use v5.10;
my $acl_rx = qr{
    (?&acl)   # match one of these

 # according to these "regex sub" definitions:

    (?(DEFINE)
      (?<acl>          access_list (?&interface_name) (?&action) (?&protocol) (?&source) (?&destination) (?&port) )
      (?<action>       permit | deny )
      (?<protocol>     tcp | udp | ip | object-group (?&object_group_name) )
      (?<source>       object-group (?&object_group_name) | host (?&host_address) | (?&network_address) (?&net_mask) )
      (?<destination>  object-group (?&object_group_name) | host (?&host_address) | (?&network_address) (?&net_mask) )
      (?<port>         eq (?&port_number) | range (?&low_port) (?&high_port) | )

      (?<interface_name>    (?&chunk) )
      (?<object_group_name> (?&chunk) )
      (?<host_address>      (?&chunk) )
      (?<network_address>   (?&chunk) )
      (?<net_mask>          (?&chunk) )
      (?<port_number>       (?&chunk) )
      (?<low_port>          (?&chunk) )
      (?<high_port>         (?&chunk) )

      (?<chunk>             (?&ws) \S+ (?&ws) )
      (?<ws>                       \s*        )
    )
}x;