Re: [PATCH nf-next v2 2/2] netfilter: x_tables: fix cgroup's NF_INET_LOCAL_IN sk lookups

On Fri, Mar 27, 2015 at 01:14:08AM +0100, Pablo Neira Ayuso wrote:
> > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> > index 971cd75..044bd22 100644
> > --- a/net/netfilter/Kconfig
> > +++ b/net/netfilter/Kconfig
> > @@ -960,8 +960,13 @@ config NETFILTER_XT_MATCH_BPF
> >  
> >  config NETFILTER_XT_MATCH_CGROUP
> >  	tristate '"control group" match support'
> > +	depends on NETFILTER_XTABLES
> 
> Why this? I think NETFILTER_ADVANCED is sufficient.
> 
> >  	depends on NETFILTER_ADVANCED
> > +	depends on !NF_CONNTRACK || NF_CONNTRACK
> 
> Why conntrack?
> 
> > +	depends on (IPV6 || IPV6=n)
> 
> Do we depend on any ipv6 symbol?
> 
> >  	depends on CGROUPS
> > +	select NF_DEFRAG_IPV4
> > +	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
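Review bot: the two new lines `+	depends on !NF_CONNTRACK || NF_CONNTRACK` and `+	depends on (IPV6 || IPV6=n)` read as tautologies but are the Kconfig tristate idiom that forces the match to be a module whenever NF_CONNTRACK or IPV6 is itself modular; since each of them drew a "why?", the commit message (or a short comment in the Kconfig entry) should state that a built-in cgroup match would otherwise reference symbols from a modular conntrack or ipv6. Two smaller points on the same hunk: `+	depends on NETFILTER_XTABLES` is redundant if this entry already sits under the xtables menu, as the preceding question suggests, and the IPv6 handling is inconsistent, gating the dependency on IPV6 but the `select NF_DEFRAG_IPV6` on IP6_NF_IPTABLES; using one symbol for both, or justifying the difference, would make the intent clearer.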
> 
> No need for defrag either.

Wait, now I see why you need this.

What started as a simple cgroup match extension is turning into a more
complicated thing. And you want to do firewalling with this, which
doesn't work for socket families other than TCP and UDP.