add support for conntrack helpers

[vchepkov]

Some internet protocols use multiple ports that are negotiated between endpoints during the initial connection.
The ct helper tells conntrack to expect packets to these ports; when such packets arrive conntrack assigns them related status.

Conntrack provides the following helpers:
FTP
TFTP
NetBIOS
IRC
SIP
H.323
SNMP
PPTP
SANE
Amanda

Currently, there is no mechanism to define conntrack in the module, since it is defined in table itself and not in a chain

Consider adding ftp support, as an example

table inet stateful_ftp {

    # 1. ct helper stateful object
    #   "ftp-standard" is the name of this ct helper stateful object.
    #   "ftp" is the in-kernel name of the ct helper for ftp.
    ct helper ftp-standard {
        type "ftp" protocol tcp;
    }
    
    chain PRE {
        type filter hook prerouting priority filter;

        # 2. Rule for initial ftp connection (control channel), specifying ct helper stateful object to use.
        #    NOTE "ftp-standard" is the name of the ct helper stateful object.
        tcp dport 21 ct helper set "ftp-standard"
    }
    
    # Example (partial) input filter base chain.
    #   NOTE default policy drop - we have to explicitly accept all allowed packets.
    chain IN {
        type filter hook input priority filter; policy drop;

        # 3a. Rule for ftp control channel.
        #     NOTE conntrack works here without needing helper.
        tcp dport 21 ct state new,established accept

        # 3b. Rule for related packets on ftp data channel.
        #     NOTE in-kernel ct helper name "ftp" is used here;
        #          trying to use ct helper stateful object name "ftp-standard" will NOT work.
        ct helper "ftp" accept        
    }
}

[vchepkov]

cc: @traylenator per slack discussion with @bastelfreak

[vchepkov]

Submitted #208