feat(config): enable netfilter, bridge, VLAN and VXLAN for container networking

[appcypher]

Summary

• Enable the kernel-side primitives that Linux container runtimes (Docker, Podman, CNI) and Tailscale expect to find in the guest: netfilter core + conntrack, full IPv4/IPv6 iptables (filter/mangle/nat) and nftables (inet + bridge families) with MASQUERADE/REDIRECT/REJECT, ipset, and a focused set of xtables matches and targets.
• Turn on CONFIG_BRIDGE + CONFIG_BRIDGE_NETFILTER so docker0-style bridges can have iptables/nftables rules applied to bridged traffic, plus CONFIG_NF_CONNTRACK_BRIDGE for modern userland-proxy-free port publishing.
• Add L2 overlay/segmentation drivers: CONFIG_VLAN_8021Q (802.1Q tagging) and CONFIG_VXLAN (L2-over-UDP overlay used by Docker Swarm, Flannel, Weave and Cilium).
• Apply the same block identically to all three architecture configs (config-libkrunfw_x86_64, _aarch64, _riscv64) so guest behavior is uniform across builds.

Motivation: the previous configs had CONFIG_NETFILTER is not set, which blocks any container runtime or Tailscale (outside userspace-networking mode) from working inside the guest. Since CONFIG_MODULES is off, every option is built-in (=y) and make olddefconfig resolves any remaining dependencies at build time. The curated scope is intentionally tighter than a full netfilter dump — legacy helpers (FTP/IRC/H323 ALGs), flow offload, SYNPROXY/TPROXY, IPVS, XFRM-backed matches, raw/security tables, and most niche xtables matches are omitted to keep the embedded kernel bundle size increase modest (estimated ~400–700 KB added kernel text baked into the shipped .so/.dylib).

Test Plan

• Native build succeeds on x86_64: make -j"$(nproc)" produces libkrunfw.so.5.2.1 without kconfig errors from make olddefconfig.
• Native build succeeds on aarch64: same command on ubuntu-24.04-arm produces the aarch64 .so.
• Cross-build succeeds for riscv64 via the existing cross-build flow.
• Resulting .so size delta vs. the previous build is within expected range (~400–700 KB of added kernel text).
• Boot a guest with the new kernel via libkrun and confirm the netfilter stack is live: cat /proc/net/nf_conntrack exists, iptables -L -n works (via iptables-nft compat), nft list ruleset works.
• Docker smoke test in the guest: dockerd starts without errors, default docker0 bridge comes up, docker run --rm -p 8080:80 nginx publishes a port (exercises MASQUERADE + bridge-netfilter + conntrack).
• VXLAN smoke test: ip link add vxlan0 type vxlan id 42 dev eth0 dstport 4789 succeeds.
• VLAN smoke test: ip link add link eth0 name eth0.100 type vlan id 100 succeeds.
• Tailscale smoke test (optional): tailscaled in default mode successfully programs ts-input/ts-forward/ts-postrouting chains; tailscale up brings the node online.
• Release workflow produces all four artifacts (libkrunfw-linux-x86_64.so.5.2.1, libkrunfw-linux-aarch64.so.5.2.1, libkrunfw-macos-x86_64.5.dylib, libkrunfw-macos-aarch64.5.dylib) on a test release tag.

[ddelbondio]

Following up on the discussion in superradcompany/microsandbox#598:
These flags are required according to https://github.com/moby/moby/blob/master/contrib/check-config.sh

CONFIG_IP_NF_RAW=y
CONFIG_IP6_NF_RAW=y
CONFIG_NETFILTER_XT_MATCH_IPVS=y
CONFIG_POSIX_MQUEUE=y
CONFIG_NF_CT_NETLINK=y

All other flags I have in my local config are included in the PR already. I very quickly tested the config changes locally and docker seems to run fine.