Diffstat (limited to 'pkg/sentry/socket')
-rw-r--r--pkg/sentry/socket/netfilter/extensions.go4
-rw-r--r--pkg/sentry/socket/netfilter/netfilter.go9
-rw-r--r--pkg/sentry/socket/netfilter/tcp_matcher.go2
3 files changed, 8 insertions, 7 deletions
diff --git a/pkg/sentry/socket/netfilter/extensions.go b/pkg/sentry/socket/netfilter/extensions.go
index 3082976cd..22fd0ebe7 100644
--- a/pkg/sentry/socket/netfilter/extensions.go
+++ b/pkg/sentry/socket/netfilter/extensions.go
@@ -45,6 +45,8 @@ type matchMaker interface {
unmarshal(buf []byte, filter iptables.IPHeaderFilter) (iptables.Matcher, error)
}
+// matchMakers maps the name of supported matchers to the matchMaker that
+// marshals and unmarshals it. It is immutable after package initialization.
var matchMakers = map[string]matchMaker{}
// registermatchMaker should be called by match extensions to register them
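Review bot: The new comment on matchMakers states it is immutable after package initialization, but nothing on the new side says what upholds that, and the map is only safe to read without a lock in marshalMatcher if every write really happens in init; I would make the invariant explicit, e.g. `// matchMakers maps the name of supported matchers to the matchMaker that marshals and unmarshals it. It is written only by registerMatchMaker during package init and must not be modified afterwards, so reads need no synchronization.` The neighbouring context comment also spells the function `registermatchMaker` while the declaration is `registerMatchMaker`; since this commit already touches the comment block, fixing that typo would fit here.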
@@ -59,7 +61,7 @@ func registerMatchMaker(mm matchMaker) {
func marshalMatcher(matcher iptables.Matcher) []byte {
matchMaker, ok := matchMakers[matcher.Name()]
if !ok {
- panic(fmt.Errorf("Unknown matcher of type %T.", matcher))
+ panic(fmt.Sprintf("Unknown matcher of type %T.", matcher))
}
return matchMaker.marshal(matcher)
}
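Review bot: The panic text keeps the capitalized, period-terminated form that this same commit strips from the error strings in netfilter.go, which leaves the package with two message styles; `panic(fmt.Sprintf("unknown matcher of type %T", matcher))` would match. Switching from fmt.Errorf to fmt.Sprintf is the right call for a panic value, but the reason a panic rather than a returned error is acceptable here is not stated: if matchers only reach a table through this package's own unmarshal path, an unregistered one is an internal invariant violation, and a one-line comment saying so (`// Matchers only enter tables via this package, so an unknown name is a bug, not bad input.`) would stop a later reader from "fixing" it into an error return. That inference about how matchers enter tables is from the surrounding names only and should be confirmed.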
diff --git a/pkg/sentry/socket/netfilter/netfilter.go b/pkg/sentry/socket/netfilter/netfilter.go
index ea43a0ce3..ea02627de 100644
--- a/pkg/sentry/socket/netfilter/netfilter.go
+++ b/pkg/sentry/socket/netfilter/netfilter.go
@@ -149,7 +149,6 @@ func FillDefaultIPTables(stack *stack.Stack) {
stack.SetIPTables(ipt)
}
-// TODO: Return proto.
// convertNetstackToBinary converts the iptables as stored in netstack to the
// format expected by the iptables tool. Linux stores each table as a binary
// blob that can only be traversed by parsing a bit, reading some offsets,
@@ -161,7 +160,7 @@ func convertNetstackToBinary(tablename string, table iptables.Table) (linux.Kern
// The table name has to fit in the struct.
if linux.XT_TABLE_MAXNAMELEN < len(tablename) {
- return linux.KernelIPTGetEntries{}, metadata{}, fmt.Errorf("Table name %q too long.", tablename)
+ return linux.KernelIPTGetEntries{}, metadata{}, fmt.Errorf("table name %q too long.", tablename)
}
copy(entries.Name[:], tablename)
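Review bot: The lowercased message on the new line still ends with a period (`"table name %q too long."`), whereas the verdict error in the next hunk of this file drops it; Go error strings conventionally have no trailing punctuation because they get chained with ": ". The same leftover period is in both new error lines of the parseTarget hunk (`"unknown error target %q doesn't exist or isn't supported yet."` and `"unknown target %q doesn't exist or isn't supported yet."`). I would finish the cleanup in all three: `fmt.Errorf("table name %q too long", tablename)` here, and drop the final period in the two parseTarget messages. convertNetstackToBinary's body starts and ends outside this hunk.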
@@ -302,7 +301,7 @@ func translateToStandardVerdict(val int32) (iptables.Verdict, error) {
case linux.NF_RETURN:
return iptables.Invalid, errors.New("unsupported iptables verdict RETURN")
default:
- return iptables.Invalid, fmt.Errorf("unknown iptables verdict %d.", val)
+ return iptables.Invalid, fmt.Errorf("unknown iptables verdict %d", val)
}
}
@@ -553,12 +552,12 @@ func parseTarget(optVal []byte) (iptables.Target, error) {
case errorTargetName:
return iptables.ErrorTarget{}, nil
default:
- return nil, fmt.Errorf("Unknown error target %q doesn't exist or isn't supported yet.", errorTarget.Name.String())
+ return nil, fmt.Errorf("unknown error target %q doesn't exist or isn't supported yet.", errorTarget.Name.String())
}
}
// Unknown target.
- return nil, fmt.Errorf("Unknown target %q doesn't exist or isn't supported yet.", target.Name.String())
+ return nil, fmt.Errorf("unknown target %q doesn't exist or isn't supported yet.", target.Name.String())
}
func filterFromIPTIP(iptip linux.IPTIP) (iptables.IPHeaderFilter, error) {
diff --git a/pkg/sentry/socket/netfilter/tcp_matcher.go b/pkg/sentry/socket/netfilter/tcp_matcher.go
index 6b2f4c31a..f9945e214 100644
--- a/pkg/sentry/socket/netfilter/tcp_matcher.go
+++ b/pkg/sentry/socket/netfilter/tcp_matcher.go
@@ -48,7 +48,7 @@ func (tcpMarshaler) marshal(mr iptables.Matcher) []byte {
DestinationPortStart: matcher.destinationPortStart,
DestinationPortEnd: matcher.destinationPortEnd,
}
- buf := make([]byte, 0, linux.SizeOfXTUDP)
+ buf := make([]byte, 0, linux.SizeOfXTTCP)
return marshalEntryMatch(matcherNameTCP, binary.Marshal(buf, usermem.ByteOrder, xttcp))
}
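Review bot: The corrected constant is only the capacity passed to make, so if binary.Marshal appends to buf the earlier SizeOfXTUDP value would not have changed the bytes produced, just caused a possible reallocation; nothing in the hunk pins the marshalled length, which is what actually matters when the blob is handed back to userspace. A small test asserting `len(tcpMarshaler{}.marshal(m)) == linux.SizeOfXTTCP` (or the equivalent through marshalEntryMatch) would catch this class of copy-paste mistake, and the UDP counterpart presumably has the mirror-image line worth checking. The start of marshal, including the xttcp literal, is outside the hunk.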