Comment 7 for bug 1793029

Slawek Kaplonski (slaweq) wrote :

I didn't try to reproduce this yet, but I think that what happened here is:
1. By default, a security group has a rule to accept ingress traffic from all other ports which use the same security group,
2. When you added this allowed_address_pair, security group rules (allowed source IPs) were updated for all other ports which use the same SG - and because of that you had such a bad rule in iptables.

If I am right, you should be able to remove this wrong rule from all ports by just removing from the security group the rules which allow traffic from "remote_group_id".

Also, if that is the problem, disabling ipsets will not help to work around this, as such rules will still be added directly in iptables chains.

And also I think that in such a case the openvswitch firewall driver will also be impacted.
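
An added example, not part of the comment above or of Neutron's code: a small audit that follows the mechanism the comment describes, expanding each ingress `remote_group_id` rule into the addresses of the ports in that group and flagging any allowed address pair wider than a single host. The port and rule dicts use Neutron API field names, but the data, the IDs and the "wider than one host" threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample data, shaped like Neutron API port and rule objects.
PORTS = [
    {"id": "port-a", "security_groups": ["sg-1"],
     "fixed_ips": [{"ip_address": "10.0.0.5"}],
     "allowed_address_pairs": [{"ip_address": "10.0.0.0/8"}]},
    {"id": "port-b", "security_groups": ["sg-1"],
     "fixed_ips": [{"ip_address": "10.0.0.6"}],
     "allowed_address_pairs": []},
]
RULES = [
    {"id": "rule-1", "security_group_id": "sg-1", "direction": "ingress",
     "remote_group_id": "sg-1"},
    {"id": "rule-2", "security_group_id": "sg-2", "direction": "ingress",
     "remote_group_id": None},
]


def group_sources(ports, group_id):
    """Source networks a remote_group_id rule expands to: (network, port id, origin)."""
    out = []
    for port in ports:
        if group_id not in port["security_groups"]:
            continue
        for key in ("fixed_ips", "allowed_address_pairs"):
            for entry in port.get(key) or []:
                net = ipaddress.ip_network(entry["ip_address"], strict=False)
                out.append((net, port["id"], key))
    return out


def audit(ports, rules):
    """Flag ingress remote-group rules whose source set contains a non-host address pair."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or not rule.get("remote_group_id"):
            continue
        for net, port_id, origin in group_sources(ports, rule["remote_group_id"]):
            if origin == "allowed_address_pairs" and net.prefixlen < net.max_prefixlen:
                affected = sorted(p["id"] for p in ports
                                  if rule["security_group_id"] in p["security_groups"])
                findings.append({"rule": rule["id"], "source": str(net),
                                 "from_port": port_id, "affected_ports": affected})
    return findings


if __name__ == "__main__":
    print(audit(PORTS, RULES))
```

Each finding names the rule, the address pair that widened it, and every port in the group that would accept traffic from that source.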