diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e89389931..201dfac9d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -183,6 +183,19 @@ jobs:
       # the equals signs cause great confusion.
       run: go test ./... -bench . -benchtime 1x -run "^$"
 
+  privileged:
+    runs-on: ubuntu-22.04
+    container:
+      image: golang:latest
+      options: --privileged
+    steps:
+    - name: checkout
+      uses: actions/checkout@v4
+    - name: chown
+      run: chown -R $(id -u):$(id -g) $PWD
+    - name: privileged tests
+      run: ./tool/go test ./util/linuxfw
+
   vm:
     runs-on: ["self-hosted", "linux", "vm"]
     # VM tests run with some privileges, don't let them run on 3p PRs.
diff --git a/util/linuxfw/nftables_runner.go b/util/linuxfw/nftables_runner.go
index 3092b08b5..c40508f15 100644
--- a/util/linuxfw/nftables_runner.go
+++ b/util/linuxfw/nftables_runner.go
@@ -866,7 +866,7 @@ func (n *nftablesRunner) createDummyPostroutingChains() (retErr error) {
 			return fmt.Errorf("create nat table: %w", err)
 		}
 		defer func(fm nftables.TableFamily) {
-			if err := deleteTableIfExists(n.conn, table.Proto, tsDummyTableName); err != nil && retErr == nil {
+			if err := deleteTableIfExists(n.conn, fm, tsDummyTableName); err != nil && retErr == nil {
 				retErr = fmt.Errorf("delete %q table: %w", tsDummyTableName, err)
 			}
 		}(table.Proto)