… Come to think of it, how in blazes would non-NATted/martian packets leak to the WAN? (I'm assuming that's what's implied by "NAT leakage", right?) I've never seen the rule hit counter higher than zero on my setups. Wouldn't that qualify as a kernel bug in routing/NAT/conntrack?
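A concrete form of the egress rule the post is talking about, added here as an example rather than taken from the poster's setup: an nftables chain on the postrouting hook, placed after source NAT has run, that counts and drops anything leaving the WAN interface whose source address is still private or otherwise non-routable. The interface name wan0 and the table, set and chain names are assumptions.

```nftables
# Added example (not the poster's configuration). Assumes the WAN interface
# is named wan0; table, set and chain names are arbitrary.
table inet egress_guard {
    # RFC 1918 private, RFC 6598 shared, loopback, link-local and
    # "this network" ranges: none of these should ever leave the WAN as a
    # source address once masquerading has rewritten the packet.
    set martian_src {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain postrouting {
        # Priority 200 runs this chain after the srcnat hook (priority 100),
        # so the rule sees the post-NAT source address. A hit therefore means
        # a packet reached the WAN that NAT did not rewrite.
        type filter hook postrouting priority 200; policy accept;
        oifname "wan0" ip saddr @martian_src counter drop
    }
}
```

Load it with `nft -f <file>` and read the counter with `nft list chain inet egress_guard postrouting`; the `counter` expression keeps packet and byte totals, and a non-zero value is exactly the "leak" the post asks about. Note that the chain ordering matters: a filter chain at a priority below 100 on the same hook would see the pre-NAT private source and count every masqueraded packet, which is not the condition being tested. This fragment covers IPv4 only; an `ip6 saddr` rule with fc00::/7 and fe80::/10 would be the equivalent for IPv6.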