Operating System: All
Platform: All

(1) is my mistake - irrelevant, it does work ok.

(2) should be added AND we are also missing much more important rules, for TCP for example we need to add NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[], otherwise we allow all packets from source port 80 to pass, without validating the connection:

table=252, idle_timeout=3600, hard_timeout=3600, priority=61010,tcp,nw_src=8.8.8.8,tp_src=80 actions=fin_timeout(idle_timeout=60,hard_timeout=60),load:0x1->NXM_NX_REG6[0..7]

3. Currently these 252 (or 41) rules will allow this for all VMs - we need to support this per-VM that has the security group - ideally the metadata lport should be used, but i'm not sure we can configure that with learn - maybe this logic needs to be in the first ACL table (251 or 40)

More on this - it makes no point to set a hard timeout like the idle timeout. We probably don't even want a hard timeout.

And idle timeout should be 5 hours for TCP.
60 second for other protocols

If possible, I would also remove the drop rules from tables 41 and 252 - because of the double resubmit they don't really drop anything, so they just confuse debugging in this case

fixed in https://git.opendaylight.org/gerrit/#/c/46884/