#include "../bridge/br_private.h"
 #endif
 
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+#include <net/netfilter/nf_conntrack.h>
+#endif
+
 #define NFQNL_QMAX_DEFAULT 1024
 
 /* We're using struct nlattr which has 16bit nla_len. Note that nla_len
        return NULL;
 }
 
+static bool nf_ct_drop_unconfirmed(const struct nf_queue_entry *entry)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+       static const unsigned long flags = IPS_CONFIRMED | IPS_DYING;
+       const struct nf_conn *ct = (void *)skb_nfct(entry->skb);
+
+       if (ct && ((ct->status & flags) == IPS_DYING))
+               return true;
+#endif
+       return false;
+}
+
 static int
 __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
                        struct nf_queue_entry *entry)
        }
        spin_lock_bh(&queue->lock);
 
+       if (nf_ct_drop_unconfirmed(entry))
+               goto err_out_free_nskb;
+
        if (queue->queue_total >= queue->queue_maxlen) {
                if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
                        failopen = 1;