Investigate bpf_fib_lookup + bpf_redirect to replace egress gateway IP rules/routes #23504

@jibi

When the egress IP is assigned to a different interface than the one with the default route, we'll have to install additional IP rules and routes to steer the traffic to the correct interface.

That's because the network stack routes packets before the TC egress hook (i.e. where BPF SNAT happens), which means we can't match traffic on the egress IP. We instead need to explicitly match each combination of source (endpoint) IPs and destination CIDRs.

@pchaigno suggested we might want to look into switching to bpf_fib_lookup + bpf_redirect after the packet has been SNATed with the egress IP, as that would allow us to match the source/egress IP without the need for all the special IP rules/routes.
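
The difference between the two approaches, as an added example that is not part of the original issue and not Cilium code: a userspace C model of a policy-routing lookup, comparing the per-(endpoint, destination CIDR) rules needed when routing runs before SNAT with the single source match that a lookup after SNAT allows. It does not call the real BPF helpers; all addresses, interface indexes and function names are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MASK(len) ((len) ? ~(uint32_t)0 << (32 - (len)) : (uint32_t)0)
#define EGRESS_IP IP(192, 0, 2, 10)      /* constructed egress IP */
enum { IF_DEFAULT = 2, IF_EGRESS = 3 };  /* constructed ifindexes */

/* One policy-routing entry: source prefix + destination prefix -> output interface. */
struct rule { uint32_t src, src_mask, dst, dst_mask; int ifindex; };

/* Toy FIB lookup: first matching rule wins, otherwise the default route. */
static int fib_lookup(const struct rule *r, size_t n, uint32_t src, uint32_t dst)
{
    for (size_t i = 0; i < n; i++)
        if ((src & r[i].src_mask) == r[i].src && (dst & r[i].dst_mask) == r[i].dst)
            return r[i].ifindex;
    return IF_DEFAULT;
}

/* Routing before SNAT sees the endpoint IP: one rule per (endpoint, CIDR) pair. */
static const struct rule pre_snat[] = {
    { IP(10, 0, 1, 5), MASK(32), IP(198, 51, 100, 0), MASK(24), IF_EGRESS },
    { IP(10, 0, 1, 5), MASK(32), IP(203, 0, 113, 0),  MASK(24), IF_EGRESS },
    { IP(10, 0, 1, 6), MASK(32), IP(198, 51, 100, 0), MASK(24), IF_EGRESS },
    { IP(10, 0, 1, 6), MASK(32), IP(203, 0, 113, 0),  MASK(24), IF_EGRESS },
};

/* A lookup after SNAT sees the egress IP as source: one rule covers every pair. */
static const struct rule post_snat[] = {
    { EGRESS_IP, MASK(32), 0, MASK(0), IF_EGRESS },
};

int route_before_snat(uint32_t endpoint, uint32_t dst)
{
    return fib_lookup(pre_snat, sizeof(pre_snat) / sizeof(pre_snat[0]), endpoint, dst);
}

int route_after_snat(uint32_t dst)  /* source already rewritten to EGRESS_IP */
{
    return fib_lookup(post_snat, sizeof(post_snat) / sizeof(post_snat[0]), EGRESS_IP, dst);
}

int main(void)
{
    uint32_t dst = IP(198, 51, 100, 7), known = IP(10, 0, 1, 5), added = IP(10, 0, 1, 7);
    printf("before SNAT, endpoint with rules:    if%d\n", route_before_snat(known, dst));
    printf("before SNAT, endpoint without rules: if%d\n", route_before_snat(added, dst));
    printf("after SNAT, any endpoint:            if%d\n", route_after_snat(dst));
    return 0;
}
```

In this model an endpoint whose rules have not been installed yet falls through to the default-route interface, while the post-SNAT lookup is independent of the endpoint set.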

Labels

- area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
- feature/egress-gateway: Impacts the egress IP gateway feature.
- kind/enhancement: This would improve or streamline existing functionality.
- pinned: These issues are not marked stale by our issue bot.
