Description of problem:

Consider the following topology,

Logical Network (192.168.0.0/24) -> sw0 -> lr0 -> sw1 -> External Network (11.0.0.0/24)

SNAT rule is placed on 'lr0' so all traffic from Logical Network to External Network is SNATted with address 11.0.0.254.

In this configuration, any traffic destined from External Network to Logical Network should be dropped be 'lr0'

How reproducible:
Always

Steps to Reproduce:
# Create the first logical switch with one port
ovn-nbctl ls-add sw0
ovn-nbctl lsp-add sw0 sw0-port1
ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 192.168.0.2"

# Create the second logical switch with one port
ovn-nbctl ls-add sw1
ovn-nbctl lsp-add sw1 sw1-port1
ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 11.0.0.2"

# Create a logical router and attach both logical switches
ovn-nbctl lr-add lr0
ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 192.168.0.1/24
ovn-nbctl lsp-add sw0 lrp0-attachment
ovn-nbctl lsp-set-type lrp0-attachment router
ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01
ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0
ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 11.0.0.1/24
ovn-nbctl lsp-add sw1 lrp1-attachment
ovn-nbctl lsp-set-type lrp1-attachment router
ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02
ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1

ovs-vsctl add-port br-int p1 -- \
    set Interface p1 external_ids:iface-id=sw0-port1
ovs-vsctl add-port br-int p2 -- \
    set Interface p2 external_ids:iface-id=sw1-port1

ovn-nbctl set Logical_Router lr0 options:chassis=hv1
ovn-nbctl lr-nat-add lr0 snat 11.0.0.254 192.168.0.2

ovn-trace 'inport == "lrp1" && eth.src == f0:00:00:00:01:11 && eth.dst == 00:00:00:00:ff:02 && ip4.src == 11.0.0.2 && ip4.dst == 192.168.0.2 && ip.ttl == 64'

Actual results:
<snip>
    output;
    /* output to "sw0-port1", type "" */

Expected results:
<snip>
    drop;

Additional info:
We need to confirm if this is the expected behaviour.