We're updating the issue view to help you get more done. 

Dial back rp_filter=2 from all interfaces to only necessary ones


DC/OS recently added a blanket setting of rp_filter=2 across all interfaces at startup. This was done to allow IP-per-container to IP-per-container traffic that has been DNAT'd. Specifically, this happens in DC/OS when an Agent tries to talk to a container that was launched on the new "dcos" docker network on another agent.

However, blanket setting of rp_filter opens the system up to IP spoofing of containers. Calico networking refuses to start when rp_filter=2 for this reason.

This bug is to request that rp_filter=2 only be set for the interfaces crucial for the described use case.

See: https://github.com/dcos/dcos/pull/454



Sargun Dhillon