From 822526f09e91f65081bc780803f23cc0997ff4ab Mon Sep 17 00:00:00 2001
From: Tuomas Tynkkynen <tuomas@tuxera.com>
Date: Wed, 28 Feb 2018 01:08:32 +0200
Subject: [PATCH] kernel config: Enable CGROUP_BPF

Avoids the following warning:

File /.../systemd-journald.service:35 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
---
 pkgs/os-specific/linux/kernel/common-config.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 2fa34341201..5fbd9955c2a 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -134,6 +134,7 @@ with stdenv.lib;
   ''}
   NETFILTER y
   NETFILTER_ADVANCED y
+  CGROUP_BPF? y # Required by systemd per-cgroup firewalling
   IP_ROUTE_VERBOSE y
   IP_MROUTE_MULTIPLE_TABLES y
   IP_VS_PROTO_TCP y
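Review bot: The `?` on the added `CGROUP_BPF? y` line makes the option best-effort, so on a kernel where the symbol is missing or its dependencies are unmet the config still generates cleanly and systemd keeps starting units with `IPAddressDeny=` unenforced, which is the fail-open state quoted in the commit message. As far as I know CGROUP_BPF depends on BPF_SYSCALL in Kconfig, and this hunk does not show whether that is enabled for every kernel version that reaches this line, so it is worth confirming. I would have the comment record the fallback, e.g. `CGROUP_BPF? y # systemd IPAddressAllow=/IPAddressDeny=; optional: where unavailable, units run without IP filtering`. The surrounding config string starts and ends outside the hunk.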