Added CACL entry for Redfish

[shreyansh-nexthop]

Why I did it

The Redfish docker on the BMC binds host port 0.0.0.0:443:18080 (as per the docker-sonic-redfish rules in sonic-buildimage), so any IP that can reach the BMC's management interface on TCP/443 can hit the Redfish API.

caclmgrd only emits iptables rules for services that are registered in its ACL_SERVICES dict. Without an entry for REDFISH, any operator-defined ACL_TABLE referencing it is silently dropped with a syslog warning ("unrecognized service") i.e. the framework has no way to translate the operator's intent into iptables rules. This patch adds that registration.

How I did it

Added a single entry to ACL_SERVICES in scripts/caclmgrd, mirroring the existing SSH/SNMP/NTP entries:

How to verify it

1. Confirm the entry shipped:

   sudo grep -A4 '"REDFISH"' /usr/local/bin/caclmgrd

2. Configure a CTRLPLANE ACL via CONFIG_DB

   redis-cli -n 4 HSET "ACL_TABLE|REDFISH_ACL" \
       policy_desc REDFISH_ACL type CTRLPLANE stage ingress services@ REDFISH
   
   redis-cli -n 4 HSET "ACL_RULE|REDFISH_ACL|ALLOW_ME" \
       PRIORITY 999 SRC_IP <your-source-ip>/32 PACKET_ACTION ACCEPT
   
   redis-cli -n 4 HSET "ACL_RULE|REDFISH_ACL|DENY_REST" \
       PRIORITY 1 SRC_IP 0.0.0.0/0 PACKET_ACTION DROP

3. Confirm caclmgrd translated them into iptables:

   show acl table
   show acl rule
   sudo iptables -L INPUT -n --line-numbers | grep ':443'

4. Confirm enforcement:

   From the allowed source
   curl -k -u bmcweb:bmcweb https://<bmc-ip>/redfish/v1 # → 200

   From a non-allowed source
   curl -k --max-time 5 -u bmcweb:bmcweb https://<bmc-ip>/redfish/v1 # → connection refused / timeout

Remove rules if not needed:

redis-cli -n 4 DEL "ACL_RULE|REDFISH_ACL|DENY_REST"
redis-cli -n 4 DEL "ACL_RULE|REDFISH_ACL|ALLOW_ME"
redis-cli -n 4 DEL "ACL_TABLE|REDFISH_ACL"

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).