Revert "Revert "sysctl: Enable ping(8) inside rootless Podman containers""

This reverts commit be74f51605.

Let's add this again. With the new sysctl "-" thing we can make this
work.

NEWS

@@ -2,6 +2,15 @@ systemd System and Service Manager
 
 CHANGES WITH 243 in spe:
 
+        * This release enables unprivileged programs (i.e. requiring neither
+          setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
+          by turning on the net.ipv4.ping_group_range sysctl of the Linux
+          kernel for the whole UNIX group range, i.e. all processes. This
+          change should be reasonably safe, as the kernel support for it was
+          specifically implemented to allow safe access to ICMP Echo for
+          processes lacking any privileges. If this is not desirable, it can be
+          disabled again by setting the parameter to "1 0".
+
         * Previously, filters defined with SystemCallFilter= would have the
           effect that an calling an offending system call would terminate the
           calling thread. This behaviour never made much sense, since killing

sysctl.d/50-default.conf

@@ -30,6 +30,14 @@ net.ipv4.conf.all.accept_source_route = 0
 # Promote secondary addresses when the primary address is removed
 net.ipv4.conf.all.promote_secondaries = 1
 
+# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
+# The upper limit is set to 2^31-1. Values greater than that get rejected by
+# the kernel because of this definition in linux/include/net/ping.h:
+#   #define GID_T_MAX (((gid_t)~0U) >> 1)
+# That's not so bad because values between 2^31 and 2^32-1 are reserved on
+# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary
+net.ipv4.ping_group_range = 0 2147483647
+
 # Fair Queue CoDel packet scheduler to fight bufferbloat
 net.core.default_qdisc = fq_codel