OK, so I did bisection to find that hardware NAT offload is the culprit:
$ git bisect good
There are only 'skip'ped commits left to test.
The first bad commit could be any of:
424a9ae128bd2045cd4bfd6e3229f2529d150a25
bfed38254076d576914251689a2e1f85d514783d
We cannot bisect more!
Where is the proper place to report this bug? Here?