[caclmgrd] Fix subnet mask recognizing for drop ip2me rules

[ghost]

Why I did it

Resolves #7008
As described in #7008, currently, caclmgrd applies drop rules for network interfaces with ip_ntwrk.max_prefixlen, instead of real subnet mask prefix, what makes the rules are not valid. The changes make possible to apply iptables rules with a real subnet mask prefix.
As the changes makes the device inaccessible via SSH, SNMP and makes impossible to use NTP on MGMT interface due to result of execution of function generate_block_ip2me_traffic_iptables_commands, new function generate_commands_for_mgmt_intf has implemented to add missing iptables rules for SSH, SNMP and NTP to the system.
As ACL_SERVICES is currently used for generating rules for MGMT interface, it has renamed to stay clear in its purpose.

How I did it

By recognizing and setting a real prefix of subnet mask, instead of ip_ntwrk.max_prefixlen.
To stay possible to use SNMP, SSH and NTP on MGMT interface, new function generate_commands_for_mgmt_intf has added to caclmgrd. It adds the required rules and drops all the traffic, which has no related rules.

How to verify it

Boot the switch and try to connect to it via SSH. SSH should work normal, as same as SNMP and NTP, if configured.
See the logs with show logging | grep caclmgrd. All the applied rules will be listed after Issuing the following iptables commands:. All the rules should have its own subnet mask prefixes, not ip_ntwrk.max_prefixlen.

Example:

Apr 29 19:06:47.341051 sonic INFO caclmgrd[2475]:   iptables -A INPUT -d 10.0.0.28/31 -j DROP
Apr 29 19:06:47.343867 sonic INFO caclmgrd[2475]:   iptables -A INPUT -d 10.0.0.30/31 -j DROP
Apr 29 19:06:47.345009 sonic INFO caclmgrd[2475]:   iptables -A INPUT -d 10.0.0.22/31 -j DROP
Apr 29 19:06:47.346226 sonic INFO caclmgrd[2475]:   iptables -A INPUT -d 10.0.0.26/31 -j DROP
Apr 29 19:06:47.347987 sonic INFO caclmgrd[2475]:   iptables -A INPUT -d 10.0.0.34/31 -j DROP
Apr 29 19:06:47.349138 sonic INFO caclmgrd[2475]:   iptables -A INPUT -d 10.0.0.10/31 -j DROP
Apr 29 19:06:47.353227 sonic INFO caclmgrd[2475]:   iptables -A INPUT -p udp -d 192.168.111.0/24 --dport 123 -j ACCEPT
Apr 29 19:06:47.354688 sonic INFO caclmgrd[2475]:   iptables -A INPUT -p tcp -d 192.168.111.0/24 --dport 161 -j ACCEPT
Apr 29 19:06:47.356006 sonic INFO caclmgrd[2475]:   iptables -A INPUT -p udp -d 192.168.111.0/24 --dport 161 -j ACCEPT
Apr 29 19:06:47.357527 sonic INFO caclmgrd[2475]:   iptables -A INPUT -p tcp -d 192.168.111.0/24 --dport 22 -j ACCEPT
Apr 29 19:06:47.358928 sonic INFO caclmgrd[2475]:   iptables -A INPUT -d 192.168.111.0/24 -j DROP
Apr 29 19:06:47.361097 sonic INFO caclmgrd[2475]:   iptables -A INPUT -m ttl --ttl-lt 2 -j ACCEPT
Apr 29 19:06:47.362360 sonic INFO caclmgrd[2475]:   ip6tables -A INPUT -p tcp -m hl --hl-lt 2 -j ACCEPT

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012

The fix is desirable, because it releases incoming traffic from useless data.

Description for the changelog

Fixed subnet mask prefixes for drop rules in caclmgrd. A missed rules for MGMT interface.

A picture of a cute animal (not mandatory but encouraged)

[ghost]

retest this please

[pshulik]

@lguohan, Could you please review the changes

[bluecmd]

I just found out this PR. I created a related / alternative fix: #9826. Hopefully either PR can be merged so this issue can be fixed.