[master] 155e83441 vcc_acl: Add +fold(-report) sub-option to omit fold warnings

[Nils Goroll]

commit 155e83441dd9068b03fe35c5b1b62d52012762ca
Author: Nils Goroll <nils.goroll at uplex.de>
Date:   Wed Nov 12 09:56:26 2025 +0100

    vcc_acl: Add +fold(-report) sub-option to omit fold warnings
    
    With a lot of folding going on, the warnings can easily bury more relevant CLI
    output.

diff --git a/bin/varnishtest/tests/c00005.vtc b/bin/varnishtest/tests/c00005.vtc
index 0a6e90517..51bb31e35 100644
--- a/bin/varnishtest/tests/c00005.vtc
+++ b/bin/varnishtest/tests/c00005.vtc
@@ -375,3 +375,39 @@ client c1 {
 } -run
 
 logexpect l1 -wait
+
+# test +fold(-report)
+varnish v1 -cliexpect "^$" {vcl.inline silent << EOF
+	vcl 4.1;
+
+	backend dummy None;
+
+	acl acl1 +log +pedantic +fold(-report) {
+		"1.2.0.0"/23;
+		"1.2.2.0"/24;
+		"1.2.3.0"/24;
+	}
+
+	sub vcl_recv {
+		if (client.ip ~ acl1) {
+			return (synth(403));
+		}
+	}
+	EOF
+}
+
+varnish v1 -errvcl "-fold(...) is invalid, use -fold" {
+	backend dummy None;
+
+	acl acl1 +log +pedantic -fold(+foo) {
+		"1.2.0.0"/23;
+	}
+}
+
+varnish v1 -errvcl "The only ACL fold sub-flag is `report`" {
+	backend dummy None;
+
+	acl acl1 +log +pedantic +fold(+foo) {
+		"1.2.0.0"/23;
+	}
+}
diff --git a/doc/sphinx/reference/vcl.rst b/doc/sphinx/reference/vcl.rst
index 307c97a4b..aae98629e 100644
--- a/doc/sphinx/reference/vcl.rst
+++ b/doc/sphinx/reference/vcl.rst
@@ -354,7 +354,7 @@ individually:
 
   Skip and fold operations on ACL entries are output as warnings
   during VCL compilation as entries from the VCL are processed in
-  order.
+  order unless the `-report` sub-flag is also given (see below).
 
   Logging under the ``VCL_acl`` tag can change with this parameter
   enabled: Matches on skipped subnet entries are now logged as matches
@@ -365,6 +365,19 @@ individually:
 
   Negated ACL entries are never folded.
 
+  Exactly one sub-flag is supported following `fold` in parenthesis:
+
+  - `+fold(+report)` - Fold with reporting (default)
+
+    Report about folding as described above
+
+  - `+fold(-report)` - Fold without reporting
+
+    Enable folding, but do not output folding-related warnings during VCL
+    compilation
+
+  The ``report`` sub-option is only valid with ``+fold``.
+
 VCL objects
 -----------
 
diff --git a/lib/libvcc/vcc_acl.c b/lib/libvcc/vcc_acl.c
index 4f52ca1e9..47d4d3350 100644
--- a/lib/libvcc/vcc_acl.c
+++ b/lib/libvcc/vcc_acl.c
@@ -54,6 +54,7 @@ struct acl {
 
 	int			flag_log;
 	int			flag_fold;
+	int			flag_fold_report;
 	int			flag_pedantic;
 	int			flag_table;
 
@@ -263,11 +264,13 @@ vcl_acl_fold(struct vcc *tl, struct acl_e **l, struct acl_e **r)
 	do {
 		switch (cmp) {
 		case ACL_CONTAINED:
-			VSB_cat(tl->sb, "ACL entry:\n");
-			vcc_ErrWhere(tl, (*r)->t_addr);
-			VSB_cat(tl->sb, "supersedes / removes:\n");
-			vcc_ErrWhere(tl, (*l)->t_addr);
-			vcc_Warn(tl);
+			if (tl->acl->flag_fold_report) {
+				VSB_cat(tl->sb, "ACL entry:\n");
+				vcc_ErrWhere(tl, (*r)->t_addr);
+				VSB_cat(tl->sb, "supersedes / removes:\n");
+				vcc_ErrWhere(tl, (*l)->t_addr);
+				vcc_Warn(tl);
+			}
 			VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *l);
 			FREE_OBJ(*l);
 			*l = VRBT_PREV(acl_tree, &tl->acl->acl_tree, *r);
@@ -275,14 +278,16 @@ vcl_acl_fold(struct vcc *tl, struct acl_e **l, struct acl_e **r)
 		case ACL_LEFT:
 			(*l)->mask--;
 			(*l)->fixed = "folded";
-			VSB_cat(tl->sb, "ACL entry:\n");
-			vcc_ErrWhere(tl, (*l)->t_addr);
-			VSB_cat(tl->sb, "left of:\n");
-			vcc_ErrWhere(tl, (*r)->t_addr);
-			VSB_printf(tl->sb, "removing the latter and expanding "
-			    "mask of the former by one to /%u\n",
-			    (*l)->mask - 8);
-			vcc_Warn(tl);
+			if (tl->acl->flag_fold_report) {
+				VSB_cat(tl->sb, "ACL entry:\n");
+				vcc_ErrWhere(tl, (*l)->t_addr);
+				VSB_cat(tl->sb, "left of:\n");
+				vcc_ErrWhere(tl, (*r)->t_addr);
+				VSB_printf(tl->sb, "removing the latter and "
+				    "expanding mask of the former by one to "
+				    "/%u\n", (*l)->mask - 8);
+				vcc_Warn(tl);
+			}
 			VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *r);
 			FREE_OBJ(*r);
 			VRBT_REMOVE(acl_tree, &tl->acl->acl_tree, *l);
@@ -814,7 +819,39 @@ vcc_parseAclFold(struct vcc *tl, int sign)
 	CHECK_OBJ_NOTNULL(acl, VCC_ACL_MAGIC);
 
 	acl->flag_fold = sign;
+	acl->flag_fold_report = 1;
 	vcc_NextToken(tl);
+	if (tl->t->tok != '(')
+		return;
+
+	if (! acl->flag_fold) {
+		VSB_cat(tl->sb, "-fold(...) is invalid, use -fold:\n");
+		vcc_ErrWhere(tl, tl->t);
+		return;
+	}
+
+	SkipToken(tl, '(');
+
+#define FOLD_SUBFLAGS_MSG "The only ACL fold sub-flag is `report`:\n"
+
+	sign = vcc_IsFlag(tl);
+	if (tl->err) {
+		VSB_cat(tl->sb, FOLD_SUBFLAGS_MSG);
+		return;
+	}
+	if (sign < 0)
+		return;
+
+	if (! vcc_IdIs(tl->t, "report")) {
+		VSB_cat(tl->sb, FOLD_SUBFLAGS_MSG);
+		vcc_ErrWhere(tl, tl->t);
+		return;
+	}
+
+	acl->flag_fold_report = sign;
+
+	vcc_NextToken(tl);
+	SkipToken(tl, ')');
 }
 
 void
@@ -828,6 +865,7 @@ vcc_ParseAcl(struct vcc *tl)
 	tl->acl = acl;
 	acl->flag_pedantic = 1;
 	acl->flag_fold = 1;
+	acl->flag_fold_report = 1;
 	vcc_NextToken(tl);
 	VRBT_INIT(&acl->acl_tree);