#! nft -f add table ip filter add chain ip filter output { type filter hook output priority 0 ; } # ct: state add rule ip filter output ct state new,established counter # ct: direction original/reply add rule ip filter output ct direction original counter add rule ip filter output ct direction reply counter # ct: status add rule ip filter output ct status expected counter # ct: mark add rule ip filter output ct mark 0 counter # ct: secmark add rule ip filter output ct secmark 0 counter # ct: expiration add rule ip filter output ct expiration 30 counter # ct: helper ftp add rule ip filter output ct helper "ftp" counter