diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
index 28579e3ba21..f12b2bfeee8 100644
--- a/dist/images/Dockerfile.base
+++ b/dist/images/Dockerfile.base
@@ -62,6 +62,8 @@ RUN cd /usr/src/ && git clone -b branch-22.03 --depth=1 https://github.com/ovn-o
 curl -s https://github.com/kubeovn/ovn/commit/472809ebc83588cf321935804f171b271fd81476.patch | git apply && \
 # ovn-controller: do not send GARP on localnet for Kube-OVN ports
 curl -s https://github.com/kubeovn/ovn/commit/1792621bf33a661d66ca47620871668267e3e521.patch | git apply && \
+ # lflow: do not send direct traffic between lports to conntrack
+ curl -s https://github.com/kubeovn/ovn/commit/55b22c91f9e4a128ab2ae0068e426cc2f0220e0c.patch | git apply && \
 sed -i 's/OVN/ovn/g' debian/changelog && \
 rm -rf .git && \
 ./boot.sh && \
diff --git a/dist/images/install.sh b/dist/images/install.sh
index 4fe0c838bb0..aeca68936bf 100644
--- a/dist/images/install.sh
+++ b/dist/images/install.sh
@@ -15,6 +15,7 @@ ENABLE_LB=${ENABLE_LB:-true}
 ENABLE_NP=${ENABLE_NP:-true}
 ENABLE_EIP_SNAT=${ENABLE_EIP_SNAT:-true}
 LS_DNAT_MOD_DL_DST=${LS_DNAT_MOD_DL_DST:-true}
+LS_CT_SKIP_DST_LPORT_IPS=${LS_CT_SKIP_DST_LPORT_IPS:-true}
 ENABLE_EXTERNAL_VPC=${ENABLE_EXTERNAL_VPC:-true}
 CNI_CONFIG_PRIORITY=${CNI_CONFIG_PRIORITY:-01}
 ENABLE_LB_SVC=${ENABLE_LB_SVC:-false}
@@ -3023,6 +3024,7 @@ spec:
 - --default-exchange-link-name=$EXCHANGE_LINK_NAME
 - --default-vlan-id=$VLAN_ID
 - --ls-dnat-mod-dl-dst=$LS_DNAT_MOD_DL_DST
+ - --ls-ct-skip-dst-lport-ips=$LS_CT_SKIP_DST_LPORT_IPS
 - --pod-nic-type=$POD_NIC_TYPE
 - --enable-lb=$ENABLE_LB
 - --enable-np=$ENABLE_NP
diff --git a/kubeovn-helm/templates/controller-deploy.yaml b/kubeovn-helm/templates/controller-deploy.yaml
index e280d335c8f..1abf44094a6 100644
--- a/kubeovn-helm/templates/controller-deploy.yaml
+++ b/kubeovn-helm/templates/controller-deploy.yaml
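Review bot: The added `curl -s ... | git apply` line inherits a silent-failure mode from the two lines above it: `-s` hides transport errors, there is no `-f`, and the RUN shell has no `pipefail`, so a failed download hands `git apply` an empty or HTML body instead of the patch. Depending on the git version in the builder image, empty input may be accepted without error, in which case the conntrack patch would simply be missing from the built OVN while the image build succeeds; an HTML error page would at least make the apply fail, though with an unrelated-looking message. `curl -sSfL https://github.com/kubeovn/ovn/commit/55b22c91f9e4a128ab2ae0068e426cc2f0220e0c.patch | git apply && \` makes HTTP errors fatal and visible, and the same change applies to the two existing curl lines in this hunk. Checking the patch into the repository, or verifying a sha256 of the downloaded patch before applying it, would additionally remove the build's dependence on the remote serving the expected bytes.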
@@ -93,6 +93,7 @@ spec:
 - --default-exchange-link-name={{- .Values.networking.EXCHANGE_LINK_NAME }}
 - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }}
 - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }}
+ - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }}
 - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
 - --enable-lb={{- .Values.func.ENABLE_LB }}
 - --enable-np={{- .Values.func.ENABLE_NP }}
diff --git a/kubeovn-helm/values.yaml b/kubeovn-helm/values.yaml
index b610061876f..24507be26b4 100644
--- a/kubeovn-helm/values.yaml
+++ b/kubeovn-helm/values.yaml
@@ -51,6 +51,7 @@ func:
 LS_DNAT_MOD_DL_DST: true
 CHECK_GATEWAY: true
 LOGICAL_GATEWAY: false
+ LS_CT_SKIP_DST_LPORT_IPS: true
 ENABLE_BIND_LOCAL_IP: true
 ENABLE_IC: false
diff --git a/pkg/controller/config.go b/pkg/controller/config.go
index 51735f91dc7..7ae5a15bbb9 100644
--- a/pkg/controller/config.go
+++ b/pkg/controller/config.go
@@ -78,6 +78,7 @@ type Configuration struct {
 DefaultVlanName string
 DefaultVlanID int
 LsDnatModDlDst bool
+ LsCtSkipDstLportIPs bool
 EnableLb bool
 EnableNP bool
@@ -143,6 +144,7 @@ func ParseFlags() (*Configuration, error) {
 argDefaultVlanName = pflag.String("default-vlan-name", "ovn-vlan", "The default vlan name")
 argDefaultVlanID = pflag.Int("default-vlan-id", 1, "The default vlan id")
 argLsDnatModDlDst = pflag.Bool("ls-dnat-mod-dl-dst", true, "Set ethernet destination address for DNAT on logical switch")
+ argLsCtSkipDstLportIPs = pflag.Bool("ls-ct-skip-dst-lport-ips", true, "Skip conntrack for direct traffic between lports")
 argPodNicType = pflag.String("pod-nic-type", "veth-pair", "The default pod network nic implementation type")
 argPodDefaultFipType = pflag.String("pod-default-fip-type", "", "The type of fip bind to pod automatically: iptables")
 argEnableLb = pflag.Bool("enable-lb", true, "Enable load balancer")
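Review bot: The help text for the new `ls-ct-skip-dst-lport-ips` flag in ParseFlags says only `Skip conntrack for direct traffic between lports`, which does not tell an operator what observable behaviour changes or when switching it off is appropriate. Because the flag defaults to true and, per the controller.go hunk in this commit, is written straight into an NB_Global option, an operator running an OVN build without the lflow patch added in the Dockerfile.base hunk presumably gets an option that is silently ignored — the description should at least name the option and that prerequisite, e.g. `"Skip conntrack for direct traffic between lports on a logical switch (sets NB_Global options:ls_ct_skip_dst_lport_ips; requires a patched OVN)"`. A one-line comment saying the same on the `LsCtSkipDstLportIPs` field in the Configuration struct hunk above would help readers of the struct. ParseFlags continues outside the hunk.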
@@ -212,6 +214,7 @@ func ParseFlags() (*Configuration, error) {
 NetworkType: *argNetworkType,
 DefaultVlanID: *argDefaultVlanID,
 LsDnatModDlDst: *argLsDnatModDlDst,
+ LsCtSkipDstLportIPs: *argLsCtSkipDstLportIPs,
 DefaultProviderName: *argDefaultProviderName,
 DefaultHostInterface: *argDefaultInterfaceName,
 DefaultExchangeLinkName: *argDefaultExchangeLinkName,
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index b76743bbe4e..7d0639fae90 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -678,6 +678,10 @@ func (c *Controller) Run(ctx context.Context) {
 util.LogFatalAndExit(err, "failed to set NB_Global option use_ct_inv_match")
 }
+ if err := c.ovnLegacyClient.SetLsCtSkipDstLportIPs(c.config.LsCtSkipDstLportIPs); err != nil {
+ util.LogFatalAndExit(err, "failed to set NB_Global option ls_ct_skip_dst_lport_ips")
+ }
+
 if err := c.InitOVN(); err != nil {
 util.LogFatalAndExit(err, "failed to initialize ovn resources")
 }
diff --git a/pkg/ovs/ovn-nbctl-legacy.go b/pkg/ovs/ovn-nbctl-legacy.go
index 6e2d135e7bd..8d27086502f 100644
--- a/pkg/ovs/ovn-nbctl-legacy.go
+++ b/pkg/ovs/ovn-nbctl-legacy.go
@@ -96,6 +96,13 @@ func (c LegacyClient) SetUseCtInvMatch() error {
 return nil
 }
+func (c LegacyClient) SetLsCtSkipDstLportIPs(enabled bool) error {
+ if _, err := c.ovnNbCommand("set", "NB_Global", ".", fmt.Sprintf("options:ls_ct_skip_dst_lport_ips=%v", enabled)); err != nil {
+ return fmt.Errorf("failed to set NB_Global option ls_ct_skip_dst_lport_ips to %v: %v", enabled, err)
+ }
+ return nil
+}
+
 func (c LegacyClient) SetICAutoRoute(enable bool, blackList []string) error {
 if enable {
 if _, err := c.ovnNbCommand("set", "NB_Global", ".", "options:ic-route-adv=true", "options:ic-route-learn=true", fmt.Sprintf("options:ic-route-blacklist=%s", strings.Join(blackList, ","))); err != nil {
diff --git a/yamls/kube-ovn-dual-stack.yaml b/yamls/kube-ovn-dual-stack.yaml
index 81b9c5001dd..82f7617f39a 100644
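Review bot: The fatal message added in Run, `failed to set NB_Global option ls_ct_skip_dst_lport_ips`, repeats the prefix that SetLsCtSkipDstLportIPs already puts on its own error in the ovn-nbctl-legacy.go hunk (`failed to set NB_Global option ls_ct_skip_dst_lport_ips to %v: %v`), so the emitted log line will contain the same phrase twice. One layer should own that wording: either shorten the call site to something like `util.LogFatalAndExit(err, "failed to configure ovn-nb")`, or keep the caller's message and have the client return the command error unchanged. The use_ct_inv_match block directly above follows the same duplicated pattern, so if that is deliberate for grep-ability the new code is at least consistent with it. Run continues outside the hunk.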
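Review bot: SetLsCtSkipDstLportIPs wraps the ovnNbCommand error with `%v`, which flattens it and prevents callers from using `errors.Is`/`errors.As` on the underlying error; `%w` preserves the chain: `return fmt.Errorf("failed to set NB_Global option ls_ct_skip_dst_lport_ips to %v: %w", enabled, err)`. The method is exported but has no doc comment; `// SetLsCtSkipDstLportIPs sets NB_Global options:ls_ct_skip_dst_lport_ips, which controls whether direct traffic between logical ports bypasses conntrack.` would satisfy the convention. The error-wrapping style of the neighbouring methods is not visible in this hunk, so follow the file's existing convention if it differs from `%w`.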
--- a/yamls/kube-ovn-dual-stack.yaml
+++ b/yamls/kube-ovn-dual-stack.yaml
@@ -64,6 +64,7 @@ spec:
 - --network-type=geneve
 - --default-interface-name=
 - --default-vlan-id=100
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true
diff --git a/yamls/kube-ovn-ipv6.yaml b/yamls/kube-ovn-ipv6.yaml
index fa0cfb4d52f..7f2030026a9 100644
--- a/yamls/kube-ovn-ipv6.yaml
+++ b/yamls/kube-ovn-ipv6.yaml
@@ -65,6 +65,7 @@ spec:
 - --network-type=geneve
 - --default-interface-name=
 - --default-vlan-id=100
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true
diff --git a/yamls/kube-ovn.yaml b/yamls/kube-ovn.yaml
index ab9c4fa7b34..dd5703ac229 100644
--- a/yamls/kube-ovn.yaml
+++ b/yamls/kube-ovn.yaml
@@ -64,6 +64,7 @@ spec:
 - --network-type=geneve
 - --default-interface-name=
 - --default-vlan-id=100
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true