Revert "sysctl: Enable ping(8) inside rootless Podman containers"

This reverts commit 90ce7627df.

See https://github.com/systemd/systemd/issues/13177#issuecomment-514931461

NEWS

@@ -2,15 +2,6 @@ systemd System and Service Manager
 
 CHANGES WITH 243 in spe:
 
-        * This release enables unprivileged programs (i.e. requiring neither
-          setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
-          by turning on the net.ipv4.ping_group_range sysctl of the Linux
-          kernel for the whole UNIX group range, i.e. all processes. This
-          change should be reasonably safe, as the kernel support for it was
-          specifically implemented to allow safe access to ICMP Echo for
-          processes lacking any privileges. If this is not desirable, it can be
-          disabled again by setting the parameter to "1 0".
-
         * Previously, filters defined with SystemCallFilter= would have the
           effect that an calling an offending system call would terminate the
           calling thread. This behaviour never made much sense, since killing

sysctl.d/50-default.conf

@@ -30,14 +30,6 @@ net.ipv4.conf.all.accept_source_route = 0
 # Promote secondary addresses when the primary address is removed
 net.ipv4.conf.all.promote_secondaries = 1
 
-# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
-# The upper limit is set to 2^31-1. Values greater than that get rejected by
-# the kernel because of this definition in linux/include/net/ping.h:
-#   #define GID_T_MAX (((gid_t)~0U) >> 1)
-# That's not so bad because values between 2^31 and 2^32-1 are reserved on
-# systemd-based systems anyway: https://systemd.io/UIDS-GIDS.html#summary
-net.ipv4.ping_group_range = 0 2147483647
-
 # Fair Queue CoDel packet scheduler to fight bufferbloat
 net.core.default_qdisc = fq_codel