Merge pull request #328164 from truh/docs/oci-containers-firewall-bypass

nixos/oci-containers: document firewall bypass
2024-11-22 23:13:19 +00:00 · 2024-08-04 16:35:23 +08:00 · 2024-08-04 16:35:23 +08:00 · e38e6a4490
commit e38e6a4490
parent 6da745203e c5c92feff7
1 changed files with 6 additions and 1 deletions
--- a/nixos/modules/virtualisation/oci-containers.nix
+++ b/nixos/modules/virtualisation/oci-containers.nix
@ -148,12 +148,17 @@ let
            somewhere within the specified `hostPort` range.
            Example: `1234-1236:1234/tcp`

+            Publishing a port bypasses the NixOS firewall. If the port is not
+            supposed to be shared on the network, make sure to publish the
+            port to localhost.
+            Example: `127.0.0.1:1234:1234`
+
            Refer to the
            [Docker engine documentation](https://docs.docker.com/engine/reference/run/#expose-incoming-ports) for full details.
          '';
          example = literalExpression ''
            [
-              "8080:9000"
+              "127.0.0.1:8080:9000"
            ]
          '';
        };