[master] d97c4e339 vcc_acl: Turn on folding by default

Nils Goroll nils.goroll at uplex.de
Wed Jul 9 13:46:05 UTC 2025 

commit d97c4e3392ebe57dbe11c7f0c4e1cd621270dfe6
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Wed Jul 2 10:21:16 2025 +0200

    vcc_acl: Turn on folding by default

diff --git a/bin/varnishtest/tests/c00005.vtc b/bin/varnishtest/tests/c00005.vtc
index 8854329a4..0a6e90517 100644
--- a/bin/varnishtest/tests/c00005.vtc
+++ b/bin/varnishtest/tests/c00005.vtc
@@ -72,7 +72,7 @@ varnish v1 -vcl {
 
 	backend dummy None;
 
-	acl acl1 +log -pedantic {
+	acl acl1 +log -fold -pedantic {
 		# bad notation (confusing)
 		"1.2.3.4"/24;
 		"1.2.3.66"/26;
@@ -206,7 +206,8 @@ varnish v1 -vcl {
 
 	backend dummy None;
 
-	acl acl1 +log +pedantic +fold {
+	// +fold and +pedantic are default
+	acl acl1 +log {
 		# bad notation (confusing)
 		"1.2.3.0"/24;
 		"1.2.3.64"/26;
diff --git a/doc/changes.rst b/doc/changes.rst
index ca0c5ff58..94b9de0e0 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
@@ -41,6 +41,11 @@ Varnish Cache NEXT (8.0, 2025-09-15)
 .. PLEASE keep this roughly in commit order as shown by git-log / tig
    (new to old)
 
+* The ACL option ``+fold`` is now default. This means that ACL entries will
+  automatically be merged for adjacent networks and subnets will be removed in
+  the presence of supernets. This affects logging. The old default behavior can
+  be restored by adding the ``-fold`` option to ACLs.
+
 * The VMOD functions ``std.real2integer()``, ``std.real2time()``,
   ``std.time2integer()`` and ``std.time2real()`` have been removed. They had
   been marked deprecated since Varnish Cache release 6.2.0 (2019-03-15).
diff --git a/doc/sphinx/reference/vcl.rst b/doc/sphinx/reference/vcl.rst
index 4c069eb8f..3df2d4d0d 100644
--- a/doc/sphinx/reference/vcl.rst
+++ b/doc/sphinx/reference/vcl.rst
@@ -344,13 +344,13 @@ individually:
   However, if the name resolves to both IPv4 and IPv6 you will still
   get an error.
 
-* `+fold` - Fold ACL supernets and adjacent networks.
+* `-fold` - Do not fold ACL supernets and adjacent networks.
 
-  With this parameter set to on, ACLs are optimized in that subnets
-  contained in other entries are skipped (e.g.  if 1.2.3.0/24 is part
-  of the ACL, an entry for 1.2.3.128/25 will not be added) and
-  adjacent entries get folded (e.g.  if both 1.2.3.0/25 and
-  1.2.3.128/25 are added, they will be folded to 1.2.3.0/24).
+  With this parameter set to on (default), ACLs are optimized in that subnets
+  contained in other entries are skipped (e.g.  if 1.2.3.0/24 is part of the
+  ACL, an entry for 1.2.3.128/25 will not be added) and adjacent entries get
+  folded (e.g.  if both 1.2.3.0/25 and 1.2.3.128/25 are added, they will be
+  folded to 1.2.3.0/24).
 
   Skip and fold operations on VCL entries are output as warnings
   during VCL compilation as entries from the VCL are processed in
diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c
index b360fa682..188e63c6d 100644
--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -813,6 +813,7 @@ vcc_ParseAcl(struct vcc *tl)
 	INIT_OBJ(acl, VCC_ACL_MAGIC);
 	tl->acl = acl;
 	acl->flag_pedantic = 1;
+	acl->flag_fold = 1;
 	vcc_NextToken(tl);
 	VRBT_INIT(&acl->acl_tree);

More information about the varnish-commit mailing list