --zero"
Set the counters of the selected chain to zero. If no chain is selected, all the counters
are set to zero. The
.B "-Z"
command can be used in conjunction with the 
.B "-L"
command.
When both the
.B "-Z"
and
.B "-L"
commands are used together in this way, the rule counters are printed on the screen
before they are set to zero.
.TP
.B "-L, --list"
List all rules in the selected chain. If no chain is selected, all chains
are listed.
.TP
.B "-N, --new-chain"
Create a new user-defined chain with the given name. The number of
user-defined chains is unlimited. A user-defined chain name has maximum
length of 31 characters.
.TP
.B "-X, --delete-chain"
Delete the specified user-defined chain. There must be no remaining references
to the specified chain, otherwise
.B arptables
will refuse to delete it. If no chain is specified, all user-defined
chains that aren't referenced will be removed.
.TP
.B "-E, --rename-chain"
Rename the specified chain to a new name.  Besides renaming a user-defined
chain, you may rename a standard chain name to a name that suits your
taste. For example, if you like PREBRIDGING more than PREROUTING,
then you can use the -E command to rename the PREROUTING chain. If you do
rename one of the standard
.B arptables
chain names, please be sure to mention
this fact should you post a question on the
.B arptables
mailing lists.
It would be wise to use the standard name in your post. Renaming a standard
.B arptables
chain in this fashion has no effect on the structure or function
of the
.B arptables
kernel table.

.SS MISCELLANOUS COMMANDS
.TP
.B "-V, --version"
Show the version of the arptables userspace program.
.TP
.B "-h, --help"
Give a brief description of the command syntax.
.TP
.BR "-j, --jump " "\fItarget\fP"
The target of the rule. This is one of the following values:
.BR ACCEPT ,
.BR DROP ,
.BR CONTINUE ,
.BR RETURN ,
a target extension (see
.BR "TARGET EXTENSIONS" ")"
or a user-defined chain name.
.TP
.BI "-c, --set-counters " "PKTS BYTES"
This enables the administrator to initialize the packet and byte
counters of a rule (during
.B INSERT,
.B APPEND,
.B REPLACE
operations).

.SS RULE-SPECIFICATIONS
The following command line arguments make up a rule specification (as used 
in the add and delete commands). A "!" option before the specification 
inverts the test for that specification. Apart from these standard rule 
specifications there are some other command line arguments of interest.
.TP
.BR "-s, --source-ip " "[!] \fIaddress\fP[/\fImask]\fP"
The Source IP specification.
.TP 
.BR "-d, --destination-ip " "[!] \fIaddress\fP[/\fImask]\fP"
The Destination IP specification.
.TP 
.BR "--source-mac " "[!] \fIaddress\fP[/\fImask\fP]"
The source mac address. Both mask and address are written as 6 hexadecimal
numbers separated by colons.
.TP
.BR "--destination-mac " "[!] \fIaddress\fP[/\fImask\fP]"
The destination mac address. Both mask and address are written as 6 hexadecimal
numbers separated by colons.
.TP 
.BR "-i, --in-interface " "[!] \fIname\fP"
The interface via which a frame is received (for the
.B INPUT
chain). The flag
.B --in-if
is an alias for this option.
.TP
.BR "-o, --out-interface " "[!] \fIname\fP"
The interface via which a frame is going to be sent (for the
.B OUTPUT
chain). The flag
.B --out-if
is an alias for this option.
.TP
.BR "-l, --h-length " "\fIlength\fP[/\fImask\fP]"
The hardware length (nr of bytes)
.TP
.BR "--opcode " "\fIcode\fP[/\fImask\fP]
The operation code (2 bytes). Available values are:
.BR 1 = Request
.BR 2 = Reply
.BR 3 = Request_Reverse
.BR 4 = Reply_Reverse
.BR 5 = DRARP_Request
.BR 6 = DRARP_Reply
.BR 7 = DRARP_Error
.BR 8 = InARP_Request
.BR 9 = ARP_NAK .
.TP
.BR "--h-type " "\fItype\fP[/\fImask\fP]"
The hardware type (2 bytes, hexadecimal). Available values are:
.BR 1 = Ethernet .
.TP
.BR "--proto-type " "\fItype\fP[/\fImask\fP]"
The protocol type (2 bytes). Available values are:
.BR 0x800 = IPv4 .

.SS TARGET-EXTENSIONS
.B arptables
extensions are precompiled into the userspace tool. So there is no need
to explicitly load them with a -m option like in
.BR iptables .
However, these
extensions deal with functionality supported by supplemental kernel modules.
.SS mangle
.TP
.BR "--mangle-ip-s IP address"
Mangles Source IP Address to given value.
.TP
.BR "--mangle-ip-d IP address"
Mangles Destination IP Address to given value.
.TP
.BR "--mangle-mac-s MAC address"
Mangles Source MAC Address to given value.
.TP
.BR "--mangle-mac-d MAC address"
Mangles Destination MAC Address to given value.
.TP
.BR "--mangle-target target "
Target of ARP mangle operation
.BR "" ( DROP ", " CONTINUE " or " ACCEPT " -- default is " ACCEPT ).
.SS CLASSIFY
This  module  allows you to set the skb->priority value (and thus clas-
sify the packet into a specific CBQ class).

.TP
.BR "--set-class major:minor"

Set the major and minor  class  value.  The  values  are  always
interpreted as hexadecimal even if no 0x prefix is given.

.SS MARK
This  module  allows you to set the skb->mark value (and thus classify
the packet by the mark in u32)

.TP
.BR "--set-mark mark"
Set the mark value. The  values  are  always
interpreted as hexadecimal even if no 0x prefix is given

.TP
.BR "--and-mark mark"
Binary AND the mark with bits.

.TP
.BR "--or-mark mark"
Binary OR the mark with bits.

.SH NOTES
In this nft-based version of
.BR arptables ,
support for
.B FORWARD
chain has not been implemented. Since ARP packets are "forwarded" only by Linux
bridges, the same may be achieved using
.B FORWARD
chain in
.BR ebtables .

.SH MAILINGLISTS
.BR "" "See " http://netfilter.org/mailinglists.html
.SH SEE ALSO
.BR xtables-nft "(8), " iptables "(8), " ebtables "(8), " ip (8)
.PP
.BR "" "See " https://wiki.nftables.org