Revision 3a93b00269b1fb762b2c9f98ab67a6ed3a333dda authored by Gray Liang on 23 October 2023, 03:13:25 UTC, committed by Julian Wiedmann on 01 December 2023, 16:20:14 UTC
Previously we set skb->mark in from_host@cilium_host, expecting the mark
to remain unchanged after the kernel transmits the skb from cilium_host to
cilium_net. The skb->mark is, for instance, used to transport
IPsec-related information.

However, as of 2023-10-19, kernel 5.10 is still missing the backport patch [1]
to fix a bug in skb_scrub_packet() which clears skb->mark for veth_xmit even if the
veth pair is under the same netns:
https://elixir.bootlin.com/linux/v5.10.198/source/include/linux/netdevice.h#L3975

To avoid hitting this issue, this patch sets metadata in skb->cb to
survive skb_scrub_packet(), then to_host@cilium_net can retrieve this
info and set the proper mark.

Only from_host bpf is setting cb, while from_lxc bpf is still using mark.

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff70202b2d1a ("dev_forward_skb: do not scrub skb mark within the same name space")

Signed-off-by: Zhichuan Liang <gray.liang@isovalent.com>
1 parent e78ff16
File Mode Size
cmd
.gitignore -rw-r--r-- 13 bytes
Makefile -rw-r--r-- 803 bytes
main.go -rw-r--r-- 226 bytes
