Today I got Xen live-migration and firewalls working at work. It was quite a battle. The end result seems to be that if the dom0 of physical machine is running Xen v. 3.0.2-2, the following iptables modules must NOT be loaded into the kernel, or our domU’s wouldn’t mount their root NFS filesystem:
iptable_nat ipt_REDIRECT xt_state
But now everything seems to work. Very nice.