New firewall maintainer here. I'm working on the backlog bugs. I hope I understand this right. So we have packets that should be NATed, but they end up in state INVALID and thus will not be NATed. In further processing/routing these packets will then lead to martian source log entries. So you'd like to have an additional iptables rule like iptables -A FORWARD -m state --state INVALID -j DROP to avoid forwarding such packets?
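Added example, not part of the original comment or of the project's code: a rule like the one proposed only helps if no earlier ACCEPT in FORWARD can already match INVALID packets, so this sketch audits `iptables-save` output for both presence and ordering. The function name and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Audits iptables-save output on stdin for the INVALID drop rule discussed above.
# Return: 0 = FORWARD drops INVALID before any ACCEPT that could match it
#         1 = the DROP exists but an earlier ACCEPT can still forward INVALID
#         2 = no INVALID DROP in the filter table's FORWARD chain
# Simplification: interface/address qualifiers are ignored, so any ACCEPT that
# does not exclude INVALID by state is treated as able to match it.
check_forward_invalid_drop() {   # hypothetical helper name
    awk '
    function hits_invalid(r,   inv, neg) {
        if (r !~ /--(state|ctstate) /) return 1      # no state match at all
        inv = (r ~ /--(state|ctstate) ([A-Z]+,)*INVALID(,| |$)/)
        neg = (r ~ /! --(state|ctstate) /)
        return (inv && !neg) || (!inv && neg)
    }
    /^\*/ { table = substr($0, 2); next }            # track the current table
    table == "filter" && $1 == "-A" && $2 == "FORWARD" {
        n++
        if (!hits_invalid($0)) next                  # rule cannot see INVALID
        if ($0 ~ /-j DROP( |$)/) { if (!drop) drop = n }
        else if ($0 ~ /-j ACCEPT( |$)/ && !accept) accept = n
    }
    END {
        if (!drop) exit 2
        if (accept && accept < drop) exit 1
        exit 0
    }'
}

# Constructed sample: the DROP is present but sits behind a broad ACCEPT.
sample='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
COMMIT'
rc=0
printf '%s\n' "$sample" | check_forward_invalid_drop || rc=$?
echo "audit result: $rc"
```

On a live system the input would come from `iptables-save`; both the `-m state --state` and `-m conntrack --ctstate` spellings are recognised.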