When I tested on INITIATOR side, transition between SYN_SENT -> ESTABLISHED was near RTT, but on RECEIVER side it was very low, as i showed before, but it should be the same as on INITIATOR side. Is that right? I just want to understand where to look at, if it's not netfilter.. Maybe eBPF or Linux networking? 09.06.2019, 22:48, "zrm" <zrm@xxxxxxxxxxxxxxx>: > On 6/9/19 15:04, iam@xxxxxxxxxxx wrote: >> While playing with eBPF i tried tcpstates.py (https://github.com/iovisor/bcc/blob/master/tools/tcpstates.py) and noticed very low time for TCP state transition SYN_RECV -> ESTABLISHED >> >> My numbers from tests: >> >> SYN_RECV -> ESTABLISHED 0.015 >> SYN_RECV -> ESTABLISHED 0.017 >> SYN_RECV -> ESTABLISHED 0.051 >> >> From handshake diagram(https://user-images.githubusercontent.com/1006307/58944706-0ffdb580-878b-11e9-95d3-8e7a4f85d8b0.png) it looks like that transition time from SYN_RECV to ESTABLISHED should be near RTT between hosts? >> >> TCP Fast Open turned off on host. >> >> OS: Ubuntu 18.10 (GNU/Linux 4.18.0-21-generic x86_64) >> >> tcpdump -tttttv >> >> 00:00:00.000000 IP (tos 0x28, ttl 49, id 280, offset 0, flags [DF], proto TCP (6), length 60) >> dst_host > src_host: Flags [S], cksum 0x46ae (correct), seq 4063608731, win 29200, options [mss 1460,sackOK,TS val 332512899 ecr 0,nop,wscale 6], length 0 >> 00:00:00.000071 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60) >> src_host > dst_host: Flags [S.], cksum 0x84c2 (incorrect -> 0x3c01), seq 1516815880, ack 4063608732, win 28960, options [mss 1460,sackOK,TS val 2341429130 ecr 332512899,nop,wscale 7], length 0 >> 00:00:00.079183 IP (tos 0x28, ttl 49, id 281, offset 0, flags [DF], proto TCP (6), length 52) >> dst_host > src_host: Flags [.], cksum 0xda11 (correct), ack 1, win 457, options [nop,nop,TS val 332512918 ecr 2341429130], length 0 >> 00:00:00.093311 IP (tos 0x0, ttl 64, id 60333, offset 0, flags [DF], proto TCP (6), length 93) >> src_host > dst_host: Flags [P.], cksum 0x84e3 (incorrect -> 0xb341), seq 1:42, ack 1, win 227, options [nop,nop,TS val 2341429223 ecr 332512918], length 41 >> such low numbers are between syn_recv and syn+ack send, but between syn_recv and established it should be 00:00:00.079183 >> >> ping between hosts in this tcpdump is around 83ms >> >> Looks like nf_conntrack is doing this: >> >> https://github.com/torvalds/linux/blob/80f232121b69cc69a31ccb2b38c1665d770b0710/net/netfilter/nf_conntrack_proto_tcp.c#L1033-L1037 >> >> Is it bug or i'm wrong? > > See how on your TCP diagram there is ESTABLISHED on both sides? > Conntrack isn't the initiator or the receiver, it's on the path between > them (even if it's physically on the same machine as the receiver), and > it transitions to ESTABLISHED as soon as it sees SYN-ACK from the > receiver, the same as the initiator does.
