Now works with firewalld - creates a permanent chain called INPUT_prefilter

which is before the conntrack stuff in the INPUT tables. We then create
our temporary rtpengine chain from that.
Also brought in some of the IPv6 stuff from the standard Centos init script

el/rtpengine.init

@@ -36,6 +36,7 @@ RETVAL=0
 
 OPTS="--pidfile $pidfile"
 MODULE=0
+IP6=0
 
 build_opts() {
 	shopt -s nocasematch
@@ -55,13 +56,26 @@ build_opts() {
 	fi
 	shopt -u nocasematch
 
-        if [[ -n "$RTP_IP" ]]
+	if [[ -n "$RTP_IP" ]]
-        then
+	then
-                for IP in "${RTP_IP[@]}"
+		OPTS+=" --interface=$RTP_IP"
-                do
+	fi
-                        OPTS+=" --interface=$IP"
+
-                done
+	if [[ -n "$RTP_ADV_IP" ]]
-        fi
+	then
+		OPTS+="!$RTP_ADV_IP"
+	fi
+
+	if [[ -n "$RTP_IP6" ]]
+	then
+		OPTS+=" --interface=$RTP_IP6"
+		IP6=1
+	fi
+
+	if [[ -n "$RTP_ADV_IP6" ]]
+	then
+		OPTS+="!$RTP_ADV_IP6"
+	fi
 
 	if [[ -n "$LISTEN_TCP" ]]
 	then
@@ -179,15 +193,43 @@ start() {
 	if [[ $MODULE == 1 ]]
 	then
 		echo "Loading module for in-kernel packet forwarding"
-		rmmod xt_MEDIAPROXY 2> /dev/null
+		rmmod xt_RTPENGINE 2> /dev/null
 		modprobe xt_RTPENGINE
-		iptables -N rtpengine
+		temp=`firewall-cmd --state 2>/dev/null`
-		iptables -t filter -A INPUT -j rtpengine
+		if [[ $? == 0 ]]
-		iptables -I rtpengine -p udp -j RTPENGINE --id $TABLE
+		then
-		ip6tables -I rtpengine -p udp -j RTPENGINE --id $TABLE
+			# Using firewalld
+			# Need to check if the INPUT_prefilter chain is present (permanently)
+			firewall-cmd --permanent --direct --query-chain ipv4 filter INPUT_prefilter > /dev/null
+			if [[ $? != 0 ]]
+			then
+				firewall-cmd --permanent --direct --add-chain ipv4 filter INPUT_prefilter
+				firewall-cmd --permanent --direct --passthrough ipv4 -t filter -I INPUT -j INPUT_prefilter
+				firewall-cmd --reload
+			fi
+				
+			firewall-cmd --direct --add-chain ipv4 filter rtpengine
+			firewall-cmd --direct --add-rule ipv4 filter INPUT_prefilter 0 -j rtpengine
+			firewall-cmd --direct --add-rule ipv4 filter rtpengine 0 -p udp -j RTPENGINE --id $TABLE
+			if [[ $IP6 == 1 ]]
+			then
+				firewall-cmd --direct --add-rule ipv6 filter rtpengine 0 -p udp -j RTPENGINE --id $TABLE
+  			fi
+			firewall-cmd --reload
+		else
+			iptables -N rtpengine
+			# We insert the rtpengine rule at the top of the input chain
+			iptables -t filter -I INPUT_prefilter -j rtpengine
+			iptables -I rtpengine -p udp -j RTPENGINE --id $TABLE
+			if [[ $IP6 == 1 ]]
+			then
+    				ip6tables -I rtpengine -p udp -j RTPENGINE --id $TABLE
+			fi
+  		fi
 
 		cat <<EOF > "$cachefile"
 CUR_TABLE=$TABLE
+CUR_IP6=$IP6
 EOF
 	fi
         echo -n $"Starting $prog: "
@@ -208,11 +250,27 @@ stop() {
 		. "$cachefile"
 		echo "Unloading module for in-kernel packet forwarding"
 		echo "del $TABLE" > /proc/rtpengine/control
-		iptables -D rtpengine -p udp -j RTPENGINE --id $CUR_TABLE
+		temp=`firewall-cmd --state 2>/dev/null`
-		ip6tables -D rtpengine -p udp -j RTPENGINE --id $CUR_TABLE
+		if [[ $? == 0 ]]
-		iptables -t filter -D INPUT -j rtpengine
+		then
-		iptables -X rtpengine
+			firewall-cmd --direct --remove-rules ipv4 filter rtpengine
-#		rmmod xt_RTPENGINE
+			if [[ $CUR_IP6 == 1 ]]
+			then
+				firewall-cmd --direct --remove-rules ipv6 filter rtpengine
+  			fi
+			firewall-cmd --direct --remove-rule ipv4 filter INPUT_prefilter 0 -j rtpengine
+			firewall-cmd --direct --remove-chain ipv4 filter rtpengine
+			firewall-cmd --reload
+		else
+			iptables -D rtpengine -p udp -j RTPENGINE --id $CUR_TABLE
+			if [[ $CUR_IP6 == 1 ]]
+			then
+    				ip6tables -D rtpengine -p udp -j RTPENGINE --id $CUR_TABLE
+  			fi
+			iptables -t filter -D INPUT -j rtpengine
+			iptables -X rtpengine
+		fi
+		rmmod xt_RTPENGINE
 		rm -f $cachefile	
 	fi