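# Gentoo baselayout net module: per-interface firewall hooks.
#
# Wires /sbin/firewall (net-firewall/gentoo-firewall) and /sbin/iptables into
# the interface bring-up/tear-down sequence.  Every hook takes the interface
# name as $1.  ebegin/eend/eerror and interface_exists are expected to be
# provided by the caller (see firewall_check_depends); they are not defined
# here.

#######################################
# Package atom that provides /sbin/firewall.
# Outputs:   the atom on stdout, no trailing newline
#######################################
firewall_packagename() {
	printf '%s' "net-firewall/gentoo-firewall"
}

#######################################
# Run /sbin/firewall with a fixed locale so its output and exit status do
# not depend on the caller's environment.
# Arguments: passed through verbatim
# Returns:   exit status of /sbin/firewall
#######################################
firewall() {
	LC_ALL=C /sbin/firewall "$@"
}

#######################################
# Run /sbin/iptables with a fixed locale (same rationale as firewall()).
# This deliberately shadows the iptables command for the rest of this file.
# Arguments: passed through verbatim
# Returns:   exit status of /sbin/iptables
#######################################
iptables() {
	LC_ALL=C /sbin/iptables "$@"
}

#######################################
# Pre-start hook: install a temporary blanket ACCEPT on INPUT for the
# interface so it can finish coming up (address configuration etc.).
#
# NOTE: this is a fail-open window.  firewall_post_start removes the rule
# again; when the interface config is "noop", post_start is not called and
# this ACCEPT remains the only firewall rule for the interface.
#
# Arguments: $1 - interface name
# Returns:   0 on success, 1 if the interface does not exist
#######################################
firewall_pre_start() {
	local iface=$1
	interface_exists "${iface}" true || return 1

	# Strip any stale copies of the rule first so duplicates never stack:
	# `iptables -D` removes one match per call and fails once none remain.
	while iptables -D INPUT \
		--in-interface "${iface}" --jump ACCEPT &> /dev/null; do
		:
	done

	# Best-effort: a failure here (e.g. iptables unavailable) must not keep
	# the interface from coming up.
	iptables -A INPUT \
		--in-interface "${iface}" --jump ACCEPT &> /dev/null || true

	return 0
}

#######################################
# Post-start hook: drop the blanket ACCEPT from firewall_pre_start and bring
# the real firewall configuration up on the interface.
# Arguments: $1 - interface name
# Returns:   exit status of `firewall <iface> up`
#######################################
firewall_post_start() {
	local iface=$1 rv

	ebegin "Starting firewall on ${iface}"
	# Best-effort removal; the rule may already be gone.
	iptables -D INPUT \
		--in-interface "${iface}" --jump ACCEPT &> /dev/null || true
	firewall "${iface}" up
	rv=$?
	eend "${rv}"
	return "${rv}"
}

#######################################
# Post-stop hook: tear the firewall down on the interface (deny all packets).
# Arguments: $1 - interface name
# Returns:   exit status of `firewall <iface> down`
#######################################
firewall_post_stop() {
	local iface=$1 rv

	ebegin "Stopping firewall on ${iface}"
	firewall "${iface}" down
	rv=$?
	eend "${rv}"
	return "${rv}"
}

#######################################
# Check that the binaries this module needs are present.
# Arguments: $1 - literal "true" to report missing pieces via eerror;
#                 anything else (default "false") stays silent.  The value
#                 is executed as a command, so pass only true/false.
# Returns:   0 if both /sbin/firewall and /sbin/iptables are executable,
#            1 otherwise
#######################################
firewall_check_installed() {
	local report=${1:-false} installed=0 packagename
	# Assigned separately so a failure of the substitution is not masked
	# by `local` succeeding.
	packagename=$(firewall_packagename)

	if [[ ! -x /sbin/firewall ]]; then
		installed=1
		"${report}" && eerror "For firewall support, please emerge ${packagename}"
	fi
	if [[ ! -x /sbin/iptables ]]; then
		installed=1
		"${report}" && eerror "For firewall support, please emerge net-firewall/iptables"
	fi
	return "${installed}"
}

#######################################
# Name of the facility this module provides to the net framework.
# Outputs:   "firewall" on stdout
#######################################
firewall_provides() {
	echo "firewall"
}

#######################################
# Verify that the helper functions this module relies on are defined.
# Returns:   0 if all are present, 1 after reporting the first missing one
#######################################
firewall_check_depends() {
	local fn
	for fn in interface_exists interface_device interface_variable; do
		if [[ $(type -t "${fn}") != function ]]; then
			eerror "firewall: missing required function ${fn}\n"
			return 1
		fi
	done
	return 0
}

#######################################
# Ordering hook for the module chain; intentionally a no-op.
#######################################
firewall_depend() {
	# not really sure where this belongs in the chain...
	:
}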