I thought this could be protected by the same authentication that protects the rest of the traffic such that a node could only flush its own discovery data. I guess not though, no problem.
This didn’t seem to happen originally; I was still seeing DEBUG messages concerning UDP connections for hosts that were connected. After a few hours, though (or rather a UK overnight), it all seems OK now.
I’m not logging every packet; however, the firewall logs every new blocked connection. You’re right, it’s probably unnecessary, and I’ll review whether we need to log stuff that was blocked. I just wasn’t expecting an upgrade of Syncthing to suddenly cause the log to fill up with these repeated connection attempts on random ports, particularly when I couldn’t work out whether I’d done the right thing to make it stop.
Either way, now that I’ve been asleep for a few hours with most of the machines turned off, everything seems to have gone back to the pre-UDP behaviour, which works well for me. Thanks for the tips, both of you.