token bucket: Improve library to handle under/overflow and clock jump
The DoS subsystem implements a very simple token bucket but has a lot of safeguards against under/overflows and clock jump.
We should take those, move them into the token-bucket implementation and then make the DoS subsystem use it.
This is quite important to not wait too long on it because of #15516 (moved) will soon be used extensively using the generic token bucket.