When br-netfilter is enabled (set to 1), it enables bridge filtering, allowing iptables rules to be applied to bridged traffic. However, there is a limitation in iptables with bridge filtering: it does not support marking packets for TPROXY when br-netfilter is enabled.
Unfortunately, TPROXY does not work with bridge filtering enabled, because the bridge code path does not invoke the TPROXY functionality. The mark applied by the iptables rule in the mangle table is not considered when br-netfilter is enabled, so TPROXY does not receive the marked UDP packets.
How can I fix this? I have to keep br-netfilter set to 1 and TPROXY
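For readers comparing their own rule set against the one the post describes (a mark set in the mangle table, a TPROXY target for UDP, br-netfilter left at 1), the following is an added example of the standard iptables TPROXY setup for UDP. It is not code from the original post and does not claim to work around the bridge limitation the post raises; it emits the commands as a dry run so they can be reviewed before being applied with root privileges. The listener port (5353), the UDP service port (53), the fwmark value (0x1) and the routing table number (100) are assumptions chosen for illustration, and the listening socket is assumed to be bound with IP_TRANSPARENT.

```shell
#!/bin/sh
# Added example (not from the original post): canonical iptables TPROXY setup
# for UDP, printed as a dry run. Run with --apply (as root) to execute it.
# Assumed values: listener port 5353, UDP service port 53, fwmark 0x1, table 100.
TPROXY_PORT=${TPROXY_PORT:-5353}
UDP_PORT=${UDP_PORT:-53}
FWMARK=${FWMARK:-0x1}
RT_TABLE=${RT_TABLE:-100}

# Emit the full rule set, one command per line.
tproxy_rules() {
  cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p udp -m socket --transparent -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $FWMARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p udp --dport $UDP_PORT -j TPROXY --tproxy-mark $FWMARK/$FWMARK --on-port $TPROXY_PORT --on-ip 0.0.0.0
ip rule add fwmark $FWMARK lookup $RT_TABLE
ip route add local 0.0.0.0/0 dev lo table $RT_TABLE
EOF
}

# Report the current value of the sysctl the post is concerned with,
# or "absent" when the bridge module is not loaded on this host.
bridge_nf_state() {
  if [ -r /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
    cat /proc/sys/net/bridge/bridge-nf-call-iptables
  else
    echo absent
  fi
}

# Number of generated commands that touch the mangle table (sanity check).
count_mangle_rules() {
  tproxy_rules | grep -c -- '-t mangle'
}

if [ "$1" = "--apply" ]; then
  echo "bridge-nf-call-iptables before: $(bridge_nf_state)"
  tproxy_rules | while IFS= read -r cmd; do
    echo "+ $cmd"
    sh -c "$cmd"
  done
else
  tproxy_rules
fi
```

The DIVERT chain handles replies for sockets that already exist (the socket match with --transparent), while the TPROXY rule catches new flows; the fwmark-based policy route is what makes the kernel treat the marked packets as locally delivered instead of forwarding them.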