feature/conn25: install all the hooks

Install the previously uninstalled hooks for the filter and tstun
intercepts. Move the DNS manager hook installation into Init() with all
the others. Protect all implementations with a short-circuit if the node
is not configured to use Connectors 2025. The short-circuit pattern
replaces the previous pattern used in managing the DNS manager hook, of
setting it to nil in response to CapMap changes.

Fixes tailscale/corp#38716

Signed-off-by: Michael Ben-Ami <mzb@tailscale.com>

feature/conn25/datapath_test.go

@@ -112,7 +112,7 @@ func TestHandlePacketFromTunDevice(t *testing.T) {
 				}
 				return netip.Addr{}, nil
 			}
-			dph := newDatapathHandler(mock, nil)
+			dph := newDatapathHandler(mock, t.Logf)
 
 			tt.p.IPProto = ipproto.UDP
 			tt.p.IPVersion = 4
@@ -217,7 +217,7 @@ func TestHandlePacketFromWireGuard(t *testing.T) {
 				}
 				return netip.Addr{}, nil
 			}
-			dph := newDatapathHandler(mock, nil)
+			dph := newDatapathHandler(mock, t.Logf)
 
 			tt.p.IPProto = ipproto.UDP
 			tt.p.IPVersion = 4
@@ -254,7 +254,7 @@ func TestClientFlowCache(t *testing.T) {
 		getTransitIPCalled = true
 		return transitIP, nil
 	}
-	dph := newDatapathHandler(mock, nil)
+	dph := newDatapathHandler(mock, t.Logf)
 
 	outgoing := packet.Parsed{
 		IPProto:   ipproto.UDP,
@@ -316,7 +316,7 @@ func TestConnectorFlowCache(t *testing.T) {
 		getRealIPCalled = true
 		return realIP, nil
 	}
-	dph := newDatapathHandler(mock, nil)
+	dph := newDatapathHandler(mock, t.Logf)
 
 	outgoing := packet.Parsed{
 		IPProto:   ipproto.UDP,