From: Daniel P. Berrangé <berrange@redhat.com> The result looks like $ nft list ruleset ...snip... table ip6 libvirt_network { comment "Managed by libvirt for virtual networks: https://libvirt.org/firewall.html#the-virtual-network-driver" chain forward { ...snip... This should reduce the number of people wondering why these rules exists. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- src/network/network_nftables.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index cffe8072f5..cd46ff8d83 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -61,6 +61,10 @@ VIR_LOG_INIT("network.nftables"); #define VIR_NFTABLES_PRIVATE_TABLE "libvirt_network" +#define VIR_NFTABLES_COMMENT \ + "{ comment \"Managed by libvirt for virtual networks: " \ + "https://libvirt.org/firewall.html#the-virtual-network-driver\"; }" + /* nftables backend uses the same binary (nft) for all layers, but * IPv4 and IPv6 have their rules in separate classes of tables, * either "ip" or "ip6". (there is also an "inet" class of tables that @@ -165,7 +169,9 @@ nftablesPrivateChainCreate(virFirewall *fw, if (!tableMatch) { virFirewallAddCmd(fw, layer, "add", "table", - layerStr, VIR_NFTABLES_PRIVATE_TABLE, NULL); + layerStr, VIR_NFTABLES_PRIVATE_TABLE, + VIR_NFTABLES_COMMENT, + NULL); } for (i = 0; i < data->nchains; i++) { -- 2.53.0
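Review bot: In the first hunk (the new VIR_NFTABLES_COMMENT define), the macro is a pre-quoted nft block literal (`{ comment "..."; }`) that is handed to nft as one argv token, while its neighbour VIR_NFTABLES_PRIVATE_TABLE is a bare identifier; a one-line comment above the define saying that this is a complete nft comment clause (with the braces and the trailing `;`) and that it must stay a single argument would save the next reader from "fixing" the quoting. It is also worth noting there that the URL fragment `#the-virtual-network-driver` is now baked into shipped rulesets, so renaming that anchor on the website would silently break the link people find in `nft list ruleset`.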
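Review bot: In the second hunk, the comment is only passed on the `add table` command inside `if (!tableMatch)`, so it is attached only when libvirt creates the libvirt_network table itself; hosts that already have the table from an earlier libvirt (no comment) will keep showing it uncommented until the table is removed and recreated. That is probably acceptable, but the commit message should say so, or the code should apply the comment on the existing-table path too if nft supports that, since the stated goal is that everyone inspecting the ruleset sees where the rules come from.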