Checks for conflicting packet mark bits to validate interoperability #17109
Closed
opened on Aug 9, 2021
Cilium uses a set of bits in the skb mark field to store metadata. However, these bits can conflict with other systems filtering packets based on selective bits (e.g., Kubernetes). Conflicts can lead to packet drops, but these drops can be indeterministic based on whether the bits set by Cilium overlap with the bits used for filtering packets.
We should add preliminary checks to warn users about such scenarios. These checks can be part of the agent bootstrap (the agent already iterates over some of the Cilium-specific rules), or they can be added to a conformance test that validates the underlying system state when Cilium is being installed.
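A sketch of the kind of preliminary check proposed above, as an added example that is not Cilium's code: it scans `iptables-save` style rules outside `CILIUM_*` chains and reports any that read or write skb mark bits overlapping a reserved mask. The mask value `0x0F00`, the names `FindConflicts` and `reservedMask`, and the sample rules are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)
// reservedMask is an assumed value for illustration, not taken from the issue.
const reservedMask uint32 = 0x0F00
// sampleRules is constructed iptables-save style input, not from a real node.
const sampleRules = `-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
-A CUSTOM-QOS -m mark --mark 0x200/0x300 -j ACCEPT
-A CILIUM_FORWARD -m mark --mark 0xa00/0xe00 -j ACCEPT
-A CUSTOM-PRE -j MARK --set-xmark 0x100/0x100
-A CUSTOM-PRE -m mark ! --mark 0x1 -j RETURN
-A CUSTOM-PRE -m connmark --mark 0x400/0x400 -j RETURN`
// markRe matches skb mark reads (-m mark) and writes (-j MARK), not connmark.
var markRe = regexp.MustCompile(`(-m mark (! )?--mark|-j MARK --set-x?mark) (0x[0-9a-f]+)(/(0x[0-9a-f]+))?`)
// FindConflicts maps each rule outside CILIUM_* chains to the reserved bits it touches.
func FindConflicts(rules string, reserved uint32) map[string]uint32 {
	out := map[string]uint32{}
	for _, line := range strings.Split(rules, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "-A" || strings.Contains(f[1], "CILIUM_") {
			continue
		}
		for _, m := range markRe.FindAllStringSubmatch(line, -1) {
			val, _ := strconv.ParseUint(m[3], 0, 32) // regexp guarantees hex syntax
			mask := uint64(0xFFFFFFFF)               // no mask: the whole mark is compared or rewritten
			if m[5] != "" {
				mask, _ = strconv.ParseUint(m[5], 0, 32)
			}
			bits := uint32(mask) // a match reads only the masked bits
			if strings.HasPrefix(m[0], "-j") {
				bits |= uint32(val) // MARK writes the mask bits and the value bits
			}
			if bits&reserved != 0 {
				out[line] |= bits & reserved
			}
		}
	}
	return out
}

func main() {
	for rule, bits := range FindConflicts(sampleRules, reservedMask) {
		fmt.Printf("overlap %#x: %s\n", bits, rule)
	}
}
```

The unmasked `--mark 0x1` match is reported because it compares the whole 32-bit mark, so any reserved bit set on the packet changes whether the rule matches.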