I'm really fed up with testing iptables on every openvz provider, every reboot, every migration, etc. On an openvz kernel, some modules listed in /proc/net/ip_tables_matches actually do not work, thanks to an awful vz.conf and the shared kernel model.
https://gist.github.com/ko-zu/6c0a2e46f51d34edb1aa
It is a small script to check whether common iptables modules are working or not. Please note that this script will insert new rules into your iptables (and try to remove them afterwards), so run it on a clean guest VM first.
$ wget https://gist.githubusercontent.com/ko-zu/6c0a2e46f51d34edb1aa/raw/4247467728d2fc91b620a368f19061b071e3c8f1/iptcheck.py
$ sudo python iptcheck.py
will list the failed modules. On openvz with a proper conf, it should output only one or two lines, as the string module cannot work with the current openvz kernel. On KVM guests, it should output nothing.
Or, with the -i option, it lists the working modules tested by this script.
$ sudo python iptcheck.py -i
IPv4 LOG target
IPv4 MARK target
IPv4 hashlimit module
IPv4 icmp module
IPv4 length module
IPv4 limit module
IPv4 mark module
IPv4 multiport module
IPv4 recent module
IPv4 state module
IPv4 tcp module
IPv4 ttl module
IPv4 u32 module
IPv4 udp module
IPv6 LOG target
IPv6 MARK target
IPv6 hashlimit module
IPv6 hl module
IPv6 icmpv6 module
IPv6 length module
IPv6 limit module
IPv6 mark module
IPv6 multiport module
IPv6 recent module
IPv6 state module
IPv6 tcp module
IPv6 u32 module
IPv6 udp module
I hope some of the providers here use this script before releasing a modified vz.conf...
edit: tested on CentOS 6.4 and Ubuntu 14.04
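Added example, written for this page and not ko-zu's iptcheck.py (the gist itself is not reproduced here): a small Python probe of the same idea, that a module is only proven usable by actually loading a rule with it, not by its name appearing in /proc/net/ip_tables_matches. To keep the live ruleset untouched it appends each probe rule to a throwaway user chain (the name IPTCHECK_PROBE is an assumption) and flushes and deletes that chain afterwards. The probe table is a constructed subset of the modules listed above plus the string match, and the error strings it classifies are the ones iptables prints when the kernel refuses a match/target or when the userspace extension is missing. Running it for real requires root and the iptables binaries; the runner is a parameter so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Probe iptables match/target modules by appending a rule to a throwaway
chain and reading the result.  Added example, not ko-zu's iptcheck.py."""
import subprocess

CHAIN = "IPTCHECK_PROBE"   # assumed throwaway chain name; never INPUT/OUTPUT

# Constructed probe table: (family, description, rule fragment).  A subset of
# the modules above, plus the 'string' match that the post says fails on openvz.
PROBES = [
    ("IPv4", "state module",  ["-m", "state", "--state", "NEW"]),
    ("IPv4", "limit module",  ["-m", "limit", "--limit", "1/s"]),
    ("IPv4", "string module", ["-m", "string", "--algo", "bm", "--string", "probe"]),
    ("IPv4", "LOG target",    ["-j", "LOG"]),
    ("IPv6", "hl module",     ["-m", "hl", "--hl-eq", "64"]),
    ("IPv6", "state module",  ["-m", "state", "--state", "NEW"]),
]


def binary(family):
    return "iptables" if family == "IPv4" else "ip6tables"


def probe_command(family, fragment):
    """Command that appends one probe rule to the throwaway chain.  Target
    probes carry their own -j; match probes get -j RETURN so the rule is a no-op."""
    argv = [binary(family), "-A", CHAIN] + fragment
    if "-j" not in fragment:
        argv += ["-j", "RETURN"]
    return argv


def classify(returncode, stderr):
    """Map an iptables exit status and stderr to a short verdict."""
    if returncode == 0:
        return "ok"
    if "No chain/target/match by that name" in stderr:
        return "kernel refused"              # listed or not, the module is unusable
    if "Couldn't load" in stderr:
        return "userspace extension missing"
    lines = stderr.strip().splitlines()
    return "error: " + lines[-1] if lines else "error"


def run(argv):
    """Real runner: returns (returncode, stderr).  Needs root and iptables."""
    p = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    _, err = p.communicate()
    return p.returncode, err.decode("utf-8", "replace")


def check_modules(probes=PROBES, runner=run):
    """Create the chain per family, probe each module, then flush and delete
    the chain even if a probe blows up.  Returns {"<family> <desc>": verdict}."""
    results = {}
    for family in sorted({fam for fam, _, _ in probes}):
        rc, err = runner([binary(family), "-N", CHAIN])
        if rc != 0:
            for fam, desc, _ in probes:
                if fam == family:
                    results[fam + " " + desc] = "error: cannot create chain: " + err.strip()
            continue
        try:
            for fam, desc, fragment in probes:
                if fam != family:
                    continue
                rc, err = runner(probe_command(fam, fragment))
                results[fam + " " + desc] = classify(rc, err)
        finally:
            runner([binary(family), "-F", CHAIN])   # drop the probe rules
            runner([binary(family), "-X", CHAIN])   # and the chain itself
    return results


def failures(results):
    return {k: v for k, v in results.items() if v != "ok"}


if __name__ == "__main__":
    import sys
    res = check_modules()
    bad = failures(res)
    if "-i" in sys.argv:                 # like the gist: list what works
        for k in sorted(k for k in res if k not in bad):
            print(k)
    else:                                # default: list what failed, with the reason
        for k in sorted(bad):
            print(k + ": " + bad[k])
```

Because the probe rules live in a chain nothing jumps to, they can never match traffic, so a crash between the append and the cleanup leaves at worst an idle chain to delete by hand with `iptables -F IPTCHECK_PROBE; iptables -X IPTCHECK_PROBE`.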