Comment 7 for bug 1533285

Verified on MOS 7.0 mu-3 updates.

Steps to verify:
1) create instance
2) nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
3) check iptables on compute for created instance: iptables-save
4) add floating ip to instance and ping instance

Actual result:
1) ok
2) ok
3) iptables contain the following rule: nova-compute-inst-20 -p icmp -j ACCEPT
4) ping is ok

Iptables for existed instances are changing immediately if add/modify/delete security group.