From 50172d86762c81652ca1b41e2ce45ceff10469c8 Mon Sep 17 00:00:00 2001
From: Kevin Wang <6442159+kvinwang@users.noreply.github.com>
Date: Tue, 17 Mar 2026 01:28:40 +0000
Subject: [PATCH] Add xt_comment, nf_tables and other iptables kernel modules for k3s support

Enable iptables comment match and nftables in the kernel config, and include the corresponding module packages in all rootfs images. These modules are required by Kubernetes kube-proxy (iptables mode) and modern iptables-nft backend. Without xt_comment, kube-proxy cannot create ClusterIP routing rules, breaking all pod networking.
---
 .../images/dstack-rootfs-base.inc | 20 +++++++++++++++++++
 .../linux/files/dstack-docker.cfg | 15 ++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/meta-dstack/recipes-core/images/dstack-rootfs-base.inc b/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
index 8998252..a799eaf 100644
--- a/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
+++ b/meta-dstack/recipes-core/images/dstack-rootfs-base.inc
@@ -26,6 +26,26 @@ IMAGE_INSTALL = "\
 kernel-module-br-netfilter \
 kernel-module-xt-mark \
 kernel-module-xt-connmark \
+ kernel-module-xt-comment \
+ kernel-module-xt-multiport \
+ kernel-module-xt-statistic \
+ kernel-module-xt-redirect \
+ kernel-module-xt-tcpmss \
+ kernel-module-xt-ct \
+ kernel-module-xt-log \
+ kernel-module-xt-limit \
+ kernel-module-nf-tables \
+ kernel-module-nft-compat \
+ kernel-module-nft-nat \
+ kernel-module-nft-chain-nat \
+ kernel-module-nft-masq \
+ kernel-module-nft-redir \
+ kernel-module-nft-ct \
+ kernel-module-nft-log \
+ kernel-module-nft-limit \
+ kernel-module-nft-reject \
+ kernel-module-nft-reject-inet \
+ kernel-module-nft-hash \
 fuse3 \
 fuse3-utils \
 pigz \
diff --git a/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg b/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
index 64a2bef..015be74 100644
--- a/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
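Review bot: The image now installs kernel-module-xt-comment, -xt-multiport, -xt-statistic, -xt-redirect, -xt-tcpmss, -xt-ct, -xt-log, -xt-limit and -nft-chain-nat, but the kernel config hunk for dstack-docker.cfg (the second hunk of this patch) adds no CONFIG_NETFILTER_XT_MATCH_*/CONFIG_NETFILTER_XT_TARGET_* symbols for them, even though the commit message says the comment match is enabled in the kernel config. If those options are not already set in another config fragment or the defconfig, the kernel recipe will not produce these packages and the image build fails on the missing kernel-module-* RPROVIDES; if they are set elsewhere, a one-line comment above the new entries naming that fragment would make the dependency visible, e.g. `# xt_* / nft_* options are enabled in recipes-kernel/linux/files/<fragment>.cfg`. The kernel-module-nft-chain-nat entry has no matching CONFIG_NFT_* line either; presumably that module is built from the NAT/nf_tables options already enabled, but that is worth confirming against the kernel version in use. The IMAGE_INSTALL assignment this hunk edits starts before the hunk.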
+++ b/meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg
@@ -1,6 +1,21 @@
 CONFIG_BRIDGE=m
 CONFIG_BRIDGE_NETFILTER=m
 CONFIG_NETFILTER_XT_MATCH_IPVS=m
+
+# nf_tables support (needed by modern iptables-nft backend)
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=y
+CONFIG_NF_TABLES_NETDEV=y
+CONFIG_NFT_COMPAT=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_LOG=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_HASH=m
 CONFIG_BPF_SYSCALL=y
 CONFIG_IP_VS=m
 CONFIG_SECCOMP=y
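Review bot: Enabling CONFIG_NFT_COMPAT alongside the existing xtables options means the image can carry rules in both the legacy iptables backend and the nft backend at the same time, and rules added through one are invisible to `iptables -L` of the other; kube-proxy auto-detects a backend, so the image's userspace iptables should be pinned to one variant (legacy or nft) and that choice recorded in this fragment, otherwise a packet could match a rule set the operator never inspected. The header comment only names the iptables-nft backend; since the commit message motivates these options with kube-proxy and k3s, I would extend it to `# nf_tables support: iptables-nft backend and kube-proxy (k3s); NF_TABLES_INET/NETDEV are bool-only, hence =y`, so the y/m split does not look accidental. CONFIG_NFT_NAT and CONFIG_NFT_CT depend on NF_NAT and NF_CONNTRACK, which this hunk does not set; presumably they are already enabled for the existing xt_connmark/br_netfilter modules, but that is inferred rather than visible here.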