To set the state of iptables modules for backup/restore or live migration, use the prlctl set --netfilter command. If some of the iptables modules allowed for a container are not loaded on the hardware node where that container has been restored or migrated, they will be automatically loaded when that container starts. For example, the command
# prlctl set MyCT --netfilter stateful
will make sure that all modules except NAT-related will be allowed and loaded for the container MyCT (if required) on a hardware node where it has been restored or migrated.
Note
Note: The default setting is stateless, which allows all modules except conntrack and NAT-related.
