Link: Pasta
pasta implements a translation layer between a Layer-2 network interface in a namespace and native Layer-4 sockets (TCP, UDP, ICMP/ICMPv6 echo) on the host. Traffic is forwarded using a tap interface inside the namespace, without the need to create further interfaces on the host, hence not requiring any capabilities or privileges.

So imagine a TCP connection (a Layer-4 socket) to some destination:port is created in your container, then
- the TCP traffic will reach the kernel code (in the container namespace)
- it will be translated to a sequence of Ethernet packets (Layer-2) by the TCP/IP stack
- and all those packets will be sent to the tap device
- then, at the other side of the tap device, on the host, pasta will reconstruct the TCP connection from the sequence of Ethernet packets
- and it will create a TCP socket to the destination:port.
So a TCP connection in a container will be translated to a TCP connection on the host, and pasta will undo all this work for the response traffic coming from destination:port.
As an optimization, it implements a tap bypass path for local connections: packets with a local destination address are moved directly between Layer-4 sockets, avoiding Layer-2 translations, using the splice(2) and recvmmsg(2)/sendmmsg(2) system calls for TCP and UDP, respectively.
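
The Layer-2 to Layer-4 steps listed above (not the bypass path), sketched as an added example that is not pasta's own code: it parses Ethernet frames as they would arrive from the tap device and derives the host-side socket actions, which is why host firewalls and logs see these connections as sockets owned by the translating process. The function names, addresses and frames are constructed for illustration, and sequence numbers, retransmission and checksums are ignored.

```python
import socket
import struct

SYN, FIN = 0x02, 0x01

def build_frame(src, sport, dst, dport, flags, payload=b""):
    """Constructed sample input: Ethernet + IPv4 + TCP, checksums left at zero."""
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (flow 4-tuple, TCP flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6:
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 20 or frame[tcp + 12] >> 4 < 5:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    src, dst = (socket.inet_ntoa(frame[o:o + 4]) for o in (26, 30))
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    doff = (frame[tcp + 12] >> 4) * 4
    return (src, sport, dst, dport), frame[tcp + 13], frame[tcp + doff:14 + total_len]

def translate(frames):
    """Map tap-side frames to host-side socket actions (no seq/ack tracking)."""
    flows, actions = set(), []
    for flow, flags, payload in filter(None, map(parse_frame, frames)):
        dest = flow[2:]
        if flags & SYN and flow not in flows:
            flows.add(flow)
            actions.append(("connect",) + dest)
        elif flow in flows:
            if payload:
                actions.append(("send",) + dest + (len(payload),))
            if flags & FIN:
                flows.discard(flow)
                actions.append(("shutdown",) + dest)
    return actions

# Constructed frames: ARP (ignored), then SYN, data, FIN from a container client.
C = ("10.0.2.100", 40000, "192.0.2.10", 443)
SAMPLE = [bytes(12) + b"\x08\x06" + bytes(28), build_frame(*C, SYN),
          build_frame(*C, 0x18, b"hello"), build_frame(*C, 0x11)]
print(translate(SAMPLE))
```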