ContrailSecurity: Having AddressGroup with label associated as EndPoint doesn't work

Bug #1732093 reported by Senthilnathan Murugappan
Affects             Status           Importance   Assigned to   Milestone
Juniper Openstack   (status tracked in Trunk)
  R4.1              Fix Committed    High         Naveen N
  Trunk             Fix Committed    High         Naveen N

Bug Description

Having one of the endpoints of a firewall rule as an AddressGroup with a label associated, and marking the workload with the address-group label, doesn't get filtered.

{
    "firewall-rule": {
        "action_list": {
            "simple_action": "pass"
        },
        "address_group_refs": [
            {
                "attr": null,
                "href": "http://localhost:8095/address-group/1a9ecb9f-b4fc-45e9-9eda-f3c03008fb29",
                "to": [
                    "default-policy-management",
                    "ctest-admin-03099942"
                ],
                "uuid": "1a9ecb9f-b4fc-45e9-9eda-f3c03008fb29"
            }
        ],
        "direction": "<>",
        "display_name": "ctest-admin-47854219",
        "endpoint_1": {
            "address_group": "default-policy-management:ctest-admin-03099942",
            "any": null,
            "tags": [],
            "virtual_network": null
        },
        "endpoint_2": {
            "address_group": null,
            "any": null,
            "tag_ids": [
                131284
            ],
            "tags": [
                "global:tier=db"
            ],
            "virtual_network": null
        },
        "firewall_policy_back_refs": [
            {
                "attr": {
                    "sequence": "20"
                },
                "href": "http://localhost:8095/firewall-policy/8b33e7ac-aad7-4bb3-9288-41876dc6d6eb",
                "to": [
                    "default-policy-management",
                    "ctest-admin-93547805"
                ],
                "uuid": "8b33e7ac-aad7-4bb3-9288-41876dc6d6eb"
            }
        ],
        "fq_name": [
            "default-policy-management",
            "ctest-admin-47854219"
        ],
        "href": "http://localhost:8095/firewall-rule/d45c0184-96d0-4789-a217-4c47c151fd2a",
        "id_perms": {
            "created": "2017-11-14T05:29:29.282220",
            "creator": null,
            "description": null,
            "enable": true,
            "last_modified": "2017-11-14T05:38:42.648212",
            "permissions": {
                "group": "admin",
                "group_access": 7,
                "other_access": 7,
                "owner": "ctest-TestFirewallBasic-29296137",
                "owner_access": 7
            },
            "user_visible": true,
            "uuid": {
                "uuid_lslong": 11679888029678435626,
                "uuid_mslong": 15302107302875645833
            }
        },
        "match_tag_types": {
            "tag_type": [
                3
            ]
        },
        "match_tags": {
            "tag_list": [
                "deployment"
            ]
        },
        "name": "ctest-admin-47854219",
        "parent_href": "http://localhost:8095/policy-management/d81d90a0-4cba-42f9-9e03-06b514419eb7",
        "parent_type": "policy-management",
        "parent_uuid": "d81d90a0-4cba-42f9-9e03-06b514419eb7",
        "perms2": {
            "global_access": 0,
            "owner": "cloud-admin",
            "owner_access": 7,
            "share": []
        },
        "service": {
            "dst_ports": {
                "end_port": 8000,
                "start_port": 8000
            },
            "protocol": "udp",
            "protocol_id": 17,
            "src_ports": {
                "end_port": 65535,
                "start_port": 0
            }
        },
        "tag_refs": [
            {
                "attr": null,
                "href": "http://localhost:8095/tag/4f64a9dd-18fd-475d-afb9-0ea33b5a3160",
                "to": [
                    "tier=db"
                ],
                "uuid": "4f64a9dd-18fd-475d-afb9-0ea33b5a3160"
            }
        ],
        "uuid": "d45c0184-96d0-4789-a217-4c47c151fd2a"
    }
}

tags: added: releaseblocker
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37494
Submitter: Naveen N (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37495
Submitter: Naveen N (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37494
Committed: http://github.com/Juniper/contrail-controller/commit/f07f39ed35a1f3bf67ce0a2feab203a6aa334c21
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit f07f39ed35a1f3bf67ce0a2feab203a6aa334c21
Author: Naveen N <email address hidden>
Date: Tue Nov 14 13:56:57 2017 +0530

* Ignore IP match if address group has no prefix

If the address group has only a label to match and doesn't have any
IP prefix, then the ACL match was not right; ideally in that
case all IP prefixes should be accepted. Correcting the same.

Change-Id: I78d12392a7bcb0f1d9309625636f5509d8c1e279
Closes-bug: #1732093

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37495
Committed: http://github.com/Juniper/contrail-controller/commit/3b0f249e9e0e1bf78e2f546ed7bdbd097481039f
Submitter: Zuul (<email address hidden>)
Branch: master

commit 3b0f249e9e0e1bf78e2f546ed7bdbd097481039f
Author: Naveen N <email address hidden>
Date: Tue Nov 14 13:56:57 2017 +0530

* Ignore IP match if address group has no prefix

If the address group has only a label to match and doesn't have any
IP prefix, then the ACL match was not right; ideally in that
case all IP prefixes should be accepted. Correcting the same.

Change-Id: I78d12392a7bcb0f1d9309625636f5509d8c1e279
Closes-bug: #1732093
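The behaviour the bug report and the commit message describe, as an added example that is not code from contrail-controller or from the reporter: it models the agent's ACL match for an address-group endpoint, with the pre-fix IP term (an empty prefix list matches nothing, so a label-only group never matches) beside the fixed one (an empty prefix list accepts any IP), and evaluates the report's rule (address group on endpoint_1, tag global:tier=db on endpoint_2, UDP/8000, direction "<>") against two constructed workloads. The address-group bodies, the workloads, the "any of the group's labels" membership rule, the AND composition of the IP and label terms, and all function names are assumptions of this example; the page shows only the rule and the commit message.

```python
"""Model of the address-group endpoint match from bug #1732093.

Added example, not code from contrail-controller or from the bug report.
RULE is trimmed from the firewall-rule JSON in the report; everything else
(address-group bodies, workloads, match functions) is constructed here.
"""
import ipaddress

# Trimmed from the bug report's firewall-rule: endpoint_1 is an address
# group, endpoint_2 is the tag global:tier=db, service is UDP/8000, both ways.
RULE = {
    "direction": "<>",
    "endpoint_1": {"address_group": "default-policy-management:ctest-admin-03099942"},
    "endpoint_2": {"tags": ["global:tier=db"]},
    "service": {"protocol": "udp", "dst_ports": {"start_port": 8000, "end_port": 8000}},
}

# Constructed address-group bodies (the report shows only the reference).
# The first is the bug's case: a label and no prefix.  The second is the
# case that always worked: a prefix and no label.
ADDRESS_GROUPS = {
    "default-policy-management:ctest-admin-03099942": {
        "labels": {"global:label=web"}, "prefixes": []},
    "default-policy-management:by-prefix": {
        "labels": set(), "prefixes": ["10.1.1.0/24"]},
}

# Constructed workloads: WEB carries the address group's label, DB carries
# the endpoint_2 tag.  Tags are modelled as plain "scope:type=value" strings.
WEB = {"ip": "10.1.1.5", "tags": {"global:label=web", "global:tier=web"}}
DB = {"ip": "10.1.2.7", "tags": {"global:tier=db"}}


def prefix_term_buggy(ip, prefixes):
    """Pre-fix IP term as the commit message describes it: evaluated even
    when the group has no prefix, so an empty prefix list matches nothing."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def prefix_term_fixed(ip, prefixes):
    """Post-fix IP term: no prefix configured means every IP is accepted."""
    if not prefixes:
        return True
    return prefix_term_buggy(ip, prefixes)


def label_term(workload_tags, labels):
    """Membership by label: the workload carries one of the group's labels.
    No label configured means no constraint (assumption of this example,
    mirroring the fixed prefix handling)."""
    if not labels:
        return True
    return bool(labels & workload_tags)


def address_group_match(workload, group, prefix_term):
    """Address-group endpoint match: label term AND IP term, where
    `prefix_term` selects the buggy or the fixed IP rule."""
    return (label_term(workload["tags"], group["labels"])
            and prefix_term(workload["ip"], group["prefixes"]))


def endpoint_match(workload, endpoint, prefix_term):
    """Only the address_group and tags endpoint forms used by the report are
    modelled; a tags endpoint requires all of its listed tags."""
    if endpoint.get("address_group"):
        group = ADDRESS_GROUPS[endpoint["address_group"]]
        return address_group_match(workload, group, prefix_term)
    if endpoint.get("tags"):
        return set(endpoint["tags"]) <= workload["tags"]
    return False


def service_match(service, protocol, dst_port):
    ports = service["dst_ports"]
    return (protocol == service["protocol"]
            and ports["start_port"] <= dst_port <= ports["end_port"])


def rule_applies(rule, src, dst, protocol, dst_port, prefix_term):
    """True if the rule covers the flow src -> dst.  ">" is e1 -> e2 only,
    "<" is e2 -> e1 only, "<>" tries the endpoints in either order."""
    if not service_match(rule["service"], protocol, dst_port):
        return False
    e1, e2 = rule["endpoint_1"], rule["endpoint_2"]
    fwd = endpoint_match(src, e1, prefix_term) and endpoint_match(dst, e2, prefix_term)
    rev = endpoint_match(src, e2, prefix_term) and endpoint_match(dst, e1, prefix_term)
    return {">": fwd, "<": rev, "<>": fwd or rev}[rule["direction"]]


def demonstrate():
    """The report's flow (labelled workload -> tier=db, UDP/8000) evaluated
    with the pre-fix and the post-fix IP term; returns (buggy, fixed)."""
    buggy = rule_applies(RULE, WEB, DB, "udp", 8000, prefix_term_buggy)
    fixed = rule_applies(RULE, WEB, DB, "udp", 8000, prefix_term_fixed)
    return buggy, fixed
```

demonstrate() returns (False, True): with the pre-fix IP term the label-only group never matches, so the rule is not applied to the labelled workload, which is the reporter's "doesn't get filtered"; after the fix the label alone selects the workload. A prefix-only group behaves the same under both terms, so the change only affects groups with no prefix.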
