Clarify that ipmasq rules are not added when iptables is false

Signed-off-by: Misty Stanley-Jones <misty@docker.com> (cherry picked from commit db3f06fd97) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-11-18 14:22:49 -08:00 · 2016-11-18 14:22:49 -08:00 · bff68bc605
commit bff68bc605
parent 09b09c34b3
1 changed files with 8 additions and 4 deletions
--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@ -1271,9 +1271,13 @@ set this parameter separately for each daemon.
 pid file here.
 - `--host=[]` specifies where the Docker daemon will listen for client connections. If unspecified, it defaults to `/var/run/docker.sock`.
 -  `--iptables=false` prevents the Docker daemon from adding iptables rules. If
-  multiple daemons manage iptables rules, they may overwrite rules set by
-  another daemon. Be aware that disabling this option requires you to manually
-  add iptables rules to expose container ports.
+multiple daemons manage iptables rules, they may overwrite rules set by another
+daemon. Be aware that disabling this option requires you to manually add
+iptables rules to expose container ports. If you prevent Docker from adding
+iptables rules, Docker will also not add IP masquerading rules, even if you set
+`--ip-masq` to `true`. Without IP masquerading rules, Docker containers will not be
+able to connect to external hosts or the internet when using network other than
+default bridge.
 - `--config-file=/etc/docker/daemon.json` is the path where configuration file is stored. You can use it instead of
 daemon flags. Specify the path for each daemon.
 - `--tls*` Docker daemon supports `--tlsverify` mode that enforces encrypted and authenticated remote connections.