diff --git a/internal/trafpol/allowdevs_test.go b/internal/trafpol/allowdevs_test.go
new file mode 100644
index 0000000..7644173
--- /dev/null
+++ b/internal/trafpol/allowdevs_test.go
@@ -0,0 +1,68 @@
+package trafpol
+
+import (
+	"reflect"
+	"testing"
+)
+
+// TestAllowDevsAdd tests Add of AllowDevs
+func TestAllowDevsAdd(t *testing.T) {
+	a := NewAllowDevs()
+
+	got := []string{}
+	runNft = func(s string) {
+		got = append(got, s)
+	}
+
+	// test adding
+	want := []string{
+		"add element inet oc-daemon-filter allowdevs { eth3 }",
+	}
+	a.Add("eth3")
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("got %v, want %v", got, want)
+	}
+
+	// test adding again
+	// should not change anything
+	a.Add("eth3")
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("got %v, want %v", got, want)
+	}
+}
+
+// TestAllowDevsRemove tests Remove of AllowDevs
+func TestAllowDevsRemove(t *testing.T) {
+	a := NewAllowDevs()
+
+	got := []string{}
+	runNft = func(s string) {
+		got = append(got, s)
+	}
+
+	// test removing device
+	a.Add("eth3")
+	want := []string{
+		"delete element inet oc-daemon-filter allowdevs { eth3 }",
+	}
+	got = []string{}
+	a.Remove("eth3")
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("got %v, want %v", got, want)
+	}
+
+	// test removing again (not existing device)
+	// should not change anything
+	a.Remove("eth3")
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("got %v, want %v", got, want)
+	}
+}
+
+// TestNewAllowDevs tests NewAllowDevs
+func TestNewAllowDevs(t *testing.T) {
+	a := NewAllowDevs()
+	if a.m == nil {
+		t.Errorf("got nil, want != nil")
+	}
+}
diff --git a/internal/trafpol/filter.go b/internal/trafpol/filter.go
index 3e5000d..d4cd2fb 100644
--- a/internal/trafpol/filter.go
+++ b/internal/trafpol/filter.go
@@ -12,7 +12,7 @@ import (
 )
 
 // runNft runs nft and passes s to it via stdin
-func runNft(s string) {
+var runNft = func(s string) {
 	cmd := "nft -f -"
 	c := exec.Command("bash", "-c", cmd)
 	c.Stdin = bytes.NewBufferString(s)