All,
I thought on some security matters of AMPRNet; and one that could not be mitigated easily
was:
* even if you firewall IPENCAP, how to block others except AMPRGW from sending routes to
port 520/udp
Someone mentioned previously they saw a MAC that was a hash that contained the outer SRC
IP; but after years, I cannot find an OS Kernel that produces it.
I believe I have a solution; it requires some hexadecimal calculations (see:
http://www.stearns.org/doc/iptables-u32.current.html). Using the u32 iptables module for
those who can (and a compatible module on other systems), we merely need to find the
bit/byte positions in the packet:
Outer Header:
* the IP of AMPRGW (0xa9e42254)
* Protocol type IPENCAP (IP Protocol No. 4) (0x04)
Inner Header (add 20 bytes to the offset of the first header):
* SRC IP 44.0.0.1 (0x2c000001)
* Protocol UDP (0x06)
* UDP - port 520 (0x0208)
I believe this should read as an iptables rule like:
iptables <foo> -m u32 --u32 "12&0xFFFFFFFF=0xA9E42254 &&
6&0xFF=0x04 && 32&0xFFFFFFFF=0x2c000001 && 26&0xFF=0x11
&& 40&0xFFFF=0x0208" -j ACCEPT
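A way to check the positions above without touching a live firewall, as an added Python example (not from the original post): it builds a constructed IPENCAP packet (outer IPv4, inner IPv4 from 44.0.0.1, UDP header to port 520), evaluates the u32 tests the way the kernel module does (load 4 bytes at the offset, AND with the mask, compare), and renders the same tests as an --u32 expression. It uses 0x11 for UDP (0x06 is TCP) and offset 40 for the inner UDP destination port (20-byte outer header + 20-byte inner header, port in bytes 42-43 of the word loaded at 40). The outer/inner destination addresses and the 198.51.100.7 sender are constructed placeholders; iptables_rules() only returns strings and runs nothing.

```python
# Added example (not from the original post): builds a constructed IPENCAP
# packet carrying a RIP datagram and evaluates the u32 tests against it, so
# the offsets can be checked offline.
import ipaddress
import struct

AMPRGW_IP = "169.228.34.84"      # 0xa9e42254, the AMPRGW address from the post
INNER_SRC_IP = "44.0.0.1"        # 0x2c000001
IPPROTO_IPENCAP = 4
IPPROTO_UDP = 17                 # 0x11; 0x06 would be TCP
IPPROTO_TCP = 6
RIP_PORT = 520                   # 0x0208

# (offset, mask, value) triples.  iptables u32 loads the 4 bytes at <offset>
# (big-endian, relative to the start of the IP header), ANDs with <mask> and
# compares with <value>.  A load that runs past the end of the packet fails.
U32_TESTS = [
    (12, 0xFFFFFFFF, 0xA9E42254),  # outer src IP (bytes 12-15) == AMPRGW
    (6,  0x000000FF, 0x04),        # outer protocol: byte 9 of the word 6-9 == IPENCAP
    (32, 0xFFFFFFFF, 0x2C000001),  # inner src IP: 20 + 12
    (26, 0x000000FF, 0x11),        # inner protocol: byte 29 = 20 + 9 == UDP
    (40, 0x0000FFFF, 0x0208),      # inner UDP dst port: bytes 42-43 = 20 + 20 + 2
]


def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: IHL=5 (no options), checksum left at zero."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )


def rip_in_ipencap(outer_src, inner_src, inner_proto=IPPROTO_UDP, dport=RIP_PORT):
    """Constructed sample packet: outer IPv4 (proto 4) -> inner IPv4 -> 8-byte UDP header.
    The destination addresses are constructed placeholders."""
    udp = struct.pack("!HHHH", RIP_PORT, dport, 8, 0)          # sport, dport, len, csum
    inner = ip_header(inner_src, "44.1.2.3", inner_proto, len(udp)) + udp
    outer = ip_header(outer_src, "203.0.113.10", IPPROTO_IPENCAP, len(inner))
    return outer + inner


def u32_match(pkt, tests=U32_TESTS):
    """Evaluate the u32 tests the way the kernel module would."""
    for offset, mask, value in tests:
        if offset + 4 > len(pkt):
            return False
        word = struct.unpack_from("!I", pkt, offset)[0]
        if word & mask != value:
            return False
    return True


def u32_expr(tests=U32_TESTS):
    """Render the tests as an --u32 expression, zero-padding values to the mask width."""
    parts = []
    for offset, mask, value in tests:
        width = len(f"{mask:X}")
        parts.append(f"{offset}&0x{mask:X}=0x{value:0{width}X}")
    return " && ".join(parts)


def iptables_rules(chain="INPUT"):
    """Accept RIP-in-IPENCAP from AMPRGW, then drop any other IPENCAP-carried 520/udp.
    Order matters: the ACCEPT must come before the catch-all DROP."""
    catch_all = [t for t in U32_TESTS if t[0] in (6, 26, 40)]   # proto/UDP/port only
    return [
        f'iptables -A {chain} -p 4 -m u32 --u32 "{u32_expr()}" -j ACCEPT',
        f'iptables -A {chain} -p 4 -m u32 --u32 "{u32_expr(catch_all)}" -j DROP',
    ]


if __name__ == "__main__":
    good = rip_in_ipencap(AMPRGW_IP, INNER_SRC_IP)
    print("from AMPRGW:", u32_match(good))
    print("other outer src:", u32_match(rip_in_ipencap("198.51.100.7", INNER_SRC_IP)))
    for rule in iptables_rules():
        print(rule)
```

The fixed offsets (and the rule in the post) assume neither the outer nor the inner header carries IP options, i.e. IHL = 5 in both; the u32 documentation linked above describes the `@` operator (for example the `0>>22&0x3C@` prefix) for stepping past a variable-length header when that cannot be assumed. The two rules are only useful in that order: the ACCEPT for AMPRGW has to precede the DROP that catches every other IPENCAP-carried datagram to 520/udp.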
My question: has anyone already calculated these positions and values or tested before?
I didn't want to have to "reinvent the wheel"...but you can just check my
math now before attempting to implement.
73,
Lynwood
KB3VWG
Member W3PGC/K3ERA - APRS Coordinator / Co-SkyWarn Coordinator