<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 12/11/2025 23.02, Cesar Mora wrote:<br>
</div>
<blockquote type="cite"
cite="mid:48141E04-16F8-4219-933C-B37B3FBF04B3@gmail.com">
<div>
<p data-start="1571" data-end="1584"
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">My
questions:</p>
<ol data-start="1586" data-end="2057"
style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">
<li data-start="1586" data-end="1813">
<p data-start="1589" data-end="1813">Is the \u201c:XT target
RTPENGINE not found\u201d line in the ip6<font face="Helvetica"> </font>table
expected/harmless when using the NGCP firewall + rtpengine
on mr13.2.1.3, or does it indicate a partially translated
RTPENGINE rule that should be fixed?</p>
</li>
<li data-start="1815" data-end="2057">
<p data-start="1818" data-end="2057">Are there any known
caveats or recommended adjustments for rtpengine + the
integrated firewall (especially on IPv6) when applying
minimal hardening patches like this that only touch
web/API/XMPP/admin rules, but leave SIP/RTP rules intact?</p>
</li>
</ol>
</div>
</blockquote>
<p>Hi,</p>
<p>This is indeed known and expected, and sadly not trivial to fix
due to the lack of plugin support in nftables.</p>
<p>The XT_RTPENGINE rule (and its related jump rule/table) is
managed by rtpengine directly and can (and should) be ignored by
any firewall scripts you may have.</p>
<p>Depending on your needs, you may have to adjust where this rule
is created and where the jump rule is created (or not to create it
at all). See the relevant `rtpengine.nftables_*` config options.
The defaults should be fine for most users, but if you require
more control, you can choose to create the jump rule and the jump
table yourself from a firewall script, and have rtpengine only
manage the XT_RTPENGINE rule itself. But for a regular user of
just the built-in firewall scripts this shouldn't be needed.</p>
<p>Best regards,<br>
Richard</p>
</body>
</html>