1 files changed, 12 insertions, 15 deletions

diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 3cff879a2..921546984 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -19,18 +19,17 @@ package iptables
 import (
 	"fmt"
 
-	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 )
 
+// Table names.
 const (
 	TablenameNat    = "nat"
 	TablenameMangle = "mangle"
 	TablenameFilter = "filter"
 )
 
-// TODO: Make this an iota? Faster! Do it.
 // Chain names as defined by net/ipv4/netfilter/ip_tables.c.
 const (
 	ChainNamePrerouting  = "PREROUTING"
@@ -40,11 +39,15 @@ const (
 	ChainNamePostrouting = "POSTROUTING"
 )
 
+// HookUnset indicates that there is no hook set for an entrypoint or
+// underflow.
 const HookUnset = -1
 
 // DefaultTables returns a default set of tables. Each chain is set to accept
 // all packets.
 func DefaultTables() IPTables {
+	// TODO(gvisor.dev/issue/170): We may be able to swap out some strings for
+	// iotas.
 	return IPTables{
 		Tables: map[string]Table{
 			TablenameNat: Table{
@@ -113,6 +116,8 @@ func DefaultTables() IPTables {
 	}
 }
 
+// EmptyFilterTable returns a Table with no rules and the filter table chains
+// mapped to HookUnset.
 func EmptyFilterTable() Table {
 	return Table{
 		Rules: []Rule{},
@@ -137,18 +142,15 @@ func (it *IPTables) Check(hook Hook, pkt tcpip.PacketBuffer) bool {
 	// TODO(gvisor.dev/issue/170): A lot of this is uncomplicated because
 	// we're missing features. Jumps, the call stack, etc. aren't checked
 	// for yet because we're yet to support them.
-	log.Infof("kevin: iptables.IPTables: checking hook %v", hook)
 
 	// Go through each table containing the hook.
 	for _, tablename := range it.Priorities[hook] {
-		verdict := it.checkTable(hook, pkt, tablename)
-		switch verdict {
+		switch verdict := it.checkTable(hook, pkt, tablename); verdict {
 		// If the table returns Accept, move on to the next table.
 		case Accept:
 			continue
 		// The Drop verdict is final.
 		case Drop:
-			log.Infof("kevin: Packet dropped")
 			return false
 		case Stolen, Queue, Repeat, None, Jump, Return, Continue:
 			panic(fmt.Sprintf("Unimplemented verdict %v.", verdict))
@@ -156,21 +158,16 @@ func (it *IPTables) Check(hook Hook, pkt tcpip.PacketBuffer) bool {
 	}
 
 	// Every table returned Accept.
-	log.Infof("kevin: Packet accepted")
 	return true
 }
 
 func (it *IPTables) checkTable(hook Hook, pkt tcpip.PacketBuffer, tablename string) Verdict {
-	log.Infof("kevin: iptables.IPTables: checking table %q", tablename)
+	// Start from ruleIdx and walk the list of rules until a rule gives us
+	// a verdict.
 	table := it.Tables[tablename]
-	log.Infof("kevin: iptables.IPTables: table %+v", table)
-
-	// Start from ruleIdx and go down until a rule gives us a verdict.
 	for ruleIdx := table.BuiltinChains[hook]; ruleIdx < len(table.Rules); ruleIdx++ {
-		verdict := it.checkRule(hook, pkt, table, ruleIdx)
-		switch verdict {
-		// For either of these cases, this table is done with the
-		// packet.
+		switch verdict := it.checkRule(hook, pkt, table, ruleIdx); verdict {
+		// In either of these cases, this table is done with the packet.
 		case Accept, Drop:
 			return verdict
 		// Continue traversing the rules of the table.