- netrelay: replace per-direction read-deadline idle tracking with a
single connection-wide watchdog that observes activity on both sides,
so a long one-way transfer no longer trips the timeout on the quiet
direction. IdleTimeout==0 remains a no-op (SSH and uspfilter forwarder
call sites pass zero); only the reverse-proxy router sets one.
- netrelay tests: bound blocking peer reads/writes with deadlines so a
broken relay fails fast; add a lower-bound assertion on the idle-timeout
test.
- conntrack cap tests: assert that the newest flow is admitted and an
early flow was evicted, not just that the table stayed under the cap.
- ssh client RemotePortForward: bound the localAddr dial with a 10s
timeout so a black-holed address can't pin the accepted channel open.
