proto: Add a new channel -> circuit queue type

This adds a new CircuitRxSender/CircuitRxReceiver queue type.

The corresponding Sink/Stream implementations prioritize the delivery of DESTROY messages, which get delivered immediately, even if there are other messages queued in the underlying MPSC message queue.

We are okay with the resulting data loss, because inbound DESTROY can be indicative of malicious activity on the circuit. We choose to err on the safe side, and free up the resources associated with such circuits as soon as possible. DESTROY messages are also sent by relays when they're about to hibernate, and by clients once they've decided to stop using a circuit. In the latter case, the lack of a RELAY_COMMAND_END_ACK does mean that this prioritization can cause data loss in cases where the client closes the circuit immediately after END-ing a stream. However, this is a deficiency in the protocol, and not something we want to fix by implementing custom flushing logic in the reactor. See torspec#196 and the discussion in #2490.

Note that changing this type affects the client implementation too (i.e. clients will start prioritizing inbound DESTROY, discarding any queued data without forwarding it to their local streams). But that's okay, because it will generally only affect misbehaving clients, and clients unlucky enough to encounter a hibernating relay.

Part of #2490

Edited by gabi-250
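The following is an added illustration of the queue behaviour the merge request describes; it is not Arti's code and does not use the project's futures-based Sink/Stream traits. It uses std's MPSC channel plus a shared side slot: a DESTROY goes into the slot instead of the FIFO, the receiver always checks the slot before the FIFO, and once DESTROY has been handed out everything still queued is discarded and counted, so the data loss the text accepts is visible to the caller. The type and function names (`CircMsg`, `circuit_rx_channel`, `try_next`, `dropped`) and the message variants are assumptions made for this example.

```rust
use std::sync::mpsc::{self, Receiver, Sender, TryRecvError};
use std::sync::{Arc, Mutex};

/// Constructed stand-in for the cells that travel from a channel to a circuit.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum CircMsg {
    /// Ordinary relay data, delivered in FIFO order.
    Data(Vec<u8>),
    /// Circuit teardown (reason code); delivered ahead of anything still queued.
    Destroy(u8),
}

/// State shared between the sender and receiver halves (hypothetical layout).
struct Shared {
    /// A DESTROY waiting to jump the queue; only the first one is kept.
    pending_destroy: Option<CircMsg>,
    /// Set once DESTROY has been handed out; the queue is dead after that.
    closed: bool,
    /// Number of queued messages discarded when DESTROY was delivered.
    dropped: usize,
}

pub struct CircuitRxSender {
    tx: Sender<CircMsg>,
    shared: Arc<Mutex<Shared>>,
}

pub struct CircuitRxReceiver {
    rx: Receiver<CircMsg>,
    shared: Arc<Mutex<Shared>>,
}

/// Create a connected sender/receiver pair (constructor name is an assumption).
pub fn circuit_rx_channel() -> (CircuitRxSender, CircuitRxReceiver) {
    let (tx, rx) = mpsc::channel();
    let shared = Arc::new(Mutex::new(Shared {
        pending_destroy: None,
        closed: false,
        dropped: 0,
    }));
    (
        CircuitRxSender { tx, shared: Arc::clone(&shared) },
        CircuitRxReceiver { rx, shared },
    )
}

impl CircuitRxSender {
    /// Queue a message. Hands the message back if the circuit is already torn down.
    pub fn send(&self, msg: CircMsg) -> Result<(), CircMsg> {
        let mut s = self.shared.lock().unwrap();
        if s.closed {
            return Err(msg);
        }
        match msg {
            // DESTROY bypasses the MPSC queue entirely and takes the priority slot.
            CircMsg::Destroy(_) => {
                if s.pending_destroy.is_none() {
                    s.pending_destroy = Some(msg);
                }
                Ok(())
            }
            // Everything else follows the normal FIFO path.
            other => self.tx.send(other).map_err(|e| e.0),
        }
    }
}

impl CircuitRxReceiver {
    /// Non-blocking receive. A pending DESTROY is returned before any queued
    /// data, and whatever is still queued is discarded at that point.
    pub fn try_next(&self) -> Option<CircMsg> {
        let mut s = self.shared.lock().unwrap();
        if s.closed {
            return None;
        }
        if let Some(destroy) = s.pending_destroy.take() {
            s.closed = true;
            // Accept the data loss: drain and count the queue so it is not forwarded.
            while self.rx.try_recv().is_ok() {
                s.dropped += 1;
            }
            return Some(destroy);
        }
        drop(s); // release the lock before polling the FIFO
        match self.rx.try_recv() {
            Ok(m) => Some(m),
            Err(TryRecvError::Empty) | Err(TryRecvError::Disconnected) => None,
        }
    }

    /// How many queued messages were thrown away when DESTROY was delivered.
    pub fn dropped(&self) -> usize {
        self.shared.lock().unwrap().dropped
    }
}

/// Scenario: two data cells are queued, then a DESTROY arrives behind them.
/// Returns the messages the receiver hands out (in order) and the drop count.
pub fn drain_after_destroy() -> (Vec<CircMsg>, usize) {
    let (tx, rx) = circuit_rx_channel();
    tx.send(CircMsg::Data(b"stream payload 1".to_vec())).unwrap();
    tx.send(CircMsg::Data(b"stream payload 2".to_vec())).unwrap();
    tx.send(CircMsg::Destroy(0)).unwrap();
    let mut out = Vec::new();
    while let Some(m) = rx.try_next() {
        out.push(m);
    }
    (out, rx.dropped())
}

fn main() {
    let (out, dropped) = drain_after_destroy();
    println!("delivered: {:?}, discarded: {}", out, dropped);
}
```

The drop counter is the part worth keeping when adapting this: it makes the END-without-END_ACK case from the description observable in tests and metrics rather than silent.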
