More kmods for kubelet

kernel-extra.config

@@ -146,9 +146,12 @@ CONFIG_NF_NAT=y
 CONFIG_NF_TABLES=y
 # nftables framework. Modern Linux packet filtering backend.
 
-CONFIG_NFT_CT=m
+CONFIG_NFT_CT=y
 # nftables conntrack expressions.
 
+CONFIG_NFT_COUNTER=y
+# nftables packet/byte counters
+
 CONFIG_NFT_CHAIN_NAT=y
 # nftables NAT chain support.
 
@@ -161,50 +164,89 @@ CONFIG_NFT_REDIR=y
 CONFIG_NFT_NAT=y
 # nftables NAT support.
 
-CONFIG_NF_NAT_IPV4=m
+CONFIG_NF_NAT_IPV4=y
 # IPv4 NAT helper support. Some kernels still expose this separately.
 
-CONFIG_NF_NAT_IPV6=m
+CONFIG_NF_NAT_IPV6=y
 # IPv6 NAT helper support.
 
-CONFIG_IP_NF_IPTABLES=m
+CONFIG_NF_CT_NETLINK=y
+# userspace netlink access to the conntrack table; kube-proxy uses this for conntrack listing/cleanup
+
+CONFIG_NF_CT_NETLINK_TIMEOUT=y
+# userspace netlink support for conntrack timeout objects
+
+CONFIG_NF_CT_NETLINK_HELPER=y
+# userspace netlink support for conntrack helper objects
+
+CONFIG_IP_NF_IPTABLES=y
 # iptables compatibility for IPv4. Still useful because lots of CNI/plugin code
 # still expects iptables even on nft-backed systems.
 
-CONFIG_IP_NF_NAT=m
+CONFIG_IP_NF_NAT=y
 # IPv4 NAT support for iptables compatibility.
 
-CONFIG_IP6_NF_IPTABLES=m
+CONFIG_IP6_NF_IPTABLES=y
 # ip6tables compatibility.
 
+CONFIG_IP6_NF_FILTER=y
+# IPv6 "filter" table (same as above but for IPv6)
+
+CONFIG_NF_REJECT_IPV4=y
+# core IPv4 reject logic used by netfilter/iptables/nftables
+
+CONFIG_NFT_REJECT=y
+# nftables equivalent of REJECT (needed for nf_tables backend compatibility)
+
+CONFIG_IP_NF_FILTER=y
+# IPv4 "filter" table (INPUT/FORWARD/OUTPUT chains for iptables)
+
+CONFIG_IP_NF_TARGET_REJECT=y
+# IPv4-specific REJECT target for legacy iptables
+
+CONFIG_IP6_NF_TARGET_REJECT=y
+# IPv6-specific REJECT target for legacy iptables
+
 CONFIG_IP_SET=m
 # IP sets. Useful for some network policies / firewalling toolchains.
 
-CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
+CONFIG_NETFILTER_NETLINK_ACCT=y
+# netfilter accounting subsystem used for nfacct-based kube-proxy metrics
+
+CONFIG_NETFILTER_XT_MATCH_NFACCT=y
+# iptables nfacct match that hooks rules into the netfilter accounting subsystem
+
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
 # xtables match for address types. Often used in iptables rules.
 
-CONFIG_NETFILTER_XT_MATCH_COMMENT=m
+CONFIG_NETFILTER_XT_TARGET_REJECT=y
+# iptables REJECT target (actively reject packets instead of silently dropping)
+
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
 # Allows comments in iptables rules. Not critical, but harmless and useful.
 
-CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
 # xtables conntrack matching.
 
-CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+# iptables "statistic" match used for probabilistic packet matching / load balancing
+
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
 # Match multiple ports in one rule.
 
-CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
 # Useful for TCP MSS clamping in some network paths.
 
-CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
+CONFIG_NETFILTER_XT_TARGET_MASQUERADE=y
 # iptables MASQUERADE target. Very commonly needed for pod outbound NAT.
 
-CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
 # Redirect target.
 
-CONFIG_NETFILTER_XT_TARGET_MARK=m
+CONFIG_NETFILTER_XT_TARGET_MARK=y
 # Packet marking support. Useful for advanced networking/routing rules.
 
-CONFIG_NETFILTER_XT_TARGET_CT=m
+CONFIG_NETFILTER_XT_TARGET_CT=y
 # Connection tracking target for xtables.
 
 # Optional. Good only if you know you need transparent proxying.
@@ -230,7 +272,7 @@ CONFIG_BRIDGE_NETFILTER=y
 # Optional / version-dependent:
 # Some kernels expose additional ebtables/bridge netfilter pieces separately.
 # Keep this if your kernel has it, but don't panic if it doesn't.
-CONFIG_BRIDGE_NF_EBTABLES=m
+CONFIG_BRIDGE_NF_EBTABLES=y
 # Bridge filtering via ebtables compatibility. Sometimes useful, not always critical.