Connections denied by policy should be reset

[elevran]

Current policy denies are closed normally and may result in weird client behavior (e.g., failed TLS). It may be better to cause reset to connection (which could end up as "connection reset by peer" type error messages) in addition to the logging in the policy engine/ClusterLink. It may be doable by setting the SO_LINGER option to 0

Unclear if we can cause the same behavior in Envoy.