MT#55283 kernel-module: clear skb->mark before forwarding to fix Cilium routing

Change-Id: Ibac5e897ed79d483ae4e8c4c3417fdd78a35f591
(cherry picked from commit 6b02c024b1)
(cherry picked from commit 6dd2fab79b)

kernel-module/nft_rtpengine.c

@@ -5006,6 +5006,12 @@ static int send_proxy_packet4(struct sk_buff *skb, const struct re_address *src,
 	};
 
 	skb->protocol = htons(ETH_P_IP);
+	/* Clear any mark inherited from the received packet.  On Cilium/GKE
+	 * DPv2 nodes, ingress BPF stamps identity/decrypt marks on incoming
+	 * skbs; leaving them in place can match an ip rule (e.g.
+	 * "fwmark 0x200/0xf00 → table 2004") and send forwarded packets into
+	 * a Cilium-internal routing table that has no default gateway. */
+	skb->mark = 0;
 
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(6,10,0)) || \
 		(defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE >= KERNEL_VERSION(5,14,0) && \
@@ -5093,6 +5099,9 @@ static int send_proxy_packet6(struct sk_buff *skb, const struct re_address *src,
 	memcpy(&ih->daddr, dst->u.ipv6, sizeof(ih->daddr));
 
 	skb->protocol = htons(ETH_P_IPV6);
+	/* Same reasoning as send_proxy_packet4: clear inherited Cilium ingress
+	 * marks to avoid misrouting via Cilium-internal tables. */
+	skb->mark = 0;
 
 	memset(&fl6, 0, sizeof(fl6));
 	memcpy(&fl6.saddr, src->u.ipv6, sizeof(fl6.saddr));