Nftables Families

Description

Netfilter enables filtering at multiple networking levels. With iptables there is a separate tool for each level: iptables, ip6tables, arptables, ebtables. With nftables the multiple networking levels are abstracted into families, all of which are served by the single tool nft. ipTables of this family see IPv4 traffic/packets. ip6Tables of this family see IPv6 traffic/packets. inetTables of this family see both IPv4 and IPv6 traffic/packets, simplifying dual stack support. arpTables of this family see ARP-level (i.e, L2) traffic, before any L3 handling is done by the kernel. bridgeTables of this family see traffic/packets traversing bridges (i.e. switching). No assumptions are made about L3 protocols. netdevThe netdev family is different from the others in that it is used to create base chains attached to a single network interface. Such base chains see all network traffic on the specified interface, with no assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here.