diff --git a/charts/templates/controller-deploy.yaml b/charts/templates/controller-deploy.yaml
index 44ec67561d2..95427141ab3 100644
--- a/charts/templates/controller-deploy.yaml
+++ b/charts/templates/controller-deploy.yaml
@@ -99,6 +99,7 @@ spec:
 - --default-vlan-name={{- .Values.networking.vlan.VLAN_NAME }}
 - --default-vlan-id={{- .Values.networking.vlan.VLAN_ID }}
 - --ls-dnat-mod-dl-dst={{- .Values.func.LS_DNAT_MOD_DL_DST }}
+ - --ls-ct-skip-dst-lport-ips={{- .Values.func.LS_CT_SKIP_DST_LPORT_IPS }}
 - --pod-nic-type={{- .Values.networking.POD_NIC_TYPE }}
 - --enable-lb={{- .Values.func.ENABLE_LB }}
 - --enable-np={{- .Values.func.ENABLE_NP }}
diff --git a/charts/values.yaml b/charts/values.yaml
index f3360b8cd42..e8a5befce2f 100644
--- a/charts/values.yaml
+++ b/charts/values.yaml
@@ -62,6 +62,7 @@ func:
 ENABLE_LB_SVC: false
 ENABLE_KEEP_VM_IP: true
 LS_DNAT_MOD_DL_DST: true
+ LS_CT_SKIP_DST_LPORT_IPS: true
 ENABLE_BIND_LOCAL_IP: true
 U2O_INTERCONNECTION: false
 ENABLE_TPROXY: false
diff --git a/dist/images/Dockerfile.base b/dist/images/Dockerfile.base
index 6c2d4c6ffa4..163cf93cf1c 100644
--- a/dist/images/Dockerfile.base
+++ b/dist/images/Dockerfile.base
@@ -44,7 +44,9 @@ RUN cd /usr/src/ && git clone -b branch-22.12 --depth=1 https://github.com/ovn-o
 # ovn-controller: do not send GARP on localnet for Kube-OVN ports
 curl -s https://github.com/kubeovn/ovn/commit/8af8751cdb55f582c675db921f2526b06fd3d8c0.patch | git apply && \
 # ovn-ic blacklist function not work on ipv6
- curl -s https://github.com/kubeovn/ovn/commit/78ab91005854532e7eb5c4fe6b2923ce292e3681.patch | git apply
+ curl -s https://github.com/kubeovn/ovn/commit/78ab91005854532e7eb5c4fe6b2923ce292e3681.patch | git apply && \
+ # lflow: do not send direct traffic between lports to conntrack
+ curl -s https://github.com/kubeovn/ovn/commit/6f1af045845deeabf06fdc7c90073e0a6874ab2f.patch | git apply
 
 RUN apt install -y build-essential fakeroot \
 autoconf automake bzip2 debhelper-compat dh-exec dh-python dh-sequence-python3 dh-sequence-sphinxdoc \
diff --git a/dist/images/install.sh b/dist/images/install.sh
index a3d2f462dda..28e267b4f2f 100755
--- a/dist/images/install.sh
+++ b/dist/images/install.sh
@@ -15,6 +15,7 @@ ENABLE_LB=${ENABLE_LB:-true}
 ENABLE_NP=${ENABLE_NP:-true}
 ENABLE_EIP_SNAT=${ENABLE_EIP_SNAT:-true}
 LS_DNAT_MOD_DL_DST=${LS_DNAT_MOD_DL_DST:-true}
+LS_CT_SKIP_DST_LPORT_IPS=${LS_CT_SKIP_DST_LPORT_IPS:-true}
 ENABLE_EXTERNAL_VPC=${ENABLE_EXTERNAL_VPC:-true}
 CNI_CONFIG_PRIORITY=${CNI_CONFIG_PRIORITY:-01}
 ENABLE_LB_SVC=${ENABLE_LB_SVC:-false}
@@ -3959,6 +3960,7 @@ spec:
 - --default-exchange-link-name=$EXCHANGE_LINK_NAME
 - --default-vlan-id=$VLAN_ID
 - --ls-dnat-mod-dl-dst=$LS_DNAT_MOD_DL_DST
+ - --ls-ct-skip-dst-lport-ips=$LS_CT_SKIP_DST_LPORT_IPS
 - --pod-nic-type=$POD_NIC_TYPE
 - --enable-lb=$ENABLE_LB
 - --enable-np=$ENABLE_NP
diff --git a/mocks/pkg/ovs/interface.go b/mocks/pkg/ovs/interface.go
index 970f335320f..e65767d8f0b 100644
--- a/mocks/pkg/ovs/interface.go
+++ b/mocks/pkg/ovs/interface.go
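Review bot: The added `curl -s … | git apply` line for the 6f1af045845deeabf06fdc7c90073e0a6874ab2f patch has no failure handling: `-s` without `-S`/`-f` hides download errors, and with no `pipefail` in the RUN shell the step's exit status is `git apply`'s, so a failed or empty download may let the image build with the patch silently missing. At minimum use `curl -sSf …` (the two existing patch lines share the problem); a more robust form downloads each patch to a file, checks curl's status, and then runs `git apply` on the file. Since the patches are fetched from GitHub at build time, recording a checksum for each and verifying it before `git apply` would also make this supply-chain input explicit rather than trusting the transport. The RUN instruction continues outside the hunk.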
@@ -83,6 +83,20 @@ func (mr *MockNBGlobalMockRecorder) SetICAutoRoute(enable, blackList interface{}
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetICAutoRoute", reflect.TypeOf((*MockNBGlobal)(nil).SetICAutoRoute), enable, blackList)
 }
 
+// SetLsCtSkipDstLportIPs mocks base method.
+func (m *MockNBGlobal) SetLsCtSkipDstLportIPs(enabled bool) error {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "SetLsCtSkipDstLportIPs", enabled)
+ ret0, _ := ret[0].(error)
+ return ret0
+}
+
+// SetLsCtSkipDstLportIPs indicates an expected call of SetLsCtSkipDstLportIPs.
+func (mr *MockNBGlobalMockRecorder) SetLsCtSkipDstLportIPs(enabled interface{}) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLsCtSkipDstLportIPs", reflect.TypeOf((*MockNBGlobal)(nil).SetLsCtSkipDstLportIPs), enabled)
+}
+
 // SetLsDnatModDlDst mocks base method.
 func (m *MockNBGlobal) SetLsDnatModDlDst(enabled bool) error {
 m.ctrl.T.Helper()
@@ -3853,6 +3867,20 @@ func (mr *MockNbClientMockRecorder) SetLogicalSwitchPrivate(lsName, cidrBlock, n
 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLogicalSwitchPrivate", reflect.TypeOf((*MockNbClient)(nil).SetLogicalSwitchPrivate), lsName, cidrBlock, nodeSwitchCIDR, allowSubnets)
 }
 
+// SetLsCtSkipDstLportIPs mocks base method.
+func (m *MockNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "SetLsCtSkipDstLportIPs", enabled)
+ ret0, _ := ret[0].(error)
+ return ret0
+}
+
+// SetLsCtSkipDstLportIPs indicates an expected call of SetLsCtSkipDstLportIPs.
+func (mr *MockNbClientMockRecorder) SetLsCtSkipDstLportIPs(enabled interface{}) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetLsCtSkipDstLportIPs", reflect.TypeOf((*MockNbClient)(nil).SetLsCtSkipDstLportIPs), enabled)
+}
+
 // SetLsDnatModDlDst mocks base method.
 func (m *MockNbClient) SetLsDnatModDlDst(enabled bool) error {
 m.ctrl.T.Helper()
diff --git a/pkg/controller/config.go b/pkg/controller/config.go
index e8bf142fd2f..35a756db8fa 100644
--- a/pkg/controller/config.go
+++ b/pkg/controller/config.go
@@ -78,6 +78,7 @@ type Configuration struct {
 DefaultVlanName string
 DefaultVlanID int
 LsDnatModDlDst bool
+ LsCtSkipDstLportIPs bool
 EnableLb bool
 EnableNP bool
 
@@ -149,6 +150,7 @@ func ParseFlags() (*Configuration, error) {
 argDefaultVlanName = pflag.String("default-vlan-name", "ovn-vlan", "The default vlan name")
 argDefaultVlanID = pflag.Int("default-vlan-id", 1, "The default vlan id")
 argLsDnatModDlDst = pflag.Bool("ls-dnat-mod-dl-dst", true, "Set ethernet destination address for DNAT on logical switch")
+ argLsCtSkipDstLportIPs = pflag.Bool("ls-ct-skip-dst-lport-ips", true, "Skip conntrack for direct traffic between lports")
 argPodNicType = pflag.String("pod-nic-type", "veth-pair", "The default pod network nic implementation type")
 argPodDefaultFipType = pflag.String("pod-default-fip-type", "", "The type of fip bind to pod automatically: iptables")
 argEnableLb = pflag.Bool("enable-lb", true, "Enable load balancer")
@@ -223,6 +225,7 @@ func ParseFlags() (*Configuration, error) {
 NetworkType: *argNetworkType,
 DefaultVlanID: *argDefaultVlanID,
 LsDnatModDlDst: *argLsDnatModDlDst,
+ LsCtSkipDstLportIPs: *argLsCtSkipDstLportIPs,
 DefaultProviderName: *argDefaultProviderName,
 DefaultHostInterface: *argDefaultInterfaceName,
 DefaultExchangeLinkName: *argDefaultExchangeLinkName,
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index 78f32b8d253..879092b5934 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
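Review bot: The new `argLsCtSkipDstLportIPs` flag defaults to true while its help text only says it skips conntrack, leaving the security-relevant consequence undocumented: an operator cannot tell from `--help` whether stateful ACLs on a logical switch (network policies, allow-related rules) still see direct lport-to-lport traffic once it bypasses conntrack. The behaviour appears to depend on the OVN patch this same commit adds in Dockerfile.base ("lflow: do not send direct traffic between lports to conntrack"), so presumably the option is a no-op on an OVN build without it, which the help text should also state. Suggested: `argLsCtSkipDstLportIPs = pflag.Bool("ls-ct-skip-dst-lport-ips", true, "Skip conntrack for direct traffic between logical switch ports; requires an OVN build that supports the ls_ct_skip_dst_lport_ips option")`. The new `LsCtSkipDstLportIPs` struct field is uncommented like its siblings, so that is pre-existing style. ParseFlags starts and ends outside the hunks.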
@@ -777,6 +777,10 @@ func (c *Controller) Run(ctx context.Context) {
 util.LogFatalAndExit(err, "failed to set NB_Global option use_ct_inv_match to false")
 }
 
+ if err := c.OVNNbClient.SetLsCtSkipDstLportIPs(c.config.LsCtSkipDstLportIPs); err != nil {
+ util.LogFatalAndExit(err, "failed to set NB_Global option ls_ct_skip_dst_lport_ips")
+ }
+
 if err := c.InitOVN(); err != nil {
 util.LogFatalAndExit(err, "failed to initialize ovn resources")
 }
diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go
index 22450431787..445301c03e4 100644
--- a/pkg/ovs/interface.go
+++ b/pkg/ovs/interface.go
@@ -17,6 +17,7 @@ type NBGlobal interface {
 SetUseCtInvMatch() error
 SetICAutoRoute(enable bool, blackList []string) error
 SetLsDnatModDlDst(enabled bool) error
+ SetLsCtSkipDstLportIPs(enabled bool) error
 GetNbGlobal() (*ovnnb.NBGlobal, error)
 }
 
diff --git a/pkg/ovs/ovn-nb_global.go b/pkg/ovs/ovn-nb_global.go
index c0944210e1c..ebffa90be13 100644
--- a/pkg/ovs/ovn-nb_global.go
+++ b/pkg/ovs/ovn-nb_global.go
@@ -153,3 +153,7 @@ func (c *OVNNbClient) SetLBCIDR(serviceCIDR string) error {
 func (c *OVNNbClient) SetLsDnatModDlDst(enabled bool) error {
 return c.SetNbGlobalOptions("ls_dnat_mod_dl_dst", enabled)
 }
+
+func (c *OVNNbClient) SetLsCtSkipDstLportIPs(enabled bool) error {
+ return c.SetNbGlobalOptions("ls_ct_skip_dst_lport_ips", enabled)
+}
diff --git a/yamls/kube-ovn-dual-stack.yaml b/yamls/kube-ovn-dual-stack.yaml
index 829d462f3a3..7d2c36f4293 100644
--- a/yamls/kube-ovn-dual-stack.yaml
+++ b/yamls/kube-ovn-dual-stack.yaml
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true
diff --git a/yamls/kube-ovn-ipv6.yaml b/yamls/kube-ovn-ipv6.yaml
index eafa4bf307b..bc97a1eaf5d 100644
--- a/yamls/kube-ovn-ipv6.yaml
+++ b/yamls/kube-ovn-ipv6.yaml
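Review bot: The exported `SetLsCtSkipDstLportIPs` added in pkg/ovs/ovn-nb_global.go has no doc comment, so the NB_Global key it writes is only discoverable by reading the body; a line such as `// SetLsCtSkipDstLportIPs sets the NB_Global option ls_ct_skip_dst_lport_ips to enabled.` would follow the Go convention and is the natural place to note that the option presumably only takes effect on an OVN build that understands it (the Dockerfile.base change in this commit appears to add that support). The sibling `SetLsDnatModDlDst` just above is undocumented too, so this is pre-existing style in the file rather than a regression.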
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true
diff --git a/yamls/kube-ovn.yaml b/yamls/kube-ovn.yaml
index 15d8965a9ea..1b0a5c352e8 100644
--- a/yamls/kube-ovn.yaml
+++ b/yamls/kube-ovn.yaml
@@ -66,6 +66,7 @@ spec:
 - --default-exchange-link-name=false
 - --default-vlan-id=100
 - --ls-dnat-mod-dl-dst=true
+ - --ls-ct-skip-dst-lport-ips=true
 - --pod-nic-type=veth-pair
 - --enable-lb=true
 - --enable-np=true