Does Docker's CAP_NET_ADMIN allow a container to affect the host network, or only it's own?

security docker permissions

That depends on whether you set --net=host or not:

Or as the man page puts it:

--net="bridge" Set the Network mode for the container 'bridge': create a network stack on the default Docker bridge 'none': no networking 'container:': reuse another container's network stack 'host': use the Docker host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.

Related

How to limit number of connections per IP on Nginx?
Routing LAN traffic from Edgerouter to wg0
2nd Exchange Server 2013
Is there something like a map function in puppet?
Ubuntu 18.04 - Temporary failure resolving 'us-east-1.ec2.archive.ubuntu.com'
Wouldn't setting the DNS server to 127.0.0.1 prevent my system from actually resolving remote hosts? I found this answer
Twilight Zelda Guardian Puzzle : Shortest Path (UPDATE: ADDED RULES)
Exotic maps $S_5\to S_6$
group of units in a topological ring
Euler characteristic of covering space of CW complex
Does this tricky series converge?
Geometric interpretation of different types of field extensions?