wgengine/netstack: fix bug with duplicate SYN packets in client limit

This fixes a bug that was introduced in #11258 where the handling of the
per-client limit didn't properly account for the fact that the gVisor
TCP forwarder will return 'true' to indicate that it's handled a
duplicate SYN packet, but not launch the handler goroutine.

In such a case, we neither decremented our per-client limit in the
wrapper function, nor did we do so in the handler function, leading to
our per-client limit table slowly filling up without bound.

Fix this by doing the same duplicate-tracking logic that the TCP
forwarder does so we can detect such cases and appropriately decrement
our in-flight counter.

Updates tailscale/corp#12184

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Ib6011a71d382a10d68c0802593f34b8153d06892

wgengine/netstack/netstack_test.go

@@ -580,6 +580,13 @@ func TestTCPForwardLimits(t *testing.T) {
 		t.Logf("got connection in progress")
 	}
 
+	// Inject another packet, which will be deduplicated and thus not
+	// increment our counter.
+	parsed.Decode(pkt)
+	if resp := impl.injectInbound(&parsed, impl.tundev); resp != filter.DropSilently {
+		t.Errorf("got filter outcome %v, want filter.DropSilently", resp)
+	}
+
 	// Verify that we now have a single in-flight address in our map.
 	impl.mu.Lock()
 	inFlight := maps.Clone(impl.connsInFlightByClient)
@@ -633,8 +640,11 @@ func TestTCPForwardLimits_PerClient(t *testing.T) {
 	destAddr := netip.MustParseAddr("192.0.2.1")
 
 	// Helpers
+	var port uint16 = 1234
 	mustInjectPacket := func() {
-		pkt := tcp4syn(t, client, destAddr, 1234, 4567)
+		pkt := tcp4syn(t, client, destAddr, port, 4567)
+		port++ // to avoid deduplication based on endpoint
+
 		var parsed packet.Parsed
 		parsed.Decode(pkt)