[caclmgrd]: Preserve dhcp_server_syslog rule during CACL rebuild

[Bojun-Feng]

Why I did it

Fix sonic-net/sonic-buildimage#27584

The dhcp_server container uses Docker bridge networking and sends syslog traffic to the host through docker0. Its iptables rule (-A INPUT -i docker0 -p udp --dport 514 -m comment --comment dhcp_server_syslog -j ACCEPT) is created by docker_image_ctl.j2 during container startup but has no representation in CONFIG_DB.

When caclmgrd processes a CACL update, it flushes all INPUT chain rules and rebuilds from CONFIG_DB state. Since the dhcp_server_syslog rule exists only in the kernel, it is permanently lost until the dhcp_server container is restarted. This silently breaks syslog delivery from dhcp_server after any CACL configuration change.

How I did it

• Regenerate the dhcp_server_syslog iptables rule during caclmgrd's flush-and-rebuild cycle when the dhcp_server feature is present in the FEATURE table, gated to host namespace only
• Add unit tests validating both feature-present (rule inserted) and feature-absent (rule skipped) cases

How to verify it

1. Enable dhcp_server feature and verify the syslog rule exists: iptables -S | grep dhcp_server_syslog
2. Apply a CACL update: sonic-db-cli CONFIG_DB HSET "ACL_TABLE|TEST" "policy_desc" "test" "type" "CTRLPLANE" "stage" "ingress" "services@" "SSH"
3. Verify the syslog rule is preserved: iptables -S | grep dhcp_server_syslog

Description for the changelog

Fix caclmgrd to preserve dhcp_server_syslog iptables rule during CACL flush-and-rebuild cycle

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[tirupatihemanth]

@Bojun-Feng I am not comfortable with dhcp_servrer modify kernel iptables rules directly instead of through CONFIG_DB involvement. I understand this fix tries to address the issue by modifying kernel iptables rules again in caclmgrd but I want to understand if we can address this in dhcp_server. I tagged the origin author PR in the github issue.