ARP Server (legitimately answer ARP requests for hosts that might be unable to)

arp-reply.py

#!/usr/bin/python3

import sys
from scapy.all import send, ARP, conf

s = conf.L3socket(promisc=False)

for line in sys.stdin:
	p = line.strip().split(' ')
	
	# Whom the ARP concerned
	host_ip = p[0]
	host_mac = p[1]
	
	# Sent the ARP request
	source_ip = p[2]
	source_mac = p[3]
	
	print("ARP Reply to (%s, %s), %s is-at %s"
		% (source_ip, source_mac, host_ip, host_mac))
	
	s.send(ARP(op=ARP.is_at, psrc=host_ip, hwsrc=host_mac,
		pdst=source_ip, hwdst=source_mac))

arp-server.service

[Unit]
Description=ARP Server
After=network.target

StartLimitIntervalSec=60
StartLimitBurst=5

[Service]
Type=simple

Environment="PYTHONUNBUFFERED=1"
ExecStart=/config/scripts/arp/arp-server.sh

Restart=on-failure
RestartSec=1

[Install]
WantedBy=multi-user.target

arp-server.sh

#!/bin/bash

set -e

declare -A ip_mac

# Answer ARP requests for <addr> with <mac>
ip_mac[<IP ADDRESS 1>]=<MAC ADDRESS 1>
ip_mac[<IP ADDRESS 2>]=<MAC ADDRESS 2>

# Ignore requests from these addresses
blacklist=(<IP ADDRESS 3> <IP ADDRESS 4>)

# ----------------

if [ ! "$INTERFACE" ]; then
	export INTERFACE="switch0"
fi

# SCRIPT_DIR="$(dirname $(realpath "$0"))"
# ARP_REPLY="$SCRIPT_DIR/arp-reply.py"

ARP_REPLY="/config/scripts/arp/arp-reply.py"

# ----------------

if [ $EUID != 0 ]; then
   echo "Please run as root"
   exit 1
fi

dl="dst $(sed 's/ / or dst /g' <<< "${!ip_mac[@]}")"
sl="src $(sed 's/ / or src /g' <<< "${blacklist[@]}")"

tcpdump -etln -i "$INTERFACE" "arp and (arp[6:2] = 1) and ($dl) and not ($sl)" \
| while read -r req; do
	target_ip=$(awk '{print $11}' <<< $req)
	source_ip=$(awk '{print substr($13, 0, length($13)-1)}' <<< $req)
	source_mac=$(awk '{print $1}' <<< $req)
	
	echo "$target_ip" "${ip_mac[$target_ip]}" "$source_ip" "$source_mac"
done | "$ARP_REPLY"