
[test gap] Add a new case to check caclmgrd syslog #17143


Merged (2 commits), Mar 3, 2025

Conversation

@ZhaohuiS (Contributor) commented Feb 25, 2025

Description of PR

Summary:
Fixes # (issue)
To address #16548.
In issue sonic-net/sonic-buildimage#21290, the disappearance of INFO-level logs in caclmgrd was reported months after the commit got merged.
We need a test case to help us report this kind of issue earlier.

Type of change

  • Bug fix
  • Testbed and Framework(new/improvement)
  • New Test case
    • Skipped for non-supported platforms
  • Test case improvement

Back port request

  • 202012
  • 202205
  • 202305
  • 202311
  • 202405
  • 202411

Approach

What is the motivation for this PR?

A new test case to check if INFO logs of caclmgrd were printed to syslog successfully.

How did you do it?

  1. rotate syslog
  2. restart caclmgrd
  3. check if iptables syslog lines exist in the syslog file
  4. check if iptables rules are applied successfully in the output of systemctl status caclmgrd

How did you verify/test it?

Run the new test case on the testbed

Any platform specific information?

Supported testbed topology if it's a new test case?

Documentation

@mssonicbld (Collaborator): /azp run

@ZhaohuiS ZhaohuiS requested review from matthew-soulsby and Copilot and removed request for matthew-soulsby February 25, 2025 05:41
@Copilot (Copilot AI) left a comment

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Signed-off-by: Zhaohui Sun <[email protected]>
@mssonicbld (Collaborator): /azp run

Azure Pipelines successfully started running 1 pipeline(s).

@StormLiangMS (Collaborator) left a comment

LGTM

@StormLiangMS StormLiangMS merged commit b96c943 into sonic-net:master Mar 3, 2025
14 checks passed
nissampa pushed a commit to nissampa/sonic-mgmt_dpu_test that referenced this pull request Mar 4, 2025
What is the motivation for this PR?
A new test case to check if INFO logs of caclmgrd were printed to syslog successfully.

How did you do it?
rotate syslog
restart caclmgrd
check if iptables syslog lines exist in the syslog file
Check if iptables rules are applied successfully in the output of systemctl status caclmgrd
How did you verify/test it?
Run the new test case on the testbed
nnelluri-cisco pushed a commit to nnelluri-cisco/sonic-mgmt that referenced this pull request Mar 15, 2025
@echuawu (Contributor) commented Apr 11, 2025

Hi @ZhaohuiS,
Currently I found that the test_caclmgrd_syslog case failed because there is no "iptables -A INPUT" in the output of the systemctl status caclmgrd command.
Instead, the information below is listed:
Apr 11 08:25:22 xxx caclmgrd[941963]: iptables -t nat -A POSTROUTING --destination 192.168.0.47 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Is this expected?

@ZhaohuiS (Contributor, Author)

@echuawu On which platform did it fail? On which version?

@echuawu (Contributor) commented Apr 14, 2025

@echuawu On which platform did it fail? On which version?
On SN4700 with master image

@ZhaohuiS (Contributor, Author)

@echuawu what's the output of "sudo iptables -S" in your testing?
I guess it has NAT config on your device?
If so, you can enhance this test case to support NAT iptables; whatever iptables logs it has, the case should pass.

@echuawu (Contributor) commented Apr 14, 2025

Hi @ZhaohuiS,
Here is the output of "systemctl status caclmgrd":

● caclmgrd.service - Control Plane ACL configuration daemon
     Loaded: loaded (/lib/systemd/system/caclmgrd.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-04-14 13:13:16 IDT; 24s ago
   Main PID: 490292 (caclmgrd)
      Tasks: 1 (limit: 19014)
     Memory: 14.7M
     CGroup: /system.slice/caclmgrd.service
             └─490292 /usr/bin/python3 /usr/local/bin/caclmgrd

Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.47 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.11 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.13 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.15 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.17 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.19 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.21 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.5 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.23 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.25 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38

And here is the output of "iptables -S":

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DHCP
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j DHCP
-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -p udp -m udp --dport 546:547 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -d 10.1.0.32/32 -j DROP
-A INPUT -d 10.1.0.34/32 -j DROP
-A INPUT -d 10.1.0.36/32 -j DROP
-A INPUT -d 10.1.0.38/32 -j DROP
-A INPUT -d 192.168.0.1/32 -j DROP
-A INPUT -d 10.0.0.56/32 -j DROP
-A INPUT -d 10.0.0.58/32 -j DROP
-A INPUT -d 10.0.0.60/32 -j DROP
-A INPUT -d 10.0.0.62/32 -j DROP
-A INPUT -p icmp -m ttl --ttl-lt 2 -j ACCEPT
-A INPUT -p udp -m ttl --ttl-lt 2 -m udp --dport 1025:65535 -j ACCEPT
-A INPUT -p tcp -m ttl --ttl-lt 2 -m tcp --dport 1025:65535 -j ACCEPT
-A DHCP -j RETURN

There is no NAT rules found.

@echuawu (Contributor) commented Apr 18, 2025

hi @ZhaohuiS , do you have any updates?

@ZhaohuiS (Contributor, Author)

@echuawu In your case, you need to check "sudo iptables -t nat -S"; the iptables rules are there.
Sorry, I don't have NAT config like in your scenario, could you please enhance the case to check if there is "iptables -t nat -A POSTROUTING" in /var/log/syslog or the output of sudo systemctl status caclmgrd.

@echuawu (Contributor) commented May 6, 2025

@echuawu In your case, you need to check "sudo iptables -t nat -S"; the iptables rules are there. Sorry, I don't have NAT config like in your scenario, could you please enhance the case to check if there is "iptables -t nat -A POSTROUTING" in /var/log/syslog or the output of sudo systemctl status caclmgrd.

Update it in #18239
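The check the thread converges on, written out as an added example that is not part of this PR, of #18239, or of sonic-mgmt's own code: it covers the four-step procedure in the PR description (rotate syslog, restart caclmgrd, look for iptables lines in syslog and in systemctl status output) and the nat-table enhancement requested above. It assumes the log text has already been fetched from the DUT; function names and the filter-table sample lines (hypothetical host and PID, with a decoy line from another process) are this example's own, while the nat-table sample lines are copied from the SN4700 output above.

```python
"""Checker for the caclmgrd syslog gap discussed in this PR (added example,
not sonic-mgmt's own test code).  Input is text the real test would fetch
from the DUT after rotating syslog and restarting caclmgrd: /var/log/syslog
or the output of ``systemctl status caclmgrd``.  It accepts both
``iptables -A INPUT ...`` (what the original case looked for) and
``iptables -t nat -A POSTROUTING ...`` (what the SN4700 logged)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Only lines emitted by the caclmgrd process count, so an iptables command
# logged by some other daemon cannot satisfy the check by accident.  The
# timestamp/host prefix is left unconstrained: syslog and journal differ.
_LINE_RE = re.compile(r"\bcaclmgrd\[(?P<pid>\d+)\]:\s+(?P<cmd>(?:ip6tables|iptables)\b.*)$")
_CHAIN_ACTIONS = ("-A", "-I", "-D", "-R", "-F", "-N", "-X", "-P")


@dataclass(frozen=True)
class IptablesEvent:
    pid: int
    family: str            # "iptables" or "ip6tables"
    table: str             # "filter" unless the command carries -t
    action: Optional[str]  # "-A", "-I", ... or None for other commands
    chain: Optional[str]
    command: str           # the full command as logged


def _parse_command(cmd: str):
    """Pull the table, action and chain out of one iptables command line."""
    tokens = cmd.split()
    family, table, action, chain = tokens[0], "filter", None, None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-t" and i + 1 < len(tokens):
            table = tokens[i + 1]
            i += 2
        elif action is None and tok in _CHAIN_ACTIONS:
            action = tok
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                chain = tokens[i + 1]
            i += 2
        else:
            i += 1
    return family, table, action, chain


def parse_caclmgrd_events(text: str) -> List[IptablesEvent]:
    """Extract every iptables command that caclmgrd logged in ``text``."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if m:
            family, table, action, chain = _parse_command(m.group("cmd"))
            events.append(IptablesEvent(int(m.group("pid")), family, table,
                                        action, chain, m.group("cmd").strip()))
    return events


def check_caclmgrd_syslog(text: str, require_filter_input: bool = False) -> Dict:
    """Verdict dict: {"passed": bool, "per_table": {...}, "reason": str}.
    require_filter_input=False is the relaxed rule agreed in the thread (any
    -A/-I logged by caclmgrd passes); True reproduces the original strict
    check for ``iptables -A INPUT`` that failed on the SN4700."""
    events = parse_caclmgrd_events(text)
    installed = [e for e in events if e.action in ("-A", "-I")]
    per_table: Dict[str, int] = {}
    for e in installed:
        per_table[e.table] = per_table.get(e.table, 0) + 1
    if require_filter_input:
        hits = [e for e in installed if e.table == "filter" and e.chain == "INPUT"]
    else:
        hits = installed
    if hits:
        reason = "caclmgrd logged %d iptables rule(s): %s" % (len(hits), per_table)
    elif events:
        reason = "caclmgrd logged iptables commands, but none of the required form"
    else:
        reason = "no iptables commands from caclmgrd found; INFO logging may be lost"
    return {"passed": bool(hits), "per_table": per_table, "reason": reason}


# Two of the nat-table lines quoted from the SN4700 report in this thread.
SAMPLE_SN4700 = """\
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.47 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
Apr 14 13:13:18 nvidia_sn_4700 caclmgrd[490292]:   iptables -t nat -A POSTROUTING --destination 192.168.0.11 --source 192.168.0.1 -j SNAT --to-source 10.1.0.38
"""

# Constructed sample (hypothetical host and PID): filter-table rules plus a
# decoy iptables line from another process that must be ignored.
SAMPLE_FILTER = """\
Apr 14 13:13:18 sonic caclmgrd[1234]:   iptables -A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
Apr 14 13:13:18 sonic caclmgrd[1234]:   iptables -A INPUT -p tcp --dport 179 -j ACCEPT
Apr 14 13:13:19 sonic sshd[99]: iptables -A INPUT -j DROP
"""
```

In the real sonic-mgmt case the text passed to check_caclmgrd_syslog would be read from /var/log/syslog or from systemctl status caclmgrd on the DUT after the rotate and restart; the checker only credits lines carrying the caclmgrd[pid] prefix, so an iptables line logged by any other daemon cannot make the case pass, and the strict flag shows why the original "iptables -A INPUT" assertion failed on a device whose restart only logged nat-table rules.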
