# Netfilter modules the firewall's iptables/ipset calls rely on.
#
# Preloaded at boot by systemd-modules-load.service so the daemon never has
# to modprobe them itself, which lets it run without CAP_SYS_MODULE.
#
# On fresh installs the kernel has not autoloaded these yet, so without
# preloading, iptables-restore/ipset fail under NoNewPrivileges: the child
# processes get no privilege to load modules.
#
# Format: one module name per line; lines starting with '#' are comments.
#
# NOTE(review): every module listed here is loaded on every boot whether or
# not the firewall ends up using it. Keep the list limited to the tables and
# set types the daemon actually creates, and update it together with the code
# that issues the iptables/ipset calls.
# NOTE(review): the daemon's unit file is not visible from here. Confirm that
# it really drops CAP_SYS_MODULE (for example through CapabilityBoundingSet=
# or ProtectKernelModules=yes); the preload alone does not restrict module
# loading.

# iptables core and the filter table, IPv4 and IPv6
ip_tables
ip6_tables
iptable_filter
ip6table_filter

# ipset core and the iptables set match/target
ip_set
xt_set

# ipset set types
ip_set_hash_net
ip_set_hash_ip
ip_set_hash_netport
ip_set_bitmap_port