On early versions of Linux, I could use ebtables to rewrite the ARP packet using the below command. This ensures that the switch would only see MAC address 00:50:56:96:12:5e, not aa:18:f0:55:79:1e.

```
ebtables -t nat -I POSTROUTING --logical-out br0 --src aa:18:f0:55:79:1e \
  -j snat --to-src 00:50:56:96:12:5e --snat-arp --snat-target ACCEPT
```

I can get close to recreating this with nftables, but it is missing the functionality provided by the `--snat-arp` argument.

```
table bridge filter {
    chain POSTROUTING {
        type filter hook postrouting priority 0; policy accept;
        ether saddr aa:18:f0:55:79:1e ether saddr set 00:50:56:96:12:5e
    }
}
```

My outgoing ARP packet has its source MAC address rewritten successfully, but the "is-at" still points to the original MAC address. How do I alter the outbound ARP response to set "is-at" to point to 00:50:56:96:12:5e?

```
$ tcpdump -enni any arp or icmp
12:39:08.525439 vb-p0 P   ifindex 5 aa:18:f0:55:79:1e ethertype ARP (0x0806), length 48: Reply 10.60.0.67 is-at aa:18:f0:55:79:1e, length 28
12:39:08.525441 ens192 Out ifindex 2 00:50:56:96:12:5e ethertype ARP (0x0806), length 48: Reply 10.60.0.67 is-at aa:18:f0:55:79:1e, length 28
```
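
The capture above shows two different fields: the Ethernet source address and the sender hardware address inside the ARP body, which tcpdump prints as "is-at". The following is an added example, not part of the original post, that builds the reply from the capture and models the rewrite with and without the effect of `--snat-arp`; the destination MAC, the target IP and the helper names are assumptions made for illustration.

```python
import socket
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")   # 28-byte IPv4-over-Ethernet ARP body
ETHERTYPE_ARP = 0x0806
SHA = slice(ETH.size + 8, ETH.size + 14)  # sender hardware address, frame bytes 22..27

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_reply(eth_src, eth_dst, sha, spa, tha, tpa):
    body = ARP.pack(1, 0x0800, 6, 4, 2, mac(sha), socket.inet_aton(spa),
                    mac(tha), socket.inet_aton(tpa))
    return ETH.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + body

def parse(frame):
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, etype = ETH.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    *_, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    # "consistent" is False when the L2 source and the ARP "is-at" disagree
    return {"eth_src": fmt(src), "is_at": fmt(sha),
            "ip": socket.inet_ntoa(spa), "consistent": src == sha}

def snat(frame, old, new, rewrite_arp):
    """Model of the MAC rewrite: always the Ethernet source, and with
    rewrite_arp=True also the ARP sender hardware address."""
    buf = bytearray(frame)
    if bytes(buf[6:12]) != mac(old):
        return frame                      # rule does not match this source
    buf[6:12] = mac(new)
    if rewrite_arp and bytes(buf[12:14]) == b"\x08\x06":
        buf[SHA] = mac(new)
    return bytes(buf)

OLD, NEW = "aa:18:f0:55:79:1e", "00:50:56:96:12:5e"
# Constructed frame: MACs and 10.60.0.67 come from the capture above; the
# destination MAC and target IP are made-up placeholders.
REPLY = build_arp_reply(OLD, "02:00:00:00:00:01", OLD, "10.60.0.67",
                        "02:00:00:00:00:01", "10.60.0.1")

if __name__ == "__main__":
    for label, flag in (("ether saddr only", False), ("with ARP rewrite", True)):
        print(label, parse(snat(REPLY, OLD, NEW, flag)))
```

The first printed case reproduces the second tcpdump line (new Ethernet source, old "is-at"); the second case is the frame the ebtables rule produced.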