From a mailing list entry:
Question:
Using nft from nftables, I created some IP filter rules inside a partially virtualized (Linux Vserver, www.linux-vserver.org) machine. Almost all rules are working as desired, but rules that need connection tracking helpers, like ftp and tftp, do not: some IP packets are blocked though they should be allowed. As the same tftp rules - I am sure that I made no mistake - work on a real host, there is probably some requirement for these helpers to work correctly that is not fulfilled inside a Vserver.
Answer:
In recent kernels no default assignment of helpers is done anymore; iptables users need to use the -j CT target, nft users need to add a helper object:

    nft add ct helper inet filter bar '{ type "ftp" protocol tcp; }'
    nft add rule inet filter output tcp dport 21 ct helper set "bar"

The assignment needs to be done in the direction that creates the connections that need the helper.
So for a local host (connecting to a remote server), this needs to be output; for a server (expecting ftp connections), input.
For a gateway it can be in forward, or prerouting and output in case it's needed everywhere (local and forwarded).
Also it makes sense to limit helper assignment to connections that need it (e.g. ip saddr 192.168/16 or somesuch).
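The complete ruleset the answer describes, written as an added example (not code from the original post): ftp and tftp helper objects, assigned on the control connection in the input chain for the server role and in the output chain for the client role, and restricted to an assumed 192.168.0.0/16 network; the table name "filter" and the helper object names are also assumptions.

```nft
# Added example; the 192.168.0.0/16 range, the table and the helper names are assumptions.
table inet filter {
    # One helper object per protocol; the name is what rules refer to.
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }
    ct helper tftp-standard {
        type "tftp" protocol udp
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Accept packets of established flows and of the related flows the
        # helper has learned (ftp data connections, tftp reply traffic).
        ct state established,related accept
        ct state invalid drop
        # Server role: assign the helper on the incoming control connection,
        # limited to the network that actually needs it.
        ip saddr 192.168.0.0/16 tcp dport 21 ct helper set "ftp-standard"
        ip saddr 192.168.0.0/16 udp dport 69 ct helper set "tftp-standard"
        ip saddr 192.168.0.0/16 tcp dport 21 accept
        ip saddr 192.168.0.0/16 udp dport 69 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # Client role: assign the helper on the outgoing control connection,
        # so the data connection coming back is classified as related.
        ip daddr 192.168.0.0/16 tcp dport 21 ct helper set "ftp-standard"
        ip daddr 192.168.0.0/16 udp dport 69 ct helper set "tftp-standard"
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that both helper objects appear; `ct helper set` only has an effect if the matching kernel modules (nf_conntrack_ftp, nf_conntrack_tftp) are available on the host.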
With a later addendum:
As I do not have the required nftables and kernel versions, I reactivated default assignment with

    echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

as described at the bottom of connection tracking meta-information.