author Yushiro FURUKAWA <y.furukawa_2@jp.fujitsu.com> 2016-09-30 19:35:14 +0900
committer Yushiro FURUKAWA <y.furukawa_2@jp.fujitsu.com> 2017-01-06 20:43:18 +0900
commit 6fb4a728ca98bcb09ed1902dd1a1fcf908ed9a60
tree 747901be8c17a782c1547c2add0a2cdc2655107e /doc
parent 0a721cf576479d21d35893ed82c29bca6adb92cb
Add documentation for FWaaS v2 OSC plugin commands
This commit adds a Firewall-as-a-Service v2[1] CLI usage.

[1] http://specs.openstack.org/openstack/neutron-specs/specs/newton/fwaas-api-2.0.html

Change-Id: Ib271acad29229d78beebc2f1c2bd285c630768df
Partial-Implements: blueprint fwaas-api-2.0
Related-Bug: #1609686
Diffstat (limited to 'doc')
-rw-r--r-- doc/source/usage/osc/v2/firewall-group.rst 230
-rw-r--r-- doc/source/usage/osc/v2/firewall-policy.rst 274
-rw-r--r-- doc/source/usage/osc/v2/firewall-rule.rst 304
3 files changed, 808 insertions, 0 deletions
diff --git a/doc/source/usage/osc/v2/firewall-group.rst b/doc/source/usage/osc/v2/firewall-group.rst
new file mode 100644
index 0000000..b0c24a8
--- /dev/null
+++ b/doc/source/usage/osc/v2/firewall-group.rst
@@ -0,0 +1,230 @@
+==============
+firewall group
+==============
+
+A **firewall group** is a perimeter firewall management to Networking.
+Firewall group uses iptables to apply firewall policy to all VM ports and
+router ports within a project.
+
+Network v2
+
+firewall group create
+---------------------
+
+Create a firewall group for a given project.
+
+.. program:: firewall group create
+.. code:: bash
+
+ openstack firewall group create
+
+.. _firewallgroup_create-firewallgroup:
+.. option:: --name <name>
+
+ Name for the firewall group.
+
+.. option:: --enable
+
+ Enable firewall group (default).
+
+.. option:: --disable
+
+ Disable firewall group.
+
+.. option:: --public
+
+ Make the firewall group public, which allows it to be used in all projects
+ (as opposed to the default, which is to restrict its use to the current
+ project).
+
+.. option:: --private
+
+ Restrict use of the firewall group to the current project.
+
+.. option:: --project <project>
+
+ Owner's project (name or ID).
+
+.. option:: --project-domain <project-domain>
+
+ Domain the project belongs to (name or ID).
+ This can be used in case collisions between project names exist.
+
+.. option:: --description <description>
+
+ A description of the firewall group.
+
+.. option:: --ingress-firewall-policy <ingress-firewall-policy>
+
+ Ingress firewall policy (name or ID).
+
+.. option:: --no-ingress-firewall-policy
+
+ Detach ingress firewall policy from the firewall group.
+
+.. option:: --egress-firewall-policy <egress-firewall-policy>
+
+ Egress firewall policy (name or ID).
+
+.. option:: --no-egress-firewall-policy
+
+ Detach egress firewall policy from the firewall group.
+
+.. option:: --port <port>
+
+ Port(s) to apply firewall group (name or ID).
+
+.. option:: --no-port
+
+ Detach all port from the firewall group.
+
+firewall group delete
+---------------------
+
+Delete firewall group(s)
+
+.. program:: firewall group delete
+.. code:: bash
+
+ openstack firewall group delete
+ <firewall-group> [<firewall-group> ...]
+
+.. _firewallgroup_delete-firewallgroup:
+.. describe:: <firewall-group>
+
+ Firewall group(s) to delete (name or ID).
+
+firewall group list
+-------------------
+
+List all firewall groups
+
+.. program:: firewall group list
+.. code:: bash
+
+ openstack firewall group list
+ [--long]
+
+.. option:: --long
+
+ List additional fields in output.
+
+firewall group set
+------------------
+
+Set firewall group properties
+
+.. program:: firewall group set
+.. code:: bash
+
+ openstack firewall group set
+
+.. _firewallgroup_set-firewallgroup:
+.. describe:: <firewall-group>
+
+ Firewall group to set (name or ID).
+
+.. option:: --name <name>
+
+ Set firewall group name.
+
+.. option:: --enable
+
+ Enable firewall group (default).
+
+.. option:: --disable
+
+ Disable firewall group.
+
+.. option:: --public
+
+ Make the firewall group public, which allows it to be used in all projects
+ (as opposed to the default, which is to restrict its use to the current
+ project).
+
+.. option:: --private
+
+ Restrict use of the firewall group to the current project.
+
+.. option:: --description <description>
+
+ A description of the firewall group.
+
+.. option:: --ingress-firewall-policy <ingress-firewall-policy>
+
+ Ingress firewall policy (name or ID).
+
+.. option:: --no-ingress-firewall-policy
+
+ Detach ingress firewall policy from the firewall group.
+
+.. option:: --egress-firewall-policy
+
+ Egress firewall policy (name or ID).
+
+.. option:: --no-egress-firewall-policy
+
+ Detach egress firewall policy from the firewall group.
+
+.. option:: --port <port>
+
+ Port(s) to apply firewall group.
+
+.. option:: --no-port
+
+ Detach all port from the firewall group.
+
+firewall group show
+-------------------
+
+Show information of a given firewall group
+
+.. program:: firewall group show
+.. code:: bash
+
+ openstack firewall group show
+ <firewall-group>
+
+.. _firewallgroup_show-firewallgroup:
+.. describe:: <firewall-group>
+
+ Firewall group to display (name or ID).
+
+firewall group unset
+--------------------
+
+Unset firewall group properties
+
+.. program:: firewall group unset
+.. code:: bash
+
+ openstack firewall group unset
+
+.. _firewallgroup_unset-firewallgroup:
+.. describe:: <firewall-group>
+
+ Firewall group to unset (name or ID).
+
+.. option:: --enable
+
+ Disable firewall group.
+
+.. option:: --public
+
+ Restrict use of the firewall group to the current project.
+
+.. option:: --ingress-firewall-policy
+
+ Detach ingress firewall policy from the firewall group.
+
+.. option:: --egress-firewall-policy
+
+ Detach egress firewall policy from the firewall group.
+
+.. option:: --port <port>
+
+ Remove port(s) from the firewall group.
+
+.. option:: --all-port
+
+ Remove all ports from the firewall group.
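Review bot: Under `firewall group set`, `.. option:: --egress-firewall-policy` is declared without its `<egress-firewall-policy>` argument, while the ingress option just above it and the same option under `firewall group create` both take one; add the metavar so the rendered help does not read as a bare flag. The synopsis blocks for `create`, `set` and `unset` show only the command name, whereas `delete`, `list` and `show` list their arguments, so the positional `<firewall-group>` and the options never appear in the usage line. On `create`, `--no-ingress-firewall-policy`, `--no-egress-firewall-policy` and `--no-port` are described as detaching something from a group that does not exist yet; say what they do at creation time or drop them from that section. Because the group is applied to VM ports and router ports, it would help operators to state what happens to traffic on those ports when the group is disabled or has no policy attached. Smaller points: "Detach all port" should read "Detach all ports", `set` uses `--no-port` while `unset` uses `--all-port` for the same effect, and the opening sentence "a perimeter firewall management to Networking" needs rewording.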
diff --git a/doc/source/usage/osc/v2/firewall-policy.rst b/doc/source/usage/osc/v2/firewall-policy.rst
new file mode 100644
index 0000000..c4a78dd
--- /dev/null
+++ b/doc/source/usage/osc/v2/firewall-policy.rst
@@ -0,0 +1,274 @@
+=====================
+firewall group policy
+=====================
+
+A **firewall group policy** is an ordered collection of firewall rules.
+A firewall policy can be shared across projects. Thus it can also be made part
+of an audit workflow wherein the firewall_policy can be audited by the
+relevant entity that is authorized (and can be different from the projects
+which create or use the firewall group policy).
+
+Network v2
+
+firewall group policy create
+----------------------------
+
+Create a firewall policy for a given project
+
+.. program:: firewall group policy create
+.. code:: bash
+
+ openstack firewall group policy create
+
+.. _firewallpolicy_create-firewallpolicy:
+.. describe:: <name>
+
+ Name for the firewall policy.
+
+.. option:: --enable
+
+ Enable firewall policy (default).
+
+.. option:: --disable
+
+ Disable firewall policy.
+
+.. option:: --public
+
+ Make the firewall policy public, which allows it to be used in all projects
+ (as opposed to the default, which is to restrict its use to the current
+ project).
+
+.. option:: --private
+
+ Restrict use of the firewall policy to the current project.
+
+.. option:: --project <project>
+
+ Owner's project (name or ID).
+
+.. option:: --project-domain <project-domain>
+
+ Domain the project belongs to (name or ID).
+ This can be used in case collisions between project names exist.
+
+.. option:: --description <description>
+
+ A description of the firewall policy.
+
+.. option:: --firewall-rule <firewall-rule>
+
+ Firewall rule(s) to apply (name or ID).
+
+.. option:: --no-firewall-rule
+
+ Remove all firewall rules from the firewall policy.
+
+.. option:: --audited
+
+ Enable auditing for the policy.
+
+.. option:: --no-audited
+
+ Disable auditing for the policy.
+
+
+firewall group policy delete
+----------------------------
+
+Delete a given firewall policy
+
+.. program:: firewall group policy delete
+.. code:: bash
+
+ openstack firewall group policy delete
+ <firewall-policy> [<firewall-policy> ...]
+
+.. _firewallpolicy_delete-firewallpolicy:
+.. describe:: <firewall-policy>
+
+ Firewall policy(s) to delete (name or ID).
+
+firewall group policy list
+--------------------------
+
+List all firewall policies
+
+.. program:: firewall group policy list
+.. code:: bash
+
+ openstack firewall group policy list
+ [--long]
+
+.. option:: --long
+
+ List additional fields in output.
+
+firewall group policy set
+-------------------------
+
+Set firewall policy properties
+
+.. program:: firewall group policy set
+.. code:: bash
+
+ openstack firewall group policy set
+
+.. _firewallpolicy_set-firewallpolicy:
+.. describe:: <firewall-policy>
+
+ Firewall policy to set (name or ID).
+
+.. option:: --name <name>
+
+ Set firewall policy name.
+
+.. option:: --enable
+
+ Enable firewall policy (default).
+
+.. option:: --disable
+
+ Disable firewall policy.
+
+.. option:: --public
+
+ Make the firewall policy public, which allows it to be used in all projects
+ (as opposed to the default, which is to restrict its use to the current
+ project).
+
+.. option:: --private
+
+ Restrict use of the firewall policy to the current project.
+
+.. option:: --project <project>
+
+ Owner's project (name or ID).
+
+.. option:: --project-domain <project-domain>
+
+ Domain the project belongs to (name or ID).
+ This can be used in case collisions between project names exist.
+
+.. option:: --description <description>
+
+ A description of the firewall policy.
+
+.. option:: --firewall-rule <firewall-rule>
+
+ Firewall rule(s) to apply (name or ID).
+
+.. option:: --no-firewall-rule
+
+ Unset all firewall rules from firewall policy.
+
+.. option:: --audited
+
+ Enable auditing for the policy.
+
+.. option:: --no-audited
+
+ Disable auditing for the policy.
+
+
+firewall group policy show
+--------------------------
+
+Show information of a given firewall policy
+
+.. program:: firewall group policy show
+.. code:: bash
+
+ openstack firewall group policy show
+ <firewall-policy>
+
+.. _firewallpolicy_show-firewallpolicy:
+.. describe:: <firewall-policy>
+
+ Firewall policy to display (name or ID).
+
+firewall group policy unset
+---------------------------
+
+Unset firewall policy properties
+
+.. program:: firewall group policy unset
+.. code:: bash
+
+ openstack firewall group policy unset
+
+.. _firewallpolicy_unset-firewallpolicy:
+.. describe:: <firewall-policy>
+
+ Firewall policy to unset (name or ID).
+
+.. option:: --enable
+
+ Disable firewall policy.
+
+.. option:: --public
+
+ Restrict use of the firewall policy to the current project.
+
+.. option:: --firewall-rule <firewall-rule>
+
+ Firewall rule(s) to unset (name or ID).
+
+.. option:: --all-firewall-rule
+
+ Remove all firewall rules from the firewall policy.
+
+.. option:: --audited
+
+ Disable auditing for the policy.
+
+firewall group policy add rule
+------------------------------
+
+Adds a firewall rule in a firewall policy relative to the position of other
+rules.
+
+.. program:: firewall group policy add rule
+.. code:: bash
+
+ openstack firewall group policy add rule
+ <firewall-policy>
+ <firewall-rule>
+
+.. _firewallpolicy_add_rule-firewallpolicy:
+.. describe:: <firewall-policy>
+
+ Firewall policy to add rule (name or ID).
+
+.. describe:: <firewall-rule>
+
+ Firewall rule to be inserted (name or ID).
+
+.. option:: --insert-after <firewall-rule>
+
+ Insert the new rule after this existing rule (name or ID).
+
+.. option:: --insert-before <firewall-rule>
+
+ Insert the new rule before this existing rule (name or ID).
+
+firewall group policy remove rule
+---------------------------------
+
+Removes a firewall rule from a firewall policy.
+
+.. program:: firewall group policy remove rule
+.. code:: bash
+
+ openstack firewall group policy remove rule
+ <firewall-policy>
+ <firewall-rule>
+
+.. _firewallpolicy_remove_rule-firewallpolicy:
+.. describe:: <firewall-policy>
+
+ Firewall policy to remove rule (name or ID).
+
+.. describe:: <firewall-rule>
+
+ Firewall rule to remove from policy (name or ID).
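Review bot: The `firewall group policy add rule` section does not say where the rule is placed when neither `--insert-after` nor `--insert-before` is given, or what happens when both are given; the introduction defines a policy as an ordered collection of rules, so the resulting position should be documented, and both options should appear in the synopsis. `firewall group policy set` lists `--project` and `--project-domain`, which `firewall group set` in this same patch does not; if they were carried over from `create`, remove them, otherwise state that `set` changes the owning project. The synopsis for `create`, `set` and `unset` omits the positional argument that the `describe` entries document. Naming is inconsistent: the title says "firewall group policy", the option text says "firewall policy", and the introduction uses `firewall_policy`; "Firewall policy(s)" should be "Firewall policies".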
diff --git a/doc/source/usage/osc/v2/firewall-rule.rst b/doc/source/usage/osc/v2/firewall-rule.rst
new file mode 100644
index 0000000..fdb5206
--- /dev/null
+++ b/doc/source/usage/osc/v2/firewall-rule.rst
@@ -0,0 +1,304 @@
+===================
+firewall group rule
+===================
+
+A **firewall group rule** represents a collection of attributes like ports, IP
+addresses which define match criteria and action (allow, or deny) that needs to
+be taken on the matched data traffic.
+
+Network v2
+
+firewall group rule create
+--------------------------
+
+Create a firewall rule for a given project
+
+.. program:: firewall group rule create
+.. code:: bash
+
+ openstack firewall group rule create
+
+.. option:: --name <name>
+
+ Set firewall rule name.
+
+.. option:: --enable
+
+ Enable firewall rule (default).
+
+.. option:: --disable
+
+ Disable firewall rule.
+
+.. option:: --public
+
+ Make the firewall rule public, which allows it to be used in all projects
+ (as opposed to the default, which is to restrict its use to the current
+ project).
+
+.. option:: --private
+
+ Restrict use of the firewall rule to the current project.
+
+.. option:: --project <project>
+
+ Owner's project (name or ID)
+
+.. option:: --project-domain <project-domain>
+
+ Domain the project belongs to (name or ID).
+ This can be used in case collisions between project names exist.
+
+.. option:: --description <description>
+
+ A description of the firewall rule.
+
+.. option:: --protocol <protocol>
+
+ Protocol for the firewall rule ('tcp', 'udp', 'icmp', 'any').
+ Default is 'any'.
+
+.. option:: --action <action>
+
+ Action for the firewall rule ('allow', 'deny', 'reject').
+ Default is 'deny'.
+
+.. option:: --ip-version <ip-version>
+
+ Set IP version 4 or 6 (default is 4).
+
+.. option:: --source-port <source-port>
+
+ Source port number or range
+ (integer in [1, 65535] or range like 123:456).
+
+.. option:: --no-source-port
+
+ Detach source port number or range.
+
+.. option:: --destination-port <destination-port>
+
+ Destination port number or range
+ (integer in [1, 65535] or range like 123:456).
+
+.. option:: --no-destination-port
+
+ Detach destination port number or range.
+
+.. option:: --source-ip-address <source-ip-address>
+
+ Source IP address or subnet.
+
+.. option:: --no-source-ip-address
+
+ Detach source IP address.
+
+.. option:: --destination-ip-address <destination-ip-address>
+
+ Destination IP address or subnet.
+
+.. option:: --no-destination-ip-address
+
+ Detach destination IP address.
+
+.. option:: --enable-rule
+
+ Enable this rule (default is enabled).
+
+.. option:: --disable-rule
+
+ Disable this rule.
+
+firewall group rule delete
+--------------------------
+
+Delete a given firewall rule
+
+.. program:: firewall group rule delete
+.. code:: bash
+
+ openstack firewall group rule delete
+ <firewall-rule> [<firewall-rule> ...]
+
+.. _firewallrule_delete-firewallrule:
+.. describe:: <firewall-rule>
+
+ Firewall rule(s) to delete (name or ID).
+
+firewall group rule list
+------------------------
+
+List all firewall rules
+
+.. program:: firewall group rule list
+.. code:: bash
+
+ openstack firewall group rule list
+ [--long]
+
+.. option:: --long
+
+ List additional fields in output.
+
+firewall group rule set
+-----------------------
+
+Set firewall rule properties
+
+.. program:: firewall group rule set
+.. code:: bash
+
+ openstack firewall group rule set
+
+.. _firewallrule_set-firewallrule:
+.. describe:: <firewall-rule>
+
+ Firewall rule to set (name or ID).
+
+.. option:: --name <name>
+
+ Set firewall rule name.
+
+.. option:: --enable
+
+ Enable firewall rule (default).
+
+.. option:: --disable
+
+ Disable firewall rule.
+
+.. option:: --public
+
+ Make the firewall rule public, which allows it to be used in all projects
+ (as opposed to the default, which is to restrict its use to the current
+ project).
+
+.. option:: --private
+
+ Restrict use of the firewall rule to the current project.
+
+.. option:: --project <project>
+
+ Owner's project (name or ID).
+
+.. option:: --project-domain <project-domain>
+
+ Domain the project belongs to (name or ID).
+ This can be used in case collisions between project names exist.
+
+.. option:: --description <description>
+
+ A description of the firewall rule.
+
+.. option:: --protocol <protocol>
+
+ Protocol for the firewall rule ('tcp', 'udp', 'icmp', 'any').
+
+.. option:: --action <action>
+
+ Action for the firewall rule ('allow', 'deny', 'reject').
+
+.. option:: --ip-version <ip-version>
+
+ Set IP version 4 or 6 (default is 4).
+
+.. option:: --source-port <source-port>
+
+ Source port number or range
+ (integer in [1, 65535] or range like 123:456).
+
+.. option:: --no-source-port
+
+ Detach source port number or range.
+
+.. option:: --destination-port <destination-port>
+
+ Destination port number or range
+ (integer in [1, 65535] or range like 123:456).
+
+.. option:: --no-destination-port
+
+ Detach destination port number or range.
+
+.. option:: --source-ip-address <source-ip-address>
+
+ Source IP address or subnet.
+
+.. option:: --no-source-ip-address
+
+ Detach source IP address.
+
+.. option:: --destination-ip-address <destination-ip-address>
+
+ Destination IP address or subnet.
+
+.. option:: --no-destination-ip-address
+
+ Detach destination IP address.
+
+.. option:: --enable-rule
+
+ Enable this rule (default is enabled).
+
+.. option:: --disable-rule
+
+ Disable this rule.
+
+firewall group rule show
+------------------------
+
+Show information of a given firewall rule
+
+.. program:: firewall group rule show
+.. code:: bash
+
+ openstack firewall group rule show
+ <firewall-rule>
+
+.. _firewallrule_show-firewallrule:
+.. describe:: <firewall-rule>
+
+ Firewall rule to display (name or ID).
+
+firewall group rule unset
+-------------------------
+
+Unset firewall rule properties
+
+.. program:: firewall group rule unset
+.. code:: bash
+
+ openstack firewall group rule unset
+
+.. _firewallrule_unset-firewallrule:
+.. describe:: <firewall-rule>
+
+ Firewall rule to unset (name or ID).
+
+.. option:: --enable
+
+ Disable firewall rule.
+
+.. option:: --public
+
+ Restrict use of the firewall rule to the current project.
+
+.. option:: --source-port
+
+ Detach source port number or range.
+
+.. option:: --destination-port
+
+ Detach destination port number or range.
+
+.. option:: --source-ip-address
+
+ Detach source IP address.
+
+.. option:: --destination-ip-address
+
+ Detach destination IP address.
+
+.. option:: --enable-rule
+
+ Disable this rule.
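Review bot: `firewall group rule create` and `firewall group rule set` each document two pairs of switches with the same meaning, `--enable`/`--disable` ("Enable firewall rule") and `--enable-rule`/`--disable-rule` ("Enable this rule"), and `unset` repeats both `--enable` and `--enable-rule`; keep one pair or explain how they differ, since a reader cannot tell which switch takes a rule out of enforcement. The introduction names the actions as "allow, or deny" while `--action` also accepts 'reject'; align the two and say how 'reject' differs from 'deny'. `--source-ip-address` and `--destination-ip-address` say "IP address or subnet" without giving the expected notation, unlike the port options, which show `123:456`. On `create`, the `--no-source-port`, `--no-destination-port`, `--no-source-ip-address` and `--no-destination-ip-address` options are described as detaching a value that a new rule does not have yet. `set` lists `--project` and `--project-domain` as `create` does; confirm that changing the owner on `set` is intended. The `create` section has no `.. _firewallrule_create-firewallrule:` label although every other section with arguments has one, and "Owner's project (name or ID)" under `create` is missing its full stop.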