-
Nils Goroll authoredFunction: With the fold acl flag enabled (default: disabled, keeping the existing behavior), ACLs are optimized in that subnets contained in other entries are skipped (e.g. if 1.2.3.0/24 is part of the ACL, an entry for 1.2.3.128/25 will not be added) and adjacent entries get folded (e.g. if both 1.2.3.0/25 and 1.2.3.128/25 are added, they will be folded to 1.2.3.0/24). Skip and fold operations on VCL entries are output as warnings during VCL compilation as entries from the VCL are processed in order. Logging under the VCL_acl tag can change with this parameter enabled: Matches on skipped subnet entries are now logged as matches on the respective supernet entry. Matches on folded entries are logged with a shorter netmask which might not be contained in the original ACL as defined in VCL. Such log entries are marked by "fixed: folded". Negated ACL entries are excluded from folds. Implementation: The sort functions are changed such that the previous semantics are preserved: negative return values signify "a < b", positive return values signify "a > b". But additionally the values -2/2 and -3/3 are introduced (and given enums) to signify "contained in supernet" and "directly adjacent to". This allows for mostly unchanged code with vcc_acl_fold disabled. For the "subnet contained in supernet" case, all contained subnets are removed. By sort order, caontained subnets are always to be found left of supernets. For the "fold adjacent" case, the netmask of the entry with the smaller network number is decreased by one and the other entry removed. Because changing the netmask might affect sort order, we reinsert the changed entry.