I have something similar in the way dfd_keeper expands variables. Basically it will expand a python variable to a macro if it contains one value (that is, if the python variable is a string or singleton list/tuple), and a list if it contains more than one (that is, if it is a list/tuple of length two or greater).
If you reference a variable that doesn't have a value, it throws and exception which inhibits feeding that rule to pfctl, so rules that refer to empty values don't get rendered. If you wish to take advantage of this, you can model your script after static_example.py --- it is not necessary to use the whole twisted run-time event loop if you just want a static config file. For the code, see the URL in my sig and look for "Dynamic Firewall Daemon". -- http://www.lightconsulting.com/~travis/ -><- "We already have enough fast, insecure systems." -- Schneier & Ferguson GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B