Routed VR: accept packets from related and established connections

Author: weizhouapache

systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py

@@ -244,6 +244,8 @@ def add_ip4_chain(self, address_family, table, chain, hook, action):
         CsHelper.execute("nft add chain %s %s %s '{ %s }'" % (address_family, table, chain, chain_policy))
         if hook == "input" or hook == "output":
             CsHelper.execute("nft add rule %s %s %s icmp type { echo-request, echo-reply } accept" % (address_family, table, chain))
+        elif hook == "forward":
+            CsHelper.execute("nft add rule %s %s %s ct state established,related accept" % (address_family, table, chain))
 
     def apply_nft_ipv4_rules(self, rules, type):
         if len(rules) == 0: