From bc96c63c0522dc81c036dcd340369eb04df8d0e9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 21 Mar 2018 16:07:20 +0100
Subject: [PATCH] man: add a note that nspawn gives access to network by
 default

Fixes #6546.
---
 man/systemd-nspawn.xml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 633d9393843..55ef48bfecb 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -519,8 +519,10 @@
         configured with <option>--network-veth</option>. If this
         option is specified, the CAP_NET_ADMIN capability will be
         added to the set of capabilities the container retains. The
-        latter may be disabled by using
-        <option>--drop-capability=</option>.</para></listitem>
+        latter may be disabled by using <option>--drop-capability=</option>.
+        If this option is not specified (or implied by one of the options
+        listed below), the container will have full access to the host network.
+        </para></listitem>
       </varlistentry>
 
       <varlistentry>
-- 
2.47.3