From: Peter Zijlstra
Subject: [PATCH 21/31] netfilter: NF_QUEUE vs emergency skbs
Patch-mainline: not yet

Avoid memory getting stuck waiting for userspace, drop all emergency packets. This of course requires the regular storage route to not include an NF_QUEUE target ;-)

Signed-off-by: Peter Zijlstra
Signed-off-by: Suresh Jayaraman
---
 net/netfilter/core.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -176,11 +176,14 @@ next_hook:
 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
 ret = 1;
 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
+drop:
 kfree_skb(skb);
 ret = -(verdict >> NF_VERDICT_BITS);
 if (ret == 0)
 ret = -EPERM;
 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
+ if (skb_emergency(skb))
+ goto drop;
 if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
 verdict >> NF_VERDICT_BITS))
 goto next_hook;
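Review bot: The `goto drop` added in the NF_QUEUE branch lands on `ret = -(verdict >> NF_VERDICT_BITS)`, but for a queue verdict those upper bits are the value the same branch passes to nf_queue() as its last argument (apparently the queue number), not an errno. An emergency skb bound for a non-zero queue N would therefore return -N to the caller, and only queue 0 falls through to -EPERM. Resetting the verdict before the jump keeps the return value meaningful: `if (skb_emergency(skb)) { verdict = NF_DROP; goto drop; }`. The label also sits inside the NF_DROP branch with no explanation, so a comment such as `/* emergency skbs must never wait on userspace: drop instead of queueing */` at the new check would tell the next reader why queued traffic can vanish under memory pressure. The enclosing function starts and ends outside the hunk, and skb_emergency() is not defined on this page.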