Network ACL check is bypassed on Load balancing rules in VPC #9054

@weizhouapache

Description


This issue was found during the investigation on #9053.
This sounds like a critical/major issue.

Steps to reproduce the issue

  • create a VPC
  • create a VPC tier with ACL "default_deny"
  • create a VM in the VPC tier
  • acquire the public IP
  • create load balancing rule with public port=2222 and private port=22
  • acquire another public IP (it may not be needed in 4.19/4.20 as VPC supports conserved mode)
  • create port forwarding rule with public port=2223 and private port=22

Expected result

  • both LB and PF ports (2222/2223) are unreachable as the ACL is "default_deny"

Actual result

  • PF port (2223) is unreachable (as expected)
  • LB port (2222) is reachable (bug/unexpected behavior)
ISSUE TYPE
  • Bug Report
COMPONENT NAME

CLOUDSTACK VERSION
4.19/4.20; it probably impacts other versions as well
CONFIGURATION
OS / ENVIRONMENT
SUMMARY
STEPS TO REPRODUCE

EXPECTED RESULTS

ACTUAL RESULTS
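
An added regression check for the behaviour reported above (not part of the original issue or of CloudStack's code): it probes each rule's public port and flags any port that is reachable while the tier ACL denies ingress. The function names are hypothetical, and the built-in demo uses constructed loopback sockets in place of the VPC public IPs.

```python
import socket


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts and unreachable errors end up here
        return "filtered"


def audit(targets, acl_allows_ingress=False, timeout=3.0):
    """targets: list of (rule kind, public IP, public port).

    With an ACL such as "default_deny" (acl_allows_ingress=False) every
    port should be unreachable; an 'open' port means the ACL was bypassed.
    """
    findings = []
    for kind, host, port in targets:
        state = probe(host, port, timeout)
        findings.append({
            "rule": kind, "host": host, "port": port, "state": state,
            "acl_bypassed": state == "open" and not acl_allows_ingress,
        })
    return findings


def simulate_issue():
    """Constructed loopback stand-in for the reported result: the 'LB' port
    answers, the 'PF' port does not. Against a real deployment, call e.g.
    audit([("load-balancer", LB_PUBLIC_IP, 2222),
           ("port-forwarding", PF_PUBLIC_IP, 2223)]) from outside the VPC."""
    lb = socket.socket()
    lb.bind(("127.0.0.1", 0))
    lb.listen(1)
    pf = socket.socket()
    pf.bind(("127.0.0.1", 0))
    pf_port = pf.getsockname()[1]
    pf.close()  # nothing listens on this port any more
    try:
        return audit([("load-balancer", "127.0.0.1", lb.getsockname()[1]),
                      ("port-forwarding", "127.0.0.1", pf_port)], timeout=1.0)
    finally:
        lb.close()


if __name__ == "__main__":
    for finding in simulate_issue():
        print(finding)
```

A fixed deployment should report `acl_bypassed` as false for both the load balancing and the port forwarding rule.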
