diff --git a/cookbooks/nftables/config/00-global.nft b/cookbooks/nftables/config/00-global.nft
index 59b7a31..650ead3 100755
--- a/cookbooks/nftables/config/00-global.nft
+++ b/cookbooks/nftables/config/00-global.nft
@@ -4,7 +4,7 @@ flush ruleset
 table inet itix-fw {
 chain input {
- type filter hook input priority filter + 20
+ type filter hook input priority filter
 policy drop
 ct state invalid counter drop
@@ -15,7 +15,7 @@ table inet itix-fw {
 }
 chain output {
- type filter hook output priority filter + 20
+ type filter hook output priority filter
 policy drop
 ct state invalid counter drop
@@ -26,7 +26,7 @@ table inet itix-fw {
 }
 chain forward {
- type filter hook forward priority filter + 20
+ type filter hook forward priority filter
 policy drop
 # Loopback
@@ -36,11 +36,15 @@ table inet itix-fw {
 table inet itix-nat {
 chain prerouting {
- type nat hook prerouting priority dstnat + 20
+ type nat hook prerouting priority dstnat
 policy accept
 }
 chain postrouting {
- type nat hook postrouting priority srcnat + 20
+ type nat hook postrouting priority srcnat
+ policy accept
+ }
+ chain output {
+ type nat hook output priority dstnat
 policy accept
 }
 }
diff --git a/cookbooks/quay/dropins/quay-clair.container.d/quay.conf b/cookbooks/quay/dropins/quay-clair.container.d/quay.conf
new file mode 100644
index 0000000..c5036bf
--- /dev/null
+++ b/cookbooks/quay/dropins/quay-clair.container.d/quay.conf
@@ -0,0 +1,4 @@
+[Container]
+# Inject a DNS record into /etc/hosts to allow Clair to reach Quay over the loopback interface.
+# TODO: replace "quay" with the FQDN of the Quay instance.
+AddHost=quay:127.0.0.1
diff --git a/cookbooks/quay/other/nftables/50-quay.nft b/cookbooks/quay/other/nftables/50-quay.nft
index 60b09f3..2f0cca8 100755
--- a/cookbooks/quay/other/nftables/50-quay.nft
+++ b/cookbooks/quay/other/nftables/50-quay.nft
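Review bot: The removal of the `+ 20` priority offset on the input chain's `type` line — and the same edit in the output, forward, prerouting and postrouting hunks of this file — is not explained anywhere in the ruleset, and nothing in the diff says what the offset was ordering these chains against. Presumably it placed them after another table hooking at the base `filter`/`dstnat`/`srcnat` priority; dropping it changes that ordering for any other table loaded on the same host (firewalld, container runtimes), which is easy to miss later. A one-line comment above the `type` line would record the decision, e.g. `# Base hook priorities: no other table is expected to hook at filter/dstnat/srcnat on this host`, adjusted to the real reason. The chain bodies continue beyond each hunk.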
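Review bot: The new `chain output` added to `itix-nat` in the last hunk of 00-global.nft carries no comment saying why a nat output hook is needed, and a reader of this file cannot see that 50-quay.nft in the same commit attaches a redirect for host-local traffic to it. Suggest placing `# nat output hook: locally generated packets never traverse prerouting, so redirects for host-local (loopback) traffic are attached here by per-service rule files` above the `type nat hook output priority dstnat` line. With `policy accept` and no rules of its own the chain is inert until such a rule file loads, which is fine but worth stating.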
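Review bot: `AddHost=quay:127.0.0.1` only reaches Quay if the clair container shares the host's network namespace (`Network=host`) or a pod network with Quay; in a container with its own namespace, 127.0.0.1 is the container's own loopback, so the name would point Clair at itself. The quay-clair.container unit is not in the diff, so this cannot be confirmed here — if the unit uses its own namespace, the target has to be an address reachable from inside the container instead. The comment is also slightly off: `AddHost` writes an /etc/hosts entry rather than a DNS record, and because port 443 is redirected to 8443 by the nftables rules, the name chosen for the TODO must match the certificate Quay presents on 8443 or Clair's TLS verification will fail. Suggest `# Add an /etc/hosts entry so Clair reaches Quay over the host's loopback (assumes Network=host; the name must match Quay's TLS certificate).`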
@@ -5,3 +5,4 @@ add rule inet itix-fw input tcp dport { 80, 8443 } counter accept
 # Redirect port 443 to 8443 (Quay)
 add rule inet itix-nat prerouting tcp dport 443 counter redirect to 8443
+add rule inet itix-nat output ip daddr 127.0.0.1 tcp dport 443 counter redirect to 8443
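Review bot: The new output-hook rule matches only `ip daddr 127.0.0.1`, so it diverges from the prerouting rule above it: in this `inet` table the prerouting redirect applies to both IPv4 and IPv6 arrivals, while host-local IPv6 traffic to `::1` on port 443 keeps going to 443 and is not redirected. If IPv4-only is intended the rule deserves a comment saying so; otherwise add `add rule inet itix-nat output ip6 daddr ::1 tcp dport 443 counter redirect to 8443` next to it. It is also worth stating that this rule only sees packets generated in the host's own network namespace — a container with its own namespace traverses prerouting/forward instead — e.g. `# Locally generated traffic skips prerouting: redirect host-local 443 (used by Clair via AddHost) here as well`. The rule depends on the `output` chain that 00-global.nft adds in this same commit.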