DPI: netifyd fails to reload firewall, logging breaks fw4 reload #1543

@Tbaile

Description

Steps to reproduce

  • Enable the logging of the DPI with dpi.config.log_blocked='1'
  • uci commit dpi
  • reload_config

Expected behavior

  • netifyd should successfully reload the firewall, with DPI analysis continuing as expected.

Actual behavior

  • netifyd fails to reload the firewall, resulting in no DPI analysis since the NFT chain is broken.
  • The DPI firewall rule trusts firewall.ns_defaults.rule_log_limit, but it does not work properly, as FW4 translates rates like 1/s to 1/second, and 1/s is an invalid value for nft.

Workaround

Apply these commands to mitigate the issue:

uci set dpi.config.log_blocked=0
uci commit dpi
reload_config

Components

  • ns-dpi - 0.3.1-r1
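
One way to guard against the rate mismatch described under "Actual behavior", as an added example that is not ns-dpi or firewall4 code: a shell helper that expands an abbreviated rate such as 1/s to the spelled-out unit before the value is placed in a raw nft rule, and rejects anything else. The function name and the prefix matching against second, minute, hour and day are assumptions.

```shell
#!/bin/sh
# Added example, not ns-dpi code. Expands a UCI-style rate ("1/s") to the
# spelled-out form ("1/second"), the translation the issue attributes to FW4.
# Assumption: units are matched by prefix against second/minute/hour/day.

normalize_log_limit() {
    rate=$1
    # Require "<count>/<unit>"; anything else is rejected so an unchecked
    # string is never spliced into an nft rule.
    case "$rate" in
        */*) ;;
        *) return 1 ;;
    esac
    count=${rate%%/*}
    unit=${rate#*/}
    # Count must be digits only and greater than zero.
    case "$count" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$count" -gt 0 ] || return 1
    # Unit must be lowercase letters only.
    case "$unit" in
        ''|*[!a-z]*) return 1 ;;
    esac
    # Expand a prefix ("s", "sec", "min") to the full unit name.
    for full in second minute hour day; do
        case "$full" in
            "$unit"*) printf '%s/%s\n' "$count" "$full"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample values, not taken from a real configuration.
for v in 1/s 10/min 5/x; do
    if out=$(normalize_log_limit "$v"); then
        echo "$v -> $out"
    else
        echo "$v -> rejected" >&2
    fi
done
```

A caller that gets a non-zero return can skip the log rule entirely instead of loading a chain that nft will refuse.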

Status: In Progress 🛠
