vpp: support binding multiple ACL tables by priority (#1732)

why
currently vpp doesn't support binding multiple ACL tables. Each table is appended with default permit-all rules. With multiple tables, this may cause acl matched by such rules and skip the actual rule to make in the tables after this one.

what this PR does
remove the default permit-all rules for each table
If a table is empty, create a dummy rule that won't match any traffic because vpp doesn't allow empty table. The dummy rule matches dest-ip to 0.0.0.0/32
sort all the tables by priority in the table group. vpp doesn't support parallel matching
added catch-all acl group to the end. vpp default behavior of no match is drop but sonic is accept.
Fix sonic-vpp crashing due to race condition during stats pull. If the interface to get stats has been removed, stat_segment_ls_r returns null.

Signed-off-by: Yue Gao <yuega2@cisco.com>

Author: yue-fred-gao

vslib/vpp/SwitchVpp.h

@@ -622,6 +622,9 @@ namespace saivs
             std::map<sai_object_id_t, std::list<sai_object_id_t>> m_acl_tbl_grp_ports_map;
             std::map<sai_object_id_t, vpp_ace_cntr_info_t> m_ace_cntr_info_map;
 
+            uint32_t m_acl_default_swindex = 0;
+            bool m_acl_default_created = false;
+
         protected: // VPP
 
             sai_status_t createAclEntry(
@@ -804,9 +807,11 @@ namespace saivs
                     _In_ uint32_t attr_count,
                     _In_ const sai_attribute_t *attr_list);
 
-            sai_status_t aclDefaultAllowConfigure(
+            sai_status_t emptyAclCreate(
                     _In_ sai_object_id_t tbl_oid);
 
+            sai_status_t aclDefaultCreate();
+
             sai_status_t acl_rule_range_get(
                     _In_ const sai_object_list_t *range_list,
                     _Out_ sai_u32_range_t *range_limit_list,