diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
index 10211b0..4b536e7 100644
--- a/pkg/networkpolicy/controller.go
+++ b/pkg/networkpolicy/controller.go
@@ -674,8 +674,7 @@ func (c *Controller) syncNFTablesRules(ctx context.Context) error {
 })
 }
 }
-
- for _, hook := range []knftables.BaseChainHook{knftables.ForwardHook} {
+ for _, hook := range []knftables.BaseChainHook{knftables.ForwardHook, knftables.OutputHook} {
 chainName := string(hook)
 tx.Add(&knftables.Chain{
 Name: chainName,
@@ -694,6 +693,11 @@ func (c *Controller) syncNFTablesRules(ctx context.Context) error {
 Rule: knftables.Concat(
 "ct", "state", "established,related", "accept"),
 })
+ tx.Add(&knftables.Rule{
+ Chain: chainName,
+ Rule: knftables.Concat(
+ "oif", "lo", "accept"),
+ })
 action := fmt.Sprintf("queue num %d", c.config.QueueID)
 if c.config.FailOpen {
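Review bot: Adding `knftables.OutputHook` to the hook loop means the node's own locally generated packets now go through the same queue chain as forwarded traffic, but nothing in the hunk records why the output path is needed or which host traffic is expected to reach the queue; a one-line comment on the loop would help, e.g. `// Hook both forward and output so locally generated traffic is policed too; loopback is accepted before the queue rule.` Because the same chain body is built for both hooks, a stalled or crashed queue consumer now affects the host's own traffic as well, and only the `c.config.FailOpen` branch visible in the second hunk limits that blast radius — worth stating in the comment so operators understand the trade-off. The chain definition (type, hook, priority) follows `Name: chainName,` outside this hunk, so whether the output chain's priority is appropriate relative to other output-hook chains cannot be confirmed here. syncNFTablesRules begins and ends outside the hunk.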