feat(network): BPF ingress/egress filtering

[Zenithar]

What does this PR do?

• Adds new functionality
• Alters existing functionality

Replaces the legacy iptables/u32-based network disruption packet filtering with a full eBPF (TC classifier) implementation for both ingress and egress traffic paths.

Key changes

• New bpfdisrupt package — Engine that manages the BPF data plane: clsact qdisc lifecycle, IFB device for ingress redirect, BPF program attachment (TC egress classifier + ingress DirectAction), and LPM trie map population for target CIDR matching.
• New eBPF C program (ebpf/network-disruption/disruption.bpf.c) — TC classifier that matches packets against an LPM trie of disruption rules (CIDR + port + protocol), supporting both IPv4 and IPv6.
• BPF map config tool (ebpf/network-disruption/main.go) — Userspace helper that pins and populates the LPM trie maps via libbpfgo.
• Refactored injector/network_disruption.go — Integrates the BPF engine, replacing iptables/u32 filter chains with BPF classifiers. Simplifies the overall tc qdisc/filter setup.
• New network/ abstractions — TrafficController and NetlinkAdapter interfaces for tc and netlink operations, with mocks for testability.
• Comprehensive tests — Unit tests for bpfdisrupt.Engine, network disruption helpers, and controller-level BPF network disruption integration tests.
• Updated docs — Revised network disruption documentation to reflect the BPF-based architecture.

Code Quality Checklist

• The documentation is up to date.
• My code is sufficiently commented and passes continuous integration checks.
• I have signed my commit (see Contributing Docs).

Testing

• I leveraged continuous integration testing
  • by adding new unit tests or end-to-end tests.
• I manually tested the following steps:
  • locally.
  • as a canary deployment to a cluster.