From cdc24ab40989d45fab2779d9df243aba5f3cfe3c Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Mon, 11 Dec 2023 10:53:19 +0100
Subject: [PATCH] nixos/networking-interfaces: fix rootless ping

In 759ec111 the ping setuid wrapper was removed in favour of giving permissions to perform ICMP echo requests to all users. The problem is that the systemd file that was supposed to change the `net.ipv4.ping_group_range` sysctl is not always installed, specifically only if systemd.coredump.enable. In that case the range is "0 1", which is effectively restricts ping to only root. This change explicitely sets the range to "0 2^31-1", as systemd does.
---
 nixos/modules/tasks/network-interfaces.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index 298add13437a..53ffaa028038 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1396,6 +1396,8 @@ in
 "net.ipv4.conf.all.forwarding" = mkDefault (any (i: i.proxyARP) interfaces);
 "net.ipv6.conf.all.disable_ipv6" = mkDefault (!cfg.enableIPv6);
 "net.ipv6.conf.default.disable_ipv6" = mkDefault (!cfg.enableIPv6);
+ # allow all users to do ICMP echo requests (ping)
+ "net.ipv4.ping_group_range" = mkDefault "0 2147483647";
 # networkmanager falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr"
 "net.ipv6.conf.default.use_tempaddr" = tempaddrValues.${cfg.tempAddresses}.sysctl;
 } // listToAttrs (forEach interfaces
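Review bot: The comment added above the `net.ipv4.ping_group_range` line under-describes what is being granted: the value is a GID range, and any process whose group id falls inside it may open an unprivileged ICMP echo socket without CAP_NET_RAW or a setuid helper, for ICMPv6 echo as well as IPv4 despite the `ipv4` in the sysctl name. That is exactly the kind of system-wide capability a hardening profile needs to be able to locate and narrow, and because the assignment uses `mkDefault` an operator can override it, which the comment should state instead of leaving "allow all users" as the only hint. Suggested replacement for the comment: `# GID range allowed to open unprivileged ICMP echo sockets (IPv4 and IPv6); "0 2147483647" mirrors systemd's default and covers every group. mkDefault so a hardened profile can narrow or disable it.` The enclosing attribute set begins before the hunk and continues after it.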