Add ipset and netfilter kernel modules for k3s NetworkPolicy support

kube-router (k3s embedded network policy controller) requires ipset
kernel support to enforce NetworkPolicy rules. Without these modules,
kube-router silently skips starting the network policy controller with:
"Skipping network policy controller start, ipset save failed"

Adds CONFIG_IP_SET and related hash/bitmap type modules, plus
xt_set (iptables set match), xt_physdev, and xt_nflog.

Author: kvinwang

meta-dstack/recipes-core/images/dstack-rootfs-base.inc

@@ -47,6 +47,19 @@ IMAGE_INSTALL = "\
     kernel-module-nft-reject \
     kernel-module-nft-reject-inet \
     kernel-module-nft-hash \
+    kernel-module-ip-set \
+    kernel-module-ip-set-hash-ip \
+    kernel-module-ip-set-hash-net \
+    kernel-module-ip-set-hash-ipport \
+    kernel-module-ip-set-hash-ipportip \
+    kernel-module-ip-set-hash-ipportnet \
+    kernel-module-ip-set-hash-netiface \
+    kernel-module-ip-set-bitmap-ip \
+    kernel-module-ip-set-bitmap-port \
+    kernel-module-ip-set-list-set \
+    kernel-module-xt-set \
+    kernel-module-xt-nflog \
+    kernel-module-xt-physdev \
     fuse3 \
     fuse3-utils \
     pigz \

meta-dstack/recipes-kernel/linux/files/dstack-docker.cfg

@@ -40,6 +40,20 @@ CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
 CONFIG_VXLAN=y
 CONFIG_CGROUP_BPF=y
 
+# ipset support (required by kube-router network policy controller)
+CONFIG_IP_SET=m
+CONFIG_IP_SET_HASH_IP=m
+CONFIG_IP_SET_HASH_NET=m
+CONFIG_IP_SET_HASH_IPPORT=m
+CONFIG_IP_SET_HASH_IPPORTIP=m
+CONFIG_IP_SET_HASH_IPPORTNET=m
+CONFIG_IP_SET_HASH_NETIFACE=m
+CONFIG_IP_SET_BITMAP_IP=m
+CONFIG_IP_SET_BITMAP_PORT=m
+CONFIG_IP_SET_LIST_SET=m
+CONFIG_NETFILTER_XT_SET=m
+CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
+
 # BLK IO throttling support
 CONFIG_BLK_CGROUP=y
 CONFIG_BLK_DEV_THROTTLING=y