hotfix(pmtud/tcp): block kernel from racing to send RST packets

- this makes PMTUD TCP reliable
- this only works on kernels with the mark module
- on kernels without the mark module, the icmp pmtud mtu found is used

internal/pmtud/tcp/interfaces.go

@@ -1,5 +1,15 @@
 package tcp
 
+import (
+	"context"
+	"net/netip"
+)
+
+type Firewall interface {
+	TempDropOutputTCPRST(ctx context.Context, addrPort netip.AddrPort,
+		excludeMark int) (revert func(ctx context.Context) error, err error)
+}
+
 type Logger interface {
 	Debug(msg string)
 	Debugf(msg string, args ...any)