Hi Jan Collijs,

Following your suggestion, I did the following:

1. Created networkA with subnet 10.10.10.0/24, and networkB without a subnet.
2. There are 2 security groups: the default sg, and sgA, which allows ssh access.
3. Created a VM with one network interface, which is in networkA and belongs to the default sg and sgA.
4. Used the nova CLI "nova interface-attach --net-id" to add a network interface which is in networkB and belongs to the default sg.

I also checked that the iptables rules are correct, as below:

-A neutron-openvswi-INPUT -m physdev --physdev-in tapf5b77831-81 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-of5b77831-8
-A neutron-openvswi-INPUT -m physdev --physdev-in tap2bd3ad0c-a7 --physdev-is-bridged -m comment --comment "Direct incoming traffic from VM to the security group chain." -j neutron-openvswi-o2bd3ad0c-a
-A neutron-openvswi-i2bd3ad0c-a -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-i2bd3ad0c-a -m set --match-set NIPv4e22b4152-0e39-4c8c-b811- src -j RETURN
-A neutron-openvswi-i2bd3ad0c-a -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-i2bd3ad0c-a -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-if5b77831-8 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-if5b77831-8 -s 10.10.10.2/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN
-A neutron-openvswi-if5b77831-8 -m set --match-set NIPv4e22b4152-0e39-4c8c-b811- src -j RETURN
-A neutron-openvswi-if5b77831-8 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-if5b77831-8 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-if5b77831-8 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-o2bd3ad0c-a -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-o2bd3ad0c-a -j neutron-openvswi-s2bd3ad0c-a
-A neutron-openvswi-o2bd3ad0c-a -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-o2bd3ad0c-a -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-o2bd3ad0c-a -j RETURN
-A neutron-openvswi-o2bd3ad0c-a -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-o2bd3ad0c-a -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-of5b77831-8 -p udp -m udp --sport 68 -m udp --dport 67 -m comment --comment "Allow DHCP client traffic." -j RETURN
-A neutron-openvswi-of5b77831-8 -j neutron-openvswi-sf5b77831-8
-A neutron-openvswi-of5b77831-8 -p udp -m udp --sport 67 -m udp --dport 68 -m comment --comment "Prevent DHCP Spoofing by VM." -j DROP
-A neutron-openvswi-of5b77831-8 -m state --state RELATED,ESTABLISHED -m comment --comment "Direct packets associated with a known session to the RETURN chain." -j RETURN
-A neutron-openvswi-of5b77831-8 -j RETURN
-A neutron-openvswi-of5b77831-8 -m state --state INVALID -m comment --comment "Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack." -j DROP
-A neutron-openvswi-of5b77831-8 -m comment --comment "Send unmatched traffic to the fallback chain." -j neutron-openvswi-sg-fallback
-A neutron-openvswi-s2bd3ad0c-a -m mac --mac-source FA:16:3E:53:17:FD -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s2bd3ad0c-a -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sf5b77831-8 -s 10.10.10.4/32 -m mac --mac-source FA:16:3E:D9:0F:94 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-sf5b77831-8 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sg-chain -m physdev --physdev-out tapf5b77831-81 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-if5b77831-8
-A neutron-openvswi-sg-chain -m physdev --physdev-in tapf5b77831-81 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-of5b77831-8
-A neutron-openvswi-sg-chain -m physdev --physdev-out tap2bd3ad0c-a7 --physdev-is-bridged -m comment --comment "Jump to the VM specific chain." -j neutron-openvswi-i2bd3ad0c-a
-A neutron-openvswi-sg-chain -m physdev --

I think there is a bug in Nova. In Nova, we can't create a VM with a network which does not have a subnet, but we can attach an interface with a network which does not have a subnet.
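
The per-port chains in the dump above can be compared with a short script that reports, for each port, whether its source (anti-spoofing) chain pairs the MAC with an IP and which ingress ports are open to any source. This is an added example, not part of the original post; it runs on a subset of the rules quoted there, and the names `parse_rule` and `audit` are made up for illustration.

```python
import re
import shlex
from collections import defaultdict

# Rules copied from the dump in the post (anti-spoofing and ingress chains only).
RULES = r'''
-A neutron-openvswi-i2bd3ad0c-a -m set --match-set NIPv4e22b4152-0e39-4c8c-b811- src -j RETURN
-A neutron-openvswi-if5b77831-8 -s 10.10.10.2/32 -p udp -m udp --sport 67 -m udp --dport 68 -j RETURN
-A neutron-openvswi-if5b77831-8 -p tcp -m tcp --dport 22 -j RETURN
-A neutron-openvswi-s2bd3ad0c-a -m mac --mac-source FA:16:3E:53:17:FD -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-s2bd3ad0c-a -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
-A neutron-openvswi-sf5b77831-8 -s 10.10.10.4/32 -m mac --mac-source FA:16:3E:D9:0F:94 -m comment --comment "Allow traffic from defined IP/MAC pairs." -j RETURN
-A neutron-openvswi-sf5b77831-8 -m comment --comment "Drop traffic without an IP/MAC allow rule." -j DROP
'''

# Per-port chains: i = ingress, o = egress, s = source (anti-spoofing) check.
CHAIN_RE = re.compile(r"^neutron-openvswi-([ios])([0-9a-f]{8}-[0-9a-f])$")

def parse_rule(line):
    """Return (kind, port, opts) for a rule in a per-port chain, else None."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    m = CHAIN_RE.match(tok[1])
    if not m:
        return None
    opts, key = {}, None
    for t in tok[2:]:
        if t.startswith("-"):
            key = t
            opts.setdefault(key, [])
        elif key:
            opts[key].append(t)
    return m.group(1), m.group(2), opts

def audit(rules_text):
    """Summarise, per port, the anti-spoofing binding and unrestricted ingress ports."""
    ports = defaultdict(lambda: {"ip_bound": False, "mac_only": [], "ingress": []})
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if not parsed or parsed[2].get("-j") != ["RETURN"]:
            continue
        kind, port, opts = parsed
        if kind == "s" and "--mac-source" in opts:
            if "-s" in opts:
                ports[port]["ip_bound"] = True
            else:  # MAC allowed with any source IP
                ports[port]["mac_only"].append(opts["--mac-source"][0])
        elif kind == "i" and "--dport" in opts and "-s" not in opts:
            ports[port]["ingress"].append(f'{opts["-p"][0]}/{opts["--dport"][0]}')
    return dict(ports)

if __name__ == "__main__":
    for port, info in sorted(audit(RULES).items()):
        print(port, info)
```

On the quoted rules it reports a MAC-only source allow for 2bd3ad0c-a, and an IP/MAC pair plus tcp/22 ingress for f5b77831-8.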