Warm-reload for port and VLAN ACL configuration changes

[courtland]

Warm-reload for changes to a port or VLAN's acls_in list.

This is a fresh PR following the closure of #4799, which combined this
work with VIP, router, and VLAN-base warm-restart. Per @gizmoguy's
feedback on scope and complexity, the new PR narrows to ACL only.

Mechanism

Adopts the per-ACL design @gizmoguy proposed in his
2026-05-01 review of #4733;
supersedes #4733 with @hieunt79 co-authored. For each port/VLAN whose
only change is acls_in, iterate the old and new ACL lists and call
del/add per-ACL with a cold-start priority decrement.
remove_overlap_ofmsgs cancels unchanged del+add pairs at flow-emit.

add_port_acl / del_port_acl gain @gizmoguy's suggested priority
kwarg (defaults to auth_priority, so dot1x callers unchanged).
add_vlan_acl / del_vlan_acl are the new VLAN-side methods
@gizmoguy noted were missing for per-ACL VLAN warm-reload.

What was required to make the per-ACL approach work

• force_port_vlan rules were landing in the wrong table. The
  per-ACL install path hardcoded the same goto-instruction for both
  allow and force_port_vlan rules. Fine for dot1x (never uses
  force_port_vlan: 1) but wrong for arbitrary user ACLs. Fixed by
  deriving both instructions from the pipeline the way cold-start
  install does.

• Stale flows when a port loses its last ACL. Empty↔non-empty
  transitions need the wildcard rule flipped, which the per-ACL loop
  can't do, so they fall back to cold_start_port. That path had a
  latent bug @hieunt79 found in VLAN ACL change detection to be able to warm reload #4733: its flowdel and the wildcard
  flowmod shared a flowmodkey, so remove_overlap_ofmsgs cancelled
  the delete and old ACL flows stayed on the switch. Fixed by using
  a priority-less flowdel.

• Old acls_in lists weren't available where the loop runs.
  dp_init swaps self.dp partway through _apply_config_changes,
  so the per-ACL loop snapshots the old lists into local dicts before
  that point.

• Priority decrement matches cold-start. The loop's
  priority -= len(acl.rules) mirrors cold-start install's priority
  assignment so unchanged ACLs' del+add pairs have matching
  flowmodkeys and remove_overlap_ofmsgs can cancel them. That's how
  the optimization saves wire traffic.

• Separate changed_acl_vlans bucket. VLAN ACL changes used to
  fold into changed_vlans (forcing cold restart).
  _get_vlan_config_changes now signals them separately so they
  reach the warm-reload path.

Tests

@hieunt79's two integration tests are included verbatim.
FaucetConfigReloadPortAclRemoveAllTest and a unit-level
ValveRemoveAllPortACLsTestCase cover the wildcard-cancellation case
fixed in the second bullet above. Adding or removing the
first/last ACL on the DP still cold-starts because the port_acl
table itself is conditionally allocated.

Closes #4733.

[codecov]

Codecov Report

❌ Patch coverage is 96.07843% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.43%. Comparing base (9bc5528) to head (b202eee).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
faucet/valve_acl.py	88.24%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4807      +/-   ##
==========================================
+ Coverage   91.42%   91.43%   +0.02%     
==========================================
  Files          46       46              
  Lines        8923     8962      +39     
==========================================
+ Hits         8157     8194      +37     
- Misses        766      768       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.