From 5deed1cb86a8d0f9cf4523113f92ac8b1b25dca3 Mon Sep 17 00:00:00 2001
From: Parnell Springmeyer
Date: Thu, 30 Jun 2016 18:59:18 -0500
Subject: [PATCH] network-interfaces: use setcap-wrappers for ping and ping6 iff linux kernel is at-least 4.3

---
 nixos/modules/tasks/network-interfaces.nix | 23 ++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index c52bd904cae..588a328192d 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, utils, ... }:
+{ config, lib, pkgs, utils, stdenv, ... }:
 
 with lib;
 with utils;
@@ -889,7 +889,26 @@ in
 (i: flip map [ "4" "6" ] (v: nameValuePair "net.ipv${v}.conf.${i.name}.proxy_arp" true))
 ));
 
- security.setuidPrograms = [ "ping" "ping6" ];
+ # Capabilities won't work unless we have at-least a 4.3 Linux
+ # kernel because we need the ambient capability
+ security.setcapCapabilities = mkIf (versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3") (
+ [
+ { program = "ping";
+ setcap = true;
+ capabilities = "cap_net_raw+p";
+ }
+
+ { program = "ping6";
+ setcap = true;
+ capabilities = "cap_net_raw+p";
+ }
+ ]
+ );
+
+ # If our linux kernel IS older than 4.3, let's setuid ping and ping6
+ security.setuidPrograms = mkIf (versionOlder (getVersion config.boot.kernelPackages.kernel) "4.3") (
+ [ "ping" "ping6" ]
+ );
 
 # Set the host and domain names in the activation script. Don't
 # clear it if it's not configured in the NixOS configuration,
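Review bot: The kernel-version test `getVersion config.boot.kernelPackages.kernel` is written out twice with mirror-image predicates (`versionAtLeast` for setcapCapabilities, `versionOlder` for setuidPrograms); binding it once, `let useSetcap = versionAtLeast (getVersion config.boot.kernelPackages.kernel) "4.3"; in` and then `mkIf useSetcap` / `mkIf (!useSetcap)`, removes the duplication and makes it evident that exactly one of the two privilege mechanisms is active for a given kernel. The first hunk adds `stdenv` to the module's argument set, but neither hunk references it; NixOS modules normally reach the standard environment through `pkgs`, so the unused argument should be dropped rather than left as a trap for a later evaluation error. The comment above setcapCapabilities names the dependency but not the reason for the cutoff; something like `# Ambient capabilities, which the setcap wrapper relies on to hand cap_net_raw to ping, exist only since Linux 4.3` would tell the next reader why. The config attribute set these assignments belong to starts and ends outside the hunk.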