diff mbox series

[ovs-dev] northd: Don't SNAT reply packets on LBs with lb_force_snat_ip set.

Message ID 20241126110817.583224-1-amusil@redhat.com
State Changes Requested
Headers show
Series [ovs-dev] northd: Don't SNAT reply packets on LBs with lb_force_snat_ip set. | expand

Checks

Context Check Description
ovsrobot/apply-robot success apply and check: success
ovsrobot/github-robot-_Build_and_Test success github build: passed
ovsrobot/github-robot-_ovn-kubernetes fail github build: failed

Commit Message

Ales Musil Nov. 26, 2024, 11:08 a.m. UTC
In case of LB having client as VIP and lb_force_snat_ip being set
to specific IP we would SNAT the reply traffic for the load balancer.
That was caused by premature unDNAT due to the client IP being
LB VIP with combination of match for SNAT that was checking only
the flag "force_snat_for_lb == 1".

Add match to ensure that the reply traffic is not being sent to SNAT.

Reported-at: https://issues.redhat.com/browse/FDP-1009
Signed-off-by: Ales Musil <amusil@redhat.com>
---
 northd/northd.c     |   5 +-
 tests/ovn-northd.at | 268 ++++++++++++++++++++++----------------------
 tests/system-ovn.at |   4 +-
 3 files changed, 140 insertions(+), 137 deletions(-)

Comments

Dumitru Ceara Dec. 11, 2024, 2:44 p.m. UTC | #1
On 11/26/24 12:08 PM, Ales Musil wrote:
> In case of LB having client as VIP and lb_force_snat_ip being set
> to specific IP we would SNAT the reply traffic for the load balancer.
> That was caused by premature unDNAT due to the client IP being
> LB VIP with combination of match for SNAT that was checking only
> the flag "force_snat_for_lb == 1".
> 
> Add match to ensure that the reply traffic is not being sent to SNAT.
> 
> Reported-at: https://issues.redhat.com/browse/FDP-1009
> Signed-off-by: Ales Musil <amusil@redhat.com>
> ---

Hi Ales,

>  northd/northd.c     |   5 +-
>  tests/ovn-northd.at | 268 ++++++++++++++++++++++----------------------
>  tests/system-ovn.at |   4 +-
>  3 files changed, 140 insertions(+), 137 deletions(-)
> 
> diff --git a/northd/northd.c b/northd/northd.c
> index 2aa6c0958..9938c683e 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -16601,7 +16601,7 @@ build_lrouter_nat_defrag_and_lb(
>      if (lr_stateful_rec->has_lb_vip) {
>          ds_clear(match);
>  
> -        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new");
> +        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl");

I think like this we won't unNAT related packets in the reply direction
(e.g., ICMP port unreachable).

Would it be possible to add a test that covers that case too?

Thanks,
Dumitru

>          size_t match_len = match->length;
>  
>          ds_put_cstr(match, " && ct_mark.skip_snat == 1");
> @@ -16626,7 +16626,8 @@ build_lrouter_nat_defrag_and_lb(
>           */
>          ds_clear(match);
>  
> -        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && ct_mark.natted");
> +        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && "
> +                           "ct_mark.natted");
>          match_len = match->length;
>  
>          ds_put_cstr(match, " && ct_mark.skip_snat == 1");
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index e3b7b0cb5..be92a23af 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -4292,12 +4292,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  
> @@ -4323,12 +4323,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -4374,12 +4374,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -4439,12 +4439,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -4489,8 +4489,8 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | ovn_strip_lflows], [0], [dnl
>  
>  AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; skip_snat);)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | ovn_strip_lflows], [0], [dnl
> @@ -5902,12 +5902,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.4:8080);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -5972,12 +5972,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.4:8080);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -6046,12 +6046,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -6109,12 +6109,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -6175,12 +6175,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.10 && tcp && tcp.dst == 9082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -6253,12 +6253,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip6 && ip6.dst == def0::2 && tcp && tcp.dst == 8000), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -6315,12 +6315,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && tcp && tcp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
> @@ -6372,12 +6372,12 @@ check ovn-nbctl --wait=sb sync
>  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  # LB with reject and skip_snat
> @@ -6386,12 +6386,12 @@ check ovn-nbctl --wait=sb set load_balancer lb5 options:skip_snat=true
>  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.skip_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  check ovn-nbctl --wait=sb remove load_balancer lb5 options skip_snat
> @@ -6402,12 +6402,12 @@ check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="route
>  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.force_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  # LB with event=false and reject=false
> @@ -6419,12 +6419,12 @@ check ovn-nbctl --wait=sb lr-lb-add lr0 lb6
>  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(drop;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  # LB with event=false, reject=false and skip_snat
> @@ -6433,12 +6433,12 @@ check ovn-nbctl --wait=sb set load_balancer lb6 options:skip_snat=true
>  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.skip_snat_for_lb = 1; drop;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  check ovn-nbctl remove load_balancer lb6 options skip_snat
> @@ -6449,12 +6449,12 @@ check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="route
>  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
>    table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.force_snat_for_lb = 1; drop;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AT_CLEANUP
> @@ -9438,12 +9438,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_lb_aff_learn ), priority=0    , match=(1), action=(next;)
> @@ -9462,12 +9462,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  check ovn-nbctl remove load_balancer lb0 options skip_snat
> @@ -9483,12 +9483,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_force_snat | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; force_snat);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AS_BOX([Test LR flows - lb_force_snat_ip="172.16.0.1" + skip_snat=true])
> @@ -9503,12 +9503,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_force_skip_snat | ovn_strip_lflows], [0], [
>    table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  AS_BOX([Test LR flows - 2 LBs, lb0 skip_snat=true, lb1 lb_force_snat_ip="172.16.0.1"])
> @@ -9530,12 +9530,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_2lbs | ovn_strip_lflows], [0], [dnl
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.20 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);)
>    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.20 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
>  ])
>  
>  
> diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> index 145399ded..aef732233 100644
> --- a/tests/system-ovn.at
> +++ b/tests/system-ovn.at
> @@ -3068,8 +3068,10 @@ ovn-nbctl lsp-add bob bob16 \
>  -- lsp-set-addresses bob16 "f0:00:06:01:02:06 fd72::4"
>  
>  # Config OVN load-balancer with a VIP.
> +# In addition add client VIP to force premature unDNAT.
>  uuid=`ovn-nbctl  create load_balancer vips:30.0.0.1="192.168.1.2,192.168.2.2" \
> -vips:\"fd30::1\"=\"fd11::2,fd12::2\"`
> +vips:172.16.1.3="192.168.1.2,192.168.2.2" vips:\"fd30::1\"=\"fd11::2,fd12::2\" \
> +vips:\"fd72::3\"=\"fd11::2,fd12::2\"`
>  ovn-nbctl set logical_router R2 load_balancer=$uuid
>  ovn-nbctl set logical_router R3 load_balancer=$uuid
>
Ales Musil Dec. 12, 2024, 9:08 a.m. UTC | #2
On Wed, Dec 11, 2024 at 3:54 PM Dumitru Ceara <dceara@redhat.com> wrote:

> On 11/26/24 12:08 PM, Ales Musil wrote:
> > In case of LB having client as VIP and lb_force_snat_ip being set
> > to specific IP we would SNAT the reply traffic for the load balancer.
> > That was caused by premature unDNAT due to the client IP being
> > LB VIP with combination of match for SNAT that was checking only
> > the flag "force_snat_for_lb == 1".
> >
> > Add match to ensure that the reply traffic is not being sent to SNAT.
> >
> > Reported-at: https://issues.redhat.com/browse/FDP-1009
> > Signed-off-by: Ales Musil <amusil@redhat.com>
> > ---
>
> Hi Ales,
>

Hi Dumitru,

thank you for the review.

>
> >  northd/northd.c     |   5 +-
> >  tests/ovn-northd.at | 268 ++++++++++++++++++++++----------------------
> >  tests/system-ovn.at |   4 +-
> >  3 files changed, 140 insertions(+), 137 deletions(-)
> >
> > diff --git a/northd/northd.c b/northd/northd.c
> > index 2aa6c0958..9938c683e 100644
> > --- a/northd/northd.c
> > +++ b/northd/northd.c
> > @@ -16601,7 +16601,7 @@ build_lrouter_nat_defrag_and_lb(
> >      if (lr_stateful_rec->has_lb_vip) {
> >          ds_clear(match);
> >
> > -        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new");
> > +        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl");
>
> I think like this we won't unNAT related packets in the reply direction
> (e.g., ICMP port unreachable).
>
> Would it be possible to add a test that covers that case too?
>

After walking through the pipeline once again with the updated test we
should be actually fine because the reply direction doesn't hit those flows
at all. Those are covered by unDNAT stage. Ask agreed offline I'll send v2
series that will contain updated system test that covers the reply
direction and this patch on top of that.


> Thanks,
> Dumitru
>
> >          size_t match_len = match->length;
> >
> >          ds_put_cstr(match, " && ct_mark.skip_snat == 1");
> > @@ -16626,7 +16626,8 @@ build_lrouter_nat_defrag_and_lb(
> >           */
> >          ds_clear(match);
> >
> > -        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new &&
> ct_mark.natted");
> > +        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && "
> > +                           "ct_mark.natted");
> >          match_len = match->length;
> >
> >          ds_put_cstr(match, " && ct_mark.skip_snat == 1");
> > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > index e3b7b0cb5..be92a23af 100644
> > --- a/tests/ovn-northd.at
> > +++ b/tests/ovn-northd.at
> > @@ -4292,12 +4292,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80),
> action=(ct_lb_mark(backends=10.0.0.4:8080);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80),
> action=(ct_lb_mark(backends=10.0.0.40:8080);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >
> > @@ -4323,12 +4323,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080;
> force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080;
> force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
> > @@ -4374,12 +4374,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080;
> force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080;
> force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
> > @@ -4439,12 +4439,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080;
> force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080;
> force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
> > @@ -4489,8 +4489,8 @@ AT_CHECK([grep "lr_in_defrag" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >
> >  AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80),
> action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080;
> skip_snat);)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb |
> ovn_strip_lflows], [0], [dnl
> > @@ -5902,12 +5902,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 &&
> is_chassis_resident("cr-lr0-public")),
> action=(ct_lb_mark(backends=10.0.0.4:8080);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 &&
> is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=
> 10.0.0.50:82,10.0.0.60:82);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 &&
> is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=
> 10.0.0.50:6062,10.0.0.60:6062);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows],
> [0], [dnl
> > @@ -5972,12 +5972,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 &&
> is_chassis_resident("cr-lr0-public")),
> action=(ct_lb_mark(backends=10.0.0.4:8080);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 &&
> is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=
> 10.0.0.50:82,10.0.0.60:82);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 &&
> is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=
> 10.0.0.50:6062,10.0.0.60:6062);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows],
> [0], [dnl
> > @@ -6046,12 +6046,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80),
> action=(ct_lb_mark(backends=10.0.0.4:8080);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082),
> action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60),
> action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows],
> [0], [dnl
> > @@ -6109,12 +6109,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080;
> force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,
> 10.0.0.60:82; force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,
> 10.0.0.60:6062; force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows],
> [0], [dnl
> > @@ -6175,12 +6175,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.10 && tcp && tcp.dst == 9082),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,
> 10.0.0.60:82; force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,
> 10.0.0.60:82; force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,
> 10.0.0.60:6062; force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows],
> [0], [dnl
> > @@ -6253,12 +6253,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,
> 10.0.0.60:82; force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,
> 10.0.0.60:6062; force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip6 && ip6.dst == def0::2 && tcp && tcp.dst == 8000),
> action=(flags.force_snat_for_lb = 1;
> ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80; force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows],
> [0], [dnl
> > @@ -6315,12 +6315,12 @@ AT_CHECK([grep "lr_in_dnat" lr0flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.210 && tcp && tcp.dst == 60),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,
> 10.0.0.60:6062; force_snat);)
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,
> 10.0.0.60:6062; force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows],
> [0], [dnl
> > @@ -6372,12 +6372,12 @@ check ovn-nbctl --wait=sb sync
> >  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=110  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(reg0 = 0; reject {
> outport <-> inport; next(pipeline=egress,table=??);};)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  # LB with reject and skip_snat
> > @@ -6386,12 +6386,12 @@ check ovn-nbctl --wait=sb set load_balancer lb5
> options:skip_snat=true
> >  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=110  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.skip_snat_for_lb
> = 1; reg0 = 0; reject { outport <-> inport;
> next(pipeline=egress,table=??);};)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  check ovn-nbctl --wait=sb remove load_balancer lb5 options skip_snat
> > @@ -6402,12 +6402,12 @@ check ovn-nbctl --wait=sb set logical_router lr0
> options:lb_force_snat_ip="route
> >  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=110  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.10.10),
> action=(flags.force_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport;
> next(pipeline=egress,table=??);};)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  # LB with event=false and reject=false
> > @@ -6419,12 +6419,12 @@ check ovn-nbctl --wait=sb lr-lb-add lr0 lb6
> >  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=110  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(drop;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  # LB with event=false, reject=false and skip_snat
> > @@ -6433,12 +6433,12 @@ check ovn-nbctl --wait=sb set load_balancer lb6
> options:skip_snat=true
> >  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=110  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.skip_snat_for_lb
> = 1; drop;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  check ovn-nbctl remove load_balancer lb6 options skip_snat
> > @@ -6449,12 +6449,12 @@ check ovn-nbctl --wait=sb set logical_router lr0
> options:lb_force_snat_ip="route
> >  AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=0    , match=(1),
> action=(next;)
> >    table=??(lr_in_dnat         ), priority=110  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.168.10.30),
> action=(flags.force_snat_for_lb = 1; drop;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AT_CLEANUP
> > @@ -9438,12 +9438,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80),
> action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >  AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | ovn_strip_lflows], [0],
> [dnl
> >    table=??(lr_in_lb_aff_learn ), priority=0    , match=(1),
> action=(next;)
> > @@ -9462,12 +9462,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80),
> action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,
> 20.0.0.2:80; skip_snat);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1;
> ct_lb_mark(backends=10.0.0.2:80; skip_snat);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1;
> ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  check ovn-nbctl remove load_balancer lb0 options skip_snat
> > @@ -9483,12 +9483,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_force_snat
> | ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80),
> action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,
> 20.0.0.2:80; force_snat);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1;
> ct_lb_mark(backends=10.0.0.2:80; force_snat);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1;
> ct_lb_mark(backends=20.0.0.2:80; force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AS_BOX([Test LR flows - lb_force_snat_ip="172.16.0.1" + skip_snat=true])
> > @@ -9503,12 +9503,12 @@ AT_CHECK([grep "lr_in_dnat "
> R1flows_force_skip_snat | ovn_strip_lflows], [0], [
> >    table=??(lr_in_dnat         ), priority=120  , match=(ct.new &&
> !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80),
> action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,
> 20.0.0.2:80; skip_snat);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1;
> ct_lb_mark(backends=10.0.0.2:80; skip_snat);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1;
> ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >  AS_BOX([Test LR flows - 2 LBs, lb0 skip_snat=true, lb1
> lb_force_snat_ip="172.16.0.1"])
> > @@ -9530,12 +9530,12 @@ AT_CHECK([grep "lr_in_dnat " R1flows_2lbs |
> ovn_strip_lflows], [0], [dnl
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1;
> ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.20 && reg4 == 10.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1;
> ct_lb_mark(backends=10.0.0.2:80; force_snat);)
> >    table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1
> && ct.new && ip4.dst == 172.16.0.20 && reg4 == 20.0.0.2 && reg8[[0..15]] ==
> 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1;
> ct_lb_mark(backends=20.0.0.2:80; force_snat);)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted), action=(next;)
> > -  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new), action=(ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > -  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
> > +  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat ==
> 1), action=(flags.force_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.est &&
> !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; next;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1),
> action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
> > +  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel &&
> !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1),
> action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
> >  ])
> >
> >
> > diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> > index 145399ded..aef732233 100644
> > --- a/tests/system-ovn.at
> > +++ b/tests/system-ovn.at
> > @@ -3068,8 +3068,10 @@ ovn-nbctl lsp-add bob bob16 \
> >  -- lsp-set-addresses bob16 "f0:00:06:01:02:06 fd72::4"
> >
> >  # Config OVN load-balancer with a VIP.
> > +# In addition add client VIP to force premature unDNAT.
> >  uuid=`ovn-nbctl  create load_balancer
> vips:30.0.0.1="192.168.1.2,192.168.2.2" \
> > -vips:\"fd30::1\"=\"fd11::2,fd12::2\"`
> > +vips:172.16.1.3="192.168.1.2,192.168.2.2"
> vips:\"fd30::1\"=\"fd11::2,fd12::2\" \
> > +vips:\"fd72::3\"=\"fd11::2,fd12::2\"`
> >  ovn-nbctl set logical_router R2 load_balancer=$uuid
> >  ovn-nbctl set logical_router R3 load_balancer=$uuid
> >
>
>
Thanks,
Ales
diff mbox series

Patch

diff --git a/northd/northd.c b/northd/northd.c
index 2aa6c0958..9938c683e 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -16601,7 +16601,7 @@  build_lrouter_nat_defrag_and_lb(
     if (lr_stateful_rec->has_lb_vip) {
         ds_clear(match);
 
-        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new");
+        ds_put_cstr(match, "ct.rel && !ct.est && !ct.new && !ct.rpl");
         size_t match_len = match->length;
 
         ds_put_cstr(match, " && ct_mark.skip_snat == 1");
@@ -16626,7 +16626,8 @@  build_lrouter_nat_defrag_and_lb(
          */
         ds_clear(match);
 
-        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && ct_mark.natted");
+        ds_put_cstr(match, "ct.est && !ct.rel && !ct.new && !ct.rpl && "
+                           "ct_mark.natted");
         match_len = match->length;
 
         ds_put_cstr(match, " && ct_mark.skip_snat == 1");
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index e3b7b0cb5..be92a23af 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -4292,12 +4292,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 
@@ -4323,12 +4323,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -4374,12 +4374,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -4439,12 +4439,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.100 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_snat" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -4489,8 +4489,8 @@  AT_CHECK([grep "lr_in_defrag" lr0flows | ovn_strip_lflows], [0], [dnl
 
 AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.20 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.40:8080; skip_snat);)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | ovn_strip_lflows], [0], [dnl
@@ -5902,12 +5902,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.4:8080);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -5972,12 +5972,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.4:8080);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -6046,12 +6046,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -6109,12 +6109,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 10.0.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.4:8080; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -6175,12 +6175,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.10 && tcp && tcp.dst == 9082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -6253,12 +6253,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.100 && tcp && tcp.dst == 8082), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip6 && ip6.dst == def0::2 && tcp && tcp.dst == 8000), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -6315,12 +6315,12 @@  AT_CHECK([grep "lr_in_dnat" lr0flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && tcp && tcp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.0.210 && udp && udp.dst == 60), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | ovn_strip_lflows], [0], [dnl
@@ -6372,12 +6372,12 @@  check ovn-nbctl --wait=sb sync
 AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 # LB with reject and skip_snat
@@ -6386,12 +6386,12 @@  check ovn-nbctl --wait=sb set load_balancer lb5 options:skip_snat=true
 AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.skip_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 check ovn-nbctl --wait=sb remove load_balancer lb5 options skip_snat
@@ -6402,12 +6402,12 @@  check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="route
 AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.10), action=(flags.force_snat_for_lb = 1; reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=??);};)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 # LB with event=false and reject=false
@@ -6419,12 +6419,12 @@  check ovn-nbctl --wait=sb lr-lb-add lr0 lb6
 AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(drop;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 # LB with event=false, reject=false and skip_snat
@@ -6433,12 +6433,12 @@  check ovn-nbctl --wait=sb set load_balancer lb6 options:skip_snat=true
 AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.skip_snat_for_lb = 1; drop;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 check ovn-nbctl remove load_balancer lb6 options skip_snat
@@ -6449,12 +6449,12 @@  check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="route
 AT_CHECK([ovn-sbctl dump-flows lr0 | grep "lr_in_dnat" | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=0    , match=(1), action=(next;)
   table=??(lr_in_dnat         ), priority=110  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.168.10.30), action=(flags.force_snat_for_lb = 1; drop;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AT_CLEANUP
@@ -9438,12 +9438,12 @@  AT_CHECK([grep "lr_in_dnat " R1flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=10.0.0.2:80);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; ct_lb_mark(backends=20.0.0.2:80);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 AT_CHECK([grep "lr_in_lb_aff_learn" R1flows | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_lb_aff_learn ), priority=0    , match=(1), action=(next;)
@@ -9462,12 +9462,12 @@  AT_CHECK([grep "lr_in_dnat " R1flows_skip_snat | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 check ovn-nbctl remove load_balancer lb0 options skip_snat
@@ -9483,12 +9483,12 @@  AT_CHECK([grep "lr_in_dnat " R1flows_force_snat | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; force_snat);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AS_BOX([Test LR flows - lb_force_snat_ip="172.16.0.1" + skip_snat=true])
@@ -9503,12 +9503,12 @@  AT_CHECK([grep "lr_in_dnat " R1flows_force_skip_snat | ovn_strip_lflows], [0], [
   table=??(lr_in_dnat         ), priority=120  , match=(ct.new && !ct.rel && ip4 && ip4.dst == 172.16.0.10 && tcp && tcp.dst == 80), action=(flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80,20.0.0.2:80; skip_snat);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; skip_snat);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 AS_BOX([Test LR flows - 2 LBs, lb0 skip_snat=true, lb1 lb_force_snat_ip="172.16.0.1"])
@@ -9530,12 +9530,12 @@  AT_CHECK([grep "lr_in_dnat " R1flows_2lbs | ovn_strip_lflows], [0], [dnl
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.10 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.10; flags.skip_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; skip_snat);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.20 && reg4 == 10.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; ct_lb_mark(backends=10.0.0.2:80; force_snat);)
   table=??(lr_in_dnat         ), priority=150  , match=(reg9[[6]] == 1 && ct.new && ip4.dst == 172.16.0.20 && reg4 == 20.0.0.2 && reg8[[0..15]] == 80), action=(reg0 = 172.16.0.20; flags.force_snat_for_lb = 1; ct_lb_mark(backends=20.0.0.2:80; force_snat);)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted), action=(next;)
-  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new), action=(ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
-  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted), action=(next;)
+  table=??(lr_in_dnat         ), priority=50   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl), action=(ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.est && !ct.rel && !ct.new && !ct.rpl && ct_mark.natted && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; next;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.force_snat == 1), action=(flags.force_snat_for_lb = 1; ct_commit_nat;)
+  table=??(lr_in_dnat         ), priority=70   , match=(ct.rel && !ct.est && !ct.new && !ct.rpl && ct_mark.skip_snat == 1), action=(flags.skip_snat_for_lb = 1; ct_commit_nat;)
 ])
 
 
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 145399ded..aef732233 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -3068,8 +3068,10 @@  ovn-nbctl lsp-add bob bob16 \
 -- lsp-set-addresses bob16 "f0:00:06:01:02:06 fd72::4"
 
 # Config OVN load-balancer with a VIP.
+# In addition add client VIP to force premature unDNAT.
 uuid=`ovn-nbctl  create load_balancer vips:30.0.0.1="192.168.1.2,192.168.2.2" \
-vips:\"fd30::1\"=\"fd11::2,fd12::2\"`
+vips:172.16.1.3="192.168.1.2,192.168.2.2" vips:\"fd30::1\"=\"fd11::2,fd12::2\" \
+vips:\"fd72::3\"=\"fd11::2,fd12::2\"`
 ovn-nbctl set logical_router R2 load_balancer=$uuid
 ovn-nbctl set logical_router R3 load_balancer=$uuid