Add xt_comment, nf_tables and other iptables kernel modules for k3s support

Enable iptables comment match and nftables in the kernel config, and
include the corresponding module packages in all rootfs images.

These modules are required by Kubernetes kube-proxy (iptables mode)
and modern iptables-nft backend. Without xt_comment, kube-proxy cannot
create ClusterIP routing rules, breaking all pod networking.

Author: kvinwang

meta-dstack/recipes-core/images/dstack-rootfs-base.inc

@@ -26,6 +26,26 @@ IMAGE_INSTALL = "\
     kernel-module-br-netfilter \
     kernel-module-xt-mark \
     kernel-module-xt-connmark \
+    kernel-module-xt-comment \
+    kernel-module-xt-multiport \
+    kernel-module-xt-statistic \
+    kernel-module-xt-redirect \
+    kernel-module-xt-tcpmss \
+    kernel-module-xt-ct \
+    kernel-module-xt-log \
+    kernel-module-xt-limit \
+    kernel-module-nf-tables \
+    kernel-module-nft-compat \
+    kernel-module-nft-nat \
+    kernel-module-nft-chain-nat \
+    kernel-module-nft-masq \
+    kernel-module-nft-redir \
+    kernel-module-nft-ct \
+    kernel-module-nft-log \
+    kernel-module-nft-limit \
+    kernel-module-nft-reject \
+    kernel-module-nft-reject-inet \
+    kernel-module-nft-hash \
     fuse3 \
     fuse3-utils \
     pigz \

meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg

@@ -1,6 +1,21 @@
 CONFIG_BRIDGE=m
 CONFIG_BRIDGE_NETFILTER=m
 CONFIG_NETFILTER_XT_MATCH_IPVS=m
+
+# nf_tables support (needed by modern iptables-nft backend)
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_COMPAT=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_LOG=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_HASH=m
 CONFIG_BPF_SYSCALL=y
 CONFIG_IP_VS=m
 CONFIG_SECCOMP=y