man: add a note that nspawn gives access to network by default

Fixes #6546.

diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 633d9393843231ad0ded995c09d44e487331d537..55ef48bfecb4dc768ba023940da4f8d643284d2d 100644 (file)
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -519,8 +519,10 @@
         configured with <option>--network-veth</option>. If this
         option is specified, the CAP_NET_ADMIN capability will be
         added to the set of capabilities the container retains. The
-        latter may be disabled by using
-        <option>--drop-capability=</option>.</para></listitem>
+        latter may be disabled by using <option>--drop-capability=</option>.
+        If this option is not specified (or implied by one of the options
+        listed below), the container will have full access to the host network.
+        </para></listitem>
       </varlistentry>
 
       <varlistentry>