+ <varlistentry>
+ <term><option>--network-ipvlan=</option></term>
+
+ <listitem><para>Create a
+ <literal>ipvlan</literal> interface
+ of the specified Ethernet network
+ interface and add it to the
+ container. An
+ <literal>ipvlan</literal> interface
+ is a virtual interface, similar to a
+ <literal>macvlan</literal> interface, which
+ uses the same MAC address as the underlying
+ interface. The interface
+ in the container will be named after
+ the interface on the host, prefixed
+ with <literal>iv-</literal>. Note that
+ <option>--network-ipvlan=</option>
+ implies
+ <option>--private-network</option>. This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-n</option></term>
+ <term><option>--network-veth</option></term>
+
+ <listitem><para>Create a virtual
+ Ethernet link
+ (<literal>veth</literal>) between host
+ and container. The host side of the
+ Ethernet link will be available as a
+ network interface named after the
+ container's name (as specified with
+ <option>--machine=</option>), prefixed
+ with <literal>ve-</literal>. The
+ container side of the Ethernet
+ link will be named
+ <literal>host0</literal>. Note that
+ <option>--network-veth</option>
+ implies
+ <option>--private-network</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-bridge=</option></term>
+
+ <listitem><para>Adds the host side of
+ the Ethernet link created with
+ <option>--network-veth</option> to the
+ specified bridge. Note that
+ <option>--network-bridge=</option>
+ implies
+ <option>--network-veth</option>. If
+ this option is used, the host side of
+ the Ethernet link will use the
+ <literal>vb-</literal> prefix instead
+ of <literal>ve-</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-p</option></term>
+ <term><option>--port=</option></term>
+
+ <listitem><para>If private networking
+ is enabled, maps an IP port on the
+ host onto an IP port on the
+ container. Takes a protocol specifier
+ (either <literal>tcp</literal> or
+ <literal>udp</literal>), separated by
+ a colon from a host port number in the
+ range 1 to 65535, separated by a colon
+ from a container port number in the
+ range from 1 to 65535. The protocol
+ specifier and its separating colon may
+ be omitted, in which case
+ <literal>tcp</literal> is assumed.
+ The container port number and its
+ colon may be ommitted, in which case
+ the same port as the host port is
+ implied. This option is only supported
+ if private networking is used, such as
+ <option>--network-veth</option> or
+ <option>--network-bridge=</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-Z</option></term>
+ <term><option>--selinux-context=</option></term>
+
+ <listitem><para>Sets the SELinux
+ security context to be used to label
+ processes in the container.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-L</option></term>
+ <term><option>--selinux-apifs-context=</option></term>
+
+ <listitem><para>Sets the SELinux security
+ context to be used to label files in
+ the virtual API file systems in the
+ container.</para>
+ </listitem>
+ </varlistentry>
+