Add Linux IPv4 DPI desync mode for FakeTLS

[wildlock]

Summary

• add opt-in dpi-desync mode for Linux IPv4 FakeTLS handshakes
• clamp the client TCP receive window during the handshake, inject an invalid-checksum TLS alert for DPI desync, and restore the window after FakeTLS succeeds
• expose the option in config and simple-run, document CAP_NET_RAW requirements, and keep PROXY protocol sockets compatible with post-handshake clamp restore

Why

Some DPI deployments appear to classify and block Telegram/FakeTLS connections by the TLS ClientHello JA4/JA4+ fingerprint before MTProto can start. This mode does not change the client fingerprint. Instead, it desynchronizes the DPI TCP view from the real endpoint: DPI can observe an early TLS alert, while the real client drops the injected packet and continues the normal FakeTLS handshake.

Notes

• disabled by default
• Linux IPv4 only
• requires root or CAP_NET_RAW because it opens raw packet sockets
• the pre-handshake TCP_WINDOW_CLAMP value is intentionally fixed at 256: in testing it was small enough for desync to work while still allowing Telegram media after the post-handshake window restore

Test plan

• git diff --check
• gofumpt -l --extra ...
• go test ./...
• go test -race ./internal/desync ./internal/proxyprotocol ./internal/config ./internal/cli ./mtglib
• golangci-lint run ./...