diff --git a/bin/varnishtest/tests/c00005.vtc b/bin/varnishtest/tests/c00005.vtc index d9b77cca150..818ba531822 100644 --- a/bin/varnishtest/tests/c00005.vtc +++ b/bin/varnishtest/tests/c00005.vtc @@ -163,13 +163,13 @@ varnish v1 -errvcl {Non-zero bits in masked part} { } } -# this is both an OK test for pedantic and merge +# this is both an OK test for pedantic and fold varnish v1 -vcl { import std; backend dummy None; - acl acl1 +log +pedantic +merge { + acl acl1 +log +pedantic +fold { # bad notation (confusing) "1.2.3.0"/24; "1.2.3.64"/26; @@ -191,12 +191,12 @@ varnish v1 -vcl { "2.3.4.0"/23; "2.3.6.0"/23; - # 12/14 merged, not 10 + # 12/14 folded, not 10 "2.10.0.0"/15; "2.12.0.0"/15; "2.14.0.0"/15; - # 226/227 merged, not 225 + # 226/227 folded, not 225 "2.225.0.0"/16; "2.226.0.0"/16; "2.227.0.0"/16; @@ -287,9 +287,9 @@ logexpect l1 -v v1 -g raw { expect 0 = VCL_acl {^\QMATCH acl1 "1.4.4.0"/22\E$} expect 1 = ReqHeader {^\Qip: 2.3.0.0\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "2.3.0.0"/21 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "2.3.0.0"/21 fixed: folded\E} expect 1 = ReqHeader {^\Qip: 2.3.5.255\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "2.3.0.0"/21 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "2.3.0.0"/21 fixed: folded\E} expect 1 = ReqHeader {^\Qip: 2.2.255.255\E$$} expect 0 = VCL_acl {^\QNO_MATCH acl1\E$} expect 1 = ReqHeader {^\Qip: 2.3.8.0\E$} @@ -300,9 +300,9 @@ logexpect l1 -v v1 -g raw { expect 1 = ReqHeader {^\Qip: 2.10.1.1\E$} expect 0 = VCL_acl {^\QMATCH acl1 "2.10.0.0"/15\E$} expect 1 = ReqHeader {^\Qip: 2.12.0.0\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "2.12.0.0"/14 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "2.12.0.0"/14 fixed: folded\E} expect 1 = ReqHeader {^\Qip: 2.15.255.255\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "2.12.0.0"/14 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "2.12.0.0"/14 fixed: folded\E} expect 1 = ReqHeader {^\Qip: 2.16.1.1\E$} expect 0 = VCL_acl {^\QNO_MATCH acl1\E} 
@@ -311,16 +311,16 @@ logexpect l1 -v v1 -g raw { expect 1 = ReqHeader {^\Qip: 2.225.1.1\E$} expect 0 = VCL_acl {^\QMATCH acl1 "2.225.0.0"/16\E$} expect 1 = ReqHeader {^\Qip: 2.226.1.1\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "2.226.0.0"/15 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "2.226.0.0"/15 fixed: folded\E} expect 1 = ReqHeader {^\Qip: 2.227.1.1\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "2.226.0.0"/15 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "2.226.0.0"/15 fixed: folded\E} expect 1 = ReqHeader {^\Qip: 10.0.3.255\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "10.0.0.0"/22 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "10.0.0.0"/22 fixed: folded\E} expect 1 = ReqHeader {^\Qip: 10.1.1.255\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "10.1.0.0"/23 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "10.1.0.0"/23 fixed: folded\E} expect 1 = ReqHeader {^\Qip: 10.2.0.255\E$} - expect 0 = VCL_acl {^\QMATCH acl1 "10.2.0.0"/24 fixed: merged\E} + expect 0 = VCL_acl {^\QMATCH acl1 "10.2.0.0"/24 fixed: folded\E} } -start client c1 { diff --git a/doc/sphinx/reference/vcl.rst b/doc/sphinx/reference/vcl.rst index c8feabd6724..f479591417b 100644 --- a/doc/sphinx/reference/vcl.rst +++ b/doc/sphinx/reference/vcl.rst 
@@ -299,26 +299,26 @@ individually: However, if the name resolves to both IPv4 and IPv6 you will still get an error. -* `+merge` - Merge ACL supernets and adjacent networks. +* `+fold` - Merge ACL supernets and adjacent networks. With this parameter set to on, ACLs are optimized in that subnets contained in other entries are skipped (e.g. if 1.2.3.0/24 is part of the ACL, an entry for 1.2.3.128/25 will not be added) and - adjacent entries get merged (e.g. if both 1.2.3.0/25 and - 1.2.3.128/25 are added, they will be merged to 1.2.3.0/24). + adjacent entries get folded (e.g. if both 1.2.3.0/25 and + 1.2.3.128/25 are added, they will be folded to 1.2.3.0/24). - Skip and merge operations on VCL entries are output as warnings + Skip and fold operations on VCL entries are output as warnings during VCL compilation as entries from the VCL are processed in order. Logging under the ``VCL_acl`` tag can change with this parameter enabled: Matches on skipped subnet entries are now logged as matches - on the respective supernet entry. Matches on merged entries are + on the respective supernet entry. Matches on folded entries are logged with a shorter netmask which might not be contained in the original ACL as defined in VCL. Such log entries are marked by - ``fixed: merged``. + ``fixed: folded``. - Negated ACL entries are never merged. + Negated ACL entries are never folded. VCL objects ----------- diff --git a/include/tbl/vsl_tags.h b/include/tbl/vsl_tags.h index 0007ee5c05c..ebcb3ac3606 100644 --- a/include/tbl/vsl_tags.h +++ b/include/tbl/vsl_tags.h 
@@ -272,8 +272,8 @@ SLTM(VCL_acl, 0, "VCL ACL check results", "\t+-------------------- MATCH, NO_MATCH or NO_FAM\n" "\n" "* Fix info: either contains network/mask for non-canonical entries " - "(see acl +pedantic flag) or ``merged`` for entries " - "which were the result of a merge operation (see acl +merge flag).\n" + "(see acl +pedantic flag) or ``folded`` for entries " + "which were the result of a fold operation (see acl +fold flag).\n" "* ``MATCH`` denotes an ACL match\n" "* ``NO_MATCH`` denotes that a checked ACL has not matched\n" "* ``NO_FAM`` denotes a missing address family and should not occur.\n" diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c index de9f9b1ea05..2d757630b3f 100644 --- a/lib/libvcc/vcc_acl.c +++ b/lib/libvcc/vcc_acl.c @@ -53,7 +53,7 @@ struct acl { #define VCC_ACL_MAGIC 0xb9fb3cd0 int flag_log; - int flag_merge; + int flag_fold; int flag_pedantic; int flag_table; @@ -244,7 +244,7 @@ vcc_acl_chk(struct vcc *tl, const struct acl_e *ae, const int l, } static void -vcl_acl_merge(struct vcc *tl, struct acl_e **l, struct acl_e **r) +vcl_acl_fold(struct vcc *tl, struct acl_e **l, struct acl_e **r) { enum acl_cmp_e cmp; @@ -276,7 +276,7 @@ vcl_acl_merge(struct vcc *tl, struct acl_e **l, struct acl_e **r) break; case ACL_LEFT: (*l)->mask--; - (*l)->fixed = "merged"; + (*l)->fixed = "folded"; VSB_cat(tl->sb, "ACL entry:\n"); vcc_ErrWhere(tl, (*l)->t_addr); VSB_cat(tl->sb, "left of:\n"); @@ -319,12 +319,12 @@ vcc_acl_insert_entry(struct vcc *tl, struct acl_e **aenp) r = *aenp; *aenp = NULL; - if (tl->acl->flag_merge == 0) + if (tl->acl->flag_fold == 0) return; l = VRBT_PREV(acl_tree, &tl->acl->acl_tree, r); if (l != NULL) { - vcl_acl_merge(tl, &l, &r); + vcl_acl_fold(tl, &l, &r); } if (r == NULL) return; @@ -332,7 +332,7 @@ vcc_acl_insert_entry(struct vcc *tl, struct acl_e **aenp) r = VRBT_NEXT(acl_tree, &tl->acl->acl_tree, l); if (r == NULL) return; - vcl_acl_merge(tl, &l, &r); + vcl_acl_fold(tl, &l, &r); } static void 
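Review bot: The renamed helper in the -244 hunk of lib/libvcc/vcc_acl.c keeps the `vcl_` prefix (`vcl_acl_fold`), while the other functions visible in this file are `vcc_acl_chk`, `vcc_acl_insert_entry` and `vcc_ParseAcl`. It is `static` and both call sites are already touched by this commit, so `vcc_acl_fold(struct vcc *tl, struct acl_e **l, struct acl_e **r)` would be a free consistency fix. The function also has no header comment for its in/out pointers, although the caller in the -319 hunk tests `r == NULL` after the call. A comment such as `/* Try to fold *r into *l; may widen *l and set *r to NULL */` would help, to be confirmed against the body, most of which lies outside the hunk.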
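Review bot: The string assigned in the -276 hunk, `(*l)->fixed = "folded";`, is not internal. The test expectations in c00005.vtc show it reaching `VCL_acl` log records as `fixed: folded`, so this commit changes observable log output. Per the vcl.rst text, a folded match is logged with a netmask that may not exist in the ACL as written, so log queries or audit tooling keyed on `fixed: merged` to spot such synthesized entries would stop matching without any error. I would call the marker change out in the upgrade notes and add a comment on this line, e.g. `/* emitted verbatim after "fixed: " in VCL_acl records, keep in sync with vsl_tags.h */`. The enclosing `vcl_acl_fold` begins in the previous hunk and continues past this one.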
@@ -836,8 +836,8 @@ vcc_ParseAcl(struct vcc *tl) if (vcc_IdIs(tl->t, "log")) { acl->flag_log = sign; vcc_NextToken(tl); - } else if (vcc_IdIs(tl->t, "merge")) { - acl->flag_merge = sign; + } else if (vcc_IdIs(tl->t, "fold")) { + acl->flag_fold = sign; vcc_NextToken(tl); } else if (vcc_IdIs(tl->t, "pedantic")) { acl->flag_pedantic = sign;
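Review bot: `vcc_ParseAcl` now recognises only `fold`, so an existing VCL that declares `acl ... +merge { ... }` falls through to whatever the final branch of this chain does, which is outside the hunk and is presumably a compile error. Failing the load is the safe direction for an access-control list, but if `+merge` ever shipped in a release this is an incompatible change. In that case the old spelling could be kept as an alias with `} else if (vcc_IdIs(tl->t, "fold") || vcc_IdIs(tl->t, "merge")) {`. Either way, c00005.vtc as changed here has no case for the old spelling, so an `-errvcl` test for `+merge` (or an acceptance test, if the alias is kept) would pin the intended behaviour.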