diff --git a/patches/lede/0051-ebtables-Use-flock-for-concurrent-option.patch b/patches/lede/0051-ebtables-Use-flock-for-concurrent-option.patch
new file mode 100644
index 00000000..e95dd2ff
--- /dev/null
+++ b/patches/lede/0051-ebtables-Use-flock-for-concurrent-option.patch
@@ -0,0 +1,146 @@
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 20 Dec 2017 16:55:17 +0100
+Subject: ebtables: Use flock() for --concurrent option
+
+The previous locking mechanism was not atomic, hence it was possible
+that a killed ebtables process would leave the lock file in place which
+in turn made future ebtables processes wait indefinitely for the lock to
+become free.
+
+Fix this by using flock(). This also simplifies code quite a bit because
+there is no need for a custom signal handler or an __exit routine
+anymore.
+
+diff --git a/package/network/utils/ebtables/patches/300-fix-concurrent.patch b/package/network/utils/ebtables/patches/300-fix-concurrent.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..1a99162bf51cd175e26d49e7ee5277b8b8645f48
+--- /dev/null
++++ b/package/network/utils/ebtables/patches/300-fix-concurrent.patch
+@@ -0,0 +1,127 @@
++From 6a826591878db3fa9e2a94b87a3d5edd8e0fc442 Mon Sep 17 00:00:00 2001
++From: Phil Sutter <phil@nwl.cc>
++Date: Fri, 6 Oct 2017 12:48:50 +0200
++Subject: Use flock() for --concurrent option
++
++The previous locking mechanism was not atomic, hence it was possible
++that a killed ebtables process would leave the lock file in place which
++in turn made future ebtables processes wait indefinitely for the lock to
++become free.
++
++Fix this by using flock(). This also simplifies code quite a bit because
++there is no need for a custom signal handler or an __exit routine
++anymore.
++
++Signed-off-by: Phil Sutter <phil@nwl.cc>
++Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
++
++Origin: upstream, https://git.netfilter.org/ebtables/commit/?id=6a826591878db3fa9e2a94b87a3d5edd8e0fc442
++---
++ ebtables.c |  8 --------
++ libebtc.c  | 49 +++++--------------------------------------------
++ 2 files changed, 5 insertions(+), 52 deletions(-)
++
++diff --git a/ebtables.c b/ebtables.c
++index 62f1ba8..f7dfccf 100644
++--- a/ebtables.c
+++++ b/ebtables.c
++@@ -528,12 +528,6 @@ void ebt_early_init_once()
++ 	ebt_iterate_targets(merge_target);
++ }
++ 
++-/* signal handler, installed when the option --concurrent is specified. */
++-static void sighandler(int signum)
++-{
++-	exit(-1);
++-}
++-
++ /* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
++ int do_command(int argc, char *argv[], int exec_style,
++                struct ebt_u_replace *replace_)
++@@ -1047,8 +1041,6 @@ big_iface_length:
++ 			strcpy(replace->filename, optarg);
++ 			break;
++ 		case 13 : /* concurrent */
++-			signal(SIGINT, sighandler);
++-			signal(SIGTERM, sighandler);
++ 			use_lockfd = 1;
++ 			break;
++ 		case 1 :
++diff --git a/libebtc.c b/libebtc.c
++index 74830ec..c0ff8cc 100644
++--- a/libebtc.c
+++++ b/libebtc.c
++@@ -31,6 +31,7 @@
++ #include "include/ethernetdb.h"
++ #include <unistd.h>
++ #include <fcntl.h>
+++#include <sys/file.h>
++ #include <sys/wait.h>
++ #include <sys/stat.h>
++ #include <sys/types.h>
++@@ -137,58 +138,18 @@ void ebt_list_extensions()
++ #define LOCKDIR "/var/lib/ebtables"
++ #define LOCKFILE LOCKDIR"/lock"
++ #endif
++-static int lockfd = -1, locked;
++ int use_lockfd;
++ /* Returns 0 on success, -1 when the file is locked by another process
++  * or -2 on any other error. */
++ static int lock_file()
++ {
++-	int try = 0;
++-	int ret = 0;
++-	sigset_t sigset;
++-
++-tryagain:
++-	/* the SIGINT handler will call unlock_file. To make sure the state
++-	 * of the variable locked is correct, we need to temporarily mask the
++-	 * SIGINT interrupt. */
++-	sigemptyset(&sigset);
++-	sigaddset(&sigset, SIGINT);
++-	sigprocmask(SIG_BLOCK, &sigset, NULL);
++-	lockfd = open(LOCKFILE, O_CREAT | O_EXCL | O_WRONLY, 00600);
++-	if (lockfd < 0) {
++-		if (errno == EEXIST)
++-			ret = -1;
++-		else if (try == 1)
++-			ret = -2;
++-		else {
++-			if (mkdir(LOCKDIR, 00700))
++-				ret = -2;
++-			else {
++-				try = 1;
++-				goto tryagain;
++-			}
++-		}
++-	} else {
++-		close(lockfd);
++-		locked = 1;
++-	}
++-	sigprocmask(SIG_UNBLOCK, &sigset, NULL);
++-	return ret;
++-}
+++	int fd = open(LOCKFILE, O_CREAT, 00600);
++ 
++-void unlock_file()
++-{
++-	if (locked) {
++-		remove(LOCKFILE);
++-		locked = 0;
++-	}
+++	if (fd < 0)
+++		return -2;
+++	return flock(fd, LOCK_EX);
++ }
++ 
++-void __attribute__ ((destructor)) onexit()
++-{
++-	if (use_lockfd)
++-		unlock_file();
++-}
++ /* Get the table from the kernel or from a binary file
++  * init: 1 = ask the kernel for the initial contents of a table, i.e. the
++  *           way it looks when the table is insmod'ed
++-- 
++cgit v1.1
++