Comment 5 for bug 1972283

Slawek Kaplonski (slaweq) wrote :

After a long investigation, and with help from the RHEL iptables expert Phil Sutter, I found out that the problem is with the geneve tunnel, which is marked as not tracked in the raw table, but later in the filter table we have a rule to allow such traffic with conntrack state "NEW", which didn't match. With the default policy ACCEPT it all works just because geneve traffic is accepted by that default policy. We need to have a rule to allow geneve traffic which has conntrack state UNTRACKED instead of NEW, and that should solve the problem.
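The mismatch described in the comment, shown as an added shell example that is not part of the bug thread or of the Neutron code: the function emits the iptables rule set either in the "broken" shape (NOTRACK in raw, `--ctstate NEW` in filter) or in the "fixed" shape (`--ctstate UNTRACKED`). It assumes Geneve on its registered UDP port 6081 and a DROP policy on INPUT so the difference is visible; the function and variable names are mine.

```shell
# Added example, not from the bug thread. Prints the rules; apply with
#   geneve_rules fixed | sh
# Assumption: Geneve on UDP 6081 (its IANA port), INPUT policy DROP.
GENEVE_PORT=6081

# $1 is "broken" (the state the bug describes) or "fixed".
geneve_rules() {
    case "$1" in
        broken) state=NEW ;;        # never matches an untracked packet
        fixed)  state=UNTRACKED ;;  # the state a NOTRACKed packet has
        *) echo "usage: geneve_rules broken|fixed" >&2; return 2 ;;
    esac
    # raw table: exempt tunnel traffic from conntrack. Such packets reach
    # the filter table with ctstate UNTRACKED, never NEW or ESTABLISHED.
    echo "iptables -t raw -A PREROUTING -p udp --dport $GENEVE_PORT -j CT --notrack"
    echo "iptables -t raw -A OUTPUT -p udp --dport $GENEVE_PORT -j CT --notrack"
    # filter table: with NEW this rule is dead and the packet falls through
    # to the chain policy, which is why policy ACCEPT masked the bug.
    echo "iptables -A INPUT -p udp --dport $GENEVE_PORT -m conntrack --ctstate $state -j ACCEPT"
    echo "iptables -P INPUT DROP"
}
```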