diff --git a/pkg/netconf/testdata/nftrules_accept_forwarding b/pkg/netconf/testdata/nftrules_accept_forwarding
new file mode 100644
index 0000000..96c65f0
--- /dev/null
+++ b/pkg/netconf/testdata/nftrules_accept_forwarding
@@ -0,0 +1,72 @@
+# This file was auto generated for machine: 'e0ab02d2-27cd-5a5e-8efc-080ba80cf258' by app version .
+# Do not edit.
+table inet metal {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        meta l4proto ipv6-icmp counter accept comment "icmpv6 input required for neighbor discovery"
+        iifname "lo" counter accept comment "BGP unnumbered"
+        iifname "lan0" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered input from lan0"
+        iifname "lan1" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered input from lan1"
+        iifname "lan0" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan0"
+        iifname "lan1" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan1"
+
+        ct state established,related counter accept comment "stateful input"
+
+        tcp dport ssh ct state new counter accept comment "SSH incoming connections"
+        ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
+        ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+        
+        ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
+        counter jump refuse
+    }
+    chain forward {
+        type filter hook forward priority 0; policy accept;
+        ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
+        counter jump refuse
+    }
+    chain output {
+        type filter hook output priority 0; policy accept;
+        meta l4proto ipv6-icmp counter accept comment "icmpv6 output required for neighbor discovery"
+        oifname "lo" counter accept comment "lo output required e.g. for chrony"
+        oifname "lan0" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered output at lan0"
+        oifname "lan1" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered output at lan1"
+
+        ip daddr 10.0.0.0/8 udp dport 4789 counter accept comment "outgoing VXLAN"
+        
+        ct state established,related counter accept comment "stateful output"
+        ct state invalid counter drop comment "drop invalid packets"
+    }
+    chain output_ct {
+        type filter hook output priority raw; policy accept;
+    }
+    chain refuse {
+        limit rate 2/minute counter log prefix "nftables-metal-dropped: "
+        counter drop
+    }
+}
+table inet nat {
+    set public_dns_servers {
+    	type ipv4_addr
+    	flags interval
+    	auto-merge
+    	elements = { 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1 }
+    }
+
+    chain prerouting {
+        type nat hook prerouting priority 0; policy accept;
+    }
+    chain prerouting_ct {
+        type filter hook prerouting priority raw; policy accept;
+    }
+    chain input {
+        type nat hook input priority 0; policy accept;
+    }
+    chain output {
+        type nat hook output priority 0; policy accept;
+    }
+    chain postrouting {
+        type nat hook postrouting priority 0; policy accept;
+        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: mpls-nbg-w8101-test)"
+    }
+}
\ No newline at end of file