diff --git a/analyzer/tcp/tls.go b/analyzer/tcp/tls.go
index 14aad20..c9c488d 100644
--- a/analyzer/tcp/tls.go
+++ b/analyzer/tcp/tls.go
@@ -30,12 +30,14 @@ type tlsStream struct {
 reqUpdated bool
 reqLSM *utils.LinearStateMachine
 reqDone bool
+ reqFed int
 
 respBuf *utils.ByteBuffer
 respMap analyzer.PropMap
 respUpdated bool
 respLSM *utils.LinearStateMachine
 respDone bool
+ respFed int
 
 clientHelloLen int
 serverHelloLen int
@@ -64,7 +66,10 @@ func (s *tlsStream) Feed(rev, start, end bool, skip int, data []byte) (u *analyz
 var update *analyzer.PropUpdate
 var cancelled bool
 if rev {
- s.respBuf.Append(data)
+ if len(data) > s.respFed {
+ s.respBuf.Append(data[s.respFed:])
+ s.respFed = len(data)
+ }
 s.respUpdated = false
 cancelled, s.respDone = s.respLSM.Run()
 if s.respUpdated {
@@ -75,7 +80,10 @@ func (s *tlsStream) Feed(rev, start, end bool, skip int, data []byte) (u *analyz
 s.respUpdated = false
 }
 } else {
- s.reqBuf.Append(data)
+ if len(data) > s.reqFed {
+ s.reqBuf.Append(data[s.reqFed:])
+ s.reqFed = len(data)
+ }
 s.reqUpdated = false
 cancelled, s.reqDone = s.reqLSM.Run()
 if s.reqUpdated {
diff --git a/io/nfqueue.go b/io/nfqueue.go
index 40e3ae8..683dc0e 100644
--- a/io/nfqueue.go
+++ b/io/nfqueue.go
@@ -58,7 +58,7 @@ func generateNftRules(local, rst bool, numQueues int) (*nftTableSpec, error) {
 }
 } else {
 table.Chains = []nftChainSpec{
- {Chain: "FORWARD", Header: "type filter hook forward priority filter; policy accept;"},
+ {Chain: "FORWARD", Header: "type filter hook forward priority mangle; policy accept;"},
 }
 }
 for i := range table.Chains {
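Review bot: The new `reqFed` and `respFed` fields in the tlsStream struct carry no comment, and what they count is only recoverable by reading the guards added in Feed further down the diff, where they are compared against `len(data)` and used as a slice offset into it. Since the struct's other fields are equally terse, a one-line comment on each would do: `reqFed int // bytes of the data handed to Feed already appended to reqBuf (assumes data is cumulative)` and the mirror for `respFed`. The "assumes cumulative" part is my inference from the guards, not something the hunk states, so confirm it against the caller before writing it down. The struct definition starts before the hunk and continues past it.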
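Review bot: In the `if rev` branch, `if len(data) > s.respFed` silently treats any buffer that is not longer than the last one as "nothing new", so the change only works if every `data` passed to Feed is a cumulative buffer that grows monotonically. If the caller ever hands a shorter buffer, for instance after it has consumed bytes or after a gap reported through `skip`, the new bytes are dropped without error and the server-side state machine parses a truncated handshake, which for a traffic analyzer means whatever it extracts from the ServerHello is quietly missed. Nothing in the hunk inspects `skip` or ever resets `respFed`. If the monotonic-buffer invariant is intended, state it in Feed's doc comment, e.g. `// data must be the cumulative unconsumed stream seen so far; only the bytes beyond respFed/reqFed are appended`; otherwise handle `len(data) < s.respFed` as its own case rather than folding it into the no-op path. Feed starts before the hunk and continues past it.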
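Review bot: The `else` branch now duplicates the `if rev` branch line for line, differing only in `reqBuf`/`reqFed` versus `respBuf`/`respFed`, which makes it easy for a later fix to one side (for example handling a shrinking buffer) to miss the other. A small helper taking the buffer and a pointer to the counter removes the duplication and gives the "only append the unseen tail" rule one place to be documented. Both call sites then reduce to `appendUnfed(s.reqBuf, &s.reqFed, data)` and `appendUnfed(s.respBuf, &s.respFed, data)`. The signature of `utils.ByteBuffer.Append` is not visible here, so adjust the parameter type if it is not a pointer method. Feed starts before the hunk and continues past it.
```go
// appendUnfed appends to buf only the bytes of data beyond *fed, the count of
// leading bytes already fed on earlier calls, and advances *fed. Callers are
// expected to pass a cumulative buffer; a shorter data is treated as nothing new.
func appendUnfed(buf *utils.ByteBuffer, fed *int, data []byte) {
	if len(data) > *fed {
		buf.Append(data[*fed:])
		*fed = len(data)
	}
}

// … unchanged: Feed body, with the two inline guards replaced by appendUnfed calls …
```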
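Review bot: The switch from `priority filter` to `priority mangle` on the FORWARD chain header is not explained anywhere in the hunk, and it changes where in the forward path the queue verdict happens: mangle (-150) orders this chain ahead of every filter-priority (0) forward chain, still after conntrack, so presumably the intent is that the nfqueue rules see and verdict forwarded packets before other FORWARD filter rules (Docker, firewalld, the host's own ruleset) accept or drop them. A side effect worth stating is that packets a later filter chain would have dropped are now queued and analyzed anyway. A short comment on the chain spec would record the reasoning, e.g. `// priority mangle (-150) runs ahead of filter-priority FORWARD chains so the queue verdict applies before any other forward rules`. The `local` branch of this function sits above the hunk and is out of view, so I cannot tell whether its INPUT/OUTPUT chains were changed to match; generateNftRules starts before the hunk and continues past it.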