[ ] investigate alternatives to the hack that identifies proxy traffic via `tc_index`
[ ] sort out the security identities (for instance, compare to how the HostFW uses `MARK_MAGIC_HOST` to identify genuine host-level traffic vs SNAT by kube-proxy)
[ ] wireguard.h actively sniffs and drops some ICMPv6 autoconf related traffic here. Explore whether this can go away if we flick the right sysctl values on the interface (exploratory task).
The main encryption function for WireGuard has grown a lot of special cases. Once https://github.com/cilium/cilium/issues/31780 is resolved, we should have another look at simplifying the logic so that it's more maintainable.