From a49e06b54bbec00c5c4cc27e4cd5562de9d3bb97 Mon Sep 17 00:00:00 2001
From: oz123 <oz.tiram@gmail.com>
Date: Thu, 19 Apr 2018 15:46:42 +0200
Subject: [PATCH] Document how to allow ipip traffic with calico on OpenStack

---
 docs/calico.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/calico.md b/docs/calico.md
index 7992e57eb..b8cdc90cb 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -169,3 +169,12 @@ By default the felix agent(calico-node) will abort if the Kernel RPF setting is
 ```
 calico_node_ignorelooserpf: true
 ```
+
+Note that in OpenStack you must allow `ipip` traffic in your security groups,
+otherwise you will experience timeouts.
+To do this you must add a rule which allows it, for example:
+
+```
+neutron  security-group-rule-create  --protocol 4  --direction egress  k8s-a0tp4t
+neutron  security-group-rule-create  --protocol 4  --direction igress  k8s-a0tp4t
+```
-- 
GitLab