My suggestion is to add a warning to the ebuild in pkg_postinst, since it's not required to actually patch the kernel but to build the patched kernel. Without CONFIG_NF_CT_ACCT it will fail with

    [...]
    net/netfilter/xt_layer7.c: In function `match':
    net/netfilter/xt_layer7.c:[...]: error: structure has no member named `counters'
    [...]

This results because xt_layer7.c tries to access TOTAL_PACKETS, which is a macro defined in lines 49/50:

    #define TOTAL_PACKETS master_conntrack->counters[IP_CT_DIR_ORIGINAL].packets + \
                          master_conntrack->counters[IP_CT_DIR_REPLY].packets

and this master_conntrack is a nf_conn structure declared in include/net/netfilter/nf_conntrack_core in lines 93 to 152:

    struct nf_conn {
        [...]
    #ifdef CONFIG_NF_CT_ACCT
        /* Accounting Information (same cache line as other written members) */
        struct ip_conntrack_counter counters[IP_CT_DIR_MAX];
    #endif
        [...]
    };

I provided a patched ebuild and the patch itself (most of it copied out of the mtrr_check session of the nvidia ebuilds). Hope to see that in future releases. Thanks ;)
Created attachment 131850: CONFIG_NF_CT_ACCT patch
Created attachment 131852: the ebuild
Thank you for the report, impulze. But actually this is an UPSTREAM bug and should not be worked around in our ebuild. l7-filter-2.17, which I'm going to add to the tree soon, already has this bug fixed: you do not get the NETFILTER_XT_MATCH_LAYER7 option until you enable CONFIG_NF_CT_ACCT:

    Depends on: NET && INET && NETFILTER && NETFILTER_XTABLES && EXPERIMENTAL && (IP_NF_CONNTRACK || NF_CONNTRACK) && NF_CT_ACCT

Added the dependency, so you'll get a notice as soon as l7-filter comes to the tree.
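As an added example (not from the bug report, its attachments, or the Gentoo ebuild), here is a POSIX shell check that evaluates the Kconfig "Depends on:" line quoted in the reply above against a kernel .config. It is the kind of test a pkg_postinst warning for the reported CONFIG_NF_CT_ACCT build failure would perform. The function names and the sample .config contents are constructed for the demonstration and are not taken from any real kernel tree.

```shell
#!/bin/sh
# Added example: check a kernel .config for the NETFILTER_XT_MATCH_LAYER7
# dependency chain. Not code from the ebuild or from l7-filter; function
# names and the sample configs below are constructed for this demo.
set -e

# kconfig_set FILE OPTION
# True when CONFIG_OPTION is built in (=y) or a module (=m) in FILE.
# A "# CONFIG_X is not set" line or a missing line counts as unset.
kconfig_set() {
    grep -q "^CONFIG_$2=[ym]$" "$1"
}

# layer7_deps_missing FILE
# Evaluates: NET && INET && NETFILTER && NETFILTER_XTABLES && EXPERIMENTAL
#            && (IP_NF_CONNTRACK || NF_CONNTRACK) && NF_CT_ACCT
# Prints every unmet option to stderr; returns 0 only if all are met.
layer7_deps_missing() {
    cfg="$1"
    missing=""
    for opt in NET INET NETFILTER NETFILTER_XTABLES EXPERIMENTAL NF_CT_ACCT; do
        kconfig_set "$cfg" "$opt" || missing="$missing $opt"
    done
    # Either conntrack implementation satisfies the parenthesised branch.
    kconfig_set "$cfg" IP_NF_CONNTRACK || kconfig_set "$cfg" NF_CONNTRACK \
        || missing="$missing IP_NF_CONNTRACK|NF_CONNTRACK"
    if [ -n "$missing" ]; then
        echo "xt_layer7 will not build against this kernel; enable:$missing" >&2
        return 1
    fi
    return 0
}

# make_sample_config FILE WITH_ACCT
# Writes a constructed .config fragment; WITH_ACCT=yes sets NF_CT_ACCT,
# anything else leaves it unset the way a default kernel config does.
make_sample_config() {
    {
        echo "CONFIG_NET=y"
        echo "CONFIG_INET=y"
        echo "CONFIG_NETFILTER=y"
        echo "CONFIG_NETFILTER_XTABLES=m"
        echo "CONFIG_EXPERIMENTAL=y"
        echo "CONFIG_NF_CONNTRACK=m"
        if [ "$2" = yes ]; then
            echo "CONFIG_NF_CT_ACCT=y"
        else
            echo "# CONFIG_NF_CT_ACCT is not set"
        fi
    } > "$1"
}

# Demo run over two constructed configs.
tmp=$(mktemp -d)
make_sample_config "$tmp/config-with-acct" yes
make_sample_config "$tmp/config-without-acct" no
layer7_deps_missing "$tmp/config-with-acct" && echo "with NF_CT_ACCT: ok"
layer7_deps_missing "$tmp/config-without-acct" || echo "without NF_CT_ACCT: warn (exit $?)"
rm -rf "$tmp"
```

In an ebuild the same check is normally written with linux-info.eclass (for example CONFIG_CHECK="~NF_CT_ACCT", where the tilde makes it a warning rather than a hard failure) instead of hand-rolled grep, but the evaluation it performs is the one shown here.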