Does Docker's CAP_NET_ADMIN allow a container to affect the host network, or only it's own?
That depends on whether you set --net=host
or not:
Or as the man page puts it:
--net="bridge" Set the Network mode for the container 'bridge': create a network stack on the default Docker bridge 'none': no networking 'container:': reuse another container's network stack 'host': use the Docker host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.