Couple of ways I can think to do this.
1. You could have the default gateway at the other end of the GRE tunnel, then use the controller routing table to route the other traffic.
2. Use ESI routing for the routes to networks you don't want to go down the GRE tunnel then you could have an "user any any route GRE" rule at the end of your role.