After spending some time looking for more info and based on this: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_conntrack_proto_tcp.c?h=v5.8#n700 I think I figured it out:

    tcp flags & (fin|syn|rst|ack|urg) != { syn, syn|urg, syn|ack, rst, rst|ack, fin|ack, fin|ack|urg, ack, ack|urg } drop comment "TCP invalid"

This checks the listed values against the mask "fin|syn|rst|ack|urg". The same values and mask are used in the conntrack code, i.e. it drops invalid TCP packets. According to my own tests, this works in the ingress hook, i.e. early drop.

The only question that remains is performance measurement and comparison, as mentioned. Please let me know what you think.
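To make the mask-and-set semantics of that rule concrete, here is an added Python model of it (not the poster's code and not part of nftables or the kernel): it applies the same mask and the same accepted-combination set to constructed sample flag bytes, shows which combinations an ingress-hook rule like this would drop, and regenerates the rule text from the same constants so the two can be checked against each other. The flag bit values are the standard TCP header bits; the sample packets are constructed for illustration.

```python
"""Offline model of the nftables "TCP invalid" rule: mask TCP flags with
fin|syn|rst|ack|urg and accept only the flag combinations that Linux
conntrack's valid-flag table lists. Added example, not the original post's code."""

# Standard TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_NAMES = {FIN: "fin", SYN: "syn", RST: "rst", PSH: "psh",
              ACK: "ack", URG: "urg", ECE: "ece", CWR: "cwr"}

# Mask from the rule. PSH, ECE and CWR are deliberately outside it, so a
# packet carrying them is judged only on its fin/syn/rst/ack/urg bits.
FLAG_MASK = FIN | SYN | RST | ACK | URG

# Accepted masked combinations, in the same order as the rule's set literal.
VALID_MASKED_FLAGS = (
    SYN, SYN | URG, SYN | ACK,
    RST, RST | ACK,
    FIN | ACK, FIN | ACK | URG,
    ACK, ACK | URG,
)
_VALID_SET = frozenset(VALID_MASKED_FLAGS)


def flag_names(flags: int) -> str:
    """Render a flags byte the way nft prints it, e.g. 0x12 -> 'syn|ack'."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return "|".join(names) if names else "none"


def verdict(flags: int) -> str:
    """Apply the rule: 'drop' if the masked flags are not in the valid set,
    otherwise 'continue' (the packet falls through to later rules)."""
    masked = flags & FLAG_MASK
    return "drop" if masked not in _VALID_SET else "continue"


def classify_packets(packets):
    """Run every (label, flags) pair through the rule; returns (label, flags
    as nft would print them, verdict) tuples."""
    return [(label, flag_names(flags), verdict(flags)) for label, flags in packets]


def nft_rule_text() -> str:
    """Rebuild the nftables rule from the constants above, so the Python
    model and the rule text cannot silently drift apart."""
    mask = flag_names(FLAG_MASK)
    members = ", ".join(flag_names(v) for v in VALID_MASKED_FLAGS)
    return f'tcp flags & ({mask}) != {{ {members} }} drop comment "TCP invalid"'


# Constructed sample flag bytes: normal handshake/data/teardown segments next
# to combinations that never occur in a legitimate TCP conversation.
SAMPLE_PACKETS = [
    ("handshake open", SYN),
    ("handshake reply", SYN | ACK),
    ("data with push", ACK | PSH),          # psh is masked away -> ack -> valid
    ("ECN-setup SYN", SYN | ECE | CWR),     # ece/cwr masked away -> syn -> valid
    ("reset", RST | ACK),
    ("no flags at all", 0),                 # masked value 0 is not in the set
    ("syn and fin together", SYN | FIN),
    ("fin without ack", FIN),
    ("fin|psh|urg", FIN | PSH | URG),       # masked to fin|urg -> not in the set
]

if __name__ == "__main__":
    print(nft_rule_text())
    for label, shown, action in classify_packets(SAMPLE_PACKETS):
        print(f"{label:<22} {shown:<14} -> {action}")
```

Running the block prints the rule text followed by one line per sample packet; the PSH and ECN cases are the ones worth noticing, since they show why the mask is narrower than the full flags byte.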