From 6fb4a728ca98bcb09ed1902dd1a1fcf908ed9a60 Mon Sep 17 00:00:00 2001 From: Yushiro FURUKAWA Date: Fri, 30 Sep 2016 19:35:14 +0900 Subject: [PATCH] Add documentation for FWaaS v2 OSC plugin commands This commit adds a Firewall-as-a-Service v2[1] CLI usage. [1]http://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html Change-Id: Ib271acad29229d78beebc2f1c2bd285c630768df Partial-Implements: blueprint fwaas-api-2.0 Related-Bug: #1609686 --- doc/source/usage/osc/v2/firewall-group.rst | 230 +++++++++++++++ doc/source/usage/osc/v2/firewall-policy.rst | 274 ++++++++++++++++++ doc/source/usage/osc/v2/firewall-rule.rst | 304 ++++++++++++++++++++ 3 files changed, 808 insertions(+) create mode 100644 doc/source/usage/osc/v2/firewall-group.rst create mode 100644 doc/source/usage/osc/v2/firewall-policy.rst create mode 100644 doc/source/usage/osc/v2/firewall-rule.rst diff --git a/doc/source/usage/osc/v2/firewall-group.rst b/doc/source/usage/osc/v2/firewall-group.rst new file mode 100644 index 000000000..b0c24a884 --- /dev/null +++ b/doc/source/usage/osc/v2/firewall-group.rst 
@@ -0,0 +1,230 @@ +============== +firewall group +============== + +A **firewall group** is a perimeter firewall management to Networking. +Firewall group uses iptables to apply firewall policy to all VM ports and +router ports within a project. + +Network v2 + +firewall group create +--------------------- + +Create a firewall group for a given project. + +.. program:: firewall group create +.. code:: bash + + openstack firewall group create + +.. _firewallgroup_create-firewallgroup: +.. option:: --name + + Name for the firewall group. + +.. option:: --enable + + Enable firewall group (default). + +.. option:: --disable + + Disable firewall group. + +.. option:: --public + + Make the firewall group public, which allows it to be used in all projects + (as opposed to the default, which is to restrict its use to the current + project). + +.. option:: --private + + Restrict use of the firewall group to the current project. + +.. option:: --project + + Owner's project (name or ID). + +.. option:: --project-domain + + Domain the project belongs to (name or ID). + This can be used in case collisions between project names exist. + +.. option:: --description + + A description of the firewall group. + +.. option:: --ingress-firewall-policy + + Ingress firewall policy (name or ID). + +.. option:: --no-ingress-firewall-policy + + Detach ingress firewall policy from the firewall group. + +.. option:: --egress-firewall-policy + + Egress firewall policy (name or ID). + +.. option:: --no-egress-firewall-policy + + Detach egress firewall policy from the firewall group. + +.. option:: --port + + Port(s) to apply firewall group (name or ID). + +.. option:: --no-port + + Detach all port from the firewall group. + +firewall group delete +--------------------- + +Delete firewall group(s) + +.. program:: firewall group delete +.. code:: bash + + openstack firewall group delete + [ ...] + +.. _firewallgroup_delete-firewallgroup: +.. 
describe:: + + Firewall group(s) to delete (name or ID). + +firewall group list +------------------- + +List all firewall groups + +.. program:: firewall group list +.. code:: bash + + openstack firewall group list + [--long] + +.. option:: --long + + List additional fields in output. + +firewall group set +------------------ + +Set firewall group properties + +.. program:: firewall group set +.. code:: bash + + openstack firewall group set + +.. _firewallgroup_set-firewallgroup: +.. describe:: + + Firewall group to set (name or ID). + +.. option:: --name + + Set firewall group name. + +.. option:: --enable + + Enable firewall group (default). + +.. option:: --disable + + Disable firewall group. + +.. option:: --public + + Make the firewall group public, which allows it to be used in all projects + (as opposed to the default, which is to restrict its use to the current + project). + +.. option:: --private + + Restrict use of the firewall group to the current project. + +.. option:: --description + + A description of the firewall group. + +.. option:: --ingress-firewall-policy + + Ingress firewall policy (name or ID). + +.. option:: --no-ingress-firewall-policy + + Detach ingress firewall policy from the firewall group. + +.. option:: --egress-firewall-policy + + Egress firewall policy (name or ID). + +.. option:: --no-egress-firewall-policy + + Detach egress firewall policy from the firewall group. + +.. option:: --port + + Port(s) to apply firewall group. + +.. option:: --no-port + + Detach all port from the firewall group. + +firewall group show +------------------- + +Show information of a given firewall group + +.. program:: firewall group show +.. code:: bash + + openstack firewall group show + + +.. _firewallgroup_show-firewallgroup: +.. describe:: + + Firewall group to display (name or ID). + +firewall group unset +-------------------- + +Unset firewall group properties + +.. program:: firewall group unset +.. 
code:: bash + + openstack firewall group unset + +.. _firewallgroup_unset-firewallgroup: +.. describe:: + + Firewall group to unset (name or ID). + +.. option:: --enable + + Disable firewall group. + +.. option:: --public + + Restrict use of the firewall group to the current project. + +.. option:: --ingress-firewall-policy + + Detach ingress firewall policy from the firewall group. + +.. option:: --egress-firewall-policy + + Detach egress firewall policy from the firewall group. + +.. option:: --port + + Remove port(s) from the firewall group. + +.. option:: --all-port + + Remove all ports from the firewall group. diff --git a/doc/source/usage/osc/v2/firewall-policy.rst b/doc/source/usage/osc/v2/firewall-policy.rst new file mode 100644 index 000000000..c4a78dd07 --- /dev/null +++ b/doc/source/usage/osc/v2/firewall-policy.rst 
@@ -0,0 +1,274 @@ +===================== +firewall group policy +===================== + +A **firewall group policy** is an ordered collection of firewall rules. +A firewall policy can be shared across projects. Thus it can also be made part +of an audit workflow wherein the firewall_policy can be audited by the +relevant entity that is authorized (and can be different from the projects +which create or use the firewall group policy). + +Network v2 + +firewall group policy create +---------------------------- + +Create a firewall policy for a given project + +.. program:: firewall group policy create +.. code:: bash + + openstack firewall group policy create + +.. _firewallpolicy_create-firewallpolicy: +.. describe:: + + Name for the firewall policy. + +.. option:: --enable + + Enable firewall policy (default). + +.. option:: --disable + + Disable firewall policy. + +.. option:: --public + + Make the firewall policy public, which allows it to be used in all projects + (as opposed to the default, which is to restrict its use to the current + project). + +.. option:: --private + + Restrict use of the firewall policy to the current project. + +.. option:: --project + + Owner's project (name or ID). + +.. option:: --project-domain + + Domain the project belongs to (name or ID). + This can be used in case collisions between project names exist. + +.. option:: --description + + A description of the firewall policy. + +.. option:: --firewall-rule + + Firewall rule(s) to apply (name or ID). + +.. option:: --no-firewall-rule + + Remove all firewall rules from the firewall policy. + +.. option:: --audited + + Enable auditing for the policy. + +.. option:: --no-audited + + Disable auditing for the policy. + + +firewall group policy delete +---------------------------- + +Delete a given firewall policy + +.. program:: firewall group policy delete +.. code:: bash + + openstack firewall group policy delete + [ ...] + +.. _firewallpolicy_delete-firewallpolicy: +.. 
describe:: + + Firewall policy(s) to delete (name or ID). + +firewall group policy list +-------------------------- + +List all firewall policies + +.. program:: firewall group policy list +.. code:: bash + + openstack firewall group policy list + [--long] + +.. option:: --long + + List additional fields in output. + +firewall group policy set +------------------------- + +Set firewall policy properties + +.. program:: firewall group policy set +.. code:: bash + + openstack firewall group policy set + +.. _firewallpolicy_set-firewallpolicy: +.. describe:: + + Firewall policy to set (name or ID). + +.. option:: --name + + Set firewall policy name. + +.. option:: --enable + + Enable firewall policy (default). + +.. option:: --disable + + Disable firewall policy. + +.. option:: --public + + Make the firewall policy public, which allows it to be used in all projects + (as opposed to the default, which is to restrict its use to the current + project). + +.. option:: --private + + Restrict use of the firewall policy to the current project. + +.. option:: --project + + Owner's project (name or ID). + +.. option:: --project-domain + + Domain the project belongs to (name or ID). + This can be used in case collisions between project names exist. + +.. option:: --description + + A description of the firewall policy. + +.. option:: --firewall-rule + + Firewall rule(s) to apply (name or ID). + +.. option:: --no-firewall-rule + + Unset all firewall rules from firewall policy. + +.. option:: --audited + + Enable auditing for the policy. + +.. option:: --no-audited + + Disable auditing for the policy. + + +firewall group policy show +-------------------------- + +Show information of a given firewall policy + +.. program:: firewall group policy show +.. code:: bash + + openstack firewall group policy show + + +.. _firewallpolicy_show-firewallpolicy: +.. describe:: + + Firewall policy to display (name or ID). 
+ +firewall group policy unset +--------------------------- + +Unset firewall policy properties + +.. program:: firewall group policy unset +.. code:: bash + + openstack firewall group policy unset + +.. _firewallpolicy_unset-firewallpolicy: +.. describe:: + + Firewall policy to unset (name or ID). + +.. option:: --enable + + Disable firewall policy. + +.. option:: --public + + Restrict use of the firewall policy to the current project. + +.. option:: --firewall-rule + + Firewall rule(s) to unset (name or ID). + +.. option:: --all-firewall-rule + + Remove all firewall rules from the firewall policy. + +.. option:: --audited + + Disable auditing for the policy. + +firewall group policy add rule +------------------------------ + +Adds a firewall rule in a firewall policy relative to the position of other +rules. + +.. program:: firewall group policy add rule +.. code:: bash + + openstack firewall group policy add rule + + + +.. _firewallpolicy_add_rule-firewallpolicy: +.. describe:: + + Firewall policy to add rule (name or ID). + +.. describe:: + + Firewall rule to be inserted (name or ID). + +.. option:: --insert-after + + Insert the new rule after this existing rule (name or ID). + +.. option:: --insert-before + + Insert the new rule before this existing rule (name or ID). + +firewall group policy remove rule +--------------------------------- + +Removes a firewall rule from a firewall policy. + +.. program:: firewall group policy remove rule +.. code:: bash + + openstack firewall group policy remove rule + + + +.. _firewallpolicy_remove_rule-firewallpolicy: +.. describe:: + + Firewall policy to remove rule (name or ID). + +.. describe:: + + Firewall rule to remove from policy (name or ID). diff --git a/doc/source/usage/osc/v2/firewall-rule.rst b/doc/source/usage/osc/v2/firewall-rule.rst new file mode 100644 index 000000000..fdb520684 --- /dev/null +++ b/doc/source/usage/osc/v2/firewall-rule.rst 
@@ -0,0 +1,304 @@ +=================== +firewall group rule +=================== + +A **firewall group rule** represents a collection of attributes like ports, IP +addresses which define match criteria and action (allow, or deny) that needs to +be taken on the matched data traffic. + +Network v2 + +firewall group rule create +-------------------------- + +Create a firewall rule for a given project + +.. program:: firewall group rule create +.. code:: bash + + openstack firewall group rule create + +.. option:: --name + + Set firewall rule name. + +.. option:: --enable + + Enable firewall rule (default). + +.. option:: --disable + + Disable firewall rule. + +.. option:: --public + + Make the firewall rule public, which allows it to be used in all projects + (as opposed to the default, which is to restrict its use to the current + project). + +.. option:: --private + + Restrict use of the firewall rule to the current project. + +.. option:: --project + + Owner's project (name or ID) + +.. option:: --project-domain + + Domain the project belongs to (name or ID). + This can be used in case collisions between project names exist. + +.. option:: --description + + A description of the firewall rule. + +.. option:: --protocol + + Protocol for the firewall rule ('tcp', 'udp', 'icmp', 'any'). + Default is 'any'. + +.. option:: --action + + Action for the firewall rule ('allow', 'deny', 'reject'). + Default is 'deny'. + +.. option:: --ip-version + + Set IP version 4 or 6 (default is 4). + +.. option:: --source-port + + Source port number or range + (integer in [1, 65535] or range like 123:456). + +.. option:: --no-source-port + + Detach source port number or range. + +.. option:: --destination-port + + Destination port number or range + (integer in [1, 65535] or range like 123:456). + +.. option:: --no-destination-port + + Detach destination port number or range. + +.. option:: --source-ip-address + + Source IP address or subnet. + +.. 
option:: --no-source-ip-address + + Detach source IP address. + +.. option:: --destination-ip-address + + Destination IP address or subnet. + +.. option:: --no-destination-ip-address + + Detach destination IP address. + +.. option:: --enable-rule + + Enable this rule (default is enabled). + +.. option:: --disable-rule + + Disable this rule. + +firewall group rule delete +-------------------------- + +Delete a given firewall rule + +.. program:: firewall group rule delete +.. code:: bash + + openstack firewall group rule delete + [ ...] + +.. _firewallrule_delete-firewallrule: +.. describe:: + + Firewall rule(s) to delete (name or ID). + +firewall group rule list +------------------------ + +List all firewall rules + +.. program:: firewall group rule list +.. code:: bash + + openstack firewall group rule list + [--long] + +.. option:: --long + + List additional fields in output. + +firewall group rule set +----------------------- + +Set firewall rule properties + +.. program:: firewall group rule set +.. code:: bash + + openstack firewall group rule set + +.. _firewallrule_set-firewallrule: +.. describe:: + + Firewall rule to set (name or ID). + +.. option:: --name + + Set firewall rule name. + +.. option:: --enable + + Enable firewall rule (default). + +.. option:: --disable + + Disable firewall rule. + +.. option:: --public + + Make the firewall rule public, which allows it to be used in all projects + (as opposed to the default, which is to restrict its use to the current + project). + +.. option:: --private + + Restrict use of the firewall rule to the current project. + +.. option:: --project + + Owner's project (name or ID). + +.. option:: --project-domain + + Domain the project belongs to (name or ID). + This can be used in case collisions between project names exist. + +.. option:: --description + + A description of the firewall rule. + +.. option:: --protocol + + Protocol for the firewall rule ('tcp', 'udp', 'icmp', 'any'). + +.. 
option:: --action + + Action for the firewall rule ('allow', 'deny', 'reject'). + +.. option:: --ip-version + + Set IP version 4 or 6 (default is 4). + +.. option:: --source-port + + Source port number or range + (integer in [1, 65535] or range like 123:456). + +.. option:: --no-source-port + + Detach source port number or range. + +.. option:: --destination-port + + Destination port number or range + (integer in [1, 65535] or range like 123:456). + +.. option:: --no-destination-port + + Detach destination port number or range. + +.. option:: --source-ip-address + + Source IP address or subnet. + +.. option:: --no-source-ip-address + + Detach source IP address. + +.. option:: --destination-ip-address + + Destination IP address or subnet. + +.. option:: --no-destination-ip-address + + Detach destination IP address. + +.. option:: --enable-rule + + Enable this rule (default is enabled). + +.. option:: --disable-rule + + Disable this rule. + +firewall group rule show +------------------------ + +Show information of a given firewall rule + +.. program:: firewall group rule show +.. code:: bash + + openstack firewall group rule show + + +.. _firewallrule_show-firewallrule: +.. describe:: + + Firewall rule to display (name or ID). + +firewall group rule unset +------------------------- + +Unset firewall rule properties + +.. program:: firewall group rule unset +.. code:: bash + + openstack firewall group rule unset + +.. _firewallrule_unset-firewallrule: +.. describe:: + + Firewall rule to unset (name or ID). + +.. option:: --enable + + Disable firewall rule. + +.. option:: --public + + Restrict use of the firewall rule to the current project. + +.. option:: --source-port + + Detach source port number or range. + +.. option:: --destination-port + + Detach destination port number or range. + +.. option:: --source-ip-address + + Detach source IP address. + +.. option:: --destination-ip-address + + Detach destination IP address. + +.. 
option:: --enable-rule + + Disable this rule.
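Review bot: In doc/source/usage/osc/v2/firewall-group.rst, the `firewall group unset` section describes `--enable` as "Disable firewall group." and `--public` as "Restrict use of the firewall group to the current project.", so the option name and its help text read as opposites. Please word these as what unsetting does, for example "Unset the enabled state, which disables the firewall group", so an operator does not have to infer the effect. In the `firewall group create` section, `--no-ingress-firewall-policy`, `--no-egress-firewall-policy` and `--no-port` are documented as "Detach ...", but nothing is attached to a group that does not exist yet; either drop them from create or say what they mean there. `firewall group set --no-port` and `firewall group unset --all-port` appear to do the same thing under two names, which deserves one sentence of explanation, and "Detach all port" should be "Detach all ports" in both places.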
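Review bot: In doc/source/usage/osc/v2/firewall-policy.rst, `--audited` and `--no-audited` are described as "Enable auditing for the policy." and "Disable auditing for the policy." in the create, set and unset sections, while the intro of the same file describes a workflow in which an authorized entity audits the policy. From this text a reader cannot tell whether the flag switches on an auditing mechanism or records that the policy has been audited; please state which, and who is expected to set it. In the `firewall group policy add rule` section, say where the rule is placed when neither `--insert-after` nor `--insert-before` is given and whether the two may be combined, since the intro defines a policy as an ordered collection and the position is part of its meaning. The file also mixes "firewall group policy", "firewall policy" and "firewall_policy" for the same object, and `firewall group policy create` lists `--no-firewall-rule` ("Remove all firewall rules from the firewall policy.") although a new policy has no rules to remove.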
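Review bot: In doc/source/usage/osc/v2/firewall-rule.rst, the create and set sections document two option pairs with the same meaning: `--enable`/`--disable` ("Enable firewall rule (default).") and `--enable-rule`/`--disable-rule` ("Enable this rule (default is enabled)."), and the unset section repeats both as `--enable` and `--enable-rule`. Keep one pair, or explain how they differ and which one wins when they conflict. The intro gives the action as "(allow, or deny)" while `--action` lists 'allow', 'deny', 'reject'; please align the two and say how 'reject' differs from 'deny'. Under `firewall group rule set`, `--protocol` and `--action` correctly drop the "Default is ..." sentence, but `--ip-version` still says "(default is 4)" and `--enable` still says "(default)", which reads as if set would reset unspecified fields on an existing rule. The create section also lists the `--no-source-port`, `--no-destination-port`, `--no-source-ip-address` and `--no-destination-ip-address` options as "Detach ...", which has no meaning for a rule that is being created.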