pub fn spawn_tcp_proxy(
    handle: &Handle,
    guest_dst: SocketAddr,
    connect_dst: SocketAddr,
    from_smoltcp: Receiver<Bytes>,
    to_smoltcp: Sender<Bytes>,
    shared: Arc<SharedState>,
    network_policy: Arc<NetworkPolicy>,
    upstream_connected: Arc<AtomicBool>,
)

Spawn a TCP proxy task for a newly established connection.

guest_dst is what the guest dialed — the address policy rules
match against. connect_dst is the host-side address tokio actually
dials; for host-alias connections it’s loopback (gateway rewritten).
For everything else the two are identical.

upstream_connected is flipped to true after the upstream
TcpStream::connect succeeds. The connection tracker reads this
on proxy exit to decide between FIN (clean close) and RST
(upstream never reached, e.g. connect failure or policy denial).
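
The following std-only sketch is an added example, not this crate's code. It models the two rules described above: policy is evaluated against guest_dst while only the dial uses connect_dst, and the flag alone decides FIN versus RST. AllowList, Close, run_proxy, close_kind and simulate are hypothetical names, the dial closure stands in for the upstream TcpStream::connect, and the addresses are constructed.

```rust
use std::io;
use std::net::SocketAddr;
use std::sync::atomic::{AtomicBool, Ordering};

/// Stand-in for the crate's NetworkPolicy (assumption): a plain allow-list.
pub struct AllowList(pub Vec<SocketAddr>);

#[derive(Debug, PartialEq)]
pub enum Close { Fin, Rst }

/// Hypothetical proxy body; `dial` stands in for the upstream connect.
pub fn run_proxy(
    guest_dst: SocketAddr,
    connect_dst: SocketAddr,
    policy: &AllowList,
    upstream_connected: &AtomicBool,
    dial: impl FnOnce(SocketAddr) -> io::Result<()>,
) {
    // Policy sees the address the guest dialed, never the rewritten one.
    if !policy.0.contains(&guest_dst) {
        return; // denied: the flag stays false
    }
    // Only the host-side dial uses connect_dst.
    if dial(connect_dst).is_ok() {
        upstream_connected.store(true, Ordering::Release);
    }
}

/// What a connection tracker would decide on proxy exit.
pub fn close_kind(upstream_connected: &AtomicBool) -> Close {
    if upstream_connected.load(Ordering::Acquire) { Close::Fin } else { Close::Rst }
}

/// Run one connection and report how the guest side gets closed.
pub fn simulate(guest: &str, connect: &str, allowed: &[&str], upstream_up: bool) -> Close {
    let policy = AllowList(allowed.iter().map(|a| a.parse().unwrap()).collect());
    let flag = AtomicBool::new(false);
    run_proxy(guest.parse().unwrap(), connect.parse().unwrap(), &policy, &flag, |_| {
        if upstream_up { Ok(()) } else { Err(io::ErrorKind::ConnectionRefused.into()) }
    });
    close_kind(&flag)
}

fn main() {
    // Constructed addresses: 192.0.2.1 plays the gateway (host alias).
    let allow = ["192.0.2.1:8080"];
    println!("{:?}", simulate("192.0.2.1:8080", "127.0.0.1:8080", &allow, true));
}
```

A rule written for the loopback address does not admit a host-alias connection here, because the lookup never sees connect_dst.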