The bug is mostly caused by the openflow security group. We compared the flows after adding the 0.0.0.0/0 allowed-address-pair. These two flows are added to table=82:
> table=82, priority=70,ct_state=+est-rel-rpl,ip,reg6=0x3 actions=conjunction(16,1/2)
> table=82, priority=70,ct_state=+new-est,ip,reg6=0x3 actions=conjunction(17,1/2)
Yes, this is the root cause; it will allow almost all IP traffic.