Hi Noah

A script which shows the issue is (run as a non-root user):

$ sudo ip netns add temp &&
    sudo ip -netns temp link set lo up &&
    sudo ip netns exec temp su $USER -c "ping 127.0.0.1"
[sudo] password for <user>:
ping: socktype: SOCK_RAW
ping: socket: Operation not permitted
ping: => missing cap_net_raw+p capability or setuid?

You can call sysctl with a modified net.ipv4.ping_group_range range
within the namespace, but that requires that it occurs in every new
namespace, whereas the capability addition can be done once.

The example of how iproute2 handles optionally adding capabilities is at
https://salsa.debian.org/kernel-team/iproute2/-/blob/debian/sid/debian/iproute2.postinst.
I can port this over for ping and make a merge request on salsa if
that would help?

Regards
James

On Tue, 24 Feb 2026 at 02:21, Noah Meyerhans <[email protected]> wrote:
>
> Control: tags -1 + moreinfo
>
> On Sun, Feb 22, 2026 at 06:43:44PM +1100, James Tocknell wrote:
> > Due to the removal of cap_net_raw+p from ping, ping no longer works in
> > network namespaces (such as those created by ip netns). The presence or
> > absence of linux-sysctl-defaults does not change this. Can the removal of
> > the capability be reverted, a debconf setting be created to add the
> > capability (it seems that iproute2 does this for ip vrf) or a separate
> > package with the capability added be uploaded?
>
> ping is fully functional in non-default network namespaces without
> cap_net_raw+p and is used in such a configuration every day.
>
> You'll need to provide more information about exactly how you're
> configuring your namespaces and invoking ping, as well as exactly what
> the failure is, so we can understand better what's actually going wrong.
>
> noah
>
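
A diagnostic for the failure reported above, added here as an example and not part of the original thread: it checks whether any of the caller's groups falls inside net.ipv4.ping_group_range, which is what lets ping work without cap_net_raw. The function names are hypothetical, and the "1 0" value is the kernel's built-in default for a freshly created network namespace (an assumption about the setup shown, where nothing has changed the sysctl inside the namespace).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Without cap_net_raw, ping falls back to an ICMP datagram socket, which the
# kernel permits only if the caller's effective or supplementary GID lies in
# net.ipv4.ping_group_range of the *current* network namespace.

# ping_range_allows "<low> <high>" <gid>: exit 0 if low <= gid <= high
ping_range_allows() {
    gid=$2
    set -- $1                      # intentional word splitting on space/tab
    [ "$#" -eq 2 ] || return 2     # malformed range
    [ "$1" -le "$gid" ] && [ "$gid" -le "$2" ]
}

# ping_dgram_allowed "<low> <high>" <gid>...: exit 0 if any GID is in range
ping_dgram_allowed() {
    range=$1; shift
    for g in "$@"; do
        ping_range_allows "$range" "$g" && return 0
    done
    return 1
}

# ping_report [file]: evaluate the range visible in this namespace
ping_report() {
    f=${1:-/proc/sys/net/ipv4/ping_group_range}
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    range=$(cat "$f")
    if ping_dgram_allowed "$range" $(id -G); then
        echo "allowed: a GID of $(id -un) is inside ping_group_range ($range)"
    else
        echo "denied: no GID of $(id -un) is inside ping_group_range ($range);" \
             "ping needs cap_net_raw or a wider range in this namespace"
    fi
}

# Constructed sample values: "1 0" is an empty range (low > high), so every
# GID is rejected; "0 2147483647" admits every GID.
ping_dgram_allowed "1 0" 1000 || echo "range '1 0': gid 1000 denied"
ping_dgram_allowed "0 2147483647" 1000 && echo "range '0 2147483647': gid 1000 allowed"

# Report for the namespace this shell is running in.
ping_report || :
```

Sourced and run as the same unprivileged user inside the namespace (via ip netns exec temp su $USER), ping_report shows which range that namespace actually has, independent of what is set on the host.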
