There is an ip_queue bug in kernels prior to 2.6.12. It can hang the system when an ACCEPT decision is made on the INPUT chain. DO NOT use a QUEUE target on INPUT with these kernels, or it could freeze your computer. In any case, you should use a recent kernel and NFQUEUE, as explained above in this howto.
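A pre-flight check for the ip_queue caveat above, as an added example (not part of this howto or of the NuFW project): it reads rules in iptables-save format and reports INPUT rules that jump to QUEUE when the kernel release is older than 2.6.12. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag QUEUE rules on INPUT when the kernel predates 2.6.12.

# True (status 0) if kernel release $1, e.g. "2.6.11-1-686", is older than 2.6.12.
kernel_older_than_2_6_12() {
    ver=${1%%[!0-9.]*}            # drop suffixes such as "-1-686" or "-xen"
    old_ifs=$IFS; IFS=.
    set -- $ver                   # split "2.6.11" into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 6 ] && return 0
    [ "$minor" -gt 6 ] && return 1
    [ "$patch" -lt 12 ]
}

# Print the INPUT rules that jump to QUEUE from iptables-save output on stdin.
# NFQUEUE rules and rules on other chains are not reported.
input_queue_rules() {
    awk '$1 == "-A" && $2 == "INPUT" {
        for (i = 3; i < NF; i++)
            if (($i == "-j" || $i == "--jump") && $(i + 1) == "QUEUE") { print; next }
    }'
}

# check_ruleset KERNEL_RELEASE < ruleset
# Status 1 (and a warning on stderr) if the affected combination is present.
check_ruleset() {
    risky=$(input_queue_rules)
    [ -n "$risky" ] || return 0
    kernel_older_than_2_6_12 "$1" || return 0
    printf 'kernel %s: QUEUE on INPUT can hang the system:\n%s\n' "$1" "$risky" >&2
    return 1
}

# Constructed sample ruleset in iptables-save format (not taken from the howto).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j QUEUE
-A FORWARD -p tcp -m state --state NEW -j QUEUE
-A INPUT -p tcp --dport 443 -j NFQUEUE --queue-num 0
COMMIT'

# Demo on the sample; on a real host: iptables-save | check_ruleset "$(uname -r)"
printf '%s\n' "$SAMPLE_RULES" | check_ruleset "2.6.11-1-686" || true
```

A release candidate such as 2.6.12-rc1 is treated as 2.6.12 by this version comparison, so check such kernels by hand.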
NuFW should run seamlessly in virtualized environments. However, it seems that Xen 3.1 does not allow the use of nfnetlink without problems. The following facts were reported (with NuFW 2.2.14, but the NuFW version is not the issue):
Xen 3.1, kernel 2.6.22: BUG, no network traffic when launching the nufw daemon.
Xen 3.2, kernel 2.6.22: BUG, no network traffic when launching the nufw daemon.
Xen 3.2, kernel 2.6.24: everything works.