palo_alto_local_rulestack_rule - support port ranges and 'any' keyword in protocol_ports

antoniodiaz02 · antoniodiaz02 · commit a531de16a13a · 2026-04-13T19:37:58.000+02:00
- Accept port ranges in format 'TCP:1024-1206' and 'UDP:5000-5100' - Accept 'any' and 'application-default' as standalone values - Add unit tests for ProtocolWithPort validation function Fixes #25907
diff --git a/internal/services/paloalto/palo_alto_local_rulestack_rule_resource.go b/internal/services/paloalto/palo_alto_local_rulestack_rule_resource.go
@@ -157,7 +157,7 @@ func (r LocalRuleStackRule) Arguments() map[string]*pluginsdk.Schema {
 			Optional: true,
 			ValidateFunc: validation.Any(
 				validate.ProtocolWithPort,
-				validation.StringInSlice([]string{protocolApplicationDefault}, false),
+				validation.StringInSlice([]string{protocolApplicationDefault, "any"}, false),
 			),
 			ExactlyOneOf: []string{"protocol", "protocol_ports"},
 		},
diff --git a/internal/services/paloalto/validate/protocol.go b/internal/services/paloalto/validate/protocol.go
@@ -16,19 +16,46 @@ func ProtocolWithPort(input interface{}, k string) (warnings []string, errors []
 		return
 	}
 
+	if v == "any" || v == "application-default" {
+		return
+	}
+
 	parts := strings.Split(v, ":")
 	if len(parts) != 2 {
-		errors = append(errors, fmt.Errorf("expected %s to be a two part string separated by a `:`, e.g. TCP:80", k))
+		errors = append(errors, fmt.Errorf("expected %s to be a two part string separated by a `:`, e.g. TCP:80, or a supported keyword like `any`", k))
 		return
 	}
 
 	if parts[0] != "TCP" && parts[0] != "UDP" {
 		errors = append(errors, fmt.Errorf("protocol portion of %s must be one of `TCP` or `UDP`, got %q", k, parts[0]))
 	}
 
+	if strings.Contains(parts[1], "-") {
+		rangeParts := strings.Split(parts[1], "-")
+		if len(rangeParts) != 2 {
+			errors = append(errors, fmt.Errorf("port range in %s must be in format START-END, e.g. TCP:1024-1206", k))
+			return
+		}
+		startPort, err := strconv.Atoi(rangeParts[0])
+		if err != nil || startPort < 1 || startPort > 65535 {
+			errors = append(errors, fmt.Errorf("start port in %s must be an integer between 1 and 65535, got %q", k, rangeParts[0]))
+			return
+		}
+		endPort, err := strconv.Atoi(rangeParts[1])
+		if err != nil || endPort < 1 || endPort > 65535 {
+			errors = append(errors, fmt.Errorf("end port in %s must be an integer between 1 and 65535, got %q", k, rangeParts[1]))
+			return
+		}
+		if startPort > endPort {
+			errors = append(errors, fmt.Errorf("start port must be less than or equal to end port in %s", k))
+			return
+		}
+		return
+	}
+
 	port, err := strconv.Atoi(parts[1])
 	if err != nil || port == 0 || port > 65535 {
-		errors = append(errors, fmt.Errorf("port in %s must me an integer value between 1 and 65535, got %q", k, parts[1]))
+		errors = append(errors, fmt.Errorf("port in %s must be an integer value between 1 and 65535, got %q", k, parts[1]))
 	}
 
 	return
diff --git a/internal/services/paloalto/validate/protocol_test.go b/internal/services/paloalto/validate/protocol_test.go
@@ -0,0 +1,101 @@
+// Copyright IBM Corp. 2014, 2025
+// SPDX-License-Identifier: MPL-2.0
+
+package validate
+
+import (
+	"testing"
+)
+
+func TestProtocolWithPort(t *testing.T) {
+	tests := []struct {
+		name       string
+		input      string
+		wantErrors int
+	}{
+		{
+			name:       "single port TCP",
+			input:      "TCP:80",
+			wantErrors: 0,
+		},
+		{
+			name:       "single port UDP",
+			input:      "UDP:443",
+			wantErrors: 0,
+		},
+		{
+			name:       "port range TCP",
+			input:      "TCP:1024-1206",
+			wantErrors: 0,
+		},
+		{
+			name:       "port range UDP",
+			input:      "UDP:5000-5100",
+			wantErrors: 0,
+		},
+		{
+			name:       "any keyword",
+			input:      "any",
+			wantErrors: 0,
+		},
+		{
+			name:       "application-default keyword",
+			input:      "application-default",
+			wantErrors: 0,
+		},
+		{
+			name:       "invalid single port zero",
+			input:      "TCP:0",
+			wantErrors: 1,
+		},
+		{
+			name:       "invalid port too high",
+			input:      "TCP:70000",
+			wantErrors: 1,
+		},
+		{
+			name:       "invalid start greater than end",
+			input:      "TCP:2000-1000",
+			wantErrors: 1,
+		},
+		{
+			name:       "invalid start port zero in range",
+			input:      "TCP:0-100",
+			wantErrors: 1,
+		},
+		{
+			name:       "invalid end port zero in range",
+			input:      "TCP:100-0",
+			wantErrors: 1,
+		},
+		{
+			name:       "invalid protocol",
+			input:      "ICMP:80",
+			wantErrors: 1,
+		},
+		{
+			name:       "invalid missing port",
+			input:      "TCP:",
+			wantErrors: 1,
+		},
+		{
+			name:       "invalid missing colon",
+			input:      "TCP80",
+			wantErrors: 1,
+		},
+		{
+			name:       "invalid malformed range",
+			input:      "TCP:100-200-300",
+			wantErrors: 1,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, errors := ProtocolWithPort(tt.input, "test_field")
+			if len(errors) != tt.wantErrors {
+				t.Errorf("ProtocolWithPort(%q) got %d errors, want %d", tt.input, len(errors), tt.wantErrors)
+			}
+		})
+	}
+}
