Comment 3 for bug 1895547

Bartosz Woronicz (mastier1) wrote :

I encountered an issue where traffic from the pods CIDR overlay was hitting the firewall instead of being ipinip encapsulated in Calico. The firewall got an allowance for the underlay network on the worker nodes. The env has no L2 separation in VLANs. Just 3 baremetal nodes and VMs on them as masters, workers etc.

The machines got the following settings:

$ juju ssh -m kubernetes 3 sysctl net.ipv4.conf.eth0.rp_filter
net.ipv4.conf.eth0.rp_filter = 2
$ juju ssh -m kubernetes 3 sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 2
$ juju ssh -m kubernetes 3 sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 2

After setting ignore-loose-rpf=true the charm poked sysctl and set 'default.rp_filter' to 1 (Strict Mode) instead of 2 (Loose Mode).
$ juju ssh -m kubernetes 3 sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1

The others, all.rp_filter and eth0.rp_filter, remain set to 2.

But that fixed the issue for me.
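
Added example, not part of the comment above and not the charm's code: a POSIX shell helper that reports which reverse-path filter mode applies to each interface, using the kernel rule that source validation takes the higher of conf/all and conf/<iface>. The function names and the optional sysctl-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report the rp_filter value the kernel applies per interface.
# For source validation the kernel uses the higher of conf/all and
# conf/<iface>; conf/default is the template for interfaces created later.

# rpf_name VALUE -> human-readable mode
rpf_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rpf IFACE [SYSCTL_ROOT] -> value applied to IFACE
# SYSCTL_ROOT defaults to /proc/sys (parameter is hypothetical, for testing).
effective_rpf() {
    iface=$1
    root=${2:-/proc/sys}
    conf="$root/net/ipv4/conf"
    all=$(cat "$conf/all/rp_filter") || return 1
    own=$(cat "$conf/$iface/rp_filter") || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# rpf_report [SYSCTL_ROOT] -> one line per interface, plus the default template
rpf_report() {
    root=${1:-/proc/sys}
    for dir in "$root"/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        case "$iface" in
            all) continue ;;
            default)
                v=$(cat "$dir/rp_filter") || continue
                echo "default template=$v ($(rpf_name "$v"))" ;;
            *)
                v=$(effective_rpf "$iface" "$root") || continue
                echo "$iface effective=$v ($(rpf_name "$v"))" ;;
        esac
    done
}
# Usage on a node: source this file, then run: rpf_report
```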