I think it depends on you to make the kernel knows which is blackhole address type.
From xt_addrtype.h file in iptables source code, you can see:
/* rtn_type enum values from rtnetlink.h, but shifted */
enum {
XT_ADDRTYPE_UNSPEC = 1 << 0,
XT_ADDRTYPE_UNICAST = 1 << 1, /* 1 << RTN_UNICAST */
XT_ADDRTYPE_LOCAL = 1 << 2, /* 1 << RTN_LOCAL, etc */
XT_ADDRTYPE_BROADCAST = 1 << 3,
XT_ADDRTYPE_ANYCAST = 1 << 4,
XT_ADDRTYPE_MULTICAST = 1 << 5,
XT_ADDRTYPE_BLACKHOLE = 1 << 6,
XT_ADDRTYPE_UNREACHABLE = 1 << 7,
XT_ADDRTYPE_PROHIBIT = 1 << 8,
XT_ADDRTYPE_THROW = 1 << 9,
XT_ADDRTYPE_NAT = 1 << 10,
XT_ADDRTYPE_XRESOLVE = 1 << 11,
};
And in rtnetlink.h, you will see the same definition:
enum {
RTN_UNSPEC,
RTN_UNICAST, /* Gateway or direct route */
RTN_LOCAL, /* Accept locally */
RTN_BROADCAST, /* Accept locally as broadcast,
send as broadcast */
RTN_ANYCAST, /* Accept locally as broadcast,
but send as unicast */
RTN_MULTICAST, /* Multicast route */
RTN_BLACKHOLE, /* Drop */
RTN_UNREACHABLE, /* Destination is unreachable */
RTN_PROHIBIT, /* Administratively prohibited */
RTN_THROW, /* Not in this table */
RTN_NAT, /* Translate this address */
RTN_XRESOLVE, /* Use external resolver */
__RTN_MAX
};
You can see iptables use the same definition of address type with kernel tcp networking stack.
Then from man ip:
Route types:
unicast - the route entry describes real paths to the destinations covered by the route prefix.
unreachable - these destinations are unreachable. Packets are discarded and the ICMP message host unreachable is generated.
The local senders get an EHOSTUNREACH error.
blackhole - these destinations are unreachable. Packets are discarded silently. The local senders get an EINVAL error.
prohibit - these destinations are unreachable. Packets are discarded and the ICMP message communication administratively
prohibited is generated. The local senders get an EACCES error.
local - the destinations are assigned to this host. The packets are looped back and delivered locally.
broadcast - the destinations are broadcast addresses. The packets are sent as link broadcasts.
throw - a special control route used together with policy rules. If such a route is selected, lookup in this table is termiā
nated pretending that no route was found. Without policy routing it is equivalent to the absence of the route in the routing
table. The packets are dropped and the ICMP message net unreachable is generated. The local senders get an ENETUNREACH
error.
nat - a special NAT route. Destinations covered by the prefix are considered to be dummy (or external) addresses which
require translation to real (or internal) ones before forwarding. The addresses to translate to are selected with the
attribute Warning: Route NAT is no longer supported in Linux 2.6.
via.
anycast - not implemented the destinations are anycast addresses assigned to this host. They are mainly equivalent to local
with one difference: such addresses are invalid when used as the source address of any packet.
multicast - a special type used for multicast routing. It is not present in normal routing tables.
So when you define a route to a network by ip command and mark it as a blackhole route, the kernel now make this network address blackhole type:
ip route add blackhole X.X.X.X/24
/proc/net/dev contains statistics about network interfaces, while /proc/<pid>/net/dev contains statistics about network interfaces from the process' point of view.
I suppose that if a process runs on a network namespace (see man ip-netns) where it has access only to a limited set of interfaces, only these will show up in /proc/<pid>/net/dev.
Best Answer
Based on the C structure (net/ipv4/netfilter/ipt_hashlimit.c) and assorted comments :
It seems fields 3 to 5 have this meaning :
If credit gets to 0 then the hash entry has gone over limit.
For instance :
would have a credit of 6400 out of possible 6400, with each match costing 1280. This means basically that this entry has replenished its full credit and is well behaved.