Add --random-fully to SNAT iptables rules #13037

Description

@brb

As described in [1], some of Cilium's SNAT/MASQUERADE iptables rules could benefit from `--random-fully` (TL;DR: two concurrent requests sent from two different netns to the same outside destination might race for the same tuple, resulting in one request being dropped by netfilter).

Before adding the param to the rules, we should:

  1. Check whether the 4.9 kernel (min required version by Cilium) supports the param (i.e. whether [2] is included in 4.9). If not, then probing should be implemented.
  2. Identify which rules should be patched (i.e. those which might handle traffic from non-host netns).

[1]: https://tech.xing.com/a-reason-for-unexplained-connection-timeouts-on-kubernetes-docker-abd041cf7e02
[2]: http://patchwork.ozlabs.org/patch/304306/
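The following is an added example, not code from Cilium or from this issue, showing how the two steps above could be approached: a runtime probe that tries to install a MASQUERADE rule with `--random-fully` in a scratch nat chain (so the result does not depend on guessing what the kernel was built with), a kernel-release comparison helper whose threshold is left as a parameter until step 1 is answered, and a helper that emits the POSTROUTING rule with the flag appended only when the probe succeeded. The scratch chain name, the `probe`/`rule` subcommands and the `10.0.0.0/8` pod CIDR are constructed for this example. The probe needs root and a host with `iptables`; it returns 2 when it cannot decide.

```shell
#!/bin/sh
# Probe whether the running iptables/kernel pair accepts `-j MASQUERADE --random-fully`.
# Exit status: 0 = accepted, 1 = rejected by iptables/kernel, 2 = cannot probe.
probe_random_fully() {
    chain="RANDOM_FULLY_PROBE_$$"            # hypothetical scratch chain, removed again below
    command -v iptables >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    iptables -w -t nat -N "$chain" 2>/dev/null || return 2
    if iptables -w -t nat -A "$chain" -j MASQUERADE --random-fully 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    # Clean up the scratch chain whatever the outcome.
    iptables -w -t nat -F "$chain" 2>/dev/null
    iptables -w -t nat -X "$chain" 2>/dev/null
    return "$rc"
}

# Pure string comparison: is kernel release $1 (e.g. "4.9.0-12-amd64") at least $2.$3?
# The threshold is a parameter on purpose: step 1 of the issue decides which release
# first carried patch [2], and that value is not asserted here.
kernel_at_least() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}                  # drop "-rc1" style suffixes
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# Emit the POSTROUTING SNAT rule for pod traffic leaving the cluster.
# $1 is the probe result: 0 appends --random-fully, anything else leaves it out.
masquerade_rule() {
    rule="-t nat -A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE"  # constructed pod CIDR
    if [ "$1" -eq 0 ]; then
        rule="$rule --random-fully"
    fi
    printf '%s\n' "$rule"
}

# Usage (as root): sh probe.sh probe   -> prints SUPPORTED / REJECTED / UNKNOWN
#                  sh probe.sh rule    -> prints the rule that matches the probe result
case "${1:-}" in
    probe)
        probe_random_fully; rc=$?
        case "$rc" in 0) echo SUPPORTED ;; 1) echo REJECTED ;; *) echo UNKNOWN ;; esac
        ;;
    rule)
        probe_random_fully; rc=$?
        masquerade_rule "$rc"
        ;;
esac
```

Because the probe writes to a throwaway chain and removes it, it is safe to run on a live node before the real rules are installed; a result of 2 should be treated as "do not add the flag" rather than as support, since silently emitting a rule the kernel rejects would leave pod traffic without SNAT.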


Labels: area/daemon (Impacts operation of the Cilium daemon), help-wanted (Please volunteer for this by adding yourself as an assignee!), kind/enhancement (This would improve or streamline existing functionality.)
