feat: add nftables support to guest kernel config

Enable the full nftables stack: tables, chains, NAT/masquerade,
conntrack, match expressions, counters, logging, reject, and the
compat layer so iptables-nft works too.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lightsofapollo

linux/vz-linux.config

@@ -48,6 +48,20 @@ CONFIG_IP_NF_FILTER=y
 CONFIG_IP_NF_NAT=y
 CONFIG_IP_NF_TARGET_MASQUERADE=y
 
+# nftables (modern netfilter replacement — tables, chains, NAT/masquerade,
+# conntrack, match expressions, and compat layer for iptables-nft)
+CONFIG_NF_TABLES=y
+CONFIG_NF_TABLES_INET=y
+CONFIG_NFT_CHAIN_NAT=y
+CONFIG_NFT_MASQ=y
+CONFIG_NFT_NAT=y
+CONFIG_NFT_CT=y
+CONFIG_NFT_META=y
+CONFIG_NFT_COUNTER=y
+CONFIG_NFT_LOG=y
+CONFIG_NFT_REJECT=y
+CONFIG_NFT_COMPAT=y
+
 # Cgroups / namespaces
 CONFIG_NAMESPACES=y
 CONFIG_CGROUPS=y