Add EnableLogging and LogLabel supports for Node NetworkPolicy

This commit introduces limited support for traffic logging in Node
NetworkPolicy. The limitations are:

- Traffic logs are written only to the system log (not managed by Antrea).
  Users can filter logs using syslog filters.
- The `LogLabel` for Node NetworkPolicy is restricted to a maximum of
  12 characters.

Node NetworkPolicy's data path is implemented via iptables. An iptables
"non-terminating target" `LOG` is added before the final matching rule to
log packets to the system kernel log. The logs provide packet match details,
such as:

```
Sep  2 10:31:07 k8s-node-control-plane kernel: [6657320.789675] Antrea:I:Allow:allow-http:IN=ens224 OUT= MAC=00:50:56:a7:fb:18:00:50:56:a7:23:47:08:00 SRC=10.10.0.10 DST=192.168.240.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52813 DF PROTO=TCP SPT=57658 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  2 10:31:11 k8s-node-control-plane kernel: [6657324.899219] Antrea:I:Drop:default-drop:IN=ens224 OUT= MAC=00:50:56:a7:fb:18:00:50:56:a7:23:47:08:00 SRC=192.168.240.201 DST=192.168.240.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27486 DF PROTO=TCP SPT=33152 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
```

The log prefix (e.g., `Antrea:I:Allow:allow-http:`) is up to 29 characters long
and includes a user-provided log label (up to 12 characters). The log prefix format:

```
|---1--| |2| |---3--| |----------4--------|
|Antrea|:|I|:|Reject|:|user-provided label|:|
|6     |1|1|1|4-6   |1|1-12               |1|
```

- Part 1: Fixed, "Antrea"
- Part 2: Direction, "I" (In) or "O" (Out)
- Part 3: Action, "Allow", "Drop", or "Reject"
- Part 4: User-provided log label, up to 12 characters

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>

test/e2e/nodenetworkpolicy_test.go

@@ -15,8 +15,8 @@
 package e2e
 
 import (
+	"antrea.io/antrea/pkg/agent/util/sysctl"
 	"fmt"
-	"os/exec"
 	"strings"
 	"testing"
 	"time"
@@ -898,12 +898,13 @@ func testNodeACNPNestedIPBlockClusterGroupCreateAndUpdate(t *testing.T) {
 
 func testNodeACNPAuditLogging(t *testing.T, data *TestData) {
 	if testOptions.providerName == "kind" {
-		// Let kernel messages generated by iptables LOG targets in network namespaces of Kind Nodes.
-		cmd := exec.Command("sh", "-c", "sysctl -w \"/proc/sys/net/netfilter/nf_log_all_netns=1\"")
-		require.NoError(t, cmd.Run())
+		if err := sysctl.EnsureSysctlNetValue("netfilter/nf_log_all_netns", 1); err != nil {
+			t.Fatalf("failed to set", err)
+		}
 		defer func() {
-			cmd := exec.Command("sh", "-c", "sysctl -w \"/proc/sys/net/netfilter/nf_log_all_netns=0\"")
-			require.NoError(t, cmd.Run())
+			if err := sysctl.EnsureSysctlNetValue("netfilter/nf_log_all_netns", 0); err != nil {
+				t.Fatalf("failed to set", err)
+			}
 		}()
 	}
 	randomLogLabel := uuid.New().String()[:12] // Generate a random logLabel with 12 characters long.