To change the subject slightly:   
can we go for a more robust syntax?

Over time, i've gotten to really appreciate the ISC-standard config
file syntax, as used in dhcpd, dhclient, bind, ....

Using braces to delimit scope, and semicolons as terminators, really
helps config-file clarity.  At the original `little-language' spiel
from Ches at SNDSS '95 where (iirc part) the ipf language was born.

I've written rules for a couple of new firewalls recently, and I'd be
*much* happier with {}-based syntax to delimit groups, associate a
head with a named group, usw. clean scope seems so much more robust
than tagging each rule with a group number.  Especially if we start
adding sections for IPv6 (and other protocols?)

Darren? What d'you think?  Interested in BNF suggestions, or an
implementation, or what?