Comment 5 for bug 1794569

We hotfixed the issue with adding a flow to the particular flat network bridge (e.g. br-netX, not br-int). The flow basically drops all traffic coming from the physical interface, having a source MAC address of the distributed router's gateway interface.

However be aware that this flow may only be added on compute nodes, not controllers (or, specifically, network nodes; we use controllers as net nodes). This is because network nodes perform SNAT for north/south traffic, and because of this, any incoming traffic from the DVR's gateway MAC address is legitimate.