diff --git a/lib/testing/test_runner.sh b/lib/testing/test_runner.sh
index 8805e38f..3fb2626d 100755
--- a/lib/testing/test_runner.sh
+++ b/lib/testing/test_runner.sh
@@ -25,7 +25,7 @@ ALL_TESTS=""
 VERBOSE_TESTS=${V:-0}
 NUM_NS=2
 
-NEEDED_TOOLS="capinfos ethtool ip ping sed tc tcpdump timeout nc tshark"
+NEEDED_TOOLS="capinfos ethtool ip ping sed tc tcpdump timeout nc tshark nft"
 
 if [ -f "$TEST_CONFIG" ]; then
     source "$TEST_CONFIG"
diff --git a/xdp-forward/tests/test-xdp-forward.sh b/xdp-forward/tests/test-xdp-forward.sh
index 2a6988e8..9049a82e 100644
--- a/xdp-forward/tests/test-xdp-forward.sh
+++ b/xdp-forward/tests/test-xdp-forward.sh
@@ -1,7 +1,7 @@
 XDP_LOADER=${XDP_LOADER:-./xdp-loader}
 XDP_FORWARD=${XDP_FORWARD:-./xdp-forward}
-ALL_TESTS="test_ping test_load test_fwd_full test_fwd_direct"
-
+ALL_TESTS="test_ping test_load test_fwd_full test_fwd_direct test_flowtable"
+INFILE="$(mktemp)"
 
 test_ping()
 {
@@ -52,8 +52,85 @@ test_fwd_direct()
     check_run $XDP_FORWARD unload ${NS_NAMES[@]}
 }
 
+test_flowtable()
+{
+    # veth NAPI GRO support added this symbol; forwarding won't work without it
+    skip_if_missing_kernel_symbol veth_set_features
+    # check if bpf flowtable lookup is available
+    skip_if_missing_kernel_symbol bpf_xdp_flow_lookup
+
+    # disable {tx,rx} checksum offload since it is not currently suported
+    # by XDP_REDIRECT
+    for n in ${NS_NAMES[@]}; do
+        ip netns exec $n ethtool -K veth0 tx-checksumming off rx-checksumming off
+        ethtool -K $n tx-checksumming off rx-checksumming off
+    done
+
+    # create data to send via tcp
+    dd if=/dev/urandom of="${INFILE}" bs=8192 count=32 status=none
+
+    # create flowtable configuration in the main namespace
+    check_run nft -f /dev/stdin <<EOF
+table inet nat {
+    chain prerouting {
+        type nat hook prerouting priority filter; policy accept;
+        iifname == "${NS_NAMES[0]}" meta nfproto ipv4 tcp dport 12345 dnat ip to ${ALL_INSIDE_IP4[-1]}:10000
+        iifname == "${NS_NAMES[0]}" meta nfproto ipv6 tcp dport 12345 dnat ip6 to [${ALL_INSIDE_IP6[-1]}]:10000
+    }
+    chain postrouting {
+        type nat hook postrouting priority filter; policy accept;
+        oifname "${NS_NAMES[-1]}" masquerade
+    }
+}
+table inet filter {
+    flowtable ft {
+        hook ingress priority filter
+        devices = { ${NS_NAMES[0]}, ${NS_NAMES[-1]} }
+    }
+    chain forward {
+        type filter hook forward priority filter
+        meta l4proto { tcp } flow add @ft
+    }
+}
+EOF
+
+    # Add sone nft rules to check natting is done properly in
+    # the main namespace
+    check_run ip netns exec ${NS_NAMES[-1]} nft -f /dev/stdin <<EOF
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop
+        ip daddr ${ALL_INSIDE_IP4[-1]} tcp dport 10000 accept
+        ip6 daddr ${ALL_INSIDE_IP6[-1]} tcp dport 10000 accept
+    }
+}
+EOF
+    # wait a bit to configure nft
+    sleep 2
+
+    check_run $XDP_FORWARD load -f flowtable ${NS_NAMES[0]}
+
+    PID=$(start_background_ns_devnull "nc -4 -l --no-shutdown 10000")
+    check_run ip netns exec ${NS_NAMES[0]} nc -w 1 -4 ${OUTSIDE_IP4} 12345 < ${INFILE}
+    stop_background $PID
+
+    PID=$(start_background_ns_devnull "nc -6 -l --no-shutdown 10000")
+    check_run ip netns exec ${NS_NAMES[0]} nc -w 1 -6 ${OUTSIDE_IP6} 12345 < ${INFILE}
+    stop_background $PID
+}
+
 cleanup_tests()
 {
-    $XDP_FORWARD unload ${NS_NAMES[@]} >/dev/null 2>&1
-    $XDP_LOADER unload $NS --all >/dev/null 2>&1
+    # enable {tx,rx} checksum offload
+    for n in ${NS_NAMES[@]}; do
+        ip netns exec $n ethtool -K veth0 tx-checksumming on rx-checksumming on
+        ethtool -K $n tx-checksumming on rx-checksumming on
+    done >/dev/null 2>&1
+    {
+        $XDP_FORWARD unload ${NS_NAMES[@]}
+        $XDP_LOADER unload $NS --all
+        check_run ip netns exec ${NS_NAMES[-1]} nft flush ruleset
+        check_run nft flush ruleset
+        rm -f ${INFILE}
+    } >/dev/null 2>&1
 }