We should give useful debugging information for all of the fail states. Lack of comment match support results in fwknopd closing without a lot of useful output. We should either do better than the short warning about comment match, or add a more verbose output when fwknopd closes, in order to better inform the user what went wrong.

Agreed. In the case of the comment match, I think just not using -v would have made it more clear since there is a warning message. It just got kind of lost in all of the other firewall output when -v was used.