Comment 8 for bug 1506076

György Szombathelyi (gyurco) wrote :

After further experimenting, and with an idea from a co-worker, it is possible to use MAC address matching on the main bridge interface. And this seems to be good, since a port is always defined with a MAC (it is a not-null field). So the final rules:

Mark packets arriving at the main bridge with the destination of the neutron port:

  ebtables -t nat -I PREROUTING -i br-vlan.913 -d fa:16:3e:50:9f:73 -j mark --mark-set 0x505050

Disable conntrack of the marked packets:

  iptables -I neutron-linuxbri-PREROUTING -t raw -m mark --mark 0x505050 -j NOTRACK

Disable conntrack on the tap interface belonging to the port:

  iptables -A neutron-linuxbri-PREROUTING -t raw -m physdev --physdev-in tap918bb4f3-23 -j NOTRACK
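
The three rules above, generated per port as a dry run. This is an added example, not part of the original comment or of Neutron's code. It assumes the tap device is named "tap" plus the first 11 characters of the port UUID; the function names and the sample UUID are constructed, while the mark value and chain name are the ones used in the comment.

```shell
#!/bin/sh
# Values taken from the comment above.
MARK=0x505050
CHAIN=neutron-linuxbri-PREROUTING

# Assumption: the Linux bridge agent names the tap device
# "tap" + the first 11 characters of the Neutron port UUID.
tap_name() {
    printf 'tap%s\n' "$(printf '%s' "$1" | cut -c1-11)"
}

# Accept only a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# notrack_rules BRIDGE_IF MAC PORT_UUID
# Prints the rules for review; it does not touch ebtables or iptables.
notrack_rules() {
    bridge_if=$1
    mac=$2
    port_id=$3
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    # Linux interface names are at most 15 characters long.
    [ "${#bridge_if}" -le 15 ] || { echo "interface name too long: $bridge_if" >&2; return 1; }
    tap=$(tap_name "$port_id")
    # 1. Mark frames arriving on the bridge for the port's MAC.
    printf 'ebtables -t nat -I PREROUTING -i %s -d %s -j mark --mark-set %s\n' \
        "$bridge_if" "$mac" "$MARK"
    # 2. Skip conntrack for the marked packets.
    printf 'iptables -I %s -t raw -m mark --mark %s -j NOTRACK\n' "$CHAIN" "$MARK"
    # 3. Skip conntrack for packets entering from the port's tap device.
    printf 'iptables -A %s -t raw -m physdev --physdev-in %s -j NOTRACK\n' "$CHAIN" "$tap"
}

# Constructed port UUID; only its first 11 characters match the tap name in the comment.
notrack_rules br-vlan.913 fa:16:3e:50:9f:73 918bb4f3-23aa-4c1e-9d2b-000000000000
```

Packets matched by NOTRACK never match state-based (conntrack) rules, so review the printed rules against the port's security group rules before applying them.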