authorArturo Borrero Gonzalez <arturo@netfilter.org>2018-02-25 18:36:16 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-02-25 19:50:23 +0100
commita57299feee1dcdb98df79b91b1822149bd337311 (patch)
tree3167b8340136ced49152236f756ccd8b24c7312f /files/examples/ct_helpers.nft
parent6c9230e79339ca4fd662855c84529fa92e962ca5 (diff)
examples: add ct helper examples
Include some examples in the nftables tarball on using the ct helper infrastructure, inspired from wiki.nftables.org. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'files/examples/ct_helpers.nft')
-rwxr-xr-xfiles/examples/ct_helpers.nft43
1 files changed, 43 insertions, 0 deletions
diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft
new file mode 100755
index 00000000..07ebb2a2
--- /dev/null
+++ b/files/examples/ct_helpers.nft
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+# This example file shows how to use ct helpers in the nftables framework.
+# Note that nftables includes interesting improvements compared to how this
+# was done with iptables, such as loading multiple helpers with a single rule
+# This script is meant to be loaded with `nft -f <file>`
+# You require linux kernel >= 4.12 and nft >= 0.8
+# For up-to-date information please visit https://wiki.nftables.org
+
+# Using ct helpers is an important security feature when doing stateful
+# firewalling, since it mitigate certain networking attacks.
+# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/
+
+
+flush ruleset
+table inet filter {
+ # declare helpers of this table
+ ct helper ftp-standard {
+ type "ftp" protocol tcp;
+ l3proto inet
+ }
+ ct helper sip-5060 {
+ type "sip" protocol udp;
+ l3proto inet
+ }
+ ct helper tftp-69 {
+ type "tftp" protocol udp
+ l3proto inet
+ }
+
+ chain input {
+ type filter hook input priority 0; policy drop;
+ ct state established,related accept
+
+ # assign a single helper in a single rule
+ tcp dport 21 ct helper set "ftp-standard"
+
+ # assign multiple helpers in a single rule
+ ct helper set udp dport map {
+ 69 : "tftp-69", \
+ 5060 : "sip-5060" }
+ }
+}
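Review bot: The blanket `ct state established,related accept` opening chain input accepts expectations created by any helper, which is the exposure the regit article this file links to recommends narrowing, and since the example is built around helpers it would be more instructive as `ct state established accept` followed by a helper-qualified rule such as `ct state related ct helper "ftp" accept` (the match value appears to be the helper type rather than the object name, so verify against nft(8) before adopting). The tftp-69 object omits the `;` that ftp-standard and sip-5060 carry after `protocol`; the newline makes it optional, but one form should be used throughout the three declarations. The header comment's "since it mitigate certain networking attacks" should read "since they mitigate certain networking attacks".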