Just some suggestions.

1) Lists should be allowed to contain only one value, or none. Requiring braces when > 1 value and requiring no braces when < 2 values are present is a pain for automated rule generation and should be very easy to implement.

2) Sticky queue assignments. Using tags for many purposes gets clunky.

3) A neutral rule, which doesn't affect pass/block status, but allows one to assign a queue or assign a tag or what-have-you, orthogonal to pass/block filtering decisions. Can be done by placing it previous to your "default deny" and other filtering rules, but that makes the "default deny" rules and such less obvious.

4) A way to specify a network(s) directly attached to an interface, minus the IP address of the interface itself. I may want people to be able to talk to something on my DMZ, but I don't want them to talk to the IP of my firewall on that DMZ network! Can be done with tables, but is probably simple/frequent enough that a new :suffix could be added for it.

5) Rules symmetric to nat and rdr, i.e., change dst IP on outbound packets, change src IP on inbound packets.

6) A way to simulate packets hitting the filter, so that I may create a regression-test suite for my firewall rules.

-- 
"Curiosity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
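One way to get the effect of suggestion 4 with the tables pf already has, added here as an illustration and not part of the original post: a table holding the DMZ interface's network with the interface's own address negated out, used by the pass rule. The interface names are placeholders.

```pf
# Placeholder interface names; substitute the real ones.
int_if = "em0"
dmz_if = "em1"

# Every address on the DMZ segment except the firewall's own DMZ address.
# The negated host entry is more specific than the network entry, so the
# longest-prefix lookup excludes it from the table.
table <dmz_hosts> { $dmz_if:network, !$dmz_if }

# Default deny, then allow internal hosts to reach DMZ hosts only.
# Packets from the inside to the firewall's DMZ IP match no pass rule
# and fall through to the block.
block in all
pass in on $int_if from $int_if:network to <dmz_hosts>
```

Check the expansion before loading with `pfctl -nf` on the file and `pfctl -t dmz_hosts -T show` after loading, which lists the network entry and the negated host entry.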