2 files changed, 8 insertions, 2 deletions

diff --git a/pkg/tcpip/iptables/iptables.go b/pkg/tcpip/iptables/iptables.go
index 8a72feb77..83d807a4d 100644
--- a/pkg/tcpip/iptables/iptables.go
+++ b/pkg/tcpip/iptables/iptables.go
@@ -22,13 +22,13 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip"
 )
 
+// Table names.
 const (
 	TablenameNat    = "nat"
 	TablenameMangle = "mangle"
 	TablenameFilter = "filter"
 )
 
-// TODO: Make this an iota? Faster! Do it.
 // Chain names as defined by net/ipv4/netfilter/ip_tables.c.
 const (
 	ChainNamePrerouting  = "PREROUTING"
@@ -38,11 +38,15 @@ const (
 	ChainNamePostrouting = "POSTROUTING"
 )
 
+// HookUnset indicates that there is no hook set for an entrypoint or
+// underflow.
 const HookUnset = -1
 
 // DefaultTables returns a default set of tables. Each chain is set to accept
 // all packets.
 func DefaultTables() IPTables {
+	// TODO(gvisor.dev/issue/170): We may be able to swap out some strings for
+	// iotas.
 	return IPTables{
 		Tables: map[string]Table{
 			TablenameNat: Table{
@@ -111,6 +115,8 @@ func DefaultTables() IPTables {
 	}
 }
 
+// EmptyFilterTable returns a Table with no rules and the filter table chains
+// mapped to HookUnset.
 func EmptyFilterTable() Table {
 	return Table{
 		Rules: []Rule{},
diff --git a/pkg/tcpip/iptables/targets.go b/pkg/tcpip/iptables/targets.go
index 8180dcefd..4dd281371 100644
--- a/pkg/tcpip/iptables/targets.go
+++ b/pkg/tcpip/iptables/targets.go
@@ -41,7 +41,7 @@ func (UnconditionalDropTarget) Action(packet tcpip.PacketBuffer) (Verdict, strin
 // should be unreachable.
 type ErrorTarget struct{}
 
-// Actions implements Target.Action.
+// Action implements Target.Action.
 func (ErrorTarget) Action(packet tcpip.PacketBuffer) (Verdict, string) {
 	log.Warningf("ErrorTarget triggered.")
 	return Drop, ""