…born in a separate network namespace, Jool would spit an incorrect layer-4 checksum. (Actually, the incoming packet already had an incorrect checksum.)
There were two problems:
1. The checksum was incorrect because it was unset. Jool wasn't handling CHECKSUM_PARTIAL differently; it started with an unset incorrect checksum, and ended with a set incorrect checksum.
2. Jool was intercepting packets in all namespaces. This triggered fake hairpinning symptoms, which in turn yielded misled packet drops. I fixed this poorly by making Jool only global-namespace sensitive. This solution is a very dirty patch, but I can't solve this better until #140 is fixed.