p2pblock: ipp2p must run before CONNTRACK.

And can only used for blocking, not for accept conenections bacause connections must already established for detecting protocol types.

config/firewall/rules.pl

@@ -554,29 +554,19 @@ sub time_convert_to_minutes {
 }
 
 sub p2pblock {
-	my $search_action;
-	my $target;
-
-	if ($fwdfwsettings{"POLICY"} eq "MODE1") {
-		$search_action = "on";
-		$target = "ACCEPT";
-	} else {
-		$search_action = "off";
-		$target = "DROP";
-	}
-
 	open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
 	my @protocols = ();
 	foreach my $p2pentry (<FILE>) {
 		my @p2pline = split(/\;/, $p2pentry);
-		next unless ($p2pline[2] eq $search_action);
+		next unless ($p2pline[2] eq "off");
 
 		push(@protocols, "--$p2pline[1]");
 	}
 	close(FILE);
 
 	if (@protocols) {
-		run("$IPTABLES -A FORWARDFW -m ipp2p @protocols -j $target");
+		run("$IPTABLES -F P2PBLOCK");
+		run("$IPTABLES -A P2PBLOCK -m ipp2p @protocols -j DROP");
 	}
 }
 

src/initscripts/init.d/firewall

@@ -104,6 +104,12 @@ iptables_init() {
 	iptables -t nat -N CUSTOMPOSTROUTING
 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+	# P2PBLOCK
+	iptables -N P2PBLOCK
+	iptables -A INPUT -j P2PBLOCK
+	iptables -A FORWARD -j P2PBLOCK
+	iptables -A OUTPUT -j P2PBLOCK
+	
 	# Guardian (IPS) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN