DC/OS recently added a blanket setting of rp_filter=2 across all interfaces at startup. This was done to allow IP-per-container to IP-per-container traffic that has been DNAT'd. Specifically, this happens in DC/OS when an Agent tries to talk to a container that was launched on the new "dcos" docker network on another agent.
However, blanket setting of rp_filter opens the system up to IP spoofing of containers. Calico networking refuses to start when rp_filter=2 for this reason.
This bug is to request that rp_filter=2 only be set for the interfaces crucial for the described use case.