Opinions on `iptables` Setup

In my environment, I'm responsible for deploying a number of network-centric applications that each have a number of port exceptions that I have to put into my iptables config. Early on in the game, I just hopped into /etc/sysconfig/iptables and added individual rules to the default chains (i.e. INPUT and OUTPUT). Later, I decided, "you know, this would be a lot more organized and easy to track if I put all these rules for application 'X' into their own chain and then reference that chain from the default chains." I also started to get into the habit of using the iptables comment module to make the `iptables -L` output a bit more self-documenting. Between the comments and descriptive chain names, my iptables configs became a lot easier for both myself and the people I turned the systems over to to tell what was going on in the iptables configuration.

Lately, I've started experimenting with the multiport module. It allows me to collapse a set of simple port rules into one multiport rule. The downside is, it costs me some of my "self-documenting" capability (with discrete rules, you can comment each one individually; you can't really do that with multiport rules). At any rate, I'm trying to decide what the best route going forward is. Do multiport rules have any impact on performance, particularly in large rule sets (that is, is there a performance advantage in multiport rules that might make me want to switch away from the "self-documenting" approach allowed by discrete, commented rules and/or chains)? Overall, how do others organize their rules for functionality, clarity, sanity and supportability?
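Added example, not from the original post: a small POSIX shell helper that emits an iptables-restore fragment in the layout the post describes, one chain per application referenced from INPUT, with the comment module on each discrete rule, plus the same ports collapsed into one multiport rule that can carry only a single comment. The application name "appx", the chain name APPX_IN and the port numbers are assumed for illustration.

```shell
#!/bin/sh
# Emit an iptables-restore fragment for one application (name and ports are
# constructed for this example). Pattern: a dedicated chain per application,
# referenced from INPUT, with comment-module annotations so that
# `iptables -L` stays self-documenting.
emit_app_chain() {
  app="$1"            # application name, used for the chain name and comments
  shift               # remaining args are PORT:DESCRIPTION pairs
  chain="$(printf '%s' "$app" | tr '[:lower:]' '[:upper:]')_IN"
  printf '%s\n' '*filter'
  printf ':%s - [0:0]\n' "$chain"
  # One discrete rule per port, each with its own comment.
  for spec in "$@"; do
    port="${spec%%:*}"
    desc="${spec#*:}"
    printf '%s\n' "-A $chain -p tcp -m tcp --dport $port -m comment --comment \"$app: $desc\" -j ACCEPT"
  done
  # Hand control back to INPUT so its later rules (and policy) still apply.
  printf '%s\n' "-A $chain -j RETURN"
  # Reference the application chain from the default INPUT chain.
  printf '%s\n' "-A INPUT -m comment --comment \"$app rules\" -j $chain"
  printf '%s\n' 'COMMIT'
}

# The same ports collapsed with multiport: a single rule, so only one comment
# describes all of them.
emit_multiport_rule() {
  app="$1"; chain="$2"; ports="$3"; desc="$4"
  printf '%s\n' "-A $chain -p tcp -m multiport --dports $ports -m comment --comment \"$app: $desc\" -j ACCEPT"
}

# Demonstration with constructed values; the output can be fed to iptables-restore -n.
emit_app_chain appx 8080:"web ui" 8443:"web ui tls" 9300:"cluster transport"
emit_multiport_rule appx APPX_IN 8080,8443,9300 "web ui, tls, cluster transport"
```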

Responses