Hi, I think I mostly understand how TPROXY works, thanks to Máté's super helpful article [1]. However, I still don't understand how the "to address:port" part works.

Given this rule:

  nft add rule nat prerouting iifname lan tproxy to 127.0.0.1:1234 meta mark set 1 accept

And this policy based routing:

  ip rule add mark 1 lookup 100
  ip route add local default dev lo table 100

When does a packet arriving on "lan" get redirected to 127.0.0.1:1234? Is it before or after the routing decision? It seems it should be after, but from trace, it shows that the packet goes through the input chain and its iifname is lan. Since tproxy redirects it to 127.0.0.1, shouldn't it be "lo" instead? I wonder what the flow chart is like?

My current guess is that packets arriving on "lan" first get routed to "lo", because of the mark and the policy routing, then tproxy redirects it to 127.0.0.1:1234, but again, this is probably wrong given iifname being lan.

I also wonder whether <addr> and <interface> have to match in "tproxy to <addr>:port" and "dev <interface> table 100"? What is the flow chart like if they don't?

PS: In my case, lan is actually an XFRM interface, not sure if that matters.

Could someone offer some pointers? Thanks in advance.

[1] https://gsoc-blog.ecklm.com/iptables-redirect-vs.-dnat-vs.-tproxy/
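As an added example (not part of the original post or the referenced article), the user-space side of the rule above: a minimal transparent TCP listener of the kind "tproxy to 127.0.0.1:1234" hands connections to. It assumes Linux, a socket bound to 127.0.0.1:1234 with IP_TRANSPARENT set (which needs CAP_NET_ADMIN or CAP_NET_RAW), and the nft/ip rules from the post already installed.

```python
import socket

# Added example, not from the original post. TPROXY does not rewrite the
# packet's addresses: it only associates the packet with a local socket that
# has IP_TRANSPARENT set, so the original destination is still visible on the
# accepted connection. Requires Linux and CAP_NET_ADMIN or CAP_NET_RAW.

def transparent_listener(bind_addr="127.0.0.1", port=1234):
    """Return a listening TCP socket that can accept TPROXY'd connections."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # IP_TRANSPARENT is what the tproxy target looks for when it picks the
    # socket for a packet whose destination is not a local address.
    s.setsockopt(socket.IPPROTO_IP, socket.IP_TRANSPARENT, 1)
    s.bind((bind_addr, port))
    s.listen(16)
    return s

def original_destination(conn):
    """Original (unrewritten) destination address of an accepted connection.

    Because tproxy leaves the packet untouched, the local address of the
    accepted socket is the address the client actually connected to, not
    the listener's 127.0.0.1:1234.
    """
    return conn.getsockname()

def serve_once(listener):
    """Accept one connection and report who connected to what."""
    conn, peer = listener.accept()
    with conn:
        dst = original_destination(conn)
        print(f"{peer[0]}:{peer[1]} -> {dst[0]}:{dst[1]} (original destination)")
        return peer, dst

if __name__ == "__main__":
    with transparent_listener() as srv:
        serve_once(srv)
```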