--- a/components/openstack/neutron/files/neutron-l3-agent	Tue Jun 10 14:07:48 2014 -0700
+++ b/components/openstack/neutron/files/neutron-l3-agent	Wed Jun 11 17:13:12 2014 -0700
@@ -15,11 +15,13 @@
 #    under the License.
 
 import os
+import re
 import sys
 
+import netaddr
 import smf_include
 
-from subprocess import Popen, PIPE
+from subprocess import CalledProcessError, Popen, PIPE, check_call
 
 
 def start():
@@ -50,14 +52,112 @@
     v6fwding = "on" in output
 
     if not any((v4fwding, v6fwding)):
-        print "System-wide IPv4 or IPv6 (or both) forwarding must be enabled " \
-            "before enabling %s" % os.getenv("SMF_FMRI")
+        print "System-wide IPv4 or IPv6 (or both) forwarding must be " \
+              "enabled before enabling neutron-l3-agent"
         return smf_include.SMF_EXIT_ERR_CONFIG
 
     cmd = "/usr/lib/neutron/neutron-l3-agent --config-file %s " \
         "--config-file %s" % tuple(sys.argv[2:4])
     smf_include.smf_subprocess(cmd)
 
+
+def stop():
+    try:
+        # first kill the SMF contract
+        check_call(["/usr/bin/pkill", "-c", sys.argv[2]])
+    except CalledProcessError as err:
+        print "failed to kill the SMF contract: %s" % (err)
+        return smf_include.SMF_EXIT_ERR_FATAL
+    # remove VNICs associated with L3 agent
+    cmd = ["/usr/sbin/ipadm", "show-if", "-p", "-o", "ifname"]
+    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
+    output, error = p.communicate()
+    if p.returncode != 0:
+        print "failed to retrieve IP interface names"
+        return smf_include.SMF_EXIT_ERR_CONFIG
+
+    ifnames = output.splitlines()
+    # L3 agent datalinks are always 15 characters in length. They start
+    # with either 'l3i' or 'l3e', end with '_0', and in between they are
+    # hexadecimal digits.
+    prog = re.compile('l3[ie][0-9A-Fa-f\_]{10}_0')
+    for ifname in ifnames:
+        if not prog.search(ifname):
+            continue
+        try:
+            # first remove the IP
+            check_call(["/usr/bin/pfexec", "/usr/sbin/ipadm", "delete-ip",
+                        ifname])
+            # next remove the VNIC
+            check_call(["/usr/bin/pfexec", "/usr/sbin/dladm", "delete-vnic",
+                        ifname])
+        except CalledProcessError as err:
+            print "failed to remove datalinks used by L3 agent: %s" % (err)
+            return smf_include.SMF_EXIT_ERR_FATAL
+
+    # remove IP Filter rules added by neutron-l3-agent
+    cmd = ["/usr/bin/pfexec", "/usr/sbin/ipfstat", "-io"]
+    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
+    output, error = p.communicate()
+    if p.returncode != 0:
+        print "failed to retrieve IP Filter rules"
+        return smf_include.SMF_EXIT_ERR_FATAL
+
+    ipfilters = output.splitlines()
+    # L3 agent IP Filter rules are of the form
+    # block in quick on l3i64cbb496_a_0 from ... to pool/15417332
+    prog = re.compile('on l3i[0-9A-Fa-f\_]{10}_0')
+    ippool_names = []
+    for ipf in ipfilters:
+        if not prog.search(ipf):
+            continue
+        # capture the IP pool name
+        ippool_names.append(ipf.split('pool/')[1])
+
+        try:
+            # remove the IP Filter rule
+            p = Popen(["echo", ipf], stdout=PIPE)
+            check_call(["/usr/bin/pfexec", "/usr/sbin/ipf", "-r", "-f", "-"],
+                       stdin=p.stdout)
+        except CalledProcessError as err:
+            print "failed to remove IP Filter rule %s: %s" % (ipf, err)
+            return smf_include.SMF_EXIT_ERR_FATAL
+
+    # remove IP Pools added by neutron-l3-agent
+    for ippool_name in ippool_names:
+        try:
+            check_call(["/usr/bin/pfexec", "/usr/sbin/ippool", "-R",
+                        "-m", ippool_name, "-t", "tree"])
+        except CalledProcessError as err:
+            print "failed to remove IP Pool %s: %s" % (ippool_name, err)
+            return smf_include.SMF_EXIT_ERR_FATAL
+
+    # remove IP NAT rules added by neutron-l3-agent
+    cmd = ["/usr/bin/pfexec", "/usr/sbin/ipnat", "-lR"]
+    p = Popen(cmd, stdout=PIPE, stderr=PIPE)
+    output, error = p.communicate()
+    if p.returncode != 0:
+        print "failed to retrieve IP NAT rules"
+        return smf_include.SMF_EXIT_ERR_FATAL
+
+    ipnat_rules = output.splitlines()
+    # L3 agent IP NAT rules are of the form
+    # bimap l3e64ccc496_a_0 192.168.1.3/32 -> 172.16.10.3/32
+    prog = re.compile('l3e[0-9A-Fa-f\_]{10}_0')
+    for ipnat_rule in ipnat_rules:
+        if not prog.search(ipnat_rule):
+            continue
+        # remove the IP NAT rule
+        try:
+            p = Popen(["echo", ipnat_rule], stdout=PIPE)
+            check_call(["/usr/bin/pfexec", "/usr/sbin/ipnat", "-r", "-f", "-"],
+                       stdin=p.stdout)
+        except CalledProcessError as err:
+            print "failed to remove IP NAT rule %s: %s" % (ipnat_rule, err)
+            return smf_include.SMF_EXIT_ERR_FATAL
+
+    return smf_include.SMF_EXIT_OK
+
 if __name__ == "__main__":
     os.putenv("LC_ALL", "C")
     smf_include.smf_main()