amazon web services - Saltstack: (boto_secgroup) Add a rule that allows ALL TRAFFIC to a sec group
[Using salt --version: 2015.5.0] I want to add a rule that allows all traffic to a security group.
I have this in my pillar:
    securitygroups:
      groups:
        - name: nfs
          region: us-east-1
          vpc_id: vpc-1234
          description: desc
          rules:
            - ip_protocol: -1
              from_port: -1
              to_port: -1
              ec2_group: sg123456
The API suggests using -1 to specify IpProtocol. I'm getting this error:
    ----------
              ID: secgroups_nfsecuritygroup
        Function: boto_secgroup.present
            Name: nfsecuritygroup
          Result: False
         Comment: exception occurred in state: Traceback (most recent call last):
                    File "/usr/lib/python2.6/site-packages/salt/state.py", line 1563, in call
                      **cdata['kwargs'])
                    File "/usr/lib/python2.6/site-packages/salt/states/boto_secgroup.py", line 140, in present
                      _ret = _rules_present(name, rules, vpc_id, region, key, keyid, profile)
                    File "/usr/lib/python2.6/site-packages/salt/states/boto_secgroup.py", line 345, in _rules_present
                      to_delete, to_create = _get_rule_changes(rules, sg['rules'])
                    File "/usr/lib/python2.6/site-packages/salt/states/boto_secgroup.py", line 265, in _get_rule_changes
                      raise SaltInvocationError(msg.format(ip_protocol))
                  SaltInvocationError: invalid ip_protocol traffic specified in security group rule.
         Started: 03:09:58.163808
        Duration: 235.323 ms
from_port: -1, to_port: -1 works fine if I specify ip_protocol: icmp|tcp|udp.
I think the -1 value for the protocol works for security groups that are part of a VPC. For EC2-Classic, I think you have to add 3 separate rules, 1 for each protocol.
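The three-rule workaround from the answer above, as an added example that is not part of the original post or of Salt's own code. The function name `expand_all_traffic` and the sample rules are hypothetical; the rule keys are the ones used in the question's pillar, and the full port ranges (0-65535 for tcp/udp, -1/-1 for icmp) are the assumption for what "all traffic" means per protocol.

```python
import copy

# Values that mark an "all traffic" rule. YAML loads an unquoted -1 as an int
# and a quoted one as a string, so both are accepted (assumption).
ALL_PROTOCOLS = {-1, "-1"}

# Per-protocol ranges that together cover every TCP, UDP and ICMP packet.
# For ICMP, from_port/to_port carry type/code, and -1 means "any".
FULL_RANGES = (
    ("tcp", 0, 65535),
    ("udp", 0, 65535),
    ("icmp", -1, -1),
)


def expand_all_traffic(rules):
    """Return a new rule list in which each all-traffic rule becomes three rules."""
    expanded = []
    for rule in rules:
        if rule.get("ip_protocol") not in ALL_PROTOCOLS:
            expanded.append(copy.deepcopy(rule))
            continue
        for proto, low, high in FULL_RANGES:
            # Copy the rule so the source restriction (ec2_group, cidr_ip, ...)
            # is carried over unchanged; only protocol and ports are rewritten.
            new_rule = copy.deepcopy(rule)
            new_rule.update(ip_protocol=proto, from_port=low, to_port=high)
            if new_rule not in expanded:  # skip exact duplicates
                expanded.append(new_rule)
    return expanded


# Constructed sample: the rule from the question plus one ordinary TCP rule.
SAMPLE_RULES = [
    {"ip_protocol": -1, "from_port": -1, "to_port": -1, "ec2_group": "sg123456"},
    {"ip_protocol": "tcp", "from_port": 2049, "to_port": 2049, "ec2_group": "sg123456"},
]

if __name__ == "__main__":
    for expanded_rule in expand_all_traffic(SAMPLE_RULES):
        print(expanded_rule)
```

The expanded rules cover TCP, UDP and ICMP only, so they are not identical to a VPC rule with protocol -1, which also matches other IP protocols. Keeping the source restriction on every generated rule is what stops the expansion from opening the group wider than the original rule intended.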