If a VM is flooded with more ingress packets than the guest OS can handle, the current virtio-net code will keep reading those packets and drop most of them as no space is available in the receive queue. This is an undesirable receive livelock, which is a waste of CPU and memory resources and potentially opens to DoS attacks.
With this change, virtio-net uses the new netbe_rx_disable() function to disable ingress operation in the backend while the guest is short on RX buffers. Once the guest makes more buffers available to the RX virtqueue, ingress operation is enabled again by calling netbe_rx_enable().
Note: this depends on https://reviews.freebsd.org/D20973