diff --git a/roles/common/templates/nftables.conf.j2 b/roles/common/templates/nftables.conf.j2
index 90e263d..b993d3c 100755
--- a/roles/common/templates/nftables.conf.j2
+++ b/roles/common/templates/nftables.conf.j2
@@ -37,38 +37,31 @@ table inet filter {
 chain input {
 type filter hook input priority 0;
- # Allow traffic from established and related packets.
- ct state {established, related} accept
+ ct state {established, related} accept comment "Allow traffic from established and related packets"
- # Drop invalid packets.
- ct state invalid counter drop
+ ct state invalid counter drop comment "Early drop of invalid connections"
- # Drop packets matching the spamhaus sets early.
- ip saddr @spamhaus-ipv4 counter drop
- ip6 saddr @spamhaus-ipv6 counter drop
+ ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
+ ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
- # Drop packets matching the abusech set early.
- ip saddr @abusech-ipv4 counter drop
+ ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
- # Allow loopback traffic.
- iifname lo accept
+ iifname lo accept comment "Allow from loopback"
- # Allow all ICMP and IGMP traffic, but enforce a rate limit
- # to help prevent some types of flood attacks.
- ip protocol icmp limit rate 4/second accept
- ip6 nexthdr ipv6-icmp limit rate 4/second accept
- ip protocol igmp limit rate 4/second accept
+ ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
+ ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
+ ip protocol igmp limit rate 4/second accept comment "Allow IGMP"
 {# SSH rules #}
- ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
- ip6 saddr ::/0 ct state new tcp dport 22 counter accept
+ ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
+ ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
 {# Web rules #}
 {% if 'web' in group_names %}
- ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
- ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
- ip6 saddr ::/0 ct state new tcp dport 80 counter accept
- ip6 saddr ::/0 ct state new tcp dport 443 counter accept
+ ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
+ ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
+ ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
+ ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
 {% endif %}
 {# Extra rules #}
@@ -91,11 +84,10 @@ table inet filter {
 }
 chain output {
 type filter hook output priority 0;
- # Drop outgoing packets matching the spamhaus sets too
- ip daddr @spamhaus-ipv4 counter drop
- ip6 daddr @spamhaus-ipv6 counter drop
- # Drop outgoing packets matching the abusech sets too
- ip daddr @abusech-ipv4 counter drop
+ ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
+ ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
+
+ ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
 }
 }
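Review bot: The rationale for the rate limit is lost on the three ICMP/IGMP rules in the input chain: the removed two-line `#` comment said the `limit rate 4/second` exists to mitigate flood attacks, whereas the replacement inline comments read only "Allow ICMP", "Allow IPv6 ICMP" and "Allow IGMP", so anyone reading `nft list ruleset` sees a limit with no stated purpose. Since the apparent goal of the change is to carry intent into the live ruleset, keep the why in the string, e.g. `ip protocol icmp limit rate 4/second accept comment "Allow ICMP, rate limited to mitigate floods"`, and likewise for the IPv6 ICMP and IGMP rules. A smaller consistency point: the spamhaus and abusech comments name the address family (`spamhaus-ipv4`, `spamhaus-ipv6`), while the SSH, HTTP and HTTPS rules reuse identical comment text for the `ip` and `ip6` variants; naming the family there too (for instance `"Allow SSH (IPv6)"`) keeps per-family counter output distinguishable when filtered by comment. The input chain continues past the hunk into the extra-rules section, so any rules there were not reviewed here.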