[Spce-user] "XT target RTPENGINE not found" with NGCP mr13.2.1.3 and built-in firewall
Cesar Mora
cesarluis89 at gmail.com
Wed Nov 12 22:02:54 EST 2025
Hi,
I’m running a single-node NGCP system on mr13.2.1.3 with both IPv4 and IPv6 enabled (A and AAAA records), using the ngcp built-in firewall integration.
I’m applying patchtt templates to rules.v4.tt2 and rules.v6.tt2 to:
- Close Admin Portal / Customer Portal / LDAP, and XMPP.
- SIP and RTP remain open
- SSH remains restricted to IPs listed on the corresponding config.yml variable.
- ICMP and all else remains as-is.
SIP/RTP over IPv4 and IPv6 works and rtpengine seems fine (daemon is running, xt_RTPENGINE is loaded, SDP shows a=oldmediaip: and the rtpengine chains’ counters increase).
However, when I dump the rules via iptables/nft, I see this on IPv6:
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ip6 nexthdr udp jump rtpengine
        iifname "lo" accept
        ct state related,established accept
        meta l4proto ipv6-icmp accept
        ...
        iifname "eth0" udp dport 5060 accept
        iifname "eth0" tcp dport 5060 accept
        iifname "eth0" tcp dport 5061 accept
:XT target RTPENGINE not found
        iifname "eth0" udp dport 30000-44999 accept
        ...
    }
    chain rtpengine {
        counter packets X bytes Y
    }
}
And running iptables-save fails with:
Error: target extension not found
iptables-save (nf_tables): Parsing nftables rule failed
Perhaps iptables-save or your kernel needs to be upgraded.
My questions:
Is the “:XT target RTPENGINE not found” line in the ip6 table expected/harmless when using the NGCP firewall + rtpengine on mr13.2.1.3, or does it indicate a partially translated RTPENGINE rule that should be fixed?
Are there any known caveats or recommended adjustments for rtpengine + the integrated firewall (especially on IPv6) when applying minimal hardening patches like this that only touch web/API/XMPP/admin rules, but leave SIP/RTP rules intact?
If needed I can provide the rules.v4.patchtt.tt2 / rules.v6.patchtt.tt2 diffs, but I wanted to check first if this behavior is already known or expected.
Thanks,
Cesar
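
An added example, not part of the original post and not NGCP's own tooling: a small Python audit over a saved nft rules dump that checks the hardening goals listed in the post (drop policy, only SIP/RTP ports accepted) and records the table and chain in which each "XT target ... not found" line appears. The sample dump is constructed from a shortened copy of the excerpt above; the allow-list and the function names are assumptions.

```python
import re
# Constructed sample: shortened ip6 excerpt from the post, without its elided ("...") lines.
SAMPLE = """\
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ip6 nexthdr udp jump rtpengine
        iifname "eth0" udp dport 5060 accept
        iifname "eth0" tcp dport 5060 accept
        iifname "eth0" tcp dport 5061 accept
:XT target RTPENGINE not found
        iifname "eth0" udp dport 30000-44999 accept
    }
    chain rtpengine {
        counter packets X bytes Y
    }
}
"""
# Assumption: allow-list built only from the SIP/RTP ports visible in the excerpt.
ALLOWED = {("udp", "5060"), ("tcp", "5060"), ("tcp", "5061"), ("udp", "30000-44999")}
TABLE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN = re.compile(r"^chain\s+(\S+)\s*\{")
POLICY = re.compile(r"\bpolicy\s+(\w+);")
ACCEPT = re.compile(r"\b(tcp|udp)\s+dport\s+([\d-]+)\s+accept\b")
XT_MISSING = re.compile(r"XT target (\S+) not found")

def audit(dump):
    """Collect chain policies, accepted ports and unresolved xt targets with their table/chain."""
    report = {"policies": {}, "open": set(), "unresolved": []}
    table = chain = None
    for line in map(str.strip, dump.splitlines()):
        if m := TABLE.match(line):
            table, chain = f"{m[1]} {m[2]}", None
        elif m := CHAIN.match(line):
            chain = m[1]
        elif line == "}":  # closes the current chain first, then the table
            table, chain = (table, None) if chain else (None, None)
        elif m := XT_MISSING.search(line):
            report["unresolved"].append((table, chain, m[1]))
        elif m := POLICY.search(line):
            report["policies"][(table, chain)] = m[1]
        elif m := ACCEPT.search(line):
            report["open"].add((table, chain, m[1], m[2]))
    return report

def unexpected_ports(report, allowed=ALLOWED):
    """Accepted (table, chain, proto, port) entries that are not on the allow-list."""
    return sorted(e for e in report["open"] if e[2:] not in allowed)

if __name__ == "__main__":
    print(audit(SAMPLE)["unresolved"], unexpected_ports(audit(SAMPLE)))
```

Run against a full dump, the allow-list would also need the SSH rule that the excerpt elides; otherwise that rule is reported as unexpected.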