
Bug: CACL updates remove dhcp_server syslog iptables rule #27584

@tirupatihemanth

Description

Is it platform specific

generic

Importance or Severity

Critical

Description of the bug

CACL updates cause caclmgrd to flush and rebuild host iptables rules from CONFIG_DB ACL state. The dhcp_server container startup script separately adds this rule directly to the kernel:

-A INPUT -i docker0 -p udp --dport 514 -m comment --comment dhcp_server_syslog -j ACCEPT

This rule is needed because dhcp_server uses Docker bridge networking and sends syslog traffic to the host through docker0, unlike host-networked containers.

Because the rule is not represented in CONFIG_DB and is not regenerated by caclmgrd, any CACL change removes the rule until dhcp_server is restarted.

Relevant public code paths:

  • Manipulating the kernel filtering rules directly instead of going through CONFIG_DB is what causes this issue; here is the PR that introduced that change: [dhcp_server] Fix syslog blocked by caclmgrd catch-all DROP on bridge… #26637
  • files/build_templates/docker_image_ctl.j2: adds/removes the dhcp_server_syslog rule during dhcp_server start/stop.
  • src/sonic-host-services/scripts/caclmgrd: flushes/rebuilds host iptables when CACL configuration changes.

Steps to Reproduce

  1. Verify the dhcp_server_syslog rule exists.
  2. Add or update a CACL table in CONFIG_DB.
  3. Check the dhcp_server_syslog rule again.
  4. Restart dhcp_server and check the rule again.

Actual Behavior and Expected Behavior

Actual behavior: the dhcp_server_syslog iptables rule is removed after a CACL config update. It is restored only after restarting dhcp_server.

Expected behavior: CACL updates should not remove the dhcp_server syslog exception, or caclmgrd should regenerate/preserve it while rebuilding iptables.

Relevant log output

root@sonic:/home/admin# iptables -S | grep -i syslog
-A INPUT -i docker0 -p udp -m udp --dport 514 -m comment --comment dhcp_server_syslog -j ACCEPT

root@sonic:/home/admin# sonic-db-cli CONFIG_DB HSET "ACL_TABLE|TEST_CACL" "policy_desc" "test" "type" "CTRLPLANE" "stage" "ingress" "services@" "SSH"
4

root@sonic:/home/admin# iptables -S | grep -i syslog

root@sonic:/home/admin# systemctl restart dhcp_server

root@sonic:/home/admin# iptables -S | grep -i syslog
-A INPUT -i docker0 -p udp -m udp --dport 514 -m comment --comment dhcp_server_syslog -j ACCEPT
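A check for the reproduction steps and log output above, added here as an example and not part of this issue or of the SONiC code: it reads `iptables -S INPUT` output on stdin and reports whether the dhcp_server_syslog exception is present, missing, or altered. The three sample rulesets are constructed, not captured from a switch.

```shell
#!/bin/sh
# Added example, not code from the SONiC repository or this issue: a check for the
# dhcp_server_syslog rule that the issue shows being removed by a CACL update.
# It reads `iptables -S INPUT` output on stdin so it can be run against the live
# ruleset (iptables -S INPUT | check_dhcp_server_syslog_rule) or a saved copy.

# Exit status: 0 = the expected rule is present,
#              1 = no rule carries the dhcp_server_syslog comment (the symptom here),
#              2 = a rule carries the comment but no longer matches docker0/udp/514/ACCEPT.
check_dhcp_server_syslog_rule() {
    rules=$(cat)
    tagged=$(printf '%s\n' "$rules" | grep -- '--comment dhcp_server_syslog' || true)
    [ -n "$tagged" ] || return 1
    printf '%s\n' "$tagged" \
        | grep -q -- '^-A INPUT .*-i docker0 .*-p udp .*--dport 514 .*-j ACCEPT$' || return 2
    return 0
}

# Constructed sample rulesets (not captured from a real device) mirroring the log output.
# Before the CACL change: the docker0 exception sits in front of the control-plane rules.
SAMPLE_BEFORE='-P INPUT ACCEPT
-A INPUT -i docker0 -p udp -m udp --dport 514 -m comment --comment dhcp_server_syslog -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'
# After caclmgrd rebuilt INPUT from CONFIG_DB: the out-of-band rule is gone.
SAMPLE_AFTER='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'
# Constructed edge case: the comment survived but the rule no longer accepts traffic.
SAMPLE_ALTERED='-P INPUT ACCEPT
-A INPUT -i docker0 -p udp -m udp --dport 514 -m comment --comment dhcp_server_syslog -j DROP
-A INPUT -j DROP'

# Report one ruleset; $1 is a label, the ruleset arrives on stdin.
report() {
    rc=0
    check_dhcp_server_syslog_rule || rc=$?
    case $rc in
        0) echo "$1: dhcp_server_syslog rule present" ;;
        1) echo "$1: dhcp_server_syslog rule missing (flushed by a CACL rebuild?)" ;;
        *) echo "$1: dhcp_server_syslog comment found but rule is altered" ;;
    esac
    return $rc
}

printf '%s\n' "$SAMPLE_BEFORE"  | report before  || true
printf '%s\n' "$SAMPLE_AFTER"   | report after   || true
printf '%s\n' "$SAMPLE_ALTERED" | report altered || true
```

On a switch, run `iptables -S INPUT | check_dhcp_server_syslog_rule` before and after a CACL change to confirm whether the exception survived the rebuild.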
