From patchwork Sat Feb 24 21:06:33 2018
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 877462
X-Patchwork-Delegate: fw@strlen.de
Subject: [nft PATCH v2 2/3] examples: add ct helper examples
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Sat, 24 Feb 2018 22:06:33 +0100
Message-ID: <151950638675.13955.16352027104331884609.stgit@endurance>
In-Reply-To: <151950636353.13955.12971280407018844575.stgit@endurance>
References: <151950636353.13955.12971280407018844575.stgit@endurance>
User-Agent: StGit/0.18
X-Mailing-List: netfilter-devel@vger.kernel.org

Include some examples in the nftables tarball on using the ct helper
infrastructure, inspired by wiki.nftables.org.

Signed-off-by: Arturo Borrero Gonzalez
---
v2: fix some typos

 files/examples/ct_helpers.nft | 43 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100755 files/examples/ct_helpers.nft

diff --git a/files/examples/ct_helpers.nft b/files/examples/ct_helpers.nft
new file mode 100755
index 0000000..fecdea6
--- /dev/null
+++ b/files/examples/ct_helpers.nft
@@ -0,0 +1,43 @@ +#!/usr/sin/nft -f + +# This example file shows how to use ct helpers in the nftables framework. +# Note that nftables includes interesting improvements compared to how this +# was done with iptables, such as loading multiple helpers with a single rule +# This script is meant to be loaded with `nft -f ` +# You require linux kernel >= 4.12 and nft >= 0.8 +# For up-to-date information please visit https://wiki.nftables.org + +# Using ct helpers is an important security feature when doing stateful +# firewalling, since it mitigate certain networking attacks. +# More info at: https://home.regit.org/netfilter-en/secure-use-of-helpers/ + + +flush ruleset +table inet filter { + # declare helpers of this table + ct helper ftp-standard { + type "ftp" protocol tcp; + l3proto inet + } + ct helper sip-5060 { + type "sip" protocol udp; + l3proto inet + } + ct helper tftp-69 { + type "tftp" protocol udp + l3proto inet + } + + chain input { + type filter hook input priority 0; policy drop; + ct state established,related accept + + # assign a single helper in a single rule + tcp dport 21 ct helper set "ftp-standard" + + # assign multiple helpers in a single rule + ct helper set udp dport map { + 69 : "tftp-69", \ + 5060 : "sip-5060" } + } +}
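Review bot: the shebang on the first line of the hunk, `#!/usr/sin/nft -f`, is a typo for `#!/usr/sbin/nft -f`; since the file is created with mode 100755, executing it directly will fail with a "bad interpreter" error, even though `nft -f` still loads it fine. In the same hunk, the rules in chain input that assign helpers, `tcp dport 21 ct helper set "ftp-standard"` and the `ct helper set udp dport map { ... }` rule, never accept the packet, so under `policy drop` every new FTP, TFTP and SIP connection is still dropped and the helper assignment never takes effect on a live connection; either append `accept` to those rules (or follow them with matching accept rules) or say in the header comment that the file only demonstrates helper assignment and is not a complete working ruleset. Two smaller points: the comment "since it mitigate certain networking attacks" should read "mitigates", and the backslash continuation inside the map is unnecessary, since nft already allows newlines between elements inside braces.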