From 605a7e52f615805fb2f143eba3da010a0e3a65a9 Mon Sep 17 00:00:00 2001
From: Wei Zhou
Date: Wed, 8 Apr 2026 21:25:34 +0200
Subject: [PATCH] Routed VR: accept packets from related and established connections
---
 systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
index 80d64e8f2d92..93d0d0388efe 100755
--- a/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
+++ b/systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
@@ -244,6 +244,8 @@ def add_ip4_chain(self, address_family, table, chain, hook, action):
 CsHelper.execute("nft add chain %s %s %s '{ %s }'" % (address_family, table, chain, chain_policy))
 if hook == "input" or hook == "output":
 CsHelper.execute("nft add rule %s %s %s icmp type { echo-request, echo-reply } accept" % (address_family, table, chain))
+ elif hook == "forward":
+ CsHelper.execute("nft add rule %s %s %s ct state established,related accept" % (address_family, table, chain))
 def apply_nft_ipv4_rules(self, rules, type):
 if len(rules) == 0:
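Review bot: The new `elif hook == "forward":` branch installs `ct state established,related accept` when the chain is created, so it sits ahead of every ACL rule appended to that forward chain later, and nothing in the hunk documents the consequence: a flow already in conntrack keeps being forwarded after the rule that admitted it is removed or a drop rule is added, until the entry expires. I would state that on the branch, e.g. `# Stateful accept goes first: tracked flows stay allowed after a rule change until their conntrack entry expires`, and have the owner of the rule-removal path confirm whether tracked entries need clearing there. `related` also admits whatever expectations the loaded conntrack helpers create, so it is worth confirming that this is intended for routed networks rather than `established` alone. `nft add rule` appends, so if add_ip4_chain can run again on an existing chain this rule (like the icmp one above it) would be duplicated; the start of the function is outside the hunk, so I cannot tell whether that is guarded.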