fix(modules): strip inline comments in modules.list parser

3bcf2e1 added nft_numgen / nft_hash / nft_limit / nft_log to both module
lists but in a format the inject parser doesn't handle:

  nft_numgen     # numgen random/inc mod N vmap — Service endpoint LB

The parser's only comment skip is `case "$mod" in \#*|"") continue ;;`
which matches lines STARTING with #, not lines with inline #-comments.
So each new line was passed to modprobe verbatim as a single (invalid)
module name, modprobe returned nonzero, and the .ko never made it into
the initramfs. ls'ing the rootfs after the rootfs rebuild confirmed:

  ls .../lib/modules/*/kernel/net/netfilter/ | grep nft_numgen
  <empty>

Two changes:

1. Strip inline comments from the new entries in modules.list and
   modules-arm64.list. Each module name on its own line, matching the
   convention the rest of the file uses.

2. Harden the parser in inject-kubesolo.sh to handle "name # comment"
   regardless. Single-line tweak: `mod="${mod%%#*}"` before the
   continue check. Prevents a future contributor's inline doc from
   silently dropping a module the same way.

After rebuilding the rootfs on the Odroid (no kernel rebuild needed —
this is a rootfs-only change), the four .ko files should appear at
build/rootfs-work/rootfs/lib/modules/*/kernel/net/netfilter/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

build/config/modules-arm64.list

@@ -60,10 +60,12 @@ nft_fib_ipv6
 # Loading these at boot (stage 30) is mandatory because stage 85 sets
 # kernel.modules_disabled=1, which would otherwise block kube-proxy from
 # auto-loading them on first rule install.
-nft_numgen     # numgen random/inc mod N vmap — Service endpoint LB
-nft_hash       # hash — consistent-hash LB for sessionAffinity=ClientIP
-nft_limit      # rate-limit expression
-nft_log        # log expression
+# (Note: list parser only honours full-line "#"-prefixed comments, NOT
+# inline "module # comment". Keep module names on their own line.)
+nft_numgen
+nft_hash
+nft_limit
+nft_log
 
 # Reject targets (used by kube-proxy iptables-restore rules)
 nf_reject_ipv4

build/config/modules.list

@@ -56,10 +56,11 @@ nft_fib_ipv6
 
 # nft expressions used by the Kubernetes 1.34+ nftables kube-proxy backend.
 # Must be loaded at stage 30 because stage 85 sets modules_disabled=1.
-nft_numgen     # numgen random/inc mod N vmap — Service endpoint LB
-nft_hash       # hash — consistent-hash LB for sessionAffinity=ClientIP
-nft_limit      # rate-limit expression
-nft_log        # log expression
+# (Parser ignores full-line "#" comments only — keep module names alone.)
+nft_numgen
+nft_hash
+nft_limit
+nft_log
 
 # Reject targets (used by kube-proxy iptables-restore rules)
 nf_reject_ipv4

build/scripts/inject-kubesolo.sh

@@ -224,9 +224,14 @@ if [ -f "$CUSTOM_VMLINUZ" ] && [ -d "$CUSTOM_MODULES/lib/modules/$KVER" ]; then
     fi
 
     while IFS= read -r mod; do
-        # Skip comments and blank lines
-        case "$mod" in \#*|"") continue ;; esac
-        mod=$(echo "$mod" | xargs)  # trim whitespace
+        # Strip any inline "# comment" tail before further processing —
+        # several entries in the upstream lists started carrying inline
+        # docs and silently broke module loading because modprobe got
+        # passed "name # comment" as the module name.
+        mod="${mod%%#*}"
+        # Skip blank-or-comment-only lines
+        case "$mod" in "") continue ;; esac
+        mod=$(echo "$mod" | xargs)  # trim whitespace + collapse internal
         [ -z "$mod" ] && continue
 
         if [ "$MODPROBE_WORKS" = true ]; then