►
From YouTube: Antrea Community Meeting 06/05/2023
Description
Antrea Community Meeting, June 5th 2023
A
So
good
morning,
good
afternoon,
good
evening,
thanks
for
joining
this
instance
of
the
entria
committee
meeting
today
is
a
Tuesday
June,
the
6th
or
Monday
June,
the
5th.
If
you
are
on
the
west
side
of
the
Atlantic,
and
for
today
we
have
a
discussion
which
will
be
led
by
winning
about
a
problem
that
has
been
recently
reported
with
natural
policy
logging.
A
So,
basically,
if
there
are
a
very
large
number
of
connections,
logging
might
cause
some
packet
drops
and
winning
as
a
design,
a
proposal
for
tackling
this
issue,
and
she
would
like
to
share
it
with
us
today.
Okay,
so
I'll,
let
winning
go
ahead
with
yourself,
with
your
presentation
and
I
will
shut
up
now.
Opening
please
go
ahead.
B
Thank
you.
Everyone
today,
I
want
to
proposal
a
solution
propose
a
solution
for
the
two
to
resolved
issue
performance
is
introduced
by
internal
policy.
Login
purpose
in
general,
I
want
to
use
a
separate
open
floor
entry
for
internet
policy
purpose,
and
the
motivation
is
that
recently,
with
zodied,
some
packages
could
be
dropped.
Unexpectedly,
if
massive
connections
hit
another
policy
within
login
enabled
after
some
triage,
we
found
that
the
rule
the
issue
happens
on
setup,
only
one
that
osmetry
is
supported.
B
It
is
because
that
we
are
trying
to
use
the
OS
meter
to
perform
the
rate
limits
on
login
on
adrenal
policy,
login
purpose,
but
season
open
from
window
file.
A
major
was
switching
from
a
separate
instruction
to
an
open,
Flow
action
and
the
the
open
flows
back
require
that
the
major
action
must
be
the
first
action
in
the
flow
action
site.
That
means
that,
in
the
existing
code,
we
are
trying
to
use
a
single
open,
Flow
entry
on
our
policy
traffic
property
and
no
policy
login
purposes.
B
We
have
to
use
the
Matrix
function,
the
first
fraction
and
it
will
have
read
limits
on
both
the
traffic
package
and
the
login
purpose
actions.
So
when
the
when
the
traffic
I
mean
the
the
business
Port
traffic
is
over
the
meter
rate
limits,
we
will
see
that
the
packets
are
dropped
by
the
meter
band,
although
the
internet
policy
may
be
is
possibly
designed
the
based
on
allow
actions,
so
here
I,
I
paste
the
example
for
the
the
internal
policy,
with
logging
configurations
on
the
open
entries.
B
People
see
that
in
the
entire
egress
routable
we
have
one
internal
policy.
If
the
package
has
matched
conjunction,
it
will
be
exactly
executed
with
the
actions.
Firstly,
you
need
to
process
service
feature.
I
mean
that
it
will
be.
The
package
need
to
be
checked.
With
the
meter
read
limit
and
bandwidth
and
after
the
meter
we
will
use
some
actions
to
load
the
direct
Mass
to
the
OS
registers
and
then
send
send
package
to
the
controller.
B
It
shows
that
the
meters
have
matched
the
totally
the
package
with
this
number
and
the
text
Bond
buys
I
with
this
number,
but
after
the
apply
the
limits
with
the
meter
band.
Sorry,
okay,
if
not
that's,
then
after
the
the
package
has
over
the
rate
limits,
it
will
be
processed
with
the
band
0
and
it
means
that
51
000
back
packets
was
processed
by
the
band
band
0,
which
means
that
these
packets
were
dropped
by
the
meter.
B
This
is
the
some
observations
in
the
real
setup
from
the
customers
and
then
to
process.
It
I
have
a
general
solution.
Instead,
so
we
need
to
use
a
separate
open
floor
for
entry
for
entry
policy,
login
purpose
in
which
voluntary
we
can
use
meter.
If
the
the
feature
is
ported
on
the
setup,
then
we
can
use
meter
to
have
some
read
limit
on
the
package
to
send
200
agent
purpose,
but
in
this
generous
solution
we
have
some
challenge.
B
Firstly,
is
that
when
we
must
have
two
copies
of
the
package
before
we
apply
meters
and
one
copy
of
the
package
is
supposed
to
be
forwarded
in
the
OS
pipeline
for
the
net
policy
traffic
now
policy
security
purpose
and
the
second
copy
is
used
to
to
be
applied
with
the
central
controller
action
and
the
Second
Challenge
is
that
by
now
we
have
switched
to
packaging
2
mechanism
for
the
for
the
central
controller
purpose
and
for
different
Central
controller
purpose.
So
we
may
have
different
user
data.
B
That
means
that
before
we
apply
package
to
send
to
control
action,
we
must
ensure
that
the
user
data
use
the
interflection
should
be
matched
correctly
to
the
package
with
some
special
garments.
So
this
is
the
second
Challenge
and
the
third
is
that
so,
since
we
have
two
copies
of
the
package-
and
we
have
two
different
actions
to
to
ensure
that
the
packet
can
leave
the
OS
pipeline
wise
to
Output
1
Port.
A
B
Os
port,
a
job
and
another,
is
to
send
package
to
the
Android
controller.
Then
we
must.
We
must
handle
the
conflict
with
Reflections
when
the
packet
is
using.
This
traffic
purpose
all
is
using
for
the
Android
login
purpose.
This
is
the
the
challenge,
so
my
proposal
is
focusing
on
how
to
resolve
this
challenge
and
after
having
some
analysis
on
the
existing
code,
I
found
that
there
are
four
functions
in
ensure
to
to
be
used
for
enter
the
policy
login
purpose
and
with
a
deeper
analysis.
B
This
can't
we
have
two
functions
and
there
is
a
some
alternatives
are
in
the
conjunctive
action
flow
affect
the
existing
code
in
a
conjunction
action
flow,
very,
firstly,
load
a
load
package
to
the
OS
contract
and
then
brings
back
to
send
package
200
agents.
So
as
a
alternative,
if
we
can
ignore
the
meter
in
central
controller
on
the
original
flow,
we
can
adjust
the
the
order
of
the
two
actions.
B
For
example,
we
can
firstly
move
the
package
to
OS
contract
because
OS
contract
has
make
a
call
a
fork
on
the
package
and
the
the
original
package
was
dropped
in
the
in
the
previous
table.
Then
we
can
leverage
it.
We
can
use
the
fork
package
in
the
OS
contract
and
we
can
use
the
original
package
to
send
it
to
200
agents.
So
we
can
just
I
just
move
it
to
the
second
kind
of
action
site
here.
B
So
then
we
come
to
the
detail.
Designs,
firstly,
is
about
how
to
resolve
the
two
copies
of
the
package.
B
I
would
propose
that
so
we
can
use
a
type
or
group
to
generate
the
required
copies
of
package
here.
I
mean
that
it's
because
we
see
that
there
are
two
kinds
of
packet
actions
action
sites.
One
is
how
two
two
actions
one
is
to
go
to
a
different
table
and
the
second
is
to
go
to
a
Android
agent
and
the
second
kind
of
exercise
is
only
send
a
package
to
enter
controller.
So
here
we
may
have
two
kinds
of
type:
all
groups
for
the
first
for
the
first
kind
of
action
sites.
B
We
we
need
to
have
a
thing.
We
need
to
have
a
a
single
group
for
person
table.
It
means
that,
because
you
know
that
it's
a
four
group
of
we
have
one
or
two
buckets
and
the
buckets
contents
should
be
static
for
each
group.
That
means
that
it,
when
any
type
one
we
have
a
different
next
table.
We
should
have
different
groups
using
the
bucket
to
send
it
to
resubmit
the
package
to
the
next
table.
B
So
here,
first
for
the
first
kind
of
action
sites
we
may
have
multiple
groups
and
each
each
group
for
product
table
and
for
the
second
kind
of
action
site
we
can
only
have
a
single
group
and
in
which
group
there
is
only
one
bucket
to
in
to
send
the
package
to
to
the
flow
where
we
are
trying
to
use
the
the
action
to
send
a
package
to
Android
agents.
Only,
and
maybe
we
also
need
to
apply
the
meter
action
on
the
floor.
B
This
is
the
the
first
part
and
then
sorry,
the
the
second
challenge
is
that
so
how
shall
we
process
the
conflict
from
the
outputs
package
to
OS,
open,
open,
Flow
Part
and
send
the
package
to
Android
agents?
My
purposely
my
proposal
is
set,
so
we
need
we
need.
I
would
prefer
to
install
the
separate
open,
Flow
entry
which
sends
package
to
enter
agents
to
layer,
2
forwarding
out
out
table
because
you,
you
know
that.
B
So
we
are
always
thought
that
little
forwarding
about
table
is
the
last
table
to
process
package
before
the
package
leaving
OS
Pipeline,
and
we
always
think
that
send
to
enter
send
to
open
Flow
controller
is
another
kind
of
behavior
or
package
to
leave
the
OS
pipeline.
So
I
would
prefer
to
install
the
flow
in
this
table,
and
the
second
part
is
that
we
may
need
to
introduce
a
new
Regis
OS
register
field.
I'll
put
this
project
position
field
to
indicate
how
the
package
leaves
OS
pipeline
in
the
existing
code.
B
The
way
how
osport
found
the
right
Mark,
in
which
one
we
find
that
our
packet
has
marked
with
this
right
Mark.
We
will
output
the
package
to
our
OS
Port,
but
now
we
have
two
two
kinds
of
actions
to
to
ensure
the
package
leave
OS
pipeline.
So
we
will
use
this
Mark
as
one
kind
of
value.
For
example.
B
I
would
I
would
use
number
one
as
the
mark
value
for
to
ensure
that
the
package
is
output
to
an
OS,
port
and
and
I
will
use
the
value
2,
as
marks
to
Let's
always
send
package
to
open
Flow
controller
for
internal
policy.
Login
purpose
in
this
way,
even
if
the
the
two
copies
of
a
package,
one
for
the
internal
policy
traffic
purpose
and
the
second
is
for
the
login
purpose.
Both
the
two
packets
are
coming
to
the
left
table
of
os
pipeline.
B
The
two
tables
are
marked
with
different
drug
marked,
where
we
can
not
make
a
confused
confused
on
the
dispositions
and
another.
Remind
not
key
points
is
that
where
we
marked
then
to
control
rank
mark,
it
is
marked
as
the
in
inside
the
open
Flow
group
buckets.
We
mentioned
in
the
last
in
the
previous,
slides
and
then
is
about
sorry.
Then
we
come
to
the
third
part
of
The
Proposal.
It
is
to
precise
how
to
differentiate
the
package
with
the
user
data
instant
to
controller
action
mythology.
B
Is
that
so
we
can
introduce
a
new
drug
field
in
the
OS
registers
to
Mark.
What
is
it
is
supposed
to
use
and
the
packet
operation
field
is
is:
is
sites
in
the
original
open
floor
entries
for
internet
work
policy
purpose
I
mean
where
we
send
packages
to
to
the
group,
and
then
the
market
is
consumed
in
the
flow
where
we
send
package
to
the
unsure
agents
in
the
last
table
of
the
OS
pipeline.
In
this
way
we
can.
We
will
not
confuse
the
package
for
different
user
data
purpose.
B
Then
sorry,
then,
in
general,
the
final
OpenFlow
entries
for
ensure
no
policy
and
the
login
purpose
should
be
like
this.
The
same
movie.
We
also
use
meter
in
a
setup
and
we
will
install
OpenFlow
groups
for
the
two
cans
of
action
sites.
The
first,
for
example,
the
group
id4
is
used,
is
configured
with
two
buckets.
B
One
bucket
is
two
same
package
to
a
next
table
and
the
second
bucket
is
to
set
to
to
load
the
Open
Floor,
the
send
to
controller
rack
Mark
and
the
resubmitted
package
to
the
output
table,
and
we
have
a
second
type
of
group,
including
only
one
bucket,
which
is
expected
to
set
the
central
controller
rank
Mark
and
send
resubmit.
The
package
to
the
left
table
then
for
the
internal
policy.
B
We
install
OpenFlow
in
the
policy
table
and
we
also
have
some
Conjunction
Junction
for
Mac
configured
after
the
package
match
the
conjunction.
We
will
update
the
conjunctive
conjunction
ID,
a
conjunction
action
flow,
and
we
also
set
all
the
right
marks
in
this
flow.
But
finally,
we
submit
the
package
to
group.
Then
the
package
will
be
processed
in
the
group
and
finally,
it
comes
to
the
output
table
and
it
will
match
the
send
to
controller
Mark
or
send
or
match
the
export
found
like
Mark
and
then
continue
the
actions.
C
B
B
I
listed
the
two
kind
of
action
sites
here
in
this
package,
for
example,
there
are
four
actions
and
the
the
group
seven
is
for
these
two
two
two
two
actions.
B
It's
the
the
every
guys
in
here
that
even
this
group
is
necessary
if
it
is
not
necessary.
I
think
I
can
just
use
this.
The
the
open
full
actions
is
that,
for
example,
we
just
set
the
rag
marks
and
there
is
a
package
to
output
table.
B
So
I
think
your
idea
is
to
this
is
better
to
ignore
the
group.
Just
use
open
selection
directly
right.
B
I
listed
here
because
I
mean
just
in
my
proposal
I.
This
group
is
because
that
I
think
it
will
keep
the
consistent
for
other
groups.
I
mean
that's
for
login
purpose.
We
just
use
groups
inside
the
instead
of
the
open
selections
directly
so
to
keep
the
same
style
for
with
other
blogging
purpose
actions.
I
use
a
single
group
here.
C
D
C
Well,
I
have
another
question:
if
the
package,
the
senator
controller,
is
for
generating
some
reject
packets
or
I'm,
going
to
show
you
if
we
we
have
some
function,
that
we
need
the
user
space
controller
to
decide
whether
to
allow
a
job
the
package.
But
if,
in
that
case,
and
then
we
will
have
two
copies
where
it
costs
doubly
duplicate
package
to
be
disabled
by
the
destination.
B
Yeah,
but
we
do
not
know,
we
don't
have
a
second
copy
to
send
to
control
in
the
existing
code
we
have
I.
Just
from
my
look
through
in
the
code.
I
saw
that
for
reject
purpose.
The
central
controller
was
more
extinct
with
the
login
purpose,
so
there
should
be
only
one.
A
All
right,
I'll
go
ahead
with
a
question
for
those
of
us
which
are
not
as
familiar
as
you
with
the
OpenFlow
flows.
You
mentioned
your
presentation
that
we
are
making
a
copy
of
every
packet.
B
It
is
performed
by
OS.
Well,
we
use
the
type
of
group.
Os
will
will
will
execute
every
package,
so
one
way
use
different.
Submit
actions
in
the
in
the
in
the
different
packets
OS
will
generate
the
the
equals
number
of
the
buckets
of
packet,
copies.
B
Actually,
the
the
group
actually
is
used
in
the
in
the
open
floor
entry,
where
you
use
to
process
the
first
package
in
the
connection,
so
it's
so
the
bucket
actually
is.
It
is
processed.
Firstly,
actually
it
has
matched
the
the
Open
Floor
entry,
which
was
used
to
match
the
the
package.
D
A
A
E
Yeah
I
have
a
I
have
a
quick
one.
This
is
Young.
I
think
this
might
be
all
actually
a
dumb
one.
So
is
there
any
effect
to
entry
level
policy
rules
that
doesn't
have
logging
specified?
Does
it
change
the
current
pipeline
anyway?.
B
2010
International
current
pipeline,
if
login
is
not
enabled
on
the
policy,
the
the
OpenFlow
interests
still
use
uses
the
the
previous
elections.
Only
once
we
find
out
a
login
is
enabled
and
under
rule
we
will
modify
the
conjunction
action
flow
action
to
to
a
leveraged
group.
Instead
of
the
Privacy
single
actions.
E
All
right,
it
makes
sense,
but
but
I'm
over
saying
that,
because
you
know
in
the
in
the
design
that
we
have
a
couple
of
you
know:
entry
level
policies,
maybe
with
similar
match
conditions
or
something
they
share.
You
know
a
entry
in
a
conjunction
right,
so
it
means
that
if
one
has
the
login
enabled
and
the
other
doesn't
now,
it's
considered
a
different
action
and
will
be
segregated.
B
C
We
I
got
another
question
since
we
move
the
Center
controller
to
output
table
right
yeah.
Could
that
happen
that
that
originally
the
packet
is
locked
after
it
is
actually
it
is
determined
to
be
allowed
by
egress
table.
However,
the
package
is
somehow
dropped
by
Ingress
table
later.
Could
that
package
there
be
logged.
C
B
You
see
if
we
have
a
logging
action
on
the
expected
job.
Actually
in
the
egress
table
it
means
that
one
package
is
dropped
in
the
US
table.
We
need
to
have
a
login
action
on
the
package.
Then
the
group
will
send
package
to
the
output
table
directly
to
Central
agents
and
for
the
for
the
the
package
so
still
working
in
the
inside
the
OS
pipeline
for
traffic
purpose.
It
is
dropped,
so
the
packet
has
no
chance
going
to
the
Ingress
table
to
generate
a
second
copy
of
the
going
to
send
to
controller.
C
No
I
mean
previously
the
pack,
the
the
package
could
pass
egress
check
and
below
it,
because
the
center
controller
is
enforced
in
as
one
action
of
the
egress
table
itself,
yeah
and
after
this
change,
because
the
logging
at
the
center
controller
action
is
moved
to
the
last
table.
Yes,
if
the
package
is
jobed
by
one
Ingress
Lua,
could
that
package
still
reach
the
last
table
and
to
be
locked?
D
B
I
think
it
should
be
be
how
to
packing
package.
Firstly,
the
First
Central
controller
is
from
the
egress
because
it
is
allowed
and
logging
right
and
then
the
package
comes
to
the
universe
table
and
we
have
another
login
requirements.
Then
the
package
was
going
through.
Another
group
open
block
group
and
we
generate
a
second
copy
for
send
to
controller.
B
Crossed
egress
login
purpose,
although
that
actually
is
to
allow
it
means
that
wakes
back
to
the
package,
to
resent
me
to
a
table
after
equalized
through
table
rights,
for
example,
egress
metric.
Then
the
package
there
is
one
group
using
having
two
two
buckets
device
to
send
controller
and
another
is
jewelry
Army
packaged
to
to
egress
metric
table.
And
then,
when
the
package
comes
to
the
Ingress
through
table-
and
we
have
another
login
purpose,
then
it
goes
to
Ingress
group
and
the
second
group
has
Central
controller
package
and
job,
maybe
drop.
Maybe
your
example.
C
F
But
if,
if
the
network
policy
role
is
a
drop
rule
and
if
the
traffic
is
UDP,
do
you
think
that
there
could
be
a
problem
if
we
have
like
a
ie
throughput
for
that
one
UDP
flow
where
we're
going
to
create
like
a
copy
of
each
UDP
packet,
and
so
the
first
copy
is
going
to
be
dropped,
because
it's
that's
what
the
network
policy
role
action
is
and
the
second
copy
will
also
be
dropped,
but
by
the
meter,
because
we're
going
to
exceed
the
rate
of
100
packets
per
second
pretty
fast.
B
I,
don't
think
you
should
just
introduced
my
new
performance
easily
in
the
last,
because
you
see
that
even
if
we
do
not
use
group
for
packet
copy,
we
just
use
different
Reflections
in
the
in
the
OS
open
floor
entries
for
the
rest
of
the
passage.
It
is
also
need
to
make
different
coffees
for
to
to
execut
executes
the
actions.
B
Algorithm
group,
but
we
just
use
the
open
Flow
actions
to
exactly
what
the
actions
like
send
to
controller
and
outputs
I
mean
the
two
actions
in
one
single
open
plant
trees
for
always
their
parts.
It
also
means
two
copies
to
exactly
to
the
actions
so
I,
don't
think
using
type
all
group
introduce
additional
costs
and
performance.
D
A
That
makes
sense
so
do
we
have
any
other
question
on
this
topic.
A
Perfect,
that
sounds
great,
and
so
thanks
a
lot
joining
that
should
solve
this
problem
for
good
and
we
don't
have
any
other
scheduled
Topic
in
the
agenda
for
today.
So
if
there
is
anything
that
you
would
like
to
bring
up
for
discussion,
please
go
ahead.
A
A
And
these
may
be
all
for
today,
then
all
right,
so
I
would
like
to
thank
everyone
for
attending
this
meeting
and
in
particular
thank
you
winning
for
today's
presentation,
and
that
I
mean
this
means
that
that's
all
for
today
and
see
you
in
two
weeks
time
thanks
everyone
for
joining
and
I
wish
everyone
a
great
evening
or
a
good
afternoon.