diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
index d958424b35d..297d72c64a8 100644
--- a/pkg/controller/network_policy.go
+++ b/pkg/controller/network_policy.go
@@ -21,6 +21,7 @@ import (
 	"github.com/kubeovn/kube-ovn/pkg/ovs"
 	"github.com/kubeovn/kube-ovn/pkg/ovsdb/ovnnb"
 	"github.com/kubeovn/kube-ovn/pkg/util"
+	"github.com/scylladb/go-set/strset"
 )
 
 func (c *Controller) enqueueAddNp(obj interface{}) {
@@ -212,6 +213,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 	}
 
 	var subnets []*kubeovnv1.Subnet
+	protocolSet := strset.NewWithSize(2)
 	for _, subnetName := range subnetNames {
 		subnet, err := c.subnetsLister.Get(subnetName)
 		if err != nil {
@@ -219,7 +221,14 @@ func (c *Controller) handleUpdateNp(key string) error {
 			return err
 		}
 		subnets = append(subnets, subnet)
+
+		if subnet.Spec.Protocol == kubeovnv1.ProtocolDual {
+			protocolSet.Add(kubeovnv1.ProtocolIPv4, kubeovnv1.ProtocolIPv6)
+		} else {
+			protocolSet.Add(subnet.Spec.Protocol)
+		}
 	}
+	klog.Infof("UpdateNp, releated subnets protocols %s", protocolSet.String())
 
 	if err = c.OVNNbClient.PortGroupSetPorts(pgName, ports); err != nil {
 		klog.Errorf("failed to set ports of port group %s to %v: %v", pgName, ports, err)
@@ -233,82 +242,79 @@ func (c *Controller) handleUpdateNp(key string) error {
 	}
 
 	if hasIngressRule(np) {
-		for _, subnet := range subnets {
-			for _, cidrBlock := range strings.Split(subnet.Spec.CIDRBlock, ",") {
-				protocol := util.CheckProtocol(cidrBlock)
-
-				for idx, npr := range np.Spec.Ingress {
-					// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
-					ingressAllowAsName := fmt.Sprintf("%s.%s.%d", ingressAllowAsNamePrefix, protocol, idx)
-					ingressExceptAsName := fmt.Sprintf("%s.%s.%d", ingressExceptAsNamePrefix, protocol, idx)
-					aclName := fmt.Sprintf("np/%s.%s/ingress/%s/%d", npName, np.Namespace, protocol, idx)
-
-					var allows, excepts []string
-					if len(npr.From) == 0 {
-						if protocol == kubeovnv1.ProtocolIPv4 {
-							allows = []string{"0.0.0.0/0"}
-						} else {
-							allows = []string{"::/0"}
-						}
+		for _, protocol := range protocolSet.List() {
+			for idx, npr := range np.Spec.Ingress {
+				// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
+				ingressAllowAsName := fmt.Sprintf("%s.%s.%d", ingressAllowAsNamePrefix, protocol, idx)
+				ingressExceptAsName := fmt.Sprintf("%s.%s.%d", ingressExceptAsNamePrefix, protocol, idx)
+				aclName := fmt.Sprintf("np/%s.%s/ingress/%s/%d", npName, np.Namespace, protocol, idx)
+
+				var allows, excepts []string
+				if len(npr.From) == 0 {
+					if protocol == kubeovnv1.ProtocolIPv4 {
+						allows = []string{"0.0.0.0/0"}
 					} else {
-						var allow, except []string
-						for _, npp := range npr.From {
-							if allow, except, err = c.fetchPolicySelectedAddresses(np.Namespace, protocol, npp); err != nil {
-								klog.Errorf("failed to fetch policy selected addresses, %v", err)
-								return err
-							}
-							allows = append(allows, allow...)
-							excepts = append(excepts, except...)
-						}
+						allows = []string{"::/0"}
 					}
-					klog.Infof("UpdateNp Ingress, allows is %v, excepts is %v, log %v, protocol %v", allows, excepts, logEnable, protocol)
-
-					if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressAllowAsName, allows); err != nil {
-						klog.Error(err)
-						return err
-					}
-					if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressExceptAsName, excepts); err != nil {
-						klog.Error(err)
-						return err
+				} else {
+					var allow, except []string
+					for _, npp := range npr.From {
+						if allow, except, err = c.fetchPolicySelectedAddresses(np.Namespace, protocol, npp); err != nil {
+							klog.Errorf("failed to fetch policy selected addresses, %v", err)
+							return err
+						}
+						allows = append(allows, allow...)
+						excepts = append(excepts, except...)
 					}
+				}
+				klog.Infof("UpdateNp Ingress, allows is %v, excepts is %v, log %v, protocol %v", allows, excepts, logEnable, protocol)
 
-					npp := []netv1.NetworkPolicyPort{}
-					if len(allows) != 0 || len(excepts) != 0 {
-						npp = npr.Ports
-					}
+				if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressAllowAsName, allows); err != nil {
+					klog.Error(err)
+					return err
+				}
+				if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressExceptAsName, excepts); err != nil {
+					klog.Error(err)
+					return err
+				}
 
-					ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
-					if err != nil {
-						klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
-						return err
-					}
+				npp := []netv1.NetworkPolicyPort{}
+				if len(allows) != 0 || len(excepts) != 0 {
+					npp = npr.Ports
+				}
 
-					ingressACLOps = append(ingressACLOps, ops...)
+				ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
+				if err != nil {
+					klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
+					return err
 				}
-				if len(np.Spec.Ingress) == 0 {
-					ingressAllowAsName := fmt.Sprintf("%s.%s.all", ingressAllowAsNamePrefix, protocol)
-					ingressExceptAsName := fmt.Sprintf("%s.%s.all", ingressExceptAsNamePrefix, protocol)
-					aclName := fmt.Sprintf("np/%s.%s/ingress/%s/all", npName, np.Namespace, protocol)
 
-					if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressAllowAsName, nil); err != nil {
-						klog.Error(err)
-						return err
-					}
-					if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressExceptAsName, nil); err != nil {
-						klog.Error(err)
-						return err
-					}
+				ingressACLOps = append(ingressACLOps, ops...)
+			}
+			if len(np.Spec.Ingress) == 0 {
+				ingressAllowAsName := fmt.Sprintf("%s.%s.all", ingressAllowAsNamePrefix, protocol)
+				ingressExceptAsName := fmt.Sprintf("%s.%s.all", ingressExceptAsNamePrefix, protocol)
+				aclName := fmt.Sprintf("np/%s.%s/ingress/%s/all", npName, np.Namespace, protocol)
 
-					ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
-					if err != nil {
-						klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
-						return err
-					}
+				if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressAllowAsName, nil); err != nil {
+					klog.Error(err)
+					return err
+				}
+				if err = c.createAsForNetpol(np.Namespace, npName, "ingress", ingressExceptAsName, nil); err != nil {
+					klog.Error(err)
+					return err
+				}
 
-					ingressACLOps = append(ingressACLOps, ops...)
+				ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
+				if err != nil {
+					klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
+					return err
 				}
+
+				ingressACLOps = append(ingressACLOps, ops...)
 			}
 		}
+
 		if err := c.OVNNbClient.Transact("add-ingress-acls", ingressACLOps); err != nil {
 			return fmt.Errorf("add ingress acls to %s: %w", pgName, err)
 		}
@@ -365,70 +371,44 @@ func (c *Controller) handleUpdateNp(key string) error {
 	}
 
 	if hasEgressRule(np) {
-		for _, subnet := range subnets {
-			for _, cidrBlock := range strings.Split(subnet.Spec.CIDRBlock, ",") {
-				protocol := util.CheckProtocol(cidrBlock)
-
-				for idx, npr := range np.Spec.Egress {
-					// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
-					egressAllowAsName := fmt.Sprintf("%s.%s.%d", egressAllowAsNamePrefix, protocol, idx)
-					egressExceptAsName := fmt.Sprintf("%s.%s.%d", egressExceptAsNamePrefix, protocol, idx)
-					aclName := fmt.Sprintf("np/%s.%s/egress/%s/%d", npName, np.Namespace, protocol, idx)
-
-					var allows, excepts []string
-					if len(npr.To) == 0 {
-						if protocol == kubeovnv1.ProtocolIPv4 {
-							allows = []string{"0.0.0.0/0"}
-						} else {
-							allows = []string{"::/0"}
-						}
+		for _, protocol := range protocolSet.List() {
+			for idx, npr := range np.Spec.Egress {
+				// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
+				egressAllowAsName := fmt.Sprintf("%s.%s.%d", egressAllowAsNamePrefix, protocol, idx)
+				egressExceptAsName := fmt.Sprintf("%s.%s.%d", egressExceptAsNamePrefix, protocol, idx)
+				aclName := fmt.Sprintf("np/%s.%s/egress/%s/%d", npName, np.Namespace, protocol, idx)
+
+				var allows, excepts []string
+				if len(npr.To) == 0 {
+					if protocol == kubeovnv1.ProtocolIPv4 {
+						allows = []string{"0.0.0.0/0"}
 					} else {
-						var allow, except []string
-						for _, npp := range npr.To {
-							if allow, except, err = c.fetchPolicySelectedAddresses(np.Namespace, protocol, npp); err != nil {
-								klog.Errorf("failed to fetch policy selected addresses, %v", err)
-								return err
-							}
-							allows = append(allows, allow...)
-							excepts = append(excepts, except...)
-						}
-					}
-					klog.Infof("UpdateNp Egress, allows is %v, excepts is %v, log %v", allows, excepts, logEnable)
-
-					if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressAllowAsName, allows); err != nil {
-						klog.Error(err)
-						return err
+						allows = []string{"::/0"}
 					}
-					if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressExceptAsName, excepts); err != nil {
-						klog.Error(err)
-						return err
-					}
-
-					if len(allows) != 0 || len(excepts) != 0 {
-						ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, npr.Ports, logEnable, logActions, namedPortMap)
-						if err != nil {
-							klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
+				} else {
+					var allow, except []string
+					for _, npp := range npr.To {
+						if allow, except, err = c.fetchPolicySelectedAddresses(np.Namespace, protocol, npp); err != nil {
+							klog.Errorf("failed to fetch policy selected addresses, %v", err)
 							return err
 						}
-
-						egressACLOps = append(egressACLOps, ops...)
+						allows = append(allows, allow...)
+						excepts = append(excepts, except...)
 					}
 				}
-				if len(np.Spec.Egress) == 0 {
-					egressAllowAsName := fmt.Sprintf("%s.%s.all", egressAllowAsNamePrefix, protocol)
-					egressExceptAsName := fmt.Sprintf("%s.%s.all", egressExceptAsNamePrefix, protocol)
-					aclName := fmt.Sprintf("np/%s.%s/egress/%s/all", npName, np.Namespace, protocol)
+				klog.Infof("UpdateNp Egress, allows is %v, excepts is %v, log %v", allows, excepts, logEnable)
 
-					if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressAllowAsName, nil); err != nil {
-						klog.Error(err)
-						return err
-					}
-					if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressExceptAsName, nil); err != nil {
-						klog.Error(err)
-						return err
-					}
+				if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressAllowAsName, allows); err != nil {
+					klog.Error(err)
+					return err
+				}
+				if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressExceptAsName, excepts); err != nil {
+					klog.Error(err)
+					return err
+				}
 
-					ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
+				if len(allows) != 0 || len(excepts) != 0 {
+					ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, npr.Ports, logEnable, logActions, namedPortMap)
 					if err != nil {
 						klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
 						return err
@@ -437,7 +417,30 @@ func (c *Controller) handleUpdateNp(key string) error {
 					egressACLOps = append(egressACLOps, ops...)
 				}
 			}
+			if len(np.Spec.Egress) == 0 {
+				egressAllowAsName := fmt.Sprintf("%s.%s.all", egressAllowAsNamePrefix, protocol)
+				egressExceptAsName := fmt.Sprintf("%s.%s.all", egressExceptAsNamePrefix, protocol)
+				aclName := fmt.Sprintf("np/%s.%s/egress/%s/all", npName, np.Namespace, protocol)
+
+				if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressAllowAsName, nil); err != nil {
+					klog.Error(err)
+					return err
+				}
+				if err = c.createAsForNetpol(np.Namespace, npName, "egress", egressExceptAsName, nil); err != nil {
+					klog.Error(err)
+					return err
+				}
+
+				ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
+				if err != nil {
+					klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
+					return err
+				}
+
+				egressACLOps = append(egressACLOps, ops...)
+			}
 		}
+
 		if err := c.OVNNbClient.Transact("add-egress-acls", egressACLOps); err != nil {
 			return fmt.Errorf("add egress acls to %s: %w", pgName, err)
 		}