[master] c3b45a314 vcc_acl: Fix ACL folding with negated entries

Nils Goroll nils.goroll at uplex.de
Mon Jul 21 07:34:05 UTC 2025


commit c3b45a3140d340b2ed1a529b41253c2eb4ba70ae
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Mon Jul 21 09:27:22 2025 +0200

    vcc_acl: Fix ACL folding with negated entries
    
    We obviously must not fold positive ACL entries with negated ones, yet after
    seeing superseding ACL entries, the check for negated entries was missing, such
    that positive ACL entries could erroneously get merged into negated ACL entries.
    
    Fixes #4369

diff --git a/bin/varnishtest/tests/r04369.vtc b/bin/varnishtest/tests/r04369.vtc
new file mode 100644
index 000000000..5c42d575d
--- /dev/null
+++ b/bin/varnishtest/tests/r04369.vtc
@@ -0,0 +1,34 @@
+varnishtest "ACL folding with negative matches"
+
+varnish v1 -vcl+backend {
+	import std;
+
+	backend dummy None;
+
+	acl acl1 +log +fold +pedantic {
+		! "10.0.0.0"/23;
+		"10.0.3.0"/24;
+		"10.0.2.0"/23;
+	}
+	sub vcl_recv {
+		return (synth(200));
+	}
+	sub t {
+		if (std.ip(req.http.ip) ~ acl1) { }
+	}
+	sub vcl_synth {
+		set req.http.ip = "10.0.2.42";	call t;
+	}
+} -start
+
+logexpect l1 -v v1 -g raw {
+	expect * 1001	ReqHeader	{^\Qip: 10.0.2.42\E$}
+	expect 0 =	VCL_acl	{^\QMATCH acl1 "10.0.2.0"/23\E$}
+} -start
+
+client c1 {
+	txreq
+	rxresp
+} -run
+
+logexpect l1 -wait
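Review bot: The new test probes only the positive side of the regression: one address (10.0.2.42) that must still match via `"10.0.2.0"/23` after `"10.0.3.0"/24` has been superseded, which is exactly the case where the negated neighbour `"10.0.0.0"/23` used to swallow it. It does not confirm that the negated entry itself survived folding intact, so a second `call t` with an address inside 10.0.0.0/23 (e.g. `set req.http.ip = "10.0.1.42"; call t;` in vcl_synth) plus the matching negative VCL_acl expectation in logexpect would pin both halves of the rule; the exact log text for a negated hit should be checked against what +log emits. A one-line comment above the acl block stating which entry is expected to be superseded and which pair must never merge would also make the fixture readable without consulting #4369.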
diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c
index 188e63c6d..df2bce46a 100644
--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -291,7 +291,7 @@ vcl_acl_fold(struct vcc *tl, struct acl_e **l, struct acl_e **r)
 		default:
 			INCOMPL();
 		}
-		if (*l == NULL || *r == NULL)
+		if (*l == NULL || *r == NULL || (*l)->not || (*r)->not)
 			break;
 		cmp = vcl_acl_cmp(*l, *r);
 	} while (cmp != ACL_LT);
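Review bot: The added guard stops the fold loop whenever either side is negated, which is stricter than the stated rule of not mixing positive and negated entries; if two adjacent negated entries were meant to remain foldable, the tighter condition would be `(*l)->not != (*r)->not`, otherwise a comment should say that negated entries are deliberately never folded at all. Either way the line deserves a why-comment because the check is easy to drop again when the loop is edited, e.g. `/* never fold across a polarity change: a positive entry merged into a negated one would silently lose matches (#4369) */`. The commit message implies the same polarity check already exists at the loop entry before the supersede handling; if so, factoring both into one small static predicate (say `acl_foldable(l, r)`) would keep the two sites from diverging again. The enclosing function vcl_acl_fold starts outside the hunk, so the earlier check and the switch being exited at the top of the hunk cannot be verified here.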

