When ARP response comes back to OVS bridge via external interface (eth2),
there is no match for this traffic on any of configured flows.

The simplest way how to replicated this is as folowing:

1) run ODL and install odl-groupbasedpolicy-neutronmapper and odl-restconf features

2) have a VM with OVS installed. Execute clear_ovs.sh (see the attachment or groupbasedpolicy/demos/gbp-devstack/puppet/scripts)

3) Create bridge on the VM and add an external port to it (e.g. eth2):
sudo ovs-vsctl add-br br-int
sudo ovs-vsctl add-port br-int eth2

4) set ODL controller for br-int
sudo ovs-vsctl add-controller br-int tcp:${ODL_IP}:6653

5) add a flow into table 0
sudo ovs-ofctl add-flow br-int -O OpenFlow13 "table=0,priority=10006,arp,in_port=1 actions=IN_PORT"

6) See the ip of your external port on VM (eth2). Try to ping it from another VM that is in the same subnet, so the ARP can reach your OVS bridge.

At this point, counters on the flow in table 0 should be rising.

There is a pcap file with one packet it in the attachment. It's actually an ARP response. If you try to replay it from the another VM (e.g. sudo tcpreplay --loop=5 --intf1=eth2 /vagrant/arp.pcap) it's not going to match on the flow in table 0, but it should.

Would you like to see the counters going up for this ARP response?
Repeat steps from 1 to 6 except step 4 - omit it.
Then you should see counters to grow for this ARP response too.

This is the closest observation I have so far.

Maybe you should generate your owm pcap file for ARP response so that the packet fields reflect your actual environment settings.