From 85d936133206f7026aaa61bc968ebe01883747fe Mon Sep 17 00:00:00 2001 From: Paul Holzinger Date: Thu, 13 Jul 2023 13:21:13 +0200 Subject: [PATCH] network create: document --internal better When using --internal for macvlan/ipvlan networks we simply do not add a default gateway/route. Make this clear in the docs. Fixes #18914 Signed-off-by: Paul Holzinger --- docs/source/markdown/podman-network-create.1.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/source/markdown/podman-network-create.1.md b/docs/source/markdown/podman-network-create.1.md index 3a8728423a..a7a9f35708 100644 --- a/docs/source/markdown/podman-network-create.1.md +++ b/docs/source/markdown/podman-network-create.1.md @@ -62,7 +62,13 @@ For `macvlan` and `ipvlan`, it is the parent device on the host. It is the same #### **--internal** -Restrict external access of this network. Note when using this option, the dnsname plugin is automatically disabled. +Restrict external access of this network when using a `bridge` network. Note when using the CNI backend +DNS will be automatically disabled, see **--disable-dns**. + +When using the `macvlan` or `ipvlan` driver with this option no default route will be added to the container. +Because it bypasses the host network stack no additional restrictions can be set by podman and if a +privileged container is run it can set a default route themselves. If this is a concern then the +container connections should be blocked on your actual network gateway. #### **--ip-range**=*range*
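Review bot: In the new paragraph for the `macvlan`/`ipvlan` case, the sentence "if a privileged container is run it can set a default route themselves" mixes singular and plural; the subject is the container, so it should read "it can set a default route itself". The second added line also needs a comma to read cleanly: "Note when using the CNI backend, DNS will be automatically disabled, see **--disable-dns**." Both fixes keep the intended meaning, which is the important one for this option: with these drivers `--internal` only omits the default route, it is not a network-level restriction, so the final sentence pointing users to block the connections at the real gateway should stay.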