This is yet another example of a simple test which would be much
trickier to execute against the host kernel. You would either need
to put networking in a complete lockdown, or do some "statistical"
methods where you trigger the bug many many times and attempt to
ascertain a rising trend in mbuf count. And, of course, the leaked
mbufs don't go away from the host kernel once the test ends. In
contrast, we *know* that there is no other networking activity in
a rump kernel, so we can execute the operation exactly once, plus
the leaked mbuf "disappears" when the test is done.
joerg