feature/conn25: add NATing support with flow caching

Introduce a datapathHandler that implements hooks that will
receive packets from the tstun.Wrapper. This commit does not wire
those up just yet.

Perform DNAT from Magic IP to Transit IP on outbound flows on clients,
and reverse SNAT in the reverse direction.

Perform DNAT from Transit IP to final destination IP on outbound flows
on connectors, and reverse SNAT in the reverse direction.

Introduce FlowTable to cache validated flows by 5-tuple for fast lookups
after the first packet.

Flow expiration is not covered, and is intended as future work before
the feature is officially released.

Fixes tailscale/corp#34249
Fixes tailscale/corp#35995

Co-authored-by: Fran Bull <fran@tailscale.com>
Signed-off-by: Michael Ben-Ami <mzb@tailscale.com>

cmd/tailscaled/depaware.txt

@@ -362,7 +362,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/netutil                                    from tailscale.com/client/local+
         tailscale.com/net/netx                                       from tailscale.com/control/controlclient+
         tailscale.com/net/packet                                     from tailscale.com/feature/capture+
-        tailscale.com/net/packet/checksum                            from tailscale.com/net/tstun
+        tailscale.com/net/packet/checksum                            from tailscale.com/net/tstun+
         tailscale.com/net/ping                                       from tailscale.com/net/netcheck+
         tailscale.com/net/portmapper                                 from tailscale.com/feature/portmapper+
         tailscale.com/net/portmapper/portmappertype                  from tailscale.com/feature/portmapper+