Back porting xt_cgroup to the Ubuntu Precise kernel. This is confusing. Started out with this: netfilter: xtables: lightweight process control group matching http://lwn.net/Articles/569678/ http://patchwork.ozlabs.org/patch/280690/ But those refer to a cgroup by "fwid" and the use of a net_filter cgroup extension. But that's not what we ended up with. We had a net_cls cgroup extension. http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/patch/net/netfilter/xt_cgroup.c?id=82a37132f300ea53bdcd812917af5a6329ec80c3 Other References: http://askubuntu.com/questions/515407/how-recipe-to-build-only-one-kernel-module I started with that patch, applied it once, then ran a diff -ruN on the source to get a clean patch. I removed the uapi directory in the path to the source. Also, there is an iptables patch for the xt_cgroup frontend. This is built separately. See our iptables git repo for this build of the user space tools. https://git.netfilter.org/iptables/commit/?id=6465867eb48506687872b838b1ddfee61d1a0aeb git.gsc.wustl.edu/srv/git/vendor/iptables.git Ensure we're running the right kernel as our target host, in this case the kernel on data-xfer-i2 (i2dp). root@data-xfer-i2:~# uname -r 3.2.0-67-generic So in our build environment set it up: apt-get install linux-image-3.2.0-67-generic=3.2.0-67.101 from this git repository's dir: sudo apt-get install linux-headers-$( uname -r ) apt-get source linux-source-3.2.0 cd linux-3.2.0/ patch -p1 < ../xt_cgroup.patch cp /usr/src/linux-headers-$( uname -r )/Module.symvers . make oldconfig # Press 'm': "control group" match support (NETFILTER_XT_MATCH_CGROUP) [N/m/?] (NEW) m # Answer No for the rest of the new stuff. make prepare make modules_prepare make M=net/netfilter xt_cgroup.ko sudo cp ./net/netfilter/xt_cgroup.ko /lib/modules/3.2.0-67-generic/extra/ sudo depmod sudo modprobe xt_cgroup cd .. dpkg-buildpackage -uc -us -b