+ <varlistentry>
+ <term><option>--private-network</option></term>
+
+ <listitem><para>Disconnect networking
+ of the container from the host. This
+ makes all network interfaces
+ unavailable in the container, with the
+ exception of the loopback device and
+ those specified with
+ <option>--network-interface=</option>
+ and configured with
+ <option>--network-veth</option>. If
+ this option is specified, the
+ CAP_NET_ADMIN capability will be added
+ to the set of capabilities the
+ container retains. The latter may be
+ disabled by using
+ <option>--drop-capability=</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-interface=</option></term>
+
+ <listitem><para>Assign the specified
+ network interface to the
+ container. This will remove the
+ specified interface from the calling
+ namespace and place it in the
+ container. When the container
+ terminates, it is moved back to the
+ host namespace. Note that
+ <option>--network-interface=</option>
+ implies
+ <option>--private-network</option>. This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-macvlan=</option></term>
+
+ <listitem><para>Create a
+ <literal>macvlan</literal> interface
+ of the specified Ethernet network
+ interface and add it to the
+ container. A
+ <literal>macvlan</literal> interface
+ is a virtual interface that adds a
+ second MAC address to an existing
+ physical Ethernet link. The interface
+ in the container will be named after
+ the interface on the host, prefixed
+ with <literal>mv-</literal>. Note that
+ <option>--network-macvlan=</option>
+ implies
+ <option>--private-network</option>. This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-ipvlan=</option></term>
+
+ <listitem><para>Create an
+ <literal>ipvlan</literal> interface
+ of the specified Ethernet network
+ interface and add it to the
+ container. An
+ <literal>ipvlan</literal> interface
+ is a virtual interface, similar to a
+ <literal>macvlan</literal> interface, which
+ uses the same MAC address as the underlying
+ interface. The interface
+ in the container will be named after
+ the interface on the host, prefixed
+ with <literal>iv-</literal>. Note that
+ <option>--network-ipvlan=</option>
+ implies
+ <option>--private-network</option>. This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-n</option></term>
+ <term><option>--network-veth</option></term>
+
+ <listitem><para>Create a virtual
+ Ethernet link
+ (<literal>veth</literal>) between host
+ and container. The host side of the
+ Ethernet link will be available as a
+ network interface named after the
+ container's name (as specified with
+ <option>--machine=</option>), prefixed
+ with <literal>ve-</literal>. The
+ container side of the Ethernet
+ link will be named
+ <literal>host0</literal>. Note that
+ <option>--network-veth</option>
+ implies
+ <option>--private-network</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-bridge=</option></term>
+
+ <listitem><para>Adds the host side of
+ the Ethernet link created with
+ <option>--network-veth</option> to the
+ specified bridge. Note that
+ <option>--network-bridge=</option>
+ implies
+ <option>--network-veth</option>. If
+ this option is used, the host side of
+ the Ethernet link will use the
+ <literal>vb-</literal> prefix instead
+ of <literal>ve-</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-p</option></term>
+ <term><option>--port=</option></term>
+
+ <listitem><para>If private networking
+ is enabled, maps an IP port on the
+ host onto an IP port on the
+ container. Takes a protocol specifier
+ (either <literal>tcp</literal> or
+ <literal>udp</literal>), separated by
+ a colon from a host port number in the
+ range 1 to 65535, separated by a colon
+ from a container port number in the
+ range from 1 to 65535. The protocol
+ specifier and its separating colon may
+ be omitted, in which case
+ <literal>tcp</literal> is assumed.
+ The container port number and its
+ colon may be ommitted, in which case
+ the same port as the host port is
+ implied. This option is only supported
+ if private networking is used, such as
+ <option>--network-veth</option> or
+ <option>--network-bridge=</option>.</para></listitem>
+ </varlistentry>
+