Have firewall accept ICMP Fragmentation Needed

Perhaps we could create a more explicit rule. Something like:

iptables -I INPUT --proto icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT

Worst case, we’d let through a destination-unreachable packet that’s not actually associated with a connection. In that case, it’d simply be discarded upon reception.

As for the danger of adding complexity because of the additional parsing required: as I understand it, this parsing will happen here anyway in order for connection tracking to assign one of the NEW, ESTABLISHED, RELATED or INVALID states. Whether we use the state information doesn’t matter. (Of course, if connection tracking was disabled entirely or if additional conntrack helpers were in use, this wouldn’t hold true.)

1 Like
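Added illustration, not part of the post above or of the netfilter code base: a small Python model of the decision the rule in the post relies on, namely how connection tracking decides that an inbound ICMP error is RELATED. The kernel does this in its ICMP conntrack handler by looking at the original datagram quoted inside the error (inner IP header plus the first 8 bytes of the transport header), extracting that 5-tuple and looking it up in the conntrack table; an error whose quoted tuple matches no tracked connection is flagged INVALID and would never match `--state RELATED`. The packet builder, the `Flow` type, the in-memory conntrack set and all addresses below are constructed for the example; the real kernel logic also validates more fields (and, for Fragmentation Needed, acts on the next-hop MTU), which this model leaves out.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ICMP_PROTO = 1
TCP_PROTO = 6
UDP_PROTO = 17
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4          # code 4 of type 3: "fragmentation needed and DF set"
# ICMP types that quote the offending datagram (RFC 792 error messages)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


@dataclass(frozen=True)
class Flow:
    """5-tuple as conntrack would key it (constructed for this example)."""
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options (header checksum left zero, not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def frag_needed(router: str, host: str, remote: str, sport: int, dport: int, mtu: int) -> bytes:
    """Constructed ICMP type 3 / code 4 sent by `router` to `host`, quoting host's too-big TCP segment to `remote`."""
    quoted_l4 = struct.pack("!HHI", sport, dport, 0x11223344)        # first 8 bytes of the original TCP header
    quoted = ipv4_header(host, remote, TCP_PROTO, 1500) + quoted_l4  # original datagram header + 8 bytes
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + quoted
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]   # fill in the ICMP checksum
    return ipv4_header(router, host, ICMP_PROTO, 20 + len(body)) + body


def classify(packet: bytes, conntrack: set) -> str:
    """Model of the conntrack verdict for an inbound ICMP error: RELATED, INVALID or NOT_ICMP_ERROR."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "INVALID"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ICMP_PROTO:
        return "NOT_ICMP_ERROR"
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return "INVALID"
    itype = icmp[0]
    if itype not in ICMP_ERROR_TYPES:
        return "NOT_ICMP_ERROR"      # echo request/reply etc. are tracked as flows of their own
    if checksum(icmp) != 0:
        return "INVALID"             # corrupted error message
    inner = icmp[8:]                 # the quoted original datagram
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return "INVALID"
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return "INVALID"             # fewer than 8 bytes of transport header quoted
    inner_proto = inner[9]
    if inner_proto not in (TCP_PROTO, UDP_PROTO):
        return "INVALID"             # this model only handles TCP/UDP tuples
    src = str(IPv4Address(inner[12:16]))
    dst = str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    flow = Flow(inner_proto, src, sport, dst, dport)
    if flow in conntrack or flow.reverse() in conntrack:
        return "RELATED"
    return "INVALID"                 # quoted tuple matches no tracked connection


# Constructed conntrack table: one outbound HTTPS connection from our host.
CONNTRACK = {Flow(TCP_PROTO, "192.0.2.10", 40000, "198.51.100.7", 443)}


def demo():
    """Returns the verdicts for a genuine error and for a stray one about a connection we never had."""
    genuine = frag_needed("203.0.113.1", "192.0.2.10", "198.51.100.7", 40000, 443, 1400)
    stray = frag_needed("203.0.113.1", "192.0.2.10", "198.51.100.9", 40000, 443, 1400)
    return classify(genuine, CONNTRACK), classify(stray, CONNTRACK)


if __name__ == "__main__":
    print(demo())
```

The second packet is the "worst case" from the post: a well-formed Fragmentation Needed message whose quoted tuple matches nothing in the table. Since conntrack already had to parse that far to assign a state at all, the explicit `--state RELATED` rule simply never sees it as RELATED, and a corrupted error (bad ICMP checksum, truncated quote) is rejected before the tuple lookup even happens.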