proto: Add a new channel -> circuit queue type
This adds new a CircuitRxSender/CircuitRxReceiver queue type.
The corresponding Sink/Stream implementations prioritize the
delivery of DESTROY messages, which get delivered immediately, even if
there are other messages queued in the underlying MPSC message queue.
We are okay with the resulting data loss, because inbound DESTROY can be
indicative of malicious activity on the circuit. We choose to err on the
safe side, and free up the resources associated with such circuits as
soon as possible. DESTROY messages are also sent by relays when they're
about to hibernate, and by clients once they've decided to stop using a
circuit. In the latter case, the lack of an RELAY_COMMAND_END_ACK
does mean that this prioritization can cause data loss in cases where
the client closes the circuit immediately after END-ing a stream.
However, this is a deficiency in the protocol, and not something we want
to fix by implementing custom flushing logic in the reactor. See
torspec#196 and the discussion in #2490.
Note that changing this type affects the client implementation too (i.e. clients will start prioritizing inbound DESTROY, discarding any queued data without forwarding it to their local streams). But that's okay, because it will generally only affect misbehaving clients, and clients unlucky enough to encounter a hibernating relay.
Part of #2490