Why does the system report "permission denied on key" when setting the kernel parameter "net.ipv4.conf.all.mc_forwarding"?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux

Issue

  • Why does the system report "permission denied on key" when setting the kernel parameter net.ipv4.conf.all.mc_forwarding or net.ipv6.conf.all.mc_forwarding?
# sysctl -w net.ipv4.conf.all.mc_forwarding=1
error: "Permission denied" setting key "net.ipv4.conf.all.mc_forwarding"

# echo 1 > /proc/sys/net/ipv4/conf/all/mc_forwarding
bash: /proc/sys/net/ipv4/conf/all/mc_forwarding: Permission denied
  • Setting net.ipv4.conf.all.mc_forwarding to zero is failing with the following message:
-- Unit systemd-sysctl.service has begun starting up.
Aug 19 16:30:56 fl1-tst-x.y.z  systemd-sysctl[3603]: Failed to write '0' to '/proc/sys/net/ipv4/conf/all/mc_forwarding': Permission denied
Aug 19 16:30:56 fl1-tst-x.y.z  systemd[1]: systemd-sysctl.service: main process exited, code=exited, status=1/FAILURE
Aug 19 16:30:56 fl1-tst-x.y.z systemd[1]: Failed to start Apply Kernel Variables.
-- Subject: Unit systemd-sysctl.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit systemd-sysctl.service has failed.
-- 
-- The result is failed.
Aug 19 16:30:56 fl1-tst-x.y.z systemd[1]: Unit systemd-sysctl.service entered failed state.

Resolution

  • The kernel parameters net.ipv4.conf.all.mc_forwarding and net.ipv6.conf.all.mc_forwarding indicate whether multicast routing is enabled and are not supposed to be changed via the sysctl interface.

  • There is no need to enable multicast routing manually. It is enabled programmatically through the 'setsockopt()' interface and is used by multicast routing daemons whenever it is required.

  • The 'mc_forwarding' values under '/proc/sys/net/' are apparently read-only, provided for reference, and indicate whether the kernel is actively performing multicast routing (i.e. whether there are any multicast routes in the system routing table), so it is not a setting; it is an indicator.
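
Because these keys cannot be written, any sysctl configuration line that assigns them makes systemd-sysctl fail as in the log above. The script below is an added example, not part of the original article: it lists such lines so they can be removed. The function names and the sample drop-in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find sysctl configuration lines that assign mc_forwarding.

# Matches "net.ipv4.conf.<if>.mc_forwarding =" and the IPv6 key, in dotted or
# slash form; a leading "-" (ignore-errors prefix) is accepted. Lines starting
# with "#" or ";" are comments and do not match.
MC_RE='^[[:space:]]*-?net[./]ipv[46][./]conf[./][^=[:space:]]+[./]mc_forwarding[[:space:]]*='

# scan_file FILE: print "file:line:text" for each match; status 0 if any.
scan_file() {
    [ -f "$1" ] || return 1
    grep -EnH -- "$MC_RE" "$1"
}

# find_mc_forwarding PATH...: scan files, and *.conf files directly inside
# directories. Returns 0 if at least one assignment was found, 1 otherwise.
find_mc_forwarding() {
    rc=1
    for path in "$@"; do
        if [ -d "$path" ]; then
            for f in "$path"/*.conf; do
                scan_file "$f" && rc=0
            done
        else
            scan_file "$path" && rc=0
        fi
    done
    return "$rc"
}

# Constructed sample drop-in (not taken from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'net.ipv4.ip_forward = 0' \
        'net.ipv4.conf.all.mc_forwarding = 0' \
        'net/ipv6/conf/all/mc_forwarding=0' \
        '# net.ipv4.conf.default.mc_forwarding = 0' > "$d/99-hardening.conf"
    find_mc_forwarding "$d"; status=$?
    rm -rf "$d"
    return "$status"
}

demo
# On a real host: find_mc_forwarding /etc/sysctl.conf /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d
```

The demo prints the two active assignments from the constructed file and skips the commented-out one.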

Root Cause

  • Multicast routing is disabled by default and only a routing daemon can modify it. If a security guideline requires it to be turned off, the Red Hat kernel already does so.