From 0d6792fcfda4bc9121e558f154de5d76985f51da Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Mon, 22 Jan 2024 00:47:53 +0800
Subject: [PATCH] nixos/clash: restrict tunMode further works for me(tm)
---
 nixos/modules/services/clash.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/clash.nix b/nixos/modules/services/clash.nix
index a9662eb..0024157 100644
--- a/nixos/modules/services/clash.nix
+++ b/nixos/modules/services/clash.nix
@@ -95,8 +95,8 @@ in {
 UMask = "0077";
 } // lib.optionalAttrs cfg.tunMode {
- AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
- CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
+ AmbientCapabilities = "CAP_NET_ADMIN";
+ CapabilityBoundingSet = "CAP_NET_ADMIN";
 PrivateDevices = false;
 PrivateUsers = false;
 RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";
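Review bot: The two changed lines in the `cfg.tunMode` block drop CAP_NET_RAW without a comment recording why CAP_NET_ADMIN alone is sufficient, and the only evidence in the commit message is one local test. Tightening is the right direction, and AF_PACKET sockets were already blocked by the `RestrictAddressFamilies` context line, but binding outbound sockets to an interface (SO_BINDTODEVICE) may still need CAP_NET_RAW on kernels older than 5.7, so that failure mode should be written down for whoever hits it. I would add above `AmbientCapabilities` something like `# CAP_NET_ADMIN: create and configure the TUN device and routes. CAP_NET_RAW is intentionally omitted; re-add it only if interface binding fails on an old kernel.` The attribute set starts before and continues past the hunk, so its other hardening options are not visible here.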