Open
Description
When testing the HA situation and the needed changes, I noticed that the VM can send any packet to the router (using the default route). Not a problem in itself, it seemed.
But this includes a packet that basically looks like an LB response (i.e. from the LB IP to some public IP).
If this is done, then after installing an LB target/prefix on another VM on the same host, conntrack will still be using the old flow (the poisoned one) and refuse to communicate properly with the right VM (as it will use the old conntracked one).
There is a pytest in fix/conntrack_poisoning that speaks for itself better.
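A toy model of the behaviour described in this issue, added here as an example; it is not the project's datapath code and not the pytest on the branch. The addresses, the `Host` class, the address-pair flow key (ports omitted) and the `validate_source` check are all assumptions made for illustration, the last one being one possible guard rather than the project's fix.

```python
# Simplified, constructed model of a per-host flow table; not the project's code.
from dataclasses import dataclass, field

LB_IP = "203.0.113.10"   # constructed load-balancer IP
CLIENT = "198.51.100.7"  # constructed public client IP


@dataclass
class Host:
    vm_addrs: dict                                  # VM name -> set of its own source IPs
    validate_source: bool = False                   # hypothetical guard, see lead-in
    lb_targets: dict = field(default_factory=dict)  # LB IP -> VM name serving it
    flows: dict = field(default_factory=dict)       # (src, dst) -> VM owning the flow

    def from_vm(self, vm, src, dst):
        """Packet sent by a VM towards the router over the default route."""
        allowed = self.vm_addrs[vm] | {
            ip for ip, target in self.lb_targets.items() if target == vm
        }
        if self.validate_source and src not in allowed:
            return "drop"  # source is neither the VM's address nor an LB IP it serves
        # Track both directions so that replies are steered back to this VM.
        self.flows[(src, dst)] = vm
        self.flows[(dst, src)] = vm
        return "forward"

    def from_network(self, src, dst):
        """Packet arriving from the router: an existing flow wins over the LB lookup."""
        vm = self.flows.get((src, dst))
        if vm is None:
            vm = self.lb_targets.get(dst)
            if vm is not None:
                self.flows[(src, dst)] = vm
                self.flows[(dst, src)] = vm
        return vm


def scenario(validate_source):
    """Replay the sequence from the issue; return (egress verdict, VM that gets client traffic)."""
    host = Host({"vm1": {"10.0.0.1"}, "vm2": {"10.0.0.2"}}, validate_source)
    verdict = host.from_vm("vm1", LB_IP, CLIENT)  # packet that looks like an LB response
    host.lb_targets[LB_IP] = "vm2"                # LB target installed afterwards on another VM
    return verdict, host.from_network(CLIENT, LB_IP)


if __name__ == "__main__":
    print("no source check:  ", scenario(False))
    print("with source check:", scenario(True))
```

Without the check, the stale entry created by `vm1` still owns the client-to-LB direction after `vm2` becomes the target; with it, no entry is created and the lookup falls through to the LB target.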