Connection tracking, connection-state=invalid and loose-tcp-tracking

Great info here. I like the use of jump and the “RFC ways” of terminating a connection, instead of just “drop”.

I’ve never dug into “invalid” too much, so IDK here. But I suspect you’re right about “it’s the host”: so many tricks have been added to TCP stacks over the years, and not all of them play exactly by the rules.

One thing on “invalid”: you might want to look at the “input” and “output” chains. I can’t speak to recent versions, but historically RouterOS itself (the “local processes” in Packet Flow) can induce the “invalid” state in some cases. If you’re using IPsec, that’s something to look at in your “annual firewall review”. It may be covered in your “jump scheme”, but IPsec gets complex in packet flow, so it’s easy to have some issue there with custom firewall rules.
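As an added illustration (not part of the original post, and not the poster’s own configuration), this is one way the input/output check suggested above could be expressed as RouterOS filter rules. The log prefixes, comments and rule order are my choices; the IPsec rules assume a policy-based tunnel terminating on the router, and the chains are the stock input/output chains.

```routeros
# Added example, not from the original post. Assumes stock input/output
# chains and a policy-based IPsec tunnel ending on this router.
/ip firewall filter

# 1. Let the tunnel itself and the decrypted traffic through BEFORE any
#    invalid check, so IKE/ESP and router-originated IPsec traffic never
#    reach the invalid rules. ipsec-policy=in,ipsec matches packets that
#    arrived encrypted and were decrypted by a matching policy.
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
add chain=input ipsec-policy=in,ipsec action=accept comment="decrypted IPsec (policy matched)"

# 2. Log invalid on input and output with distinct prefixes so that
#    invalids produced by local processes show up separately in /log.
add chain=input  connection-state=invalid action=log log-prefix="inv-input:"
add chain=output connection-state=invalid action=log log-prefix="inv-output:"

# 3. Terminate rather than silently drop, in the "RFC way" discussed
#    above: TCP gets a reset, everything else an ICMP admin-prohibited.
add chain=input connection-state=invalid protocol=tcp action=reject reject-with=tcp-reset
add chain=input connection-state=invalid action=reject reject-with=icmp-admin-prohibited

# 4. For router-originated invalids a reject would be sent to ourselves,
#    so plain drop is the sensible choice on output.
add chain=output connection-state=invalid action=drop
```

Rules are evaluated in order, so the accept rules for IKE/ESP and the ipsec-policy matcher must sit above the invalid rules; if they are placed below, a decrypted packet that conntrack classifies as invalid is rejected before it is ever recognised as tunnel traffic. Running this for a while with the log rules in place, then checking `/log print where message~"inv-"`, shows whether the router’s own processes are generating invalid traffic.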