[Spce-user] [EXTERNAL] "XT target RTPENGINE not found" with NGCP mr13.2.1.3 and built-in firewall
Richard Fuchs
rfuchs at sipwise.com
Thu Nov 13 06:40:28 EST 2025
On 12/11/2025 23.02, Cesar Mora wrote:
>
> My questions:
>
> 1. Is the “:XT target RTPENGINE not found” line in the ip6table
>    expected/harmless when using the NGCP firewall + rtpengine on
>    mr13.2.1.3, or does it indicate a partially translated RTPENGINE
>    rule that should be fixed?
>
> 2. Are there any known caveats or recommended adjustments for
>    rtpengine + the integrated firewall (especially on IPv6) when
>    applying minimal hardening patches like this that only touch
>    web/API/XMPP/admin rules, but leave SIP/RTP rules intact?
>
Hi,

This is indeed known and expected, and sadly not trivial to fix due to
the lack of plugin support in nftables.

The XT_RTPENGINE rule (and its related jump rule/table) is managed by
rtpengine directly and can (and should) be ignored by any firewall
scripts you may have.

Depending on your needs, you may have to adjust where this rule is
created and where the jump rule is created (or not to create it at all).
See the relevant `rtpengine.nftables_*` config options. The defaults
should be fine for most users, but if you require more control, you can
choose to create the jump rule and the jump table yourself from a
firewall script, and have rtpengine only manage the XT_RTPENGINE rule
itself. But for a regular user of just the built-in firewall scripts
this shouldn't be needed.

Best regards,
Richard