diff --git a/.ovn.metadata b/.ovn.metadata
index e0ddafb..6f3b0da 100644
--- a/.ovn.metadata
+++ b/.ovn.metadata
@@ -1,5 +1,5 @@
 002450621b33c5690060345b0aac25bc2426d675  SOURCES/docutils-0.12.tar.gz
-8746fd38571d535d663102d7023d40ae5f9f2329  SOURCES/openvswitch-49e64f1.tar.gz
-79fcdaccaa2229148d2f5c299d5e1ba51ea27ac0  SOURCES/ovn-23.09.3.tar.gz
+2a2d6ee59794e93723db7632f877427a735c0243  SOURCES/openvswitch-c88a35f.tar.gz
+25cb1cda6fe4f3906452e585e3a2ff6e24a61de3  SOURCES/ovn-23.09.4.tar.gz
 d34f96421a86004aa5d26ecf975edefd09f948b1  SOURCES/Pygments-1.4.tar.gz
 6beb30f18ffac3de7689b7fd63e9a8a7d9c8df3a  SOURCES/Sphinx-1.1.3.tar.gz
diff --git a/SOURCES/ovn23.09.patch b/SOURCES/ovn23.09.patch
index cefc342..a3b70e1 100644
--- a/SOURCES/ovn23.09.patch
+++ b/SOURCES/ovn23.09.patch
@@ -1,57 +1,1449 @@
-diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
-index 85916548a..5cd0babee 100644
---- a/.github/workflows/test.yml
-+++ b/.github/workflows/test.yml
-@@ -230,6 +230,14 @@ jobs:
-         sudo chmod +x /usr/bin/crun
-         echo "New crun version: "$(crun --version)
- 
-+    - name: Reduce ASLR entropy
-+      if:   matrix.cfg.sanitizers != ''
-+      # Asan in llvm 14 provided in ubuntu-22.04 is incompatible with
-+      # high-entropy ASLR configured in much newer kernels that GitHub
-+      # runners are using leading to random crashes:
-+      #   https://github.com/actions/runner-images/issues/9491
-+      run: sudo sysctl -w vm.mmap_rnd_bits=28
-+
-     - name: load image
+diff --git a/.ci/ovn-kubernetes/Dockerfile b/.ci/ovn-kubernetes/Dockerfile
+index eda8b6d02..554b5551b 100644
+--- a/.ci/ovn-kubernetes/Dockerfile
++++ b/.ci/ovn-kubernetes/Dockerfile
+@@ -1,4 +1,4 @@
+-ARG OVNKUBE_COMMIT=master
++ARG OVNKUBE_COMMIT
+ ARG GO_VERSION
+ 
+ FROM fedora:37 AS ovnbuilder
+diff --git a/.github/workflows/ovn-kubernetes.yml b/.github/workflows/ovn-kubernetes.yml
+index 0f2b30497..f7dfd1c39 100644
+--- a/.github/workflows/ovn-kubernetes.yml
++++ b/.github/workflows/ovn-kubernetes.yml
+@@ -13,7 +13,7 @@ concurrency:
+   cancel-in-progress: true
+ 
+ env:
+-  OVNKUBE_COMMIT: "master"
++  OVNKUBE_COMMIT: "release-1.0"
+   KIND_CLUSTER_NAME: ovn
+   KIND_INSTALL_INGRESS: true
+   KIND_ALLOW_SYSTEM_WRITES: true
+@@ -41,6 +41,7 @@ jobs:
+       with:
+           path: src/github.com/ovn-org/ovn-kubernetes
+           repository: ovn-org/ovn-kubernetes
++          ref: ${{ env.OVNKUBE_COMMIT }}
+ 
+     - name: Prepare
        run: |
-         sudo podman load -i /tmp/image.tar
+@@ -108,6 +109,7 @@ jobs:
+       with:
+           path: src/github.com/ovn-org/ovn-kubernetes
+           repository: ovn-org/ovn-kubernetes
++          ref: ${{ env.OVNKUBE_COMMIT }}
+ 
+     - name: Prepare
+       run: |
+diff --git a/AUTHORS.rst b/AUTHORS.rst
+index 65c8761f4..351523fd1 100644
+--- a/AUTHORS.rst
++++ b/AUTHORS.rst
+@@ -448,6 +448,7 @@ xushengping                        shengping.xu@huawei.com
+ yinpeijun                          yinpeijun@huawei.com
+ zangchuanqiang                     zangchuanqiang@huawei.com
+ zhang yanxian                      zhangyanxian@pmlabs.com.cn
++zhangqiang45                       zhangqiang45@lenovo.com
+ zhaojingjing                       zhao.jingjing1@zte.com.cn
+ zhongbaisong                       zhongbaisong@huawei.com
+ zhaozhanxu                         zhaozhanxu@163.com
 diff --git a/NEWS b/NEWS
-index 31c069aea..97e1c41d5 100644
+index 5c80fa482..9265e0836 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -1,3 +1,6 @@
-+OVN v23.09.4 - xx xxx xxxx
+@@ -1,3 +1,10 @@
++OVN v23.09.6 - xx xxx xxxx
++--------------------------
++
++OVN v23.09.5 - 16 Aug 2024
 +--------------------------
++  - Bug fixes
 +
- OVN v23.09.3 - 12 Mar 2024
+ OVN v23.09.4 - 09 May 2024
  --------------------------
    - Bug fixes
 diff --git a/configure.ac b/configure.ac
-index 090a29a15..c71ade236 100644
+index c71ade236..055d339e3 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -13,7 +13,7 @@
  # limitations under the License.
  
  AC_PREREQ(2.63)
--AC_INIT(ovn, 23.09.3, bugs@openvswitch.org)
-+AC_INIT(ovn, 23.09.4, bugs@openvswitch.org)
+-AC_INIT(ovn, 23.09.4, bugs@openvswitch.org)
++AC_INIT(ovn, 23.09.6, bugs@openvswitch.org)
  AC_CONFIG_MACRO_DIR([m4])
  AC_CONFIG_AUX_DIR([build-aux])
  AC_CONFIG_HEADERS([config.h])
+diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
+index e8e7ac6bd..66b656044 100644
+--- a/controller/ovn-controller.c
++++ b/controller/ovn-controller.c
+@@ -750,7 +750,7 @@ update_ct_zones(const struct sset *local_lports,
+     const char *user;
+     struct sset all_users = SSET_INITIALIZER(&all_users);
+     struct simap req_snat_zones = SIMAP_INITIALIZER(&req_snat_zones);
+-    unsigned long unreq_snat_zones_map[BITMAP_N_LONGS(MAX_CT_ZONES)];
++    unsigned long *unreq_snat_zones_map = bitmap_allocate(MAX_CT_ZONES);
+     struct simap unreq_snat_zones = SIMAP_INITIALIZER(&unreq_snat_zones);
+ 
+     const char *local_lport;
+@@ -861,6 +861,7 @@ update_ct_zones(const struct sset *local_lports,
+     simap_destroy(&req_snat_zones);
+     simap_destroy(&unreq_snat_zones);
+     sset_destroy(&all_users);
++    bitmap_free(unreq_snat_zones_map);
+ }
+ 
+ static void
+@@ -1146,6 +1147,7 @@ ctrl_register_ovs_idl(struct ovsdb_idl *ovs_idl)
+     ovsdb_idl_add_table(ovs_idl, &ovsrec_table_queue);
+     ovsdb_idl_add_column(ovs_idl, &ovsrec_queue_col_other_config);
+     ovsdb_idl_add_column(ovs_idl, &ovsrec_queue_col_external_ids);
++    ovsdb_idl_add_column(ovs_idl, &ovsrec_interface_col_link_state);
+ 
+     chassis_register_ovs_idl(ovs_idl);
+     encaps_register_ovs_idl(ovs_idl);
+@@ -2990,7 +2992,7 @@ lb_data_local_lb_add(struct ed_type_lb_data *lb_data,
+ 
+ static void
+ lb_data_local_lb_remove(struct ed_type_lb_data *lb_data,
+-                        struct ovn_controller_lb *lb, bool tracked)
++                        struct ovn_controller_lb *lb)
+ {
+     const struct uuid *uuid = &lb->slb->header_.uuid;
+ 
+@@ -2999,12 +3001,8 @@ lb_data_local_lb_remove(struct ed_type_lb_data *lb_data,
+ 
+     lb_data_removed_five_tuples_add(lb_data, lb);
+ 
+-    if (tracked) {
+-        hmap_insert(&lb_data->old_lbs, &lb->hmap_node, uuid_hash(uuid));
+-        uuidset_insert(&lb_data->deleted, uuid);
+-    } else {
+-        ovn_controller_lb_destroy(lb);
+-    }
++    hmap_insert(&lb_data->old_lbs, &lb->hmap_node, uuid_hash(uuid));
++    uuidset_insert(&lb_data->deleted, uuid);
+ }
+ 
+ static bool
+@@ -3029,7 +3027,7 @@ lb_data_handle_changed_ref(enum objdep_type type, const char *res_name,
+             continue;
+         }
+ 
+-        lb_data_local_lb_remove(lb_data, lb, true);
++        lb_data_local_lb_remove(lb_data, lb);
+ 
+         const struct sbrec_load_balancer *sbrec_lb =
+             sbrec_load_balancer_table_get_for_uuid(ctx_in->lb_table, uuid);
+@@ -3075,9 +3073,13 @@ en_lb_data_run(struct engine_node *node, void *data)
+     const struct sbrec_load_balancer_table *lb_table =
+         EN_OVSDB_GET(engine_get_input("SB_load_balancer", node));
+ 
++    objdep_mgr_clear(&lb_data->deps_mgr);
++
+     struct ovn_controller_lb *lb;
+     HMAP_FOR_EACH_SAFE (lb, hmap_node, &lb_data->local_lbs) {
+-        lb_data_local_lb_remove(lb_data, lb, false);
++        hmap_remove(&lb_data->local_lbs, &lb->hmap_node);
++        lb_data_removed_five_tuples_add(lb_data, lb);
++        ovn_controller_lb_destroy(lb);
+     }
+ 
+     const struct sbrec_load_balancer *sbrec_lb;
+@@ -3115,7 +3117,7 @@ lb_data_sb_load_balancer_handler(struct engine_node *node, void *data)
+                 continue;
+             }
+ 
+-            lb_data_local_lb_remove(lb_data, lb, true);
++            lb_data_local_lb_remove(lb_data, lb);
+         }
+ 
+         if (sbrec_load_balancer_is_deleted(sbrec_lb) ||
+@@ -4054,6 +4056,8 @@ en_lflow_output_run(struct engine_node *node, void *data)
+         EN_OVSDB_GET(engine_get_input("OVS_bridge", node));
+     const struct ovsrec_bridge *br_int = get_br_int(bridge_table, ovs_table);
+     const char *chassis_id = get_ovs_chassis_id(ovs_table);
++    const struct ovsrec_flow_sample_collector_set_table *flow_collector_table =
++        EN_OVSDB_GET(engine_get_input("OVS_flow_sample_collector_set", node));
+ 
+     struct ovsdb_idl_index *sbrec_chassis_by_name =
+         engine_ovsdb_node_get_index(
+@@ -4067,6 +4071,17 @@ en_lflow_output_run(struct engine_node *node, void *data)
+ 
+     ovs_assert(br_int && chassis);
+ 
++    const struct ovsrec_flow_sample_collector_set *set;
++    OVSREC_FLOW_SAMPLE_COLLECTOR_SET_TABLE_FOR_EACH (set,
++                                                    flow_collector_table) {
++        if (set->bridge == br_int) {
++            struct ed_type_lflow_output *lfo = data;
++            flow_collector_ids_clear(&lfo->collector_ids);
++            flow_collector_ids_init_from_table(&lfo->collector_ids,
++                                               flow_collector_table);
++        }
++    }
++
+     struct ed_type_lflow_output *fo = data;
+     struct ovn_desired_flow_table *lflow_table = &fo->flow_table;
+     struct ovn_extend_table *group_table = &fo->group_table;
+@@ -5719,17 +5734,14 @@ main(int argc, char *argv[])
+                                            br_int ? br_int->name : NULL)) {
+                 VLOG_INFO("OVS feature set changed, force recompute.");
+                 engine_set_force_recompute(true);
+-                if (ovs_feature_set_discovered()) {
+-                    uint32_t max_groups = ovs_feature_max_select_groups_get();
+-                    uint32_t max_meters = ovs_feature_max_meters_get();
+-                    struct ed_type_lflow_output *lflow_out_data =
+-                        engine_get_internal_data(&en_lflow_output);
+-
+-                    ovn_extend_table_reinit(&lflow_out_data->group_table,
+-                                            max_groups);
+-                    ovn_extend_table_reinit(&lflow_out_data->meter_table,
+-                                            max_meters);
+-                }
++
++                struct ed_type_lflow_output *lflow_out_data =
++                    engine_get_internal_data(&en_lflow_output);
++
++                ovn_extend_table_reinit(&lflow_out_data->group_table,
++                                        ovs_feature_max_select_groups_get());
++                ovn_extend_table_reinit(&lflow_out_data->meter_table,
++                                        ovs_feature_max_meters_get());
+             }
+ 
+             if (br_int) {
+diff --git a/controller/pinctrl.c b/controller/pinctrl.c
+index 98821d275..9e80556ef 100644
+--- a/controller/pinctrl.c
++++ b/controller/pinctrl.c
+@@ -655,8 +655,6 @@ pinctrl_forward_pkt(struct rconn *swconn, int64_t dp_key,
+     put_load(dp_key, MFF_LOG_DATAPATH, 0, 64, &ofpacts);
+     put_load(in_port_key, MFF_LOG_INPORT, 0, 32, &ofpacts);
+     put_load(out_port_key, MFF_LOG_OUTPORT, 0, 32, &ofpacts);
+-    /* Avoid re-injecting packet already consumed. */
+-    put_load(1, MFF_LOG_FLAGS, MLF_IGMP_IGMP_SNOOP_INJECT_BIT, 1, &ofpacts);
+ 
+     struct ofpact_resubmit *resubmit = ofpact_put_RESUBMIT(&ofpacts);
+     resubmit->in_port = OFPP_CONTROLLER;
+@@ -5756,6 +5754,10 @@ get_localnet_vifs_l3gwports(
+             if (!pb || pb->chassis != chassis) {
+                 continue;
+             }
++            if (!iface_rec->link_state ||
++                    strcmp(iface_rec->link_state, "up")) {
++                continue;
++            }
+             struct local_datapath *ld
+                 = get_local_datapath(local_datapaths,
+                                      pb->datapath->tunnel_key);
+@@ -6687,6 +6689,9 @@ struct svc_monitor {
+     long long int timestamp;
+     bool is_ip6;
+ 
++    struct eth_addr src_mac;
++    struct in6_addr src_ip;
++
+     long long int wait_time;
+     long long int next_send_time;
+ 
+@@ -6881,6 +6886,9 @@ sync_svc_monitors(struct ovsdb_idl_txn *ovnsb_idl_txn,
+             svc_mon->n_success = 0;
+             svc_mon->n_failures = 0;
+ 
++            eth_addr_from_string(sb_svc_mon->src_mac, &svc_mon->src_mac);
++            ip46_parse(sb_svc_mon->src_ip, &svc_mon->src_ip);
++
+             hmap_insert(&svc_monitors_map, &svc_mon->hmap_node, hash);
+             ovs_list_push_back(&svc_monitors, &svc_mon->list_node);
+             changed = true;
+@@ -7639,19 +7647,14 @@ svc_monitor_send_tcp_health_check__(struct rconn *swconn,
+     struct dp_packet packet;
+     dp_packet_use_stub(&packet, packet_stub, sizeof packet_stub);
+ 
+-    struct eth_addr eth_src;
+-    eth_addr_from_string(svc_mon->sb_svc_mon->src_mac, &eth_src);
+     if (svc_mon->is_ip6) {
+-        struct in6_addr ip6_src;
+-        ipv6_parse(svc_mon->sb_svc_mon->src_ip, &ip6_src);
+-        pinctrl_compose_ipv6(&packet, eth_src, svc_mon->ea,
+-                             &ip6_src, &svc_mon->ip, IPPROTO_TCP,
++        pinctrl_compose_ipv6(&packet, svc_mon->src_mac, svc_mon->ea,
++                             &svc_mon->src_ip, &svc_mon->ip, IPPROTO_TCP,
+                              63, TCP_HEADER_LEN);
+     } else {
+-        ovs_be32 ip4_src;
+-        ip_parse(svc_mon->sb_svc_mon->src_ip, &ip4_src);
+-        pinctrl_compose_ipv4(&packet, eth_src, svc_mon->ea,
+-                             ip4_src, in6_addr_get_mapped_ipv4(&svc_mon->ip),
++        pinctrl_compose_ipv4(&packet, svc_mon->src_mac, svc_mon->ea,
++                             in6_addr_get_mapped_ipv4(&svc_mon->src_ip),
++                             in6_addr_get_mapped_ipv4(&svc_mon->ip),
+                              IPPROTO_TCP, 63, TCP_HEADER_LEN);
+     }
+ 
+@@ -7707,24 +7710,18 @@ svc_monitor_send_udp_health_check(struct rconn *swconn,
+                                   struct svc_monitor *svc_mon,
+                                   ovs_be16 udp_src)
+ {
+-    struct eth_addr eth_src;
+-    eth_addr_from_string(svc_mon->sb_svc_mon->src_mac, &eth_src);
+-
+     uint64_t packet_stub[128 / 8];
+     struct dp_packet packet;
+     dp_packet_use_stub(&packet, packet_stub, sizeof packet_stub);
+ 
+     if (svc_mon->is_ip6) {
+-        struct in6_addr ip6_src;
+-        ipv6_parse(svc_mon->sb_svc_mon->src_ip, &ip6_src);
+-        pinctrl_compose_ipv6(&packet, eth_src, svc_mon->ea,
+-                             &ip6_src, &svc_mon->ip, IPPROTO_UDP,
++        pinctrl_compose_ipv6(&packet, svc_mon->src_mac, svc_mon->ea,
++                             &svc_mon->src_ip, &svc_mon->ip, IPPROTO_UDP,
+                              63, UDP_HEADER_LEN + 8);
+     } else {
+-        ovs_be32 ip4_src;
+-        ip_parse(svc_mon->sb_svc_mon->src_ip, &ip4_src);
+-        pinctrl_compose_ipv4(&packet, eth_src, svc_mon->ea,
+-                             ip4_src, in6_addr_get_mapped_ipv4(&svc_mon->ip),
++        pinctrl_compose_ipv4(&packet, svc_mon->src_mac, svc_mon->ea,
++                             in6_addr_get_mapped_ipv4(&svc_mon->src_ip),
++                             in6_addr_get_mapped_ipv4(&svc_mon->ip),
+                              IPPROTO_UDP, 63, UDP_HEADER_LEN + 8);
+     }
+ 
 diff --git a/debian/changelog b/debian/changelog
-index bbce8a3cb..4f2fabdd7 100644
+index e06f13536..244bb95ce 100644
 --- a/debian/changelog
 +++ b/debian/changelog
-@@ -1,3 +1,9 @@
-+OVN (23.09.4-1) unstable; urgency=low
+@@ -1,3 +1,15 @@
++ovn (23.09.6-1) unstable; urgency=low
 +   [ OVN team ]
 +   * New upstream version
 +
-+ -- OVN team <dev@openvswitch.org>  Tue, 12 Mar 2024 08:35:34 -0400
++ -- OVN team <dev@openvswitch.org>  Fri, 16 Aug 2024 13:51:01 -0400
 +
- OVN (23.09.3-1) unstable; urgency=low
++OVN (23.09.5-1) unstable; urgency=low
++   [ OVN team ]
++   * New upstream version
++
++ -- OVN team <dev@openvswitch.org>  Fri, 16 Aug 2024 13:51:01 -0400
++
+ OVN (23.09.4-1) unstable; urgency=low
     [ OVN team ]
     * New upstream version
+diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
+index 7446accad..cf0558c0e 100644
+--- a/ic/ovn-ic.c
++++ b/ic/ovn-ic.c
+@@ -2324,7 +2324,7 @@ ovn_ic_resume(struct unixctl_conn *conn, int argc OVS_UNUSED,
+ {
+     struct ic_state *state = state_;
+     state->paused = false;
+-
++    poll_immediate_wake();
+     unixctl_command_reply(conn, NULL);
+ }
+ 
+diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
+index e3236fa24..f07c4c42e 100644
+--- a/include/ovn/logical-fields.h
++++ b/include/ovn/logical-fields.h
+@@ -80,7 +80,6 @@ enum mff_log_flags_bits {
+     MLF_LOCALNET_BIT = 15,
+     MLF_RX_FROM_TUNNEL_BIT = 16,
+     MLF_ICMP_SNAT_BIT = 17,
+-    MLF_IGMP_IGMP_SNOOP_INJECT_BIT = 18,
+ };
+ 
+ /* MFF_LOG_FLAGS_REG flag assignments */
+@@ -136,8 +135,6 @@ enum mff_log_flags {
+     MLF_RX_FROM_TUNNEL = (1 << MLF_RX_FROM_TUNNEL_BIT),
+ 
+     MLF_ICMP_SNAT = (1 << MLF_ICMP_SNAT_BIT),
+-
+-    MLF_IGMP_IGMP_SNOOP = (1 << MLF_IGMP_IGMP_SNOOP_INJECT_BIT),
+ };
+ 
+ /* OVN logical fields
+diff --git a/lib/actions.c b/lib/actions.c
+index 2b3fc915c..5c10edf53 100644
+--- a/lib/actions.c
++++ b/lib/actions.c
+@@ -875,6 +875,9 @@ encode_CT_COMMIT_V2(const struct ovnact_nest *on,
+                     const struct ovnact_encode_params *ep OVS_UNUSED,
+                     struct ofpbuf *ofpacts)
+ {
++    size_t ct_offset = ofpacts->size;
++    ofpbuf_pull(ofpacts, ct_offset);
++
+     struct ofpact_conntrack *ct = ofpact_put_CT(ofpacts);
+     ct->flags = NX_CT_F_COMMIT;
+     ct->recirc_table = NX_CT_RECIRC_NONE;
+@@ -906,6 +909,7 @@ encode_CT_COMMIT_V2(const struct ovnact_nest *on,
+     ofpacts->header = ofpbuf_push_uninit(ofpacts, set_field_offset);
+     ct = ofpacts->header;
+     ofpact_finish(ofpacts, &ct->ofpact);
++    ofpbuf_push_uninit(ofpacts, ct_offset);
+ }
+ 
+ static void
+diff --git a/lib/logical-fields.c b/lib/logical-fields.c
+index 68892dba5..d84528ef5 100644
+--- a/lib/logical-fields.c
++++ b/lib/logical-fields.c
+@@ -139,10 +139,6 @@ ovn_init_symtab(struct shash *symtab)
+                              flags_str);
+     snprintf(flags_str, sizeof flags_str, "flags[%d]", MLF_RX_FROM_TUNNEL_BIT);
+     expr_symtab_add_subfield(symtab, "flags.tunnel_rx", NULL, flags_str);
+-    snprintf(flags_str, sizeof flags_str, "flags[%d]",
+-             MLF_IGMP_IGMP_SNOOP_INJECT_BIT);
+-    expr_symtab_add_subfield(symtab, "flags.igmp_loopback", NULL,
+-                             flags_str);
+ 
+     /* Connection tracking state. */
+     expr_symtab_add_field_scoped(symtab, "ct_mark", MFF_CT_MARK, NULL, false,
+@@ -247,7 +243,7 @@ ovn_init_symtab(struct shash *symtab)
+     expr_symtab_add_field(symtab, "icmp4.code", MFF_ICMPV4_CODE, "icmp4",
+               false);
+ 
+-    expr_symtab_add_predicate(symtab, "igmp", "ip4 && ip.proto == 2");
++    expr_symtab_add_predicate(symtab, "igmp", "ip4.mcast && ip.proto == 2");
+ 
+     expr_symtab_add_field(symtab, "ip6.src", MFF_IPV6_SRC, "ip6", false);
+     expr_symtab_add_field(symtab, "ip6.dst", MFF_IPV6_DST, "ip6", false);
+@@ -307,6 +303,9 @@ ovn_init_symtab(struct shash *symtab)
+               "icmp6.type == {135, 136} && icmp6.code == 0 && ip.ttl == 255");
+     expr_symtab_add_predicate(symtab, "nd_ns",
+               "icmp6.type == 135 && icmp6.code == 0 && ip.ttl == 255");
++    expr_symtab_add_predicate(symtab, "nd_ns_mcast",
++              "ip6.mcast && icmp6.type == 135 && icmp6.code == 0 && "
++              "ip.ttl == 255");
+     expr_symtab_add_predicate(symtab, "nd_na",
+               "icmp6.type == 136 && icmp6.code == 0 && ip.ttl == 255");
+     expr_symtab_add_predicate(symtab, "nd_rs",
+@@ -321,11 +320,12 @@ ovn_init_symtab(struct shash *symtab)
+      * (RFC 2710 and RFC 3810).
+      */
+     expr_symtab_add_predicate(symtab, "mldv1",
+-                              "ip6.src == fe80::/10 && "
++                              "eth.mcastv6 && ip6.src == fe80::/10 && "
+                               "icmp6.type == {130, 131, 132}");
+     /* MLDv2 packets are sent to ff02::16 (RFC 3810, 5.2.14) */
+     expr_symtab_add_predicate(symtab, "mldv2",
+-                              "ip6.dst == ff02::16 && icmp6.type == 143");
++                              "eth.mcastv6 && ip6.dst == ff02::16 && "
++                              "icmp6.type == 143");
+ 
+     expr_symtab_add_predicate(symtab, "tcp", "ip.proto == 6");
+     expr_symtab_add_field(symtab, "tcp.src", MFF_TCP_SRC, "tcp", false);
+diff --git a/northd/northd.c b/northd/northd.c
+index 32240b856..d3ff7629d 100644
+--- a/northd/northd.c
++++ b/northd/northd.c
+@@ -119,6 +119,7 @@ static bool default_acl_drop;
+ #define REGBIT_PORT_SEC_DROP      "reg0[15]"
+ #define REGBIT_ACL_STATELESS      "reg0[16]"
+ #define REGBIT_ACL_HINT_ALLOW_REL "reg0[17]"
++#define REGBIT_FROM_ROUTER_PORT   "reg0[18]"
+ 
+ #define REG_ORIG_DIP_IPV4         "reg1"
+ #define REG_ORIG_DIP_IPV6         "xxreg1"
+@@ -805,12 +806,6 @@ ovn_datapath_is_stale(const struct ovn_datapath *od)
+     return !od->nbr && !od->nbs;
+ }
+ 
+-static inline bool
+-ovn_datapath_is_transit_switch(const struct ovn_datapath *od)
+-{
+-    return od->tunnel_key >= OVN_MIN_DP_KEY_GLOBAL;
+-}
+-
+ static struct ovn_datapath *
+ ovn_datapath_from_sbrec(const struct hmap *ls_datapaths,
+                         const struct hmap *lr_datapaths,
+@@ -6126,13 +6121,11 @@ ovn_igmp_group_get_ports(const struct sbrec_igmp_group *sb_igmp_group,
+             continue;
+         }
+ 
+-        /* If this is already a port of a router on which relay is enabled
+-         * and it's not a transit switch to router port, skip it for the
+-         * group.  Traffic is flooded there anyway.
++        /* If this is already a port of a router on which relay is enabled,
++         * skip it for the group. Traffic is flooded there anyway.
+          */
+         if (port->peer && port->peer->od &&
+-                port->peer->od->mcast_info.rtr.relay &&
+-                !ovn_datapath_is_transit_switch(port->od)) {
++                port->peer->od->mcast_info.rtr.relay) {
+             continue;
+         }
+ 
+@@ -6956,6 +6949,12 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct hmap *lflows,
+                     op->od->localnet_ports[0]->key,
+                     &op->od->localnet_ports[0]->nbsp->header_);
+         }
++    } else if (lsp_is_router(op->nbsp)) {
++        ds_put_format(actions, REGBIT_FROM_ROUTER_PORT" = 1; next;");
++        ovn_lflow_add_with_lport_and_hint(lflows, op->od,
++                                          S_SWITCH_IN_CHECK_PORT_SEC, 70,
++                                          ds_cstr(match), ds_cstr(actions),
++                                          op->key, &op->nbsp->header_);
+     }
+ }
+ 
+@@ -7252,8 +7251,7 @@ build_interconn_mcast_snoop_flows(struct ovn_datapath *od,
+             continue;
+         }
+         /* Punt IGMP traffic to controller. */
+-        char *match = xasprintf("inport == %s && igmp && "
+-                                "flags.igmp_loopback == 0", op->json_key);
++        char *match = xasprintf("inport == %s && igmp", op->json_key);
+         ovn_lflow_metered(lflows, od, S_SWITCH_OUT_PRE_LB, 120, match,
+                           "clone { igmp; }; next;",
+                           copp_meter_get(COPP_IGMP, od->nbs->copp,
+@@ -7261,8 +7259,7 @@ build_interconn_mcast_snoop_flows(struct ovn_datapath *od,
+         free(match);
+ 
+         /* Punt MLD traffic to controller. */
+-        match = xasprintf("inport == %s && (mldv1 || mldv2) && "
+-                          "flags.igmp_loopback == 0", op->json_key);
++        match = xasprintf("inport == %s && (mldv1 || mldv2)", op->json_key);
+         ovn_lflow_metered(lflows, od, S_SWITCH_OUT_PRE_LB, 120, match,
+                           "clone { igmp; }; next;",
+                           copp_meter_get(COPP_IGMP, od->nbs->copp,
+@@ -8933,13 +8930,16 @@ build_fwd_group_lflows(struct ovn_datapath *od, struct hmap *lflows)
+     struct ds actions = DS_EMPTY_INITIALIZER;
+     struct ds group_ports = DS_EMPTY_INITIALIZER;
+ 
+-    for (int i = 0; i < od->nbs->n_forwarding_groups; ++i) {
++    for (size_t i = 0; i < od->nbs->n_forwarding_groups; ++i) {
+         const struct nbrec_forwarding_group *fwd_group = NULL;
+         fwd_group = od->nbs->forwarding_groups[i];
+         if (!fwd_group->n_child_port) {
+             continue;
+         }
+ 
++        ds_clear(&match);
++        ds_clear(&actions);
++
+         /* ARP responder for the forwarding group's virtual IP */
+         ds_put_format(&match, "arp.tpa == %s && arp.op == 1",
+                       fwd_group->vip);
+@@ -8970,9 +8970,9 @@ build_fwd_group_lflows(struct ovn_datapath *od, struct hmap *lflows)
+             ds_put_cstr(&group_ports, "liveness=\"true\",");
+         }
+         ds_put_cstr(&group_ports, "childports=");
+-        for (i = 0; i < (fwd_group->n_child_port - 1); ++i) {
++        for (size_t j = 0; j < (fwd_group->n_child_port - 1); ++j) {
+             ds_put_format(&group_ports, "\"%s\",",
+-                         fwd_group->child_port[i]);
++                          fwd_group->child_port[j]);
+         }
+         ds_put_format(&group_ports, "\"%s\"",
+                       fwd_group->child_port[fwd_group->n_child_port - 1]);
+@@ -9912,16 +9912,21 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
+                                                   &op->nbsp->header_);
+             }
+ 
+-            /* For ND solicitations, we need to listen for both the
+-             * unicast IPv6 address and its all-nodes multicast address,
+-             * but always respond with the unicast IPv6 address. */
++            /* For ND solicitations:
++             *   - Reply only for the all-nodes multicast address(es) of the
++             *     logical port IPv6 address(es).
++             *
++             *   - Do not reply for unicast ND solicitations.  Let the target
++             *     reply to it, so that the sender has the ability to monitor
++             *     the target liveness via the unicast ND solicitations.
++             */
+             for (size_t j = 0; j < op->lsp_addrs[i].n_ipv6_addrs; j++) {
+                 ds_clear(match);
+-                ds_put_format(match,
+-                        "nd_ns && ip6.dst == {%s, %s} && nd.target == %s",
+-                        op->lsp_addrs[i].ipv6_addrs[j].addr_s,
+-                        op->lsp_addrs[i].ipv6_addrs[j].sn_addr_s,
+-                        op->lsp_addrs[i].ipv6_addrs[j].addr_s);
++                ds_put_format(
++                    match,
++                    "nd_ns_mcast && ip6.dst == %s && nd.target == %s",
++                    op->lsp_addrs[i].ipv6_addrs[j].sn_addr_s,
++                    op->lsp_addrs[i].ipv6_addrs[j].addr_s);
+ 
+                 ds_clear(actions);
+                 ds_put_format(actions,
+@@ -9977,7 +9982,9 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
+         if (op->proxy_arp_addrs.n_ipv4_addrs) {
+             /* Match rule on all proxy ARP IPs. */
+             ds_clear(match);
+-            ds_put_cstr(match, "arp.op == 1 && arp.tpa == {");
++            ds_put_cstr(match,
++                        REGBIT_FROM_ROUTER_PORT" == 0 "
++                        "&& arp.op == 1 && arp.tpa == {");
+ 
+             for (i = 0; i < op->proxy_arp_addrs.n_ipv4_addrs; i++) {
+                 ds_put_format(match, "%s/%u,",
+@@ -10027,7 +10034,8 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op,
+             ds_truncate(&nd_target_match, nd_target_match.length - 2);
+             ds_clear(match);
+             ds_put_format(match,
+-                          "nd_ns "
++                          REGBIT_FROM_ROUTER_PORT" == 0 "
++                          "&& nd_ns "
+                           "&& ip6.dst == { %s } "
+                           "&& nd.target == { %s }",
+                           ds_cstr(&ip6_dst_match),
+@@ -10288,14 +10296,13 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
+         ds_put_cstr(actions, "igmp;");
+         /* Punt IGMP traffic to controller. */
+         ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 100,
+-                          "flags.igmp_loopback == 0 && igmp", ds_cstr(actions),
++                          "igmp", ds_cstr(actions),
+                           copp_meter_get(COPP_IGMP, od->nbs->copp,
+                                          meter_groups));
+ 
+         /* Punt MLD traffic to controller. */
+         ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 100,
+-                          "flags.igmp_loopback == 0 && (mldv1 || mldv2)",
+-                          ds_cstr(actions),
++                          "mldv1 || mldv2", ds_cstr(actions),
+                           copp_meter_get(COPP_IGMP, od->nbs->copp,
+                                          meter_groups));
+ 
+@@ -10359,16 +10366,8 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
+ }
+ 
+ 
+-/* Ingress table 27: Add IP multicast flows learnt from IGMP/MLD
+- * (priority 90).
+- *
+- * OR, for transit switches:
+- *
+- * Add IP multicast flows learnt from IGMP/MLD to forward traffic
+- * explicitly to the ports that are part of the IGMP/MLD group,
+- * and ignore MROUTER Ports.
+- * (priority 90).
+- */
++/* Ingress table 25: Add IP multicast flows learnt from IGMP/MLD
++ * (priority 90). */
+ static void
+ build_lswitch_ip_mcast_igmp_mld(struct ovn_igmp_group *igmp_group,
+                                 struct hmap *lflows,
+@@ -10382,9 +10381,6 @@ build_lswitch_ip_mcast_igmp_mld(struct ovn_igmp_group *igmp_group,
+         ds_clear(match);
+         ds_clear(actions);
+ 
+-        bool transit_switch =
+-            ovn_datapath_is_transit_switch(igmp_group->datapath);
+-
+         struct mcast_switch_info *mcast_sw_info =
+             &igmp_group->datapath->mcast_info.sw;
+         uint64_t table_size = mcast_sw_info->table_size;
+@@ -10430,7 +10426,7 @@ build_lswitch_ip_mcast_igmp_mld(struct ovn_igmp_group *igmp_group,
+         }
+ 
+         /* Also flood traffic to all multicast routers with relay enabled. */
+-        if (mcast_sw_info->flood_relay && !transit_switch) {
++        if (mcast_sw_info->flood_relay) {
+             ds_put_cstr(actions,
+                         "clone { "
+                             "outport = \""MC_MROUTER_FLOOD "\"; "
+@@ -17618,7 +17614,8 @@ build_static_mac_binding_table(
+     struct hmap *lr_ports)
+ {
+     /* Cleanup SB Static_MAC_Binding entries which do not have corresponding
+-     * NB Static_MAC_Binding entries. */
++     * NB Static_MAC_Binding entries, and SB Static_MAC_Binding entries for
++     * which there is not a NB Logical_Router_Port of the same name. */
+     const struct nbrec_static_mac_binding *nb_smb;
+     const struct sbrec_static_mac_binding *sb_smb;
+     SBREC_STATIC_MAC_BINDING_TABLE_FOR_EACH_SAFE (sb_smb,
+@@ -17628,6 +17625,12 @@ build_static_mac_binding_table(
+                                                sb_smb->ip);
+         if (!nb_smb) {
+             sbrec_static_mac_binding_delete(sb_smb);
++            continue;
++        }
++
++        struct ovn_port *op = ovn_port_find(lr_ports, nb_smb->logical_port);
++        if (!op || !op->nbrp || !op->od || !op->od->sb) {
++            sbrec_static_mac_binding_delete(sb_smb);
+         }
+     }
+ 
+diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
+index 897e626b4..f36afd999 100644
+--- a/northd/ovn-northd.8.xml
++++ b/northd/ovn-northd.8.xml
+@@ -1983,13 +1983,13 @@ output;
+       </li>
+ 
+       <li>
+-        Priority-90 flows for non-transit switches that forward registered
+-        IP multicast traffic to their corresponding multicast group, which
+-        <code>ovn-northd</code> creates based on learnt
+-        <ref table="IGMP_Group" db="OVN_Southbound"/> entries.  The flows
+-        also forward packets to the <code>MC_MROUTER_FLOOD</code> multicast
+-        group, which <code>ovn-nortdh</code> populates with all the logical
+-        ports that are connected to logical routers with
++        Priority-90 flows that forward registered IP multicast traffic to
++        their corresponding multicast group, which <code>ovn-northd</code>
++        creates based on learnt <ref table="IGMP_Group" db="OVN_Southbound"/>
++        entries.  The flows also forward packets to the
++        <code>MC_MROUTER_FLOOD</code> multicast group, which
++        <code>ovn-nortdh</code> populates with all the logical ports that
++        are connected to logical routers with
+         <ref column="options" table="Logical_Router"/>:mcast_relay='true'.
+       </li>
+ 
+diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
+index 00ff6ea4f..22c392b67 100644
+--- a/northd/ovn-northd.c
++++ b/northd/ovn-northd.c
+@@ -1098,6 +1098,7 @@ ovn_northd_resume(struct unixctl_conn *conn, int argc OVS_UNUSED,
+ {
+     struct northd_state *state = state_;
+     state->paused = false;
++    poll_immediate_wake();
+ 
+     unixctl_command_reply(conn, NULL);
+ }
+diff --git a/ovn-sb.xml b/ovn-sb.xml
+index 94e722512..01d1a3f4d 100644
+--- a/ovn-sb.xml
++++ b/ovn-sb.xml
+@@ -1155,6 +1155,7 @@
+       <ul>
+         <li><code>eth.bcast</code> expands to <code>eth.dst == ff:ff:ff:ff:ff:ff</code></li>
+         <li><code>eth.mcast</code> expands to <code>eth.dst[40]</code></li>
++        <li><code>eth.mcastv6</code> expands to <code>eth.dst[32..47] == 0x3333</code></li>
+         <li><code>vlan.present</code> expands to <code>vlan.tci[12]</code></li>
+         <li><code>ip4</code> expands to <code>eth.type == 0x800</code></li>
+         <li><code>ip4.src_mcast</code> expands to
+@@ -1170,8 +1171,10 @@
+         <li><code>ip.first_frag</code> expands to <code>ip.is_frag &amp;&amp; !ip.later_frag</code></li>
+         <li><code>arp</code> expands to <code>eth.type == 0x806</code></li>
+         <li><code>rarp</code> expands to <code>eth.type == 0x8035</code></li>
++        <li><code>ip6.mcast</code> expands to <code>eth.mcastv6 &amp;&amp; ip6.dst[120..127] == 0xff</code></li>
+         <li><code>nd</code> expands to <code>icmp6.type == {135, 136} &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
+         <li><code>nd_ns</code> expands to <code>icmp6.type == 135 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
++        <li><code>nd_ns_mcast</code> expands to <code>ip6.mcast  &amp;&amp; icmp6.type == 135 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
+         <li><code>nd_na</code> expands to <code>icmp6.type == 136 &amp;&amp; icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
+         <li><code>nd_rs</code> expands to <code>icmp6.type == 133 &amp;&amp;
+         icmp6.code == 0 &amp;&amp; ip.ttl == 255</code></li>
+diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
+index 83d13213f..678afe462 100644
+--- a/tests/ovn-controller.at
++++ b/tests/ovn-controller.at
+@@ -2772,3 +2772,41 @@ priority=1100,ip,reg15=0x1,metadata=0x1,nw_src=10.0.0.4 actions=load:0x1->OXM_OF
+ 
+ OVN_CLEANUP([hv1])
+ AT_CLEANUP
++
++AT_SETUP([ovn-controller - LB remove after disconnect])
++ovn_start
++
++net_add n1
++sim_add hv1
++as hv1
++check ovs-vsctl add-br br-phys
++ovn_attach n1 br-phys 192.168.0.1
++check ovs-vsctl -- add-port br-int vif1 -- \
++    set interface vif1 external-ids:iface-id=lsp
++
++check ovs-vsctl set Open_vSwitch . external-ids:ovn-remote-probe-interval="5000"
++
++check ovn-nbctl ls-add ls
++check ovn-nbctl lsp-add ls lsp \
++-- lsp-set-addresses lsp "f0:00:00:00:00:01 172.16.0.10"
++
++check ovn-nbctl lb-add lb 192.168.100.100 172.16.0.10
++check ovn-nbctl ls-lb-add ls lb
++
++wait_for_ports_up
++check ovn-nbctl --wait=hv sync
++
++sleep_sb
++OVS_WAIT_UNTIL([grep -q 'OVNSB commit failed' hv1/ovn-controller.log])
++
++sleep_controller hv1
++wake_up_sb
++
++ovn-nbctl lb-del lb
++
++wake_up_controller hv1
++check ovn-nbctl --wait=hv sync
++
++OVN_CLEANUP([hv1
++/no response to inactivity probe after .* seconds, disconnecting/d])
++AT_CLEANUP
+diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
+index f5de46a0b..fc89b5bab 100644
+--- a/tests/ovn-macros.at
++++ b/tests/ovn-macros.at
+@@ -957,16 +957,18 @@ stop_ovsdb_controller_updates() {
+   TCP_PORT=$1
+   echo Stopping updates from ovn-controller to ovsdb using port $TCP_PORT
+   on_exit 'nft list tables | grep ovn-test && nft delete table ip ovn-test'
+-  nft add table ip ovn-test
+-  nft 'add chain ip ovn-test INPUT { type filter hook input priority 0; policy accept; }'
+-  nft add rule ip ovn-test INPUT tcp dport $TCP_PORT counter drop
++  # Report the test as skipped if proper nft related packages are not installed.
++  AT_SKIP_IF([! which nft])
++  AT_CHECK([nft add table ip ovn-test])
++  AT_CHECK([nft 'add chain ip ovn-test INPUT { type filter hook input priority 0; policy accept; }'])
++  AT_CHECK([nft add rule ip ovn-test INPUT tcp dport $TCP_PORT counter drop])
+ }
+ 
+ restart_ovsdb_controller_updates() {
+   TCP_PORT=$1
+   echo Restarting updates from ovn-controller to ovsdb
+-  nft list ruleset | grep $TCP_PORT
+-  nft delete table ip ovn-test
++  AT_CHECK([nft list ruleset | grep $TCP_PORT], [0], [ignore])
++  AT_CHECK([nft delete table ip ovn-test])
+ }
+ 
+ trim_zeros() {
+diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
+index 4bebb2673..22c881d6a 100644
+--- a/tests/ovn-northd.at
++++ b/tests/ovn-northd.at
+@@ -7619,6 +7619,19 @@ wait_row_count Static_MAC_Binding 1 logical_port=lr0-p0 ip=192.168.10.100 mac="0
+ AT_CLEANUP
+ ])
+ 
++OVN_FOR_EACH_NORTHD_NO_HV([
++AT_SETUP([LR NB Static_MAC_Binding garbage collection])
++ovn_start
++
++check ovn-nbctl lr-add lr -- lrp-add lr lr-lrp 00:00:00:00:00:01 1.1.1.1/24
++check ovn-nbctl static-mac-binding-add lr-lrp 1.1.1.2 00:00:00:00:00:02
++wait_row_count sb:Static_MAC_Binding 1 logical_port=lr-lrp ip=1.1.1.2 mac="00\:00\:00\:00\:00\:02"
++check ovn-nbctl lr-del lr
++wait_row_count sb:Static_MAC_Binding 0
++
++AT_CLEANUP
++])
++
+ OVN_FOR_EACH_NORTHD_NO_HV([
+ AT_SETUP([LR neighbor lookup and learning flows])
+ ovn_start
+diff --git a/tests/ovn.at b/tests/ovn.at
+index ffd9f653e..a5b8f91b8 100644
+--- a/tests/ovn.at
++++ b/tests/ovn.at
+@@ -1304,6 +1304,9 @@ ct_commit { ct_label=0x181716151413121110090807060504030201; };
+     141-bit constant is not compatible with 128-bit field ct_label.
+ ct_commit { ip4.dst = 192.168.0.1; };
+     Field ip4.dst is not modifiable.
++reg8[17] = 1; ct_commit { ct_mark.blocked = 1; };
++    encodes as set_field:0x2000000000000/0x2000000000000->xreg4,ct(commit,zone=NXM_NX_REG13[0..15],exec(set_field:0x1/0x1->ct_mark))
++    has prereqs ip
+ 
+ # Legact ct_commit_v1 action.
+ ct_commit();
+@@ -5767,13 +5770,24 @@ for i in 1 2 3; do
+ 
+     # Test ICMPv6 MLD reports (v1 and v2) and NS for DAD
+     sip=00000000000000000000000000000000
+-    test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 83 21
+-    test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 8f 21
+-    test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff0200000000000000ea2aeafffe2800 87 21
++    # Multicast traffic is delivered to all ports, except for the source.
++    out_ports=
++    for j in 1 2 3; do
++        for k in 1 2 3; do
++            if test "${j}${k}" -eq "${i}3"; then
++                continue
++            else
++                out_ports="$out_ports ${j}${k}"
++            fi
++        done
++    done
++    test_icmpv6 ${i}3 f00000000${i}${i}3 333300160000 $sip ff020000000000000000000000160000 83 ${out_ports}
++    test_icmpv6 ${i}3 f00000000${i}${i}3 333300160000 $sip ff020000000000000000000000160000 8f ${out_ports}
++    test_icmpv6 ${i}3 f00000000${i}${i}3 3333fffe2800 $sip ff0200000000000000ea2aeafffe2800 87 ${out_ports}
+     # Traffic to non-multicast traffic should be dropped
+     test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip 83
+     # Traffic of other ICMPv6 types should be dropped
+-    test_icmpv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip ff020000000000000000000000160000 80
++    test_icmpv6 ${i}3 f00000000${i}${i}3 333300160000 $sip ff020000000000000000000000160000 80
+ 
+     # should be dropped
+     sip=ae80000000000000ea2aeafffe2800aa
+@@ -8428,7 +8442,7 @@ done
+ # Complete Neighbor Solicitation packet and Neighbor Advertisement packet
+ # vif1 -> NS -> vif2.  vif1 <- NA <- ovn-controller.
+ # vif2 will not receive NS packet, since ovn-controller will reply for it.
+-ns_packet=3333ffa1f9aefa163e94059886dd6000000000203afffd81ce49a9480000f8163efffe940598fd81ce49a9480000f8163efffea1f9ae8700e01160000000fd81ce49a9480000f8163efffea1f9ae0101fa163e940598
++ns_packet=3333ffa1f9aefa163e94059886dd6000000000203afffd81ce49a9480000f8163efffe940598ff0200000000000000000001ffa1f9ae8700e01160000000fd81ce49a9480000f8163efffea1f9ae0101fa163e940598
+ na_packet=fa163e940598fa163ea1f9ae86dd6000000000203afffd81ce49a9480000f8163efffea1f9aefd81ce49a9480000f8163efffe9405988800e9ed60000000fd81ce49a9480000f8163efffea1f9ae0201fa163ea1f9ae
+ 
+ as hv1 ovs-appctl netdev-dummy/receive vif1 $ns_packet
+@@ -14131,7 +14145,7 @@ test_ns_na() {
+     local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5
+ 
+     packet=$(fmt_pkt "
+-        Ether(dst='ff:ff:ff:ff:ff:ff', src='${src_mac}') /
++        Ether(dst='33:33:ff:ff:ff:ff', src='${src_mac}') /
+         IPv6(src='${src_ip}', dst='ff02::1:ff00:2') /
+         ICMPv6ND_NS(tgt='${dst_ip}')
+     ")
+@@ -14171,8 +14185,8 @@ test_mldv2() {
+     local inport=$1 outport=$2 src_mac=$3 src_ip=$4
+ 
+     packet=$(fmt_pkt "
+-        Ether(dst='ff:ff:ff:ff:ff:ff', src='${src_mac}') /
+-        IPv6(src='${src_ip}', dst='ff02::2') /
++        Ether(dst='33:33:00:00:00:01', src='${src_mac}') /
++        IPv6(src='${src_ip}', dst='ff02::1') /
+         ICMPv6MLQuery2()
+     ")
+     as hv1 ovs-appctl netdev-dummy/receive vif${inport} $packet
+@@ -26674,20 +26688,10 @@ wait_row_count IGMP_Group 2 address=239.0.1.68
+ wait_row_count IGMP_Group 2 address='"ff0a:dead:beef::1"'
+ check ovn-nbctl --wait=hv sync
+ 
+-#Validate that Multicast Group contains all registered ports for
+-# specific igmp group.
+-ts_dp=$(fetch_column datapath_binding _uuid external_ids:name=ts)
+-ports=$(fetch_column multicast_group ports name="239.0.1.68" datapath=$ts_dp)
+-check test X2 = X$(echo $ports | wc -w)
+-
+-
+ ovn_as az2
+ wait_row_count IGMP_Group 2 address=239.0.1.68
+ wait_row_count IGMP_Group 2 address='"ff0a:dead:beef::1"'
+ check ovn-nbctl --wait=hv sync
+-ts_dp=$(fetch_column datapath_binding _uuid external_ids:name=ts)
+-ports=$(fetch_column multicast_group ports name="239.0.1.68" datapath=$ts_dp)
+-check test X2 = X$(echo $ports | wc -w)
+ 
+ # Send an IP multicast packet from LSP2, it should be forwarded
+ # to lsp1 and lsp3.
+@@ -27428,7 +27432,14 @@ check ovs-vsctl add-port br-int vif3 -- set Interface vif3 external-ids:iface-id
+ # Add a forwarding group on ls2 with lsp21 and lsp22 as child ports
+ # virtual IP - 172.16.1.11, virtual MAC - 00:11:de:ad:be:ef
+ check ovn-nbctl --wait=hv fwd-group-add fwd_grp1 ls2 172.16.1.11 00:11:de:ad:be:ef lsp21 lsp22
++check ovn-nbctl --wait=hv fwd-group-add fwd_grp2 ls2 172.16.2.11 00:22:de:ad:be:ef lsp21 lsp22
+ 
++# Check logical flow
++AT_CAPTURE_FILE([sbflows])
++ovn-sbctl dump-flows > sbflows
++AT_CHECK([grep ls_in_l2_lkup sbflows | grep fwd_group | wc -l], [0], [2
++])
++check ovn-nbctl --wait=hv fwd-group-del fwd_grp2
+ # Check logical flow
+ AT_CAPTURE_FILE([sbflows])
+ ovn-sbctl dump-flows > sbflows
+@@ -32805,7 +32816,7 @@ AT_CHECK([ovn-sbctl dump-flows |
+           grep ls_in_arp_rsp |
+           grep "${arp_proxy_ls1[[1]]}" |
+           sed 's/table=../table=??/'], [0], [dnl
+-  table=??(ls_in_arp_rsp      ), priority=30   , match=(arp.op == 1 && dnl
++  table=??(ls_in_arp_rsp      ), priority=30   , match=(reg0[[18]] == 0 && arp.op == 1 && dnl
+ arp.tpa == {169.254.238.0/24,169.254.239.2/32}), dnl
+ action=(eth.dst = eth.src; eth.src = 00:00:00:01:02:f1; arp.op = 2; dnl
+ /* ARP reply */ arp.tha = arp.sha; arp.sha = 00:00:00:01:02:f1; dnl
+@@ -32818,7 +32829,7 @@ AT_CHECK([ovn-sbctl dump-flows |
+           grep "${arp_proxy_ls1[[3]]}" |
+           sed 's/table=../table=??/'], [0], [dnl
+   table=??(ls_in_arp_rsp      ), priority=30   , dnl
+-match=(nd_ns && ip6.dst == { fd7b:6b4d:7b25:d22d::/64, ff02::1:ff00:0/64, dnl
++match=(reg0[[18]] == 0 && nd_ns && ip6.dst == { fd7b:6b4d:7b25:d22d::/64, ff02::1:ff00:0/64, dnl
+ fd7b:6b4d:7b25:d22f::1/128, ff02::1:ff00:1/128 } && dnl
+ nd.target == { fd7b:6b4d:7b25:d22d::/64, fd7b:6b4d:7b25:d22f::1/128 }), dnl
+ action=(nd_na_router { eth.src = 00:00:00:01:02:f1; ip6.src = nd.target; dnl
+@@ -32832,7 +32843,7 @@ AT_CHECK([ovn-sbctl dump-flows |
+           grep "${arp_proxy_ls2[[2]]}" |
+           sed 's/table=../table=??/'], [0], [dnl
+   table=??(ls_in_arp_rsp      ), priority=30   , dnl
+-match=(arp.op == 1 && arp.tpa == {169.254.236.0/24,169.254.237.2/32}), dnl
++match=(reg0[[18]] == 0 && arp.op == 1 && arp.tpa == {169.254.236.0/24,169.254.237.2/32}), dnl
+ action=(eth.dst = eth.src; eth.src = 00:00:00:02:02:f1; arp.op = 2; dnl
+ /* ARP reply */ arp.tha = arp.sha; arp.sha = 00:00:00:02:02:f1; dnl
+ arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;)
+@@ -32844,7 +32855,7 @@ AT_CHECK([ovn-sbctl dump-flows |
+           grep "${arp_proxy_ls2[[4]]}" |
+           sed 's/table=../table=??/'], [0], [dnl
+   table=??(ls_in_arp_rsp      ), priority=30   , dnl
+-match=(nd_ns && ip6.dst == { fd7b:6b4d:7b25:d22b::/64, ff02::1:ff00:0/64, dnl
++match=(reg0[[18]] == 0 && nd_ns && ip6.dst == { fd7b:6b4d:7b25:d22b::/64, ff02::1:ff00:0/64, dnl
+ fd7b:6b4d:7b25:d22c::1/128, ff02::1:ff00:1/128 } && dnl
+ nd.target == { fd7b:6b4d:7b25:d22b::/64, fd7b:6b4d:7b25:d22c::1/128 }), dnl
+ action=(nd_na_router { eth.src = 00:00:00:02:02:f1; ip6.src = nd.target; dnl
+@@ -35202,7 +35213,10 @@ check_default_flows() {
+ 
+ # Check that every drop flow gets sampled.
+ check_sample_drops() {
+-
++    hv=hv$1
++    remote_hv=hv$((${1}%2 + 1))
++    race_condition=$2
++    ovs-vsctl destroy Flow_Sample_Collector_Set 123
+     check ovn-nbctl -- remove NB_Global . options debug_drop_collector_set \
+                     -- remove NB_Global . options debug_drop_domain_id
+     check ovn-nbctl --wait=hv sync
+@@ -35212,14 +35226,52 @@ check_sample_drops() {
+     # Take match part of flows that contain "drop".
+     drop_matches="$(grep 'drop' oflows_nosample | grep -oP 'table=\d*, priority=.* ')"
+ 
++    if [[ x$race_condition = x"true" ]]; then
++        sleep_controller $hv
++        # Get ofport used by the geneve interface
++        OVS_WAIT_UNTIL([
++            ofport=$(as $hv ovs-vsctl --bare --columns ofport find Interface name=ovn-${remote_hv}-0)
++            test 1 -le $ofport
++        ])
++
++        # Add a vif while ovn-controller sleeps, and make it request the ofport used by the geneve interface.
++        # This is used to cause the geneve interface to change ofport.
++        ovs-vsctl -- add-port br-int vif3 -- set interface vif3\
++            options:tx_pcap=${hv}/vif3-tx.pcap \
++            options:rxq_pcap=${hv}/vif3-rx.pcap \
++            ofport-request=$ofport
++        OVS_WAIT_UNTIL([
++            vif_ofport=$(as $hv ovs-vsctl --bare --columns ofport find Interface name=vif3)
++            test 1 -le $vif_ofport
++        ])
++        # For the geneve interface ofport change to happen...
++        ovs-vsctl -- add-port br-int vif4 -- set interface vif4\
++            options:tx_pcap=${hv}/vif4-tx.pcap \
++            options:rxq_pcap=${hv}/vif4-rx.pcap
++        OVS_WAIT_UNTIL([
++            new_ofport=$(as $hv ovs-vsctl --bare --columns ofport find Interface name=ovn-${remote_hv}-0)
++            test $ofport -ne $new_ofport
++        ])
++    fi
++
+     ovs-vsctl --id=@br get Bridge br-int --  \
+         --id=@i create IPFIX targets=\"192.168.1.1\"  -- \
+         create Flow_Sample_Collector_Set bridge=@br id=123 ipfix=@i
+ 
+     check ovn-nbctl -- set NB_Global . options:debug_drop_collector_set="123" \
+                     -- set NB_Global . options:debug_drop_domain_id="1"
+-    check ovn-nbctl --wait=hv sync
+ 
++    if [[ x$race_condition = x"true" ]]; then
++        # Wait sb as ovn-controller sleeps.
++        check ovn-nbctl --wait=sb sync
++        # Wake up ovn-controller. It should most of the times receive non-vif ofport change and sb changes at the same time.
++        wake_up_controller $hv
++        # Check twice ovn-controller is running to guarantee if run a full loop.
++        OVS_WAIT_UNTIL([test x$(as $hv ovn-appctl -t ovn-controller debug/status) = "xrunning"])
++        OVS_WAIT_UNTIL([test x$(as $hv ovn-appctl -t ovn-controller debug/status) = "xrunning"])
++    else
++        check ovn-nbctl --wait=hv sync
++    fi
+     ovs-ofctl dump-flows --no-stats br-int > oflows_sample
+     AT_CAPTURE_FILE([oflows_sample])
+ 
+@@ -35227,6 +35279,8 @@ check_sample_drops() {
+     save_IFS=$IFS
+     IFS=$'\n'
+     for flow in $drop_matches; do
++        # Restore IFS to avoid "printf %s\n: command not found" errors.
++        IFS=$save_IFS
+         AT_CHECK([grep "${flow}actions=.*sample.*" oflows_sample], [0], [ignore], [ignore], [echo "Flow $flow has a drop and did not get sampled"])
+     done
+     IFS=$save_IFS
+@@ -35239,9 +35293,9 @@ check_drops() {
+     check_default_flows
+ 
+     as hv1
+-    check_sample_drops
++    check_sample_drops 1 $1
+     as hv2
+-    check_sample_drops
++    check_sample_drops 2 $1
+ }
+ 
+ # Logical network:
+@@ -35309,7 +35363,8 @@ ovs-vsctl -- add-port br-int hv2-vif1 -- \
+ wait_for_ports_up
+ check ovn-nbctl --wait=hv sync
+ 
+-check_debug
++check_drops
++check_drops true
+ 
+ # Add stateless ACL
+ check ovn-nbctl --wait=sb \
+@@ -35317,7 +35372,7 @@ check ovn-nbctl --wait=sb \
+ check ovn-nbctl --wait=sb \
+                 -- acl-add ls2 from-lport 100 'ip4' allow-stateless
+ 
+-check_debug
++check_drops
+ 
+ check ovn-nbctl --wait=sb acl-del ls1
+ check ovn-nbctl --wait=sb acl-del ls2
+@@ -35328,7 +35383,7 @@ check ovn-nbctl --wait=sb \
+ check ovn-nbctl --wait=sb \
+                 -- acl-add ls2 from-lport 100 "udp" allow-related
+ 
+-check_debug
++check_drops
+ 
+ check ovn-nbctl --wait=sb acl-del ls1
+ check ovn-nbctl --wait=sb acl-del ls2
+@@ -37663,9 +37718,9 @@ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                     --ca-cert=$PKIDIR/testpki-cacert.pem \
+                     --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                     --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+-                    chassis-add ch vxlan 1.2.4.8], [1], [ignore],
+-[ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
+-])
++                    chassis-add ch vxlan 1.2.4.8 2>&1 | grep 'transaction error]', [0], [dnl
++ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
++], [ignore])
+ 
+ OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+ AT_CLEANUP
+@@ -37840,3 +37895,170 @@ OVS_WAIT_FOR_OUTPUT([as hv1 ovs-ofctl dump-flows br-int table=0 |grep priority=1
+ OVN_CLEANUP([hv1])
+ AT_CLEANUP
+ ])
++
++dnl This test checks that the megaflows translated by ovs-vswitchd
++dnl don't match on IPv6 source and destination addresses for
++dnl simple switching.
++OVN_FOR_EACH_NORTHD([
++AT_SETUP([IPv6 switching - megaflow check for IPv6 src/dst matches])
++ovn_start
++
++check ovn-nbctl ls-add sw0
++
++check ovn-nbctl lsp-add sw0 vm0
++check ovn-nbctl lsp-set-addresses vm0 "f0:00:0f:01:02:03 10.0.0.3 1000::3"
++
++check ovn-nbctl lsp-add sw0 vm1
++check ovn-nbctl lsp-set-addresses vm1 "f0:00:0f:01:02:04 10.0.0.4 1000::4"
++
++check ovn-nbctl lr-add lr0
++check ovn-nbctl lrp-add lr0 lr0-sw0 fa:16:3e:00:00:01 10.0.0.1 1000::1/64
++check ovn-nbctl lsp-add sw0 sw0-lr0
++check ovn-nbctl lsp-set-type sw0-lr0 router
++check ovn-nbctl lsp-set-addresses sw0-lr0 router
++check ovn-nbctl --wait=hv lsp-set-options sw0-lr0 router-port=lr0-sw0
++
++net_add n1
++sim_add hv
++as hv
++check ovs-vsctl add-br br-phys
++ovn_attach n1 br-phys 192.168.0.1
++check ovs-vsctl add-port br-int vif1 -- \
++    set Interface vif1 external-ids:iface-id=vm0 \
++    options:tx_pcap=hv/vif1-tx.pcap \
++    options:rxq_pcap=hv/vif1-rx.pcap \
++    ofport-request=1
++check ovs-vsctl add-port br-int vif2 -- \
++    set Interface vif2  external-ids:iface-id=vm1 \
++    options:tx_pcap=hv/vif2-tx.pcap \
++    options:rxq_pcap=hv/vif2-rx.pcap \
++    ofport-request=2
++
++check ovn-nbctl --wait=sb sync
++wait_for_ports_up
++
++AS_BOX([No port security, to vm1])
++packet=$(fmt_pkt "Ether(dst='f0:00:0f:01:02:04', src='f0:00:0f:01:02:03')/ \
++                  IPv6(dst='1000::4', src='1000::3')/ \
++                  UDP(sport=53, dport=4369)")
++
++as hv
++ovs-appctl ofproto/trace br-int in_port=1 $packet > vm0_ip6_ofproto_trace.txt
++ovs-appctl netdev-dummy/receive vif1 $packet
++
++AT_CAPTURE_FILE([vm0_ip6_ofproto_trace.txt])
++
++AT_CHECK([grep Megaflow vm0_ip6_ofproto_trace.txt | grep -e ipv6_src -e ipv6_dst -c], [1], [dnl
++0
++])
++
++dnl Make sure that the packet was received by vm1.  This ensures that the
++dnl packet was delivered as expected and the megaflow didn't have any matches
++dnl on IPv6 src or dst.
++
++echo $packet >> expected-vif2
++OVN_CHECK_PACKETS([hv/vif2-tx.pcap], [expected-vif2])
++
++AS_BOX([No port security, to vm0])
++packet=$(fmt_pkt "Ether(dst='f0:00:0f:01:02:03', src='f0:00:0f:01:02:04')/ \
++                  IPv6(dst='1000::3', src='1000::4')/ \
++                  UDP(sport=53, dport=4369)")
++
++as hv
++ovs-appctl ofproto/trace br-int in_port=2 $packet > vm1_ip6_ofproto_trace.txt
++ovs-appctl netdev-dummy/receive vif2 $packet
++
++AT_CAPTURE_FILE([vm1_ip6_ofproto_trace.txt])
++
++AT_CHECK([grep Megaflow vm0_ip6_ofproto_trace.txt | grep -e ipv6_src -e ipv6_dst -c], [1], [dnl
++0
++])
++
++dnl Make sure that the packet was received by vm0.  This ensures that the
++dnl packet was delivered as expected and the megaflow didn't have any matches
++dnl on IPv6 src or dst.
++echo $packet >> expected-vif1
++OVN_CHECK_PACKETS([hv/vif1-tx.pcap], [expected-vif1])
++
++AS_BOX([With port security, to vm1])
++dnl Add port security to vm0.  The megaflow should now match on ipv6 src/dst.
++check ovn-nbctl lsp-set-port-security vm0 "f0:00:0f:01:02:03 10.0.0.3 1000::3"
++check ovn-nbctl --wait=hv sync
++
++packet=$(fmt_pkt "Ether(dst='f0:00:0f:01:02:04', src='f0:00:0f:01:02:03')/ \
++                  IPv6(dst='1000::4', src='1000::3')/ \
++                  UDP(sport=53, dport=4369)")
++
++as hv
++ovs-appctl ofproto/trace br-int in_port=1 $packet > vm0_ip6_ofproto_trace.txt
++ovs-appctl netdev-dummy/receive vif1 $packet
++
++AT_CAPTURE_FILE([vm0_ip6_ofproto_trace.txt])
++
++AT_CHECK([grep Megaflow vm0_ip6_ofproto_trace.txt | grep -e ipv6_src -e ipv6_dst -c], [0], [dnl
++1
++])
++
++dnl Make sure that the packet was received by vm1.
++echo $packet >> expected-vif2
++OVN_CHECK_PACKETS([hv/vif2-tx.pcap], [expected-vif2])
++
++AS_BOX([Clear port security, to vm1])
++dnl Clear port security.
++check ovn-nbctl lsp-set-port-security vm0 ""
++check ovn-nbctl --wait=hv sync
++
++as hv
++ovs-appctl ofproto/trace br-int in_port=1 $packet > vm0_ip6_ofproto_trace.txt
++ovs-appctl netdev-dummy/receive vif1 $packet
++
++AT_CAPTURE_FILE([vm0_ip6_ofproto_trace.txt])
++
++AT_CHECK([grep Megaflow vm0_ip6_ofproto_trace.txt | grep -e ipv6_src -e ipv6_dst -c], [1], [dnl
++0
++])
++
++dnl Make sure that the packet was received by vm1.
++echo $packet >> expected-vif2
++OVN_CHECK_PACKETS([hv/vif2-tx.pcap], [expected-vif2])
++
++AS_BOX([With proxy arp/nd, to vm1])
++dnl Configure proxy arp/nd on the router port.  The megaflow should now match
++dnl on ipv6 src/dst.
++check ovn-nbctl --wait=hv lsp-set-options sw0-lr0 router-port=lr0-sw0 arp_proxy="2000::1/64"
++
++as hv
++ovs-appctl ofproto/trace br-int in_port=1 $packet > vm0_ip6_ofproto_trace.txt
++ovs-appctl netdev-dummy/receive vif1 $packet
++
++AT_CAPTURE_FILE([vm0_ip6_ofproto_trace.txt])
++
++AT_CHECK([grep Megaflow vm0_ip6_ofproto_trace.txt | grep -e ipv6_src -e ipv6_dst -c], [0], [dnl
++1
++])
++
++dnl Make sure that the packet was received by vm1.
++echo $packet >> expected-vif2
++OVN_CHECK_PACKETS([hv/vif2-tx.pcap], [expected-vif2])
++
++AS_BOX([With proxy arp/nd, to vm0])
++packet=$(fmt_pkt "Ether(dst='f0:00:0f:01:02:03', src='f0:00:0f:01:02:04')/ \
++                  IPv6(dst='1000::3', src='1000::4')/ \
++                  UDP(sport=53, dport=4369)")
++
++as hv
++ovs-appctl ofproto/trace br-int in_port=2 $packet > vm1_ip6_ofproto_trace.txt
++ovs-appctl netdev-dummy/receive vif2 $packet
++
++AT_CAPTURE_FILE([vm1_ip6_ofproto_trace.txt])
++
++AT_CHECK([grep Megaflow vm0_ip6_ofproto_trace.txt | grep -e ipv6_src -e ipv6_dst -c], [0], [dnl
++1
++])
++
++dnl Make sure that the packet was received by vm0.
++echo $packet >> expected-vif1
++OVN_CHECK_PACKETS([hv/vif1-tx.pcap], [expected-vif1])
++
++AT_CLEANUP
++])
+diff --git a/tests/system-ovn.at b/tests/system-ovn.at
+index 463075ac0..45e9ac94f 100644
+--- a/tests/system-ovn.at
++++ b/tests/system-ovn.at
+@@ -10628,7 +10628,7 @@ check ovn-nbctl ls-add bar
+ # Connect foo to R1
+ check ovn-nbctl lrp-add R1 foo 00:00:01:01:02:03 192.168.1.1/24
+ check ovn-nbctl lsp-add foo rp-foo -- set Logical_Switch_Port rp-foo \
+-    type=router options:arp_proxy="0a:58:a9:fe:01:01 169.254.239.254 169.254.239.2 169.254.238.0/24 192.168.1.100" options:router-port=foo addresses='"router"'
++    type=router options:arp_proxy="0a:58:a9:fe:01:01 169.254.239.254 169.254.239.2 169.254.238.0/24 192.168.1.100 192.168.1.200" options:router-port=foo addresses='"router"'
+ 
+ # Connect bar to R1
+ check ovn-nbctl lrp-add R1 bar 00:00:01:01:02:04 192.168.2.1/24
+@@ -10657,6 +10657,12 @@ ADD_VETH(foo3, foo3, br-int, "192.168.1.4/24", "f0:00:00:01:02:05", \
+ check ovn-nbctl lsp-add foo foo3 \
+ -- lsp-set-addresses foo3 "f0:00:00:01:02:05 192.168.1.4"
+ 
++ADD_NAMESPACES(foo4)
++ADD_VETH(foo4, foo4, br-int, "192.168.1.6/24", "f0:00:00:01:02:11", \
++         "192.168.1.1")
++check ovn-nbctl lsp-add foo foo4 \
++-- lsp-set-addresses foo4 "f0:00:00:01:02:11 192.168.1.6"
++
+ # Logical port 'ext1' in switch 'foo'
+ ADD_NAMESPACES(ext1)
+ ADD_VETH(ext1, ext1, br-ext, "192.168.1.5/24", "f0:00:00:01:02:06", \
+@@ -10672,6 +10678,12 @@ ADD_VETH(bar1, bar1, br-int, "192.168.2.2/24", "f0:00:00:01:02:07", \
+ check ovn-nbctl lsp-add bar bar1 \
+ -- lsp-set-addresses bar1 "f0:00:00:01:02:07 192.168.2.2"
+ 
++ADD_NAMESPACES(bar2)
++ADD_VETH(bar2, bar2, br-int, "192.168.2.3/24", "f0:00:00:01:02:10", \
++"192.168.2.1")
++check ovn-nbctl lsp-add bar bar2 \
++-- lsp-set-addresses bar2 "f0:00:00:01:10:10 192.168.2.3"
++
+ # wait for ovn-controller to catch up.
+ check ovn-nbctl --wait=hv sync
+ 
+@@ -10723,6 +10735,14 @@ OVS_WAIT_UNTIL([
+     test "${total_pkts}" = "3"
+ ])
+ 
++check ovn-nbctl lr-route-add R1 169.254.240.0/24 192.168.1.200
++NETNS_START_TCPDUMP([foo4], [-nn -c 4 -e -i foo4 arp[[24:4]]=0xc0a801c8], [foo4-arp])
++
++NS_CHECK_EXEC([bar2], [ping -q -c 5 -i 0.3 -w 2 169.254.240.10],[ignore],[ignore])
++OVS_WAIT_UNTIL([
++    total_pkts=$(cat foo4-arp.tcpdump| wc -l)
++    test "${total_pkts}" = "4"
++])
+ 
+ OVS_APP_EXIT_AND_WAIT([ovn-controller])
+ 
+diff --git a/utilities/automake.mk b/utilities/automake.mk
+index 6a2b96e66..b7d2ebeef 100644
+--- a/utilities/automake.mk
++++ b/utilities/automake.mk
+@@ -41,6 +41,7 @@ EXTRA_DIST += \
+     utilities/checkpatch.py \
+     utilities/containers/Makefile \
+     utilities/containers/py-requirements.txt \
++    utilities/containers/prepare.sh \
+     utilities/containers/fedora/Dockerfile \
+     utilities/containers/ubuntu/Dockerfile \
+     utilities/docker/Makefile \
+diff --git a/utilities/containers/fedora/Dockerfile b/utilities/containers/fedora/Dockerfile
+index c11ea37b7..f5852378c 100755
+--- a/utilities/containers/fedora/Dockerfile
++++ b/utilities/containers/fedora/Dockerfile
+@@ -27,6 +27,7 @@ RUN dnf -y update \
+         libcap-ng-devel \
+         libtool \
+         net-tools \
++        nftables \
+         nmap-ncat \
+         openssl \
+         openssl-devel \
+@@ -44,23 +45,12 @@ RUN dnf -y update \
+     && \
+     dnf clean all
+ 
+-# Compile sparse from source
+-WORKDIR /workspace/sparse
+-
+-RUN git clone git://git.kernel.org/pub/scm/devel/sparse/sparse.git \
+-    /workspace/sparse \
+-    && \
+-    make -j4 PREFIX=/usr HAVE_LLVM= HAVE_SQLITE= install
+-
+ WORKDIR /workspace
+ 
+ COPY $CONTAINERS_PATH/py-requirements.txt /tmp/py-requirements.txt
+ 
+-# Update and install pip dependencies
+-RUN python3 -m pip install --upgrade pip \
+-    && \
+-    python3 -m pip install wheel \
+-    && \
+-    python3 -m pip install -r /tmp/py-requirements.txt
++COPY $CONTAINERS_PATH/prepare.sh /tmp/prepare.sh
++
++RUN /tmp/prepare.sh
+ 
+ CMD ["/usr/sbin/init"]
+diff --git a/utilities/containers/prepare.sh b/utilities/containers/prepare.sh
+new file mode 100755
+index 000000000..d3e8c4253
+--- /dev/null
++++ b/utilities/containers/prepare.sh
+@@ -0,0 +1,22 @@
++#!/bin/bash -xe
++
++function compile_sparse()
++{
++    git clone git://git.kernel.org/pub/scm/devel/sparse/sparse.git \
++        /workspace/sparse
++
++    pushd sparse
++    make -j4 PREFIX=/usr HAVE_LLVM= HAVE_SQLITE= install
++    popd
++}
++
++function install_python_dep()
++{
++    # The --user should be removed once pip can be upgraded on Ubuntu.
++    python3 -m pip install --user --upgrade pip
++    python3 -m pip install wheel
++    python3 -m pip install -r /tmp/py-requirements.txt
++}
++
++compile_sparse
++install_python_dep
+diff --git a/utilities/containers/ubuntu/Dockerfile b/utilities/containers/ubuntu/Dockerfile
+index 3c7fe7775..4e9599004 100755
+--- a/utilities/containers/ubuntu/Dockerfile
++++ b/utilities/containers/ubuntu/Dockerfile
+@@ -32,6 +32,7 @@ RUN apt update -y \
+         llvm-dev \
+         ncat \
+         net-tools \
++        nftables \
+         python3-dev \
+         python3-pip \
+         selinux-policy-dev \
+@@ -43,23 +44,12 @@ RUN apt update -y \
+     && \
+     apt clean
+ 
+-# Compile sparse from source
+-WORKDIR /workspace/sparse
+-
+-RUN git clone git://git.kernel.org/pub/scm/devel/sparse/sparse.git \
+-    /workspace/sparse \
+-    && \
+-    make -j4 PREFIX=/usr HAVE_LLVM= HAVE_SQLITE= install
+-
+ WORKDIR /workspace
+ 
+ COPY $CONTAINERS_PATH/py-requirements.txt /tmp/py-requirements.txt
+ 
+-# Update and install pip dependencies
+-RUN python3 -m pip install --upgrade pip \
+-    && \
+-    python3 -m pip install wheel \
+-    && \
+-    python3 -m pip install -r /tmp/py-requirements.txt
++COPY $CONTAINERS_PATH/prepare.sh /tmp/prepare.sh
++
++RUN /tmp/prepare.sh
+ 
+ CMD ["/sbin/init"]
diff --git a/SPECS/ovn23.09.spec b/SPECS/ovn23.09.spec
index a3aadf5..2e7dec9 100644
--- a/SPECS/ovn23.09.spec
+++ b/SPECS/ovn23.09.spec
@@ -50,8 +50,8 @@ Name: %{pkgname}
 Summary: Open Virtual Network support
 Group: System Environment/Daemons
 URL: http://www.ovn.org/
-Version: 23.09.3
-Release: 5%{?commit0:.%{date}git%{shortcommit0}}%{?dist}
+Version: 23.09.4
+Release: 28%{?commit0:.%{date}git%{shortcommit0}}%{?dist}
 Provides: openvswitch%{pkgver}-ovn-common = %{?epoch:%{epoch}:}%{version}-%{release}
 Obsoletes: openvswitch%{pkgver}-ovn-common < 2.11.0-1
 
@@ -59,13 +59,13 @@ Obsoletes: openvswitch%{pkgver}-ovn-common < 2.11.0-1
 # lib/sflow*.[ch] files are SISSL
 License: ASL 2.0 and LGPLv2+ and SISSL
 
-%define ovncommit fbdc94d4309f28ad59e41025ff42945478dd12cc
+%define ovncommit 6b204436d028d49765929671b20b7f4bc0248a52
 
 # Always pull an upstream release, since this is what we rebase to.
 Source: https://github.com/ovn-org/ovn/archive/%{ovncommit}.tar.gz#/ovn-%{version}.tar.gz
 
-%define ovscommit 49e64f13b2c965f5b53a65eeab70ac2e3f0bf69a
-%define ovsshortcommit 49e64f1
+%define ovscommit c88a35fc29f0c0eb6189853bfc738c2100d4860f
+%define ovsshortcommit c88a35f
 
 Source10: https://github.com/openvswitch/ovs/archive/%{ovscommit}.tar.gz#/openvswitch-%{ovsshortcommit}.tar.gz
 %define ovsdir ovs-%{ovscommit}
@@ -483,6 +483,7 @@ fi
 %{_bindir}/ovn-appctl
 %{_bindir}/ovn-ic-nbctl
 %{_bindir}/ovn-ic-sbctl
+%{_bindir}/ovn-debug
 %dir %{_datadir}/ovn/
 %dir %{_datadir}/ovn/scripts/
 %{_datadir}/ovn/scripts/ovn-ctl
@@ -497,6 +498,7 @@ fi
 %{_mandir}/man7/ovn-architecture.7*
 %{_mandir}/man8/ovn-sbctl.8*
 %{_mandir}/man8/ovn-ic-sbctl.8*
+%{_mandir}/man8/ovn-debug.8*
 %{_mandir}/man5/ovn-nb.5*
 %{_mandir}/man5/ovn-ic-nb.5*
 %{_mandir}/man5/ovn-sb.5*
@@ -530,11 +532,103 @@ fi
 %{_unitdir}/ovn-controller-vtep.service
 
 %changelog
-* Tue Mar 12 2024 Ilya Maximets <i.maximets@ovn.org> - 23.09.3-5
-- github: Reduce ASLR entropy to be compatible with asan in llvm 14.
-[Upstream: 835b43811dfcf469da3123911240cc953b52bac3]
+* Fri Aug 16 2024 Numan Siddique <numans@ovn.org> - 23.09.4-28
+- Reply only for the multicast ND solicitations.
+[Upstream: 6b6bfd53dd10fff1925c7f5b3658b689794c8ab9]
 
-* Tue Mar 12 2024 Mark Michelson <mmichels@redhat.com> - 23.09.3-4
-- Prepare for 23.09.4.
-[Upstream: 5ce1740aaa02ebeed561ffb6298b71035b5c908a]
+* Fri Aug 16 2024 Mark Michelson <mmichels@redhat.com> - 23.09.4-27
+- Prepare for 23.09.6.
+[Upstream: 3b523c8136099f46d8fe82ff2389d7ad733d77fc]
+
+* Fri Aug 16 2024 Mark Michelson <mmichels@redhat.com> - 23.09.4-26
+- Set release date for 23.09.5.
+[Upstream: 6582276862c7c1b7bbf879f0af0ce350a9253a78]
+
+* Wed Aug 14 2024 Xavier Simonart <xsimonar@redhat.com> - 23.09.4-25
+- ci: Add nftables to containers.
+[Upstream: 23b86e41ab8c91b10b9e187a1ebfef8f41ec0fe5]
+
+* Wed Aug 14 2024 Xavier Simonart <xsimonar@redhat.com> - 23.09.4-24
+- tests: Skip some tests if nft not installed.
+[Upstream: e43b9140e5f8f02cf86e06d69ed9c0df5d01989a]
+
+* Mon Aug 12 2024 Rosemarie O'Riorden <roriorden@redhat.com> - 23.09.4-23
+- northd: Clean up SB MAC bindings for deleted ports.
+[Upstream: 4a98b76fe4dec6029002b7c67c91a8120583006d]
+
+* Mon Aug 12 2024 Ales Musil <amusil@redhat.com> - 23.09.4-22
+- controller: Make sure the meter and group tables are initialized.
+[Upstream: 563f0b7d2a70f903f43679b18b025e10572c3332]
+
+* Fri Aug 09 2024 Dumitru Ceara <dceara@redhat.com> - 23.09.4-21
+- ci: ovn-kubernetes: Move to stable release-1.0 branch.
+[Upstream: 8e4f3ff204db3a577306f0455e2de99662d284b0]
+
+* Fri Aug 09 2024 Ilya Maximets <i.maximets@ovn.org> - 23.09.4-20
+- logical-fields: Add missing multicast matches for MLD and IGMP.
+[Upstream: ea584fd60936997cd15f2d9d3340d62c1f3b5ace]
+
+* Mon Jul 22 2024 zhangqiang45 <zhangqiang45@lenovo.com> - 23.09.4-19
+- northd: Fix issues for Forwarding_Group.
+[Upstream: 3cbd4d8e1f3c699bc378e0cab6ae980cef8725cf]
+
+* Fri Jul 19 2024 Vladislav Odintsov <odivlad@gmail.com> - 23.09.4-18
+- tests: Fix ssl-ciphers RO sb test with old openssl.
+[Upstream: aa4cd0cdd0df5d4dd202bf089f7ff6db58732a9d]
+
+* Tue Jun 25 2024 Ales Musil <amusil@redhat.com> - 23.09.4-17
+- ci: Move common build steps into script.
+[Upstream: dca6e187d6e63c6f37111aeddb05517886481751]
+
+* Tue Jun 18 2024 Dumitru Ceara <dceara@redhat.com> - 23.09.4-16
+- northd: ic: Remove unused function and fix unit test.
+[Upstream: 83c2238cbf41f6600fe024ce1df58c9800299bd6]
+
+* Tue Jun 18 2024 Dumitru Ceara <dceara@redhat.com> - 23.09.4-15
+- Revert "northd: Don't skip transit switch LSP when creating mcast groups."
+[Upstream: 5f0809be565713d3634a6c663e122c0bfb5dff92]
+
+* Tue Jun 18 2024 Dumitru Ceara <dceara@redhat.com> - 23.09.4-14
+- Revert "ovn-ic: Avoid igmp/mld traffic flooding."
+[Upstream: 848b17e907a6d8d333c8d995994d524951ad0efd]
+
+* Tue Jun 18 2024 Dumitru Ceara <dceara@redhat.com> - 23.09.4-13
+- Revert "IC: Tansit switch don't flood mcast traffic to router ports if matches igmp group."
+[Upstream: dc62643b9cb2eaa3e91bd8df4588d0b8e2aad16c]
+
+* Mon Jun 17 2024 Shibir Basak <shibir.basak@nutanix.com> - 23.09.4-12
+- controller: Send RARP/GARP for VIF post link state is up.
+[Upstream: 0539de39078ee018fe5a6962d6f2950cec0860fb]
+
+* Wed Jun 12 2024 Vladislav Odintsov <odivlad@gmail.com> - 23.09.4-11
+- controller: Store src_mac, src_ip in svc_monitor struct.
+[Upstream: d20498c4ef621934f0fb3a416c032313f29c6688]
+
+* Tue Jun 11 2024 Naveen Yerramneni <naveen.yerramneni@nutanix.com> - 23.09.4-10
+- controller: Fix issue with ct_commit encode.
+[Upstream: 24e0e2dc3bcac752480c958afd0d23420be3b5d4]
+
+* Fri Jun 07 2024 Lorenzo Bianconi <lorenzo.bianconi@redhat.com> - 23.09.4-9
+- northd: Skip arp-proxy flows if the lsp is a router port.
+[Upstream: cf6cd0f579495906ac189b4b054eb5d5276eda20]
+
+* Wed Jun 05 2024 Ales Musil <amusil@redhat.com> - 23.09.4-8
+- ovn-controller: Initialize bitmap to zero.
+[Upstream: 76d7a30f6652c9da81c81178ca5eddbf24d81323]
+
+* Wed May 29 2024 Xavier Simonart <xsimonar@redhat.com> - 23.09.4-7
+- lflow: Add missing sample flow.
+[Upstream: fb8b58913f5275563d8f80ea3658d8c5dfe55d03]
+
+* Wed May 15 2024 Ales Musil <amusil@redhat.com> - 23.09.4-6
+- controller: Avoid use after free in LB I-P.
+[Upstream: a8b1a53244ef885f840be848ae99bf4e406a96ff]
+
+* Tue May 14 2024 Xavier Simonart <xsimonar@redhat.com> - 23.09.4-5
+- northd, ic: Fix handling of ovn-appctl resume.
+[Upstream: d929ea791822c502989a688a1687fbbc6950d92f]
+
+* Fri May 10 2024 Mark Michelson <mmichels@redhat.com> - 23.09.4-4
+- Prepare for 23.09.5.
+[Upstream: d70ff69318f4ef4553ee1da32345d5243525b698]