Revise the "fill" signature in Ethernet (and likely other layers)

[hannesm]

The issue at hand is:

            E.write eth dst `IPv4 (fun b ->
                match Nat_packet.into_cstruct packet b with
                | Ok n -> n
                | Ok (n, adds) -> more := adds ; n
                | Error e ->
                  (* E.write takes a fill function (Cstruct.t -> int), which
                     can not result in an error. Now, if Nat_packet results in
                     an error (e.g. need to fragment, but fragmentation is not
                     allowed (don't fragment bit is set)), we can't pass this
                     information up the stack. Instead we log an error and
                     return 0 -- thus an empty Ethernet header will be
                     transmitted on the wire. *)
                  (* TODO an ICMP error should be sent to the packet origin *)
                  Log.err (fun m -> m "error %a while Nat_packet.into_cstruct"
                              Nat_packet.pp_error e);
                  0)

The ethernet write was called in order to allocate the buffer by the network device, and filling it is done via Nat_packet, which may fail (if don't fragment is set, and fragmentation is required). Instead of returning an int from E.write, it should be possible to result in an error, which can then be handled by the caller of write. I think I remember similar code elsewhere as well. May be worth to revise in the same go as Cstruct_cap gets used.

Further discussion by @cfcs in robur-coop/miragevpn#8 (comment)

[hannesm]

it may even be nice to use:

val write : t -> ?size:int -> (Cstruct.t -> (int * 'a, 'b) result) -> ('a, error | 'b) result Lwt.t

which would allow a smooth API for Nat_packet.into_cstruct, though I'm not sure how to express the error | 'b in OCaml (error is a polymorphic variant so it should be extensible, but 'b is just a type variable).