diff --git a/pkg/nftables/rendering_test.go b/pkg/nftables/rendering_test.go
index cd80a9a2..891ff8a2 100644
--- a/pkg/nftables/rendering_test.go
+++ b/pkg/nftables/rendering_test.go
@@ -39,7 +39,7 @@ func TestFirewallRenderingData_renderString(t *testing.T) {
 },
 InternalPrefixes: "1.2.3.0/24, 2.3.4.0/8",
 RateLimitRules: []string{"meta iifname \"eth0\" limit rate over 10 mbytes/second counter name drop_ratelimit drop"},
- SnatRules: []string{"ip saddr { 10.0.0.0/8 } oifname \"vlan104009\" counter snat 185.1.2.3 comment \"snat internet\""},
+ SnatRules: []string{"ip saddr { 10.0.0.0/8 } oifname \"vlan104009\" counter snat 185.1.2.3 random comment \"snat internet\""},
 PrivateVrfID: uint(42),
 AdditionalDNSAddrs: []string{"8.9.10.11", "4.5.6.7"},
 },
diff --git a/pkg/nftables/snat.go b/pkg/nftables/snat.go
index 45b5fe89..189e6a22 100644
--- a/pkg/nftables/snat.go
+++ b/pkg/nftables/snat.go
@@ -16,7 +16,7 @@ type snatRule struct {
 }
 
 func (s *snatRule) String() string {
- return fmt.Sprintf(`ip saddr { %s } oifname "%s" counter snat %s comment "%s"`, s.sourceNetworks, s.oifname, s.to, s.comment)
+ return fmt.Sprintf(`ip saddr { %s } oifname "%s" counter snat %s random comment "%s"`, s.sourceNetworks, s.oifname, s.to, s.comment)
 }
 
 // snatRules generates the nftables rules for SNAT based on the firewall spec
diff --git a/pkg/nftables/snat_test.go b/pkg/nftables/snat_test.go
index 3f1a0eed..88aed88c 100644
--- a/pkg/nftables/snat_test.go
+++ b/pkg/nftables/snat_test.go
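Review bot: The `random` flag is hard-coded into the format string of `snatRule.String()`, so every rendered SNAT rule gets hashed source-port selection with no way to opt out or to choose a stronger variant; as far as I recall the nft(8) semantics, `random` seeds the port search from a hash of the flow addresses while `fully-random` draws each mapping from the kernel RNG, so if the intent is resistance to source-port prediction (DNS cache poisoning, NAT slipstreaming) `fully-random` is the option to evaluate, and `persistent` is needed where peers rely on a stable mapping. Consider making this a field such as `portFlags string` on `snatRule`, defaulting to `random`, rendered via `counter snat %s %s comment "%s"`, so the test fixtures encode a choice rather than a constant. The same line still interpolates `s.to` and `s.comment` unescaped into the rule text, so a comment containing `"` would break the rendered rule; that predates this change but deserves a note like `// NOTE: comment is interpolated unescaped; it must not contain double quotes`. The method also lacks a doc comment; `// String renders the rule as an nftables postrouting SNAT statement with randomized source-port selection.` would state the new behavior where readers look for it.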
@@ -75,8 +75,8 @@ func TestSnatRules(t *testing.T) {
 },
 cwnps: firewallv1.ClusterwideNetworkPolicyList{},
 want: nftablesRules{
- `ip saddr { 10.0.1.0/24 } oifname "vlan1" counter snat to jhash ip daddr . tcp sport mod 2 map { 0 : 185.0.0.2, 1 : 185.0.0.3 } comment "snat for internet"`,
- `ip saddr { 10.0.1.0/24 } oifname "vlan2" counter snat 100.0.0.2 comment "snat for mpls"`,
+ `ip saddr { 10.0.1.0/24 } oifname "vlan1" counter snat to jhash ip daddr . tcp sport mod 2 map { 0 : 185.0.0.2, 1 : 185.0.0.3 } random comment "snat for internet"`,
+ `ip saddr { 10.0.1.0/24 } oifname "vlan2" counter snat 100.0.0.2 random comment "snat for mpls"`,
 },
 },
 {
@@ -151,8 +151,8 @@ func TestSnatRules(t *testing.T) {
 want: nftablesRules{
 `ip saddr { 10.0.1.0/24 } tcp dport { 53 } accept comment "escape snat for dns proxy tcp"`,
 `ip saddr { 10.0.1.0/24 } udp dport { 53 } accept comment "escape snat for dns proxy udp"`,
- `ip saddr { 10.0.1.0/24 } oifname "vlan1" counter snat to jhash ip daddr . tcp sport mod 2 map { 0 : 185.0.0.2, 1 : 185.0.0.3 } comment "snat for internet"`,
- `ip saddr { 10.0.1.0/24 } oifname "vlan2" counter snat 100.0.0.2 comment "snat for mpls"`,
+ `ip saddr { 10.0.1.0/24 } oifname "vlan1" counter snat to jhash ip daddr . tcp sport mod 2 map { 0 : 185.0.0.2, 1 : 185.0.0.3 } random comment "snat for internet"`,
+ `ip saddr { 10.0.1.0/24 } oifname "vlan2" counter snat 100.0.0.2 random comment "snat for mpls"`,
 },
 },
 {
diff --git a/pkg/nftables/test_data/more-rules.nftable.v4 b/pkg/nftables/test_data/more-rules.nftable.v4
index 2a77cf52..0748b8a1 100644
--- a/pkg/nftables/test_data/more-rules.nftable.v4
+++ b/pkg/nftables/test_data/more-rules.nftable.v4
@@ -62,7 +62,7 @@ table inet firewall {
 chain postrouting {
 type nat hook postrouting priority -1; policy accept;
- ip saddr { 10.0.0.0/8 } oifname "vlan104009" counter snat 185.1.2.3 comment "snat internet"
+ ip saddr { 10.0.0.0/8 } oifname "vlan104009" counter snat 185.1.2.3 random comment "snat internet"
 }
 }