diff --git a/private/bpfloader.te b/private/bpfloader.te
index fe3e648f9c3564579181677bf268ee08121c6eed..c0b4999824e428bc9c634bbb42c371fea499fbe8 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -20,7 +20,8 @@ allow bpfloader netd:bpf { map_read map_write };
 allow bpfloader self:bpf { prog_load prog_run };
 
 # Neverallow rules
-neverallow { domain -bpfloader } *:bpf { prog_load prog_run };
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfloader -netd } *:bpf prog_run;
 neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
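Review bot: The new neverallow on line 11 exempts netd from prog_run against `*`, which is wider than the corresponding allow in private/netd.te, where netd only gets `bpfloader:bpf prog_run`. As written, a later allow granting netd prog_run on programs of some other type would not be caught by this neverallow. Consider keeping the exemption but bounding it to the one target netd actually needs, e.g. `neverallow netd { domain -bpfloader }:bpf prog_run;` as a third line after line 11, so netd may only run programs labeled bpfloader; this assumes bpf objects carry the loading domain's type, which the allow rule in the other hunk appears to rely on. The same point applies to the netd.te hunk, where the allow is the narrower side.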
diff --git a/private/netd.te b/private/netd.te
index 461d59b34c1c8fd29edb5f5e1d7b2a97ff4e5230..281105d04fd76c181b581a0c116ef03ef5bd306b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -10,3 +10,6 @@ domain_auto_trans(netd, clatd_exec, clatd)
 
 # Allow netd to start bpfloader_exec in its own domain
 domain_auto_trans(netd, bpfloader_exec, bpfloader)
+
+# give netd permission to setup iptables rule with xt_bpf
+allow netd bpfloader:bpf prog_run;
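Review bot: The comment on line 24 explains the use case but not what the target type means, which is the part a policy reader needs to check against the neverallow in private/bpfloader.te. Suggest `# netd attaches bpfloader-loaded programs through the xt_bpf iptables match, so it needs prog_run on bpf objects labeled bpfloader (see the matching neverallow in bpfloader.te)`; "setup" should also read "set up". If the type of the program objects is something other than bpfloader in practice, the comment should name that type instead.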